Merge branch 'dev' into isolate-metrics
binbin-li authored Jun 6, 2024
2 parents ec20d28 + a3424b1 commit 9c534dc
Showing 26 changed files with 612 additions and 212 deletions.
4 changes: 2 additions & 2 deletions .github/workflows/codeql.yml
@@ -33,12 +33,12 @@ jobs:
with:
go-version: "1.21"
- name: Initialize CodeQL
uses: github/codeql-action/init@f079b8493333aace61c81488f8bd40919487bd9f # tag=v3.25.7
uses: github/codeql-action/init@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # tag=v3.25.8
with:
languages: go
- name: Run tidy
run: go mod tidy
- name: Build CLI
run: make build
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@f079b8493333aace61c81488f8bd40919487bd9f # tag=v3.25.7
uses: github/codeql-action/analyze@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # tag=v3.25.8
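Review bot: the `# tag=v3.25.8` comments next to `init` and `analyze` are informational only; the workflow runs whatever `2e230e8fe0ad3a14a340ad0815ddb96d599d2aff` resolves to, so confirm that SHA is the commit the v3.25.8 tag points at before merging. Pinning by full SHA and moving both references together, as done here, is the right pattern for a workflow that uploads code-scanning results.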
2 changes: 1 addition & 1 deletion .github/workflows/release.yml
@@ -26,7 +26,7 @@ jobs:
go-version: '1.21'

- name: Goreleaser
uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
with:
version: '1.18.0'
args: release --rm-dist
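Review bot: this is a major bump of `goreleaser/goreleaser-action` (v5.1.0 to v6.0.0) rather than a patch bump, so the v6 release notes should be checked against the lines that did not change, `version: '1.18.0'` and `args: release --rm-dist`, since a major action release may alter how `version` is resolved or which arguments it passes through. As with the CodeQL bump, verify that `286f3b13b1b49da4ac219696163fb8c1c93e1200` is really the commit behind the v6.0.0 tag.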
2 changes: 1 addition & 1 deletion .github/workflows/scorecards.yml
@@ -48,6 +48,6 @@ jobs:
retention-days: 5

- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@f079b8493333aace61c81488f8bd40919487bd9f # tag=v3.25.7
uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # tag=v3.25.8
with:
sarif_file: results.sarif
2 changes: 2 additions & 0 deletions Makefile
@@ -592,6 +592,7 @@ e2e-helm-deploy-ratify:
--set notationCerts[0]="$$(cat ~/.config/notation/localkeys/ratify-bats-test.crt)" \
--set cosignKeys[0]="$$(cat .staging/cosign/cosign.pub)" \
--set cosign.key="$$(cat .staging/cosign/cosign.pub)" \
--set cosign.tLogVerify=false \
--set oras.useHttp=true \
--set-file dockerConfig="mount_config.json" \
--set logger.level=debug
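Review bot: `--set cosign.tLogVerify=false` switches off transparency-log verification for the e2e deployment, presumably because signatures made with the locally generated `.staging/cosign/cosign.pub` key are never recorded in Rekor, but nothing on the line says so; add a trailing comment tying the flag to the local test key so it is not copied into a production values file.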
@@ -611,6 +612,7 @@ e2e-helm-deploy-ratify-without-tls-certs:
--set notaryCert="$$(cat ~/.config/notation/localkeys/ratify-bats-test.crt)" \
--set cosign.key="$$(cat .staging/cosign/cosign.pub)" \
--set cosignKeys[0]="$$(cat .staging/cosign/cosign.pub)" \
--set cosign.tLogVerify=false \
--set oras.useHttp=true \
--set-file dockerConfig="mount_config.json" \
--set logger.level=debug
@@ -785,7 +785,7 @@ Recording: https://youtu.be/vn_GOUXZGhw

### Presentation/Discussion Agenda Items:
- [Akash]How do we handle breaking changes that require a change to the README? (Akash) From last week
[Susan] Maybe link to github page something like https://deislabs.github.io/ratify/getting-started.html? how does csi driver maintain its docs ? https://secrets-store-csi-driver.sigs.k8s.io/getting-started/getting-started.html
[Susan] Maybe link to github page something like https://ratify-project.github.io/ratify/getting-started.html? how does csi driver maintain its docs ? https://secrets-store-csi-driver.sigs.k8s.io/getting-started/getting-started.html
[Sajay] Not sure if external doc will have maintainance overhead. We can add a link to the quickstart that is pinned to a released version for now.
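Review bot: changing a URL inside an archived meeting note alters the record of what was said at the time; if the `deislabs.github.io` address no longer resolves, a bracketed editorial note or a redirect keeps the original intact while still pointing readers somewhere live. Since the file is being touched, `maintainance` on the Sajay line is also a typo.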

- [Akash] Cosign auth support: https://hackmd.io/@akashsinghal/rks7vlOps
9 changes: 8 additions & 1 deletion charts/ratify/README.md
@@ -3,7 +3,7 @@
## Get Repo Info

```console
helm repo add ratify https://deislabs.github.io/ratify
helm repo add ratify https://ratify-project.github.io/ratify
helm repo update
```

@@ -51,6 +51,13 @@ Values marked `# DEPRECATED` in the `values.yaml` as well as **DEPRECATED** in t
| cosignKeys | An array of public keys used to create inline key management providers used by Cosign verifier | `[]` |
| cosign.enabled | Enables/disables cosign tag-based signature lookup in ORAS store. MUST be set to true for cosign verification. | `true` |
| cosign.scopes | An array of scopes relevant to the single trust policy configured in Cosign verifier. A scope of '*' is a global wildcard character to represent all images apply. | `["*"]` |
| cosign.rekorURL | URL string reference to remote rekor server. If not specified, implementation will default to use Rekor public good instance `https://rekor.sigstore.dev`. | `` |
| cosign.tLogVerify | Enables/disables verification of presence of signature in Transparency log. | `true` |
| cosign.keyless.ctLogVerify | Enables/disables verification of presence of Secure Certificate Timestamp (SCT) in transparency log | `true` |
| cosign.keyless.certificateIdentity | String certificate identity used for exact identity match during verification. Either `certificateIdentity` or `certificateIdentityRegExp` MUST be defined, but both cannot be defined at together | `` |
| cosign.keyless.certificateIdentityRegExp | String certificate identity regular expression for identity matching during verification. Accepts the Go regular expression syntax described at https://golang.org/s/re2syntax. Either `certificateIdentity` or `certificateIdentityRegExp` MUST be defined, but both cannot be defined together | `` |
| cosign.keyless.certificateOIDCIssuer | String certificate OIDC issuer for exact issuer matching during verification. Either `certificateOIDCIssuer` or `certificateOIDCIssuerRegExp` MUST be defined, but both cannot be defined together | `` |
| cosign.keyless.certificateOIDCIssuerRegExp | String certificate OIDC issuer regular expression for issuer matching during verification. Accepts the Go regular expression syntax described at https://golang.org/s/re2syntax. Either `certificateOIDCIssuer` or `certificateOIDCIssuerRegExp` MUST be defined, but both cannot be defined together | `` |
| vulnerabilityreport.enabled | Enables/disables installation of vulnerability report verifier | `false` |
| vulnerabilityreport.passthrough | Enables/disables passthrough. All validation except `maximumAge` are disregarded and report content is added to verifier report | `false` |
| vulnerabilityreport.schemaURL | URL for JSON schema to validate report against | `` |
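Review bot: the `cosign.keyless.certificateIdentity` row says "both cannot be defined at together"; drop "at" to match the other three rows. More importantly, the table does not state that `tLogVerify`, `rekorURL` and the `cosign.keyless.*` values are only rendered when the chart is not in legacy (`cosign.key`) mode, nor that the new default `tLogVerify: true` will fail signatures that have no Rekor entry; an operator upgrading from the previous chart needs both facts in the README.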
16 changes: 16 additions & 0 deletions charts/ratify/templates/_helpers.tpl
@@ -146,4 +146,20 @@ Set the namespace exclusions for Assign
{{- if and (ne .Release.Namespace $gkNamespace) (ne .Release.Namespace "kube-system") }}
- {{ .Release.Namespace | quote}}
{{- end }}
{{- end }}

{{/*
Choose cosign legacy or not. Determined by if cosignKeys are provided or not
OR if azurekeyvault is enabled and keys are provided
OR if keyless is enabled and certificateIdentity, certificateIdentityRegExp, certificateOIDCIssuer, or certificateOIDCIssuerExp are provided
*/}}
{{- define "ratify.cosignLegacy" -}}
{{- $cosignKeysPresent := gt (len .Values.cosignKeys) 0 -}}
{{- $azureKeyVaultEnabled := .Values.azurekeyvault.enabled -}}
{{- $azureKeyVaultKeysPresent := gt (len .Values.azurekeyvault.keys) 0 -}}
{{- if or $cosignKeysPresent (and $azureKeyVaultEnabled $azureKeyVaultKeysPresent) .Values.cosign.keyless.certificateIdentity .Values.cosign.keyless.certificateIdentityRegExp .Values.cosign.keyless.certificateOIDCIssuer .Values.cosign.keyless.certificateOIDCIssuerExp -}}
false
{{- else }}
true
{{- end }}
{{- end }}
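Review bot: the `or` condition in `ratify.cosignLegacy` tests `.Values.cosign.keyless.certificateOIDCIssuerExp`, but the value defined in `values.yaml` and consumed by `verifier.yaml` is `certificateOIDCIssuerRegExp`; the misspelt key resolves to nil, so a user who sets only the issuer regexp is silently left in legacy mode. The same typo is in the doc comment above the define. Also consider making the return value whitespace-safe: the `{{- else }}` branch emits a leading newline before `true`, so a caller comparing the include against `"true"` with `eq` would get false; `{{- else -}}` keeps both branches symmetric.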
12 changes: 11 additions & 1 deletion charts/ratify/templates/verifier.yaml
@@ -50,7 +50,7 @@ spec:
name: cosign
artifactTypes: application/vnd.dev.cosign.artifact.sig.v1+json
parameters:
{{- if or (gt (len .Values.cosignKeys) 0) (and .Values.azurekeyvault.enabled (gt (len .Values.azurekeyvault.keys) 0)) }}
{{- if (eq (include "ratify.cosignLegacy" .) "false") }}
trustPolicies:
- name: default
version: 1.0.0
@@ -65,6 +65,16 @@ spec:
{{- if and .Values.azurekeyvault.enabled (gt (len .Values.azurekeyvault.keys) 0) }}
- provider: kmprovider-akv
{{- end }}
tLogVerify: {{ .Values.cosign.tLogVerify }}
rekorURL: {{ .Values.cosign.rekorURL }}
{{- if or .Values.cosign.keyless.certificateIdentity .Values.cosign.keyless.certificateIdentityRegExp .Values.cosign.keyless.certificateOIDCIssuer .Values.cosign.keyless.certificateOIDCIssuerRegExp }}
keyless:
ctLogVerify: {{ .Values.cosign.keyless.ctLogVerify }}
certificateIdentity: {{ .Values.cosign.keyless.certificateIdentity }}
certificateIdentityRegExp: {{ .Values.cosign.keyless.certificateIdentityRegExp }}
certificateOIDCIssuer: {{ .Values.cosign.keyless.certificateOIDCIssuer }}
certificateOIDCIssuerRegExp: {{ .Values.cosign.keyless.certificateOIDCIssuerRegExp }}
{{- end }}
{{- else }}
key: /usr/local/ratify-certs/cosign/cosign.pub
{{- end }}
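Review bot: `rekorURL`, `certificateIdentity`, `certificateIdentityRegExp`, `certificateOIDCIssuer` and `certificateOIDCIssuerRegExp` are rendered unquoted, so an empty `rekorURL` becomes a YAML null rather than `""`, and an identity or regexp value beginning with a character such as `*`, `[` or `{`, or containing ` #`, can break the manifest or be reinterpreted by YAML; pipe each string value through `| quote`. `tLogVerify` is a boolean and is fine as is, but `rekorURL` is emitted even when empty, which pushes the empty-versus-unset distinction onto the verifier code.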
9 changes: 9 additions & 0 deletions charts/ratify/values.yaml
@@ -16,6 +16,15 @@ cosign:
enabled: true
scopes: ["*"] # corresponds to a single trust policy
key: "" # DEPRECATED: Use cosignKeys instead
rekorURL: ""
tLogVerify: true
keyless:
ctLogVerify: true
certificateIdentity: ""
certificateIdentityRegExp: ""
certificateOIDCIssuer: ""
certificateOIDCIssuerRegExp: ""

vulnerabilityreport:
enabled: false
passthrough: false
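Review bot: `tLogVerify: true` and `keyless.ctLogVerify: true` are the secure defaults, but they change behaviour for anyone currently verifying with inline keys whose signatures were never uploaded to Rekor (the Makefile in this same change has to pass `cosign.tLogVerify=false` for exactly that reason); call this out in the chart changelog as a breaking default. Defaulting `rekorURL: ""` to the public-good instance, as the README describes, is reasonable, but air-gapped users will need both the `rekorURL` override and the required egress documented.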
@@ -11,4 +11,5 @@ spec:
scopes:
- "*"
keys:
- provider: ratify-cosign-inline-key-0
- provider: ratify-cosign-inline-key-0
tLogVerify: false
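Review bot: the sample turns `tLogVerify` off without a comment; a one-line remark that this is because the inline key's signatures are not recorded in Rekor would stop the sample being copied as-is into a cluster that should verify against the log. The `- provider:` line is also removed and re-added with only whitespace changed, so the indentation moved; confirm that `tLogVerify` ends up a sibling of `keys` and not a child of it.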
@@ -12,3 +12,4 @@ spec:
- "*"
keys:
- provider: default/ratify-cosign-inline-key-0
tLogVerify: false
10 changes: 5 additions & 5 deletions dev.helmfile.yaml
@@ -2,9 +2,9 @@ repositories:
- name: gatekeeper
url: https://open-policy-agent.github.io/gatekeeper/charts
- name: ratify
url: ghcr.io/deislabs/ratify-chart-dev # PRERELEASE: Change to 'https://deislabs.github.io/ratify' before copying to helmfile.yaml
url: ghcr.io/deislabs/ratify-chart-dev # PRERELEASE: Change to 'https://ratify-project.github.io/ratify' before copying to helmfile.yaml
oci: true # PRERELEASE: Remove before copying to helmfile.yaml

releases:
- name: gatekeeper
namespace: gatekeeper-system
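Review bot: only the comment moved to the new `ratify-project.github.io` address; the live `url` still points at `ghcr.io/deislabs/ratify-chart-dev`, so dev installs keep pulling the OCI chart from the old organisation. If the GHCR namespace is moving too, this is the line to change; if not, say so in the comment so the mismatch does not read as an oversight.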
@@ -34,22 +34,22 @@ releases:
command: "bash"
args:
- "-c"
- "kubectl apply -f https://deislabs.github.io/ratify/library/default/template.yaml && kubectl apply -f https://deislabs.github.io/ratify/library/default/samples/constraint.yaml"
- "kubectl apply -f https://ratify-project.github.io/ratify/library/default/template.yaml && kubectl apply -f https://ratify-project.github.io/ratify/library/default/samples/constraint.yaml"
- events: ["postuninstall"]
showlogs: true
command: "kubectl"
args:
- "delete"
- "-f"
- "https://deislabs.github.io/ratify/library/default/template.yaml"
- "https://ratify-project.github.io/ratify/library/default/template.yaml"
- "--ignore-not-found=true"
- events: ["postuninstall"]
showlogs: true
command: "kubectl"
args:
- "delete"
- "-f"
- "https://deislabs.github.io/ratify/library/default/samples/constraint.yaml"
- "https://ratify-project.github.io/ratify/library/default/samples/constraint.yaml"
- "--ignore-not-found=true"
- events: ["postuninstall"]
showlogs: true
10 changes: 5 additions & 5 deletions dev.high-availability.helmfile.yaml
@@ -6,9 +6,9 @@ repositories:
- name: bitnami
url: https://charts.bitnami.com/bitnami
- name: ratify
url: ghcr.io/deislabs/ratify-chart-dev # PRERELEASE: Change to 'https://deislabs.github.io/ratify' before copying to helmfile.yaml
url: ghcr.io/deislabs/ratify-chart-dev # PRERELEASE: Change to 'https://ratify-project.github.io/ratify' before copying to helmfile.yaml
oci: true # PRERELEASE: Remove before copying to helmfile.yaml

releases:
- name: dapr
namespace: dapr-system
@@ -78,7 +78,7 @@ releases:
command: "bash"
args:
- "-c"
- "kubectl apply -f https://deislabs.github.io/ratify/library/default/template.yaml && kubectl apply -f https://deislabs.github.io/ratify/library/default/samples/constraint.yaml"
- "kubectl apply -f https://ratify-project.github.io/ratify/library/default/template.yaml && kubectl apply -f https://ratify-project.github.io/ratify/library/default/samples/constraint.yaml"
- events: ["postuninstall"]
showlogs: true
command: "kubectl"
@@ -105,15 +105,15 @@ releases:
args:
- "delete"
- "-f"
- "https://deislabs.github.io/ratify/library/default/template.yaml"
- "https://ratify-project.github.io/ratify/library/default/template.yaml"
- "--ignore-not-found=true"
- events: ["postuninstall"]
showlogs: true
command: "kubectl"
args:
- "delete"
- "-f"
- "https://deislabs.github.io/ratify/library/default/samples/constraint.yaml"
- "https://ratify-project.github.io/ratify/library/default/samples/constraint.yaml"
- "--ignore-not-found=true"
- events: ["postuninstall"]
showlogs: true
8 changes: 4 additions & 4 deletions helmfile.yaml
@@ -2,7 +2,7 @@ repositories:
- name: gatekeeper
url: https://open-policy-agent.github.io/gatekeeper/charts
- name: ratify
url: https://deislabs.github.io/ratify
url: https://ratify-project.github.io/ratify

releases:
- name: gatekeeper
@@ -33,22 +33,22 @@ releases:
command: "bash"
args:
- "-c"
- "kubectl apply -f https://deislabs.github.io/ratify/library/default/template.yaml && kubectl apply -f https://deislabs.github.io/ratify/library/default/samples/constraint.yaml"
- "kubectl apply -f https://ratify-project.github.io/ratify/library/default/template.yaml && kubectl apply -f https://ratify-project.github.io/ratify/library/default/samples/constraint.yaml"
- events: ["postuninstall"]
showlogs: true
command: "kubectl"
args:
- "delete"
- "-f"
- "https://deislabs.github.io/ratify/library/default/template.yaml"
- "https://ratify-project.github.io/ratify/library/default/template.yaml"
- "--ignore-not-found=true"
- events: ["postuninstall"]
showlogs: true
command: "kubectl"
args:
- "delete"
- "-f"
- "https://deislabs.github.io/ratify/library/default/samples/constraint.yaml"
- "https://ratify-project.github.io/ratify/library/default/samples/constraint.yaml"
- "--ignore-not-found=true"
- events: ["postuninstall"]
showlogs: true
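Review bot: the install hook `kubectl apply -f https://ratify-project.github.io/ratify/library/default/template.yaml && kubectl apply -f .../samples/constraint.yaml` fetches the constraint template and constraint from a web host at install time, with nothing tying them to the chart version being installed, so the admission policy applied to the cluster can change underneath a pinned release. While the host is being changed anyway, consider pointing at a versioned path or vendoring the two YAML files into the chart so what gets applied is what was reviewed.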
8 changes: 4 additions & 4 deletions high-availability.helmfile.yaml
@@ -6,7 +6,7 @@ repositories:
- name: bitnami
url: https://charts.bitnami.com/bitnami
- name: ratify
url: https://deislabs.github.io/ratify
url: https://ratify-project.github.io/ratify

releases:
- name: dapr
@@ -77,7 +77,7 @@ releases:
command: "bash"
args:
- "-c"
- "kubectl apply -f https://deislabs.github.io/ratify/library/default/template.yaml && kubectl apply -f https://deislabs.github.io/ratify/library/default/samples/constraint.yaml"
- "kubectl apply -f https://ratify-project.github.io/ratify/library/default/template.yaml && kubectl apply -f https://ratify-project.github.io/ratify/library/default/samples/constraint.yaml"
- events: ["postuninstall"]
showlogs: true
command: "kubectl"
@@ -104,15 +104,15 @@ releases:
args:
- "delete"
- "-f"
- "https://deislabs.github.io/ratify/library/default/template.yaml"
- "https://ratify-project.github.io/ratify/library/default/template.yaml"
- "--ignore-not-found=true"
- events: ["postuninstall"]
showlogs: true
command: "kubectl"
args:
- "delete"
- "-f"
- "https://deislabs.github.io/ratify/library/default/samples/constraint.yaml"
- "https://ratify-project.github.io/ratify/library/default/samples/constraint.yaml"
- "--ignore-not-found=true"
- events: ["postuninstall"]
showlogs: true
2 changes: 1 addition & 1 deletion library/default/customazurepolicy.json
@@ -106,7 +106,7 @@
"details": {
"templateInfo": {
"sourceType": "PublicURL",
"url": "https://deislabs.github.io/ratify/library/default/template.yaml"
"url": "https://ratify-project.github.io/ratify/library/default/template.yaml"
},
"apiGroups": [
""
0 comments on commit 9c534dc
