diff --git a/.github/workflows/build-pr.yml b/.github/workflows/build-pr.yml index 272f4333e..f3c43e693 100644 --- a/.github/workflows/build-pr.yml +++ b/.github/workflows/build-pr.yml @@ -24,8 +24,8 @@ jobs: strategy: fail-fast: false matrix: - KUBERNETES_VERSION: ["1.29.2"] - GATEKEEPER_VERSION: ["3.17.0"] + KUBERNETES_VERSION: ["1.30.6"] + GATEKEEPER_VERSION: ["3.18.0"] uses: ./.github/workflows/e2e-k8s.yml with: k8s_version: ${{ matrix.KUBERNETES_VERSION }} @@ -37,8 +37,8 @@ jobs: strategy: fail-fast: false matrix: - KUBERNETES_VERSION: ["1.28.12", "1.29.2"] - GATEKEEPER_VERSION: ["3.15.0", "3.16.0", "3.17.0"] + KUBERNETES_VERSION: ["1.29.10", "1.30.6"] + GATEKEEPER_VERSION: ["3.16.0", "3.17.0", "3.18.0"] uses: ./.github/workflows/e2e-k8s.yml with: k8s_version: ${{ matrix.KUBERNETES_VERSION }} @@ -53,8 +53,8 @@ jobs: strategy: fail-fast: false matrix: - KUBERNETES_VERSION: ["1.28.12", "1.29.2"] - GATEKEEPER_VERSION: ["3.15.0", "3.16.0", "3.17.0"] + KUBERNETES_VERSION: ["1.29.10", "1.30.6"] + GATEKEEPER_VERSION: ["3.16.0", "3.17.0", "3.18.0"] uses: ./.github/workflows/e2e-aks.yml with: k8s_version: ${{ matrix.KUBERNETES_VERSION }} @@ -70,14 +70,14 @@ jobs: environment: azure-test steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit - name: Check out code into the Go module directory uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up Go 1.22 - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 + uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 with: go-version: "1.22" diff --git a/.github/workflows/cache-cleanup.yml b/.github/workflows/cache-cleanup.yml index 46042f7f1..af26b9253 100644 --- a/.github/workflows/cache-cleanup.yml +++ b/.github/workflows/cache-cleanup.yml 
@@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit diff --git a/.github/workflows/clean-dev-package.yml b/.github/workflows/clean-dev-package.yml index 0a53bd8d0..0cbdbb534 100644 --- a/.github/workflows/clean-dev-package.yml +++ b/.github/workflows/clean-dev-package.yml @@ -13,7 +13,7 @@ jobs: packages: write steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index edbb6eea1..a0bb75e4f 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -26,18 +26,18 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=3.0.2 - name: setup go environment - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 + uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 with: go-version: "1.22" - name: Initialize CodeQL - uses: github/codeql-action/init@396bb3e45325a47dd9ef434068033c6d5bb0d11a # tag=v3.27.3 + uses: github/codeql-action/init@df409f7d9260372bd5f19e5b04e83cb3c43714ae # tag=v3.27.9 with: languages: go - name: Run tidy 
@@ -45,4 +45,4 @@ jobs: - name: Build CLI run: make build - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@396bb3e45325a47dd9ef434068033c6d5bb0d11a # tag=v3.27.3 + uses: github/codeql-action/analyze@df409f7d9260372bd5f19e5b04e83cb3c43714ae # tag=v3.27.9 diff --git a/.github/workflows/e2e-aks.yml b/.github/workflows/e2e-aks.yml index 2cb7fbdf4..82cd13ed2 100644 --- a/.github/workflows/e2e-aks.yml +++ b/.github/workflows/e2e-aks.yml @@ -9,12 +9,12 @@ on: k8s_version: description: "Kubernetes version" required: true - default: "1.29.2" + default: "1.30.6" type: string gatekeeper_version: description: "Gatekeeper version" required: true - default: "3.17.0" + default: "3.18.0" type: string jobs: @@ -28,14 +28,14 @@ jobs: contents: read steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit - name: Check out code into the Go module directory uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up Go 1.22 - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 + uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 with: go-version: "1.22" - name: Az CLI login diff --git a/.github/workflows/e2e-cli.yml b/.github/workflows/e2e-cli.yml index 5a2366f34..c301c58ee 100644 --- a/.github/workflows/e2e-cli.yml +++ b/.github/workflows/e2e-cli.yml @@ -14,7 +14,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit 
@@ -34,14 +34,14 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - name: setup go environment - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 + uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 with: go-version: "1.22" - name: Run tidy @@ -51,7 +51,7 @@ jobs: - name: Check build run: bin/ratify version - name: Upload coverage to codecov.io - uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0 + uses: codecov/codecov-action@7f8b4b4bde536c465e797be725718b88c5d95e0e # v5.1.1 with: token: ${{ secrets.CODECOV_TOKEN }} - name: Run helm lint @@ -63,14 +63,14 @@ jobs: contents: read steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: setup go environment - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 + uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 with: go-version: "1.22" - name: Run tidy 
@@ -86,14 +86,14 @@ jobs: make install ratify-config install-bats make test-e2e-cli GOCOVERDIR=${GITHUB_WORKSPACE}/test/e2e/.cover - name: Upload coverage to codecov.io - uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0 + uses: codecov/codecov-action@7f8b4b4bde536c465e797be725718b88c5d95e0e # v5.1.1 with: token: ${{ secrets.CODECOV_TOKEN }} markdown-link-check: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit diff --git a/.github/workflows/e2e-k8s.yml b/.github/workflows/e2e-k8s.yml index 2d911b56b..9d6465244 100644 --- a/.github/workflows/e2e-k8s.yml +++ b/.github/workflows/e2e-k8s.yml @@ -9,12 +9,12 @@ on: k8s_version: description: "Kubernetes version" required: true - default: "1.29.2" + default: "1.30.6" type: string gatekeeper_version: description: "Gatekeeper version" required: true - default: "3.17.0" + default: "3.18.0" type: string jobs: @@ -26,14 +26,14 @@ jobs: contents: read steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit - name: Check out code into the Go module directory uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up Go 1.22 - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 + uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 with: go-version: "1.22" - name: Restore Trivy cache diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml index f6eaa9331..d74fea83b 100644 --- a/.github/workflows/golangci-lint.yml +++ b/.github/workflows/golangci-lint.yml 
@@ -15,16 +15,16 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit - - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 + - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 with: go-version: "1.22" - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: golangci-lint uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1 with: - version: v1.59.1 + version: v1.62.2 args: --timeout=10m diff --git a/.github/workflows/high-availability.yml b/.github/workflows/high-availability.yml index be5281354..d4326df6b 100644 --- a/.github/workflows/high-availability.yml +++ b/.github/workflows/high-availability.yml @@ -27,17 +27,17 @@ jobs: contents: read strategy: matrix: - DAPR_VERSION: ["1.13.2"] + DAPR_VERSION: ["1.14.4"] steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit - name: Check out code into the Go module directory uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up Go 1.22 - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 + uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 with: go-version: "1.22" diff --git a/.github/workflows/pr-to-main.yml b/.github/workflows/pr-to-main.yml index 325158903..df966cf9e 100644 --- a/.github/workflows/pr-to-main.yml +++ b/.github/workflows/pr-to-main.yml 
@@ -13,7 +13,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit diff --git a/.github/workflows/publish-charts.yml b/.github/workflows/publish-charts.yml index fd1d16a25..aa2069e47 100644 --- a/.github/workflows/publish-charts.yml +++ b/.github/workflows/publish-charts.yml @@ -13,7 +13,7 @@ jobs: contents: write steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit diff --git a/.github/workflows/publish-cosign-sample.yml b/.github/workflows/publish-cosign-sample.yml index 36f3a897c..e2064dbf9 100644 --- a/.github/workflows/publish-cosign-sample.yml +++ b/.github/workflows/publish-cosign-sample.yml @@ -20,7 +20,7 @@ jobs: id-token: write steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit diff --git a/.github/workflows/publish-dev-assets.yml b/.github/workflows/publish-dev-assets.yml index 0426b2bf7..4e4d1bf65 100644 --- a/.github/workflows/publish-dev-assets.yml +++ b/.github/workflows/publish-dev-assets.yml @@ -17,7 +17,7 @@ jobs: environment: azure-publish steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit - name: Checkout 
@@ -37,6 +37,10 @@ jobs: az version # Key Vault: az account get-access-token --scope https://vault.azure.net/.default --output none + - name: Prepare notation certificate + run: | + mkdir -p truststore/x509/ca/ratify-verify + cp ./.well-known/pki-validation/ratify-verification.crt truststore/x509/ca/ratify-verify - name: prepare id: prepare run: | @@ -69,7 +73,7 @@ jobs: docker buildx build \ --attest type=sbom \ --attest type=provenance,mode=max \ - --build-arg KUBE_VERSION="1.29.2" \ + --build-arg KUBE_VERSION="1.30.6" \ -f crd.Dockerfile \ --platform linux/amd64,linux/arm64,linux/arm/v7 \ --label org.opencontainers.image.revision=${{ github.sha }} \ 
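Review bot: The new "Prepare notation certificate" step hard-codes the trust store layout `truststore/x509/ca/ratify-verify`, and nothing in the hunk records that the last path segment has to equal the store name `ca:ratify-verify` referenced from `.well-known/pki-validation/trustpolicy.json`, nor that the same two lines are duplicated verbatim in publish-package.yml. A comment above the `mkdir`, `# directory name must match "trustStores": ["ca:ratify-verify"] in trustpolicy.json`, would keep the two from drifting; a shared composite action would remove the duplication. The `--build-arg KUBE_VERSION="1.30.6"` in the second hunk is another copy of a value the Makefile already owns as `KUBERNETES_VERSION`, so the next bump has one more place to miss.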
@@ -138,6 +142,44 @@ jobs: cosign sign --yes ${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }} cosign sign --yes ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversionrolling }} cosign sign --yes ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversion }} + - name: Verify with Notation + uses: notaryproject/notation-action/verify@03242349f62aeddc995e12c6fbcea3b87697873f # v1.2.0 + with: + target_artifact_reference: |- + ${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }} + ${{ steps.prepare.outputs.baseref }}:${{ steps.prepare.outputs.version }} + ${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }} + ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversionrolling }} + ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversion }} + trust_policy: ./.well-known/pki-validation/trustpolicy.json + trust_store: truststore + - name: Verify with Cosign + run: | + cosign verify \ + --certificate-identity-regexp "https://github.com/ratify-project/ratify/.github/workflows/publish-dev-assets.yml@*" \ + --certificate-oidc-issuer https://token.actions.githubusercontent.com \ + --certificate-github-workflow-repository ratify-project/ratify \ + ${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }} + cosign verify \ + --certificate-identity-regexp "https://github.com/ratify-project/ratify/.github/workflows/publish-dev-assets.yml@*" \ + --certificate-oidc-issuer https://token.actions.githubusercontent.com \ + --certificate-github-workflow-repository ratify-project/ratify \ + ${{ steps.prepare.outputs.baseref }}:${{ steps.prepare.outputs.version }} + cosign verify \ + --certificate-identity-regexp "https://github.com/ratify-project/ratify/.github/workflows/publish-dev-assets.yml@*" \ + --certificate-oidc-issuer https://token.actions.githubusercontent.com \ + --certificate-github-workflow-repository 
ratify-project/ratify \ + ${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }} + cosign verify \ + --certificate-identity-regexp "https://github.com/ratify-project/ratify/.github/workflows/publish-dev-assets.yml@*" \ + --certificate-oidc-issuer https://token.actions.githubusercontent.com \ + --certificate-github-workflow-repository ratify-project/ratify \ + ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversionrolling }} + cosign verify \ + --certificate-identity-regexp "https://github.com/ratify-project/ratify/.github/workflows/publish-dev-assets.yml@*" \ + --certificate-oidc-issuer https://token.actions.githubusercontent.com \ + --certificate-github-workflow-repository ratify-project/ratify \ + ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversion }} - name: clear if: always() run: | diff --git a/.github/workflows/publish-package.yml b/.github/workflows/publish-package.yml index 11bee4cee..e8036f28a 100644 --- a/.github/workflows/publish-package.yml +++ b/.github/workflows/publish-package.yml 
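Review bot: The `--certificate-identity-regexp` value in the new "Verify with Cosign" step is a regular expression, but its dots are unescaped and the trailing `@*` means "zero or more `@` characters" rather than "anything after `@`"; it only accepts the intended `...publish-dev-assets.yml@refs/heads/<branch>` identities because cosign's regexp match is not anchored, which also lets it accept any identity that merely contains that substring. Anchoring and escaping makes the check say what it means: `--certificate-identity-regexp '^https://github\.com/ratify-project/ratify/\.github/workflows/publish-dev-assets\.yml@.+$'`, or the exact ref this workflow runs from if that is fixed. The same pattern appears in all five invocations here and in the three added to publish-package.yml, so a shell loop over the references would keep the flags in one place. Since this step verifies signatures produced moments earlier by the same job, it is a smoke test of the signing pipeline rather than an independent trust decision; a one-line comment saying so would help the next reader.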
@@ -14,13 +14,34 @@ jobs: permissions: packages: write contents: read + id-token: write + environment: azure-publish steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 + - name: Install Notation + uses: notaryproject/notation-action/setup@03242349f62aeddc995e12c6fbcea3b87697873f # v1.2.0 + - name: Install cosign + uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 + - name: Az CLI login + uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + - name: Cache AAD tokens + run: | + az version + # Key Vault: + az account get-access-token --scope https://vault.azure.net/.default --output none + - name: Prepare notation certificate + run: | + mkdir -p truststore/x509/ca/ratify-verify + cp ./.well-known/pki-validation/ratify-verification.crt truststore/x509/ca/ratify-verify - name: prepare id: prepare run: | @@ -51,7 +72,7 @@ jobs: docker buildx build \ --attest type=sbom \ --attest type=provenance,mode=max \ - --build-arg KUBE_VERSION="1.29.2" \ + --build-arg KUBE_VERSION="1.30.6" \ -f crd.Dockerfile \ --platform linux/amd64,linux/arm64,linux/arm/v7 \ --label org.opencontainers.image.revision=${{ github.sha }} \ 
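Review bot: The job now carries `id-token: write`, Azure credentials and access to the Key Vault signing key, but nothing in the permissions block says why the token scope was added; a comment such as `# id-token: write — OIDC for azure/login and cosign keyless signing` keeps a later cleanup from dropping it and breaking signing. With signing credentials on this job, the inherited `egress-policy: audit` on Harden Runner only logs outbound traffic; `egress-policy: block` with an `allowed-endpoints` list is the stronger setting for a publishing job specifically. The "Prepare notation certificate" step is copied verbatim from publish-dev-assets.yml, and its directory name has to stay in sync with the `ca:ratify-verify` store in trustpolicy.json.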
@@ -83,6 +104,49 @@ jobs: --label org.opencontainers.image.revision=${{ github.sha }} \ -t ${{ steps.prepare.outputs.ref }} \ --push . + - name: Sign with Notation + uses: notaryproject/notation-action/sign@03242349f62aeddc995e12c6fbcea3b87697873f # v1.2.0 + with: + plugin_name: azure-kv + plugin_url: ${{ vars.AZURE_KV_PLUGIN_URL }} + plugin_checksum: ${{ vars.AZURE_KV_CHECKSUM }} + key_id: ${{ secrets.AZURE_KV_KEY_ID }} + target_artifact_reference: |- + ${{ steps.prepare.outputs.crdref }} + ${{ steps.prepare.outputs.baseref }} + ${{ steps.prepare.outputs.ref }} + signature_format: cose + - name: Sign with Cosign + run: | + cosign sign --yes ${{ steps.prepare.outputs.crdref }} + cosign sign --yes ${{ steps.prepare.outputs.baseref }} + cosign sign --yes ${{ steps.prepare.outputs.ref }} + - name: Verify with Notation + uses: notaryproject/notation-action/verify@03242349f62aeddc995e12c6fbcea3b87697873f # v1.2.0 + with: + target_artifact_reference: |- + ${{ steps.prepare.outputs.crdref }} + ${{ steps.prepare.outputs.baseref }} + ${{ steps.prepare.outputs.ref }} + trust_policy: ./.well-known/pki-validation/trustpolicy.json + trust_store: truststore + - name: Verify with Cosign + run: | + cosign verify \ + --certificate-identity-regexp "https://github.com/ratify-project/ratify/.github/workflows/publish-package.yml@*" \ + --certificate-oidc-issuer https://token.actions.githubusercontent.com \ + --certificate-github-workflow-repository ratify-project/ratify \ + ${{ steps.prepare.outputs.crdref }} + cosign verify \ + --certificate-identity-regexp "https://github.com/ratify-project/ratify/.github/workflows/publish-package.yml@*" \ + --certificate-oidc-issuer https://token.actions.githubusercontent.com \ + --certificate-github-workflow-repository ratify-project/ratify \ + ${{ steps.prepare.outputs.baseref }} + cosign verify \ + --certificate-identity-regexp "https://github.com/ratify-project/ratify/.github/workflows/publish-package.yml@*" \ + --certificate-oidc-issuer 
https://token.actions.githubusercontent.com \ + --certificate-github-workflow-repository ratify-project/ratify \ + ${{ steps.prepare.outputs.ref }} - name: clear if: always() run: | diff --git a/.github/workflows/publish-sample.yml b/.github/workflows/publish-sample.yml index 52981797d..54a2157a2 100644 --- a/.github/workflows/publish-sample.yml +++ b/.github/workflows/publish-sample.yml @@ -19,7 +19,7 @@ jobs: packages: write steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit diff --git a/.github/workflows/quick-start.yml b/.github/workflows/quick-start.yml index 1655d725f..c8c224c64 100644 --- a/.github/workflows/quick-start.yml +++ b/.github/workflows/quick-start.yml @@ -27,17 +27,17 @@ jobs: contents: read strategy: matrix: - KUBERNETES_VERSION: ["1.29.2"] + KUBERNETES_VERSION: ["1.30.6"] steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: setup go environment - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 + uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 with: go-version: "1.22" - name: Run tidy diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5479ad24c..23ad45fd4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -16,7 +16,7 @@ jobs: contents: write steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit 
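Review bot: Both new signing steps sign the references that `docker buildx build -t` was given, which from the `-t ${{ steps.prepare.outputs.ref }}` line above appear to be tag references; cosign and notation resolve the tag at signing time and warn about it, and a concurrent push to the same tag between build and sign would attach the signature to a different image. Capturing the digest from buildx (`--metadata-file meta.json`, then `containerimage.digest` from that file) and signing `repo@sha256:...` makes the signed subject unambiguous, e.g. `cosign sign --yes "${{ steps.prepare.outputs.ref }}@$(jq -r '."containerimage.digest"' meta.json)"`. The "Verify with Cosign" step then confirms the signature the same job just produced, which is a useful smoke test but not an independent trust decision; a short comment stating that intent would avoid it being mistaken for one.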
@@ -26,10 +26,10 @@ jobs: fetch-depth: 0 - name: Install Syft - uses: anchore/sbom-action/download-syft@fc46e51fd3cb168ffb36c6d1915723c47db58abb # v0.17.7 + uses: anchore/sbom-action/download-syft@df80a981bc6edbc4e220a492d3cbe9f5547a6e75 # v0.17.9 - name: Set up Go - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 + uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 with: go-version: "1.22" diff --git a/.github/workflows/run-full-validation.yml b/.github/workflows/run-full-validation.yml index 4b2c13f19..b1f3042fe 100644 --- a/.github/workflows/run-full-validation.yml +++ b/.github/workflows/run-full-validation.yml @@ -26,8 +26,8 @@ jobs: strategy: fail-fast: false matrix: - KUBERNETES_VERSION: ["1.28.12", "1.29.2"] - GATEKEEPER_VERSION: ["3.15.0", "3.16.0", "3.17.0"] + KUBERNETES_VERSION: ["1.29.10", "1.30.6"] + GATEKEEPER_VERSION: ["3.16.0", "3.17.0", "3.18.0"] uses: ./.github/workflows/e2e-k8s.yml with: k8s_version: ${{ matrix.KUBERNETES_VERSION }} @@ -41,8 +41,8 @@ jobs: strategy: fail-fast: false matrix: - KUBERNETES_VERSION: ["1.28.12", "1.29.2"] - GATEKEEPER_VERSION: ["3.15.0", "3.16.0", "3.17.0"] + KUBERNETES_VERSION: ["1.29.10", "1.30.6"] + GATEKEEPER_VERSION: ["3.16.0", "3.17.0", "3.18.0"] uses: ./.github/workflows/e2e-aks.yml with: k8s_version: ${{ matrix.KUBERNETES_VERSION }} @@ -58,14 +58,14 @@ jobs: environment: azure-test steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit - name: Check out code into the Go module directory uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up Go 1.22 - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 + uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 with: go-version: "1.22" 
diff --git a/.github/workflows/scan-vulns.yaml b/.github/workflows/scan-vulns.yaml index fc9d9c9a9..1d0b85298 100644 --- a/.github/workflows/scan-vulns.yaml +++ b/.github/workflows/scan-vulns.yaml @@ -23,11 +23,11 @@ jobs: timeout-minutes: 15 steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit - - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 + - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 with: go-version: "1.22" check-latest: true @@ -41,7 +41,7 @@ jobs: TRIVY_VERSION: 0.49.1 steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 261490912..94cc48a17 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -30,7 +30,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit @@ -55,6 +55,6 @@ jobs: retention-days: 5 - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@396bb3e45325a47dd9ef434068033c6d5bb0d11a # tag=v3.27.3 + uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # tag=v3.27.9 with: sarif_file: results.sarif diff --git a/.github/workflows/sync-gh-pages.yml b/.github/workflows/sync-gh-pages.yml index 54a05e0cb..55069d724 100644 --- a/.github/workflows/sync-gh-pages.yml +++ b/.github/workflows/sync-gh-pages.yml 
@@ -17,7 +17,7 @@ jobs: repository-projects: write steps: - name: Harden Runner - uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 with: egress-policy: audit diff --git a/.github/workflows/update-trivy-cache.yml b/.github/workflows/update-trivy-cache.yml index 6d2fea0be..15e411b39 100644 --- a/.github/workflows/update-trivy-cache.yml +++ b/.github/workflows/update-trivy-cache.yml @@ -36,7 +36,7 @@ jobs: rm db.tar.gz - name: Cache DBs - uses: actions/cache/save@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2 + uses: actions/cache/save@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0 with: path: ${{ github.workspace }}/.cache/trivy key: cache-trivy-${{ steps.date.outputs.date }} \ No newline at end of file diff --git a/.well-known/pki-validation/trustpolicy.json b/.well-known/pki-validation/trustpolicy.json new file mode 100644 index 000000000..779f096a5 --- /dev/null +++ b/.well-known/pki-validation/trustpolicy.json @@ -0,0 +1,24 @@ +{ + "version": "1.0", + "trustPolicies": [ + { + "name": "ratify-images", + "registryScopes": [ + "ghcr.io/ratify-project/ratify", + "ghcr.io/ratify-project/ratify-base", + "ghcr.io/ratify-project/ratify-crds", + "ghcr.io/ratify-project/ratify-dev", + "ghcr.io/ratify-project/ratify-base-dev", + "ghcr.io/ratify-project/ratify-crds-dev", + "ghcr.io/ratify-project/ratify-chart-dev/ratify" + ], + "signatureVerification": { + "level" : "strict" + }, + "trustStores": [ "ca:ratify-verify" ], + "trustedIdentities": [ + "x509.subject: CN=ratify.dev,O=ratify-project,L=Seattle,ST=WA,C=US" + ] + } + ] +} \ No newline at end of file diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index b634fac3a..7ac0a452b 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
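Review bot: The policy couples three things that live in different files — the store name `ca:ratify-verify`, the `truststore/x509/ca/ratify-verify` directory the workflows create, and the subject of `.well-known/pki-validation/ratify-verification.crt` pinned under `trustedIdentities` — and JSON gives no place to say so. A short README beside this file, or a comment in the workflows that copy the certificate, should record that the `x509.subject` string must match the certificate's subject (verification fails otherwise) and that the store name must match the directory. Minor: `"level" : "strict"` has a stray space before the colon, and the file lacks a trailing newline.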
@@ -207,7 +207,7 @@ export REGISTRY=yourregistry docker buildx create --use docker buildx build -f httpserver/Dockerfile --platform linux/amd64 --build-arg build_sbom=true --build-arg build_licensechecker=true --build-arg build_schemavalidator=true --build-arg build_vulnerabilityreport=true -t ${REGISTRY}/ratify-project/ratify:yourtag . -docker build --progress=plain --build-arg KUBE_VERSION="1.29.2" --build-arg TARGETOS="linux" --build-arg TARGETARCH="amd64" -f crd.Dockerfile -t ${REGISTRY}/localbuildcrd:yourtag ./charts/ratify/crds +docker build --progress=plain --build-arg KUBE_VERSION="1.30.6" --build-arg TARGETOS="linux" --build-arg TARGETARCH="amd64" -f crd.Dockerfile -t ${REGISTRY}/localbuildcrd:yourtag ./charts/ratify/crds ``` #### [Authenticate](https://docs.docker.com/engine/reference/commandline/login/#usage) with your registry, and push the newly built image diff --git a/Makefile b/Makefile index fde9cad09..1bfc547fd 100644 --- a/Makefile +++ b/Makefile 
@@ -25,33 +25,33 @@ LDFLAGS += -X $(GO_PKG)/internal/version.GitCommitHash=$(GIT_COMMIT_HASH) LDFLAGS += -X $(GO_PKG)/internal/version.GitTreeState=$(GIT_TREE_STATE) LDFLAGS += -X $(GO_PKG)/internal/version.GitTag=$(GIT_TAG) -KIND_VERSION ?= 0.22.0 -KUBERNETES_VERSION ?= 1.29.2 -KIND_KUBERNETES_VERSION ?= 1.29.2 -GATEKEEPER_VERSION ?= 3.17.0 -DAPR_VERSION ?= 1.12.5 -COSIGN_VERSION ?= 2.2.3 +KIND_VERSION ?= 0.25.0 +KUBERNETES_VERSION ?= 1.30.6 +KIND_KUBERNETES_VERSION ?= 1.30.6 +GATEKEEPER_VERSION ?= 3.18.0 +DAPR_VERSION ?= 1.14.4 +COSIGN_VERSION ?= 2.4.1 NOTATION_VERSION ?= 1.2.0 -ORAS_VERSION ?= 1.1.0 +ORAS_VERSION ?= 1.2.1 -HELM_VERSION ?= 3.14.2 -HELMFILE_VERSION ?= 0.162.0 +HELM_VERSION ?= 3.16.3 +HELMFILE_VERSION ?= 0.169.2 BATS_BASE_TESTS_FILE ?= test/bats/base-test.bats BATS_PLUGIN_TESTS_FILE ?= test/bats/plugin-test.bats BATS_CLI_TESTS_FILE ?= test/bats/cli-test.bats BATS_QUICKSTART_TESTS_FILE ?= test/bats/quickstart-test.bats BATS_HA_TESTS_FILE ?= test/bats/high-availability.bats -BATS_VERSION ?= 1.10.0 -SYFT_VERSION ?= v1.0.0 -YQ_VERSION ?= v4.42.1 +BATS_VERSION ?= 1.11.1 +SYFT_VERSION ?= v1.18.0 +YQ_VERSION ?= v4.44.6 YQ_BINARY ?= yq_linux_amd64 ALPINE_IMAGE ?= alpine@sha256:93d5a28ff72d288d69b5997b8ba47396d2cbb62a72b5d87cd3351094b5d578a0 ALPINE_IMAGE_VULNERABLE ?= alpine@sha256:25fad2a32ad1f6f510e528448ae1ec69a28ef81916a004d3629874104f8a7f70 -REDIS_IMAGE_TAG ?= 7.0-debian-11 +REDIS_IMAGE_TAG ?= 7.4-debian-12 CERT_ROTATION_ENABLED ?= false REGO_POLICY_ENABLED ?= false -SBOM_TOOL_VERSION ?=v2.2.3 -TRIVY_VERSION ?= 0.49.1 +SBOM_TOOL_VERSION ?=v2.2.9 +TRIVY_VERSION ?= 0.58.0 GATEKEEPER_NAMESPACE = gatekeeper-system RATIFY_NAME = ratify 
@@ -202,7 +202,7 @@ e2e-dependencies: # Download and install kind curl -L https://github.com/kubernetes-sigs/kind/releases/download/v${KIND_VERSION}/kind-linux-amd64 --output ${GITHUB_WORKSPACE}/bin/kind && chmod +x ${GITHUB_WORKSPACE}/bin/kind # Download and install kubectl - curl -L https://storage.googleapis.com/kubernetes-release/release/v${KUBERNETES_VERSION}/bin/linux/amd64/kubectl --output ${GITHUB_WORKSPACE}/bin/kubectl && chmod +x ${GITHUB_WORKSPACE}/bin/kubectl + curl -L https://dl.k8s.io/release/v${KUBERNETES_VERSION}/bin/linux/amd64/kubectl --output ${GITHUB_WORKSPACE}/bin/kubectl && chmod +x ${GITHUB_WORKSPACE}/bin/kubectl # Download and install bats curl -sSLO https://github.com/bats-core/bats-core/archive/v${BATS_VERSION}.tar.gz && tar -zxvf v${BATS_VERSION}.tar.gz && bash bats-core-${BATS_VERSION}/install.sh ${GITHUB_WORKSPACE} # Download and install jq diff --git a/RELEASES.md b/RELEASES.md index 1069f3f1f..28d6754ac 100644 --- a/RELEASES.md +++ b/RELEASES.md 
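Review bot: The kubectl download now comes from dl.k8s.io, but the binary is still written straight to `bin/` and marked executable with no integrity check, although the same release path publishes `kubectl.sha256`; verifying it costs two lines and turns a tampered or truncated download into a failed build instead of a silently wrong tool. The `e2e-dependencies` recipe starts outside the hunk, and the kind download above it has the same gap. Separately, the first Makefile hunk bumps `TRIVY_VERSION` to 0.58.0 while scan-vulns.yaml still sets `TRIVY_VERSION: 0.49.1` in its env, so the two scanners now run different versions.
```makefile
	# Download and install kubectl, checking the SHA-256 published alongside the release
	curl -L https://dl.k8s.io/release/v${KUBERNETES_VERSION}/bin/linux/amd64/kubectl --output ${GITHUB_WORKSPACE}/bin/kubectl
	curl -L https://dl.k8s.io/release/v${KUBERNETES_VERSION}/bin/linux/amd64/kubectl.sha256 --output ${GITHUB_WORKSPACE}/bin/kubectl.sha256
	echo "$$(cat ${GITHUB_WORKSPACE}/bin/kubectl.sha256)  ${GITHUB_WORKSPACE}/bin/kubectl" | sha256sum --check
	chmod +x ${GITHUB_WORKSPACE}/bin/kubectl
	# … unchanged: bats and jq downloads …
```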
@@ -92,13 +92,13 @@ After a successful release, please prepare a [PR](https://github.com/ratify-proj * Contributors MUST select the `Helm Chart Change` option under the `Type of Change` section if there is ANY update to the helm chart that is required for proposed changes in PR. * Maintainers MUST manually trigger the "Publish Package" workflow after merging any PR that indicates `Helm Chart Change` * Go to the `Actions` tab for the Ratify repository - * Select `publish-ghcr` option from list of workflows on left pane + * Select `publish-dev-assets` option from list of workflows on left pane * Select the `Run workflow` drop down on the right side above the list of action runs - * Choose `Branch: main` + * Choose `Branch: dev` * Select `Run workflow` * Process to Request an off-schedule dev build be published * Submit a new feature request issue prefixed with `[Dev Build Request]` - * In the the `What this PR does / why we need it` section, briefly explain why an off schedule build is needed + * In the the `What would you like to be added?` section, briefly explain why an off schedule build is needed * Once issue is created, post in the `#ratify` slack channel and tag the maintainers * Maintainers should acknowledge request by approving/denying request as a follow up comment diff --git a/charts/ratify/README.md b/charts/ratify/README.md index 7dc6ee02d..82a49c116 100644 --- a/charts/ratify/README.md +++ b/charts/ratify/README.md 
@@ -79,7 +79,7 @@ Values marked `# DEPRECATED` in the `values.yaml` as well as **DEPRECATED** in t | serviceAccount.create | Create new dedicated Ratify service account | `true` | | serviceAccount.name | Name of Ratify service account to create | `ratify-admin` | | serviceAccount.annotations | Annotations to add to the service account | `{}` | -| gatekeeper.version | Determines the Gatekeeper CRD versioning | `3.17.0` | +| gatekeeper.version | Determines the Gatekeeper CRD versioning | `3.18.0` | | gatekeeper.namespace | Namespace Gatekeeper is installed | `gatekeeper-system` | | instrumentation.metricsEnabled | Initializes the configured metrics provider | `true` | | instrumentation.metricsType | Specifies the metrics provider type | `prometheus` | diff --git a/charts/ratify/templates/_helpers.tpl b/charts/ratify/templates/_helpers.tpl index cc56acb9e..db0e4da18 100644 --- a/charts/ratify/templates/_helpers.tpl +++ b/charts/ratify/templates/_helpers.tpl @@ -8,7 +8,13 @@ Expand the name of the chart. {{- define "ratify.podLabels" -}} {{- if .Values.podLabels }} -{{- toYaml .Values.podLabels | nindent 8 }} +{{- toYaml .Values.podLabels }} +{{- end }} +{{- end }} + +{{- define "ratify.podAnnotations" -}} +{{- if .Values.podAnnotations }} +{{- toYaml .Values.podAnnotations }} {{- end }} {{- end }} diff --git a/charts/ratify/templates/deployment.yaml b/charts/ratify/templates/deployment.yaml index 46ed544ae..3c3a630ee 100644 --- a/charts/ratify/templates/deployment.yaml +++ b/charts/ratify/templates/deployment.yaml 
@@ -13,11 +13,13 @@ spec: template: metadata: labels: + {{- include "ratify.podLabels" . | nindent 8 }} {{- include "ratify.selectorLabels" . | nindent 8 }} {{- if ne .Values.azureWorkloadIdentity.clientId "" }} azure.workload.identity/use: "true" {{- end }} annotations: + {{- include "ratify.podAnnotations" . | nindent 8 }} {{- if eq .Values.instrumentation.metricsType "prometheus" }} prometheus.io/scrape: "true" prometheus.io/port: {{ .Values.instrumentation.metricsPort | quote }} diff --git a/charts/ratify/templates/upgrade-crds-hook.yaml b/charts/ratify/templates/upgrade-crds-hook.yaml index a843c66cc..48e21f020 100644 --- a/charts/ratify/templates/upgrade-crds-hook.yaml +++ b/charts/ratify/templates/upgrade-crds-hook.yaml @@ -78,7 +78,7 @@ spec: annotations: {{- toYaml .Values.podAnnotations | trim | nindent 8 }} labels: - {{- include "ratify.podLabels" . }} + {{- include "ratify.podLabels" . | nindent 8 }} app: '{{ template "ratify.name" . }}' chart: '{{ template "ratify.name" . }}' ratify.sh/system: "yes" diff --git a/charts/ratify/values.yaml b/charts/ratify/values.yaml index 1b9cc4ba4..46e5ae920 100644 --- a/charts/ratify/values.yaml +++ b/charts/ratify/values.yaml @@ -57,7 +57,7 @@ serviceAccount: annotations: {} gatekeeper: - version: "3.17.0" + version: "3.18.0" namespace: # default is gatekeeper-system instrumentation: metricsEnabled: true diff --git a/cmd/ratify/cmd/serve.go b/cmd/ratify/cmd/serve.go index ab0f872f0..373ad12ef 100644 --- a/cmd/ratify/cmd/serve.go +++ b/cmd/ratify/cmd/serve.go @@ -118,7 +118,7 @@ func serve(opts serveCmdOptions) error { if err != nil { return err } - logrus.Infof("starting server at" + opts.httpServerAddress) + logrus.Infof("starting server at %s", opts.httpServerAddress) if err := server.Run(nil); err != nil { return err } diff --git a/crd.Dockerfile b/crd.Dockerfile index 6606aa0af..d4578a4da 100644 --- a/crd.Dockerfile +++ b/crd.Dockerfile 
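Review bot: In the upgrade-crds-hook hunk, the `annotations:` line just above the changed `labels` line still inlines `{{- toYaml .Values.podAnnotations | trim | nindent 8 }}`, while the deployment template in this same change renders that value through the new `ratify.podAnnotations` helper, so the hook Job and the Deployment now take two different rendering paths for one value. Replacing it with `{{- include "ratify.podAnnotations" . | nindent 8 }}` keeps the rendering in one place and mirrors what this hunk already does for labels. The two forms also behave differently for an empty `podAnnotations`: the helper's `if` renders nothing, whereas the inline `toYaml` renders `{}`; both parse, but keeping one form avoids a surprise when the pod annotations are later extended. The Job's pod template starts outside the hunk.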
@@ -11,7 +11,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM alpine@sha256:beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d as builder +FROM alpine@sha256:21dc6063fd678b478f57c0e13f47560d0ea4eeba26dfc947b2a4f81f686b9f45 as builder ARG TARGETOS ARG TARGETARCH @@ -20,7 +20,7 @@ ARG KUBE_VERSION RUN echo "Ratify crd building on $TARGETOS, building for $TARGETARCH" RUN apk add --no-cache curl && \ - curl -LO https://storage.googleapis.com/kubernetes-release/release/v${KUBE_VERSION}/bin/${TARGETOS}/${TARGETARCH}/kubectl && \ + curl -LO https://dl.k8s.io/release/v${KUBE_VERSION}/bin/${TARGETOS}/${TARGETARCH}/kubectl && \ chmod +x kubectl FROM scratch as build diff --git a/dev.helmfile.yaml b/dev.helmfile.yaml index bec894af9..896bc619c 100644 --- a/dev.helmfile.yaml +++ b/dev.helmfile.yaml @@ -10,7 +10,7 @@ releases: namespace: gatekeeper-system createNamespace: true chart: gatekeeper/gatekeeper - version: 3.17.0 + version: 3.18.0 wait: true set: - name: enableExternalData diff --git a/dev.high-availability.helmfile.yaml b/dev.high-availability.helmfile.yaml index 29c40fe8a..38bf1f0a6 100644 --- a/dev.high-availability.helmfile.yaml +++ b/dev.high-availability.helmfile.yaml @@ -14,13 +14,13 @@ releases: namespace: dapr-system createNamespace: true chart: dapr/dapr - version: 1.13.2 + version: 1.14.4 wait: true - name: gatekeeper namespace: gatekeeper-system createNamespace: true chart: gatekeeper/gatekeeper - version: 3.17.0 + version: 3.18.0 wait: true set: - name: enableExternalData diff --git a/go.mod b/go.mod index dbad99c35..76a85a592 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/ratify-project/ratify -go 1.22.8 +go 1.23.3 // Accidentally published prior to 1.0.0 release retract ( 
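Review bot: The kubectl binary downloaded on the `+` line of the second crd.Dockerfile hunk is never integrity-checked before it is made executable and handed to the `FROM scratch` stage that follows, so whatever dl.k8s.io (or anything between the builder and it) serves becomes part of the shipped CRD image, and `curl -LO` without `-f` would store an error page under the name `kubectl` on a 4xx/5xx. dl.k8s.io publishes a `.sha256` alongside each binary, so the `RUN` can verify it: `curl -fsSLO https://dl.k8s.io/release/v${KUBE_VERSION}/bin/${TARGETOS}/${TARGETARCH}/kubectl && curl -fsSLO https://dl.k8s.io/release/v${KUBE_VERSION}/bin/${TARGETOS}/${TARGETARCH}/kubectl.sha256 && echo "$(cat kubectl.sha256)  kubectl" | sha256sum -c - && chmod +x kubectl`. `sha256sum` should be available from BusyBox on the pinned alpine base, so no extra package is needed. The remaining `RUN` steps of the builder stage are outside this hunk.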
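Review bot: The `go 1.23.3` directive on the `+` line of the go.mod hunk pins a patch-level toolchain requirement, which under the default `GOTOOLCHAIN=auto` makes any builder still running an older Go (a CI job or Dockerfile set up with 1.22, for instance) silently download and switch to go1.23.3 at build time, and fails outright where `GOTOOLCHAIN=local` is enforced. The auto-download is checksum-verified, but it means the toolchain actually used no longer matches what the workflow or image pinned, which defeats the point of pinning it there. Bump the `go-version` in the workflows and any Go base image in the same change, or, if the patch-level pin is intentional, make it explicit with a `toolchain go1.23.3` line below the directive so the intent is visible to the next reader. The rest of go.mod is outside this hunk.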
@@ -9,20 +9,21 @@ retract ( ) require ( - github.com/Azure/azure-sdk-for-go v68.0.0+incompatible - github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0 - github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0 + github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0 + github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0 github.com/Azure/azure-sdk-for-go/sdk/containers/azcontainerregistry v0.2.2 - github.com/Azure/go-autorest/autorest/to v0.4.0 + github.com/Azure/azure-sdk-for-go/sdk/keyvault/azcertificates v0.9.0 + github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0 + github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets v0.12.0 github.com/AzureAD/microsoft-authentication-library-for-go v1.2.3 github.com/alibabacloud-go/cr-20181201/v2 v2.5.0 github.com/alibabacloud-go/darabonba-openapi/v2 v2.0.10 github.com/alibabacloud-go/tea v1.2.2 github.com/alibabacloud-go/tea-utils/v2 v2.0.7 - github.com/aliyun/credentials-go v1.3.10 - github.com/aws/aws-sdk-go-v2 v1.32.4 - github.com/aws/aws-sdk-go-v2/config v1.27.43 - github.com/aws/aws-sdk-go-v2/credentials v1.17.44 + github.com/aliyun/credentials-go v1.3.11 + github.com/aws/aws-sdk-go-v2 v1.32.6 + github.com/aws/aws-sdk-go-v2/config v1.28.6 + github.com/aws/aws-sdk-go-v2/credentials v1.17.47 github.com/aws/aws-sdk-go-v2/service/ecr v1.28.6 github.com/cespare/xxhash/v2 v2.3.0 github.com/dapr/go-sdk v1.8.0 @@ -35,8 +36,8 @@ require ( github.com/golang/protobuf v1.5.4 github.com/google/go-containerregistry v0.20.2 github.com/gorilla/mux v1.8.1 - github.com/notaryproject/notation-core-go v1.2.0-rc.1 - github.com/notaryproject/notation-go v1.3.0-rc.1 + github.com/notaryproject/notation-core-go v1.2.0-rc.2 + github.com/notaryproject/notation-go v1.3.0-rc.2 github.com/notaryproject/notation-plugin-framework-go v1.0.0 github.com/open-policy-agent/cert-controller v0.8.0 github.com/open-policy-agent/frameworks/constraint v0.0.0-20230411224310-3f237e2710fa 
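Review bot: The three new direct dependencies `sdk/keyvault/azcertificates v0.9.0`, `sdk/keyvault/azkeys v0.10.0` and `sdk/keyvault/azsecrets v0.12.0` are, as far as I know, the pre-1.0 module paths that Azure deprecated in favour of `sdk/security/keyvault/*`, and the go.sum further down already carries `sdk/security/keyvault/azkeys v1.1.0` as an existing entry, so the module graph now holds both generations of the Key Vault client. Deprecated modules stop receiving fixes, which matters for code that fetches signing keys and certificates, so it is worth importing `github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/{azkeys,azsecrets,azcertificates}` directly instead; the API surface is close but not identical, so this is a code change rather than a path swap. If the older module paths were chosen deliberately, a `// NOTE:` comment next to them in go.mod would save the next reader the same question. The `require` block continues outside this hunk.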
@@ -46,17 +47,17 @@ require ( github.com/owenrumney/go-sarif/v2 v2.3.3 github.com/pkg/errors v0.9.1 github.com/sigstore/cosign/v2 v2.2.4 - github.com/sigstore/sigstore v1.8.10 + github.com/sigstore/sigstore v1.8.11 github.com/sirupsen/logrus v1.9.3 github.com/spdx/tools-golang v0.5.5 github.com/spf13/cobra v1.8.1 github.com/xlab/treeprint v1.1.0 go.opentelemetry.io/otel/exporters/prometheus v0.49.0 - go.opentelemetry.io/otel/metric v1.28.0 + go.opentelemetry.io/otel/metric v1.29.0 go.opentelemetry.io/otel/sdk/metric v1.27.0 - golang.org/x/sync v0.8.0 - google.golang.org/grpc v1.66.3 - google.golang.org/protobuf v1.34.2 + golang.org/x/sync v0.10.0 + google.golang.org/grpc v1.68.1 + google.golang.org/protobuf v1.35.2 k8s.io/api v0.28.15 k8s.io/apimachinery v0.28.15 k8s.io/client-go v0.28.15 @@ -64,12 +65,13 @@ require ( ) require ( - cloud.google.com/go/compute/metadata v0.3.0 // indirect + cloud.google.com/go/compute/metadata v0.5.2 // indirect filippo.io/edwards25519 v1.1.0 // indirect github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0 // indirect + github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect + github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 // indirect github.com/Azure/go-autorest/autorest/azure/auth v0.5.12 // indirect github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 // indirect - github.com/Azure/go-autorest/autorest/validation v0.3.1 // indirect github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect github.com/Microsoft/go-winio v0.6.2 // indirect github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c // indirect 
@@ -86,8 +88,7 @@ require ( github.com/alibabacloud-go/tea-xml v1.1.3 // indirect github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.23.7 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.0 // indirect - github.com/aws/aws-sdk-go-v2/service/kms v1.31.3 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1 // indirect github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8 // indirect github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 // indirect github.com/clbanning/mxj/v2 v2.7.0 // indirect @@ -113,7 +114,7 @@ require ( github.com/hashicorp/go-retryablehttp v0.7.7 // indirect github.com/miekg/pkcs11 v1.1.1 // indirect github.com/mozillazg/docker-credential-acr-helper v0.3.0 // indirect - github.com/notaryproject/tspclient-go v0.2.0 // indirect + github.com/notaryproject/tspclient-go v1.0.0-rc.1 // indirect github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect github.com/sagikazarmark/locafero v0.4.0 // indirect github.com/sagikazarmark/slog-shim v0.1.0 // indirect 
@@ -128,31 +129,31 @@ require ( github.com/tjfoc/gmsm v1.4.1 // indirect github.com/xanzy/go-gitlab v0.102.0 // indirect github.com/yashtewari/glob-intersection v0.2.0 // indirect - go.step.sm/crypto v0.44.2 // indirect - google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect + go.step.sm/crypto v0.54.2 // indirect + google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28 // indirect gotest.tools/v3 v3.1.0 // indirect - sigs.k8s.io/release-utils v0.7.7 // indirect + sigs.k8s.io/release-utils v0.8.5 // indirect ) require ( github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect github.com/Azure/go-autorest v14.2.0+incompatible // indirect - github.com/Azure/go-autorest/autorest v0.11.29 + github.com/Azure/go-autorest/autorest v0.11.29 // indirect github.com/Azure/go-autorest/autorest/adal v0.9.24 // indirect github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect github.com/Azure/go-autorest/logger v0.2.1 // indirect github.com/Azure/go-autorest/tracing v0.6.0 // indirect github.com/OneOfOne/xxhash v1.2.8 // indirect github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect - github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.19 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.23 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.23 // indirect + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.21 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.25 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.25 // indirect github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.4 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.24.5 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.4 // indirect - github.com/aws/aws-sdk-go-v2/service/sts v1.32.4 // indirect - github.com/aws/smithy-go v1.22.0 // indirect 
+ github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.6 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.24.7 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.6 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.33.2 // indirect + github.com/aws/smithy-go v1.22.1 // indirect github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver v3.5.1+incompatible // indirect github.com/bshuster-repo/logrus-logstash-hook v1.1.0 @@ -177,7 +178,7 @@ require ( github.com/go-openapi/validate v0.24.0 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang-jwt/jwt/v4 v4.5.1 // indirect - github.com/golang/glog v1.2.1 // indirect + github.com/golang/glog v1.2.2 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/snappy v0.0.4 // indirect github.com/google/certificate-transparency-go v1.1.8 // indirect @@ -189,7 +190,7 @@ require ( github.com/in-toto/in-toto-golang v0.9.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect - github.com/jmespath/go-jmespath v0.4.0 // indirect + github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect github.com/klauspost/compress v1.17.9 // indirect @@ -204,7 +205,7 @@ require ( github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/oklog/ulid v1.3.1 // indirect github.com/opentracing/opentracing-go v1.2.0 // indirect - github.com/pelletier/go-toml/v2 v2.1.0 // indirect + github.com/pelletier/go-toml/v2 v2.2.2 // indirect github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect github.com/prometheus/client_golang v1.20.5 
@@ -215,11 +216,11 @@ require ( github.com/sassoftware/relic v7.2.1+incompatible // indirect github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect github.com/shibumi/go-pathspec v1.3.0 // indirect - github.com/sigstore/rekor v1.3.6 + github.com/sigstore/rekor v1.3.7 github.com/spf13/afero v1.11.0 // indirect - github.com/spf13/cast v1.6.0 // indirect + github.com/spf13/cast v1.7.0 // indirect github.com/spf13/pflag v1.0.5 // indirect - github.com/spf13/viper v1.18.2 // indirect + github.com/spf13/viper v1.19.0 // indirect github.com/stretchr/testify v1.9.0 github.com/subosito/gotenv v1.6.0 // indirect github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect 
@@ -227,27 +228,27 @@ require ( github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect github.com/transparency-dev/merkle v0.0.2 // indirect github.com/vbatts/tar-split v0.11.5 // indirect - github.com/veraison/go-cose v1.2.1 // indirect + github.com/veraison/go-cose v1.3.0 // indirect github.com/x448/float16 v0.8.4 // indirect github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect github.com/xeipuuv/gojsonschema v1.2.0 go.mongodb.org/mongo-driver v1.14.0 // indirect - go.opentelemetry.io/otel v1.28.0 + go.opentelemetry.io/otel v1.29.0 go.opentelemetry.io/otel/sdk v1.28.0 - go.opentelemetry.io/otel/trace v1.28.0 // indirect + go.opentelemetry.io/otel/trace v1.29.0 // indirect go.uber.org/atomic v1.11.0 // indirect go.uber.org/multierr v1.11.0 // indirect go.uber.org/zap v1.27.0 // indirect - golang.org/x/crypto v0.28.0 - golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3 // indirect - golang.org/x/mod v0.21.0 // indirect - golang.org/x/net v0.29.0 // indirect - golang.org/x/oauth2 v0.23.0 // indirect - golang.org/x/sys v0.26.0 // indirect - golang.org/x/term v0.25.0 // indirect - golang.org/x/text v0.19.0 // indirect - golang.org/x/time v0.6.0 // indirect + golang.org/x/crypto v0.31.0 + golang.org/x/exp v0.0.0-20240325151524-a685a6edb6d8 // indirect + golang.org/x/mod v0.22.0 // indirect + golang.org/x/net v0.31.0 // indirect + golang.org/x/oauth2 v0.24.0 // indirect + golang.org/x/sys v0.28.0 // indirect + golang.org/x/term v0.27.0 // indirect + golang.org/x/text v0.21.0 // indirect + golang.org/x/time v0.8.0 // indirect gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/ini.v1 v1.67.0 // indirect 
@@ -255,9 +256,9 @@ require ( gopkg.in/yaml.v3 v3.0.1 k8s.io/apiextensions-apiserver v0.27.7 // indirect k8s.io/component-base v0.27.7 // indirect - k8s.io/klog/v2 v2.120.1 // indirect + k8s.io/klog/v2 v2.130.1 // indirect k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect - k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect + k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 // indirect sigs.k8s.io/controller-runtime v0.15.3 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/structured-merge-diff/v4 v4.3.0 // indirect diff --git a/go.sum b/go.sum index c7be23e9a..660ea4a93 100644 --- a/go.sum +++ b/go.sum 
@@ -1,11 +1,18 @@ cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw= -cloud.google.com/go v0.112.1 h1:uJSeirPke5UNZHIb4SxfZklVSiWWVqW4oXlETwZziwM= -cloud.google.com/go/compute/metadata v0.3.0 h1:Tz+eQXMEqDIKRsmY3cHTL6FVaynIjX2QxYC4trgAKZc= -cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k= -cloud.google.com/go/iam v1.1.6 h1:bEa06k05IO4f4uJonbB5iAgKTPpABy1ayxaIZV/GHVc= -cloud.google.com/go/iam v1.1.6/go.mod h1:O0zxdPeGBoFdWW3HWmBxJsk0pfvNM/p/qa82rWOGTwI= -cloud.google.com/go/kms v1.15.8 h1:szIeDCowID8th2i8XE4uRev5PMxQFqW+JjwYxL9h6xs= -cloud.google.com/go/kms v1.15.8/go.mod h1:WoUHcDjD9pluCg7pNds131awnH429QGvRM3N/4MyoVs= +cloud.google.com/go v0.116.0 h1:B3fRrSDkLRt5qSHWe40ERJvhvnQwdZiHu0bJOpldweE= +cloud.google.com/go v0.116.0/go.mod h1:cEPSRWPzZEswwdr9BxE6ChEn01dWlTaF05LiC2Xs70U= +cloud.google.com/go/auth v0.10.2 h1:oKF7rgBfSHdp/kuhXtqU/tNDr0mZqhYbEh+6SiqzkKo= +cloud.google.com/go/auth v0.10.2/go.mod h1:xxA5AqpDrvS+Gkmo9RqrGGRh6WSNKKOXhY3zNOr38tI= +cloud.google.com/go/auth/oauth2adapt v0.2.5 h1:2p29+dePqsCHPP1bqDJcKj4qxRyYCcbzKpFyKGt3MTk= +cloud.google.com/go/auth/oauth2adapt v0.2.5/go.mod h1:AlmsELtlEBnaNTL7jCj8VQFLy6mbZv0s4Q7NGBeQ5E8= +cloud.google.com/go/compute/metadata v0.5.2 h1:UxK4uu/Tn+I3p2dYWTfiX4wva7aYlKixAHn3fyqngqo= +cloud.google.com/go/compute/metadata v0.5.2/go.mod h1:C66sj2AluDcIqakBq/M8lw8/ybHgOZqin2obFxa/E5k= +cloud.google.com/go/iam v1.2.2 h1:ozUSofHUGf/F4tCNy/mu9tHLTaxZFLOUiKzjcgWHGIA= +cloud.google.com/go/iam v1.2.2/go.mod h1:0Ys8ccaZHdI1dEUilwzqng/6ps2YB6vRsjIe00/+6JY= +cloud.google.com/go/kms v1.20.1 h1:og29Wv59uf2FVaZlesaiDAqHFzHaoUyHI3HYp9VUHVg= +cloud.google.com/go/kms v1.20.1/go.mod h1:LywpNiVCvzYNJWS9JUcGJSVTNSwPwi0vBAotzDqn2nc= +cloud.google.com/go/longrunning v0.6.2 h1:xjDfh1pQcWPEvnfjZmwjKQEcHnpz6lHjfy7Fo0MK+hc= +cloud.google.com/go/longrunning v0.6.2/go.mod h1:k/vIs83RN4bE3YCswdXC5PFfWVILjm3hpEUlSko4PiI= cuelabs.dev/go/oci/ociregistry 
v0.0.0-20240314152124-224736b49f2e h1:GwCVItFUPxwdsEYnlUcJ6PJxOjTeFFCKOh6QWg4oAzQ= cuelabs.dev/go/oci/ociregistry v0.0.0-20240314152124-224736b49f2e/go.mod h1:ApHceQLLwcOkCEXM1+DyCXTHEJhNGDpJ2kmV6axsx24= cuelang.org/go v0.8.1 h1:VFYsxIFSPY5KgSaH1jQ2GxHOrbu6Ga3kEI70yCZwnOg= 
@@ -18,14 +25,24 @@ github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0/go.mod h1:GgeIE+1be8Ivm7Sh4RgwI42aTtC9qrcj+Y9Y6CjJhJs= github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU= github.com/Azure/azure-sdk-for-go v68.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0 h1:nyQWyZvwGTvunIMxi1Y9uXkcyr+I7TeNrr/foo4Kpk8= -github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0/go.mod h1:l38EPgmsp71HHLq9j7De57JcKOWPyhrsW1Awm1JS6K0= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0 h1:tfLQ34V6F7tVSwoTf/4lH5sE0o6eCJuNDTmH09nDpbc= -github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0/go.mod h1:9kIvujWAA58nmPmWB1m23fyWic1kYZMxD9CxaWn4Qpg= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0 h1:JZg6HRh6W6U4OLl6lk7BZ7BLisIzM9dG1R50zUk9C/M= +github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0/go.mod h1:YL1xnZ6QejvQHWJrX/AvhFl4WW4rqHVoKspWNVwFk0M= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0 h1:B/dfvscEQtew9dVuoxqxrUKKv8Ih2f55PydknDamU+g= +github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0/go.mod h1:fiPSssYvltE08HJchL04dOy+RD4hgrjph0cwGGMntdI= +github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.0 h1:+m0M/LFxN43KvULkDNfdXOgrjtg6UYJPFBJyuEcRCAw= +github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.0/go.mod h1:PwOyop78lveYMRs6oCxjiVyBdyCgIYH6XHIVZO9/SFQ= github.com/Azure/azure-sdk-for-go/sdk/containers/azcontainerregistry v0.2.2 h1:wBx10efdJcl8FSewgc41kAW4AvHPgmJZmN7fpNxn8rc= github.com/Azure/azure-sdk-for-go/sdk/containers/azcontainerregistry v0.2.2/go.mod h1:zzmu18cpAinSbhC86oWd47nmgbb91Fl+Yac2PE8NdYk= github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 h1:ywEEhmNahHBihViHepv3xPBn1663uRv2t2q/ESv9seY= github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0/go.mod 
h1:iZDifYGJTIgIIkYRNWPENUnqx6bJ2xnSDFI2tjwZNuY= +github.com/Azure/azure-sdk-for-go/sdk/keyvault/azcertificates v0.9.0 h1:btEsytNrA4TG3edZnnUnzOz8W2MjOd6Bu3/7xyOXSOY= +github.com/Azure/azure-sdk-for-go/sdk/keyvault/azcertificates v0.9.0/go.mod h1:5SlTxxL1U4LLipEr7pAbnu6Ck5y3aIEu4L/tVbGmpsY= +github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0 h1:m/sWOGCREuSBqg2htVQTBY8nOZpyajYztF0vUvSZTuM= +github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0/go.mod h1:Pu5Zksi2KrU7LPbZbNINx6fuVrUp/ffvpxdDj+i8LeE= +github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets v0.12.0 h1:xnO4sFyG8UH2fElBkcqLTOZsAajvKfnSlgBBW8dXYjw= +github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets v0.12.0/go.mod h1:XD3DIOOVgBCO03OleB1fHjgktVRFxlT++KwKgIOewdM= +github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 h1:FbH3BbSb4bvGluTesZZ+ttN/MDsnMmQP36OSnDuSXqw= +github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1/go.mod h1:9V2j0jn9jDEkCkv8w/bKTNppX/d0FVA1ud77xCIP4KA= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.1.0 h1:DRiANoJTiW6obBQe3SqZizkuV1PEgfiiGivmVocDy64= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.1.0/go.mod h1:qLIye2hwb/ZouqhpSD9Zn3SJipvpEnz1Ywl3VUk9Y0s= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 h1:D3occbWoio4EBLkbkevetNMAVX197GkzbUMtqjGWn80= 
@@ -49,16 +66,14 @@ github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSY github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= github.com/Azure/go-autorest/autorest/mocks v0.4.2 h1:PGN4EDXnuQbojHbU0UWoNvmu9AGVwYHG9/fkDYhtAfw= github.com/Azure/go-autorest/autorest/mocks v0.4.2/go.mod h1:Vy7OitM9Kei0i1Oj+LvyAWMXJHeKH1MVlzFugfVrmyU= -github.com/Azure/go-autorest/autorest/to v0.4.0 h1:oXVqrxakqqV1UZdSazDOPOLvOIz+XA683u8EctwboHk= -github.com/Azure/go-autorest/autorest/to v0.4.0/go.mod h1:fE8iZBn7LQR7zH/9XU2NcPR4o9jEImooCeWJcYV/zLE= -github.com/Azure/go-autorest/autorest/validation v0.3.1 h1:AgyqjAd94fwNAoTjl/WQXg4VvFeRFpO+UhNyRXqF1ac= -github.com/Azure/go-autorest/autorest/validation v0.3.1/go.mod h1:yhLgjC0Wda5DYXl6JAsWyUe4KVNffhoDhG0zVzUMo3E= github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+ZtXWSmf4Tg= github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8= github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo= github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8= github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU= +github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM= +github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE= github.com/AzureAD/microsoft-authentication-library-for-go v1.2.3 h1:6LyjnnaLpcOKK0fbYisI+mb8CE7iNe7i89nMNQxFxs8= github.com/AzureAD/microsoft-authentication-library-for-go v1.2.3/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI= github.com/BurntSushi/toml v0.3.1/go.mod 
h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= @@ -143,8 +158,9 @@ github.com/alibabacloud-go/tea-xml v1.1.3/go.mod h1:Rq08vgCcCAjHyRi/M7xlHKUykZCE github.com/aliyun/credentials-go v1.1.2/go.mod h1:ozcZaMR5kLM7pwtCMEpVmQ242suV6qTJya2bDq4X1Tw= github.com/aliyun/credentials-go v1.3.1/go.mod h1:8jKYhQuDawt8x2+fusqa1Y6mPxemTsBEN04dgcAcYz0= github.com/aliyun/credentials-go v1.3.6/go.mod h1:1LxUuX7L5YrZUWzBrRyk0SwSdH4OmPrib8NVePL3fxM= -github.com/aliyun/credentials-go v1.3.10 h1:45Xxrae/evfzQL9V10zL3xX31eqgLWEaIdCoPipOEQA= github.com/aliyun/credentials-go v1.3.10/go.mod h1:Jm6d+xIgwJVLVWT561vy67ZRP4lPTQxMbEYRuT2Ti1U= +github.com/aliyun/credentials-go v1.3.11 h1:8CjGRa0wAoNC0zGMar+PRushZkd1n4xdijpdV4vlCho= +github.com/aliyun/credentials-go v1.3.11/go.mod h1:Jm6d+xIgwJVLVWT561vy67ZRP4lPTQxMbEYRuT2Ti1U= github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 h1:aM1rlcoLz8y5B2r4tTLMiVTrMtpfY0O8EScKJxaSaEc= github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092/go.mod h1:rYqSE9HbjzpHTI74vwPvae4ZVYZd1lue2ta6xHPdblA= github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo= 
@@ -152,40 +168,40 @@ github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so= github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw= -github.com/aws/aws-sdk-go v1.51.6 h1:Ld36dn9r7P9IjU8WZSaswQ8Y/XUCRpewim5980DwYiU= -github.com/aws/aws-sdk-go v1.51.6/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= -github.com/aws/aws-sdk-go-v2 v1.32.4 h1:S13INUiTxgrPueTmrm5DZ+MiAo99zYzHEFh1UNkOxNE= -github.com/aws/aws-sdk-go-v2 v1.32.4/go.mod h1:2SK5n0a2karNTv5tbP1SjsX0uhttou00v/HpXKM1ZUo= -github.com/aws/aws-sdk-go-v2/config v1.27.43 h1:p33fDDihFC390dhhuv8nOmX419wjOSDQRb+USt20RrU= -github.com/aws/aws-sdk-go-v2/config v1.27.43/go.mod h1:pYhbtvg1siOOg8h5an77rXle9tVG8T+BWLWAo7cOukc= -github.com/aws/aws-sdk-go-v2/credentials v1.17.44 h1:qqfs5kulLUHUEXlHEZXLJkgGoF3kkUeFUTVA585cFpU= -github.com/aws/aws-sdk-go-v2/credentials v1.17.44/go.mod h1:0Lm2YJ8etJdEdw23s+q/9wTpOeo2HhNE97XcRa7T8MA= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.19 h1:woXadbf0c7enQ2UGCi8gW/WuKmE0xIzxBF/eD94jMKQ= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.19/go.mod h1:zminj5ucw7w0r65bP6nhyOd3xL6veAUMc3ElGMoLVb4= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.23 h1:A2w6m6Tmr+BNXjDsr7M90zkWjsu4JXHwrzPg235STs4= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.23/go.mod h1:35EVp9wyeANdujZruvHiQUAo9E3vbhnIO1mTCAxMlY0= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.23 h1:pgYW9FCabt2M25MoHYCfMrVY2ghiiBKYWUVXfwZs+sU= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.23/go.mod h1:c48kLgzO19wAu3CPkDWC28JbaJ+hfQlsdl7I2+oqIbk= +github.com/aws/aws-sdk-go v1.55.5 h1:KKUZBfBoyqy5d3swXyiC7Q76ic40rYcbqH7qjh59kzU= +github.com/aws/aws-sdk-go 
v1.55.5/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU= +github.com/aws/aws-sdk-go-v2 v1.32.6 h1:7BokKRgRPuGmKkFMhEg/jSul+tB9VvXhcViILtfG8b4= +github.com/aws/aws-sdk-go-v2 v1.32.6/go.mod h1:P5WJBrYqqbWVaOxgH0X/FYYD47/nooaPOZPlQdmiN2U= +github.com/aws/aws-sdk-go-v2/config v1.28.6 h1:D89IKtGrs/I3QXOLNTH93NJYtDhm8SYa9Q5CsPShmyo= +github.com/aws/aws-sdk-go-v2/config v1.28.6/go.mod h1:GDzxJ5wyyFSCoLkS+UhGB0dArhb9mI+Co4dHtoTxbko= +github.com/aws/aws-sdk-go-v2/credentials v1.17.47 h1:48bA+3/fCdi2yAwVt+3COvmatZ6jUDNkDTIsqDiMUdw= +github.com/aws/aws-sdk-go-v2/credentials v1.17.47/go.mod h1:+KdckOejLW3Ks3b0E3b5rHsr2f9yuORBum0WPnE5o5w= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.21 h1:AmoU1pziydclFT/xRV+xXE/Vb8fttJCLRPv8oAkprc0= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.21/go.mod h1:AjUdLYe4Tgs6kpH4Bv7uMZo7pottoyHMn4eTcIcneaY= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.25 h1:s/fF4+yDQDoElYhfIVvSNyeCydfbuTKzhxSXDXCPasU= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.25/go.mod h1:IgPfDv5jqFIzQSNbUEMoitNooSMXjRSDkhXv8jiROvU= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.25 h1:ZntTCl5EsYnhN/IygQEUugpdwbhdkom9uHcbCftiGgA= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.25/go.mod h1:DBdPrgeocww+CSl1C8cEV8PN1mHMBhuCDLpXezyvWkE= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 h1:VaRN3TlFdd6KxX1x3ILT5ynH6HvKgqdiXoTxAF4HQcQ= github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc= github.com/aws/aws-sdk-go-v2/service/ecr v1.28.6 h1:CnQNpQv+WGl5aECyAXrJ4w+Qccz2aC/uXg2OjxiPl30= github.com/aws/aws-sdk-go-v2/service/ecr v1.28.6/go.mod h1:1FKdZMR/Tfx40IKjdLDRlFz/UKlff8CKQuC7mhlTAMM= github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.23.7 h1:dsmihXaPkhFuUTiL+ygm9RtUYEmhOeIl7DXNIHCoKDg= github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.23.7/go.mod h1:g7If3uXj+mKcmIuxh08qh8I9ju6f/aOSWMyc6hEEi58= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.0 
h1:TToQNkvGguu209puTojY/ozlqy2d/SFNcoLIqTFi42g= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.0/go.mod h1:0jp+ltwkf+SwG2fm/PKo8t4y8pJSgOCO4D8Lz3k0aHQ= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.4 h1:tHxQi/XHPK0ctd/wdOw0t7Xrc2OxcRCnVzv8lwWPu0c= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.4/go.mod h1:4GQbF1vJzG60poZqWatZlhP31y8PGCCVTvIGPdaaYJ0= -github.com/aws/aws-sdk-go-v2/service/kms v1.31.3 h1:wLBgq6nDNYdd0A5CvscVAKV5SVlHKOHVPedpgtigATg= -github.com/aws/aws-sdk-go-v2/service/kms v1.31.3/go.mod h1:8lETO9lelSG2B6KMXFh2OwPPqGV6WQM3RqLAEjP1xaU= -github.com/aws/aws-sdk-go-v2/service/sso v1.24.5 h1:HJwZwRt2Z2Tdec+m+fPjvdmkq2s9Ra+VR0hjF7V2o40= -github.com/aws/aws-sdk-go-v2/service/sso v1.24.5/go.mod h1:wrMCEwjFPms+V86TCQQeOxQF/If4vT44FGIOFiMC2ck= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.4 h1:zcx9LiGWZ6i6pjdcoE9oXAB6mUdeyC36Ia/QEiIvYdg= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.4/go.mod h1:Tp/ly1cTjRLGBBmNccFumbZ8oqpZlpdhFf80SrRh4is= -github.com/aws/aws-sdk-go-v2/service/sts v1.32.4 h1:yDxvkz3/uOKfxnv8YhzOi9m+2OGIxF+on3KOISbK5IU= -github.com/aws/aws-sdk-go-v2/service/sts v1.32.4/go.mod h1:9XEUty5v5UAsMiFOBJrNibZgwCeOma73jgGwwhgffa8= -github.com/aws/smithy-go v1.22.0 h1:uunKnWlcoL3zO7q+gG2Pk53joueEOsnNB28QdMsmiMM= -github.com/aws/smithy-go v1.22.0/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1 h1:iXtILhvDxB6kPvEXgsDhGaZCSC6LQET5ZHSdJozeI0Y= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1/go.mod h1:9nu0fVANtYiAePIBh2/pFUSwtJ402hLnp854CNoDOeE= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.6 h1:50+XsN70RS7dwJ2CkVNXzj7U2L1HKP8nqTd3XWEXBN4= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.6/go.mod h1:WqgLmwY7so32kG01zD8CPTJWVWM+TzJoOVHwTg4aPug= +github.com/aws/aws-sdk-go-v2/service/kms v1.37.5 h1:5dQJ6Q5QrQOqZxXjSbRXukBqU8Pgu6Ro6Qqtyd8yiz4= 
+github.com/aws/aws-sdk-go-v2/service/kms v1.37.5/go.mod h1:A9vfQcNHVBCE7ZZN6H+UUJpXtbH26Vv6L7Zhk5nIJAY= +github.com/aws/aws-sdk-go-v2/service/sso v1.24.7 h1:rLnYAfXQ3YAccocshIH5mzNNwZBkBo+bP6EhIxak6Hw= +github.com/aws/aws-sdk-go-v2/service/sso v1.24.7/go.mod h1:ZHtuQJ6t9A/+YDuxOLnbryAmITtr8UysSny3qcyvJTc= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.6 h1:JnhTZR3PiYDNKlXy50/pNeix9aGMo6lLpXwJ1mw8MD4= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.6/go.mod h1:URronUEGfXZN1VpdktPSD1EkAL9mfrV+2F4sjH38qOY= +github.com/aws/aws-sdk-go-v2/service/sts v1.33.2 h1:s4074ZO1Hk8qv65GqNXqDjmkf4HSQqJukaLuuW0TpDA= +github.com/aws/aws-sdk-go-v2/service/sts v1.33.2/go.mod h1:mVggCnIWoM09jP71Wh+ea7+5gAp53q+49wDFs1SW5z8= +github.com/aws/smithy-go v1.22.1 h1:/HPHZQ0g7f4eUeK6HKglFz8uwVfZKgoI25rb/J+dnro= +github.com/aws/smithy-go v1.22.1/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg= github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8 h1:SoFYaT9UyGkR0+nogNyD/Lj+bsixB+SNuAS4ABlEs6M= github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8/go.mod h1:2JF49jcDOrLStIXN/j/K1EKRq8a8R2qRnlZA6/o/c7c= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= 
@@ -203,8 +219,6 @@ github.com/buildkite/interpolate v0.0.0-20200526001904-07f35b4ae251/go.mod h1:gb github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0= github.com/bytecodealliance/wasmtime-go/v3 v3.0.2 h1:3uZCA/BLTIu+DqCfguByNMJa2HVHpXvjfy0Dy7g6fuA= github.com/bytecodealliance/wasmtime-go/v3 v3.0.2/go.mod h1:RnUjnIXxEJcL6BgCvNyzCCRzZcxCgsZCi+RNlvYor5Q= -github.com/cenkalti/backoff/v3 v3.2.2 h1:cfUAAO3yvKMYKPrvhDuHSwQnhZNk/RMHKdZqKTxfm6M= -github.com/cenkalti/backoff/v3 v3.2.2/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs= github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= @@ -256,6 +270,8 @@ github.com/dgraph-io/ristretto v0.1.1/go.mod h1:S1GPSBCYCIhmVNfcth17y2zZtQT6wzkz github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw= github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13 h1:fAjc9m62+UWV/WAFKLNi6ZS0675eEUC9y3AlwSbQu1Y= github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw= +github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78= +github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc= github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48 h1:fRzb/w+pyskVMQ+UbP35JkH8yB7MYb4q/qhBarqZE6g= github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA= github.com/digitorus/pkcs7 v0.0.0-20230713084857-e76b763bdc49/go.mod h1:SKVExuS+vpu2l9IoOc0RwqE7NYnb0JlcFHFnEJkVDzc= 
@@ -366,8 +382,8 @@ github.com/golang-jwt/jwt/v4 v4.5.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk= github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= -github.com/golang/glog v1.2.1 h1:OptwRhECazUx5ix5TTWC3EZhsZEHWcYWY4FQHTIubm4= -github.com/golang/glog v1.2.1/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w= +github.com/golang/glog v1.2.2 h1:1+mZ9upx1Dh6FmUTFR1naJ77miKiXgALjWOZ3NVFPmY= +github.com/golang/glog v1.2.2/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE= github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A= 
@@ -413,20 +429,20 @@ github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/ github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20231023181126-ff6d637d2a7b h1:RMpPgZTSApbPf7xaVel+QkoGPRLFLrwFO89uDUHEGf0= -github.com/google/pprof v0.0.0-20231023181126-ff6d637d2a7b/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik= -github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o= -github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw= +github.com/google/pprof v0.0.0-20240528025155-186aa0362fba h1:ql1qNgCyOB7iAEk8JTNM+zJrgIbnyCKX/wdlyPufP5g= +github.com/google/pprof v0.0.0-20240528025155-186aa0362fba/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo= +github.com/google/s2a-go v0.1.8 h1:zZDs9gcbt9ZPLV0ndSyQk6Kacx2g/X+SKYovpnz3SMM= +github.com/google/s2a-go v0.1.8/go.mod h1:6iNWHTpQ+nfNRN5E00MSdfDwVesa8hhS32PhPO8deJA= github.com/google/tink/go v1.7.0 h1:6Eox8zONGebBFcCBqkVmt60LaWZa6xg1cl/DwAh/J1w= github.com/google/tink/go v1.7.0/go.mod h1:GAUOd+QE3pgj9q8VKIGTCP33c/B7eb4NhxLcgTJZStM= -github.com/google/trillian v1.6.0 h1:jMBeDBIkINFvS2n6oV5maDqfRlxREAc6CW9QYWQ0qT4= -github.com/google/trillian v1.6.0/go.mod h1:Yu3nIMITzNhhMJEHjAtp6xKiu+H/iHu2Oq5FjV2mCWI= +github.com/google/trillian v1.6.1 h1:jWU5BGz24GQ5IsHNr+qbmISLkt+73jLv8BOIPN8RtD4= +github.com/google/trillian v1.6.1/go.mod h1:TvwtNkJViJgWZ5VmAMXDwsTjzPBHaPjQO85Kt37JPmM= github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/googleapis/enterprise-certificate-proxy v0.3.2 h1:Vie5ybvEvT75RniqhfFxPRy3Bf7vr3h0cechB90XaQs= 
-github.com/googleapis/enterprise-certificate-proxy v0.3.2/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0= -github.com/googleapis/gax-go/v2 v2.12.3 h1:5/zPPDvw8Q1SuXjrqrZslrqT7dL/uJT2CQii/cLCKqA= -github.com/googleapis/gax-go/v2 v2.12.3/go.mod h1:AKloxT6GtNbaLm8QTNSidHUVsHYcBHwWRvkNFJUQcS4= +github.com/googleapis/enterprise-certificate-proxy v0.3.4 h1:XYIDZApgAnrN1c855gTgghdIA6Stxb52D5RnLI1SLyw= +github.com/googleapis/enterprise-certificate-proxy v0.3.4/go.mod h1:YKe7cfqYXjKGpGvmSg28/fFvhNzinZQm8DGnaburhGA= +github.com/googleapis/gax-go/v2 v2.14.0 h1:f+jMrjBPl+DL9nI4IQzLUxMq7XrAqFYB7hBPqMNIe8o= +github.com/googleapis/gax-go/v2 v2.14.0/go.mod h1:lhBCnjdLrWRaPvLWhmc8IS24m9mr07qSYnHncrgo+zk= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gopherjs/gopherjs v0.0.0-20200217142428-fce0ec30dd00/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= 
@@ -459,8 +475,8 @@ github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/C github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro= github.com/hashicorp/hcl v1.0.1-vault-5 h1:kI3hhbbyzr4dldA8UdTb7ZlVVlI2DACdCfz31RPDgJM= github.com/hashicorp/hcl v1.0.1-vault-5/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM= -github.com/hashicorp/vault/api v1.12.2 h1:7YkCTE5Ni90TcmYHDBExdt4WGJxhpzaHqR6uGbQb/rE= -github.com/hashicorp/vault/api v1.12.2/go.mod h1:LSGf1NGT1BnvFFnKVtnvcaLBM2Lz+gJdpL6HUYed8KE= +github.com/hashicorp/vault/api v1.15.0 h1:O24FYQCWwhwKnF7CuSqP30S51rTV7vz1iACXE/pj5DA= +github.com/hashicorp/vault/api v1.15.0/go.mod h1:+5YTO09JGn0u+b6ySD/LLVf8WkJCPLAL2Vkmrn2+CM8= github.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef h1:A9HsByNhogrvm9cWb28sjiS3i7tcKCkflWFEkHfuAgM= github.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef/go.mod h1:lADxMC39cJJqL93Duh1xhAs4I2Zs8mKS89XWXFGp9cs= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= 
@@ -485,11 +501,11 @@ github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZ github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc= github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 h1:TMtDYDHKYY15rFihtRfck/bfFqNfvcabqvXAFQfAUpY= github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267/go.mod h1:h1nSAbGFqGVzn6Jyl1R/iCcBUHN4g+gW1u9CoBTrb9E= -github.com/jellydator/ttlcache/v3 v3.2.0 h1:6lqVJ8X3ZaUwvzENqPAobDsXNExfUJd61u++uW8a3LE= -github.com/jellydator/ttlcache/v3 v3.2.0/go.mod h1:hi7MGFdMAwZna5n2tuvh63DvFLzVKySzCVW6+0gA2n4= +github.com/jellydator/ttlcache/v3 v3.3.0 h1:BdoC9cE81qXfrxeb9eoJi9dWrdhSuwXMAnHTbnBm4Wc= +github.com/jellydator/ttlcache/v3 v3.3.0/go.mod h1:bj2/e0l4jRnQdrnSTaGTsh4GSXvMjQcy41i7th0GVGw= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= -github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= -github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= +github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24 h1:liMMTbpW34dhU4az1GN0pTPADwNmvoRSeoZ6PItiqnY= +github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= github.com/jmhodges/clock v1.2.0 h1:eq4kys+NI0PLngzaHEe7AmPT90XMGIEySD1JfV1PDIs= 
@@ -500,6 +516,8 @@ github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/ github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= +github.com/keybase/go-keychain v0.0.0-20231219164618-57a3676c3af6 h1:IsMZxCuZqKuao2vNdfD82fjjgPLfyHLpR41Z88viRWs= +github.com/keybase/go-keychain v0.0.0-20231219164618-57a3676c3af6/go.mod h1:3VeWNIJaW+O5xpRQbPp0Ybqu1vJd/pm7s2F473HRrkw= github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8= github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA= 
@@ -546,14 +564,14 @@ github.com/mozillazg/docker-credential-acr-helper v0.3.0/go.mod h1:cZlu3tof523uj github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno= -github.com/notaryproject/notation-core-go v1.2.0-rc.1 h1:VMFlG+9a1JoNAQ3M96g8iqCq0cDRtE7XBaiTD8Ouvqw= -github.com/notaryproject/notation-core-go v1.2.0-rc.1/go.mod h1:b/70rA4OgOHlg0A7pb8zTWKJadFO6781zS3a37KHEJQ= -github.com/notaryproject/notation-go v1.3.0-rc.1 h1:pm9tdUy2tWYqlwyRDZyKXgLwAscDATPUYv0ul2RK/Iw= -github.com/notaryproject/notation-go v1.3.0-rc.1/go.mod h1:W4o45yolX4Q+3PKlcpGleLLXEKWHa3BshEqw/JX5c6I= +github.com/notaryproject/notation-core-go v1.2.0-rc.2 h1:0jOItalNwBNUhyuc5PPHQxO3jIZ5xRYq+IvRMQXNbuE= +github.com/notaryproject/notation-core-go v1.2.0-rc.2/go.mod h1:7aIcavfywFvBQoYyfVFJB501kt7Etqyubrt5mhJBG2c= +github.com/notaryproject/notation-go v1.3.0-rc.2 h1:uugL3kruAAWPMFoOhjcoPAhUnIqMF1pcc8nIlqOKpeU= +github.com/notaryproject/notation-go v1.3.0-rc.2/go.mod h1:l7C6xVLPy5cBb+6MpsM9iLyFrVYxgS6+QjBdrl/KSY8= github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4= github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics= -github.com/notaryproject/tspclient-go v0.2.0 h1:g/KpQGmyk/h7j60irIRG1mfWnibNOzJ8WhLqAzuiQAQ= -github.com/notaryproject/tspclient-go v0.2.0/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= +github.com/notaryproject/tspclient-go v1.0.0-rc.1 h1:KcHxlqg6Adt4kzGLw012i0YMLlwGwToiR129c6IQ7Ys= +github.com/notaryproject/tspclient-go v1.0.0-rc.1/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs= github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 
h1:Up6+btDp321ZG5/zdSLo48H9Iaq0UQGthrhWC6pCxzE= github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481/go.mod h1:yKZQO8QE2bHlgozqWDiRVqTFlLQSj30K/6SAK8EeYFw= github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= @@ -595,8 +613,8 @@ github.com/owenrumney/go-sarif/v2 v2.3.3 h1:ubWDJcF5i3L/EIOER+ZyQ03IfplbSU1BLOE2 github.com/owenrumney/go-sarif/v2 v2.3.3/go.mod h1:MSqMMx9WqlBSY7pXoOZWgEsVB4FDNfhcaXDA1j6Sr+w= github.com/pborman/uuid v1.2.1 h1:+ZZIw58t/ozdjRaXh/3awHfmWRbzYxJoAdNJxe/3pvw= github.com/pborman/uuid v1.2.1/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k= -github.com/pelletier/go-toml/v2 v2.1.0 h1:FnwAJ4oYMvbT/34k9zzHuZNrhlz48GB3/s6at6/MHO4= -github.com/pelletier/go-toml/v2 v2.1.0/go.mod h1:tJU2Z3ZkXwnxa4DPO899bsyIoywizdUvyaeZurnPPDc= +github.com/pelletier/go-toml/v2 v2.2.2 h1:aYUidT7k73Pcl9nb2gScu7NSrKCSHIDE89b3+6Wq+LM= +github.com/pelletier/go-toml/v2 v2.2.2/go.mod h1:1t835xjRzz80PqgE6HHgN2JOsmgYu/h4qDAS4n929Rs= github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ= github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 
@@ -618,6 +636,8 @@ github.com/protocolbuffers/txtpbfmt v0.0.0-20231025115547-084445ff1adf h1:014O62 github.com/protocolbuffers/txtpbfmt v0.0.0-20231025115547-084445ff1adf/go.mod h1:jgxiZysxFPM+iWKwQwPR+y+Jvo54ARd4EisXxKYpB5c= github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5XpJzTSTfLsJV/mx9Q9g7kxmchpfZyxgzM= github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4= +github.com/redis/go-redis/v9 v9.7.0 h1:HhLSs+B6O021gwzl+locl0zEDnyNkxMtf/Z3NNBMa9E= +github.com/redis/go-redis/v9 v9.7.0/go.mod h1:f6zhXITC7JUJIlPEiBOTXxJgPLdZcA93GewI7inzyWw= github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8= github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= 
@@ -641,18 +661,18 @@ github.com/sigstore/cosign/v2 v2.2.4 h1:iY4vtEacmu2hkNj1Fh+8EBqBwKs2DHM27/lbNWDF github.com/sigstore/cosign/v2 v2.2.4/go.mod h1:JZlRD2uaEjVAvZ1XJ3QkkZJhTqSDVtLaet+C/TMR81Y= github.com/sigstore/fulcio v1.4.5 h1:WWNnrOknD0DbruuZWCbN+86WRROpEl3Xts+WT2Ek1yc= github.com/sigstore/fulcio v1.4.5/go.mod h1:oz3Qwlma8dWcSS/IENR/6SjbW4ipN0cxpRVfgdsjMU8= -github.com/sigstore/rekor v1.3.6 h1:QvpMMJVWAp69a3CHzdrLelqEqpTM3ByQRt5B5Kspbi8= -github.com/sigstore/rekor v1.3.6/go.mod h1:JDTSNNMdQ/PxdsS49DJkJ+pRJCO/83nbR5p3aZQteXc= -github.com/sigstore/sigstore v1.8.10 h1:r4t+TYzJlG9JdFxMy+um9GZhZ2N1hBTyTex0AHEZxFs= -github.com/sigstore/sigstore v1.8.10/go.mod h1:BekjqxS5ZtHNJC4u3Q3Stvfx2eyisbW/lUZzmPU2u4A= -github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.3 h1:LTfPadUAo+PDRUbbdqbeSl2OuoFQwUFTnJ4stu+nwWw= -github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.3/go.mod h1:QV/Lxlxm0POyhfyBtIbTWxNeF18clMlkkyL9mu45y18= -github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.3 h1:xgbPRCr2npmmsuVVteJqi/ERw9+I13Wou7kq0Yk4D8g= -github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.3/go.mod h1:G4+I83FILPX6MtnoaUdmv/bRGEVtR3JdLeJa/kXdk/0= -github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.3 h1:vDl2fqPT0h3D/k6NZPlqnKFd1tz3335wm39qjvpZNJc= -github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.3/go.mod h1:9uOJXbXEXj+M6QjMKH5PaL5WDMu43rHfbIMgXzA8eKI= -github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.3 h1:h9G8j+Ds21zqqulDbA/R/ft64oQQIyp8S7wJYABYSlg= -github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.3/go.mod h1:zgCeHOuqF6k7A7TTEvftcA9V3FRzB7mrPtHOhXAQBnc= +github.com/sigstore/rekor v1.3.7 h1:Z5UW5TmqbTZnyOFkMRfi32q/CWcxK6VuzIkx+33mbq8= +github.com/sigstore/rekor v1.3.7/go.mod h1:TihqJscZ6L6398x68EHY82t0AOnGYfrQ0siXe3WgbR4= +github.com/sigstore/sigstore v1.8.11 h1:tEqeQqbT+awtM87ec9KEeSUxT/AFvJNawneYJyAkFrQ= +github.com/sigstore/sigstore v1.8.11/go.mod h1:fdrFQosxCQ4wTL5H1NrZcQkqQ72AQbPjtpcL2QOGKV0= 
+github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.10 h1:e5GfVngPjGap/N3ODefayt7vKIPS1/v3hWLZ9+4MrN4= +github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.10/go.mod h1:HOr3AdFPKdND2FNl/sUD5ZifPl1OMJvrbf9xIaaWcus= +github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.10 h1:9tZEpfIL/ewAG9G87AHe3aVoy8Ujos2F1qLfCckX6jQ= +github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.10/go.mod h1:VnIAcitund62R45ezK/dtUeEhuRtB3LsAgJ8m0H34zc= +github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.10 h1:Xre51HdjIIaVo5ox5zyL+6h0tkrx7Ke9Neh7fLmmZK0= +github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.10/go.mod h1:VNfdklQDbyGJog8S7apdxiEfmYmCkKyxrsCL9xprkTY= +github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.10 h1:HjfjL3x3dP2kaGqQHVog974cTcKfzFaGjfZyLQ9KXrg= +github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.10/go.mod h1:jaeEjkTW1p3gUyPjz9lTcT4TydCs208FoyAwIs6bIT4= github.com/sigstore/timestamp-authority v1.2.2 h1:X4qyutnCQqJ0apMewFyx+3t7Tws00JQ/JonBiu3QvLE= github.com/sigstore/timestamp-authority v1.2.2/go.mod h1:nEah4Eq4wpliDjlY342rXclGSO7Kb9hoRrl9tqLW13A= github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0= 
@@ -672,15 +692,15 @@ github.com/spdx/tools-golang v0.5.5 h1:61c0KLfAcNqAjlg6UNMdkwpMernhw3zVRwDZ2x9XO github.com/spdx/tools-golang v0.5.5/go.mod h1:MVIsXx8ZZzaRWNQpUDhC4Dud34edUYJYecciXgrw5vE= github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8= github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY= -github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0= -github.com/spf13/cast v1.6.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= +github.com/spf13/cast v1.7.0 h1:ntdiHjuueXFgm5nzDRdOS4yfT43P5Fnud6DH50rz/7w= +github.com/spf13/cast v1.7.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo= github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM= github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y= github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= -github.com/spf13/viper v1.18.2 h1:LUXCnvUvSM6FXAsj6nnfc8Q2tp1dIgUfY9Kc8GsSOiQ= -github.com/spf13/viper v1.18.2/go.mod h1:EKmWIqdnk5lOcmR72yw6hS+8OPYcwD0jteitLMVB+yk= +github.com/spf13/viper v1.19.0 h1:RWq5SEjt8o25SROyN3z2OrDB9l7RPd3lwTWU8EcEdcI= +github.com/spf13/viper v1.19.0/go.mod h1:GQUN9bilAbhU/jgc1bKs99f/suXKeUMct8Adx5+Ntkg= github.com/spiffe/go-spiffe/v2 v2.2.0 h1:9Vf06UsvsDbLYK/zJ4sYsIsHmMFknUD+feA7IYoWMQY= github.com/spiffe/go-spiffe/v2 v2.2.0/go.mod h1:Urzb779b3+IwDJD2ZbN8fVl3Aa8G4N/PiUe6iXC0XxU= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 
@@ -721,8 +741,8 @@ github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG github.com/transparency-dev/merkle v0.0.2/go.mod h1:pqSy+OXefQ1EDUVmAJ8MUhHB9TXGuzVAT58PqBoHz1A= github.com/vbatts/tar-split v0.11.5 h1:3bHCTIheBm1qFTcgh9oPu+nNBtX+XJIupG/vacinCts= github.com/vbatts/tar-split v0.11.5/go.mod h1:yZbwRsSeGjusneWgA781EKej9HF8vme8okylkAeNKLk= -github.com/veraison/go-cose v1.2.1 h1:Gj4x20D0YP79J2+cK3anjGEMwIkg2xX+TKVVGUXwNAc= -github.com/veraison/go-cose v1.2.1/go.mod h1:t6V8WJzHm1PD5HNsuDjW3KLv577uWb6UTzbZGvdQHD8= +github.com/veraison/go-cose v1.3.0 h1:2/H5w8kdSpQJyVtIhx8gmwPJ2uSz1PkyWFx0idbd7rk= +github.com/veraison/go-cose v1.3.0/go.mod h1:df09OV91aHoQWLmy1KsDdYiagtXgyAwAl8vFeFn1gMc= github.com/vmihailenco/msgpack/v4 v4.3.12/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+NXzzngzBKDPIqw4= github.com/vmihailenco/tagparser v0.1.1/go.mod h1:OeAg3pn3UbLjkWt+rN9oFYB6u/cQgqMEUPoW2WPyhdI= github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= 
@@ -763,30 +783,30 @@ go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd go.mongodb.org/mongo-driver v1.14.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.52.0 h1:vS1Ao/R55RNV4O7TA2Qopok8yN+X0LIP6RVWLFkprck= -go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.52.0/go.mod h1:BMsdeOxN04K0L5FNUBfjFdvwWGNe/rkmSwH4Aelu/X0= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA= -go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg= -go.opentelemetry.io/otel v1.28.0 h1:/SqNcYk+idO0CxKEUOtKQClMK/MimZihKYMruSMViUo= -go.opentelemetry.io/otel v1.28.0/go.mod h1:q68ijF8Fc8CnMHKyzqL6akLO46ePnjkgfIMIjUIX9z4= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.54.0 h1:r6I7RJCN86bpD/FQwedZ0vSixDpwuWREjW9oRMsmqDc= +go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.54.0/go.mod h1:B9yO6b04uB80CzjedvewuqDhxJxi11s7/GtiGa8bAjI= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 h1:TT4fX+nBOA/+LUkobKGW1ydGcn+G3vRw9+g5HwCphpk= +go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0/go.mod h1:L7UH0GbB0p47T4Rri3uHjbpCFYrVrwc1I25QhNPiGK8= +go.opentelemetry.io/otel v1.29.0 h1:PdomN/Al4q/lN6iBJEN3AwPvUiHPMlt93c8bqTG5Llw= +go.opentelemetry.io/otel v1.29.0/go.mod h1:N/WtXPs1CNCUEx+Agz5uouwCba+i+bJGFicT8SR4NP8= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 h1:3Q/xZUyC1BBkualc9ROb4G8qkH90LXEIICcs5zv1OYY= go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0/go.mod h1:s75jGIWA9OfCMzF0xr+ZgfrB5FEbbV7UuYo32ahUiFI= 
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0 h1:R3X6ZXmNPRR8ul6i3WgFURCHzaXjHdm0karRG/+dj3s= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0/go.mod h1:QWFXnDavXWwMx2EEcZsf3yxgEKAqsxQ+Syjp+seyInw= go.opentelemetry.io/otel/exporters/prometheus v0.49.0 h1:Er5I1g/YhfYv9Affk9nJLfH/+qCCVVg1f2R9AbJfqDQ= go.opentelemetry.io/otel/exporters/prometheus v0.49.0/go.mod h1:KfQ1wpjf3zsHjzP149P4LyAwWRupc6c7t1ZJ9eXpKQM= -go.opentelemetry.io/otel/metric v1.28.0 h1:f0HGvSl1KRAU1DLgLGFjrwVyismPlnuU6JD6bOeuA5Q= -go.opentelemetry.io/otel/metric v1.28.0/go.mod h1:Fb1eVBFZmLVTMb6PPohq3TO9IIhUisDsbJoL/+uQW4s= +go.opentelemetry.io/otel/metric v1.29.0 h1:vPf/HFWTNkPu1aYeIsc98l4ktOQaL6LeSoeV2g+8YLc= +go.opentelemetry.io/otel/metric v1.29.0/go.mod h1:auu/QWieFVWx+DmQOUMgj0F8LHWdgalxXqvp7BII/W8= go.opentelemetry.io/otel/sdk v1.28.0 h1:b9d7hIry8yZsgtbmM0DKyPWMMUMlK9NEKuIG4aBqWyE= go.opentelemetry.io/otel/sdk v1.28.0/go.mod h1:oYj7ClPUA7Iw3m+r7GeEjz0qckQRJK2B8zjcZEfu7Pg= go.opentelemetry.io/otel/sdk/metric v1.27.0 h1:5uGNOlpXi+Hbo/DRoI31BSb1v+OGcpv2NemcCrOL8gI= go.opentelemetry.io/otel/sdk/metric v1.27.0/go.mod h1:we7jJVrYN2kh3mVBlswtPU22K0SA+769l93J6bsyvqw= -go.opentelemetry.io/otel/trace v1.28.0 h1:GhQ9cUuQGmNDd5BTCP2dAvv75RdMxEfTmYejp+lkx9g= -go.opentelemetry.io/otel/trace v1.28.0/go.mod h1:jPyXzNPg6da9+38HEwElrQiHlVMTnVfM3/yv2OlIHaI= +go.opentelemetry.io/otel/trace v1.29.0 h1:J/8ZNK4XgR7a21DZUAsbF8pZ5Jcw1VhACmnYt39JTi4= +go.opentelemetry.io/otel/trace v1.29.0/go.mod h1:eHl3w0sp3paPkYstJOmAimxhiFXPg+MMTlEh3nsQgWQ= go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0= go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8= -go.step.sm/crypto v0.44.2 h1:t3p3uQ7raP2jp2ha9P6xkQF85TJZh+87xmjSLaib+jk= -go.step.sm/crypto v0.44.2/go.mod h1:x1439EnFhadzhkuaGX7sz03LEMQ+jV4gRamf5LCZJQQ= +go.step.sm/crypto v0.54.2 h1:3LSA5nYDQvcd484OSx7xsS3XDqQ7/WZjVqvq0+a0fWc= +go.step.sm/crypto 
v0.54.2/go.mod h1:1+OjUozd5aA3TkBJfr5Aobd6vNt9F70n1DagcoBh3Pc= go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE= go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= @@ -813,11 +833,11 @@ golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU= golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= -golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw= -golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U= +golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U= +golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= -golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3 h1:hNQpMuAJe5CtcUqCXaWga3FHu+kQvCqcsoVaQgSV60o= -golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3/go.mod h1:idGWGoKP1toJGkd5/ig9ZLuPcZBC3ewk7SzmH0uou08= +golang.org/x/exp v0.0.0-20240325151524-a685a6edb6d8 h1:aAcj0Da7eBAtrTp03QXWvm88pSyOt+UgdZw2BFZ+lEw= +golang.org/x/exp v0.0.0-20240325151524-a685a6edb6d8/go.mod h1:CQ1k9gNrJ50XIzaKCRR2hssIjF07kZFEiieALBM/ARQ= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU= golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= 
@@ -825,8 +845,8 @@ golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= -golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0= -golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY= +golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4= +golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -859,11 +879,11 @@ golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44= golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= -golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo= -golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0= +golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo= +golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= -golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs= -golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= +golang.org/x/oauth2 v0.24.0 h1:KTBBxWqUa0ykRPLtV69rRto9TLXcqYkeswu48x/gvNE= +golang.org/x/oauth2 v0.24.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -872,8 +892,8 @@ golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ= -golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= +golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ= +golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= @@ -909,8 +929,8 @@ golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= -golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo= -golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA= +golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= 
@@ -923,8 +943,8 @@ golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0= golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY= golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk= golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58= -golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24= -golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M= +golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q= +golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= 
@@ -938,10 +958,10 @@ golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8= golang.org/x/text v0.10.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= -golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM= -golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= -golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U= -golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= +golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo= +golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ= +golang.org/x/time v0.8.0 h1:9i3RxcPv3PZnitoVGMPDKZSq1xW1gK1Xy3ArNOGZfEg= +golang.org/x/time v0.8.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY= 
@@ -965,25 +985,25 @@ golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8= gomodules.xyz/jsonpatch/v2 v2.3.0 h1:8NFhfS6gzxNqjLIYnZxg319wZ5Qjnx4m/CcX+Klzazc= gomodules.xyz/jsonpatch/v2 v2.3.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY= -google.golang.org/api v0.172.0 h1:/1OcMZGPmW1rX2LCu2CmGUD1KXK1+pfzxotxyRUCCdk= -google.golang.org/api v0.172.0/go.mod h1:+fJZq6QXWfa9pXhnIzsjx4yI22d4aI9ZpLb58gvXjis= +google.golang.org/api v0.206.0 h1:A27GClesCSheW5P2BymVHjpEeQ2XHH8DI8Srs2HI2L8= +google.golang.org/api v0.206.0/go.mod h1:BtB8bfjTYIrai3d8UyvPmV9REGgox7coh+ZRwm0b+W8= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4= google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc= -google.golang.org/genproto v0.0.0-20240311173647-c811ad7063a7 h1:ImUcDPHjTrAqNhlOkSocDLfG9rrNHH7w7uoKWPaWZ8s= -google.golang.org/genproto v0.0.0-20240311173647-c811ad7063a7/go.mod h1:/3XmxOjePkvmKrHuBy4zNFw7IzxJXtAgdpXi8Ll990U= -google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 h1:0+ozOGcrp+Y8Aq8TLNN2Aliibms5LEzsq99ZZmAGYm0= -google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094/go.mod h1:fJ/e3If/Q67Mj99hin0hMhiNyCRmt6BQ2aWIJshUSJw= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 h1:BwIjyKYGsK9dMCBOorzRri8MQwmi7mT9rGHsCEinZkA= -google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY= +google.golang.org/genproto 
v0.0.0-20241104194629-dd2ea8efbc28 h1:KJjNNclfpIkVqrZlTWcgOOaVQ00LdBnoEaRfkUx760s= +google.golang.org/genproto v0.0.0-20241104194629-dd2ea8efbc28/go.mod h1:mt9/MofW7AWQ+Gy179ChOnvmJatV8YHUmrcedo9CIFI= +google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28 h1:M0KvPgPmDZHPlbRbaNU1APr28TvwvvdUPlSv7PUvy8g= +google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28/go.mod h1:dguCy7UOdZhTvLzDyt15+rOrawrpM4q7DD9dQ1P11P4= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28 h1:XVhgTWWV3kGQlwJHR3upFWZeTsei6Oks1apkZSeonIE= +google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg= google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY= google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= -google.golang.org/grpc v1.66.3 h1:TWlsh8Mv0QI/1sIbs1W36lqRclxrmF+eFJ4DbI0fuhA= -google.golang.org/grpc v1.66.3/go.mod h1:s3/l6xSSCURdVfAnL+TqCNMyTDAGN6+lZeVxnZR128Y= +google.golang.org/grpc v1.68.1 h1:oI5oTa11+ng8r8XMMN7jAOmWfPZWbYpCFaMUTACxkM0= +google.golang.org/grpc v1.68.1/go.mod h1:+q1XYFJjShcqn0QZHvCyeR4CXPA+llXIeUIfIe00waw= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0= google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM= 
@@ -992,8 +1012,8 @@ google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzi google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg= -google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw= +google.golang.org/protobuf v1.35.2 h1:8Ar7bF+apOIoThw1EdZl0p1oWvMqTHmpA2fRTyZO8io= +google.golang.org/protobuf v1.35.2/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= 
@@ -1030,22 +1050,22 @@ k8s.io/client-go v0.28.15 h1:+g6Ub+i6tacV3tYJaoyK6bizpinPkamcEwsiKyHcIxc= k8s.io/client-go v0.28.15/go.mod h1:/4upIpTbhWQVSXKDqTznjcAegj2Bx73mW/i0aennJrY= k8s.io/component-base v0.27.7 h1:kngM58HR9W9Nqpv7e4rpdRyWnKl/ABpUhLAZ+HoliMs= k8s.io/component-base v0.27.7/go.mod h1:YGjlCVL1oeKvG3HSciyPHFh+LCjIEqsxz4BDR3cfHRs= -k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw= -k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= +k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk= +k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE= k8s.io/kube-aggregator v0.27.2 h1:jfHoPip+qN/fn3OcrYs8/xMuVYvkJHKo0H0DYciqdns= k8s.io/kube-aggregator v0.27.2/go.mod h1:mwrTt4ESjQ7A6847biwohgZWn8P/KzSFHegEScbSGY4= k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780= k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA= -k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI= -k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 h1:jgGTlFYnhF1PM1Ax/lAlxUPE+KfCIXHaathvJg1C3ak= +k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= oras.land/oras-go/v2 v2.5.0 h1:o8Me9kLY74Vp5uw07QXPiitjsw7qNXi8Twd+19Zf02c= oras.land/oras-go/v2 v2.5.0/go.mod h1:z4eisnLP530vwIOUOJeBIj0aGI0L1C3d53atvCBqZHg= sigs.k8s.io/controller-runtime v0.15.3 h1:L+t5heIaI3zeejoIyyvLQs5vTVu/67IU2FfisVzFlBc= sigs.k8s.io/controller-runtime v0.15.3/go.mod h1:kp4jckA4vTx281S/0Yk2LFEEQe67mjg+ev/yknv47Ds= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= 
-sigs.k8s.io/release-utils v0.7.7 h1:JKDOvhCk6zW8ipEOkpTGDH/mW3TI+XqtPp16aaQ79FU= -sigs.k8s.io/release-utils v0.7.7/go.mod h1:iU7DGVNi3umZJ8q6aHyUFzsDUIaYwNnNKGHo3YE5E3s= +sigs.k8s.io/release-utils v0.8.5 h1:FUtFqEAN621gSXv0L7kHyWruBeS7TUU9aWf76olX7uQ= +sigs.k8s.io/release-utils v0.8.5/go.mod h1:qsm5bdxdgoHkD8HsXpgme2/c3mdsNaiV53Sz2HmKeJA= sigs.k8s.io/structured-merge-diff/v4 v4.3.0 h1:UZbZAZfX0wV2zr7YZorDz6GXROfDFj6LvqCRm4VUVKk= sigs.k8s.io/structured-merge-diff/v4 v4.3.0/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= diff --git a/helmfile.yaml b/helmfile.yaml index 6e142d469..88e536d8d 100644 --- a/helmfile.yaml +++ b/helmfile.yaml @@ -9,7 +9,7 @@ releases: namespace: gatekeeper-system createNamespace: true chart: gatekeeper/gatekeeper - version: 3.17.0 + version: 3.18.0 wait: true set: - name: enableExternalData diff --git a/high-availability.helmfile.yaml b/high-availability.helmfile.yaml index e43ff3d0c..311cd3e3d 100644 --- a/high-availability.helmfile.yaml +++ b/high-availability.helmfile.yaml @@ -13,13 +13,13 @@ releases: namespace: dapr-system createNamespace: true chart: dapr/dapr - version: 1.13.2 + version: 1.14.4 wait: true - name: gatekeeper namespace: gatekeeper-system createNamespace: true chart: gatekeeper/gatekeeper - version: 3.17.0 + version: 3.18.0 wait: true set: - name: enableExternalData diff --git a/httpserver/Dockerfile b/httpserver/Dockerfile index 87cdeacec..c02233f82 100644 --- a/httpserver/Dockerfile +++ b/httpserver/Dockerfile @@ -11,7 +11,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM --platform=$BUILDPLATFORM golang:1.22@sha256:4cfe4a9a7ff5817f93e70bcc016ea269401290ec9bd9509b4f0a2dd553640944 as builder +FROM --platform=$BUILDPLATFORM golang:1.23@sha256:574185e5c6b9d09873f455a7c205ea0514bfd99738c5dc7750196403a44ed4b7 as builder ARG TARGETPLATFORM ARG TARGETOS 
@@ -41,7 +41,7 @@ RUN if [ "$build_licensechecker" = "true" ]; then go build -o /app/out/plugins/ RUN if [ "$build_schemavalidator" = "true" ]; then go build -o /app/out/plugins/ /app/plugins/verifier/schemavalidator; fi RUN if [ "$build_vulnerabilityreport" = "true" ]; then go build -o /app/out/plugins/ /app/plugins/verifier/vulnerabilityreport; fi -FROM gcr.io/distroless/static:nonroot@sha256:3a03fc0826340c7deb82d4755ca391bef5adcedb8892e58412e1a6008199fa91 +FROM gcr.io/distroless/static:nonroot@sha256:6cd937e9155bdfd805d1b94e037f9d6a899603306030936a3b11680af0c2ed58 LABEL org.opencontainers.image.source https://github.com/ratify-project/ratify ARG RATIFY_FOLDER=$HOME/.ratify/ diff --git a/httpserver/server.go b/httpserver/server.go index 782e3c83d..10fcb87ee 100644 --- a/httpserver/server.go +++ b/httpserver/server.go @@ -140,7 +140,9 @@ func (server *Server) Run(certRotatorReady chan struct{}) error { } if server.CertDirectory != "" { - <-certRotatorReady + if certRotatorReady != nil { + <-certRotatorReady + } certFile := filepath.Join(server.CertDirectory, certName) keyFile := filepath.Join(server.CertDirectory, keyName) diff --git a/pkg/certificateprovider/azurekeyvault/auth.go b/pkg/certificateprovider/azurekeyvault/auth.go index b347000e7..9323f4607 100644 --- a/pkg/certificateprovider/azurekeyvault/auth.go +++ b/pkg/certificateprovider/azurekeyvault/auth.go @@ -18,16 +18,10 @@ package azurekeyvault // This class is based on implementation from azure secret store csi provider // Source: https://github.com/Azure/secrets-store-csi-driver-provider-azure/tree/release-1.4/pkg/auth import ( - "context" "encoding/json" "fmt" "strconv" - "strings" "time" - - "github.com/ratify-project/ratify/pkg/utils/azureauth" - - "github.com/Azure/go-autorest/autorest" ) const ( 
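Review bot: The nil guard on the receive changes Run's contract silently: a nil `certRotatorReady` used to block forever, and now the server goes straight on to build `certFile`/`keyFile` without waiting for any rotator, so a caller that passes nil by accident gets a TLS listener that depends on the files already being present in `CertDirectory`. Document the intent next to the guard, for example `// A nil channel means no certificate rotator is wired up; the cert and key files must already exist in CertDirectory.`, so a nil here reads as a deliberate choice rather than an uninitialised channel. Run starts and ends outside the hunk, so I cannot see whether a missing file is surfaced as an error further down; worth confirming that it is.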
@@ -41,44 +35,6 @@ const ( DefaultTokenAudience = "api://AzureADTokenExchange" //nolint ) -// authResult contains the subset of results from token acquisition operation in ConfidentialClientApplication -// For details see https://aka.ms/msal-net-authenticationresult -type authResult struct { - accessToken string - expiresOn time.Time - grantedScopes []string - declinedScopes []string -} - -func getAuthorizerForWorkloadIdentity(ctx context.Context, tenantID, clientID, resource string) (autorest.Authorizer, error) { - scope := resource - // .default needs to be added to the scope - if !strings.Contains(resource, ".default") { - scope = fmt.Sprintf("%s/.default", resource) - } - - result, err := azureauth.GetAADAccessToken(ctx, tenantID, clientID, scope) - if err != nil { - return nil, fmt.Errorf("failed to acquire token: %w", err) - } - - if _, err = parseExpiresOn(result.ExpiresOn.UTC().Local().Format(expiresOnDateFormat)); err != nil { - return nil, fmt.Errorf("failed to parse expires_on: %w", err) - } - - return autorest.NewBearerAuthorizer(authResult{ - accessToken: result.AccessToken, - expiresOn: result.ExpiresOn, - grantedScopes: result.GrantedScopes, - declinedScopes: result.DeclinedScopes, - }), nil -} - -// OAuthToken implements the OAuthTokenProvider interface. It returns the current access token. -func (ar authResult) OAuthToken() string { - return ar.accessToken -} - // Vendored from https://github.com/Azure/go-autorest/blob/79575dd7ba2e88e7ce7ab84e167ec6653dcb70c1/autorest/adal/token.go // converts expires_on to the number of seconds func parseExpiresOn(s interface{}) (json.Number, error) { diff --git a/pkg/certificateprovider/azurekeyvault/provider.go b/pkg/certificateprovider/azurekeyvault/provider.go index 6565bca07..d93dccb6c 100644 --- a/pkg/certificateprovider/azurekeyvault/provider.go +++ b/pkg/certificateprovider/azurekeyvault/provider.go 
@@ -34,8 +34,9 @@ import ( "github.com/ratify-project/ratify/pkg/metrics" "golang.org/x/crypto/pkcs12" - kv "github.com/Azure/azure-sdk-for-go/services/keyvault/v7.1/keyvault" - "github.com/Azure/go-autorest/autorest/azure" + "github.com/Azure/azure-sdk-for-go/sdk/azcore" + "github.com/Azure/azure-sdk-for-go/sdk/azidentity" + "github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets" "gopkg.in/yaml.v2" ) @@ -65,7 +66,6 @@ func Create() certificateprovider.CertificateProvider { // get certificate retrieve the entire cert chain using getSecret API call func (s *akvCertProvider) GetCertificates(ctx context.Context, attrib map[string]string) ([]*x509.Certificate, certificateprovider.CertificatesStatus, error) { keyvaultURI := types.GetKeyVaultURI(attrib) - cloudName := types.GetCloudName(attrib) tenantID := types.GetTenantID(attrib) workloadIdentityClientID := types.GetClientID(attrib) @@ -79,11 +79,6 @@ func (s *akvCertProvider) GetCertificates(ctx context.Context, attrib map[string return nil, nil, re.ErrorCodeConfigInvalid.NewError(re.CertProvider, providerName, re.AKVLink, nil, "clientID is not set", re.HideStackTrace) } - azureCloudEnv, err := parseAzureEnvironment(cloudName) - if err != nil { - return nil, nil, re.ErrorCodeConfigInvalid.NewError(re.CertProvider, providerName, re.EmptyLink, nil, fmt.Sprintf("cloudName %s is not valid", cloudName), re.HideStackTrace) - } - keyVaultCerts, err := getKeyvaultRequestObj(ctx, attrib) if err != nil { return nil, nil, re.ErrorCodeConfigInvalid.NewError(re.CertProvider, providerName, re.AKVLink, err, "failed to get keyvault request object from provider attributes", re.HideStackTrace) 
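Review bot: Dropping the `cloudName` handling here (and `parseAzureEnvironment` in the `@@ -195` hunk of this file) removes sovereign-cloud support without rejecting the attribute: `types.GetCloudName` is no longer read, so a config that still sets `cloudName` is accepted, and the new `azidentity.NewWorkloadIdentityCredential` call will, as far as I know azidentity's defaults, use the public-cloud authority unless `ClientOptions.Cloud` is set. Either fail closed for now, `if cloudName := types.GetCloudName(attrib); cloudName != "" { return nil, nil, re.ErrorCodeConfigInvalid.NewError(re.CertProvider, providerName, re.EmptyLink, nil, "cloudName is not supported by this provider", re.HideStackTrace) }` before the `keyVaultCerts` lookup, or thread the value through to `initializeKvClient` and map it onto the credential's `ClientOptions.Cloud`. A startup config error is far easier to diagnose than token requests quietly going to the wrong authority. GetCertificates begins and ends outside this hunk.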
@@ -93,9 +88,10 @@ func (s *akvCertProvider) GetCertificates(ctx context.Context, attrib map[string return nil, nil, re.ErrorCodeConfigInvalid.NewError(re.CertProvider, providerName, re.EmptyLink, nil, "no keyvault certificate configured", re.HideStackTrace) } - logger.GetLogger(ctx, logOpt).Debugf("vaultURI %s", keyvaultURI) - - kvClient, err := initializeKvClient(ctx, azureCloudEnv.KeyVaultEndpoint, tenantID, workloadIdentityClientID) + // credProvider is nil, so we will create a new workload identity credential inside the function + // For testing purposes, we can pass in a mock credential provider + var credProvider azcore.TokenCredential + secretKVClient, err := initializeKvClient(keyvaultURI, tenantID, workloadIdentityClientID, credProvider) if err != nil { return nil, nil, re.ErrorCodePluginInitFailure.NewError(re.CertProvider, providerName, re.AKVLink, err, "failed to get keyvault client", re.HideStackTrace) } @@ -108,11 +104,12 @@ func (s *akvCertProvider) GetCertificates(ctx context.Context, attrib map[string // fetch the object from Key Vault // GetSecret is required so we can fetch the entire cert chain. See issue https://github.com/ratify-project/ratify/issues/695 for details startTime := time.Now() - secretBundle, err := kvClient.GetSecret(ctx, keyvaultURI, keyVaultCert.CertificateName, keyVaultCert.CertificateVersion) + secretResponse, err := secretKVClient.GetSecret(ctx, keyVaultCert.CertificateName, keyVaultCert.CertificateVersion, nil) if err != nil { return nil, nil, fmt.Errorf("failed to get secret objectName:%s, objectVersion:%s, error: %w", keyVaultCert.CertificateName, keyVaultCert.CertificateVersion, err) } + secretBundle := secretResponse.SecretBundle certResult, certProperty, err := getCertsFromSecretBundle(ctx, secretBundle, keyVaultCert.CertificateName) 
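Review bot: `var credProvider azcore.TokenCredential` exists only to pass a nil interface into `initializeKvClient`, and the comment above it talks about tests even though nothing in this function can inject a credential. Pass the literal and keep the why in one line: `// nil credential: initializeKvClient builds a workload identity credential from tenantID/clientID` followed by `secretKVClient, err := initializeKvClient(keyvaultURI, tenantID, workloadIdentityClientID, nil)`. The removed `Debugf("vaultURI %s", keyvaultURI)` was the only place in view where the resolved vault URI is logged; if it is not logged elsewhere, consider keeping it, since it is the first thing needed when a GetSecret call fails against an unexpected vault. GetCertificates continues outside the hunk.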
@@ -195,42 +192,39 @@ func formatKeyVaultCertificate(object *types.KeyVaultCertificate) { } } -// parseAzureEnvironment returns azure environment by name -func parseAzureEnvironment(cloudName string) (*azure.Environment, error) { - var env azure.Environment - var err error - if cloudName == "" { - env = azure.PublicCloud - } else { - env, err = azure.EnvironmentFromName(cloudName) - } - return &env, err -} - -func initializeKvClient(ctx context.Context, keyVaultEndpoint, tenantID, clientID string) (*kv.BaseClient, error) { - kvClient := kv.New() +func initializeKvClient(keyVaultEndpoint, tenantID, clientID string, credProvider azcore.TokenCredential) (*azsecrets.Client, error) { + // Trim any trailing slash from the endpoint kvEndpoint := strings.TrimSuffix(keyVaultEndpoint, "/") - err := kvClient.AddToUserAgent("ratify") - if err != nil { - return nil, re.ErrorCodeConfigInvalid.NewError(re.CertProvider, providerName, re.AKVLink, err, "failed to add user agent to keyvault client", re.HideStackTrace) + // If credProvider is nil, create the default credential + if credProvider == nil { + var err error + credProvider, err = azidentity.NewWorkloadIdentityCredential(&azidentity.WorkloadIdentityCredentialOptions{ + ClientID: clientID, + TenantID: tenantID, + }) + if err != nil { + return nil, re.ErrorCodeAuthDenied.WithDetail("failed to create workload identity credential").WithError(err) + } } - kvClient.Authorizer, err = getAuthorizerForWorkloadIdentity(ctx, tenantID, clientID, kvEndpoint) + // create azsecrets client + secretKVClient, err := azsecrets.NewClient(kvEndpoint, credProvider, nil) if err != nil { - return nil, re.ErrorCodeAuthDenied.NewError(re.CertProvider, providerName, re.AKVLink, err, "failed to get authorizer for keyvault client", re.HideStackTrace) + return nil, re.ErrorCodeConfigInvalid.WithDetail("Failed to create Key Vault client").WithError(err) } - return &kvClient, nil + + return secretKVClient, nil } // Parse the secret bundle and return an 
array of certificates // In a certificate chain scenario, all certificates from root to leaf will be returned -func getCertsFromSecretBundle(ctx context.Context, secretBundle kv.SecretBundle, certName string) ([]*x509.Certificate, []map[string]string, error) { +func getCertsFromSecretBundle(ctx context.Context, secretBundle azsecrets.SecretBundle, certName string) ([]*x509.Certificate, []map[string]string, error) { if secretBundle.ContentType == nil || secretBundle.Value == nil || secretBundle.ID == nil { return nil, nil, re.ErrorCodeCertInvalid.NewError(re.CertProvider, providerName, re.EmptyLink, nil, "found invalid secret bundle for certificate %s, contentType, value, and id must not be nil", re.HideStackTrace) } - version := getObjectVersion(*secretBundle.ID) + version := getObjectVersion(string(*secretBundle.ID)) // This aligns with notation akv implementation // akv plugin supports both PKCS12 and PEM. https://github.com/Azure/notation-azure-kv/blob/558e7345ef8318783530de6a7a0a8420b9214ba8/Notation.Plugin.AzureKeyVault/KeyVault/KeyVaultClient.cs#L192 diff --git a/pkg/certificateprovider/azurekeyvault/provider_test.go b/pkg/certificateprovider/azurekeyvault/provider_test.go index f11f31eed..35b03c4bd 100644 --- a/pkg/certificateprovider/azurekeyvault/provider_test.go +++ b/pkg/certificateprovider/azurekeyvault/provider_test.go 
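Review bot: The rewrite of `initializeKvClient` drops the `AddToUserAgent("ratify")` call without a replacement, so requests from the azsecrets client now carry only the SDK's default User-Agent and Key Vault diagnostic logs no longer attribute reads to Ratify. `azsecrets.NewClient` takes options for this: replace the trailing `nil` with `&azsecrets.ClientOptions{ClientOptions: azcore.ClientOptions{Telemetry: policy.TelemetryOptions{ApplicationID: "ratify"}}}` (needs the `sdk/azcore/policy` import). The first parameter is still named `keyVaultEndpoint`, although the caller in the `@@ -93` hunk now passes the vault URI itself rather than the cloud's Key Vault endpoint suffix; renaming it `vaultURI` would match what `azsecrets.NewClient` expects. The hunk runs on into `getCertsFromSecretBundle`, whose body ends outside it.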
@@ -19,40 +19,19 @@ package azurekeyvault // Source: https://github.com/Azure/secrets-store-csi-driver-provider-azure/tree/release-1.4/pkg/provider import ( "context" + "errors" "reflect" - "strings" "testing" "time" - kv "github.com/Azure/azure-sdk-for-go/services/keyvault/v7.1/keyvault" - "github.com/Azure/go-autorest/autorest/azure" - "github.com/ratify-project/ratify/internal/version" + "github.com/Azure/azure-sdk-for-go/sdk/azidentity" + "github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets" "github.com/ratify-project/ratify/pkg/certificateprovider/azurekeyvault/types" "github.com/sirupsen/logrus" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/mock" ) -func TestParseAzureEnvironment(t *testing.T) { - envNamesArray := []string{"AZURECHINACLOUD", "AZUREGERMANCLOUD", "AZUREPUBLICCLOUD", "AZUREUSGOVERNMENTCLOUD", ""} - for _, envName := range envNamesArray { - azureEnv, err := parseAzureEnvironment(envName) - if err != nil { - t.Fatalf("expected no error, got %v", err) - } - if strings.EqualFold(envName, "") && !strings.EqualFold(azureEnv.Name, "AZUREPUBLICCLOUD") { - t.Fatalf("string doesn't match, expected AZUREPUBLICCLOUD, got %s", azureEnv.Name) - } else if !strings.EqualFold(envName, "") && !strings.EqualFold(envName, azureEnv.Name) { - t.Fatalf("string doesn't match, expected %s, got %s", envName, azureEnv.Name) - } - } - - wrongEnvName := "AZUREWRONGCLOUD" - _, err := parseAzureEnvironment(wrongEnvName) - if err == nil { - t.Fatalf("expected error for wrong azure environment name") - } -} - func TestFormatKeyVaultCertificate(t *testing.T) { cases := []struct { desc string 
@@ -93,21 +72,110 @@ func TestFormatKeyVaultCertificate(t *testing.T) { } } -func SkipTestInitializeKVClient(t *testing.T) { - testEnvs := []azure.Environment{ - azure.PublicCloud, - azure.GermanCloud, - azure.ChinaCloud, - azure.USGovernmentCloud, +// Mock clients +type MockAzSecretsClient struct { + mock.Mock +} + +type MockWorkloadIdentityCredential struct { + mock.Mock +} + +// Mock functions +func (m *MockWorkloadIdentityCredential) NewWorkloadIdentityCredential(options *azidentity.WorkloadIdentityCredentialOptions) (*MockWorkloadIdentityCredential, error) { + args := m.Called(options) + return args.Get(0).(*MockWorkloadIdentityCredential), args.Error(1) +} + +func (m *MockAzSecretsClient) NewClient(endpoint string, credential *azidentity.WorkloadIdentityCredential, options *azsecrets.ClientOptions) (*azsecrets.Client, error) { + args := m.Called(endpoint, credential, options) + return args.Get(0).(*azsecrets.Client), args.Error(1) +} + +func TestInitializeKvClient(t *testing.T) { + mockCredential := new(MockWorkloadIdentityCredential) + mockSecretsClient := new(MockAzSecretsClient) + + tests := []struct { + name string + kvEndpoint string + userAgent string + tenantID string + clientID string + mockCredentialErr error + mockSecretsErr error + expectedErr bool + }{ + { + name: "Empty user agent", + kvEndpoint: "https://test.vault.azure.net", + userAgent: "", + expectedErr: true, + }, + { + name: "Auth failure", + kvEndpoint: "https://test.vault.azure.net", + tenantID: "testTenantID", + clientID: "testClientID", + expectedErr: true, + }, + { + name: "credential creation error", + kvEndpoint: "https://test-keyvault.vault.azure.net", + tenantID: "test-tenant-id", + clientID: "test-client-id", + mockCredentialErr: errors.New("failed to create workload identity credential"), + expectedErr: true, + }, + { + name: "azsecrets client creation error", + kvEndpoint: "https://test-keyvault.vault.azure.net", + tenantID: "test-tenant-id", + clientID: "test-client-id", + 
mockSecretsErr: errors.New("failed to create azsecrets client"), + expectedErr: true, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + // Set up mocks + mockCredential.On("NewWorkloadIdentityCredential", mock.Anything).Return(mockCredential, tt.mockCredentialErr) + mockSecretsClient.On("NewClient", tt.kvEndpoint, mockCredential, mock.Anything).Return(mockSecretsClient, tt.mockSecretsErr) + + // Call function under test + secretsClient, err := initializeKvClient(tt.kvEndpoint, tt.tenantID, tt.clientID, nil) + + // Validate expectations + if tt.expectedErr { + assert.Error(t, err) + assert.Nil(t, secretsClient) + } else { + assert.NoError(t, err) + assert.NotNil(t, secretsClient) + } + }) } +} + +func TestInitializeKvClient_Success(t *testing.T) { + // Mock the context and input parameters + keyVaultEndpoint := "https://myvault.vault.azure.net/" + tenantID := "tenant-id" + clientID := "client-id" - for i := range testEnvs { - kvBaseClient, err := initializeKvClient(context.TODO(), testEnvs[i].KeyVaultEndpoint, "", "") - assert.NoError(t, err) - assert.NotNil(t, kvBaseClient) - assert.NotNil(t, kvBaseClient.Authorizer) - assert.Contains(t, kvBaseClient.UserAgent, version.UserAgent) + // Create a mock credential provider + mockCredential, err := azidentity.NewClientSecretCredential(tenantID, clientID, "fake-secret", nil) + if err != nil { + t.Fatalf("Failed to create mock credential: %v", err) } + + // Run the function with the mock credential + kvClientSecrets, err := initializeKvClient(keyVaultEndpoint, tenantID, clientID, mockCredential) + + // Assert the function succeeds without errors and clients are created + assert.NotNil(t, kvClientSecrets) + assert.NoError(t, err) } func TestGetCertificates(t *testing.T) { 
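Review bot: The mocks in `TestInitializeKvClient` never reach the code under test: `initializeKvClient` calls `azidentity.NewWorkloadIdentityCredential` and `azsecrets.NewClient` directly, so the `.On("NewWorkloadIdentityCredential", ...)` and `.On("NewClient", ...)` expectations are never consulted, `mockCredentialErr`/`mockSecretsErr` have no effect, and every case appears to pass only because the real credential constructor fails when the workload-identity environment is absent (and `NewClient`'s `Return(mockSecretsClient, ...)` would panic on the `*azsecrets.Client` type assertion if it were ever called). The `"Empty user agent"` case also exercises behaviour the new function no longer has. I would delete `MockAzSecretsClient`, `MockWorkloadIdentityCredential` and the two `On(...)` lines, keep a single nil-credential case that asserts the error path, and rely on `TestInitializeKvClient_Success` for the injected-credential path; if the constructors must be faked, make them package-level function variables the test swaps. `TestGetCertificates` begins on the hunk's last line and continues outside it.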
@@ -137,15 +205,6 @@ func TestGetCertificates(t *testing.T) { }, expectedErr: true, }, - { - desc: "invalid cloud name", - parameters: map[string]string{ - "vaultUri": "https://testkv.vault.azure.net/", - "tenantID": "tid", - "cloudName": "AzureCloud", - }, - expectedErr: true, - }, { desc: "certificates array not set", parameters: map[string]string{ @@ -261,7 +320,6 @@ func TestGetKeyvaultRequestObj(t *testing.T) { attrib := map[string]string{} attrib["vaultURI"] = "https://testvault.vault.azure.net/" attrib["clientID"] = "TestClient" - attrib["cloudName"] = "TestCloud" attrib["tenantID"] = "TestIDABC" attrib["certificates"] = "array:\n- |\n certificateName: wabbit-networks-io \n certificateVersion: \"testversion\"\n" @@ -280,7 +338,7 @@ func Test(t *testing.T) { desc string value string contentType string - id string + id azsecrets.ID expectedErr bool }{ { @@ -322,7 +380,7 @@ func Test(t *testing.T) { for i, tc := range cases { t.Run(tc.desc, func(t *testing.T) { - testdata := kv.SecretBundle{ + testdata := azsecrets.SecretBundle{ Value: &cases[i].value, ID: &cases[i].id, ContentType: &cases[i].contentType, diff --git a/pkg/certificateprovider/certificate_provider_test.go b/pkg/certificateprovider/certificate_provider_test.go index 78d70c439..2b6309be4 100644 --- a/pkg/certificateprovider/certificate_provider_test.go +++ b/pkg/certificateprovider/certificate_provider_test.go @@ -78,7 +78,7 @@ func TestDecodeCertificates_ByteArrayToCertificates(t *testing.T) { r, err := DecodeCertificates(c1) if err != nil { - t.Fatalf(err.Error()) + t.Fatal(err.Error()) } expectedLen := 1 diff --git a/pkg/controllers/logging.go b/pkg/controllers/logging.go index 7ad3429f6..90abce740 100644 --- a/pkg/controllers/logging.go +++ b/pkg/controllers/logging.go 
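Review bot: In certificate_provider_test.go, `t.Fatal(err.Error())` silences the vet warning about a non-constant format string, but `t.Fatal(err)` is the idiomatic form and prints the same text; worth applying wherever this pattern was rewritten mechanically. The enclosing `TestDecodeCertificates_ByteArrayToCertificates` starts and ends outside the hunk.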
@@ -122,7 +122,7 @@ func (sink *LogrusSink) createEntry(keysAndValues ...interface{}) *logrus.Entry } func (sink *LogrusSink) formatMessage(msg string) string { - if sink.names == nil || len(sink.names) == 0 { + if len(sink.names) == 0 { return msg } diff --git a/pkg/keymanagementprovider/azurekeyvault/auth.go b/pkg/keymanagementprovider/azurekeyvault/auth.go index cd4d248f7..1de94181a 100644 --- a/pkg/keymanagementprovider/azurekeyvault/auth.go +++ b/pkg/keymanagementprovider/azurekeyvault/auth.go @@ -18,16 +18,10 @@ package azurekeyvault // This class is based on implementation from azure secret store csi provider // Source: https://github.com/Azure/secrets-store-csi-driver-provider-azure/tree/release-1.4/pkg/auth import ( - "context" "encoding/json" "fmt" "strconv" - "strings" "time" - - "github.com/ratify-project/ratify/pkg/utils/azureauth" - - "github.com/Azure/go-autorest/autorest" ) const ( 
@@ -41,44 +35,6 @@ const ( DefaultTokenAudience = "api://AzureADTokenExchange" //nolint ) -// authResult contains the subset of results from token acquisition operation in ConfidentialClientApplication -// For details see https://aka.ms/msal-net-authenticationresult -type authResult struct { - accessToken string - expiresOn time.Time - grantedScopes []string - declinedScopes []string -} - -func getAuthorizerForWorkloadIdentity(ctx context.Context, tenantID, clientID, resource string) (autorest.Authorizer, error) { - scope := resource - // .default needs to be added to the scope - if !strings.Contains(resource, ".default") { - scope = fmt.Sprintf("%s/.default", resource) - } - - result, err := azureauth.GetAADAccessToken(ctx, tenantID, clientID, scope) - if err != nil { - return nil, fmt.Errorf("failed to acquire token: %w", err) - } - - if _, err = parseExpiresOn(result.ExpiresOn.UTC().Local().Format(expiresOnDateFormat)); err != nil { - return nil, fmt.Errorf("failed to parse expires_on: %w", err) - } - - return autorest.NewBearerAuthorizer(authResult{ - accessToken: result.AccessToken, - expiresOn: result.ExpiresOn, - grantedScopes: result.GrantedScopes, - declinedScopes: result.DeclinedScopes, - }), nil -} - -// OAuthToken implements the OAuthTokenProvider interface. It returns the current access token. -func (ar authResult) OAuthToken() string { - return ar.accessToken -} - // Vendored from https://github.com/Azure/go-autorest/blob/79575dd7ba2e88e7ce7ab84e167ec6653dcb70c1/autorest/adal/token.go // converts expires_on to the number of seconds func parseExpiresOn(s interface{}) (json.Number, error) { diff --git a/pkg/keymanagementprovider/azurekeyvault/provider.go b/pkg/keymanagementprovider/azurekeyvault/provider.go index 22c3fba6a..5a77692d5 100644 --- a/pkg/keymanagementprovider/azurekeyvault/provider.go +++ b/pkg/keymanagementprovider/azurekeyvault/provider.go 
@@ -26,6 +26,8 @@ import ( "encoding/pem" "errors" "fmt" + "io" + "net/http" "strconv" "strings" "time" @@ -33,7 +35,6 @@ import ( "github.com/go-jose/go-jose/v3" re "github.com/ratify-project/ratify/errors" "github.com/ratify-project/ratify/internal/logger" - "github.com/ratify-project/ratify/internal/version" "github.com/ratify-project/ratify/pkg/keymanagementprovider" "github.com/ratify-project/ratify/pkg/keymanagementprovider/azurekeyvault/types" "github.com/ratify-project/ratify/pkg/keymanagementprovider/config" @@ -41,9 +42,11 @@ import ( "github.com/ratify-project/ratify/pkg/metrics" "golang.org/x/crypto/pkcs12" - kv "github.com/Azure/azure-sdk-for-go/services/keyvault/v7.1/keyvault" - "github.com/Azure/go-autorest/autorest" - "github.com/Azure/go-autorest/autorest/azure" + "github.com/Azure/azure-sdk-for-go/sdk/azcore" + "github.com/Azure/azure-sdk-for-go/sdk/azidentity" + "github.com/Azure/azure-sdk-for-go/sdk/keyvault/azcertificates" + "github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys" + "github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets" ) const ( 
@@ -61,54 +64,63 @@ type AKVKeyManagementProviderConfig struct { VaultURI string `json:"vaultURI"` TenantID string `json:"tenantID"` ClientID string `json:"clientID"` - CloudName string `json:"cloudName,omitempty"` Resource string `json:"resource,omitempty"` Certificates []types.KeyVaultValue `json:"certificates,omitempty"` Keys []types.KeyVaultValue `json:"keys,omitempty"` } type akvKMProvider struct { - provider string - vaultURI string - tenantID string - clientID string - cloudName string - resource string - certificates []types.KeyVaultValue - keys []types.KeyVaultValue - cloudEnv *azure.Environment - kvClient kvClient + provider string + vaultURI string + tenantID string + clientID string + resource string + certificates []types.KeyVaultValue + keys []types.KeyVaultValue + keyKVClient keyKVClient + secretKVClient secretKVClient + certificateKVClient certificateKVClient } type akvKMProviderFactory struct{} // kvClient is an interface to interact with the keyvault client used for mocking purposes -type kvClient interface { - // GetCertificate retrieves a certificate from the keyvault - GetCertificate(ctx context.Context, vaultBaseURL string, certificateName string, certificateVersion string) (kv.CertificateBundle, error) +type keyKVClient interface { // GetKey retrieves a key from the keyvault - GetKey(ctx context.Context, vaultBaseURL string, keyName string, keyVersion string) (kv.KeyBundle, error) + GetKey(ctx context.Context, keyName string, keyVersion string) (azkeys.GetKeyResponse, error) +} +type secretKVClient interface { // GetSecret retrieves a secret from the keyvault - GetSecret(ctx context.Context, vaultBaseURL string, secretName string, secretVersion string) (kv.SecretBundle, error) + GetSecret(ctx context.Context, secretName string, secretVersion string) (azsecrets.GetSecretResponse, error) +} +type certificateKVClient interface { + // GetCertificate retrieves a certificate from the keyvault + GetCertificate(ctx context.Context, certificateName 
string, certificateVersion string) (azcertificates.GetCertificateResponse, error) } -type kvClientImpl struct { - kv.BaseClient +type keyKVClientImpl struct { + azkeys.Client +} +type secretKVClientImpl struct { + azsecrets.Client +} +type certificateKVClientImpl struct { + azcertificates.Client } // GetCertificate retrieves a certificate from the keyvault -func (c *kvClientImpl) GetCertificate(ctx context.Context, vaultBaseURL string, certificateName string, certificateVersion string) (kv.CertificateBundle, error) { - return c.BaseClient.GetCertificate(ctx, vaultBaseURL, certificateName, certificateVersion) +func (c *certificateKVClientImpl) GetCertificate(ctx context.Context, certificateName string, certificateVersion string) (azcertificates.GetCertificateResponse, error) { + return c.Client.GetCertificate(ctx, certificateName, certificateVersion, nil) } // GetKey retrieves a key from the keyvault -func (c *kvClientImpl) GetKey(ctx context.Context, vaultBaseURL string, keyName string, keyVersion string) (kv.KeyBundle, error) { - return c.BaseClient.GetKey(ctx, vaultBaseURL, keyName, keyVersion) +func (c *keyKVClientImpl) GetKey(ctx context.Context, keyName string, keyVersion string) (azkeys.GetKeyResponse, error) { + return c.Client.GetKey(ctx, keyName, keyVersion, nil) } // GetSecret retrieves a secret from the keyvault -func (c *kvClientImpl) GetSecret(ctx context.Context, vaultBaseURL string, secretName string, secretVersion string) (kv.SecretBundle, error) { - return c.BaseClient.GetSecret(ctx, vaultBaseURL, secretName, secretVersion) +func (c *secretKVClientImpl) GetSecret(ctx context.Context, secretName string, secretVersion string) (azsecrets.GetSecretResponse, error) { + return c.Client.GetSecret(ctx, secretName, secretVersion, nil) } // initKVClient is a function to initialize the keyvault client 
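Review bot: The comment above `keyKVClient` still reads `// kvClient is an interface to interact with the keyvault client used for mocking purposes`, naming the interface this hunk deletes, while `secretKVClient` and `certificateKVClient` get no doc comment at all; change it to `// keyKVClient is an interface to interact with the keyvault keys client, used for mocking purposes` and give the other two the same one-liner. Dropping `CloudName` from `AKVKeyManagementProviderConfig` also means an existing configuration that still carries `cloudName` is, as far as this hunk shows, ignored without any message rather than rejected or warned about; a one-time deprecation warning when the key is present would make the behaviour change visible to operators. The enclosing type and interface declarations are complete here, but the `initKVClient` variable the last context line introduces continues outside the hunk.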
@@ -133,11 +145,6 @@ func (f *akvKMProviderFactory) Create(_ string, keyManagementProviderConfig conf return nil, re.ErrorCodeConfigInvalid.NewError(re.KeyManagementProvider, "", re.EmptyLink, err, "failed to parse AKV key management provider configuration", re.HideStackTrace) } - azureCloudEnv, err := parseAzureEnvironment(conf.CloudName) - if err != nil { - return nil, re.ErrorCodeConfigInvalid.NewError(re.KeyManagementProvider, ProviderName, re.EmptyLink, nil, fmt.Sprintf("cloudName %s is not valid", conf.CloudName), re.HideStackTrace) - } - if len(conf.Certificates) == 0 && len(conf.Keys) == 0 { return nil, re.ErrorCodeConfigInvalid.NewError(re.KeyManagementProvider, ProviderName, re.EmptyLink, nil, "no keyvault certificates or keys configured", re.HideStackTrace) } 
@@ -147,23 +154,25 @@ func (f *akvKMProviderFactory) Create(_ string, keyManagementProviderConfig conf vaultURI: strings.TrimSpace(conf.VaultURI), tenantID: strings.TrimSpace(conf.TenantID), clientID: strings.TrimSpace(conf.ClientID), - cloudName: strings.TrimSpace(conf.CloudName), certificates: conf.Certificates, keys: conf.Keys, - cloudEnv: azureCloudEnv, resource: conf.Resource, } if err := provider.validate(); err != nil { return nil, err } - logger.GetLogger(context.Background(), logOpt).Debugf("vaultURI %s", provider.vaultURI) - - kvClient, err := initKVClient(context.Background(), provider.cloudEnv.KeyVaultEndpoint, provider.tenantID, provider.clientID, version.UserAgent) + // credProvider is nil, so we will create a new workload identity credential inside the function + // For testing purposes, we can pass in a mock credential provider + var credProvider azcore.TokenCredential + keyKVClient, secretKVClient, certificateKVClient, err := initKVClient(provider.vaultURI, provider.tenantID, provider.clientID, credProvider) if err != nil { return nil, re.ErrorCodePluginInitFailure.NewError(re.KeyManagementProvider, ProviderName, re.AKVLink, err, "failed to create keyvault client", re.HideStackTrace) } - provider.kvClient = &kvClientImpl{*kvClient} + + provider.keyKVClient = &keyKVClientImpl{*keyKVClient} + provider.secretKVClient = &secretKVClientImpl{*secretKVClient} + provider.certificateKVClient = &certificateKVClientImpl{*certificateKVClient} return provider, nil } 
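Review bot: `var credProvider azcore.TokenCredential` followed by passing it to `initKVClient` is a roundabout way of passing `nil`, and the two comment lines above it describe the variable rather than the call; `initKVClient(provider.vaultURI, provider.tenantID, provider.clientID, nil)` with `// nil: initKVClient builds a workload identity credential; tests inject a mock credential instead` says the same in one line. The three `&keyKVClientImpl{*keyKVClient}` assignments copy each SDK client struct out of the pointer `initKVClient` returns; embedding `*azkeys.Client`, `*azsecrets.Client` and `*azcertificates.Client` in the impl types would avoid copying values that presumably hold internal pipeline state. The `Debugf("vaultURI %s", ...)` line disappeared together with the old call; if that was deliberate, fine, otherwise it was the only place the resolved vault URI was logged at create time. Create's signature and the start of its body are outside the hunk.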
@@ -174,20 +183,19 @@ func (s *akvKMProvider) GetCertificates(ctx context.Context) (map[keymanagementp certsMap := map[keymanagementprovider.KMPMapKey][]*x509.Certificate{} certsStatus := []map[string]string{} for _, keyVaultCert := range s.certificates { - logger.GetLogger(ctx, logOpt).Debugf("fetching secret from key vault, certName %v, keyvault %v", keyVaultCert.Name, s.vaultURI) + logger.GetLogger(ctx, logOpt).Debugf("fetching secret from key vault, certName %v, certVersion %v, vaultURI: %v", keyVaultCert.Name, keyVaultCert.Version, s.vaultURI) startTime := time.Now() - - // GetSecret is required so we can fetch the entire cert chain. See issue https://github.com/ratify-project/ratify/issues/695 for details - secretBundle, err := s.kvClient.GetSecret(ctx, s.vaultURI, keyVaultCert.Name, keyVaultCert.Version) + secretResponse, err := s.secretKVClient.GetSecret(ctx, keyVaultCert.Name, keyVaultCert.Version) if err != nil { if isSecretDisabledError(err) { // if secret is disabled, get the version of the certificate for status - certBundle, err := s.kvClient.GetCertificate(ctx, s.vaultURI, keyVaultCert.Name, keyVaultCert.Version) + certResponse, err := s.certificateKVClient.GetCertificate(ctx, keyVaultCert.Name, keyVaultCert.Version) if err != nil { return nil, nil, fmt.Errorf("failed to get certificate objectName:%s, objectVersion:%s, error: %w", keyVaultCert.Name, keyVaultCert.Version, err) } - keyVaultCert.Version = getObjectVersion(*certBundle.Kid) + certBundle := certResponse.CertificateBundle + keyVaultCert.Version = getObjectVersion(*certBundle.KID) isEnabled := *certBundle.Attributes.Enabled lastRefreshed := startTime.Format(time.RFC3339) certProperty := getStatusProperty(keyVaultCert.Name, keyVaultCert.Version, lastRefreshed, isEnabled) 
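Review bot: The comment `// GetSecret is required so we can fetch the entire cert chain. See issue https://github.com/ratify-project/ratify/issues/695 for details` was dropped when the call became `s.secretKVClient.GetSecret`, and nothing left in the hunk explains why a certificate is fetched through the secrets API; restore it above the new call. `getObjectVersion(*certBundle.KID)` and `*certBundle.Attributes.Enabled` dereference optional pointer fields of the new SDK response with no nil check, so a bundle without a key id or attributes panics instead of returning an error, and the rewritten lines of the next two hunks repeat the pattern (`*secretBundle.Attributes.Enabled`, `*keyBundle.Attributes.Enabled`, `*keyBundle.Key.KID`). The old code dereferenced the same fields, so this is pre-existing, but the SDK migration is the natural point to guard them, e.g. `if certBundle.KID == nil || certBundle.Attributes == nil || certBundle.Attributes.Enabled == nil { return nil, nil, fmt.Errorf("incomplete certificate bundle for %s", keyVaultCert.Name) }`. GetCertificates starts and ends outside the hunk.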
@@ -196,10 +204,10 @@ func (s *akvKMProvider) GetCertificates(ctx context.Context) (map[keymanagementp keymanagementprovider.DeleteCertificateFromMap(s.resource, mapKey) continue } - return nil, nil, fmt.Errorf("failed to get secret objectName:%s, objectVersion:%s, error: %w", keyVaultCert.Name, keyVaultCert.Version, err) } + secretBundle := secretResponse.SecretBundle isEnabled := *secretBundle.Attributes.Enabled certResult, certProperty, err := getCertsFromSecretBundle(ctx, secretBundle, keyVaultCert.Name, isEnabled) @@ -225,14 +233,14 @@ func (s *akvKMProvider) GetKeys(ctx context.Context) (map[keymanagementprovider. // fetch the key object from Key Vault startTime := time.Now() - keyBundle, err := s.kvClient.GetKey(ctx, s.vaultURI, keyVaultKey.Name, keyVaultKey.Version) + keyResponse, err := s.keyKVClient.GetKey(ctx, keyVaultKey.Name, keyVaultKey.Version) if err != nil { return nil, nil, fmt.Errorf("failed to get key objectName:%s, objectVersion:%s, error: %w", keyVaultKey.Name, keyVaultKey.Version, err) } - + keyBundle := keyResponse.KeyBundle isEnabled := *keyBundle.Attributes.Enabled // if version is set as "" in the config, use the version from the key bundle - keyVaultKey.Version = getObjectVersion(*keyBundle.Key.Kid) + keyVaultKey.Version = getObjectVersion(string(*keyBundle.Key.KID)) if !isEnabled { startTime := time.Now() 
@@ -278,42 +286,53 @@ func getStatusProperty(name, version, lastRefreshed string, enabled bool) map[st return properties } -// parseAzureEnvironment returns azure environment by name -func parseAzureEnvironment(cloudName string) (*azure.Environment, error) { - var env azure.Environment - var err error - if cloudName == "" { - env = azure.PublicCloud - } else { - env, err = azure.EnvironmentFromName(cloudName) +// initializeKvClient creates a new keyvault client for keys, secrets and certificates +// TODO: credProvider in only added to params for testing purposes. Make sure it is handled properly in future +func initializeKvClient(keyVaultURI, tenantID, clientID string, credProvider azcore.TokenCredential) (*azkeys.Client, *azsecrets.Client, *azcertificates.Client, error) { + // Trim any trailing slash from the endpoint + kvEndpoint := strings.TrimSuffix(keyVaultURI, "/") + + // If credProvider is nil, create the default credential + if credProvider == nil { + var err error + credProvider, err = azidentity.NewWorkloadIdentityCredential(&azidentity.WorkloadIdentityCredentialOptions{ + ClientID: clientID, + TenantID: tenantID, + }) + if err != nil { + return nil, nil, nil, re.ErrorCodeAuthDenied.WithDetail("failed to create workload identity credential").WithError(err) + } } - return &env, err -} -func initializeKvClient(ctx context.Context, keyVaultEndpoint, tenantID, clientID, userAgent string) (*kv.BaseClient, error) { - kvClient := kv.New() - kvEndpoint := strings.TrimSuffix(keyVaultEndpoint, "/") + // create azkeys client + keyKVClient, err := azkeys.NewClient(kvEndpoint, credProvider, nil) + if err != nil { + return nil, nil, nil, re.ErrorCodeConfigInvalid.WithDetail("Failed to create keys Key Vault client").WithError(err) + } - err := kvClient.Client.AddToUserAgent(userAgent) + // create azsecrets client + secretKVClient, err := azsecrets.NewClient(kvEndpoint, credProvider, nil) if err != nil { - return nil, re.ErrorCodeConfigInvalid.WithDetail("Failed to add 
user agent to keyvault client.").WithRemediation(re.AKVLink).WithError(err) + return nil, nil, nil, re.ErrorCodeConfigInvalid.WithDetail("Failed to create secrets Key Vault client").WithError(err) } - kvClient.Authorizer, err = getAuthorizerForWorkloadIdentity(ctx, tenantID, clientID, kvEndpoint) + // create azcertificates client + certificateKVClient, err := azcertificates.NewClient(kvEndpoint, credProvider, nil) if err != nil { - return nil, re.ErrorCodeAuthDenied.WithDetail("failed to get authorizer for keyvault client").WithRemediation(re.AKVLink).WithError(err) + return nil, nil, nil, re.ErrorCodeConfigInvalid.WithDetail("Failed to create certificates Key Vault client").WithError(err) } - return &kvClient, nil + + return keyKVClient, secretKVClient, certificateKVClient, nil } // Parse the secret bundle and return an array of certificates // In a certificate chain scenario, all certificates from root to leaf will be returned -func getCertsFromSecretBundle(ctx context.Context, secretBundle kv.SecretBundle, certName string, enabled bool) ([]*x509.Certificate, []map[string]string, error) { +func getCertsFromSecretBundle(ctx context.Context, secretBundle azsecrets.SecretBundle, certName string, enabled bool) ([]*x509.Certificate, []map[string]string, error) { if secretBundle.ContentType == nil || secretBundle.Value == nil || secretBundle.ID == nil { return nil, nil, re.ErrorCodeCertInvalid.NewError(re.KeyManagementProvider, ProviderName, re.EmptyLink, nil, "found invalid secret bundle for certificate %s, contentType, value, and id must not be nil", re.HideStackTrace) } - version := getObjectVersion(*secretBundle.ID) + version := getObjectVersion(string(*secretBundle.ID)) // This aligns with notation akv implementation // akv plugin supports both PKCS12 and PEM. https://github.com/Azure/notation-azure-kv/blob/558e7345ef8318783530de6a7a0a8420b9214ba8/Notation.Plugin.AzureKeyVault/KeyVault/KeyVaultClient.cs#L192 
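Review bot: Building the credential with only `ClientID` and `TenantID` pins token acquisition to the Azure public cloud authority, since `azidentity` uses that default unless `ClientOptions.Cloud` is set (or, I believe, `AZURE_AUTHORITY_HOST` is present in the environment); the `parseAzureEnvironment` path this hunk and the earlier Create hunk remove was how sovereign-cloud deployments selected their environment, so as far as the diff shows they now fail to authenticate even though the vault URI itself already names the right endpoint. Restoring it is small: keep a cloud-name setting and pass `ClientOptions: azcore.ClientOptions{Cloud: <cloud.Configuration chosen from azcore/cloud>}` inside `WorkloadIdentityCredentialOptions`, or at minimum document the environment-variable route in the TODO. That TODO reads `credProvider in only added to params` (should be `is only`). The three `NewClient` failures are reported as `ErrorCodeConfigInvalid` and no longer carry the `WithRemediation(re.AKVLink)` the old errors had; these are the first errors an operator sees on a misconfigured vault, so keeping the link is worthwhile.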
@@ -378,18 +397,24 @@ func getCertsFromSecretBundle(ctx context.Context, secretBundle kv.SecretBundle, } // Based on https://github.com/sigstore/sigstore/blob/8b208f7d608b80a7982b2a66358b8333b1eec542/pkg/signature/kms/azure/client.go#L258 -func getKeyFromKeyBundle(keyBundle kv.KeyBundle) (crypto.PublicKey, error) { +func getKeyFromKeyBundle(keyBundle azkeys.KeyBundle) (crypto.PublicKey, error) { webKey := keyBundle.Key if webKey == nil { return nil, re.ErrorCodeKeyInvalid.NewError(re.KeyManagementProvider, ProviderName, re.EmptyLink, nil, "found invalid key bundle, key must not be nil", re.HideStackTrace) } - keyType := webKey.Kty + if webKey.Kty == nil { + return nil, re.ErrorCodeKeyInvalid.NewError(re.KeyManagementProvider, ProviderName, re.EmptyLink, nil, "found invalid key bundle, keytype must not be nil", re.HideStackTrace) + } + + keyType := *webKey.Kty switch keyType { - case kv.ECHSM: - webKey.Kty = kv.EC - case kv.RSAHSM: - webKey.Kty = kv.RSA + case azkeys.JSONWebKeyTypeECHSM: + ecType := azkeys.JSONWebKeyTypeEC + webKey.Kty = &ecType + case azkeys.JSONWebKeyTypeRSAHSM: + rsaType := azkeys.JSONWebKeyTypeRSA + webKey.Kty = &rsaType } keyBytes, err := json.Marshal(webKey) 
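Review bot: The added nil check on `webKey.Kty` is the right guard, but the HSM-to-software key-type rewrite still writes through `webKey`, which is the pointer `keyBundle.Key`, so the caller's bundle is modified as a side effect of `getKeyFromKeyBundle`. Working on a copy removes the surprise: `wk := *webKey` and then `wk.Kty = &ecType` / `wk.Kty = &rsaType` in the switch, marshalling `wk` instead. The old `webKey.Kty = kv.EC` had the same effect, so this is pre-existing, and the `json.Marshal` call and the rest of the function are outside the hunk.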
@@ -417,15 +442,39 @@ func getObjectVersion(id string) string { } func isSecretDisabledError(err error) bool { - var de autorest.DetailedError - if errors.As(err, &de) { - var re *azure.RequestError - if errors.As(de.Original, &re) { - if re.ServiceError.Code == "SecretDisabled" { - return true - } + // AzureError defines the structure of the error response from Azure Key Vault + // This structure is defined according to https://learn.microsoft.com/en-us/rest/api/keyvault/keys/get-keys/get-keys?view=rest-keyvault-keys-7.4&tabs=HTTP#error + type AzureError struct { + Error struct { + Code string `json:"code"` + Message string `json:"message"` + InnerError struct { + Code string `json:"code"` + } `json:"innererror"` + } `json:"error"` + } + + // Parse err and make sure it is a secretDisabled error and return true + const ErrorCodeForbidden = "Forbidden" + const SecretDisabledCode = "SecretDisabled" + var httpErr *azcore.ResponseError + if errors.As(err, &httpErr) { + if httpErr.StatusCode != http.StatusForbidden { + return false + } + + var azureError AzureError + errorResponseBody, readErr := io.ReadAll(httpErr.RawResponse.Body) + if readErr != nil { + return false + } + jsonErr := json.Unmarshal(errorResponseBody, &azureError) + if jsonErr == nil && azureError.Error.Code == ErrorCodeForbidden && azureError.Error.InnerError.Code == SecretDisabledCode { + return true } } + + // Return false if it's not a secretDisabled error return false } diff --git a/pkg/keymanagementprovider/azurekeyvault/provider_test.go b/pkg/keymanagementprovider/azurekeyvault/provider_test.go index 98effa5c4..9bb444ae6 100644 --- a/pkg/keymanagementprovider/azurekeyvault/provider_test.go +++ b/pkg/keymanagementprovider/azurekeyvault/provider_test.go 
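Review bot: `io.ReadAll(httpErr.RawResponse.Body)` runs without checking that `RawResponse` and its `Body` are non-nil, so an `azcore.ResponseError` constructed without a response (a transport-level failure, or a hand-built error like the ones in the test file) panics inside an error-classification helper; add `if httpErr.RawResponse == nil || httpErr.RawResponse.Body == nil { return false }` before the read. Reading the body here also consumes it for whoever later formats or logs the wrapped error, unless azcore already buffered it when it built the error (I believe it does, but that is worth confirming); if not, reset it from the bytes just read. `io.ReadAll` has no size bound, and an `io.LimitReader` of a few KiB is plenty for an error document. Finally `type AzureError` and the constants `ErrorCodeForbidden` / `SecretDisabledCode` are exported-style names scoped inside the function; lower-case them, or hoist the type to package level where it can be reused by the test file's fixtures.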
@@ -20,61 +20,24 @@ package azurekeyvault import ( "context" "crypto" - "encoding/base64" "errors" + "io" + "net/http" "strings" "testing" "time" - kv "github.com/Azure/azure-sdk-for-go/services/keyvault/v7.1/keyvault" - "github.com/Azure/go-autorest/autorest" - "github.com/Azure/go-autorest/autorest/azure" - "github.com/Azure/go-autorest/autorest/to" - "github.com/ratify-project/ratify/internal/version" + "github.com/Azure/azure-sdk-for-go/sdk/azcore" + "github.com/Azure/azure-sdk-for-go/sdk/azidentity" + "github.com/Azure/azure-sdk-for-go/sdk/keyvault/azcertificates" + "github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys" + "github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets" "github.com/ratify-project/ratify/pkg/keymanagementprovider/azurekeyvault/types" "github.com/ratify-project/ratify/pkg/keymanagementprovider/config" "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/mock" ) -// TestParseAzureEnvironment tests the parseAzureEnvironment function -func TestParseAzureEnvironment(t *testing.T) { - envNamesArray := []string{"AZURECHINACLOUD", "AZUREGERMANCLOUD", "AZUREPUBLICCLOUD", "AZUREUSGOVERNMENTCLOUD", ""} - for _, envName := range envNamesArray { - azureEnv, err := parseAzureEnvironment(envName) - if err != nil { - t.Fatalf("expected no error, got %v", err) - } - if strings.EqualFold(envName, "") && !strings.EqualFold(azureEnv.Name, "AZUREPUBLICCLOUD") { - t.Fatalf("string doesn't match, expected AZUREPUBLICCLOUD, got %s", azureEnv.Name) - } else if !strings.EqualFold(envName, "") && !strings.EqualFold(envName, azureEnv.Name) { - t.Fatalf("string doesn't match, expected %s, got %s", envName, azureEnv.Name) - } - } - - wrongEnvName := "AZUREWRONGCLOUD" - _, err := parseAzureEnvironment(wrongEnvName) - if err == nil { - t.Fatalf("expected error for wrong azure environment name") - } -} - -func SkipTestInitializeKVClient(t *testing.T) { - testEnvs := []azure.Environment{ - azure.PublicCloud, - azure.GermanCloud, - azure.ChinaCloud, - 
azure.USGovernmentCloud, - } - - for i := range testEnvs { - kvBaseClient, err := initializeKvClient(context.TODO(), testEnvs[i].KeyVaultEndpoint, "", "", version.UserAgent) - assert.NoError(t, err) - assert.NotNil(t, kvBaseClient) - assert.NotNil(t, kvBaseClient.Authorizer) - assert.Contains(t, kvBaseClient.UserAgent, version.UserAgent) - } -} - // TestCreate tests the Create function func TestCreate(t *testing.T) { factory := &akvKMProviderFactory{} @@ -118,15 +81,6 @@ func TestCreate(t *testing.T) { }, expectErr: true, }, - { - name: "invalid cloud name", - config: config.KeyManagementProviderConfig{ - "vaultUri": "https://testkv.vault.azure.net/", - "tenantID": "tid", - "cloudName": "AzureCloud", - }, - expectErr: true, - }, { name: "certificates & keys array not set", config: config.KeyManagementProviderConfig{ @@ -178,8 +132,8 @@ func TestCreate(t *testing.T) { } for _, tc := range testCases { t.Run(tc.name, func(t *testing.T) { - initKVClient = func(_ context.Context, _, _, _, _ string) (*kv.BaseClient, error) { - return &kv.BaseClient{}, nil + initKVClient = func(_, _, _ string, _ azcore.TokenCredential) (*azkeys.Client, *azsecrets.Client, *azcertificates.Client, error) { + return &azkeys.Client{}, &azsecrets.Client{}, &azcertificates.Client{}, nil } _, err := factory.Create("v1", tc.config, "") if tc.expectErr != (err != nil) { 
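Review bot: In the `@@ -178` hunk the subtest overwrites the package-level `initKVClient` and never restores it, so the stub outlives TestCreate and any later test in the package that calls `Create` silently gets fake clients; save and restore it with `orig := initKVClient` and `t.Cleanup(func() { initKVClient = orig })` before the override. The stub returns zero-value `&azkeys.Client{}`, `&azsecrets.Client{}` and `&azcertificates.Client{}`, which is enough for Create but would presumably fail if a test ever exercised them, which is one more reason not to leak it. TestCreate's table and loop header are outside the hunk.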
@@ -189,124 +143,205 @@ func TestCreate(t *testing.T) { } } -type MockKvClient struct { - GetCertificateFunc func(ctx context.Context, certificateName string, certificateVersion string, arg string) (kv.CertificateBundle, error) - GetSecretFunc func(ctx context.Context, secretName string, secretVersion string, arg string) (kv.SecretBundle, error) - GetKeyFunc func(ctx context.Context, keyName string, keyVersion string, arg string) (kv.KeyBundle, error) +// TestGetCertificates tests the GetCertificates function +func TestGetCertificates_original(t *testing.T) { + factory := &akvKMProviderFactory{} + config := config.KeyManagementProviderConfig{ + "vaultUri": "https://testkv.vault.azure.net/", + "tenantID": "tid", + "clientID": "clientid", + "certificates": []map[string]interface{}{ + { + "name": "cert1", + "version": "", + }, + }, + } + + provider, err := factory.Create("v1", config, "") + if err != nil { + t.Fatalf("expected no err but got error = %v", err) + } + + certs, certStatus, err := provider.GetCertificates(context.Background()) + assert.NotNil(t, err) + assert.Nil(t, certs) + assert.Nil(t, certStatus) } -func (m *MockKvClient) GetCertificate(ctx context.Context, certificateName string, certificateVersion string, arg string) (kv.CertificateBundle, error) { - if m.GetCertificateFunc != nil { - return m.GetCertificateFunc(ctx, certificateName, certificateVersion, arg) +type MockKeyKVClient struct { + GetKeyFunc func(ctx context.Context, keyName string, keyVersion string) (azkeys.GetKeyResponse, error) +} +type MockSecretKVClient struct { + GetSecretFunc func(ctx context.Context, secretName string, secretVersion string) (azsecrets.GetSecretResponse, error) +} +type MockCertificateKVClient struct { + GetCertificateFunc func(ctx context.Context, certificateName string, certificateVersion string) (azcertificates.GetCertificateResponse, error) +} + +func (m *MockKeyKVClient) GetKey(ctx context.Context, keyName string, keyVersion string) (azkeys.GetKeyResponse, 
error) { + if m.GetKeyFunc != nil { + return m.GetKeyFunc(ctx, keyName, keyVersion) } - return kv.CertificateBundle{}, nil + return azkeys.GetKeyResponse{}, nil } -func (m *MockKvClient) GetSecret(ctx context.Context, secretName string, secretVersion string, arg string) (kv.SecretBundle, error) { +func (m *MockSecretKVClient) GetSecret(ctx context.Context, secretName string, secretVersion string) (azsecrets.GetSecretResponse, error) { if m.GetSecretFunc != nil { - return m.GetSecretFunc(ctx, secretName, secretVersion, arg) + return m.GetSecretFunc(ctx, secretName, secretVersion) } - return kv.SecretBundle{}, nil + return azsecrets.GetSecretResponse{}, nil } -func (m *MockKvClient) GetKey(ctx context.Context, keyName string, keyVersion string, arg string) (kv.KeyBundle, error) { - if m.GetKeyFunc != nil { - return m.GetKeyFunc(ctx, keyName, keyVersion, arg) +func (m *MockCertificateKVClient) GetCertificate(ctx context.Context, certificateName string, certificateVersion string) (azcertificates.GetCertificateResponse, error) { + if m.GetCertificateFunc != nil { + return m.GetCertificateFunc(ctx, certificateName, certificateVersion) } - return kv.KeyBundle{}, nil + return azcertificates.GetCertificateResponse{}, nil +} + +// stringPtr returns a pointer to the given string. +func stringPtr(s string) *string { + return &s +} + +// boolPtr returns a pointer to the given bool. 
+func boolPtr(b bool) *bool { + return &b } // TestGetCertificates tests the GetCertificates function func TestGetCertificates(t *testing.T) { + certID := azcertificates.ID("https://testkv.vault.azure.net/certificates/cert1") + secretID := azsecrets.ID("https://testkv.vault.azure.net/secrets/secret1") testCases := []struct { - name string - mockKvClient *MockKvClient - expectedErr bool + name string + mockKeyKVClient *MockKeyKVClient + mockSecretKVClient *MockSecretKVClient + mockCertificateKVClient *MockCertificateKVClient + expectedErr bool }{ { name: "GetSecret error", - mockKvClient: &MockKvClient{ - GetSecretFunc: func(_ context.Context, _ string, _ string, _ string) (kv.SecretBundle, error) { - return kv.SecretBundle{}, errors.New("error") + mockSecretKVClient: &MockSecretKVClient{ + GetSecretFunc: func(_ context.Context, _ string, _ string) (azsecrets.GetSecretResponse, error) { + return azsecrets.GetSecretResponse{}, errors.New("error") }, }, expectedErr: true, }, { name: "Certificate disabled", - mockKvClient: &MockKvClient{ - GetCertificateFunc: func(_ context.Context, _ string, _ string, _ string) (kv.CertificateBundle, error) { - return kv.CertificateBundle{ - ID: to.StringPtr("https://testkv.vault.azure.net/certificates/cert1"), - Kid: to.StringPtr("https://testkv.vault.azure.net/keys/key1"), - Attributes: &kv.CertificateAttributes{ - Enabled: to.BoolPtr(false), + mockCertificateKVClient: &MockCertificateKVClient{ + GetCertificateFunc: func(_ context.Context, _ string, _ string) (azcertificates.GetCertificateResponse, error) { + return azcertificates.GetCertificateResponse{ + CertificateBundle: azcertificates.CertificateBundle{ + ID: &certID, + KID: stringPtr("https://testkv.vault.azure.net/keys/key1"), + Attributes: &azcertificates.CertificateAttributes{ + Enabled: boolPtr(false), + }, }, }, nil }, - GetSecretFunc: func(_ context.Context, _ string, _ string, _ string) (kv.SecretBundle, error) { - err := autorest.DetailedError{ - Original: 
&azure.RequestError{ - ServiceError: &azure.ServiceError{Code: "SecretDisabled"}, + }, + mockSecretKVClient: &MockSecretKVClient{ + GetSecretFunc: func(_ context.Context, _ string, _ string) (azsecrets.GetSecretResponse, error) { + rawResponse := `{ + "error": { + "code": "Forbidden", + "message": "Operation get is not allowed on a disabled secret.", + "innererror": { + "code": "SecretDisabled" + } + } + }` + + httpErr := &azcore.ResponseError{ + StatusCode: http.StatusForbidden, + RawResponse: &http.Response{ + Body: io.NopCloser(strings.NewReader(rawResponse)), }, } - return kv.SecretBundle{}, err + return azsecrets.GetSecretResponse{}, httpErr }, }, expectedErr: false, }, { name: "Certificate disabled error", - mockKvClient: &MockKvClient{ - GetCertificateFunc: func(_ context.Context, _ string, _ string, _ string) (kv.CertificateBundle, error) { - return kv.CertificateBundle{}, errors.New("error") + mockCertificateKVClient: &MockCertificateKVClient{ + GetCertificateFunc: func(_ context.Context, _ string, _ string) (azcertificates.GetCertificateResponse, error) { + return azcertificates.GetCertificateResponse{}, errors.New("error") }, - GetSecretFunc: func(_ context.Context, _ string, _ string, _ string) (kv.SecretBundle, error) { - err := autorest.DetailedError{ - Original: &azure.RequestError{ - ServiceError: &azure.ServiceError{Code: "SecretDisabled"}, + }, + mockSecretKVClient: &MockSecretKVClient{ + GetSecretFunc: func(_ context.Context, _ string, _ string) (azsecrets.GetSecretResponse, error) { + rawResponse := `{ + "error": { + "code": "Forbidden", + "message": "Operation get is not allowed on a disabled secret.", + "innererror": { + "code": "SecretDisabled" + } + } + }` + + httpErr := &azcore.ResponseError{ + StatusCode: http.StatusForbidden, + RawResponse: &http.Response{ + Body: io.NopCloser(strings.NewReader(rawResponse)), }, } - return kv.SecretBundle{}, err + return azsecrets.GetSecretResponse{}, httpErr }, }, expectedErr: true, }, { name: 
"Certificate enabled", - mockKvClient: &MockKvClient{ - GetCertificateFunc: func(_ context.Context, _ string, _ string, _ string) (kv.CertificateBundle, error) { - return kv.CertificateBundle{ - ID: to.StringPtr("https://testkv.vault.azure.net/certificates/cert1"), - Kid: to.StringPtr("https://testkv.vault.azure.net/keys/key1"), - Attributes: &kv.CertificateAttributes{ - Enabled: to.BoolPtr(true), + mockCertificateKVClient: &MockCertificateKVClient{ + GetCertificateFunc: func(_ context.Context, _ string, _ string) (azcertificates.GetCertificateResponse, error) { + return azcertificates.GetCertificateResponse{ + CertificateBundle: azcertificates.CertificateBundle{ + ID: &certID, + KID: stringPtr("https://testkv.vault.azure.net/keys/key1"), + Attributes: &azcertificates.CertificateAttributes{ + Enabled: boolPtr(true), + }, }, }, nil }, - GetSecretFunc: func(_ context.Context, _ string, _ string, _ string) (kv.SecretBundle, error) { - return kv.SecretBundle{ - ID: to.StringPtr("https://testkv.vault.azure.net/secrets/secret1"), - Kid: to.StringPtr("https://testkv.vault.azure.net/keys/key1"), - ContentType: to.StringPtr("application/x-pem-file"), - Attributes: &kv.SecretAttributes{ - Enabled: to.BoolPtr(true), + }, + mockSecretKVClient: &MockSecretKVClient{ + GetSecretFunc: func(_ context.Context, _ string, _ string) (azsecrets.GetSecretResponse, error) { + return azsecrets.GetSecretResponse{ + SecretBundle: azsecrets.SecretBundle{ + ID: &secretID, + Kid: stringPtr("https://testkv.vault.azure.net/keys/key1"), + ContentType: stringPtr("application/x-pem-file"), + Attributes: &azsecrets.SecretAttributes{ + Enabled: boolPtr(true), + }, + Value: stringPtr("-----BEGIN 
CERTIFICATE-----\nMIIC8TCCAdmgAwIBAgIUaNrwbhs/I1ecqUYdzD2xuAVNdmowDQYJKoZIhvcNAQEL\nBQAwKjEPMA0GA1UECgwGUmF0aWZ5MRcwFQYDVQQDDA5SYXRpZnkgUm9vdCBDQTAe\nFw0yMzA2MjEwMTIyMzdaFw0yNDA2MjAwMTIyMzdaMBkxFzAVBgNVBAMMDnJhdGlm\neS5kZWZhdWx0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtskG1BUt\n4Fw2lbm53KbwZb1hnLmWdwRotZyznhhk/yrUDcq3uF6klwpk/E2IKfUKIo6doHSk\nXaEZXR68UtXygvA4wdg7xZ6kKpXy0gu+RxGE6CGtDHTyDDzITu+NBjo21ZSsyGpQ\nJeIKftUCHdwdygKf0CdJx8A29GBRpHGCmJadmt7tTzOnYjmbuPVLeqJo/Ex9qXcG\nZbxoxnxr5NCocFeKx+EbLo+k/KjdFB2PKnhgzxAaMMMP6eXPr8l5AlzkC83EmPvN\ntveuaBbamdlFkD+53TZeZlxt3GIdq93Iw/UpbQ/pvhbrztMT+UVEkm15sShfX8Xn\nL2st5A4n0V+66QIDAQABoyAwHjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIH\ngDANBgkqhkiG9w0BAQsFAAOCAQEAGpOqozyfDSBjoTepsRroxxcZ4sq65gw45Bme\nm36BS6FG0WHIg3cMy6KIIBefTDSKrPkKNTtuF25AeGn9jM+26cnfDM78ZH0+Lnn7\n7hs0MA64WMPQaWs9/+89aM9NADV9vp2zdG4xMi6B7DruvKWyhJaNoRqK/qP6LdSQ\nw8M+21sAHvXgrRkQtJlVOzVhgwt36NOb1hzRlQiZB+nhv2Wbw7fbtAaADk3JAumf\nvM+YdPS1KfAFaYefm4yFd+9/C0KOkHico3LTbELO5hG0Mo/EYvtjM+Fljb42EweF\n3nAx1GSPe5Tn8p3h6RyJW5HIKozEKyfDuLS0ccB/nqT3oNjcTw==\n-----END CERTIFICATE-----\n-----BEGIN 
CERTIFICATE-----\nMIIDRTCCAi2gAwIBAgIUcC33VfaMhOnsl7avNTRVQozoVtUwDQYJKoZIhvcNAQEL\nBQAwKjEPMA0GA1UECgwGUmF0aWZ5MRcwFQYDVQQDDA5SYXRpZnkgUm9vdCBDQTAe\nFw0yMzA2MjEwMTIyMzZaFw0yMzA2MjIwMTIyMzZaMCoxDzANBgNVBAoMBlJhdGlm\neTEXMBUGA1UEAwwOUmF0aWZ5IFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB\nDwAwggEKAoIBAQDDFhDnyPrVDZaeRu6Tbg1a/iTwus+IuX+h8aKhKS1yHz4EF/Lz\nxCy7lNSQ9srGMMVumWuNom/ydIphff6PejZM1jFKPU6OQR/0JX5epcVIjbKa562T\nDguUxJ+h5V3EIyM4RqOWQ2g/xZo86x5TzyNJXiVdHHRvmDvUNwPpMeDjr/EHVAni\n5YQObxkJRiiZ7XOa5zz3YztVm8sSZAwPWroY1HIfvtP+KHpiNDIKSymmuJkH4SEr\nJn++iqN8na18a9DFBPTTrLPe3CxATGrMfosCMZ6LP3iFLLc/FaSpwcnugWdewsUK\nYs+sUY7jFWR7x7/1nyFWyRrQviM4f4TY+K7NAgMBAAGjYzBhMB0GA1UdDgQWBBQH\nYePW7QPP2p1utr3r6gqzEkKs+DAfBgNVHSMEGDAWgBQHYePW7QPP2p1utr3r6gqz\nEkKs+DAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwICBDANBgkqhkiG9w0B\nAQsFAAOCAQEAjKp4vx3bFaKVhAbQeTsDjWJgmXLK2vLgt74MiUwSF6t0wehlfszE\nIcJagGJsvs5wKFf91bnwiqwPjmpse/thPNBAxh1uEoh81tOklv0BN790vsVpq3t+\ncnUvWPiCZdRlAiGGFtRmKk3Keq4sM6UdiUki9s+wnxypHVb4wIpVxu5R271Lnp5I\n+rb2EQ48iblt4XZPczf/5QJdTgbItjBNbuO8WVPOqUIhCiFuAQziLtNUq3p81dHO\nQ2BPgmaitCpIUYHVYighLauBGCH8xOFzj4a4KbOxKdxyJTd0La/vRCKaUtJX67Lc\nfQYVR9HXQZ0YlmwPcmIG5v7wBfcW34NUvA==\n-----END CERTIFICATE-----\n"), }, - Value: to.StringPtr("-----BEGIN 
CERTIFICATE-----\nMIIC8TCCAdmgAwIBAgIUaNrwbhs/I1ecqUYdzD2xuAVNdmowDQYJKoZIhvcNAQEL\nBQAwKjEPMA0GA1UECgwGUmF0aWZ5MRcwFQYDVQQDDA5SYXRpZnkgUm9vdCBDQTAe\nFw0yMzA2MjEwMTIyMzdaFw0yNDA2MjAwMTIyMzdaMBkxFzAVBgNVBAMMDnJhdGlm\neS5kZWZhdWx0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtskG1BUt\n4Fw2lbm53KbwZb1hnLmWdwRotZyznhhk/yrUDcq3uF6klwpk/E2IKfUKIo6doHSk\nXaEZXR68UtXygvA4wdg7xZ6kKpXy0gu+RxGE6CGtDHTyDDzITu+NBjo21ZSsyGpQ\nJeIKftUCHdwdygKf0CdJx8A29GBRpHGCmJadmt7tTzOnYjmbuPVLeqJo/Ex9qXcG\nZbxoxnxr5NCocFeKx+EbLo+k/KjdFB2PKnhgzxAaMMMP6eXPr8l5AlzkC83EmPvN\ntveuaBbamdlFkD+53TZeZlxt3GIdq93Iw/UpbQ/pvhbrztMT+UVEkm15sShfX8Xn\nL2st5A4n0V+66QIDAQABoyAwHjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIH\ngDANBgkqhkiG9w0BAQsFAAOCAQEAGpOqozyfDSBjoTepsRroxxcZ4sq65gw45Bme\nm36BS6FG0WHIg3cMy6KIIBefTDSKrPkKNTtuF25AeGn9jM+26cnfDM78ZH0+Lnn7\n7hs0MA64WMPQaWs9/+89aM9NADV9vp2zdG4xMi6B7DruvKWyhJaNoRqK/qP6LdSQ\nw8M+21sAHvXgrRkQtJlVOzVhgwt36NOb1hzRlQiZB+nhv2Wbw7fbtAaADk3JAumf\nvM+YdPS1KfAFaYefm4yFd+9/C0KOkHico3LTbELO5hG0Mo/EYvtjM+Fljb42EweF\n3nAx1GSPe5Tn8p3h6RyJW5HIKozEKyfDuLS0ccB/nqT3oNjcTw==\n-----END CERTIFICATE-----\n-----BEGIN 
CERTIFICATE-----\nMIIDRTCCAi2gAwIBAgIUcC33VfaMhOnsl7avNTRVQozoVtUwDQYJKoZIhvcNAQEL\nBQAwKjEPMA0GA1UECgwGUmF0aWZ5MRcwFQYDVQQDDA5SYXRpZnkgUm9vdCBDQTAe\nFw0yMzA2MjEwMTIyMzZaFw0yMzA2MjIwMTIyMzZaMCoxDzANBgNVBAoMBlJhdGlm\neTEXMBUGA1UEAwwOUmF0aWZ5IFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB\nDwAwggEKAoIBAQDDFhDnyPrVDZaeRu6Tbg1a/iTwus+IuX+h8aKhKS1yHz4EF/Lz\nxCy7lNSQ9srGMMVumWuNom/ydIphff6PejZM1jFKPU6OQR/0JX5epcVIjbKa562T\nDguUxJ+h5V3EIyM4RqOWQ2g/xZo86x5TzyNJXiVdHHRvmDvUNwPpMeDjr/EHVAni\n5YQObxkJRiiZ7XOa5zz3YztVm8sSZAwPWroY1HIfvtP+KHpiNDIKSymmuJkH4SEr\nJn++iqN8na18a9DFBPTTrLPe3CxATGrMfosCMZ6LP3iFLLc/FaSpwcnugWdewsUK\nYs+sUY7jFWR7x7/1nyFWyRrQviM4f4TY+K7NAgMBAAGjYzBhMB0GA1UdDgQWBBQH\nYePW7QPP2p1utr3r6gqzEkKs+DAfBgNVHSMEGDAWgBQHYePW7QPP2p1utr3r6gqz\nEkKs+DAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwICBDANBgkqhkiG9w0B\nAQsFAAOCAQEAjKp4vx3bFaKVhAbQeTsDjWJgmXLK2vLgt74MiUwSF6t0wehlfszE\nIcJagGJsvs5wKFf91bnwiqwPjmpse/thPNBAxh1uEoh81tOklv0BN790vsVpq3t+\ncnUvWPiCZdRlAiGGFtRmKk3Keq4sM6UdiUki9s+wnxypHVb4wIpVxu5R271Lnp5I\n+rb2EQ48iblt4XZPczf/5QJdTgbItjBNbuO8WVPOqUIhCiFuAQziLtNUq3p81dHO\nQ2BPgmaitCpIUYHVYighLauBGCH8xOFzj4a4KbOxKdxyJTd0La/vRCKaUtJX67Lc\nfQYVR9HXQZ0YlmwPcmIG5v7wBfcW34NUvA==\n-----END CERTIFICATE-----\n"), }, nil }, }, + expectedErr: false, }, { name: "getCertsFromSecretBundle error", - mockKvClient: &MockKvClient{ - GetSecretFunc: func(_ context.Context, _ string, _ string, _ string) (kv.SecretBundle, error) { - return kv.SecretBundle{ - ContentType: to.StringPtr("test"), - ID: to.StringPtr("https://testkv.vault.azure.net/secrets/secret1"), - Kid: to.StringPtr("https://testkv.vault.azure.net/keys/key1"), - Attributes: &kv.SecretAttributes{ - Enabled: to.BoolPtr(true), + mockSecretKVClient: &MockSecretKVClient{ + GetSecretFunc: func(_ context.Context, _ string, _ string) (azsecrets.GetSecretResponse, error) { + return azsecrets.GetSecretResponse{ + SecretBundle: azsecrets.SecretBundle{ + ContentType: stringPtr("test"), + ID: &secretID, + Kid: 
stringPtr("https://testkv.vault.azure.net/keys/key1"), + Attributes: &azsecrets.SecretAttributes{ + Enabled: boolPtr(true), + }, + Value: stringPtr("-----BEGIN CERTIFICATE-----\nMIIC8TCCAdmgAwIBAgIUaNrwbhs/I1ecqUYdzD2xuAVNdmowDQYJKoZIhvcNAQEL\nBQAwKjEPMA0GA1UECgwGUmF0aWZ5MRcwFQYDVQQDDA5SYXRpZnkgUm9vdCBDQTAe\nFw0yMzA2MjEwMTIyMzdaFw0yNDA2MjAwMTIyMzdaMBkxFzAVBgNVBAMMDnJhdGlm\neS5kZWZhdWx0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtskG1BUt\n4Fw2lbm53KbwZb1hnLmWdwRotZyznhhk/yrUDcq3uF6klwpk/E2IKfUKIo6doHSk\nXaEZXR68UtXygvA4wdg7xZ6kKpXy0gu+RxGE6CGtDHTyDDzITu+NBjo21ZSsyGpQ\nJeIKftUCHdwdygKf0CdJx8A29GBRpHGCmJadmt7tTzOnYjmbuPVLeqJo/Ex9qXcG\nZbxoxnxr5NCocFeKx+EbLo+k/KjdFB2PKnhgzxAaMMMP6eXPr8l5AlzkC83EmPvN\ntveuaBbamdlFkD+53TZeZlxt3GIdq93Iw/UpbQ/pvhbrztMT+UVEkm15sShfX8Xn\nL2st5A4n0V+66QIDAQABoyAwHjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIH\ngDANBgkqhkiG9w0BAQsFAAOCAQEAGpOqozyfDSBjoTepsRroxxcZ4sq65gw45Bme\nm36BS6FG0WHIg3cMy6KIIBefTDSKrPkKNTtuF25AeGn9jM+26cnfDM78ZH0+Lnn7\n7hs0MA64WMPQaWs9/+89aM9NADV9vp2zdG4xMi6B7DruvKWyhJaNoRqK/qP6LdSQ\nw8M+21sAHvXgrRkQtJlVOzVhgwt36NOb1hzRlQiZB+nhv2Wbw7fbtAaADk3JAumf\nvM+YdPS1KfAFaYefm4yFd+9/C0KOkHico3LTbELO5hG0Mo/EYvtjM+Fljb42EweF\n3nAx1GSPe5Tn8p3h6RyJW5HIKozEKyfDuLS0ccB/nqT3oNjcTw==\n-----END CERTIFICATE-----\n-----BEGIN 
CERTIFICATE-----\nMIIDRTCCAi2gAwIBAgIUcC33VfaMhOnsl7avNTRVQozoVtUwDQYJKoZIhvcNAQEL\nBQAwKjEPMA0GA1UECgwGUmF0aWZ5MRcwFQYDVQQDDA5SYXRpZnkgUm9vdCBDQTAe\nFw0yMzA2MjEwMTIyMzZaFw0yMzA2MjIwMTIyMzZaMCoxDzANBgNVBAoMBlJhdGlm\neTEXMBUGA1UEAwwOUmF0aWZ5IFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB\nDwAwggEKAoIBAQDDFhDnyPrVDZaeRu6Tbg1a/iTwus+IuX+h8aKhKS1yHz4EF/Lz\nxCy7lNSQ9srGMMVumWuNom/ydIphff6PejZM1jFKPU6OQR/0JX5epcVIjbKa562T\nDguUxJ+h5V3EIyM4RqOWQ2g/xZo86x5TzyNJXiVdHHRvmDvUNwPpMeDjr/EHVAni\n5YQObxkJRiiZ7XOa5zz3YztVm8sSZAwPWroY1HIfvtP+KHpiNDIKSymmuJkH4SEr\nJn++iqN8na18a9DFBPTTrLPe3CxATGrMfosCMZ6LP3iFLLc/FaSpwcnugWdewsUK\nYs+sUY7jFWR7x7/1nyFWyRrQviM4f4TY+K7NAgMBAAGjYzBhMB0GA1UdDgQWBBQH\nYePW7QPP2p1utr3r6gqzEkKs+DAfBgNVHSMEGDAWgBQHYePW7QPP2p1utr3r6gqz\nEkKs+DAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwICBDANBgkqhkiG9w0B\nAQsFAAOCAQEAjKp4vx3bFaKVhAbQeTsDjWJgmXLK2vLgt74MiUwSF6t0wehlfszE\nIcJagGJsvs5wKFf91bnwiqwPjmpse/thPNBAxh1uEoh81tOklv0BN790vsVpq3t+\ncnUvWPiCZdRlAiGGFtRmKk3Keq4sM6UdiUki9s+wnxypHVb4wIpVxu5R271Lnp5I\n+rb2EQ48iblt4XZPczf/5QJdTgbItjBNbuO8WVPOqUIhCiFuAQziLtNUq3p81dHO\nQ2BPgmaitCpIUYHVYighLauBGCH8xOFzj4a4KbOxKdxyJTd0La/vRCKaUtJX67Lc\nfQYVR9HXQZ0YlmwPcmIG5v7wBfcW34NUvA==\n-----END CERTIFICATE-----\n"), }, - Value: to.StringPtr("-----BEGIN 
CERTIFICATE-----\nMIIC8TCCAdmgAwIBAgIUaNrwbhs/I1ecqUYdzD2xuAVNdmowDQYJKoZIhvcNAQEL\nBQAwKjEPMA0GA1UECgwGUmF0aWZ5MRcwFQYDVQQDDA5SYXRpZnkgUm9vdCBDQTAe\nFw0yMzA2MjEwMTIyMzdaFw0yNDA2MjAwMTIyMzdaMBkxFzAVBgNVBAMMDnJhdGlm\neS5kZWZhdWx0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtskG1BUt\n4Fw2lbm53KbwZb1hnLmWdwRotZyznhhk/yrUDcq3uF6klwpk/E2IKfUKIo6doHSk\nXaEZXR68UtXygvA4wdg7xZ6kKpXy0gu+RxGE6CGtDHTyDDzITu+NBjo21ZSsyGpQ\nJeIKftUCHdwdygKf0CdJx8A29GBRpHGCmJadmt7tTzOnYjmbuPVLeqJo/Ex9qXcG\nZbxoxnxr5NCocFeKx+EbLo+k/KjdFB2PKnhgzxAaMMMP6eXPr8l5AlzkC83EmPvN\ntveuaBbamdlFkD+53TZeZlxt3GIdq93Iw/UpbQ/pvhbrztMT+UVEkm15sShfX8Xn\nL2st5A4n0V+66QIDAQABoyAwHjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIH\ngDANBgkqhkiG9w0BAQsFAAOCAQEAGpOqozyfDSBjoTepsRroxxcZ4sq65gw45Bme\nm36BS6FG0WHIg3cMy6KIIBefTDSKrPkKNTtuF25AeGn9jM+26cnfDM78ZH0+Lnn7\n7hs0MA64WMPQaWs9/+89aM9NADV9vp2zdG4xMi6B7DruvKWyhJaNoRqK/qP6LdSQ\nw8M+21sAHvXgrRkQtJlVOzVhgwt36NOb1hzRlQiZB+nhv2Wbw7fbtAaADk3JAumf\nvM+YdPS1KfAFaYefm4yFd+9/C0KOkHico3LTbELO5hG0Mo/EYvtjM+Fljb42EweF\n3nAx1GSPe5Tn8p3h6RyJW5HIKozEKyfDuLS0ccB/nqT3oNjcTw==\n-----END CERTIFICATE-----\n-----BEGIN 
CERTIFICATE-----\nMIIDRTCCAi2gAwIBAgIUcC33VfaMhOnsl7avNTRVQozoVtUwDQYJKoZIhvcNAQEL\nBQAwKjEPMA0GA1UECgwGUmF0aWZ5MRcwFQYDVQQDDA5SYXRpZnkgUm9vdCBDQTAe\nFw0yMzA2MjEwMTIyMzZaFw0yMzA2MjIwMTIyMzZaMCoxDzANBgNVBAoMBlJhdGlm\neTEXMBUGA1UEAwwOUmF0aWZ5IFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB\nDwAwggEKAoIBAQDDFhDnyPrVDZaeRu6Tbg1a/iTwus+IuX+h8aKhKS1yHz4EF/Lz\nxCy7lNSQ9srGMMVumWuNom/ydIphff6PejZM1jFKPU6OQR/0JX5epcVIjbKa562T\nDguUxJ+h5V3EIyM4RqOWQ2g/xZo86x5TzyNJXiVdHHRvmDvUNwPpMeDjr/EHVAni\n5YQObxkJRiiZ7XOa5zz3YztVm8sSZAwPWroY1HIfvtP+KHpiNDIKSymmuJkH4SEr\nJn++iqN8na18a9DFBPTTrLPe3CxATGrMfosCMZ6LP3iFLLc/FaSpwcnugWdewsUK\nYs+sUY7jFWR7x7/1nyFWyRrQviM4f4TY+K7NAgMBAAGjYzBhMB0GA1UdDgQWBBQH\nYePW7QPP2p1utr3r6gqzEkKs+DAfBgNVHSMEGDAWgBQHYePW7QPP2p1utr3r6gqz\nEkKs+DAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwICBDANBgkqhkiG9w0B\nAQsFAAOCAQEAjKp4vx3bFaKVhAbQeTsDjWJgmXLK2vLgt74MiUwSF6t0wehlfszE\nIcJagGJsvs5wKFf91bnwiqwPjmpse/thPNBAxh1uEoh81tOklv0BN790vsVpq3t+\ncnUvWPiCZdRlAiGGFtRmKk3Keq4sM6UdiUki9s+wnxypHVb4wIpVxu5R271Lnp5I\n+rb2EQ48iblt4XZPczf/5QJdTgbItjBNbuO8WVPOqUIhCiFuAQziLtNUq3p81dHO\nQ2BPgmaitCpIUYHVYighLauBGCH8xOFzj4a4KbOxKdxyJTd0La/vRCKaUtJX67Lc\nfQYVR9HXQZ0YlmwPcmIG5v7wBfcW34NUvA==\n-----END CERTIFICATE-----\n"), }, nil }, }, @@ -323,7 +358,9 @@ func TestGetCertificates(t *testing.T) { Version: "c1f03df1113d460491d970737dfdc35d", }, }, - kvClient: tc.mockKvClient, + keyKVClient: tc.mockKeyKVClient, + secretKVClient: tc.mockSecretKVClient, + certificateKVClient: tc.mockCertificateKVClient, } _, _, err := provider.GetCertificates(context.Background()) 
@@ -336,30 +373,34 @@ func TestGetCertificates(t *testing.T) { // TestGetKeys tests the GetKeys function func TestGetKeys(t *testing.T) { + keyID := azkeys.ID("https://testkv.vault.azure.net/keys/key1") + keyTY := azkeys.JSONWebKeyTypeRSA testCases := []struct { - name string - mockKvClient *MockKvClient - expectedErr bool + name string + mockKeyKVClient *MockKeyKVClient + expectedErr bool }{ { name: "GetKey error", - mockKvClient: &MockKvClient{ - GetKeyFunc: func(_ context.Context, _ string, _ string, _ string) (kv.KeyBundle, error) { - return kv.KeyBundle{}, errors.New("error") + mockKeyKVClient: &MockKeyKVClient{ + GetKeyFunc: func(_ context.Context, _ string, _ string) (azkeys.GetKeyResponse, error) { + return azkeys.GetKeyResponse{}, errors.New("error") }, }, expectedErr: true, }, { name: "Key disabled", - mockKvClient: &MockKvClient{ - GetKeyFunc: func(_ context.Context, _ string, _ string, _ string) (kv.KeyBundle, error) { - return kv.KeyBundle{ - Key: &kv.JSONWebKey{ - Kid: to.StringPtr("https://testkv.vault.azure.net/keys/key1"), - }, - Attributes: &kv.KeyAttributes{ - Enabled: to.BoolPtr(false), + mockKeyKVClient: &MockKeyKVClient{ + GetKeyFunc: func(_ context.Context, _ string, _ string) (azkeys.GetKeyResponse, error) { + return azkeys.GetKeyResponse{ + KeyBundle: azkeys.KeyBundle{ + Key: &azkeys.JSONWebKey{ + KID: &keyID, + }, + Attributes: &azkeys.KeyAttributes{ + Enabled: boolPtr(false), + }, }, }, nil }, 
@@ -368,14 +409,16 @@ func TestGetKeys(t *testing.T) { }, { name: "getKeyFromKeyBundle error", - mockKvClient: &MockKvClient{ - GetKeyFunc: func(_ context.Context, _ string, _ string, _ string) (kv.KeyBundle, error) { - return kv.KeyBundle{ - Key: &kv.JSONWebKey{ - Kid: to.StringPtr("https://testkv.vault.azure.net/keys/key1"), - }, - Attributes: &kv.KeyAttributes{ - Enabled: to.BoolPtr(true), + mockKeyKVClient: &MockKeyKVClient{ + GetKeyFunc: func(_ context.Context, _ string, _ string) (azkeys.GetKeyResponse, error) { + return azkeys.GetKeyResponse{ + KeyBundle: azkeys.KeyBundle{ + Key: &azkeys.JSONWebKey{ + KID: &keyID, + }, + Attributes: &azkeys.KeyAttributes{ + Enabled: boolPtr(true), + }, }, }, nil }, @@ -384,17 +427,19 @@ func TestGetKeys(t *testing.T) { }, { name: "Key enabled", - mockKvClient: &MockKvClient{ - GetKeyFunc: func(_ context.Context, _ string, _ string, _ string) (kv.KeyBundle, error) { - return kv.KeyBundle{ - Key: &kv.JSONWebKey{ - Kid: to.StringPtr("https://testkv.vault.azure.net/keys/key1"), - Kty: kv.RSA, - N: to.StringPtr(base64.StdEncoding.EncodeToString([]byte("n"))), - E: to.StringPtr(base64.StdEncoding.EncodeToString([]byte("e"))), - }, - Attributes: &kv.KeyAttributes{ - Enabled: to.BoolPtr(true), + mockKeyKVClient: &MockKeyKVClient{ + GetKeyFunc: func(_ context.Context, _ string, _ string) (azkeys.GetKeyResponse, error) { + return azkeys.GetKeyResponse{ + KeyBundle: azkeys.KeyBundle{ + Key: &azkeys.JSONWebKey{ + KID: &keyID, + Kty: &keyTY, + N: []byte("n"), + E: []byte("e"), + }, + Attributes: &azkeys.KeyAttributes{ + Enabled: boolPtr(true), + }, }, }, nil }, @@ -412,7 +457,7 @@ func TestGetKeys(t *testing.T) { Version: "c1f03df1113d460491d970737dfdc35d", }, }, - kvClient: tc.mockKvClient, + keyKVClient: tc.mockKeyKVClient, } _, _, err := provider.GetKeys(context.Background()) 
@@ -423,6 +468,34 @@ func TestGetKeys(t *testing.T) { } } +// TestGetKeys tests the GetKeys function +func TestGetKeys_original(t *testing.T) { + factory := &akvKMProviderFactory{} + config := config.KeyManagementProviderConfig{ + "vaultUri": "https://testkv.vault.azure.net/", + "tenantID": "tid", + "clientID": "clientid", + "keys": []map[string]interface{}{ + { + "name": "key1", + }, + }, + } + + initKVClient = func(_, _, _ string, _ azcore.TokenCredential) (*azkeys.Client, *azsecrets.Client, *azcertificates.Client, error) { + return &azkeys.Client{}, &azsecrets.Client{}, &azcertificates.Client{}, nil + } + provider, err := factory.Create("v1", config, "") + if err != nil { + t.Fatalf("expected no err but got error = %v", err) + } + + keys, keyStatus, err := provider.GetKeys(context.Background()) + assert.NotNil(t, err) + assert.Nil(t, keys) + assert.Nil(t, keyStatus) +} + func TestIsRefreshable(t *testing.T) { factory := &akvKMProviderFactory{} config := config.KeyManagementProviderConfig{ @@ -486,7 +559,7 @@ func TestGetCertsFromSecretBundle(t *testing.T) { desc string value string contentType string - id string + id azsecrets.ID expectedErr bool }{ { @@ -528,7 +601,7 @@ func TestGetCertsFromSecretBundle(t *testing.T) { for i, tc := range cases { t.Run(tc.desc, func(t *testing.T) { - testdata := kv.SecretBundle{ + testdata := azsecrets.SecretBundle{ Value: &cases[i].value, ID: &cases[i].id, ContentType: &cases[i].contentType, 
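Review bot: `TestGetKeys_original` overwrites the package-level `initKVClient` hook and never restores it, so any later test in the package that reaches `initKVClient` presumably sees the stub clients rather than the real constructor. Save and restore it at the top of the test: `orig := initKVClient` followed by `t.Cleanup(func() { initKVClient = orig })`. The header comment `// TestGetKeys tests the GetKeys function` is copied from the test above; it should name this test and say what distinguishes it (a factory-created provider driven against empty SDK clients, expected to fail), and `_original` is not a descriptive suffix.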
@@ -547,24 +620,37 @@ func TestGetCertsFromSecretBundle(t *testing.T) { } func TestGetKeyFromKeyBundle(t *testing.T) { + unsupportedType := azkeys.JSONWebKeyType("abc") cases := []struct { desc string - keyBundle kv.KeyBundle + keyBundle azkeys.KeyBundle expectedErr bool output crypto.PublicKey }{ { desc: "no key in key bundle", - keyBundle: kv.KeyBundle{ + keyBundle: azkeys.KeyBundle{ Key: nil, }, expectedErr: true, output: nil, }, { - desc: "invalid key in key bundle", - keyBundle: kv.KeyBundle{ - Key: &kv.JSONWebKey{}, + desc: "invalid key in key bundle with nil Kty", + keyBundle: azkeys.KeyBundle{ + Key: &azkeys.JSONWebKey{ + Kty: nil, + }, + }, + expectedErr: true, + output: nil, + }, + { + desc: "key with unsupported Kty value", + keyBundle: azkeys.KeyBundle{ + Key: &azkeys.JSONWebKey{ + Kty: &unsupportedType, // Unsupported key type + }, }, expectedErr: true, output: nil, 
@@ -693,14 +779,60 @@ func TestValidate(t *testing.T) { } } +// Mock clients +type MockAzKeysClient struct { + mock.Mock +} + +type MockAzSecretsClient struct { + mock.Mock +} + +type MockAzCertificatesClient struct { + mock.Mock +} + +type MockWorkloadIdentityCredential struct { + mock.Mock +} + +// Mock functions +func (m *MockWorkloadIdentityCredential) NewWorkloadIdentityCredential(options *azidentity.WorkloadIdentityCredentialOptions) (*MockWorkloadIdentityCredential, error) { + args := m.Called(options) + return args.Get(0).(*MockWorkloadIdentityCredential), args.Error(1) +} + +func (m *MockAzKeysClient) NewClient(endpoint string, credential *azidentity.WorkloadIdentityCredential, options *azkeys.ClientOptions) (*azkeys.Client, error) { + args := m.Called(endpoint, credential, options) + return args.Get(0).(*azkeys.Client), args.Error(1) +} + +func (m *MockAzSecretsClient) NewClient(endpoint string, credential *azidentity.WorkloadIdentityCredential, options *azsecrets.ClientOptions) (*azsecrets.Client, error) { + args := m.Called(endpoint, credential, options) + return args.Get(0).(*azsecrets.Client), args.Error(1) +} + +func (m *MockAzCertificatesClient) NewClient(endpoint string, credential *azidentity.WorkloadIdentityCredential, options *azcertificates.ClientOptions) (*azcertificates.Client, error) { + args := m.Called(endpoint, credential, options) + return args.Get(0).(*azcertificates.Client), args.Error(1) +} + func TestInitializeKvClient(t *testing.T) { + mockCredential := new(MockWorkloadIdentityCredential) + mockKeysClient := new(MockAzKeysClient) + mockSecretsClient := new(MockAzSecretsClient) + mockCertificatesClient := new(MockAzCertificatesClient) + tests := []struct { - name string - kvEndpoint string - userAgent string - tenantID string - clientID string - expectedErr bool + name string + kvEndpoint string + userAgent string + tenantID string + clientID string + mockCredentialErr error + mockKeysErr error + mockSecretsErr error + expectedErr 
bool }{ { name: "Empty user agent", 
@@ -711,19 +843,214 @@ func TestInitializeKvClient(t *testing.T) { { name: "Auth failure", kvEndpoint: "https://test.vault.azure.net", - userAgent: version.UserAgent, tenantID: "testTenantID", clientID: "testClientID", expectedErr: true, }, + { + name: "credential creation error", + kvEndpoint: "https://test-keyvault.vault.azure.net", + tenantID: "test-tenant-id", + clientID: "test-client-id", + mockCredentialErr: errors.New("failed to create workload identity credential"), + expectedErr: true, + }, + { + name: "azkeys client creation error", + kvEndpoint: "https://test-keyvault.vault.azure.net", + tenantID: "test-tenant-id", + clientID: "test-client-id", + mockKeysErr: errors.New("failed to create azkeys client"), + expectedErr: true, + }, + { + name: "azsecrets client creation error", + kvEndpoint: "https://test-keyvault.vault.azure.net", + tenantID: "test-tenant-id", + clientID: "test-client-id", + mockSecretsErr: errors.New("failed to create azsecrets client"), + expectedErr: true, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + // Set up mocks + mockCredential.On("NewWorkloadIdentityCredential", mock.Anything).Return(mockCredential, tt.mockCredentialErr) + mockKeysClient.On("NewClient", tt.kvEndpoint, mockCredential, mock.Anything).Return(mockKeysClient, tt.mockKeysErr) + mockSecretsClient.On("NewClient", tt.kvEndpoint, mockCredential, mock.Anything).Return(mockSecretsClient, tt.mockSecretsErr) + mockCertificatesClient.On("NewClient", tt.kvEndpoint, mockCredential, mock.Anything).Return(mockCertificatesClient, tt.mockSecretsErr) + + // Call function under test + keysKVClient, secretsKVClient, certificatesKVClient, err := initializeKvClient(tt.kvEndpoint, tt.tenantID, tt.clientID, nil) + + // Validate expectations + if tt.expectedErr { + assert.Error(t, err) + assert.Nil(t, keysKVClient) + assert.Nil(t, secretsKVClient) + assert.Nil(t, certificatesKVClient) + } else { + assert.NoError(t, err) + assert.NotNil(t, keysKVClient) + 
assert.NotNil(t, secretsKVClient) + assert.Nil(t, certificatesKVClient) + } + }) + } +} + +// Test cases for keyType switch case handling +func TestGetKeyFromKeyBundlex(t *testing.T) { + tests := []struct { + name string + keyType azkeys.JSONWebKeyType + expected azkeys.JSONWebKeyType + curve azkeys.JSONWebKeyCurveName + x []byte + y []byte + n []byte + e []byte + }{ + { + name: "Test ECHSM to EC", + keyType: azkeys.JSONWebKeyTypeECHSM, + expected: azkeys.JSONWebKeyTypeEC, + curve: azkeys.JSONWebKeyCurveNameP256, // Example curve name + x: []byte{0x6b, 0x17, 0xd1, 0xf2, 0xe1, 0x2c, 0x42, 0x47, 0xf8, 0xbc, 0xe6, 0xe5, 0x63, 0xa4, 0x40, 0xf2, 0x77, 0x03, 0x7d, 0x81, 0x2d, 0xeb, 0x33, 0xa0, 0xf4, 0xa1, 0x39, 0x45, 0xd8, 0x98, 0xc2, 0x96}, // Valid x-coordinate for P-256 + y: []byte{0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, 0xeb, 0x4a, 0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce, 0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5}, // Valid y-coordinate for P-256 + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - _, err := initializeKvClient(context.Background(), tt.kvEndpoint, tt.tenantID, tt.clientID, tt.userAgent) - if tt.expectedErr != (err != nil) { - t.Fatalf("expected error: %v, got: %v", tt.expectedErr, err) + webKey := &azkeys.JSONWebKey{ + Kty: &tt.keyType, + } + if tt.keyType == azkeys.JSONWebKeyTypeECHSM { + webKey.Crv = &tt.curve + webKey.X = tt.x + webKey.Y = tt.y + } + keyBundle := azkeys.KeyBundle{ + Key: webKey, } + + _, err := getKeyFromKeyBundle(keyBundle) + assert.NoError(t, err) + assert.Equal(t, tt.expected, *webKey.Kty) + }) + } +} + +const tenantID = "tenant-id" +const clientID = "client-id" + +func TestInitializeKvClient_Success(t *testing.T) { + // Mock the context and input parameters + keyVaultEndpoint := "https://myvault.vault.azure.net/" + + // Create a mock credential provider + mockCredential, err := azidentity.NewClientSecretCredential(tenantID, clientID, "fake-secret", nil) 
+ if err != nil { + t.Fatalf("Failed to create mock credential: %v", err) + } + + // Run the function with the mock credential + keysKVClient, secretsKVClient, certificatesKVClient, err := initializeKvClient(keyVaultEndpoint, tenantID, clientID, mockCredential) + + // Assert the function succeeds without errors and clients are created + assert.NotNil(t, keysKVClient) + assert.NotNil(t, secretsKVClient) + assert.NotNil(t, certificatesKVClient) + assert.NoError(t, err) +} + +func TestInitializeKvClient_FailureInAzKeysClient(t *testing.T) { + // Mock the context and input parameters + keyVaultEndpoint := "https://invalid-vault.vault.azure.net/" + + // Run the function + keysKVClient, secretsKVClient, certificatesKVClient, err := initializeKvClient(keyVaultEndpoint, tenantID, clientID, nil) + + // Assert that an error occurred and clients were not created + assert.Nil(t, keysKVClient) + assert.Nil(t, secretsKVClient) + assert.Nil(t, certificatesKVClient) + assert.Error(t, err) + assert.Contains(t, err.Error(), "failed to create workload identity credential") +} + +func TestInitializeKvClient_FailureInAzSecretsClient(t *testing.T) { + // Mock the context and input parameters + keyVaultEndpoint := "https://valid-vault.vault.azure.net/" + + // Modify the azsecrets.NewClient function to simulate failure + // Run the function + keysKVClient, secretsKVClient, certificatesKVClient, err := initializeKvClient(keyVaultEndpoint, tenantID, clientID, nil) + + // Assert that an error occurred and clients were not created + assert.Nil(t, keysKVClient) + assert.Nil(t, secretsKVClient) + assert.Nil(t, certificatesKVClient) + assert.Error(t, err) + assert.Contains(t, err.Error(), "failed to create workload identity credential") +} + +func TestInitializeKvClient_FailureInAzCertificatesClient(t *testing.T) { + // Mock the context and input parameters + keyVaultEndpoint := "https://valid-vault.vault.azure.net/" + + // Modify the azsecrets.NewClient function to simulate failure + // Run the 
function + keysKVClient, secretsKVClient, certificatesKVClient, err := initializeKvClient(keyVaultEndpoint, tenantID, clientID, nil) + + // Assert that an error occurred and clients were not created + assert.Nil(t, keysKVClient) + assert.Nil(t, secretsKVClient) + assert.Nil(t, certificatesKVClient) + assert.Error(t, err) + assert.Contains(t, err.Error(), "failed to create workload identity credential") +} +func TestIsSecretDisabledError(t *testing.T) { + rawResponse := `{ + "error": { + "code": "Forbidden", + "message": "Operation get is not allowed on a disabled secret.", + "innererror": { + "code": "SecretDisabled" + } + } + }` + + httpErr := &azcore.ResponseError{ + StatusCode: http.StatusForbidden, + RawResponse: &http.Response{ + Body: io.NopCloser(strings.NewReader(rawResponse)), + }, + } + + testCases := []struct { + name string + err error + expectedRes bool + }{ + { + name: "SecretDisabledError", + err: httpErr, + expectedRes: true, + }, + { + name: "NonSecretDisabledError", + err: errors.New("some other error"), + expectedRes: false, + }, + } + + for _, tc := range testCases { + t.Run(tc.name, func(t *testing.T) { + res := isSecretDisabledError(tc.err) + assert.Equal(t, tc.expectedRes, res) }) } } diff --git a/pkg/keymanagementprovider/azurekeyvault/types/types.go b/pkg/keymanagementprovider/azurekeyvault/types/types.go index cae860773..e51650dab 100644 --- a/pkg/keymanagementprovider/azurekeyvault/types/types.go +++ b/pkg/keymanagementprovider/azurekeyvault/types/types.go @@ -26,7 +26,7 @@ const ( // Certificate version string for the certificate status property StatusVersion = "Version" // Enabled string for the certificate status property - StatusEnabled = "True" + StatusEnabled = "Enabled" // Last refreshed string for the certificate status property StatusLastRefreshed = "LastRefreshed" ) diff --git a/pkg/keymanagementprovider/keymanagementprovider_test.go b/pkg/keymanagementprovider/keymanagementprovider_test.go index 57a2828ee..c4ac13866 100644 
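Review bot: The testify mocks configured in the `t.Run` body are never consulted: `initializeKvClient(tt.kvEndpoint, tt.tenantID, tt.clientID, nil)` is called directly with a nil credential, so `mockCredentialErr`, `mockKeysErr` and `mockSecretsErr` do not influence the outcome and the three new cases appear to pass for the same reason as "Auth failure". The `MockAz*Client` and `MockWorkloadIdentityCredential` types from the previous hunk also cannot be injected as written, since their `NewClient` methods take `*azidentity.WorkloadIdentityCredential` rather than the mock type; either route client construction through an injectable seam and assert on it, or drop the mocks and the unused error fields (note `.Return(mockCertificatesClient, tt.mockSecretsErr)` reuses the secrets error for the certificates mock). The same applies to `TestInitializeKvClient_FailureInAzSecretsClient` and `_FailureInAzCertificatesClient`, whose bodies are identical to the keys variant and all assert the credential-creation error, while their comments promise a modified `azsecrets.NewClient` that never happens. The success branch's `assert.Nil(t, certificatesKVClient)` also contradicts `TestInitializeKvClient_Success`, which expects a non-nil certificates client; one of the two is wrong. `TestGetKeyFromKeyBundlex` should get a descriptive name such as `TestGetKeyFromKeyBundle_NormalizesHSMKeyType`, and its assertion relies on `getKeyFromKeyBundle` mutating the caller's `Kty`, which deserves a comment if that is the intended contract.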
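Review bot: Changing `StatusEnabled` from `"True"` to `"Enabled"` renames a status property rather than a value (the siblings `StatusVersion` and `StatusLastRefreshed` are property names, which suggests the old literal was a copy of the expected value), so any status-map lookups, tests or dashboards keyed on the literal `"True"` need updating in the same change and the rename belongs in the changelog. Extending the comment to `// Enabled string for the certificate status property (the property name, not the boolean value)` would prevent a repeat.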
--- a/pkg/keymanagementprovider/keymanagementprovider_test.go +++ b/pkg/keymanagementprovider/keymanagementprovider_test.go @@ -85,7 +85,7 @@ func TestDecodeCertificates_ByteArrayToCertificates(t *testing.T) { r, err := DecodeCertificates(c1) if err != nil { - t.Fatalf(err.Error()) + t.Fatal(err.Error()) } expectedLen := 1 diff --git a/pkg/keymanagementprovider/refresh/kubeRefresh.go b/pkg/keymanagementprovider/refresh/kubeRefresh.go index 895cb7d8d..cd296e0e2 100644 --- a/pkg/keymanagementprovider/refresh/kubeRefresh.go +++ b/pkg/keymanagementprovider/refresh/kubeRefresh.go @@ -24,6 +24,7 @@ import ( re "github.com/ratify-project/ratify/errors" kmp "github.com/ratify-project/ratify/pkg/keymanagementprovider" + nv "github.com/ratify-project/ratify/pkg/verifier/notation" "github.com/sirupsen/logrus" ctrl "sigs.k8s.io/controller-runtime" ) @@ -35,6 +36,7 @@ type KubeRefresher struct { Resource string Result ctrl.Result Status kmp.KeyManagementProviderStatus + CRLHandler nv.RevocationFactory } // Register registers the kubeRefresher factory @@ -54,6 +56,15 @@ func (kr *KubeRefresher) Refresh(ctx context.Context) error { return kmpErr } + // fetch CRLs and cache them + crlFetcher, err := kr.CRLHandler.NewFetcher() + if err != nil { + // log error and continue + logger.Warnf("Unable to create CRL fetcher for key management provider %s of type %s with error: %v", kr.Resource, kr.ProviderType, err) + } + for _, cert := range certificates { + nv.CacheCRL(ctx, cert, crlFetcher) + } // fetch keys and store in map keys, keyAttributes, err := kr.Provider.GetKeys(ctx) if err != nil { @@ -109,5 +120,6 @@ func (kr *KubeRefresher) Create(config RefresherConfig) (Refresher, error) { ProviderType: config.ProviderType, ProviderRefreshInterval: config.ProviderRefreshInterval, Resource: config.Resource, + CRLHandler: nv.NewCRLHandler(), }, nil } 
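Review bot: In `Refresh`, when `kr.CRLHandler.NewFetcher()` fails the loop still runs and hands a nil `crlFetcher` to `nv.CacheCRL` for every certificate; the "non-blocking" test case added in kubeRefresh_test.go suggests CacheCRL tolerates that, but the intent reads as "skip caching", so make it explicit with `} else { for _, cert := range certificates { nv.CacheCRL(ctx, cert, crlFetcher) } }`. `CRLHandler` is an exported field that `Create` populates but a caller constructing `KubeRefresher` directly need not, and the tests had to add `CRLHandler: nv.NewCRLHandler()` even to cases that only call GetResult/GetStatus, so a guard such as `if kr.CRLHandler == nil { kr.CRLHandler = nv.NewCRLHandler() }` before the call would avoid a nil-interface panic. Because the warning fires on every refresh and nothing else records the failure, a persistently broken fetcher means CRL caching is silently skipped; a comment on the field stating that CRL caching here is best-effort and does not gate certificate refresh would make that trade-off visible. `Refresh`'s body continues outside the hunk.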
diff --git a/pkg/keymanagementprovider/refresh/kubeRefresh_test.go b/pkg/keymanagementprovider/refresh/kubeRefresh_test.go index 9875098b8..0e930f931 100644 --- a/pkg/keymanagementprovider/refresh/kubeRefresh_test.go +++ b/pkg/keymanagementprovider/refresh/kubeRefresh_test.go @@ -21,14 +21,19 @@ import ( "crypto" "crypto/x509" "errors" + "net/http" "reflect" "testing" "time" + "github.com/notaryproject/notation-core-go/revocation" + corecrl "github.com/notaryproject/notation-core-go/revocation/crl" + re "github.com/ratify-project/ratify/errors" "github.com/ratify-project/ratify/pkg/keymanagementprovider" "github.com/ratify-project/ratify/pkg/keymanagementprovider/config" _ "github.com/ratify-project/ratify/pkg/keymanagementprovider/inline" mock "github.com/ratify-project/ratify/pkg/keymanagementprovider/mocks" + nv "github.com/ratify-project/ratify/pkg/verifier/notation" ctrl "sigs.k8s.io/controller-runtime" ) @@ -41,6 +46,7 @@ func TestKubeRefresher_Refresh(t *testing.T) { GetCertsFunc func(_ context.Context) (map[keymanagementprovider.KMPMapKey][]*x509.Certificate, keymanagementprovider.KeyManagementProviderStatus, error) GetKeysFunc func(_ context.Context) (map[keymanagementprovider.KMPMapKey]crypto.PublicKey, keymanagementprovider.KeyManagementProviderStatus, error) IsRefreshableFunc func() bool + NewCRLHandler nv.RevocationFactory expectedResult ctrl.Result expectedError bool }{ 
@@ -49,6 +55,7 @@ func TestKubeRefresher_Refresh(t *testing.T) { providerRawParameters: []byte(`{"contentType": "certificate", "value": "-----BEGIN CERTIFICATE-----\nMIID2jCCAsKgAwIBAgIQXy2VqtlhSkiZKAGhsnkjbDANBgkqhkiG9w0BAQsFADBvMRswGQYDVQQD\nExJyYXRpZnkuZXhhbXBsZS5jb20xDzANBgNVBAsTBk15IE9yZzETMBEGA1UEChMKTXkgQ29tcGFu\neTEQMA4GA1UEBxMHUmVkbW9uZDELMAkGA1UECBMCV0ExCzAJBgNVBAYTAlVTMB4XDTIzMDIwMTIy\nNDUwMFoXDTI0MDIwMTIyNTUwMFowbzEbMBkGA1UEAxMScmF0aWZ5LmV4YW1wbGUuY29tMQ8wDQYD\nVQQLEwZNeSBPcmcxEzARBgNVBAoTCk15IENvbXBhbnkxEDAOBgNVBAcTB1JlZG1vbmQxCzAJBgNV\nBAgTAldBMQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL10bM81\npPAyuraORABsOGS8M76Bi7Guwa3JlM1g2D8CuzSfSTaaT6apy9GsccxUvXd5cmiP1ffna5z+EFmc\nizFQh2aq9kWKWXDvKFXzpQuhyqD1HeVlRlF+V0AfZPvGt3VwUUjNycoUU44ctCWmcUQP/KShZev3\n6SOsJ9q7KLjxxQLsUc4mg55eZUThu8mGB8jugtjsnLUYvIWfHhyjVpGrGVrdkDMoMn+u33scOmrt\nsBljvq9WVo4T/VrTDuiOYlAJFMUae2Ptvo0go8XTN3OjLblKeiK4C+jMn9Dk33oGIT9pmX0vrDJV\nX56w/2SejC1AxCPchHaMuhlwMpftBGkCAwEAAaNyMHAwDgYDVR0PAQH/BAQDAgeAMAkGA1UdEwQC\nMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwMwHwYDVR0jBBgwFoAU0eaKkZj+MS9jCp9Dg1zdv3v/aKww\nHQYDVR0OBBYEFNHmipGY/jEvYwqfQ4Nc3b97/2isMA0GCSqGSIb3DQEBCwUAA4IBAQBNDcmSBizF\nmpJlD8EgNcUCy5tz7W3+AAhEbA3vsHP4D/UyV3UgcESx+L+Nye5uDYtTVm3lQejs3erN2BjW+ds+\nXFnpU/pVimd0aYv6mJfOieRILBF4XFomjhrJOLI55oVwLN/AgX6kuC3CJY2NMyJKlTao9oZgpHhs\nLlxB/r0n9JnUoN0Gq93oc1+OLFjPI7gNuPXYOP1N46oKgEmAEmNkP1etFrEjFRgsdIFHksrmlOlD\nIed9RcQ087VLjmuymLgqMTFX34Q3j7XgN2ENwBSnkHotE9CcuGRW+NuiOeJalL8DBmFXXWwHTKLQ\nPp5g6m1yZXylLJaFLKz7tdMmO355\n-----END CERTIFICATE-----\n"}`), providerType: "inline", IsRefreshableFunc: func() bool { return false }, + NewCRLHandler: nv.NewCRLHandler(), expectedResult: ctrl.Result{}, expectedError: false, }, 
@@ -57,6 +64,7 @@ func TestKubeRefresher_Refresh(t *testing.T) { providerRawParameters: []byte(`{"vaultURI": "https://yourkeyvault.vault.azure.net/", "certificates": [{"name": "cert1", "version": "1"}], "tenantID": "yourtenantID", "clientID": "yourclientID"}`), providerType: "test-kmp", providerRefreshInterval: "", + NewCRLHandler: nv.NewCRLHandler(), IsRefreshableFunc: func() bool { return true }, expectedResult: ctrl.Result{}, expectedError: false, @@ -66,6 +74,7 @@ func TestKubeRefresher_Refresh(t *testing.T) { providerRawParameters: []byte(`{"vaultURI": "https://yourkeyvault.vault.azure.net/", "certificates": [{"name": "cert1", "version": "1"}], "tenantID": "yourtenantID", "clientID": "yourclientID"}`), providerType: "test-kmp", providerRefreshInterval: "1m", + NewCRLHandler: nv.NewCRLHandler(), IsRefreshableFunc: func() bool { return true }, expectedResult: ctrl.Result{RequeueAfter: time.Minute}, expectedError: false, @@ -75,6 +84,7 @@ func TestKubeRefresher_Refresh(t *testing.T) { providerRawParameters: []byte(`{"vaultURI": "https://yourkeyvault.vault.azure.net/", "certificates": [{"name": "cert1", "version": "1"}], "tenantID": "yourtenantID", "clientID": "yourclientID"}`), providerType: "test-kmp", providerRefreshInterval: "1mm", + NewCRLHandler: nv.NewCRLHandler(), IsRefreshableFunc: func() bool { return true }, expectedResult: ctrl.Result{}, expectedError: true, @@ -88,6 +98,7 @@ func TestKubeRefresher_Refresh(t *testing.T) { providerRawParameters: []byte(`{"vaultURI": "https://yourkeyvault.vault.azure.net/", "certificates": [{"name": "cert1", "version": "1"}], "tenantID": "yourtenantID", "clientID": "yourclientID"}`), providerType: "test-kmp-error", IsRefreshableFunc: func() bool { return true }, + NewCRLHandler: nv.NewCRLHandler(), expectedError: true, }, { 
@@ -99,14 +110,29 @@ func TestKubeRefresher_Refresh(t *testing.T) { providerRawParameters: []byte(`{"vaultURI": "https://yourkeyvault.vault.azure.net/", "certificates": [{"name": "cert1", "version": "1"}], "tenantID": "yourtenantID", "clientID": "yourclientID"}`), providerType: "test-kmp-error", IsRefreshableFunc: func() bool { return true }, + NewCRLHandler: nv.NewCRLHandler(), expectedError: true, }, + { + name: "Error Caching with CRL Fetcher (non-blocking)", + GetCertsFunc: func(_ context.Context) (map[keymanagementprovider.KMPMapKey][]*x509.Certificate, keymanagementprovider.KeyManagementProviderStatus, error) { + return map[keymanagementprovider.KMPMapKey][]*x509.Certificate{ + {Name: "sample"}: {&x509.Certificate{}}, + }, keymanagementprovider.KeyManagementProviderStatus{}, nil + }, + providerRawParameters: []byte(`{"vaultURI": "https://yourkeyvault.vault.azure.net/", "certificates": [{"name": "cert1", "version": "1"}], "tenantID": "yourtenantID", "clientID": "yourclientID"}`), + providerType: "test-kmp", + providerRefreshInterval: "1m", + IsRefreshableFunc: func() bool { return true }, + NewCRLHandler: &MockCRLHandler{CacheEnabled: true, httpClient: &http.Client{}}, + expectedResult: ctrl.Result{RequeueAfter: time.Minute}, + expectedError: false, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { var factory mock.TestKeyManagementProviderFactory - if tt.GetCertsFunc != nil { factory = mock.TestKeyManagementProviderFactory{ GetCertsFunc: tt.GetCertsFunc, @@ -130,6 +156,7 @@ func TestKubeRefresher_Refresh(t *testing.T) { ProviderType: tt.providerType, ProviderRefreshInterval: tt.providerRefreshInterval, Resource: "kmpname", + CRLHandler: tt.NewCRLHandler, } err := kr.Refresh(context.Background()) 
@@ -144,9 +171,24 @@ func TestKubeRefresher_Refresh(t *testing.T) { } } +type MockCRLHandler struct { + CacheEnabled bool + Fetcher corecrl.Fetcher + httpClient *http.Client +} + +func (h *MockCRLHandler) NewFetcher() (corecrl.Fetcher, error) { + return nil, re.ErrorCodeConfigInvalid.WithDetail("failed to create CRL fetcher") +} + +func (h *MockCRLHandler) NewValidator(_ revocation.Options) (revocation.Validator, error) { + return nil, nil +} + func TestKubeRefresher_GetResult(t *testing.T) { kr := &KubeRefresher{ - Result: ctrl.Result{RequeueAfter: time.Minute}, + Result: ctrl.Result{RequeueAfter: time.Minute}, + CRLHandler: nv.NewCRLHandler(), } result := kr.GetResult() @@ -162,6 +204,7 @@ func TestKubeRefresher_GetStatus(t *testing.T) { "attribute1": "value1", "attribute2": "value2", }, + CRLHandler: nv.NewCRLHandler(), } status := kr.GetStatus() @@ -210,7 +253,7 @@ func TestKubeRefresher_Create(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - kr := &KubeRefresher{} + kr := &KubeRefresher{CRLHandler: nv.NewCRLHandler()} refresher, err := kr.Create(tt.config) if err != nil { t.Fatalf("Expected no error, but got %v", err) diff --git a/pkg/manager/manager.go b/pkg/manager/manager.go index f284ceaea..6726f39cd 100644 --- a/pkg/manager/manager.go +++ b/pkg/manager/manager.go @@ -105,7 +105,7 @@ func StartServer(httpServerAddress, configFilePath, certDirectory, caCertFile st logrus.Errorf("initialize server failed with error %v, exiting..", err) os.Exit(1) } - logrus.Infof("starting server at" + httpServerAddress) + logrus.Infof("starting server at %s", httpServerAddress) if err := server.Run(certRotatorReady); err != nil { logrus.Errorf("starting server failed with error %v, exiting..", err) os.Exit(1) diff --git a/pkg/verifier/notation/notation.go b/pkg/verifier/notation/notation.go index 52fdcbda6..de54857f4 100644 --- a/pkg/verifier/notation/notation.go +++ b/pkg/verifier/notation/notation.go 
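Review bot: `MockCRLHandler` declares `Fetcher` and `httpClient` fields that none of its methods read, and `NewFetcher` unconditionally returns the config-invalid error, so the mock can only exercise the failure path. Either drop the two fields or have `NewFetcher` return `h.Fetcher, nil` when it is non-nil so the same mock can also cover a working fetcher. `NewValidator` returning `nil, nil` is fine for this test but deserves a one-line comment saying the validator is intentionally unused by the refresher path.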
@@ -95,7 +95,8 @@ func init() {
 }
 
 func (f *notationPluginVerifierFactory) Create(_ string, verifierConfig config.VerifierConfig, pluginDirectory string, namespace string) (verifier.ReferenceVerifier, error) {
- logger.GetLogger(context.Background(), logOpt).Debugf("creating Notation verifier with config %v, namespace '%v'", verifierConfig, namespace)
+ ctx := context.Background()
+ logger.GetLogger(ctx, logOpt).Debugf("creating Notation verifier with config %v, namespace '%v'", verifierConfig, namespace)
 verifierName := fmt.Sprintf("%s", verifierConfig[types.Name])
 verifierTypeStr := ""
 if _, ok := verifierConfig[types.Type]; ok {
@@ -105,7 +106,7 @@ func (f *notationPluginVerifierFactory) Create(_ string, verifierConfig config.V
 if err != nil {
 return nil, re.ErrorCodePluginInitFailure.WithDetail("Failed to create the Notation Verifier").WithError(err)
 }
- verifyService, err := getVerifierService(conf, pluginDirectory, NewRevocationFactoryImpl())
+ verifyService, err := getVerifierService(ctx, conf, pluginDirectory, NewCRLHandler())
 if err != nil {
 return nil, re.ErrorCodePluginInitFailure.WithDetail("Failed to create the Notation Verifier").WithError(err)
 }
@@ -177,7 +178,7 @@ func (v *notationPluginVerifier) Verify(ctx context.Context,
 return verifier.NewVerifierResult("", v.name, v.verifierType, "Notation signature verification success", true, nil, extensions), nil
 }
 
-func getVerifierService(conf *NotationPluginVerifierConfig, pluginDirectory string, revocationFactory RevocationFactory) (notation.Verifier, error) {
+func getVerifierService(ctx context.Context, conf *NotationPluginVerifierConfig, pluginDirectory string, revocationFactory RevocationFactory) (notation.Verifier, error) {
 store, err := newTrustStore(conf.VerificationCerts, conf.VerificationCertStores)
 if err != nil {
 return nil, err
@@ -190,7 +191,7 @@ func getVerifierService(conf *NotationPluginVerifierConfig, pluginDirectory stri // Related File: https://github.com/notaryproject/notation/commits/main/cmd/notation/verify.go5 crlFetcher, err := revocationFactory.NewFetcher() if err != nil { - return nil, err + logger.GetLogger(ctx, logOpt).Warnf("Unable to create CRL fetcher for notation verifier %s with error: %s", conf.Name, err) } revocationCodeSigningValidator, err := revocationFactory.NewValidator(revocation.Options{ CRLFetcher: crlFetcher, diff --git a/pkg/verifier/notation/notation_test.go b/pkg/verifier/notation/notation_test.go index bf2fa4abb..c0ae0d226 100644 --- a/pkg/verifier/notation/notation_test.go +++ b/pkg/verifier/notation/notation_test.go @@ -625,7 +625,7 @@ func TestGetVerifierService(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - _, err := getVerifierService(tt.conf, tt.pluginDir, tt.RevocationFactory) + _, err := getVerifierService(context.Background(), tt.conf, tt.pluginDir, tt.RevocationFactory) if (err != nil) != tt.expectErr { t.Errorf("error = %v, expectErr = %v", err, tt.expectErr) } diff --git a/pkg/verifier/notation/notationrevocationfactory.go b/pkg/verifier/notation/notationrevocationfactory.go index 47cc35606..b8687f5ea 100644 --- a/pkg/verifier/notation/notationrevocationfactory.go +++ b/pkg/verifier/notation/notationrevocationfactory.go 
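Review bot: After the replaced `return nil, err`, a nil `crlFetcher` is still handed to `revocation.NewWithOptions` on the next line, so a failed fetcher creation now degrades revocation checking instead of failing verifier creation. Whether NewWithOptions substitutes a default fetcher or rejects a nil one is not visible here; either way the file cache that CRLHandler configures is not in use, and a Warn-level line is easy to miss in production logs. Log it at error level with the operational consequence spelled out, e.g. `logger.GetLogger(ctx, logOpt).Errorf("CRL fetcher unavailable for notation verifier %s; CRL revocation checks will run without the configured cache or be skipped: %v", conf.Name, err)`, and record this fail-open choice in getVerifierService's doc comment. getVerifierService starts outside this hunk.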
@@ -15,49 +15,63 @@ package notation import ( "net/http" + "sync" "github.com/notaryproject/notation-core-go/revocation" corecrl "github.com/notaryproject/notation-core-go/revocation/crl" "github.com/notaryproject/notation-go/dir" - "github.com/notaryproject/notation-go/verifier/crl" + re "github.com/ratify-project/ratify/errors" ) -type RevocationFactoryImpl struct { - cacheRoot string - httpClient *http.Client +type CRLHandler struct { + CacheEnabled bool + Fetcher corecrl.Fetcher + httpClient *http.Client } -// NewRevocationFactoryImpl returns a new NewRevocationFactoryImpl instance -func NewRevocationFactoryImpl() RevocationFactory { - return &RevocationFactoryImpl{ - cacheRoot: dir.PathCRLCache, - httpClient: &http.Client{}, - } +var fetcherOnce sync.Once + +// NewCRLHandler returns a new NewCRLHandler instance. Enable cache by default. +func NewCRLHandler() RevocationFactory { + return &CRLHandler{CacheEnabled: true, httpClient: &http.Client{}} } -// NewFetcher returns a new fetcher instance -func (f *RevocationFactoryImpl) NewFetcher() (corecrl.Fetcher, error) { - crlFetcher, err := corecrl.NewHTTPFetcher(f.httpClient) +// NewFetcher creates a new instance of a Fetcher if it doesn't already exist. +// If a Fetcher instance is already present, it returns the existing instance. +// The method also configures the cache for the Fetcher. +// Returns an instance of corecrl.Fetcher or an error if the Fetcher creation fails. +func (h *CRLHandler) NewFetcher() (corecrl.Fetcher, error) { + var err error + fetcherOnce.Do(func() { + h.Fetcher, err = CreateCRLFetcher(h.httpClient, dir.PathCRLCache) + if err == nil { + h.configureCache() + } + }) if err != nil { return nil, err } - crlFetcher.Cache, err = newFileCache(f.cacheRoot) - if err != nil { - return nil, err + // Check if the fetcher is nil, return an error if it is. 
+ // one possible edge case is that an error happened in the first call, + // the following calls will not get the error since the sync.Once block will be skipped. + if h.Fetcher == nil { + return nil, re.ErrorCodeConfigInvalid.WithDetail("failed to create CRL fetcher") } - return crlFetcher, nil + return h.Fetcher, nil } // NewValidator returns a new validator instance -func (f *RevocationFactoryImpl) NewValidator(opts revocation.Options) (revocation.Validator, error) { +func (h *CRLHandler) NewValidator(opts revocation.Options) (revocation.Validator, error) { return revocation.NewWithOptions(opts) } -// newFileCache returns a new file cache instance -func newFileCache(root string) (*crl.FileCache, error) { - cacheRoot, err := dir.CacheFS().SysPath(root) - if err != nil { - return nil, err +// configureCache disables the cache for the HTTPFetcher if caching is not enabled. +// If the EnableCache field is set to false, this method sets the Cache field of the +// HTTPFetcher to nil, effectively disabling caching for HTTP fetch operations. +func (h *CRLHandler) configureCache() { + if !h.CacheEnabled { + if httpFetcher, ok := h.Fetcher.(*corecrl.HTTPFetcher); ok { + httpFetcher.Cache = nil + } } - return crl.NewFileCache(cacheRoot) } diff --git a/pkg/verifier/notation/notationrevocationfactory_test.go b/pkg/verifier/notation/notationrevocationfactory_test.go index b5355f83c..d30e619b3 100644 --- a/pkg/verifier/notation/notationrevocationfactory_test.go +++ b/pkg/verifier/notation/notationrevocationfactory_test.go 
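Review bot: `fetcherOnce` is a package-level sync.Once but the Do block initialises the per-instance field `h.Fetcher`, so only the first CRLHandler ever created gets a fetcher; every later handler — notation.go builds one per verifier Create, and the refresher tests construct several — skips the Do block, finds `h.Fetcher == nil` and returns ErrorCodeConfigInvalid, and its `CacheEnabled` is never honoured because configureCache also runs only inside the Do. The comment already concedes that the first call's error is lost on later calls; both problems disappear if the Once and the error live on the handler, as below, which also lets callers see the real cause rather than a generic config error. If a process-wide singleton was the intent instead, the fetcher should be stored in a package-level variable next to the Once rather than on `h`. Separately, the `http.Client{}` in NewCRLHandler carries no Timeout, so every CRL download it performs is unbounded; set a Timeout on the client or derive a deadline on the fetch context.
```go
type CRLHandler struct {
	CacheEnabled bool
	Fetcher      corecrl.Fetcher
	httpClient   *http.Client

	once       sync.Once // per handler: each CRLHandler initialises its own Fetcher exactly once
	fetcherErr error     // outcome of that initialisation, replayed to every later caller
}

// NewCRLHandler returns a new CRLHandler instance. Enable cache by default.
func NewCRLHandler() RevocationFactory {
	return &CRLHandler{CacheEnabled: true, httpClient: &http.Client{}}
}

// NewFetcher builds this handler's fetcher on first use and returns the same
// instance on every later call; an error from the first attempt is returned
// on all subsequent calls instead of being lost.
func (h *CRLHandler) NewFetcher() (corecrl.Fetcher, error) {
	h.once.Do(func() {
		h.Fetcher, h.fetcherErr = CreateCRLFetcher(h.httpClient, dir.PathCRLCache)
		if h.fetcherErr == nil {
			h.configureCache()
		}
	})
	if h.fetcherErr != nil {
		return nil, h.fetcherErr
	}
	if h.Fetcher == nil {
		return nil, re.ErrorCodeConfigInvalid.WithDetail("failed to create CRL fetcher")
	}
	return h.Fetcher, nil
}
// … unchanged: NewValidator, configureCache …
```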
@@ -14,16 +14,20 @@ package notation import ( + "context" "net/http" "runtime" "testing" "github.com/notaryproject/notation-core-go/revocation" + corecrl "github.com/notaryproject/notation-core-go/revocation/crl" + "github.com/notaryproject/notation-go/dir" + "github.com/notaryproject/notation-go/verifier/crl" "github.com/stretchr/testify/assert" ) func TestNewRevocationFactoryImpl(t *testing.T) { - factory := NewRevocationFactoryImpl() + factory := NewCRLHandler() assert.NotNil(t, factory) } @@ -41,8 +45,8 @@ func TestNewFetcher(t *testing.T) { wantErr: false, }, { - name: "invalid fetcher with nil httpClient", - cacheRoot: "/valid/path", + name: "invalid fetcher", + cacheRoot: "", httpClient: nil, wantErr: true, }, @@ -50,11 +54,7 @@ func TestNewFetcher(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - factory := &RevocationFactoryImpl{ - cacheRoot: tt.cacheRoot, - httpClient: tt.httpClient, - } - + factory := &CRLHandler{httpClient: tt.httpClient} fetcher, err := factory.NewFetcher() if tt.wantErr { assert.Error(t, err) @@ -65,7 +65,7 @@ func TestNewFetcher(t *testing.T) { } func TestNewValidator(t *testing.T) { - factory := &RevocationFactoryImpl{} + factory := NewCRLHandler() opts := revocation.Options{} validator, err := factory.NewValidator(opts) 
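Review bot: Because `fetcherOnce` is package-level, the TestNewFetcher table is now order-coupled: `factory := &CRLHandler{httpClient: tt.httpClient}` builds a fresh handler per subtest, but only the first subtest runs CreateCRLFetcher, so the "invalid fetcher" case passes because `h.Fetcher` is nil on a handler whose Once never ran, not because a nil httpClient is rejected — and swapping the two cases would fail the valid one. The `cacheRoot` field kept in the table (`cacheRoot: ""`) is no longer passed to anything and can be removed. If the Once stays package-level, reset it at the start of each subtest with `fetcherOnce = sync.Once{}`, or test CreateCRLFetcher directly for the nil-client path. TestNewFetcher starts outside the hunk.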
@@ -101,3 +101,55 @@ func TestNewFileCache(t *testing.T) { }) } } +func TestConfigureCache(t *testing.T) { + testCache, _ := crl.NewFileCache(dir.PathCRLCache) + tests := []struct { + name string + cacheEnabled bool + fetcher corecrl.Fetcher + expectCache bool + }{ + { + name: "cache enabled", + cacheEnabled: true, + fetcher: &corecrl.HTTPFetcher{Cache: testCache}, + expectCache: true, + }, + { + name: "cache disabled", + cacheEnabled: false, + fetcher: &corecrl.HTTPFetcher{Cache: testCache}, + expectCache: false, + }, + { + name: "non-HTTP fetcher", + cacheEnabled: false, + fetcher: &mockFetcher{}, + expectCache: false, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + handler := &CRLHandler{ + CacheEnabled: tt.cacheEnabled, + Fetcher: tt.fetcher, + } + handler.configureCache() + + if httpFetcher, ok := handler.Fetcher.(*corecrl.HTTPFetcher); ok { + if tt.expectCache { + assert.NotNil(t, httpFetcher.Cache) + } else { + assert.Nil(t, httpFetcher.Cache) + } + } + }) + } +} + +type mockFetcher struct{} + +func (m *mockFetcher) Fetch(_ context.Context, _ string) (*corecrl.Bundle, error) { + return nil, nil +} diff --git a/pkg/verifier/notation/revocationfactory.go b/pkg/verifier/notation/revocationfactory.go index 7860ec2a7..d0c576fe0 100644 --- a/pkg/verifier/notation/revocationfactory.go +++ b/pkg/verifier/notation/revocationfactory.go 
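Review bot: `testCache, _ := crl.NewFileCache(dir.PathCRLCache)` discards the constructor error; if it fails, `testCache` is nil and the "cache enabled" case fails on an unrelated NotNil assertion. Use `testCache, err := crl.NewFileCache(dir.PathCRLCache)` followed by `if err != nil { t.Fatalf("NewFileCache: %v", err) }`. Note also that `dir.PathCRLCache` is passed unresolved here, whereas newFileCache in this commit first maps it through `dir.CacheFS().SysPath`, so the test appears to create its cache directory relative to the working directory; rooting it at `t.TempDir()` would keep the test hermetic.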
@@ -14,10 +14,21 @@ package notation import ( + "context" + "crypto/x509" + "net/http" + "sync" + "github.com/notaryproject/notation-core-go/revocation" corecrl "github.com/notaryproject/notation-core-go/revocation/crl" + "github.com/notaryproject/notation-go/dir" + "github.com/notaryproject/notation-go/verifier/crl" + "github.com/ratify-project/ratify/internal/logger" ) +// RevocationFactory is an interface that defines methods for creating instances +// related to revocation. It provides methods to create a new fetcher and a new +// validator. type RevocationFactory interface { // NewFetcher returns a new fetcher instance NewFetcher() (corecrl.Fetcher, error) 
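Review bot: The new RevocationFactory doc comment and the retained `// NewFetcher returns a new fetcher instance` promise a fresh instance per call, while the only implementation in this commit, CRLHandler.NewFetcher, memoises and returns the same fetcher every time. Reword the method comment to state the contract callers may actually rely on, e.g. `// NewFetcher returns the CRL fetcher for this factory; implementations may return a shared instance across calls`. The interface body continues outside the hunk.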
@@ -25,3 +36,62 @@ type RevocationFactory interface { // NewValidator returns a new validator instance NewValidator(revocation.Options) (revocation.Validator, error) } + +// CreateCRLFetcher returns a new fetcher instance +func CreateCRLFetcher(httpClient *http.Client, cacheRoot string) (corecrl.Fetcher, error) { + crlFetcher, err := corecrl.NewHTTPFetcher(httpClient) + if err != nil { + return nil, err + } + crlFetcher.Cache, err = newFileCache(cacheRoot) + if err != nil { + return nil, err + } + return crlFetcher, nil +} + +// SupportCRL checks if the certificate supports CRL +func SupportCRL(cert *x509.Certificate) bool { + return cert != nil && len(cert.CRLDistributionPoints) > 0 +} + +// cacheCRL caches the Certificate Revocation Lists (CRLs) for the given certificates using the provided CRL fetcher. +// It logs a warning if fetching the CRL fails but does not return an error to ensure the process is not blocked. +func CacheCRL(ctx context.Context, certs []*x509.Certificate, fetcher corecrl.Fetcher) { + if fetcher == nil { + logger.GetLogger(ctx, logOpt).Warn("CRL fetcher is nil") + return + } + var wg sync.WaitGroup + for _, cert := range certs { + if !SupportCRL(cert) { + continue + } + cacheCertificateCRL(ctx, cert.CRLDistributionPoints, fetcher, &wg) + } + wg.Wait() +} + +func cacheCertificateCRL(ctx context.Context, crlURLs []string, crlFetcher corecrl.Fetcher, wg *sync.WaitGroup) { + for _, crlURL := range crlURLs { + crlURL := crlURL // capture loop variable + wg.Add(1) + go fetchCRL(ctx, crlURL, crlFetcher, wg) + } +} + +func fetchCRL(ctx context.Context, url string, crlFetcher corecrl.Fetcher, wg *sync.WaitGroup) { + defer wg.Done() + if _, err := crlFetcher.Fetch(ctx, url); err != nil { + logger.GetLogger(ctx, logOpt).Errorf("failed to download CRL from %s : %v", url, err) + } +} + +// newFileCache returns a new file cache instance +func newFileCache(root string) (*crl.FileCache, error) { + cacheRoot, err := dir.CacheFS().SysPath(root) + if err != 
nil { + return nil, err + } + return crl.NewFileCache(cacheRoot) +} diff --git a/pkg/verifier/notation/revocationfactory_test.go b/pkg/verifier/notation/revocationfactory_test.go new file mode 100644 index 000000000..8b295031d --- /dev/null +++ b/pkg/verifier/notation/revocationfactory_test.go 
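Review bot: CacheCRL starts one goroutine per CRL distribution point with no bound and no deadline and then blocks in `wg.Wait()`; the URLs come from whatever certificates are passed in, and the fetcher this commit builds uses an `http.Client{}` without a Timeout, so one unreachable or slow CRL endpoint holds the caller indefinitely and a certificate set with many distribution points fans out without limit. Bound the concurrency with a semaphore and give each fetch a deadline derived from ctx, as sketched below (the two constants are placeholder values to tune, and `time` needs importing). The `crlURL := crlURL // capture loop variable` line is unnecessary, since the value is passed as a goroutine argument rather than captured by a closure. The comment `// cacheCRL caches ...` names the function in lowercase and should read `// CacheCRL caches ...` to match the exported name.
```go
// placeholder values to tune for the deployment
const (
	maxConcurrentCRLFetches = 8
	crlFetchTimeout         = 30 * time.Second
)

// CacheCRL warms the CRL cache for every certificate that advertises distribution
// points. Downloads run concurrently but bounded, and each one carries a deadline so a
// stalled endpoint cannot hold the caller in wg.Wait() indefinitely. Failures are
// logged and never returned, so the caller is not blocked by a bad CRL endpoint.
func CacheCRL(ctx context.Context, certs []*x509.Certificate, fetcher corecrl.Fetcher) {
	if fetcher == nil {
		logger.GetLogger(ctx, logOpt).Warn("CRL fetcher is nil")
		return
	}
	var wg sync.WaitGroup
	sem := make(chan struct{}, maxConcurrentCRLFetches) // limits in-flight downloads
	for _, cert := range certs {
		if !SupportCRL(cert) {
			continue
		}
		cacheCertificateCRL(ctx, cert.CRLDistributionPoints, fetcher, &wg, sem)
	}
	wg.Wait()
}

func cacheCertificateCRL(ctx context.Context, crlURLs []string, crlFetcher corecrl.Fetcher, wg *sync.WaitGroup, sem chan struct{}) {
	for _, crlURL := range crlURLs {
		wg.Add(1)
		go fetchCRL(ctx, crlURL, crlFetcher, wg, sem)
	}
}

func fetchCRL(ctx context.Context, url string, crlFetcher corecrl.Fetcher, wg *sync.WaitGroup, sem chan struct{}) {
	defer wg.Done()
	sem <- struct{}{}        // acquire a slot; blocks while the bound is reached
	defer func() { <-sem }() // release it
	fetchCtx, cancel := context.WithTimeout(ctx, crlFetchTimeout)
	defer cancel()
	if _, err := crlFetcher.Fetch(fetchCtx, url); err != nil {
		logger.GetLogger(ctx, logOpt).Errorf("failed to download CRL from %s : %v", url, err)
	}
}
// … unchanged: CreateCRLFetcher, SupportCRL, newFileCache …
```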
@@ -0,0 +1,143 @@ +// Copyright The Ratify Authors. +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at + +// http://www.apache.org/licenses/LICENSE-2.0 + +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package notation + +import ( + "context" + "crypto/x509" + "fmt" + "net/http" + "testing" + + corecrl "github.com/notaryproject/notation-core-go/revocation/crl" + "github.com/stretchr/testify/assert" +) + +func TestCRLNewFetcher(t *testing.T) { + httpClient := &http.Client{} + cacheRoot := "/tmp/cache" + + t.Run("successful fetcher creation", func(t *testing.T) { + fetcher, err := CreateCRLFetcher(httpClient, cacheRoot) + assert.NoError(t, err) + assert.NotNil(t, fetcher) + }) + + t.Run("error in creating HTTP fetcher", func(t *testing.T) { + // Simulate error by passing nil httpClient + fetcher, err := CreateCRLFetcher(nil, cacheRoot) + assert.Error(t, err) + assert.Nil(t, fetcher) + }) +} +func TestSupportCRL(t *testing.T) { + t.Run("certificate with CRL distribution points", func(t *testing.T) { + cert := &x509.Certificate{ + CRLDistributionPoints: []string{"http://example.com/crl"}, + } + assert.True(t, SupportCRL(cert)) + }) + + t.Run("certificate without CRL distribution points", func(t *testing.T) { + cert := &x509.Certificate{} + assert.False(t, SupportCRL(cert)) + }) + + t.Run("nil certificate", func(t *testing.T) { + assert.False(t, SupportCRL(nil)) + }) +} +func TestCacheCRL(t *testing.T) { + ctx := context.Background() + httpClient := &http.Client{} + cacheRoot := "/tmp/cache" + fetcher, _ := CreateCRLFetcher(httpClient, cacheRoot) + + t.Run("nil 
fetcher", func(t *testing.T) { + certs := []*x509.Certificate{ + { + CRLDistributionPoints: []string{"http://example.com/crl"}, + }, + } + CacheCRL(ctx, certs, nil) + // Check logs if necessary + t.Log("CRL fetcher is nil") + }) + + t.Run("certificate without CRL distribution points", func(t *testing.T) { + certs := []*x509.Certificate{ + {}, + } + CacheCRL(ctx, certs, fetcher) + // Check logs if necessary + t.Log("Certificate does not support CRL") + }) + + t.Run("certificates with CRL distribution points", func(t *testing.T) { + certs := []*x509.Certificate{ + { + CRLDistributionPoints: []string{"http://example.com/crl1"}, + }, + { + CRLDistributionPoints: []string{"http://example.com/crl2"}, + }, + } + CacheCRL(ctx, certs, fetcher) + // Check logs if necessary + t.Log("Completed fetching CRLs") + }) +} +func TestIntermittentFailCacheCRL(t *testing.T) { + ctx := context.Background() + t.Run("fetch CRL fails", func(t *testing.T) { + // Mock fetcher to simulate failure + mockFetcher := &MockFetcher{ + flag: true, + FetchFunc: func(_ context.Context, _ string) (*corecrl.Bundle, error) { + return &corecrl.Bundle{}, nil + }, + } + certs := []*x509.Certificate{ + { + CRLDistributionPoints: []string{"http://example.com/crl1"}, + }, + { + CRLDistributionPoints: []string{"http://example.com/crl2"}, + }, + { + CRLDistributionPoints: []string{"http://example.com/crl3"}, + }, + { + CRLDistributionPoints: []string{"http://example.com/crl4"}, + }, + } + CacheCRL(ctx, certs, mockFetcher) + // Check logs if necessary + t.Log("Completed fetching CRLs with intermittent failures") + }) +} + +// MockFetcher is a mock implementation of corecrl.Fetcher for testing purposes +type MockFetcher struct { + flag bool + FetchFunc func(ctx context.Context, url string) (*corecrl.Bundle, error) +} + +func (m *MockFetcher) Fetch(ctx context.Context, url string) (*corecrl.Bundle, error) { + m.flag = !m.flag + if m.flag { + return nil, fmt.Errorf("failed to fetch CRL from %s", url) + } + return 
m.FetchFunc(ctx, url) +} diff --git a/pkg/verifier/notation/truststore_test.go b/pkg/verifier/notation/truststore_test.go index eb64c042d..964f97cb6 100644 --- a/pkg/verifier/notation/truststore_test.go +++ b/pkg/verifier/notation/truststore_test.go @@ -133,7 +133,7 @@ func TestGetCertificates_ErrorFromKMPReconcile(t *testing.T) { } store, err := newTrustStore(nil, certStore) if err != nil { - t.Fatalf("failed to parse verificationCertStores: " + err.Error()) + t.Fatalf("failed to parse verificationCertStores: %s", err.Error()) } controllers.NamespacedCertStores = &mockCertStores{ diff --git a/pkg/verifier/result_test.go b/pkg/verifier/result_test.go index 64efd2c52..67ceec690 100644 --- a/pkg/verifier/result_test.go +++ b/pkg/verifier/result_test.go @@ -16,9 +16,10 @@ limitations under the License. package verifier import ( - "fmt" "testing" + e "errors" + "github.com/ratify-project/ratify/errors" ) @@ -47,7 +48,7 @@ func TestNewVerifierResult(t *testing.T) { { name: "error without detail", message: testMsg1, - err: errors.ErrorCodeUnknown.WithError(fmt.Errorf(testErrReason)).WithRemediation(testRemediation), + err: errors.ErrorCodeUnknown.WithError(e.New(testErrReason)).WithRemediation(testRemediation), expectedMsg: testMsg1, expectedErrReason: testErrReason, expectedRemediation: testRemediation, @@ -55,7 +56,7 @@ func TestNewVerifierResult(t *testing.T) { { name: "error with detail", message: testMsg1, - err: errors.ErrorCodeUnknown.WithError(fmt.Errorf(testErrReason)).WithRemediation(testRemediation).WithDetail(testMsg2), + err: errors.ErrorCodeUnknown.WithError(e.New(testErrReason)).WithRemediation(testRemediation).WithDetail(testMsg2), expectedMsg: testMsg2, expectedErrReason: testErrReason, expectedRemediation: testRemediation, diff --git a/pkg/verifier/types/types_test.go b/pkg/verifier/types/types_test.go index ce1cd39f6..c2d097a33 100644 --- a/pkg/verifier/types/types_test.go +++ b/pkg/verifier/types/types_test.go 
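Review bot: MockFetcher.Fetch toggles `m.flag` without synchronisation, and CacheCRL calls Fetch from one goroutine per URL, so TestIntermittentFailCacheCRL races on `flag` and `go test -race` will report it. Guard the field: add `mu sync.Mutex` to MockFetcher and open Fetch with `m.mu.Lock()` and `defer m.mu.Unlock()`. TestCacheCRL's "certificates with CRL distribution points" case hands real `http://example.com/...` URLs to a real HTTP fetcher, so it depends on outbound network access and, with no client timeout, can stall the suite; an `httptest.Server` returning a fixed response would make it hermetic. None of the CacheCRL cases asserts anything beyond `t.Log`, so a regression in which no CRL is fetched would pass unnoticed — have the mock count the URLs it sees and assert on that count.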
@@ -16,9 +16,10 @@ limitations under the License. package types import ( - "fmt" "testing" + e "errors" + "github.com/ratify-project/ratify/errors" ) @@ -47,7 +48,7 @@ func TestCreateVerifierResult(t *testing.T) { { name: "error without detail", message: testMsg1, - err: errors.ErrorCodeUnknown.WithError(fmt.Errorf(testErrReason)).WithRemediation(testRemediation), + err: errors.ErrorCodeUnknown.WithError(e.New(testErrReason)).WithRemediation(testRemediation), expectedMsg: testMsg1, expectedErrReason: testErrReason, expectedRemediation: testRemediation, @@ -55,7 +56,7 @@ func TestCreateVerifierResult(t *testing.T) { { name: "error with detail", message: testMsg1, - err: errors.ErrorCodeUnknown.WithError(fmt.Errorf(testErrReason)).WithRemediation(testRemediation).WithDetail(testMsg2), + err: errors.ErrorCodeUnknown.WithError(e.New(testErrReason)).WithRemediation(testRemediation).WithDetail(testMsg2), expectedMsg: testMsg2, expectedErrReason: testErrReason, expectedRemediation: testRemediation, diff --git a/scripts/azure-ci-test.sh b/scripts/azure-ci-test.sh index b5ddce9ce..6c5ff9c63 100755 --- a/scripts/azure-ci-test.sh +++ b/scripts/azure-ci-test.sh @@ -27,8 +27,8 @@ export AKS_NAME="${AKS_NAME:-ratify-aks-${SUFFIX}}" export KEYVAULT_NAME="${KEYVAULT_NAME:-ratify-akv-${SUFFIX}}" export USER_ASSIGNED_IDENTITY_NAME="${USER_ASSIGNED_IDENTITY_NAME:-ratify-e2e-identity-${SUFFIX}}" export LOCATION="westus2" -export KUBERNETES_VERSION=${1:-1.29.2} -GATEKEEPER_VERSION=${2:-3.17.0} +export KUBERNETES_VERSION=${1:-1.30.6} +GATEKEEPER_VERSION=${2:-3.18.0} TENANT_ID=$3 export RATIFY_NAMESPACE=${4:-gatekeeper-system} CERT_DIR=${5:-"~/ratify/certs"} diff --git a/terraform/azure/main.tf b/terraform/azure/main.tf index 512aedf37..78ef5fcbc 100644 --- a/terraform/azure/main.tf +++ b/terraform/azure/main.tf 
@@ -107,7 +107,7 @@ resource "azurerm_kubernetes_cluster" "aks" {
 location = azurerm_resource_group.rg.location
 resource_group_name = azurerm_resource_group.rg.name
 dns_prefix = "${var.cluster_name}-dns"
- kubernetes_version = "1.29.2"
+ kubernetes_version = "1.30.6"
 workload_identity_enabled = true
 oidc_issuer_enabled = true