Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add sbom verifier to helm chart #1204

Merged
merged 2 commits into from
Dec 10, 2023

Conversation

susanshi
Copy link
Collaborator

@susanshi susanshi commented Dec 7, 2023

Description

Doc walk through at ratify-project/ratify-web#44
Sample command:

helm install ratify
./charts/ratify --atomic
--namespace gatekeeper-system
--set featureFlags.RATIFY_CERT_ROTATION=true
--set sbom.enabled=true
--set sbom.disallowedLicenses={"Zlib"}
--set sbom.disallowedPackages[0].name="busybox"
--set sbom.disallowedPackages[0].version="1.36.1-r0"

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):

Fixes #

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Helm Chart Change (any edit/addition/update that is necessary for changes merged to the main branch)
  • This change requires a documentation update

How Has This Been Tested?

Validation #1 , modiefied local chart to populate disallowed license and package
validation #2, manual testing with installing command below:

helm install ratify
./charts/ratify --atomic
--namespace gatekeeper-system
--set featureFlags.RATIFY_CERT_ROTATION=true
--set sbom.enabled=true
--set sbom.disallowedLicenses={"Zlib"}
--set sbom.disallowedPackages[0].name="busybox"
--set sbom.disallowedPackages[0].version="1.36.1-r0"

Checklist:

  • Does the affected code have corresponding tests?
  • Are the changes documented, not just with inline documentation, but also with conceptual documentation such as an overview of a new feature, or task-based documentation like a tutorial? Consider if this change should be announced on your project blog.
  • Does this introduce breaking changes that would require an announcement or bumping the major version?
  • Do all new files have appropriate license header?

Post Merge Requirements

  • MAINTAINERS: manually trigger the "Publish Package" workflow after merging any PR that indicates Helm Chart Change

Copy link

codecov bot commented Dec 7, 2023

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (74e575a) 55.09% compared to head (dfe622d) 55.09%.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1204   +/-   ##
=======================================
  Coverage   55.09%   55.09%           
=======================================
  Files         104      104           
  Lines        6865     6865           
=======================================
  Hits         3782     3782           
  Misses       2751     2751           
  Partials      332      332           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@susanshi susanshi marked this pull request as ready for review December 8, 2023 05:30
Copy link
Collaborator

@binbin-li binbin-li left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

one minor comment, lgtm overall

| sbom.enabled | Enables/disables installation of sbom verification configuration | `false` |
| sbom.notaryProjectSignatureRequired | requires validation of sbom notation signature | `false` |
| sbom.disallowedLicenses | list of disallowed licenses | [] |
| sbom.disallowedPackages | list of disallowed packages defined by package name and version | [] |
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wonder if we should provide an example for package name/version pair?

Copy link
Collaborator

@akashsinghal akashsinghal Dec 8, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1. You could consider pointing to the doc if the plan is to add that there. Not a blocker for this PR for me

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks , I will merge this PR first to unblock release changes. and will add the example in a separate PR.

@susanshi susanshi merged commit 34abe0a into ratify-project:main Dec 10, 2023
21 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants