feat: merge from staging to main #1388

Merged
merged 22 commits into from
Apr 16, 2024
84cb90c  refactor: refactor verifiers to support namespaced  (binbin-li, Apr 1, 2024)
e716f54  feat: add verifiers interface to wrap up operations on namespaced ver…  (binbin-li, Apr 1, 2024)
2061199  feat: add context to getExecutor method  (binbin-li, Apr 2, 2024)
810c93e  chore: address comments  (binbin-li, Apr 9, 2024)
d1acec0  chore: Bump codecov/codecov-action from 4.2.0 to 4.3.0  (dependabot[bot], Apr 10, 2024)
73ef709  Merge branch 'staging' into multi-tenancy-pr-2  (binbin-li, Apr 10, 2024)
6a93bbf  Merge pull request #1358 from binbin-li/multi-tenancy-pr-2  (binbin-li, Apr 10, 2024)
8c87951  Merge branch 'staging' into dependabot/github_actions/codecov/codecov…  (binbin-li, Apr 10, 2024)
9ac7d5a  Merge pull request #1379 from deislabs/dependabot/github_actions/code…  (binbin-li, Apr 10, 2024)
2894b51  feat: add key support to key management provider (#1333)  (akashsinghal, Apr 10, 2024)
3872e05  fix: enable workflow for staging (#1369)  (susanshi, Apr 11, 2024)
7958056  feat: add PolicyManager interface to wrap operations on namespaced po…  (binbin-li, Apr 12, 2024)
003fe00  feat: add ReferrerStoreManager interface to wrap operations on namesp…  (binbin-li, Apr 12, 2024)
8acd52b  fix: update azure tenantId casing (#1385)  (akashsinghal, Apr 12, 2024)
f201712  Merge branch 'main' into staging  (akashsinghal, Apr 12, 2024)
a1a739f  chore: Bump github.com/sigstore/cosign/v2 from 2.2.3 to 2.2.4 (#1383)  (dependabot[bot], Apr 12, 2024)
9c11f81  build: update Bridge to Kubernetes debugging steps (#1384)  (akashsinghal, Apr 12, 2024)
f5089fc  chore: Bump github.com/aws/aws-sdk-go-v2 from 1.26.0 to 1.26.1 (#1394)  (dependabot[bot], Apr 15, 2024)
62c00fb  chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.17.9 to 1…  (dependabot[bot], Apr 15, 2024)
03bde0e  chore: Bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.5…  (dependabot[bot], Apr 15, 2024)
bce6b4c  chore: Bump google.golang.org/grpc from 1.62.1 to 1.62.2 (#1391)  (dependabot[bot], Apr 15, 2024)
7c75d59  chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.27.9 to 1.27.1…  (dependabot[bot], Apr 15, 2024)
2 changes: 2 additions & 0 deletions .github/workflows/codeql.yml
Expand Up @@ -5,10 +5,12 @@ on:
push:
branches:
- main
- staging
- 1.0.0*
pull_request:
branches:
- main
- staging
- 1.0.0*
schedule:
- cron: '30 1 * * 0'
4 changes: 2 additions & 2 deletions .github/workflows/e2e-cli.yml
Expand Up @@ -36,7 +36,7 @@ jobs:
- name: Check build
run: bin/ratify version
- name: Upload coverage to codecov.io
uses: codecov/codecov-action@7afa10ed9b269c561c2336fd862446844e0cbf71 # v4.2.0
uses: codecov/codecov-action@84508663e988701840491b86de86b666e8a86bed # v4.3.0
env:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
- name: Run helm lint
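Review bot: the bump keeps `codecov/codecov-action` pinned to a full commit SHA with the version in a trailing comment, which is the right pattern for a step that receives `CODECOV_TOKEN`; before merging, confirm that `84508663e988701840491b86de86b666e8a86bed` is the commit the upstream v4.3.0 tag resolves to, because the `# v4.3.0` comment is not checked by anything and a stale comment is how pin drift goes unnoticed. The same `uses:` line is repeated in the second coverage step further down this file, so the two must always move together (as they do here).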
Expand Down Expand Up @@ -64,7 +64,7 @@ jobs:
make install ratify-config install-bats
make test-e2e-cli GOCOVERDIR=${GITHUB_WORKSPACE}/test/e2e/.cover
- name: Upload coverage to codecov.io
uses: codecov/codecov-action@7afa10ed9b269c561c2336fd862446844e0cbf71 # v4.2.0
uses: codecov/codecov-action@84508663e988701840491b86de86b666e8a86bed # v4.3.0
env:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
markdown-link-check:
1 change: 1 addition & 0 deletions .github/workflows/golangci-lint.yml
Expand Up @@ -3,6 +3,7 @@ on:
push:
branches:
- main
- staging
- 1.0.0*
pull_request:
workflow_dispatch:
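Review bot: only the `push` trigger gains `- staging` here, whereas the other workflow files in this PR add it under `pull_request` as well; that is consistent rather than an omission, because this file's `pull_request:` trigger carries no `branches` filter, so PRs targeting staging were already linted. A short comment on the `pull_request:` key saying so would stop the next reader from "fixing" it.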
2 changes: 2 additions & 0 deletions .github/workflows/high-availability.yml
Expand Up @@ -6,11 +6,13 @@ on:
pull_request:
branches:
- main
- staging
- 1.0.0*
push:
branches:
- 1.0.0*
- main
- staging
workflow_dispatch:

permissions: read-all
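Review bot: cosmetic, in the `push.branches` list: the order (`1.0.0*`, `main`, `staging`) differs from the `pull_request.branches` list just above it (`main`, `staging`, `1.0.0*`); keeping the two lists in the same order makes future diffs of them trivial to eyeball. Good that `permissions: read-all` is left untouched by the trigger change.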
2 changes: 2 additions & 0 deletions .github/workflows/quick-start.yml
Expand Up @@ -6,10 +6,12 @@ on:
pull_request:
branches:
- main
- staging
- 1.0.0*
push:
branches:
- 1.0.0*
- staging
- main
workflow_dispatch:

4 changes: 3 additions & 1 deletion .github/workflows/scorecards.yml
Expand Up @@ -5,7 +5,9 @@ on:
# Weekly on Saturdays.
- cron: '30 1 * * 6'
push:
branches: [ main ]
branches:
- main
- staging
workflow_dispatch:

permissions: read-all
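Review bot: check how the job's publish or upload step behaves on a non-default branch before adding `- staging` to `push.branches`: the OpenSSF Scorecard action is designed to publish results for the repository's default branch, so a run triggered by a push to staging either needs that step conditioned on `github.ref` or should be expected to run without publishing. If the intent is just to exercise the workflow on staging, a comment on the `- staging` line saying so would help.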
29 changes: 18 additions & 11 deletions .vscode/launch.json
Expand Up @@ -12,15 +12,15 @@
"program": "${workspaceFolder}/cmd/ratify",
"env": {
"RATIFY_EXPERIMENTAL_DYNAMIC_PLUGINS": "1",
"RATIFY_LOG_LEVEL": "debug",
"RATIFY_LOG_LEVEL": "debug"
},
"args": [
"verify",
"-s",
"${input:subject}",
"-c",
"${input:configPath}",
],
"${input:configPath}"
]
},
{
"name": "Serve",
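Review bot: good cleanup of the trailing commas after `"debug"` and `"${input:configPath}"`; VS Code reads launch.json as JSONC and tolerates them, but strict JSON tooling does not, so this removes a recurring source of spurious diffs and parse errors. Please hold the later hunks in this file to the same rule.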
Expand All @@ -35,10 +35,9 @@
"serve",
"--http",
":6001"
],
]
},
{
// This requires your kubeconfig to be pointed at a cluster with Ratify CRDs installed
"name": "Serve w/ CRD manager",
"type": "go",
"request": "launch",
Expand All @@ -47,18 +46,19 @@
"env": {
"RATIFY_LOG_LEVEL": "debug",
"RATIFY_EXPERIMENTAL_DYNAMIC_PLUGINS": "1",
"RATIFY_NAMESPACE": "gatekeeper-system",
"RATIFY_NAMESPACE": "gatekeeper-system"
},
"args": [
"serve",
"--enable-crd-manager",
"--http",
":6001"
],
]
},
{
// This requires your kubeconfig to be pointed at a cluster with Ratify CRDs installed
// This requires you to have generated tls.crt and tls.key and placed them in a single directory
// This requires you to have generated server TLS certs: tls.crt, tls.key, ca.crt, ca.key and placed them in a single directory
// This requires you to have a client CA cert (Gatekeeper CA cert) to verify the client cert
"name": "Serve w/ CRD manager and TLS enabled",
"type": "go",
"request": "launch",
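Review bot: in the comment block for `Serve w/ CRD manager and TLS enabled`, `ca.key` is listed among the "server TLS certs" that must sit in the directory; state why a serving launch configuration needs the CA private key on disk (rather than only `ca.crt` for the bundle), otherwise a reader will assume it is a mistake and strip it. If the key is consumed by the `helm install` in CONTRIBUTING.md rather than by the local process, the comment should say that instead.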
Expand All @@ -73,8 +73,9 @@
"--enable-crd-manager",
"--http",
":6001",
"--cert-dir=${input:tlsDir}"
],
"--cert-dir=${input:tlsDir}",
"--ca-cert-file=${input:clientCACert}",
]
},
{
"name": "Debug SBOM Plugin",
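Review bot: `"--ca-cert-file=${input:clientCACert}",` reintroduces a trailing comma in the `args` array that the earlier hunks of this file just removed everywhere else; drop the comma so the file stays consistent (and valid strict JSON). Passing the flag as a single `--flag=value` token, matching the existing `--cert-dir=` line, is the right shape for a value that comes from a prompt and may contain spaces.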
Expand All @@ -87,7 +88,7 @@
"RATIFY_LOG_LEVEL": "debug",
"RATIFY_VERIFIER_COMMAND": "VERIFY",
"RATIFY_VERIFIER_SUBJECT": "wabbitnetworks.azurecr.io/test/image:sbom",
"RATIFY_VERIFIER_VERSION": "1.0.0",
"RATIFY_VERIFIER_VERSION": "1.0.0"
},
"console": "integratedTerminal"
}
Expand All @@ -111,5 +112,11 @@
"description": "Absolute path to tls cert and key directory",
"default": "${workspaceFolder}/tls/certs"
},
{
"id": "clientCACert",
"type": "promptString",
"description": "Absolute path to client CA cert (Gatekeeper CA cert)",
"default": "${workspaceFolder}/client-ca-cert/ca.crt"
}
]
}
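Review bot: the new `clientCACert` input defaults to `${workspaceFolder}/client-ca-cert/ca.crt`, and the `tlsDir` input above it to `${workspaceFolder}/tls/certs`; both directories will hold material that must never be committed (the Gatekeeper CA certificate pulled from the cluster, and the locally generated `tls.key` and `ca.key`). Confirm that `client-ca-cert/` and `tls/` are covered by `.gitignore`, or add them in this PR, so a launch.json tweak cannot drag private keys into a commit.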
20 changes: 13 additions & 7 deletions CONTRIBUTING.md
Expand Up @@ -269,19 +269,25 @@ Gatekeeper requires TLS for external data provider interactions. As such ratify
helm install ratify \
./charts/ratify --atomic \
--namespace gatekeeper-system \
--set-file notationCert=./test/testdata/notation.crt \
--set logger.level=debug \
--set-file notationCerts[0]=./test/testdata/notation.crt \
--set-file provider.tls.crt=./tls/certs/tls.crt \
--set-file provider.tls.key=./tls/certs/tls.key \
--set-file provider.tls.cabundle=./tls/certs/ca.crt
--set-file provider.tls.cabundle="$(cat ./tls/certs/ca.crt | base64 | tr -d '\n\r')" \
--set-file provider.tls.caCert=./tls/certs/ca.crt \
--set-file provider.tls.caKey=./tls/certs/ca.key
```
Update the `KubernetesLocalProcessConfig.yaml` with updated directory/file paths:
- In the file, set the `<INSERT WORKLOAD IDENTITY TOKEN LOCAL PATH>` to an absolute directory accessible on local environment. This is the directory where Bridge to K8s will download the Azure Workload Identity JWT token.
- In the file, set the `<INSERT CLIENT CA CERT LOCAL PATH>` to an absolute directory accessible on local environment. This is the directory where Bridge to K8s will download the `client-ca-cert` volume (Gatekeeper's `ca.crt`).

Configure Bridge to Kubernetes (Comprehensive guide [here](https://learn.microsoft.com/en-us/visualstudio/bridge/bridge-to-kubernetes-vs-code))
1. Open the `Command Palette` in VSCode `CTRL-SHIFT-P`
1. Select `Bridge to Kubernetes: Configure`
1. Select `Ratify` from the list as the service to redirect to
1. Set port to be 6001
1. Select `Serve w/ CRD manager and TLS enabled` as the launch config
1. Select 'No' for request isolation
2. Select `Bridge to Kubernetes: Configure`
3. Select `Ratify` from the list as the service to redirect to
4. Set port to be 6001
5. Select `Serve w/ CRD manager and TLS enabled` as the launch config
6. Select 'No' for request isolation

This should automatically append a new Bridge to Kubernetes configuration to the launch.json file and add a new tasks.json file.

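Review bot: the `provider.tls.cabundle` line mixes two mechanisms and will not work as written: `--set-file` takes a path and reads that file's contents, but here it is handed the base64 output of the `$(cat ./tls/certs/ca.crt | base64 | tr -d '\n\r')` substitution, so Helm will try to open a file whose name is that base64 string. Use `--set provider.tls.cabundle="$(cat ./tls/certs/ca.crt | base64 | tr -d '\n\r')"` if the chart expects a base64 value, or keep `--set-file provider.tls.cabundle=./tls/certs/ca.crt` as the removed line did if it expects PEM. Separately, `--set-file provider.tls.caKey=./tls/certs/ca.key` hands the CA private key to the Helm release, where it persists in the release secret and any values dump; acceptable for a locally generated dev CA, but the guide should say so explicitly and note that a CA key used anywhere beyond a dev cluster must not be supplied this way.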
15 changes: 15 additions & 0 deletions KubernetesLocalProcessConfig.yaml
@@ -0,0 +1,15 @@
version: 0.1
env:
- name: azure-identity-token # REMOVE if not using Azure Workload Identity
value: $(volumeMounts:azure-identity-token) # REMOVE if not using Azure Workload Identity
- name: client-ca-cert
value: $(volumeMounts:client-ca-cert)
- name: AZURE_FEDERATED_TOKEN_FILE # REMOVE if not using Azure Workload Identity
value: <INSERT WORKLOAD IDENTITY TOKEN LOCAL PATH>/azure-identity-token # REMOVE if not using Azure Workload Identity
- name: RATIFY_NAMESPACE
value: gatekeeper-system
volumeMounts:
- name: client-ca-cert
localPath: <INSERT CLIENT CA CERT LOCAL PATH>
- name: azure-identity-token # REMOVE if not using Azure Workload Identity
localPath: <INSERT WORKLOAD IDENTITY TOKEN LOCAL PATH> # REMOVE if not using Azure Workload Identity
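Review bot: this file is committed at the repository root with `<INSERT ...>` placeholders that each developer replaces with absolute local paths, so it will show as modified in every working tree and is likely to be committed with someone's paths, including the directory that receives the Azure Workload Identity JWT. Consider shipping it as a template (for example an `.example` copy) with the real filename in `.gitignore`, or at minimum a top-of-file comment stating it must not be committed once filled in. Minor: the `# REMOVE if not using Azure Workload Identity` marker is repeated on six lines; grouping the Azure-specific entries under a single comment would be easier to maintain.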
2 changes: 1 addition & 1 deletion RELEASES.md
Expand Up @@ -88,6 +88,6 @@ helm install ratify \
--set image.repository=ghcr.io/deislabs/ratify-dev
--set image.crdRepository=ghcr.io/deislabs/ratify-crds-dev
--set image.tag=dev.<YYYYMMDD>.<ABBREVIATED_GIT_HASH_COMMIT>
--set-file notationCert=./test/testdata/notation.crt
--set-file notationCerts[0]=./test/testdata/notation.crt
```
NOTE: the tag field is the only value that will change when updating to newer dev build images
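Review bot: the `notationCert` to `notationCerts[0]` rename matches the CONTRIBUTING.md change in this PR; while here, note that the context lines `--set image.repository=...`, `--set image.crdRepository=...` and `--set image.tag=...` carry no trailing `\`, so the block as rendered is not one command a reader can paste (only the `helm install ratify \` line in the hunk header continues). Outside this diff, but worth a follow-up fix since this is the snippet people copy when testing a dev build.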