From bf66dacef3cc6a010c78bb490bd877b5723e9aaf Mon Sep 17 00:00:00 2001 
From: "huish@microsoft.com" 
Date: Fri, 31 May 2024 03:50:08 +0000 
Subject: [PATCH 1/6] update charts to 1.2 
---
 charts/ratify/Chart.yaml | 4 ++--
 charts/ratify/values.yaml | 2 +-
 helmfile.yaml | 13 ++++++++----
 high-availability.helmfile.yaml | 35 ++++++++++++++++++++++++++++++---
 4 files changed, 44 insertions(+), 10 deletions(-) 
diff --git a/charts/ratify/Chart.yaml b/charts/ratify/Chart.yaml 
index 173ba0f0b..57fba1d69 100644 
--- a/charts/ratify/Chart.yaml 
+++ b/charts/ratify/Chart.yaml 
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: ratify
 description: A Helm chart for Ratify 
-version: 1.12.0 
-appVersion: v1.1.0 
+version: 1.13.0 
+appVersion: v1.2.0
 home: https://github.com/deislabs/ratify
 icon: https://raw.githubusercontent.com/deislabs/ratify/main/logo.svg 
diff --git a/charts/ratify/values.yaml b/charts/ratify/values.yaml 
index 34a20ad41..7d97c5489 100644 
--- a/charts/ratify/values.yaml 
+++ b/charts/ratify/values.yaml 
@@ -1,7 +1,7 @@
 image:
 repository: ghcr.io/deislabs/ratify
 crdRepository: ghcr.io/deislabs/ratify-crds 
- tag: v1.1.0 
+ tag: v1.2.0
 pullPolicy: IfNotPresent
 nameOverride: "" 
diff --git a/helmfile.yaml b/helmfile.yaml 
index 310facfe6..cd5e3e5d4 100644 
--- a/helmfile.yaml 
+++ b/helmfile.yaml 
@@ -3,13 +3,13 @@ repositories:
 url: https://open-policy-agent.github.io/gatekeeper/charts
 - name: ratify
 url: https://deislabs.github.io/ratify 
- 
+
 releases:
 - name: gatekeeper
 namespace: gatekeeper-system
 createNamespace: true
 chart: gatekeeper/gatekeeper 
- version: 3.14.0 
+ version: 3.16.0
 wait: true
 set:
 - name: enableExternalData 
@@ -23,7 +23,7 @@ releases:
 - name: ratify
 namespace: gatekeeper-system
 chart: ratify/ratify 
- version: 1.12.1 # Make sure this matches Chart.yaml 
+ version: v1.2.0
 wait: true
 needs:
 - gatekeeper 
@@ -60,6 +60,11 @@ releases:
 - "verifiers.config.ratify.deislabs.io"
 - "certificatestores.config.ratify.deislabs.io"
 - "policies.config.ratify.deislabs.io" 
+ - "keymanagementproviders.config.ratify.deislabs.io" 
+ - "namespacedkeymanagementproviders.config.ratify.deislabs.io" 
+ - "namespacedpolicies.config.ratify.deislabs.io" 
+ - "namespacedstores.config.ratify.deislabs.io" 
+ - "namespacedverifiers.config.ratify.deislabs.io"
 - events: ["postuninstall"]
 showlogs: true
 command: "kubectl" 
@@ -70,7 +75,7 @@ releases:
 - "-n"
 - "gatekeeper-system"
 set: 
- - name: notationCert 
+ - name: notationCerts[0]
 value: {{ exec "curl" (list "-sSL" "https://raw.githubusercontent.com/deislabs/ratify/main/test/testdata/notation.crt") | quote }}
 - name: featureFlags.RATIFY_CERT_ROTATION
 value: true 
diff --git a/high-availability.helmfile.yaml b/high-availability.helmfile.yaml 
index f99e1b92b..2ff7573c8 100644 
--- a/high-availability.helmfile.yaml 
+++ b/high-availability.helmfile.yaml 
@@ -1,4 +1,6 @@
 repositories: 
+ - name: gatekeeper 
+ url: https://open-policy-agent.github.io/gatekeeper/charts
 - name: dapr
 url: https://dapr.github.io/helm-charts/
 - name: bitnami 
@@ -11,10 +13,26 @@ releases:
 namespace: dapr-system
 createNamespace: true
 chart: dapr/dapr 
- version: 1.11.1 
+ version: 1.13.2
 wait: true 
+ - name: gatekeeper 
+ namespace: gatekeeper-system 
+ createNamespace: true 
+ chart: gatekeeper/gatekeeper 
+ version: 3.16.0 
+ wait: true 
+ set: 
+ - name: enableExternalData 
+ value: true 
+ - name: validatingWebhookTimeoutSeconds 
+ value: 5 
+ - name: mutatingWebhookTimeoutSeconds 
+ value: 2 
+ - name: externaldataProviderResponseCacheTTL 
+ value: 10s
 - name: redis
 namespace: gatekeeper-system 
+ createNamespace: true
 chart: bitnami/redis
 version: 17.11.6
 wait: true 
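Review bot: The trust anchor that the renamed `notationCerts[0]` value receives is still fetched at render time from the `main` branch of the upstream repo (`raw.githubusercontent.com/deislabs/ratify/main/test/testdata/notation.crt`), so the certificate the verifier trusts can change or disappear independently of the chart and image versions this series pins. `curl -sSL` without `--fail` also turns an HTTP error page into a quoted HTML body that is passed on as the certificate without any error. Pin the URL to the matching tag or commit and fail the fetch explicitly, `value: {{ exec "curl" (list "-fsSL" "https://raw.githubusercontent.com/deislabs/ratify/<pinned-ref>/test/testdata/notation.crt") | quote }}`, with `<pinned-ref>` being the release ref rather than `main`. The same applies to the `notationCerts[0]` hunk of high-availability.helmfile.yaml (@@ -115,7 +144,7 @@).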
@@ -32,11 +50,12 @@ releases:
 - name: ratify
 namespace: gatekeeper-system
 chart: ratify/ratify 
- version: 1.12.1 # Make sure this matches Chart.yaml 
+ version: v1.2.0
 wait: true
 needs:
 - dapr-system/dapr
 - gatekeeper-system/redis 
+ - gatekeeper-system/gatekeeper
 hooks:
 - events: ["presync"]
 showlogs: true 
@@ -53,6 +72,12 @@ releases:
 - "https://raw.githubusercontent.com/deislabs/ratify/main/test/testdata/dapr/dapr-redis.yaml"
 - "-n"
 - "gatekeeper-system" 
+ - events: ["presync"] 
+ showlogs: true 
+ command: "bash" 
+ args: 
+ - "-c" 
+ - "kubectl apply -f https://deislabs.github.io/ratify/library/default/template.yaml && kubectl apply -f https://deislabs.github.io/ratify/library/default/samples/constraint.yaml"
 - events: ["postuninstall"]
 showlogs: true
 command: "kubectl" 
@@ -99,6 +124,10 @@ releases:
 - "verifiers.config.ratify.deislabs.io"
 - "certificatestores.config.ratify.deislabs.io"
 - "policies.config.ratify.deislabs.io" 
+ - "namespacedkeymanagementproviders.config.ratify.deislabs.io" 
+ - "namespacedpolicies.config.ratify.deislabs.io" 
+ - "namespacedstores.config.ratify.deislabs.io" 
+ - "namespacedverifiers.config.ratify.deislabs.io"
 - events: ["postuninstall"]
 showlogs: true
 command: "kubectl" 
@@ -115,7 +144,7 @@ releases:
 value: true
 - name: logger.level
 value: debug 
- - name: notationCert 
+ - name: notationCerts[0]
 value: {{ exec "curl" (list "-sSL" "https://raw.githubusercontent.com/deislabs/ratify/main/test/testdata/notation.crt") | quote }}
 - name: replicaCount
 value: 2 
From 19a7d650199dcf5f6c383bdba3edfc11990f4e6b Mon Sep 17 00:00:00 2001 
From: "huish@microsoft.com" 
Date: Fri, 31 May 2024 03:55:42 +0000 
Subject: [PATCH 2/6] adding back comments 
---
 high-availability.helmfile.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/high-availability.helmfile.yaml b/high-availability.helmfile.yaml 
index 2ff7573c8..d0b1fe402 100644 
--- a/high-availability.helmfile.yaml 
+++ b/high-availability.helmfile.yaml 
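Review bot: The new presync hook in the @@ -53,6 +72,12 @@ hunk wraps two `kubectl apply` calls in `bash -c`, while every other hook in this file calls `kubectl` directly with an args list; `kubectl apply` accepts `-f` more than once, so the shell wrapper is unnecessary and the hook can take the same shape as its siblings (rewrite below). Independently of the form, applying the constraint in the same step as the template that defines its kind can fail on a fresh cluster, because the CRD generated from the template may not be established when the second apply runs; a `kubectl wait` on that CRD, or a retry, between the two applies would make the hook deterministic. The `releases` entry this hook belongs to starts in the previous hunk and continues past this one.
```yaml
      # … unchanged: dapr-redis presync hook …
      - events: ["presync"]
        showlogs: true
        command: "kubectl"
        args:
          - "apply"
          - "-f"
          - "https://deislabs.github.io/ratify/library/default/template.yaml"
          - "-f"
          - "https://deislabs.github.io/ratify/library/default/samples/constraint.yaml"
      # … unchanged: postuninstall hooks …
```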
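Review bot: The postuninstall CRD cleanup list in the @@ -99,6 +124,10 @@ hunk gains four `namespaced*` entries but, unlike the matching hunk in helmfile.yaml (@@ -60,6 +60,11 @@), not `keymanagementproviders.config.ratify.deislabs.io`; unless that name already appears in this list outside the hunk, uninstalling the HA deployment will leave that CRD and any objects of its kind behind. Add `- "keymanagementproviders.config.ratify.deislabs.io"` alongside the other new entries so the two helmfiles delete the same set of CRDs.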
@@ -50,7 +50,7 @@ releases:
 - name: ratify
 namespace: gatekeeper-system
 chart: ratify/ratify 
- version: v1.2.0 
+ version: v1.2.0 # Make sure this matches Chart.yaml
 wait: true
 needs:
 - dapr-system/dapr 
From 20dc21b0cfe70f76666bea19d889e2b5b2f0c4c2 Mon Sep 17 00:00:00 2001 
From: "huish@microsoft.com" 
Date: Fri, 31 May 2024 03:56:12 +0000 
Subject: [PATCH 3/6] adding back comments 
---
 helmfile.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/helmfile.yaml b/helmfile.yaml 
index cd5e3e5d4..f7d12f9e8 100644 
--- a/helmfile.yaml 
+++ b/helmfile.yaml 
@@ -23,7 +23,7 @@ releases:
 - name: ratify
 namespace: gatekeeper-system
 chart: ratify/ratify 
- version: v1.2.0 
+ version: v1.2.0 # Make sure this matches Chart.yaml
 wait: true
 needs:
 - gatekeeper 
From 6052ce7923f00833ed8c440e70f5619462f8b379 Mon Sep 17 00:00:00 2001 
From: "huish@microsoft.com" 
Date: Fri, 31 May 2024 05:43:12 +0000 
Subject: [PATCH 4/6] fix helmfile verison 
---
 helmfile.yaml | 2 +-
 high-availability.helmfile.yaml | 2 +-
 notation.crt | 20 ++++++++++++++++++++
 3 files changed, 22 insertions(+), 2 deletions(-)
 create mode 100644 notation.crt 
diff --git a/helmfile.yaml b/helmfile.yaml 
index f7d12f9e8..2702c672d 100644 
--- a/helmfile.yaml 
+++ b/helmfile.yaml 
@@ -23,7 +23,7 @@ releases:
 - name: ratify
 namespace: gatekeeper-system
 chart: ratify/ratify 
- version: v1.2.0 # Make sure this matches Chart.yaml 
+ version: 1.13.0 # Make sure this matches Chart.yaml
 wait: true
 needs:
 - gatekeeper 
diff --git a/high-availability.helmfile.yaml b/high-availability.helmfile.yaml 
index d0b1fe402..996094d90 100644 
--- a/high-availability.helmfile.yaml 
+++ b/high-availability.helmfile.yaml 
@@ -50,7 +50,7 @@ releases:
 - name: ratify
 namespace: gatekeeper-system
 chart: ratify/ratify 
- version: v1.2.0 # Make sure this matches Chart.yaml 
+ version: 1.13.0 # Make sure this matches Chart.yaml
 wait: true
 needs:
 - dapr-system/dapr 
diff --git a/notation.crt b/notation.crt 
new file mode 100644 
index 000000000..c488f9f66 
--- /dev/null 
+++ b/notation.crt 
@@ -0,0 +1,20 @@ 
+-----BEGIN CERTIFICATE----- 
+MIIDQzCCAiugAwIBAgIUDxHQ9JxxmnrLWTA5rAtIZCzY8mMwDQYJKoZIhvcNAQEL 
+BQAwKTEPMA0GA1UECgwGUmF0aWZ5MRYwFAYDVQQDDA1SYXRpZnkgU2FtcGxlMB4X 
+DTIzMDYyOTA1MjgzMloXDTMzMDYyNjA1MjgzMlowKTEPMA0GA1UECgwGUmF0aWZ5 
+MRYwFAYDVQQDDA1SYXRpZnkgU2FtcGxlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A 
+MIIBCgKCAQEAshmsL2VM9ojhgTVUUuEsZro9jfI27VKZJ4naWSHJihmOki7IoZS8 
+3/3ATpkE1lGbduJ77M9UxQbEW1PnESB0bWtMQtjIbser3mFCn15yz4nBXiTIu/K4 
+FYv6HVdc6/cds3jgfEFNw/8RVMBUGNUiSEWa1lV1zDM2v/8GekUr6SNvMyqtY8oo 
+ItwxfUvlhgMNlLgd96mVnnPVLmPkCmXFN9iBMhSce6sn6P9oDIB+pr1ZpE4F5bwa 
+gRBg2tWN3Tz9H/z2a51Xbn7hCT5OLBRlkorHJl2HKKRoXz1hBgR8xOL+zRySH9Qo 
+3yx6WvluYDNfVbCREzKJf9fFiQeVe0EJOwIDAQABo2MwYTAdBgNVHQ4EFgQUKzci 
+EKCDwPBn4I1YZ+sDdnxEir4wHwYDVR0jBBgwFoAUKzciEKCDwPBn4I1YZ+sDdnxE 
+ir4wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAgQwDQYJKoZIhvcNAQEL 
+BQADggEBAGh6duwc1MvV+PUYvIkDfgj158KtYX+bv4PmcV/aemQUoArqM1ECYFjt 
+BlBVmTRJA0lijU5I0oZje80zW7P8M8pra0BM6x3cPnh/oZGrsuMizd4h5b5TnwuJ 
+hRvKFFUVeHn9kORbyQwRQ5SpL8cRGyYp+T6ncEmo0jdIOM5dgfdhwHgb+i3TejcF 
+90sUs65zovUjv1wa11SqOdu12cCj/MYp+H8j2lpaLL2t0cbFJlBY6DNJgxr5qync 
+cz8gbXrZmNbzC7W5QK5J7fcx6tlffOpt5cm427f9NiK2tira50HU7gC3HJkbiSTp 
+Xw10iXXMZzSbQ0/Hj2BF4B40WfAkgRg= 
+-----END CERTIFICATE----- 
From 991ecb593cbfa5ec0b421d834bdc059e3ee5aefd Mon Sep 17 00:00:00 2001 
From: "huish@microsoft.com" 
Date: Fri, 31 May 2024 05:44:18 +0000 
Subject: [PATCH 5/6] fix spaces 
---
 helmfile.yaml | 2 +-
 high-availability.helmfile.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/helmfile.yaml b/helmfile.yaml 
index 2702c672d..ef854c134 100644 
--- a/helmfile.yaml 
+++ b/helmfile.yaml 
@@ -23,7 +23,7 @@ releases:
 - name: ratify
 namespace: gatekeeper-system
 chart: ratify/ratify 
- version: 1.13.0 # Make sure this matches Chart.yaml 
+ version: 1.13.0 # Make sure this matches Chart.yaml
 wait: true
 needs:
 - gatekeeper 
diff --git a/high-availability.helmfile.yaml b/high-availability.helmfile.yaml 
index 996094d90..bc2a2f952 100644 
--- a/high-availability.helmfile.yaml 
+++ b/high-availability.helmfile.yaml 
@@ -50,7 +50,7 @@ releases:
 - name: ratify
 namespace: gatekeeper-system
 chart: ratify/ratify 
- version: 1.13.0 # Make sure this matches Chart.yaml 
+ version: 1.13.0 # Make sure this matches Chart.yaml
 wait: true
 needs:
 - dapr-system/dapr 
From e35754a87dadeb9120083e9304a504690b5229a2 Mon Sep 17 00:00:00 2001 
From: "huish@microsoft.com" 
Date: Fri, 31 May 2024 05:45:10 +0000 
Subject: [PATCH 6/6] remove local files 
---
 notation.crt | 20 --------------------
 1 file changed, 20 deletions(-)
 delete mode 100644 notation.crt 
diff --git a/notation.crt b/notation.crt 
deleted file mode 100644 
index c488f9f66..000000000 
--- a/notation.crt 
+++ /dev/null 
@@ -1,20 +0,0 @@ 
------BEGIN CERTIFICATE----- 
-MIIDQzCCAiugAwIBAgIUDxHQ9JxxmnrLWTA5rAtIZCzY8mMwDQYJKoZIhvcNAQEL 
-BQAwKTEPMA0GA1UECgwGUmF0aWZ5MRYwFAYDVQQDDA1SYXRpZnkgU2FtcGxlMB4X 
-DTIzMDYyOTA1MjgzMloXDTMzMDYyNjA1MjgzMlowKTEPMA0GA1UECgwGUmF0aWZ5 
-MRYwFAYDVQQDDA1SYXRpZnkgU2FtcGxlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A 
-MIIBCgKCAQEAshmsL2VM9ojhgTVUUuEsZro9jfI27VKZJ4naWSHJihmOki7IoZS8 
-3/3ATpkE1lGbduJ77M9UxQbEW1PnESB0bWtMQtjIbser3mFCn15yz4nBXiTIu/K4 
-FYv6HVdc6/cds3jgfEFNw/8RVMBUGNUiSEWa1lV1zDM2v/8GekUr6SNvMyqtY8oo 
-ItwxfUvlhgMNlLgd96mVnnPVLmPkCmXFN9iBMhSce6sn6P9oDIB+pr1ZpE4F5bwa 
-gRBg2tWN3Tz9H/z2a51Xbn7hCT5OLBRlkorHJl2HKKRoXz1hBgR8xOL+zRySH9Qo 
-3yx6WvluYDNfVbCREzKJf9fFiQeVe0EJOwIDAQABo2MwYTAdBgNVHQ4EFgQUKzci 
-EKCDwPBn4I1YZ+sDdnxEir4wHwYDVR0jBBgwFoAUKzciEKCDwPBn4I1YZ+sDdnxE 
-ir4wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAgQwDQYJKoZIhvcNAQEL 
-BQADggEBAGh6duwc1MvV+PUYvIkDfgj158KtYX+bv4PmcV/aemQUoArqM1ECYFjt 
-BlBVmTRJA0lijU5I0oZje80zW7P8M8pra0BM6x3cPnh/oZGrsuMizd4h5b5TnwuJ 
-hRvKFFUVeHn9kORbyQwRQ5SpL8cRGyYp+T6ncEmo0jdIOM5dgfdhwHgb+i3TejcF 
-90sUs65zovUjv1wa11SqOdu12cCj/MYp+H8j2lpaLL2t0cbFJlBY6DNJgxr5qync 
-cz8gbXrZmNbzC7W5QK5J7fcx6tlffOpt5cm427f9NiK2tira50HU7gC3HJkbiSTp 
-Xw10iXXMZzSbQ0/Hj2BF4B40WfAkgRg= 
------END CERTIFICATE-----