v1.2.0
🚨 Deprecations
CertificateStore
is deprecated in favor ofKeyManagementProvider
. Please migrate toKeyManagementProvider
by following guide here. Support will be removed in Ratify v2.0.0- Certain helm values have been deprecated in favor of new ones. (Note: deprecated values will continue to be supported)
.Values.notationCert
is deprecated. Use.Values.notationCerts[*]
to provide a list certificates to configure with notation verifier.Values.akvCertConfig.*
section has been deprecated. Use the equivalent.Values.azurekeyvault.*
section for configuring keys + certificates from Azure Key Vault
✨ New Features
-
Cosign Verifier enhancements:
- feat: move cosign to be a built in verifier by @akashsinghal in #1343
- feat: add key support to key management provider including akv integration by @akashsinghal in #1333
- feat: add cosign trust policies by @akashsinghal in #1381
-
Kubernetes multi-tenancy support:
- feat: refactor CertStore and KMP Crd to support multi-tenancy by @binbin-li in #1423
- feat: add NamespacedPolicy, NamespacedStore, NamespacedVerifier CRD by @binbin-li in #1402, #1413
- feat: add cache isolation by @binbin-li in #1213
- feat: add Verifiers, policyManager , ReferrerStoreManagers, certStoreManager interface by @binbin-li in #1358 , #1359, #1380, #1382
-
CRD improvements:
- feat: add version to CRD spec by @susanshi in #1215
- feat: validate plugin name on CR create by @susanshi in #1265
- feat: add key management provider resource by @akashsinghal in #1293
- feat: add NamespacedKMP and switch KMP scope to cluster [multi-tenancy PR 9] by @binbin-li in #1422
📄 Documentation
- docs: add roadmap by @yizha1 in #1344
- docs: updated docs with the latest verifier report format by @junczhu in #1236
- docs: add multi-tenancy support discussions by @binbin-li in #1175
- docs: Update log format in doc by @junczhu in #1240
- docs: update COC and add adopters.md by @FeynmanZhou in #1360
- fix: updated community meeting time to UTC by @susanshi in #1364
- build: update Bridge to Kubernetes debugging steps by @akashsinghal in #1384
- docs: cosign upgrade design document by @akashsinghal in #1246
- docs: Create BREAKING_CHANGE_AND_DEPRECATION.md by @susanshi in #1399
🎉 New Contributors
- @duffney made their first contribution in #1254
- @mannbiher made their first contribution in #1418
🐛 🩹 Bug Fixes
- fix: surface plugin error in exec.go by @susanshi in #1228
- fix: SBOM verifier license match support for deprecated license by @susanshi in #1230
- fix: update constraint templates to work with new type field by @akashsinghal in #1217
- fix: improve vuln report verifier report messages by @akashsinghal in #1238
- fix: dynamic plugin should support pulling image with digest by @susanshi in #1280
- fix: add missing CRD conversion methods by @binbin-li in #1289
- fix: fix unit tests that fail in local environment by @binbin-li in #1292
- fix: add check for disabled keys from azure key vault by @akashsinghal in #1474
- fix: update azure tenantId casing by @akashsinghal in #1385
- fix: rename staging to dev branch by @susanshi in #1401
- fix: update ReferrerNotFound error to be more accurate by @binbin-li in #1408
- fix: add top-level read permission by @binbin-li in #1419
- fix: add akv keys check on cosign-verifier by @binbin-li in #1427
- fix: handle empty trust policies by @akashsinghal in #1431
- fix: fix missing separator in helm template by @binbin-li in #1463
- fix: check label value on pull_request_target by @binbin-li in #1471
- fix: DecodeCertificates cert length check by @susanshi in #1470
- fix: update cosign chart and remove extra logs by @akashsinghal in #1475
Changes since v1.2.0-rc.1
- 63c7bb2 Merge pull request #1519 from deislabs/cherry-pick-for-1.2.0
- 35aad7f chore: ignore CVE-2023-42363 CVE-2023-42364 CVE-2023-42365 (#1498)
- dbc2d74 chore: ignore CVE-2023-42366 (#1494)
- da2cdca chore: prepare for release 1.2 (#1524)
- 7e00bb2 ci: switch azure ci test to use rbac for key vault access (#1523)
- 1e79038 fix: bump github.com/aws/aws-sdk-go-v2/service/ecr version (#1505)
- c6f9483 fix: full validation should run on release branch (#1511)
- 510dd58 go mod tidy