docs: add doc KMP Refresh #103
Conversation
✅ Deploy Preview for ratify-dev ready!
Are there any other docs I should mention the
LGTM. thanks!
@@ -102,6 +102,7 @@ metadata: | |||
name: # a unique name | |||
spec: | |||
type: azurekeyvault | |||
refreshInterval: # OPTIONAL: [string], time duration to refresh the certificates/keys. Disabled by default. Example: 1h, 30m, 1h30m. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" |
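Review bot: the new `refreshInterval` comment lists the accepted unit strings but not what happens when the value is malformed, zero or negative; since the listed units ("ns", "us"/"µs", "ms", "s", "m", "h") are exactly Go's duration grammar, consider saying the value is a Go duration string such as `1h30m` and stating whether an invalid or non-positive value fails resource creation or silently leaves refresh disabled. The single-line comment is also very long for a YAML sample; splitting it over two `#` lines would keep the sample readable.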
suggestion to add an example for refresh enabled KMPs in the example section, or link to the /sample
@susanshi I added samples to the inline and akv sections to point to the samples in the ratify repo. :) Thanks for the suggestion.
@@ -130,7 +131,7 @@ spec: | |||
|
|||
- If a key/certificate is in disabled state, KMP resource creation will FAIL. Users must remove reference to a disabled Key/Certificate or re-enable in Azure Key Vault. | |||
|
|||
- Ratify does NOT yet support periodic refresh and polling of certificates/keys. If the default latest version changes, object is disabled/expired, or deleted, Ratify will only become aware once the KMP resource is reconciled (edited, deleted, added). | |||
- Ratify supports periodic refresh and polling of certificates/keys from Azure Key Vault. The `refreshInterval` field can be set to a time duration to refresh the certificates/keys. When no version of the certificate or key is specified, the latest version will be fetched and the resource will be updated. However, if a version is specified, the resource will be locked to that version and will not be updated. |
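Review bot: the replacement bullet drops information the removed bullet carried: the old text said Ratify only notices a disabled, expired or deleted object when the resource is reconciled, while the new text only says the latest version is fetched on refresh. State whether a refresh also re-checks the enabled/expired state of a pinned version, and add the limitation raised in this thread: with no version pinned, a refresh that picks up a rotated certificate means artifacts signed with the earlier version will fail verification, which is the operational consequence a reader most needs when choosing between pinning a version and tracking latest.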
We might also want to talk about the limitation that auto-fetching latest might result in verification failure if previously signed images were signed with another version of the cert. We can also link the N version issue so the reader is aware of the road map.
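To make the trade-off in this comment concrete, here is an added Go model of the documented behaviour; it is example code written for this thread, not Ratify's own refresher or types. It assumes a single trusted certificate per provider, reduces signature checking to "was the artifact signed with the certificate currently trusted", and treats a zero or negative `refreshInterval` as invalid; the `certVersion`, `vault` and `kmp` names and the sample versions `v1`/`v2` are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// certVersion is a constructed stand-in for one version of a Key Vault
// certificate. Thumb stands in for the public key a signature is checked against.
type certVersion struct {
	Version string
	Enabled bool
	Thumb   string
}

// vault holds versions oldest-first; the last entry is what Key Vault
// returns as "latest" when no version is requested.
type vault struct {
	versions []certVersion
}

func (v *vault) latest() (certVersion, bool) {
	if len(v.versions) == 0 {
		return certVersion{}, false
	}
	return v.versions[len(v.versions)-1], true
}

func (v *vault) get(version string) (certVersion, bool) {
	for _, c := range v.versions {
		if c.Version == version {
			return c, true
		}
	}
	return certVersion{}, false
}

// parseRefreshInterval follows the documented field: optional, disabled when
// empty, otherwise a Go duration string ("1h", "30m", "1h30m"). Rejecting
// zero or negative values is this example's assumption, not documented behaviour.
func parseRefreshInterval(s string) (time.Duration, error) {
	if s == "" {
		return 0, nil
	}
	d, err := time.ParseDuration(s)
	if err != nil {
		return 0, fmt.Errorf("refreshInterval %q: %w", s, err)
	}
	if d <= 0 {
		return 0, errors.New("refreshInterval must be a positive duration")
	}
	return d, nil
}

// kmp models the parts of a KeyManagementProvider that matter here.
type kmp struct {
	pinnedVersion   string        // "" means "track latest"
	refreshInterval time.Duration // 0 means refresh disabled
	trusted         certVersion   // the single certificate currently trusted
	lastFetch       time.Time
}

// fetch loads the pinned version, or latest, and fails on a disabled object,
// matching the documented "KMP resource creation will FAIL" rule.
func (k *kmp) fetch(v *vault, now time.Time) error {
	c, ok := v.latest()
	if k.pinnedVersion != "" {
		c, ok = v.get(k.pinnedVersion)
	}
	if !ok {
		return errors.New("certificate not found in vault")
	}
	if !c.Enabled {
		return fmt.Errorf("certificate version %s is disabled", c.Version)
	}
	k.trusted, k.lastFetch = c, now
	return nil
}

// tick is what a periodic refresher does: re-fetch once the interval has
// elapsed. A pinned version is re-fetched but can never change.
func (k *kmp) tick(v *vault, now time.Time) (bool, error) {
	if k.refreshInterval == 0 || now.Sub(k.lastFetch) < k.refreshInterval {
		return false, nil
	}
	return true, k.fetch(v, now)
}

// verify: the artifact passes only if it was signed with the trusted certificate.
func (k *kmp) verify(signedWithThumb string) bool {
	return k.trusted.Thumb == signedWithThumb
}

func main() {
	v := &vault{versions: []certVersion{{Version: "v1", Enabled: true, Thumb: "T1"}}}
	k := &kmp{refreshInterval: time.Hour} // track latest, refresh hourly
	t0 := time.Now()
	if err := k.fetch(v, t0); err != nil {
		panic(err)
	}
	fmt.Println("image signed with v1 verifies:", k.verify("T1"))
	// Rotate the certificate in the vault, then let the refresher run.
	v.versions = append(v.versions, certVersion{Version: "v2", Enabled: true, Thumb: "T2"})
	if _, err := k.tick(v, t0.Add(time.Hour)); err != nil {
		panic(err)
	}
	fmt.Println("after rotation and refresh, v1-signed image verifies:", k.verify("T1"))
	fmt.Println("after rotation and refresh, v2-signed image verifies:", k.verify("T2"))
}
```

Running it shows the limitation directly: once the refresher picks up `v2`, the image signed under `v1` stops verifying, while a provider pinned to `v1` keeps verifying it but never learns about the rotation. Keeping the previous N versions trusted, which the linked issue tracks, is what would let both outcomes hold at once.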
Good call out, I'll add that limitation to the doc. :)
@susanshi do you have a link to that issue? Or does one need to be created since the n-version feature isn't included in the refresher for the 1.3 release?
I didn't find the n-version issue, @duffney could you help create one?
Certainly, here's a link. ratify-project/ratify#1751 :) It's also been added to the doc.
Left some comments. thanks!
LGTM. Thanks for adding it
lgtm