feat: add more notation attributes to values.yaml

Signed-off-by: Shahram Kalantari <[email protected]>
ratify-project · Dec 12, 2024 · c4f857c · c4f857c
1 parent 77419d5
commit c4f857c
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 8 deletions.
diff --git a/charts/ratify/templates/verifier.yaml b/charts/ratify/templates/verifier.yaml
@@ -22,22 +22,32 @@ spec:
           {{- fail "Please specify notation certs with .Values.notationCerts, single certificate .Values.notationCert has been deprecated, will soon be removed." }}
           {{- end }}
         - {{$fullname}}-notation-inline-cert
-        {{- end }} 
+        {{- end }}
         {{- range $i, $cert := .Values.notationCerts }}
         - {{$fullname}}-notation-inline-cert-{{$i}}
-        {{- end }} 
+        {{- end }}
     trustPolicyDoc:
       version: "1.0"
       trustPolicies:
-        - name: default
+        {{- range .Values.notation.trustPolicies }}
+        - name: {{ .name }}
           registryScopes:
-            - "*"
+            {{- range .registryScopes }}
+            - "{{ . }}"
+            {{- end }}
           signatureVerification:
-            level: strict
+            level: "{{ .signatureVerification.level }}"
           trustStores:
-            - ca:certs
-          trustedIdentities:
-            - "*"
+            {{- range .trustStores }}
+            - {{- range $key, $value := . }}
+              {{ $key }}: {{ $value }}
+              {{- end }}
+            {{- end }}
+          trustIdentities:
+            {{- range .trustIdentities }}
+            - "{{ . }}"
+            {{- end }}
+        {{- end }}
 {{- end }}
 ---
 {{- if .Values.cosign.enabled }}

diff --git a/charts/ratify/values.yaml b/charts/ratify/values.yaml
@@ -14,6 +14,29 @@ cosignKeys: []
 
 notation:
   enabled: true
+  trustPolicies:
+    - name: acme-rockets-images
+      registryScopes:
+        - "registry.acme-rockets.io/software/net-monitor"
+        - "registry.acme-rockets.io/software/net-logger"
+      signatureVerification:
+        level: "strict"
+      trustStores:
+        - ca: cert1
+          tsa: cert2
+      trustIdentities:
+        - "C=US, ST=WA, L=Seattle, O=acme-rockets.io, OU=Finance, CN=SecureBuilder"
+        - "C=US, ST=WA, L=Seattle, O=acme-rockets.io, OU=Design, CN=SecureBuilder"
+    - name: public-images
+      registryScopes:
+        - "registry.wabbit-networks.io/software/net-utils"
+      signatureVerification:
+        level: "strict"
+      trustStores:
+        - ca: cert3
+          tsa: cert2
+      trustIdentities:
+        - "C=US, ST=WA, L=Seattle, O=wabbit-networks.io, OU=Security Tools"
 
 cosign:
   enabled: true