From c4f857c09f738296142b5ff04989567287c96c1e Mon Sep 17 00:00:00 2001
From: Shahram Kalantari
Date: Thu, 12 Dec 2024 22:42:35 +1000
Subject: [PATCH] feat: add more notation attributes to values.yaml
Signed-off-by: Shahram Kalantari
---
 charts/ratify/templates/verifier.yaml | 26 ++++++++++++++++++--------
 charts/ratify/values.yaml | 23 +++++++++++++++++++++++
 2 files changed, 41 insertions(+), 8 deletions(-)
diff --git a/charts/ratify/templates/verifier.yaml b/charts/ratify/templates/verifier.yaml
index 8ac23e5d8..f52c87a68 100644
--- a/charts/ratify/templates/verifier.yaml
+++ b/charts/ratify/templates/verifier.yaml
@@ -22,22 +22,32 @@ spec:
 {{- fail "Please specify notation certs with .Values.notationCerts, single certificate .Values.notationCert has been deprecated, will soon be removed." }}
 {{- end }}
 - {{$fullname}}-notation-inline-cert
- {{- end }}
+ {{- end }}
 {{- range $i, $cert := .Values.notationCerts }}
 - {{$fullname}}-notation-inline-cert-{{$i}}
- {{- end }}
+ {{- end }}
 trustPolicyDoc:
 version: "1.0"
 trustPolicies:
- - name: default
+ {{- range .Values.notation.trustPolicies }}
+ - name: {{ .name }}
 registryScopes:
- - "*"
+ {{- range .registryScopes }}
+ - "{{ . }}"
+ {{- end }}
 signatureVerification:
- level: strict
+ level: "{{ .signatureVerification.level }}"
 trustStores:
- - ca:certs
- trustedIdentities:
- - "*"
+ {{- range .trustStores }}
+ - {{- range $key, $value := . }}
+ {{ $key }}: {{ $value }}
+ {{- end }}
+ {{- end }}
+ trustIdentities:
+ {{- range .trustIdentities }}
+ - "{{ . }}"
+ {{- end }}
+ {{- end }}
 {{- end }}
 ---
 {{- if .Values.cosign.enabled }}
diff --git a/charts/ratify/values.yaml b/charts/ratify/values.yaml
index 1b9cc4ba4..2edec1865 100644
--- a/charts/ratify/values.yaml
+++ b/charts/ratify/values.yaml
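Review bot: The new `trustIdentities:` key does not match the Notation trust policy field name, which is `trustedIdentities` (the removed line used that spelling), so the identities listed in values.yaml are not read as identity constraints and, depending on how strictly the document is parsed, the policy either fails to load or silently drops its identity pinning — the key (and the matching one in values.yaml) should be renamed back to `trustedIdentities:`. The trust store loop also appears to render each entry as a YAML mapping rather than the `type:name` string the policy expects (`ca:certs` in the removed line): `- {{- range $key, $value := . }}` trims the space after the dash and `{{ $key }}: {{ $value }}` then starts a new indented line, producing `-` followed by `ca: cert1` as a map. Rendering `{{- range $key, $value := . }}` / `- "{{ $key }}:{{ $value }}"` / `{{- end }}` inside the outer range, with no bare `-` before it, yields `- "ca:cert1"` and `- "tsa:cert2"` as intended. I would also quote the policy name, `- name: "{{ .name }}"`, so a numeric- or boolean-looking value is not retyped by the YAML parser, and note that nothing in this patch defines stores named `cert1`/`cert2`/`cert3` that the new defaults reference — the only store this template is known to populate is `certs`.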
@@ -14,6 +14,29 @@ cosignKeys: []
 notation:
 enabled: true
+ trustPolicies:
+ - name: acme-rockets-images
+ registryScopes:
+ - "registry.acme-rockets.io/software/net-monitor"
+ - "registry.acme-rockets.io/software/net-logger"
+ signatureVerification:
+ level: "strict"
+ trustStores:
+ - ca: cert1
+ tsa: cert2
+ trustIdentities:
+ - "C=US, ST=WA, L=Seattle, O=acme-rockets.io, OU=Finance, CN=SecureBuilder"
+ - "C=US, ST=WA, L=Seattle, O=acme-rockets.io, OU=Design, CN=SecureBuilder"
+ - name: public-images
+ registryScopes:
+ - "registry.wabbit-networks.io/software/net-utils"
+ signatureVerification:
+ level: "strict"
+ trustStores:
+ - ca: cert3
+ tsa: cert2
+ trustIdentities:
+ - "C=US, ST=WA, L=Seattle, O=wabbit-networks.io, OU=Security Tools"
 cosign:
 enabled: true
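Review bot: These defaults replace the chart's previous catch-all policy (`registryScopes: ["*"]`, `trustedIdentities: ["*"]`) with two strict policies scoped to the example `registry.acme-rockets.io` and `registry.wabbit-networks.io` repositories, so on an unmodified install an image from any other registry matches no trust policy and Notation rejects it — a fail-closed but breaking change for existing chart users that should be called out, or the shipped default should stay a single `"*"`-scoped policy that operators narrow. The store names `cert1`, `cert2` and `cert3` do not correspond to any store this patch creates (the template's removed line referenced `ca:certs`), and I am not certain Ratify's Notation verifier accepts a `tsa` store type, so please confirm both against a rendered install. I would add a comment above `trustPolicies:` such as `# Rendered verbatim into the Notation trust policy; ca/tsa store names must match a verificationCertStores key, and images not matched by any registryScopes have no applicable policy and fail verification.` Pinning identities to exact DN values is the right direction compared with the old `"*"`, but because the example DNs will not match anyone's real CA, a user who copies this block unchanged gets every image denied rather than an obviously misconfigured policy — worth stating in the comment as well.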