From f9a011df02119c4319893846d2166cb871294d12 Mon Sep 17 00:00:00 2001 From: Shahram Kalantari Date: Thu, 12 Dec 2024 22:42:35 +1000 Subject: [PATCH 01/10] feat: add more notation attributes to values.yaml Signed-off-by: Shahram Kalantari --- charts/ratify/templates/verifier.yaml | 24 +++++++++++++++++------- charts/ratify/values.yaml | 10 ++++++++++ 2 files changed, 27 insertions(+), 7 deletions(-) diff --git a/charts/ratify/templates/verifier.yaml b/charts/ratify/templates/verifier.yaml index 8ac23e5d8..54ba4e2bb 100644 --- a/charts/ratify/templates/verifier.yaml +++ b/charts/ratify/templates/verifier.yaml @@ -22,22 +22,32 @@ spec: {{- fail "Please specify notation certs with .Values.notationCerts, single certificate .Values.notationCert has been deprecated, will soon be removed." }} {{- end }} - {{$fullname}}-notation-inline-cert - {{- end }} + {{- end }} {{- range $i, $cert := .Values.notationCerts }} - {{$fullname}}-notation-inline-cert-{{$i}} - {{- end }} + {{- end }} trustPolicyDoc: version: "1.0" trustPolicies: - - name: default + {{- range .Values.notation.trustPolicies }} + - name: {{ .name }} registryScopes: - - "*" + {{- range .registryScopes }} + - "{{ . }}" + {{- end }} signatureVerification: - level: strict + level: {{ .signatureVerification.level }} trustStores: - - ca:certs + {{- range .trustStores }} + {{- range $key, $value := . }} + - {{ $key }}:{{ $value }} + {{- end }} + {{- end }} trustedIdentities: - - "*" + {{- range .trustedIdentities }} + - "{{ . }}" + {{- end }} + {{- end }} {{- end }} --- {{- if .Values.cosign.enabled }} diff --git a/charts/ratify/values.yaml b/charts/ratify/values.yaml index 46e5ae920..4063c2867 100644 --- a/charts/ratify/values.yaml +++ b/charts/ratify/values.yaml @@ -14,6 +14,16 @@ cosignKeys: [] notation: enabled: true + trustPolicies: + - name: default + registryScopes: + - "*" + signatureVerification: + level: strict + trustStores: + - ca: certs + trustedIdentities: + - "*" cosign: enabled: true 
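Review bot: In the verifier.yaml hunk the new `registryScopes` and `trustedIdentities` entries are rendered as `- "{{ . }}"`, interpolating the user's value inside literal double quotes, so a scope or identity that contains a `"` or a `\` produces invalid YAML or a silently altered pattern instead of a template error. Letting the engine do the escaping, `- {{ . | quote }}`, gives the same output for ordinary values and fails visibly for the rest. The `{{- range $key, $value := . }}` / `- {{ $key }}:{{ $value }}` lines have the same exposure, since neither side is quoted. The `{{- range .Values.notation.trustPolicies }}` block this sits in ends outside the hunk.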
From f5e06238d13a05c436da7c125ebe6500d3151ad5 Mon Sep 17 00:00:00 2001 From: Shahram Kalantari Date: Mon, 16 Dec 2024 14:53:47 +1000 Subject: [PATCH 02/10] chore: provide default values to notation verifier's verificationCertStores Signed-off-by: Shahram Kalantari --- .../inline-key-management-provider.yaml | 8 ++-- charts/ratify/templates/verifier.yaml | 41 +++++++++++++------ charts/ratify/values.yaml | 17 ++++++-- 3 files changed, 46 insertions(+), 20 deletions(-) diff --git a/charts/ratify/templates/inline-key-management-provider.yaml b/charts/ratify/templates/inline-key-management-provider.yaml index 0d46ae200..3704f422e 100644 --- a/charts/ratify/templates/inline-key-management-provider.yaml +++ b/charts/ratify/templates/inline-key-management-provider.yaml @@ -4,7 +4,7 @@ apiVersion: config.ratify.deislabs.io/v1beta1 kind: KeyManagementProvider metadata: - name: {{$fullname}}-notation-inline-cert + name: {{ .Values.notationCert.name }} # {{$fullname}}-notation-inline-cert annotations: helm.sh/hook: pre-install,pre-upgrade helm.sh/hook-weight: "5" @@ -12,14 +12,14 @@ spec: type: inline parameters: contentType: certificate - value: {{ .Values.notationCert | quote }} + value: {{ .Values.notationCert.value | quote }} {{- end }} --- {{- range $i, $cert := .Values.notationCerts }} apiVersion: config.ratify.deislabs.io/v1beta1 kind: KeyManagementProvider metadata: - name: {{$fullname}}-notation-inline-cert-{{$i}} + name: {{ $cert.name }} # {{$fullname}}-notation-inline-cert-{{$i}} annotations: helm.sh/hook: pre-install,pre-upgrade helm.sh/hook-weight: "5" @@ -27,7 +27,7 @@ spec: type: inline parameters: contentType: certificate - value: {{ $cert | quote }} + value: {{ $cert.value | quote }} --- {{- end }} {{- range $i, $key := .Values.cosignKeys }} diff --git a/charts/ratify/templates/verifier.yaml b/charts/ratify/templates/verifier.yaml index 54ba4e2bb..a21f5dc56 100644 --- a/charts/ratify/templates/verifier.yaml +++ b/charts/ratify/templates/verifier.yaml 
@@ -13,19 +13,34 @@ spec: artifactTypes: application/vnd.cncf.notary.signature parameters: verificationCertStores: - certs: - {{- if or .Values.azurekeyvault.enabled .Values.akvCertConfig.enabled }} - - kmprovider-akv - {{- end }} - {{- if .Values.notationCert }} - {{- if .Values.notationCerts }} - {{- fail "Please specify notation certs with .Values.notationCerts, single certificate .Values.notationCert has been deprecated, will soon be removed." }} + {{- if $.Values.notation.verificationCertStores }} + {{- range $cert_type, $stores := .Values.notation.verificationCertStores }} + {{ $cert_type }}: + {{- range $stores }} + {{- range $store_name, $certs := . }} + - {{ $store_name }}: + {{- range $certs }} + - {{ . }} + {{- end }} {{- end }} - - {{$fullname}}-notation-inline-cert - {{- end }} - {{- range $i, $cert := .Values.notationCerts }} - - {{$fullname}}-notation-inline-cert-{{$i}} {{- end }} + {{- end }} + {{- else }} + ca: + - certs-1: + {{- if or .Values.azurekeyvault.enabled .Values.akvCertConfig.enabled }} + - {{ .Values.azurekeyvault.name }} + {{- end }} + {{- if .Values.notationCert }} + {{- if .Values.notationCerts }} + {{- fail "Please specify notation certs with .Values.notationCerts, single certificate .Values.notationCert has been deprecated, will soon be removed." }} + {{- end }} + - {{ .Values.notationCert.name }} # - {{$fullname}}-notation-inline-cert + {{- end }} + {{- range $i, $cert := .Values.notationCerts }} + - {{ $cert.name }} # - {{$fullname}}-notation-inline-cert-{{$i}} + {{- end }} + {{- end }} trustPolicyDoc: version: "1.0" trustPolicies: @@ -39,8 +54,8 @@ spec: level: {{ .signatureVerification.level }} trustStores: {{- range .trustStores }} - {{- range $key, $value := . }} - - {{ $key }}:{{ $value }} + {{- range $cert_type, $store := . }} + - {{ $cert_type }}:{{ $store }} {{- end }} {{- end }} trustedIdentities: diff --git a/charts/ratify/values.yaml b/charts/ratify/values.yaml index 4063c2867..66179f72e 100644 
--- a/charts/ratify/values.yaml +++ b/charts/ratify/values.yaml @@ -9,11 +9,18 @@ fullnameOverride: "" replicaCount: 1 affinity: {} tolerations: [] -notationCerts: [] +notationCerts: + - name: + value: cosignKeys: [] notation: enabled: true + verificationCertStores: + ca: + - certs-1: + tsa: + signingAuthority: trustPolicies: - name: default registryScopes: @@ -21,7 +28,7 @@ notation: signatureVerification: level: strict trustStores: - - ca: certs + - ca: certs-1 trustedIdentities: - "*" @@ -85,6 +92,7 @@ azureManagedIdentity: tenantId: azurekeyvault: + name: kmprovider-akv enabled: false vaultURI: tenantId: @@ -180,8 +188,11 @@ featureFlags: # RATIFY_EXPERIMENTAL_HIGH_AVAILABILITY enables high availability mode including distributed caching. RATIFY_EXPERIMENTAL_HIGH_AVAILABILITY: false -notationCert: "" # DEPRECATED: Use notationCerts instead +notationCert: # DEPRECATED: Use notationCerts instead + name: + value: akvCertConfig: # DEPRECATED: Use azurekeyvault instead + name: # DEPRECATED: Use azurekeyvault.name instead enabled: false # DEPRECATED: Use azurekeyvault.enabled instead vaultURI: # DEPRECATED: Use azurekeyvault.vaultURI instead cert1Name: # DEPRECATED: Use azurekeyvault.certificates instead From 02d3b983e0fd04db17dcf9d90c76e04c008ac214 Mon Sep 17 00:00:00 2001 From: Shahram Kalantari Date: Mon, 16 Dec 2024 15:43:59 +1000 Subject: [PATCH 03/10] chore: revert and remove name attribute changing notationCertStores Signed-off-by: Shahram Kalantari --- .../inline-key-management-provider.yaml | 8 ++-- charts/ratify/templates/verifier.yaml | 39 +++++++++---------- charts/ratify/values.yaml | 13 +------ 3 files changed, 24 insertions(+), 36 deletions(-) diff --git a/charts/ratify/templates/inline-key-management-provider.yaml b/charts/ratify/templates/inline-key-management-provider.yaml index 3704f422e..0d46ae200 100644 --- a/charts/ratify/templates/inline-key-management-provider.yaml +++ b/charts/ratify/templates/inline-key-management-provider.yaml 
@@ -4,7 +4,7 @@ apiVersion: config.ratify.deislabs.io/v1beta1 kind: KeyManagementProvider metadata: - name: {{ .Values.notationCert.name }} # {{$fullname}}-notation-inline-cert + name: {{$fullname}}-notation-inline-cert annotations: helm.sh/hook: pre-install,pre-upgrade helm.sh/hook-weight: "5" @@ -12,14 +12,14 @@ spec: type: inline parameters: contentType: certificate - value: {{ .Values.notationCert.value | quote }} + value: {{ .Values.notationCert | quote }} {{- end }} --- {{- range $i, $cert := .Values.notationCerts }} apiVersion: config.ratify.deislabs.io/v1beta1 kind: KeyManagementProvider metadata: - name: {{ $cert.name }} # {{$fullname}}-notation-inline-cert-{{$i}} + name: {{$fullname}}-notation-inline-cert-{{$i}} annotations: helm.sh/hook: pre-install,pre-upgrade helm.sh/hook-weight: "5" @@ -27,7 +27,7 @@ spec: type: inline parameters: contentType: certificate - value: {{ $cert.value | quote }} + value: {{ $cert | quote }} --- {{- end }} {{- range $i, $key := .Values.cosignKeys }} diff --git a/charts/ratify/templates/verifier.yaml b/charts/ratify/templates/verifier.yaml index a21f5dc56..3430402b1 100644 --- a/charts/ratify/templates/verifier.yaml +++ b/charts/ratify/templates/verifier.yaml 
@@ -12,34 +12,31 @@ spec: version: 1.0.0 artifactTypes: application/vnd.cncf.notary.signature parameters: - verificationCertStores: + verificationCertStores: {{- if $.Values.notation.verificationCertStores }} - {{- range $cert_type, $stores := .Values.notation.verificationCertStores }} + {{- range $cert_type, $stores := $.Values.notation.verificationCertStores }} {{ $cert_type }}: - {{- range $stores }} - {{- range $store_name, $certs := . }} - - {{ $store_name }}: - {{- range $certs }} + {{- range $store_name, $certs := $stores }} + {{ $store_name }}: + {{- range $certs }} - {{ . }} - {{- end }} {{- end }} {{- end }} {{- end }} {{- else }} - ca: - - certs-1: - {{- if or .Values.azurekeyvault.enabled .Values.akvCertConfig.enabled }} - - {{ .Values.azurekeyvault.name }} - {{- end }} - {{- if .Values.notationCert }} - {{- if .Values.notationCerts }} - {{- fail "Please specify notation certs with .Values.notationCerts, single certificate .Values.notationCert has been deprecated, will soon be removed." }} - {{- end }} - - {{ .Values.notationCert.name }} # - {{$fullname}}-notation-inline-cert - {{- end }} - {{- range $i, $cert := .Values.notationCerts }} - - {{ $cert.name }} # - {{$fullname}}-notation-inline-cert-{{$i}} - {{- end }} + certs: + {{- if or .Values.azurekeyvault.enabled .Values.akvCertConfig.enabled }} + - kmprovider-akv + {{- end }} + {{- if .Values.notationCert }} + {{- if .Values.notationCerts }} + {{- fail "Please specify notation certs with .Values.notationCerts, single certificate .Values.notationCert has been deprecated, will soon be removed." }} + {{- end }} + - {{$fullname}}-notation-inline-cert + {{- end }} + {{- range $i, $cert := .Values.notationCerts }} + - {{$fullname}}-notation-inline-cert-{{$i}} + {{- end }} {{- end }} trustPolicyDoc: version: "1.0" diff --git a/charts/ratify/values.yaml b/charts/ratify/values.yaml index 66179f72e..c7b0a1cb6 100644 --- a/charts/ratify/values.yaml +++ b/charts/ratify/values.yaml 
@@ -9,18 +9,12 @@ fullnameOverride: "" replicaCount: 1 affinity: {} tolerations: [] -notationCerts: - - name: - value: +notationCerts: [] cosignKeys: [] notation: enabled: true verificationCertStores: - ca: - - certs-1: - tsa: - signingAuthority: trustPolicies: - name: default registryScopes: @@ -28,7 +22,7 @@ notation: signatureVerification: level: strict trustStores: - - ca: certs-1 + - ca: certs trustedIdentities: - "*" @@ -92,7 +86,6 @@ azureManagedIdentity: tenantId: azurekeyvault: - name: kmprovider-akv enabled: false vaultURI: tenantId: @@ -189,8 +182,6 @@ featureFlags: RATIFY_EXPERIMENTAL_HIGH_AVAILABILITY: false notationCert: # DEPRECATED: Use notationCerts instead - name: - value: akvCertConfig: # DEPRECATED: Use azurekeyvault instead name: # DEPRECATED: Use azurekeyvault.name instead enabled: false # DEPRECATED: Use azurekeyvault.enabled instead From d031e1fde41ea5fed9a70087956789ffc9434398 Mon Sep 17 00:00:00 2001 From: Shahram Kalantari Date: Thu, 19 Dec 2024 18:18:44 +1000 Subject: [PATCH 04/10] parse the command line args in th everifier Signed-off-by: Shahram Kalantari --- charts/ratify/templates/verifier.yaml | 54 ++++++++++++--------------- charts/ratify/values.yaml | 12 ++---- 2 files changed, 26 insertions(+), 40 deletions(-) diff --git a/charts/ratify/templates/verifier.yaml b/charts/ratify/templates/verifier.yaml index 3430402b1..34ecde67c 100644 --- a/charts/ratify/templates/verifier.yaml +++ b/charts/ratify/templates/verifier.yaml 
@@ -12,48 +12,40 @@ spec: version: 1.0.0 artifactTypes: application/vnd.cncf.notary.signature parameters: - verificationCertStores: - {{- if $.Values.notation.verificationCertStores }} - {{- range $cert_type, $stores := $.Values.notation.verificationCertStores }} - {{ $cert_type }}: - {{- range $store_name, $certs := $stores }} - {{ $store_name }}: - {{- range $certs }} - - {{ . }} - {{- end }} - {{- end }} - {{- end }} - {{- else }} - certs: - {{- if or .Values.azurekeyvault.enabled .Values.akvCertConfig.enabled }} - - kmprovider-akv - {{- end }} - {{- if .Values.notationCert }} - {{- if .Values.notationCerts }} - {{- fail "Please specify notation certs with .Values.notationCerts, single certificate .Values.notationCert has been deprecated, will soon be removed." }} - {{- end }} - - {{$fullname}}-notation-inline-cert - {{- end }} - {{- range $i, $cert := .Values.notationCerts }} - - {{$fullname}}-notation-inline-cert-{{$i}} + verificationCertStores: + {{- $certStoreIndex := 0 }} + {{- range $i, $policy := .Values.notation.trustPolicies }} + {{- range $j, $store := $policy.trustStores }} + {{- $certName := printf "cert-%d" $certStoreIndex }} + {{- $certStoreIndex = add $certStoreIndex 1 }} + {{ $certName }}: + {{- range $k, $certRef := $store }} + {{- if hasPrefix "notationcerts" (lower $certRef) }} + - {{ printf "%s-notation-inline-cert-%d" $fullname (int (regexReplaceAll "[^0-9]" $certRef "")) }} + {{- else if (eq (lower $certRef) "azurekeyvault") }} + - kmprovider-akv + {{- else }} + {{ fail (printf "Unknown trust store reference: %s" $certRef) }} + {{- end}} + {{- end }} {{- end }} {{- end }} trustPolicyDoc: version: "1.0" trustPolicies: - {{- range .Values.notation.trustPolicies }} - - name: {{ .name }} + {{- $trustStoreIndex := 0 }} + {{- range $i, $policy := .Values.notation.trustPolicies }} + - name: trustPolicy-{{$i}} registryScopes: {{- range .registryScopes }} - "{{ . 
}}" {{- end }} signatureVerification: - level: {{ .signatureVerification.level }} + level: strict trustStores: - {{- range .trustStores }} - {{- range $cert_type, $store := . }} - - {{ $cert_type }}:{{ $store }} - {{- end }} + {{- range $j, $store := $policy.trustStores }} + - ca: {{ printf "cert-%d" $trustStoreIndex }} + {{- $trustStoreIndex = add $trustStoreIndex 1 }} {{- end }} trustedIdentities: {{- range .trustedIdentities }} diff --git a/charts/ratify/values.yaml b/charts/ratify/values.yaml index c7b0a1cb6..baa6b6c61 100644 --- a/charts/ratify/values.yaml +++ b/charts/ratify/values.yaml @@ -14,17 +14,11 @@ cosignKeys: [] notation: enabled: true - verificationCertStores: trustPolicies: - - name: default - registryScopes: - - "*" - signatureVerification: - level: strict - trustStores: - - ca: certs - trustedIdentities: + - registryScopes: - "*" + trustedIdentities: [] + trustStores: [] cosign: enabled: true From 4b81f1ed2752f0d416c628ae239ce20b64809c0f Mon Sep 17 00:00:00 2001 From: Shahram Kalantari Date: Fri, 20 Dec 2024 13:11:39 +1000 Subject: [PATCH 05/10] Add support for tsa and signingAuthority Signed-off-by: Shahram Kalantari --- charts/ratify/templates/verifier.yaml | 65 ++++++++++++++++++++++----- charts/ratify/values.yaml | 6 ++- 2 files changed, 57 insertions(+), 14 deletions(-) diff --git a/charts/ratify/templates/verifier.yaml b/charts/ratify/templates/verifier.yaml index 34ecde67c..1a5ad4d24 100644 --- a/charts/ratify/templates/verifier.yaml +++ b/charts/ratify/templates/verifier.yaml 
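Review bot: The index pulled out of a `notationCerts[i]` reference with `regexReplaceAll "[^0-9]"` is never compared with `len $.Values.notationCerts`, so a policy that points at `notationCerts[3]` when only two certificates are supplied renders a `verificationCertStores` entry naming a KeyManagementProvider the chart never creates, and `helm install` succeeds instead of failing. A guard before the printf closes the gap: `{{- $idx := int (regexReplaceAll "[^0-9]" $certRef "") }}` / `{{- if ge $idx (len $.Values.notationCerts) }}{{ fail (printf "Trust store reference %s points at a notationCerts entry that does not exist" $certRef) }}{{- end }}`. The same unchecked extraction is repeated for the ca, tsa and signingAuthority branches in the verifier.yaml hunk of PATCH 05. `$fullname` is defined outside this hunk.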
@@ -13,40 +13,81 @@ spec: artifactTypes: application/vnd.cncf.notary.signature parameters: verificationCertStores: + {{- if and (eq (len .Values.notation.trustPolicies) 1) (eq (len (index .Values.notation.trustPolicies 0).trustStores) 0) }} + certs: + {{- else }} + {{- $certStoreMap := dict }} {{- $certStoreIndex := 0 }} {{- range $i, $policy := .Values.notation.trustPolicies }} {{- range $j, $store := $policy.trustStores }} + {{- $storeParts := split ":" $store }} + {{- $certType := $storeParts._0 }} {{- $certName := printf "cert-%d" $certStoreIndex }} {{- $certStoreIndex = add $certStoreIndex 1 }} - {{ $certName }}: - {{- range $k, $certRef := $store }} - {{- if hasPrefix "notationcerts" (lower $certRef) }} - - {{ printf "%s-notation-inline-cert-%d" $fullname (int (regexReplaceAll "[^0-9]" $certRef "")) }} - {{- else if (eq (lower $certRef) "azurekeyvault") }} - - kmprovider-akv - {{- else }} + {{- $certRef := $storeParts._1 }} + {{- if eq $certType "ca" }} + {{- if hasPrefix "notationcerts" (lower $certRef) }} + {{- $certStoreMap = merge $certStoreMap (dict "ca" (dict $certName (list (printf "%s-notation-inline-cert-%d" $fullname (int (regexReplaceAll "[^0-9]" $certRef "")))))) }} + {{- else if (eq (lower $certRef) "azurekeyvault") }} + {{- $certStoreMap = merge $certStoreMap (dict "ca" (dict $certName (list (printf "kmprovider-akv" )))) }} + {{- else }} {{ fail (printf "Unknown trust store reference: %s" $certRef) }} - {{- end}} - {{- end }} + {{- end}} + {{- else if eq $certType "tsa" }} + {{- if hasPrefix "notationcerts" (lower $certRef) }} + {{- $certStoreMap = merge $certStoreMap (dict "tsa" (dict $certName (list (printf "%s-notation-inline-cert-%d" $fullname (int (regexReplaceAll "[^0-9]" $certRef "")))))) }} + {{- else if (eq (lower $certRef) "azurekeyvault") }} + {{- $certStoreMap = merge $certStoreMap (dict "tsa" (dict $certName (list (printf "kmprovider-akv" )))) }} + {{- else }} + {{ fail (printf "Unknown trust store reference: %s" $certRef) }} + {{- 
end}} + {{- else if eq $certType "signingAuthority" }} + {{- if hasPrefix "notationcerts" (lower $certRef) }} + {{- $certStoreMap = merge $certStoreMap (dict "signingAuthority" (dict $certName (list (printf "%s-notation-inline-cert-%d" $fullname (int (regexReplaceAll "[^0-9]" $certRef "")))))) }} + {{- else if (eq (lower $certRef) "azurekeyvault") }} + {{- $certStoreMap = merge $certStoreMap (dict "signingAuthority" (dict $certName (list (printf "kmprovider-akv" )))) }} + {{- else }} + {{ fail (printf "Unknown trust store reference: %s" $certRef) }} + {{- end}} + {{- else }} + {{ fail (printf "Unknown certificate type: %s" $certType) }} + {{- end }} {{- end }} {{- end }} + {{- range $key, $value := $certStoreMap }} + {{ $key }}: + {{- range $certName, $certRefList := $value }} + {{ $certName }}: + {{- range $certRefList }} + - {{ . }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} trustPolicyDoc: version: "1.0" trustPolicies: {{- $trustStoreIndex := 0 }} {{- range $i, $policy := .Values.notation.trustPolicies }} - - name: trustPolicy-{{$i}} + - name: {{ .name | default (printf "trustPolicy-%d" $i) }} registryScopes: {{- range .registryScopes }} - "{{ . }}" {{- end }} signatureVerification: - level: strict + level: {{ .level | default "strict" }} trustStores: + {{- if eq (len $policy.trustStores) 0 }} + - ca:certs + {{- else}} {{- range $j, $store := $policy.trustStores }} - - ca: {{ printf "cert-%d" $trustStoreIndex }} + {{- $storeParts := split ":" $store }} + {{- $certType := $storeParts._0 }} + {{- $certName := printf "cert-%d" $trustStoreIndex }} {{- $trustStoreIndex = add $trustStoreIndex 1 }} + - {{ $certType }}:{{ $certName }} {{- end }} + {{- end}} trustedIdentities: {{- range .trustedIdentities }} - "{{ . }}" diff --git a/charts/ratify/values.yaml b/charts/ratify/values.yaml index baa6b6c61..7da314be5 100644 --- a/charts/ratify/values.yaml +++ b/charts/ratify/values.yaml 
@@ -15,9 +15,11 @@ cosignKeys: [] notation: enabled: true trustPolicies: - - registryScopes: + - name: default + verificatonLevel: strict + registryScopes: - "*" - trustedIdentities: [] + trustedIdentities: ["*"] trustStores: [] cosign: From f6d158e1e1ff634940877c2686db6221c28ef5a1 Mon Sep 17 00:00:00 2001 From: Shahram Kalantari Date: Mon, 23 Dec 2024 09:50:36 +1000 Subject: [PATCH 06/10] add 'x509.subject: ' to the beginning of trustedIdentities Signed-off-by: Shahram Kalantari --- charts/ratify/templates/verifier.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/ratify/templates/verifier.yaml b/charts/ratify/templates/verifier.yaml index 1a5ad4d24..d051aabd9 100644 --- a/charts/ratify/templates/verifier.yaml +++ b/charts/ratify/templates/verifier.yaml @@ -79,7 +79,7 @@ spec: trustStores: {{- if eq (len $policy.trustStores) 0 }} - ca:certs - {{- else}} + {{- else }} {{- range $j, $store := $policy.trustStores }} {{- $storeParts := split ":" $store }} {{- $certType := $storeParts._0 }} @@ -90,7 +90,7 @@ spec: {{- end}} trustedIdentities: {{- range .trustedIdentities }} - - "{{ . }}" + - "x509.subject: {{ . }}" {{- end }} {{- end }} {{- end }} From 27ae4b0826a3299f117368ee4a03c4dd6e9b1fd8 Mon Sep 17 00:00:00 2001 From: Shahram Kalantari Date: Mon, 23 Dec 2024 12:37:40 +1000 Subject: [PATCH 07/10] fix: solve the issue with default setting Signed-off-by: Shahram Kalantari --- charts/ratify/templates/verifier.yaml | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/charts/ratify/templates/verifier.yaml b/charts/ratify/templates/verifier.yaml index d051aabd9..faefa03d3 100644 --- a/charts/ratify/templates/verifier.yaml +++ b/charts/ratify/templates/verifier.yaml 
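Review bot: `verificatonLevel: strict` in values.yaml is both misspelled and not the key the template reads — the trustPolicyDoc in this patch's verifier.yaml hunk renders `level: {{ .level | default "strict" }}` — so the setting is dead: whatever a user puts under `verificatonLevel` or `verificationLevel` is ignored and the level silently stays `strict`. That is the fail-safe direction, but an operator who deliberately sets `audit` for a rollout gets strict enforcement with no warning, and the mismatch is invisible from either file alone. Pick one name and use it on both sides, e.g. `verificationLevel: strict` here and `level: {{ .verificationLevel | default "strict" }}` in the template, and add a `# one of: strict, permissive, audit, skip` comment so the accepted values are visible in values.yaml.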
@@ -15,6 +15,18 @@ spec: verificationCertStores: {{- if and (eq (len .Values.notation.trustPolicies) 1) (eq (len (index .Values.notation.trustPolicies 0).trustStores) 0) }} certs: + {{- if or .Values.azurekeyvault.enabled .Values.akvCertConfig.enabled }} + - kmprovider-akv + {{- end }} + {{- if .Values.notationCert }} + {{- if .Values.notationCerts }} + {{- fail "Please specify notation certs with .Values.notationCerts, single certificate .Values.notationCert has been deprecated, will soon be removed." }} + {{- end }} + - {{$fullname}}-notation-inline-cert + {{- end }} + {{- range $i, $cert := .Values.notationCerts }} + - {{$fullname}}-notation-inline-cert-{{$i}} + {{- end }} {{- else }} {{- $certStoreMap := dict }} {{- $certStoreIndex := 0 }} @@ -89,9 +101,13 @@ spec: {{- end }} {{- end}} trustedIdentities: - {{- range .trustedIdentities }} + {{- range $j, $store := $policy.trustedIdentities }} + {{- if eq $store "*" }} + - "*" + {{- else }} - "x509.subject: {{ . }}" {{- end }} + {{- end }} {{- end }} {{- end }} --- From a4d6744fdb1435ed63803c189e440aae2bce399d Mon Sep 17 00:00:00 2001 From: Shahram Kalantari Date: Mon, 23 Dec 2024 12:57:18 +1000 Subject: [PATCH 08/10] remove unused input from values.yaml Signed-off-by: Shahram Kalantari --- charts/ratify/values.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/charts/ratify/values.yaml b/charts/ratify/values.yaml index 7da314be5..43317023e 100644 --- a/charts/ratify/values.yaml +++ b/charts/ratify/values.yaml 
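Review bot: The new `trustedIdentities` loop prefixes `x509.subject: ` onto every identity that is not exactly `*`, so an identity a user already wrote in Notation's own form (`x509.subject: CN=...`) renders as `x509.subject: x509.subject: CN=...` and never matches a signer, and because the value is interpolated inside literal double quotes a distinguished name that itself contains a `"` produces invalid YAML. Passing already-prefixed identities through and letting the template engine quote avoids both; the loop variable is also named `$store` although it holds an identity, so `$identity` reads better. The enclosing `range $i, $policy` block starts above this hunk.
```yaml
        trustedIdentities:
        {{- range $j, $identity := $policy.trustedIdentities }}
        {{- if or (eq $identity "*") (hasPrefix "x509.subject:" $identity) }}
        - {{ $identity | quote }}
        {{- else }}
        - {{ printf "x509.subject: %s" $identity | quote }}
        {{- end }}
        {{- end }}
```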
@@ -177,9 +177,8 @@ featureFlags: # RATIFY_EXPERIMENTAL_HIGH_AVAILABILITY enables high availability mode including distributed caching. RATIFY_EXPERIMENTAL_HIGH_AVAILABILITY: false -notationCert: # DEPRECATED: Use notationCerts instead +notationCert: "" # DEPRECATED: Use notationCerts instead akvCertConfig: # DEPRECATED: Use azurekeyvault instead - name: # DEPRECATED: Use azurekeyvault.name instead enabled: false # DEPRECATED: Use azurekeyvault.enabled instead vaultURI: # DEPRECATED: Use azurekeyvault.vaultURI instead cert1Name: # DEPRECATED: Use azurekeyvault.certificates instead From 82fcabfead91b5db9a5415a1fa054eadfb966529 Mon Sep 17 00:00:00 2001 From: Shahram Kalantari Date: Mon, 23 Dec 2024 12:59:03 +1000 Subject: [PATCH 09/10] rename to a meaningful variable Signed-off-by: Shahram Kalantari --- charts/ratify/templates/verifier.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/ratify/templates/verifier.yaml b/charts/ratify/templates/verifier.yaml index faefa03d3..95286526f 100644 --- a/charts/ratify/templates/verifier.yaml +++ b/charts/ratify/templates/verifier.yaml @@ -66,8 +66,8 @@ spec: {{- end }} {{- end }} {{- end }} - {{- range $key, $value := $certStoreMap }} - {{ $key }}: + {{- range $storeType, $value := $certStoreMap }} + {{ $storeType }}: {{- range $certName, $certRefList := $value }} {{ $certName }}: {{- range $certRefList }} From 319b6e9902e42a33ce63885e84c0a9336e4694b2 Mon Sep 17 00:00:00 2001 From: Shahram Kalantari Date: Mon, 23 Dec 2024 13:12:34 +1000 Subject: [PATCH 10/10] add description of the new parameters to the readme file Signed-off-by: Shahram Kalantari --- charts/ratify/README.md | 5 +++++ charts/ratify/templates/verifier.yaml | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/charts/ratify/README.md b/charts/ratify/README.md index 82a49c116..721328ed5 100644 --- a/charts/ratify/README.md +++ b/charts/ratify/README.md 
@@ -51,6 +51,11 @@ Values marked `# DEPRECATED` in the `values.yaml` as well as **DEPRECATED** in t | notationCerts | An array of public certificate/certificate chain used to create inline certstore used by Notation verifier | `` | | cosignKeys | An array of public keys used to create inline key management providers used by Cosign verifier | `[]` | | notation.enabled | Enables/disables the built-in notation verifier. MUST be set to true for notation verification. | `true` | +| notation.trustPolicies | An array of trustPolicies. Each [trustPolicy](https://github.com/notaryproject/specifications/blob/main/specs/trust-store-trust-policy.md#trust-policy-properties:~:text=Trust%20Policy%20Properties) must define the following three attributes: `registryScopes`, `trustedIdentities`, `trustStores` | [] | +| notation.trustPolicies[0].registryScopes | An array of scopes relevant to the single trust policy configured in notation verifier. | `["*"]` | +| notation.trustPolicies[0].trustedIdentities | An array of trusted identities relevant to the single trust policy configured in notation verifier. | `["*"]` | +| notation.trustPolicies[0].trustStores | An array of trust stores relevant to the single trust policy configured in notation verifier. Each trustStore is defined as [ca\|tsa\|signingAuthority]:[notationCerts[i]\|AzureKeyVault]. Example: ca:notationCerts[0] | `` | +| notation.trustPolicies[0].registryScopes | An array of registryScopes relevant to the single trust policy configured in notation verifier. | `["*"]` | | cosign.enabled | Enables/disables cosign tag-based signature lookup in ORAS store. MUST be set to true for cosign verification. | `true` | | cosign.scopes | An array of scopes relevant to the single trust policy configured in Cosign verifier. A scope of '*' is a global wildcard character to represent all images apply. | `["*"]` | | cosign.rekorURL | URL string reference to remote rekor server. 
If not specified, implementation will default to use Rekor public good instance `https://rekor.sigstore.dev`. | `` | diff --git a/charts/ratify/templates/verifier.yaml b/charts/ratify/templates/verifier.yaml index 95286526f..bdf953291 100644 --- a/charts/ratify/templates/verifier.yaml +++ b/charts/ratify/templates/verifier.yaml @@ -104,7 +104,7 @@ spec: {{- range $j, $store := $policy.trustedIdentities }} {{- if eq $store "*" }} - "*" - {{- else }} + {{- else }} - "x509.subject: {{ . }}" {{- end }} {{- end }}