Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add more notation attributes to values.yaml #1982

Draft
wants to merge 1 commit into
base: dev
Choose a base branch
from
+27 −7
Draft

feat: add more notation attributes to values.yaml #1982

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 17 additions & 7 deletions charts/ratify/templates/verifier.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,22 +22,32 @@ spec:
{{- fail "Please specify notation certs with .Values.notationCerts, single certificate .Values.notationCert has been deprecated, will soon be removed." }}
{{- end }}
- {{$fullname}}-notation-inline-cert
{{- end }}
{{- end }}
{{- range $i, $cert := .Values.notationCerts }}
- {{$fullname}}-notation-inline-cert-{{$i}}
{{- end }}
{{- end }}
trustPolicyDoc:
version: "1.0"
trustPolicies:
- name: default
{{- range .Values.notation.trustPolicies }}
- name: {{ .name }}
registryScopes:
- "*"
{{- range .registryScopes }}
- "{{ . }}"
{{- end }}
signatureVerification:
level: strict
level: {{ .signatureVerification.level }}
trustStores:
- ca:certs
{{- range .trustStores }}
{{- range $key, $value := . }}
- {{ $key }}:{{ $value }}
{{- end }}
{{- end }}
trustedIdentities:
- "*"
{{- range .trustedIdentities }}
- "{{ . }}"
{{- end }}
{{- end }}
{{- end }}
---
{{- if .Values.cosign.enabled }}
Expand Down
10 changes: 10 additions & 0 deletions charts/ratify/values.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,16 @@ cosignKeys: []

notation:
enabled: true
trustPolicies:
- name: default
registryScopes:
- "*"
signatureVerification:
level: strict
trustStores:
- ca: certs
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How can different trust policies use different stores?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How can different trust policies use different stores?

Consider the following verifier.yaml:

apiVersion: config.ratify.deislabs.io/v1beta1
kind: Verifier
metadata:
  name: verifier-notation
spec:
  name: notation
  artifactTypes: application/vnd.cncf.notary.signature
  parameters:
    verificationCertStores:
      my_private_cert:
        - kmpprovider-akv
      my_public_cert:
        - inline_mar_images
    trustPolicyDoc:
      version: "1.0"
      trustPolicies:
        - name: my_private_registry
          registryScopes:
            - "skalantari_registry.azurecr.io/*"
          signatureVerification:
            level: strict
          trustStores:
            - ca:my_private_cert
          trustedIdentities:
            - "my identity"
        - name: mar_images
          registryScopes:
            - "mcr.azurecr.io/*"
          signatureVerification:
            level: strict
          trustStores:
            - ca:inline_mar_images
          trustedIdentities:
            - "mar identity"

It defines two trustPolicies, each include their trustStores, trustedIdentities, and registryScopes. In my PR, I moved this section to values.yaml so that the user can configure it before the installation. Note that verificationCertStores is filled with the values specified in values.yaml too (notationCerts in values.yaml is used)

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you describe how users configure values.yaml for the verifier.yaml example?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think what @yizha1 is getting is how would the user from the helm chart be able to set up the verificationCertStores field because that would require the mapping between the notation trust store name and the ratify KMP names that belong to that trust store.

trustedIdentities:
- "*"

cosign:
enabled: true
Expand Down
Loading