Releases: deislabs/ratify
v1.2.0
🚨 Deprecations
CertificateStore is deprecated in favor of KeyManagementProvider. Please migrate to KeyManagementProvider by following the guide here. Support will be removed in Ratify v2.0.0.
✨ New Features
- Cosign Verifier enhancements:
- feat: move cosign to be a built in verifier by @akashsinghal in #1343
- feat: add key support to key management provider by @akashsinghal in #1333
- feat: add cosign trust policies by @akashsinghal in #1381
- Kubernetes multi-tenancy support:
- feat: refactor CertStore and KMP Crd to support multi-tenancy by @binbin-li in #1423
- feat: add NamespacedPolicy, NamespacedStore, NamespacedVerifier CRD by @binbin-li in #1402, #1413
- feat: add cache isolation by @binbin-li in #1213
- feat: add Verifiers, policyManager , ReferrerStoreManagers, certStoreManager interface by @binbin-li in #1358 , #1359, #1380, #1382
- CRD improvements:
- feat: add version to CRD spec by @susanshi in #1215
- feat: validate plugin name on CR create by @susanshi in #1265
- feat: add key management provider resource by @akashsinghal in #1293
- feat: add NamespacedKMP and switch KMP scope to cluster [multi-tenancy PR 9] by @binbin-li in #1422
📄 Documentation
- docs: add roadmap by @yizha1 in #1344
- docs: updated docs with the latest verifier report format by @junczhu in #1236
- docs: add multi-tenancy support discussions by @binbin-li in #1175
- docs: Update log format in doc by @junczhu in #1240
- docs: update COC and add adopters.md by @FeynmanZhou in #1360
- fix: updated community meeting time to UTC by @susanshi in #1364
- build: update Bridge to Kubernetes debugging steps by @akashsinghal in #1384
- docs: cosign upgrade design document by @akashsinghal in #1246
- docs: Create BREAKING_CHANGE_AND_DEPRECATION.md by @susanshi in #1399
🎉 New Contributors
- @duffney made their first contribution in #1254
- @mannbiher made their first contribution in #1418
🐛 🩹 Bug Fixes
- fix: surface plugin error in exec.go by @susanshi in #1228
- fix: SBOM verifier license match support for deprecated license by @susanshi in #1230
- fix: update constraint templates to work with new type field by @akashsinghal in #1217
- fix: improve vuln report verifier report messages by @akashsinghal in #1238
- fix: dynamic plugin should support pulling image with digest by @susanshi in #1280
- fix: add missing CRD conversion methods by @binbin-li in #1289
- fix: fix unit tests that fail in local environment by @binbin-li in #1292
- fix: add check for disabled keys from azure key vault by @akashsinghal in #1474
- fix: update azure tenantId casing by @akashsinghal in #1385
- fix: rename staging to dev branch by @susanshi in #1401
- fix: update ReferrerNotFound error to be more accurate by @binbin-li in #1408
- fix: add top-level read permission by @binbin-li in #1419
- fix: add akv keys check on cosign-verifier by @binbin-li in #1427
- fix: handle empty trust policies by @akashsinghal in #1431
- fix: fix missing separator in helm template by @binbin-li in #1463
- fix: check label value on pull_request_target by @binbin-li in #1471
- fix: DecodeCertificates cert length check by @susanshi in #1470
- fix: update cosign chart and remove extra logs by @akashsinghal in #1475
Changes since v1.2.0-rc.1
- 63c7bb2 Merge pull request #1519 from deislabs/cherry-pick-for-1.2.0
- 35aad7f chore: ignore CVE-2023-42363 CVE-2023-42364 CVE-2023-42365 (#1498)
- dbc2d74 chore: ignore CVE-2023-42366 (#1494)
- da2cdca chore: prepare for release 1.2 (#1524)
- 7e00bb2 ci: switch azure ci test to use rbac for key vault access (#1523)
- 1e79038 fix: bump github.com/aws/aws-sdk-go-v2/service/ecr version (#1505)
- c6f9483 fix: full validation should run on release branch (#1511)
- 510dd58 go mod tidy
v1.2.0-rc.1
🚨 Deprecations
CertificateStore is deprecated in favor of KeyManagementProvider. Please migrate to KeyManagementProvider by following the guide here. Support will be removed in Ratify v2.0.0.
✨ New Features
- Cosign Verifier enhancements:
- feat: move cosign to be a built in verifier by @akashsinghal in #1343
- feat: add key support to key management provider by @akashsinghal in #1333
- feat: add cosign trust policies by @akashsinghal in #1381
- Kubernetes multi-tenancy support:
- feat: refactor CertStore and KMP Crd to support multi-tenancy by @binbin-li in #1423
- feat: add NamespacedPolicy, NamespacedStore, NamespacedVerifier CRD by @binbin-li in #1402, #1413
- feat: add cache isolation by @binbin-li in #1213
- feat: add Verifiers, policyManager , ReferrerStoreManagers, certStoreManager interface by @binbin-li in #1358 , #1359, #1380, #1382
- CRD improvements:
- feat: add version to CRD spec by @susanshi in #1215
- feat: validate plugin name on CR create by @susanshi in #1265
- feat: add key management provider resource by @akashsinghal in #1293
- feat: add NamespacedKMP and switch KMP scope to cluster [multi-tenancy PR 9] by @binbin-li in #1422
📄 Documentation
- docs: add roadmap by @yizha1 in #1344
- docs: updated docs with the latest verifier report format by @junczhu in #1236
- docs: add multi-tenancy support discussions by @binbin-li in #1175
- docs: Update log format in doc by @junczhu in #1240
- docs: update COC and add adopters.md by @FeynmanZhou in #1360
- fix: updated community meeting time to UTC by @susanshi in #1364
- build: update Bridge to Kubernetes debugging steps by @akashsinghal in #1384
- docs: cosign upgrade design document by @akashsinghal in #1246
- docs: Create BREAKING_CHANGE_AND_DEPRECATION.md by @susanshi in #1399
🎉 New Contributors
- @duffney made their first contribution in #1254
- @mannbiher made their first contribution in #1418
🐛 🩹 Bug Fixes
- fix: surface plugin error in exec.go by @susanshi in #1228
- fix: SBOM verifier license match support for deprecated license by @susanshi in #1230
- fix: update constraint templates to work with new type field by @akashsinghal in #1217
- fix: improve vuln report verifier report messages by @akashsinghal in #1238
- fix: dynamic plugin should support pulling image with digest by @susanshi in #1280
- fix: add missing CRD conversion methods by @binbin-li in #1289
- fix: fix unit tests that fail in local environment by @binbin-li in #1292
- fix: add check for disabled keys from azure key vault by @akashsinghal in #1474
- fix: update azure tenantId casing by @akashsinghal in #1385
- fix: rename staging to dev branch by @susanshi in #1401
- fix: update ReferrerNotFound error to be more accurate by @binbin-li in #1408
- fix: add top-level read permission by @binbin-li in #1419
- fix: add akv keys check on cosign-verifier by @binbin-li in #1427
- fix: handle empty trust policies by @akashsinghal in #1431
- fix: fix missing separator in helm template by @binbin-li in #1463
- fix: check label value on pull_request_target by @binbin-li in #1471
- fix: DecodeCertificates cert length check by @susanshi in #1470
- fix: update cosign chart and remove extra logs by @akashsinghal in #1475
What's Changed
- fix: bump dev helmfile ratify chart versions by @akashsinghal in #1216
- feat: add namespace to external data request key by @binbin-li in #1201
- chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.16.9 to 1.16.12 by @dependabot in #1224
- chore: Bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.9.0 to 1.9.1 by @dependabot in #1225
- chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.25.11 to 1.25.12 by @dependabot in #1226
- build: bump up upload-artifact action to v4.0.0 by @binbin-li in #1227
- chore: Bump golang.org/x/crypto from 0.16.0 to 0.17.0 by @dependabot in #1229
- feat: add version to CRD spec by @susanshi in #1215
- fix: surface plugin error in exec.go by @susanshi in #1228
- chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.16.12 to 1.16.13 by @dependabot in #1235
- chore: Bump k8s.io/client-go from 0.28.4 to 0.28.5 by @dependabot in #1232
- chore: Bump apache/skywalking-eyes from ee81ff786927ea6ffa48b1e29c48e5289f4753aa to ed436a5593c63a25f394ea29da61b0ac3731a9fe by @dependabot in #1231
- feat: add cache isolation by @binbin-li in #1213
- chore: update codecov config by @junczhu in #1237
- docs: updated docs with the latest verifier report format by @junczhu in #1236
- fix: SBOM verifier license match support for deprecated license by @susanshi in #1230
- docs: add multi-tenancy support discussions by @binbin-li in #1175
- fix: differentiate aks logs from e2e log by @susanshi in #1243
- ci: add cache cleanup post merge by @akashsinghal in #1242
- docs: Update log format in doc by @junczhu in #1240
- ci: switch to fail-fast from continue-on-error by @binbin-li in #1245
- ci: add dev helm chart publishing workflow by @akashsinghal in #1209
- fix: update constraint templates to work with new type field by @akashsinghal in #1217
- fix: improve vuln report verifier report messages by @akashsinghal in #1238
- feat: improve plugin config dependency by @junczhu in #1223
- chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.16.13 to 1.16.14 by @dependabot in #1250
- chore: Bump github.com/AzureAD/microsoft-authentication-library-for-go from 1.2.0 to 1.2.1 by @dependabot in #1252
- chore: Bump github.com/cloudflare/circl from 1.3.5 to 1.3.7 by @dependabot in #1253
- chore: Bump azure/login from 1.5.1 to 1.6.0 by @dependabot in #1255
- chore: rename func for readability by @junczhu in #1257
- chore: Bump actions/upload-artifact from 4.0.0 to 4.1.0 by @dependabot in #1261
- chore: Bump azure/login from 1.6.0 to 1.6.1 by @dependabot in #1266
- chore: Bump actions/upload-artifact from 4.1.0 to 4.2.0 by @dependabot in #1270
- chore: Bump k8s.io/client-go from 0.28.5 to 0.28.6 by @dependabot in #1273
- chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.16.14 to 1.16.16 by @dependabot in #1275
- chore: Bump github.com/opencontainers/image-spec from 1.1.0-rc5 to 1.1.0-rc6 by @dependabot in #1271
- chore: Bump actions/upload-artifact from 4.2.0 to 4.3.0 by @dependabot in #1279
- chore: Bump codecov/codecov-action from 3.1.4 to 3.1.5 by @dependabot in #1281
- chore: Bump github.com/docker/cli from 24.0.7+incompatible to 24.0.8+inco...
v1.1.1
Changelog
Bug Fixes
v1.1.0
💥 🚨 CRD BREAKING CHANGES 🚨 💥
- Certificate Store is a namespaced CR. We have made a fix in this release so that Certificate Store CR can be uniquely referenced by Verifier CR. Please follow migration steps here
✨ New Features
- Enables SBOM verifier improvements:
- Add deny license and deny package properties to the existing SBOM verifier
- Add SBOM verifier to Helm chart
- Introduce new Vulnerability report verifier for Sarif reports generated by Trivy and Grype
- Enforces report content to match Sarif schema
- Enforces a MaximumAge duration (ex: '24h')
- Enforces against existence of disallowedSeverity levels (ex: 'critical')
- Enforces against existence of denylistCVEs (ex: CVE-2021-44228 log4shell)
- Introduce a passthrough flag which will bypass all checks and append sarif content in verifier report
- Adds vulnerability report verifier to Helm chart
- For documentation on how to use refer to the docs
- Introduce a verifier name and a verifier type (specName) to the existing VerifierConfig and VerifierPlugin. This enables support for multiple verifiers of the same verifier type. You can find more info here.
- Introduce new --debug flag to Ratify CLI that sets the logger level to DEBUG.
- Introduce support for notation-go logs with trace-id support
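The checks listed above for the vulnerability report verifier (report age, disallowed severities, denylisted CVEs, SARIF schema) as an added Go example written for this page; it is not Ratify's verifier code, and its function and parameter names are its own. It generalizes slightly beyond the text: besides Trivy's bare CVE rule ids it also handles Grype's ruleId convention (CVE id followed by the package name). The SARIF document in the block is constructed for the example; the CVE ids are real, the scores attached to them are sample data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strconv"
	"strings"
	"time"
)

// sarifLog models only the SARIF 2.1.0 fields the checks below read.
type sarifLog struct {
	Version string `json:"version"`
	Runs    []struct {
		Tool struct {
			Driver struct {
				Rules []struct {
					ID         string         `json:"id"`
					Properties map[string]any `json:"properties"` // "security-severity" carries the CVSS score
				} `json:"rules"`
			} `json:"driver"`
		} `json:"tool"`
		Results []struct{ RuleID string `json:"ruleId"` } `json:"results"`
	} `json:"runs"`
}

var cveRE = regexp.MustCompile(`CVE-\d{4}-\d{4,}`)

// severityFromScore maps a CVSS base score (Trivy and Grype emit it as a string) to a band.
func severityFromScore(score any) string {
	s, _ := score.(string)
	v, err := strconv.ParseFloat(strings.TrimSpace(s), 64)
	switch {
	case err != nil:
		return "unknown" // missing or malformed score: never silently treat it as low
	case v >= 9.0:
		return "critical"
	case v >= 7.0:
		return "high"
	case v >= 4.0:
		return "medium"
	}
	return "low"
}

// containsFold reports whether list holds s, ignoring case.
func containsFold(list []string, s string) bool {
	for _, it := range list {
		if strings.EqualFold(it, s) {
			return true
		}
	}
	return false
}

// Evaluate returns the policy violations for one SARIF report; an empty result means it passes.
// created is when the report was produced (a parameter here); maxAge 0 disables the age check.
func Evaluate(report []byte, created, now time.Time, maxAge time.Duration, disallowedSeverities, denylistCVEs []string) []string {
	var out []string
	if maxAge > 0 && now.Sub(created) > maxAge {
		out = append(out, fmt.Sprintf("report age %s exceeds maximumAge %s", now.Sub(created).Round(time.Minute), maxAge))
	}
	var doc sarifLog
	if err := json.Unmarshal(report, &doc); err != nil || doc.Version != "2.1.0" || len(doc.Runs) == 0 {
		return append(out, "report does not match the SARIF 2.1.0 schema")
	}
	for _, run := range doc.Runs {
		scores := map[string]any{} // rule id -> security-severity
		for _, r := range run.Tool.Driver.Rules {
			scores[r.ID] = r.Properties["security-severity"]
		}
		for _, res := range run.Results {
			cve := res.RuleID // Grype ruleIds look like "CVE-2021-44228-log4j-core": keep the bare id
			if m := cveRE.FindString(strings.ToUpper(res.RuleID)); m != "" {
				cve = m
			}
			sev := severityFromScore(scores[res.RuleID])
			if containsFold(disallowedSeverities, sev) {
				out = append(out, fmt.Sprintf("%s: severity %s is disallowed", cve, sev))
			}
			if containsFold(denylistCVEs, cve) {
				out = append(out, fmt.Sprintf("%s: CVE is on the denylist", cve))
			}
		}
	}
	return out
}

// sampleReport is a constructed Trivy-style SARIF document: real CVE ids, sample scores and content.
const sampleReport = `{"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "Trivy", "rules": [
  {"id": "CVE-2021-44228", "properties": {"security-severity": "10.0", "tags": ["vulnerability"]}},
  {"id": "CVE-2023-44487", "properties": {"security-severity": "7.5"}}]}},
  "results": [{"ruleId": "CVE-2021-44228"}, {"ruleId": "CVE-2023-44487"}]}]}`

func main() {
	for _, v := range Evaluate([]byte(sampleReport), time.Now().Add(-time.Hour), time.Now(), 24*time.Hour, []string{"critical"}, []string{"CVE-2021-44228"}) {
		fmt.Println("DENY:", v)
	}
}
```

With the sample policy the report is denied twice for CVE-2021-44228 (critical severity, and on the denylist) while CVE-2023-44487 at 7.5 passes. One caveat worth carrying into a real policy: a result whose rule has no security-severity comes out as "unknown", which no severity list matches by name, so a scanner that omits scores needs either a denylist or an explicit rule that treats unknown as disallowed.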
📄 Documentation
Note: We’ve moved most of our feature documentation to the Ratify Website.
- docs: add design docs by @akashsinghal in #1136
- docs: add design docs by @binbin-li in #1143
- docs: update notation tsg doc link by @binbin-li in #1152
- docs: move cosign doc to website by @akashsinghal in #1168
- docs: add vulnerability report verifier design doc by @akashsinghal in #1208
🧪 Tests
- Added new E2E CLI test for SBOM verifier
- Added unit tests and E2E tests for vulnerability report verifier
- Add more unit tests to increase the test coverage for authProvider.
CLI
- Verifier Scenarios
- Notation
- Cosign
- Keyed
- Keyless
- SBOM
- License Checker
- JSON Schema Validation
- All verifier types in one
- Vulnerability Report
- Dynamic OCI Plugins
- Verifier Plugin
- Store Plugin
Kubernetes
- Verifier Scenarios
- Notation
- Cosign
- SBOM
- License Checker
- JSON Schema Validation
- All verifier types in one
- Vulnerability Report
- ORAS Store Authentication Providers
- Docker
- Kubernetes Secrets
- Azure Workload Identity
- Azure Managed Identity
- Certificate Store Providers
- Inline Certificate
- Azure Key Vault Certificate
- Mutation Provider
- Dynamic OCI Plugins
- Verifier Plugin
- CertificateProvider CRD Status
- TLS Certificate
- TLS Certificate Watcher
- TLS Certificate Rotation
- High Availability Tests
- 2 Replicas, Redis + Dapr, Notation
- Quick Start helmfile.yaml test
🐛 🩹 Bug Fixes
- fix: update auth cache miss error handling by @akashsinghal in #1105
- fix: rename error for verifier plugins to be more generic by @akashsinghal in #1129
- fix: set default certstore namespace in notation verifier to uniquely identify certificate store resource by @susanshi in #1134
- fix: allow multiple notationCert in default chart by @susanshi in #1151
- fix: add certificates to chart value by @susanshi in #1172
- fix: remove trailing hyphen in notation template by @akashsinghal in #1197
🎉 New Contributors
- @bspaans made their first contribution in #1130
- @Two-Hearts made their first contribution in #1188
📝 Changelog
- chore: bump helmfile versions to match v1.0 chart released by @akashsinghal in #1101
- docs: remove non production notice by @akashsinghal in #1102
- docs: add helm chart readme by @akashsinghal in #1099
- chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.42 to 1.18.44 by @dependabot in #1112
- chore: Bump ossf/scorecard-action from 2.2.0 to 2.3.0 by @dependabot in #1116
- chore: downgrade some logging from info to debug by @akashsinghal in #1111
- chore: bump chart versions in dev helmfiles by @akashsinghal in #1108
- chore: Bump github.com/docker/distribution from 2.8.2+incompatible to 2.8.3+incompatible by @dependabot in #1115
- fix: update auth cache miss error handling by @akashsinghal in #1105
- chore: Bump golang.org/x/net from 0.14.0 to 0.17.0 by @dependabot in #1118
- ci: add retry to cosign keyless test by @akashsinghal in #1109
- chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.13.42 to 1.13.43 by @dependabot in #1128
- chore: Bump google.golang.org/grpc from 1.56.2 to 1.56.3 by @dependabot in #1125
- chore: Bump github.com/sigstore/sigstore from 1.7.3 to 1.7.4 by @dependabot in #1127
- chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.44 to 1.18.45 by @dependabot in #1124
- chore: Add ability to configure affinity and tolerations to Helm chart by @bspaans in #1130
- chore: Bump actions/checkout from 4.1.0 to 4.1.1 by @dependabot in #1132
- fix: rename error for verifier plugins to be more generic by @akashsinghal in #1129
- feat: support notation-go logs by @binbin-li in #1135
- chore: Bump k8s.io/api from 0.27.6 to 0.27.7 by @dependabot in #1139
- chore: Bump k8s.io/client-go from 0.27.6 to 0.27.7 by @dependabot in #1137
- docs: add design docs by @akashsinghal in #1136
- chore: Bump ossf/scorecard-action from 2.3.0 to 2.3.1 by @dependabot in #1141
- docs: add design docs by @binbin-li in #1143
- chore: upgrade devcontainer config by @junczhu in #1144
- fix: set default certstore namespace in notation verifier to uniquely identify certificate store resource by @susanshi in #1134
- chore: Bump github.com/docker/cli from 24.0.6+incompatible to 24.0.7+incompatible by @dependabot in #1153
- chore: Bump oras.land/oras-go/v2 from 2.3.0 to 2.3.1 by @dependabot in #1155
- chore: Bump github.com/notaryproject/notation-core-go from 1.0.0 to 1.0.1 by @dependabot in #1157
- chore: Bump github.com/sigstore/sigstore from 1.7.4 to 1.7.5 by @dependabot in #1156
- chore: Bump sigs.k8s.io/controller-runtime from 0.15.2 to 0.15.3 by @dependabot in #1154
- chore: Bump github.com/docker/docker from 24.0.0+incompatible to 24.0.7+incompatible by @dependabot in #1158
- docs: update notation tsg doc link by @binbin-li in #1152
- chore: add chart icon by @binbin-li in #1161
- chore: Bump github.com/gorilla/mux from 1.8.0 to 1.8.1 by @dependabot in #1163
- chore: Bump github.com/notaryproject/notation-go from 1.0.0 to 1.0.1 by @dependabot in #1162
- docs: move cosign doc to website by @akashsinghal in #1168
- fix: allow multiple notationCert in default chart by @susanshi in #1151
- chore: wrap notation-go error by @binbin-li in #1169
- chore: Bump github.com/sigstore/cosign/v2 from 2.1.1 to 2.2.1 by @dependabot in #1171
- fix: add certificates to chart value by @susanshi in #1172
- test: Authprovider test improvement by @junczhu in #1170
- chore: Bump k8s.io/api from 0.28.3 to 0.28.4 by @dependabot in #1179
- chore: Bump k8s.io/client-go from 0.28.3 to 0.28.4 by @dependabot in #1178
- chore: Bump azure/login from 1.4.7 to 1.5.0 by @dependabot in #1184
- chore: Bump github.com/go-jose/go-jose/v3 from 3.0.0 to 3.0.1 by @dependabot in #1185
- build: add lic...
v1.0.0
Ratify v1
Ratify is a verification engine available as a binary executable and on Kubernetes that enables customers to author policies to verify security artifact metadata, such as image signatures and SBOMs, and allows deployment of only those that comply with these policies. This is the first stable release v1.0.0 🎉.
Important
Experimental features are only intended for testing in a development environment and should not be used in production. Please adhere to the specified feature and performance limits for production workloads. More information can be found in the ratify documentation.
Key Features
- Ratify as a CLI binary for verifying artifacts stored in a registry
- Out-of-box support in published helm chart for running Ratify as an External Data Provider for Gatekeeper admission controller
- Native Kubernetes support for managing and running Ratify as a scalable & reliable service
- Verifier, Store, Certificate Store, and Policy CRDs for simple Ratify configuration
- TLS certificate management and rotation for mTLS service-to-service communication
- Standardized logging and prometheus metrics support + Grafana dashboard.
- Extensible plugin model to support new verifier and referrer store plugins
- Built-in policy evaluation engine support using embedded OPA engine or config-based policies.
- Built-in certificate stores makes interacting with Key Management Systems (KMS) simple.
Experimental Features
- Ratify in High Availability (HA) mode using a distributed cache (dapr + redis)
✨ What's Changed since v1.0.0-rc8
- Add end-to-end test for init containers and ephemeral container mutation/verification. See #1086
- Update Policy CRD to contain a type instead of metadata for determining policy provider. See #1079
💥 🚨 BREAKING CHANGES 🚨 💥
- Policy CRD now REQUIRES the CR's metadata.name to be ratify-policy. spec.type must be rego-policy or config-policy ONLY.
- See #1079 for more information
📄 Documentation
- docs: create ratify-weekly-notes-2023-Jan-2023-Jul.md by @susanshi in #1081
- docs: redirect to website by @susanshi in #1087
🧪 Tests
CLI
- Verifier Scenarios
- Notation
- Cosign
- Keyed
- Keyless
- SBOM
- License Checker
- JSON Schema Validation
- All verifier types in one
- Dynamic OCI Plugins
- Verifier Plugin
- Store Plugin
Kubernetes
- Verifier Scenarios
- Notation
- Cosign
- SBOM
- License Checker
- JSON Schema Validation
- All verifier types in one
- ORAS Store Authentication Providers
- Docker
- Kubernetes Secrets
- Azure Workload Identity
- Azure Managed Identity
- Certificate Store Providers
- Inline Certificate
- Azure Key Vault Certificate
- Mutation Provider
- Dynamic OCI Plugins
- Verifier Plugin
- CertificateProvider CRD Status
- TLS Certificate
- TLS Certificate Watcher
- TLS Certificate Rotation
- High Availability Tests
- 2 Replicas, Redis + Dapr, Notation
- Quick Start helmfile.yaml test
🐛 🩹 Bug Fixes
- fix: update helmfile.yaml for rc8 by @susanshi in #1069
- fix: update e2e resource for initContainers and ephemeralContainers by @junczhu in #1088
- fix: update errors doc reference links by @akashsinghal in #1098
📝 Changelog
- fix: update helmfile.yaml for rc8 by @susanshi in #1069
- chore: Bump github.com/docker/cli from 24.0.0+incompatible to 24.0.6+incompatible by @dependabot in #1070
- chore: Bump goreleaser/goreleaser-action from 4.6.0 to 5.0.0 by @dependabot in #1077
- chore: Bump actions/upload-artifact from 3.1.2 to 3.1.3 by @dependabot in #1063
- chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.38 to 1.18.39 by @dependabot in #1073
- chore: Bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.7.1 to 1.7.2 by @dependabot in #1071
- chore: Bump docker/login-action from 2.2.0 to 3.0.0 by @dependabot in #1080
- docs: create ratify-weekly-notes-2023-Jan-2023-Jul.md by @susanshi in #1081
- chore: update local build doc by @junczhu in #1075
- chore: Bump k8s.io/client-go from 0.27.5 to 0.27.6 by @dependabot in #1085
- test: add constraint template e2e test for initContainers and ephemeralContainers by @junczhu in #1086
- chore: Bump github.com/opencontainers/image-spec from 1.1.0-rc4 to 1.1.0-rc5 by @dependabot in #1082
- fix: update e2e resource for initContainers and ephemeralContainers by @junczhu in #1088
- feat: add type to policy CRD by @binbin-li in #1079
- chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.39 to 1.18.42 by @dependabot in #1094
- chore: Bump actions/checkout from 4.0.0 to 4.1.0 by @dependabot in #1092
- docs: redirect to website by @susanshi in #1087
- fix: update errors doc reference links by @akashsinghal in #1098
- chore: prepare for v1.0.0 release by @akashsinghal in #1097
Full Changelog: v1.0.0-rc.8...v1.0.0
v1.0.0-rc.8
✨ New Features
- User agent header by Ratify now includes OS/Arch and version.
- Introducing new health probe.
- Add liveness probes to deployment files
- Allows probe port to be configured
- Updated oras-go to v2.3.0 and GK 3.13 support
📄 Documentation
- docs: fix broken link and add link check by @susanshi in #1016
- docs: add badge linking to pkg.go.dev by @binbin-li in #1056
- doc: update document about install ratify on azure policy enabled aks cluster by @fseldow and @susanshi in #1041
🧪 Tests
- Added new automated test for quick start test.
CLI
- Verifier Scenarios
- Notation
- Cosign
- Keyed
- Keyless
- SBOM
- License Checker
- JSON Schema Validation
- All verifier types in one
- Dynamic OCI Plugins
- Verifier Plugin
- Store Plugin
Kubernetes
- Verifier Scenarios
- Notation
- Cosign
- SBOM
- License Checker
- JSON Schema Validation
- All verifier types in one
- ORAS Store Authentication Providers
- Docker
- Kubernetes Secrets
- Azure Workload Identity
- Azure Managed Identity
- Certificate Store Providers
- Inline Certificate
- Azure Key Vault Certificate
- Mutation Provider
- Dynamic OCI Plugins
- Verifier Plugin
- CertificateProvider CRD Status
- TLS Certificate
- TLS Certificate Watcher
- TLS Certificate Rotation
- High Availability Tests
- 2 Replicas, Redis + Dapr, Notation
🐛 🩹 Bug Fixes
- fix: fix cert watcher by @binbin-li in #1054
- fix: fix azure test by @binbin-li in #1065
📝 Changelog
- chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.13.34 to 1.13.35 by @dependabot in #1037
- chore: Bump sigs.k8s.io/controller-runtime from 0.15.1 to 0.15.2 by @dependabot in #1034
- chore: Bump k8s.io/apimachinery from 0.27.4 to 0.27.5 by @dependabot in #1035
- chore: Bump github.com/google/uuid from 1.3.0 to 1.3.1 by @dependabot in #1036
- chore: Bump k8s.io/client-go from 0.27.4 to 0.27.5 by @dependabot in #1033
- chore: update terraform AKV permissions by @duffney in #1024
- release: retract v1.1.0-alpha.1 by @binbin-li in #1038
- docs: fix broken link and add link check by @susanshi in #1016
- chore: Bump actions/checkout from 3.5.3 to 3.6.0 by @dependabot in #1043
- build: add dev helmfiles by @akashsinghal in #1018
- feat: add version and OS/Arch to user-agent header by @binbin-li in #1044
- chore: bump to GK 3.13 by @akashsinghal in #1019
- feat: Add automated test for quick start test by @susanshi in #1045
- feat: upgrade oras-go v2.3.0 by @junczhu in #1050
- chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.35 to 1.18.38 by @dependabot in #1053
- chore: Bump github.com/sigstore/sigstore from 1.7.2 to 1.7.3 by @dependabot in #1051
- chore: Bump actions/checkout from 3.6.0 to 4.0.0 by @dependabot in #1055
- docs: add badge linking to pkg.go.dev by @binbin-li in #1056
- fix: fix cert watcher by @binbin-li in #1054
- chore: Bump goreleaser/goreleaser-action from 4.4.0 to 4.6.0 by @dependabot in #1059
- doc: update document about install ratify on azure policy enabled aks cluster by @fseldow in #1041
- feat: add health Probe by @susanshi in #1058
- feat: update chart for rc8 by @susanshi in #1064
- fix: fix azure test by @binbin-li in #1065
Full Changelog: v1.0.0-rc.7...v1.0.0-rc.8
v1.0.0-rc.7
✨ New Features
- Introducing OPA engine integration to support Rego Policy
- Embeds OPA engine in Ratify so that service can make verifications using the OPA engine for Rego Policies.
- Adds support for multiple verifiers against the same artifact.
- Users can still provide a configuration Policy which is the default option.
- Introduces new Policy controller and CRD that allows switching between configuration policy and Rego Policy at runtime
- More information here
- Introducing support to enable High Availability (HA) for Ratify
- Unifies all existing in-memory caches through a new cache interface that allows registering and specifying new cache providers
- Implements Ristretto as the default cache provider
- Implements support for Dapr cache provider
- More info here
- Introducing integration with Helmfile Tool
- Simplifies helm install for upgrade scenarios to HA support
- Simplifies helm install for quick start experience
- Introducing Terraform configs for Azure
- Adds Terraform configs to simplify the deployment of Azure Resources for Ratify
- Enable optional image mutation in Helm chart
- Allows image mutation to be optional in helm chart since there might be scenarios where OPA Gatekeeper constraints are based on image tags.
- Introduce graceful shutdown for http server
- Adds support for ‘Shutdown’ command to be invoked on SIGTERM signal or interrupt OS command
- Adds channel to wait on shutdown process to complete (6 second context timeout)
- Introducing improved error handling
- Refactor most errors to a custom error struct
- Introduce error codes for faster searching
- Adds stacks to improve debuggability
- Adds a configurable internal logger utility that initializes the logger for Ratify and configures the context with a trace-id from requests
- More info here
- Introducing new Ratify arm64 & arm/v7 images
- Introducing new Ratify Logo
- We are improving the project branding. Check out the new Ratify Logo here
💥 🚨 BREAKING CHANGES 🚨 💥
- Notation signature verifier name now registered using name notation instead of notaryv2
- More information here
- logLevel helm chart value now found at logger.level
- More information here
- TLS certs are NOT auto generated by Ratify chart. It's recommended to set featureFlags.RATIFY_CERT_ROTATION to true.
- PKCS12 certs with Azure Key Vault setup are NOT supported
📄 Documentation
- docs: add examples for using AWS Signer by @byronchien in #875
- docs: update community meeting to weekly wed by @susanshi in #896
- docs: redesign docs structure to improve navigation by @duffney in #897
- docs: add notaryv2 upgrade doc by @binbin-li in #999
- docs: fix the link for terraform installation by @yizha1 in #1014
🧪 Tests
CLI
- Verifier Scenarios
- Notation
- Cosign
- Keyed
- Keyless
- SBOM
- License Checker
- JSON Schema Validation
- All verifier types in one
- Dynamic OCI Plugins
- Verifier Plugin
- Store Plugin
Kubernetes
- Verifier Scenarios
- Notation
- Cosign
- SBOM
- License Checker
- JSON Schema Validation
- All verifier types in one
- ORAS Store Authentication Providers
- Docker
- Kubernetes Secrets
- Azure Workload Identity
- Azure Managed Identity
- Certificate Store Providers
- Inline Certificate
- Azure Key Vault Certificate
- Mutation Provider
- Dynamic OCI Plugins
- Verifier Plugin
- CertificateProvider CRD Status
- TLS Certificate
- TLS Certificate Watcher
- TLS Certificate Rotation
- High Availability Tests
- 2 Replicas, Redis + Dapr, Notation
🐛 🩹 Bug Fixes
- fix: helm chart generated cert refers to helm release name in subject by @fseldow in #885
- fix: new sample images should be signed by notation rc7 by @susanshi in #905
- fix: update quick start to ghcr image by @susanshi in #906
- fix: update notary.crt to reflect latest sample by @susanshi in #909
- fix: publish ratify image with plugin by @susanshi in #916
- fix: downgrade goreleaser to last stable version by @susanshi in #922
- fix: upgrade notation rc3->rc7 by @junczhu in #923
- fix: fix Policy CRD by @binbin-li in #962
- fix: change name of notation cert file in helmfile by @akashsinghal in #975
- fix: update links in ratify configuration doc by @susanshi in #985
- fix: Updating akv cert provider to use getSecret by @susanshi in #957
- fix: adding experimental to dynamic plugin flag by @susanshi in #980
- fix: fix broken Azure tests by @binbin-li in #1009
- fix: display cert store status by @susanshi in #1021
🎉 New Contributors
- @duffney made their first contribution in #884
- @junczhu made their first contribution in #923
- @yizha1 made their first contribution in #926
- @mannbiher made their first contribution in #944
📝 Changelog
- docs: add examples for using AWS Signer by @byronchien in #875
- chore: bump github.com/aws/aws-sdk-go-v2/config from 1.18.25 to 1.18.27 by @dependabot in #895
- chore: bump k8s.io/api from 0.26.5 to 0.26.6 by @dependabot in #894
- fix: helm chart generated cert refers to helm release name in subject by @fseldow in #885
- docs: update community meeting to weekly wed by @susanshi in #896
- feat: add Terraform configs for Azure by @duffney in #884
- build: upgrade go lint by @akashsinghal in #892
- chore: add ratify logo by @FeynmanZhou in #898
- chore: bump ossf/scorecard-action from 2.1.3 to 2.2.0 by @dependabot in #903
- chore: bump k8s.io/client-go from 0.26.1 to 0.26.6 by @dependabot in #902
- chore: bump sigs.k8s.io/controller-runtime from 0.14.2 to 0.14.6 by @dependabot in #904
- chore: create publish-sample.yml by @susanshi in #900
- chore: add logo to README by @akashsinghal in #899
- fix: new sample images should be signed by notation rc7 by @susanshi in #905
- fix: update quick start to ghcr image by @susanshi in #906
- fix: update notary.crt to reflect latest sample by @susanshi in #909
- fix: publish ratify image with plugin by @susanshi in #916
- chore: update chart for v1.0.0-rc.6 by @susanshi in #921
- fix: downgrade goreleaser to last stable version by @susanshi in #922
- fix: upgrade notation rc3->rc7 by @junczhu in #923
- build: use latest sbom-tool by @binbin-li in #917
- docs: redesign docs structure to improve navigation by @duffney in #897
- chore: bump google.golang.org/grpc from 1.55.0 to 1.55.1 by @dependabot in #925
- chore: add triage label to issue template by @yizha1 in #926
- feat: add opa engine and support Rego policy by @binbin-li in #798
- ci: delete oci artifact tests by @akashsinghal in #928
- chore: bump github.com/aws/aws-sdk-go-v2/config from 1.18.27 to 1.18.28 by @dependabot in #934
- chore: upgrade to image spec rc4 and oras-go 2.2.1 by @akashsinghal in #931
- feat: add policy crd and controller by @binbin-li in #933
- feat: unify caches, add ristretto and Dapr cache providers by @akashsinghal in #901
- chore: bump k8s.io/api from 0.26.6 to 0.26.7 by @dependabot in #947
- chore: bump k8s.io/client-go from 0.26.6 to 0.26.7 by @dependabot in #946
- chore: bump github.com/sigstore/sigstore from 1.6.4 to 1.6.5 by @dependabo...
v1.0.0-rc.6
v1.0.0-rc.5
New Features
- Introducing support for TLS certificate management
  - Adds a custom configuration fetcher for the TLS config so that every new TLS connection reads the certificate files from disk. You can learn more here and here.
  - Adopts the cert-controller used in Gatekeeper, which checks certificate validity every 12 hours and generates a new certificate if the check fails.
  - Design doc is here.
- Update Go to 1.20 to use coverage profiling for integration tests.
  - Helps to report coverage for integration tests. You can find more here.
- Improved error messages from the Certificate Store CRD
  - Shortens the error message surfaced in the Certificate Store status. You can learn more here.
- Introduce ability to build external plugins conditionally
  - Updates the Dockerfile and tests so that the external plugins to build can be selected. You can find out more here.
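The two TLS mechanisms above, a config that re-reads the serving certificate from disk on every new connection and a periodic validity check that triggers re-issuance, are easy to get subtly wrong: a `tls.Config` built once with a static `Certificates` slice keeps serving the old certificate after the file on disk has been rotated. The Go program below is an added example written for this page, not Ratify's own implementation. It generates self-signed certificates as a stand-in for whatever really rotates the files (cert-controller, a CSI driver, an operator); the service name, file names and the 12-hour lookahead are assumptions. It shows a `tls.Config` whose `GetCertificate` callback loads the PEM files per handshake, a `NeedsRotation` check in the spirit of the 12-hour cert-controller loop, and a demo that confirms the live config serves the new certificate after the files change.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// writeSelfSignedCert writes a fresh self-signed cert and key to the two paths and returns the serial; it stands in for the real rotator and the CN is an assumption.
func writeSelfSignedCert(certPath, keyPath string, notAfter time.Time) (*big.Int, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial := big.NewInt(time.Now().UnixNano()) // positive and distinct per call
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: "ratify.gatekeeper-system.svc"},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	keyDER, _ := x509.MarshalECPrivateKey(key)
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	if err := os.WriteFile(keyPath, keyPEM, 0o600); err != nil {
		return nil, err
	}
	return serial, os.WriteFile(certPath, certPEM, 0o600)
}

// NewReloadingTLSConfig returns a tls.Config whose GetCertificate callback reads the PEM files on every handshake, so a rotated cert is served with no restart and nothing cached.
func NewReloadingTLSConfig(certPath, keyPath string) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		GetCertificate: func(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
			cert, err := tls.LoadX509KeyPair(certPath, keyPath)
			if err != nil {
				return nil, err
			}
			if cert.Leaf, err = x509.ParseCertificate(cert.Certificate[0]); err != nil {
				return nil, err
			}
			return &cert, nil
		},
	}
}

// NeedsRotation is the periodic check a rotator runs: true when the cert on disk expires within lookahead of now, or cannot be loaded at all.
func NeedsRotation(cfg *tls.Config, now time.Time, lookahead time.Duration) bool {
	cert, err := cfg.GetCertificate(nil)
	return err != nil || !now.Add(lookahead).Before(cert.Leaf.NotAfter)
}

// RotationDemo installs a 6h cert, checks that a 12h-lookahead rotator would act on it, rewrites the files, and reports whether the live config now serves the new cert.
func RotationDemo() (bool, error) {
	dir, err := os.MkdirTemp("", "ratify-tls-")
	if err != nil {
		return false, err
	}
	defer os.RemoveAll(dir)
	certPath, keyPath := filepath.Join(dir, "tls.crt"), filepath.Join(dir, "tls.key")
	cfg := NewReloadingTLSConfig(certPath, keyPath)
	if _, err := writeSelfSignedCert(certPath, keyPath, time.Now().Add(6*time.Hour)); err != nil {
		return false, err
	}
	old, err := cfg.GetCertificate(nil)
	if err != nil || !NeedsRotation(cfg, time.Now(), 12*time.Hour) {
		return false, errors.New("6h cert not served, or not flagged under a 12h lookahead")
	}
	fresh, err := writeSelfSignedCert(certPath, keyPath, time.Now().Add(24*time.Hour))
	if err != nil {
		return false, err
	}
	now, err := cfg.GetCertificate(nil)
	if err != nil {
		return false, err
	}
	return now.Leaf.SerialNumber.Cmp(fresh) == 0 && old.Leaf.SerialNumber.Cmp(fresh) != 0, nil
}

func main() {
	ok, err := RotationDemo()
	fmt.Println("new cert served after rotation:", ok, err)
}
```

One caveat the example deliberately leaves visible: writing tls.crt and tls.key as two separate files leaves a window in which a handshake can load a mismatched pair. `tls.LoadX509KeyPair` rejects the mismatch, so the handshake fails closed rather than serving a wrong key, but a real rotator should write both files into a new directory and swap a symlink, which is what a mounted Kubernetes Secret volume already does for you.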
Documentation
- docs: update CRD version to v1beta1 by @binbin-li in #844
Tests
CLI
- Verifier Scenarios
  - Notation v2
  - Cosign
    - Keyed
    - Keyless
  - SBOM
  - License Checker
  - JSON Schema Validation
  - All verifier types in one
- Dynamic OCI Plugins
  - Verifier Plugin
  - Store Plugin
- OCI 1.0 spec compatibility test
Kubernetes
- Verifier Scenarios
  - Notation v2
  - Cosign
  - SBOM
  - License Checker
  - JSON Schema Validation
  - All verifier types in one
- ORAS Store Authentication Providers
  - Docker
  - Kubernetes Secrets
  - Azure Workload Identity
  - Azure Managed Identity
- Certificate Store Providers
  - Inline Certificate
  - Azure Key Vault Certificate
- Mutation Provider
- Dynamic OCI Plugins
  - Verifier Plugin
- CertificateProvider CRD Status
- TLS Certificate
  - TLS Certificate Watcher
  - TLS Certificate Rotation
Bug Fixes
- fix: fix go version in build-pr.yml by @binbin-li in #842
- fix: switch to working version of sbom-tool by @binbin-li in #873
- fix: update Azure build steps by @akashsinghal in #882
- fix: update go releaser to use quoted go version by @akashsinghal in #891
Changelog
- chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.13.22 to 1.13.24 by @dependabot in #826
- chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.23 to 1.18.25 by @dependabot in #828
- chore: Bump github.com/docker/cli from 23.0.5+incompatible to 23.0.6+incompatible by @dependabot in #827
- chore: Bump codecov/codecov-action from 3.1.3 to 3.1.4 by @dependabot in #830
- chore: Bump actions/setup-go from 4.0.0 to 4.0.1 by @dependabot in #829
- chore: bump rekor to 1.1, cosign to 2.0, msal-go to 1.0 by @dependabot in #812
- chore: bump github.com/cloudflare/circl from 1.1.0 to 1.3.3 by @dependabot in #832
- feat: upgrade go to 1.20 to use coverage profiling for integration tests. by @binbin-li in #833
- chore: bump github.com/stretchr/testify from 1.8.2 to 1.8.3 by @dependabot in #841
- chore: bump k8s.io/apimachinery from 0.26.1 to 0.26.5 by @dependabot in #840
- chore: bump github.com/sirupsen/logrus from 1.9.0 to 1.9.2 by @dependabot in #839
- chore: bump google.golang.org/grpc from 1.54.0 to 1.54.1 by @dependabot in #838
- chore: bump codecov/codecov-action from 3.1.3 to 3.1.4 by @dependabot in #837
- fix: fix go version in build-pr.yml by @binbin-li in #842
- docs: update CRD version to v1beta1 by @binbin-li in #844
- chore: bump github/codeql-action from 2.3.3 to 2.3.4 by @dependabot in #847
- chore: bump github/codeql-action from 2.3.4 to 2.3.5 by @dependabot in #849
- feat: support tls cert rotation by @akashsinghal in #831
- feat: add brief err to CertificateStore CRD by @binbin-li in #846
- chore: bump github.com/sigstore/rekor from 1.1.1 to 1.2.0 by @dependabot in #850
- chore: bump github.com/notaryproject/notation-core-go from 1.0.0-rc.3 to 1.0.0-rc.4 by @dependabot in #853
- chore: bump k8s.io/client-go from 0.25.4 to 0.25.10 by @dependabot in #852
- chore: bump github.com/spdx/tools-golang from 0.5.0 to 0.5.1 by @dependabot in #854
- chore: bump k8s.io/api from 0.26.1 to 0.26.5 by @dependabot in #851
- test: testscript change echo file to printf by @fseldow in #859
- chore: bump github/codeql-action from 2.3.5 to 2.3.6 by @dependabot in #862
- chore: bump github.com/sirupsen/logrus from 1.9.2 to 1.9.3 by @dependabot in #867
- chore: bump github.com/stretchr/testify from 1.8.3 to 1.8.4 by @dependabot in #866
- build: build external plugins conditionally by @binbin-li in #860
- chore: bump github.com/notaryproject/notation-go from 1.0.0-rc.4 to 1.0.0-rc.6 by @dependabot in #864
- chore: bump golangci/golangci-lint-action from 3.4.0 to 3.5.0 by @dependabot in #868
- test: switch to split bats test by @binbin-li in #870
- fix: switch to working version of sbom-tool by @binbin-li in #873
- chore: bump actions/checkout from 3.5.2 to 3.5.3 by @dependabot in #879
- chore: bump github/codeql-action from 2.3.6 to 2.13.4 by @dependabot in #878
- chore: bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.6.0 to 1.6.1 by @dependabot in #877
- chore: bump github.com/spdx/tools-golang from 0.5.1 to 0.5.2 by @dependabot in #876
- chore: bump docker/login-action from 2.1.0 to 2.2.0 by @dependabot in #872
- chore: bump golangci/golangci-lint-action from 3.5.0 to 3.6.0 by @dependabot in #880
- chore: bump goreleaser/goreleaser-action from 4.2.0 to 4.3.0 by @dependabot in #881
- fix: update Azure build steps by @akashsinghal in #882
- feat: add cert rotator by @binbin-li in #869
- fix: Azure workload identity fails to refresh token by @susanshi in #883
- test: move cert rotator to plugin test since it will deploy image with plugins by @fseldow in #888
- chore: update chart for v1.0.0-rc.5 by @akashsinghal in #890
- fix: update go releaser to use quoted go version by @akashsinghal in #891
Full Changelog: v1.0.0-rc.4...v1.0.0-rc.5
v1.0.0-rc.4
New Features
- Introducing new dependency metrics
  - Adds metrics and supporting dashboards for registry requests, blob cache hits, AAD exchange duration, ACR exchange duration, and AKV certificate fetch duration. More information can be found here.
- Introducing support for multiple signature reports in the verifier report for Cosign
  - Cosign allows multiple signatures to be attached as layers of a single OCI image. Ratify now bubbles up the failure or success of each signature layer.
  - More information can be found here.
- Introducing fixes for ECR basic auth registry parsing and a new notation plugin manager for use with the notation verifier
  - Adds a new plugin manager that can be used with the Notation verifier. It lets users download notation plugins through the Ratify Dynamic Plugins feature for use in verification.
  - Fixes an issue with ECR basic auth when downloading objects through the Dynamic Plugins feature.
  - More information can be found here.
- Introducing a pre-install hook for Ratify CRs
  - Adds a pre-install hook to the CR templates so that they skip normal rendering and are installed only after the CRDs have been updated.
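Per-layer reporting as described above, as an added example that is not Ratify's or cosign's code: it models a cosign signature image as a list of layers whose `dev.cosignproject.cosign/signature` annotation carries a base64 DER-encoded ECDSA signature over the layer payload, verifies each layer against a set of trusted keys, and returns one verdict per layer instead of a single pass/fail. The layer digests, the image reference in the payload and the "any valid layer means success" rule are assumptions made for the example; the constructed demo signs one layer with a trusted key, one with an untrusted key, and alters a third layer's payload after signing.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// SigAnnotation is the layer annotation under which cosign stores the signature over that layer's payload blob.
const SigAnnotation = "dev.cosignproject.cosign/signature"

// SigLayer models one layer of a cosign signature image: payload plus annotations.
type SigLayer struct {
	Digest      string
	Payload     []byte
	Annotations map[string]string
}

// LayerResult is the per-layer verdict that gets bubbled up into the report.
type LayerResult struct {
	Digest  string
	Valid   bool
	Message string
}

// Report holds one result per signature layer plus the overall verdict.
type Report struct {
	IsSuccess bool
	Layers    []LayerResult
}

// VerifyLayers checks each layer (SHA-256 over the payload, ECDSA, ASN.1 DER, base64 in
// the annotation) against the trusted keys. At least one valid layer means success;
// that policy is this example's choice.
func VerifyLayers(layers []SigLayer, trusted []*ecdsa.PublicKey) Report {
	rep := Report{}
	for _, l := range layers {
		res := LayerResult{Digest: l.Digest}
		if sigB64, ok := l.Annotations[SigAnnotation]; !ok {
			res.Message = "layer carries no signature annotation"
		} else if sig, err := base64.StdEncoding.DecodeString(sigB64); err != nil {
			res.Message = "signature annotation is not valid base64"
		} else {
			h := sha256.Sum256(l.Payload)
			res.Message = "signature does not verify with any trusted key"
			for i, k := range trusted {
				if ecdsa.VerifyASN1(k, h[:], sig) {
					res.Valid, res.Message = true, fmt.Sprintf("verified with trusted key %d", i)
					break
				}
			}
		}
		rep.IsSuccess = rep.IsSuccess || res.Valid
		rep.Layers = append(rep.Layers, res)
	}
	return rep
}

// signLayer produces a layer the way a keyed `cosign sign` does with a P-256 key.
func signLayer(digest string, payload []byte, key *ecdsa.PrivateKey) (SigLayer, error) {
	h := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	if err != nil {
		return SigLayer{}, err
	}
	return SigLayer{Digest: digest, Payload: payload, Annotations: map[string]string{
		SigAnnotation: base64.StdEncoding.EncodeToString(sig)}}, nil
}

// Demo builds three constructed layers (trusted signer, untrusted signer, payload altered
// after signing) and verifies them against the one trusted key.
func Demo() (Report, error) {
	trusted, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rogue, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	// Constructed simple-signing payload; the image reference and digest are placeholders.
	payload := []byte(`{"critical":{"identity":{"docker-reference":"ghcr.io/example/app"},` +
		`"image":{"docker-manifest-digest":"sha256:0123456789abcdef"},` +
		`"type":"cosign container image signature"},"optional":null}`)
	good, err := signLayer("sha256:layer-1", payload, trusted)
	if err != nil {
		return Report{}, err
	}
	bad, err := signLayer("sha256:layer-2", payload, rogue)
	if err != nil {
		return Report{}, err
	}
	tampered := good // same signature, but the payload was changed after signing
	tampered.Digest = "sha256:layer-3"
	tampered.Payload = []byte(string(payload) + " ")
	return VerifyLayers([]SigLayer{good, bad, tampered}, []*ecdsa.PublicKey{&trusted.PublicKey}), nil
}

func main() {
	rep, _ := Demo()
	fmt.Printf("overall success: %v, layers: %+v\n", rep.IsSuccess, rep.Layers)
}
```

The useful property is that a rejected layer no longer hides a valid one, and the message on each failed layer tells the operator whether the problem is an unknown signer, a missing annotation, or a payload that changed after signing. An empty layer set yields no success, so an image with no signatures at all still fails.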
Documentation
- docs: add cache doc by @akashsinghal in #786
- docs: Update AWS docs to reference notation and IRSA by @byronchien in #824
- docs: Add new notation-validation sample policy by @byronchien in #823
Tests
CLI
- Verifier Scenarios
  - Notation v2
  - Cosign
    - Keyed
    - Keyless
  - SBOM
  - License Checker
  - JSON Schema Validation
  - All verifier types in one
- Dynamic OCI Plugins
  - Verifier Plugin
  - Store Plugin
- OCI 1.0 spec compatibility test
Kubernetes
- Verifier Scenarios
  - Notation v2
  - Cosign
  - SBOM
  - License Checker
  - JSON Schema Validation
  - All verifier types in one
- ORAS Store Authentication Providers
  - Docker
  - Kubernetes Secrets
  - Azure Workload Identity
  - Azure Managed Identity
- Certificate Store Providers
  - Inline Certificate
  - Azure Key Vault Certificate
- Mutation Provider
- Dynamic OCI Plugins
  - Verifier Plugin
- CertificateProvider CRD Status
Bug Fixes
- fix: update notation plugin manager directory by @akashsinghal in #815
Changelog
- feat: add pre-install hook to Ratify CRs by @binbin-li in #772
- chore: Bump github/codeql-action from 2.2.11 to 2.2.12 by @dependabot in #776
- chore: Bump k8s.io/apimachinery from 0.24.12 to 0.24.13 by @dependabot in #782
- chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.13.19 to 1.13.20 by @dependabot in #781
- chore: Bump k8s.io/client-go from 0.24.12 to 0.24.13 by @dependabot in #778
- chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.20 to 1.18.21 by @dependabot in #780
- ci: enforce semantic title on PR by @binbin-li in #783
- docs: update community meeting schedule by @akashsinghal in #785
- feat: add dependency metrics by @akashsinghal in #774
- feat: add multi signature report in verifier report for cosign by @akashsinghal in #784
- docs: add cache doc by @akashsinghal in #786
- chore: Bump github.com/docker/cli from 23.0.3+incompatible to 23.0.4+incompatible by @dependabot in #793
- chore: Bump github/codeql-action from 2.2.12 to 2.3.0 by @dependabot in #792
- chore: Bump github.com/notaryproject/notation-go from 1.0.0-rc.3 to 1.0.0-rc.4 by @dependabot in #794
- ci: Harden GitHub Actions by @step-security-bot in #797
- chore: Bump actions/checkout from 3.1.0 to 3.5.2 by @dependabot in #800
- chore: Bump github/codeql-action from 2.3.0 to 2.3.1 by @dependabot in #801
- chore: Bump github/codeql-action from 2.3.1 to 2.3.2 by @dependabot in #802
- chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.21 to 1.18.22 by @dependabot in #807
- chore: Bump github.com/Azure/go-autorest/autorest from 0.11.28 to 0.11.29 by @dependabot in #806
- chore: Bump github.com/docker/cli from 23.0.4+incompatible to 23.0.5+incompatible by @dependabot in #808
- feat: ECR basic auth registry parse and add notation plugin manager by @byronchien in #804
- chore: Bump github/codeql-action from 2.3.2 to 2.3.3 by @dependabot in #813
- chore: Bump actions/upload-artifact from 3.1.0 to 3.1.2 by @dependabot in #814
- chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.22 to 1.18.23 by @dependabot in #816
- fix: update notation plugin manager directory by @akashsinghal in #815
- chore: Bump github.com/docker/distribution from 2.8.1+incompatible to 2.8.2+incompatible by @dependabot in #822
- docs: Update AWS docs to reference notation and IRSA by @byronchien in #824
- docs: Add new notation-validation sample policy by @byronchien in #823
- chore: prepare chart for rc4 release by @akashsinghal in #825
New Contributors
- @byronchien made their first contribution in #804
Full Changelog: v1.0.0-rc.3...v1.0.0-rc.4