notaryproject/ratify v1.0.0-rc.2

on GitHub

New Features

• Introduce new plugin support as OCI Artifacts
Adds the ability for Ratify to download plugins from OCI artifacts as they are registered. It eliminates the need for users to build their own Ratify image, hack the Helm chart output and so on. You can find more info here.

• Introduce new code coverage reports by CodeCov on every change.

• Introduce new inline certificate provider
With this release, a new “inline” cert provider has been added here. A PEM-format certificate (chain) can be directly specified.

• Release adds a logr -> logrus adapter sink so that k8s controller-runtime components emit the same output as the rest of the Ratify codebase.

• Introduce support for keyless verification of images signed by Fulcio and stored in Rekor.

• Update workload identity auth provider configuration to consume client id. This allows users to specify client id directly without modifying service account when having to change the ORAS store configuration.

• Introduce support for cosign for auth enabled registries

• Support for OCI Image across all verifiers

Documentation

• docs: add CRD doc template by @susanshi in #627
• docs: add new feature/ideas template by @susanshi in #645
• doc: update doc for Azure Workload Identity setup by @binbin-li in #649
• doc: Verifiers and CertificateStore CRD by @susanshi in #654

Tests

CLI

• Verifier Scenarios
  • Notation v2
  • Cosign
    • Keyed
    • Keyless
  • SBOM
  • License Checker
  • JSON Schema Validation
  • All verifier types in one
• Dynamic OCI Plugins
  • Verifier Plugin
  • Store Plugin

Kubernetes

• Verifier Scenarios
  • Notation v2
  • Cosign
  • SBOM
  • License Checker
  • JSON Schema Validation
  • All verifier types in one
• ORAS Store Authentication Providers
  • Docker
  • Kubernetes Secrets
  • Azure Workload Identity
  • Azure Managed Identity
• Certificate Store Providers
  • Inline Certificate
  • Azure Key Vault Certificate
• Mutation Provider
• Dynamic OCI Plugins
  • Verifier Plugin

Bug Fixes

• fix: add docker domain prefix as default by @akashsinghal in #604
• fix: disable cosign in default chart by @susanshi in #616
• fix: add pod label for workload identity by @noelbundick-msft in #632
• fix: fix broken Azure e2e tests due to cosign update by @binbin-li in #626
• fix: make gatekeeper namespace configurable by @akashsinghal in #635
• fix: remove default notary cert by @susanshi in #634
• fix: remove unused authProvider field in cosign verifier by @akashsinghal in #656
• fix: fix e2e logs by @binbin-li in #657
• fix: retract v1.1.0-alpha.1 by @noelbundick-msft in #677
• fix: pin notation to specific version in e2e test by @akashsinghal in #682

Changelog

• feat: plugins as OCI artifacts by @noelbundick-msft in #519
• test: add local registry support by @akashsinghal in #584
• test: add codecov by @binbin-li in #605
• fix: add docker domain prefix as default by @akashsinghal in #604
• ci: bump up ossf/scorecard-action and actions/upload-artifact by @binbin-li in #609
• chore: Bump github.com/aws/aws-sdk-go-v2 from 1.17.3 to 1.17.4 by @dependabot in #614
• chore: Bump github.com/Azure/go-autorest/autorest/adal from 0.9.21 to 0.9.22 by @dependabot in #611
• chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.13.10 to 1.13.12 by @dependabot in #612
• chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.10 to 1.18.12 by @dependabot in #613
• fix: disable cosign in default chart by @susanshi in #616
• chore: Bump github/codeql-action from 2.2.1 to 2.2.2 by @dependabot in #618
• ci: run build-pr job workflow for each push event by @binbin-li in #623
• chore: Bump github/codeql-action from 2.2.2 to 2.2.3 by @dependabot in #628
• feat: add inline cert provider by @noelbundick-msft in #601
• fix: add pod label for workload identity by @noelbundick-msft in #632
• fix: fix broken Azure e2e tests due to cosign update by @binbin-li in #626
• chore: Bump github.com/emicklei/go-restful from 2.9.5+incompatible to 2.16.0+incompatible by @dependabot in #631
• chore: Bump github.com/docker/cli from 20.10.23+incompatible to 23.0.0+incompatible by @dependabot in #610
• docs: add CRD doc template by @susanshi in #627
• feat: use logrus for CRD manager for common log format by @noelbundick-msft in #636
• chore: Bump github.com/docker/cli from 23.0.0+incompatible to 23.0.1+incompatible by @dependabot in #637
• chore: Bump github/codeql-action from 2.2.3 to 2.2.4 by @dependabot in #638
• test: add docker and k8secret auth provider tests by @akashsinghal in #633
• fix: make gatekeeper namespace configurable by @akashsinghal in #635
• docs: add new feature/ideas template by @susanshi in #645
• fix: remove default notary cert by @susanshi in #634
• ci: let helm generate certs for TLS if not provided by @binbin-li in #585
• test: changes for schemavalidator by @mluker in #607
• feat: add cosign fulcio and rekor support by @sozercan in #615
• fix: remove unused authProvider field in cosign verifier by @akashsinghal in #656
• chore: Bump github.com/notaryproject/notation-core-go from 1.0.0-rc.1 to 1.0.0-rc.2 by @dependabot in #658
• chore: Bump github.com/notaryproject/notation-go from 1.0.0-rc.1 to 1.0.0-rc.3 by @dependabot in #661
• chore: Bump golang.org/x/net from 0.5.0 to 0.7.0 by @dependabot in #662
• chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.13.12 to 1.13.13 by @dependabot in #659
• fix: fix e2e logs by @binbin-li in #657
• chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.12 to 1.18.14 by @dependabot in #663
• test: enable debug logging for e2e k8 tests by @akashsinghal in #668
• feat: add client id specification for oras store workload identity auth provider by @fseldow in #667
• test: add e2e test for AKV by @binbin-li in #644
• doc: update doc for Azure Workload Identity setup by @binbin-li in #649
• test: fix azure managed identity client id quote by @akashsinghal in #670
• chore: Bump github/codeql-action from 2.2.4 to 2.2.5 by @dependabot in #675
• chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.14 to 1.18.15 by @dependabot in #674
• chore: Bump github.com/stretchr/testify from 1.8.1 to 1.8.2 by @dependabot in #672
• feat: add cosign support for private registries by @akashsinghal in #646
• fix: retract v1.1.0-alpha.1 by @noelbundick-msft in #677
• doc: Verifiers and CertificateStore CRD by @susanshi in #654
• fix: pin notation to specific version in e2e test by @akashsinghal in #682
• feat: support OCI Image by @akashsinghal in #683
• chore: prepare for 1.0.0-rc.2 release by @akashsinghal in #686