notaryproject/ratify v1.0.0-rc.3

on GitHub

New Features

• CRD version upgrade from v1alpha1 to v1beta1
  • Introducing Certificate Store CRD status, new properties includes IsSuccess, Error, LastFetchedTime properties. More info here.
  • Please note that users of previous CRD versions are now required to delete any Ratify CRDs manually when uninstalling Ratify.
  • More info here.
• Adding cross-region support for AWS auth provider
  • Adds region to the ECR client cfg for call to get AuthZ tokens. Maps retrieved creds to ECR registry host.
  • More info here
• Introducing initial Ratify metrics support
  • Introduces a new metrics exporter and provider implementation based on OpenTelemetry
  • Adds Prometheus as an exporter provider
  • Adds sample Grafana dashboard
  • More info here
• Introducing weekly dev builds and on-demand build request process
  • Cron schedule task that runs every Monday @ 08:30 UTC (12:30 am PST)
  • Also adds a manual workflow dispatch option for Maintainers
  • If you want to request a dev build on demand, you can check the guidelines here.

Documentation

• doc: update Ratify on Azure walkthrough by @FeynmanZhou in #665
• doc: Update quick start with local chart option by @susanshi in #681
• doc: Update doc guidance to use inline cert provider when working with certificate chain by @susanshi in #717
• docs: add support for bridge to kubernetes by @akashsinghal in #736
• doc: add "helm repo update" in README by @FeynmanZhou in #747
• docs: update k8s secrets auth provider by @akashsinghal in #749
• doc: delete CRDs when uninstalling Ratify by @binbin-li in #767
• doc: cert store status doc by @susanshi in #760

Tests

CLI

• Verifier Scenarios
  • Notation v2
  • Cosign
    • Keyed
    • Keyless
  • SBOM
  • License Checker
  • JSON Schema Validation
  • All verifier types in one
• Dynamic OCI Plugins
  • Verifier Plugin
  • Store Plugin
• OCI 1.0 spec compatability test

Kubernetes

• Verifier Scenarios
  • Notation v2
  • Cosign
  • SBOM
  • License Checker
  • JSON Schema Validation
  • All verifier types in one
• ORAS Store Authentication Providers
  • Docker
  • Kubernetes Secrets
  • Azure Workload Identity
  • Azure Managed Identity
• Certificate Store Providers
  • Inline Certificate
  • Azure Key Vault Certificate
• Mutation Provider
• Dynamic OCI Plugins
  • Verifier Plugin
• CertifacteProvider CRD Status

Bug Fixes

• fix: update plugin download logic for oci image support by @akashsinghal in #699
  fix: switch reference normalization to use docker parsing by @akashsinghal in #712
• fix: add cert validation logic to notation TrustStore by @binbin-li in #709
• fix: move azure specific code to azure auth package by @susanshi in #730
• fix: support multi signature verification in cosign verifier by @suganyas in #728
• fix: make notary cert optional rather than mandatory since it is not always required in helm ratify deploy by @suganyas in #733
• fix: pin licensechecker test to specific version by @akashsinghal in #753
• fix: update k8s version matrix for Azure e2e test by @binbin-li in #756
• fix: add time delay for prometheus exporter test by @akashsinghal in #770

Changelog

• chore: Bump k8s.io/api from 0.24.10 to 0.24.11 by @dependabot in #690
• chore: Bump k8s.io/client-go from 0.24.10 to 0.24.11 by @dependabot in #689
• ci: add weekly dev build by @akashsinghal in #679
• doc: update Ratify on Azure walkthrough by @FeynmanZhou in #665
• doc: Update quick start with local chart option by @susanshi in #681
• feat: bump up CRD version to v1beta1 by @binbin-li in #664
• test: build azure e2e test images by @binbin-li in #676
• ci: add commit hash to dev build tag by @akashsinghal in #697
• test: add more unit tests by @akashsinghal in #671
• chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.15 to 1.18.16 by @dependabot in #708
• chore: Bump github/codeql-action from 2.2.5 to 2.2.6 by @dependabot in #704
• chore: Bump github.com/golang/protobuf from 1.5.2 to 1.5.3 by @dependabot in #707
• fix: update plugin download logic for oci image support by @akashsinghal in #699
• test: add oci 1.0 fallback e2e test by @akashsinghal in #711
• refactor: Update cert store to a factory pattern by @susanshi in #691
• chore: add dev build guidance by @akashsinghal in #698
• chore: Bump actions/setup-go from 3 to 4 by @dependabot in #715
• chore: Bump github/codeql-action from 2.2.6 to 2.2.7 by @dependabot in #714
• chore: Bump github.com/aws/aws-sdk-go-v2/credentials from 1.13.16 to 1.13.17 by @dependabot in #720
• chore: Bump oras.land/oras-go/v2 from 2.0.0 to 2.0.2 by @dependabot in #722
• chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.16 to 1.18.18 by @dependabot in #721
• chore: Bump github.com/Azure/go-autorest/autorest/adal from 0.9.22 to 0.9.23 by @dependabot in #724
• chore: Bump k8s.io/client-go from 0.24.11 to 0.24.12 by @dependabot in #723
• fix: switch reference normalization to use docker parsing by @akashsinghal in #712
• doc: Update doc guidance to use inline cert provider when working with certificate chain by @susanshi in #717
• fix: add cert validation logic to notation TrustStore by @binbin-li in #709
• fix: move azure specific code to azure auth package by @susanshi in #730
• chore: Bump github/codeql-action from 2.2.7 to 2.2.8 by @dependabot in #732
• fix: support multi signature verification in cosign verifier by @suganyas in #728
• fix: make notary cert optional rather than mandatory since it is not always required in helm ratify deploy by @suganyas in #733
• chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.18 to 1.18.19 by @dependabot in #742
• docs: add support for bridge to kubernetes by @akashsinghal in #736
• doc: add "helm repo update" in README by @FeynmanZhou in #747
• chore: Bump github/codeql-action from 2.2.8 to 2.2.9 by @dependabot in #746
• refactor: switch retry client to native oras client by @akashsinghal in #745
• chore: Bump ossf/scorecard-action from 2.1.2 to 2.1.3 by @dependabot in #748
• fix: pin licensechecker test to specific version by @akashsinghal in #753
• chore: Bump github.com/go-logr/logr from 1.2.3 to 1.2.4 by @dependabot in #752
• chore: Bump github.com/docker/cli from 23.0.1+incompatible to 23.0.2+incompatible by @dependabot in #751
• docs: update k8s secrets auth provider by @akashsinghal in #749
• chore: Bump github.com/docker/docker from 20.10.20+incompatible to 20.10.24+incompatible by @dependabot in #754
• feat: add initial metrics support by @akashsinghal in #726
• chore: Bump github/codeql-action from 2.2.9 to 2.2.10 by @dependabot in #757
• chore: Bump github/codeql-action from 2.2.10 to 2.2.11 by @dependabot in #759
• chore: Bump github.com/aws/aws-sdk-go-v2 from 1.17.7 to 1.17.8 by @dependabot in #761
• chore: Bump github.com/docker/cli from 23.0.2+incompatible to 23.0.3+incompatible by @dependabot in #764
• chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.19 to 1.18.20 by @dependabot in #762
• fix: update k8s version matrix for Azure e2e test by @binbin-li in #756
• feat: Certificate store CRD status by @susanshi in #725
• doc: delete CRDs when uninstalling Ratify by @binbin-li in #767
• doc: cert store status doc by @susanshi in #760
• feat: xregion aws ecr auth by @jimmyraywv in #769
• fix: add time delay for prometheus exporter test by @akashsinghal in #770
• chore: Bump spdx tools-golang to 0.5.0 and associated refactor by @jeremyrickard in #768
• chore: update chart for rc3 release by @akashsinghal in #771

New Contributors

• @suganyas made their first contribution in #728
• @jeremyrickard made their first contribution in #768

Full Changelog: v1.0.0-rc.2...v1.0.0-rc.3