chore: update constraint templates (#1027)

Added initContainers, ephemeralContainers into current constraint templates

charts/ratify/templates/assign.yaml

@@ -64,4 +64,136 @@ spec:
     assign:
       externalData:
         provider: ratify-mutation-provider
+---
+{{ include "ratify.assignGKVersion" . }}
+kind: Assign
+metadata:
+  name: mutate-pod-image-init
+spec:
+  match:
+    scope: Namespaced
+    kinds:
+    - apiGroups: ["*"]
+      kinds: ["Pod"]
+    excludedNamespaces:
+      {{ include "ratify.assignExcludedNamespaces" . | nindent 6 }}
+  applyTo:
+  - groups: [""]
+    kinds: ["Pod"]
+    versions: ["v1"]
+  location: "spec.initContainers[name:*].image"
+  parameters:
+    assign:
+      externalData:
+        provider: ratify-mutation-provider
+---
+{{ include "ratify.assignGKVersion" . }}
+kind: Assign
+metadata:
+  name: mutate-workload-image-init
+spec:
+  match:
+    scope: Namespaced
+    kinds:
+    - apiGroups: ["apps", "batch"]
+      kinds: ["Deployment", "ReplicaSet", "StatefulSet", "DaemonSet", "Job"]
+    excludedNamespaces:
+      {{ include "ratify.assignExcludedNamespaces" . | nindent 6 }}
+  applyTo:
+  - groups: ["apps", "batch"]
+    kinds: ["Deployment", "ReplicaSet", "StatefulSet", "DaemonSet", "Job", "ReplicationController"]
+    versions: ["v1"]
+  location: "spec.template.spec.initContainers[name:*].image"
+  parameters:
+    assign:
+      externalData:
+        provider: ratify-mutation-provider
+---
+{{ include "ratify.assignGKVersion" . }}
+kind: Assign
+metadata:
+  name: mutate-cronjob-image-init
+spec:
+  match:
+    scope: Namespaced
+    kinds:
+    - apiGroups: ["batch"]
+      kinds: ["CronJob"]
+    excludedNamespaces:
+      {{ include "ratify.assignExcludedNamespaces" . | nindent 6 }}
+  applyTo:
+  - groups: ["batch"]
+    kinds: ["CronJob"]
+    versions: ["v1"]
+  location: "spec.jobTemplate.spec.template.spec.initContainers[name:*].image"
+  parameters:
+    assign:
+      externalData:
+        provider: ratify-mutation-provider
+---
+{{ include "ratify.assignGKVersion" . }}
+kind: Assign
+metadata:
+  name: mutate-pod-image-ephemeral
+spec:
+  match:
+    scope: Namespaced
+    kinds:
+    - apiGroups: ["*"]
+      kinds: ["Pod"]
+    excludedNamespaces:
+      {{ include "ratify.assignExcludedNamespaces" . | nindent 6 }}
+  applyTo:
+  - groups: [""]
+    kinds: ["Pod"]
+    versions: ["v1"]
+  location: "spec.ephemeralContainers[name:*].image"
+  parameters:
+    assign:
+      externalData:
+        provider: ratify-mutation-provider
+---
+{{ include "ratify.assignGKVersion" . }}
+kind: Assign
+metadata:
+  name: mutate-workload-image-ephemeral
+spec:
+  match:
+    scope: Namespaced
+    kinds:
+    - apiGroups: ["apps", "batch"]
+      kinds: ["Deployment", "ReplicaSet", "StatefulSet", "DaemonSet", "Job"]
+    excludedNamespaces:
+      {{ include "ratify.assignExcludedNamespaces" . | nindent 6 }}
+  applyTo:
+  - groups: ["apps", "batch"]
+    kinds: ["Deployment", "ReplicaSet", "StatefulSet", "DaemonSet", "Job", "ReplicationController"]
+    versions: ["v1"]
+  location: "spec.template.spec.ephemeralContainers[name:*].image"
+  parameters:
+    assign:
+      externalData:
+        provider: ratify-mutation-provider
+---
+{{ include "ratify.assignGKVersion" . }}
+kind: Assign
+metadata:
+  name: mutate-cronjob-image-ephemeral
+spec:
+  match:
+    scope: Namespaced
+    kinds:
+    - apiGroups: ["batch"]
+      kinds: ["CronJob"]
+    excludedNamespaces:
+      {{ include "ratify.assignExcludedNamespaces" . | nindent 6 }}
+  applyTo:
+  - groups: ["batch"]
+    kinds: ["CronJob"]
+    versions: ["v1"]
+  location: "spec.jobTemplate.spec.template.spec.ephemeralContainers[name:*].image"
+  parameters:
+    assign:
+      externalData:
+        provider: ratify-mutation-provider
 {{- end }}

library/default/template.yaml

@@ -15,7 +15,11 @@ spec:
         # Get data from Ratify
         remote_data := response {
           images := [img | img = input.review.object.spec.containers[_].image]
-          response := external_data({"provider": "ratify-provider", "keys": images})
+          images_init := [img | img = input.review.object.spec.initContainers[_].image]
+          images_ephemeral := [img | img = input.review.object.spec.ephemeralContainers[_].image]
+          other_images := array.concat(images_init, images_ephemeral)
+          all_images := array.concat(other_images, images)
+          response := external_data({"provider": "ratify-provider", "keys": all_images})
         }
 
         # Base Gatekeeper violation

library/notation-issuer-validation/template.yaml

@@ -21,7 +21,11 @@ spec:
         # Get data from Ratify
         remote_data := response {
           images := [img | img = input.review.object.spec.containers[_].image]
-          response := external_data({"provider": "ratify-provider", "keys": images})
+          images_init := [img | img = input.review.object.spec.initContainers[_].image]
+          images_ephemeral := [img | img = input.review.object.spec.ephemeralContainers[_].image]
+          other_images := array.concat(images_init, images_ephemeral)
+          all_images := array.concat(other_images, images)
+          response := external_data({"provider": "ratify-provider", "keys": all_images})
         }
 
         # Base Gatekeeper violation

library/notation-validation/template.yml

@@ -15,7 +15,11 @@ spec:
         # Get data from Ratify
         remote_data := response {
           images := [img | img = input.review.object.spec.containers[_].image]
-          response := external_data({"provider": "ratify-provider", "keys": images})
+          images_init := [img | img = input.review.object.spec.initContainers[_].image]
+          images_ephemeral := [img | img = input.review.object.spec.ephemeralContainers[_].image]
+          other_images := array.concat(images_init, images_ephemeral)
+          all_images := array.concat(other_images, images)
+          response := external_data({"provider": "ratify-provider", "keys": all_images})
         }
 
         # Base Gatekeeper violation

library/sbom-validation/template.yaml

@@ -15,7 +15,11 @@ spec:
         # Get data from Ratify
         remote_data := response {
           images := [img | img = input.review.object.spec.containers[_].image]
-          response := external_data({"provider": "ratify-provider", "keys": images})
+          images_init := [img | img = input.review.object.spec.initContainers[_].image]
+          images_ephemeral := [img | img = input.review.object.spec.ephemeralContainers[_].image]
+          other_images := array.concat(images_init, images_ephemeral)
+          all_images := array.concat(other_images, images)
+          response := external_data({"provider": "ratify-provider", "keys": all_images})
         }
 
         # Base Gatekeeper violation