Skip to content

v1.0.0
Compare
Choose a tag to compare
@github-actions github-actions released this 26 Sep 20:22
· 604 commits to main since this release
v1.0.0
6cceec1
This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Learn about vigilant mode.

Ratify v1

Ratify is a verification engine available as a binary executable and on Kubernetes that enables customers to author policies to verify security artifact metadata, such as image signatures and SBOMs, and allows deployment of only those that comply with these policies. This is the first stable release v1.0.0🎉.

Important

Experimental features are only intended for testing in a development environment and should not be used in production. Please adhere to the specified feature and performance limits for production workloads. More information can be found in the ratify documentation.

Key Features

  • Ratify as a CLI binary for verifying artifacts stored in a registry
  • Out-of-box support in published helm chart for running Ratify as an External Data Provider for Gatekeeper admission controller
  • Native Kubernetes support for managing and running Ratify as a scalable & reliable service
    • Verifier, Store, Certificate Store, and Policy CRDs for simple Ratify configuration
    • TLS certificate management and rotation for mTLS service-to-service communication
    • Standardized logging and prometheus metrics support + Grafana dashboard.
  • Extensible plugin model to support new verifier and referrer store plugins
    • 1st party support for Notation verifier and registry interaction via ORAS referrer store.
    • External verifiers such as Cosign, SBOM, SPDX, Licensechecker, etc.
  • Built-in policy evaluation engine support using embedded OPA engine or config-based policies.
  • Built-in certificate stores makes interacting with Key Management Systems (KMS) simple.

Experimental Features

  • Ratify in High Availability (HA) mode using a distributed cache (dapr + redis)

What's Changed since v1.0.0-rc8

  • Add end-to-end test for init containers and ephemeral container mutation/verification. See #1086
  • Update Policy CRD to contain a type instead of metadata for determing policy provider. See #1079

💥 🚨 BREAKING CHANGES 🚨 💥

  • Policy CRD now REQUIRES crd's metadata.name to be ratify-policy. spec.type must be rego-policy or config-policy ONLY.
    • See #1079 for more information

📄 Documentation

🧪 Tests

CLI

  • Verifier Scenarios
    • Notation
    • Cosign
      • Keyed
      • Keyless
    • SBOM
    • License Checker
    • JSON Schema Validation
    • All verifier types in one
  • Dynamic OCI Plugins
    • Verifier Plugin
    • Store Plugin

Kubernetes

  • Verifier Scenarios
    • Notation
    • Cosign
    • SBOM
    • License Checker
    • JSON Schema Validation
    • All verifier types in one
  • ORAS Store Authentication Providers
    • Docker
    • Kubernetes Secrets
    • Azure Workload Identity
    • Azure Managed Identity
  • Certificate Store Providers
    • Inline Certificate
    • Azure Key Vault Certificate
  • Mutation Provider
  • Dynamic OCI Plugins
    • Verifier Plugin
  • CertificateProvider CRD Status
  • TLS Certificate
    • TLS Certificate Watcher
    • TLS Certificate Rotation
  • High Availability Tests
    • 2 Replicas, Redis + Dapr, Notation
  • Quick Start helmfile.yaml test

🐛 🩹 Bug Fixes

📝 Changelog

  • fix: update helmfile.yaml for rc8 by @susanshi in #1069
  • chore: Bump github.com/docker/cli from 24.0.0+incompatible to 24.0.6+incompatible by @dependabot in #1070
  • chore: Bump goreleaser/goreleaser-action from 4.6.0 to 5.0.0 by @dependabot in #1077
  • chore: Bump actions/upload-artifact from 3.1.2 to 3.1.3 by @dependabot in #1063
  • chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.38 to 1.18.39 by @dependabot in #1073
  • chore: Bump github.com/Azure/azure-sdk-for-go/sdk/azcore from 1.7.1 to 1.7.2 by @dependabot in #1071
  • chore: Bump docker/login-action from 2.2.0 to 3.0.0 by @dependabot in #1080
  • docs: create ratify-weekly-notes-2023-Jan-2023-Jul.md by @susanshi in #1081
  • chore: update local build doc by @junczhu in #1075
  • chore: Bump k8s.io/client-go from 0.27.5 to 0.27.6 by @dependabot in #1085
  • test: add constraint template e2e test for initContainers and ephemeralContainers by @junczhu in #1086
  • chore: Bump github.com/opencontainers/image-spec from 1.1.0-rc4 to 1.1.0-rc5 by @dependabot in #1082
  • fix: update e2e resource for initContainers and ephemeralContainers by @junczhu in #1088
  • feat: add type to policy CRD by @binbin-li in #1079
  • chore: Bump github.com/aws/aws-sdk-go-v2/config from 1.18.39 to 1.18.42 by @dependabot in #1094
  • chore: Bump actions/checkout from 4.0.0 to 4.1.0 by @dependabot in #1092
  • docs: redirect to website by @susanshi in #1087
  • fix: update errors doc reference links by @akashsinghal in #1098
  • chore: prepare for v1.0.0 release by @akashsinghal in #1097

Full Changelog: v1.0.0-rc.8...v1.0.0

Contributors

binbin-li, susanshi, and 3 other contributors
Assets 8
Loading