v1.0.0-rc.7
Pre-release
github-actions released this 25 Aug 22:01 · 647 commits to main since this release
✨ New Features
- Introducing OPA engine integration to support Rego Policy
  - Embeds the OPA engine in Ratify so that the service can make verifications using the OPA engine for Rego Policies.
  - Adds support for multiple verifiers against the same artifact.
  - Users can still provide a configuration Policy, which is the default option.
  - Introduces a new Policy controller and CRD that allow switching between configuration policy and Rego Policy at runtime
  - More information here
- Introducing support to enable High Availability (HA) for Ratify
  - Unifies all existing in-memory caches through a new cache interface that allows registering and specifying new cache providers
  - Implements Ristretto as the default cache provider
  - Implements support for Dapr cache provider
  - More info here
- Introducing integration with Helmfile Tool
  - Simplifies helm install for upgrade scenarios to HA support
  - Simplifies helm install for quick start experience
- Introducing Terraform configs for Azure
  - Adds Terraform configs to simplify the deployment of Azure Resources for Ratify
- Enable optional image mutation in Helm chart
  - Allows image mutation to be optional in the helm chart, since there might be scenarios where OPA Gatekeeper constraints are based on image tags.
- Introduce graceful shutdown for http server
  - Adds support for the ‘Shutdown’ command to be invoked on SIGTERM signal or interrupt OS command
  - Adds a channel to wait on the shutdown process to complete (6 second context timeout)
- Introducing improved error handling
  - Refactors most errors to a custom error struct
  - Introduces error codes for faster searching
  - Adds stacks to improve debuggability
  - Adds a configurable internal logger utility that initializes the logger for Ratify and configures the context with a trace-id from requests
  - More info here
- Introducing new Ratify arm64 & arm/v7 images
- Introducing new Ratify Logo
  - We are improving the project branding. Check out the new Ratify Logo here
💥 🚨 BREAKING CHANGES 🚨 💥
- Notation signature verifier name now registered using name `notation` instead of `notaryv2`
  - More information here
- `logLevel` helm chart value now found at `logger.level`
  - More information here
- TLS certs are NOT auto generated by Ratify chart. It's recommended to set `featureFlags.RATIFY_CERT_ROTATION` to true.
- PKCS12 certs with Azure Key Vault setup is NOT supported
📄 Documentation
- docs: add examples for using AWS Signer by @byronchien in #875
- docs: update community meeting to weekly wed by @susanshi in #896
- docs: redesign docs structure to improve navigation by @duffney in #897
- docs: add notaryv2 upgrade doc by @binbin-li in #999
- docs: fix the link for terraform installation by @yizha1 in #1014
🧪 Tests
CLI
- Verifier Scenarios
  - Notation
  - Cosign
    - Keyed
    - Keyless
  - SBOM
  - License Checker
  - JSON Schema Validation
  - All verifier types in one
- Dynamic OCI Plugins
  - Verifier Plugin
  - Store Plugin

Kubernetes
- Verifier Scenarios
  - Notation
  - Cosign
  - SBOM
  - License Checker
  - JSON Schema Validation
  - All verifier types in one
- ORAS Store Authentication Providers
  - Docker
  - Kubernetes Secrets
  - Azure Workload Identity
  - Azure Managed Identity
- Certificate Store Providers
  - Inline Certificate
  - Azure Key Vault Certificate
- Mutation Provider
- Dynamic OCI Plugins
  - Verifier Plugin
- CertificateProvider CRD Status
- TLS Certificate
  - TLS Certificate Watcher
  - TLS Certificate Rotation
- High Availability Tests
  - 2 Replicas, Redis + Dapr, Notation
🐛 🩹 Bug Fixes
- fix: helm chart generated cert refers to helm release name in subject by @fseldow in #885
- fix: new sample images should be signed by notation rc7 by @susanshi in #905
- fix: update quick start to ghcr image by @susanshi in #906
- fix: update notary.crt to reflect latest sample by @susanshi in #909
- fix: publish ratify image with plugin by @susanshi in #916
- fix: downgrade goreleaser to last stable version by @susanshi in #922
- fix: upgrade notation rc3->rc7 by @junczhu in #923
- fix: fix Policy CRD by @binbin-li in #962
- fix: change name of notation cert file in helmfile by @akashsinghal in #975
- fix: update links in ratify configuration doc by @susanshi in #985
- fix: Updating akv cert provider to use getSecret by @susanshi in #957
- fix: adding experimental to dynamic plugin flag by @susanshi in #980
- fix: fix broken Azure tests by @binbin-li in #1009
- fix: display cert store status by @susanshi in #1021
🎉 New Contributors
- @duffney made their first contribution in #884
- @junczhu made their first contribution in #923
- @yizha1 made their first contribution in #926
- @mannbiher made their first contribution in #944
📝 Changelog
- docs: add examples for using AWS Signer by @byronchien in #875
- chore: bump github.com/aws/aws-sdk-go-v2/config from 1.18.25 to 1.18.27 by @dependabot in #895
- chore: bump k8s.io/api from 0.26.5 to 0.26.6 by @dependabot in #894
- fix: helm chart generated cert refers to helm release name in subject by @fseldow in #885
- docs: update community meeting to weekly wed by @susanshi in #896
- feat: add Terraform configs for Azure by @duffney in #884
- build: upgrade go lint by @akashsinghal in #892
- chore: add ratify logo by @FeynmanZhou in #898
- chore: bump ossf/scorecard-action from 2.1.3 to 2.2.0 by @dependabot in #903
- chore: bump k8s.io/client-go from 0.26.1 to 0.26.6 by @dependabot in #902
- chore: bump sigs.k8s.io/controller-runtime from 0.14.2 to 0.14.6 by @dependabot in #904
- chore: create publish-sample.yml by @susanshi in #900
- chore: add logo to README by @akashsinghal in #899
- fix: new sample images should be signed by notation rc7 by @susanshi in #905
- fix: update quick start to ghcr image by @susanshi in #906
- fix: update notary.crt to reflect latest sample by @susanshi in #909
- fix: publish ratify image with plugin by @susanshi in #916
- chore: update chart for v1.0.0-rc.6 by @susanshi in #921
- fix: downgrade goreleaser to last stable version by @susanshi in #922
- fix: upgrade notation rc3->rc7 by @junczhu in #923
- build: use latest sbom-tool by @binbin-li in #917
- docs: redesign docs structure to improve navigation by @duffney in #897
- chore: bump google.golang.org/grpc from 1.55.0 to 1.55.1 by @dependabot in #925
- chore: add triage label to issue template by @yizha1 in #926
- feat: add opa engine and support Rego policy by @binbin-li in #798
- ci: delete oci artifact tests by @akashsinghal in #928
- chore: bump github.com/aws/aws-sdk-go-v2/config from 1.18.27 to 1.18.28 by @dependabot in #934
- chore: upgrade to image spec rc4 and oras-go 2.2.1 by @akashsinghal in #931
- feat: add policy crd and controller by @binbin-li in #933
- feat: unify caches, add ristretto and Dapr cache providers by @akashsinghal in #901
- chore: bump k8s.io/api from 0.26.6 to 0.26.7 by @dependabot in #947
- chore: bump k8s.io/client-go from 0.26.6 to 0.26.7 by @dependabot in #946
- chore: bump github.com/sigstore/sigstore from 1.6.4 to 1.6.5 by @dependabot in #865
- chore: bump github.com/notaryproject/notation-go from 1.0.0-rc.6 to 1.0.0 by @dependabot in #954
- chore: bump github.com/aws/aws-sdk-go-v2 from 1.19.0 to 1.19.1 by @dependabot in #955
- chore: bump k8s.io/client-go from 0.27.3 to 0.27.4 by @dependabot in #953
- chore: bump google.golang.org/grpc from 1.56.0 to 1.56.2 by @dependabot in #952
- chore: bump github.com/spdx/tools-golang from 0.5.2 to 0.5.3 by @dependabot in #951
- build: pin sbom-tool version to v1.2.0 by @binbin-li in #967
- fix: fix Policy CRD by @binbin-li in #962
- feat: add helmfile support by @akashsinghal in #948
- feat: optional image mutation in helm chart by @mannbiher in #944
- chore: bump sigs.k8s.io/controller-runtime from 0.15.0 to 0.15.1 by @dependabot in #970
- chore: bump github.com/aws/aws-sdk-go-v2/config from 1.18.28 to 1.18.32 by @dependabot in #969
- chore!: update-notation ref by @junczhu in #940
- fix: change name of notation cert file in helmfile by @akashsinghal in #975
- chore: bump actions/setup-go from 4.0.1 to 4.1.0 by @dependabot in #976
- chore: bump goreleaser/goreleaser-action from 4.3.0 to 4.4.0 by @dependabot in #979
- feat: restrict list/watch/update/create access of Secrets namespaced by @binbin-li in #961
- fix: update links in ratify configuration doc by @susanshi in #985
- chore: add Policy definition in PROJECT by @binbin-li in #986
- feat: skip helm genCA if cert-rotator enabled by @binbin-li in #965
- chore: bump github.com/sigstore/sigstore from 1.7.1 to 1.7.2 by @dependabot in #989
- chore: bump github.com/aws/aws-sdk-go-v2 from 1.20.0 to 1.20.1 by @dependabot in #990
- fix: fix cert-rotator test by @binbin-li in #992
- chore: bump github.com/aws/aws-sdk-go-v2/config from 1.18.32 to 1.18.33 by @dependabot in #988
- feat: add graceful shutdown for http server by @akashsinghal in #949
- fix: Updating akv cert provider to use getSecret by @susanshi in #957
- chore: bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 by @dependabot in #997
- chore: bump actions/setup-go from 4.0.1 to 4.1.0 by @dependabot in #996
- fix: adding experimental to dynamic plugin flag by @susanshi in #980
- refactor: refactor error handling by @binbin-li in #956
- docs: add notaryv2 upgrade doc by @binbin-li in #999
- chore: bump github.com/aws/aws-sdk-go-v2/credentials from 1.13.32 to 1.13.34 by @dependabot in #1005
- chore: bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.3.0 to 1.3.1 by @dependabot in #1007
- chore: bump github.com/aws/aws-sdk-go-v2/config from 1.18.33 to 1.18.35 by @dependabot in #1004
- fix: fix broken Azure tests by @binbin-li in #1009
- feat: update ratify release pipeline to support arm64 image by @susanshi in #987
- docs: fix the link for terraform installation by @yizha1 in #1014
- refactor: refactor log by @binbin-li in #1008
- fix: display cert store status by @susanshi in #1021
- refactor: use new logger util to replace logrus by @binbin-li in #1023
- chore: Bump actions/checkout from 3.5.3 to 3.6.0 by @dependabot in #1028
- chore: update constraint templates by @junczhu in #1027
- chore: prepare rc7 release by @akashsinghal in #1031
Full Changelog: v1.0.0-rc.5...v1.0.0-rc.7