test: add e2e tests for multi-tenancy

.github/workflows/build-pr.yml

@@ -73,7 +73,7 @@ jobs:
       - name: Check out code into the Go module directory
         uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
       - name: Set up Go 1.21
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version: '1.21'
 

.github/workflows/codeql.yml

@@ -29,7 +29,7 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # tag=3.0.2
       - name: setup go environment
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version: "1.21"
       - name: Initialize CodeQL

.github/workflows/e2e-aks.yml

@@ -30,7 +30,7 @@ jobs:
       - name: Check out code into the Go module directory
         uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
       - name: Set up Go 1.21
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version: '1.21'
 

.github/workflows/e2e-cli.yml

@@ -29,7 +29,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b
       - name: setup go environment
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version: "1.21"
       - name: Run tidy
@@ -39,7 +39,7 @@ jobs:
       - name: Check build
         run: bin/ratify version
       - name: Upload coverage to codecov.io
-        uses: codecov/codecov-action@84508663e988701840491b86de86b666e8a86bed # v4.3.0
+        uses: codecov/codecov-action@5ecb98a3c6b747ed38dc09f787459979aebb39be # v4.3.1
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
       - name: Run helm lint
@@ -53,7 +53,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
       - name: setup go environment
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version: "1.21"
       - name: Run tidy
@@ -67,7 +67,7 @@ jobs:
           make install ratify-config install-bats
           make test-e2e-cli GOCOVERDIR=${GITHUB_WORKSPACE}/test/e2e/.cover
       - name: Upload coverage to codecov.io
-        uses: codecov/codecov-action@84508663e988701840491b86de86b666e8a86bed # v4.3.0
+        uses: codecov/codecov-action@5ecb98a3c6b747ed38dc09f787459979aebb39be # v4.3.1
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
   markdown-link-check:

.github/workflows/e2e-k8s.yml

@@ -28,7 +28,7 @@ jobs:
       - name: Check out code into the Go module directory
         uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
       - name: Set up Go 1.21
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version: '1.21'
 

.github/workflows/golangci-lint.yml

@@ -14,11 +14,11 @@ jobs:
     name: lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version: '1.21'
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@9d1e0624a798bb64f6c3cea93db47765312263dc # v5.1.0
+        uses: golangci/golangci-lint-action@38e1018663fa5173f3968ea0777460d3de38f256 # v5.3.0
         with:
           version: v1.55.2

.github/workflows/high-availability.yml

@@ -32,7 +32,7 @@ jobs:
       - name: Check out code into the Go module directory
         uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
       - name: Set up Go 1.21
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version: '1.21'
 

.github/workflows/quick-start.yml

@@ -32,7 +32,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
       - name: setup go environment
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version: "1.21"
       - name: Run tidy

.github/workflows/release.yml

@@ -21,7 +21,7 @@ jobs:
           fetch-depth: 0
 
     - name: Set up Go
-      uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+      uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
       with:
         go-version: '1.21'
 

.github/workflows/run-full-validation.yml

@@ -63,7 +63,7 @@ jobs:
       - name: Check out code into the Go module directory
         uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
       - name: Set up Go 1.21
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version: '1.21'
 

Makefile

@@ -125,17 +125,17 @@ delete-ratify:
 
 .PHONY: deploy-demo-constraints
 deploy-demo-constraints:
-	kubectl apply -f ./library/default/template.yaml
-	kubectl apply -f ./library/default/samples/constraint.yaml
+	kubectl apply -f ./library/multi-tenancy-validation/template.yaml
+	kubectl apply -f ./library/multi-tenancy-validation/samples/constraint.yaml
 
 .PHONY: delete-demo-constraints
 delete-demo-constraints:
-	kubectl delete -f ./library/default/template.yaml
-	kubectl delete -f ./library/default/samples/constraint.yaml
+	kubectl delete -f ./library/multi-tenancy-validation/template.yaml
+	kubectl delete -f ./library/multi-tenancy-validation/samples/constraint.yaml
 
 .PHONY: deploy-rego-policy
 deploy-rego-policy:
-	kubectl apply -f ./config/samples/clustered/policy/config_v1beta1_policy_rego.yaml
+	kubectl replace -f ./config/samples/clustered/policy/config_v1beta1_policy_rego.yaml
 
 .PHONY: deploy-gatekeeper
 deploy-gatekeeper:

config/samples/namespaced/verifier/config_v1beta1_verifier_cosign.yaml

@@ -11,4 +11,4 @@ spec:
         scopes:
           - "*"
         keys:
-          - provider: ratify-cosign-inline-key-0
+          - provider: default/ratify-cosign-inline-key-0

config/samples/namespaced/verifier/config_v1beta1_verifier_notation.yaml

@@ -8,7 +8,7 @@ spec:
   parameters:
      verificationCertStores:
        certs:
-         - ratify-notation-inline-cert-0
+         - default/ratify-notation-inline-cert-0
      trustPolicyDoc:
       version: "1.0"
       trustPolicies:

internal/context/utils.go

@@ -22,16 +22,16 @@ import (
 
 type contextKey string
 
-const contextKeyNamespace = contextKey("namespace")
+const ContextKeyNamespace = contextKey("namespace")
 
 // SetContextWithNamespace embeds namespace to the context.
 func SetContextWithNamespace(ctx context.Context, namespace string) context.Context {
-	return context.WithValue(ctx, contextKeyNamespace, namespace)
+	return context.WithValue(ctx, ContextKeyNamespace, namespace)
 }
 
 // GetNamespace returns the embedded namespace from the context.
 func GetNamespace(ctx context.Context) string {
-	namespace := ctx.Value(contextKeyNamespace)
+	namespace := ctx.Value(ContextKeyNamespace)
 	if namespace == nil {
 		return ""
 	}
@@ -40,7 +40,7 @@ func GetNamespace(ctx context.Context) string {
 
 // CreateCacheKey creates a new cache key prefixed with embedded namespace.
 func CreateCacheKey(ctx context.Context, key string) string {
-	namespace := ctx.Value(contextKeyNamespace)
+	namespace := ctx.Value(ContextKeyNamespace)
 	if namespace == nil {
 		return key
 	}

internal/context/utils_test.go

@@ -28,7 +28,7 @@ const (
 func TestSetContext(t *testing.T) {
 	ctx := context.Background()
 	ctx = SetContextWithNamespace(ctx, testNamespace)
-	namespace := ctx.Value(contextKeyNamespace).(string)
+	namespace := ctx.Value(ContextKeyNamespace).(string)
 	if namespace != testNamespace {
 		t.Fatalf("expected namespace %s, got %s", testNamespace, namespace)
 	}

internal/logger/logger.go

@@ -23,6 +23,7 @@ import (
 
 	logstash "github.com/bshuster-repo/logrus-logstash-hook"
 	re "github.com/deislabs/ratify/errors"
+	icontext "github.com/deislabs/ratify/internal/context"
 	dcontext "github.com/docker/distribution/context"
 	"github.com/google/uuid"
 	"github.com/sirupsen/logrus"
@@ -93,6 +94,7 @@ func InitContext(ctx context.Context, r *http.Request) context.Context {
 
 // GetLogger returns a logger with provided values.
 func GetLogger(ctx context.Context, opt Option) dcontext.Logger {
+	ctx = dcontext.WithLogger(ctx, dcontext.GetLogger(ctx, icontext.ContextKeyNamespace))
 	ctx = context.WithValue(ctx, ContextKeyComponentType, opt.ComponentType)
 	return dcontext.GetLogger(ctx, ContextKeyComponentType)
 }

library/multi-tenancy-validation/samples/constraint.yaml

@@ -0,0 +1,11 @@
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: RatifyVerification
+metadata:
+  name: ratify-constraint
+spec:
+  enforcementAction: deny
+  match:
+    kinds:
+      - apiGroups: [""]
+        kinds: ["Pod"]
+    namespaces: ["default", "new-namespace"]

library/multi-tenancy-validation/template.yaml

@@ -0,0 +1,48 @@
+apiVersion: templates.gatekeeper.sh/v1beta1
+kind: ConstraintTemplate
+metadata:
+  name: ratifyverification
+spec:
+  crd:
+    spec:
+      names:
+        kind: RatifyVerification
+  targets:
+    - target: admission.k8s.gatekeeper.sh
+      rego: |
+        package ratifyverification
+
+        # Get data from Ratify
+        remote_data := response {
+          images := [img | img = concat("", ["[",input.review.object.metadata.namespace,"]",input.review.object.spec.containers[_].image])]
+          images_init := [img | img = concat("", ["[",input.review.object.metadata.namespace,"]",input.review.object.spec.initContainers[_].image])]
+          images_ephemeral := [img | img = concat("", ["[",input.review.object.metadata.namespace,"]",input.review.object.spec.ephemeralContainers[_].image])]
+          other_images := array.concat(images_init, images_ephemeral)
+          all_images := array.concat(other_images, images)
+          response := external_data({"provider": "ratify-provider", "keys": all_images})
+        }
+
+        # Base Gatekeeper violation
+        violation[{"msg": msg}] {
+          general_violation[{"result": msg}]
+        }
+
+        # Check if there are any system errors
+        general_violation[{"result": result}] {
+          err := remote_data.system_error
+          err != ""
+          result := sprintf("System error calling external data provider: %s", [err])
+        }
+
+        # Check if there are errors for any of the images
+        general_violation[{"result": result}] {
+          count(remote_data.errors) > 0
+          result := sprintf("Error validating one or more images: %s", remote_data.errors)
+        }
+
+        # Check if the success criteria is true
+        general_violation[{"result": result}] {
+          subject_validation := remote_data.responses[_]
+          subject_validation[1].isSuccess == false
+          result := sprintf("Subject failed verification: %s", [subject_validation[0]])
+        }