Merge branch 'main' into multi-tenancy-design

.devcontainer/Dockerfile

@@ -1,3 +1,16 @@
+# Copyright The Ratify Authors.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 # See here for image contents: https://github.com/microsoft/vscode-dev-containers/tree/v0.245.2/containers/go/.devcontainer/base.Dockerfile
 
 # [Choice] Go version (use -bullseye variants on local arm64/Apple Silicon): 1, 1.19, 1.18, 1-bullseye, 1.19-bullseye, 1.18-bullseye, 1-buster, 1.19-buster, 1.18-buster

.devcontainer/post-create.sh

@@ -1,3 +1,16 @@
+# Copyright The Ratify Authors.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 #!/bin/bash
 set -euo pipefail
 

.github/licenserc.yml

@@ -0,0 +1,59 @@
+# Copyright The Ratify Authors.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+header:
+  license:
+    spdx-id: Apache-2.0
+    content: |
+      Copyright The Ratify Authors.
+      Licensed under the Apache License, Version 2.0 (the "License");
+      you may not use this file except in compliance with the License.
+      You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+      Unless required by applicable law or agreed to in writing, software
+      distributed under the License is distributed on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+      See the License for the specific language governing permissions and
+      limitations under the License.
+
+  paths-ignore:
+    - "**/*.{md,svg,yaml,crt,json,pub,yml,pb.go,proto}"
+    - "CODEOWNERS"
+    - "PROJECT"
+    - "NOTICE"
+    - "LICENSE"
+    - "MAINTAINERS"
+    - "go.mod"
+    - "go.sum"
+    - "**/testdata/**"
+    - "charts/**/*"
+    - ".gitignore"
+    - ".devcontainer/gatekeeper.http"
+
+  comment: on-failure
+
+dependency:
+  files:
+    - go.mod
+  licenses:
+    - name: github.com/spdx/tools-golang
+      version: v0.5.3
+      license: Apache-2.0
+    - name: github.com/alibabacloud-go/cr-20160607 # TODO: remove this when library is upgraded to v2.0.0
+      version: v1.0.1
+      license: Apache-2.0
+    - name: github.com/rcrowley/go-metrics # TODO: remove this when library is removed or under compatible license
+      version: v0.0.0-20201227073835-cf1acfcdf475
+      license: BSD-2-Clause

.github/workflows/build-pr.yml

@@ -16,6 +16,22 @@ on:
 permissions: read-all
 
 jobs:
+  check-license:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+      - name: Check license header
+        uses: apache/skywalking-eyes/header@a790ab8dd23a7f861c18bd6aaa9b012e3a234bce
+        with:
+          mode: check
+          config: .github/licenserc.yml
+      - name: Check dependencies license
+        uses: apache/skywalking-eyes/dependency@a790ab8dd23a7f861c18bd6aaa9b012e3a234bce
+        with:
+          config: .github/licenserc.yml
+          flags:
+            --weak-compatible=true
   build:
     runs-on: ubuntu-latest
     steps:
@@ -70,8 +86,8 @@ jobs:
       contents: read
     strategy:
       matrix:
-        KUBERNETES_VERSION: ["1.25.8", "1.26.3"]
-        GATEKEEPER_VERSION: ["3.11.0", "3.12.0", "3.13.0"]
+        KUBERNETES_VERSION: ["1.26.10", "1.27.7"]
+        GATEKEEPER_VERSION: ["3.12.0", "3.13.0", "3.14.0"]
     steps:
       - name: Check out code into the Go module directory
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -130,8 +146,8 @@ jobs:
       contents: read
     strategy:
       matrix:
-        KUBERNETES_VERSION: ["1.25.6", "1.26.6"]
-        GATEKEEPER_VERSION: ["3.11.0", "3.12.0", "3.13.0"]
+        KUBERNETES_VERSION: ["1.26.10", "1.27.7"]
+        GATEKEEPER_VERSION: ["3.12.0", "3.13.0", "3.14.0"]
     steps:
       - name: Check out code into the Go module directory
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -141,7 +157,7 @@ jobs:
           go-version: '1.20'
 
       - name: Az CLI login
-        uses: azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
+        uses: azure/login@4c88f01b0e3a5600e08a37889921afd060f75cf0 # v1.5.0
         with:
           creds: '{"clientId":"${{ env.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ env.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ env.AZURE_TENANT_ID }}"}'
 
@@ -197,7 +213,7 @@ jobs:
           go-version: '1.20'
 
       - name: Az CLI login
-        uses: azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
+        uses: azure/login@4c88f01b0e3a5600e08a37889921afd060f75cf0 # v1.5.0
         with:
           creds: '{"clientId":"${{ env.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","subscriptionId":"${{ env.AZURE_SUBSCRIPTION_ID }}","tenantId":"${{ env.AZURE_TENANT_ID }}"}'
 

.github/workflows/publish-package.yml

@@ -54,7 +54,7 @@ jobs:
       - name: docker build ratify-crds
         run: |
           docker buildx create --use
-          docker buildx build --build-arg KUBE_VERSION="1.25.4" -f crd.Dockerfile --platform linux/amd64,linux/arm64,linux/arm/v7 --label org.opencontainers.image.revision=${{ github.sha }} -t ${{ steps.prepare.outputs.crdref }} --push ./charts/ratify/crds
+          docker buildx build --build-arg KUBE_VERSION="1.27.7" -f crd.Dockerfile --platform linux/amd64,linux/arm64,linux/arm/v7 --label org.opencontainers.image.revision=${{ github.sha }} -t ${{ steps.prepare.outputs.crdref }} --push ./charts/ratify/crds
       - name: docker build ratify base
         run: |
           docker buildx create --use         

.github/workflows/quick-start.yml

@@ -22,7 +22,7 @@ jobs:
       contents: read
     strategy:
       matrix:
-        KUBERNETES_VERSION: ["1.26.3"]
+        KUBERNETES_VERSION: ["1.27.7"]
     steps:
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

CONTRIBUTING.md

@@ -145,7 +145,7 @@ export REGISTRY=yourregistry
 docker buildx create --use
 
 docker buildx build -f httpserver/Dockerfile --platform linux/amd64 --build-arg build_cosign=true --build-arg build_sbom=true --build-arg build_licensechecker=true --build-arg build_schemavalidator=true -t ${REGISTRY}/deislabs/ratify:yourtag .
-docker build --progress=plain --build-arg KUBE_VERSION="1.25.0" --build-arg TARGETOS="linux" --build-arg TARGETARCH="amd64" -f crd.Dockerfile -t ${REGISTRY}/localbuildcrd:yourtag ./charts/ratify/crds
+docker build --progress=plain --build-arg KUBE_VERSION="1.27.7" --build-arg TARGETOS="linux" --build-arg TARGETARCH="amd64" -f crd.Dockerfile -t ${REGISTRY}/localbuildcrd:yourtag ./charts/ratify/crds
 ```
 
 #### [Authenticate](https://docs.docker.com/engine/reference/commandline/login/#usage) with your registry,  and push the newly built image
@@ -184,7 +184,7 @@ image:
 ```
 
 Deploy using one of the following deployments.
-Note: Ratify is compatible with Gatkeeper >= 3.11.0. Server auth is required to be enabled.
+Note: Ratify is compatible with Gatekeeper >= 3.12.0. Server auth is required to be enabled.
 
 **Option 1**
 Client auth disabled and server auth enabled using self signed certificate

Makefile

@@ -1,3 +1,16 @@
+# Copyright The Ratify Authors.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 BINARY_NAME		= ratify
 INSTALL_DIR		= ~/.ratify
 CERT_DIR        = ${GITHUB_WORKSPACE}/tls/certs
@@ -13,8 +26,9 @@ LDFLAGS += -X $(GO_PKG)/internal/version.GitTreeState=$(GIT_TREE_STATE)
 LDFLAGS += -X $(GO_PKG)/internal/version.GitTag=$(GIT_TAG)
 
 KIND_VERSION ?= 0.14.0
-KUBERNETES_VERSION ?= 1.26.3
-GATEKEEPER_VERSION ?= 3.13.0
+KUBERNETES_VERSION ?= 1.27.7
+KIND_KUBERNETES_VERSION ?= 1.27.3
+GATEKEEPER_VERSION ?= 3.14.0
 DAPR_VERSION ?= 1.11.1
 COSIGN_VERSION ?= 1.13.1
 NOTATION_VERSION ?= 1.0.0-rc.7
@@ -195,7 +209,7 @@ e2e-dependencies:
 	mv oras-install/oras ${GITHUB_WORKSPACE}/bin
 	rm -rf oras*.tar.gz oras-install/
 
-KIND_NODE_VERSION := kindest/node:v$(KUBERNETES_VERSION)
+KIND_NODE_VERSION := kindest/node:v$(KIND_KUBERNETES_VERSION)
 
 e2e-create-local-registry: e2e-run-local-registry e2e-create-all-image
 
@@ -417,16 +431,10 @@ e2e-azure-setup: e2e-create-all-image e2e-notation-setup e2e-notation-leaf-cert-
 
 e2e-deploy-gatekeeper: e2e-helm-install
 	./.staging/helm/linux-amd64/helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
-	./.staging/helm/linux-amd64/helm install gatekeeper/gatekeeper  \
-	--version ${GATEKEEPER_VERSION} \
-    --name-template=gatekeeper \
-    --namespace ${GATEKEEPER_NAMESPACE} --create-namespace \
-    --set enableExternalData=true \
-    --set validatingWebhookTimeoutSeconds=5 \
-    --set mutatingWebhookTimeoutSeconds=2 \
-    --set auditInterval=0
-
+	if [ ${GATEKEEPER_VERSION} = "3.12.0" ] || [ ${GATEKEEPER_VERSION} = "3.13.0" ]; then ./.staging/helm/linux-amd64/helm install gatekeeper/gatekeeper --version ${GATEKEEPER_VERSION} --name-template=gatekeeper --namespace ${GATEKEEPER_NAMESPACE} --create-namespace --set enableExternalData=true --set validatingWebhookTimeoutSeconds=5 --set mutatingWebhookTimeoutSeconds=2 --set auditInterval=0; fi
 	if [ ${GATEKEEPER_VERSION} = "3.13.0" ]; then kubectl -n ${GATEKEEPER_NAMESPACE} patch deployment gatekeeper-controller-manager --type=json -p='[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value": "--external-data-provider-response-cache-ttl=1s"}]' && sleep 60; fi
+	# Gatekeeper versions >= 3.14.0 need a special helm value to override the default external data response cache ttl to 10s
+	if [ ${GATEKEEPER_VERSION} != "3.12.0" ] && [ ${GATEKEEPER_VERSION} != "3.13.0" ]; then ./.staging/helm/linux-amd64/helm install gatekeeper/gatekeeper --version ${GATEKEEPER_VERSION} --name-template=gatekeeper --namespace ${GATEKEEPER_NAMESPACE} --create-namespace --set enableExternalData=true --set validatingWebhookTimeoutSeconds=5 --set mutatingWebhookTimeoutSeconds=2 --set auditInterval=0 --set externaldataProviderResponseCacheTTL=1s; fi
 
 e2e-build-crd-image:
 	docker build --progress=plain --no-cache --build-arg KUBE_VERSION=${KUBERNETES_VERSION} --build-arg TARGETOS="linux" --build-arg TARGETARCH="amd64" -f crd.Dockerfile -t localbuildcrd:test ./charts/ratify/crds

charts/ratify/README.md

@@ -53,7 +53,7 @@ $ helm upgrade -n gatekeeper-system [RELEASE_NAME] ratify/ratify
 | resources.requests.memory                          | Memory request of Ratify Deployment                                                                                                                                                                                                 | `512Mi`                        |
 | serviceAccount.create                              | Create new dedicated Ratify service account                                                                                                                                                                                         | `true`                         |
 | serviceAccount.name                                | Name of Ratify service account to create                                                                                                                                                                                            | `ratify-admin`                 |
-| gatekeeper.version                                 | Determines the Gatekeeper CRD versioning                                                                                                                                                                                            | `3.13.0`                       |
+| gatekeeper.version                                 | Determines the Gatekeeper CRD versioning                                                                                                                                                                                            | `3.14.0`                       |
 | gatekeeper.namespace                               | Namespace Gatekeeper is installed                                                                                                                                                                                                   | `gatekeeper-system`            |
 | instrumentation.metricsEnabled                     | Initializes the configured metrics provider                                                                                                                                                                                         | `true`                         |
 | instrumentation.metricsType                        | Specifies the metrics provider type                                                                                                                                                                                                 | `prometheus`                   |

charts/ratify/values.yaml

@@ -26,7 +26,7 @@ serviceAccount:
   create: true
   name: ratify-admin
 gatekeeper:
-  version: "3.13.0"
+  version: "3.14.0"
   namespace: # default is gatekeeper-system
 instrumentation:
   metricsEnabled: true

cmd/ratify/cmd/root.go

@@ -30,12 +30,18 @@ const (
 var Root = New(use, shortDesc)
 
 func New(use, short string) *cobra.Command {
-	common.SetLoggingLevelFromEnv(logrus.StandardLogger())
 	featureflag.InitFeatureFlagsFromEnv()
-
+	var enableDebug bool
 	root := &cobra.Command{
 		Use:   use,
 		Short: short,
+		PersistentPreRun: func(cmd *cobra.Command, args []string) {
+			if enableDebug {
+				common.SetLoggingLevel("debug", logrus.StandardLogger())
+			} else {
+				common.SetLoggingLevelFromEnv(logrus.StandardLogger())
+			}
+		},
 		RunE: func(cmd *cobra.Command, args []string) error {
 			return cmd.Usage()
 		},
@@ -50,6 +56,6 @@ func New(use, short string) *cobra.Command {
 	root.AddCommand(NewCmdVersion(use, versionUse))
 	root.AddCommand(NewCmdResolve(use, resolveUse))
 
-	// TODO debug logging
+	root.PersistentFlags().BoolVarP(&enableDebug, "debug", "d", false, "Enable debug mode. If enabled, set logger level to debug")
 	return root
 }

cmd/ratify/cmd/version.go

@@ -1,3 +1,16 @@
+// Copyright The Ratify Authors.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+// http://www.apache.org/licenses/LICENSE-2.0
+
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package cmd
 
 import (

crd.Dockerfile

@@ -1,3 +1,16 @@
+# Copyright The Ratify Authors.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 FROM alpine as builder
 
 ARG TARGETOS

dev.helmfile.yaml

@@ -9,7 +9,7 @@ releases:
     namespace: gatekeeper-system
     createNamespace: true
     chart: gatekeeper/gatekeeper
-    version: 3.13.0
+    version: 3.14.0
     wait: true
     set:
       - name: enableExternalData
@@ -18,6 +18,8 @@ releases:
         value: 5
       - name: mutatingWebhookTimeoutSeconds
         value: 2
+      - name: externaldataProviderResponseCacheTTL
+        value: 10s
   - name: ratify
     namespace: gatekeeper-system
     chart: charts/ratify # PRERELEASE: Change to 'ratify/ratify' before copying to helmfile.yaml

experimental/generate-protos.sh

@@ -1,3 +1,16 @@
+# Copyright The Ratify Authors.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
 #! /bin/bash
 
 

go.mod

@@ -47,9 +47,9 @@ require (
 	golang.org/x/sync v0.5.0
 	google.golang.org/grpc v1.59.0
 	google.golang.org/protobuf v1.31.0
-	k8s.io/api v0.28.3
-	k8s.io/apimachinery v0.28.3
-	k8s.io/client-go v0.28.3
+	k8s.io/api v0.28.4
+	k8s.io/apimachinery v0.28.4
+	k8s.io/client-go v0.28.4
 	oras.land/oras-go/v2 v2.3.1
 )
 
@@ -92,7 +92,7 @@ require (
 	github.com/gabriel-vasile/mimetype v1.4.3 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.5 // indirect
 	github.com/go-ini/ini v1.67.0 // indirect
-	github.com/go-jose/go-jose/v3 v3.0.0 // indirect
+	github.com/go-jose/go-jose/v3 v3.0.1 // indirect
 	github.com/go-ldap/ldap/v3 v3.4.6 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/golang-jwt/jwt/v5 v5.0.0 // indirect