v1.0.0-rc.7

✨ New Features

• Introducing OPA engine integration to support Rego Policy
  • Embeds OPA engine in Ratify so that service can make verifications using the OPA engine for Rego Policies.
  • Adds support for multiple verifiers against the same artifact.
  • Users can still provide a configuration Policy which is the default option.
  • Introduces new Policy controller and CRD that allows switching between configuration policy and Rego Policy at runtime
  • More information here
• Introducing support to enable High Availability (HA) for Ratify
  • Unifies all existing in-memory caches through a new cache interface that allows registering and specifying new cache providers
  • Implements Ristretto as the default cache provider
  • Implements support for Dapr cache provider
  • More info here
• Introducing integration with Helmfile Tool
  • Simplifies helm install for upgrade scenarios to HA support
  • Simplifies helm install for quick start experience
• Introducing Terraform configs for Azure
  • Adds Terraform configs to simplify the deployment of Azure Resources for Ratify
• Enable optional image mutation in Helm chart
  • Allows image mutation to be optional in helm chart since there might be scenarios where OPA Gatekeeper constraints are based on image tags.
• Introduce graceful shutdown for http server
  • Adds support for ‘Shutdown’ command to be invoked on SIGTERM signal or interrupt OS command
  • Adds channel to wait on shutdown process to complete (6 second context timeout)
• Introducing improved error handling
  • Refactor most errors to a custom error struct
  • Introduce error codes for faster searching
  • Adds stacks to improve debuggability
  • Adds a configurable internal logger utility that initializes the logger for Ratify and configures the context with a trace-id from requests
  • More info here
• Introducing new Ratify arm64 & arm/v7 images
• Introducing new Ratify Logo
  • We are improving the project branding. Check out the new Ratify Logo here

💥 🚨 BREAKING CHANGES 🚨 💥

• Notation signature verifier name now registered using name notation instead of notaryv2
  • More information here
• logLevel helm chart value now found at logger.level
  • More information here
• TLS certs are NOT auto generated by Ratify chart. It's recommended to set featureFlags.RATIFY_CERT_ROTATION to true.
• PKCS12 certs with Azure Key Vault setup is NOT supported
  • More details here
  • Workaround here

📄 Documentation

• docs: add examples for using AWS Signer by @byronchien in #875
• docs: update community meeting to weekly wed by @susanshi in #896
• docs: redesign docs structure to improve navigation by @duffney in #897
• docs: add notaryv2 upgrade doc by @binbin-li in #999
• docs: fix the link for terraform installation by @yizha1 in #1014

🧪 Tests

CLI

• Verifier Scenarios
  • Notation
  • Cosign
    • Keyed
    • Keyless
  • SBOM
  • License Checker
  • JSON Schema Validation
  • All verifier types in one
• Dynamic OCI Plugins
  • Verifier Plugin
  • Store Plugin

Kubernetes

• Verifier Scenarios
  • Notation
  • Cosign
  • SBOM
  • License Checker
  • JSON Schema Validation
  • All verifier types in one
• ORAS Store Authentication Providers
  • Docker
  • Kubernetes Secrets
  • Azure Workload Identity
  • Azure Managed Identity
• Certificate Store Providers
  • Inline Certificate
  • Azure Key Vault Certificate
• Mutation Provider
• Dynamic OCI Plugins
  • Verifier Plugin
• CertifacteProvider CRD Status
• TLS Certificate
  • TLS Certificate Watcher
  • TLS Certificate Rotation
• High Availability Tests
  • 2 Replicas, Redis + Dapr, Notation

🐛 🩹 Bug Fixes

• fix: helm chart generated cert refers to helm release name in subject by @fseldow in #885
• fix: new sample images should be signed by notation rc7 by @susanshi in #905
• fix: update quick start to ghcr image by @susanshi in #906
• fix: update notary.crt to reflect latest sample by @susanshi in #909
• fix: publish ratify image with plugin by @susanshi in #916
• fix: downgrade goreleaser to last stable version by @susanshi in #922
• fix: upgrade notation rc3->rc7 by @junczhu in #923
• fix: fix Policy CRD by @binbin-li in #962
• fix: change name of notation cert file in helmfile by @akashsinghal in #975
• fix: update links in ratify configuration doc by @susanshi in #985
• fix: Updating akv cert provider to use getSecret by @susanshi in #957
• fix: adding experimental to dynamic plugin flag by @susanshi in #980
• fix: fix broken Azure tests by @binbin-li in #1009
• fix: display cert store status by @susanshi in #1021

🎉 New Contributors

• @duffney made their first contribution in #884
• @junczhu made their first contribution in #923
• @yizha1 made their first contribution in #926
• @mannbiher made their first contribution in #944

📝 Changelog

• docs: add examples for using AWS Signer by @byronchien in #875
• chore: bump github.com/aws/aws-sdk-go-v2/config from 1.18.25 to 1.18.27 by @dependabot in #895
• chore: bump k8s.io/api from 0.26.5 to 0.26.6 by @dependabot in #894
• fix: helm chart generated cert refers to helm release name in subject by @fseldow in #885
• docs: update community meeting to weekly wed by @susanshi in #896
• feat: add Terraform configs for Azure by @duffney in #884
• build: upgrade go lint by @akashsinghal in #892
• chore: add ratify logo by @FeynmanZhou in #898
• chore: bump ossf/scorecard-action from 2.1.3 to 2.2.0 by @dependabot in #903
• chore: bump k8s.io/client-go from 0.26.1 to 0.26.6 by @dependabot in #902
• chore: bump sigs.k8s.io/controller-runtime from 0.14.2 to 0.14.6 by @dependabot in #904
• chore: create publish-sample.yml by @susanshi in #900
• chore: add logo to README by @akashsinghal in #899
• fix: new sample images should be signed by notation rc7 by @susanshi in #905
• fix: update quick start to ghcr image by @susanshi in #906
• fix: update notary.crt to reflect latest sample by @susanshi in #909
• fix: publish ratify image with plugin by @susanshi in #916
• chore: update chart for v1.0.0-rc.6 by @susanshi in #921
• fix: downgrade goreleaser to last stable version by @susanshi in #922
• fix: upgrade notation rc3->rc7 by @junczhu in #923
• build: use latest sbom-tool by @binbin-li in #917
• docs: redesign docs structure to improve navigation by @duffney in #897
• chore: bump google.golang.org/grpc from 1.55.0 to 1.55.1 by @dependabot in #925
• chore: add triage label to issue template by @yizha1 in #926
• feat: add opa engine and support Rego policy by @binbin-li in #798
• ci: delete oci artifact tests by @akashsinghal in #928
• chore: bump github.com/aws/aws-sdk-go-v2/config from 1.18.27 to 1.18.28 by @dependabot in #934
• chore: upgrade to image spec rc4 and oras-go 2.2.1 by @akashsinghal in #931
• feat: add policy crd and controller by @binbin-li in #933
• feat: unify caches, add ristretto and Dapr cache providers by @akashsinghal in #901
• chore: bump k8s.io/api from 0.26.6 to 0.26.7 by @dependabot in #947
• chore: bump k8s.io/client-go from 0.26.6 to 0.26.7 by @dependabot in #946
• chore: bump github.com/sigstore/sigstore from 1.6.4 to 1.6.5 by @dependabot in #865
• chore: bump github.com/notaryproject/notation-go from 1.0.0-rc.6 to 1.0.0 by @dependabot in #954
• chore: bump github.com/aws/aws-sdk-go-v2 from 1.19.0 to 1.19.1 by @dependabot in #955
• chore: bump k8s.io/client-go from 0.27.3 to 0.27.4 by @dependabot in #953
• chore: bump google.golang.org/grpc from 1.56.0 to 1.56.2 by @dependabot in #952
• chore: bump github.com/spdx/tools-golang from 0.5.2 to 0.5.3 by @dependabot in #951
• build: pin sbom-tool version to v1.2.0 by @binbin-li in #967
• fix: fix Policy CRD by @binbin-li in #962
• feat: add helmfile support by @akashsinghal in #948
• feat: optional image mutation in helm chart by @mannbiher in #944
• chore: bump sigs.k8s.io/controller-runtime from 0.15.0 to 0.15.1 by @dependabot in #970
• chore: bump github.com/aws/aws-sdk-go-v2/config from 1.18.28 to 1.18.32 by @dependabot in #969
• chore!: update-notation ref by @junczhu in #940
• fix: change name of notation cert file in helmfile by @akashsinghal in #975
• chore: bump actions/setup-go from 4.0.1 to 4.1.0 by @dependabot in #976
• chore: bump goreleaser/goreleaser-action from 4.3.0 to 4.4.0 by @dependabot in #979
• feat: restrict list/watch/update/create access of Secrets namespaced by @binbin-li in #961
• fix: update links in ratify configuration doc by @susanshi in #985
• chore: add Policy definition in PROJECT by @binbin-li in #986
• feat: skip helm genCA if cert-rotator enabled by @binbin-li in #965
• chore: bump github.com/sigstore/sigstore from 1.7.1 to 1.7.2 by @dependabot in #989
• chore: bump github.com/aws/aws-sdk-go-v2 from 1.20.0 to 1.20.1 by @dependabot in #990
• fix: fix cert-rotator test by @binbin-li in #992
• chore: bump github.com/aws/aws-sdk-go-v2/config from 1.18.32 to 1.18.33 by @dependabot in #988
• feat: add graceful shutdown for http server by @akashsinghal in #949
• fix: Updating akv cert provider to use getSecret by @susanshi in #957
• chore: bump golangci/golangci-lint-action from 3.6.0 to 3.7.0 by @dependabot in #997
• chore: bump actions/setup-go from 4.0.1 to 4.1.0 by @dependabot in #996
• fix: adding experimental to dynamic plugin flag by @susanshi in #980
• refactor: refactor error handling by @binbin-li in #956
• docs: add notaryv2 upgrade doc by @binbin-li in #999
• chore: bump github.com/aws/aws-sdk-go-v2/credentials from 1.13.32 to 1.13.34 by @dependabot in #1005
• chore: bump github.com/Azure/azure-sdk-for-go/sdk/azidentity from 1.3.0 to 1.3.1 by @dependabot in #1007
• chore: bump github.com/aws/aws-sdk-go-v2/config from 1.18.33 to 1.18.35 by @dependabot in #1004
• fix: fix broken Azure tests by @binbin-li in #1009
• feat: update ratify release pipeline to support arm64 image by @susanshi in #987
• docs: fix the link for terraform installation by @yizha1 in #1014
• refactor: refactor log by @binbin-li in #1008
• fix: display cert store status by @susanshi in #1021
• refactor: use new logger util to replace logrus by @binbin-li in #1023
• chore: Bump actions/checkout from 3.5.3 to 3.6.0 by @dependabot in #1028
• chore: update constraint templates by @junczhu in #1027
• chore: prepare rc7 release by @akashsinghal in #1031

Full Changelog: v1.0.0-rc.5...v1.0.0-rc.7