feat: support alibaba cloud rrsa in oras store
Signed-off-by: dahu.kdh <[email protected]>
DahuK committed Nov 14, 2024
1 parent e73d4f5 commit 2ad167f
Showing 12 changed files with 612 additions and 19 deletions.
7 changes: 5 additions & 2 deletions charts/ratify/README.md
@@ -93,6 +93,7 @@ Values marked `# DEPRECATED` in the `values.yaml` as well as **DEPRECATED** in t
| oras.authProviders.awsApiOverride.endpoint | Overrides ECR endpoint | `` |
| oras.authProviders.awsApiOverride.partition | Overrides ECR partition in the endpoint URL | `aws` |
| oras.authProviders.awsApiOverride.region | Overrides ECR region in the endpoint URL | `` |
| oras.authProviders.alibabacloudAcrBasicEnabled | Enables Alibaba Cloud ACR basic authentication provider | `false` |
| oras.cache.enabled | Enables ORAS store cache for ListReferrers and GetSubjectDescriptor. TTL-based cache may cause inconsistency between cache and data source. Please disable it if strong consistency is required.operations | `true` |
| oras.cache.ttl | Sets the ttl for ORAS store in seconds. cache | `10` |
| provider.tls.crt | Ratify server's tls public certificate | `` |
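Review bot: the new `oras.authProviders.alibabacloudAcrBasicEnabled` row only says that it enables the provider, yet the provider is unusable without `alibabacloudAcrConfig.defaultInstanceId` (and optionally `acrInstancesConfig`), which are documented in a separate table further down; the description should point at those values and, since the commit title says the provider relies on RRSA, name the credential source so operators know which workload identity must be in place before turning the flag on.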
@@ -138,8 +139,10 @@ Values marked `# DEPRECATED` in the `values.yaml` as well as **DEPRECATED** in t
| azurekeyvault.vaultURI | Vault URI for Azure Key Vault | `` |
| azurekeyvault.tenantId | Tenant ID of the configured Azure Key Vault resource | `` |
| azurekeyvault.certificates | An array of certificate objects identified by `name` and `version` (optional) stored in Azure Key Vault | `[]` |
| azurekeyvault.keys | An array of key objects identified by `name` and `version` (optional) stored in Azure Key Vault | `[]` |
| azurekeyvault.refreshInterval | time duration to refresh the certificates/keys. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". Example: 1h, 30m, 1h30m. If it's not set, the refresh functionality will be disabled. | `` |
| azurekeyvault.keys | An array of key objects identified by `name` and `version` (optional) stored in Azure Key Vault | `[]` |
| azurekeyvault.refreshInterval | time duration to refresh the certificates/keys. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". Example: 1h, 30m, 1h30m. If it's not set, the refresh functionality will be disabled. | `` |
| alibabacloudAcrConfig.defaultInstanceId | Default instance ID of the Alibaba Cloud Registry where the target artifacts stored | `` |
| alibabacloudAcrConfig.acrInstancesConfig | When images need to be pulled from multiple instances of Aliababa Cloud Registry, the instanceName and instanceId of the instances need to be defined separately in the list, e.g. acrInstancesConfig:<br/> - instanceName: name1<br/> instanceId: cri-xxx1<br/> - instanceName: name2<br/> instanceId: cri-xxx2<br /> | `[]` |
| notationCert | **DEPRECATED** Please switch to `notationCerts` to specify an array of verification certificates. Public certificate/certificate chain used to create inline certstore used by Notation verifier. | `` |
| akvCertConfig.enabled | **DEPRECATED** Please use `azurekeyvault.enabled` instead. Enables/disables Azure Key Vault certificate store. If you are using a custom chart, certificate store should be referenced through a Verifier CR. References in ConfigMap will not be correctly resolved. | `false` |
| akvCertConfig.vaultURI | **DEPRECATED** Please use `azurekeyvault.vaultURI` instead. Vault URI for AKV configured | `` |
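Review bot: typos in the added rows: "Aliababa Cloud Registry" in the `acrInstancesConfig` description should read "Alibaba Cloud Registry", and the `defaultInstanceId` description is missing a verb ("where the target artifacts are stored"). The inline example also mixes `<br/>` and `<br />`; a consistent tag is the minimum, and a short fenced YAML snippet below the table would render the nested `instanceName`/`instanceId` list far more legibly than line breaks inside a table cell.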
7 changes: 7 additions & 0 deletions charts/ratify/templates/store.yaml
@@ -34,6 +34,13 @@ spec:
authProvider:
name: awsEcrBasic
{{- end }}
{{- if .Values.oras.authProviders.alibabacloudAcrBasicEnabled }}
authProvider:
name: alibabacloudAcrBasic
defaultInstanceId: {{ .Values.alibabacloudAcrConfig.defaultInstanceId }}
acrInstancesConfig:
{{- toYaml .Values.alibabacloudAcrConfig.acrInstancesConfig | nindent 8 }}
{{- end }}
{{- if .Values.oras.cache.enabled }}
cacheEnabled: true
ttl: {{ .Values.oras.cache.ttl }}
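Review bot: `defaultInstanceId: {{ .Values.alibabacloudAcrConfig.defaultInstanceId }}` is emitted unquoted; with the chart default of a bare `defaultInstanceId:` the value is nil and renders as the literal `<nil>`, so either quote it (`defaultInstanceId: {{ .Values.alibabacloudAcrConfig.defaultInstanceId | quote }}`) or wrap the line in `{{- with ... }}`. Separately, this block mirrors the `awsEcrBasic` block above it, so enabling both flags emits two `authProvider` keys in the same mapping; a `fail` when more than one provider flag is set would surface the misconfiguration at `helm template` time rather than at runtime.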
6 changes: 6 additions & 0 deletions charts/ratify/values.yaml
@@ -82,6 +82,10 @@ azurekeyvault:
keys: []
refreshInterval:

alibabacloudAcrConfig:
defaultInstanceId:
acrInstancesConfig: []

oras:
useHttp: false
authProviders:
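Review bot: `defaultInstanceId:` with no value is YAML null, not an empty string, and it is interpolated unquoted by the `store.yaml` template; follow the convention of the `awsApiOverride` fields (`endpoint: ""`) and set `defaultInstanceId: ""`, with a comment stating that it must be filled in when `oras.authProviders.alibabacloudAcrBasicEnabled` is true.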
@@ -94,6 +98,8 @@ oras:
endpoint: ""
partition: "" # defaults to aws
region: ""
alibabacloudAcrBasicEnabled: false

cache:
# Please tune your cache parameters to get better performance on the Oras Store performance.
enabled: true # ttl-based cache may cause inconsistency between cache and data source, please disable it if strong consistency is required.
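Review bot: the neighbouring settings in this block carry inline comments (`partition: "" # defaults to aws`, the `cache` comments); `alibabacloudAcrBasicEnabled: false` should likewise note that the `alibabacloudAcrConfig` block above must be populated when it is set to true, since nothing else in `values.yaml` links the two.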
7 changes: 7 additions & 0 deletions errors/errors.go
@@ -132,4 +132,11 @@ var (
Message: "operation forbidden",
Description: "The requested operation is forbidden. Please verify the permission to the requested resource.",
})

// ErrorCodeConfigInvalid is returned if provided alibabacloud image is invalid.
ErrorCodeAlibabaCloudImageInvalid = Register("errcode", ErrorDescriptor{
Value: "ALIBABACLOUD_IMAGE_INVALID",
Message: "image invalid",
Description: `Invalid Alibaba Cloud Registry image format. Please verify your image configuration.`,
})
)
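Review bot: the doc comment names `ErrorCodeConfigInvalid`, but the declared identifier is `ErrorCodeAlibabaCloudImageInvalid`; Go doc comments are expected to start with the identifier they describe, and linters such as revive flag the mismatch. The `Message` value "image invalid" is also generic compared with the descriptive `Description`; since `Message` is what callers and logs usually surface, something like "alibaba cloud image reference invalid" would make the failure attributable without reading the code.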
11 changes: 7 additions & 4 deletions go.mod
@@ -15,6 +15,11 @@ require (
github.com/Azure/azure-sdk-for-go/sdk/containers/azcontainerregistry v0.2.2
github.com/Azure/go-autorest/autorest/to v0.4.0
github.com/AzureAD/microsoft-authentication-library-for-go v1.2.3
github.com/alibabacloud-go/cr-20181201/v2 v2.5.0
github.com/alibabacloud-go/darabonba-openapi/v2 v2.0.10
github.com/alibabacloud-go/tea v1.2.2
github.com/alibabacloud-go/tea-utils/v2 v2.0.7
github.com/aliyun/credentials-go v1.3.10
github.com/aws/aws-sdk-go-v2 v1.32.4
github.com/aws/aws-sdk-go-v2/config v1.27.43
github.com/aws/aws-sdk-go-v2/credentials v1.17.44
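Review bot: `github.com/alibabacloud-go/cr-20181201/v2 v2.5.0` becomes a direct dependency while `github.com/alibabacloud-go/cr-20181201 v1.0.10` stays in the indirect block below, so two major versions of the same registry client now ship in the binary; check which existing dependency still pulls in v1 and whether it can be dropped. Because `credentials-go` and the `tea` modules are the components that acquire and send cloud credentials, the corresponding `go.sum` entries (not shown on this page) should be checked against the upstream releases as part of this review.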
@@ -70,17 +75,15 @@ require (
github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c // indirect
github.com/ThalesIgnite/crypto11 v1.2.5 // indirect
github.com/agnivade/levenshtein v1.1.1 // indirect
github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4 // indirect
github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.5 // indirect
github.com/alibabacloud-go/cr-20160607 v1.0.1 // indirect
github.com/alibabacloud-go/cr-20181201 v1.0.10 // indirect
github.com/alibabacloud-go/darabonba-openapi v0.2.1 // indirect
github.com/alibabacloud-go/debug v1.0.0 // indirect
github.com/alibabacloud-go/debug v1.0.1 // indirect
github.com/alibabacloud-go/endpoint-util v1.1.1 // indirect
github.com/alibabacloud-go/openapi-util v0.1.0 // indirect
github.com/alibabacloud-go/tea v1.2.1 // indirect
github.com/alibabacloud-go/tea-utils v1.4.5 // indirect
github.com/alibabacloud-go/tea-xml v1.1.3 // indirect
github.com/aliyun/credentials-go v1.3.1 // indirect
github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.23.7 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.0 // indirect
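Review bot: the indirect entries for `tea v1.2.1`, `tea-utils v1.4.5` and `credentials-go v1.3.1` are dropped because newer versions are now required directly, but `darabonba-openapi v0.2.1` and `cr-20181201 v1.0.10` remain indirect next to their v2 counterparts; run `go mod tidy` and confirm those v1 modules are still genuinely required rather than leftovers, since every extra module in the graph is additional code that has to be tracked for vulnerabilities.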
