feat: support alibaba cloud rrsa store auth provider #1909

Merged (1 commit), Nov 14, 2024
7 changes: 5 additions & 2 deletions charts/ratify/README.md
Expand Up @@ -93,6 +93,7 @@ Values marked `# DEPRECATED` in the `values.yaml` as well as **DEPRECATED** in t
| oras.authProviders.awsApiOverride.endpoint | Overrides ECR endpoint | `` |
| oras.authProviders.awsApiOverride.partition | Overrides ECR partition in the endpoint URL | `aws` |
| oras.authProviders.awsApiOverride.region | Overrides ECR region in the endpoint URL | `` |
| oras.authProviders.alibabacloudAcrBasicEnabled | Enables Alibaba Cloud ACR basic authentication provider | `false` |
| oras.cache.enabled | Enables ORAS store cache for ListReferrers and GetSubjectDescriptor. TTL-based cache may cause inconsistency between cache and data source. Please disable it if strong consistency is required.operations | `true` |
| oras.cache.ttl | Sets the ttl for ORAS store in seconds. cache | `10` |
| provider.tls.crt | Ratify server's tls public certificate | `` |
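Review bot: the new `oras.authProviders.alibabacloudAcrBasicEnabled` row documents only the toggle, but enabling it makes the chart consume `alibabacloudAcrConfig.defaultInstanceId` and `alibabacloudAcrConfig.acrInstancesConfig`; the description should point at those keys and say that the provider authenticates with the pod's RRSA identity (per the PR title), so nobody flips the flag with an empty instance ID and gets a silently mis-configured store.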
Expand Down Expand Up @@ -138,8 +139,10 @@ Values marked `# DEPRECATED` in the `values.yaml` as well as **DEPRECATED** in t
| azurekeyvault.vaultURI | Vault URI for Azure Key Vault | `` |
| azurekeyvault.tenantId | Tenant ID of the configured Azure Key Vault resource | `` |
| azurekeyvault.certificates | An array of certificate objects identified by `name` and `version` (optional) stored in Azure Key Vault | `[]` |
| azurekeyvault.keys | An array of key objects identified by `name` and `version` (optional) stored in Azure Key Vault | `[]` |
| azurekeyvault.refreshInterval | time duration to refresh the certificates/keys. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". Example: 1h, 30m, 1h30m. If it's not set, the refresh functionality will be disabled. | `` |
| azurekeyvault.keys | An array of key objects identified by `name` and `version` (optional) stored in Azure Key Vault | `[]` |
| azurekeyvault.refreshInterval | time duration to refresh the certificates/keys. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h". Example: 1h, 30m, 1h30m. If it's not set, the refresh functionality will be disabled. | `` |
| alibabacloudAcrConfig.defaultInstanceId | Default instance ID of the Alibaba Cloud Registry where the target artifacts stored | `` |
| alibabacloudAcrConfig.acrInstancesConfig | When images need to be pulled from multiple instances of Aliababa Cloud Registry, the instanceName and instanceId of the instances need to be defined separately in the list, e.g. acrInstancesConfig:<br/> - instanceName: name1<br/> instanceId: cri-xxx1<br/> - instanceName: name2<br/> instanceId: cri-xxx2<br /> | `[]` |
| notationCert | **DEPRECATED** Please switch to `notationCerts` to specify an array of verification certificates. Public certificate/certificate chain used to create inline certstore used by Notation verifier. | `` |
| akvCertConfig.enabled | **DEPRECATED** Please use `azurekeyvault.enabled` instead. Enables/disables Azure Key Vault certificate store. If you are using a custom chart, certificate store should be referenced through a Verifier CR. References in ConfigMap will not be correctly resolved. | `false` |
| akvCertConfig.vaultURI | **DEPRECATED** Please use `azurekeyvault.vaultURI` instead. Vault URI for AKV configured | `` |
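Review bot: the `azurekeyvault.keys` and `azurekeyvault.refreshInterval` rows show up as a deletion and an identical re-addition (the file header counts 5 additions and 2 deletions), which looks like a whitespace or line-ending change; drop it so the diff carries only the two new `alibabacloudAcrConfig` rows. In those rows, fix `Aliababa` to `Alibaba` and `where the target artifacts stored` to `where the target artifacts are stored`, and state the expected ID format for `defaultInstanceId` as well (the `cri-xxx1` example is only given for `acrInstancesConfig`).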
7 changes: 7 additions & 0 deletions charts/ratify/templates/store.yaml
Expand Up @@ -34,6 +34,13 @@ spec:
authProvider:
name: awsEcrBasic
{{- end }}
{{- if .Values.oras.authProviders.alibabacloudAcrBasicEnabled }}
authProvider:
name: alibabacloudAcrBasic
defaultInstanceId: {{ .Values.alibabacloudAcrConfig.defaultInstanceId }}
acrInstancesConfig:
{{- toYaml .Values.alibabacloudAcrConfig.acrInstancesConfig | nindent 8 }}
{{- end }}
{{- if .Values.oras.cache.enabled }}
cacheEnabled: true
ttl: {{ .Values.oras.cache.ttl }}
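Review bot: `defaultInstanceId: {{ .Values.alibabacloudAcrConfig.defaultInstanceId }}` is rendered unquoted, so the empty default from `values.yaml` becomes a YAML null and any value that happens to parse as a number or boolean changes type; use `{{ .Values.alibabacloudAcrConfig.defaultInstanceId | quote }}` or wrap the line in `{{- with ... }}`. Also, the new `{{- if .Values.oras.authProviders.alibabacloudAcrBasicEnabled }}` block is independent of the `awsEcrBasic` block that closes just above it, so enabling both flags emits two `authProvider:` keys in the same mapping and the last one silently wins; an `else if` chain or a `fail` when more than one provider is enabled would make the misconfiguration visible at `helm template` time.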
6 changes: 6 additions & 0 deletions charts/ratify/values.yaml
Expand Up @@ -82,6 +82,10 @@ azurekeyvault:
keys: []
refreshInterval:

alibabacloudAcrConfig:
defaultInstanceId:
acrInstancesConfig: []

oras:
useHttp: false
authProviders:
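Review bot: the new `alibabacloudAcrConfig` block carries no comments, unlike the neighbouring `partition: "" # defaults to aws` line in this file; add a comment per key giving the expected shape (`cri-...` instance IDs, list entries with `instanceName` and `instanceId`) so an operator can fill it in without opening the README or `store.yaml`.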
Expand All @@ -94,6 +98,8 @@ oras:
endpoint: ""
partition: "" # defaults to aws
region: ""
alibabacloudAcrBasicEnabled: false

cache:
# Please tune your cache parameters to get better performance on the Oras Store performance.
enabled: true # ttl-based cache may cause inconsistency between cache and data source, please disable it if strong consistency is required.
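Review bot: `alibabacloudAcrBasicEnabled` lives under `oras.authProviders` while its settings sit at the top-level `alibabacloudAcrConfig`, whereas the adjacent AWS provider keeps its overrides under `oras.authProviders.awsApiOverride`; either nest the instance config under `oras.authProviders` for consistency, or add a comment next to the flag pointing at `alibabacloudAcrConfig` so the two halves are discoverable together.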
7 changes: 7 additions & 0 deletions errors/errors.go
Expand Up @@ -132,4 +132,11 @@ var (
Message: "operation forbidden",
Description: "The requested operation is forbidden. Please verify the permission to the requested resource.",
})

// ErrorCodeConfigInvalid is returned if provided alibabacloud image is invalid.
ErrorCodeAlibabaCloudImageInvalid = Register("errcode", ErrorDescriptor{
Value: "ALIBABACLOUD_IMAGE_INVALID",
Message: "image invalid",
Description: `Invalid Alibaba Cloud Registry image format. Please verify your image configuration.`,
})
)
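Review bot: the doc comment reads `// ErrorCodeConfigInvalid is returned if ...` but the declared identifier is `ErrorCodeAlibabaCloudImageInvalid`; Go doc comments should start with the declared name, so change it to `// ErrorCodeAlibabaCloudImageInvalid is returned if the provided Alibaba Cloud image reference is invalid.` The `Message: "image invalid"` is also far more generic than the `ALIBABACLOUD_IMAGE_INVALID` value it pairs with; `"alibaba cloud image invalid"` would keep log lines searchable. Finally, the `Description` uses backquotes while the sibling entry above uses double quotes; keep one style.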
11 changes: 7 additions & 4 deletions go.mod
Expand Up @@ -15,6 +15,11 @@ require (
github.com/Azure/azure-sdk-for-go/sdk/containers/azcontainerregistry v0.2.2
github.com/Azure/go-autorest/autorest/to v0.4.0
github.com/AzureAD/microsoft-authentication-library-for-go v1.2.3
github.com/alibabacloud-go/cr-20181201/v2 v2.5.0
github.com/alibabacloud-go/darabonba-openapi/v2 v2.0.10
github.com/alibabacloud-go/tea v1.2.2
github.com/alibabacloud-go/tea-utils/v2 v2.0.7
github.com/aliyun/credentials-go v1.3.10
github.com/aws/aws-sdk-go-v2 v1.32.4
github.com/aws/aws-sdk-go-v2/config v1.27.43
github.com/aws/aws-sdk-go-v2/credentials v1.17.44
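Review bot: four new direct Alibaba Cloud SDK requirements land here (`cr-20181201/v2 v2.5.0`, `darabonba-openapi/v2 v2.0.10`, `tea-utils/v2 v2.0.7`, `credentials-go v1.3.10`) and `tea` is promoted from indirect `v1.2.1` to direct `v1.2.2`, but `go.sum` is not shown in this view; confirm `go mod tidy` was run and the checksums for every bumped module are committed, since `credentials-go` is the component that will read the RRSA OIDC token and its version needs to be pinned and verifiable.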
Expand Down Expand Up @@ -70,17 +75,15 @@ require (
github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c // indirect
github.com/ThalesIgnite/crypto11 v1.2.5 // indirect
github.com/agnivade/levenshtein v1.1.1 // indirect
github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.4 // indirect
github.com/alibabacloud-go/alibabacloud-gateway-spi v0.0.5 // indirect
github.com/alibabacloud-go/cr-20160607 v1.0.1 // indirect
github.com/alibabacloud-go/cr-20181201 v1.0.10 // indirect
github.com/alibabacloud-go/darabonba-openapi v0.2.1 // indirect
github.com/alibabacloud-go/debug v1.0.0 // indirect
github.com/alibabacloud-go/debug v1.0.1 // indirect
github.com/alibabacloud-go/endpoint-util v1.1.1 // indirect
github.com/alibabacloud-go/openapi-util v0.1.0 // indirect
github.com/alibabacloud-go/tea v1.2.1 // indirect
github.com/alibabacloud-go/tea-utils v1.4.5 // indirect
github.com/alibabacloud-go/tea-xml v1.1.3 // indirect
github.com/aliyun/credentials-go v1.3.1 // indirect
github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.23.7 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.0 // indirect
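Review bot: after this change two major versions of the same modules coexist, `cr-20181201 v1.0.10` (indirect) beside the new direct `cr-20181201/v2 v2.5.0`, and `darabonba-openapi v0.2.1` (indirect) beside `darabonba-openapi/v2 v2.0.10`; run `go mod why -m github.com/alibabacloud-go/cr-20181201` and the same for `darabonba-openapi` to see which dependency still pulls the v1 line, and drop it if nothing does, since carrying both widens the supply-chain surface for no benefit. The `gateway-spi v0.0.4 -> v0.0.5` and `debug v1.0.0 -> v1.0.1` bumps look like tidy fallout and are fine.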