Ratify should be configurable through either config.json or, in a Kubernetes environment, through dynamically configurable CRDs. We propose 2 CRDs: a Store and a Verifier. Both CRDs should be thought of as representing a specific type of store/verifier with a specific configuration – aka, a notaryv2 verifier with keys A and B is distinct from a notaryv2 verifier with key C.
```yaml
kind: Store
metadata:
  name: string # Cluster-unique name for this store
  namespace: string # Namespace in which to use this store
spec:
  type: string # ORAS, FilePath, Sigstore, etc
  address: string # Optional (required for custom store). URL or file path
  auth:
    mode: string # K8sSecrets, AzureWorkloadIdentity, etc
    # may need additional fields here
```

```yaml
kind: Verifier
metadata:
  name: string # Cluster-unique name for this verifier
  namespace: string # Namespace in which to use this verifier
spec:
  type: string # NotaryV2, SBOM, VulnerabilityScan, etc
  address: string # Optional. URL/file path
  artifactType: string
  params: object # Verifier-specific field. For ex. NotaryV2 takes certs
```
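As an added illustration (not Ratify's code, and not part of the original issue), the Go below models the two proposed specs and enforces two points the proposal makes: an `address` is optional except for a custom store, and a verifier's identity is its type plus its configuration, so a NotaryV2 verifier configured with certs A and B is distinct from one configured with cert C. The store type name `Custom`, the `certs` key inside `params`, the flat string map standing in for the `object` field, and the sample values are all assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// StoreAuth mirrors the proposed Store spec's auth block.
type StoreAuth struct {
	Mode string // K8sSecrets, AzureWorkloadIdentity, etc
}

// StoreSpec mirrors the proposed Store CRD spec fields.
type StoreSpec struct {
	Type    string // ORAS, FilePath, Sigstore, etc
	Address string // optional; required for a custom store
	Auth    StoreAuth
}

// VerifierSpec mirrors the proposed Verifier CRD spec fields.
// Params is a flat string map here; the proposal only says "object" (assumption).
type VerifierSpec struct {
	Type         string // NotaryV2, SBOM, VulnerabilityScan, etc
	Address      string // optional
	ArtifactType string
	Params       map[string]string
}

// ValidateStore enforces the schema comments: type and auth.mode are required,
// and address is required only when the store type is custom.
// "Custom" as the type name is an assumption for this example.
func ValidateStore(s StoreSpec) error {
	if s.Type == "" {
		return errors.New("store: spec.type is required")
	}
	if s.Type == "Custom" && s.Address == "" {
		return errors.New("store: spec.address is required for a custom store")
	}
	if s.Auth.Mode == "" {
		return errors.New("store: spec.auth.mode is required")
	}
	return nil
}

// ValidateVerifier requires a type and artifactType, and, for NotaryV2,
// the certs the proposal says that verifier takes (key name "certs" is assumed).
func ValidateVerifier(v VerifierSpec) error {
	if v.Type == "" {
		return errors.New("verifier: spec.type is required")
	}
	if v.ArtifactType == "" {
		return errors.New("verifier: spec.artifactType is required")
	}
	if v.Type == "NotaryV2" && v.Params["certs"] == "" {
		return errors.New("verifier: NotaryV2 requires params.certs")
	}
	return nil
}

// VerifierIdentity derives a deterministic identity from type, artifactType,
// address and the sorted params, so two verifiers of the same type with
// different configuration (different certs) get different identities.
func VerifierIdentity(v VerifierSpec) string {
	keys := make([]string, 0, len(v.Params))
	for k := range v.Params {
		keys = append(keys, k)
	}
	sort.Strings(keys) // map iteration order is random; sort for determinism
	var b strings.Builder
	fmt.Fprintf(&b, "%s|%s|%s", v.Type, v.ArtifactType, v.Address)
	for _, k := range keys {
		fmt.Fprintf(&b, "|%s=%s", k, v.Params[k])
	}
	return b.String()
}

func main() {
	// Constructed sample instances of the proposed CRDs.
	store := StoreSpec{Type: "ORAS", Auth: StoreAuth{Mode: "K8sSecrets"}}
	fmt.Println("store valid:", ValidateStore(store) == nil)

	ab := VerifierSpec{Type: "NotaryV2", ArtifactType: "example/signature",
		Params: map[string]string{"certs": "A,B"}}
	c := VerifierSpec{Type: "NotaryV2", ArtifactType: "example/signature",
		Params: map[string]string{"certs": "C"}}
	fmt.Println("distinct verifiers:", VerifierIdentity(ab) != VerifierIdentity(c))
}
```

The identity function is what a controller reconciling these CRDs would key on when deciding whether an updated Verifier object is the same verifier with a new name or a genuinely different configuration.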
It may be beneficial to have an additional CRD for Keys to allow for flexibility in how keys are stored/fetched - this is worthy of further discussion. @etrexel I think you have more familiarity with options around keys and how they are handed to Notation/the notation verifier?
David Tesar edit 8/9/2022: I'd like to break this down into smaller parts.