
feat: optional image mutation in helm chart #944

Merged
merged 1 commit into from
Aug 5, 2023

Conversation

mannbiher (Contributor)

Description

Allow image mutation to be optional in the helm chart. This change introduces one new property in the helm chart under `provider`:
`provider.enableMutation=true`
When `provider.enableMutation` is set to `false`, it disables creation of

  1. All mutation assign CRDs
  2. ratify-mutation provider CRD

What this PR does / why we need it:

The current ratify helm chart allows image mutation by default. All image tags are replaced with the image digest. This may not be desirable in some use cases, e.g. if there are OPA Gatekeeper constraints based on image tags or if the image tags reflect the application revision.

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):

Fixes #943

Type of change

Please delete options that are not relevant.

  • New feature (non-breaking change which adds functionality)
  • Helm Chart Change (any edit/addition/update that is necessary for changes merged to the main branch)

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Please also list any relevant details for your test configuration

  • Run `helm template ratify .` from within the helm chart repository. The generated yaml is the same as the current yaml.
  • Run `helm template ratify . --set provider.enableMutation=false` from within the helm chart repository. The mutation Assign CRDs and the ratify-mutation provider CRD are removed from the generated template.

Checklist:

  • Does the affected code have corresponding tests?
  • Are the changes documented, not just with inline documentation, but also with conceptual documentation such as an overview of a new feature, or task-based documentation like a tutorial? Consider if this change should be announced on your project blog.
  • Does this introduce breaking changes that would require an announcement or bumping the major version?
  • Do all new files have appropriate license header?

Post Merge Requirements

  • MAINTAINERS: manually trigger the "Publish Package" workflow after merging any PR that indicates Helm Chart Change
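The chart change described above is a guard around the mutation manifests. The following is an added example, not code from the ratify chart or this PR: it models the guard as a Go text/template (the engine Helm templates use), renders it for both values of `provider.enableMutation`, and counts which kinds survive, which is the same check the "How Has This Been Tested" section performs by eye on `helm template` output. The Assign body, provider names, URLs and the release namespace are constructed stand-ins.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"text/template"
)

// Constructed, abridged stand-in for the chart's mutation manifests (not the
// real charts/ratify templates): a Gatekeeper Assign that rewrites image
// references through external data, plus the provider it calls. Both sit
// inside the {{ if .Values.provider.enableMutation }} guard; the verify
// provider below the guard is always rendered. Names and URLs are assumptions.
const providerTemplate = `
{{- if .Values.provider.enableMutation }}
apiVersion: mutations.gatekeeper.sh/v1beta1
kind: Assign
metadata:
  name: ratify-mutation-example
spec:
  applyTo:
    - groups: [""]
      kinds: ["Pod"]
      versions: ["v1"]
  location: "spec.containers[name:*].image"
  parameters:
    assign:
      externalData:
        provider: ratify-mutation-provider
---
apiVersion: externaldata.gatekeeper.sh/v1beta1
kind: Provider
metadata:
  name: ratify-mutation-provider
spec:
  url: https://ratify.{{ .Release.Namespace }}:6001/mutate
  timeout: 7
{{- end }}
---
apiVersion: externaldata.gatekeeper.sh/v1beta1
kind: Provider
metadata:
  name: ratify-provider
spec:
  url: https://ratify.{{ .Release.Namespace }}:6001/verify
  timeout: 7
`

// Render executes the template the way "helm template --set
// provider.enableMutation=<bool>" would, with a fixed (assumed) namespace.
func Render(enableMutation bool) (string, error) {
	tmpl, err := template.New("provider.yaml").Parse(providerTemplate)
	if err != nil {
		return "", err
	}
	ctx := map[string]any{
		"Values": map[string]any{
			"provider": map[string]any{"enableMutation": enableMutation},
		},
		"Release": map[string]any{"Namespace": "gatekeeper-system"},
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, ctx); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// CountKind counts top-level "kind:" lines of the given kind in a rendered
// multi-document YAML stream; enough for a template-level check of what the
// toggle removes.
func CountKind(manifest, kind string) int {
	n := 0
	for _, line := range strings.Split(manifest, "\n") {
		if strings.TrimSpace(line) == "kind: "+kind {
			n++
		}
	}
	return n
}

func main() {
	for _, enable := range []bool{true, false} {
		out, err := Render(enable)
		if err != nil {
			panic(err)
		}
		fmt.Printf("enableMutation=%v: Assign=%d Provider=%d\n",
			enable, CountKind(out, "Assign"), CountKind(out, "Provider"))
	}
}
```

With the guard in place, `enableMutation=false` drops the Assign and the mutation provider while the verify provider is still rendered; that is the behaviour the PR description and its test steps claim for the real chart.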

@mannbiher (Contributor, Author)

@microsoft-github-policy-service agree

@mannbiher mannbiher changed the title Optional image mutation in helm chart feat: optional image mutation in helm chart Jul 21, 2023
@codecov
codecov bot commented Jul 24, 2023

Codecov Report

Patch coverage: 100.00% and project coverage change: +0.02% 🎉

Comparison is base (7522b52) 56.87% compared to head (bb2306c) 56.90%.

Additional details and impacted files

```
@@            Coverage Diff             @@
##             main     #944      +/-   ##
==========================================
+ Coverage   56.87%   56.90%   +0.02%     
==========================================
  Files          90       90              
  Lines        5269     5272       +3     
==========================================
+ Hits         2997     3000       +3     
  Misses       1969     1969              
  Partials      303      303              
```

| Files Changed | Coverage Δ |
|---|---|
| httpserver/handlers.go | 74.34% <100.00%> (+0.40%) ⬆️ |


@akashsinghal (Collaborator)

Thanks @mannbiher for the PR! We will discuss this PR at our next community call on 7/26 4:30pm PST (details on our README.md).

We had not considered use cases where a tag should be preserved since from a security perspective, verifying supply chain artifacts (such as signatures) based on a tag which is mutable is not recommended. The application versioning of tags is a compelling scenario.

Review thread on charts/ratify/values.yaml (outdated, resolved)
@FeynmanZhou (Collaborator)

> Thanks @mannbiher for the PR! We will discuss this PR at our next community call on 7/26 4:30pm PST (details on our README.md).
>
> We had not considered use cases where a tag should be preserved since from a security perspective, verifying supply chain artifacts (such as signatures) based on a tag which is mutable is not recommended. The application versioning of tags is a compelling scenario.

Agree with @akashsinghal that verifying a tag is not a recommendation from the supply chain security perspective. I am fine with having this optional image mutation setting for the Ratify Helm Chart. But I would suggest there should be a WARNING log output as a reminder from Ratify when users set `provider.enableMutation=false` (disable mutation).

@akashsinghal (Collaborator)

Thanks for the discussion on the last community call @mannbiher! As discussed, I think we should add a warning on the /verify handler if a tagged reference is provided. Here's a suggested way of doing this:
https://github.com/akashsinghal/ratify/blob/38978a72db2da59bfd3044bdd726b96fe75a4ff8/httpserver/handlers.go#L82-L84
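The warning proposed here (and the WARNING log FeynmanZhou asked for) hinges on telling a digest reference apart from a tag. The block below is an added example, not ratify's handlers.go or the code behind the linked suggestion: it classifies an image reference by how it pins content and logs a warning for mutable references, returning whether it warned so the decision can be tested. Function names, the log wording and the sample references are constructed; the only real value is the sha256 of the empty string used as a stand-in digest.

```go
package main

import (
	"fmt"
	"log"
	"os"
	"strings"
)

// ReferenceKind classifies how an image reference identifies its content.
type ReferenceKind int

const (
	KindDigest         ReferenceKind = iota // name@sha256:<hex>: content-addressed, immutable
	KindTag                                 // name:tag: a mutable pointer the registry can move
	KindImplicitLatest                      // bare name: resolves to :latest, also mutable
)

func (k ReferenceKind) String() string {
	switch k {
	case KindDigest:
		return "digest"
	case KindTag:
		return "tag"
	default:
		return "implicit :latest"
	}
}

// ClassifyReference inspects only the part after the last "/" so that a
// registry port (localhost:5000/app) is not mistaken for a tag. A reference
// carrying both a tag and a digest (app:v1@sha256:...) counts as a digest,
// because the digest is what pins the content. Reference syntax is not
// validated here; that is left to the resolver.
func ClassifyReference(ref string) ReferenceKind {
	if strings.Contains(ref, "@") {
		return KindDigest
	}
	last := ref[strings.LastIndex(ref, "/")+1:]
	if strings.Contains(last, ":") {
		return KindTag
	}
	return KindImplicitLatest
}

// WarnIfMutable is the check a verify handler could run before resolving the
// reference (hypothetical helper): it logs a warning for tag or tag-less
// references and reports whether it did. A nil logger falls back to stderr.
func WarnIfMutable(logger *log.Logger, ref string) bool {
	if logger == nil {
		logger = log.New(os.Stderr, "", log.LstdFlags)
	}
	kind := ClassifyReference(ref)
	if kind == KindDigest {
		return false
	}
	logger.Printf("WARNING: %q is a %s reference; tags are mutable, so a verification result may not describe what is pulled later. Pin by digest or keep provider.enableMutation=true.", ref, kind)
	return true
}

func main() {
	// Constructed sample requests; the digest is sha256 of the empty string.
	for _, ref := range []string{
		"ghcr.io/example/app:v1.2.3",
		"localhost:5000/app",
		"ghcr.io/example/app@sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
	} {
		warned := WarnIfMutable(nil, ref)
		fmt.Printf("%s -> %s (warned=%v)\n", ref, ClassifyReference(ref), warned)
	}
}
```

The port case matters in practice: a naive "does it contain a colon" test would flag every reference to a registry on a non-default port as tagged, so the check looks only at the final path segment.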

@binbin-li (Collaborator)

> Thanks for the discussion on the last community call @mannbiher! As discussed, I think we should add a warning on the /verify handler if a tagged reference is provided. Here's a suggested way of doing this: https://github.com/akashsinghal/ratify/blob/38978a72db2da59bfd3044bdd726b96fe75a4ff8/httpserver/handlers.go#L82-L84

Might be out of scope, but I wonder if we should let the CLI verify command print out the warning if verifying against a tag? @akashsinghal

@mannbiher (Contributor, Author)

> Thanks for the discussion on the last community call @mannbiher! As discussed, I think we should add a warning on the /verify handler if a tagged reference is provided. Here's a suggested way of doing this: https://github.com/akashsinghal/ratify/blob/38978a72db2da59bfd3044bdd726b96fe75a4ff8/httpserver/handlers.go#L82-L84

@akashsinghal I have made the code change as requested. Could you please review and approve if changes look good?

@akashsinghal (Collaborator) left a review

LGTM. Thanks!

@akashsinghal akashsinghal enabled auto-merge (squash) August 4, 2023 22:31
auto-merge was automatically disabled August 5, 2023 00:56

Head branch was pushed to by a user without write access

@mannbiher (Contributor, Author)

> LGTM. Thanks!

Hi @akashsinghal, sorry, I had to amend my commit to add the signature. Could you please review and approve again?

@akashsinghal akashsinghal enabled auto-merge (squash) August 5, 2023 03:13
@akashsinghal akashsinghal merged commit 51f7f4e into ratify-project:main Aug 5, 2023
14 checks passed
bspaans pushed a commit to bspaans/ratify that referenced this pull request Oct 17, 2023
Development

Successfully merging this pull request may close these issues: Ratify helm chart should have option to disable image mutation (#943)
5 participants