diff --git a/.github/workflows/build-pr.yml b/.github/workflows/build-pr.yml
index 272f4333e9..f3c43e693f 100644
--- a/.github/workflows/build-pr.yml
+++ b/.github/workflows/build-pr.yml
@@ -24,8 +24,8 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        KUBERNETES_VERSION: ["1.29.2"]
-        GATEKEEPER_VERSION: ["3.17.0"]
+        KUBERNETES_VERSION: ["1.30.6"]
+        GATEKEEPER_VERSION: ["3.18.0"]
     uses: ./.github/workflows/e2e-k8s.yml
     with:
       k8s_version: ${{ matrix.KUBERNETES_VERSION }}
@@ -37,8 +37,8 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        KUBERNETES_VERSION: ["1.28.12", "1.29.2"]
-        GATEKEEPER_VERSION: ["3.15.0", "3.16.0", "3.17.0"]
+        KUBERNETES_VERSION: ["1.29.10", "1.30.6"]
+        GATEKEEPER_VERSION: ["3.16.0", "3.17.0", "3.18.0"]
     uses: ./.github/workflows/e2e-k8s.yml
     with:
       k8s_version: ${{ matrix.KUBERNETES_VERSION }}
@@ -53,8 +53,8 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        KUBERNETES_VERSION: ["1.28.12", "1.29.2"]
-        GATEKEEPER_VERSION: ["3.15.0", "3.16.0", "3.17.0"]
+        KUBERNETES_VERSION: ["1.29.10", "1.30.6"]
+        GATEKEEPER_VERSION: ["3.16.0", "3.17.0", "3.18.0"]
     uses: ./.github/workflows/e2e-aks.yml
     with:
       k8s_version: ${{ matrix.KUBERNETES_VERSION }}
@@ -70,14 +70,14 @@ jobs:
     environment: azure-test
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
         with:
           egress-policy: audit
 
       - name: Check out code into the Go module directory
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Set up Go 1.22
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version: "1.22"
 
diff --git a/.github/workflows/cache-cleanup.yml b/.github/workflows/cache-cleanup.yml
index 46042f7f1f..af26b9253c 100644
--- a/.github/workflows/cache-cleanup.yml
+++ b/.github/workflows/cache-cleanup.yml
@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
         with:
           egress-policy: audit
 
diff --git a/.github/workflows/clean-dev-package.yml b/.github/workflows/clean-dev-package.yml
index 0a53bd8d0b..0cbdbb534f 100644
--- a/.github/workflows/clean-dev-package.yml
+++ b/.github/workflows/clean-dev-package.yml
@@ -13,7 +13,7 @@ jobs:
       packages: write
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
         with:
           egress-policy: audit
 
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index edbb6eea13..a0bb75e4fe 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -26,18 +26,18 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
         with:
           egress-policy: audit
 
       - name: Checkout repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=3.0.2
       - name: setup go environment
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version: "1.22"
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@396bb3e45325a47dd9ef434068033c6d5bb0d11a # tag=v3.27.3
+        uses: github/codeql-action/init@df409f7d9260372bd5f19e5b04e83cb3c43714ae # tag=v3.27.9
         with:
           languages: go
       - name: Run tidy
@@ -45,4 +45,4 @@ jobs:
       - name: Build CLI
         run: make build
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@396bb3e45325a47dd9ef434068033c6d5bb0d11a # tag=v3.27.3
+        uses: github/codeql-action/analyze@df409f7d9260372bd5f19e5b04e83cb3c43714ae # tag=v3.27.9
diff --git a/.github/workflows/e2e-aks.yml b/.github/workflows/e2e-aks.yml
index 2cb7fbdf48..82cd13ed2c 100644
--- a/.github/workflows/e2e-aks.yml
+++ b/.github/workflows/e2e-aks.yml
@@ -9,12 +9,12 @@ on:
       k8s_version:
         description: "Kubernetes version"
         required: true
-        default: "1.29.2"
+        default: "1.30.6"
         type: string
       gatekeeper_version:
         description: "Gatekeeper version"
         required: true
-        default: "3.17.0"
+        default: "3.18.0"
         type: string
 
 jobs:
@@ -28,14 +28,14 @@ jobs:
       contents: read
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
         with:
           egress-policy: audit
 
       - name: Check out code into the Go module directory
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Set up Go 1.22
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version: "1.22"
       - name: Az CLI login
diff --git a/.github/workflows/e2e-cli.yml b/.github/workflows/e2e-cli.yml
index 5a2366f34d..c301c58ee6 100644
--- a/.github/workflows/e2e-cli.yml
+++ b/.github/workflows/e2e-cli.yml
@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
         with:
           egress-policy: audit
 
@@ -34,14 +34,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
         with:
           egress-policy: audit
 
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
       - name: setup go environment
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version: "1.22"
       - name: Run tidy
@@ -51,7 +51,7 @@ jobs:
       - name: Check build
         run: bin/ratify version
       - name: Upload coverage to codecov.io
-        uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0
+        uses: codecov/codecov-action@7f8b4b4bde536c465e797be725718b88c5d95e0e # v5.1.1
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
       - name: Run helm lint
@@ -63,14 +63,14 @@ jobs:
       contents: read
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
         with:
           egress-policy: audit
 
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: setup go environment
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version: "1.22"
       - name: Run tidy
@@ -86,14 +86,14 @@ jobs:
           make install ratify-config install-bats
           make test-e2e-cli GOCOVERDIR=${GITHUB_WORKSPACE}/test/e2e/.cover
       - name: Upload coverage to codecov.io
-        uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0
+        uses: codecov/codecov-action@7f8b4b4bde536c465e797be725718b88c5d95e0e # v5.1.1
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
   markdown-link-check:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
         with:
           egress-policy: audit
 
diff --git a/.github/workflows/e2e-k8s.yml b/.github/workflows/e2e-k8s.yml
index 2d911b56bf..9d6465244d 100644
--- a/.github/workflows/e2e-k8s.yml
+++ b/.github/workflows/e2e-k8s.yml
@@ -9,12 +9,12 @@ on:
       k8s_version:
         description: "Kubernetes version"
         required: true
-        default: "1.29.2"
+        default: "1.30.6"
         type: string
       gatekeeper_version:
         description: "Gatekeeper version"
         required: true
-        default: "3.17.0"
+        default: "3.18.0"
         type: string
 
 jobs:
@@ -26,14 +26,14 @@ jobs:
       contents: read
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
         with:
           egress-policy: audit
 
       - name: Check out code into the Go module directory
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Set up Go 1.22
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version: "1.22"
       - name: Restore Trivy cache
diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml
index f6eaa93318..d74fea83b2 100644
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -15,16 +15,16 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
         with:
           egress-policy: audit
 
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version: "1.22"
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: golangci-lint
         uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
         with:
-          version: v1.59.1
+          version: v1.62.2
           args: --timeout=10m
diff --git a/.github/workflows/high-availability.yml b/.github/workflows/high-availability.yml
index be52813548..d4326df6b4 100644
--- a/.github/workflows/high-availability.yml
+++ b/.github/workflows/high-availability.yml
@@ -27,17 +27,17 @@ jobs:
       contents: read
     strategy:
       matrix:
-        DAPR_VERSION: ["1.13.2"]
+        DAPR_VERSION: ["1.14.4"]
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
         with:
           egress-policy: audit
 
       - name: Check out code into the Go module directory
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Set up Go 1.22
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version: "1.22"
 
diff --git a/.github/workflows/pr-to-main.yml b/.github/workflows/pr-to-main.yml
index 325158903e..df966cf9e8 100644
--- a/.github/workflows/pr-to-main.yml
+++ b/.github/workflows/pr-to-main.yml
@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
         with:
           egress-policy: audit
 
diff --git a/.github/workflows/publish-charts.yml b/.github/workflows/publish-charts.yml
index fd1d16a250..aa2069e473 100644
--- a/.github/workflows/publish-charts.yml
+++ b/.github/workflows/publish-charts.yml
@@ -13,7 +13,7 @@ jobs:
       contents: write
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
         with:
           egress-policy: audit
 
diff --git a/.github/workflows/publish-cosign-sample.yml b/.github/workflows/publish-cosign-sample.yml
index 36f3a897c6..e2064dbf9f 100644
--- a/.github/workflows/publish-cosign-sample.yml
+++ b/.github/workflows/publish-cosign-sample.yml
@@ -20,7 +20,7 @@ jobs:
       id-token: write
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
         with:
           egress-policy: audit
 
diff --git a/.github/workflows/publish-dev-assets.yml b/.github/workflows/publish-dev-assets.yml
index 0426b2bf7f..4e4d1bf65c 100644
--- a/.github/workflows/publish-dev-assets.yml
+++ b/.github/workflows/publish-dev-assets.yml
@@ -17,7 +17,7 @@ jobs:
     environment: azure-publish
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
         with:
           egress-policy: audit
       - name: Checkout
@@ -37,6 +37,10 @@ jobs:
           az version
           # Key Vault: 
           az account get-access-token --scope https://vault.azure.net/.default --output none
+      - name: Prepare notation certificate
+        run: |
+          mkdir -p truststore/x509/ca/ratify-verify
+          cp ./.well-known/pki-validation/ratify-verification.crt truststore/x509/ca/ratify-verify
       - name: prepare
         id: prepare
         run: |
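Review bot: The trust anchor for the later `Verify with Notation` step is copied from the same checkout that this job builds and signs, so that verification is a post-sign self-check and not an independent control. A commit that changes `ratify-verification.crt` or `trustpolicy.json` also changes what the job accepts. A comment on the step would make that explicit, for example `# Trust anchor comes from this checkout; the verify steps below are a post-sign smoke test, not an independent check`. The same applies to the identical `Prepare notation certificate` step added to publish-package.yml.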
@@ -69,7 +73,7 @@ jobs:
           docker buildx build \
             --attest type=sbom \
             --attest type=provenance,mode=max \
-            --build-arg KUBE_VERSION="1.29.2" \
+            --build-arg KUBE_VERSION="1.30.6" \
             -f crd.Dockerfile \
             --platform linux/amd64,linux/arm64,linux/arm/v7 \
             --label org.opencontainers.image.revision=${{ github.sha }} \
@@ -138,6 +142,44 @@ jobs:
           cosign sign --yes ${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }}
           cosign sign --yes ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversionrolling }}
           cosign sign --yes ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversion }}
+      - name: Verify with Notation
+        uses: notaryproject/notation-action/verify@03242349f62aeddc995e12c6fbcea3b87697873f # v1.2.0
+        with:
+          target_artifact_reference: |-
+            ${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }}
+            ${{ steps.prepare.outputs.baseref }}:${{ steps.prepare.outputs.version }}
+            ${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }}
+            ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversionrolling }}
+            ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversion }}
+          trust_policy: ./.well-known/pki-validation/trustpolicy.json
+          trust_store: truststore
+      - name: Verify with Cosign
+        run: |
+          cosign verify \
+            --certificate-identity-regexp "https://github.com/ratify-project/ratify/.github/workflows/publish-dev-assets.yml@*" \
+            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+            --certificate-github-workflow-repository ratify-project/ratify \
+            ${{ steps.prepare.outputs.crdref }}:${{ steps.prepare.outputs.version }}
+          cosign verify \
+            --certificate-identity-regexp "https://github.com/ratify-project/ratify/.github/workflows/publish-dev-assets.yml@*" \
+            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+            --certificate-github-workflow-repository ratify-project/ratify \
+            ${{ steps.prepare.outputs.baseref }}:${{ steps.prepare.outputs.version }}
+          cosign verify \
+            --certificate-identity-regexp "https://github.com/ratify-project/ratify/.github/workflows/publish-dev-assets.yml@*" \
+            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+            --certificate-github-workflow-repository ratify-project/ratify \
+            ${{ steps.prepare.outputs.ref }}:${{ steps.prepare.outputs.version }}
+          cosign verify \
+            --certificate-identity-regexp "https://github.com/ratify-project/ratify/.github/workflows/publish-dev-assets.yml@*" \
+            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+            --certificate-github-workflow-repository ratify-project/ratify \
+            ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversionrolling }}
+          cosign verify \
+            --certificate-identity-regexp "https://github.com/ratify-project/ratify/.github/workflows/publish-dev-assets.yml@*" \
+            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+            --certificate-github-workflow-repository ratify-project/ratify \
+            ${{ steps.prepare.outputs.chartrepo }}/ratify:${{ steps.prepare.outputs.semversion }}
       - name: clear
         if: always()
         run: |
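Review bot: The value passed to `--certificate-identity-regexp` in each of the five `cosign verify` calls is written like a glob, but cosign reads it as a Go regular expression. There the trailing `@*` means "zero or more `@`", every `.` matches any character, and the pattern has no `^`/`$` anchors, so it most likely accepts any identity that merely contains the workflow path. The issuer and `--certificate-github-workflow-repository` checks narrow this, but the identity check itself is much looser than it reads. I would anchor and escape it, for example `--certificate-identity-regexp '^https://github\.com/ratify-project/ratify/\.github/workflows/publish-dev-assets\.yml@refs/.+$' \`, narrowed further to the refs this workflow publishes from. The same pattern appears in the `Verify with Cosign` step added to publish-package.yml.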
diff --git a/.github/workflows/publish-package.yml b/.github/workflows/publish-package.yml
index 11bee4cee2..e8036f28a2 100644
--- a/.github/workflows/publish-package.yml
+++ b/.github/workflows/publish-package.yml
@@ -14,13 +14,34 @@ jobs:
     permissions:
       packages: write
       contents: read
+      id-token: write
+    environment: azure-publish
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
         with:
           egress-policy: audit
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      - name: Install Notation
+        uses: notaryproject/notation-action/setup@03242349f62aeddc995e12c6fbcea3b87697873f # v1.2.0
+      - name: Install cosign
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+      - name: Az CLI login
+        uses: azure/login@a65d910e8af852a8061c627c456678983e180302 # v2.2.0
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+      - name: Cache AAD tokens
+        run: |
+          az version
+          # Key Vault: 
+          az account get-access-token --scope https://vault.azure.net/.default --output none
+      - name: Prepare notation certificate
+        run: |
+          mkdir -p truststore/x509/ca/ratify-verify
+          cp ./.well-known/pki-validation/ratify-verification.crt truststore/x509/ca/ratify-verify
       - name: prepare
         id: prepare
         run: |
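Review bot: The Harden Runner step at the top of this job still runs with `egress-policy: audit`, which only records outbound connections, while the job now gains `id-token: write`, the `azure-publish` environment and a Key Vault access token. For a job that can request signing operations, it is worth moving to `egress-policy: block` with an `allowed-endpoints` list built from the audit results. The workflow's triggers are outside this hunk, so confirm that only trusted refs can reach this job. As a matter of style, the `actions/checkout` pin on the context line lacks the `# v4.2.2` comment that the other workflows carry.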
@@ -51,7 +72,7 @@ jobs:
           docker buildx build \
             --attest type=sbom \
             --attest type=provenance,mode=max \
-            --build-arg KUBE_VERSION="1.29.2" \
+            --build-arg KUBE_VERSION="1.30.6" \
             -f crd.Dockerfile \
             --platform linux/amd64,linux/arm64,linux/arm/v7 \
             --label org.opencontainers.image.revision=${{ github.sha }} \
@@ -83,6 +104,49 @@ jobs:
             --label org.opencontainers.image.revision=${{ github.sha }} \
             -t ${{ steps.prepare.outputs.ref }} \
             --push .
+      - name: Sign with Notation
+        uses: notaryproject/notation-action/sign@03242349f62aeddc995e12c6fbcea3b87697873f # v1.2.0
+        with:
+          plugin_name: azure-kv
+          plugin_url: ${{ vars.AZURE_KV_PLUGIN_URL }}
+          plugin_checksum: ${{ vars.AZURE_KV_CHECKSUM }}
+          key_id: ${{ secrets.AZURE_KV_KEY_ID }}
+          target_artifact_reference: |-
+            ${{ steps.prepare.outputs.crdref }}
+            ${{ steps.prepare.outputs.baseref }}
+            ${{ steps.prepare.outputs.ref }}
+          signature_format: cose
+      - name: Sign with Cosign
+        run: |
+          cosign sign --yes ${{ steps.prepare.outputs.crdref }}
+          cosign sign --yes ${{ steps.prepare.outputs.baseref }}
+          cosign sign --yes ${{ steps.prepare.outputs.ref }}
+      - name: Verify with Notation
+        uses: notaryproject/notation-action/verify@03242349f62aeddc995e12c6fbcea3b87697873f # v1.2.0
+        with:
+          target_artifact_reference: |-
+            ${{ steps.prepare.outputs.crdref }}
+            ${{ steps.prepare.outputs.baseref }}
+            ${{ steps.prepare.outputs.ref }}
+          trust_policy: ./.well-known/pki-validation/trustpolicy.json
+          trust_store: truststore
+      - name: Verify with Cosign
+        run: |
+          cosign verify \
+            --certificate-identity-regexp "https://github.com/ratify-project/ratify/.github/workflows/publish-package.yml@*" \
+            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+            --certificate-github-workflow-repository ratify-project/ratify \
+            ${{ steps.prepare.outputs.crdref }}
+          cosign verify \
+            --certificate-identity-regexp "https://github.com/ratify-project/ratify/.github/workflows/publish-package.yml@*" \
+            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+            --certificate-github-workflow-repository ratify-project/ratify \
+            ${{ steps.prepare.outputs.baseref }}
+          cosign verify \
+            --certificate-identity-regexp "https://github.com/ratify-project/ratify/.github/workflows/publish-package.yml@*" \
+            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+            --certificate-github-workflow-repository ratify-project/ratify \
+            ${{ steps.prepare.outputs.ref }}
       - name: clear
         if: always()
         run: |
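Review bot: The new sign and verify steps address the images through `steps.prepare.outputs.crdref`, `baseref` and `ref`, which appear to be tag references because `ref` is passed to `-t` just above. A tag can be re-pointed between the push and the signing call, so the signature may land on a different digest than the one this job built. Capturing the digest from each `docker buildx build` (for example with `--metadata-file`) and signing by digest, as in `cosign sign --yes "<repo>@<digest>"` with placeholders filled from that output, closes the gap; the notation `target_artifact_reference` entries would change the same way. Separately, `plugin_url` and `plugin_checksum` both come from repository variables, so the checksum can change along with the URL outside code review. Pinning the checksum in the workflow file would make it reviewable.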
diff --git a/.github/workflows/publish-sample.yml b/.github/workflows/publish-sample.yml
index 52981797d2..54a2157a2b 100644
--- a/.github/workflows/publish-sample.yml
+++ b/.github/workflows/publish-sample.yml
@@ -19,7 +19,7 @@ jobs:
       packages: write
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
         with:
           egress-policy: audit
 
diff --git a/.github/workflows/quick-start.yml b/.github/workflows/quick-start.yml
index 1655d725fc..c8c224c64a 100644
--- a/.github/workflows/quick-start.yml
+++ b/.github/workflows/quick-start.yml
@@ -27,17 +27,17 @@ jobs:
       contents: read
     strategy:
       matrix:
-        KUBERNETES_VERSION: ["1.29.2"]
+        KUBERNETES_VERSION: ["1.30.6"]
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
         with:
           egress-policy: audit
 
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: setup go environment
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version: "1.22"
       - name: Run tidy
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5479ad24cd..23ad45fd4b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -16,7 +16,7 @@ jobs:
       contents: write
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
         with:
           egress-policy: audit
 
@@ -26,10 +26,10 @@ jobs:
           fetch-depth: 0
 
       - name: Install Syft
-        uses: anchore/sbom-action/download-syft@fc46e51fd3cb168ffb36c6d1915723c47db58abb # v0.17.7
+        uses: anchore/sbom-action/download-syft@df80a981bc6edbc4e220a492d3cbe9f5547a6e75 # v0.17.9
 
       - name: Set up Go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version: "1.22"
 
diff --git a/.github/workflows/run-full-validation.yml b/.github/workflows/run-full-validation.yml
index 4b2c13f193..b1f3042feb 100644
--- a/.github/workflows/run-full-validation.yml
+++ b/.github/workflows/run-full-validation.yml
@@ -26,8 +26,8 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        KUBERNETES_VERSION: ["1.28.12", "1.29.2"]
-        GATEKEEPER_VERSION: ["3.15.0", "3.16.0", "3.17.0"]
+        KUBERNETES_VERSION: ["1.29.10", "1.30.6"]
+        GATEKEEPER_VERSION: ["3.16.0", "3.17.0", "3.18.0"]
     uses: ./.github/workflows/e2e-k8s.yml
     with:
       k8s_version: ${{ matrix.KUBERNETES_VERSION }}
@@ -41,8 +41,8 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        KUBERNETES_VERSION: ["1.28.12", "1.29.2"]
-        GATEKEEPER_VERSION: ["3.15.0", "3.16.0", "3.17.0"]
+        KUBERNETES_VERSION: ["1.29.10", "1.30.6"]
+        GATEKEEPER_VERSION: ["3.16.0", "3.17.0", "3.18.0"]
     uses: ./.github/workflows/e2e-aks.yml
     with:
       k8s_version: ${{ matrix.KUBERNETES_VERSION }}
@@ -58,14 +58,14 @@ jobs:
     environment: azure-test
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
         with:
           egress-policy: audit
 
       - name: Check out code into the Go module directory
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Set up Go 1.22
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version: "1.22"
 
diff --git a/.github/workflows/scan-vulns.yaml b/.github/workflows/scan-vulns.yaml
index fc9d9c9a9a..1d0b85298d 100644
--- a/.github/workflows/scan-vulns.yaml
+++ b/.github/workflows/scan-vulns.yaml
@@ -23,11 +23,11 @@ jobs:
     timeout-minutes: 15
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
         with:
           egress-policy: audit
 
-      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
+      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
         with:
           go-version: "1.22"
           check-latest: true
@@ -41,7 +41,7 @@ jobs:
       TRIVY_VERSION: 0.49.1
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
         with:
           egress-policy: audit
 
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index 2614909122..94cc48a171 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -30,7 +30,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
         with:
           egress-policy: audit
 
@@ -55,6 +55,6 @@ jobs:
           retention-days: 5
 
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@396bb3e45325a47dd9ef434068033c6d5bb0d11a # tag=v3.27.3
+        uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # tag=v3.27.9
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/sync-gh-pages.yml b/.github/workflows/sync-gh-pages.yml
index 54a05e0cbc..55069d724c 100644
--- a/.github/workflows/sync-gh-pages.yml
+++ b/.github/workflows/sync-gh-pages.yml
@@ -17,7 +17,7 @@ jobs:
       repository-projects: write
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
         with:
           egress-policy: audit
 
diff --git a/.github/workflows/update-trivy-cache.yml b/.github/workflows/update-trivy-cache.yml
index 6d2fea0bed..15e411b39e 100644
--- a/.github/workflows/update-trivy-cache.yml
+++ b/.github/workflows/update-trivy-cache.yml
@@ -36,7 +36,7 @@ jobs:
             rm db.tar.gz
 
       - name: Cache DBs
-        uses: actions/cache/save@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
+        uses: actions/cache/save@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         with:
           path: ${{ github.workspace }}/.cache/trivy
           key: cache-trivy-${{ steps.date.outputs.date }}
\ No newline at end of file
diff --git a/.well-known/pki-validation/trustpolicy.json b/.well-known/pki-validation/trustpolicy.json
new file mode 100644
index 0000000000..779f096a5b
--- /dev/null
+++ b/.well-known/pki-validation/trustpolicy.json
@@ -0,0 +1,24 @@
+{
+    "version": "1.0",
+    "trustPolicies": [
+        {
+            "name": "ratify-images",
+            "registryScopes": [
+                "ghcr.io/ratify-project/ratify",
+                "ghcr.io/ratify-project/ratify-base",
+                "ghcr.io/ratify-project/ratify-crds",
+                "ghcr.io/ratify-project/ratify-dev",
+                "ghcr.io/ratify-project/ratify-base-dev",
+                "ghcr.io/ratify-project/ratify-crds-dev",
+                "ghcr.io/ratify-project/ratify-chart-dev/ratify"
+            ],
+            "signatureVerification": {
+                "level" : "strict" 
+            },
+            "trustStores": [ "ca:ratify-verify" ],
+            "trustedIdentities": [
+                "x509.subject: CN=ratify.dev,O=ratify-project,L=Seattle,ST=WA,C=US"
+            ]
+        }
+    ]
+}
\ No newline at end of file
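Review bot: The single `ratify-images` policy lists the release repositories and the `-dev` repositories together under one trust store and one trusted identity. Anyone who adopts this file therefore accepts a signature from that certificate equally for dev and release scopes. If dev and release artifacts are ever meant to be signed with different keys, splitting this into two entries in `trustPolicies`, each with its own `registryScopes`, would let consumers tell them apart. JSON cannot carry comments, so the intended use of this file is best described in the release documentation. As a matter of style, `"level" : "strict" ` has stray spacing and the file has no final newline.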
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index b634fac3a4..7ac0a452b6 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -207,7 +207,7 @@ export REGISTRY=yourregistry
 docker buildx create --use
 
 docker buildx build -f httpserver/Dockerfile --platform linux/amd64 --build-arg build_sbom=true --build-arg build_licensechecker=true --build-arg build_schemavalidator=true --build-arg build_vulnerabilityreport=true -t ${REGISTRY}/ratify-project/ratify:yourtag .
-docker build --progress=plain --build-arg KUBE_VERSION="1.29.2" --build-arg TARGETOS="linux" --build-arg TARGETARCH="amd64" -f crd.Dockerfile -t ${REGISTRY}/localbuildcrd:yourtag ./charts/ratify/crds
+docker build --progress=plain --build-arg KUBE_VERSION="1.30.6" --build-arg TARGETOS="linux" --build-arg TARGETARCH="amd64" -f crd.Dockerfile -t ${REGISTRY}/localbuildcrd:yourtag ./charts/ratify/crds
 ```
 
 #### [Authenticate](https://docs.docker.com/engine/reference/commandline/login/#usage) with your registry,  and push the newly built image
diff --git a/Makefile b/Makefile
index fde9cad09b..1bfc547fd2 100644
--- a/Makefile
+++ b/Makefile
@@ -25,33 +25,33 @@ LDFLAGS += -X $(GO_PKG)/internal/version.GitCommitHash=$(GIT_COMMIT_HASH)
 LDFLAGS += -X $(GO_PKG)/internal/version.GitTreeState=$(GIT_TREE_STATE)
 LDFLAGS += -X $(GO_PKG)/internal/version.GitTag=$(GIT_TAG)
 
-KIND_VERSION ?= 0.22.0
-KUBERNETES_VERSION ?= 1.29.2
-KIND_KUBERNETES_VERSION ?= 1.29.2
-GATEKEEPER_VERSION ?= 3.17.0
-DAPR_VERSION ?= 1.12.5
-COSIGN_VERSION ?= 2.2.3
+KIND_VERSION ?= 0.25.0
+KUBERNETES_VERSION ?= 1.30.6
+KIND_KUBERNETES_VERSION ?= 1.30.6
+GATEKEEPER_VERSION ?= 3.18.0
+DAPR_VERSION ?= 1.14.4
+COSIGN_VERSION ?= 2.4.1
 NOTATION_VERSION ?= 1.2.0
-ORAS_VERSION ?= 1.1.0
+ORAS_VERSION ?= 1.2.1
 
-HELM_VERSION ?= 3.14.2
-HELMFILE_VERSION ?= 0.162.0
+HELM_VERSION ?= 3.16.3
+HELMFILE_VERSION ?= 0.169.2
 BATS_BASE_TESTS_FILE ?= test/bats/base-test.bats
 BATS_PLUGIN_TESTS_FILE ?= test/bats/plugin-test.bats
 BATS_CLI_TESTS_FILE ?= test/bats/cli-test.bats
 BATS_QUICKSTART_TESTS_FILE ?= test/bats/quickstart-test.bats
 BATS_HA_TESTS_FILE ?= test/bats/high-availability.bats
-BATS_VERSION ?= 1.10.0
-SYFT_VERSION ?= v1.0.0
-YQ_VERSION ?= v4.42.1
+BATS_VERSION ?= 1.11.1
+SYFT_VERSION ?= v1.18.0
+YQ_VERSION ?= v4.44.6
 YQ_BINARY ?= yq_linux_amd64
 ALPINE_IMAGE ?= alpine@sha256:93d5a28ff72d288d69b5997b8ba47396d2cbb62a72b5d87cd3351094b5d578a0
 ALPINE_IMAGE_VULNERABLE ?= alpine@sha256:25fad2a32ad1f6f510e528448ae1ec69a28ef81916a004d3629874104f8a7f70
-REDIS_IMAGE_TAG ?= 7.0-debian-11
+REDIS_IMAGE_TAG ?= 7.4-debian-12
 CERT_ROTATION_ENABLED ?= false
 REGO_POLICY_ENABLED ?= false
-SBOM_TOOL_VERSION ?=v2.2.3
-TRIVY_VERSION ?= 0.49.1
+SBOM_TOOL_VERSION ?=v2.2.9
+TRIVY_VERSION ?= 0.58.0
 
 GATEKEEPER_NAMESPACE = gatekeeper-system
 RATIFY_NAME = ratify
@@ -202,7 +202,7 @@ e2e-dependencies:
 	# Download and install kind
 	curl -L https://github.com/kubernetes-sigs/kind/releases/download/v${KIND_VERSION}/kind-linux-amd64 --output ${GITHUB_WORKSPACE}/bin/kind && chmod +x ${GITHUB_WORKSPACE}/bin/kind
 	# Download and install kubectl
-	curl -L https://storage.googleapis.com/kubernetes-release/release/v${KUBERNETES_VERSION}/bin/linux/amd64/kubectl --output ${GITHUB_WORKSPACE}/bin/kubectl && chmod +x ${GITHUB_WORKSPACE}/bin/kubectl
+	curl -L https://dl.k8s.io/release/v${KUBERNETES_VERSION}/bin/linux/amd64/kubectl --output ${GITHUB_WORKSPACE}/bin/kubectl && chmod +x ${GITHUB_WORKSPACE}/bin/kubectl
 	# Download and install bats
 	curl -sSLO https://github.com/bats-core/bats-core/archive/v${BATS_VERSION}.tar.gz && tar -zxvf v${BATS_VERSION}.tar.gz && bash bats-core-${BATS_VERSION}/install.sh ${GITHUB_WORKSPACE}
 	# Download and install jq
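Review bot: The changed kubectl download is still made executable without an integrity check and without `-f`, so an HTTP error body or a truncated file would be installed as `kubectl`. dl.k8s.io publishes a `kubectl.sha256` next to each binary; add `curl -fsSL https://dl.k8s.io/release/v${KUBERNETES_VERSION}/bin/linux/amd64/kubectl.sha256 -o kubectl.sha256` and `echo "$$(cat kubectl.sha256)  ${GITHUB_WORKSPACE}/bin/kubectl" | sha256sum -c` before the `chmod +x`. A checksum fetched from the same host mainly catches corruption; pinning the expected digest in the repository would be stronger. The same applies to the `curl -LO` line in the second crd.Dockerfile hunk, and the `e2e-dependencies` recipe continues outside this hunk.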
diff --git a/RELEASES.md b/RELEASES.md
index 1069f3f1f3..28d6754ace 100644
--- a/RELEASES.md
+++ b/RELEASES.md
@@ -92,13 +92,13 @@ After a successful release, please prepare a [PR](https://github.com/ratify-proj
 * Contributors MUST select the `Helm Chart Change` option under the `Type of Change` section if there is ANY update to the helm chart that is required for proposed changes in PR.
 * Maintainers MUST manually trigger the "Publish Package" workflow after merging any PR that indicates `Helm Chart Change`
   * Go to the `Actions` tab for the Ratify repository
-  * Select `publish-ghcr` option from list of workflows on left pane
+  * Select `publish-dev-assets` option from list of workflows on left pane
   * Select the `Run workflow` drop down on the right side above the list of action runs
-  * Choose `Branch: main`
+  * Choose `Branch: dev`
   * Select `Run workflow`
 * Process to Request an off-schedule dev build be published
   * Submit a new feature request issue prefixed with `[Dev Build Request]`
-  * In the the `What this PR does / why we need it` section, briefly explain why an off schedule build is needed
+  * In the the `What would you like to be added?` section, briefly explain why an off schedule build is needed
   * Once issue is created, post in the `#ratify` slack channel and tag the maintainers
   * Maintainers should acknowledge request by approving/denying request as a follow up comment
 
diff --git a/charts/ratify/README.md b/charts/ratify/README.md
index 7dc6ee02d2..82a49c1166 100644
--- a/charts/ratify/README.md
+++ b/charts/ratify/README.md
@@ -79,7 +79,7 @@ Values marked `# DEPRECATED` in the `values.yaml` as well as **DEPRECATED** in t
 | serviceAccount.create                              | Create new dedicated Ratify service account                                                                                                                                                                                                                                                                                                                            | `true`                            |
 | serviceAccount.name                                | Name of Ratify service account to create                                                                                                                                                                                                                                                                                                                               | `ratify-admin`                    |
 | serviceAccount.annotations                         | Annotations to add to the service account                                                                                                                                                                                                                                                                                                                              | `{}`                              |
-| gatekeeper.version                                 | Determines the Gatekeeper CRD versioning                                                                                                                                                                                                                                                                                                                               | `3.17.0`                          |
+| gatekeeper.version                                 | Determines the Gatekeeper CRD versioning                                                                                                                                                                                                                                                                                                                               | `3.18.0`                          |
 | gatekeeper.namespace                               | Namespace Gatekeeper is installed                                                                                                                                                                                                                                                                                                                                      | `gatekeeper-system`               |
 | instrumentation.metricsEnabled                     | Initializes the configured metrics provider                                                                                                                                                                                                                                                                                                                            | `true`                            |
 | instrumentation.metricsType                        | Specifies the metrics provider type                                                                                                                                                                                                                                                                                                                                    | `prometheus`                      |
diff --git a/charts/ratify/templates/_helpers.tpl b/charts/ratify/templates/_helpers.tpl
index cc56acb9e1..db0e4da187 100644
--- a/charts/ratify/templates/_helpers.tpl
+++ b/charts/ratify/templates/_helpers.tpl
@@ -8,7 +8,13 @@ Expand the name of the chart.
 
 {{- define "ratify.podLabels" -}}
 {{- if .Values.podLabels }}
-{{- toYaml .Values.podLabels | nindent 8 }}
+{{- toYaml .Values.podLabels }}
+{{- end }}
+{{- end }}
+
+{{- define "ratify.podAnnotations" -}}
+{{- if .Values.podAnnotations }}
+{{- toYaml .Values.podAnnotations }}
 {{- end }}
 {{- end }}
 
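Review bot: `ratify.podLabels` no longer indents its own output and the new `ratify.podAnnotations` follows the same convention, but neither helper documents this, so a caller that omits `| nindent N` renders the keys at the wrong level. Add a template comment above each define in the style of the existing "Expand the name of the chart." header, e.g. `{{/* Pod labels from .Values.podLabels as unindented YAML; callers pipe the result through nindent. */}}`. The upgrade-crds-hook.yaml hunk still renders `.Values.podAnnotations` with `toYaml` directly; switching it to `{{- include "ratify.podAnnotations" . | nindent 8 }}` would keep both pod templates on one code path.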
diff --git a/charts/ratify/templates/deployment.yaml b/charts/ratify/templates/deployment.yaml
index 46ed544ae8..3c3a630eef 100644
--- a/charts/ratify/templates/deployment.yaml
+++ b/charts/ratify/templates/deployment.yaml
@@ -13,11 +13,13 @@ spec:
   template:
     metadata:
       labels:
+        {{- include "ratify.podLabels" . | nindent 8 }}
         {{- include "ratify.selectorLabels" . | nindent 8 }}
         {{- if ne .Values.azureWorkloadIdentity.clientId "" }}
         azure.workload.identity/use: "true"
         {{- end }}
       annotations:
+        {{- include "ratify.podAnnotations" . | nindent 8 }}
         {{- if eq .Values.instrumentation.metricsType "prometheus" }}
         prometheus.io/scrape: "true"
         prometheus.io/port: {{ .Values.instrumentation.metricsPort | quote }}
diff --git a/charts/ratify/templates/upgrade-crds-hook.yaml b/charts/ratify/templates/upgrade-crds-hook.yaml
index a843c66cca..48e21f020a 100644
--- a/charts/ratify/templates/upgrade-crds-hook.yaml
+++ b/charts/ratify/templates/upgrade-crds-hook.yaml
@@ -78,7 +78,7 @@ spec:
       annotations:
         {{- toYaml .Values.podAnnotations | trim | nindent 8 }}
       labels:
-        {{- include "ratify.podLabels" . }}
+        {{- include "ratify.podLabels" . | nindent 8 }}
         app: '{{ template "ratify.name" . }}'
         chart: '{{ template "ratify.name" . }}'
         ratify.sh/system: "yes"
diff --git a/charts/ratify/values.yaml b/charts/ratify/values.yaml
index 1b9cc4ba47..46e5ae9205 100644
--- a/charts/ratify/values.yaml
+++ b/charts/ratify/values.yaml
@@ -57,7 +57,7 @@ serviceAccount:
   annotations: {}
 
 gatekeeper:
-  version: "3.17.0"
+  version: "3.18.0"
   namespace: # default is gatekeeper-system
 instrumentation:
   metricsEnabled: true
diff --git a/cmd/ratify/cmd/serve.go b/cmd/ratify/cmd/serve.go
index ab0f872f0b..373ad12efd 100644
--- a/cmd/ratify/cmd/serve.go
+++ b/cmd/ratify/cmd/serve.go
@@ -118,7 +118,7 @@ func serve(opts serveCmdOptions) error {
 		if err != nil {
 			return err
 		}
-		logrus.Infof("starting server at" + opts.httpServerAddress)
+		logrus.Infof("starting server at %s", opts.httpServerAddress)
 		if err := server.Run(nil); err != nil {
 			return err
 		}
diff --git a/config/config.go b/config/config.go
index 7bc3e0f9f5..e2a556c4f0 100644
--- a/config/config.go
+++ b/config/config.go
@@ -52,6 +52,7 @@ type Config struct {
 	PoliciesConfig  pcConfig.PoliciesConfig  `json:"policy,omitempty"`
 	VerifiersConfig vfConfig.VerifiersConfig `json:"verifier,omitempty"`
 	ExecutorConfig  exConfig.ExecutorConfig  `json:"executor,omitempty"`
+	CRLConfig       CRLConfig                `json:"crl,omitempty"`
 	LoggerConfig    logger.Config            `json:"logger,omitempty"`
 	fileHash        string                   `json:"-"`
 }
diff --git a/config/config.json b/config/config.json
index 21facc6b1b..c71a2f38e1 100644
--- a/config/config.json
+++ b/config/config.json
@@ -68,5 +68,8 @@
                 "denylistCVEs": ["CVE-2021-44228"]
             }
         ]
+    },
+    "crl": {
+        "cacheEnabled" : true
     }
 }
diff --git a/config/config_cli.json b/config/config_cli.json
index 04170bf079..5fbbffd36c 100644
--- a/config/config_cli.json
+++ b/config/config_cli.json
@@ -51,5 +51,8 @@
                 }
             }
         ]
+    },
+    "crl": {
+        "cacheEnabled" : true
     }
 }
\ No newline at end of file
diff --git a/config/crl_config.go b/config/crl_config.go
new file mode 100644
index 0000000000..6544dde344
--- /dev/null
+++ b/config/crl_config.go
@@ -0,0 +1,20 @@
+/*
+Copyright The Ratify Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package config
+
+type CRLConfig struct {
+	CacheEnabled bool `json:"cache_enabled,omitempty"`
+}
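Review bot: The struct tag `json:"cache_enabled,omitempty"` does not match the key `cacheEnabled` that this commit adds to config/config.json and config/config_cli.json. encoding/json matches field names case-insensitively but does not ignore the underscore, so if the config is decoded with encoding/json the field stays `false` and the CRL cache setting is silently dropped. Change the tag on `CacheEnabled` to `json:"cacheEnabled,omitempty"`. The exported type also has no doc comment; `// CRLConfig holds settings for certificate revocation list (CRL) handling.` above it would do.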
diff --git a/crd.Dockerfile b/crd.Dockerfile
index 6606aa0af9..d4578a4dac 100644
--- a/crd.Dockerfile
+++ b/crd.Dockerfile
@@ -11,7 +11,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
       
-FROM alpine@sha256:beefdbd8a1da6d2915566fde36db9db0b524eb737fc57cd1367effd16dc0d06d as builder
+FROM alpine@sha256:21dc6063fd678b478f57c0e13f47560d0ea4eeba26dfc947b2a4f81f686b9f45 as builder
 
 ARG TARGETOS
 ARG TARGETARCH
@@ -20,7 +20,7 @@ ARG KUBE_VERSION
 RUN echo "Ratify crd building on $TARGETOS, building for $TARGETARCH"
 
 RUN apk add --no-cache curl && \
-    curl -LO https://storage.googleapis.com/kubernetes-release/release/v${KUBE_VERSION}/bin/${TARGETOS}/${TARGETARCH}/kubectl && \
+    curl -LO https://dl.k8s.io/release/v${KUBE_VERSION}/bin/${TARGETOS}/${TARGETARCH}/kubectl && \
     chmod +x kubectl
 
 FROM scratch as build
diff --git a/dev.helmfile.yaml b/dev.helmfile.yaml
index bec894af99..896bc619c8 100644
--- a/dev.helmfile.yaml
+++ b/dev.helmfile.yaml
@@ -10,7 +10,7 @@ releases:
     namespace: gatekeeper-system
     createNamespace: true
     chart: gatekeeper/gatekeeper
-    version: 3.17.0
+    version: 3.18.0
     wait: true
     set:
       - name: enableExternalData
diff --git a/dev.high-availability.helmfile.yaml b/dev.high-availability.helmfile.yaml
index 29c40fe8ac..38bf1f0a69 100644
--- a/dev.high-availability.helmfile.yaml
+++ b/dev.high-availability.helmfile.yaml
@@ -14,13 +14,13 @@ releases:
     namespace: dapr-system
     createNamespace: true
     chart: dapr/dapr
-    version: 1.13.2
+    version: 1.14.4
     wait: true
   - name: gatekeeper
     namespace: gatekeeper-system
     createNamespace: true
     chart: gatekeeper/gatekeeper
-    version: 3.17.0
+    version: 3.18.0
     wait: true
     set:
       - name: enableExternalData
diff --git a/go.mod b/go.mod
index dbad99c359..76a85a5922 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/ratify-project/ratify
 
-go 1.22.8
+go 1.23.3
 
 // Accidentally published prior to 1.0.0 release
 retract (
@@ -9,20 +9,21 @@ retract (
 )
 
 require (
-	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0
 	github.com/Azure/azure-sdk-for-go/sdk/containers/azcontainerregistry v0.2.2
-	github.com/Azure/go-autorest/autorest/to v0.4.0
+	github.com/Azure/azure-sdk-for-go/sdk/keyvault/azcertificates v0.9.0
+	github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0
+	github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets v0.12.0
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.2.3
 	github.com/alibabacloud-go/cr-20181201/v2 v2.5.0
 	github.com/alibabacloud-go/darabonba-openapi/v2 v2.0.10
 	github.com/alibabacloud-go/tea v1.2.2
 	github.com/alibabacloud-go/tea-utils/v2 v2.0.7
-	github.com/aliyun/credentials-go v1.3.10
-	github.com/aws/aws-sdk-go-v2 v1.32.4
-	github.com/aws/aws-sdk-go-v2/config v1.27.43
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.44
+	github.com/aliyun/credentials-go v1.3.11
+	github.com/aws/aws-sdk-go-v2 v1.32.6
+	github.com/aws/aws-sdk-go-v2/config v1.28.6
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.47
 	github.com/aws/aws-sdk-go-v2/service/ecr v1.28.6
 	github.com/cespare/xxhash/v2 v2.3.0
 	github.com/dapr/go-sdk v1.8.0
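Review bot: The three new direct requirements `sdk/keyvault/azcertificates v0.9.0`, `sdk/keyvault/azkeys v0.10.0` and `sdk/keyvault/azsecrets v0.12.0` use the older `sdk/keyvault/...` module paths, which to my knowledge upstream has deprecated in favour of `sdk/security/keyvault/...`. The go.sum in this same diff already carries `sdk/security/keyvault/azkeys v1.1.0` as a context line. Requiring the `sdk/security/keyvault/azcertificates`, `.../azkeys` and `.../azsecrets` modules instead would keep the Key Vault clients on a path that still receives fixes; the import changes this needs are outside this hunk. Confirm against the upstream deprecation notice before merging.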
@@ -35,8 +36,8 @@ require (
 	github.com/golang/protobuf v1.5.4
 	github.com/google/go-containerregistry v0.20.2
 	github.com/gorilla/mux v1.8.1
-	github.com/notaryproject/notation-core-go v1.2.0-rc.1
-	github.com/notaryproject/notation-go v1.3.0-rc.1
+	github.com/notaryproject/notation-core-go v1.2.0-rc.2
+	github.com/notaryproject/notation-go v1.3.0-rc.2
 	github.com/notaryproject/notation-plugin-framework-go v1.0.0
 	github.com/open-policy-agent/cert-controller v0.8.0
 	github.com/open-policy-agent/frameworks/constraint v0.0.0-20230411224310-3f237e2710fa
@@ -46,17 +47,17 @@ require (
 	github.com/owenrumney/go-sarif/v2 v2.3.3
 	github.com/pkg/errors v0.9.1
 	github.com/sigstore/cosign/v2 v2.2.4
-	github.com/sigstore/sigstore v1.8.10
+	github.com/sigstore/sigstore v1.8.11
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spdx/tools-golang v0.5.5
 	github.com/spf13/cobra v1.8.1
 	github.com/xlab/treeprint v1.1.0
 	go.opentelemetry.io/otel/exporters/prometheus v0.49.0
-	go.opentelemetry.io/otel/metric v1.28.0
+	go.opentelemetry.io/otel/metric v1.29.0
 	go.opentelemetry.io/otel/sdk/metric v1.27.0
-	golang.org/x/sync v0.8.0
-	google.golang.org/grpc v1.66.3
-	google.golang.org/protobuf v1.34.2
+	golang.org/x/sync v0.10.0
+	google.golang.org/grpc v1.68.1
+	google.golang.org/protobuf v1.35.2
 	k8s.io/api v0.28.15
 	k8s.io/apimachinery v0.28.15
 	k8s.io/client-go v0.28.15
@@ -64,12 +65,13 @@ require (
 )
 
 require (
-	cloud.google.com/go/compute/metadata v0.3.0 // indirect
+	cloud.google.com/go/compute/metadata v0.5.2 // indirect
 	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0 // indirect
+	github.com/Azure/azure-sdk-for-go v68.0.0+incompatible // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 // indirect
 	github.com/Azure/go-autorest/autorest/azure/auth v0.5.12 // indirect
 	github.com/Azure/go-autorest/autorest/azure/cli v0.4.6 // indirect
-	github.com/Azure/go-autorest/autorest/validation v0.3.1 // indirect
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c // indirect
@@ -86,8 +88,7 @@ require (
 	github.com/alibabacloud-go/tea-xml v1.1.3 // indirect
 	github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.23.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/kms v1.31.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1 // indirect
 	github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8 // indirect
 	github.com/chrismellard/docker-credential-acr-env v0.0.0-20230304212654-82a0ddb27589 // indirect
 	github.com/clbanning/mxj/v2 v2.7.0 // indirect
@@ -113,7 +114,7 @@ require (
 	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
 	github.com/miekg/pkcs11 v1.1.1 // indirect
 	github.com/mozillazg/docker-credential-acr-helper v0.3.0 // indirect
-	github.com/notaryproject/tspclient-go v0.2.0 // indirect
+	github.com/notaryproject/tspclient-go v1.0.0-rc.1 // indirect
 	github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 // indirect
 	github.com/sagikazarmark/locafero v0.4.0 // indirect
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
@@ -128,31 +129,31 @@ require (
 	github.com/tjfoc/gmsm v1.4.1 // indirect
 	github.com/xanzy/go-gitlab v0.102.0 // indirect
 	github.com/yashtewari/glob-intersection v0.2.0 // indirect
-	go.step.sm/crypto v0.44.2 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 // indirect
+	go.step.sm/crypto v0.54.2 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28 // indirect
 	gotest.tools/v3 v3.1.0 // indirect
-	sigs.k8s.io/release-utils v0.7.7 // indirect
+	sigs.k8s.io/release-utils v0.8.5 // indirect
 )
 
 require (
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
-	github.com/Azure/go-autorest/autorest v0.11.29
+	github.com/Azure/go-autorest/autorest v0.11.29 // indirect
 	github.com/Azure/go-autorest/autorest/adal v0.9.24 // indirect
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
 	github.com/OneOfOne/xxhash v1.2.8 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.19 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.23 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.23 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.21 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.25 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.25 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.24.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.32.4 // indirect
-	github.com/aws/smithy-go v1.22.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.24.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.33.2 // indirect
+	github.com/aws/smithy-go v1.22.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver v3.5.1+incompatible // indirect
 	github.com/bshuster-repo/logrus-logstash-hook v1.1.0
@@ -177,7 +178,7 @@ require (
 	github.com/go-openapi/validate v0.24.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v4 v4.5.1 // indirect
-	github.com/golang/glog v1.2.1 // indirect
+	github.com/golang/glog v1.2.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/certificate-transparency-go v1.1.8 // indirect
@@ -189,7 +190,7 @@ require (
 	github.com/in-toto/in-toto-golang v0.9.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 // indirect
-	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/compress v1.17.9 // indirect
@@ -204,7 +205,7 @@ require (
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
-	github.com/pelletier/go-toml/v2 v2.1.0 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.2 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/prometheus/client_golang v1.20.5
@@ -215,11 +216,11 @@ require (
 	github.com/sassoftware/relic v7.2.1+incompatible // indirect
 	github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
-	github.com/sigstore/rekor v1.3.6
+	github.com/sigstore/rekor v1.3.7
 	github.com/spf13/afero v1.11.0 // indirect
-	github.com/spf13/cast v1.6.0 // indirect
+	github.com/spf13/cast v1.7.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/spf13/viper v1.18.2 // indirect
+	github.com/spf13/viper v1.19.0 // indirect
 	github.com/stretchr/testify v1.9.0
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/syndtr/goleveldb v1.0.1-0.20220721030215-126854af5e6d // indirect
@@ -227,27 +228,27 @@ require (
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 	github.com/transparency-dev/merkle v0.0.2 // indirect
 	github.com/vbatts/tar-split v0.11.5 // indirect
-	github.com/veraison/go-cose v1.2.1 // indirect
+	github.com/veraison/go-cose v1.3.0 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0
 	go.mongodb.org/mongo-driver v1.14.0 // indirect
-	go.opentelemetry.io/otel v1.28.0
+	go.opentelemetry.io/otel v1.29.0
 	go.opentelemetry.io/otel/sdk v1.28.0
-	go.opentelemetry.io/otel/trace v1.28.0 // indirect
+	go.opentelemetry.io/otel/trace v1.29.0 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	golang.org/x/crypto v0.28.0
-	golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3 // indirect
-	golang.org/x/mod v0.21.0 // indirect
-	golang.org/x/net v0.29.0 // indirect
-	golang.org/x/oauth2 v0.23.0 // indirect
-	golang.org/x/sys v0.26.0 // indirect
-	golang.org/x/term v0.25.0 // indirect
-	golang.org/x/text v0.19.0 // indirect
-	golang.org/x/time v0.6.0 // indirect
+	golang.org/x/crypto v0.31.0
+	golang.org/x/exp v0.0.0-20240325151524-a685a6edb6d8 // indirect
+	golang.org/x/mod v0.22.0 // indirect
+	golang.org/x/net v0.31.0 // indirect
+	golang.org/x/oauth2 v0.24.0 // indirect
+	golang.org/x/sys v0.28.0 // indirect
+	golang.org/x/term v0.27.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
+	golang.org/x/time v0.8.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
@@ -255,9 +256,9 @@ require (
 	gopkg.in/yaml.v3 v3.0.1
 	k8s.io/apiextensions-apiserver v0.27.7 // indirect
 	k8s.io/component-base v0.27.7 // indirect
-	k8s.io/klog/v2 v2.120.1 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
-	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
+	k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 // indirect
 	sigs.k8s.io/controller-runtime v0.15.3
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.3.0 // indirect
diff --git a/go.sum b/go.sum
index c7be23e9a1..660ea4a930 100644
--- a/go.sum
+++ b/go.sum
@@ -1,11 +1,18 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go v0.112.1 h1:uJSeirPke5UNZHIb4SxfZklVSiWWVqW4oXlETwZziwM=
-cloud.google.com/go/compute/metadata v0.3.0 h1:Tz+eQXMEqDIKRsmY3cHTL6FVaynIjX2QxYC4trgAKZc=
-cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
-cloud.google.com/go/iam v1.1.6 h1:bEa06k05IO4f4uJonbB5iAgKTPpABy1ayxaIZV/GHVc=
-cloud.google.com/go/iam v1.1.6/go.mod h1:O0zxdPeGBoFdWW3HWmBxJsk0pfvNM/p/qa82rWOGTwI=
-cloud.google.com/go/kms v1.15.8 h1:szIeDCowID8th2i8XE4uRev5PMxQFqW+JjwYxL9h6xs=
-cloud.google.com/go/kms v1.15.8/go.mod h1:WoUHcDjD9pluCg7pNds131awnH429QGvRM3N/4MyoVs=
+cloud.google.com/go v0.116.0 h1:B3fRrSDkLRt5qSHWe40ERJvhvnQwdZiHu0bJOpldweE=
+cloud.google.com/go v0.116.0/go.mod h1:cEPSRWPzZEswwdr9BxE6ChEn01dWlTaF05LiC2Xs70U=
+cloud.google.com/go/auth v0.10.2 h1:oKF7rgBfSHdp/kuhXtqU/tNDr0mZqhYbEh+6SiqzkKo=
+cloud.google.com/go/auth v0.10.2/go.mod h1:xxA5AqpDrvS+Gkmo9RqrGGRh6WSNKKOXhY3zNOr38tI=
+cloud.google.com/go/auth/oauth2adapt v0.2.5 h1:2p29+dePqsCHPP1bqDJcKj4qxRyYCcbzKpFyKGt3MTk=
+cloud.google.com/go/auth/oauth2adapt v0.2.5/go.mod h1:AlmsELtlEBnaNTL7jCj8VQFLy6mbZv0s4Q7NGBeQ5E8=
+cloud.google.com/go/compute/metadata v0.5.2 h1:UxK4uu/Tn+I3p2dYWTfiX4wva7aYlKixAHn3fyqngqo=
+cloud.google.com/go/compute/metadata v0.5.2/go.mod h1:C66sj2AluDcIqakBq/M8lw8/ybHgOZqin2obFxa/E5k=
+cloud.google.com/go/iam v1.2.2 h1:ozUSofHUGf/F4tCNy/mu9tHLTaxZFLOUiKzjcgWHGIA=
+cloud.google.com/go/iam v1.2.2/go.mod h1:0Ys8ccaZHdI1dEUilwzqng/6ps2YB6vRsjIe00/+6JY=
+cloud.google.com/go/kms v1.20.1 h1:og29Wv59uf2FVaZlesaiDAqHFzHaoUyHI3HYp9VUHVg=
+cloud.google.com/go/kms v1.20.1/go.mod h1:LywpNiVCvzYNJWS9JUcGJSVTNSwPwi0vBAotzDqn2nc=
+cloud.google.com/go/longrunning v0.6.2 h1:xjDfh1pQcWPEvnfjZmwjKQEcHnpz6lHjfy7Fo0MK+hc=
+cloud.google.com/go/longrunning v0.6.2/go.mod h1:k/vIs83RN4bE3YCswdXC5PFfWVILjm3hpEUlSko4PiI=
 cuelabs.dev/go/oci/ociregistry v0.0.0-20240314152124-224736b49f2e h1:GwCVItFUPxwdsEYnlUcJ6PJxOjTeFFCKOh6QWg4oAzQ=
 cuelabs.dev/go/oci/ociregistry v0.0.0-20240314152124-224736b49f2e/go.mod h1:ApHceQLLwcOkCEXM1+DyCXTHEJhNGDpJ2kmV6axsx24=
 cuelang.org/go v0.8.1 h1:VFYsxIFSPY5KgSaH1jQ2GxHOrbu6Ga3kEI70yCZwnOg=
@@ -18,14 +25,24 @@ github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo
 github.com/AliyunContainerService/ack-ram-tool/pkg/credentials/alibabacloudsdkgo/helper v0.2.0/go.mod h1:GgeIE+1be8Ivm7Sh4RgwI42aTtC9qrcj+Y9Y6CjJhJs=
 github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU=
 github.com/Azure/azure-sdk-for-go v68.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0 h1:nyQWyZvwGTvunIMxi1Y9uXkcyr+I7TeNrr/foo4Kpk8=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0/go.mod h1:l38EPgmsp71HHLq9j7De57JcKOWPyhrsW1Awm1JS6K0=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0 h1:tfLQ34V6F7tVSwoTf/4lH5sE0o6eCJuNDTmH09nDpbc=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0/go.mod h1:9kIvujWAA58nmPmWB1m23fyWic1kYZMxD9CxaWn4Qpg=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0 h1:JZg6HRh6W6U4OLl6lk7BZ7BLisIzM9dG1R50zUk9C/M=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0/go.mod h1:YL1xnZ6QejvQHWJrX/AvhFl4WW4rqHVoKspWNVwFk0M=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0 h1:B/dfvscEQtew9dVuoxqxrUKKv8Ih2f55PydknDamU+g=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0/go.mod h1:fiPSssYvltE08HJchL04dOy+RD4hgrjph0cwGGMntdI=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.0 h1:+m0M/LFxN43KvULkDNfdXOgrjtg6UYJPFBJyuEcRCAw=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity/cache v0.3.0/go.mod h1:PwOyop78lveYMRs6oCxjiVyBdyCgIYH6XHIVZO9/SFQ=
 github.com/Azure/azure-sdk-for-go/sdk/containers/azcontainerregistry v0.2.2 h1:wBx10efdJcl8FSewgc41kAW4AvHPgmJZmN7fpNxn8rc=
 github.com/Azure/azure-sdk-for-go/sdk/containers/azcontainerregistry v0.2.2/go.mod h1:zzmu18cpAinSbhC86oWd47nmgbb91Fl+Yac2PE8NdYk=
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 h1:ywEEhmNahHBihViHepv3xPBn1663uRv2t2q/ESv9seY=
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0/go.mod h1:iZDifYGJTIgIIkYRNWPENUnqx6bJ2xnSDFI2tjwZNuY=
+github.com/Azure/azure-sdk-for-go/sdk/keyvault/azcertificates v0.9.0 h1:btEsytNrA4TG3edZnnUnzOz8W2MjOd6Bu3/7xyOXSOY=
+github.com/Azure/azure-sdk-for-go/sdk/keyvault/azcertificates v0.9.0/go.mod h1:5SlTxxL1U4LLipEr7pAbnu6Ck5y3aIEu4L/tVbGmpsY=
+github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0 h1:m/sWOGCREuSBqg2htVQTBY8nOZpyajYztF0vUvSZTuM=
+github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0/go.mod h1:Pu5Zksi2KrU7LPbZbNINx6fuVrUp/ffvpxdDj+i8LeE=
+github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets v0.12.0 h1:xnO4sFyG8UH2fElBkcqLTOZsAajvKfnSlgBBW8dXYjw=
+github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets v0.12.0/go.mod h1:XD3DIOOVgBCO03OleB1fHjgktVRFxlT++KwKgIOewdM=
+github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 h1:FbH3BbSb4bvGluTesZZ+ttN/MDsnMmQP36OSnDuSXqw=
+github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1/go.mod h1:9V2j0jn9jDEkCkv8w/bKTNppX/d0FVA1ud77xCIP4KA=
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.1.0 h1:DRiANoJTiW6obBQe3SqZizkuV1PEgfiiGivmVocDy64=
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.1.0/go.mod h1:qLIye2hwb/ZouqhpSD9Zn3SJipvpEnz1Ywl3VUk9Y0s=
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 h1:D3occbWoio4EBLkbkevetNMAVX197GkzbUMtqjGWn80=
@@ -49,16 +66,14 @@ github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSY
 github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k=
 github.com/Azure/go-autorest/autorest/mocks v0.4.2 h1:PGN4EDXnuQbojHbU0UWoNvmu9AGVwYHG9/fkDYhtAfw=
 github.com/Azure/go-autorest/autorest/mocks v0.4.2/go.mod h1:Vy7OitM9Kei0i1Oj+LvyAWMXJHeKH1MVlzFugfVrmyU=
-github.com/Azure/go-autorest/autorest/to v0.4.0 h1:oXVqrxakqqV1UZdSazDOPOLvOIz+XA683u8EctwboHk=
-github.com/Azure/go-autorest/autorest/to v0.4.0/go.mod h1:fE8iZBn7LQR7zH/9XU2NcPR4o9jEImooCeWJcYV/zLE=
-github.com/Azure/go-autorest/autorest/validation v0.3.1 h1:AgyqjAd94fwNAoTjl/WQXg4VvFeRFpO+UhNyRXqF1ac=
-github.com/Azure/go-autorest/autorest/validation v0.3.1/go.mod h1:yhLgjC0Wda5DYXl6JAsWyUe4KVNffhoDhG0zVzUMo3E=
 github.com/Azure/go-autorest/logger v0.2.1 h1:IG7i4p/mDa2Ce4TRyAO8IHnVhAVF3RFU+ZtXWSmf4Tg=
 github.com/Azure/go-autorest/logger v0.2.1/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8=
 github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo=
 github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
+github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1 h1:WJTmL004Abzc5wDB5VtZG2PJk5ndYDgVacGqfirKxjM=
+github.com/AzureAD/microsoft-authentication-extensions-for-go/cache v0.1.1/go.mod h1:tCcJZ0uHAmvjsVYzEFivsRTN00oz5BEsRgQHu5JZ9WE=
 github.com/AzureAD/microsoft-authentication-library-for-go v1.2.3 h1:6LyjnnaLpcOKK0fbYisI+mb8CE7iNe7i89nMNQxFxs8=
 github.com/AzureAD/microsoft-authentication-library-for-go v1.2.3/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
@@ -143,8 +158,9 @@ github.com/alibabacloud-go/tea-xml v1.1.3/go.mod h1:Rq08vgCcCAjHyRi/M7xlHKUykZCE
 github.com/aliyun/credentials-go v1.1.2/go.mod h1:ozcZaMR5kLM7pwtCMEpVmQ242suV6qTJya2bDq4X1Tw=
 github.com/aliyun/credentials-go v1.3.1/go.mod h1:8jKYhQuDawt8x2+fusqa1Y6mPxemTsBEN04dgcAcYz0=
 github.com/aliyun/credentials-go v1.3.6/go.mod h1:1LxUuX7L5YrZUWzBrRyk0SwSdH4OmPrib8NVePL3fxM=
-github.com/aliyun/credentials-go v1.3.10 h1:45Xxrae/evfzQL9V10zL3xX31eqgLWEaIdCoPipOEQA=
 github.com/aliyun/credentials-go v1.3.10/go.mod h1:Jm6d+xIgwJVLVWT561vy67ZRP4lPTQxMbEYRuT2Ti1U=
+github.com/aliyun/credentials-go v1.3.11 h1:8CjGRa0wAoNC0zGMar+PRushZkd1n4xdijpdV4vlCho=
+github.com/aliyun/credentials-go v1.3.11/go.mod h1:Jm6d+xIgwJVLVWT561vy67ZRP4lPTQxMbEYRuT2Ti1U=
 github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 h1:aM1rlcoLz8y5B2r4tTLMiVTrMtpfY0O8EScKJxaSaEc=
 github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092/go.mod h1:rYqSE9HbjzpHTI74vwPvae4ZVYZd1lue2ta6xHPdblA=
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
@@ -152,40 +168,40 @@ github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
-github.com/aws/aws-sdk-go v1.51.6 h1:Ld36dn9r7P9IjU8WZSaswQ8Y/XUCRpewim5980DwYiU=
-github.com/aws/aws-sdk-go v1.51.6/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
-github.com/aws/aws-sdk-go-v2 v1.32.4 h1:S13INUiTxgrPueTmrm5DZ+MiAo99zYzHEFh1UNkOxNE=
-github.com/aws/aws-sdk-go-v2 v1.32.4/go.mod h1:2SK5n0a2karNTv5tbP1SjsX0uhttou00v/HpXKM1ZUo=
-github.com/aws/aws-sdk-go-v2/config v1.27.43 h1:p33fDDihFC390dhhuv8nOmX419wjOSDQRb+USt20RrU=
-github.com/aws/aws-sdk-go-v2/config v1.27.43/go.mod h1:pYhbtvg1siOOg8h5an77rXle9tVG8T+BWLWAo7cOukc=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.44 h1:qqfs5kulLUHUEXlHEZXLJkgGoF3kkUeFUTVA585cFpU=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.44/go.mod h1:0Lm2YJ8etJdEdw23s+q/9wTpOeo2HhNE97XcRa7T8MA=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.19 h1:woXadbf0c7enQ2UGCi8gW/WuKmE0xIzxBF/eD94jMKQ=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.19/go.mod h1:zminj5ucw7w0r65bP6nhyOd3xL6veAUMc3ElGMoLVb4=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.23 h1:A2w6m6Tmr+BNXjDsr7M90zkWjsu4JXHwrzPg235STs4=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.23/go.mod h1:35EVp9wyeANdujZruvHiQUAo9E3vbhnIO1mTCAxMlY0=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.23 h1:pgYW9FCabt2M25MoHYCfMrVY2ghiiBKYWUVXfwZs+sU=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.23/go.mod h1:c48kLgzO19wAu3CPkDWC28JbaJ+hfQlsdl7I2+oqIbk=
+github.com/aws/aws-sdk-go v1.55.5 h1:KKUZBfBoyqy5d3swXyiC7Q76ic40rYcbqH7qjh59kzU=
+github.com/aws/aws-sdk-go v1.55.5/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
+github.com/aws/aws-sdk-go-v2 v1.32.6 h1:7BokKRgRPuGmKkFMhEg/jSul+tB9VvXhcViILtfG8b4=
+github.com/aws/aws-sdk-go-v2 v1.32.6/go.mod h1:P5WJBrYqqbWVaOxgH0X/FYYD47/nooaPOZPlQdmiN2U=
+github.com/aws/aws-sdk-go-v2/config v1.28.6 h1:D89IKtGrs/I3QXOLNTH93NJYtDhm8SYa9Q5CsPShmyo=
+github.com/aws/aws-sdk-go-v2/config v1.28.6/go.mod h1:GDzxJ5wyyFSCoLkS+UhGB0dArhb9mI+Co4dHtoTxbko=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.47 h1:48bA+3/fCdi2yAwVt+3COvmatZ6jUDNkDTIsqDiMUdw=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.47/go.mod h1:+KdckOejLW3Ks3b0E3b5rHsr2f9yuORBum0WPnE5o5w=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.21 h1:AmoU1pziydclFT/xRV+xXE/Vb8fttJCLRPv8oAkprc0=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.21/go.mod h1:AjUdLYe4Tgs6kpH4Bv7uMZo7pottoyHMn4eTcIcneaY=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.25 h1:s/fF4+yDQDoElYhfIVvSNyeCydfbuTKzhxSXDXCPasU=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.25/go.mod h1:IgPfDv5jqFIzQSNbUEMoitNooSMXjRSDkhXv8jiROvU=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.25 h1:ZntTCl5EsYnhN/IygQEUugpdwbhdkom9uHcbCftiGgA=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.25/go.mod h1:DBdPrgeocww+CSl1C8cEV8PN1mHMBhuCDLpXezyvWkE=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 h1:VaRN3TlFdd6KxX1x3ILT5ynH6HvKgqdiXoTxAF4HQcQ=
 github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc=
 github.com/aws/aws-sdk-go-v2/service/ecr v1.28.6 h1:CnQNpQv+WGl5aECyAXrJ4w+Qccz2aC/uXg2OjxiPl30=
 github.com/aws/aws-sdk-go-v2/service/ecr v1.28.6/go.mod h1:1FKdZMR/Tfx40IKjdLDRlFz/UKlff8CKQuC7mhlTAMM=
 github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.23.7 h1:dsmihXaPkhFuUTiL+ygm9RtUYEmhOeIl7DXNIHCoKDg=
 github.com/aws/aws-sdk-go-v2/service/ecrpublic v1.23.7/go.mod h1:g7If3uXj+mKcmIuxh08qh8I9ju6f/aOSWMyc6hEEi58=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.0 h1:TToQNkvGguu209puTojY/ozlqy2d/SFNcoLIqTFi42g=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.0/go.mod h1:0jp+ltwkf+SwG2fm/PKo8t4y8pJSgOCO4D8Lz3k0aHQ=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.4 h1:tHxQi/XHPK0ctd/wdOw0t7Xrc2OxcRCnVzv8lwWPu0c=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.4/go.mod h1:4GQbF1vJzG60poZqWatZlhP31y8PGCCVTvIGPdaaYJ0=
-github.com/aws/aws-sdk-go-v2/service/kms v1.31.3 h1:wLBgq6nDNYdd0A5CvscVAKV5SVlHKOHVPedpgtigATg=
-github.com/aws/aws-sdk-go-v2/service/kms v1.31.3/go.mod h1:8lETO9lelSG2B6KMXFh2OwPPqGV6WQM3RqLAEjP1xaU=
-github.com/aws/aws-sdk-go-v2/service/sso v1.24.5 h1:HJwZwRt2Z2Tdec+m+fPjvdmkq2s9Ra+VR0hjF7V2o40=
-github.com/aws/aws-sdk-go-v2/service/sso v1.24.5/go.mod h1:wrMCEwjFPms+V86TCQQeOxQF/If4vT44FGIOFiMC2ck=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.4 h1:zcx9LiGWZ6i6pjdcoE9oXAB6mUdeyC36Ia/QEiIvYdg=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.4/go.mod h1:Tp/ly1cTjRLGBBmNccFumbZ8oqpZlpdhFf80SrRh4is=
-github.com/aws/aws-sdk-go-v2/service/sts v1.32.4 h1:yDxvkz3/uOKfxnv8YhzOi9m+2OGIxF+on3KOISbK5IU=
-github.com/aws/aws-sdk-go-v2/service/sts v1.32.4/go.mod h1:9XEUty5v5UAsMiFOBJrNibZgwCeOma73jgGwwhgffa8=
-github.com/aws/smithy-go v1.22.0 h1:uunKnWlcoL3zO7q+gG2Pk53joueEOsnNB28QdMsmiMM=
-github.com/aws/smithy-go v1.22.0/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1 h1:iXtILhvDxB6kPvEXgsDhGaZCSC6LQET5ZHSdJozeI0Y=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1/go.mod h1:9nu0fVANtYiAePIBh2/pFUSwtJ402hLnp854CNoDOeE=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.6 h1:50+XsN70RS7dwJ2CkVNXzj7U2L1HKP8nqTd3XWEXBN4=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.6/go.mod h1:WqgLmwY7so32kG01zD8CPTJWVWM+TzJoOVHwTg4aPug=
+github.com/aws/aws-sdk-go-v2/service/kms v1.37.5 h1:5dQJ6Q5QrQOqZxXjSbRXukBqU8Pgu6Ro6Qqtyd8yiz4=
+github.com/aws/aws-sdk-go-v2/service/kms v1.37.5/go.mod h1:A9vfQcNHVBCE7ZZN6H+UUJpXtbH26Vv6L7Zhk5nIJAY=
+github.com/aws/aws-sdk-go-v2/service/sso v1.24.7 h1:rLnYAfXQ3YAccocshIH5mzNNwZBkBo+bP6EhIxak6Hw=
+github.com/aws/aws-sdk-go-v2/service/sso v1.24.7/go.mod h1:ZHtuQJ6t9A/+YDuxOLnbryAmITtr8UysSny3qcyvJTc=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.6 h1:JnhTZR3PiYDNKlXy50/pNeix9aGMo6lLpXwJ1mw8MD4=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.6/go.mod h1:URronUEGfXZN1VpdktPSD1EkAL9mfrV+2F4sjH38qOY=
+github.com/aws/aws-sdk-go-v2/service/sts v1.33.2 h1:s4074ZO1Hk8qv65GqNXqDjmkf4HSQqJukaLuuW0TpDA=
+github.com/aws/aws-sdk-go-v2/service/sts v1.33.2/go.mod h1:mVggCnIWoM09jP71Wh+ea7+5gAp53q+49wDFs1SW5z8=
+github.com/aws/smithy-go v1.22.1 h1:/HPHZQ0g7f4eUeK6HKglFz8uwVfZKgoI25rb/J+dnro=
+github.com/aws/smithy-go v1.22.1/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
 github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8 h1:SoFYaT9UyGkR0+nogNyD/Lj+bsixB+SNuAS4ABlEs6M=
 github.com/awslabs/amazon-ecr-credential-helper/ecr-login v0.0.0-20231024185945-8841054dbdb8/go.mod h1:2JF49jcDOrLStIXN/j/K1EKRq8a8R2qRnlZA6/o/c7c=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
@@ -203,8 +219,6 @@ github.com/buildkite/interpolate v0.0.0-20200526001904-07f35b4ae251/go.mod h1:gb
 github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
 github.com/bytecodealliance/wasmtime-go/v3 v3.0.2 h1:3uZCA/BLTIu+DqCfguByNMJa2HVHpXvjfy0Dy7g6fuA=
 github.com/bytecodealliance/wasmtime-go/v3 v3.0.2/go.mod h1:RnUjnIXxEJcL6BgCvNyzCCRzZcxCgsZCi+RNlvYor5Q=
-github.com/cenkalti/backoff/v3 v3.2.2 h1:cfUAAO3yvKMYKPrvhDuHSwQnhZNk/RMHKdZqKTxfm6M=
-github.com/cenkalti/backoff/v3 v3.2.2/go.mod h1:cIeZDE3IrqwwJl6VUwCN6trj1oXrTS4rc0ij+ULvLYs=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
@@ -256,6 +270,8 @@ github.com/dgraph-io/ristretto v0.1.1/go.mod h1:S1GPSBCYCIhmVNfcth17y2zZtQT6wzkz
 github.com/dgryski/go-farm v0.0.0-20190423205320-6a90982ecee2/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw=
 github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13 h1:fAjc9m62+UWV/WAFKLNi6ZS0675eEUC9y3AlwSbQu1Y=
 github.com/dgryski/go-farm v0.0.0-20200201041132-a6ae2369ad13/go.mod h1:SqUrOPUnsFjfmXRMNPybcSiG0BgUW2AuFH8PAnS2iTw=
+github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
+github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
 github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48 h1:fRzb/w+pyskVMQ+UbP35JkH8yB7MYb4q/qhBarqZE6g=
 github.com/dgryski/trifles v0.0.0-20200323201526-dd97f9abfb48/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA=
 github.com/digitorus/pkcs7 v0.0.0-20230713084857-e76b763bdc49/go.mod h1:SKVExuS+vpu2l9IoOc0RwqE7NYnb0JlcFHFnEJkVDzc=
@@ -366,8 +382,8 @@ github.com/golang-jwt/jwt/v4 v4.5.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w
 github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
 github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
-github.com/golang/glog v1.2.1 h1:OptwRhECazUx5ix5TTWC3EZhsZEHWcYWY4FQHTIubm4=
-github.com/golang/glog v1.2.1/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
+github.com/golang/glog v1.2.2 h1:1+mZ9upx1Dh6FmUTFR1naJ77miKiXgALjWOZ3NVFPmY=
+github.com/golang/glog v1.2.2/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
@@ -413,20 +429,20 @@ github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20231023181126-ff6d637d2a7b h1:RMpPgZTSApbPf7xaVel+QkoGPRLFLrwFO89uDUHEGf0=
-github.com/google/pprof v0.0.0-20231023181126-ff6d637d2a7b/go.mod h1:czg5+yv1E0ZGTi6S6vVK1mke0fV+FaUhNGcd6VRS9Ik=
-github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o=
-github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw=
+github.com/google/pprof v0.0.0-20240528025155-186aa0362fba h1:ql1qNgCyOB7iAEk8JTNM+zJrgIbnyCKX/wdlyPufP5g=
+github.com/google/pprof v0.0.0-20240528025155-186aa0362fba/go.mod h1:K1liHPHnj73Fdn/EKuT8nrFqBihUSKXoLYU0BuatOYo=
+github.com/google/s2a-go v0.1.8 h1:zZDs9gcbt9ZPLV0ndSyQk6Kacx2g/X+SKYovpnz3SMM=
+github.com/google/s2a-go v0.1.8/go.mod h1:6iNWHTpQ+nfNRN5E00MSdfDwVesa8hhS32PhPO8deJA=
 github.com/google/tink/go v1.7.0 h1:6Eox8zONGebBFcCBqkVmt60LaWZa6xg1cl/DwAh/J1w=
 github.com/google/tink/go v1.7.0/go.mod h1:GAUOd+QE3pgj9q8VKIGTCP33c/B7eb4NhxLcgTJZStM=
-github.com/google/trillian v1.6.0 h1:jMBeDBIkINFvS2n6oV5maDqfRlxREAc6CW9QYWQ0qT4=
-github.com/google/trillian v1.6.0/go.mod h1:Yu3nIMITzNhhMJEHjAtp6xKiu+H/iHu2Oq5FjV2mCWI=
+github.com/google/trillian v1.6.1 h1:jWU5BGz24GQ5IsHNr+qbmISLkt+73jLv8BOIPN8RtD4=
+github.com/google/trillian v1.6.1/go.mod h1:TvwtNkJViJgWZ5VmAMXDwsTjzPBHaPjQO85Kt37JPmM=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/googleapis/enterprise-certificate-proxy v0.3.2 h1:Vie5ybvEvT75RniqhfFxPRy3Bf7vr3h0cechB90XaQs=
-github.com/googleapis/enterprise-certificate-proxy v0.3.2/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0=
-github.com/googleapis/gax-go/v2 v2.12.3 h1:5/zPPDvw8Q1SuXjrqrZslrqT7dL/uJT2CQii/cLCKqA=
-github.com/googleapis/gax-go/v2 v2.12.3/go.mod h1:AKloxT6GtNbaLm8QTNSidHUVsHYcBHwWRvkNFJUQcS4=
+github.com/googleapis/enterprise-certificate-proxy v0.3.4 h1:XYIDZApgAnrN1c855gTgghdIA6Stxb52D5RnLI1SLyw=
+github.com/googleapis/enterprise-certificate-proxy v0.3.4/go.mod h1:YKe7cfqYXjKGpGvmSg28/fFvhNzinZQm8DGnaburhGA=
+github.com/googleapis/gax-go/v2 v2.14.0 h1:f+jMrjBPl+DL9nI4IQzLUxMq7XrAqFYB7hBPqMNIe8o=
+github.com/googleapis/gax-go/v2 v2.14.0/go.mod h1:lhBCnjdLrWRaPvLWhmc8IS24m9mr07qSYnHncrgo+zk=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gopherjs/gopherjs v0.0.0-20200217142428-fce0ec30dd00/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
 github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
@@ -459,8 +475,8 @@ github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/C
 github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/hcl v1.0.1-vault-5 h1:kI3hhbbyzr4dldA8UdTb7ZlVVlI2DACdCfz31RPDgJM=
 github.com/hashicorp/hcl v1.0.1-vault-5/go.mod h1:XYhtn6ijBSAj6n4YqAaf7RBPS4I06AItNorpy+MoQNM=
-github.com/hashicorp/vault/api v1.12.2 h1:7YkCTE5Ni90TcmYHDBExdt4WGJxhpzaHqR6uGbQb/rE=
-github.com/hashicorp/vault/api v1.12.2/go.mod h1:LSGf1NGT1BnvFFnKVtnvcaLBM2Lz+gJdpL6HUYed8KE=
+github.com/hashicorp/vault/api v1.15.0 h1:O24FYQCWwhwKnF7CuSqP30S51rTV7vz1iACXE/pj5DA=
+github.com/hashicorp/vault/api v1.15.0/go.mod h1:+5YTO09JGn0u+b6ySD/LLVf8WkJCPLAL2Vkmrn2+CM8=
 github.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef h1:A9HsByNhogrvm9cWb28sjiS3i7tcKCkflWFEkHfuAgM=
 github.com/howeyc/gopass v0.0.0-20210920133722-c8aef6fb66ef/go.mod h1:lADxMC39cJJqL93Duh1xhAs4I2Zs8mKS89XWXFGp9cs=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
@@ -485,11 +501,11 @@ github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZ
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
 github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267 h1:TMtDYDHKYY15rFihtRfck/bfFqNfvcabqvXAFQfAUpY=
 github.com/jedisct1/go-minisign v0.0.0-20230811132847-661be99b8267/go.mod h1:h1nSAbGFqGVzn6Jyl1R/iCcBUHN4g+gW1u9CoBTrb9E=
-github.com/jellydator/ttlcache/v3 v3.2.0 h1:6lqVJ8X3ZaUwvzENqPAobDsXNExfUJd61u++uW8a3LE=
-github.com/jellydator/ttlcache/v3 v3.2.0/go.mod h1:hi7MGFdMAwZna5n2tuvh63DvFLzVKySzCVW6+0gA2n4=
+github.com/jellydator/ttlcache/v3 v3.3.0 h1:BdoC9cE81qXfrxeb9eoJi9dWrdhSuwXMAnHTbnBm4Wc=
+github.com/jellydator/ttlcache/v3 v3.3.0/go.mod h1:bj2/e0l4jRnQdrnSTaGTsh4GSXvMjQcy41i7th0GVGw=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
-github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
-github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
+github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24 h1:liMMTbpW34dhU4az1GN0pTPADwNmvoRSeoZ6PItiqnY=
+github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/jmhodges/clock v1.2.0 h1:eq4kys+NI0PLngzaHEe7AmPT90XMGIEySD1JfV1PDIs=
@@ -500,6 +516,8 @@ github.com/json-iterator/go v1.1.10/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
+github.com/keybase/go-keychain v0.0.0-20231219164618-57a3676c3af6 h1:IsMZxCuZqKuao2vNdfD82fjjgPLfyHLpR41Z88viRWs=
+github.com/keybase/go-keychain v0.0.0-20231219164618-57a3676c3af6/go.mod h1:3VeWNIJaW+O5xpRQbPp0Ybqu1vJd/pm7s2F473HRrkw=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA=
@@ -546,14 +564,14 @@ github.com/mozillazg/docker-credential-acr-helper v0.3.0/go.mod h1:cZlu3tof523uj
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
-github.com/notaryproject/notation-core-go v1.2.0-rc.1 h1:VMFlG+9a1JoNAQ3M96g8iqCq0cDRtE7XBaiTD8Ouvqw=
-github.com/notaryproject/notation-core-go v1.2.0-rc.1/go.mod h1:b/70rA4OgOHlg0A7pb8zTWKJadFO6781zS3a37KHEJQ=
-github.com/notaryproject/notation-go v1.3.0-rc.1 h1:pm9tdUy2tWYqlwyRDZyKXgLwAscDATPUYv0ul2RK/Iw=
-github.com/notaryproject/notation-go v1.3.0-rc.1/go.mod h1:W4o45yolX4Q+3PKlcpGleLLXEKWHa3BshEqw/JX5c6I=
+github.com/notaryproject/notation-core-go v1.2.0-rc.2 h1:0jOItalNwBNUhyuc5PPHQxO3jIZ5xRYq+IvRMQXNbuE=
+github.com/notaryproject/notation-core-go v1.2.0-rc.2/go.mod h1:7aIcavfywFvBQoYyfVFJB501kt7Etqyubrt5mhJBG2c=
+github.com/notaryproject/notation-go v1.3.0-rc.2 h1:uugL3kruAAWPMFoOhjcoPAhUnIqMF1pcc8nIlqOKpeU=
+github.com/notaryproject/notation-go v1.3.0-rc.2/go.mod h1:l7C6xVLPy5cBb+6MpsM9iLyFrVYxgS6+QjBdrl/KSY8=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0 h1:6Qzr7DGXoCgXEQN+1gTZWuJAZvxh3p8Lryjn5FaLzi4=
 github.com/notaryproject/notation-plugin-framework-go v1.0.0/go.mod h1:RqWSrTOtEASCrGOEffq0n8pSg2KOgKYiWqFWczRSics=
-github.com/notaryproject/tspclient-go v0.2.0 h1:g/KpQGmyk/h7j60irIRG1mfWnibNOzJ8WhLqAzuiQAQ=
-github.com/notaryproject/tspclient-go v0.2.0/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
+github.com/notaryproject/tspclient-go v1.0.0-rc.1 h1:KcHxlqg6Adt4kzGLw012i0YMLlwGwToiR129c6IQ7Ys=
+github.com/notaryproject/tspclient-go v1.0.0-rc.1/go.mod h1:LGyA/6Kwd2FlM0uk8Vc5il3j0CddbWSHBj/4kxQDbjs=
 github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481 h1:Up6+btDp321ZG5/zdSLo48H9Iaq0UQGthrhWC6pCxzE=
 github.com/nozzle/throttler v0.0.0-20180817012639-2ea982251481/go.mod h1:yKZQO8QE2bHlgozqWDiRVqTFlLQSj30K/6SAK8EeYFw=
 github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
@@ -595,8 +613,8 @@ github.com/owenrumney/go-sarif/v2 v2.3.3 h1:ubWDJcF5i3L/EIOER+ZyQ03IfplbSU1BLOE2
 github.com/owenrumney/go-sarif/v2 v2.3.3/go.mod h1:MSqMMx9WqlBSY7pXoOZWgEsVB4FDNfhcaXDA1j6Sr+w=
 github.com/pborman/uuid v1.2.1 h1:+ZZIw58t/ozdjRaXh/3awHfmWRbzYxJoAdNJxe/3pvw=
 github.com/pborman/uuid v1.2.1/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
-github.com/pelletier/go-toml/v2 v2.1.0 h1:FnwAJ4oYMvbT/34k9zzHuZNrhlz48GB3/s6at6/MHO4=
-github.com/pelletier/go-toml/v2 v2.1.0/go.mod h1:tJU2Z3ZkXwnxa4DPO899bsyIoywizdUvyaeZurnPPDc=
+github.com/pelletier/go-toml/v2 v2.2.2 h1:aYUidT7k73Pcl9nb2gScu7NSrKCSHIDE89b3+6Wq+LM=
+github.com/pelletier/go-toml/v2 v2.2.2/go.mod h1:1t835xjRzz80PqgE6HHgN2JOsmgYu/h4qDAS4n929Rs=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -618,6 +636,8 @@ github.com/protocolbuffers/txtpbfmt v0.0.0-20231025115547-084445ff1adf h1:014O62
 github.com/protocolbuffers/txtpbfmt v0.0.0-20231025115547-084445ff1adf/go.mod h1:jgxiZysxFPM+iWKwQwPR+y+Jvo54ARd4EisXxKYpB5c=
 github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475 h1:N/ElC8H3+5XpJzTSTfLsJV/mx9Q9g7kxmchpfZyxgzM=
 github.com/rcrowley/go-metrics v0.0.0-20201227073835-cf1acfcdf475/go.mod h1:bCqnVzQkZxMG4s8nGwiZ5l3QUCyqpo9Y+/ZMZ9VjZe4=
+github.com/redis/go-redis/v9 v9.7.0 h1:HhLSs+B6O021gwzl+locl0zEDnyNkxMtf/Z3NNBMa9E=
+github.com/redis/go-redis/v9 v9.7.0/go.mod h1:f6zhXITC7JUJIlPEiBOTXxJgPLdZcA93GewI7inzyWw=
 github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
 github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
@@ -641,18 +661,18 @@ github.com/sigstore/cosign/v2 v2.2.4 h1:iY4vtEacmu2hkNj1Fh+8EBqBwKs2DHM27/lbNWDF
 github.com/sigstore/cosign/v2 v2.2.4/go.mod h1:JZlRD2uaEjVAvZ1XJ3QkkZJhTqSDVtLaet+C/TMR81Y=
 github.com/sigstore/fulcio v1.4.5 h1:WWNnrOknD0DbruuZWCbN+86WRROpEl3Xts+WT2Ek1yc=
 github.com/sigstore/fulcio v1.4.5/go.mod h1:oz3Qwlma8dWcSS/IENR/6SjbW4ipN0cxpRVfgdsjMU8=
-github.com/sigstore/rekor v1.3.6 h1:QvpMMJVWAp69a3CHzdrLelqEqpTM3ByQRt5B5Kspbi8=
-github.com/sigstore/rekor v1.3.6/go.mod h1:JDTSNNMdQ/PxdsS49DJkJ+pRJCO/83nbR5p3aZQteXc=
-github.com/sigstore/sigstore v1.8.10 h1:r4t+TYzJlG9JdFxMy+um9GZhZ2N1hBTyTex0AHEZxFs=
-github.com/sigstore/sigstore v1.8.10/go.mod h1:BekjqxS5ZtHNJC4u3Q3Stvfx2eyisbW/lUZzmPU2u4A=
-github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.3 h1:LTfPadUAo+PDRUbbdqbeSl2OuoFQwUFTnJ4stu+nwWw=
-github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.3/go.mod h1:QV/Lxlxm0POyhfyBtIbTWxNeF18clMlkkyL9mu45y18=
-github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.3 h1:xgbPRCr2npmmsuVVteJqi/ERw9+I13Wou7kq0Yk4D8g=
-github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.3/go.mod h1:G4+I83FILPX6MtnoaUdmv/bRGEVtR3JdLeJa/kXdk/0=
-github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.3 h1:vDl2fqPT0h3D/k6NZPlqnKFd1tz3335wm39qjvpZNJc=
-github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.3/go.mod h1:9uOJXbXEXj+M6QjMKH5PaL5WDMu43rHfbIMgXzA8eKI=
-github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.3 h1:h9G8j+Ds21zqqulDbA/R/ft64oQQIyp8S7wJYABYSlg=
-github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.3/go.mod h1:zgCeHOuqF6k7A7TTEvftcA9V3FRzB7mrPtHOhXAQBnc=
+github.com/sigstore/rekor v1.3.7 h1:Z5UW5TmqbTZnyOFkMRfi32q/CWcxK6VuzIkx+33mbq8=
+github.com/sigstore/rekor v1.3.7/go.mod h1:TihqJscZ6L6398x68EHY82t0AOnGYfrQ0siXe3WgbR4=
+github.com/sigstore/sigstore v1.8.11 h1:tEqeQqbT+awtM87ec9KEeSUxT/AFvJNawneYJyAkFrQ=
+github.com/sigstore/sigstore v1.8.11/go.mod h1:fdrFQosxCQ4wTL5H1NrZcQkqQ72AQbPjtpcL2QOGKV0=
+github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.10 h1:e5GfVngPjGap/N3ODefayt7vKIPS1/v3hWLZ9+4MrN4=
+github.com/sigstore/sigstore/pkg/signature/kms/aws v1.8.10/go.mod h1:HOr3AdFPKdND2FNl/sUD5ZifPl1OMJvrbf9xIaaWcus=
+github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.10 h1:9tZEpfIL/ewAG9G87AHe3aVoy8Ujos2F1qLfCckX6jQ=
+github.com/sigstore/sigstore/pkg/signature/kms/azure v1.8.10/go.mod h1:VnIAcitund62R45ezK/dtUeEhuRtB3LsAgJ8m0H34zc=
+github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.10 h1:Xre51HdjIIaVo5ox5zyL+6h0tkrx7Ke9Neh7fLmmZK0=
+github.com/sigstore/sigstore/pkg/signature/kms/gcp v1.8.10/go.mod h1:VNfdklQDbyGJog8S7apdxiEfmYmCkKyxrsCL9xprkTY=
+github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.10 h1:HjfjL3x3dP2kaGqQHVog974cTcKfzFaGjfZyLQ9KXrg=
+github.com/sigstore/sigstore/pkg/signature/kms/hashivault v1.8.10/go.mod h1:jaeEjkTW1p3gUyPjz9lTcT4TydCs208FoyAwIs6bIT4=
 github.com/sigstore/timestamp-authority v1.2.2 h1:X4qyutnCQqJ0apMewFyx+3t7Tws00JQ/JonBiu3QvLE=
 github.com/sigstore/timestamp-authority v1.2.2/go.mod h1:nEah4Eq4wpliDjlY342rXclGSO7Kb9hoRrl9tqLW13A=
 github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
@@ -672,15 +692,15 @@ github.com/spdx/tools-golang v0.5.5 h1:61c0KLfAcNqAjlg6UNMdkwpMernhw3zVRwDZ2x9XO
 github.com/spdx/tools-golang v0.5.5/go.mod h1:MVIsXx8ZZzaRWNQpUDhC4Dud34edUYJYecciXgrw5vE=
 github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8=
 github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY=
-github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0=
-github.com/spf13/cast v1.6.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
+github.com/spf13/cast v1.7.0 h1:ntdiHjuueXFgm5nzDRdOS4yfT43P5Fnud6DH50rz/7w=
+github.com/spf13/cast v1.7.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
 github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
 github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
 github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/spf13/viper v1.18.2 h1:LUXCnvUvSM6FXAsj6nnfc8Q2tp1dIgUfY9Kc8GsSOiQ=
-github.com/spf13/viper v1.18.2/go.mod h1:EKmWIqdnk5lOcmR72yw6hS+8OPYcwD0jteitLMVB+yk=
+github.com/spf13/viper v1.19.0 h1:RWq5SEjt8o25SROyN3z2OrDB9l7RPd3lwTWU8EcEdcI=
+github.com/spf13/viper v1.19.0/go.mod h1:GQUN9bilAbhU/jgc1bKs99f/suXKeUMct8Adx5+Ntkg=
 github.com/spiffe/go-spiffe/v2 v2.2.0 h1:9Vf06UsvsDbLYK/zJ4sYsIsHmMFknUD+feA7IYoWMQY=
 github.com/spiffe/go-spiffe/v2 v2.2.0/go.mod h1:Urzb779b3+IwDJD2ZbN8fVl3Aa8G4N/PiUe6iXC0XxU=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -721,8 +741,8 @@ github.com/transparency-dev/merkle v0.0.2 h1:Q9nBoQcZcgPamMkGn7ghV8XiTZ/kRxn1yCG
 github.com/transparency-dev/merkle v0.0.2/go.mod h1:pqSy+OXefQ1EDUVmAJ8MUhHB9TXGuzVAT58PqBoHz1A=
 github.com/vbatts/tar-split v0.11.5 h1:3bHCTIheBm1qFTcgh9oPu+nNBtX+XJIupG/vacinCts=
 github.com/vbatts/tar-split v0.11.5/go.mod h1:yZbwRsSeGjusneWgA781EKej9HF8vme8okylkAeNKLk=
-github.com/veraison/go-cose v1.2.1 h1:Gj4x20D0YP79J2+cK3anjGEMwIkg2xX+TKVVGUXwNAc=
-github.com/veraison/go-cose v1.2.1/go.mod h1:t6V8WJzHm1PD5HNsuDjW3KLv577uWb6UTzbZGvdQHD8=
+github.com/veraison/go-cose v1.3.0 h1:2/H5w8kdSpQJyVtIhx8gmwPJ2uSz1PkyWFx0idbd7rk=
+github.com/veraison/go-cose v1.3.0/go.mod h1:df09OV91aHoQWLmy1KsDdYiagtXgyAwAl8vFeFn1gMc=
 github.com/vmihailenco/msgpack/v4 v4.3.12/go.mod h1:gborTTJjAo/GWTqqRjrLCn9pgNN+NXzzngzBKDPIqw4=
 github.com/vmihailenco/tagparser v0.1.1/go.mod h1:OeAg3pn3UbLjkWt+rN9oFYB6u/cQgqMEUPoW2WPyhdI=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
@@ -763,30 +783,30 @@ go.mongodb.org/mongo-driver v1.14.0 h1:P98w8egYRjYe3XDjxhYJagTokP/H6HzlsnojRgZRd
 go.mongodb.org/mongo-driver v1.14.0/go.mod h1:Vzb0Mk/pa7e6cWw85R4F/endUC3u0U9jGcNU603k65c=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.52.0 h1:vS1Ao/R55RNV4O7TA2Qopok8yN+X0LIP6RVWLFkprck=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.52.0/go.mod h1:BMsdeOxN04K0L5FNUBfjFdvwWGNe/rkmSwH4Aelu/X0=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg=
-go.opentelemetry.io/otel v1.28.0 h1:/SqNcYk+idO0CxKEUOtKQClMK/MimZihKYMruSMViUo=
-go.opentelemetry.io/otel v1.28.0/go.mod h1:q68ijF8Fc8CnMHKyzqL6akLO46ePnjkgfIMIjUIX9z4=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.54.0 h1:r6I7RJCN86bpD/FQwedZ0vSixDpwuWREjW9oRMsmqDc=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.54.0/go.mod h1:B9yO6b04uB80CzjedvewuqDhxJxi11s7/GtiGa8bAjI=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 h1:TT4fX+nBOA/+LUkobKGW1ydGcn+G3vRw9+g5HwCphpk=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0/go.mod h1:L7UH0GbB0p47T4Rri3uHjbpCFYrVrwc1I25QhNPiGK8=
+go.opentelemetry.io/otel v1.29.0 h1:PdomN/Al4q/lN6iBJEN3AwPvUiHPMlt93c8bqTG5Llw=
+go.opentelemetry.io/otel v1.29.0/go.mod h1:N/WtXPs1CNCUEx+Agz5uouwCba+i+bJGFicT8SR4NP8=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 h1:3Q/xZUyC1BBkualc9ROb4G8qkH90LXEIICcs5zv1OYY=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0/go.mod h1:s75jGIWA9OfCMzF0xr+ZgfrB5FEbbV7UuYo32ahUiFI=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0 h1:R3X6ZXmNPRR8ul6i3WgFURCHzaXjHdm0karRG/+dj3s=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0/go.mod h1:QWFXnDavXWwMx2EEcZsf3yxgEKAqsxQ+Syjp+seyInw=
 go.opentelemetry.io/otel/exporters/prometheus v0.49.0 h1:Er5I1g/YhfYv9Affk9nJLfH/+qCCVVg1f2R9AbJfqDQ=
 go.opentelemetry.io/otel/exporters/prometheus v0.49.0/go.mod h1:KfQ1wpjf3zsHjzP149P4LyAwWRupc6c7t1ZJ9eXpKQM=
-go.opentelemetry.io/otel/metric v1.28.0 h1:f0HGvSl1KRAU1DLgLGFjrwVyismPlnuU6JD6bOeuA5Q=
-go.opentelemetry.io/otel/metric v1.28.0/go.mod h1:Fb1eVBFZmLVTMb6PPohq3TO9IIhUisDsbJoL/+uQW4s=
+go.opentelemetry.io/otel/metric v1.29.0 h1:vPf/HFWTNkPu1aYeIsc98l4ktOQaL6LeSoeV2g+8YLc=
+go.opentelemetry.io/otel/metric v1.29.0/go.mod h1:auu/QWieFVWx+DmQOUMgj0F8LHWdgalxXqvp7BII/W8=
 go.opentelemetry.io/otel/sdk v1.28.0 h1:b9d7hIry8yZsgtbmM0DKyPWMMUMlK9NEKuIG4aBqWyE=
 go.opentelemetry.io/otel/sdk v1.28.0/go.mod h1:oYj7ClPUA7Iw3m+r7GeEjz0qckQRJK2B8zjcZEfu7Pg=
 go.opentelemetry.io/otel/sdk/metric v1.27.0 h1:5uGNOlpXi+Hbo/DRoI31BSb1v+OGcpv2NemcCrOL8gI=
 go.opentelemetry.io/otel/sdk/metric v1.27.0/go.mod h1:we7jJVrYN2kh3mVBlswtPU22K0SA+769l93J6bsyvqw=
-go.opentelemetry.io/otel/trace v1.28.0 h1:GhQ9cUuQGmNDd5BTCP2dAvv75RdMxEfTmYejp+lkx9g=
-go.opentelemetry.io/otel/trace v1.28.0/go.mod h1:jPyXzNPg6da9+38HEwElrQiHlVMTnVfM3/yv2OlIHaI=
+go.opentelemetry.io/otel/trace v1.29.0 h1:J/8ZNK4XgR7a21DZUAsbF8pZ5Jcw1VhACmnYt39JTi4=
+go.opentelemetry.io/otel/trace v1.29.0/go.mod h1:eHl3w0sp3paPkYstJOmAimxhiFXPg+MMTlEh3nsQgWQ=
 go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0=
 go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8=
-go.step.sm/crypto v0.44.2 h1:t3p3uQ7raP2jp2ha9P6xkQF85TJZh+87xmjSLaib+jk=
-go.step.sm/crypto v0.44.2/go.mod h1:x1439EnFhadzhkuaGX7sz03LEMQ+jV4gRamf5LCZJQQ=
+go.step.sm/crypto v0.54.2 h1:3LSA5nYDQvcd484OSx7xsS3XDqQ7/WZjVqvq0+a0fWc=
+go.step.sm/crypto v0.54.2/go.mod h1:1+OjUozd5aA3TkBJfr5Aobd6vNt9F70n1DagcoBh3Pc=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
@@ -813,11 +833,11 @@ golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq
 golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
-golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw=
-golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U=
+golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3 h1:hNQpMuAJe5CtcUqCXaWga3FHu+kQvCqcsoVaQgSV60o=
-golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3/go.mod h1:idGWGoKP1toJGkd5/ig9ZLuPcZBC3ewk7SzmH0uou08=
+golang.org/x/exp v0.0.0-20240325151524-a685a6edb6d8 h1:aAcj0Da7eBAtrTp03QXWvm88pSyOt+UgdZw2BFZ+lEw=
+golang.org/x/exp v0.0.0-20240325151524-a685a6edb6d8/go.mod h1:CQ1k9gNrJ50XIzaKCRR2hssIjF07kZFEiieALBM/ARQ=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
@@ -825,8 +845,8 @@ golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0=
-golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
+golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4=
+golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -859,11 +879,11 @@ golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
-golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo=
-golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0=
+golang.org/x/net v0.31.0 h1:68CPQngjLL0r2AlUKiSxtQFKvzRVbnzLwMUn5SzcLHo=
+golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
-golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.24.0 h1:KTBBxWqUa0ykRPLtV69rRto9TLXcqYkeswu48x/gvNE=
+golang.org/x/oauth2 v0.24.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -872,8 +892,8 @@ golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
-golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -909,8 +929,8 @@ golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
-golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
@@ -923,8 +943,8 @@ golang.org/x/term v0.15.0/go.mod h1:BDl952bC7+uMoWR75FIrCDx79TPU9oHkTZ9yRbYOrX0=
 golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
-golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24=
-golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M=
+golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
+golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -938,10 +958,10 @@ golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.10.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM=
-golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
-golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U=
-golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
+golang.org/x/time v0.8.0 h1:9i3RxcPv3PZnitoVGMPDKZSq1xW1gK1Xy3ArNOGZfEg=
+golang.org/x/time v0.8.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
@@ -965,25 +985,25 @@ golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
 gomodules.xyz/jsonpatch/v2 v2.3.0 h1:8NFhfS6gzxNqjLIYnZxg319wZ5Qjnx4m/CcX+Klzazc=
 gomodules.xyz/jsonpatch/v2 v2.3.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
-google.golang.org/api v0.172.0 h1:/1OcMZGPmW1rX2LCu2CmGUD1KXK1+pfzxotxyRUCCdk=
-google.golang.org/api v0.172.0/go.mod h1:+fJZq6QXWfa9pXhnIzsjx4yI22d4aI9ZpLb58gvXjis=
+google.golang.org/api v0.206.0 h1:A27GClesCSheW5P2BymVHjpEeQ2XHH8DI8Srs2HI2L8=
+google.golang.org/api v0.206.0/go.mod h1:BtB8bfjTYIrai3d8UyvPmV9REGgox7coh+ZRwm0b+W8=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
-google.golang.org/genproto v0.0.0-20240311173647-c811ad7063a7 h1:ImUcDPHjTrAqNhlOkSocDLfG9rrNHH7w7uoKWPaWZ8s=
-google.golang.org/genproto v0.0.0-20240311173647-c811ad7063a7/go.mod h1:/3XmxOjePkvmKrHuBy4zNFw7IzxJXtAgdpXi8Ll990U=
-google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094 h1:0+ozOGcrp+Y8Aq8TLNN2Aliibms5LEzsq99ZZmAGYm0=
-google.golang.org/genproto/googleapis/api v0.0.0-20240701130421-f6361c86f094/go.mod h1:fJ/e3If/Q67Mj99hin0hMhiNyCRmt6BQ2aWIJshUSJw=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094 h1:BwIjyKYGsK9dMCBOorzRri8MQwmi7mT9rGHsCEinZkA=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240701130421-f6361c86f094/go.mod h1:Ue6ibwXGpU+dqIcODieyLOcgj7z8+IcskoNIgZxtrFY=
+google.golang.org/genproto v0.0.0-20241104194629-dd2ea8efbc28 h1:KJjNNclfpIkVqrZlTWcgOOaVQ00LdBnoEaRfkUx760s=
+google.golang.org/genproto v0.0.0-20241104194629-dd2ea8efbc28/go.mod h1:mt9/MofW7AWQ+Gy179ChOnvmJatV8YHUmrcedo9CIFI=
+google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28 h1:M0KvPgPmDZHPlbRbaNU1APr28TvwvvdUPlSv7PUvy8g=
+google.golang.org/genproto/googleapis/api v0.0.0-20241104194629-dd2ea8efbc28/go.mod h1:dguCy7UOdZhTvLzDyt15+rOrawrpM4q7DD9dQ1P11P4=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28 h1:XVhgTWWV3kGQlwJHR3upFWZeTsei6Oks1apkZSeonIE=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241104194629-dd2ea8efbc28/go.mod h1:GX3210XPVPUjJbTUbvwI8f2IpZDMZuPJWDzDuebbviI=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
 google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak=
-google.golang.org/grpc v1.66.3 h1:TWlsh8Mv0QI/1sIbs1W36lqRclxrmF+eFJ4DbI0fuhA=
-google.golang.org/grpc v1.66.3/go.mod h1:s3/l6xSSCURdVfAnL+TqCNMyTDAGN6+lZeVxnZR128Y=
+google.golang.org/grpc v1.68.1 h1:oI5oTa11+ng8r8XMMN7jAOmWfPZWbYpCFaMUTACxkM0=
+google.golang.org/grpc v1.68.1/go.mod h1:+q1XYFJjShcqn0QZHvCyeR4CXPA+llXIeUIfIe00waw=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -992,8 +1012,8 @@ google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzi
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
-google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
+google.golang.org/protobuf v1.35.2 h1:8Ar7bF+apOIoThw1EdZl0p1oWvMqTHmpA2fRTyZO8io=
+google.golang.org/protobuf v1.35.2/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -1030,22 +1050,22 @@ k8s.io/client-go v0.28.15 h1:+g6Ub+i6tacV3tYJaoyK6bizpinPkamcEwsiKyHcIxc=
 k8s.io/client-go v0.28.15/go.mod h1:/4upIpTbhWQVSXKDqTznjcAegj2Bx73mW/i0aennJrY=
 k8s.io/component-base v0.27.7 h1:kngM58HR9W9Nqpv7e4rpdRyWnKl/ABpUhLAZ+HoliMs=
 k8s.io/component-base v0.27.7/go.mod h1:YGjlCVL1oeKvG3HSciyPHFh+LCjIEqsxz4BDR3cfHRs=
-k8s.io/klog/v2 v2.120.1 h1:QXU6cPEOIslTGvZaXvFWiP9VKyeet3sawzTOvdXb4Vw=
-k8s.io/klog/v2 v2.120.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
+k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
+k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kube-aggregator v0.27.2 h1:jfHoPip+qN/fn3OcrYs8/xMuVYvkJHKo0H0DYciqdns=
 k8s.io/kube-aggregator v0.27.2/go.mod h1:mwrTt4ESjQ7A6847biwohgZWn8P/KzSFHegEScbSGY4=
 k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780=
 k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA=
-k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI=
-k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0 h1:jgGTlFYnhF1PM1Ax/lAlxUPE+KfCIXHaathvJg1C3ak=
+k8s.io/utils v0.0.0-20240502163921-fe8a2dddb1d0/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 oras.land/oras-go/v2 v2.5.0 h1:o8Me9kLY74Vp5uw07QXPiitjsw7qNXi8Twd+19Zf02c=
 oras.land/oras-go/v2 v2.5.0/go.mod h1:z4eisnLP530vwIOUOJeBIj0aGI0L1C3d53atvCBqZHg=
 sigs.k8s.io/controller-runtime v0.15.3 h1:L+t5heIaI3zeejoIyyvLQs5vTVu/67IU2FfisVzFlBc=
 sigs.k8s.io/controller-runtime v0.15.3/go.mod h1:kp4jckA4vTx281S/0Yk2LFEEQe67mjg+ev/yknv47Ds=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
-sigs.k8s.io/release-utils v0.7.7 h1:JKDOvhCk6zW8ipEOkpTGDH/mW3TI+XqtPp16aaQ79FU=
-sigs.k8s.io/release-utils v0.7.7/go.mod h1:iU7DGVNi3umZJ8q6aHyUFzsDUIaYwNnNKGHo3YE5E3s=
+sigs.k8s.io/release-utils v0.8.5 h1:FUtFqEAN621gSXv0L7kHyWruBeS7TUU9aWf76olX7uQ=
+sigs.k8s.io/release-utils v0.8.5/go.mod h1:qsm5bdxdgoHkD8HsXpgme2/c3mdsNaiV53Sz2HmKeJA=
 sigs.k8s.io/structured-merge-diff/v4 v4.3.0 h1:UZbZAZfX0wV2zr7YZorDz6GXROfDFj6LvqCRm4VUVKk=
 sigs.k8s.io/structured-merge-diff/v4 v4.3.0/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
 sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
diff --git a/helmfile.yaml b/helmfile.yaml
index 6e142d469b..88e536d8d4 100644
--- a/helmfile.yaml
+++ b/helmfile.yaml
@@ -9,7 +9,7 @@ releases:
     namespace: gatekeeper-system
     createNamespace: true
     chart: gatekeeper/gatekeeper
-    version: 3.17.0
+    version: 3.18.0
     wait: true
     set:
       - name: enableExternalData
diff --git a/high-availability.helmfile.yaml b/high-availability.helmfile.yaml
index e43ff3d0c4..311cd3e3dd 100644
--- a/high-availability.helmfile.yaml
+++ b/high-availability.helmfile.yaml
@@ -13,13 +13,13 @@ releases:
     namespace: dapr-system
     createNamespace: true
     chart: dapr/dapr
-    version: 1.13.2
+    version: 1.14.4
     wait: true
   - name: gatekeeper
     namespace: gatekeeper-system
     createNamespace: true
     chart: gatekeeper/gatekeeper
-    version: 3.17.0
+    version: 3.18.0
     wait: true
     set:
       - name: enableExternalData
diff --git a/httpserver/Dockerfile b/httpserver/Dockerfile
index 87cdeacec1..c02233f82d 100644
--- a/httpserver/Dockerfile
+++ b/httpserver/Dockerfile
@@ -11,7 +11,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM --platform=$BUILDPLATFORM golang:1.22@sha256:4cfe4a9a7ff5817f93e70bcc016ea269401290ec9bd9509b4f0a2dd553640944 as builder
+FROM --platform=$BUILDPLATFORM golang:1.23@sha256:574185e5c6b9d09873f455a7c205ea0514bfd99738c5dc7750196403a44ed4b7 as builder
 
 ARG TARGETPLATFORM
 ARG TARGETOS
@@ -41,7 +41,7 @@ RUN if [ "$build_licensechecker" = "true" ]; then go build -o /app/out/plugins/
 RUN if [ "$build_schemavalidator" = "true" ]; then go build -o /app/out/plugins/ /app/plugins/verifier/schemavalidator; fi
 RUN if [ "$build_vulnerabilityreport" = "true" ]; then go build -o /app/out/plugins/ /app/plugins/verifier/vulnerabilityreport; fi
 
-FROM gcr.io/distroless/static:nonroot@sha256:3a03fc0826340c7deb82d4755ca391bef5adcedb8892e58412e1a6008199fa91
+FROM gcr.io/distroless/static:nonroot@sha256:6cd937e9155bdfd805d1b94e037f9d6a899603306030936a3b11680af0c2ed58
 LABEL org.opencontainers.image.source https://github.com/ratify-project/ratify
 
 ARG RATIFY_FOLDER=$HOME/.ratify/
diff --git a/httpserver/server.go b/httpserver/server.go
index 782e3c83d4..10fcb87ee8 100644
--- a/httpserver/server.go
+++ b/httpserver/server.go
@@ -140,7 +140,9 @@ func (server *Server) Run(certRotatorReady chan struct{}) error {
 	}
 
 	if server.CertDirectory != "" {
-		<-certRotatorReady
+		if certRotatorReady != nil {
+			<-certRotatorReady
+		}
 		certFile := filepath.Join(server.CertDirectory, certName)
 		keyFile := filepath.Join(server.CertDirectory, keyName)
 
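Review bot: With the new nil guard, a caller that passes a nil `certRotatorReady` skips the wait and goes straight on to build `certFile` and `keyFile` from `server.CertDirectory`, so the TLS files must already be on disk at that point. Nothing in the hunk states that contract; I would add a comment above the guard such as `// A nil channel means no cert rotator is in use; the files in CertDirectory must already exist.` It is also worth confirming that a missing or partly written certificate fails startup with a clear error, but `Run` continues outside the hunk, so that cannot be checked from here.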
diff --git a/pkg/certificateprovider/azurekeyvault/auth.go b/pkg/certificateprovider/azurekeyvault/auth.go
index b347000e7f..9323f46070 100644
--- a/pkg/certificateprovider/azurekeyvault/auth.go
+++ b/pkg/certificateprovider/azurekeyvault/auth.go
@@ -18,16 +18,10 @@ package azurekeyvault
 // This class is based on implementation from  azure secret store csi provider
 // Source: https://github.com/Azure/secrets-store-csi-driver-provider-azure/tree/release-1.4/pkg/auth
 import (
-	"context"
 	"encoding/json"
 	"fmt"
 	"strconv"
-	"strings"
 	"time"
-
-	"github.com/ratify-project/ratify/pkg/utils/azureauth"
-
-	"github.com/Azure/go-autorest/autorest"
 )
 
 const (
@@ -41,44 +35,6 @@ const (
 	DefaultTokenAudience = "api://AzureADTokenExchange" //nolint
 )
 
-// authResult contains the subset of results from token acquisition operation in ConfidentialClientApplication
-// For details see https://aka.ms/msal-net-authenticationresult
-type authResult struct {
-	accessToken    string
-	expiresOn      time.Time
-	grantedScopes  []string
-	declinedScopes []string
-}
-
-func getAuthorizerForWorkloadIdentity(ctx context.Context, tenantID, clientID, resource string) (autorest.Authorizer, error) {
-	scope := resource
-	// .default needs to be added to the scope
-	if !strings.Contains(resource, ".default") {
-		scope = fmt.Sprintf("%s/.default", resource)
-	}
-
-	result, err := azureauth.GetAADAccessToken(ctx, tenantID, clientID, scope)
-	if err != nil {
-		return nil, fmt.Errorf("failed to acquire token: %w", err)
-	}
-
-	if _, err = parseExpiresOn(result.ExpiresOn.UTC().Local().Format(expiresOnDateFormat)); err != nil {
-		return nil, fmt.Errorf("failed to parse expires_on: %w", err)
-	}
-
-	return autorest.NewBearerAuthorizer(authResult{
-		accessToken:    result.AccessToken,
-		expiresOn:      result.ExpiresOn,
-		grantedScopes:  result.GrantedScopes,
-		declinedScopes: result.DeclinedScopes,
-	}), nil
-}
-
-// OAuthToken implements the OAuthTokenProvider interface.  It returns the current access token.
-func (ar authResult) OAuthToken() string {
-	return ar.accessToken
-}
-
 // Vendored from https://github.com/Azure/go-autorest/blob/79575dd7ba2e88e7ce7ab84e167ec6653dcb70c1/autorest/adal/token.go
 // converts expires_on to the number of seconds
 func parseExpiresOn(s interface{}) (json.Number, error) {
diff --git a/pkg/certificateprovider/azurekeyvault/provider.go b/pkg/certificateprovider/azurekeyvault/provider.go
index 6565bca075..d93dccb6c2 100644
--- a/pkg/certificateprovider/azurekeyvault/provider.go
+++ b/pkg/certificateprovider/azurekeyvault/provider.go
@@ -34,8 +34,9 @@ import (
 	"github.com/ratify-project/ratify/pkg/metrics"
 	"golang.org/x/crypto/pkcs12"
 
-	kv "github.com/Azure/azure-sdk-for-go/services/keyvault/v7.1/keyvault"
-	"github.com/Azure/go-autorest/autorest/azure"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+	"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets"
 	"gopkg.in/yaml.v2"
 )
 
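Review bot: The new `azsecrets` import uses the `sdk/keyvault/azsecrets` module path, which as far as I know is deprecated upstream in favour of `github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets`. Since this code fetches the certificates used for signature verification, it would be better to move to the maintained module now so that fixes keep arriving. The response and bundle type names differ between the two modules, so this is more than an import change. If staying on the old path is deliberate, a one-line comment next to the import saying why would help the next reviewer.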
@@ -65,7 +66,6 @@ func Create() certificateprovider.CertificateProvider {
 // get certificate retrieve the entire cert chain using getSecret API call
 func (s *akvCertProvider) GetCertificates(ctx context.Context, attrib map[string]string) ([]*x509.Certificate, certificateprovider.CertificatesStatus, error) {
 	keyvaultURI := types.GetKeyVaultURI(attrib)
-	cloudName := types.GetCloudName(attrib)
 	tenantID := types.GetTenantID(attrib)
 	workloadIdentityClientID := types.GetClientID(attrib)
 
@@ -79,11 +79,6 @@ func (s *akvCertProvider) GetCertificates(ctx context.Context, attrib map[string
 		return nil, nil, re.ErrorCodeConfigInvalid.NewError(re.CertProvider, providerName, re.AKVLink, nil, "clientID is not set", re.HideStackTrace)
 	}
 
-	azureCloudEnv, err := parseAzureEnvironment(cloudName)
-	if err != nil {
-		return nil, nil, re.ErrorCodeConfigInvalid.NewError(re.CertProvider, providerName, re.EmptyLink, nil, fmt.Sprintf("cloudName %s is not valid", cloudName), re.HideStackTrace)
-	}
-
 	keyVaultCerts, err := getKeyvaultRequestObj(ctx, attrib)
 	if err != nil {
 		return nil, nil, re.ErrorCodeConfigInvalid.NewError(re.CertProvider, providerName, re.AKVLink, err, "failed to get keyvault request object from provider attributes", re.HideStackTrace)
@@ -93,9 +88,10 @@ func (s *akvCertProvider) GetCertificates(ctx context.Context, attrib map[string
 		return nil, nil, re.ErrorCodeConfigInvalid.NewError(re.CertProvider, providerName, re.EmptyLink, nil, "no keyvault certificate configured", re.HideStackTrace)
 	}
 
-	logger.GetLogger(ctx, logOpt).Debugf("vaultURI %s", keyvaultURI)
-
-	kvClient, err := initializeKvClient(ctx, azureCloudEnv.KeyVaultEndpoint, tenantID, workloadIdentityClientID)
+	// credProvider is nil, so we will create a new workload identity credential inside the function
+	// For testing purposes, we can pass in a mock credential provider
+	var credProvider azcore.TokenCredential
+	secretKVClient, err := initializeKvClient(keyvaultURI, tenantID, workloadIdentityClientID, credProvider)
 	if err != nil {
 		return nil, nil, re.ErrorCodePluginInitFailure.NewError(re.CertProvider, providerName, re.AKVLink, err, "failed to get keyvault client", re.HideStackTrace)
 	}
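Review bot: `credProvider` is declared and passed without ever being assigned, so `initializeKvClient` always receives nil here, and the comment's promise that a mock credential provider can be passed in is not reachable through `GetCertificates`. Either pass `nil` directly with a comment such as `// nil: initializeKvClient builds a workload identity credential`, or make the credential a field on `akvCertProvider` so tests can actually inject one. A fresh credential and client are also built on every call; whether that matters depends on how often `GetCertificates` runs, which is not visible here. The function body starts and ends outside the hunk.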
@@ -108,11 +104,12 @@ func (s *akvCertProvider) GetCertificates(ctx context.Context, attrib map[string
 		// fetch the object from Key Vault
 		// GetSecret is required so we can fetch the entire cert chain. See issue https://github.com/ratify-project/ratify/issues/695 for details
 		startTime := time.Now()
-		secretBundle, err := kvClient.GetSecret(ctx, keyvaultURI, keyVaultCert.CertificateName, keyVaultCert.CertificateVersion)
 
+		secretResponse, err := secretKVClient.GetSecret(ctx, keyVaultCert.CertificateName, keyVaultCert.CertificateVersion, nil)
 		if err != nil {
 			return nil, nil, fmt.Errorf("failed to get secret objectName:%s, objectVersion:%s, error: %w", keyVaultCert.CertificateName, keyVaultCert.CertificateVersion, err)
 		}
+		secretBundle := secretResponse.SecretBundle
 
 		certResult, certProperty, err := getCertsFromSecretBundle(ctx, secretBundle, keyVaultCert.CertificateName)
 
@@ -195,42 +192,39 @@ func formatKeyVaultCertificate(object *types.KeyVaultCertificate) {
 	}
 }
 
-// parseAzureEnvironment returns azure environment by name
-func parseAzureEnvironment(cloudName string) (*azure.Environment, error) {
-	var env azure.Environment
-	var err error
-	if cloudName == "" {
-		env = azure.PublicCloud
-	} else {
-		env, err = azure.EnvironmentFromName(cloudName)
-	}
-	return &env, err
-}
-
-func initializeKvClient(ctx context.Context, keyVaultEndpoint, tenantID, clientID string) (*kv.BaseClient, error) {
-	kvClient := kv.New()
+func initializeKvClient(keyVaultEndpoint, tenantID, clientID string, credProvider azcore.TokenCredential) (*azsecrets.Client, error) {
+	// Trim any trailing slash from the endpoint
 	kvEndpoint := strings.TrimSuffix(keyVaultEndpoint, "/")
 
-	err := kvClient.AddToUserAgent("ratify")
-	if err != nil {
-		return nil, re.ErrorCodeConfigInvalid.NewError(re.CertProvider, providerName, re.AKVLink, err, "failed to add user agent to keyvault client", re.HideStackTrace)
+	// If credProvider is nil, create the default credential
+	if credProvider == nil {
+		var err error
+		credProvider, err = azidentity.NewWorkloadIdentityCredential(&azidentity.WorkloadIdentityCredentialOptions{
+			ClientID: clientID,
+			TenantID: tenantID,
+		})
+		if err != nil {
+			return nil, re.ErrorCodeAuthDenied.WithDetail("failed to create workload identity credential").WithError(err)
+		}
 	}
 
-	kvClient.Authorizer, err = getAuthorizerForWorkloadIdentity(ctx, tenantID, clientID, kvEndpoint)
+	// create azsecrets client
+	secretKVClient, err := azsecrets.NewClient(kvEndpoint, credProvider, nil)
 	if err != nil {
-		return nil, re.ErrorCodeAuthDenied.NewError(re.CertProvider, providerName, re.AKVLink, err, "failed to get authorizer for keyvault client", re.HideStackTrace)
+		return nil, re.ErrorCodeConfigInvalid.WithDetail("Failed to create Key Vault client").WithError(err)
 	}
-	return &kvClient, nil
+
+	return secretKVClient, nil
 }
 
 // Parse the secret bundle and return an array of certificates
 // In a certificate chain scenario, all certificates from root to leaf will be returned
-func getCertsFromSecretBundle(ctx context.Context, secretBundle kv.SecretBundle, certName string) ([]*x509.Certificate, []map[string]string, error) {
+func getCertsFromSecretBundle(ctx context.Context, secretBundle azsecrets.SecretBundle, certName string) ([]*x509.Certificate, []map[string]string, error) {
 	if secretBundle.ContentType == nil || secretBundle.Value == nil || secretBundle.ID == nil {
 		return nil, nil, re.ErrorCodeCertInvalid.NewError(re.CertProvider, providerName, re.EmptyLink, nil, "found invalid secret bundle for certificate  %s, contentType, value, and id must not be nil", re.HideStackTrace)
 	}
 
-	version := getObjectVersion(*secretBundle.ID)
+	version := getObjectVersion(string(*secretBundle.ID))
 
 	// This aligns with notation akv implementation
 	// akv plugin supports both PKCS12 and PEM. https://github.com/Azure/notation-azure-kv/blob/558e7345ef8318783530de6a7a0a8420b9214ba8/Notation.Plugin.AzureKeyVault/KeyVault/KeyVaultClient.cs#L192
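Review bot: `initializeKvClient` no longer receives any cloud information: the credential is built with only `ClientID` and `TenantID`, and `azsecrets.NewClient` is given `nil` options. Together with the removal of `parseAzureEnvironment` and the `cloudName` validation in the earlier `GetCertificates` hunks, a `cloudName` set in the provider attributes now appears to be silently ignored, where an invalid value used to be rejected with `ErrorCodeConfigInvalid`. If sovereign clouds are still supported, map the name to a `cloud.Configuration` from `azcore/cloud` and set it on the client options of both constructors; otherwise reject or log a non-empty `cloudName` so the misconfiguration is visible. Separately, the two new error returns use `WithDetail(...).WithError(err)` while the rest of the file uses `NewError(re.CertProvider, providerName, ...)`, so they no longer carry the component and provider name.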
diff --git a/pkg/certificateprovider/azurekeyvault/provider_test.go b/pkg/certificateprovider/azurekeyvault/provider_test.go
index f11f31eedc..35b03c4bdd 100644
--- a/pkg/certificateprovider/azurekeyvault/provider_test.go
+++ b/pkg/certificateprovider/azurekeyvault/provider_test.go
@@ -19,40 +19,19 @@ package azurekeyvault
 // Source: https://github.com/Azure/secrets-store-csi-driver-provider-azure/tree/release-1.4/pkg/provider
 import (
 	"context"
+	"errors"
 	"reflect"
-	"strings"
 	"testing"
 	"time"
 
-	kv "github.com/Azure/azure-sdk-for-go/services/keyvault/v7.1/keyvault"
-	"github.com/Azure/go-autorest/autorest/azure"
-	"github.com/ratify-project/ratify/internal/version"
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+	"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets"
 	"github.com/ratify-project/ratify/pkg/certificateprovider/azurekeyvault/types"
 	"github.com/sirupsen/logrus"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
 )
 
-func TestParseAzureEnvironment(t *testing.T) {
-	envNamesArray := []string{"AZURECHINACLOUD", "AZUREGERMANCLOUD", "AZUREPUBLICCLOUD", "AZUREUSGOVERNMENTCLOUD", ""}
-	for _, envName := range envNamesArray {
-		azureEnv, err := parseAzureEnvironment(envName)
-		if err != nil {
-			t.Fatalf("expected no error, got %v", err)
-		}
-		if strings.EqualFold(envName, "") && !strings.EqualFold(azureEnv.Name, "AZUREPUBLICCLOUD") {
-			t.Fatalf("string doesn't match, expected AZUREPUBLICCLOUD, got %s", azureEnv.Name)
-		} else if !strings.EqualFold(envName, "") && !strings.EqualFold(envName, azureEnv.Name) {
-			t.Fatalf("string doesn't match, expected %s, got %s", envName, azureEnv.Name)
-		}
-	}
-
-	wrongEnvName := "AZUREWRONGCLOUD"
-	_, err := parseAzureEnvironment(wrongEnvName)
-	if err == nil {
-		t.Fatalf("expected error for wrong azure environment name")
-	}
-}
-
 func TestFormatKeyVaultCertificate(t *testing.T) {
 	cases := []struct {
 		desc                   string
@@ -93,21 +72,110 @@ func TestFormatKeyVaultCertificate(t *testing.T) {
 	}
 }
 
-func SkipTestInitializeKVClient(t *testing.T) {
-	testEnvs := []azure.Environment{
-		azure.PublicCloud,
-		azure.GermanCloud,
-		azure.ChinaCloud,
-		azure.USGovernmentCloud,
+// Mock clients
+type MockAzSecretsClient struct {
+	mock.Mock
+}
+
+type MockWorkloadIdentityCredential struct {
+	mock.Mock
+}
+
+// Mock functions
+func (m *MockWorkloadIdentityCredential) NewWorkloadIdentityCredential(options *azidentity.WorkloadIdentityCredentialOptions) (*MockWorkloadIdentityCredential, error) {
+	args := m.Called(options)
+	return args.Get(0).(*MockWorkloadIdentityCredential), args.Error(1)
+}
+
+func (m *MockAzSecretsClient) NewClient(endpoint string, credential *azidentity.WorkloadIdentityCredential, options *azsecrets.ClientOptions) (*azsecrets.Client, error) {
+	args := m.Called(endpoint, credential, options)
+	return args.Get(0).(*azsecrets.Client), args.Error(1)
+}
+
+func TestInitializeKvClient(t *testing.T) {
+	mockCredential := new(MockWorkloadIdentityCredential)
+	mockSecretsClient := new(MockAzSecretsClient)
+
+	tests := []struct {
+		name              string
+		kvEndpoint        string
+		userAgent         string
+		tenantID          string
+		clientID          string
+		mockCredentialErr error
+		mockSecretsErr    error
+		expectedErr       bool
+	}{
+		{
+			name:        "Empty user agent",
+			kvEndpoint:  "https://test.vault.azure.net",
+			userAgent:   "",
+			expectedErr: true,
+		},
+		{
+			name:        "Auth failure",
+			kvEndpoint:  "https://test.vault.azure.net",
+			tenantID:    "testTenantID",
+			clientID:    "testClientID",
+			expectedErr: true,
+		},
+		{
+			name:              "credential creation error",
+			kvEndpoint:        "https://test-keyvault.vault.azure.net",
+			tenantID:          "test-tenant-id",
+			clientID:          "test-client-id",
+			mockCredentialErr: errors.New("failed to create workload identity credential"),
+			expectedErr:       true,
+		},
+		{
+			name:           "azsecrets client creation error",
+			kvEndpoint:     "https://test-keyvault.vault.azure.net",
+			tenantID:       "test-tenant-id",
+			clientID:       "test-client-id",
+			mockSecretsErr: errors.New("failed to create azsecrets client"),
+			expectedErr:    true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Set up mocks
+			mockCredential.On("NewWorkloadIdentityCredential", mock.Anything).Return(mockCredential, tt.mockCredentialErr)
+			mockSecretsClient.On("NewClient", tt.kvEndpoint, mockCredential, mock.Anything).Return(mockSecretsClient, tt.mockSecretsErr)
+
+			// Call function under test
+			secretsClient, err := initializeKvClient(tt.kvEndpoint, tt.tenantID, tt.clientID, nil)
+
+			// Validate expectations
+			if tt.expectedErr {
+				assert.Error(t, err)
+				assert.Nil(t, secretsClient)
+			} else {
+				assert.NoError(t, err)
+				assert.NotNil(t, secretsClient)
+			}
+		})
 	}
+}
+
+func TestInitializeKvClient_Success(t *testing.T) {
+	// Mock the context and input parameters
+	keyVaultEndpoint := "https://myvault.vault.azure.net/"
+	tenantID := "tenant-id"
+	clientID := "client-id"
 
-	for i := range testEnvs {
-		kvBaseClient, err := initializeKvClient(context.TODO(), testEnvs[i].KeyVaultEndpoint, "", "")
-		assert.NoError(t, err)
-		assert.NotNil(t, kvBaseClient)
-		assert.NotNil(t, kvBaseClient.Authorizer)
-		assert.Contains(t, kvBaseClient.UserAgent, version.UserAgent)
+	// Create a mock credential provider
+	mockCredential, err := azidentity.NewClientSecretCredential(tenantID, clientID, "fake-secret", nil)
+	if err != nil {
+		t.Fatalf("Failed to create mock credential: %v", err)
 	}
+
+	// Run the function with the mock credential
+	kvClientSecrets, err := initializeKvClient(keyVaultEndpoint, tenantID, clientID, mockCredential)
+
+	// Assert the function succeeds without errors and clients are created
+	assert.NotNil(t, kvClientSecrets)
+	assert.NoError(t, err)
 }
 
 func TestGetCertificates(t *testing.T) {
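Review bot: The two testify mocks added in this hunk are never wired into `initializeKvClient`: every table case passes `nil` as the credential, so the `.On(...)` expectations are registered but never consulted, and `mockCredentialErr` / `mockSecretsErr` cannot influence the result. Every case expects an error and presumably gets one only because the real workload identity credential cannot be built in a test environment, so the "Auth failure" and "azsecrets client creation error" paths are not actually exercised; the `userAgent` field is unused as well. The expectations are also re-added to the same shared mock objects on each subtest. Either inject a stub credential through the fourth parameter so each failure is driven deliberately, or drop the mocks and name the cases for what they really test. In `TestInitializeKvClient_Success` the value called `mockCredential` is a real `ClientSecretCredential`, so a name like `testCredential` would be more accurate.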
@@ -137,15 +205,6 @@ func TestGetCertificates(t *testing.T) {
 			},
 			expectedErr: true,
 		},
-		{
-			desc: "invalid cloud name",
-			parameters: map[string]string{
-				"vaultUri":  "https://testkv.vault.azure.net/",
-				"tenantID":  "tid",
-				"cloudName": "AzureCloud",
-			},
-			expectedErr: true,
-		},
 		{
 			desc: "certificates array not set",
 			parameters: map[string]string{
@@ -261,7 +320,6 @@ func TestGetKeyvaultRequestObj(t *testing.T) {
 	attrib := map[string]string{}
 	attrib["vaultURI"] = "https://testvault.vault.azure.net/"
 	attrib["clientID"] = "TestClient"
-	attrib["cloudName"] = "TestCloud"
 	attrib["tenantID"] = "TestIDABC"
 	attrib["certificates"] = "array:\n- |\n  certificateName: wabbit-networks-io  \n  certificateVersion: \"testversion\"\n"
 
@@ -280,7 +338,7 @@ func Test(t *testing.T) {
 		desc        string
 		value       string
 		contentType string
-		id          string
+		id          azsecrets.ID
 		expectedErr bool
 	}{
 		{
@@ -322,7 +380,7 @@ func Test(t *testing.T) {
 
 	for i, tc := range cases {
 		t.Run(tc.desc, func(t *testing.T) {
-			testdata := kv.SecretBundle{
+			testdata := azsecrets.SecretBundle{
 				Value:       &cases[i].value,
 				ID:          &cases[i].id,
 				ContentType: &cases[i].contentType,
diff --git a/pkg/certificateprovider/certificate_provider_test.go b/pkg/certificateprovider/certificate_provider_test.go
index 78d70c4393..2b6309be43 100644
--- a/pkg/certificateprovider/certificate_provider_test.go
+++ b/pkg/certificateprovider/certificate_provider_test.go
@@ -78,7 +78,7 @@ func TestDecodeCertificates_ByteArrayToCertificates(t *testing.T) {
 
 	r, err := DecodeCertificates(c1)
 	if err != nil {
-		t.Fatalf(err.Error())
+		t.Fatal(err.Error())
 	}
 
 	expectedLen := 1
diff --git a/pkg/controllers/logging.go b/pkg/controllers/logging.go
index 7ad3429f69..90abce740e 100644
--- a/pkg/controllers/logging.go
+++ b/pkg/controllers/logging.go
@@ -122,7 +122,7 @@ func (sink *LogrusSink) createEntry(keysAndValues ...interface{}) *logrus.Entry
 }
 
 func (sink *LogrusSink) formatMessage(msg string) string {
-	if sink.names == nil || len(sink.names) == 0 {
+	if len(sink.names) == 0 {
 		return msg
 	}
 
diff --git a/pkg/keymanagementprovider/azurekeyvault/auth.go b/pkg/keymanagementprovider/azurekeyvault/auth.go
index cd4d248f7e..1de94181ad 100644
--- a/pkg/keymanagementprovider/azurekeyvault/auth.go
+++ b/pkg/keymanagementprovider/azurekeyvault/auth.go
@@ -18,16 +18,10 @@ package azurekeyvault
 // This class is based on implementation from  azure secret store csi provider
 // Source: https://github.com/Azure/secrets-store-csi-driver-provider-azure/tree/release-1.4/pkg/auth
 import (
-	"context"
 	"encoding/json"
 	"fmt"
 	"strconv"
-	"strings"
 	"time"
-
-	"github.com/ratify-project/ratify/pkg/utils/azureauth"
-
-	"github.com/Azure/go-autorest/autorest"
 )
 
 const (
@@ -41,44 +35,6 @@ const (
 	DefaultTokenAudience = "api://AzureADTokenExchange" //nolint
 )
 
-// authResult contains the subset of results from token acquisition operation in ConfidentialClientApplication
-// For details see https://aka.ms/msal-net-authenticationresult
-type authResult struct {
-	accessToken    string
-	expiresOn      time.Time
-	grantedScopes  []string
-	declinedScopes []string
-}
-
-func getAuthorizerForWorkloadIdentity(ctx context.Context, tenantID, clientID, resource string) (autorest.Authorizer, error) {
-	scope := resource
-	// .default needs to be added to the scope
-	if !strings.Contains(resource, ".default") {
-		scope = fmt.Sprintf("%s/.default", resource)
-	}
-
-	result, err := azureauth.GetAADAccessToken(ctx, tenantID, clientID, scope)
-	if err != nil {
-		return nil, fmt.Errorf("failed to acquire token: %w", err)
-	}
-
-	if _, err = parseExpiresOn(result.ExpiresOn.UTC().Local().Format(expiresOnDateFormat)); err != nil {
-		return nil, fmt.Errorf("failed to parse expires_on: %w", err)
-	}
-
-	return autorest.NewBearerAuthorizer(authResult{
-		accessToken:    result.AccessToken,
-		expiresOn:      result.ExpiresOn,
-		grantedScopes:  result.GrantedScopes,
-		declinedScopes: result.DeclinedScopes,
-	}), nil
-}
-
-// OAuthToken implements the OAuthTokenProvider interface.  It returns the current access token.
-func (ar authResult) OAuthToken() string {
-	return ar.accessToken
-}
-
 // Vendored from https://github.com/Azure/go-autorest/blob/79575dd7ba2e88e7ce7ab84e167ec6653dcb70c1/autorest/adal/token.go
 // converts expires_on to the number of seconds
 func parseExpiresOn(s interface{}) (json.Number, error) {
diff --git a/pkg/keymanagementprovider/azurekeyvault/provider.go b/pkg/keymanagementprovider/azurekeyvault/provider.go
index 22c3fba6a4..5a77692d5f 100644
--- a/pkg/keymanagementprovider/azurekeyvault/provider.go
+++ b/pkg/keymanagementprovider/azurekeyvault/provider.go
@@ -26,6 +26,8 @@ import (
 	"encoding/pem"
 	"errors"
 	"fmt"
+	"io"
+	"net/http"
 	"strconv"
 	"strings"
 	"time"
@@ -33,7 +35,6 @@ import (
 	"github.com/go-jose/go-jose/v3"
 	re "github.com/ratify-project/ratify/errors"
 	"github.com/ratify-project/ratify/internal/logger"
-	"github.com/ratify-project/ratify/internal/version"
 	"github.com/ratify-project/ratify/pkg/keymanagementprovider"
 	"github.com/ratify-project/ratify/pkg/keymanagementprovider/azurekeyvault/types"
 	"github.com/ratify-project/ratify/pkg/keymanagementprovider/config"
@@ -41,9 +42,11 @@ import (
 	"github.com/ratify-project/ratify/pkg/metrics"
 	"golang.org/x/crypto/pkcs12"
 
-	kv "github.com/Azure/azure-sdk-for-go/services/keyvault/v7.1/keyvault"
-	"github.com/Azure/go-autorest/autorest"
-	"github.com/Azure/go-autorest/autorest/azure"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+	"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azcertificates"
+	"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys"
+	"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets"
 )
 
 const (
@@ -61,54 +64,63 @@ type AKVKeyManagementProviderConfig struct {
 	VaultURI     string                `json:"vaultURI"`
 	TenantID     string                `json:"tenantID"`
 	ClientID     string                `json:"clientID"`
-	CloudName    string                `json:"cloudName,omitempty"`
 	Resource     string                `json:"resource,omitempty"`
 	Certificates []types.KeyVaultValue `json:"certificates,omitempty"`
 	Keys         []types.KeyVaultValue `json:"keys,omitempty"`
 }
 
 type akvKMProvider struct {
-	provider     string
-	vaultURI     string
-	tenantID     string
-	clientID     string
-	cloudName    string
-	resource     string
-	certificates []types.KeyVaultValue
-	keys         []types.KeyVaultValue
-	cloudEnv     *azure.Environment
-	kvClient     kvClient
+	provider            string
+	vaultURI            string
+	tenantID            string
+	clientID            string
+	resource            string
+	certificates        []types.KeyVaultValue
+	keys                []types.KeyVaultValue
+	keyKVClient         keyKVClient
+	secretKVClient      secretKVClient
+	certificateKVClient certificateKVClient
 }
 
 type akvKMProviderFactory struct{}
 
 // kvClient is an interface to interact with the keyvault client used for mocking purposes
-type kvClient interface {
-	// GetCertificate retrieves a certificate from the keyvault
-	GetCertificate(ctx context.Context, vaultBaseURL string, certificateName string, certificateVersion string) (kv.CertificateBundle, error)
+type keyKVClient interface {
 	// GetKey retrieves a key from the keyvault
-	GetKey(ctx context.Context, vaultBaseURL string, keyName string, keyVersion string) (kv.KeyBundle, error)
+	GetKey(ctx context.Context, keyName string, keyVersion string) (azkeys.GetKeyResponse, error)
+}
+type secretKVClient interface {
 	// GetSecret retrieves a secret from the keyvault
-	GetSecret(ctx context.Context, vaultBaseURL string, secretName string, secretVersion string) (kv.SecretBundle, error)
+	GetSecret(ctx context.Context, secretName string, secretVersion string) (azsecrets.GetSecretResponse, error)
+}
+type certificateKVClient interface {
+	// GetCertificate retrieves a certificate from the keyvault
+	GetCertificate(ctx context.Context, certificateName string, certificateVersion string) (azcertificates.GetCertificateResponse, error)
 }
 
-type kvClientImpl struct {
-	kv.BaseClient
+type keyKVClientImpl struct {
+	azkeys.Client
+}
+type secretKVClientImpl struct {
+	azsecrets.Client
+}
+type certificateKVClientImpl struct {
+	azcertificates.Client
 }
 
 // GetCertificate retrieves a certificate from the keyvault
-func (c *kvClientImpl) GetCertificate(ctx context.Context, vaultBaseURL string, certificateName string, certificateVersion string) (kv.CertificateBundle, error) {
-	return c.BaseClient.GetCertificate(ctx, vaultBaseURL, certificateName, certificateVersion)
+func (c *certificateKVClientImpl) GetCertificate(ctx context.Context, certificateName string, certificateVersion string) (azcertificates.GetCertificateResponse, error) {
+	return c.Client.GetCertificate(ctx, certificateName, certificateVersion, nil)
 }
 
 // GetKey retrieves a key from the keyvault
-func (c *kvClientImpl) GetKey(ctx context.Context, vaultBaseURL string, keyName string, keyVersion string) (kv.KeyBundle, error) {
-	return c.BaseClient.GetKey(ctx, vaultBaseURL, keyName, keyVersion)
+func (c *keyKVClientImpl) GetKey(ctx context.Context, keyName string, keyVersion string) (azkeys.GetKeyResponse, error) {
+	return c.Client.GetKey(ctx, keyName, keyVersion, nil)
 }
 
 // GetSecret retrieves a secret from the keyvault
-func (c *kvClientImpl) GetSecret(ctx context.Context, vaultBaseURL string, secretName string, secretVersion string) (kv.SecretBundle, error) {
-	return c.BaseClient.GetSecret(ctx, vaultBaseURL, secretName, secretVersion)
+func (c *secretKVClientImpl) GetSecret(ctx context.Context, secretName string, secretVersion string) (azsecrets.GetSecretResponse, error) {
+	return c.Client.GetSecret(ctx, secretName, secretVersion, nil)
 }
 
 // initKVClient is a function to initialize the keyvault client
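Review bot: The three `*KVClientImpl` wrappers embed the SDK clients by value (`azkeys.Client`, `azsecrets.Client`, `azcertificates.Client`), which forces `Create` in the `@@ -147` hunk to dereference and copy the pointers returned by `initKVClient`, and that copy panics if a substituted `initKVClient` ever returns a nil client with a nil error. Embedding the pointer avoids both, e.g. `type keyKVClientImpl struct { *azkeys.Client }` with `provider.keyKVClient = &keyKVClientImpl{keyKVClient}`. Separately, the comment `// kvClient is an interface ...` now sits on `keyKVClient` and names a type that no longer exists, while `secretKVClient` and `certificateKVClient` have no doc comment. I would give each interface its own one-line comment saying it wraps the corresponding SDK client so tests can substitute a mock.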
@@ -133,11 +145,6 @@ func (f *akvKMProviderFactory) Create(_ string, keyManagementProviderConfig conf
 		return nil, re.ErrorCodeConfigInvalid.NewError(re.KeyManagementProvider, "", re.EmptyLink, err, "failed to parse AKV key management provider configuration", re.HideStackTrace)
 	}
 
-	azureCloudEnv, err := parseAzureEnvironment(conf.CloudName)
-	if err != nil {
-		return nil, re.ErrorCodeConfigInvalid.NewError(re.KeyManagementProvider, ProviderName, re.EmptyLink, nil, fmt.Sprintf("cloudName %s is not valid", conf.CloudName), re.HideStackTrace)
-	}
-
 	if len(conf.Certificates) == 0 && len(conf.Keys) == 0 {
 		return nil, re.ErrorCodeConfigInvalid.NewError(re.KeyManagementProvider, ProviderName, re.EmptyLink, nil, "no keyvault certificates or keys configured", re.HideStackTrace)
 	}
@@ -147,23 +154,25 @@ func (f *akvKMProviderFactory) Create(_ string, keyManagementProviderConfig conf
 		vaultURI:     strings.TrimSpace(conf.VaultURI),
 		tenantID:     strings.TrimSpace(conf.TenantID),
 		clientID:     strings.TrimSpace(conf.ClientID),
-		cloudName:    strings.TrimSpace(conf.CloudName),
 		certificates: conf.Certificates,
 		keys:         conf.Keys,
-		cloudEnv:     azureCloudEnv,
 		resource:     conf.Resource,
 	}
 	if err := provider.validate(); err != nil {
 		return nil, err
 	}
 
-	logger.GetLogger(context.Background(), logOpt).Debugf("vaultURI %s", provider.vaultURI)
-
-	kvClient, err := initKVClient(context.Background(), provider.cloudEnv.KeyVaultEndpoint, provider.tenantID, provider.clientID, version.UserAgent)
+	// credProvider is nil, so we will create a new workload identity credential inside the function
+	// For testing purposes, we can pass in a mock credential provider
+	var credProvider azcore.TokenCredential
+	keyKVClient, secretKVClient, certificateKVClient, err := initKVClient(provider.vaultURI, provider.tenantID, provider.clientID, credProvider)
 	if err != nil {
 		return nil, re.ErrorCodePluginInitFailure.NewError(re.KeyManagementProvider, ProviderName, re.AKVLink, err, "failed to create keyvault client", re.HideStackTrace)
 	}
-	provider.kvClient = &kvClientImpl{*kvClient}
+
+	provider.keyKVClient = &keyKVClientImpl{*keyKVClient}
+	provider.secretKVClient = &secretKVClientImpl{*secretKVClient}
+	provider.certificateKVClient = &certificateKVClientImpl{*certificateKVClient}
 
 	return provider, nil
 }
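Review bot: `credProvider` is declared and passed without ever being assigned, so `Create` always hands `initKVClient` a nil credential, and the comment `For testing purposes, we can pass in a mock credential provider` describes something this function does not allow. Passing `nil` directly with a comment such as `// nil selects the workload identity credential inside initKVClient` says the same thing without the dead variable. With `cloudName` and `cloudEnv` removed, nothing in this path chooses the token authority any more, so for sovereign clouds it presumably falls to the identity library's defaults and environment. It would help to document that, and to say how a config that still sets `cloudName` is treated, since the hunk does not show whether that key is now rejected or silently ignored. `Create` starts above this hunk.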
@@ -174,20 +183,19 @@ func (s *akvKMProvider) GetCertificates(ctx context.Context) (map[keymanagementp
 	certsMap := map[keymanagementprovider.KMPMapKey][]*x509.Certificate{}
 	certsStatus := []map[string]string{}
 	for _, keyVaultCert := range s.certificates {
-		logger.GetLogger(ctx, logOpt).Debugf("fetching secret from key vault, certName %v,  keyvault %v", keyVaultCert.Name, s.vaultURI)
+		logger.GetLogger(ctx, logOpt).Debugf("fetching secret from key vault, certName %v, certVersion %v, vaultURI: %v", keyVaultCert.Name, keyVaultCert.Version, s.vaultURI)
 
 		startTime := time.Now()
-
-		// GetSecret is required so we can fetch the entire cert chain. See issue https://github.com/ratify-project/ratify/issues/695 for details
-		secretBundle, err := s.kvClient.GetSecret(ctx, s.vaultURI, keyVaultCert.Name, keyVaultCert.Version)
+		secretResponse, err := s.secretKVClient.GetSecret(ctx, keyVaultCert.Name, keyVaultCert.Version)
 		if err != nil {
 			if isSecretDisabledError(err) {
 				// if secret is disabled, get the version of the certificate for status
-				certBundle, err := s.kvClient.GetCertificate(ctx, s.vaultURI, keyVaultCert.Name, keyVaultCert.Version)
+				certResponse, err := s.certificateKVClient.GetCertificate(ctx, keyVaultCert.Name, keyVaultCert.Version)
 				if err != nil {
 					return nil, nil, fmt.Errorf("failed to get certificate objectName:%s, objectVersion:%s, error: %w", keyVaultCert.Name, keyVaultCert.Version, err)
 				}
-				keyVaultCert.Version = getObjectVersion(*certBundle.Kid)
+				certBundle := certResponse.CertificateBundle
+				keyVaultCert.Version = getObjectVersion(*certBundle.KID)
 				isEnabled := *certBundle.Attributes.Enabled
 				lastRefreshed := startTime.Format(time.RFC3339)
 				certProperty := getStatusProperty(keyVaultCert.Name, keyVaultCert.Version, lastRefreshed, isEnabled)
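Review bot: The disabled-secret branch dereferences `*certBundle.KID` and `*certBundle.Attributes.Enabled` straight from the service response without nil checks, so a response missing either field would panic the provider instead of returning an error. A guard such as `if certBundle.KID == nil || certBundle.Attributes == nil || certBundle.Attributes.Enabled == nil { return nil, nil, fmt.Errorf(...) }` before use keeps the failure on the error path. The same applies to `*secretBundle.Attributes.Enabled` in the `@@ -196` hunk and to `*keyBundle.Attributes.Enabled` and `*keyBundle.Key.KID` in `GetKeys` (`@@ -225`), where `keyBundle.Key` is dereferenced before the nil check in `getKeyFromKeyBundle` could run. The hunk also drops the comment explaining that `GetSecret` is used so the whole certificate chain can be fetched (issue 695); that reasoning still holds and is worth keeping above the call. `GetCertificates` starts and ends outside this hunk.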
@@ -196,10 +204,10 @@ func (s *akvKMProvider) GetCertificates(ctx context.Context) (map[keymanagementp
 				keymanagementprovider.DeleteCertificateFromMap(s.resource, mapKey)
 				continue
 			}
-
 			return nil, nil, fmt.Errorf("failed to get secret objectName:%s, objectVersion:%s, error: %w", keyVaultCert.Name, keyVaultCert.Version, err)
 		}
 
+		secretBundle := secretResponse.SecretBundle
 		isEnabled := *secretBundle.Attributes.Enabled
 
 		certResult, certProperty, err := getCertsFromSecretBundle(ctx, secretBundle, keyVaultCert.Name, isEnabled)
@@ -225,14 +233,14 @@ func (s *akvKMProvider) GetKeys(ctx context.Context) (map[keymanagementprovider.
 
 		// fetch the key object from Key Vault
 		startTime := time.Now()
-		keyBundle, err := s.kvClient.GetKey(ctx, s.vaultURI, keyVaultKey.Name, keyVaultKey.Version)
+		keyResponse, err := s.keyKVClient.GetKey(ctx, keyVaultKey.Name, keyVaultKey.Version)
 		if err != nil {
 			return nil, nil, fmt.Errorf("failed to get key objectName:%s, objectVersion:%s, error: %w", keyVaultKey.Name, keyVaultKey.Version, err)
 		}
-
+		keyBundle := keyResponse.KeyBundle
 		isEnabled := *keyBundle.Attributes.Enabled
 		// if version is set as "" in the config, use the version from the key bundle
-		keyVaultKey.Version = getObjectVersion(*keyBundle.Key.Kid)
+		keyVaultKey.Version = getObjectVersion(string(*keyBundle.Key.KID))
 
 		if !isEnabled {
 			startTime := time.Now()
@@ -278,42 +286,53 @@ func getStatusProperty(name, version, lastRefreshed string, enabled bool) map[st
 	return properties
 }
 
-// parseAzureEnvironment returns azure environment by name
-func parseAzureEnvironment(cloudName string) (*azure.Environment, error) {
-	var env azure.Environment
-	var err error
-	if cloudName == "" {
-		env = azure.PublicCloud
-	} else {
-		env, err = azure.EnvironmentFromName(cloudName)
+// initializeKvClient creates a new keyvault client for keys, secrets and certificates
+// TODO: credProvider in only added to params for testing purposes. Make sure it is handled properly in future
+func initializeKvClient(keyVaultURI, tenantID, clientID string, credProvider azcore.TokenCredential) (*azkeys.Client, *azsecrets.Client, *azcertificates.Client, error) {
+	// Trim any trailing slash from the endpoint
+	kvEndpoint := strings.TrimSuffix(keyVaultURI, "/")
+
+	// If credProvider is nil, create the default credential
+	if credProvider == nil {
+		var err error
+		credProvider, err = azidentity.NewWorkloadIdentityCredential(&azidentity.WorkloadIdentityCredentialOptions{
+			ClientID: clientID,
+			TenantID: tenantID,
+		})
+		if err != nil {
+			return nil, nil, nil, re.ErrorCodeAuthDenied.WithDetail("failed to create workload identity credential").WithError(err)
+		}
 	}
-	return &env, err
-}
 
-func initializeKvClient(ctx context.Context, keyVaultEndpoint, tenantID, clientID, userAgent string) (*kv.BaseClient, error) {
-	kvClient := kv.New()
-	kvEndpoint := strings.TrimSuffix(keyVaultEndpoint, "/")
+	// create azkeys client
+	keyKVClient, err := azkeys.NewClient(kvEndpoint, credProvider, nil)
+	if err != nil {
+		return nil, nil, nil, re.ErrorCodeConfigInvalid.WithDetail("Failed to create keys Key Vault client").WithError(err)
+	}
 
-	err := kvClient.Client.AddToUserAgent(userAgent)
+	// create azsecrets client
+	secretKVClient, err := azsecrets.NewClient(kvEndpoint, credProvider, nil)
 	if err != nil {
-		return nil, re.ErrorCodeConfigInvalid.WithDetail("Failed to add user agent to keyvault client.").WithRemediation(re.AKVLink).WithError(err)
+		return nil, nil, nil, re.ErrorCodeConfigInvalid.WithDetail("Failed to create secrets Key Vault client").WithError(err)
 	}
 
-	kvClient.Authorizer, err = getAuthorizerForWorkloadIdentity(ctx, tenantID, clientID, kvEndpoint)
+	// create azcertificates client
+	certificateKVClient, err := azcertificates.NewClient(kvEndpoint, credProvider, nil)
 	if err != nil {
-		return nil, re.ErrorCodeAuthDenied.WithDetail("failed to get authorizer for keyvault client").WithRemediation(re.AKVLink).WithError(err)
+		return nil, nil, nil, re.ErrorCodeConfigInvalid.WithDetail("Failed to create certificates Key Vault client").WithError(err)
 	}
-	return &kvClient, nil
+
+	return keyKVClient, secretKVClient, certificateKVClient, nil
 }
 
 // Parse the secret bundle and return an array of certificates
 // In a certificate chain scenario, all certificates from root to leaf will be returned
-func getCertsFromSecretBundle(ctx context.Context, secretBundle kv.SecretBundle, certName string, enabled bool) ([]*x509.Certificate, []map[string]string, error) {
+func getCertsFromSecretBundle(ctx context.Context, secretBundle azsecrets.SecretBundle, certName string, enabled bool) ([]*x509.Certificate, []map[string]string, error) {
 	if secretBundle.ContentType == nil || secretBundle.Value == nil || secretBundle.ID == nil {
 		return nil, nil, re.ErrorCodeCertInvalid.NewError(re.KeyManagementProvider, ProviderName, re.EmptyLink, nil, "found invalid secret bundle for certificate  %s, contentType, value, and id must not be nil", re.HideStackTrace)
 	}
 
-	version := getObjectVersion(*secretBundle.ID)
+	version := getObjectVersion(string(*secretBundle.ID))
 
 	// This aligns with notation akv implementation
 	// akv plugin supports both PKCS12 and PEM. https://github.com/Azure/notation-azure-kv/blob/558e7345ef8318783530de6a7a0a8420b9214ba8/Notation.Plugin.AzureKeyVault/KeyVault/KeyVaultClient.cs#L192
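Review bot: The old `initializeKvClient` tagged requests with `version.UserAgent`, while the new one passes `nil` options to all three `NewClient` calls, so Key Vault requests are no longer attributable to Ratify in service-side logs. If that identification is still wanted, the client options carry a telemetry application ID that can be set before each call, e.g. `opts := &azsecrets.ClientOptions{}` followed by `opts.Telemetry.ApplicationID = <ratify identifier>`; the SDK restricts that value's length and characters, so `version.UserAgent` may need shortening. The doc comment should also state that a nil `credProvider` selects a workload identity credential built from `tenantID` and `clientID`. The TODO has a typo (`in only added` should read `is only added`).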
@@ -378,18 +397,24 @@ func getCertsFromSecretBundle(ctx context.Context, secretBundle kv.SecretBundle,
 }
 
 // Based on https://github.com/sigstore/sigstore/blob/8b208f7d608b80a7982b2a66358b8333b1eec542/pkg/signature/kms/azure/client.go#L258
-func getKeyFromKeyBundle(keyBundle kv.KeyBundle) (crypto.PublicKey, error) {
+func getKeyFromKeyBundle(keyBundle azkeys.KeyBundle) (crypto.PublicKey, error) {
 	webKey := keyBundle.Key
 	if webKey == nil {
 		return nil, re.ErrorCodeKeyInvalid.NewError(re.KeyManagementProvider, ProviderName, re.EmptyLink, nil, "found invalid key bundle, key must not be nil", re.HideStackTrace)
 	}
 
-	keyType := webKey.Kty
+	if webKey.Kty == nil {
+		return nil, re.ErrorCodeKeyInvalid.NewError(re.KeyManagementProvider, ProviderName, re.EmptyLink, nil, "found invalid key bundle, keytype must not be nil", re.HideStackTrace)
+	}
+
+	keyType := *webKey.Kty
 	switch keyType {
-	case kv.ECHSM:
-		webKey.Kty = kv.EC
-	case kv.RSAHSM:
-		webKey.Kty = kv.RSA
+	case azkeys.JSONWebKeyTypeECHSM:
+		ecType := azkeys.JSONWebKeyTypeEC
+		webKey.Kty = &ecType
+	case azkeys.JSONWebKeyTypeRSAHSM:
+		rsaType := azkeys.JSONWebKeyTypeRSA
+		webKey.Kty = &rsaType
 	}
 
 	keyBytes, err := json.Marshal(webKey)
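Review bot: `webKey` is the same pointer as `keyBundle.Key`, so rewriting `webKey.Kty` in the HSM cases changes the caller's bundle as a side effect of what reads like a pure conversion. Working on a copy keeps the input intact: take `jwk := *webKey`, assign `jwk.Kty = &ecType` or `&rsaType` in the switch, and marshal `jwk` instead of `webKey`. If the in-place rewrite is intentional, a comment on the switch saying so would be enough. The function continues past the end of this hunk.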
@@ -417,15 +442,39 @@ func getObjectVersion(id string) string {
 }
 
 func isSecretDisabledError(err error) bool {
-	var de autorest.DetailedError
-	if errors.As(err, &de) {
-		var re *azure.RequestError
-		if errors.As(de.Original, &re) {
-			if re.ServiceError.Code == "SecretDisabled" {
-				return true
-			}
+	// AzureError defines the structure of the error response from Azure Key Vault
+	// This structure is defined according to https://learn.microsoft.com/en-us/rest/api/keyvault/keys/get-keys/get-keys?view=rest-keyvault-keys-7.4&tabs=HTTP#error
+	type AzureError struct {
+		Error struct {
+			Code       string `json:"code"`
+			Message    string `json:"message"`
+			InnerError struct {
+				Code string `json:"code"`
+			} `json:"innererror"`
+		} `json:"error"`
+	}
+
+	// Parse err and make sure it is a secretDisabled error and return true
+	const ErrorCodeForbidden = "Forbidden"
+	const SecretDisabledCode = "SecretDisabled"
+	var httpErr *azcore.ResponseError
+	if errors.As(err, &httpErr) {
+		if httpErr.StatusCode != http.StatusForbidden {
+			return false
+		}
+
+		var azureError AzureError
+		errorResponseBody, readErr := io.ReadAll(httpErr.RawResponse.Body)
+		if readErr != nil {
+			return false
+		}
+		jsonErr := json.Unmarshal(errorResponseBody, &azureError)
+		if jsonErr == nil && azureError.Error.Code == ErrorCodeForbidden && azureError.Error.InnerError.Code == SecretDisabledCode {
+			return true
 		}
 	}
+
+	// Return false if it's not a secretDisabled error
 	return false
 }
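Review bot: `httpErr.RawResponse.Body` is read without checking that `RawResponse` or its `Body` is non-nil, so a `*azcore.ResponseError` built without a raw response (as a test double or a wrapping layer might do) would panic here rather than return false. Adding `if httpErr.RawResponse == nil || httpErr.RawResponse.Body == nil { return false }` after the status check covers it. The function also consumes the body, so anything that later reads it from the same error sees it empty unless the SDK has buffered it; a short comment stating that assumption would help. The reference link in the `AzureError` comment points at the keys `get-keys` API although this code parses a secrets error.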
 
diff --git a/pkg/keymanagementprovider/azurekeyvault/provider_test.go b/pkg/keymanagementprovider/azurekeyvault/provider_test.go
index 98effa5c4f..9bb444ae68 100644
--- a/pkg/keymanagementprovider/azurekeyvault/provider_test.go
+++ b/pkg/keymanagementprovider/azurekeyvault/provider_test.go
@@ -20,61 +20,24 @@ package azurekeyvault
 import (
 	"context"
 	"crypto"
-	"encoding/base64"
 	"errors"
+	"io"
+	"net/http"
 	"strings"
 	"testing"
 	"time"
 
-	kv "github.com/Azure/azure-sdk-for-go/services/keyvault/v7.1/keyvault"
-	"github.com/Azure/go-autorest/autorest"
-	"github.com/Azure/go-autorest/autorest/azure"
-	"github.com/Azure/go-autorest/autorest/to"
-	"github.com/ratify-project/ratify/internal/version"
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+	"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azcertificates"
+	"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys"
+	"github.com/Azure/azure-sdk-for-go/sdk/keyvault/azsecrets"
 	"github.com/ratify-project/ratify/pkg/keymanagementprovider/azurekeyvault/types"
 	"github.com/ratify-project/ratify/pkg/keymanagementprovider/config"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/mock"
 )
 
-// TestParseAzureEnvironment tests the parseAzureEnvironment function
-func TestParseAzureEnvironment(t *testing.T) {
-	envNamesArray := []string{"AZURECHINACLOUD", "AZUREGERMANCLOUD", "AZUREPUBLICCLOUD", "AZUREUSGOVERNMENTCLOUD", ""}
-	for _, envName := range envNamesArray {
-		azureEnv, err := parseAzureEnvironment(envName)
-		if err != nil {
-			t.Fatalf("expected no error, got %v", err)
-		}
-		if strings.EqualFold(envName, "") && !strings.EqualFold(azureEnv.Name, "AZUREPUBLICCLOUD") {
-			t.Fatalf("string doesn't match, expected AZUREPUBLICCLOUD, got %s", azureEnv.Name)
-		} else if !strings.EqualFold(envName, "") && !strings.EqualFold(envName, azureEnv.Name) {
-			t.Fatalf("string doesn't match, expected %s, got %s", envName, azureEnv.Name)
-		}
-	}
-
-	wrongEnvName := "AZUREWRONGCLOUD"
-	_, err := parseAzureEnvironment(wrongEnvName)
-	if err == nil {
-		t.Fatalf("expected error for wrong azure environment name")
-	}
-}
-
-func SkipTestInitializeKVClient(t *testing.T) {
-	testEnvs := []azure.Environment{
-		azure.PublicCloud,
-		azure.GermanCloud,
-		azure.ChinaCloud,
-		azure.USGovernmentCloud,
-	}
-
-	for i := range testEnvs {
-		kvBaseClient, err := initializeKvClient(context.TODO(), testEnvs[i].KeyVaultEndpoint, "", "", version.UserAgent)
-		assert.NoError(t, err)
-		assert.NotNil(t, kvBaseClient)
-		assert.NotNil(t, kvBaseClient.Authorizer)
-		assert.Contains(t, kvBaseClient.UserAgent, version.UserAgent)
-	}
-}
-
 // TestCreate tests the Create function
 func TestCreate(t *testing.T) {
 	factory := &akvKMProviderFactory{}
@@ -118,15 +81,6 @@ func TestCreate(t *testing.T) {
 			},
 			expectErr: true,
 		},
-		{
-			name: "invalid cloud name",
-			config: config.KeyManagementProviderConfig{
-				"vaultUri":  "https://testkv.vault.azure.net/",
-				"tenantID":  "tid",
-				"cloudName": "AzureCloud",
-			},
-			expectErr: true,
-		},
 		{
 			name: "certificates & keys array not set",
 			config: config.KeyManagementProviderConfig{
@@ -178,8 +132,8 @@ func TestCreate(t *testing.T) {
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			initKVClient = func(_ context.Context, _, _, _, _ string) (*kv.BaseClient, error) {
-				return &kv.BaseClient{}, nil
+			initKVClient = func(_, _, _ string, _ azcore.TokenCredential) (*azkeys.Client, *azsecrets.Client, *azcertificates.Client, error) {
+				return &azkeys.Client{}, &azsecrets.Client{}, &azcertificates.Client{}, nil
 			}
 			_, err := factory.Create("v1", tc.config, "")
 			if tc.expectErr != (err != nil) {
@@ -189,124 +143,205 @@ func TestCreate(t *testing.T) {
 	}
 }
 
-type MockKvClient struct {
-	GetCertificateFunc func(ctx context.Context, certificateName string, certificateVersion string, arg string) (kv.CertificateBundle, error)
-	GetSecretFunc      func(ctx context.Context, secretName string, secretVersion string, arg string) (kv.SecretBundle, error)
-	GetKeyFunc         func(ctx context.Context, keyName string, keyVersion string, arg string) (kv.KeyBundle, error)
+// TestGetCertificates tests the GetCertificates function
+func TestGetCertificates_original(t *testing.T) {
+	factory := &akvKMProviderFactory{}
+	config := config.KeyManagementProviderConfig{
+		"vaultUri": "https://testkv.vault.azure.net/",
+		"tenantID": "tid",
+		"clientID": "clientid",
+		"certificates": []map[string]interface{}{
+			{
+				"name":    "cert1",
+				"version": "",
+			},
+		},
+	}
+
+	provider, err := factory.Create("v1", config, "")
+	if err != nil {
+		t.Fatalf("expected no err but got error = %v", err)
+	}
+
+	certs, certStatus, err := provider.GetCertificates(context.Background())
+	assert.NotNil(t, err)
+	assert.Nil(t, certs)
+	assert.Nil(t, certStatus)
 }
 
-func (m *MockKvClient) GetCertificate(ctx context.Context, certificateName string, certificateVersion string, arg string) (kv.CertificateBundle, error) {
-	if m.GetCertificateFunc != nil {
-		return m.GetCertificateFunc(ctx, certificateName, certificateVersion, arg)
+type MockKeyKVClient struct {
+	GetKeyFunc func(ctx context.Context, keyName string, keyVersion string) (azkeys.GetKeyResponse, error)
+}
+type MockSecretKVClient struct {
+	GetSecretFunc func(ctx context.Context, secretName string, secretVersion string) (azsecrets.GetSecretResponse, error)
+}
+type MockCertificateKVClient struct {
+	GetCertificateFunc func(ctx context.Context, certificateName string, certificateVersion string) (azcertificates.GetCertificateResponse, error)
+}
+
+func (m *MockKeyKVClient) GetKey(ctx context.Context, keyName string, keyVersion string) (azkeys.GetKeyResponse, error) {
+	if m.GetKeyFunc != nil {
+		return m.GetKeyFunc(ctx, keyName, keyVersion)
 	}
-	return kv.CertificateBundle{}, nil
+	return azkeys.GetKeyResponse{}, nil
 }
-func (m *MockKvClient) GetSecret(ctx context.Context, secretName string, secretVersion string, arg string) (kv.SecretBundle, error) {
+func (m *MockSecretKVClient) GetSecret(ctx context.Context, secretName string, secretVersion string) (azsecrets.GetSecretResponse, error) {
 	if m.GetSecretFunc != nil {
-		return m.GetSecretFunc(ctx, secretName, secretVersion, arg)
+		return m.GetSecretFunc(ctx, secretName, secretVersion)
 	}
-	return kv.SecretBundle{}, nil
+	return azsecrets.GetSecretResponse{}, nil
 }
-func (m *MockKvClient) GetKey(ctx context.Context, keyName string, keyVersion string, arg string) (kv.KeyBundle, error) {
-	if m.GetKeyFunc != nil {
-		return m.GetKeyFunc(ctx, keyName, keyVersion, arg)
+func (m *MockCertificateKVClient) GetCertificate(ctx context.Context, certificateName string, certificateVersion string) (azcertificates.GetCertificateResponse, error) {
+	if m.GetCertificateFunc != nil {
+		return m.GetCertificateFunc(ctx, certificateName, certificateVersion)
 	}
-	return kv.KeyBundle{}, nil
+	return azcertificates.GetCertificateResponse{}, nil
+}
+
+// stringPtr returns a pointer to the given string.
+func stringPtr(s string) *string {
+	return &s
+}
+
+// boolPtr returns a pointer to the given bool.
+func boolPtr(b bool) *bool {
+	return &b
 }
 
 // TestGetCertificates tests the GetCertificates function
 func TestGetCertificates(t *testing.T) {
+	certID := azcertificates.ID("https://testkv.vault.azure.net/certificates/cert1")
+	secretID := azsecrets.ID("https://testkv.vault.azure.net/secrets/secret1")
 	testCases := []struct {
-		name         string
-		mockKvClient *MockKvClient
-		expectedErr  bool
+		name                    string
+		mockKeyKVClient         *MockKeyKVClient
+		mockSecretKVClient      *MockSecretKVClient
+		mockCertificateKVClient *MockCertificateKVClient
+		expectedErr             bool
 	}{
 		{
 			name: "GetSecret error",
-			mockKvClient: &MockKvClient{
-				GetSecretFunc: func(_ context.Context, _ string, _ string, _ string) (kv.SecretBundle, error) {
-					return kv.SecretBundle{}, errors.New("error")
+			mockSecretKVClient: &MockSecretKVClient{
+				GetSecretFunc: func(_ context.Context, _ string, _ string) (azsecrets.GetSecretResponse, error) {
+					return azsecrets.GetSecretResponse{}, errors.New("error")
 				},
 			},
 			expectedErr: true,
 		},
 		{
 			name: "Certificate disabled",
-			mockKvClient: &MockKvClient{
-				GetCertificateFunc: func(_ context.Context, _ string, _ string, _ string) (kv.CertificateBundle, error) {
-					return kv.CertificateBundle{
-						ID:  to.StringPtr("https://testkv.vault.azure.net/certificates/cert1"),
-						Kid: to.StringPtr("https://testkv.vault.azure.net/keys/key1"),
-						Attributes: &kv.CertificateAttributes{
-							Enabled: to.BoolPtr(false),
+			mockCertificateKVClient: &MockCertificateKVClient{
+				GetCertificateFunc: func(_ context.Context, _ string, _ string) (azcertificates.GetCertificateResponse, error) {
+					return azcertificates.GetCertificateResponse{
+						CertificateBundle: azcertificates.CertificateBundle{
+							ID:  &certID,
+							KID: stringPtr("https://testkv.vault.azure.net/keys/key1"),
+							Attributes: &azcertificates.CertificateAttributes{
+								Enabled: boolPtr(false),
+							},
 						},
 					}, nil
 				},
-				GetSecretFunc: func(_ context.Context, _ string, _ string, _ string) (kv.SecretBundle, error) {
-					err := autorest.DetailedError{
-						Original: &azure.RequestError{
-							ServiceError: &azure.ServiceError{Code: "SecretDisabled"},
+			},
+			mockSecretKVClient: &MockSecretKVClient{
+				GetSecretFunc: func(_ context.Context, _ string, _ string) (azsecrets.GetSecretResponse, error) {
+					rawResponse := `{
+						"error": {
+							"code": "Forbidden",
+							"message": "Operation get is not allowed on a disabled secret.",
+							"innererror": {
+								"code": "SecretDisabled"
+							}
+						}
+					}`
+
+					httpErr := &azcore.ResponseError{
+						StatusCode: http.StatusForbidden,
+						RawResponse: &http.Response{
+							Body: io.NopCloser(strings.NewReader(rawResponse)),
 						},
 					}
-					return kv.SecretBundle{}, err
+					return azsecrets.GetSecretResponse{}, httpErr
 				},
 			},
 			expectedErr: false,
 		},
 		{
 			name: "Certificate disabled error",
-			mockKvClient: &MockKvClient{
-				GetCertificateFunc: func(_ context.Context, _ string, _ string, _ string) (kv.CertificateBundle, error) {
-					return kv.CertificateBundle{}, errors.New("error")
+			mockCertificateKVClient: &MockCertificateKVClient{
+				GetCertificateFunc: func(_ context.Context, _ string, _ string) (azcertificates.GetCertificateResponse, error) {
+					return azcertificates.GetCertificateResponse{}, errors.New("error")
 				},
-				GetSecretFunc: func(_ context.Context, _ string, _ string, _ string) (kv.SecretBundle, error) {
-					err := autorest.DetailedError{
-						Original: &azure.RequestError{
-							ServiceError: &azure.ServiceError{Code: "SecretDisabled"},
+			},
+			mockSecretKVClient: &MockSecretKVClient{
+				GetSecretFunc: func(_ context.Context, _ string, _ string) (azsecrets.GetSecretResponse, error) {
+					rawResponse := `{
+						"error": {
+							"code": "Forbidden",
+							"message": "Operation get is not allowed on a disabled secret.",
+							"innererror": {
+								"code": "SecretDisabled"
+							}
+						}
+					}`
+
+					httpErr := &azcore.ResponseError{
+						StatusCode: http.StatusForbidden,
+						RawResponse: &http.Response{
+							Body: io.NopCloser(strings.NewReader(rawResponse)),
 						},
 					}
-					return kv.SecretBundle{}, err
+					return azsecrets.GetSecretResponse{}, httpErr
 				},
 			},
 			expectedErr: true,
 		},
 		{
 			name: "Certificate enabled",
-			mockKvClient: &MockKvClient{
-				GetCertificateFunc: func(_ context.Context, _ string, _ string, _ string) (kv.CertificateBundle, error) {
-					return kv.CertificateBundle{
-						ID:  to.StringPtr("https://testkv.vault.azure.net/certificates/cert1"),
-						Kid: to.StringPtr("https://testkv.vault.azure.net/keys/key1"),
-						Attributes: &kv.CertificateAttributes{
-							Enabled: to.BoolPtr(true),
+			mockCertificateKVClient: &MockCertificateKVClient{
+				GetCertificateFunc: func(_ context.Context, _ string, _ string) (azcertificates.GetCertificateResponse, error) {
+					return azcertificates.GetCertificateResponse{
+						CertificateBundle: azcertificates.CertificateBundle{
+							ID:  &certID,
+							KID: stringPtr("https://testkv.vault.azure.net/keys/key1"),
+							Attributes: &azcertificates.CertificateAttributes{
+								Enabled: boolPtr(true),
+							},
 						},
 					}, nil
 				},
-				GetSecretFunc: func(_ context.Context, _ string, _ string, _ string) (kv.SecretBundle, error) {
-					return kv.SecretBundle{
-						ID:          to.StringPtr("https://testkv.vault.azure.net/secrets/secret1"),
-						Kid:         to.StringPtr("https://testkv.vault.azure.net/keys/key1"),
-						ContentType: to.StringPtr("application/x-pem-file"),
-						Attributes: &kv.SecretAttributes{
-							Enabled: to.BoolPtr(true),
+			},
+			mockSecretKVClient: &MockSecretKVClient{
+				GetSecretFunc: func(_ context.Context, _ string, _ string) (azsecrets.GetSecretResponse, error) {
+					return azsecrets.GetSecretResponse{
+						SecretBundle: azsecrets.SecretBundle{
+							ID:          &secretID,
+							Kid:         stringPtr("https://testkv.vault.azure.net/keys/key1"),
+							ContentType: stringPtr("application/x-pem-file"),
+							Attributes: &azsecrets.SecretAttributes{
+								Enabled: boolPtr(true),
+							},
+							Value: stringPtr("-----BEGIN CERTIFICATE-----\nMIIC8TCCAdmgAwIBAgIUaNrwbhs/I1ecqUYdzD2xuAVNdmowDQYJKoZIhvcNAQEL\nBQAwKjEPMA0GA1UECgwGUmF0aWZ5MRcwFQYDVQQDDA5SYXRpZnkgUm9vdCBDQTAe\nFw0yMzA2MjEwMTIyMzdaFw0yNDA2MjAwMTIyMzdaMBkxFzAVBgNVBAMMDnJhdGlm\neS5kZWZhdWx0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtskG1BUt\n4Fw2lbm53KbwZb1hnLmWdwRotZyznhhk/yrUDcq3uF6klwpk/E2IKfUKIo6doHSk\nXaEZXR68UtXygvA4wdg7xZ6kKpXy0gu+RxGE6CGtDHTyDDzITu+NBjo21ZSsyGpQ\nJeIKftUCHdwdygKf0CdJx8A29GBRpHGCmJadmt7tTzOnYjmbuPVLeqJo/Ex9qXcG\nZbxoxnxr5NCocFeKx+EbLo+k/KjdFB2PKnhgzxAaMMMP6eXPr8l5AlzkC83EmPvN\ntveuaBbamdlFkD+53TZeZlxt3GIdq93Iw/UpbQ/pvhbrztMT+UVEkm15sShfX8Xn\nL2st5A4n0V+66QIDAQABoyAwHjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIH\ngDANBgkqhkiG9w0BAQsFAAOCAQEAGpOqozyfDSBjoTepsRroxxcZ4sq65gw45Bme\nm36BS6FG0WHIg3cMy6KIIBefTDSKrPkKNTtuF25AeGn9jM+26cnfDM78ZH0+Lnn7\n7hs0MA64WMPQaWs9/+89aM9NADV9vp2zdG4xMi6B7DruvKWyhJaNoRqK/qP6LdSQ\nw8M+21sAHvXgrRkQtJlVOzVhgwt36NOb1hzRlQiZB+nhv2Wbw7fbtAaADk3JAumf\nvM+YdPS1KfAFaYefm4yFd+9/C0KOkHico3LTbELO5hG0Mo/EYvtjM+Fljb42EweF\n3nAx1GSPe5Tn8p3h6RyJW5HIKozEKyfDuLS0ccB/nqT3oNjcTw==\n-----END CERTIFICATE-----\n-----BEGIN 
CERTIFICATE-----\nMIIDRTCCAi2gAwIBAgIUcC33VfaMhOnsl7avNTRVQozoVtUwDQYJKoZIhvcNAQEL\nBQAwKjEPMA0GA1UECgwGUmF0aWZ5MRcwFQYDVQQDDA5SYXRpZnkgUm9vdCBDQTAe\nFw0yMzA2MjEwMTIyMzZaFw0yMzA2MjIwMTIyMzZaMCoxDzANBgNVBAoMBlJhdGlm\neTEXMBUGA1UEAwwOUmF0aWZ5IFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB\nDwAwggEKAoIBAQDDFhDnyPrVDZaeRu6Tbg1a/iTwus+IuX+h8aKhKS1yHz4EF/Lz\nxCy7lNSQ9srGMMVumWuNom/ydIphff6PejZM1jFKPU6OQR/0JX5epcVIjbKa562T\nDguUxJ+h5V3EIyM4RqOWQ2g/xZo86x5TzyNJXiVdHHRvmDvUNwPpMeDjr/EHVAni\n5YQObxkJRiiZ7XOa5zz3YztVm8sSZAwPWroY1HIfvtP+KHpiNDIKSymmuJkH4SEr\nJn++iqN8na18a9DFBPTTrLPe3CxATGrMfosCMZ6LP3iFLLc/FaSpwcnugWdewsUK\nYs+sUY7jFWR7x7/1nyFWyRrQviM4f4TY+K7NAgMBAAGjYzBhMB0GA1UdDgQWBBQH\nYePW7QPP2p1utr3r6gqzEkKs+DAfBgNVHSMEGDAWgBQHYePW7QPP2p1utr3r6gqz\nEkKs+DAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwICBDANBgkqhkiG9w0B\nAQsFAAOCAQEAjKp4vx3bFaKVhAbQeTsDjWJgmXLK2vLgt74MiUwSF6t0wehlfszE\nIcJagGJsvs5wKFf91bnwiqwPjmpse/thPNBAxh1uEoh81tOklv0BN790vsVpq3t+\ncnUvWPiCZdRlAiGGFtRmKk3Keq4sM6UdiUki9s+wnxypHVb4wIpVxu5R271Lnp5I\n+rb2EQ48iblt4XZPczf/5QJdTgbItjBNbuO8WVPOqUIhCiFuAQziLtNUq3p81dHO\nQ2BPgmaitCpIUYHVYighLauBGCH8xOFzj4a4KbOxKdxyJTd0La/vRCKaUtJX67Lc\nfQYVR9HXQZ0YlmwPcmIG5v7wBfcW34NUvA==\n-----END CERTIFICATE-----\n"),
 						},
-						Value: to.StringPtr("-----BEGIN CERTIFICATE-----\nMIIC8TCCAdmgAwIBAgIUaNrwbhs/I1ecqUYdzD2xuAVNdmowDQYJKoZIhvcNAQEL\nBQAwKjEPMA0GA1UECgwGUmF0aWZ5MRcwFQYDVQQDDA5SYXRpZnkgUm9vdCBDQTAe\nFw0yMzA2MjEwMTIyMzdaFw0yNDA2MjAwMTIyMzdaMBkxFzAVBgNVBAMMDnJhdGlm\neS5kZWZhdWx0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtskG1BUt\n4Fw2lbm53KbwZb1hnLmWdwRotZyznhhk/yrUDcq3uF6klwpk/E2IKfUKIo6doHSk\nXaEZXR68UtXygvA4wdg7xZ6kKpXy0gu+RxGE6CGtDHTyDDzITu+NBjo21ZSsyGpQ\nJeIKftUCHdwdygKf0CdJx8A29GBRpHGCmJadmt7tTzOnYjmbuPVLeqJo/Ex9qXcG\nZbxoxnxr5NCocFeKx+EbLo+k/KjdFB2PKnhgzxAaMMMP6eXPr8l5AlzkC83EmPvN\ntveuaBbamdlFkD+53TZeZlxt3GIdq93Iw/UpbQ/pvhbrztMT+UVEkm15sShfX8Xn\nL2st5A4n0V+66QIDAQABoyAwHjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIH\ngDANBgkqhkiG9w0BAQsFAAOCAQEAGpOqozyfDSBjoTepsRroxxcZ4sq65gw45Bme\nm36BS6FG0WHIg3cMy6KIIBefTDSKrPkKNTtuF25AeGn9jM+26cnfDM78ZH0+Lnn7\n7hs0MA64WMPQaWs9/+89aM9NADV9vp2zdG4xMi6B7DruvKWyhJaNoRqK/qP6LdSQ\nw8M+21sAHvXgrRkQtJlVOzVhgwt36NOb1hzRlQiZB+nhv2Wbw7fbtAaADk3JAumf\nvM+YdPS1KfAFaYefm4yFd+9/C0KOkHico3LTbELO5hG0Mo/EYvtjM+Fljb42EweF\n3nAx1GSPe5Tn8p3h6RyJW5HIKozEKyfDuLS0ccB/nqT3oNjcTw==\n-----END CERTIFICATE-----\n-----BEGIN 
CERTIFICATE-----\nMIIDRTCCAi2gAwIBAgIUcC33VfaMhOnsl7avNTRVQozoVtUwDQYJKoZIhvcNAQEL\nBQAwKjEPMA0GA1UECgwGUmF0aWZ5MRcwFQYDVQQDDA5SYXRpZnkgUm9vdCBDQTAe\nFw0yMzA2MjEwMTIyMzZaFw0yMzA2MjIwMTIyMzZaMCoxDzANBgNVBAoMBlJhdGlm\neTEXMBUGA1UEAwwOUmF0aWZ5IFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB\nDwAwggEKAoIBAQDDFhDnyPrVDZaeRu6Tbg1a/iTwus+IuX+h8aKhKS1yHz4EF/Lz\nxCy7lNSQ9srGMMVumWuNom/ydIphff6PejZM1jFKPU6OQR/0JX5epcVIjbKa562T\nDguUxJ+h5V3EIyM4RqOWQ2g/xZo86x5TzyNJXiVdHHRvmDvUNwPpMeDjr/EHVAni\n5YQObxkJRiiZ7XOa5zz3YztVm8sSZAwPWroY1HIfvtP+KHpiNDIKSymmuJkH4SEr\nJn++iqN8na18a9DFBPTTrLPe3CxATGrMfosCMZ6LP3iFLLc/FaSpwcnugWdewsUK\nYs+sUY7jFWR7x7/1nyFWyRrQviM4f4TY+K7NAgMBAAGjYzBhMB0GA1UdDgQWBBQH\nYePW7QPP2p1utr3r6gqzEkKs+DAfBgNVHSMEGDAWgBQHYePW7QPP2p1utr3r6gqz\nEkKs+DAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwICBDANBgkqhkiG9w0B\nAQsFAAOCAQEAjKp4vx3bFaKVhAbQeTsDjWJgmXLK2vLgt74MiUwSF6t0wehlfszE\nIcJagGJsvs5wKFf91bnwiqwPjmpse/thPNBAxh1uEoh81tOklv0BN790vsVpq3t+\ncnUvWPiCZdRlAiGGFtRmKk3Keq4sM6UdiUki9s+wnxypHVb4wIpVxu5R271Lnp5I\n+rb2EQ48iblt4XZPczf/5QJdTgbItjBNbuO8WVPOqUIhCiFuAQziLtNUq3p81dHO\nQ2BPgmaitCpIUYHVYighLauBGCH8xOFzj4a4KbOxKdxyJTd0La/vRCKaUtJX67Lc\nfQYVR9HXQZ0YlmwPcmIG5v7wBfcW34NUvA==\n-----END CERTIFICATE-----\n"),
 					}, nil
 				},
 			},
+			expectedErr: false,
 		},
 		{
 			name: "getCertsFromSecretBundle error",
-			mockKvClient: &MockKvClient{
-				GetSecretFunc: func(_ context.Context, _ string, _ string, _ string) (kv.SecretBundle, error) {
-					return kv.SecretBundle{
-						ContentType: to.StringPtr("test"),
-						ID:          to.StringPtr("https://testkv.vault.azure.net/secrets/secret1"),
-						Kid:         to.StringPtr("https://testkv.vault.azure.net/keys/key1"),
-						Attributes: &kv.SecretAttributes{
-							Enabled: to.BoolPtr(true),
+			mockSecretKVClient: &MockSecretKVClient{
+				GetSecretFunc: func(_ context.Context, _ string, _ string) (azsecrets.GetSecretResponse, error) {
+					return azsecrets.GetSecretResponse{
+						SecretBundle: azsecrets.SecretBundle{
+							ContentType: stringPtr("test"),
+							ID:          &secretID,
+							Kid:         stringPtr("https://testkv.vault.azure.net/keys/key1"),
+							Attributes: &azsecrets.SecretAttributes{
+								Enabled: boolPtr(true),
+							},
+							Value: stringPtr("-----BEGIN CERTIFICATE-----\nMIIC8TCCAdmgAwIBAgIUaNrwbhs/I1ecqUYdzD2xuAVNdmowDQYJKoZIhvcNAQEL\nBQAwKjEPMA0GA1UECgwGUmF0aWZ5MRcwFQYDVQQDDA5SYXRpZnkgUm9vdCBDQTAe\nFw0yMzA2MjEwMTIyMzdaFw0yNDA2MjAwMTIyMzdaMBkxFzAVBgNVBAMMDnJhdGlm\neS5kZWZhdWx0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtskG1BUt\n4Fw2lbm53KbwZb1hnLmWdwRotZyznhhk/yrUDcq3uF6klwpk/E2IKfUKIo6doHSk\nXaEZXR68UtXygvA4wdg7xZ6kKpXy0gu+RxGE6CGtDHTyDDzITu+NBjo21ZSsyGpQ\nJeIKftUCHdwdygKf0CdJx8A29GBRpHGCmJadmt7tTzOnYjmbuPVLeqJo/Ex9qXcG\nZbxoxnxr5NCocFeKx+EbLo+k/KjdFB2PKnhgzxAaMMMP6eXPr8l5AlzkC83EmPvN\ntveuaBbamdlFkD+53TZeZlxt3GIdq93Iw/UpbQ/pvhbrztMT+UVEkm15sShfX8Xn\nL2st5A4n0V+66QIDAQABoyAwHjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIH\ngDANBgkqhkiG9w0BAQsFAAOCAQEAGpOqozyfDSBjoTepsRroxxcZ4sq65gw45Bme\nm36BS6FG0WHIg3cMy6KIIBefTDSKrPkKNTtuF25AeGn9jM+26cnfDM78ZH0+Lnn7\n7hs0MA64WMPQaWs9/+89aM9NADV9vp2zdG4xMi6B7DruvKWyhJaNoRqK/qP6LdSQ\nw8M+21sAHvXgrRkQtJlVOzVhgwt36NOb1hzRlQiZB+nhv2Wbw7fbtAaADk3JAumf\nvM+YdPS1KfAFaYefm4yFd+9/C0KOkHico3LTbELO5hG0Mo/EYvtjM+Fljb42EweF\n3nAx1GSPe5Tn8p3h6RyJW5HIKozEKyfDuLS0ccB/nqT3oNjcTw==\n-----END CERTIFICATE-----\n-----BEGIN 
CERTIFICATE-----\nMIIDRTCCAi2gAwIBAgIUcC33VfaMhOnsl7avNTRVQozoVtUwDQYJKoZIhvcNAQEL\nBQAwKjEPMA0GA1UECgwGUmF0aWZ5MRcwFQYDVQQDDA5SYXRpZnkgUm9vdCBDQTAe\nFw0yMzA2MjEwMTIyMzZaFw0yMzA2MjIwMTIyMzZaMCoxDzANBgNVBAoMBlJhdGlm\neTEXMBUGA1UEAwwOUmF0aWZ5IFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB\nDwAwggEKAoIBAQDDFhDnyPrVDZaeRu6Tbg1a/iTwus+IuX+h8aKhKS1yHz4EF/Lz\nxCy7lNSQ9srGMMVumWuNom/ydIphff6PejZM1jFKPU6OQR/0JX5epcVIjbKa562T\nDguUxJ+h5V3EIyM4RqOWQ2g/xZo86x5TzyNJXiVdHHRvmDvUNwPpMeDjr/EHVAni\n5YQObxkJRiiZ7XOa5zz3YztVm8sSZAwPWroY1HIfvtP+KHpiNDIKSymmuJkH4SEr\nJn++iqN8na18a9DFBPTTrLPe3CxATGrMfosCMZ6LP3iFLLc/FaSpwcnugWdewsUK\nYs+sUY7jFWR7x7/1nyFWyRrQviM4f4TY+K7NAgMBAAGjYzBhMB0GA1UdDgQWBBQH\nYePW7QPP2p1utr3r6gqzEkKs+DAfBgNVHSMEGDAWgBQHYePW7QPP2p1utr3r6gqz\nEkKs+DAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwICBDANBgkqhkiG9w0B\nAQsFAAOCAQEAjKp4vx3bFaKVhAbQeTsDjWJgmXLK2vLgt74MiUwSF6t0wehlfszE\nIcJagGJsvs5wKFf91bnwiqwPjmpse/thPNBAxh1uEoh81tOklv0BN790vsVpq3t+\ncnUvWPiCZdRlAiGGFtRmKk3Keq4sM6UdiUki9s+wnxypHVb4wIpVxu5R271Lnp5I\n+rb2EQ48iblt4XZPczf/5QJdTgbItjBNbuO8WVPOqUIhCiFuAQziLtNUq3p81dHO\nQ2BPgmaitCpIUYHVYighLauBGCH8xOFzj4a4KbOxKdxyJTd0La/vRCKaUtJX67Lc\nfQYVR9HXQZ0YlmwPcmIG5v7wBfcW34NUvA==\n-----END CERTIFICATE-----\n"),
 						},
-						Value: to.StringPtr("-----BEGIN CERTIFICATE-----\nMIIC8TCCAdmgAwIBAgIUaNrwbhs/I1ecqUYdzD2xuAVNdmowDQYJKoZIhvcNAQEL\nBQAwKjEPMA0GA1UECgwGUmF0aWZ5MRcwFQYDVQQDDA5SYXRpZnkgUm9vdCBDQTAe\nFw0yMzA2MjEwMTIyMzdaFw0yNDA2MjAwMTIyMzdaMBkxFzAVBgNVBAMMDnJhdGlm\neS5kZWZhdWx0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtskG1BUt\n4Fw2lbm53KbwZb1hnLmWdwRotZyznhhk/yrUDcq3uF6klwpk/E2IKfUKIo6doHSk\nXaEZXR68UtXygvA4wdg7xZ6kKpXy0gu+RxGE6CGtDHTyDDzITu+NBjo21ZSsyGpQ\nJeIKftUCHdwdygKf0CdJx8A29GBRpHGCmJadmt7tTzOnYjmbuPVLeqJo/Ex9qXcG\nZbxoxnxr5NCocFeKx+EbLo+k/KjdFB2PKnhgzxAaMMMP6eXPr8l5AlzkC83EmPvN\ntveuaBbamdlFkD+53TZeZlxt3GIdq93Iw/UpbQ/pvhbrztMT+UVEkm15sShfX8Xn\nL2st5A4n0V+66QIDAQABoyAwHjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIH\ngDANBgkqhkiG9w0BAQsFAAOCAQEAGpOqozyfDSBjoTepsRroxxcZ4sq65gw45Bme\nm36BS6FG0WHIg3cMy6KIIBefTDSKrPkKNTtuF25AeGn9jM+26cnfDM78ZH0+Lnn7\n7hs0MA64WMPQaWs9/+89aM9NADV9vp2zdG4xMi6B7DruvKWyhJaNoRqK/qP6LdSQ\nw8M+21sAHvXgrRkQtJlVOzVhgwt36NOb1hzRlQiZB+nhv2Wbw7fbtAaADk3JAumf\nvM+YdPS1KfAFaYefm4yFd+9/C0KOkHico3LTbELO5hG0Mo/EYvtjM+Fljb42EweF\n3nAx1GSPe5Tn8p3h6RyJW5HIKozEKyfDuLS0ccB/nqT3oNjcTw==\n-----END CERTIFICATE-----\n-----BEGIN 
CERTIFICATE-----\nMIIDRTCCAi2gAwIBAgIUcC33VfaMhOnsl7avNTRVQozoVtUwDQYJKoZIhvcNAQEL\nBQAwKjEPMA0GA1UECgwGUmF0aWZ5MRcwFQYDVQQDDA5SYXRpZnkgUm9vdCBDQTAe\nFw0yMzA2MjEwMTIyMzZaFw0yMzA2MjIwMTIyMzZaMCoxDzANBgNVBAoMBlJhdGlm\neTEXMBUGA1UEAwwOUmF0aWZ5IFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB\nDwAwggEKAoIBAQDDFhDnyPrVDZaeRu6Tbg1a/iTwus+IuX+h8aKhKS1yHz4EF/Lz\nxCy7lNSQ9srGMMVumWuNom/ydIphff6PejZM1jFKPU6OQR/0JX5epcVIjbKa562T\nDguUxJ+h5V3EIyM4RqOWQ2g/xZo86x5TzyNJXiVdHHRvmDvUNwPpMeDjr/EHVAni\n5YQObxkJRiiZ7XOa5zz3YztVm8sSZAwPWroY1HIfvtP+KHpiNDIKSymmuJkH4SEr\nJn++iqN8na18a9DFBPTTrLPe3CxATGrMfosCMZ6LP3iFLLc/FaSpwcnugWdewsUK\nYs+sUY7jFWR7x7/1nyFWyRrQviM4f4TY+K7NAgMBAAGjYzBhMB0GA1UdDgQWBBQH\nYePW7QPP2p1utr3r6gqzEkKs+DAfBgNVHSMEGDAWgBQHYePW7QPP2p1utr3r6gqz\nEkKs+DAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwICBDANBgkqhkiG9w0B\nAQsFAAOCAQEAjKp4vx3bFaKVhAbQeTsDjWJgmXLK2vLgt74MiUwSF6t0wehlfszE\nIcJagGJsvs5wKFf91bnwiqwPjmpse/thPNBAxh1uEoh81tOklv0BN790vsVpq3t+\ncnUvWPiCZdRlAiGGFtRmKk3Keq4sM6UdiUki9s+wnxypHVb4wIpVxu5R271Lnp5I\n+rb2EQ48iblt4XZPczf/5QJdTgbItjBNbuO8WVPOqUIhCiFuAQziLtNUq3p81dHO\nQ2BPgmaitCpIUYHVYighLauBGCH8xOFzj4a4KbOxKdxyJTd0La/vRCKaUtJX67Lc\nfQYVR9HXQZ0YlmwPcmIG5v7wBfcW34NUvA==\n-----END CERTIFICATE-----\n"),
 					}, nil
 				},
 			},
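Review bot: The doc comment on `TestGetCertificates_original` still reads `// TestGetCertificates tests the GetCertificates function`, the same text as the comment on TestGetCertificates below it, so neither says how the two differ; TestGetKeys_original in a later hunk has the same problem. Something like `// TestGetCertificates_original verifies that GetCertificates returns an error and nil results for a provider built by factory.Create` would describe what the assertions check. Separately, the two-certificate PEM chain and the `SecretDisabled` JSON body are each pasted twice on the new side; hoisting them into named constants would keep the table readable and stop the fixtures drifting apart. TestGetCertificates continues past the end of this hunk.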
@@ -323,7 +358,9 @@ func TestGetCertificates(t *testing.T) {
 						Version: "c1f03df1113d460491d970737dfdc35d",
 					},
 				},
-				kvClient: tc.mockKvClient,
+				keyKVClient:         tc.mockKeyKVClient,
+				secretKVClient:      tc.mockSecretKVClient,
+				certificateKVClient: tc.mockCertificateKVClient,
 			}
 
 			_, _, err := provider.GetCertificates(context.Background())
@@ -336,30 +373,34 @@ func TestGetCertificates(t *testing.T) {
 
 // TestGetKeys tests the GetKeys function
 func TestGetKeys(t *testing.T) {
+	keyID := azkeys.ID("https://testkv.vault.azure.net/keys/key1")
+	keyTY := azkeys.JSONWebKeyTypeRSA
 	testCases := []struct {
-		name         string
-		mockKvClient *MockKvClient
-		expectedErr  bool
+		name            string
+		mockKeyKVClient *MockKeyKVClient
+		expectedErr     bool
 	}{
 		{
 			name: "GetKey error",
-			mockKvClient: &MockKvClient{
-				GetKeyFunc: func(_ context.Context, _ string, _ string, _ string) (kv.KeyBundle, error) {
-					return kv.KeyBundle{}, errors.New("error")
+			mockKeyKVClient: &MockKeyKVClient{
+				GetKeyFunc: func(_ context.Context, _ string, _ string) (azkeys.GetKeyResponse, error) {
+					return azkeys.GetKeyResponse{}, errors.New("error")
 				},
 			},
 			expectedErr: true,
 		},
 		{
 			name: "Key disabled",
-			mockKvClient: &MockKvClient{
-				GetKeyFunc: func(_ context.Context, _ string, _ string, _ string) (kv.KeyBundle, error) {
-					return kv.KeyBundle{
-						Key: &kv.JSONWebKey{
-							Kid: to.StringPtr("https://testkv.vault.azure.net/keys/key1"),
-						},
-						Attributes: &kv.KeyAttributes{
-							Enabled: to.BoolPtr(false),
+			mockKeyKVClient: &MockKeyKVClient{
+				GetKeyFunc: func(_ context.Context, _ string, _ string) (azkeys.GetKeyResponse, error) {
+					return azkeys.GetKeyResponse{
+						KeyBundle: azkeys.KeyBundle{
+							Key: &azkeys.JSONWebKey{
+								KID: &keyID,
+							},
+							Attributes: &azkeys.KeyAttributes{
+								Enabled: boolPtr(false),
+							},
 						},
 					}, nil
 				},
@@ -368,14 +409,16 @@ func TestGetKeys(t *testing.T) {
 		},
 		{
 			name: "getKeyFromKeyBundle error",
-			mockKvClient: &MockKvClient{
-				GetKeyFunc: func(_ context.Context, _ string, _ string, _ string) (kv.KeyBundle, error) {
-					return kv.KeyBundle{
-						Key: &kv.JSONWebKey{
-							Kid: to.StringPtr("https://testkv.vault.azure.net/keys/key1"),
-						},
-						Attributes: &kv.KeyAttributes{
-							Enabled: to.BoolPtr(true),
+			mockKeyKVClient: &MockKeyKVClient{
+				GetKeyFunc: func(_ context.Context, _ string, _ string) (azkeys.GetKeyResponse, error) {
+					return azkeys.GetKeyResponse{
+						KeyBundle: azkeys.KeyBundle{
+							Key: &azkeys.JSONWebKey{
+								KID: &keyID,
+							},
+							Attributes: &azkeys.KeyAttributes{
+								Enabled: boolPtr(true),
+							},
 						},
 					}, nil
 				},
@@ -384,17 +427,19 @@ func TestGetKeys(t *testing.T) {
 		},
 		{
 			name: "Key enabled",
-			mockKvClient: &MockKvClient{
-				GetKeyFunc: func(_ context.Context, _ string, _ string, _ string) (kv.KeyBundle, error) {
-					return kv.KeyBundle{
-						Key: &kv.JSONWebKey{
-							Kid: to.StringPtr("https://testkv.vault.azure.net/keys/key1"),
-							Kty: kv.RSA,
-							N:   to.StringPtr(base64.StdEncoding.EncodeToString([]byte("n"))),
-							E:   to.StringPtr(base64.StdEncoding.EncodeToString([]byte("e"))),
-						},
-						Attributes: &kv.KeyAttributes{
-							Enabled: to.BoolPtr(true),
+			mockKeyKVClient: &MockKeyKVClient{
+				GetKeyFunc: func(_ context.Context, _ string, _ string) (azkeys.GetKeyResponse, error) {
+					return azkeys.GetKeyResponse{
+						KeyBundle: azkeys.KeyBundle{
+							Key: &azkeys.JSONWebKey{
+								KID: &keyID,
+								Kty: &keyTY,
+								N:   []byte("n"),
+								E:   []byte("e"),
+							},
+							Attributes: &azkeys.KeyAttributes{
+								Enabled: boolPtr(true),
+							},
 						},
 					}, nil
 				},
@@ -412,7 +457,7 @@ func TestGetKeys(t *testing.T) {
 						Version: "c1f03df1113d460491d970737dfdc35d",
 					},
 				},
-				kvClient: tc.mockKvClient,
+				keyKVClient: tc.mockKeyKVClient,
 			}
 
 			_, _, err := provider.GetKeys(context.Background())
@@ -423,6 +468,34 @@ func TestGetKeys(t *testing.T) {
 	}
 }
 
+// TestGetKeys tests the GetKeys function
+func TestGetKeys_original(t *testing.T) {
+	factory := &akvKMProviderFactory{}
+	config := config.KeyManagementProviderConfig{
+		"vaultUri": "https://testkv.vault.azure.net/",
+		"tenantID": "tid",
+		"clientID": "clientid",
+		"keys": []map[string]interface{}{
+			{
+				"name": "key1",
+			},
+		},
+	}
+
+	initKVClient = func(_, _, _ string, _ azcore.TokenCredential) (*azkeys.Client, *azsecrets.Client, *azcertificates.Client, error) {
+		return &azkeys.Client{}, &azsecrets.Client{}, &azcertificates.Client{}, nil
+	}
+	provider, err := factory.Create("v1", config, "")
+	if err != nil {
+		t.Fatalf("expected no err but got error = %v", err)
+	}
+
+	keys, keyStatus, err := provider.GetKeys(context.Background())
+	assert.NotNil(t, err)
+	assert.Nil(t, keys)
+	assert.Nil(t, keyStatus)
+}
+
 func TestIsRefreshable(t *testing.T) {
 	factory := &akvKMProviderFactory{}
 	config := config.KeyManagementProviderConfig{
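Review bot: `assert.NotNil(t, err)` in TestGetKeys_original accepts any failure, so the test cannot tell the intended error from an unrelated one. The provider here is built on zero-value `azkeys.Client`, `azsecrets.Client` and `azcertificates.Client` structs, and how those fail when called is not visible in this hunk. `assert.Error(t, err)` is the idiomatic testify form, and pairing it with a check on the expected error, for example `assert.ErrorContains(t, err, "<expected message>")`, would pin the path the test is meant to cover.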
@@ -486,7 +559,7 @@ func TestGetCertsFromSecretBundle(t *testing.T) {
 		desc        string
 		value       string
 		contentType string
-		id          string
+		id          azsecrets.ID
 		expectedErr bool
 	}{
 		{
@@ -528,7 +601,7 @@ func TestGetCertsFromSecretBundle(t *testing.T) {
 
 	for i, tc := range cases {
 		t.Run(tc.desc, func(t *testing.T) {
-			testdata := kv.SecretBundle{
+			testdata := azsecrets.SecretBundle{
 				Value:       &cases[i].value,
 				ID:          &cases[i].id,
 				ContentType: &cases[i].contentType,
@@ -547,24 +620,37 @@ func TestGetCertsFromSecretBundle(t *testing.T) {
 }
 
 func TestGetKeyFromKeyBundle(t *testing.T) {
+	unsupportedType := azkeys.JSONWebKeyType("abc")
 	cases := []struct {
 		desc        string
-		keyBundle   kv.KeyBundle
+		keyBundle   azkeys.KeyBundle
 		expectedErr bool
 		output      crypto.PublicKey
 	}{
 		{
 			desc: "no key in key bundle",
-			keyBundle: kv.KeyBundle{
+			keyBundle: azkeys.KeyBundle{
 				Key: nil,
 			},
 			expectedErr: true,
 			output:      nil,
 		},
 		{
-			desc: "invalid key in key bundle",
-			keyBundle: kv.KeyBundle{
-				Key: &kv.JSONWebKey{},
+			desc: "invalid key in key bundle with nil Kty",
+			keyBundle: azkeys.KeyBundle{
+				Key: &azkeys.JSONWebKey{
+					Kty: nil,
+				},
+			},
+			expectedErr: true,
+			output:      nil,
+		},
+		{
+			desc: "key with unsupported Kty value",
+			keyBundle: azkeys.KeyBundle{
+				Key: &azkeys.JSONWebKey{
+					Kty: &unsupportedType, // Unsupported key type
+				},
 			},
 			expectedErr: true,
 			output:      nil,
@@ -693,14 +779,60 @@ func TestValidate(t *testing.T) {
 	}
 }
 
+// Mock clients
+type MockAzKeysClient struct {
+	mock.Mock
+}
+
+type MockAzSecretsClient struct {
+	mock.Mock
+}
+
+type MockAzCertificatesClient struct {
+	mock.Mock
+}
+
+type MockWorkloadIdentityCredential struct {
+	mock.Mock
+}
+
+// Mock functions
+func (m *MockWorkloadIdentityCredential) NewWorkloadIdentityCredential(options *azidentity.WorkloadIdentityCredentialOptions) (*MockWorkloadIdentityCredential, error) {
+	args := m.Called(options)
+	return args.Get(0).(*MockWorkloadIdentityCredential), args.Error(1)
+}
+
+func (m *MockAzKeysClient) NewClient(endpoint string, credential *azidentity.WorkloadIdentityCredential, options *azkeys.ClientOptions) (*azkeys.Client, error) {
+	args := m.Called(endpoint, credential, options)
+	return args.Get(0).(*azkeys.Client), args.Error(1)
+}
+
+func (m *MockAzSecretsClient) NewClient(endpoint string, credential *azidentity.WorkloadIdentityCredential, options *azsecrets.ClientOptions) (*azsecrets.Client, error) {
+	args := m.Called(endpoint, credential, options)
+	return args.Get(0).(*azsecrets.Client), args.Error(1)
+}
+
+func (m *MockAzCertificatesClient) NewClient(endpoint string, credential *azidentity.WorkloadIdentityCredential, options *azcertificates.ClientOptions) (*azcertificates.Client, error) {
+	args := m.Called(endpoint, credential, options)
+	return args.Get(0).(*azcertificates.Client), args.Error(1)
+}
+
 func TestInitializeKvClient(t *testing.T) {
+	mockCredential := new(MockWorkloadIdentityCredential)
+	mockKeysClient := new(MockAzKeysClient)
+	mockSecretsClient := new(MockAzSecretsClient)
+	mockCertificatesClient := new(MockAzCertificatesClient)
+
 	tests := []struct {
-		name        string
-		kvEndpoint  string
-		userAgent   string
-		tenantID    string
-		clientID    string
-		expectedErr bool
+		name              string
+		kvEndpoint        string
+		userAgent         string
+		tenantID          string
+		clientID          string
+		mockCredentialErr error
+		mockKeysErr       error
+		mockSecretsErr    error
+		expectedErr       bool
 	}{
 		{
 			name:        "Empty user agent",
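Review bot: The `NewClient` methods on MockAzKeysClient, MockAzSecretsClient and MockAzCertificatesClient type-assert `args.Get(0)` to the real SDK client types, while the `.On(...).Return(...)` calls visible further down hand back the mock objects themselves (`Return(mockKeysClient, tt.mockKeysErr)`), so the assertion would panic if one of these methods were ever invoked. From the lines shown, nothing passes the mocks into `initializeKvClient` (it is called with the endpoint, tenant ID, client ID and `nil`), so the new `mockCredentialErr`, `mockKeysErr` and `mockSecretsErr` fields likely do not drive the error paths their case names describe. The four mocks are also created once before the loop, so expectations registered for one case remain registered for the later ones. Either inject the constructors through a hook the function actually calls, or drop the unused mocks and fields; the rest of TestInitializeKvClient lies outside this hunk.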
@@ -711,19 +843,214 @@ func TestInitializeKvClient(t *testing.T) {
 		{
 			name:        "Auth failure",
 			kvEndpoint:  "https://test.vault.azure.net",
-			userAgent:   version.UserAgent,
 			tenantID:    "testTenantID",
 			clientID:    "testClientID",
 			expectedErr: true,
 		},
+		{
+			name:              "credential creation error",
+			kvEndpoint:        "https://test-keyvault.vault.azure.net",
+			tenantID:          "test-tenant-id",
+			clientID:          "test-client-id",
+			mockCredentialErr: errors.New("failed to create workload identity credential"),
+			expectedErr:       true,
+		},
+		{
+			name:        "azkeys client creation error",
+			kvEndpoint:  "https://test-keyvault.vault.azure.net",
+			tenantID:    "test-tenant-id",
+			clientID:    "test-client-id",
+			mockKeysErr: errors.New("failed to create azkeys client"),
+			expectedErr: true,
+		},
+		{
+			name:           "azsecrets client creation error",
+			kvEndpoint:     "https://test-keyvault.vault.azure.net",
+			tenantID:       "test-tenant-id",
+			clientID:       "test-client-id",
+			mockSecretsErr: errors.New("failed to create azsecrets client"),
+			expectedErr:    true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Set up mocks
+			mockCredential.On("NewWorkloadIdentityCredential", mock.Anything).Return(mockCredential, tt.mockCredentialErr)
+			mockKeysClient.On("NewClient", tt.kvEndpoint, mockCredential, mock.Anything).Return(mockKeysClient, tt.mockKeysErr)
+			mockSecretsClient.On("NewClient", tt.kvEndpoint, mockCredential, mock.Anything).Return(mockSecretsClient, tt.mockSecretsErr)
+			mockCertificatesClient.On("NewClient", tt.kvEndpoint, mockCredential, mock.Anything).Return(mockCertificatesClient, tt.mockSecretsErr)
+
+			// Call function under test
+			keysKVClient, secretsKVClient, certificatesKVClient, err := initializeKvClient(tt.kvEndpoint, tt.tenantID, tt.clientID, nil)
+
+			// Validate expectations
+			if tt.expectedErr {
+				assert.Error(t, err)
+				assert.Nil(t, keysKVClient)
+				assert.Nil(t, secretsKVClient)
+				assert.Nil(t, certificatesKVClient)
+			} else {
+				assert.NoError(t, err)
+				assert.NotNil(t, keysKVClient)
+				assert.NotNil(t, secretsKVClient)
+				assert.Nil(t, certificatesKVClient)
+			}
+		})
+	}
+}
+
+// Test cases for keyType switch case handling
+func TestGetKeyFromKeyBundlex(t *testing.T) {
+	tests := []struct {
+		name     string
+		keyType  azkeys.JSONWebKeyType
+		expected azkeys.JSONWebKeyType
+		curve    azkeys.JSONWebKeyCurveName
+		x        []byte
+		y        []byte
+		n        []byte
+		e        []byte
+	}{
+		{
+			name:     "Test ECHSM to EC",
+			keyType:  azkeys.JSONWebKeyTypeECHSM,
+			expected: azkeys.JSONWebKeyTypeEC,
+			curve:    azkeys.JSONWebKeyCurveNameP256,                                                                                                                                                                         // Example curve name
+			x:        []byte{0x6b, 0x17, 0xd1, 0xf2, 0xe1, 0x2c, 0x42, 0x47, 0xf8, 0xbc, 0xe6, 0xe5, 0x63, 0xa4, 0x40, 0xf2, 0x77, 0x03, 0x7d, 0x81, 0x2d, 0xeb, 0x33, 0xa0, 0xf4, 0xa1, 0x39, 0x45, 0xd8, 0x98, 0xc2, 0x96}, // Valid x-coordinate for P-256
+			y:        []byte{0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, 0xeb, 0x4a, 0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce, 0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5}, // Valid y-coordinate for P-256
+		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			_, err := initializeKvClient(context.Background(), tt.kvEndpoint, tt.tenantID, tt.clientID, tt.userAgent)
-			if tt.expectedErr != (err != nil) {
-				t.Fatalf("expected error: %v, got: %v", tt.expectedErr, err)
+			webKey := &azkeys.JSONWebKey{
+				Kty: &tt.keyType,
+			}
+			if tt.keyType == azkeys.JSONWebKeyTypeECHSM {
+				webKey.Crv = &tt.curve
+				webKey.X = tt.x
+				webKey.Y = tt.y
+			}
+			keyBundle := azkeys.KeyBundle{
+				Key: webKey,
 			}
+
+			_, err := getKeyFromKeyBundle(keyBundle)
+			assert.NoError(t, err)
+			assert.Equal(t, tt.expected, *webKey.Kty)
+		})
+	}
+}
+
+const tenantID = "tenant-id"
+const clientID = "client-id"
+
+func TestInitializeKvClient_Success(t *testing.T) {
+	// Mock the context and input parameters
+	keyVaultEndpoint := "https://myvault.vault.azure.net/"
+
+	// Create a mock credential provider
+	mockCredential, err := azidentity.NewClientSecretCredential(tenantID, clientID, "fake-secret", nil)
+	if err != nil {
+		t.Fatalf("Failed to create mock credential: %v", err)
+	}
+
+	// Run the function with the mock credential
+	keysKVClient, secretsKVClient, certificatesKVClient, err := initializeKvClient(keyVaultEndpoint, tenantID, clientID, mockCredential)
+
+	// Assert the function succeeds without errors and clients are created
+	assert.NotNil(t, keysKVClient)
+	assert.NotNil(t, secretsKVClient)
+	assert.NotNil(t, certificatesKVClient)
+	assert.NoError(t, err)
+}
+
+func TestInitializeKvClient_FailureInAzKeysClient(t *testing.T) {
+	// Mock the context and input parameters
+	keyVaultEndpoint := "https://invalid-vault.vault.azure.net/"
+
+	// Run the function
+	keysKVClient, secretsKVClient, certificatesKVClient, err := initializeKvClient(keyVaultEndpoint, tenantID, clientID, nil)
+
+	// Assert that an error occurred and clients were not created
+	assert.Nil(t, keysKVClient)
+	assert.Nil(t, secretsKVClient)
+	assert.Nil(t, certificatesKVClient)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "failed to create workload identity credential")
+}
+
+func TestInitializeKvClient_FailureInAzSecretsClient(t *testing.T) {
+	// Mock the context and input parameters
+	keyVaultEndpoint := "https://valid-vault.vault.azure.net/"
+
+	// Modify the azsecrets.NewClient function to simulate failure
+	// Run the function
+	keysKVClient, secretsKVClient, certificatesKVClient, err := initializeKvClient(keyVaultEndpoint, tenantID, clientID, nil)
+
+	// Assert that an error occurred and clients were not created
+	assert.Nil(t, keysKVClient)
+	assert.Nil(t, secretsKVClient)
+	assert.Nil(t, certificatesKVClient)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "failed to create workload identity credential")
+}
+
+func TestInitializeKvClient_FailureInAzCertificatesClient(t *testing.T) {
+	// Mock the context and input parameters
+	keyVaultEndpoint := "https://valid-vault.vault.azure.net/"
+
+	// Modify the azsecrets.NewClient function to simulate failure
+	// Run the function
+	keysKVClient, secretsKVClient, certificatesKVClient, err := initializeKvClient(keyVaultEndpoint, tenantID, clientID, nil)
+
+	// Assert that an error occurred and clients were not created
+	assert.Nil(t, keysKVClient)
+	assert.Nil(t, secretsKVClient)
+	assert.Nil(t, certificatesKVClient)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "failed to create workload identity credential")
+}
+func TestIsSecretDisabledError(t *testing.T) {
+	rawResponse := `{
+		"error": {
+			"code": "Forbidden",
+			"message": "Operation get is not allowed on a disabled secret.",
+			"innererror": {
+				"code": "SecretDisabled"
+			}
+		}
+	}`
+
+	httpErr := &azcore.ResponseError{
+		StatusCode: http.StatusForbidden,
+		RawResponse: &http.Response{
+			Body: io.NopCloser(strings.NewReader(rawResponse)),
+		},
+	}
+
+	testCases := []struct {
+		name        string
+		err         error
+		expectedRes bool
+	}{
+		{
+			name:        "SecretDisabledError",
+			err:         httpErr,
+			expectedRes: true,
+		},
+		{
+			name:        "NonSecretDisabledError",
+			err:         errors.New("some other error"),
+			expectedRes: false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			res := isSecretDisabledError(tc.err)
+			assert.Equal(t, tc.expectedRes, res)
 		})
 	}
 }
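Review bot: `TestInitializeKvClient_FailureInAzKeysClient`, `..._FailureInAzSecretsClient` and `..._FailureInAzCertificatesClient` share one body and all assert `"failed to create workload identity credential"`, so none of them reaches the client-creation failure its name claims. The mocks configured in the `TestInitializeKvClient` loop are never handed to `initializeKvClient(tt.kvEndpoint, tt.tenantID, tt.clientID, nil)`, and `mockCertificatesClient` is wired to `tt.mockSecretsErr`. As far as this hunk shows, every table case therefore passes on the nil-credential path alone. I would collapse the three duplicates into one test named for what it checks, with a comment such as `// nil credential: fails before any Key Vault client is constructed`, and drop the unused mock wiring unless the constructors can actually be injected. The success branch of the table also asserts `assert.Nil(t, certificatesKVClient)`, whereas `TestInitializeKvClient_Success` expects `assert.NotNil(t, certificatesKVClient)`.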
diff --git a/pkg/keymanagementprovider/azurekeyvault/types/types.go b/pkg/keymanagementprovider/azurekeyvault/types/types.go
index cae860773a..e51650daba 100644
--- a/pkg/keymanagementprovider/azurekeyvault/types/types.go
+++ b/pkg/keymanagementprovider/azurekeyvault/types/types.go
@@ -26,7 +26,7 @@ const (
 	// Certificate version string for the certificate status property
 	StatusVersion = "Version"
 	// Enabled string for the certificate status property
-	StatusEnabled = "True"
+	StatusEnabled = "Enabled"
 	// Last refreshed string for the certificate status property
 	StatusLastRefreshed = "LastRefreshed"
 )
diff --git a/pkg/keymanagementprovider/keymanagementprovider_test.go b/pkg/keymanagementprovider/keymanagementprovider_test.go
index 57a2828ee8..c4ac13866c 100644
--- a/pkg/keymanagementprovider/keymanagementprovider_test.go
+++ b/pkg/keymanagementprovider/keymanagementprovider_test.go
@@ -85,7 +85,7 @@ func TestDecodeCertificates_ByteArrayToCertificates(t *testing.T) {
 
 	r, err := DecodeCertificates(c1)
 	if err != nil {
-		t.Fatalf(err.Error())
+		t.Fatal(err.Error())
 	}
 
 	expectedLen := 1
diff --git a/pkg/keymanagementprovider/refresh/kubeRefresh.go b/pkg/keymanagementprovider/refresh/kubeRefresh.go
index 895cb7d8dd..cd296e0e2d 100644
--- a/pkg/keymanagementprovider/refresh/kubeRefresh.go
+++ b/pkg/keymanagementprovider/refresh/kubeRefresh.go
@@ -24,6 +24,7 @@ import (
 
 	re "github.com/ratify-project/ratify/errors"
 	kmp "github.com/ratify-project/ratify/pkg/keymanagementprovider"
+	nv "github.com/ratify-project/ratify/pkg/verifier/notation"
 	"github.com/sirupsen/logrus"
 	ctrl "sigs.k8s.io/controller-runtime"
 )
@@ -35,6 +36,7 @@ type KubeRefresher struct {
 	Resource                string
 	Result                  ctrl.Result
 	Status                  kmp.KeyManagementProviderStatus
+	CRLHandler              nv.RevocationFactory
 }
 
 // Register registers the kubeRefresher factory
@@ -54,6 +56,15 @@ func (kr *KubeRefresher) Refresh(ctx context.Context) error {
 		return kmpErr
 	}
 
+	// fetch CRLs and cache them
+	crlFetcher, err := kr.CRLHandler.NewFetcher()
+	if err != nil {
+		// log error and continue
+		logger.Warnf("Unable to create CRL fetcher for key management provider %s of type %s with error: %v", kr.Resource, kr.ProviderType, err)
+	}
+	for _, cert := range certificates {
+		nv.CacheCRL(ctx, cert, crlFetcher)
+	}
 	// fetch keys and store in map
 	keys, keyAttributes, err := kr.Provider.GetKeys(ctx)
 	if err != nil {
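Review bot: When `kr.CRLHandler.NewFetcher()` fails, the loop still calls `nv.CacheCRL(ctx, cert, crlFetcher)` once per certificate entry with a nil fetcher, and CacheCRL in revocationfactory.go only logs "CRL fetcher is nil" each time. Moving the loop into an `else` branch of the error check would avoid the repeated warnings. `kr.CRLHandler` is also called without a nil check, so a `KubeRefresher` built as a struct literal without that field would panic here; a guard such as `if kr.CRLHandler != nil {` around the block, or a field comment stating it is required, would make the contract explicit. CacheCRL waits for all downloads, so CRL fetch latency is added to every refresh before keys are read. Refresh's body continues outside the hunk.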
@@ -109,5 +120,6 @@ func (kr *KubeRefresher) Create(config RefresherConfig) (Refresher, error) {
 		ProviderType:            config.ProviderType,
 		ProviderRefreshInterval: config.ProviderRefreshInterval,
 		Resource:                config.Resource,
+		CRLHandler:              nv.NewCRLHandler(),
 	}, nil
 }
diff --git a/pkg/keymanagementprovider/refresh/kubeRefresh_test.go b/pkg/keymanagementprovider/refresh/kubeRefresh_test.go
index 9875098b82..0e930f931d 100644
--- a/pkg/keymanagementprovider/refresh/kubeRefresh_test.go
+++ b/pkg/keymanagementprovider/refresh/kubeRefresh_test.go
@@ -21,14 +21,19 @@ import (
 	"crypto"
 	"crypto/x509"
 	"errors"
+	"net/http"
 	"reflect"
 	"testing"
 	"time"
 
+	"github.com/notaryproject/notation-core-go/revocation"
+	corecrl "github.com/notaryproject/notation-core-go/revocation/crl"
+	re "github.com/ratify-project/ratify/errors"
 	"github.com/ratify-project/ratify/pkg/keymanagementprovider"
 	"github.com/ratify-project/ratify/pkg/keymanagementprovider/config"
 	_ "github.com/ratify-project/ratify/pkg/keymanagementprovider/inline"
 	mock "github.com/ratify-project/ratify/pkg/keymanagementprovider/mocks"
+	nv "github.com/ratify-project/ratify/pkg/verifier/notation"
 	ctrl "sigs.k8s.io/controller-runtime"
 )
 
@@ -41,6 +46,7 @@ func TestKubeRefresher_Refresh(t *testing.T) {
 		GetCertsFunc            func(_ context.Context) (map[keymanagementprovider.KMPMapKey][]*x509.Certificate, keymanagementprovider.KeyManagementProviderStatus, error)
 		GetKeysFunc             func(_ context.Context) (map[keymanagementprovider.KMPMapKey]crypto.PublicKey, keymanagementprovider.KeyManagementProviderStatus, error)
 		IsRefreshableFunc       func() bool
+		NewCRLHandler           nv.RevocationFactory
 		expectedResult          ctrl.Result
 		expectedError           bool
 	}{
@@ -49,6 +55,7 @@ func TestKubeRefresher_Refresh(t *testing.T) {
 			providerRawParameters: []byte(`{"contentType": "certificate", "value": "-----BEGIN CERTIFICATE-----\nMIID2jCCAsKgAwIBAgIQXy2VqtlhSkiZKAGhsnkjbDANBgkqhkiG9w0BAQsFADBvMRswGQYDVQQD\nExJyYXRpZnkuZXhhbXBsZS5jb20xDzANBgNVBAsTBk15IE9yZzETMBEGA1UEChMKTXkgQ29tcGFu\neTEQMA4GA1UEBxMHUmVkbW9uZDELMAkGA1UECBMCV0ExCzAJBgNVBAYTAlVTMB4XDTIzMDIwMTIy\nNDUwMFoXDTI0MDIwMTIyNTUwMFowbzEbMBkGA1UEAxMScmF0aWZ5LmV4YW1wbGUuY29tMQ8wDQYD\nVQQLEwZNeSBPcmcxEzARBgNVBAoTCk15IENvbXBhbnkxEDAOBgNVBAcTB1JlZG1vbmQxCzAJBgNV\nBAgTAldBMQswCQYDVQQGEwJVUzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL10bM81\npPAyuraORABsOGS8M76Bi7Guwa3JlM1g2D8CuzSfSTaaT6apy9GsccxUvXd5cmiP1ffna5z+EFmc\nizFQh2aq9kWKWXDvKFXzpQuhyqD1HeVlRlF+V0AfZPvGt3VwUUjNycoUU44ctCWmcUQP/KShZev3\n6SOsJ9q7KLjxxQLsUc4mg55eZUThu8mGB8jugtjsnLUYvIWfHhyjVpGrGVrdkDMoMn+u33scOmrt\nsBljvq9WVo4T/VrTDuiOYlAJFMUae2Ptvo0go8XTN3OjLblKeiK4C+jMn9Dk33oGIT9pmX0vrDJV\nX56w/2SejC1AxCPchHaMuhlwMpftBGkCAwEAAaNyMHAwDgYDVR0PAQH/BAQDAgeAMAkGA1UdEwQC\nMAAwEwYDVR0lBAwwCgYIKwYBBQUHAwMwHwYDVR0jBBgwFoAU0eaKkZj+MS9jCp9Dg1zdv3v/aKww\nHQYDVR0OBBYEFNHmipGY/jEvYwqfQ4Nc3b97/2isMA0GCSqGSIb3DQEBCwUAA4IBAQBNDcmSBizF\nmpJlD8EgNcUCy5tz7W3+AAhEbA3vsHP4D/UyV3UgcESx+L+Nye5uDYtTVm3lQejs3erN2BjW+ds+\nXFnpU/pVimd0aYv6mJfOieRILBF4XFomjhrJOLI55oVwLN/AgX6kuC3CJY2NMyJKlTao9oZgpHhs\nLlxB/r0n9JnUoN0Gq93oc1+OLFjPI7gNuPXYOP1N46oKgEmAEmNkP1etFrEjFRgsdIFHksrmlOlD\nIed9RcQ087VLjmuymLgqMTFX34Q3j7XgN2ENwBSnkHotE9CcuGRW+NuiOeJalL8DBmFXXWwHTKLQ\nPp5g6m1yZXylLJaFLKz7tdMmO355\n-----END CERTIFICATE-----\n"}`),
 			providerType:          "inline",
 			IsRefreshableFunc:     func() bool { return false },
+			NewCRLHandler:         nv.NewCRLHandler(),
 			expectedResult:        ctrl.Result{},
 			expectedError:         false,
 		},
@@ -57,6 +64,7 @@ func TestKubeRefresher_Refresh(t *testing.T) {
 			providerRawParameters:   []byte(`{"vaultURI": "https://yourkeyvault.vault.azure.net/", "certificates": [{"name": "cert1", "version": "1"}], "tenantID": "yourtenantID", "clientID": "yourclientID"}`),
 			providerType:            "test-kmp",
 			providerRefreshInterval: "",
+			NewCRLHandler:           nv.NewCRLHandler(),
 			IsRefreshableFunc:       func() bool { return true },
 			expectedResult:          ctrl.Result{},
 			expectedError:           false,
@@ -66,6 +74,7 @@ func TestKubeRefresher_Refresh(t *testing.T) {
 			providerRawParameters:   []byte(`{"vaultURI": "https://yourkeyvault.vault.azure.net/", "certificates": [{"name": "cert1", "version": "1"}], "tenantID": "yourtenantID", "clientID": "yourclientID"}`),
 			providerType:            "test-kmp",
 			providerRefreshInterval: "1m",
+			NewCRLHandler:           nv.NewCRLHandler(),
 			IsRefreshableFunc:       func() bool { return true },
 			expectedResult:          ctrl.Result{RequeueAfter: time.Minute},
 			expectedError:           false,
@@ -75,6 +84,7 @@ func TestKubeRefresher_Refresh(t *testing.T) {
 			providerRawParameters:   []byte(`{"vaultURI": "https://yourkeyvault.vault.azure.net/", "certificates": [{"name": "cert1", "version": "1"}], "tenantID": "yourtenantID", "clientID": "yourclientID"}`),
 			providerType:            "test-kmp",
 			providerRefreshInterval: "1mm",
+			NewCRLHandler:           nv.NewCRLHandler(),
 			IsRefreshableFunc:       func() bool { return true },
 			expectedResult:          ctrl.Result{},
 			expectedError:           true,
@@ -88,6 +98,7 @@ func TestKubeRefresher_Refresh(t *testing.T) {
 			providerRawParameters: []byte(`{"vaultURI": "https://yourkeyvault.vault.azure.net/", "certificates": [{"name": "cert1", "version": "1"}], "tenantID": "yourtenantID", "clientID": "yourclientID"}`),
 			providerType:          "test-kmp-error",
 			IsRefreshableFunc:     func() bool { return true },
+			NewCRLHandler:         nv.NewCRLHandler(),
 			expectedError:         true,
 		},
 		{
@@ -99,14 +110,29 @@ func TestKubeRefresher_Refresh(t *testing.T) {
 			providerRawParameters: []byte(`{"vaultURI": "https://yourkeyvault.vault.azure.net/", "certificates": [{"name": "cert1", "version": "1"}], "tenantID": "yourtenantID", "clientID": "yourclientID"}`),
 			providerType:          "test-kmp-error",
 			IsRefreshableFunc:     func() bool { return true },
+			NewCRLHandler:         nv.NewCRLHandler(),
 			expectedError:         true,
 		},
+		{
+			name: "Error Caching with CRL Fetcher (non-blocking)",
+			GetCertsFunc: func(_ context.Context) (map[keymanagementprovider.KMPMapKey][]*x509.Certificate, keymanagementprovider.KeyManagementProviderStatus, error) {
+				return map[keymanagementprovider.KMPMapKey][]*x509.Certificate{
+					{Name: "sample"}: {&x509.Certificate{}},
+				}, keymanagementprovider.KeyManagementProviderStatus{}, nil
+			},
+			providerRawParameters:   []byte(`{"vaultURI": "https://yourkeyvault.vault.azure.net/", "certificates": [{"name": "cert1", "version": "1"}], "tenantID": "yourtenantID", "clientID": "yourclientID"}`),
+			providerType:            "test-kmp",
+			providerRefreshInterval: "1m",
+			IsRefreshableFunc:       func() bool { return true },
+			NewCRLHandler:           &MockCRLHandler{CacheEnabled: true, httpClient: &http.Client{}},
+			expectedResult:          ctrl.Result{RequeueAfter: time.Minute},
+			expectedError:           false,
+		},
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			var factory mock.TestKeyManagementProviderFactory
-
 			if tt.GetCertsFunc != nil {
 				factory = mock.TestKeyManagementProviderFactory{
 					GetCertsFunc:      tt.GetCertsFunc,
@@ -130,6 +156,7 @@ func TestKubeRefresher_Refresh(t *testing.T) {
 				ProviderType:            tt.providerType,
 				ProviderRefreshInterval: tt.providerRefreshInterval,
 				Resource:                "kmpname",
+				CRLHandler:              tt.NewCRLHandler,
 			}
 
 			err := kr.Refresh(context.Background())
@@ -144,9 +171,24 @@ func TestKubeRefresher_Refresh(t *testing.T) {
 	}
 }
 
+type MockCRLHandler struct {
+	CacheEnabled bool
+	Fetcher      corecrl.Fetcher
+	httpClient   *http.Client
+}
+
+func (h *MockCRLHandler) NewFetcher() (corecrl.Fetcher, error) {
+	return nil, re.ErrorCodeConfigInvalid.WithDetail("failed to create CRL fetcher")
+}
+
+func (h *MockCRLHandler) NewValidator(_ revocation.Options) (revocation.Validator, error) {
+	return nil, nil
+}
+
 func TestKubeRefresher_GetResult(t *testing.T) {
 	kr := &KubeRefresher{
-		Result: ctrl.Result{RequeueAfter: time.Minute},
+		Result:     ctrl.Result{RequeueAfter: time.Minute},
+		CRLHandler: nv.NewCRLHandler(),
 	}
 
 	result := kr.GetResult()
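Review bot: `MockCRLHandler` declares `CacheEnabled`, `Fetcher` and `httpClient`, but neither `NewFetcher` nor `NewValidator` reads them, so the `&MockCRLHandler{CacheEnabled: true, httpClient: &http.Client{}}` in the new table case suggests configuration that has no effect. I would reduce it to `type MockCRLHandler struct{}`, construct it as `&MockCRLHandler{}`, and add a doc comment like `// MockCRLHandler is a RevocationFactory whose NewFetcher always fails.` The new case's certificate is an empty `&x509.Certificate{}` with no CRL distribution points, so it covers only the fetcher-creation failure and not a failed download.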
@@ -162,6 +204,7 @@ func TestKubeRefresher_GetStatus(t *testing.T) {
 			"attribute1": "value1",
 			"attribute2": "value2",
 		},
+		CRLHandler: nv.NewCRLHandler(),
 	}
 
 	status := kr.GetStatus()
@@ -210,7 +253,7 @@ func TestKubeRefresher_Create(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			kr := &KubeRefresher{}
+			kr := &KubeRefresher{CRLHandler: nv.NewCRLHandler()}
 			refresher, err := kr.Create(tt.config)
 			if err != nil {
 				t.Fatalf("Expected no error, but got %v", err)
diff --git a/pkg/manager/manager.go b/pkg/manager/manager.go
index f284ceaeae..6726f39cd9 100644
--- a/pkg/manager/manager.go
+++ b/pkg/manager/manager.go
@@ -105,7 +105,7 @@ func StartServer(httpServerAddress, configFilePath, certDirectory, caCertFile st
 		logrus.Errorf("initialize server failed with error %v, exiting..", err)
 		os.Exit(1)
 	}
-	logrus.Infof("starting server at" + httpServerAddress)
+	logrus.Infof("starting server at %s", httpServerAddress)
 	if err := server.Run(certRotatorReady); err != nil {
 		logrus.Errorf("starting server failed with error %v, exiting..", err)
 		os.Exit(1)
diff --git a/pkg/verifier/notation/notation.go b/pkg/verifier/notation/notation.go
index 52fdcbda63..de54857f42 100644
--- a/pkg/verifier/notation/notation.go
+++ b/pkg/verifier/notation/notation.go
@@ -95,7 +95,8 @@ func init() {
 }
 
 func (f *notationPluginVerifierFactory) Create(_ string, verifierConfig config.VerifierConfig, pluginDirectory string, namespace string) (verifier.ReferenceVerifier, error) {
-	logger.GetLogger(context.Background(), logOpt).Debugf("creating Notation verifier with config %v, namespace '%v'", verifierConfig, namespace)
+	ctx := context.Background()
+	logger.GetLogger(ctx, logOpt).Debugf("creating Notation verifier with config %v, namespace '%v'", verifierConfig, namespace)
 	verifierName := fmt.Sprintf("%s", verifierConfig[types.Name])
 	verifierTypeStr := ""
 	if _, ok := verifierConfig[types.Type]; ok {
@@ -105,7 +106,7 @@ func (f *notationPluginVerifierFactory) Create(_ string, verifierConfig config.V
 	if err != nil {
 		return nil, re.ErrorCodePluginInitFailure.WithDetail("Failed to create the Notation Verifier").WithError(err)
 	}
-	verifyService, err := getVerifierService(conf, pluginDirectory, NewRevocationFactoryImpl())
+	verifyService, err := getVerifierService(ctx, conf, pluginDirectory, NewCRLHandler())
 	if err != nil {
 		return nil, re.ErrorCodePluginInitFailure.WithDetail("Failed to create the Notation Verifier").WithError(err)
 	}
@@ -177,7 +178,7 @@ func (v *notationPluginVerifier) Verify(ctx context.Context,
 	return verifier.NewVerifierResult("", v.name, v.verifierType, "Notation signature verification success", true, nil, extensions), nil
 }
 
-func getVerifierService(conf *NotationPluginVerifierConfig, pluginDirectory string, revocationFactory RevocationFactory) (notation.Verifier, error) {
+func getVerifierService(ctx context.Context, conf *NotationPluginVerifierConfig, pluginDirectory string, revocationFactory RevocationFactory) (notation.Verifier, error) {
 	store, err := newTrustStore(conf.VerificationCerts, conf.VerificationCertStores)
 	if err != nil {
 		return nil, err
@@ -190,7 +191,7 @@ func getVerifierService(conf *NotationPluginVerifierConfig, pluginDirectory stri
 	// Related File: https://github.com/notaryproject/notation/commits/main/cmd/notation/verify.go5
 	crlFetcher, err := revocationFactory.NewFetcher()
 	if err != nil {
-		return nil, err
+		logger.GetLogger(ctx, logOpt).Warnf("Unable to create CRL fetcher for notation verifier %s with error: %s", conf.Name, err)
 	}
 	revocationCodeSigningValidator, err := revocationFactory.NewValidator(revocation.Options{
 		CRLFetcher:       crlFetcher,
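Review bot: A failed `revocationFactory.NewFetcher()` is now only logged, and the nil `crlFetcher` is then passed into `revocation.Options{CRLFetcher: crlFetcher, ...}`, so verifier creation no longer fails when CRL fetching is unavailable. Whether `NewValidator` rejects a nil fetcher or builds a validator that skips CRL checks is decided in notation-core-go and is not visible here. If it is the latter, revocation checking degrades with nothing but a warning. I would record that decision in a comment above the call, e.g. `// Best-effort: on failure a nil CRLFetcher is passed on; confirm how the validator treats it`, and have the warning say that CRL-based revocation may not be enforced for this verifier. getVerifierService's body continues outside the hunk.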
diff --git a/pkg/verifier/notation/notation_test.go b/pkg/verifier/notation/notation_test.go
index bf2fa4abb0..c0ae0d2260 100644
--- a/pkg/verifier/notation/notation_test.go
+++ b/pkg/verifier/notation/notation_test.go
@@ -625,7 +625,7 @@ func TestGetVerifierService(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			_, err := getVerifierService(tt.conf, tt.pluginDir, tt.RevocationFactory)
+			_, err := getVerifierService(context.Background(), tt.conf, tt.pluginDir, tt.RevocationFactory)
 			if (err != nil) != tt.expectErr {
 				t.Errorf("error = %v, expectErr = %v", err, tt.expectErr)
 			}
diff --git a/pkg/verifier/notation/notationrevocationfactory.go b/pkg/verifier/notation/notationrevocationfactory.go
index 47cc35606c..b8687f5eab 100644
--- a/pkg/verifier/notation/notationrevocationfactory.go
+++ b/pkg/verifier/notation/notationrevocationfactory.go
@@ -15,49 +15,63 @@ package notation
 
 import (
 	"net/http"
+	"sync"
 
 	"github.com/notaryproject/notation-core-go/revocation"
 	corecrl "github.com/notaryproject/notation-core-go/revocation/crl"
 	"github.com/notaryproject/notation-go/dir"
-	"github.com/notaryproject/notation-go/verifier/crl"
+	re "github.com/ratify-project/ratify/errors"
 )
 
-type RevocationFactoryImpl struct {
-	cacheRoot  string
-	httpClient *http.Client
+type CRLHandler struct {
+	CacheEnabled bool
+	Fetcher      corecrl.Fetcher
+	httpClient   *http.Client
 }
 
-// NewRevocationFactoryImpl returns a new NewRevocationFactoryImpl instance
-func NewRevocationFactoryImpl() RevocationFactory {
-	return &RevocationFactoryImpl{
-		cacheRoot:  dir.PathCRLCache,
-		httpClient: &http.Client{},
-	}
+var fetcherOnce sync.Once
+
+// NewCRLHandler returns a new NewCRLHandler instance. Enable cache by default.
+func NewCRLHandler() RevocationFactory {
+	return &CRLHandler{CacheEnabled: true, httpClient: &http.Client{}}
 }
 
-// NewFetcher returns a new fetcher instance
-func (f *RevocationFactoryImpl) NewFetcher() (corecrl.Fetcher, error) {
-	crlFetcher, err := corecrl.NewHTTPFetcher(f.httpClient)
+// NewFetcher creates a new instance of a Fetcher if it doesn't already exist.
+// If a Fetcher instance is already present, it returns the existing instance.
+// The method also configures the cache for the Fetcher.
+// Returns an instance of corecrl.Fetcher or an error if the Fetcher creation fails.
+func (h *CRLHandler) NewFetcher() (corecrl.Fetcher, error) {
+	var err error
+	fetcherOnce.Do(func() {
+		h.Fetcher, err = CreateCRLFetcher(h.httpClient, dir.PathCRLCache)
+		if err == nil {
+			h.configureCache()
+		}
+	})
 	if err != nil {
 		return nil, err
 	}
-	crlFetcher.Cache, err = newFileCache(f.cacheRoot)
-	if err != nil {
-		return nil, err
+	// Check if the fetcher is nil, return an error if it is.
+	// one possible edge case is that an error happened in the first call,
+	// the following calls will not get the error since the sync.Once block will be skipped.
+	if h.Fetcher == nil {
+		return nil, re.ErrorCodeConfigInvalid.WithDetail("failed to create CRL fetcher")
 	}
-	return crlFetcher, nil
+	return h.Fetcher, nil
 }
 
 // NewValidator returns a new validator instance
-func (f *RevocationFactoryImpl) NewValidator(opts revocation.Options) (revocation.Validator, error) {
+func (h *CRLHandler) NewValidator(opts revocation.Options) (revocation.Validator, error) {
 	return revocation.NewWithOptions(opts)
 }
 
-// newFileCache returns a new file cache instance
-func newFileCache(root string) (*crl.FileCache, error) {
-	cacheRoot, err := dir.CacheFS().SysPath(root)
-	if err != nil {
-		return nil, err
+// configureCache disables the cache for the HTTPFetcher if caching is not enabled.
+// If the EnableCache field is set to false, this method sets the Cache field of the
+// HTTPFetcher to nil, effectively disabling caching for HTTP fetch operations.
+func (h *CRLHandler) configureCache() {
+	if !h.CacheEnabled {
+		if httpFetcher, ok := h.Fetcher.(*corecrl.HTTPFetcher); ok {
+			httpFetcher.Cache = nil
+		}
 	}
-	return crl.NewFileCache(cacheRoot)
 }
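Review bot: `fetcherOnce` is a package-level `sync.Once`, but `NewFetcher` stores its result in the per-instance field `h.Fetcher`, so only the first `CRLHandler` to call `NewFetcher` ever gets a fetcher. `NewCRLHandler()` returns a fresh handler each time, so every later instance skips the `Do` block, finds `h.Fetcher == nil` and returns "failed to create CRL fetcher". Because the callers in notation.go and kubeRefresh.go now only warn on that error, this looks like it would leave most handlers without CRL fetching. Keeping the once and the creation error on the handler fixes this and also covers the case described in the in-code comment. The "invalid fetcher" case in `TestNewFetcher` appears to depend on test order for the same reason. The `configureCache` comment refers to an `EnableCache` field, while the struct field is `CacheEnabled`.

```go
type CRLHandler struct {
	CacheEnabled bool
	Fetcher      corecrl.Fetcher
	httpClient   *http.Client

	fetcherOnce sync.Once // guards creation of Fetcher for this handler only
	fetcherErr  error     // outcome of the one-time creation, returned on every call
}

func (h *CRLHandler) NewFetcher() (corecrl.Fetcher, error) {
	h.fetcherOnce.Do(func() {
		h.Fetcher, h.fetcherErr = CreateCRLFetcher(h.httpClient, dir.PathCRLCache)
		if h.fetcherErr == nil {
			h.configureCache()
		}
	})
	if h.fetcherErr != nil {
		return nil, h.fetcherErr
	}
	return h.Fetcher, nil
}
// … unchanged: NewValidator, configureCache …
```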
diff --git a/pkg/verifier/notation/notationrevocationfactory_test.go b/pkg/verifier/notation/notationrevocationfactory_test.go
index b5355f83c6..d30e619b31 100644
--- a/pkg/verifier/notation/notationrevocationfactory_test.go
+++ b/pkg/verifier/notation/notationrevocationfactory_test.go
@@ -14,16 +14,20 @@
 package notation
 
 import (
+	"context"
 	"net/http"
 	"runtime"
 	"testing"
 
 	"github.com/notaryproject/notation-core-go/revocation"
+	corecrl "github.com/notaryproject/notation-core-go/revocation/crl"
+	"github.com/notaryproject/notation-go/dir"
+	"github.com/notaryproject/notation-go/verifier/crl"
 	"github.com/stretchr/testify/assert"
 )
 
 func TestNewRevocationFactoryImpl(t *testing.T) {
-	factory := NewRevocationFactoryImpl()
+	factory := NewCRLHandler()
 	assert.NotNil(t, factory)
 }
 
@@ -41,8 +45,8 @@ func TestNewFetcher(t *testing.T) {
 			wantErr:    false,
 		},
 		{
-			name:       "invalid fetcher with nil httpClient",
-			cacheRoot:  "/valid/path",
+			name:       "invalid fetcher",
+			cacheRoot:  "",
 			httpClient: nil,
 			wantErr:    true,
 		},
@@ -50,11 +54,7 @@ func TestNewFetcher(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			factory := &RevocationFactoryImpl{
-				cacheRoot:  tt.cacheRoot,
-				httpClient: tt.httpClient,
-			}
-
+			factory := &CRLHandler{httpClient: tt.httpClient}
 			fetcher, err := factory.NewFetcher()
 			if tt.wantErr {
 				assert.Error(t, err)
@@ -65,7 +65,7 @@ func TestNewFetcher(t *testing.T) {
 }
 
 func TestNewValidator(t *testing.T) {
-	factory := &RevocationFactoryImpl{}
+	factory := NewCRLHandler()
 	opts := revocation.Options{}
 
 	validator, err := factory.NewValidator(opts)
@@ -101,3 +101,55 @@ func TestNewFileCache(t *testing.T) {
 		})
 	}
 }
+func TestConfigureCache(t *testing.T) {
+	testCache, _ := crl.NewFileCache(dir.PathCRLCache)
+	tests := []struct {
+		name         string
+		cacheEnabled bool
+		fetcher      corecrl.Fetcher
+		expectCache  bool
+	}{
+		{
+			name:         "cache enabled",
+			cacheEnabled: true,
+			fetcher:      &corecrl.HTTPFetcher{Cache: testCache},
+			expectCache:  true,
+		},
+		{
+			name:         "cache disabled",
+			cacheEnabled: false,
+			fetcher:      &corecrl.HTTPFetcher{Cache: testCache},
+			expectCache:  false,
+		},
+		{
+			name:         "non-HTTP fetcher",
+			cacheEnabled: false,
+			fetcher:      &mockFetcher{},
+			expectCache:  false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			handler := &CRLHandler{
+				CacheEnabled: tt.cacheEnabled,
+				Fetcher:      tt.fetcher,
+			}
+			handler.configureCache()
+
+			if httpFetcher, ok := handler.Fetcher.(*corecrl.HTTPFetcher); ok {
+				if tt.expectCache {
+					assert.NotNil(t, httpFetcher.Cache)
+				} else {
+					assert.Nil(t, httpFetcher.Cache)
+				}
+			}
+		})
+	}
+}
+
+type mockFetcher struct{}
+
+func (m *mockFetcher) Fetch(_ context.Context, _ string) (*corecrl.Bundle, error) {
+	return nil, nil
+}
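Review bot: The "non-HTTP fetcher" case in `TestConfigureCache` asserts nothing, because the `if httpFetcher, ok := handler.Fetcher.(*corecrl.HTTPFetcher); ok` guard is false for `*mockFetcher` and the subtest passes whatever `configureCache` does. An `else` branch with `assert.Same(t, tt.fetcher, handler.Fetcher)` would pin that a non-HTTP fetcher is left untouched. `testCache, _ := crl.NewFileCache(dir.PathCRLCache)` also discards the error; checking it with `if err != nil { t.Fatalf("creating test cache: %v", err) }` keeps a cache-setup problem from surfacing as a misleading assertion failure in the "cache enabled" case.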
diff --git a/pkg/verifier/notation/revocationfactory.go b/pkg/verifier/notation/revocationfactory.go
index 7860ec2a77..d0c576fe00 100644
--- a/pkg/verifier/notation/revocationfactory.go
+++ b/pkg/verifier/notation/revocationfactory.go
@@ -14,10 +14,21 @@
 package notation
 
 import (
+	"context"
+	"crypto/x509"
+	"net/http"
+	"sync"
+
 	"github.com/notaryproject/notation-core-go/revocation"
 	corecrl "github.com/notaryproject/notation-core-go/revocation/crl"
+	"github.com/notaryproject/notation-go/dir"
+	"github.com/notaryproject/notation-go/verifier/crl"
+	"github.com/ratify-project/ratify/internal/logger"
 )
 
+// RevocationFactory is an interface that defines methods for creating instances
+// related to revocation. It provides methods to create a new fetcher and a new
+// validator.
 type RevocationFactory interface {
 	// NewFetcher returns a new fetcher instance
 	NewFetcher() (corecrl.Fetcher, error)
@@ -25,3 +36,62 @@ type RevocationFactory interface {
 	// NewValidator returns a new validator instance
 	NewValidator(revocation.Options) (revocation.Validator, error)
 }
+
+// CreateCRLFetcher returns a new fetcher instance
+func CreateCRLFetcher(httpClient *http.Client, cacheRoot string) (corecrl.Fetcher, error) {
+	crlFetcher, err := corecrl.NewHTTPFetcher(httpClient)
+	if err != nil {
+		return nil, err
+	}
+	crlFetcher.Cache, err = newFileCache(cacheRoot)
+	if err != nil {
+		return nil, err
+	}
+	return crlFetcher, nil
+}
+
+// SupportCRL checks if the certificate supports CRL
+func SupportCRL(cert *x509.Certificate) bool {
+	return cert != nil && len(cert.CRLDistributionPoints) > 0
+}
+
+// cacheCRL caches the Certificate Revocation Lists (CRLs) for the given certificates using the provided CRL fetcher.
+// It logs a warning if fetching the CRL fails but does not return an error to ensure the process is not blocked.
+func CacheCRL(ctx context.Context, certs []*x509.Certificate, fetcher corecrl.Fetcher) {
+	if fetcher == nil {
+		logger.GetLogger(ctx, logOpt).Warn("CRL fetcher is nil")
+		return
+	}
+	var wg sync.WaitGroup
+	for _, cert := range certs {
+		if !SupportCRL(cert) {
+			continue
+		}
+		cacheCertificateCRL(ctx, cert.CRLDistributionPoints, fetcher, &wg)
+	}
+	wg.Wait()
+}
+
+func cacheCertificateCRL(ctx context.Context, crlURLs []string, crlFetcher corecrl.Fetcher, wg *sync.WaitGroup) {
+	for _, crlURL := range crlURLs {
+		crlURL := crlURL // capture loop variable
+		wg.Add(1)
+		go fetchCRL(ctx, crlURL, crlFetcher, wg)
+	}
+}
+
+func fetchCRL(ctx context.Context, url string, crlFetcher corecrl.Fetcher, wg *sync.WaitGroup) {
+	defer wg.Done()
+	if _, err := crlFetcher.Fetch(ctx, url); err != nil {
+		logger.GetLogger(ctx, logOpt).Errorf("failed to download CRL from %s : %v", url, err)
+	}
+}
+
+// newFileCache returns a new file cache instance
+func newFileCache(root string) (*crl.FileCache, error) {
+	cacheRoot, err := dir.CacheFS().SysPath(root)
+	if err != nil {
+		return nil, err
+	}
+	return crl.NewFileCache(cacheRoot)
+}
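Review bot: `CacheCRL` starts one goroutine per CRL distribution point with no upper bound and then blocks on `wg.Wait()`, and the URLs it fetches are read directly from the certificates being cached. The handler's client is `&http.Client{}` in notationrevocationfactory.go, with no `Timeout` set, so unless the caller's ctx carries a deadline a slow or unresponsive CRL endpoint holds the refresh open. A deadline at the top of `CacheCRL` would bound this: `ctx, cancel := context.WithTimeout(ctx, crlFetchTimeout)` followed by `defer cancel()`, where `crlFetchTimeout` is a placeholder for a constant the package would define. The doc comment also names the function `cacheCRL` and promises a warning, while `fetchCRL` logs with `Errorf`.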
diff --git a/pkg/verifier/notation/revocationfactory_test.go b/pkg/verifier/notation/revocationfactory_test.go
new file mode 100644
index 0000000000..8b295031d9
--- /dev/null
+++ b/pkg/verifier/notation/revocationfactory_test.go
@@ -0,0 +1,143 @@
+// Copyright The Ratify Authors.
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+// http://www.apache.org/licenses/LICENSE-2.0
+
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package notation
+
+import (
+	"context"
+	"crypto/x509"
+	"fmt"
+	"net/http"
+	"testing"
+
+	corecrl "github.com/notaryproject/notation-core-go/revocation/crl"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestCRLNewFetcher(t *testing.T) {
+	httpClient := &http.Client{}
+	cacheRoot := "/tmp/cache"
+
+	t.Run("successful fetcher creation", func(t *testing.T) {
+		fetcher, err := CreateCRLFetcher(httpClient, cacheRoot)
+		assert.NoError(t, err)
+		assert.NotNil(t, fetcher)
+	})
+
+	t.Run("error in creating HTTP fetcher", func(t *testing.T) {
+		// Simulate error by passing nil httpClient
+		fetcher, err := CreateCRLFetcher(nil, cacheRoot)
+		assert.Error(t, err)
+		assert.Nil(t, fetcher)
+	})
+}
+func TestSupportCRL(t *testing.T) {
+	t.Run("certificate with CRL distribution points", func(t *testing.T) {
+		cert := &x509.Certificate{
+			CRLDistributionPoints: []string{"http://example.com/crl"},
+		}
+		assert.True(t, SupportCRL(cert))
+	})
+
+	t.Run("certificate without CRL distribution points", func(t *testing.T) {
+		cert := &x509.Certificate{}
+		assert.False(t, SupportCRL(cert))
+	})
+
+	t.Run("nil certificate", func(t *testing.T) {
+		assert.False(t, SupportCRL(nil))
+	})
+}
+func TestCacheCRL(t *testing.T) {
+	ctx := context.Background()
+	httpClient := &http.Client{}
+	cacheRoot := "/tmp/cache"
+	fetcher, _ := CreateCRLFetcher(httpClient, cacheRoot)
+
+	t.Run("nil fetcher", func(t *testing.T) {
+		certs := []*x509.Certificate{
+			{
+				CRLDistributionPoints: []string{"http://example.com/crl"},
+			},
+		}
+		CacheCRL(ctx, certs, nil)
+		// Check logs if necessary
+		t.Log("CRL fetcher is nil")
+	})
+
+	t.Run("certificate without CRL distribution points", func(t *testing.T) {
+		certs := []*x509.Certificate{
+			{},
+		}
+		CacheCRL(ctx, certs, fetcher)
+		// Check logs if necessary
+		t.Log("Certificate does not support CRL")
+	})
+
+	t.Run("certificates with CRL distribution points", func(t *testing.T) {
+		certs := []*x509.Certificate{
+			{
+				CRLDistributionPoints: []string{"http://example.com/crl1"},
+			},
+			{
+				CRLDistributionPoints: []string{"http://example.com/crl2"},
+			},
+		}
+		CacheCRL(ctx, certs, fetcher)
+		// Check logs if necessary
+		t.Log("Completed fetching CRLs")
+	})
+}
+func TestIntermittentFailCacheCRL(t *testing.T) {
+	ctx := context.Background()
+	t.Run("fetch CRL fails", func(t *testing.T) {
+		// Mock fetcher to simulate failure
+		mockFetcher := &MockFetcher{
+			flag: true,
+			FetchFunc: func(_ context.Context, _ string) (*corecrl.Bundle, error) {
+				return &corecrl.Bundle{}, nil
+			},
+		}
+		certs := []*x509.Certificate{
+			{
+				CRLDistributionPoints: []string{"http://example.com/crl1"},
+			},
+			{
+				CRLDistributionPoints: []string{"http://example.com/crl2"},
+			},
+			{
+				CRLDistributionPoints: []string{"http://example.com/crl3"},
+			},
+			{
+				CRLDistributionPoints: []string{"http://example.com/crl4"},
+			},
+		}
+		CacheCRL(ctx, certs, mockFetcher)
+		// Check logs if necessary
+		t.Log("Completed fetching CRLs with intermittent failures")
+	})
+}
+
+// MockFetcher is a mock implementation of corecrl.Fetcher for testing purposes
+type MockFetcher struct {
+	flag      bool
+	FetchFunc func(ctx context.Context, url string) (*corecrl.Bundle, error)
+}
+
+func (m *MockFetcher) Fetch(ctx context.Context, url string) (*corecrl.Bundle, error) {
+	m.flag = !m.flag
+	if m.flag {
+		return nil, fmt.Errorf("failed to fetch CRL from %s", url)
+	}
+	return m.FetchFunc(ctx, url)
+}
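Review bot: `MockFetcher.Fetch` toggles `m.flag` without synchronization, yet `CacheCRL` starts one goroutine per distribution point (`go fetchCRL(...)` in revocationfactory.go), so `TestIntermittentFailCacheCRL` contains a data race that `go test -race` should report, and which of the four fetches fail is nondeterministic. Add a `mu sync.Mutex` field to the mock and begin `Fetch` with `m.mu.Lock()` and `defer m.mu.Unlock()`, with `"sync"` added to the import block. Separately, none of the `CacheCRL` subtests assert anything, since they only call `t.Log`; a call counter on the mock checked with `assert.Equal` would let the test verify that one failed download does not stop the remaining ones. `TestCacheCRL` also passes a real `http.Client{}` with `http://example.com/...` URLs and `context.Background()`, which presumably sends network requests with no timeout from a unit test; using the mock fetcher there would avoid that.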
diff --git a/pkg/verifier/notation/truststore_test.go b/pkg/verifier/notation/truststore_test.go
index eb64c042d0..964f97cb64 100644
--- a/pkg/verifier/notation/truststore_test.go
+++ b/pkg/verifier/notation/truststore_test.go
@@ -133,7 +133,7 @@ func TestGetCertificates_ErrorFromKMPReconcile(t *testing.T) {
 	}
 	store, err := newTrustStore(nil, certStore)
 	if err != nil {
-		t.Fatalf("failed to parse verificationCertStores: " + err.Error())
+		t.Fatalf("failed to parse verificationCertStores: %s", err.Error())
 	}
 
 	controllers.NamespacedCertStores = &mockCertStores{
diff --git a/pkg/verifier/result_test.go b/pkg/verifier/result_test.go
index 64efd2c52d..67ceec690b 100644
--- a/pkg/verifier/result_test.go
+++ b/pkg/verifier/result_test.go
@@ -16,9 +16,10 @@ limitations under the License.
 package verifier
 
 import (
-	"fmt"
 	"testing"
 
+	e "errors"
+
 	"github.com/ratify-project/ratify/errors"
 )
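Review bot: The single-letter alias `e "errors"` for the standard library is easy to shadow with a local variable and hides which `errors` package a call refers to, given that the project package imported below is also named `errors`. A descriptive alias such as `stderrors "errors"`, used as `stderrors.New(testErrReason)`, would read more clearly. The same import is added in pkg/verifier/types/types_test.go. The aliased import could also sit in the first group next to `"testing"` instead of in a group of its own, keeping the standard-library imports together.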
 
@@ -47,7 +48,7 @@ func TestNewVerifierResult(t *testing.T) {
 		{
 			name:                "error without detail",
 			message:             testMsg1,
-			err:                 errors.ErrorCodeUnknown.WithError(fmt.Errorf(testErrReason)).WithRemediation(testRemediation),
+			err:                 errors.ErrorCodeUnknown.WithError(e.New(testErrReason)).WithRemediation(testRemediation),
 			expectedMsg:         testMsg1,
 			expectedErrReason:   testErrReason,
 			expectedRemediation: testRemediation,
@@ -55,7 +56,7 @@ func TestNewVerifierResult(t *testing.T) {
 		{
 			name:                "error with detail",
 			message:             testMsg1,
-			err:                 errors.ErrorCodeUnknown.WithError(fmt.Errorf(testErrReason)).WithRemediation(testRemediation).WithDetail(testMsg2),
+			err:                 errors.ErrorCodeUnknown.WithError(e.New(testErrReason)).WithRemediation(testRemediation).WithDetail(testMsg2),
 			expectedMsg:         testMsg2,
 			expectedErrReason:   testErrReason,
 			expectedRemediation: testRemediation,
diff --git a/pkg/verifier/types/types_test.go b/pkg/verifier/types/types_test.go
index ce1cd39f65..c2d097a33c 100644
--- a/pkg/verifier/types/types_test.go
+++ b/pkg/verifier/types/types_test.go
@@ -16,9 +16,10 @@ limitations under the License.
 package types
 
 import (
-	"fmt"
 	"testing"
 
+	e "errors"
+
 	"github.com/ratify-project/ratify/errors"
 )
 
@@ -47,7 +48,7 @@ func TestCreateVerifierResult(t *testing.T) {
 		{
 			name:                "error without detail",
 			message:             testMsg1,
-			err:                 errors.ErrorCodeUnknown.WithError(fmt.Errorf(testErrReason)).WithRemediation(testRemediation),
+			err:                 errors.ErrorCodeUnknown.WithError(e.New(testErrReason)).WithRemediation(testRemediation),
 			expectedMsg:         testMsg1,
 			expectedErrReason:   testErrReason,
 			expectedRemediation: testRemediation,
@@ -55,7 +56,7 @@ func TestCreateVerifierResult(t *testing.T) {
 		{
 			name:                "error with detail",
 			message:             testMsg1,
-			err:                 errors.ErrorCodeUnknown.WithError(fmt.Errorf(testErrReason)).WithRemediation(testRemediation).WithDetail(testMsg2),
+			err:                 errors.ErrorCodeUnknown.WithError(e.New(testErrReason)).WithRemediation(testRemediation).WithDetail(testMsg2),
 			expectedMsg:         testMsg2,
 			expectedErrReason:   testErrReason,
 			expectedRemediation: testRemediation,
diff --git a/scripts/azure-ci-test.sh b/scripts/azure-ci-test.sh
index b5ddce9cee..6c5ff9c631 100755
--- a/scripts/azure-ci-test.sh
+++ b/scripts/azure-ci-test.sh
@@ -27,8 +27,8 @@ export AKS_NAME="${AKS_NAME:-ratify-aks-${SUFFIX}}"
 export KEYVAULT_NAME="${KEYVAULT_NAME:-ratify-akv-${SUFFIX}}"
 export USER_ASSIGNED_IDENTITY_NAME="${USER_ASSIGNED_IDENTITY_NAME:-ratify-e2e-identity-${SUFFIX}}"
 export LOCATION="westus2"
-export KUBERNETES_VERSION=${1:-1.29.2}
-GATEKEEPER_VERSION=${2:-3.17.0}
+export KUBERNETES_VERSION=${1:-1.30.6}
+GATEKEEPER_VERSION=${2:-3.18.0}
 TENANT_ID=$3
 export RATIFY_NAMESPACE=${4:-gatekeeper-system}
 CERT_DIR=${5:-"~/ratify/certs"}
diff --git a/terraform/azure/main.tf b/terraform/azure/main.tf
index 512aedf379..78ef5fcbcb 100644
--- a/terraform/azure/main.tf
+++ b/terraform/azure/main.tf
@@ -107,7 +107,7 @@ resource "azurerm_kubernetes_cluster" "aks" {
   location                  = azurerm_resource_group.rg.location
   resource_group_name       = azurerm_resource_group.rg.name
   dns_prefix                = "${var.cluster_name}-dns"
-  kubernetes_version        = "1.29.2"
+  kubernetes_version        = "1.30.6"
   workload_identity_enabled = true
   oidc_issuer_enabled       = true