fix: add akv keys check on cosign-verifier (#1427)

charts/ratify/templates/verifier.yaml

@@ -50,7 +50,7 @@ spec:
   name: cosign
   artifactTypes: application/vnd.dev.cosign.artifact.sig.v1+json
   parameters:
-    {{- if gt (len .Values.cosignKeys) 0 }}
+    {{- if or (gt (len .Values.cosignKeys) 0) (and .Values.azurekeyvault.enabled (gt (len .Values.azurekeyvault.keys) 0)) }}
     trustPolicies:
       - name: default
         version: 1.0.0

test/bats/azure-test.bats

@@ -58,7 +58,7 @@ SLEEP_TIME=1
     assert_success
     run kubectl apply -f ./library/default/samples/constraint.yaml
     assert_success
-   
+
     # verify that the image can be run with a root cert, root verification cert should have been configured on deployment
     run kubectl run demo-leaf --namespace default --image=${TEST_REGISTRY}/notation:leafSigned
     assert_success
@@ -112,6 +112,9 @@ SLEEP_TIME=1
     run kubectl apply -f ./library/default/samples/constraint.yaml
     assert_success
     sleep 5
+    run kubectl apply -f ./test/bats/tests/config/config_v1beta1_verifier_cosign_akv.yaml
+    assert_success
+    sleep 5
 
     run kubectl run cosign-demo --namespace default --image=${TEST_REGISTRY}/cosign:signed-key
     assert_success

test/bats/tests/config/config_v1beta1_verifier_cosign_akv.yaml

@@ -0,0 +1,18 @@
+apiVersion: config.ratify.deislabs.io/v1beta1
+kind: Verifier
+metadata:
+  name: verifier-cosign
+  annotations:
+    helm.sh/hook: pre-install,pre-upgrade
+    helm.sh/hook-weight: "5"
+spec:
+  name: cosign
+  artifactTypes: application/vnd.dev.cosign.artifact.sig.v1+json
+  parameters:
+    trustPolicies:
+      - name: default
+        version: 1.0.0
+        scopes:
+          - "*"
+        keys:
+          - provider: gatekeeper-system/kmprovider-akv