feat: add cert rotator

Signed-off-by: Binbin Li <libinbin@microsoft.com>

Makefile

@@ -450,9 +450,6 @@ e2e-deploy-base-ratify: e2e-notaryv2-setup e2e-notation-leaf-cert-setup e2e-inli
 	--set image.crdRepository=localbuildcrd \
 	--set image.tag=test \
 	--set gatekeeper.version=${GATEKEEPER_VERSION} \
-	--set-file provider.tls.crt=${CERT_DIR}/server.crt \
-	--set-file provider.tls.key=${CERT_DIR}/server.key \
-	--set provider.tls.cabundle="$(shell cat ${CERT_DIR}/ca.crt | base64 | tr -d '\n')" \
 	--set notaryCert="$$(cat ~/.config/notation/localkeys/ratify-bats-test.crt)" \
 	--set oras.useHttp=true \
 	--set cosign.enabled=false \
@@ -479,14 +476,11 @@ e2e-deploy-ratify: e2e-notaryv2-setup e2e-notation-leaf-cert-setup e2e-cosign-se
 	--set image.crdRepository=localbuildcrd \
 	--set image.tag=test \
 	--set gatekeeper.version=${GATEKEEPER_VERSION} \
-	--set-file provider.tls.crt=${CERT_DIR}/server.crt \
-	--set-file provider.tls.key=${CERT_DIR}/server.key \
-	--set provider.tls.cabundle="$(shell cat ${CERT_DIR}/ca.crt | base64 | tr -d '\n')" \
 	--set notaryCert="$$(cat ~/.config/notation/localkeys/ratify-bats-test.crt)" \
 	--set cosign.key="$$(cat .staging/cosign/cosign.pub)" \
 	--set oras.useHttp=true \
 	--set-file dockerConfig="mount_config.json" \
-	--set logLevel=debug
+	--set logLevel=debug --debug
 
 	rm mount_config.json
 e2e-aks:

charts/ratify/templates/_helpers.tpl

@@ -108,13 +108,18 @@ Choose the certificate/key pair to enable TLS for HTTP server
 */}}
 {{- define "ratify.tlsSecret" -}}
 {{- $top := index . 0 -}}
-{{- if and $top.Values.provider.tls.crt $top.Values.provider.tls.key $top.Values.provider.tls.cabundle }}
+{{- if and $top.Values.provider.tls.crt $top.Values.provider.tls.key $top.Values.provider.tls.cabundle $top.Values.provider.tls.caCert $top.Values.provider.tls.caKey }}
 tls.crt: {{ $top.Values.provider.tls.crt | b64enc | quote }}  
 tls.key: {{ $top.Values.provider.tls.key | b64enc | quote }}
+ca.crt: {{ $top.Values.provider.tls.caCert | b64enc | quote }}
+ca.key: {{ $top.Values.provider.tls.caKey | b64enc | quote }}
 {{- else }}
 {{- $cert := index . 1 -}}
+{{- $ca := index . 2 -}}
 tls.crt: {{ $cert.Cert | b64enc | quote }}
 tls.key: {{ $cert.Key | b64enc | quote }}
+ca.crt: {{ $ca.Cert | b64enc | quote }}
+ca.key: {{ $ca.Key | b64enc | quote }}
 {{- end }}
 {{- end }}
 

charts/ratify/templates/deployment.yaml

@@ -114,6 +114,8 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+            - name: RATIFY_NAME
+              value: {{ include "ratify.fullname" . }}
           {{- range $k, $v := .Values.featureFlags }}
             - name: {{ $k }}
               value: {{ $v | ternary 1 0 | quote }}

charts/ratify/templates/provider.yaml

@@ -32,4 +32,4 @@ kind: Secret
 metadata:
   name: {{ include "ratify.fullname" . }}-tls
 data:
-  {{ include "ratify.tlsSecret" (list . $cert) | nindent 2}}
+  {{ include "ratify.tlsSecret" (list . $cert $ca) | nindent 2}}

charts/ratify/templates/roles.yaml

@@ -5,7 +5,7 @@ metadata:
 rules:
 - apiGroups: [""]
   resources: ["secrets", "serviceaccounts"]
-  verbs: ["get"]
+  verbs: ["get", "list", "update", "create", "watch"]
 
 ---
 

charts/ratify/values.yaml

@@ -1,8 +1,8 @@
 image:
-  repository: ghcr.io/deislabs/ratify
-  crdRepository: ghcr.io/deislabs/ratify-crds
-  tag: v1.0.0-rc.4
-  pullPolicy: IfNotPresent
+  repository: libinbinacr.azurecr.io/deislabs/ratify
+  crdRepository: libinbinacr.azurecr.io/localbuildcrd
+  tag: v1
+  pullPolicy: Always
 
 nameOverride: ""
 fullnameOverride: ""
@@ -71,6 +71,8 @@ provider:
   tls:
     crt: "" # crt used by ratify (httpserver), please provide your own crt
     key: "" # key used by ratify (httpserver), please provide your own key
+    caCert: "" # CA crt used by ratify (httpserver), please provide your own CA crt
+    caKey: "" # CA key used by ratify (httpserver), please provide your own CA key
     cabundle: "" # base64 encoded CA bundle used for the 'caBundle' property for the ratify provider within gatekeeper
   timeout:
     # timeout values must match gatekeeper webhook timeouts
@@ -108,4 +110,5 @@ crds:
 
 # See https://github.com/deislabs/ratify/blob/main/docs/reference/usage.md for a list of available feature flags
 featureFlags:
-  # RATIFY_FEATURE_NAME: true
+  # RATIFY_FEATURE_NAME: true
+  RATIFY_CERT_ROTATION: true

go.mod

@@ -24,7 +24,7 @@ require (
 	github.com/gorilla/mux v1.8.0
 	github.com/notaryproject/notation-core-go v1.0.0-rc.4
 	github.com/notaryproject/notation-go v1.0.0-rc.6
-	github.com/open-policy-agent/frameworks/constraint v0.0.0-20220627162905-95c012350402
+	github.com/open-policy-agent/frameworks/constraint v0.0.0-20230201235642-777dc99a6669
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.0-rc2
 	github.com/pkg/errors v0.9.1
@@ -42,7 +42,7 @@ require (
 	google.golang.org/protobuf v1.30.0
 	k8s.io/api v0.26.5
 	k8s.io/apimachinery v0.26.5
-	k8s.io/client-go v0.25.10
+	k8s.io/client-go v0.26.1
 	oras.land/oras-go/v2 v2.2.0
 )
 
@@ -79,7 +79,8 @@ require (
 	github.com/digitorus/pkcs7 v0.0.0-20221212123742-001c36b64ec3 // indirect
 	github.com/digitorus/timestamp v0.0.0-20221019182153-ef3b63b79b31 // indirect
 	github.com/dimchansky/utfbom v1.1.1 // indirect
-	github.com/emicklei/go-restful/v3 v3.8.0 // indirect
+	github.com/emicklei/go-restful/v3 v3.9.0 // indirect
+	github.com/evanphx/json-patch/v5 v5.6.0 // indirect
 	github.com/frankban/quicktest v1.14.4 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.2 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.4 // indirect
@@ -132,7 +133,6 @@ require (
 	github.com/docker/docker v23.0.3+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.7.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
-	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
 	github.com/fxamacker/cbor/v2 v2.4.0 // indirect
 	github.com/ghodss/yaml v1.0.0 // indirect
 	github.com/go-chi/chi v4.1.2+incompatible // indirect
@@ -183,6 +183,7 @@ require (
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/oklog/ulid v1.3.1 // indirect
+	github.com/open-policy-agent/cert-controller v0.7.0
 	github.com/open-policy-agent/opa v0.51.0 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/pelletier/go-toml/v2 v2.0.6 // indirect
@@ -238,12 +239,12 @@ require (
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
-	k8s.io/apiextensions-apiserver v0.24.2 // indirect
-	k8s.io/component-base v0.24.2 // indirect
+	k8s.io/apiextensions-apiserver v0.26.1 // indirect
+	k8s.io/component-base v0.26.1 // indirect
 	k8s.io/klog/v2 v2.100.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect
 	k8s.io/utils v0.0.0-20230115233650-391b47cb4029 // indirect
-	sigs.k8s.io/controller-runtime v0.12.3
+	sigs.k8s.io/controller-runtime v0.14.2
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect