From 46dea08855c9e589b091e797a9e6d37e6293c4f5 Mon Sep 17 00:00:00 2001 From: xinhl Date: Wed, 17 Jun 2026 16:13:27 +1000 Subject: [PATCH] fix: address review comments 
Signed-off-by: xinhl --- .../tests/config/executor_cosign_akv.yaml | 38 ++++++++++++++++++ .../tests/config/executor_cosign_keyless.yaml | 33 +++++++++++++++ .../tests/config/executor_cosign_legacy.yaml | 40 +++++++++++++++++++ .../executor_cosign_legacy_keyless.yaml | 33 +++++++++++++++ .../tests/config/executor_invalid_store.yaml | 29 ++++++++++++++ .../config/executor_k8s_secret_auth.yaml | 40 +++++++++++++++++++ .../config/executor_namespace_cosign.yaml | 33 +++++++++++++++ .../config/executor_namespace_notation.yaml | 29 ++++++++++++++ .../tests/config/executor_no_notation.yaml | 33 +++++++++++++++ .../tests/config/executor_no_verifiers.yaml | 32 +++++++++++++++ .../tests/config/executor_notation_akv.yaml | 34 ++++++++++++++++ .../config_v1beta1_certstore_inline.yaml | 0 ...nfig_v1beta1_certstore_inline_invalid.yaml | 0 ..._v1beta1_keymanagementprovider_inline.yaml | 0 .../config_v1beta1_verifier_cosign_akv.yaml | 0 ...onfig_v1beta1_verifier_cosign_keyless.yaml | 0 .../config_v1beta1_verifier_notation.yaml | 0 .../config_v1beta1_verifier_notation_akv.yaml | 0 ...g_v1beta1_verifier_notation_audit_crl.yaml | 0 ..._v1beta1_verifier_notation_kmprovider.yaml | 0 .../config_v1beta1_verifier_notation_tsa.yaml | 0 21 files changed, 374 insertions(+) create mode 100644 test/bats/tests/config/executor_cosign_akv.yaml create mode 100644 test/bats/tests/config/executor_cosign_keyless.yaml create mode 100644 test/bats/tests/config/executor_cosign_legacy.yaml create mode 100644 test/bats/tests/config/executor_cosign_legacy_keyless.yaml create mode 100644 test/bats/tests/config/executor_invalid_store.yaml create mode 100644 test/bats/tests/config/executor_k8s_secret_auth.yaml create mode 100644 test/bats/tests/config/executor_namespace_cosign.yaml create mode 100644 test/bats/tests/config/executor_namespace_notation.yaml create mode 100644 test/bats/tests/config/executor_no_notation.yaml create mode 100644 test/bats/tests/config/executor_no_verifiers.yaml create mode 100644 
test/bats/tests/config/executor_notation_akv.yaml rename test/bats/tests/config/{ => v1}/config_v1beta1_certstore_inline.yaml (100%) rename test/bats/tests/config/{ => v1}/config_v1beta1_certstore_inline_invalid.yaml (100%) rename test/bats/tests/config/{ => v1}/config_v1beta1_keymanagementprovider_inline.yaml (100%) rename test/bats/tests/config/{ => v1}/config_v1beta1_verifier_cosign_akv.yaml (100%) rename test/bats/tests/config/{ => v1}/config_v1beta1_verifier_cosign_keyless.yaml (100%) rename test/bats/tests/config/{ => v1}/config_v1beta1_verifier_notation.yaml (100%) rename test/bats/tests/config/{ => v1}/config_v1beta1_verifier_notation_akv.yaml (100%) rename test/bats/tests/config/{ => v1}/config_v1beta1_verifier_notation_audit_crl.yaml (100%) rename test/bats/tests/config/{ => v1}/config_v1beta1_verifier_notation_kmprovider.yaml (100%) rename test/bats/tests/config/{ => v1}/config_v1beta1_verifier_notation_tsa.yaml (100%) diff --git a/test/bats/tests/config/executor_cosign_akv.yaml b/test/bats/tests/config/executor_cosign_akv.yaml new file mode 100644 index 000000000..0d9091093 --- /dev/null +++ b/test/bats/tests/config/executor_cosign_akv.yaml @@ -0,0 +1,38 @@ +apiVersion: config.ratify.dev/v2alpha1 +kind: Executor +metadata: + name: ratify-ratify-gatekeeper-provider-executor-1 +spec: + scopes: + - "registry:5000" + stores: + - type: registry-store + parameters: + plainHttp: true + allowCosignTag: true + credential: + provider: "static" + username: "test_user" + password: "test_pw" + verifiers: + - name: cosign + type: cosign + parameters: + ignoreTLog: true + trustPolicies: + - scopes: + - "registry:5000" + keys: + azurekeyvault: + vaultURL: "__VAULT_URI__" + clientID: "__CLIENT_ID__" + tenantID: "__TENANT_ID__" + keys: + - name: "__COSIGN_KEY_NAME__" + policyEnforcer: + type: "threshold-policy" + parameters: + policy: + threshold: 1 + rules: + - verifierName: "cosign" 
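Review bot: In executor_cosign_akv.yaml `ignoreTLog: true` sits directly under the cosign verifier's `parameters`, while executor_cosign_keyless.yaml (next hunk) places `ignoreTLog`/`ignoreCTLog` inside the trust policy entry; if the Executor schema reads the flag at only one of those levels, the other placement is silently ignored, so either this fixture would still demand a Rekor entry for the AKV-signed image or the keyless one would lose its transparency-log check. Worth confirming which level the verifier honours and aligning both fixtures. Because skipping the transparency log weakens what the test asserts, a one-line comment above the flag recording why it is disabled for this fixture (for example that the test signature is never uploaded to Rekor, if that is the case) would help the next reader.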
diff --git a/test/bats/tests/config/executor_cosign_keyless.yaml b/test/bats/tests/config/executor_cosign_keyless.yaml new file mode 100644 index 000000000..bf36e55ae --- /dev/null +++ b/test/bats/tests/config/executor_cosign_keyless.yaml @@ -0,0 +1,33 @@ +apiVersion: config.ratify.dev/v2alpha1 +kind: Executor +metadata: + name: ratify-ratify-gatekeeper-provider-executor-1 +spec: + scopes: + - "wabbitnetworks.azurecr.io" + stores: + - type: registry-store + parameters: + allowCosignTag: true + credential: + provider: "static" + verifiers: + - name: cosign + type: cosign + parameters: + trustPolicies: + - scopes: + - "wabbitnetworks.azurecr.io" + certificateIdentity: "" + certificateIdentityRegex: ".*" + certificateOIDCIssuer: "" + certificateOIDCIssuerRegex: ".*" + ignoreTLog: false + ignoreCTLog: false + policyEnforcer: + type: "threshold-policy" + parameters: + policy: + threshold: 1 + rules: + - verifierName: "cosign" diff --git a/test/bats/tests/config/executor_cosign_legacy.yaml b/test/bats/tests/config/executor_cosign_legacy.yaml new file mode 100644 index 000000000..943e535f1 --- /dev/null +++ b/test/bats/tests/config/executor_cosign_legacy.yaml @@ -0,0 +1,40 @@ +apiVersion: config.ratify.dev/v2alpha1 +kind: Executor +metadata: + name: ratify-ratify-gatekeeper-provider-executor-1 +spec: + scopes: + - "registry:5000" + stores: + - type: registry-store + parameters: + plainHttp: true + allowCosignTag: true + credential: + provider: "static" + username: "test_user" + password: "test_pw" + verifiers: + - name: notation + type: notation + parameters: + certificates: + - type: "ca" + inline: __NOTATION_CERT__ + - name: cosign + type: cosign + parameters: + trustPolicies: + - scopes: + - "registry:5000" + keys: + inline: + keys: __COSIGN_KEY__ + policyEnforcer: + type: "threshold-policy" + parameters: + policy: + threshold: 1 + rules: + - verifierName: "notation" + - verifierName: "cosign" 
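Review bot: The keyless trust policy for `wabbitnetworks.azurecr.io` sets `certificateIdentityRegex: ".*"` and `certificateOIDCIssuerRegex: ".*"` with the exact-match fields left empty, so any Fulcio certificate from any OIDC issuer satisfies it and the test only proves that some keyless signature exists, not who produced it. If the image's signing identity is known, pin at least the issuer, e.g. `certificateOIDCIssuer: "__EXPECTED_ISSUER_URL__"` (placeholder) and drop the `.*` issuer regex; otherwise add a comment stating that the wildcard match is intentional for this fixture. executor_cosign_legacy_keyless.yaml in the next hunk is a byte-identical copy (both headers show blob bf36e55ae), so whichever change is made applies there too, and one file could be dropped if the harness can reuse the other.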
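Review bot: In executor_cosign_legacy.yaml `inline: __NOTATION_CERT__` and `keys: __COSIGN_KEY__` are unquoted plain scalars, so whatever the bats harness substitutes must itself be a single valid YAML scalar; executor_k8s_secret_auth.yaml shows the expanded form as a double-quoted PEM with `\n` escapes, and a raw multi-line PEM inserted here would likely break parsing. If the substitution already emits the quoted form this is fine and a comment such as `# __COSIGN_KEY__ is replaced by the harness with a double-quoted PEM string` would make that contract visible; if it emits bare text, quote the placeholder instead. The same unquoted placeholders appear in executor_invalid_store.yaml, executor_namespace_cosign.yaml, executor_namespace_notation.yaml and executor_no_verifiers.yaml.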
diff --git a/test/bats/tests/config/executor_cosign_legacy_keyless.yaml b/test/bats/tests/config/executor_cosign_legacy_keyless.yaml new file mode 100644 index 000000000..bf36e55ae --- /dev/null +++ b/test/bats/tests/config/executor_cosign_legacy_keyless.yaml @@ -0,0 +1,33 @@ +apiVersion: config.ratify.dev/v2alpha1 +kind: Executor +metadata: + name: ratify-ratify-gatekeeper-provider-executor-1 +spec: + scopes: + - "wabbitnetworks.azurecr.io" + stores: + - type: registry-store + parameters: + allowCosignTag: true + credential: + provider: "static" + verifiers: + - name: cosign + type: cosign + parameters: + trustPolicies: + - scopes: + - "wabbitnetworks.azurecr.io" + certificateIdentity: "" + certificateIdentityRegex: ".*" + certificateOIDCIssuer: "" + certificateOIDCIssuerRegex: ".*" + ignoreTLog: false + ignoreCTLog: false + policyEnforcer: + type: "threshold-policy" + parameters: + policy: + threshold: 1 + rules: + - verifierName: "cosign" diff --git a/test/bats/tests/config/executor_invalid_store.yaml b/test/bats/tests/config/executor_invalid_store.yaml new file mode 100644 index 000000000..727a237e3 --- /dev/null +++ b/test/bats/tests/config/executor_invalid_store.yaml @@ -0,0 +1,29 @@ +apiVersion: config.ratify.dev/v2alpha1 +kind: Executor +metadata: + name: ratify-ratify-gatekeeper-provider-executor-1 +spec: + scopes: + - "registry:5000" + stores: + - type: invalid-store-type + parameters: + plainHttp: true + credential: + provider: "static" + username: "test_user" + password: "test_pw" + verifiers: + - name: notation + type: notation + parameters: + certificates: + - type: "ca" + inline: __NOTATION_CERT__ + policyEnforcer: + type: "threshold-policy" + parameters: + policy: + threshold: 1 + rules: + - verifierName: "notation" diff --git a/test/bats/tests/config/executor_k8s_secret_auth.yaml b/test/bats/tests/config/executor_k8s_secret_auth.yaml new file mode 100644 index 000000000..823d3f952 --- /dev/null 
+++ b/test/bats/tests/config/executor_k8s_secret_auth.yaml @@ -0,0 +1,40 @@ +apiVersion: config.ratify.dev/v2alpha1 +kind: Executor +metadata: + name: ratify-ratify-gatekeeper-provider-executor-1 +spec: + scopes: + - "registry:5000" + stores: + - type: registry-store + parameters: + plainHttp: true + allowCosignTag: true + credential: + provider: "static" + username: "test_user" + password: "test_pw" + verifiers: + - name: notation + type: notation + parameters: + certificates: + - type: "ca" + inline: __NOTATION_CERT__ + - name: cosign + type: cosign + parameters: + trustPolicies: + - scopes: + - "registry:5000" + keys: + inline: + keys: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEvjrMZFyaBDsvg5e0C8JaHqw8ULuc\nn947ODVAMvfdqtjqK2eW77OGrsFLdkbG3BET9U4Dj37odn4kI5lC4Lj9Eg==\n-----END PUBLIC KEY-----\n" + policyEnforcer: + type: "threshold-policy" + parameters: + policy: + threshold: 1 + rules: + - verifierName: "notation" + - verifierName: "cosign" diff --git a/test/bats/tests/config/executor_namespace_cosign.yaml b/test/bats/tests/config/executor_namespace_cosign.yaml new file mode 100644 index 000000000..782a9e950 --- /dev/null +++ b/test/bats/tests/config/executor_namespace_cosign.yaml @@ -0,0 +1,33 @@ +apiVersion: config.ratify.dev/v2alpha1 +kind: Executor +metadata: + name: executor-cosign-default +spec: + scopes: + - "registry:5000/cosign" + stores: + - type: registry-store + parameters: + plainHttp: true + allowCosignTag: true + credential: + provider: "static" + username: "test_user" + password: "test_pw" + verifiers: + - name: cosign + type: cosign + parameters: + trustPolicies: + - scopes: + - "registry:5000/cosign" + keys: + inline: + keys: __COSIGN_KEY__ + policyEnforcer: + type: "threshold-policy" + parameters: + policy: + threshold: 1 + rules: + - verifierName: "cosign" 
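Review bot: executor_k8s_secret_auth.yaml configures the store with `provider: "static"` and literal `test_user`/`test_pw`, the same as the other fixtures, so from the file alone nothing exercises Kubernetes-secret-based authentication; presumably the bats test rewrites or supplements the credential block at runtime, and if so a comment at the top of the file saying that would keep the fixture's name honest, while if not the fixture does not cover the path its name suggests. The inline cosign public key is also hard-coded here (and again in executor_no_notation.yaml) whereas the sibling fixtures use the `__COSIGN_KEY__` placeholder; unless this test needs a fixed key, using the placeholder keeps the fixtures consistent and avoids two copies of the same PEM drifting apart.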
diff --git a/test/bats/tests/config/executor_namespace_notation.yaml b/test/bats/tests/config/executor_namespace_notation.yaml new file mode 100644 index 000000000..f6ee4a4be --- /dev/null +++ b/test/bats/tests/config/executor_namespace_notation.yaml @@ -0,0 +1,29 @@ +apiVersion: config.ratify.dev/v2alpha1 +kind: Executor +metadata: + name: executor-notation-default +spec: + scopes: + - "registry:5000/notation" + stores: + - type: registry-store + parameters: + plainHttp: true + credential: + provider: "static" + username: "test_user" + password: "test_pw" + verifiers: + - name: notation + type: notation + parameters: + certificates: + - type: "ca" + inline: __NOTATION_CERT__ + policyEnforcer: + type: "threshold-policy" + parameters: + policy: + threshold: 1 + rules: + - verifierName: "notation" diff --git a/test/bats/tests/config/executor_no_notation.yaml b/test/bats/tests/config/executor_no_notation.yaml new file mode 100644 index 000000000..d8dd01870 --- /dev/null +++ b/test/bats/tests/config/executor_no_notation.yaml @@ -0,0 +1,33 @@ +apiVersion: config.ratify.dev/v2alpha1 +kind: Executor +metadata: + name: ratify-ratify-gatekeeper-provider-executor-1 +spec: + scopes: + - "registry:5000" + stores: + - type: registry-store + parameters: + plainHttp: true + allowCosignTag: true + credential: + provider: "static" + username: "test_user" + password: "test_pw" + verifiers: + - name: cosign + type: cosign + parameters: + trustPolicies: + - scopes: + - "registry:5000" + keys: + inline: + keys: "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEvjrMZFyaBDsvg5e0C8JaHqw8ULuc\nn947ODVAMvfdqtjqK2eW77OGrsFLdkbG3BET9U4Dj37odn4kI5lC4Lj9Eg==\n-----END PUBLIC KEY-----\n" + policyEnforcer: + type: "threshold-policy" + parameters: + policy: + threshold: 1 + rules: + - verifierName: "cosign" diff --git a/test/bats/tests/config/executor_no_verifiers.yaml b/test/bats/tests/config/executor_no_verifiers.yaml new file mode 100644 index 000000000..85cc7d6a5 --- /dev/null 
+++ b/test/bats/tests/config/executor_no_verifiers.yaml @@ -0,0 +1,32 @@ +apiVersion: config.ratify.dev/v2alpha1 +kind: Executor +metadata: + name: ratify-ratify-gatekeeper-provider-executor-1 +spec: + scopes: + - "registry:5000" + stores: + - type: registry-store + parameters: + plainHttp: true + allowCosignTag: true + credential: + provider: "static" + username: "test_user" + password: "test_pw" + verifiers: + - name: dummy + type: notation + parameters: + scopes: + - "does-not-match.example.com" + certificates: + - type: "ca" + inline: __NOTATION_CERT__ + policyEnforcer: + type: "threshold-policy" + parameters: + policy: + threshold: 1 + rules: + - verifierName: "dummy" diff --git a/test/bats/tests/config/executor_notation_akv.yaml b/test/bats/tests/config/executor_notation_akv.yaml new file mode 100644 index 000000000..7febd52e3 --- /dev/null +++ b/test/bats/tests/config/executor_notation_akv.yaml @@ -0,0 +1,34 @@ +apiVersion: config.ratify.dev/v2alpha1 +kind: Executor +metadata: + name: ratify-ratify-gatekeeper-provider-executor-1 +spec: + scopes: + - "registry:5000" + stores: + - type: registry-store + parameters: + plainHttp: true + credential: + provider: "static" + username: "test_user" + password: "test_pw" + verifiers: + - name: notation + type: notation + parameters: + certificates: + - type: "ca" + azurekeyvault: + vaultURL: "__VAULT_URI__" + clientID: "__CLIENT_ID__" + tenantID: "__TENANT_ID__" + certificates: + - name: "__NOTATION_CERT_NAME__" + policyEnforcer: + type: "threshold-policy" + parameters: + policy: + threshold: 1 + rules: + - verifierName: "notation" diff --git a/test/bats/tests/config/config_v1beta1_certstore_inline.yaml b/test/bats/tests/config/v1/config_v1beta1_certstore_inline.yaml similarity index 100% rename from test/bats/tests/config/config_v1beta1_certstore_inline.yaml rename to test/bats/tests/config/v1/config_v1beta1_certstore_inline.yaml 
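Review bot: In executor_no_verifiers.yaml the `scopes: - "does-not-match.example.com"` restriction is placed under the notation verifier's `parameters`, a location none of the other notation fixtures use, whereas the cosign fixtures scope verification through `trustPolicies[].scopes`. If the notation verifier does not read `parameters.scopes`, the `dummy` verifier applies to `registry:5000` after all and the fixture would not produce the no-applicable-verifier condition its name implies, so the test could pass or fail for the wrong reason. Worth confirming the field against the verifier's option struct and adding a comment such as `# scope deliberately excludes registry:5000 so no verifier applies` above it.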
diff --git a/test/bats/tests/config/config_v1beta1_certstore_inline_invalid.yaml b/test/bats/tests/config/v1/config_v1beta1_certstore_inline_invalid.yaml similarity index 100% rename from test/bats/tests/config/config_v1beta1_certstore_inline_invalid.yaml rename to test/bats/tests/config/v1/config_v1beta1_certstore_inline_invalid.yaml diff --git a/test/bats/tests/config/config_v1beta1_keymanagementprovider_inline.yaml b/test/bats/tests/config/v1/config_v1beta1_keymanagementprovider_inline.yaml similarity index 100% rename from test/bats/tests/config/config_v1beta1_keymanagementprovider_inline.yaml rename to test/bats/tests/config/v1/config_v1beta1_keymanagementprovider_inline.yaml diff --git a/test/bats/tests/config/config_v1beta1_verifier_cosign_akv.yaml b/test/bats/tests/config/v1/config_v1beta1_verifier_cosign_akv.yaml similarity index 100% rename from test/bats/tests/config/config_v1beta1_verifier_cosign_akv.yaml rename to test/bats/tests/config/v1/config_v1beta1_verifier_cosign_akv.yaml diff --git a/test/bats/tests/config/config_v1beta1_verifier_cosign_keyless.yaml b/test/bats/tests/config/v1/config_v1beta1_verifier_cosign_keyless.yaml similarity index 100% rename from test/bats/tests/config/config_v1beta1_verifier_cosign_keyless.yaml rename to test/bats/tests/config/v1/config_v1beta1_verifier_cosign_keyless.yaml diff --git a/test/bats/tests/config/config_v1beta1_verifier_notation.yaml b/test/bats/tests/config/v1/config_v1beta1_verifier_notation.yaml similarity index 100% rename from test/bats/tests/config/config_v1beta1_verifier_notation.yaml rename to test/bats/tests/config/v1/config_v1beta1_verifier_notation.yaml diff --git a/test/bats/tests/config/config_v1beta1_verifier_notation_akv.yaml b/test/bats/tests/config/v1/config_v1beta1_verifier_notation_akv.yaml similarity index 100% rename from test/bats/tests/config/config_v1beta1_verifier_notation_akv.yaml rename to test/bats/tests/config/v1/config_v1beta1_verifier_notation_akv.yaml 
diff --git a/test/bats/tests/config/config_v1beta1_verifier_notation_audit_crl.yaml b/test/bats/tests/config/v1/config_v1beta1_verifier_notation_audit_crl.yaml similarity index 100% rename from test/bats/tests/config/config_v1beta1_verifier_notation_audit_crl.yaml rename to test/bats/tests/config/v1/config_v1beta1_verifier_notation_audit_crl.yaml diff --git a/test/bats/tests/config/config_v1beta1_verifier_notation_kmprovider.yaml b/test/bats/tests/config/v1/config_v1beta1_verifier_notation_kmprovider.yaml similarity index 100% rename from test/bats/tests/config/config_v1beta1_verifier_notation_kmprovider.yaml rename to test/bats/tests/config/v1/config_v1beta1_verifier_notation_kmprovider.yaml diff --git a/test/bats/tests/config/config_v1beta1_verifier_notation_tsa.yaml b/test/bats/tests/config/v1/config_v1beta1_verifier_notation_tsa.yaml similarity index 100% rename from test/bats/tests/config/config_v1beta1_verifier_notation_tsa.yaml rename to test/bats/tests/config/v1/config_v1beta1_verifier_notation_tsa.yaml