Ratify helm chart should provide a way to override notation trusted identities
What would you like to be added?
Provide a way to override notation trusted identities in the helm chart. Currently it is set to `*`.
https://github.com/ratify-project/ratify/blob/dev/charts/ratify/templates/verifier.yaml#L40
```yaml
trustedIdentities:
  - "*"
```
Values could have a `notation.trustedIdentities` property.
```yaml
notation:
  enabled: true
  trustedIdentities:
    - arn:aws:signer:us-west-2:1234567890:/signing-profiles/my-account-signer
```
Anything else you would like to add?
The feature is required as we use AWS signer and want to verify signatures created only by our account-specific AWS signer. The current workaround is to disable the helm chart notation verifier and create one outside the helm chart with the required trusted identities.
Are you willing to submit PRs to contribute to this feature?
- [X] Yes, I am willing to implement it.
Hi @mannbiher, I assume you can override the * with your AWS signer identity in trustedIdentities, without additional development. Is there anything that fails?
Hi @FeynmanZhou, it can be done today (by maintaining custom charts), but it would be a better user experience if Ratify could expose this in the default chart.
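An added example, not part of the issue or of Ratify's code: a small audit that flags notation verifiers whose trust policy still carries the wildcard identity discussed above. It assumes the Verifier resources have been exported as JSON and that the trust policy sits under `spec.parameters.trustPolicyDoc`; the sample data, resource names and function names are constructed for illustration.

```python
import json

# Constructed sample of exported Verifier resources. The layout
# (spec.parameters.trustPolicyDoc.trustPolicies) is an assumption, not taken from the page.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "verifier-notation"},
   "spec": {"name": "notation", "parameters": {"trustPolicyDoc": {"trustPolicies": [
     {"name": "default", "registryScopes": ["*"], "trustedIdentities": ["*"]}]}}}},
  {"metadata": {"name": "verifier-notation-aws"},
   "spec": {"name": "notation", "parameters": {"trustPolicyDoc": {"trustPolicies": [
     {"name": "default", "registryScopes": ["*"], "trustedIdentities": [
       "arn:aws:signer:us-west-2:1234567890:/signing-profiles/my-account-signer"]},
     {"name": "mixed", "registryScopes": ["registry.example/app"], "trustedIdentities": [
       "*", "arn:aws:signer:us-west-2:1234567890:/signing-profiles/my-account-signer"]}]}}}}
]}
""")


def check_identities(identities):
    """Return the problems found in one trustedIdentities list."""
    problems = []
    if not identities:
        problems.append("empty: no identities listed")
    if "*" in identities:
        problems.append("wildcard: any signer in the trust store is accepted")
        if len(identities) > 1:
            problems.append("wildcard listed next to specific identities")
    return problems


def audit(doc):
    """Return (verifier, policy, problem) for every notation policy that is not pinned."""
    findings = []
    for item in doc.get("items", []):
        spec = item.get("spec", {})
        if spec.get("name") != "notation":
            continue  # only notation verifiers carry a trust policy document
        policy_doc = spec.get("parameters", {}).get("trustPolicyDoc", {})
        for policy in policy_doc.get("trustPolicies", []):
            for problem in check_identities(policy.get("trustedIdentities", [])):
                findings.append((item["metadata"]["name"], policy.get("name"), problem))
    return findings


if __name__ == "__main__":
    for verifier, policy, problem in audit(SAMPLE):
        print(f"{verifier}/{policy}: {problem}")
```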