Release Notes
Release notes for Red Hat's Trusted Artifact Signer 1.0.2
Chapter 1. Introduction
Red Hat’s Trusted Artifact Signer (RHTAS) service enhances software supply chain security by simplifying cryptographic signing and verifying of software artifacts, such as container images, binaries, and Git commits. Trusted Artifact Signer provides a production ready deployment of the SecureSign community project.
These Release Notes document the new features and enhancements, bug fixes, and known issues for the latest version, 1.0.2. We add the newest items to the top of each chapter as we build upon the official release notes over the lifecycle of the major and minor releases.
The Red Hat Trusted Artifact Signer documentation is available here.
Chapter 2. New features and enhancements
A list of all major enhancements, and new features introduced in this release of Red Hat Trusted Artifact Signer (RHTAS).
The features and enhancements added by this release are:
Enterprise Contract supports inspecting multiple architecture types for container images
With this release, Enterprise Contract (EC) supports artifact verification and policy enforcement for container images built for multiple architectures. The ec validate image command can inspect each per-architecture container image referenced by an image index, rather than only the image matching the host architecture.
Adding rule data by using a command line argument
With this release, you can inject additional rule data on the command line by using the --extra-rule-data argument to the ec validate image command. For example, you can use this to influence policies so that the behavior for a release pipeline differs from the behavior in a continuous integration and continuous delivery (CI/CD) pipeline, without maintaining two separate policy sources.
A new report format for Enterprise Contract when validating container images
With this release, the ec validate image command can generate a new report format. Use the --output text argument with the ec validate image command to produce a user-friendly, human-readable report. This format lists only the violations and warnings; to see the full details, use the JSON or YAML formats.
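The three Enterprise Contract items above (multi-architecture image indexes, --extra-rule-data, and the text report) combine naturally into one validation wrapper. The script below is an added example for this page; it is not code from the RHTAS documentation or from the Enterprise Contract project. The policy sources and the rule-data repository in the policy file are placeholders, the pipeline_intention key is assumed to be one the policy reads from rule data, the key=value form of --extra-rule-data is assumed, and the public key path and Rekor URL are taken from the environment. The EC variable can point at a stub so the invocation can be inspected without a cluster or a signed image.

```shell
#!/bin/sh
# Added example (not from the RHTAS docs or the Enterprise Contract project):
# validate a multi-architecture image index with 'ec validate image', inject
# rule data that differs between a CI run and a release run, and print the
# text report. Assumptions: placeholder policy sources and rule-data repo,
# the pipeline_intention rule-data key, key=value --extra-rule-data syntax,
# and PUBLIC_KEY / REKOR_URL supplied by the environment.
set -eu

EC="${EC:-ec}"
REKOR_URL="${REKOR_URL:-https://rekor.example.com}"   # hypothetical Rekor endpoint
PUBLIC_KEY="${PUBLIC_KEY:-cosign.pub}"                 # hypothetical signing public key

# Write a policy configuration to the given path. The policy sources and the
# rule-data repository are placeholders; point them at the bundle your
# organization actually uses.
write_policy() {
    cat > "$1" <<'EOF'
sources:
  - policy:
      - github.com/enterprise-contract/ec-policies//policy/lib
      - github.com/enterprise-contract/ec-policies//policy/release
    data:
      - github.com/example/ec-rule-data   # hypothetical rule-data repository
    config:
      include:
        - '@minimal'
EOF
}

# Validate one image reference.
#   $1  image reference; for an image index, ec inspects every architecture
#   $2  pipeline intention: ci or release (injected as rule data)
#   $3  policy configuration file written by write_policy
# The same policy file serves both pipelines; only the injected rule data
# changes, which is what lets rules behave differently per pipeline.
validate_image() {
    case "$2" in
        ci|release) ;;
        *) echo "pipeline intention must be 'ci' or 'release', got '$2'" >&2; return 2 ;;
    esac
    "$EC" validate image \
        --image "$1" \
        --policy "$3" \
        --public-key "$PUBLIC_KEY" \
        --rekor-url "$REKOR_URL" \
        --extra-rule-data "pipeline_intention=$2" \
        --output text
}

# Run only when invoked as: ./ec-validate.sh run <image-ref>
# so the functions can be sourced or exercised with a stub EC.
if [ "${1:-}" = "run" ]; then
    policy_file="$(mktemp)"
    trap 'rm -f "$policy_file"' EXIT
    write_policy "$policy_file"
    validate_image "$2" ci "$policy_file"
    validate_image "$2" release "$policy_file"
fi
```

The text report is convenient for a human reading pipeline logs; a gate that must act on individual violations should run the same command with --output json or --output yaml and parse the result instead.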
Support for OpenShift 4.16 and 4.17
With this release, we added support for the Trusted Artifact Signer service running on OpenShift Container Platform 4.16 and 4.17. Customers can install the RHTAS operator from OperatorHub on currently supported releases of OpenShift Container Platform.
Auto-closing for the confirmation page
With this release, we updated the gitsign binary to version 0.10.2, which enables the auto-closing feature for the Sigstore confirmation page. After a successful authentication, the confirmation page closes automatically after 10 seconds.
Install Trusted Artifact Signer to different namespaces on the same OpenShift cluster
With this release, you can now install the RHTAS service in different namespaces on the same OpenShift cluster.
A new release channel for upgrades
With this release, we added the stable-v1.0 channel that users can subscribe to. Subscribing to this channel gives users automatic upgrades only within the 1.0.x release line. To receive all the latest updates, including upcoming minor releases, subscribe to the stable channel instead. Also, with this release, we removed the alpha channel.
Monitoring for Trillian
With this release, you can enable monitoring for the Trillian server. To enable monitoring, add the monitoring stanza underneath the trillian stanza, and set enabled to true for the Securesign instance. For example:
...
trillian:
  monitoring:
    enabled: true
...
With monitoring enabled, you can view and query the collected metrics from the OpenShift web console by expanding Observe on the navigational menu, and clicking Metrics.
Monitoring for Certificate Transparency logs
With this release, you can enable monitoring for the Certificate Transparency logs (CTlog) server. To enable monitoring, add the monitoring stanza underneath the ctlog stanza, and set enabled to true for the Securesign instance. For example:
...
ctlog:
  monitoring:
    enabled: true
...
With monitoring enabled, you can view and query the collected metrics from the OpenShift web console by expanding Observe on the navigational menu, and clicking Metrics.
Improvements to the segment backup jobs
With this release, the Trusted Artifact Signer service has several improvements to the segment backup jobs. To address vulnerabilities in the previous implementation, the segment backup jobs were rewritten in Python, and the jobs now verify that cluster-level metrics are permitted before collecting them.
Chapter 3. Bug fixes
In this release of Red Hat Trusted Artifact Signer (RHTAS), we fixed the following bugs. In addition to these fixes, we list the descriptions of previously known issues found in earlier versions that we fixed.
An update to operator logic when detecting the OpenShift environment
During OpenShift cluster reboots, the RHTAS operator's logic for detecting the OpenShift environment was unreliable. The operator would mistakenly conclude that it was running in a non-OpenShift environment and configure the system improperly. This caused the APIs to be unavailable and the Trillian database pods to fail to start, and it also violated the OpenShift Security Context Constraints (SCC).
With this release, we removed the dynamic detection of the OpenShift environment from the RHTAS operator. The target environment must be explicitly configured during the installation of the RHTAS operator by using the new OPENSHIFT environment variable. This ensures that the RHTAS operator consistently applies the correct configuration for the deployment. When the RHTAS operator is deployed by using the Operator Lifecycle Manager (OLM), the OPENSHIFT environment variable is set to true by default. As a result, the RHTAS operator consistently configures the system properly, preventing service startup issues on reboot, and no longer violates the OpenShift SCC.
Enterprise Contract is faster and more efficient
Before this update, Enterprise Contract (EC) would download the policy and policy data from a configured source for validating each component. This caused the ec validate image command to run longer by downloading more data than it needed. For this release, when the ec validate image command detects the same policy source to validate different container images, it no longer downloads the policy data more than once.
The operator terminates on a nil pointer exception
When the Certificate Transparency log (CTlog) password referenced by fulcio.spec.privateKeyPasswordRef was set incorrectly, the RHTAS operator terminated on a nil pointer exception without any meaningful error message. With this release, we added more robust error handling for this scenario, and the operator now reports a meaningful error when the CTlog configuration is not set correctly.
Wrong common name for Fulcio certificates
The sigstore.issuer field was hard-coded to the common name value specified in spec.certificate.commonName for Fulcio certificates. With this release, we added logic to set the sigstore.issuer field properly. If spec.certificate.commonName is empty, we set sigstore.issuer from the spec.externalAccess.host value. If both spec.certificate.commonName and spec.externalAccess.host are empty, we set sigstore.issuer to the OpenShift cluster's domain name. As a result, Fulcio certificates now have a properly set common name.
Removed kube-rbac-proxy from the operator
Because the --tls-cert-file and --tls-private-key-file flags for kube-rbac-proxy are deprecated, we removed the role-based access control (RBAC) HTTP proxy resource from the RHTAS operator installation. As a consequence, you need to have a predefined certificate and private key in the operator's namespace. The default operator namespace is openshift-operators. The RBAC HTTP proxy resource is no longer used to protect the /metrics API endpoint of the operator controller.
Enabled the Rekor search UI by default
With this release, the user is no longer required to manually install the Rekor search user interface (UI). We enable the Rekor search UI by default.
The CreateTree task continues running after a failed installation
When deleting and then reinstalling the RHTAS service, the CreateTree task could continuously run in some scenarios, therefore preventing later installations from succeeding. With this release, if the RHTAS installation process detects the CreateTree task running, then it cleans up the task without any user intervention. See GitHub issue #230 for more details.
Replaced the upstream version of kube-rbac-proxy with the supported version
Red Hat Trusted Artifact Signer 1.0 shipped with the upstream version of the role-based access control (RBAC) proxy container, gcr.io/kubebuilder/kube-rbac-proxy. With this release, we replaced the upstream version with the official, supported Red Hat version, registry.redhat.io/openshift4/ose-kube-rbac-proxy.
Trusted Artifact Signer operator can crash when not enough memory is available
During the installation of the RHTAS operator, if not enough memory was allocated to it, the operator pod entered a CrashLoopBackOff status. This crashing prevented the RHTAS operator from installing properly.
With this release, we increased the memory allocation for the RHTAS operator, allowing it to install successfully.
The Enterprise Contract binary download was missing
When a user tried to download the Enterprise Contract (EC) binary for Windows, they received a 404 page because the path to the Windows binary was set incorrectly. With this release, the path to the EC binary for Windows is set correctly, and the download no longer returns a 404 page.
The cosign Windows executable was missing the .exe extension
The cosign binary for Windows was missing the .exe file name extension when downloaded, so it could not be run on Windows. With this release, the cosign binary has the .exe file name extension and runs as expected on Windows.
Upgrading the Technical Preview version of the Trusted Artifact Signer operator fails
Previously, the Technical Preview version (0.0.2) of the RHTAS operator was automatically upgraded to the generally available version (1.0.0), causing an upgrade failure. Upgrading from the Technical Preview version no longer fails if the Securesign instance, and its custom resources (CR) already exist.
Cluster permissions for segment backup jobs
Previously, the role-based access control (RBAC) configuration for the segment backup service account, which gathers Rekor and Fulcio metrics, granted it elevated privileges. When the segment backup jobs were enabled, these elevated privileges allowed the service account to read cluster-wide secrets.
With this release of RHTAS, we fixed the misconfiguration by limiting the privileges for the segment backup service account. We now enable the gathering of these metrics by default.
Chapter 4. Known issues
A list of known issues found in this release of Red Hat Trusted Artifact Signer (RHTAS):
Rekor Search UI does not show records after upgrade
After upgrading the RHTAS operator to the latest version (1.0.1), existing Rekor data is not found when searching by email address. The backfill-redis CronJob, which populates the index that the Rekor Search UI queries against the transparency log, runs only once per day, at midnight. To work around this issue, trigger the backfill-redis job manually instead of waiting until midnight.
To trigger the backfill-redis job from the command-line interface, run the following command:
oc create job --from=cronjob/backfill-redis backfill-redis -n trusted-artifact-signer
Doing this adds the missing data back to the Rekor Search UI.
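The single command above creates a Job with a fixed name, which fails on a second manual run if the first Job still exists, and it returns before the backfill has actually finished. The script below is an added example for this page, not part of the RHTAS documentation: it derives a unique Job name for each run, waits for the Job to complete, and prints the Job's logs if it does not. It assumes the namespace trusted-artifact-signer (the one used in the command above; override it with RHTAS_NAMESPACE), a CronJob named backfill-redis in that namespace, and that OC can be pointed at a stub for dry runs.

```shell
#!/bin/sh
# Added example, not code from the RHTAS documentation: trigger the
# backfill-redis CronJob on demand and wait for the resulting Job.
# Assumptions (not stated on the page): the Securesign instance lives in
# trusted-artifact-signer (override with RHTAS_NAMESPACE), the CronJob is
# named backfill-redis, and OC may be replaced with a stub for dry runs.
set -eu

OC="${OC:-oc}"
NAMESPACE="${RHTAS_NAMESPACE:-trusted-artifact-signer}"
CRONJOB="backfill-redis"

# One name per manual run: 'oc create job' refuses to create a Job whose name
# already exists, so reusing a fixed name fails until the old Job is deleted.
manual_job_name() {
    printf '%s-manual-%s\n' "$CRONJOB" "$(date -u +%Y%m%d%H%M%S)"
}

# Create a one-off Job from the CronJob's template, block until it completes
# (10 minute timeout), and surface the Job logs on failure. Prints the Job
# name on success so the caller can inspect or delete it later.
trigger_backfill() {
    job="$(manual_job_name)"
    "$OC" create job --from="cronjob/$CRONJOB" "$job" -n "$NAMESPACE"
    if ! "$OC" wait --for=condition=complete "job/$job" -n "$NAMESPACE" --timeout=600s; then
        echo "Job $job did not complete; last log lines follow:" >&2
        "$OC" logs "job/$job" -n "$NAMESPACE" --tail=50 >&2 || true
        return 1
    fi
    printf '%s\n' "$job"
}

# Run only when invoked as: ./backfill-now.sh run
# so the functions can be sourced or exercised with a stub OC.
if [ "${1:-}" = "run" ]; then
    trigger_backfill
fi
```

After the Job completes, the previously missing records appear in the Rekor Search UI; the scheduled CronJob continues to run at midnight as before.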
Version number is reported incorrectly on OpenShift 4.13
The installation of the RHTAS operator on OpenShift Container Platform 4.13 incorrectly shows version 0.0.2, when version 1.0.1 is actually installed. Currently, there is no workaround to resolve this issue.
Chapter 5. Deprecated functionality
An overview of deprecated functionality in all supported releases up to this release of Red Hat Trusted Artifact Signer.
Deprecating the Helm deployment of the Red Hat Trusted Artifact Signer software stack
With this release, Red Hat is deprecating the deployment of Red Hat’s Trusted Artifact Signer product by using a Helm chart. Deploying Trusted Artifact Signer with Helm is no longer supported.