Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.

Chapter 2. New features and enhancements


A list of all major enhancements, and new features introduced in this release of Red Hat Trusted Artifact Signer (RHTAS).

The features and enhancements added by this release are:

Log sharding for Rekor

If left alone, Rekor’s log will grow indefinitely, which can impact overall performance. With this release, we added log sharding for Rekor to help manage scaling, and minimizing any potential performance degradation from having large logs. You can configure sharding by directly modifying the Rekor custom resource (CR). For more information about how to configure log sharding for Rekor’s signer key rotation, see the RHTAS Administration Guide.

Log sharding for CT log

If left alone, Certificate Transparency (CT) log will grow indefinitely, which can impact overall performance. With this release, we added log sharding for CT log to help manage scaling, and minimizing any potential performance degradation from having large logs. You can configure sharding by directly modifying the CT log custom resource (CR). For more information about how to configure log sharding for CT log’s signer key rotation, see the RHTAS Administration Guide.

Deploy Trillian independently

With this release, you can deploy the Trillian service independently of all other RHTAS components. You can now deploy an independent version of Trillian that uses the RHTAS operator.

Deploy Rekor independently from Trillian

In earlier releases of RHTAS, Rekor required the Trillian service, along with the Trillian database, to be running in the same namespace as Rekor. Because of this dependency, deploying Rekor in complex or segmented environments was more challenging. With this release, we made Rekor independent from Trillian, giving users the flexibility to implement Trillian in a way that is more adaptable to complex infrastructure configurations. Because of this new feature, we extended the API, which allows you to specify connection information for the Trillian service. You can specify the Trillian connection information by providing the appropriate values to the spec.trillian.host and spec.trillian.port options in the Securesign resource.

Proxy support for the Trusted Artifact Signer operator

Connections are often established by using proxies in OpenShift environments, and this might be a hard requirement for some organizations. With this release, we added support for configured proxies in OpenShift environments to the RHTAS operator and operands.

Trusted Timestamp Authority support added

By default, the timestamp comes from Rekor’s own internal clock, which is not externally verifiable or immutable. By using signed timestamps from trusted Timestamp Authorities (TSAs) this mitigates the risk of Rekor’s internal clock being tampered with. With this release, you can configure a trusted TSA instead of using Rekor’s internal clock.

Support for custom Rekor UI route for Ingress sharding

With this release, you can set a custom route for the Rekor user interface (UI) to work with OpenShift’s Ingress Controller sharding feature.

You can configure this by modifying the externalAccess section of ingress and route resources, adding the type: dev label under the routeSelectorlabels section. For example:

...
    externalAccess:
      enabled: true
      routeSelectorLabels:
        type: dev
...

This allows the Ingress Controller to identify these resources for specific preset routes, in this case the dev route.

The operator supports custom CA bundles with certificate injection

With this release, the RHTAS operator now supports custom Certificate Authority (CA) bundles by using certificate injection. To ensure secure communications with OpenShift Proxy or other services needing to trust a specific CA, the RHTAS operator automatically injects trusted CA bundles into its managed services. These managed services are: Trillian, Fulcio, Rekor, Certificate Transparency (CT) log, and Timestamp Authority (TSA).

You can trust additional CA bundles by referencing the config map containing the custom CA bundle in one of two ways:

  • In the relevant custom resource (CR) file, under the metadata.annotations section, add rhtas.redhat.com/trusted-ca.
  • Configure a custom CA bundle directly in the CR file by adding the trustedCA field in the spec.

Configure a CT log prefix for Fulcio

With this release, we added the ability to configure a Certificate Transparency (CT) log prefix for Fulcio. In earlier releases, we hard-coded the prefix to trusted-artifact-signer. Making the prefix configurable, gives you more flexibility, and allows you to target specific CT logs within the CT service. The Fulcio custom resource definition (CRD) has a new spec.ctlog.prefix field, where you can set the prefix.

Enterprise Contract can initialize the TUF root

With this release, you can now use the ec sigstore initialize --root ${TUF_URL} command to initialize Enterprise Contract with The Update Framework (TUF) root deployed by RHTAS. Doing this initialization stores the trusted metadata locally in $HOME/.sigstore/root.

Support for excluding rules for specific images in an Enterprise Contract policy

With this release, you can add an exclude directive in the volatileConfig section of an Enterprise Contract (EC) policy for a specific image digest. You can specify an image digest by using the imageRef key, which limits the policy exception to one specific image.

Support for organizational level OCI registry authentication

With this release, Enterprise Contract (EC) supports Open Container Initiative (OCI) registry credentials specified by using a subpath of the full repository path. If many matching credentials are available, then it tries them in order of specificity. For more information, see the authentication against container image registries specification.

Improved the auditing of Enterprise Contract policy sources

With this release, we log an entry for a Git SHA, or a bundle image digest for each policy source. This allows for better auditing of Enterprise Contract (EC) results, showing you the exact version of the policies and policy data used by EC, allowing for reproducibility.

Displaying plain text as the default for Enterprise Contract reports

With this release, we changed the default output format for the Enterprise Contract (EC) report to plain text. The plain text format makes reading the EC results report much easier.

Red Hat logoGithubRedditYoutubeTwitter

Lernen

Testen, kaufen und verkaufen

Communitys

Über Red Hat Dokumentation

Wir helfen Red Hat Benutzern, mit unseren Produkten und Diensten innovativ zu sein und ihre Ziele zu erreichen – mit Inhalten, denen sie vertrauen können.

Mehr Inklusion in Open Source

Red Hat hat sich verpflichtet, problematische Sprache in unserem Code, unserer Dokumentation und unseren Web-Eigenschaften zu ersetzen. Weitere Einzelheiten finden Sie in Red Hat Blog.

Über Red Hat

Wir liefern gehärtete Lösungen, die es Unternehmen leichter machen, plattform- und umgebungsübergreifend zu arbeiten, vom zentralen Rechenzentrum bis zum Netzwerkrand.

© 2024 Red Hat, Inc.