Chapter 2. New features and enhancements
A list of all major enhancements and new features introduced in this release of Red Hat Trusted Artifact Signer (RHTAS).
The features and enhancements added by this release are:
Ability to add OIDC providers for Ansible deployments of RHTAS
With this release, you can configure OpenID Connect (OIDC) providers under the tas_single_node_fulcio.fulcio_config section of the RHTAS Ansible Playbook. Update the playbook by adding your OIDC provider URL to the oidc_issuers variable, save your changes, and then re-run the playbook. You can define multiple OIDC providers in the oidc_issuers variable.
Monitoring for RHTAS containers
With this release, you can monitor and manage the RHTAS containers with the Cockpit web interface. This gives users a web-based interface that simplifies container management and improves maintainability.
Expose passphrase variables for RHTAS components
Passphrases created by the Ansible collection are easily guessable and therefore a security risk. With this release, we expose the passphrase variables for each RHTAS component. This allows users to configure the passphrase as they see fit in the RHTAS Ansible Playbook.

    tas_single_node_fulcio:
      ca_passphrase: TODO
      ct_log_prefix: TODO
    tas_single_node_rekor:
      ca_passphrase: TODO
    tas_single_node_tsa:
      signer_passphrase: TODO
      ca_passphrase: TODO
    tas_single_node_ctlog_ca_passphrase: TODO
Replace each TODO with your passphrase, and run the playbook.
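As an added example, not part of the release notes or of the RHTAS Ansible collection, the following script audits the passphrase variables above before the playbook is run: it flags any *_passphrase value still at the TODO placeholder or below an assumed minimum length (20 characters is a local policy, not an RHTAS requirement) and draws a CSPRNG-backed replacement. The sample variables are constructed, and the small walker handles only the two-level layout of the snippet, not general YAML.

```python
# Added example, not from the RHTAS docs: flag *_passphrase variables left at the
# TODO placeholder or too short. Handles only the two-level layout shown above.
import re
import secrets
import string

# Constructed sample input: the variables from the release note, partly filled in.
SAMPLE_VARS = """\
tas_single_node_fulcio:
  ca_passphrase: TODO
  ct_log_prefix: TODO
tas_single_node_rekor:
  ca_passphrase: winter-is-coming
tas_single_node_tsa:
  signer_passphrase: 7Hq2zL9vXp4mNc8wRt5yUb3k
  ca_passphrase: TODO
tas_single_node_ctlog_ca_passphrase: TODO
"""
LINE_RE = re.compile(r"^(\s*)([A-Za-z0-9_]+):\s*(.*)$")

def parse_vars(text):
    """Flatten the vars into {'section.key': value} or {'key': value}."""
    result, section = {}, None
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        indent, key, value = m.groups()
        if indent == "":              # top-level key: a section header or a scalar
            section = key if value == "" else None
            if value:
                result[key] = value
        elif section:                 # nested key under the current section
            result[f"{section}.{key}"] = value
    return result

def audit_passphrases(text, min_len=20):  # min_len is an assumed local policy
    """Return {variable: reason} for every *_passphrase value that is unsafe."""
    findings = {}
    for name, value in parse_vars(text).items():
        if not name.endswith("_passphrase"):
            continue                  # ct_log_prefix and friends are not secrets
        if value in ("", "TODO"):
            findings[name] = "placeholder left in place"
        elif len(value) < min_len:
            findings[name] = f"shorter than {min_len} characters"
    return findings

def new_passphrase(length=32):
    """Replacement value drawn from the OS CSPRNG (letters and digits only)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

Running audit_passphrases(SAMPLE_VARS) reports the three TODO values and the short Rekor passphrase while leaving the TSA signer passphrase and the non-secret ct_log_prefix alone.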
Producing a warning or violation dynamically for policy checks
With this release of Enterprise Contract (EC), a single policy check can be either a warning or a violation based on logic defined in the policy check. You can select the warning or violation based on dynamic criteria, such as an effective date, or other runtime logic.
Improvements to the validation output
With this release, we added more details to the output of the ec validate image command for better auditing. The output shows the Git SHA or image digest when resolving a non-permanent reference, such as a tag or Git branch, if defined in the policy source for Enterprise Contract (EC). With this additional information you can see exactly which policies and policy data were used during the validation.
Support for running Enterprise Contract commands without a timeout
With this release, you can specify --timeout 0 on Enterprise Contract (EC) commands to override the default timeout of 5 minutes. This is helpful in Continuous Integration and Continuous Deployment (CI/CD) environments that manage their own task timeouts.
Support for policy exceptions for specific components
In earlier versions of Enterprise Contract (EC), any policy exception was applied to all components being evaluated. With this release, you can specify which component a particular policy exception applies to. This gives you more fine-grained control when applying policy exceptions.