Chapter 2. New features and enhancements
A list of all major enhancements and new features introduced in this release of Red Hat Trusted Artifact Signer (RHTAS).
The features and enhancements added by this release are:
Log sharding for Rekor
If left alone, Rekor's log will grow indefinitely, which can impact overall performance. With this release, we added log sharding for Rekor to help manage scaling and minimize any potential performance degradation from large logs. You can configure sharding by directly modifying the Rekor custom resource (CR). For more information about configuring log sharding as part of Rekor's signer key rotation, see the RHTAS Administration Guide.
Log sharding for CT log
If left alone, the Certificate Transparency (CT) log will grow indefinitely, which can impact overall performance. With this release, we added log sharding for the CT log to help manage scaling and minimize any potential performance degradation from large logs. You can configure sharding by directly modifying the CT log custom resource (CR). For more information about configuring log sharding as part of the CT log's signer key rotation, see the RHTAS Administration Guide.
Deploy Trillian independently
With this release, you can deploy the Trillian service independently of all other RHTAS components. You can now deploy a standalone Trillian instance that is managed by the RHTAS operator.
Deploy Rekor independently from Trillian
In earlier releases of RHTAS, Rekor required the Trillian service, along with the Trillian database, to be running in the same namespace as Rekor. Because of this dependency, deploying Rekor in complex or segmented environments was more challenging. With this release, we made Rekor independent from Trillian, giving users the flexibility to implement Trillian in a way that is more adaptable to complex infrastructure configurations. To support this new feature, we extended the API so that you can specify connection information for the Trillian service. You specify the Trillian connection information by providing the appropriate values to the spec.trillian.host and spec.trillian.port options in the Securesign resource.
Proxy support for the Trusted Artifact Signer operator
Connections in OpenShift environments are often established through proxies, and this can be a hard requirement for some organizations. With this release, we added support for the proxies configured in OpenShift environments to the RHTAS operator and its operands.
Support for custom Rekor UI route for Ingress sharding
With this release, you can set a custom route for the Rekor user interface (UI) to work with OpenShift’s Ingress Controller sharding feature.
You can configure this by modifying the externalAccess section of the ingress and route resources, adding the type: dev label under the routeSelectorLabels section. For example:
    ...
    externalAccess:
      enabled: true
      routeSelectorLabels:
        type: dev
    ...
This allows the Ingress Controller to identify these resources for specific preset routes, in this case the dev route.
The operator supports custom CA bundles with certificate injection
With this release, the RHTAS operator now supports custom Certificate Authority (CA) bundles by using certificate injection. To ensure secure communications with OpenShift Proxy or other services needing to trust a specific CA, the RHTAS operator automatically injects trusted CA bundles into its managed services. These managed services are: Trillian, Fulcio, Rekor, Certificate Transparency (CT) log, and Timestamp Authority (TSA).
You can trust additional CA bundles by referencing the config map containing the custom CA bundle in one of two ways:
- In the relevant custom resource (CR) file, under the metadata.annotations section, add rhtas.redhat.com/trusted-ca.
- Configure a custom CA bundle directly in the CR file by adding the trustedCA field in the spec.
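The following is an added example, not taken from the RHTAS documentation, showing both ways of trusting a custom CA bundle. The ConfigMap name, namespace, resource name, apiVersion and the name-based shape of the trustedCA reference are assumptions; the annotation key and the trustedCA field come from the release note above.

```yaml
# Added example (not from the RHTAS documentation). Apply the ConfigMap and
# then ONE of the two Securesign variants below.
---
# ConfigMap holding the PEM chain of the CA that the RHTAS services must
# trust (for example the CA that signs an outbound proxy's certificates).
# Alternative for the cluster proxy CA: leave `data` empty and set the label
# config.openshift.io/inject-trusted-cabundle: "true", and OpenShift keeps the
# ca-bundle.crt key filled with the cluster-wide trusted bundle.
apiVersion: v1
kind: ConfigMap
metadata:
  name: custom-ca-bundle              # assumed name
  namespace: trusted-artifact-signer  # assumed namespace
data:
  ca-bundle.crt: |   # placeholder; replace with your real PEM chain
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
---
# Variant 1: annotation on the CR. The operator reads the referenced
# ConfigMap and injects the bundle into Trillian, Fulcio, Rekor, the CT log
# and the TSA, so each service validates TLS against the same trust store.
apiVersion: rhtas.redhat.com/v1alpha1   # assumed API version
kind: Securesign
metadata:
  name: securesign-sample               # assumed name
  namespace: trusted-artifact-signer
  annotations:
    rhtas.redhat.com/trusted-ca: custom-ca-bundle
spec: {}
---
# Variant 2: explicit reference in spec.trustedCA. Same effect as the
# annotation, but visible in the spec and therefore easier to review and
# to diff in GitOps workflows.
apiVersion: rhtas.redhat.com/v1alpha1   # assumed API version
kind: Securesign
metadata:
  name: securesign-sample               # assumed name
  namespace: trusted-artifact-signer
spec:
  trustedCA:
    name: custom-ca-bundle              # name-based reference is an assumption
```

Keep the ConfigMap in the same namespace as the CR that references it; a bundle that is not found is a silent way to end up with connections that fail TLS validation.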
Configure a CT log prefix for Fulcio
With this release, we added the ability to configure a Certificate Transparency (CT) log prefix for Fulcio. In earlier releases, we hard-coded the prefix to trusted-artifact-signer. Making the prefix configurable gives you more flexibility, and allows you to target specific CT logs within the CT service. The Fulcio custom resource definition (CRD) has a new spec.ctlog.prefix field, where you can set the prefix.
Enterprise Contract can initialize the TUF root
With this release, you can now use the ec sigstore initialize --root ${TUF_URL} command to initialize Enterprise Contract with The Update Framework (TUF) root deployed by RHTAS. This initialization stores the trusted metadata locally in $HOME/.sigstore/root.
Support for excluding rules for specific images in an Enterprise Contract policy
With this release, you can add an exclude directive in the volatileConfig section of an Enterprise Contract (EC) policy for a specific image digest. You specify the image digest with the imageRef key, which limits the policy exception to that one image.
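The following is an added example, not taken from the Enterprise Contract or RHTAS documentation, of an EC policy that waives one rule for one image digest only. The policy name, source URL, rule identifier and digest are constructed placeholders; the apiVersion, kind and the `value` key are assumptions about the EC policy format, while exclude, volatileConfig and imageRef come from the release note above.

```yaml
# Added example (not from the EC or RHTAS documentation).
apiVersion: appstudio.redhat.com/v1alpha1   # assumed API version
kind: EnterpriseContractPolicy              # assumed kind
metadata:
  name: release-policy                      # assumed name
spec:
  sources:
    - name: default
      policy:
        # constructed placeholder; point at your own policy bundle or repo
        - github.com/example-org/ec-policies//policy/release
  configuration:
    include:
      - "@minimal"                          # assumed collection name
    # Exclusions placed here are permanent and apply to EVERY image that is
    # evaluated with this policy, so a waiver for one known finding would
    # weaken the policy for all other images too.
    exclude: []
  # volatileConfig scopes an exclusion. Adding imageRef limits the exception
  # to the single image with that digest; any other image that fails the
  # same rule is still rejected, and the waiver can be audited per image.
  volatileConfig:
    exclude:
      - value: "example.rule_to_waive"      # rule id; `value` key is assumed
        # constructed placeholder digest; use the digest of the reviewed image
        imageRef: "sha256:0000000000000000000000000000000000000000000000000000000000000000"
```

Pinning the waiver to a digest rather than a tag matters: a tag can be moved to a different image, a digest cannot.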
Support for organizational level OCI registry authentication
With this release, Enterprise Contract (EC) supports Open Container Initiative (OCI) registry credentials specified for a subpath of the full repository path. If multiple matching credentials are available, EC tries them in order of specificity. For more information, see the authentication against container image registries specification.
Improved the auditing of Enterprise Contract policy sources
With this release, we log the Git SHA or bundle image digest of each policy source. This allows for better auditing of Enterprise Contract (EC) results, showing you the exact version of the policies and policy data used by EC and making the evaluation reproducible.
Displaying plain text as the default for Enterprise Contract reports
With this release, we changed the default output format for the Enterprise Contract (EC) report to plain text. The plain text format makes reading the EC results report much easier.