Chapter 3. New features and enhancements
A list of all major enhancements and new features introduced in this release of Red Hat Trusted Artifact Signer (RHTAS). Some of these features and enhancements were introduced as Technology Previews in earlier releases and are now generally available (GA) and fully supported in this release.
The features and enhancements added by this release are:
- Including Cosign version 3.0.4

  With this release, we have fully migrated to Cosign version 3.0.4, to help streamline our infrastructure. The modernized cache layout of Sigstore and the simplified initialization patterns of the latest major version are now in use. This shift reduces boilerplate code by adopting the `signingConfig` approach, generated directly through `cosign initialize`. Additionally, Gitsign and Conforma have been updated to their latest versions, ensuring compatibility with updated Cosign packages and `sigstore-go` libraries. You can view the latest RHTAS component versions in the appendix.
- Automated job to update the TUF repository after upgrading the RHTAS Operator

  With this release, the RHTAS Operator introduces an integrated migration job that automates the update of The Update Framework (TUF) repository during the upgrade from version 1.3.x to 1.4.0. This enhancement streamlines the upgrade process by automatically adopting the new TUF repository structure required by Cosign version 3, thereby reducing the risk of a broken "trusted root" state. Users can now perform Operator Lifecycle Manager (OLM) upgrades without manual intervention, and Cosign v2, Cosign v3, and the RHTAS Console all function correctly after the upgrade. This ensures an enterprise-grade experience by guaranteeing that the update is seamless.

  If you store your signer keys outside of Red Hat OpenShift, then you must manually update the TUF repository by following this procedure before you can use the new features of Cosign version 3.
- Command line binaries for RHTAS are available on the Red Hat Developer Portal

  With this release, the command-line interface (CLI) binaries used with RHTAS are now accessible on the Red Hat Developer Portal. Initially, these binaries were exclusively available within OpenShift or Red Hat Enterprise Linux deployments of RHTAS, but customers can now download the binaries for all supported architectures from the Developer Portal, without the need to deploy the RHTAS service.
- Added the Sigstore Policy Controller admission controller

  With this release, users can deploy the Sigstore Policy Controller admission controller alongside RHTAS deployments running on Red Hat OpenShift. This integration offers users a method to manage the container images that are permitted to run on their OpenShift clusters, based on signatures or attestations generated by RHTAS. Users can install and manage the Sigstore Policy Controller admission controller by installing an Operator that reconciles the upstream Helm chart. This Operator ensures that cluster workloads are only admitted if they comply with the specified cluster image policies. For more information about the Sigstore Policy Controller, refer to the RHTAS Administration Guide.
- High availability support added for Trusted Artifact Signer on Red Hat OpenShift

  With this release, users can now configure RHTAS for High Availability (HA) in single-cluster deployments, enhancing service reliability and performance. The RHTAS deployment now keeps key components replicated to eliminate single points of failure, and provides load balancing, failover mechanisms, and health checks. This allows the system to manage workloads effectively, ensuring the uptime required for continuous CI/CD pipelines that rely on the Trusted Artifact Signer service, and maintaining operational continuity. For more information about configuring RHTAS for High Availability, refer to the RHTAS Administration Guide.
- New configuration options for scaling Trusted Artifact Signer's services

  With this release, we implemented enhanced pod scheduling and resource management for RHTAS. This enhancement provides granular control over scaling, scheduling, and resource allocation through a new `PodRequirements` specification. This addresses the need for fine-grained deployment options by offering control over the Custom Resources (CRs) for Fulcio, Certificate Transparency log (CTlog), Rekor, Trillian, Timestamp Authority (TSA), and The Update Framework (TUF) Trust Root. Users can now manage pod affinity rules, define a matching toleration for node taints, specify the number of replicas for high availability, and set compute resource requests and limits. These new configuration options are also exposed in the OpenShift console UI for easier management.
- New configuration options for Rekor external search index

  With this release, users can use their own Redis database as the search index for Rekor. This integration enables connection to external, highly available, managed database or caching services, which is essential for production environments that demand greater scalability, reliability, and the ability to use existing infrastructure. When an external search index is configured, the RHTAS Operator does not deploy the embedded Redis instance. Instead, the Rekor service uses the specified external connection configuration, which includes support for TLS-enabled connections. This gives users more flexibility, along with an enterprise-ready deployment of RHTAS, simplifying management and enhancing overall performance.
- New configuration options for Rekor attestation storage

  With this release, you can now configure external storage for Rekor attestations. This new feature enhances scalability and flexibility when managing Rekor attestations, and allows many Rekor replicas to run simultaneously. We expanded Rekor's Custom Resource Definition (CRD) with a new `attestations` section. In this section you can specify a storage URL for storage providers such as Amazon Web Services (AWS) S3, Google Cloud Storage (GCS), or a file-based persistent volume claim (PVC).
- Added the `--show-warnings` option to Conforma commands

  With this release, we added the `--show-warnings` option to Conforma commands. By default, warning lines are displayed, but they can be disabled when necessary by setting `--show-warnings=false`. This enhancement aims to improve logs for users primarily concerned with failures and specific messages.
- Human-readable output for the `ec validate input` command

  With this release, users can now validate input by using the `ec validate input --output text` command, which provides readable, line-oriented results similar to the `ec validate image` command. This improves interactive use, and aligns with the default friendly-text mode commonly used when validating images. As a result, `validate input` runs now support compact, human-readable output instead of JSON or YAML.
- Support for using component names as exemptions

  With this release, users can now refine exemptions on the `EnterpriseContractPolicy` by using specific component names. This enhancement allows for a more precise policy, as it does not relax the policy for unrelated images, and improves the effectiveness of the policy.
- Support for skipping image signature verification in key-less mode

  With this release, the `ec validate image` command now includes the `--skip-image-sig-check` option. By default, image signature verification is enabled. When this option is used, the command bypasses the image signature verification step while still performing attestation checks. In public-key mode, both image and attestation signature checks remain unchanged.
- Conforma support for Linux `ppc64le` and `s390x` architectures

  With this release, Conforma is now available for the `ppc64le` and `s390x` architectures.
- Support for ANSI colors for Conforma command outputs

  With this release, the `ec validate input` command now uses American National Standards Institute (ANSI) colors for a more uniform visual experience, aligning with the visual cues provided by `ec validate image` and related commands. This change makes it easier to distinguish pass from fail, and emphasis, within a standard terminal, enhancing overall usability.
- One-step validation for exported snapshot resources

  With this release, you can validate exported snapshot resources in a single step by using the `ec validate image` command, which reads the snapshot body from `.spec` when present. This minimizes potential errors and streamlines the process by allowing users to pipe the `oc get snapshot` command directly into the `ec validate image` command, eliminating the need for an extra `jq .spec` step.
- The Conforma CLI properly supports SLSA version 1

  With this release, the Conforma command-line interface (CLI) now consistently handles Supply-chain Levels for Software Artifacts (SLSA) provenance version 1 in both validation and inspection paths. This aligns with the format's structure and expectations, and ensures that users receive first-class handling comparable to earlier iterations. As a result, policies can now be evaluated and tools can inspect attestations reliably, because SLSA version 1 provenance is handled consistently.
- Support for fetching files inside a Tekton task bundle

  With this release, we defined a new Open Policy Agent (OPA) rego function named `ec.oci.blob_files`. This new rego function helps policy authors to directly access and view files from Open Container Initiative (OCI) blob layer tarballs within Tekton task bundles and similar artifacts. As a result, this eliminates the need to manually extract the contents of the tar file, and streamlines the process.
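To show what a policy author gets from such a function, the following Python is an added example and not Conforma's own implementation of `ec.oci.blob_files`: it constructs a small gzip-compressed OCI layer tarball containing a Tekton task definition, pulls named files out of it in memory without extracting to disk, and runs a digest-pinning check over the result, the kind of rule a policy could apply to a task bundle. The sample task, the file paths, and the `build_sample_layer`, `blob_files` and `unpinned_step_images` helpers are assumptions made for this example.

```python
"""Read named files out of an OCI blob layer tarball without extracting it to disk.

Added example (not Conforma's ec.oci.blob_files): it demonstrates in Python the lookup
that the rego function performs for a policy author, followed by a policy-style check.
"""
import io
import json
import tarfile
from typing import Dict, List, Union

# Constructed sample: a Tekton Task stored as JSON inside a layer tarball (not a real bundle).
SAMPLE_TASK = {
    "apiVersion": "tekton.dev/v1",
    "kind": "Task",
    "metadata": {"name": "build"},
    "spec": {
        "steps": [
            {"name": "fetch", "image": "registry.example.com/git@sha256:" + "a" * 64},
            {"name": "compile", "image": "registry.example.com/builder:latest"},
        ]
    },
}


def build_sample_layer() -> bytes:
    """Construct a gzip-compressed layer tarball in memory (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in {
            "./task/task.json": json.dumps(SAMPLE_TASK),
            "./task/README.md": "# build task\n",
        }.items():
            data = text.encode("utf-8")
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _normalize(name: str) -> str:
    """Strip a leading './' so tar entries match the paths a policy asks for."""
    return name[2:] if name.startswith("./") else name


def blob_files(layer: bytes, paths: List[str]) -> Dict[str, Union[dict, str]]:
    """Return the requested files keyed by path; '.json' files are parsed, others decoded as text.

    Paths not present in the layer are absent from the result, so a caller tests membership
    rather than catching errors. Only regular files are read and nothing is written to disk,
    so hostile entry names (absolute paths, '..') cannot escape anywhere.
    """
    wanted = set(paths)
    found: Dict[str, Union[dict, str]] = {}
    with tarfile.open(fileobj=io.BytesIO(layer), mode="r:*") as tar:  # r:* auto-detects gzip
        for member in tar.getmembers():
            name = _normalize(member.name)
            if name not in wanted or not member.isfile():
                continue
            raw = tar.extractfile(member).read()
            found[name] = json.loads(raw) if name.endswith(".json") else raw.decode("utf-8")
    return found


def unpinned_step_images(task: dict) -> List[str]:
    """Policy-style check over the fetched task: list step images not pinned to a digest."""
    steps = task.get("spec", {}).get("steps", [])
    return [s["image"] for s in steps if "@sha256:" not in s.get("image", "")]


if __name__ == "__main__":
    files = blob_files(build_sample_layer(), ["task/task.json", "task/README.md", "task/missing.yaml"])
    print(sorted(files))                                  # ['task/README.md', 'task/task.json']
    print(unpinned_step_images(files["task/task.json"]))  # ['registry.example.com/builder:latest']
```

The missing path is simply left out of the result rather than raising, which is the shape a rego rule wants: it can test `"task/task.json" in files` and deny when the expected file is absent, and deny again when `unpinned_step_images` returns anything.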