Skip to main content
Version: 1.3

Configuration

Ratify's configuration consist of Store, Verifier, and Executor.

Configuration file

When Ratify runs in cli serve mode, configuration file can be dynamically updated while the server is running, subsequent verification will be based on the updated configuration.

CRDs

Ratify also supports configuration through K8s CRDs. The configuration can be updated using natively supported kubectl commands.

When running Ratify in a pod, the ConfigMap will be mounted in the pod at the default configuration file path. Ratify will initialize with specifications from the configuration file. CRDs will override store and verifier defined in the configuration file if they exist at runtime. Our team is in the process of converting configuration components into Ratify CRDs to support a more native k8s experience. Please review ratify CRDs samples here.

Currently supported components through CRDs are:

Get CRDs

Our helms charts are wired up to initialize CRs based on chart values. After Ratify installation, you can use the kubectl command to review the currently active configuration.

Sample command:

kubectl get stores.config.ratify.deislabs.io --namespace default
kubectl get verifiers.config.ratify.deislabs.io --namespace default
kubectl get certificatestores.config.ratify.deislabs.io --namespace default

Update Crds

You can choose to add / remove / update crds. Sample command to update a verifier:

kubectl apply -f .../ratify/config/samples/config_v1alpha1_verifier_schemavalidator.yaml

Sample command to remove a verifier:

kubectl delete verifiers.config.ratify.deislabs.io/verifier-notary 

Limitations

Currently Ratify only supports single namespace, Ratify cannot distinguish CRs with the same metadata name from different namespaces. To ensure predictable results, please install all CRs in a single namespace. This limitation is being tracked by issue 1061