Skip to main content
Version: 1.3

stores

Store

A Store resource defines how to discover and retrieve reference types for a subject. Please review doc here for a full list of store capabilities.

Table of Contents

Scope

Stores can be defined as cluster-wide resources(using the kind Store) or namespaced resources(using the kind NamespacedStore).

Namespaced stores will only apply to the namespace in which they are defined. If a verification request targeting a namespace cannot find a store in required namespace, it will look up the cluster-wide stores.

Cluster-wide stores are applied as the default global store if no namespaced store is specified in required namespace.

Common properties

To see more sample store configuration, click here. Each resource must specify the name of the store.

apiVersion: config.ratify.deislabs.io/v1beta1
kind: Store # NamespacedStore has the same spec.
metadata:
name:
spec:
name: required, name of the store
address: optional. Plugin path, defaults to value of env "RATIFY_CONFIG" or "~/.ratify/plugins"
version: optional. Version of the external plugin, defaults to 1.0.0. On ratify initialization, the specified version will be validated against the supported plugin version.
source: optional. Source location to download the plugin binary, learn more at docs/reference/dynamic-plugins.md
parameters: optional. Parameters specific to this store

Configuration guidelines

Currently Ratify only supports oras-store as the default implementation of ReferrerStore.

Oras Store

Template

apiVersion: config.ratify.deislabs.io/v1beta1
kind: Store
metadata:
name: store-oras
spec:
name: oras
parameters:
cacheEnabled: # defaults to true
ttl: # TTL in seconds for ORAS cache. Default is 10
useHttp: # Local testing ONLY. Disables TLS checks uses HTTP. Default is false.
cosignEnabled: # enables discovery of cosign artifacts from registry. Default is false.
localCachePath: # absolute file path to an existing/new ORAS OCI local store
authProvider:
name: # name of the auth provider type
# auth provider specific fields here
NameRequiredDescriptionDefault Value
cosignEnablednoThis must be true if cosign verifier is enabled. Read more about cosign verifier here.false
authProvidernoThis is only required if pulling from a private repository. For all supported auth mode, please review oras-auth-provider docdockerConfig
cacheEnablednoOras cache, cache for all referrers for a subject. Note: global cache must be enabled firstfalse
ttlnoTime to live for entries in oras cache10 seconds
useHttpnoLocal testing ONLY. This needs to be set to true for local insecure registriesfalse
localCachePathnoAbsolute file path to an existing/new ORAS OCI local store/.ratify/local_oras_cache

Auth provider configurations

Oras uses authentication credentials to authenticate with registry. The following auth providers are supported:

  1. Docker config file
  2. Azure workload identity
  3. Kubernetes secrets
  4. AWS IAM Roles for Service Accounts(IRSA)
  5. Azure Managed Identity

Please refer to Supported Providers for more details.

Docker config file
Template
apiVersion: config.ratify.deislabs.io/v1beta1
kind: Store
metadata:
name: store-oras
spec:
name: oras
parameters:
authProvider:
name: dockerConfig
configPath: # OPTIONAL: [string] path to the docker config file
NameRequiredDescriptionDefault Value
configPathnoPath to the docker config file.used.""
Kubernets secrets
Template
apiVersion: config.ratify.deislabs.io/v1beta1
kind: Store
metadata:
name: store-oras
spec:
name: oras
parameters:
authProvider:
name: k8Secrets
serviceAccountName: # OPTIONAL: [string] name of the service account
secrets: # OPTIONAL: [array] list of secrets to be used for authentication
- secretName: # REQUIRED: [string] name of the secret
namespace: # OPTIONAL: [string] namespace of the secret
NameRequiredDescriptionDefault Value
serviceAccountNamenoName of the service account. If not provided, the default service account will be used.default
secretsnoList of secrets to be used for authentication.[]
secretNameyesName of the secret.""
namespacenoNamespace of the secret.namespace that Ratify deployed
Azure workload identity
Template
apiVersion: config.ratify.deislabs.io/v1beta1
kind: Store
metadata:
name: store-oras
spec:
name: oras
parameters:
authProvider:
name: azureWorkloadIdentity
clientID: # OPTIONAL: [string] client id of the identity
NameRequiredDescriptionDefault Value
clientIDnoClient id of the identity.value of environment var AZURE_CLIENT_ID
Azure managed identity
Template
apiVersion: config.ratify.deislabs.io/v1beta1
kind: Store
metadata:
name: store-oras
spec:
name: oras
parameters:
authProvider:
name: azureManagedIdentity
clientID: # OPTIONAL: [string] client id of the identity
NameRequiredDescriptionDefault Value
clientIDnoClient id of the identity.value of environment var AZURE_CLIENT_ID