docs: add doc KMP Refresh #103
Conversation
duffney
requested review from
akashsinghal,
binbin-li,
luisdlp,
susanshi and
toddysm
as code owners
✅ Deploy Preview for ratify-dev ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
|
Are there any other docs I should mention the |
| @@ -102,6 +102,7 @@ metadata: | |||
| name: # a unique name | |||
| spec: | |||
| type: azurekeyvault | |||
| refreshInterval: # OPTIONAL: [string], time duration to refresh the certificates/keys. Disabled by default. Example: 1h, 30m, 1h30m. Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h" | |||
There was a problem hiding this comment.
suggestion to add an example for refresh enabled KMPs in the example section, or link to the /sample
There was a problem hiding this comment.
@susanshi I added samples to the inline and akv sections to point to the samples in the ratify repo. :) Thanks for the suggestion.
| @@ -130,7 +131,7 @@ spec: | |||
|
|
|||
| - If a key/certificate is in disabled state, KMP resource creation will FAIL. Users must remove reference to a disabled Key/Certificate or re-enable in Azure Key Vault. | |||
|
|
|||
| - Ratify does NOT yet support periodic refresh and polling of certificates/keys. If the default latest version changes, object is disabled/expired, or deleted, Ratify will only become aware once the KMP resource is reconciled (edited, deleted, added). | |||
| - Ratify supports periodic refresh and polling of certificates/keys from Azure Key Vault. The `refreshInterval` field can be set to a time duration to refresh the certificates/keys. When no version of the certificate or key is specified, the latest version will be fetched and the resource will be updated. However, if a version is specified, the resource will be locked to that version and will not be updated. | |||
There was a problem hiding this comment.
we might also want to talk about limitation that auto fetching latest might result in verification failure if previous image signed are with other version of the cert. We can also link N version issue so reader is aware of the road map.
There was a problem hiding this comment.
Good call out, I'll add that limitation to the doc. :)
There was a problem hiding this comment.
@susanshi do you have a link to that issue? Or does one need to be created since the n-verion feature isn't included in the refresher for the 1.3 release?
There was a problem hiding this comment.
I didn't find the n-version issue, @duffney could you help create one?
There was a problem hiding this comment.
Certainly, here's a link. ratify-project/ratify#1751 :) It's also been added to the doc.
No description provided.