docs: add ratify on alibabacloud and add rrsa auth provider into oras…

… doc Signed-off-by: dahu.kdh <[email protected]>
ratify-project · Dec 20, 2024 · d67a3ab · d67a3ab
1 parent f16e196
commit d67a3ab
Show file tree

Hide file tree

Showing 8 changed files with 720 additions and 0 deletions.
diff --git a/docs/imgs/alibabacloud-policy-governance.png b/docs/imgs/alibabacloud-policy-governance.png
diff --git a/docs/imgs/ratify-alibabacloud-marketplace.png b/docs/imgs/ratify-alibabacloud-marketplace.png
diff --git a/docs/plugins/store/oras.md b/docs/plugins/store/oras.md
@@ -141,6 +141,7 @@ NOTE: ORAS will attempt to use anonymous access if the authentication provider f
 1. [Kubernetes Secrets](#kubernetes-secrets)
 1. [AWS IAM Roles for Service Accounts (IRSA)](#aws-iam-roles-for-service-accounts-irsa)
 1. Azure Managed Identity
+1. [Alibaba Cloud RAM Roles for Service Accounts (RRSA)](#alibaba-cloud-ram-roles-for-service-accounts-rrsa)
 
 #### Docker Config
 
@@ -410,6 +411,12 @@ kubectl -n ratify get cm ratify-configuration -oyaml
 ...
 ```
 
+#### Alibaba Cloud RAM Roles for Service Accounts (RRSA)
+
+Ratify pulls artifacts from a private AlibabaCloud Container Registry (ACR) using an ACR authorization token. This token is accessed using the federated workload identity assigned to pods via [RAM Roles for Service Accounts](https://www.alibabacloud.com/help/en/ack/serverless-kubernetes/user-guide/use-rrsa-to-authorize-pods-to-access-different-cloud-services). The AlibabaCloud RRSA Auth provider uses the [Alibaba SDK V2.0 GO SDK](https://www.alibabacloud.com/help/en/sdk/developer-reference/v2-manage-go-access-credentials#ec8021b053aqe) to retrieve basic auth credentials based on a role assigned to a Kubernetes Service Account referenced by a pod specification. For an overview on how to enable and work with RAM Roles for Service Accounts, a.k.a. RRSA,  please refer to [official document](https://www.alibabacloud.com/help/en/ack/serverless-kubernetes/user-guide/use-rrsa-to-authorize-pods-to-access-different-cloud-services#section-rmr-eeh-878).
+
+Please refer to [quick start](../../quickstarts/ratify-on-alibabacloud.md#pulling-acr-private-image-signature-manifest-with-rrsa) to configure Ratify for pulling from ACR private repository using RRSA.
+
 ## Notational Conventions
 
 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as described in [RFC 2119](http://tools.ietf.org/html/rfc2119).

diff --git a/docs/quickstarts/ratify-on-alibabacloud.md b/docs/quickstarts/ratify-on-alibabacloud.md
diff --git a/versioned_docs/version-1.3/imgs/alibabacloud-policy-governance.png b/versioned_docs/version-1.3/imgs/alibabacloud-policy-governance.png
diff --git a/versioned_docs/version-1.3/imgs/ratify-alibabacloud-marketplace.png b/versioned_docs/version-1.3/imgs/ratify-alibabacloud-marketplace.png
diff --git a/versioned_docs/version-1.3/plugins/store/oras.md b/versioned_docs/version-1.3/plugins/store/oras.md
@@ -141,6 +141,7 @@ NOTE: ORAS will attempt to use anonymous access if the authentication provider f
 1. [Kubernetes Secrets](#kubernetes-secrets)
 1. [AWS IAM Roles for Service Accounts (IRSA)](#aws-iam-roles-for-service-accounts-irsa)
 1. Azure Managed Identity
+1. [Alibaba Cloud RAM Roles for Service Accounts (RRSA)](#alibaba-cloud-ram-roles-for-service-accounts-rrsa)
 
 #### Docker Config
 
@@ -410,6 +411,12 @@ kubectl -n ratify get cm ratify-configuration -oyaml
 ...
 ```
 
+#### Alibaba Cloud RAM Roles for Service Accounts (RRSA)
+
+Ratify pulls artifacts from a private AlibabaCloud Container Registry (ACR) using an ACR authorization token. This token is accessed using the federated workload identity assigned to pods via [RAM Roles for Service Accounts](https://www.alibabacloud.com/help/en/ack/serverless-kubernetes/user-guide/use-rrsa-to-authorize-pods-to-access-different-cloud-services). The AlibabaCloud RRSA Auth provider uses the [Alibaba SDK V2.0 GO SDK](https://www.alibabacloud.com/help/en/sdk/developer-reference/v2-manage-go-access-credentials#ec8021b053aqe) to retrieve basic auth credentials based on a role assigned to a Kubernetes Service Account referenced by a pod specification. For an overview on how to enable and work with RAM Roles for Service Accounts, a.k.a. RRSA,  please refer to [official document](https://www.alibabacloud.com/help/en/ack/serverless-kubernetes/user-guide/use-rrsa-to-authorize-pods-to-access-different-cloud-services#section-rmr-eeh-878).
+
+Please refer to [quick start](../../quickstarts/ratify-on-alibabacloud.md#pulling-acr-private-image-signature-manifest-with-rrsa) to configure Ratify for pulling from ACR private repository using RRSA.
+
 ## Notational Conventions
 
 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as described in [RFC 2119](http://tools.ietf.org/html/rfc2119).

diff --git a/versioned_docs/version-1.3/quickstarts/ratify-on-alibabacloud.md b/versioned_docs/version-1.3/quickstarts/ratify-on-alibabacloud.md