# Use Ratify to validate image before deployment in AKS
## Prerequisite
Complete the steps in [Build, Sign and Verify a container image using notation and certificate in Azure Key Vault](https://learn.microsoft.com/en-us/azure/container-registry/container-registry-tutorial-sign-build-push)
## Create a new ACR
```console
ACR_NAME=<ACR Name>
ACR_RG=<ACR Resource Group Name>
az acr create -n $ACR_NAME -g $ACR_RG --sku Standard
az acr update --name $ACR_NAME --anonymous-pull-enabled
```
## Create a new AKS cluster and integrate with an existing ACR
```console
AKS_NAME=<AKS Name>
AKS_RG=<AKS Resource Group Name>
az aks create -n $AKS_NAME -g $AKS_RG --generate-ssh-keys --attach-acr $ACR_NAME
```
> NOTE: See [here](https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration?toc=%2Fazure%2Fcontainer-registry%2Ftoc.json&bc=%2Fazure%2Fcontainer-registry%2Fbreadcrumb%2Ftoc.json&tabs=azure-cli#configure-acr-integration-for-existing-aks-clusters) to configure ACR integration for existing AKS clusters.
## Set up Workload Identity with AKS and ACR
### Update AKS cluster with OIDC issuer
```console
az aks update -n $AKS_NAME -g $AKS_RG --enable-oidc-issuer
export SERVICE_ACCOUNT_ISSUER="$(az aks show -g $AKS_RG -n $AKS_NAME --query "oidcIssuerProfile.issuerUrl" -otsv)"
export SUBSCRIPTION_ID=xxx-xxx-xxx-xxx
export AZURE_TENANT_ID="$(az account show -s $SUBSCRIPTION_ID --query tenantId -otsv)"
```
### Connect to AKS
```console
az aks get-credentials -n $AKS_NAME -g $AKS_RG
```
### Install Workload Identity
```console
helm repo add azure-workload-identity https://azure.github.io/azure-workload-identity/charts
helm repo update
helm install workload-identity-webhook azure-workload-identity/workload-identity-webhook \
--namespace azure-workload-identity-system \
--create-namespace \
--set azureTenantID="${AZURE_TENANT_ID}"
```
## Create ACR AAD application
```console
export APPLICATION_NAME=ratify_test
az ad sp create-for-rbac --name $APPLICATION_NAME
export APPLICATION_CLIENT_ID="$(az ad sp list --display-name "${APPLICATION_NAME}" --query '[0].appId' -otsv)"
az role assignment create --assignee ${APPLICATION_CLIENT_ID} --role acrpull --scope subscriptions/${SUBSCRIPTION_ID}/resourceGroups/${ACR_RG}/providers/Microsoft.ContainerRegistry/registries/${ACR_NAME}
```
## Configure service account
```console
export RATIFY_NS=ratify-service
export RATIFY_SA=ratify-admin
export APPLICATION_OBJECT_ID="$(az ad app show --id ${APPLICATION_CLIENT_ID} --query id -otsv)"
```
```console
cat <<EOF > body.json
{
"name": "kubernetes-federated-credential",
"issuer": "${SERVICE_ACCOUNT_ISSUER}",
"subject": "system:serviceaccount:${RATIFY_NS}:${RATIFY_SA}",
"description": "Kubernetes service account federated credential",
"audiences": [
"api://AzureADTokenExchange"
]
}
EOF
```
```console
az rest --method POST --uri "https://graph.microsoft.com/beta/applications/${APPLICATION_OBJECT_ID}/federatedIdentityCredentials" --body @body.json
```
## Install Gatekeeper
```console
helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
helm install gatekeeper/gatekeeper \
--name-template=gatekeeper \
--namespace gatekeeper-system --create-namespace \
--set enableExternalData=true \
--set validatingWebhookTimeoutSeconds=7
```
## Install Ratify
>NOTE: Public key used for notation sign, see [notation sign using AKV](https://hackmd.io/@yizha1/notation-sign-verify)
```console
export KEY_NAME=wabbit-networks-io
export AKV_NAME=wabbitakv
export PUBLIC_KEY=$(az keyvault certificate show -n $KEY_NAME \
--vault-name $AKV_NAME \
-o json | jq -r '.cer' | base64 -d | openssl x509 -inform DER)
```
```console
helm install ratify ratify/ratify --namespace ${RATIFY_NS} --create-namespace \
--set ratifyTestCert="${PUBLIC_KEY}" \
--set azureWorkloadIdentity.clientId=${APPLICATION_CLIENT_ID} \
--set oras.authProviders.azureWorkloadIdentityEnabled=true --atomic
kubectl apply -f https://deislabs.github.io/ratify/library/default/template.yaml
kubectl apply -f https://deislabs.github.io/ratify/library/default/samples/constraint.yaml
```
## Deploy signed image
```console
kubectl run net-monitor --image=$IMAGE
```
## Deploy un-signed image
```console
kubectl run net-monitor --image=$IMAGE-unsigned
```
## Clean up
```consle
helm uninstall ratify --namespace ratify-service
kubectl delete -f https://deislabs.github.io/ratify/library/default/template.yaml
kubectl delete -f https://deislabs.github.io/ratify/library/default/samples/constraint.yaml
helm uninstall gatekeeper/gatekeeper --namespace gatekeeper-system
# for helm3
kubectl delete crd -l gatekeeper.sh/system=yes
```
## Reference
1. [oras-auth-provider.md](https://github.com/deislabs/ratify/blob/main/docs/reference/oras-auth-provider.md#2-azure-workload-identity)
2. [nv2-sign-verify-aks](https://github.com/Azure/notation-azure-kv/blob/main/docs/nv2-sign-verify-aks.md)
Sign in via Google
Sign in via Facebook
Sign in via X(Twitter)
Sign in via GitHub
Sign in via Dropbox
Sign in with Wallet
Connect another wallet