Refresh policy-controller installation docs #431
Draft
smythp wants to merge 2 commits into sigstore:main from
Generated via mill crank doc_refresh.

Changes:
- Expand from helm install-only to a proper installation guide covering operational needs the original omitted
- Bump Kubernetes prerequisite from 1.23+ to 1.27+
- Add 'Enable Policy Enforcement for Namespaces' section — validation only runs in labeled namespaces, which the old doc did not mention
- Add 'Configure Image Validation Behavior' covering unmatched-image policy (deny by default) and policy/trustroot resync periods
- Add 'Using a Private Sigstore Instance' covering TUF root mounting and disable-tuf for air-gapped setups (addresses sigstore#67)
- Add 'Test a Policy Without a Cluster' covering policy-tester
- Introduce CRD, TUF terminology with links on first mention
Drop the --set installCRDs=false guidance — the chart's CRD templates (clusterimagepolicy.yaml, trustroots.yaml) are unconditional and have no .Values.installCRDs guard, so the flag is a no-op.

Replace the open-ended "Kubernetes 1.27+" claim with the actual upstream support matrix: policy-controller > 0.10.x supports Kubernetes 1.27/28/29; v0.12.0 drops 1.27/28 and adds 1.30/31/32.

Signed-off-by: Patrick Smyth <patrick.smyth@chainguard.dev>
✅ Deploy Preview for docssigstore ready!
Summary

Refreshes content/en/policy-controller/installation.md (33 → 126 lines) with information that was previously missing or stale.

New content

- > 0.10.x, 1.29/30/31/32 starting with v0.12.0) and a link to the support policy
- policy.sigstore.dev/include=true, which is a hard prerequisite users hit immediately
- no-match-policy ConfigMap key with the supported values (deny default, warn, allow)
- ClusterImagePolicy (10h default) and TrustRoot (24h default), with the flags to override
- --tuf-root / --tuf-mirror / --disable-tuf flag examples (addresses Guide for air-gapped deployments #67)
- policy-tester — how to validate a ClusterImagePolicy against an image locally without a cluster

Cross-checked against upstream

- no-match-policy) and values: sigstore/policy-controller pkg/config/store.go
- --tuf-root, --tuf-mirror, --disable-tuf, --policy-resync-period, --trustroot-resync-period): sigstore/policy-controller cmd/webhook/main.go
- policy-tester make target: sigstore/policy-controller Makefile
- sigstore/helm-charts chart README and values.yaml

Test plan

- /policy-controller/overview/...) resolve
- sigstore/policy-controller#support-policy resolves

Notes for reviewers

The Kubernetes prerequisite combines two upstream sources because the README's matrix table hasn't been updated post-v0.12.0 in one place — the table still shows > 0.10.x → 1.27/28/29, while the v0.12.0 changelog entry says "drop 1.27/28 and add 1.30/31/32 k8s". The doc cites both. Happy to narrow further if there's a preferred phrasing.

The previous draft of this page recommended --set installCRDs=false; that recommendation is dropped here because the chart's CRD templates (templates/crds/clusterimagepolicy.yaml, templates/crds/trustroots.yaml) install unconditionally and the installCRDs value in values.yaml is not currently wired to a guard.

Closes #67 (private TUF root mounting documentation gap).