diff --git a/modules/guides/pages/enabling-verification-of-image-signatures.adoc b/modules/guides/pages/enabling-verification-of-image-signatures.adoc index 8fa992cec..129267053 100644 --- a/modules/guides/pages/enabling-verification-of-image-signatures.adoc +++ b/modules/guides/pages/enabling-verification-of-image-signatures.adoc @@ -56,7 +56,7 @@ To verify keyless signatures, the Policy Controller needs an up-to-date version NOTE: https://docs.sigstore.dev/cosign/signing/overview/#root-of-trust[The Update Framework (TUF){external-link-icon}^] is the mechanism used by the Policy Controller to initialize and update the root of trust. -In an air-gapped environment, this CDN is not reachable, so instead you have to provide those files yourself. You can get these files from https://github.com/sigstore/root-signing/tree/main/repository/repository[GitHub{external-link-icon}^]. +In an air-gapped environment, this CDN is not reachable, so instead you have to provide those files yourself. You can get these files from https://github.com/sigstore/root-signing/tree/main/metadata[GitHub{external-link-icon}^]. There are multiple ways how you can provide these files to the Policy Controller, please pick the one that works best for your air-gapped environment: * Serve them via an HTTP server that is reachable by the Policy Controller. + @@ -66,7 +66,7 @@ There are multiple ways how you can provide these files to the Policy Controller [source,bash] ---- git clone https://github.com/sigstore/root-signing -cd root-signing/repository/repository +cd root-signing/metadata python3 -m http.server 8081 ---- + diff --git a/modules/guides/pages/providing-resources-with-pvcs.adoc b/modules/guides/pages/providing-resources-with-pvcs.adoc index 97578980b..f3a3a7e91 100644 --- a/modules/guides/pages/providing-resources-with-pvcs.adoc +++ b/modules/guides/pages/providing-resources-with-pvcs.adoc 
@@ -91,7 +91,7 @@ Managed Kubernetes clusters will normally have a default storage implementation == Operator usage === Spark-k8s -Users of the xref:spark-k8s:index.adoc[Spark-k8s operator] have a variety of ways to manage SparkApplication dependencies, one of which is to xref:spark-k8s:usage-guide/examples.adoc#_pyspark_externally_located_dataset_artifact_available_via_pvcvolume_mount[mount resources on a PersistentVolumeClaim]. An example is shown https://github.com/stackabletech/spark-k8s-operator/blob/main/examples/ny-tlc-report.yaml[here{external-link-icon}^]. +Users of the xref:spark-k8s:index.adoc[Spark-k8s operator] have a variety of ways to manage SparkApplication dependencies, one of which is to xref:spark-k8s:usage-guide/examples.adoc#_pyspark_externally_located_dataset_artifact_available_via_pvcvolume_mount[mount resources on a PersistentVolumeClaim]. == Further reading diff --git a/modules/guides/pages/viewing-and-verifying-sboms.adoc b/modules/guides/pages/viewing-and-verifying-sboms.adoc index cf7d4bc36..ebcccbf93 100644 --- a/modules/guides/pages/viewing-and-verifying-sboms.adoc +++ b/modules/guides/pages/viewing-and-verifying-sboms.adoc 
@@ -14,7 +14,7 @@ This page is a simple wrapper on top of the Stackable OCI registry, where the SB The next step of this guide explains the single steps happening under the hood when a link is clicked, and how to do them manually. == Verifying and extracting an SBOM manually with cosign -To verify and extract the SBOM, a tool called https://github.com/sigstore/cosign[cosign{external-link-icon}^] is needed. Please have a look at the https://docs.sigstore.dev/system_config/installation/[installation instructions{external-link-icon}^] in the cosign documentation and choose your preferred installation method. Additionally, https://github.com/jqlang/jq[jq{external-link-icon}^] is used to parse the JSON output of cosign. +To verify and extract the SBOM, a tool called https://github.com/sigstore/cosign[cosign{external-link-icon}^] is needed. Please have a look at the https://docs.sigstore.dev/cosign/system_config/installation/[installation instructions{external-link-icon}^] in the cosign documentation and choose your preferred installation method. Additionally, https://github.com/jqlang/jq[jq{external-link-icon}^] is used to parse the JSON output of cosign. With the following chain of commands, the SBOM of `airflow-operator` version `24.3.0` is verified and extracted:
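Review bot: In enabling-verification-of-image-signatures.adoc, hunk @@ -56,7, the replacement link still targets the `main` branch (`tree/main/metadata`), which is the same kind of link that went stale when the directory moved away from `repository/repository`. Consider naming the `metadata` directory in the sentence itself so readers can still locate the files if the layout changes again, or link to a fixed ref instead of `main`. Separately, the unchanged context line "There are multiple ways how you can provide these files" would read better as "There are multiple ways to provide these files".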
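Review bot: In enabling-verification-of-image-signatures.adoc, hunk @@ -66,7, the `cd root-signing/metadata` line depends on an unpinned `git clone`, so the snippet stops working whenever the upstream layout changes, as it did here. Suggest checking out a specific tag or commit after the clone, and stating in the text which files the served directory is expected to contain, so a reader can confirm they are serving the right path. The context line `python3 -m http.server 8081` also listens on all interfaces by default; adding `--bind` with the intended address would tighten the example.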
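Review bot: In providing-resources-with-pvcs.adoc, hunk @@ -91,7, the sentence pointing at `examples/ny-tlc-report.yaml` is deleted rather than updated, and nothing in the patch says why. If the file was moved or renamed in spark-k8s-operator, link to its new location; if it was removed, say so in the commit message and confirm that the remaining xref anchor in `usage-guide/examples.adoc` still resolves and covers the same example.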
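Review bot: In viewing-and-verifying-sboms.adoc, hunk @@ -14,7, this patch updates one occurrence of the old `docs.sigstore.dev/system_config/` prefix; it is worth searching the rest of the docs for the same prefix so other pages do not keep the dead link. Minor wording on the context line: "explains the single steps happening under the hood" would read better as "explains the individual steps".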