v1/v2 feature comparison and status tracking

[binbin-li]

We are currently working on the development of Ratify v2. This discussion is intended to compare the existing features in v1 with those planned for v2, while also tracking their implementation status.
Given the complexity of Ratify as a large system composed of multiple components, features will be organized by major components, with related minor features listed under each.

Verifier

Feature	Supported in v1	Planned for v2	Status
Dynamically apply registered verifier	yes	yes	done
Download verifier plugin as artifact	yes	no	n/a
Support Notation verifier	yes	yes	done
Support Cosign verifier	yes	yes	done, keyless cosign supported
Support SBOM verifier	yes	yes
Support Vulnerability Report verifier	yes	yes
Support Attestation verifier	no	yes
Key Management Provider	yes	yes	Done
Periodical Key Refresh	yes	yes

Store

Feature	Supported in v1	Planned for v2	Status
Support multiple stores	Partially support	yes	done
Support native authentication to AWS ECR	yes	yes
Support native authentication to Azure Container Registry	yes	yes	done
Support native authentication to Azure Key Vault	yes	yes	done, missing key/cert refresh and latest n version support
Support native authentication to Alibaba Cloud Container Registry	yes	yes
Support cache	yes	yes	done, added request cache and registry auth token cache
Support custom CA certs for registry	no	yes	yes

PolicyEnforcer

Feature	Supported in v1	Planned for v2	Status
Support config policy	yes	yes with a new config schema	done
Support Rego policy	yes	yes
Support CEL policy	no	yes
Support early termination of evaluation	no	yes	done for new config policy

Executor

Feature	Supported in v1	Planned for v2	Status
Support concurrent execution	yes	yes
Set maximum concurrency limit	no	yes
Early termination on policy failure	no	yes	done

Server

Feature	Supported in v1	Planned for v2	Status
Support verify	yes	yes	done
Support mutate	yes	yes	done
Cache	yes	yes	done
Log traceID for each request	yes	yes
Support instrumentation	yes	yes
File watch on config file	yes	yes	done
TLS cert rotation	yes	yes	done

K8s Cluster

Feature	Supported in v1	Planned for v2	Status
High Availability	yes	yes but probably remove Redis support
Multi-tenancy	yes	yes
CRD	yes	yes	Done
CRD Conversion	no	yes

CLI

ContainerD plugin

[FeynmanZhou]

The SBOM (SPDX) verifier and vulnerability report verifier are not widely used by Ratify users yet, so I am considering maybe we could deprioritize these two verifiers in v2.0.0, but keep these two relatively independent open for any contributors.