
Timeout and init (#3893)

* increase timeout to 30s to match webhook timeout

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* initialize Fulcio roots at startup

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* make fmt

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* add TUF root

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* fix chart

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

* make helm-gen

Signed-off-by: Jim Bugwadia <jim@nirmata.com>

Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
This commit is contained in:
Jim Bugwadia 2022-05-11 19:55:14 -07:00 committed by GitHub
parent 37a5a6652f
commit 36affff4b7
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 36 additions and 3 deletions


@ -136,6 +136,7 @@ The command removes all the Kubernetes components associated with the chart and
| networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
| webhooksCleanup.enable | bool | `false` | Create a helm pre-delete hook to cleanup webhooks. |
| webhooksCleanup.image | string | `"bitnami/kubectl:latest"` | `kubectl` image to run commands for deleting webhooks. |
| tufRootMountPath | string | `"/.sigstore"` | A writable volume to use for the TUF root initialization |
## TLS Configuration


@ -127,6 +127,8 @@ spec:
fieldPath: metadata.name
- name: KYVERNO_SVC
value: {{ template "kyverno.serviceName" . }}
- name: TUF_ROOT
value: {{ .Values.tufRootMountPath }}
{{- with .Values.envVars }}
{{- toYaml . | nindent 10 }}
{{- end }}
@ -138,3 +140,9 @@ spec:
{{- with .Values.readinessProbe }}
readinessProbe: {{ tpl (toYaml .) $ | nindent 12 }}
{{- end }}
volumeMounts:
- mountPath: {{ .Values.tufRootMountPath }}
name: sigstore
volumes:
- name: sigstore
emptyDir: {}
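Review bot: The new `TUF_ROOT` entry at the top of the hunk renders `.Values.tufRootMountPath` unquoted, so a value that YAML would read as anything other than a string produces an invalid EnvVar; `value: {{ .Values.tufRootMountPath | quote }}` keeps it a string for every input, and the same quoting is cheap on the `mountPath` line below. The `volumeMounts:` and `volumes:` keys are emitted unconditionally; I cannot see the rest of the pod spec from this hunk, so confirm the template does not already emit either key, since a duplicate key renders an invalid manifest. The container spec these lines belong to starts outside the hunk.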


@ -373,3 +373,6 @@ webhooksCleanup:
enable: false
# -- `kubectl` image to run commands for deleting webhooks.
image: bitnami/kubectl:latest
# -- A writable volume to use for the TUF root initialization
tufRootMountPath: /.sigstore


@ -377,7 +377,7 @@ func main() {
// webhookconfigurations are registered by the leader only
webhookRegisterLeader, err := leaderelection.New("webhook-register", config.KyvernoNamespace(), kubeClient, registerWebhookConfigurations, nil, log.Log.WithName("webhookRegister/LeaderElection"))
if err != nil {
setupLog.Error(err, "failed to elector leader")
setupLog.Error(err, "failed to elect a leader")
os.Exit(1)
}
@ -386,6 +386,11 @@ func main() {
// the webhook server runs across all instances
openAPIController := startOpenAPIController(dynamicClient, stopCh)
if err := cosign.Init(); err != nil {
setupLog.Error(err, "initialization failed")
os.Exit(1)
}
// WEBHOOK
// - https server to provide endpoints called based on rules defined in Mutating & Validation webhook configuration
// - reports the results based on the response from the policy engine:
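Review bot: The `cosign.Init()` call in the second hunk turns Fulcio root loading into a hard startup dependency: on failure the process exits, so the pod cannot come up until the roots can be loaded, yet the log line `initialization failed` does not say which initialization failed. Since this function already logs other startup failures, a message naming the component, `setupLog.Error(err, "failed to initialize cosign Fulcio roots")`, makes the exit actionable from logs alone. Whether loading the roots needs network access at this point is not visible from the hunk; if it does, the operational consequence (no startup without reaching the trust root) belongs in the chart docs next to `tufRootMountPath`. The enclosing `main` starts and ends outside the hunks.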

16
pkg/cosign/init.go Normal file

@ -0,0 +1,16 @@
package cosign
import (
"fmt"
"github.com/sigstore/cosign/cmd/cosign/cli/fulcio"
)
func Init() error {
certs := fulcio.GetRoots()
if certs == nil {
return fmt.Errorf("failed to initialize Fulcio roots")
}
return nil
}
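Review bot: `Init` is exported without a doc comment, and its body does not explain why a nil pool is an error or why it runs at startup; a comment such as `// Init eagerly loads the Fulcio root certificates so that a missing trust root is reported at startup instead of on the first signature verification.` covers both. Because `GetRoots` as called here returns only the pool, the nil branch has no cause to wrap, so the constant message is better written as `return errors.New("failed to initialize Fulcio roots")` rather than `fmt.Errorf` with no verbs. Note the check only proves the pool is non-nil, not that it contains any certificates, so an empty pool would still pass startup and surface later as a verification failure.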


@ -169,8 +169,8 @@ func NewWebhookServer(
MinVersion: tls.VersionTLS12,
},
Handler: mux,
ReadTimeout: 15 * time.Second,
WriteTimeout: 15 * time.Second,
ReadTimeout: 30 * time.Second,
WriteTimeout: 30 * time.Second,
}
return ws, nil
}
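Review bot: The two 30-second literals in `ReadTimeout` and `WriteTimeout` encode an external limit (the commit message says they match the webhook timeout, presumably the API server's maximum admission webhook `timeoutSeconds`), but nothing beside them says so. A named constant with a why-comment, `// webhookTimeout matches the API server's admission webhook timeout.` followed by `const webhookTimeout = 30 * time.Second`, used for both fields keeps them aligned the next time one changes. Also worth confirming: a `WriteTimeout` equal to the caller's own timeout leaves no margin, so a response finishing just under 30s may still be cut off server-side; whether that matters depends on handler code outside the hunk. `NewWebhookServer` starts outside the hunk.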