From d0689000b6544d41741afded1ab3e7ac5d499234 Mon Sep 17 00:00:00 2001
From: Vishal Choudhary
Date: Thu, 12 Sep 2024 10:15:07 +0530
Subject: [PATCH] feat: add flag to pass tuf root directly (#11103)
Signed-off-by: Vishal Choudhary
---
 CHANGELOG.md | 1 +
 charts/kyverno/README.md | 3 ++-
 charts/kyverno/templates/_helpers.tpl | 3 +++
 charts/kyverno/values.yaml | 4 +++-
 cmd/internal/flag.go | 10 ++++++----
 cmd/internal/tuf.go | 5 ++++-
 6 files changed, 19 insertions(+), 7 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ebff98b697..184eab9b9d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@
 ### Note
 - Removed deprecated flag `reportsChunkSize`.
+- Added `--tufRootRaw` flag to pass tuf root for custom sigstore deployments.
 ## v1.11.0
diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md
index e2dbfc89f0..195997c50f 100644
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@@ -348,7 +348,8 @@ The chart values are organised per component.
 | features.registryClient.credentialHelpers | list | `["default","google","amazon","azure","github"]` | Enable registry client helpers |
 | features.ttlController.reconciliationInterval | string | `"1m"` | Reconciliation interval for the label based cleanup manager |
 | features.tuf.enabled | bool | `false` | Enables the feature |
-| features.tuf.root | string | `nil` | Tuf root |
+| features.tuf.root | string | `nil` | Path to Tuf root |
+| features.tuf.rootRaw | string | `nil` | Raw Tuf root |
 | features.tuf.mirror | string | `nil` | Tuf mirror |
 ### Admission controller
diff --git a/charts/kyverno/templates/_helpers.tpl b/charts/kyverno/templates/_helpers.tpl
index 48803c82e1..fad87db354 100644
--- a/charts/kyverno/templates/_helpers.tpl
+++ b/charts/kyverno/templates/_helpers.tpl
@@ -87,6 +87,9 @@
 {{- with .root -}}
 {{- $flags = append $flags (print "--tufRoot=" .) -}}
 {{- end -}}
+ {{- with .rootRaw -}}
+ {{- $flags = append $flags (print "--tufRootRaw=" .) -}}
+ {{- end -}}
 {{- end -}}
 {{- with $flags -}}
 {{- toYaml . -}}
diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml
index 09217d9c3c..da1571a387 100644
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@@ -696,8 +696,10 @@ features:
 tuf:
 # -- Enables the feature
 enabled: false
- # -- (string) Tuf root
+ # -- (string) Path to Tuf root
 root: ~
+ # -- (string) Raw Tuf root
+ rootRaw: ~
 # -- (string) Tuf mirror
 mirror: ~
diff --git a/cmd/internal/flag.go b/cmd/internal/flag.go
index 496d4a4a0c..cc13f6c958 100644
--- a/cmd/internal/flag.go
+++ b/cmd/internal/flag.go
@@ -41,9 +41,10 @@ var (
 exceptionNamespace string
 enableConfigMapCaching bool
 // cosign
- enableTUF bool
- tufMirror string
- tufRoot string
+ enableTUF bool
+ tufMirror string
+ tufRoot string
+ tufRootRaw string
 // registry client
 imagePullSecrets string
 allowInsecureRegistry bool
@@ -112,7 +113,8 @@ func initDeferredLoadingFlags() {
 func initCosignFlags() {
 flag.BoolVar(&enableTUF, "enableTuf", false, "enable tuf for private sigstore deployments")
 flag.StringVar(&tufMirror, "tufMirror", tuf.DefaultRemoteRoot, "Alternate TUF mirror for sigstore. If left blank, public sigstore one is used for cosign verification.")
- flag.StringVar(&tufRoot, "tufRoot", "", "Alternate TUF root.json for sigstore. If left blank, public sigstore one is used for cosign verification.")
+ flag.StringVar(&tufRoot, "tufRoot", "", "Path to alternate TUF root.json for sigstore (url or env). If left blank, public sigstore one is used for cosign verification.")
+ flag.StringVar(&tufRootRaw, "tufRootRaw", "", "The raw body of alternate TUF root.json for sigstore. If left blank, public sigstore one is used for cosign verification.")
 }
 func initRegistryClientFlags() {
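Review bot: Nothing stops a chart user from setting both `features.tuf.root` and `features.tuf.rootRaw`; the template then emits both `--tufRoot` and `--tufRootRaw`, and cmd/internal/tuf.go in this same patch silently takes the file path first (`} else if tufRootRaw != ""`), so a raw root supplied by the operator can be ignored without any error. Because this root is what anchors cosign verification per the flag help text, the contradiction is better caught at render time than discovered from a verification failure: add `{{- if and .root .rootRaw -}}{{- fail "features.tuf.root and features.tuf.rootRaw are mutually exclusive" -}}{{- end -}}` next to the two `with` blocks. The enclosing template definition starts and ends outside the hunk.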
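Review bot: The comment on the new `rootRaw` key, `# -- (string) Raw Tuf root`, does not tell the user what the value actually is or how it differs from `root`, and the README row (which appears to be generated from these `# --` comments) inherits the same ambiguity. Based on the flag help text added in cmd/internal/flag.go, the value is the full contents of the root.json document, so `# -- (string) Raw contents of the Tuf root.json (alternative to root)` would make the distinction clear at the point where users edit it.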
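Review bot: The help text for the new `--tufRootRaw` flag does not say what happens when `--tufRoot` is also set, although cmd/internal/tuf.go in this patch resolves that case by preferring the path (`} else if tufRootRaw != ""`) and never reading the raw value. Appending `Ignored when --tufRoot is set.` to the `tufRootRaw` description documents the precedence where an operator will actually see it. The rewritten `--tufRoot` text now claims `(url or env)`, but the only evidence in this patch is the read error `Failed to read alternate TUF root file %s`, which suggests a file path; worth confirming what the reader behind `tufRoot` accepts before documenting it as url-or-env.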
diff --git a/cmd/internal/tuf.go b/cmd/internal/tuf.go
index bbd0df7e8d..2979c5db53 100644
--- a/cmd/internal/tuf.go
+++ b/cmd/internal/tuf.go
@@ -14,7 +14,7 @@ func setupSigstoreTUF(ctx context.Context, logger logr.Logger) {
 return
 }
- logger = logger.WithName("sigstore-tuf").WithValues("tufroot", tufRoot, "tufmirror", tufMirror)
+ logger = logger.WithName("sigstore-tuf").WithValues("tufRoot", tufRoot, "tufRootRaw", tufRootRaw, "tufMirror", tufMirror)
 logger.Info("setup tuf client for sigstore...")
 var tufRootBytes []byte
 var err error
@@ -23,7 +23,10 @@ func setupSigstoreTUF(ctx context.Context, logger logr.Logger) {
 if err != nil {
 checkError(logger, err, fmt.Sprintf("Failed to read alternate TUF root file %s : %v", tufRoot, err))
 }
+ } else if tufRootRaw != "" {
+ tufRootBytes = []byte(tufRootRaw)
 }
+ logger.Info("Initializing TUF root")
 if err := tuf.Initialize(ctx, tufMirror, tufRootBytes); err != nil {
 checkError(logger, err, fmt.Sprintf("Failed to initialize TUF client from %s : %v", tufRoot, err))
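Review bot: `WithValues("tufRootRaw", tufRootRaw, ...)` attaches the entire raw root.json body to every later log line from this logger, including `setup tuf client for sigstore...`, `Initializing TUF root` and the checkError messages, and a TUF root document is typically several kilobytes of JSON, so each entry becomes hard to read and to index. For an operator the useful audit fact is which trust anchor was loaded, not its full text; `"tufRootRawLen", len(tufRootRaw)` here, or a SHA-256 of `tufRootBytes` logged just before `tuf.Initialize`, identifies the root without reproducing it. setupSigstoreTUF starts before and ends after this hunk.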