feat: add flag to pass tuf root directly (#11103)

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

CHANGELOG.md

@@ -3,6 +3,7 @@
 ### Note
 
 - Removed deprecated flag `reportsChunkSize`.
+- Added `--tufRootRaw` flag to pass tuf root for custom sigstore deployments.
 
 ## v1.11.0
 

charts/kyverno/README.md

@@ -348,7 +348,8 @@ The chart values are organised per component.
 | features.registryClient.credentialHelpers | list | `["default","google","amazon","azure","github"]` | Enable registry client helpers |
 | features.ttlController.reconciliationInterval | string | `"1m"` | Reconciliation interval for the label based cleanup manager |
 | features.tuf.enabled | bool | `false` | Enables the feature |
-| features.tuf.root | string | `nil` | Tuf root |
+| features.tuf.root | string | `nil` | Path to Tuf root |
+| features.tuf.rootRaw | string | `nil` | Raw Tuf root |
 | features.tuf.mirror | string | `nil` | Tuf mirror |
 
 ### Admission controller

charts/kyverno/templates/_helpers.tpl

@@ -87,6 +87,9 @@
   {{- with .root -}}
     {{- $flags = append $flags (print "--tufRoot=" .) -}}
   {{- end -}}
+  {{- with .rootRaw -}}
+    {{- $flags = append $flags (print "--tufRootRaw=" .) -}}
+  {{- end -}}
 {{- end -}}
 {{- with $flags -}}
   {{- toYaml . -}}

charts/kyverno/values.yaml

@@ -696,8 +696,10 @@ features:
   tuf:
     # -- Enables the feature
     enabled: false
-    # -- (string) Tuf root
+    # -- (string) Path to Tuf root
     root: ~
+    # -- (string) Raw Tuf root
+    rootRaw: ~
     # -- (string) Tuf mirror
     mirror: ~
 

cmd/internal/flag.go

@@ -41,9 +41,10 @@ var (
 	exceptionNamespace     string
 	enableConfigMapCaching bool
 	// cosign
-	enableTUF bool
-	tufMirror string
-	tufRoot   string
+	enableTUF  bool
+	tufMirror  string
+	tufRoot    string
+	tufRootRaw string
 	// registry client
 	imagePullSecrets          string
 	allowInsecureRegistry     bool
@@ -112,7 +113,8 @@ func initDeferredLoadingFlags() {
 func initCosignFlags() {
 	flag.BoolVar(&enableTUF, "enableTuf", false, "enable tuf for private sigstore deployments")
 	flag.StringVar(&tufMirror, "tufMirror", tuf.DefaultRemoteRoot, "Alternate TUF mirror for sigstore. If left blank, public sigstore one is used for cosign verification.")
-	flag.StringVar(&tufRoot, "tufRoot", "", "Alternate TUF root.json for sigstore. If left blank, public sigstore one is used for cosign verification.")
+	flag.StringVar(&tufRoot, "tufRoot", "", "Path to alternate TUF root.json for sigstore (url or env). If left blank, public sigstore one is used for cosign verification.")
+	flag.StringVar(&tufRootRaw, "tufRootRaw", "", "The raw body of alternate TUF root.json for sigstore. If left blank, public sigstore one is used for cosign verification.")
 }
 
 func initRegistryClientFlags() {

cmd/internal/tuf.go

@@ -14,7 +14,7 @@ func setupSigstoreTUF(ctx context.Context, logger logr.Logger) {
 		return
 	}
 
-	logger = logger.WithName("sigstore-tuf").WithValues("tufroot", tufRoot, "tufmirror", tufMirror)
+	logger = logger.WithName("sigstore-tuf").WithValues("tufRoot", tufRoot, "tufRootRaw", tufRootRaw, "tufMirror", tufMirror)
 	logger.Info("setup tuf client for sigstore...")
 	var tufRootBytes []byte
 	var err error
@@ -23,7 +23,10 @@ func setupSigstoreTUF(ctx context.Context, logger logr.Logger) {
 		if err != nil {
 			checkError(logger, err, fmt.Sprintf("Failed to read alternate TUF root file %s : %v", tufRoot, err))
 		}
+	} else if tufRootRaw != "" {
+		tufRootBytes = []byte(tufRootRaw)
 	}
+
 	logger.Info("Initializing TUF root")
 	if err := tuf.Initialize(ctx, tufMirror, tufRootBytes); err != nil {
 		checkError(logger, err, fmt.Sprintf("Failed to initialize TUF client from %s : %v", tufRoot, err))