fix: missing volume for sigstore in reports controller (#6726)

Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-03-13 19:28:55 +00:00 · 2023-03-29 22:55:46 +02:00 · 2023-03-29 22:55:46 +02:00 · d13751c8bf
commit d13751c8bf
parent 805f7b72a9
3 changed files with 17 additions and 0 deletions
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@ -397,6 +397,8 @@ The command removes all the Kubernetes components associated with the chart and
 | reportsController.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Security context for the containers |
 | reportsController.podDisruptionBudget.minAvailable | int | `1` | Configures the minimum available pods for disruptions. Cannot be used if `maxUnavailable` is set. |
 | reportsController.podDisruptionBudget.maxUnavailable | string | `nil` | Configures the maximum unavailable pods for disruptions. Cannot be used if `minAvailable` is set. |
+| reportsController.tufRootMountPath | string | `"/.sigstore"` | A writable volume to use for the TUF root initialization. |
+| reportsController.sigstoreVolume | object | `{"emptyDir":{}}` | Volume to be mounted in pods for TUF/cosign work. |
 | reportsController.metricsService.create | bool | `true` | Create service. |
 | reportsController.metricsService.port | int | `8000` | Service port. Metrics server will be exposed at this port. |
 | reportsController.metricsService.type | string | `"ClusterIP"` | Service type. |
--- a/charts/kyverno/templates/reports-controller/deployment.yaml
+++ b/charts/kyverno/templates/reports-controller/deployment.yaml
@ -115,6 +115,8 @@ spec:
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
+          - name: TUF_ROOT
+            value: {{ .Values.reportsController.tufRootMountPath }}
          {{- with .Values.reportsController.resources }}
          resources: {{ tpl (toYaml .) $ | nindent 12 }}
          {{- end }}
@ -122,5 +124,11 @@ spec:
          securityContext:
            {{- toYaml . | nindent 12 }}
          {{- end }}
+          volumeMounts:
+            - mountPath: {{ .Values.reportsController.tufRootMountPath }}
+              name: sigstore
+      volumes:
+      - name: sigstore
+        {{- toYaml (required "A valid .Values.reportsController.sigstoreVolume entry is required" .Values.reportsController.sigstoreVolume) | nindent 8 }}
 {{- end -}}
 {{- end -}}
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@ -1001,6 +1001,13 @@ reportsController:
    # Cannot be used if `minAvailable` is set.
    maxUnavailable:

+  # -- A writable volume to use for the TUF root initialization.
+  tufRootMountPath: /.sigstore
+
+  # -- Volume to be mounted in pods for TUF/cosign work.
+  sigstoreVolume:
+    emptyDir: {}
+
  metricsService:
    # -- Create service.
    create: true