fix: disables TUF by default (#8509)

2025-03-31 03:45:17 +00:00 · 2023-09-22 14:32:57 +05:30 · 2023-09-22 14:32:57 +05:30 · d4d5d751b1
commit d4d5d751b1
parent a043325237
6 changed files with 14 additions and 1 deletions
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@ -315,6 +315,7 @@ The chart values are organised per component.
 | features.registryClient.credentialHelpers | list | `["default","google","amazon","azure","github"]` | Enable registry client helpers |
 | features.reports.chunkSize | int | `1000` | Reports chunk size |
 | features.ttlController.reconciliationInterval | string | `"1m"` | Reconciliation interval for the label based cleanup manager |
+| features.tuf.enable | bool | `false` | Enable tuf |
 | features.tuf.root | string | `nil` | Tuf root |
 | features.tuf.mirror | string | `nil` | Tuf mirror |

--- a/charts/kyverno/templates/_helpers.tpl
+++ b/charts/kyverno/templates/_helpers.tpl
@ -75,6 +75,9 @@
  {{- $flags = append $flags (print "--ttlReconciliationInterval=" .reconciliationInterval) -}}
 {{- end -}}
 {{- with .tuf -}}
+  {{- with .enable -}}
+    {{- $flags = append $flags (print "--enableTuf=" .) -}}
+  {{- end -}}
  {{- with .mirror -}}
    {{- $flags = append $flags (print "--tufMirror=" .) -}}
  {{- end -}}
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@ -448,6 +448,8 @@ features:
    # -- Reconciliation interval for the label based cleanup manager
    reconciliationInterval: 1m
  tuf:
+    # -- Enable tuf
+    enable: false
    # -- Tuf root
    root:
    # -- Tuf mirror
--- a/cmd/internal/flag.go
+++ b/cmd/internal/flag.go
@ -39,6 +39,7 @@ var (
 	enableConfigMapCaching bool
 	// cosign
 	imageSignatureRepository string
+	enableTUF                bool
 	tufMirror                string
 	tufRoot                  string
 	// registry client
@ -101,7 +102,8 @@ func initDeferredLoadingFlags() {

 func initCosignFlags() {
 	flag.StringVar(&imageSignatureRepository, "imageSignatureRepository", "", "(DEPRECATED, will be removed in 1.12) Alternate repository for image signatures. Can be overridden per rule via `verifyImages.Repository`.")
-	flag.StringVar(&tufMirror, "tufMirror", tuf.DefaultRemoteRoot, "Alternate TUF mirror for sigstore. If left blank, public sigstore one is used for cosign verification..")
+	flag.BoolVar(&enableTUF, "enableTuf", false, "enable tuf for private sigstore deployments")
+	flag.StringVar(&tufMirror, "tufMirror", tuf.DefaultRemoteRoot, "Alternate TUF mirror for sigstore. If left blank, public sigstore one is used for cosign verification.")
 	flag.StringVar(&tufRoot, "tufRoot", "", "Alternate TUF root.json for sigstore. If left blank, public sigstore one is used for cosign verification.")
 }

--- a/cmd/internal/tuf.go
+++ b/cmd/internal/tuf.go
@ -10,6 +10,10 @@ import (
 )

 func setupSigstoreTUF(ctx context.Context, logger logr.Logger) {
+	if !enableTUF {
+		return
+	}
+
 	logger = logger.WithName("sigstore-tuf").WithValues("tufroot", tufRoot, "tufmirror", tufMirror)
 	logger.Info("setup tuf client for sigstore...")
 	var tufRootBytes []byte
--- a/scripts/config/custom-sigstore/kyverno.yaml
+++ b/scripts/config/custom-sigstore/kyverno.yaml
@ -1,5 +1,6 @@
 features:
  tuf:
+    enable: true
    root: "$(TUF_MIRROR)/root.json"
    mirror: "$(TUF_MIRROR)"