add configurable sigstore volume (#6211)

Signed-off-by: André Bauer <andre.bauer@staffbase.com> Co-authored-by: Charles-Edouard Brétéché <charled.breteche@gmail.com>
2025-03-31 03:45:17 +00:00 · 2023-02-03 17:00:39 +01:00 · 2023-02-03 17:00:39 +01:00 · e0c9d8b087
commit e0c9d8b087
parent d03ad5deb1
4 changed files with 8 additions and 5 deletions
--- a/charts/kyverno/Chart.yaml
+++ b/charts/kyverno/Chart.yaml
@ -26,7 +26,5 @@ annotations:
      url: https://kyverno.io/docs
  # valid kinds are: added, changed, deprecated, removed, fixed and security
  artifacthub.io/changes: |
-    - kind: changed
-      description: Syntax change for webhooksCleanup switch to match with the rest of the file
-    - kind: fixed
-      description: Handle multiple extraArgs in init container
+    - kind: added
+      description: make sigstore volume configurable
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@ -242,6 +242,7 @@ The command removes all the Kubernetes components associated with the chart and
 | webhooksCleanup.enabled | bool | `false` | Create a helm pre-delete hook to cleanup webhooks. |
 | webhooksCleanup.image | string | `"bitnami/kubectl:latest"` | `kubectl` image to run commands for deleting webhooks. |
 | tufRootMountPath | string | `"/.sigstore"` | A writable volume to use for the TUF root initialization. |
+| sigstoreVolume | object | `{"emptyDir":{}}` | Volume to be mounted in pods for TUF/cosign work. |
 | grafana.enabled | bool | `false` | Enable grafana dashboard creation. |
 | grafana.configMapName | string | `"{{ include \"kyverno.fullname\" . }}-grafana"` | Configmap name template. |
 | grafana.namespace | string | `nil` | Namespace to create the grafana dashboard configmap. If not set, it will be created in the same namespace where the chart is deployed. |
--- a/charts/kyverno/templates/admission-controller/deployment.yaml
+++ b/charts/kyverno/templates/admission-controller/deployment.yaml
@ -177,7 +177,7 @@ spec:
              name: api-token
      volumes:
      - name: sigstore
-        emptyDir: {}
+        {{- toYaml (required "A valid .Values.sigstoreVolume entry is required" .Values.sigstoreVolume) | nindent 8 }}
      - name: api-token
        projected:
          sources:
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@ -493,6 +493,10 @@ webhooksCleanup:
 # -- A writable volume to use for the TUF root initialization.
 tufRootMountPath: /.sigstore

+# -- Volume to be mounted in pods for TUF/cosign work.
+sigstoreVolume:
+  emptyDir: {}
+
 grafana:
  # -- Enable grafana dashboard creation.
  enabled: false