From f05d86d3758f3625694b64d5462d3c48aba0295c Mon Sep 17 00:00:00 2001
From: Jim Bugwadia
Date: Wed, 11 May 2022 21:16:15 -0700
Subject: [PATCH] cherry-pick #3893 (#3895)

---
 charts/kyverno/README.md | 1 +
 charts/kyverno/templates/deployment.yaml | 8 ++++++++
 charts/kyverno/values.yaml | 3 +++
 cmd/kyverno/main.go | 7 ++++++-
 pkg/cosign/init.go | 16 ++++++++++++++++
 pkg/webhooks/server.go | 4 ++--
 6 files changed, 36 insertions(+), 3 deletions(-)
 create mode 100644 pkg/cosign/init.go

diff --git a/charts/kyverno/README.md b/charts/kyverno/README.md
index eabdac9bb2..b71620cfd5 100644
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@@ -136,6 +136,7 @@ The command removes all the Kubernetes components associated with the chart and
 | networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
 | webhooksCleanup.enable | bool | `false` | Create a helm pre-delete hook to cleanup webhooks. |
 | webhooksCleanup.image | string | `"bitnami/kubectl:latest"` | `kubectl` image to run commands for deleting webhooks. |
+| tufRootMountPath | string | `"/.sigstore"` | A writable volume to use for the TUF root initialization |
 
 ## TLS Configuration
 
diff --git a/charts/kyverno/templates/deployment.yaml b/charts/kyverno/templates/deployment.yaml
index 69b27e474b..a5c42bb2ce 100644
--- a/charts/kyverno/templates/deployment.yaml
+++ b/charts/kyverno/templates/deployment.yaml
@@ -127,6 +127,8 @@ spec:
 fieldPath: metadata.name
 - name: KYVERNO_SVC
 value: {{ template "kyverno.serviceName" . }}
+ - name: TUF_ROOT
+ value: {{ .Values.tufRootMountPath }}
 {{- with .Values.envVars }}
 {{- toYaml . | nindent 10 }}
 {{- end }}
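Review bot: The new `TUF_ROOT` entry renders `.Values.tufRootMountPath` unquoted, so an override that YAML does not read as a string, or an empty value, yields an invalid `value:` field for the env var; `value: {{ .Values.tufRootMountPath | quote }}` keeps it a string for any override. The same value is also used for the mount path added further down in this file, so keeping both derived from the one chart value, as this hunk does, is the right shape. The container spec this env block belongs to starts before the hunk.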
@@ -138,3 +140,9 @@ spec:
 {{- with .Values.readinessProbe }}
 readinessProbe: {{ tpl (toYaml .) $ | nindent 12 }}
 {{- end }}
+ volumeMounts:
+ - mountPath: {{ .Values.tufRootMountPath }}
+ name: sigstore
+ volumes:
+ - name: sigstore
+ emptyDir: {}
\ No newline at end of file
diff --git a/charts/kyverno/values.yaml b/charts/kyverno/values.yaml
index 0cd2924ddd..87baaad6be 100644
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@@ -373,3 +373,6 @@ webhooksCleanup:
 enable: false
 # -- `kubectl` image to run commands for deleting webhooks.
 image: bitnami/kubectl:latest
+
+# -- A writable volume to use for the TUF root initialization
+tufRootMountPath: /.sigstore
diff --git a/cmd/kyverno/main.go b/cmd/kyverno/main.go
index 02d9a417c2..783df8079e 100755
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@@ -370,7 +370,7 @@ func main() {
 // webhookconfigurations are registered by the leader only
 webhookRegisterLeader, err := leaderelection.New("webhook-register", config.KyvernoNamespace, kubeClient, registerWebhookConfigurations, nil, log.Log.WithName("webhookRegister/LeaderElection"))
 if err != nil {
- setupLog.Error(err, "failed to elector leader")
+ setupLog.Error(err, "failed to elect a leader")
 os.Exit(1)
 }
 
@@ -386,6 +386,11 @@ func main() {
 os.Exit(1)
 }
 
+ if err := cosign.Init(); err != nil {
+ setupLog.Error(err, "initialization failed")
+ os.Exit(1)
+ }
+
 // WEBHOOK
 // - https server to provide endpoints called based on rules defined in Mutating & Validation webhook configuration
 // - reports the results based on the response from the policy engine:
diff --git a/pkg/cosign/init.go b/pkg/cosign/init.go
new file mode 100644
index 0000000000..be557b35f2
--- /dev/null
+++ b/pkg/cosign/init.go
@@ -0,0 +1,16 @@
+package cosign
+
+import (
+ "fmt"
+
+ "github.com/sigstore/cosign/cmd/cosign/cli/fulcio"
+)
+
+func Init() error {
+ certs := fulcio.GetRoots()
+ if certs == nil {
+ return fmt.Errorf("failed to initialize Fulcio roots")
+ }
+
+ return nil
+}
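Review bot: The `sigstore` volume is an `emptyDir: {}` with no `sizeLimit`, so whatever cosign writes under `tufRootMountPath` is bounded only by the node's ephemeral storage; `emptyDir:` with a `sizeLimit:` (for example `sizeLimit: 100Mi`, a constructed value) caps it and lets the kubelet evict the pod instead of the node filling up. The `volumeMounts:` and `volumes:` keys are appended unconditionally at the end of the template, which will produce duplicate keys if this template ever gains other mounts or an operator adds them through values, so they are better emitted as list sections that further entries can join. The final added line also drops the file's trailing newline, which the `\ No newline at end of file` marker records.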
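Review bot: The message logged when the new `cosign.Init()` call fails, `"initialization failed"`, does not say what failed, unlike the other exits in this function which name the component; `setupLog.Error(err, "failed to initialize cosign")` keeps the log line attributable. Exiting here makes controller start-up depend on the Fulcio root initialization succeeding, which presumably means reaching the Sigstore TUF mirror from the pod on every start, since the root directory is an `emptyDir`; failing closed is a defensible choice for signature verification, but a comment such as `// Fail fast: image signature verification cannot work without the Fulcio roots.` would make clear it is intentional rather than an accidental hard dependency. `main` starts and ends outside this hunk.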
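Review bot: `fmt.Errorf("failed to initialize Fulcio roots")` carries no format verbs, so `errors.New` is the right constructor (staticcheck flags this), and the `certs` local exists only for the nil test; `if fulcio.GetRoots() == nil { return errors.New("failed to initialize Fulcio roots") }` with the `fmt` import swapped for `errors` says the same in two lines. Because `fulcio.GetRoots()` returns only the pool, the underlying cause of a nil result is lost at this boundary; if the cosign version in use exposes an error-returning variant of the root initializer, prefer it so the operator sees why the roots could not be loaded. The exported `Init` also lacks a doc comment: `// Init loads the Fulcio root certificates that image signature verification relies on and returns an error if none could be obtained.`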
diff --git a/pkg/webhooks/server.go b/pkg/webhooks/server.go
index e57af9c2ed..b0534f48f9 100644
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@@ -161,8 +161,8 @@ func NewWebhookServer(
 Addr: ":9443", // Listen on port for HTTPS requests
 TLSConfig: &tls.Config{Certificates: []tls.Certificate{pair}, MinVersion: tls.VersionTLS12},
 Handler: mux,
- ReadTimeout: 15 * time.Second,
- WriteTimeout: 15 * time.Second,
+ ReadTimeout: 30 * time.Second,
+ WriteTimeout: 30 * time.Second,
 }
 return ws, nil
 }
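Review bot: The two `30 * time.Second` literals are unexplained magic numbers that must stay in step with each other and, presumably, with the admission webhook `timeoutSeconds` the chart registers (the API server caps that value at 30s, so the server now gives up at about the same moment the API server does); a named constant used for both fields, `const webhookTimeout = 30 * time.Second // keep in step with the registered admission webhook timeoutSeconds`, keeps that relationship visible. Doubling the read/write deadlines also holds each slow client connection twice as long as before, and no `IdleTimeout` is visible in the hunk, so if the struct literal does not set one elsewhere it now inherits the 30s `ReadTimeout` and may be worth setting explicitly. `NewWebhookServer` starts before this hunk.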