cherry-pick #3893 (#3895)

charts/kyverno/README.md

@@ -136,6 +136,7 @@ The command removes all the Kubernetes components associated with the chart and
 | networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
 | webhooksCleanup.enable | bool | `false` | Create a helm pre-delete hook to cleanup webhooks. |
 | webhooksCleanup.image | string | `"bitnami/kubectl:latest"` | `kubectl` image to run commands for deleting webhooks. |
+| tufRootMountPath | string | `"/.sigstore"` | A writable volume to use for the TUF root initialization |
 
 ## TLS Configuration
 

charts/kyverno/templates/deployment.yaml

@@ -127,6 +127,8 @@ spec:
                 fieldPath: metadata.name
           - name: KYVERNO_SVC
             value: {{ template "kyverno.serviceName" . }}
+          - name: TUF_ROOT
+            value: {{ .Values.tufRootMountPath }}
           {{- with .Values.envVars }}
           {{- toYaml . | nindent 10 }}
           {{- end }}
@@ -138,3 +140,9 @@ spec:
         {{- with .Values.readinessProbe }}
           readinessProbe: {{ tpl (toYaml .) $ | nindent 12 }}
         {{- end }}
+          volumeMounts:
+            - mountPath: {{ .Values.tufRootMountPath }}
+              name: sigstore
+      volumes:
+      - name: sigstore
+        emptyDir: {}

charts/kyverno/values.yaml

@@ -373,3 +373,6 @@ webhooksCleanup:
   enable: false
   # -- `kubectl` image to run commands for deleting webhooks.
   image: bitnami/kubectl:latest
+
+# -- A writable volume to use for the TUF root initialization
+tufRootMountPath: /.sigstore

cmd/kyverno/main.go

@@ -370,7 +370,7 @@ func main() {
 	// webhookconfigurations are registered by the leader only
 	webhookRegisterLeader, err := leaderelection.New("webhook-register", config.KyvernoNamespace, kubeClient, registerWebhookConfigurations, nil, log.Log.WithName("webhookRegister/LeaderElection"))
 	if err != nil {
-		setupLog.Error(err, "failed to elector leader")
+		setupLog.Error(err, "failed to elect a leader")
 		os.Exit(1)
 	}
 
@@ -386,6 +386,11 @@ func main() {
 		os.Exit(1)
 	}
 
+	if err := cosign.Init(); err != nil {
+		setupLog.Error(err, "initialization failed")
+		os.Exit(1)
+	}
+
 	// WEBHOOK
 	// - https server to provide endpoints called based on rules defined in Mutating & Validation webhook configuration
 	// - reports the results based on the response from the policy engine:

pkg/cosign/init.go

@@ -0,0 +1,16 @@
+package cosign
+
+import (
+	"fmt"
+
+	"github.com/sigstore/cosign/cmd/cosign/cli/fulcio"
+)
+
+func Init() error {
+	certs := fulcio.GetRoots()
+	if certs == nil {
+		return fmt.Errorf("failed to initialize Fulcio roots")
+	}
+
+	return nil
+}

pkg/webhooks/server.go

@@ -161,8 +161,8 @@ func NewWebhookServer(
 		Addr:         ":9443", // Listen on port for HTTPS requests
 		TLSConfig:    &tls.Config{Certificates: []tls.Certificate{pair}, MinVersion: tls.VersionTLS12},
 		Handler:      mux,
-		ReadTimeout:  15 * time.Second,
+		ReadTimeout:  30 * time.Second,
-		WriteTimeout: 15 * time.Second,
+		WriteTimeout: 30 * time.Second,
 	}
 	return ws, nil
 }