cherry-pick #3893 (#3895)

2025-03-06 16:06:56 +00:00 · 2022-05-11 21:16:15 -07:00 · 2022-05-11 21:16:15 -07:00 · f05d86d375
commit f05d86d375
parent a0eadad77b
6 changed files with 36 additions and 3 deletions
--- a/charts/kyverno/README.md
+++ b/charts/kyverno/README.md
@ -136,6 +136,7 @@ The command removes all the Kubernetes components associated with the chart and
 | networkPolicy.ingressFrom | list | `[]` | A list of valid from selectors according to https://kubernetes.io/docs/concepts/services-networking/network-policies. |
 | webhooksCleanup.enable | bool | `false` | Create a helm pre-delete hook to cleanup webhooks. |
 | webhooksCleanup.image | string | `"bitnami/kubectl:latest"` | `kubectl` image to run commands for deleting webhooks. |
+| tufRootMountPath | string | `"/.sigstore"` | A writable volume to use for the TUF root initialization |

 ## TLS Configuration

--- a/charts/kyverno/templates/deployment.yaml
+++ b/charts/kyverno/templates/deployment.yaml
@ -127,6 +127,8 @@ spec:
                fieldPath: metadata.name
          - name: KYVERNO_SVC
            value: {{ template "kyverno.serviceName" . }}
+          - name: TUF_ROOT
+            value: {{ .Values.tufRootMountPath }}
          {{- with .Values.envVars }}
          {{- toYaml . | nindent 10 }}
          {{- end }}
@ -138,3 +140,9 @@ spec:
        {{- with .Values.readinessProbe }}
          readinessProbe: {{ tpl (toYaml .) $ | nindent 12 }}
        {{- end }}
+          volumeMounts:
+            - mountPath: {{ .Values.tufRootMountPath }}
+              name: sigstore
+      volumes:
+      - name: sigstore
+        emptyDir: {}
--- a/charts/kyverno/values.yaml
+++ b/charts/kyverno/values.yaml
@ -373,3 +373,6 @@ webhooksCleanup:
  enable: false
  # -- `kubectl` image to run commands for deleting webhooks.
  image: bitnami/kubectl:latest
+
+# -- A writable volume to use for the TUF root initialization
+tufRootMountPath: /.sigstore
--- a/cmd/kyverno/main.go
+++ b/cmd/kyverno/main.go
@ -370,7 +370,7 @@ func main() {
 	// webhookconfigurations are registered by the leader only
 	webhookRegisterLeader, err := leaderelection.New("webhook-register", config.KyvernoNamespace, kubeClient, registerWebhookConfigurations, nil, log.Log.WithName("webhookRegister/LeaderElection"))
 	if err != nil {
-		setupLog.Error(err, "failed to elector leader")
+		setupLog.Error(err, "failed to elect a leader")
 		os.Exit(1)
 	}

@ -386,6 +386,11 @@ func main() {
 		os.Exit(1)
 	}

+	if err := cosign.Init(); err != nil {
+		setupLog.Error(err, "initialization failed")
+		os.Exit(1)
+	}
+
 	// WEBHOOK
 	// - https server to provide endpoints called based on rules defined in Mutating & Validation webhook configuration
 	// - reports the results based on the response from the policy engine:
--- a/pkg/cosign/init.go
+++ b/pkg/cosign/init.go
@ -0,0 +1,16 @@
+package cosign
+
+import (
+	"fmt"
+
+	"github.com/sigstore/cosign/cmd/cosign/cli/fulcio"
+)
+
+func Init() error {
+	certs := fulcio.GetRoots()
+	if certs == nil {
+		return fmt.Errorf("failed to initialize Fulcio roots")
+	}
+
+	return nil
+}
--- a/pkg/webhooks/server.go
+++ b/pkg/webhooks/server.go
@ -161,8 +161,8 @@ func NewWebhookServer(
 		Addr:         ":9443", // Listen on port for HTTPS requests
 		TLSConfig:    &tls.Config{Certificates: []tls.Certificate{pair}, MinVersion: tls.VersionTLS12},
 		Handler:      mux,
-		ReadTimeout:  15 * time.Second,
-		WriteTimeout: 15 * time.Second,
+		ReadTimeout:  30 * time.Second,
+		WriteTimeout: 30 * time.Second,
 	}
 	return ws, nil
 }