fix(signing): add writable volume for TUF cache in distroless container#1736
fix(signing): add writable volume for TUF cache in distroless container#1736ab-ghosh wants to merge 1 commit into
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
/retest |
1 similar comment
|
/retest |
| secret: | ||
| secretName: signing-secrets | ||
| - name: sigstore-cache | ||
| emptyDir: {} |
There was a problem hiding this comment.
Consider using medium: Memory with a size cap for this volume:
- name: sigstore-cache
emptyDir:
medium: Memory
sizeLimit: 50Mi
The TUF cache only holds public metadata (root.json, tuf.db, targets), a few MB at most.
Memory-backed tmpfs means that data never touches the node's disk, so there are no
forensic traces on the node after the pod is deleted. It also evicts instantly on pod
termination rather than waiting for the kubelet GC cycle.
The tradeoff is that it counts against the pod's memory limit, but 50Mi is well within
normal headroom for a controller pod. Not a blocker, just a hardening suggestion.
There was a problem hiding this comment.
Thank you, acknowledged. Added medium: Memory with sizeLimit: 50Mi
| - name: sigstore-cache | ||
| mountPath: /home/nonroot | ||
| env: | ||
| - name: HOME |
There was a problem hiding this comment.
Setting HOME works correctly here since os.UserHomeDir() reads $HOME, but a better alternative would be to set TUF_ROOT directly:
- name: TUF_ROOT
value: /home/nonroot/.sigstore/root
The sigstore TUF library checks TUF_ROOT before falling back to $HOME/.sigstore/root
(see vendor/github.com/sigstore/sigstore/pkg/tuf/client.go rootCacheDir()).
Using TUF_ROOT scopes the change precisely to TUF cache behaviour without altering the process-wide HOME for any other library or future code path that might also write to it.
Either approach is safe. Please check this option so that we could limit the impact specific to TUF Cache.
There was a problem hiding this comment.
Thank you for the suggestion, switched to TUF_ROOT, much cleaner since it scopes the change precisely to TUF cache behavior without any process-wide side effects. Updated the test to reflect this as well.
0f56f91 to
557a7a5
Compare
When signers.x509.tuf.mirror.url is set to a custom TUF mirror, the sigstore library tries to create a cache directory at $HOME/.sigstore/root. In the Chains distroless container, HOME defaults to "/" and readOnlyRootFilesystem is true, causing "mkdir /.sigstore: read-only file system" and blocking signing. Add an emptyDir volume mounted at /home/nonroot and set HOME to point there, giving the TUF client a writable cache location. Signed-off-by: ab-ghosh <abghosh@redhat.com>
557a7a5 to
8fac634
Compare
Changes
When
signers.x509.tuf.mirror.urlis set to a custom TUF mirror (e.g., one provided by the Trusted Artifact Signer operator), the sigstore TUF library tries to create a cache directory at$HOME/.sigstore/root. In the Chains distroless container,HOMEdefaults to/(user 65532) andreadOnlyRootFilesystem: trueis set, causing:error configuring x509 signer: initialize tuf: creating cached local store: mkdir /.sigstore: read-only file system
This blocks artifact signing when using private sigstore deployments.
Fix: Add an
emptyDirvolume (sigstore-cache) mounted at/home/nonrootand setHOME=/home/nonroot, giving the TUF client a writable cache location.The default TUF mirror (
https://tuf-repo-cdn.sigstore.dev) is unaffected since it skips TUF initialization entirely (trust root is embedded in the binary).Testing:
read-only file systemerror is gone after the fixSubmitter Checklist
As the author of this PR, please check off the items in this checklist:
functionality, content, code)
Release Notes