Add cosign initialize as an init container to initialize TUF.

[vaikas]

Signed-off-by: Ville Aikas vaikas@chainguard.dev

Summary

Release Note

Documentation

• Policy Controller now uses TUF root that gets initialized in an init container.

[codecov-commenter]

Codecov Report

Merging #157 (30f5a19) into main (9a4d6cc) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main     #157   +/-   ##
=======================================
  Coverage   63.40%   63.40%           
=======================================
  Files          26       26           
  Lines        2350     2350           
=======================================
  Hits         1490     1490           
  Misses        782      782           
  Partials       78       78           

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[vaikas]

Hm, so cosign initialize is failing, but looks right to me:

cosign initialize --mirror http://tuf.tuf-system.172.18.255.1.sslip.io/ --root ./root.json

+ cosign initialize --mirror http://tuf.tuf-system.172.18.255.1.sslip.io/ --root ./root.json
Error: creating cached local store: stat root.json/tuf.db: not a directory
main.go:62: error during command execution: creating cached local store: stat root.json/tuf.db: not a directory
Error: Process completed with exit code 1.

[vaikas]

Ahaha, the TUF_ROOT env variable is used by sigstore/sigstore TUF to figure out where the root lives. Argh, that means I have to do some mungery until I can fix that in scaffolding.

[vaikas]

Actually, after looking more deeply at how cosign does it, I do wonder if I should actually use the code from sigstore/sigstore/tuf directly and not bake in the init container. Please hold up on merging. I'll create a different PR to see if it makes more sense.