update agent k8s workloadattestor to use new sigstore.Verifier.

Signed-off-by: Edwin Buck <edwbuck@gmail.com>
spiffe · Aug 21, 2024 · ab60481 · ab60481
1 parent 26501da
commit ab60481
Showing 1 changed file with 10 additions and 4 deletions.
diff --git a/pkg/agent/plugin/workloadattestor/k8s/k8s.go b/pkg/agent/plugin/workloadattestor/k8s/k8s.go
@@ -157,6 +157,7 @@ type k8sConfig struct {
 	ReloadInterval             time.Duration
 	DisableContainerSelectors  bool
 	ContainerHelper            ContainerHelper
+	sigstoreConfig             *sigstore.Config
 
 	Client     *kubeletClient
 	LastReload time.Time
@@ -228,6 +229,11 @@ func (p *Plugin) buildConfig(coreConfig catalog.CoreConfig, hclText string, stat
 	// Determine the node name
 	nodeName := p.getNodeName(newConfig.NodeName, newConfig.NodeNameEnv)
 
+	var sigstoreConfig *sigstore.Config
+	if newConfig.Experimental.Sigstore != nil {
+		sigstoreConfig = sigstore.NewConfigFromHCL(newConfig.Experimental.Sigstore, p.log)
+	}
+
 	// return the kubelet client
 	return &k8sConfig{
 		Secure:                     secure,
@@ -244,6 +250,7 @@ func (p *Plugin) buildConfig(coreConfig catalog.CoreConfig, hclText string, stat
 		ReloadInterval:             reloadInterval,
 		DisableContainerSelectors:  newConfig.DisableContainerSelectors,
 		ContainerHelper:            containerHelper,
+		sigstoreConfig:             sigstoreConfig,
 	}
 }
 
@@ -395,7 +402,7 @@ func (p *Plugin) Attest(ctx context.Context, req *workloadattestorv1.AttestReque
 	}
 }
 
-func (p *Plugin) Configure(_ context.Context, req *configv1.ConfigureRequest) (resp *configv1.ConfigureResponse, err error) {
+func (p *Plugin) Configure(ctx context.Context, req *configv1.ConfigureRequest) (resp *configv1.ConfigureResponse, err error) {
 	newConfig, _, err := pluginconf.Build(req, p.buildConfig)
 	if err != nil {
 		return nil, err
@@ -406,9 +413,8 @@ func (p *Plugin) Configure(_ context.Context, req *configv1.ConfigureRequest) (r
 	}
 
 	var sigstoreVerifier sigstore.Verifier
-	if config.Experimental.Sigstore != nil {
-		cfg := sigstore.NewConfigFromHCL(config.Experimental.Sigstore, p.log)
-		verifier := sigstore.NewVerifier(cfg)
+	if newConfig.sigstoreConfig != nil {
+		verifier := sigstore.NewVerifier(newConfig.sigstoreConfig)
 		err = verifier.Init(ctx)
 		if err != nil {
 			return nil, status.Errorf(codes.InvalidArgument, "error initializing sigstore verifier: %v", err)