sigstore / helm-charts

Helm charts for sigstore project

[cosigned] Read-only filesystem when deploying cosigned with Helm chart

oliviergaumond opened this issue

Description

When deploying cosigned with the current version of the Helm chart (0.1.13), the filesystem is read-only and no volumes are mounted. Therefore, errors are generated at run-time when the webhook tries to download artifacts and store them in a local cache.

Sample error output

http: panic serving 192.168.172.222:43852: creating root cert pool: retrieving trusted root; local cache may be corrupt: creating cached local store: mkdir /.sigstore: read-only file system\n
http: panic serving 192.168.172.222:44176: initializing tuf: updating local metadata and targets: creating targets dir: mkdir /.sigstore: read-only file system
level=info msg=\"Could not save cache\" error=\"open /.ecr/.config.json.tmp1353667686: no such file or directory

Expected behavior
The Helm chart should mount emptyDir volumes to allow writing to the local cache folders:

  • /.sigstore
  • /.ecr

Note: the /.ecr folder is specific to retrieving images from ECR; we should check if other repositories need different directories.

I am closing this issue; it is no longer affecting us. Please feel free to re-open it.
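
The expected behavior described in the issue, written out as a Deployment manifest. This is an added example, not the sigstore chart's own template or a comment from the thread: the resource name, labels, image reference, volume names and size limits are placeholders, and it assumes the read-only root comes from `readOnlyRootFilesystem: true`, which stays enabled so that only the two cache paths from the issue become writable.

```yaml
# Added illustration; not taken from the sigstore helm-charts repository.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cosigned-webhook                  # hypothetical name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cosigned-webhook               # hypothetical label
  template:
    metadata:
      labels:
        app: cosigned-webhook
    spec:
      containers:
        - name: webhook
          image: registry.example/cosigned:PLACEHOLDER   # placeholder image reference
          securityContext:
            # Assumed cause of "mkdir /.sigstore: read-only file system".
            # Kept on: the root filesystem stays immutable.
            readOnlyRootFilesystem: true
          volumeMounts:
            # TUF metadata and trusted-root cache (first two errors in the issue)
            - name: sigstore-cache
              mountPath: /.sigstore
            # ECR credential helper cache ("Could not save cache" in the issue)
            - name: ecr-cache
              mountPath: /.ecr
      volumes:
        - name: sigstore-cache
          emptyDir:
            sizeLimit: 64Mi               # constructed value; bounds what the cache can consume
        - name: ecr-cache
          emptyDir:
            sizeLimit: 16Mi               # constructed value
```

Both volumes are `emptyDir`, so the caches are discarded whenever the pod is rescheduled and are rebuilt on the next request.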