Closed bkabrda closed 3 months ago
Generally I’m ok with this, but the TUF metadata generated from scaffolding is out of date with other modern Sigstore clients. We need to complete https://github.com/sigstore/scaffolding/issues/1001. I'd like to see that issue completed first rather than proliferate the use of this TUF repo implementation, but I also recognize there’s blocking work to get this done.
Thanks for sharing the link to the trusted root TUF target issue, I wasn't aware of that and I'll definitely go through it.
My aim is to mostly use this TUF server as a "quick preview" service that a user could stand up quickly, hence I didn't dive into any other issues. I think my PR doesn't make the current situation worse, it only allows running the same code outside of k8s. Would that make it good enough to be accepted right now?
> aim is to mostly use this TUF server as a "quick preview" service that a user could stand up quickly
My only worry is that some folks will think this is a reasonable way to setup a real TUF repository. That said I don't think this patch makes things worse
> My only worry is that some folks will think this is a reasonable way to setup a real TUF repository.
I totally see what you mean. I think that could perhaps be fixed by explicitly stating in the README that this is not a production-grade service and maybe also emitting a warning logline saying this when starting the TUF server?
@haydentherapper hi, is there anything specific I can do to help get this PR reviewed? Or should I consider it blocked on the issue you linked?
@bkabrda I'm OK to merge this, I don't want to block y'all, but if you are interested, we'd love some help pushing forward updates in scaffolding around generating modern TUF repos.
@haydentherapper thanks! I was just thinking about the improvements and I think I have a reasonable proposal. I'll open a separate issue to discuss it and CC you on it. I'm happy to work on the implementation of the proposal assuming it will look ok to you.
I opened the proposal for improvements here. It took a little longer than I promised as I was caught up in other things... Anyway, I'd love to hear thoughts on the proposal from both of you - and if it looks good, I would really appreciate if we could get this PR approved and merged. Thanks!
Summary
This PR makes it possible to run the TUF server outside of a k8s environment. Fixes https://github.com/sigstore/scaffolding/issues/716
Context: I'm a member of Red Hat's Trusted Artifact Signer product team and we're trying to make Sigstore work outside of a k8s environment, in a podman-based Ansible deployment. This will allow us to start the simple TUF server in a podman pod.
Release Note
Made it possible to start the TUF server in a non-k8s environment.
Documentation
I don't believe this needs documentation, as the newly added flag is self-explanatory - but do let me know if you think this should be documented somewhere.