Notify users early if keymanagementprovider resource does not exist

[yizha1]

What would you like to be added?

I configured the cosign verifier with non-existing keymanagementprovider resource, the command kubectl get verifier cosign-verifier indicated a success. However, when I started to deploy an image, the deployment failed as expected. The Ratify log showed the keymanagementprovider resource did not exist.

Anything else you would like to add?

Is it feasible to proactively notify users about configuration issues? In real-world scenarios, typos or other configuration errors can occur. For instance, when users run kubectl get verifier to check the status, everything might appear fine initially. However, these configuration issues may only surface during image deployment. In large-scale deployments, multiple error logs related to the same configuration issue can accumulate, which could be better avoided to conserve cluster resources.

Are you willing to submit PRs to contribute to this feature?

• Yes, I am willing to implement it.

[susanshi]

Verifier and KMPs are reconciled separately, is there a way to guarantee the order?

[susanshi]

Discussion from PR review: We have two options:

1. The verifier would error out if referenced KMP was not found ( so a retry could be triggered)
2. We could print a warning that KMP did not exist, and move on.

[binbin-li]

As we discussed in the PR review meeting, we could also investigate the path that makes KMP reconciler to trigger Verifier reconciliation.