Set timeout for cosgin verification

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
This commit is contained in:
Stefan Prodan 2022-09-13 18:08:29 +03:00
parent 697f260dba
commit 7c72acc5b0
No known key found for this signature in database
GPG Key ID: 3299AEB0E4085BAF
1 changed files with 68 additions and 68 deletions


@ -503,8 +503,9 @@ func (r *OCIRepositoryReconciler) reconcileSource(ctx context.Context, obj *sour
// verifyOCISourceSignature verifies the authenticity of the given image reference url. First, it tries to keyful approach
// by looking at whether the given secret exists. Then, if it does not exist, it pushes a keyless approach for verification.
func (r *OCIRepositoryReconciler) verifyOCISourceSignature(ctx context.Context, obj *sourcev1.OCIRepository, url string, keychain authn.Keychain) error {
// Verify the image
if obj.Spec.Verify != nil {
ctxTimeout, cancel := context.WithTimeout(ctx, obj.Spec.Timeout.Duration)
defer cancel()
provider := obj.Spec.Verify.Provider
switch provider {
case "cosign":
@ -513,7 +514,7 @@ func (r *OCIRepositoryReconciler) verifyOCISourceSignature(ctx context.Context,
defaultCosignOciOpts := []soci.Options{
soci.WithAuthnKeychain(keychain),
soci.WithContext(ctx),
soci.WithContext(ctxTimeout),
}
ref, err := name.ParseReference(url)
@ -528,7 +529,7 @@ func (r *OCIRepositoryReconciler) verifyOCISourceSignature(ctx context.Context,
}
var pubSecret corev1.Secret
if err := r.Get(ctx, certSecretName, &pubSecret); err != nil {
if err := r.Get(ctxTimeout, certSecretName, &pubSecret); err != nil {
return err
}
@ -556,8 +557,7 @@ func (r *OCIRepositoryReconciler) verifyOCISourceSignature(ctx context.Context,
}
if !signatureVerified {
ctrl.LoggerFrom(ctx).Error(err, "none of the keys in the secret %s succeeded to verify for the image %s", secretRef.Name)
return fmt.Errorf("no matching signatures were found for the image %s", url)
return fmt.Errorf("no matching signatures were found for '%s'", url)
}
return nil
@ -569,7 +569,7 @@ func (r *OCIRepositoryReconciler) verifyOCISourceSignature(ctx context.Context,
return err
}
signatures, _, err := verifier.VerifyImageSignatures(ctx, ref)
signatures, _, err := verifier.VerifyImageSignatures(ctxTimeout, ref)
if err != nil {
return err
}
@ -580,7 +580,7 @@ func (r *OCIRepositoryReconciler) verifyOCISourceSignature(ctx context.Context,
}
return nil
}
}
return nil
}
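Review bot: The new `ctxTimeout, cancel := context.WithTimeout(ctx, obj.Spec.Timeout.Duration)` dereferences `obj.Spec.Timeout` without a guard; the field's type is not visible here, but if it is a pointer-typed optional duration (as optional durations in these CRDs usually are), an object admitted without the schema default would panic the reconciler instead of failing verification, and a zero duration yields an already-expired context so every cosign call and the `r.Get(ctxTimeout, ...)` secret lookup fail with a context error rather than an actionable message. If it is a pointer, a guard before the switch such as `if obj.Spec.Timeout == nil || obj.Spec.Timeout.Duration <= 0 { return fmt.Errorf("spec.timeout must be a positive duration for signature verification") }` keeps the path fail-closed with a clear error; otherwise only the `<= 0` half applies. On the new `return fmt.Errorf("no matching signatures were found for '%s'", url)`, `%q` is the idiomatic quoting and escapes the URL. verifyOCISourceSignature opens in the first hunk and closes on the last line shown, so the intermediate hunks cut through its body.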