Commit Graph

25 Commits

Author SHA1 Message Date
Soule BA b30404fff1
Bind cached helm index to the maximum index size
Signed-off-by: Soule BA <bah.soule@gmail.com>
2024-04-22 17:02:33 +02:00
JasonTheDeveloper 553945ab8e Add verification support for notation signed artifacts
Introduces a new verification provider `notation` to verify notation signed artifacts. Currently only cosign is supported and that is a problem if the end user utilises notation.

---------

Signed-off-by: Jason <jagoodse@microsoft.com>
Signed-off-by: JasonTheDeveloper <jagoodse@microsoft.com>
Signed-off-by: Jagpreet Singh Tamber <jagpreetstamber@gmail.com>
Co-authored-by: souleb <bah.soule@gmail.com>
Co-authored-by: Jagpreet Singh Tamber <jagpreetstamber@gmail.com>
Co-authored-by: Sunny <github@darkowlzz.space>
2024-03-26 21:32:23 +11:00
Somtochi Onyekwere 1aa9cf2219 archive helm index in JSON format
Signed-off-by: Somtochi Onyekwere <somtochionyekwere@gmail.com>
2023-08-07 16:10:03 +02:00
Hidde Beydals b2da6f0647
api: Remove deprecated `Checksum` from `Artifact`
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
2023-03-24 11:56:12 +01:00
Hidde Beydals c712fede57 internal/helm: del deprecated ChartRepo#Revision
Signed-off-by: Hidde Beydals <hello@hidde.co>
2023-02-22 23:35:21 +01:00
Hidde Beydals c0a1099719 helm: only use Digest to calculcate index revision
In #1001 bits around the Helm repository reconciliation logic were
rewritten, mostly based on the documented behavior instead of the
actual code. This resulted in the reintroduction of a YAML marshal of
the (sorted) index YAML instead of reliance of just the checksum of the
file.

This to take situations into account in which a repository would e.g.
provide a new random order on every generation. However, this approach
is (extremely) expensive as the marshal goes through a JSON -> YAML
loop, eating lots of RAM in the process.

As the further (silently) introduced behavior has not resulted in any
reported issues, I deem this approach safe and better than e.g.
encoding to just JSON which would still require a substantial amount of
memory.

Signed-off-by: Hidde Beydals <hello@hidde.co>
2023-02-22 23:33:59 +01:00
Somtochi Onyekwere 6f0384c50e Normalize path in url
Signed-off-by: Somtochi Onyekwere <somtochionyekwere@gmail.com>
2023-02-15 03:54:18 +01:00
Hidde Beydals 0aaeeee5e9 controllers: RFC-0005 fmt for HelmRepository rev
This includes changes to the `ChartRepository`, to allow calculating
the revision and digest and tidy things.

In addition, the responsibility of caching the `IndexFile` has been
moved to the reconcilers. As this allowed to remove a lot of
complexities within the `ChartRepository`, and prevented passing on
the cache in general.

Change `HelmRepository`'s Revision to digest

Signed-off-by: Hidde Beydals <hello@hidde.co>
2023-02-14 12:48:36 +01:00
Hidde Beydals 909ece4092 helm: use digest lib for checksum calculation
Signed-off-by: Hidde Beydals <hello@hidde.co>
2023-02-14 12:48:36 +01:00
Sunny 869a9df6e9 helm: return ErrExternal when loading index fails
Loading index can fail due to network error. Return ErrExternal typed
error for it.

Signed-off-by: Sunny <darkowlzz@protonmail.com>
2022-12-19 16:12:39 +05:30
Sunny 8018b450a1 helm: typed errors from GetChartVersion()
Update the implementations of the helm repository downloaders to return
implementation specific typed error from GetChartVersion(). This is
needed to distinguish between persistent build error and transient build
error.
In the case of OCI charts, a transient network failure shouldn't be
considered a persistent build failure of the chart and should be
retried.

Two repository errors, ErrReference and ErrExternal are introduced for
the repository downloader implementations to provide enough context
about the failure which can be used by the caller to add appropriate
context as per the needs. In case of chart builder, it adds the build
error context based on the repository error value.

Signed-off-by: Sunny <darkowlzz@protonmail.com>
2022-12-19 16:12:39 +05:30
Soule BA 06a55590a5
Fix verification condition
Delete a failed verification condition at the beginning of the source
reconciliation and set `SourceVerifiedCondition` to false approprietly.

Set the `BuildOptions.Verify` to true as long as Verify is enabled in the
API fields.

Signed-off-by: Soule BA <soule@weave.works>
2022-10-21 15:21:10 +02:00
Soule BA 25673ac512
addressing review comments
Signed-off-by: Soule BA <soule@weave.works>
2022-10-21 10:00:08 +02:00
Soule BA 0e97547eeb
implement Cosign verification for HelmCharts
If implemented, users will be able to enable chart verification for OCI
based helm charts.

Signed-off-by: Soule BA <soule@weave.works>
2022-10-21 10:00:08 +02:00
Soule BA 361b975bf4
Enable remote dependencies from OCI repositories
If implemented, the source controller will be able to resolve charts
dependencies from OCI repositories.

The remote builder has been refactored as part of this work.

Signed-off-by: Soule BA <soule@weave.works>
2022-07-06 19:11:01 +02:00
Soule BA b402e546bc
Refactor repository logic
Signed-off-by: Soule BA <soule@weave.works>
2022-07-06 19:11:00 +02:00
Paulo Gomes 009504b294 helm: optimise repository index loading
Avoid validating (and thus loading) indexes if the checksum already exists in storage.
In other words, if the YAML is identical to the Artifact in storage, the reconciliation should
be a no-op, and therefore can short-circuit long/heavy operations.

Co-authored-by: Hidde Beydals <hello@hidde.co>
Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
2022-04-25 17:00:27 +02:00
Soule BA 0df8dcccec
Enable dependency manager to use in memory cache
If implemented this will:
- enable the helmCharts dependency manager to use the helm in memry
  cache to retrieve reconciled HelmRepositories indexes.
- record cache events.

Signed-off-by: Soule BA <soule@weave.works>
2022-04-19 11:46:27 +02:00
Paulo Gomes 3819ac37bc
Move TransportPool to its own package
The experimental managed transport can also leverage TransportPool,
moving it to its own package to accommodate that use case.

Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
2022-03-25 19:08:50 +00:00
Paulo Gomes d9d789fdb1
Reuse transport for helm chart download
Reuses the same transport across different helm chart downloads,
whilst resetting the tlsconfig to avoid cross-contamination.

Crypto material is now only processed in-memory and does not
touch the disk.

Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
2022-03-02 13:02:11 +00:00
Hidde Beydals 8aad5520b6 helm: remove temp file name from index cache err
Due to the temporary file having a random suffix, it would result in
the notification-controller not rate limiting the messages as they
are "unique".

For the close error (which also makes use of the name), we keep the
information as it might be of importance to figure out why the close
failed.

Signed-off-by: Hidde Beydals <hello@hidde.co>
2022-01-13 10:54:37 +01:00
Hidde Beydals 2392326ba9 internal/helm: doc block nitpicks
Signed-off-by: Hidde Beydals <hello@hidde.co>
2021-11-19 17:16:20 +01:00
Hidde Beydals dcd5dd3db1 internal/helm: various nitpicks
- Add some more documentation around chart builders
- Ensure correct indentation in some doc comments
- Provide example of using `errors.Is` for typed `BuildError`
- Mention "bytes" in file size limit errors
- Add missing copyright header

Signed-off-by: Hidde Beydals <hello@hidde.co>
2021-11-19 17:04:00 +01:00
Hidde Beydals ef0517372b internal/helm: tweak and test chart build summary
This makes the string less verbose and deals with the safe handling
of some edge-case build states.

Signed-off-by: Hidde Beydals <hello@hidde.co>
2021-11-19 17:04:00 +01:00
Hidde Beydals 7d0f79f41b internal/helm: divide into subpackages
With all the logic that used to reside in the `controllers` package
factored into this package, it became cluttered. This commit tries to
bring a bit more structure in place.

Signed-off-by: Hidde Beydals <hello@hidde.co>
2021-11-19 17:04:00 +01:00