Many of the functions in the `conditions` package accept a format string and
(optional) arguments, just like `fmt.Printf` and friends.
In many places, the code passed an error message as the format string, causing
it to be interpreted by the `fmt` package. This leads to issues when the
message contains percent signs, e.g. URL-encoded values.
Consider the following code:
```go
// internal/controller/ocirepository_controller.go
revision, err := r.getRevision(ref, opts)
if err != nil {
e := serror.NewGeneric(
fmt.Errorf("failed to determine artifact digest: %w", err),
ociv1.OCIPullFailedReason,
)
conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, e.Reason, e.Err.Error())
return sreconcile.ResultEmpty, e
}
```
Since `getRevision()` includes the URL in the error message and the error
message is used as a format string, the resulting condition reads:
```
failed to determine artifact digest: GET https://gitlab.com/jwt/auth?scope=repository%!A(MISSING)fforster%!F(MISSING)<REDACTED>%!F(MISSING)k8s-resource-manifests%!A(MISSING)pull&service=container_registry: DENIED: access forbidden
```
This adds an explicit format string and shortens `e.Error()` and
`e.Err.Error()` to `e`, which yields the same output.
To the best of my knowledge, Go is safe from format string attacks. I **don't**
think this is a security vulnerability, but I'm also not a security expert.
Signed-off-by: Florian Forster <fforster@gitlab.com>
Introduce a new event reason for patch operation failure and update all
the returned errors from serial patcher to be a generic error so that
they are handled like any other error with an associated warning event.
Signed-off-by: Sunny <darkowlzz@protonmail.com>
Remove deprecated Event error. Event error was used for scenarios where
an error should result in an event/notification. It was introduced as a
contextual error along with Stalling and Waiting errors but was later
replaced with Generic error which doesn't have any contextual meaning.
The Generic error provided error configuration which allowed defining
how the error should be handled. This replaced the contextual error
handling with error action handlers which behaved on the error
configuration of the errors.
The Generic error was first introduced to be used in GitRepository
reconciler and was used by new reconcilers like the OCIRepository
reconcilers. The old reconcilers bucket, helmrepository and helmchart
reconcilers were still using the deprecated Event error. This change
replaces the Event errors in these reconcilers with a Generic error.
It also fixes a bug in the Generic error constructor which configured
the error to be logged by default. This resulted in an error to be
logged by the result processor and the runtime, double logging. This
behavior has been changed to not log explicitly and allow the runtime to
log the error. Since the Generic error is based on defining the error
handling behavior in the error configuration, a generic error that needs
to be ignored (not returned to the runtime), but logged can enable the
logging behavior explicitly on the Generic error instance. This is done
in GitRepository reconciler for no-op reconciliations where an ignore
error is returned.
Signed-off-by: Sunny <darkowlzz@protonmail.com>
Move record suspend metrics next to readiness and duration metrics so
that it gets recorded along with others always at the end and the
metrics delete, which requires the knowledge of deleted finalizers,
applies to suspend too.
HelmRepository cache event metrics for a given helmrepo also continues
to be exported even after the object is deleted. This change deletes
the cache event metrics when the object is deleted.
Signed-off-by: Sunny <darkowlzz@protonmail.com>
This adds a `--interval-jitter-percentage` flag to the controller to
add a +/- percentage jitter to the interval defined in resources
(defaults to 10%).
Effectively, this results in a reconcilation every 4.5 - 5.5 minutes
for a resource with an interval of 5 minutes.
Main reason to add this change is to mitigate spikes in memory and
CPU usage caused by many resources being configured with the same
interval.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
In Reconcile() methods, move the object deletion above add finalizer.
Finalizers can't be set when an object is being deleted.
Introduce a cacheless client in suite_test to use for testing this
change. It ensures that the Reconcile() call always operates on the
latest version of the object which has the deletion timestamp and
existing finalizer.
Signed-off-by: Sunny <darkowlzz@protonmail.com>
This deals with various breaking changes in controller-runtime, as
documented in the release notes:
https://github.com/kubernetes-sigs/controller-runtime/releases/tag/v0.15.0
In short:
- `Watches` now use a `client.Object` instead of a `source.Kind`.
- `handler.MapFunc` signature accepts a Go context, which is used to
log any errors, instead of silently ignoring them and/or panicking.
- Fake clients used in tests are now configured using
`WithStatusSubresource` to enable the correct behavior for status
updates and patches.
- Max concurrent reconciles is configured on the manager, instead of
configuring them per reconciler instance.
- Various manager configuration options have been moved to new
structures and/or fields.
In addition to this, all other dependencies which had updates are
updated to their latest (compatible) versions as well.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
This commits adds verification of the digest of the artifact in storage
to all reconcilers which manage artifacts.
When the artifact does not have a digest or if it mismatches with the
file in storage, the file is removed from the storage and status of the
object.
This hardens the storage against potential tampering, in addition to
resolving an issue where users upgrading from a (much) older version of
the controller would run into an error after the checksum field was
removed from the API.
This would cause the controller to not advertise any checksum at all,
while not producing a new one until a new revision was detected.
Resulting in fetch failures for consumers while they would try to
verify the digest of the advertised artifact.
While not strictly part of this exercise, some of the tests were
altered to prepare the storage used in test cases to become isolated
by strictly using the `storage` provided via the callback. Actually
isolating this has however been left as a task at a later moment.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
Matheus Pimenta
Florian Forster
Jagpreet Singh Tamber
Stefan Prodan
Sunny
Hidde Beydals