From f07d0af5b17070a03a0b041f03cd13da094f8fd8 Mon Sep 17 00:00:00 2001
From: Harshavardhana <harsha@minio.io>
Date: Mon, 24 Jun 2024 09:14:59 -0700
Subject: [PATCH] add protection and facilitate debugging wrong assets (#2179)

There are situations where the tar extraction might fail,
we need to investigate why this happens.

via minio/minio#19510

> Tar file extraction failed for file index: 2, with: EOF
---
 pkg/controller/artifacts.go       | 10 +++++++---
 pkg/controller/main-controller.go |  3 ++-
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/pkg/controller/artifacts.go b/pkg/controller/artifacts.go
index 1058d15ef95..efba6f2709b 100644
--- a/pkg/controller/artifacts.go
+++ b/pkg/controller/artifacts.go
@@ -94,6 +94,8 @@ func (c *Controller) getKeychainForTenant(ctx context.Context, ref name.Referenc
 // Attempts to fetch given image and then extracts and keeps relevant files
 // (minio, minio.sha256sum & minio.minisig) at a pre-defined location (/tmp/webhook/v1/update)
 func (c *Controller) fetchArtifacts(tenant *miniov2.Tenant) (latest string, err error) {
+	c.removeArtifacts() // remove before a fresh fetch.
+
 	basePath := updatePath
 
 	if err = os.MkdirAll(basePath, 1777); err != nil {
@@ -166,13 +168,15 @@ func (c *Controller) fetchArtifacts(tenant *miniov2.Tenant) (latest string, err
 	if err != nil {
 		return latest, err
 	}
-	defer func() {
-		_ = f.Close()
-	}()
 
 	// Tarball writes a file called image.tar
 	// This file in turn has each container layer present inside in the form `<layer-hash>.tar.gz`
 	if err = tarball.Write(ref, img, f); err != nil {
+		f.Close()
+		return latest, err
+	}
+
+	if err = f.Close(); err != nil {
 		return latest, err
 	}
 
diff --git a/pkg/controller/main-controller.go b/pkg/controller/main-controller.go
index 7466d1de14c..2973e7db9a2 100644
--- a/pkg/controller/main-controller.go
+++ b/pkg/controller/main-controller.go
@@ -1128,10 +1128,11 @@ func (c *Controller) syncHandler(key string) (Result, error) {
 			tenantName, images[0], tenant.Spec.Image)
 
 		latest, err := c.fetchArtifacts(tenant)
-		defer c.removeArtifacts()
 		if err != nil {
+			// Do not remove assets with errors, keep them for investigation.
 			return WrapResult(Result{}, err)
 		}
+		defer c.removeArtifacts()
 		updateURL, err := tenant.UpdateURL(latest, fmt.Sprintf("http://operator.%s.svc.%s:%s%s",
 			miniov2.GetNSFromFile(),
 			miniov2.GetClusterDomain(),