Skip to content

Commit

Permalink
Fix verification condition
Browse files Browse the repository at this point in the history
Delete a failed verification condition at the beginning of the source
reconciliation and set `SourceVerifiedCondition` to false approprietly.

Set the `BuildOptions.Verify` to true as long as Verify is enabled in the
API fields.

Signed-off-by: Soule BA <soule@weave.works>
  • Loading branch information
souleb committed Oct 20, 2022
1 parent 96197f7 commit 21e648e
Show file tree
Hide file tree
Showing 6 changed files with 17 additions and 16 deletions.
2 changes: 1 addition & 1 deletion api/v1beta2/helmchart_types.go
Original file line number Diff line number Diff line change
Expand Up @@ -90,7 +90,7 @@ type HelmChartSpec struct {
// Verify contains the secret name containing the trusted public keys
// used to verify the signature and specifies which provider to use to check
// whether OCI image is authentic.
// This field is only supported for OCI sources.
// This field is only supported when using HelmRepository source with spec.type 'oci'.
// Chart dependencies, which are not bundled in the umbrella chart artifact, are not verified.
// +optional
Verify *OCIRepositoryVerification `json:"verify,omitempty"`
Expand Down
23 changes: 13 additions & 10 deletions controllers/helmchart_controller.go
Original file line number Diff line number Diff line change
Expand Up @@ -371,6 +371,12 @@ func (r *HelmChartReconciler) reconcileStorage(ctx context.Context, obj *sourcev
}

func (r *HelmChartReconciler) reconcileSource(ctx context.Context, obj *sourcev1.HelmChart, build *chart.Build) (_ sreconcile.Result, retErr error) {
// Remove any failed verification condition.
// The reason is that a failing verification should be recalculated.
if conditions.IsFalse(obj, sourcev1.SourceVerifiedCondition) {
conditions.Delete(obj, sourcev1.SourceVerifiedCondition)
}

// Retrieve the source
s, err := r.getSource(ctx, obj)
if err != nil {
Expand Down Expand Up @@ -649,15 +655,8 @@ func (r *HelmChartReconciler) buildFromHelmRepository(ctx context.Context, obj *
Force: obj.Generation != obj.Status.ObservedGeneration,
// The remote builder will not attempt to download the chart if
// an artifact exists with the same name and version and `Force` is false.
// It will try to verify the chart if:
// - we are on the first reconciliation
// - the HelmChart spec has changed (generation drift)
// - the previous reconciliation resulted in a failed artifact verification
// - there is no artifact in storage
Verify: obj.Spec.Verify != nil && (obj.Generation <= 0 ||
conditions.GetObservedGeneration(obj, sourcev1.SourceVerifiedCondition) != obj.Generation ||
conditions.IsFalse(obj, sourcev1.SourceVerifiedCondition) ||
obj.GetArtifact() == nil),
// It will however try to verify the chart if `obj.Spec.Verify` is set, at every reconciliation.
Verify: obj.Spec.Verify != nil && obj.Spec.Verify.Provider != "",
}
if artifact := obj.GetArtifact(); artifact != nil {
opts.CachedChart = r.Storage.LocalPath(*artifact)
Expand Down Expand Up @@ -1292,9 +1291,13 @@ func observeChartBuild(obj *sourcev1.HelmChart, build *chart.Build, err error) {
}

switch buildErr.Reason {
case chart.ErrChartMetadataPatch, chart.ErrValuesFilesMerge, chart.ErrDependencyBuild, chart.ErrChartPackage, chart.ErrChartVerification:
case chart.ErrChartMetadataPatch, chart.ErrValuesFilesMerge, chart.ErrDependencyBuild, chart.ErrChartPackage:
conditions.Delete(obj, sourcev1.FetchFailedCondition)
conditions.MarkTrue(obj, sourcev1.BuildFailedCondition, buildErr.Reason.Reason, buildErr.Error())
case chart.ErrChartVerification:
conditions.Delete(obj, sourcev1.FetchFailedCondition)
conditions.MarkTrue(obj, sourcev1.BuildFailedCondition, buildErr.Reason.Reason, buildErr.Error())
conditions.MarkTrue(obj, sourcev1.SourceVerifiedCondition, meta.FailedReason, buildErr.Error())
default:
conditions.Delete(obj, sourcev1.BuildFailedCondition)
conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, buildErr.Reason.Reason, buildErr.Error())
Expand Down
2 changes: 1 addition & 1 deletion docs/spec/v1beta2/helmcharts.md
Original file line number Diff line number Diff line change
Expand Up @@ -290,7 +290,7 @@ data:

Note that the keys must have the `.pub` extension for Flux to make use of them.

Flux will loop over the public keys and use them verify a HelmChart's signature.
Flux will loop over the public keys and use them to verify a HelmChart's signature.
This allows for older HelmCharts to be valid as long as the right key is in the secret.

#### Keyless verification
Expand Down
2 changes: 1 addition & 1 deletion docs/spec/v1beta2/ocirepositories.md
Original file line number Diff line number Diff line change
Expand Up @@ -462,7 +462,7 @@ data:

Note that the keys must have the `.pub` extension for Flux to make use of them.

Flux will loop over the public keys and use them verify an artifact's signature.
Flux will loop over the public keys and use them to verify an artifact's signature.
This allows for older artifacts to be valid as long as the right key is in the secret.

#### Keyless verification
Expand Down
2 changes: 1 addition & 1 deletion internal/helm/registry/auth.go
Original file line number Diff line number Diff line change
Expand Up @@ -105,7 +105,7 @@ func KeychainAdaptHelper(keyChain authn.Keychain) func(string) (registry.LoginOp
}

// AuthAdaptHelper returns an ORAS credentials callback configured with the authorization data
// from the given authn authenticator This allows for example to make use of credential helpers from
// from the given authn authenticator. This allows for example to make use of credential helpers from
// cloud providers.
// Ref: https://github.com/google/go-containerregistry/tree/main/pkg/authn
func AuthAdaptHelper(auth authn.Authenticator) (registry.LoginOption, error) {
Expand Down
2 changes: 0 additions & 2 deletions internal/helm/repository/chart_repository.go
Original file line number Diff line number Diff line change
Expand Up @@ -523,10 +523,8 @@ func (r *ChartRepository) RemoveCache() error {
}

// VerifyChart verifies the chart against a signature.
// If no signature is provided, a keyless verification is performed.
// It returns an error on failure.
func (r *ChartRepository) VerifyChart(_ context.Context, _ *repo.ChartVersion) error {
// no-op
// this is a no-op because this is not implemented yet.
return fmt.Errorf("not implemented")
}

0 comments on commit 21e648e

Please sign in to comment.