Verify digest of artifact in storage #1088
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
hiddeco
added
enhancement
hiddeco
force-pushed
the
verify-storage-digest
branch
from
488c0c6
to
a4cc55d
Compare
darkowlzz
approved these changes
May 10, 2023
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
This commits adds verification of the digest of the artifact in storage to all reconcilers which manage artifacts. When the artifact does not have a digest or if it mismatches with the file in storage, the file is removed from the storage and status of the object. This hardens the storage against potential tampering, in addition to resolving an issue where users upgrading from a (much) older version of the controller would run into an error after the checksum field was removed from the API. This would cause the controller to not advertise any checksum at all, while not producing a new one until a new revision was detected. Resulting in fetch failures for consumers while they would try to verify the digest of the advertised artifact. While not strictly part of this exercise, some of the tests were altered to prepare the storage used in test cases to become isolated by strictly using the `storage` provided via the callback. Actually isolating this has however been left as a task at a later moment. Signed-off-by: Hidde Beydals <hidde@hhh.computer>
Given: - None of the methods of the `Storage` are mutating the storage itself. - It must be instantiated to be usable, as there is a strict reliance on values. - The struct itself is light. This seems to be more fitting. Signed-off-by: Hidde Beydals <hidde@hhh.computer>
hiddeco
force-pushed
the
verify-storage-digest
branch
from
a4cc55d
to
6f762c7
Compare
9 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds verification of the digest of the artifact in storage to all
reconcilers which manage artifacts.
When the artifact does not have a digest or if it mismatches with the
file in storage, the file is removed from the storage and status of the
object.
This hardens the storage against potential tampering, in addition to
resolving an issue where users upgrading from a (much) older version of
the controller would run into an error after the checksum field was
removed from the API.
This would cause the controller to not advertise any checksum at all,
while not producing a new one until a new revision was detected.
Resulting in fetch failures for consumers while they would try to
verify the digest of the advertised artifact.
Fixes: fluxcd/flux2#3861