From c0b0e689a7127797fc09899a31585022a780fc7b Mon Sep 17 00:00:00 2001
From: Igor Soares
Date: Thu, 28 Sep 2023 19:52:15 -0300
Subject: [PATCH] Enforce Helm charts uniqueness
Prevent that an existing chart in a repository gets overwritten by an incoming chart with the same version or same sha256 digest. If there is a matching digest against a chart in the repository then the upload is rejected and the script exits with error code 2. If there is a matching version against a chart in the repository that has a different content then the upload is also rejected but with error code 3.
Test Plan:
PASS: build-pkgs && build-image
PASS: AIO-SX fresh install
PASS: Upload chart vault-0.24.3.tgz to stx-platform repository
Check if the chart was correctly uploaded to /var/www/pages/helm_charts/stx-platform/
Check if the index.yaml file was regenerated accordingly
PASS: Upload chart vault-0.24.3.tgz to stx-platform repository
Try to upload the same chart again to the same repository
Confirm that the upload was refused
PASS: Upload chart vault-0.24.3.tgz to stx-platform repository
Change an image tag and repackage the chart keeping the same version
Try to upload the changed chart again to the same repository
Confirm that the upload was refused
Story: 2010929
Task: 48883
Change-Id: I974a627d31876c7e2cfd1df05b03c252d958a4d5
Signed-off-by: Igor Soares
---
 kubernetes/helm/centos/files/helm-upload | 72 +++++++++++++++++++++---
 1 file changed, 64 insertions(+), 8 deletions(-)
diff --git a/kubernetes/helm/centos/files/helm-upload b/kubernetes/helm/centos/files/helm-upload
index 8a1a9c9e8..66b6edfb0 100644
--- a/kubernetes/helm/centos/files/helm-upload
+++ b/kubernetes/helm/centos/files/helm-upload
@@ -24,6 +24,7 @@
 RETVAL=0
 REINDEX=0
 REPO_BASE='/var/www/pages/helm_charts'
+INDEX_FILENAME='index.yaml'
 
 # First argument is always the repo where the charts need to be placed
 if [ $# -lt 2 ]; then
@@ -38,19 +39,74 @@
 if [ ! -e $REPO_DIR ]; then
 exit 1
 fi
+declare -A CHARTS_INDEXED_BY_DIGEST
+declare -A CHARTS_INDEXED_BY_VERSION
+INDEX_PATH="${REPO_DIR}/${INDEX_FILENAME}"
+FOUND_DIGEST=false
+FOUND_NAME=false
+
+# Build an array of repository charts indexed by their digest
+while read -r LINE; do
+
+ if [[ "$LINE" = *"digest: "* ]]; then
+ CHART_DIGEST=$(echo "$LINE" | cut -d " " -f 2)
+ FOUND_DIGEST=true
+ fi
+
+ if [ "$FOUND_DIGEST" = true ] && [[ "$LINE" = *"name: "* ]]; then
+ CHART_NAME=$(echo "$LINE" | cut -d " " -f 2)
+ FOUND_NAME=true
+ fi
+
+ if [ "$FOUND_NAME" = true ] && [[ "$LINE" = *"version: "* ]]; then
+ CHART_VERSION=$(echo "$LINE" | cut -d " " -f 2)
+
+ FOUND_DIGEST=false
+ FOUND_NAME=false
+ CHARTS_INDEXED_BY_DIGEST["$CHART_DIGEST"]="$CHART_NAME $CHART_VERSION"
+ CHARTS_INDEXED_BY_VERSION["$CHART_NAME-$CHART_VERSION"]="$CHART_DIGEST"
+ fi
+
+done < "$INDEX_PATH"
+
 shift 1
 for FILE in "$@"; do
 if [ -r $FILE ]; then
- # QUESTION: should we disallow overwriting an existing file?
- # The versions are embedded in the filename, so it shouldn't
- # cause problems.
- cp $FILE $REPO_DIR
- if [ $? -ne 0 ]; then
- echo Problem adding $FILE to helm chart registry.
- RETVAL=1
+
+ INCOMING_CHART_DIGEST=$(sha256sum "$FILE" | cut -d " " -f 1)
+
+ FOUND_NAME=false
+ while read -r LINE; do
+ if [[ "$LINE" = *"name: "* ]]; then
+ INCOMING_CHART_NAME=$(echo "$LINE" | cut -d " " -f 2)
+ FOUND_NAME=true
+ fi
+ if [ "$FOUND_NAME" = true ] && [[ "$LINE" = *"version: "* ]]; then
+ INCOMING_CHART_VERSION=$(echo "$LINE" | cut -d " " -f 2)
+ INCOMING_CHART="$INCOMING_CHART_NAME-$INCOMING_CHART_VERSION"
+ break
+ fi
+ done <<< "$(helm show chart "$FILE")"
+
+ # Check if the file already exists in the repository
+ if [[ -v "CHARTS_INDEXED_BY_DIGEST[$INCOMING_CHART_DIGEST]" ]]; then
+ echo "Chart ${INCOMING_CHART_NAME} (version ${INCOMING_CHART_VERSION}) already" \
+ "in the repository"
+ RETVAL=2
+ elif [[ -v "CHARTS_INDEXED_BY_VERSION[$INCOMING_CHART]" ]]; then
+ echo "A chart with a different content but same name (${INCOMING_CHART_NAME})" \
+ "and version (${INCOMING_CHART_VERSION}) already exists in the repository"
+ RETVAL=3
 else
+ cp $FILE $REPO_DIR
+
+ if [ $? -ne 0 ]; then
+ echo Problem adding $FILE to helm chart registry.
+ RETVAL=1
+ else
+ REINDEX=1
+ fi
 fi
 else
 echo Cannot read file ${FILE}.