base repository: fluxcd/helm-controller
base: v0.12.2
head repository: fluxcd/helm-controller
compare: v0.13.0
  • 5 commits
  • 6 files changed
  • 1 contributor

Commits on Nov 12, 2021

  1. Verify artifacts integrity

    After downloading an artifact, compute its checksum and verify that it matches the original checksum advertised by source-controller.
    
    Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
    stefanprodan committed Nov 12, 2021

    459984c View commit details
  2. Update source-controller/api to v0.18.0

    Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
    stefanprodan committed Nov 12, 2021

    59d3d88 View commit details
  3. Merge pull request #358 from fluxcd/verify-artifact-checksum

    Verify artifacts integrity
    stefanprodan authored Nov 12, 2021
    4f1ac95 View commit details
  4. Release v0.13.0

    Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
    stefanprodan committed Nov 12, 2021
    1df4930 View commit details
  5. Merge pull request #359 from fluxcd/release-0.13.0

    Release v0.13.0
    stefanprodan authored Nov 12, 2021
    89552ef View commit details
Showing with 46 additions and 10 deletions.
  1. +12 −0 CHANGELOG.md
  2. +2 −2 config/default/kustomization.yaml
  3. +1 −1 config/manager/kustomization.yaml
  4. +27 −3 controllers/helmrelease_controller_chart.go
  5. +2 −2 go.mod
  6. +2 −2 go.sum
12 changes: 12 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,17 @@
# Changelog

## 0.13.0

**Release date:** 2021-11-12

This prerelease comes with artifact integrity verification.
During the acquisition of an artifact, helm-controller computes its checksum using SHA-2
and verifies that it matches the checksum advertised in the `Status` of the Source.

Improvements:
* Verify artifacts integrity
[#358](https://github.com/fluxcd/helm-controller/pull/358)

## 0.12.2

**Release date:** 2021-11-11
4 changes: 2 additions & 2 deletions config/default/kustomization.yaml
@@ -2,8 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: helm-system
resources:
- https://github.com/fluxcd/source-controller/releases/download/v0.16.0/source-controller.crds.yaml
- https://github.com/fluxcd/source-controller/releases/download/v0.16.0/source-controller.deployment.yaml
- https://github.com/fluxcd/source-controller/releases/download/v0.18.0/source-controller.crds.yaml
- https://github.com/fluxcd/source-controller/releases/download/v0.18.0/source-controller.deployment.yaml
- ../crd
- ../rbac
- ../manager
2 changes: 1 addition & 1 deletion config/manager/kustomization.yaml
@@ -5,4 +5,4 @@ resources:
images:
- name: fluxcd/helm-controller
newName: fluxcd/helm-controller
newTag: v0.12.2
newTag: v0.13.0
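--- a/controllers/helmrelease_controller_chart.go
+++ b/controllers/helmrelease_controller_chart.go
@@ -18,9 +18,10 @@ package controllers
 
 import (
 "context"
+"crypto/sha1"
+"crypto/sha256"
 "fmt"
 "io"
-"io/ioutil"
 "net/http"
 "net/url"
 "os"
@@ -94,7 +95,7 @@ func (r *HelmReleaseReconciler) getHelmChart(ctx context.Context, hr *v2.HelmRel
 // loads it into a chart.Chart, and removes the downloaded artifact.
 // It returns the loaded chart.Chart on success, or an error.
 func (r *HelmReleaseReconciler) loadHelmChart(source *sourcev1.HelmChart) (*chart.Chart, error) {
-f, err := ioutil.TempFile("", fmt.Sprintf("%s-%s-*.tgz", source.GetNamespace(), source.GetName()))
+f, err := os.CreateTemp("", fmt.Sprintf("%s-%s-*.tgz", source.GetNamespace(), source.GetName()))
 if err != nil {
 return nil, err
 }
@@ -126,13 +127,36 @@ func (r *HelmReleaseReconciler) loadHelmChart(source *sourcev1.HelmChart) (*char
 return nil, fmt.Errorf("artifact '%s' download failed (status code: %s)", source.GetArtifact().URL, resp.Status)
 }
 
-if _, err = io.Copy(f, resp.Body); err != nil {
+// verify checksum matches origin
+if err := r.copyAndVerifyArtifact(source.GetArtifact(), resp.Body, f); err != nil {
 return nil, err
 }
 
 return loader.Load(f.Name())
 }
 
+func (r *HelmReleaseReconciler) copyAndVerifyArtifact(artifact *sourcev1.Artifact, reader io.Reader, writer io.Writer) error {
+hasher := sha256.New()
+
+// for backwards compatibility with source-controller v0.17.2 and older
+if len(artifact.Checksum) == 40 {
+hasher = sha1.New()
+}
+
+// compute checksum
+mw := io.MultiWriter(hasher, writer)
+if _, err := io.Copy(mw, reader); err != nil {
+return err
+}
+
+if checksum := fmt.Sprintf("%x", hasher.Sum(nil)); checksum != artifact.Checksum {
+return fmt.Errorf("failed to verify artifact: computed checksum '%s' doesn't match advertised '%s'",
+checksum, artifact.Checksum)
+}
+
+return nil
+}
+
 // deleteHelmChart deletes the v1beta1.HelmChart of the v2beta1.HelmRelease.
 func (r *HelmReleaseReconciler) deleteHelmChart(ctx context.Context, hr *v2.HelmRelease) error {
 if hr.Status.HelmChart == "" {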
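Review bot: `copyAndVerifyArtifact` is the only method in this section without a doc comment, while `loadHelmChart` and `deleteHelmChart` both carry one; I would add `// copyAndVerifyArtifact streams reader into writer while hashing it, and returns an error if the hex digest differs from artifact.Checksum; a 40-character checksum selects SHA-1 for source-controller v0.17.2 and older, anything else SHA-256.` The comparison on the `if checksum := fmt.Sprintf("%x", hasher.Sum(nil)); checksum != artifact.Checksum` line is case-sensitive against a lowercase digest, so an upper-case advertised checksum would be rejected — presumably source-controller always emits lowercase, but `strings.EqualFold(checksum, artifact.Checksum)` (needs the `strings` import, whose presence is outside the hunk) would make that explicit. The SHA-1 fallback is chosen purely by checksum length and SHA-1 no longer provides collision resistance, so a TODO naming the source-controller version at which the fallback can be dropped would help a future maintainer. On a mismatch the unverified bytes have already been written to the temp file `f`; whether `loadHelmChart` removes it on this error path is outside the hunk.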
4 changes: 2 additions & 2 deletions go.mod
@@ -5,11 +5,11 @@ go 1.16
replace github.com/fluxcd/helm-controller/api => ./api

require (
github.com/fluxcd/helm-controller/api v0.12.2
github.com/fluxcd/helm-controller/api v0.13.0
github.com/fluxcd/pkg/apis/kustomize v0.1.0
github.com/fluxcd/pkg/apis/meta v0.10.0
github.com/fluxcd/pkg/runtime v0.12.0
github.com/fluxcd/source-controller/api v0.16.0
github.com/fluxcd/source-controller/api v0.18.0
github.com/go-logr/logr v0.4.0
github.com/hashicorp/go-retryablehttp v0.6.8
github.com/onsi/ginkgo v1.16.4
4 changes: 2 additions & 2 deletions go.sum
@@ -245,8 +245,8 @@ github.com/fluxcd/pkg/apis/meta v0.10.0 h1:N7wVGHC1cyPdT87hrDC7UwCwRwnZdQM46PBSL
github.com/fluxcd/pkg/apis/meta v0.10.0/go.mod h1:CW9X9ijMTpNe7BwnokiUOrLl/h13miwVr/3abEQLbKE=
github.com/fluxcd/pkg/runtime v0.12.0 h1:BPZZ8bBkimpqGAPXqOf3LTaw+tcw6HgbWyCuzbbsJGs=
github.com/fluxcd/pkg/runtime v0.12.0/go.mod h1:EyaTR2TOYcjL5U//C4yH3bt2tvTgIOSXpVRbWxUn/C4=
github.com/fluxcd/source-controller/api v0.16.0 h1:xFz+K7lLg/82uOQp+a0g04GsgoWNfyzwXAoVQy4T/oI=
github.com/fluxcd/source-controller/api v0.16.0/go.mod h1:guUCCapjzE2kocwFreQTM/IGvtAglIJc4L97mokairo=
github.com/fluxcd/source-controller/api v0.18.0 h1:cK1uWHCujeEm9mjPPum5gogbMXOo0C6ieVZtTTxDNkY=
github.com/fluxcd/source-controller/api v0.18.0/go.mod h1:guUCCapjzE2kocwFreQTM/IGvtAglIJc4L97mokairo=
github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
github.com/form3tech-oss/jwt-go v3.2.3+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
github.com/franela/goblin v0.0.0-20200105215937-c9ffbefa60db/go.mod h1:7dvUGVsVBjqR7JHJk0brhHOZYGmfBYOrK0ZhYMEtBr4=