feat(cas): Azure Blob Storage support #360
Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
ptal @danlishka
thanks!
@@ -161,6 +164,11 @@ func (s *ByteStreamService) Read(req *bytestream.ReadRequest, stream bytestream. | |||
return sl.LogAndMaskErr(err, s.log) | |||
} | |||
|
|||
// check if the file has been tampered with and notify the client | |||
if sw.GetChecksum() != req.ResourceName { |
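Review bot: the tamper check on the last line compares the stored checksum against `req.ResourceName` verbatim, so it only holds while the resource name is exactly the bare digest string; if resource names ever carry a prefix or a different encoding, every read will be rejected. Consider parsing the digest out of the resource name before comparing and, since a mismatch here is the signal that stored content was altered, logging it at a level that gets noticed rather than only returning it to the client.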
This is a verification server-side that the file has not been tampered with and we deliver only the file if it matches the digest. Note that we already do this check client-side but now server side makes it more robust.
|
||
// Verify the checksum | ||
if got, want := fmt.Sprintf("%x", gotChecksum.Sum(nil)), wantChecksum.Hex; got != want { | ||
msg := fmt.Sprintf("checksums mismatch: got: %s, want: %s", got, want) |
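Review bot: `fmt.Sprintf("%x", gotChecksum.Sum(nil))` always yields lowercase hex, but nothing visible normalizes `wantChecksum.Hex`, so a digest supplied in uppercase would fail the comparison even when the content is intact. Lowercasing `want` (or decoding both sides to bytes and using `bytes.Equal`) before the `got != want` check avoids that false mismatch.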
same here, we only push content to the browser if we know it matches the digest.
@@ -33,8 +35,7 @@ import ( | |||
type CASBackendProvider string | |||
|
|||
const ( | |||
CASBackendOCI CASBackendProvider = "OCI" |
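Review bot: the exported type `CASBackendProvider` and the `CASBackendOCI` constant carry no doc comments. Now that the provider value can originate from a client request, a one-line comment listing the accepted values, plus a small validation helper on the type, would document the contract and give callers one place to check it.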
not needed, removed duplication.
@@ -86,7 +86,7 @@ func (s *CASBackendService) Create(ctx context.Context, req *pb.CASBackendServic | |||
} | |||
|
|||
// For now we only support one backend which is set as default | |||
res, err := s.uc.Create(ctx, currentOrg.ID, req.Location, req.Description, biz.CASBackendOCI, creds, req.Default) | |||
res, err := s.uc.Create(ctx, currentOrg.ID, req.Location, req.Description, biz.CASBackendProvider(req.Provider), creds, req.Default) |
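Review bot: `biz.CASBackendProvider(req.Provider)` is a bare type conversion, so any string a client sends becomes a provider value and reaches the use case unvalidated; check it against the known providers and return an invalid-argument error before calling `s.uc.Create`. The comment above the call, "For now we only support one backend which is set as default", is now stale and should be updated or removed.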
so now we create other kinds of backends, specifically azureBlob
@@ -17,6 +16,6 @@ data: | |||
private_key: /data/server-certs/tls.key | |||
{{- end }} | |||
addr: 0.0.0.0:9000 | |||
timeout: 1s | |||
timeout: 5s |
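Review bot: raising `timeout` from 1s to 5s is a global server setting in this template, so it loosens the request deadline for every endpoint, not only the Azure-backed ones; if the Azure calls are the sole reason, a per-backend client timeout would keep the change scoped. Either way, a `#` comment next to the value explaining why 5s was chosen would save the next reader a trip back to this PR.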
needed to make sure we leave room for the azure requests.
Awesome. LGTM. S3 is the next one!
Adds support for Azure Blob Storage as a Content Addressable Storage backend.
In practice this means:
Users can now onboard their Azure Storage Account with Chainloop
once done, it will appear in your list of registered backends
At this point there is nothing else that a user needs to do; the system will automatically upload attestations and pieces of evidence to the storageAccount/container :)
Note that you can use this backend in combination with an OCI one, meaning that files that have been uploaded to an OCI backend are still accessible and routed accordingly.
Refs #357