/*
Copyright 2022 The Flux authors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package action
import (
"errors"
"github.com/opencontainers/go-digest"
helmaction "helm.sh/helm/v3/pkg/action"
helmchart "helm.sh/helm/v3/pkg/chart"
helmchartutil "helm.sh/helm/v3/pkg/chartutil"
helmrelease "helm.sh/helm/v3/pkg/release"
helmdriver "helm.sh/helm/v3/pkg/storage/driver"
v2 "github.com/fluxcd/helm-controller/api/v2beta2"
"github.com/fluxcd/helm-controller/internal/chartutil"
"github.com/fluxcd/helm-controller/internal/release"
)
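var (
	// ErrReleaseDisappeared is returned when the release recorded in a
	// Snapshot (by name and version) is no longer present in the Helm storage.
	ErrReleaseDisappeared = errors.New("release disappeared from storage")
	// ErrReleaseNotFound is returned when no release exists for the given
	// name, or when a nil Snapshot or release was handed in.
	ErrReleaseNotFound = errors.New("no release found")
	// ErrReleaseNotObserved is returned when the release found in storage does
	// not hash to the digest recorded in the Snapshot.
	ErrReleaseNotObserved = errors.New("release not observed to be made for object")
	// ErrReleaseDigest is returned when the digest recorded in the Snapshot
	// cannot be parsed, and therefore can never be verified against.
	ErrReleaseDigest = errors.New("release digest verification error")
	// ErrChartChanged is returned when the chart name or version of the release
	// differs from the chart metadata it is verified against.
	ErrChartChanged = errors.New("release chart changed")
	// ErrConfigDigest is returned when the provided values do not match the
	// Snapshot.ConfigDigest, or when no Snapshot was given to compare with.
	ErrConfigDigest = errors.New("release config values changed")
)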
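// Reasons returned by ReleaseTargetChanged. Each names the component of the
// release target that no longer matches the latest Snapshot in Status.History.
// They are human-readable and intended for conditions/log messages, not for
// programmatic comparison.
const (
	targetStorageNamespace = "storage namespace"
	targetReleaseNamespace = "release namespace"
	targetReleaseName      = "release name"
	targetChartName        = "chart name"
)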
// ReleaseTargetChanged reports whether the release target of obj has drifted
// from what the latest Snapshot in obj.Status.History records. It compares, in
// order, the storage namespace, the release namespace, the (shortened) release
// name and the chart name, and returns the name of the first mismatching
// component together with true.
//
// When obj has no recorded storage namespace or no history yet, or when every
// component still matches, it returns "" and false. A true result can be used
// to e.g. garbage collect the previous release before installing the new one.
func ReleaseTargetChanged(obj *v2.HelmRelease, chartName string) (string, bool) {
	latest := obj.Status.History.Latest()
	if obj.Status.StorageNamespace == "" || latest == nil {
		// Nothing recorded yet, so there is no previous target to differ from.
		return "", false
	}
	if obj.GetStorageNamespace() != obj.Status.StorageNamespace {
		return targetStorageNamespace, true
	}
	if obj.GetReleaseNamespace() != latest.Namespace {
		return targetReleaseNamespace, true
	}
	// Release names are compared in their shortened form, matching how
	// LastRelease looks them up in storage.
	if release.ShortenName(obj.GetReleaseName()) != latest.Name {
		return targetReleaseName, true
	}
	if chartName != latest.ChartName {
		return targetChartName, true
	}
	return "", false
}
// LastRelease fetches the most recent release stored under releaseName.
//
// The name is shortened with release.ShortenName before the lookup, so callers
// may pass the full (possibly over-long) name. A storage miss is mapped to
// ErrReleaseNotFound; any other storage error is returned unchanged.
func LastRelease(config *helmaction.Configuration, releaseName string) (*helmrelease.Release, error) {
	storedName := release.ShortenName(releaseName)
	latest, lookupErr := config.Releases.Last(storedName)
	switch {
	case lookupErr == nil:
		return latest, nil
	case errors.Is(lookupErr, helmdriver.ErrReleaseNotFound):
		// Translate the driver's sentinel into this package's own.
		return nil, ErrReleaseNotFound
	default:
		return nil, lookupErr
	}
}
// VerifySnapshot looks up the release named by snapshot (name and version) in
// the Helm storage and checks, via VerifyReleaseObject, that it hashes to the
// digest the snapshot records. On success the verified release is returned.
//
// Failure is reported as ErrReleaseNotFound (nil snapshot),
// ErrReleaseDisappeared (storage has no such name/version), ErrReleaseDigest
// (unparseable snapshot digest) or ErrReleaseNotObserved (digest mismatch).
// Other storage or encoding errors are returned untyped.
func VerifySnapshot(config *helmaction.Configuration, snapshot *v2.Snapshot) (rls *helmrelease.Release, err error) {
	if snapshot == nil {
		return nil, ErrReleaseNotFound
	}
	stored, getErr := config.Releases.Get(snapshot.Name, snapshot.Version)
	if getErr != nil {
		if errors.Is(getErr, helmdriver.ErrReleaseNotFound) {
			// The snapshot claims a release that storage no longer has.
			return nil, ErrReleaseDisappeared
		}
		return nil, getErr
	}
	if verifyErr := VerifyReleaseObject(snapshot, stored); verifyErr != nil {
		return nil, verifyErr
	}
	return stored, nil
}
// VerifyReleaseObject checks that rls is the release the snapshot was taken
// from: the observed release is encoded and its digest compared against
// snapshot.Digest.
//
// It returns ErrReleaseDigest when snapshot.Digest cannot be parsed,
// ErrReleaseNotObserved when the encoded release does not match the digest,
// an untyped error when encoding itself fails, and nil on success.
//
// NOTE(review): snapshot.Digest is the trust anchor of this check. It appears
// to originate from the object's Status history (see ReleaseTargetChanged), so
// the guarantee is only as strong as write access to that status — confirm.
func VerifyReleaseObject(snapshot *v2.Snapshot, rls *helmrelease.Release) error {
	expected, parseErr := digest.Parse(snapshot.Digest)
	if parseErr != nil {
		// A digest that does not parse can never be verified against.
		return ErrReleaseDigest
	}
	v := expected.Verifier()
	// Stream the canonical encoding of the observed release through the
	// verifier so the whole encoded form is hashed.
	if encErr := release.ObserveRelease(rls).Encode(v); encErr != nil {
		// Encoding is expected to succeed; return the raw (untyped) error so
		// callers treat it as a malfunction and can e.g. retry.
		return encErr
	}
	if !v.Verified() {
		return ErrReleaseNotObserved
	}
	return nil
}
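// VerifyRelease verifies that the given release was made from the given chart
// metadata, and that the provided values match the Snapshot.ConfigDigest.
//
// When chrt is nil the chart check is skipped. It returns ErrReleaseNotFound
// for a nil release; ErrChartChanged when the release's chart name or version
// differs from chrt, or when the release carries no chart metadata to compare
// against; ErrConfigDigest when snapshot is nil or vals do not hash to
// snapshot.ConfigDigest; and nil otherwise.
func VerifyRelease(rls *helmrelease.Release, snapshot *v2.Snapshot, chrt *helmchart.Metadata, vals helmchartutil.Values) error {
	if rls == nil {
		return ErrReleaseNotFound
	}
	if chrt != nil {
		// A release without chart metadata cannot be shown to match chrt.
		// Report it as a changed chart instead of dereferencing nil.
		if rls.Chart == nil || rls.Chart.Metadata == nil {
			return ErrChartChanged
		}
		if rls.Chart.Metadata.Name != chrt.Name || rls.Chart.Metadata.Version != chrt.Version {
			return ErrChartChanged
		}
	}
	// The values check runs regardless of the chart check; a nil snapshot
	// provides no digest and therefore always fails it.
	if snapshot == nil || !chartutil.VerifyValues(digest.Digest(snapshot.ConfigDigest), vals) {
		return ErrConfigDigest
	}
	return nil
}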