
Commit a62a4a9

Add cosign verification to the chart Template
Once this field is available, users can reconcile charts with cosign verification enabled. Signed-off-by: Soule BA <bah.soule@gmail.com>
1 parent 0fc4d0f commit a62a4a9

10 files changed

+140
-3
lines changed

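--- a/api/go.mod
+++ b/api/go.mod
@@ -5,12 +5,14 @@ go 1.18
 require (
 github.com/fluxcd/pkg/apis/kustomize v0.6.0
 github.com/fluxcd/pkg/apis/meta v0.16.0
+github.com/fluxcd/source-controller/api v0.30.1
 k8s.io/apiextensions-apiserver v0.25.2
 k8s.io/apimachinery v0.25.2
 sigs.k8s.io/controller-runtime v0.13.0
 )
 
 require (
+github.com/fluxcd/pkg/apis/acl v0.1.0 // indirect
 github.com/go-logr/logr v1.2.3 // indirect
 github.com/gogo/protobuf v1.3.2 // indirect
 github.com/google/gofuzz v1.2.0 // indirect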

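--- a/api/go.sum
+++ b/api/go.sum
@@ -1,10 +1,14 @@
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/fluxcd/pkg/apis/acl v0.1.0 h1:EoAl377hDQYL3WqanWCdifauXqXbMyFuK82NnX6pH4Q=
+github.com/fluxcd/pkg/apis/acl v0.1.0/go.mod h1:zfEZzz169Oap034EsDhmCAGgnWlcWmIObZjYMusoXS8=
 github.com/fluxcd/pkg/apis/kustomize v0.6.0 h1:Afxv3Uv+xiuettzqm3sP0ceWikDZTfHdHtLv6u2nFM8=
 github.com/fluxcd/pkg/apis/kustomize v0.6.0/go.mod h1:iY0zSpK6eUiPfNt/yR6g0q/wQP+wH+Ax/L7KBOx5x2M=
 github.com/fluxcd/pkg/apis/meta v0.16.0 h1:6Mj9rB0TtvCeTe3IlQDc1i2DH75Oosea9yUqS7XafVg=
 github.com/fluxcd/pkg/apis/meta v0.16.0/go.mod h1:GrOVzWXiu22XjLNgLLe2EBYhQPqZetes5SIADb4bmHE=
+github.com/fluxcd/source-controller/api v0.30.1 h1:ykRiMBGcoEy3hIJY5YwL1Mhzmmab1rN+goDgFRLFuxk=
+github.com/fluxcd/source-controller/api v0.30.1/go.mod h1:UkjAqQ6QAXNNesNQDTArTeiTp+UuhOUIA+JyFhGP/+Q=
 github.com/fsnotify/fsnotify v1.5.4 h1:jRbGcIw6P2Meqdwuo0H1p6JVLbL5DHKAKlYndzMwVZI=
 github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
 github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=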

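--- a/api/v2beta1/helmrelease_types.go
+++ b/api/v2beta1/helmrelease_types.go
@@ -28,6 +28,7 @@ import (
 
 "github.com/fluxcd/pkg/apis/kustomize"
 "github.com/fluxcd/pkg/apis/meta"
+sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 )
 
 const HelmReleaseKind = "HelmRelease"
@@ -286,6 +287,14 @@ type HelmChartTemplateSpec struct {
 // +optional
 // +deprecated
 ValuesFile string `json:"valuesFile,omitempty"`
+
+// Verify contains the secret name containing the trusted public keys
+// used to verify the signature and specifies which provider to use to check
+// whether OCI image is authentic.
+// This field is only supported for OCI sources.
+// Chart dependencies, which are not bundled in the umbrella chart artifact, are not verified.
+// +optional
+Verify *sourcev1.OCIRepositoryVerification `json:"verify,omitempty"`
 }
 
 // GetInterval returns the configured interval for the v1beta2.HelmChart,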
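Review bot: The doc comment on the new `Verify` field (second hunk) does not say who performs the verification or what happens when the field is set on a non-OCI source, and since this field is the user's only signal that signature checking is on, it should. helm-controller only copies the field into the generated HelmChart (see `Verify: template.Spec.Verify` in the controller change), so the actual check presumably happens in source-controller when it reconciles that chart; the CRD schema also marks `secretRef` optional while the comment says the field "contains the secret name". I would add `// Verification is performed by source-controller when the generated HelmChart is reconciled; helm-controller itself does not verify anything.` and one sentence stating whether a non-OCI source rejects or silently ignores the field (not visible from this diff — confirm against source-controller before writing it). The `HelmChartTemplateSpec` struct starts outside the hunk.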

api/v2beta1/zz_generated.deepcopy.go

+6

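--- a/config/crd/bases/helm.toolkit.fluxcd.io_helmreleases.yaml
+++ b/config/crd/bases/helm.toolkit.fluxcd.io_helmreleases.yaml
@@ -117,6 +117,34 @@ spec:
 items:
 type: string
 type: array
+verify:
+description: Verify contains the secret name containing the
+trusted public keys used to verify the signature and specifies
+which provider to use to check whether OCI image is authentic.
+This field is only supported for OCI sources. Chart dependencies,
+which are not bundled in the umbrella chart artifact, are
+not verified.
+properties:
+provider:
+default: cosign
+description: Provider specifies the technology used to
+sign the OCI Artifact.
+enum:
+- cosign
+type: string
+secretRef:
+description: SecretRef specifies the Kubernetes Secret
+containing the trusted public keys.
+properties:
+name:
+description: Name of the referent.
+type: string
+required:
+- name
+type: object
+required:
+- provider
+type: object
 version:
 default: '*'
 description: Version semver expression, ignored for charts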

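--- a/controllers/helmrelease_controller_chart.go
+++ b/controllers/helmrelease_controller_chart.go
@@ -211,6 +211,7 @@ func buildHelmChartFromTemplate(hr *v2.HelmRelease) *sourcev1.HelmChart {
 ReconcileStrategy: template.Spec.ReconcileStrategy,
 ValuesFiles: template.Spec.ValuesFiles,
 ValuesFile: template.Spec.ValuesFile,
+Verify: template.Spec.Verify,
 },
 }
 }
@@ -239,6 +240,8 @@ func helmChartRequiresUpdate(hr *v2.HelmRelease, chart *sourcev1.HelmChart) bool
 return true
 case template.Spec.ValuesFile != chart.Spec.ValuesFile:
 return true
+case !reflect.DeepEqual(template.Spec.Verify, chart.Spec.Verify):
+return true
 default:
 return false
 }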
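Review bot: `Verify: template.Spec.Verify` in the first hunk copies the pointer, so the built HelmChart's Verify block aliases the HelmRelease's in-memory spec; the test change in this same commit (`// second copy to avoid modifying the original`) is a workaround for exactly that sharing. Any later mutation of the returned chart (defaulting, or a test writing `hc.Spec.Verify.Provider = ...`) writes through into `hr`, the object the controller is reconciling. Use `Verify: template.Spec.Verify.DeepCopy(),` — the generated DeepCopy on k8s API types returns nil for a nil receiver, so the optional case behaves as before. Both `buildHelmChartFromTemplate` and `helmChartRequiresUpdate` start outside their hunks.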

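--- a/controllers/helmrelease_controller_chart_test.go
+++ b/controllers/helmrelease_controller_chart_test.go
@@ -18,9 +18,11 @@ package controllers
 
 import (
 "context"
+"fmt"
 "testing"
 "time"
 
+"github.com/fluxcd/pkg/apis/meta"
 sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 "github.com/go-logr/logr"
 . "github.com/onsi/gomega"
@@ -371,6 +373,39 @@ func Test_buildHelmChartFromTemplate(t *testing.T) {
 },
 },
 },
+{
+name: "take cosign verification into account",
+modify: func(hr *v2.HelmRelease) {
+hr.Spec.Chart.Spec.Verify = &sourcev1.OCIRepositoryVerification{
+Provider: "cosign",
+SecretRef: &meta.LocalObjectReference{
+Name: "cosign-key",
+},
+}
+},
+want: &sourcev1.HelmChart{
+ObjectMeta: metav1.ObjectMeta{
+Name: "default-test-release",
+Namespace: "default",
+},
+Spec: sourcev1.HelmChartSpec{
+Chart: "chart",
+Version: "1.0.0",
+SourceRef: sourcev1.LocalHelmChartSourceReference{
+Name: "test-repository",
+Kind: "HelmRepository",
+},
+Interval: metav1.Duration{Duration: 2 * time.Minute},
+ValuesFiles: []string{"values.yaml"},
+Verify: &sourcev1.OCIRepositoryVerification{
+Provider: "cosign",
+SecretRef: &meta.LocalObjectReference{
+Name: "cosign-key",
+},
+},
+},
+},
+},
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
@@ -398,6 +433,9 @@ func Test_helmChartRequiresUpdate(t *testing.T) {
 Kind: "HelmRepository",
 },
 Interval: &metav1.Duration{Duration: 2 * time.Minute},
+Verify: &sourcev1.OCIRepositoryVerification{
+Provider: "cosign",
+},
 },
 },
 },
@@ -469,16 +507,26 @@ func Test_helmChartRequiresUpdate(t *testing.T) {
 },
 want: true,
 },
+{
+name: "detects verify change",
+modify: func(hr *v2.HelmRelease, hc *sourcev1.HelmChart) {
+hr.Spec.Chart.Spec.Verify.Provider = "foo-bar"
+},
+want: true,
+},
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
 g := NewWithT(t)
 
 hr := hrWithChartTemplate.DeepCopy()
 hc := buildHelmChartFromTemplate(hr)
+// second copy to avoid modifying the original
+hr = hrWithChartTemplate.DeepCopy()
 g.Expect(helmChartRequiresUpdate(hr, hc)).To(Equal(false))
 
 tt.modify(hr, hc)
+fmt.Println("verify", hr.Spec.Chart.Spec.Verify.Provider, hc.Spec.Verify.Provider)
 g.Expect(helmChartRequiresUpdate(hr, hc)).To(Equal(tt.want))
 })
 }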
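Review bot: `fmt.Println("verify", hr.Spec.Chart.Spec.Verify.Provider, hc.Spec.Verify.Provider)` in the last hunk is a leftover debug print and should be removed together with the `"fmt"` import added in the first hunk. It also dereferences both `Verify` pointers unconditionally, so any future table entry that sets `Verify` to nil would panic in the print rather than fail in the assertion under test. The new `"detects verify change"` case only covers a non-nil → non-nil change; a `nil` case, e.g. `hr.Spec.Chart.Spec.Verify = nil` with `want: true`, would exercise the `reflect.DeepEqual` branch where one side is absent. `Test_helmChartRequiresUpdate` starts outside the hunk.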

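--- a/docs/api/helmrelease.md
+++ b/docs/api/helmrelease.md
@@ -566,6 +566,22 @@ for backwards compatibility the file defined here is merged before the
 ValuesFiles items. Ignored when omitted.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>verify</code><br>
+<em>
+github.com/fluxcd/source-controller/api/v1beta2.OCIRepositoryVerification
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Verify contains the secret name containing the trusted public keys
+used to verify the signature and specifies which provider to use to check
+whether OCI image is authentic.
+This field is only supported for OCI sources.
+Chart dependencies, which are not bundled in the umbrella chart artifact, are not verified.</p>
+</td>
+</tr>
 </table>
 </td>
 </tr>
@@ -688,6 +704,22 @@ for backwards compatibility the file defined here is merged before the
 ValuesFiles items. Ignored when omitted.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>verify</code><br>
+<em>
+github.com/fluxcd/source-controller/api/v1beta2.OCIRepositoryVerification
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>Verify contains the secret name containing the trusted public keys
+used to verify the signature and specifies which provider to use to check
+whether OCI image is authentic.
+This field is only supported for OCI sources.
+Chart dependencies, which are not bundled in the umbrella chart artifact, are not verified.</p>
+</td>
+</tr>
 </tbody>
 </table>
 </div>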

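--- a/go.mod
+++ b/go.mod
@@ -4,13 +4,18 @@ go 1.18
 
 replace github.com/fluxcd/helm-controller/api => ./api
 
+replace (
+github.com/fluxcd/source-controller/api => github.com/souleb/source-controller/api v0.18.1-0.20221018233402-c3f71095a4eb
+github.com/fluxcd/source-controller/api/v1beta2 => github.com/souleb/source-controller/api/v1beta2 v0.18.1-0.20221018233402-c3f71095a4eb
+)
+
 require (
 github.com/fluxcd/helm-controller/api v0.25.0
 github.com/fluxcd/pkg/apis/acl v0.1.0
 github.com/fluxcd/pkg/apis/kustomize v0.6.0
 github.com/fluxcd/pkg/apis/meta v0.16.0
 github.com/fluxcd/pkg/runtime v0.19.0
-github.com/fluxcd/source-controller/api v0.30.0
+github.com/fluxcd/source-controller/api v0.30.1
 github.com/go-logr/logr v1.2.3
 github.com/hashicorp/go-retryablehttp v0.7.1
 github.com/onsi/gomega v1.20.2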
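Review bot: The new `replace` block points `github.com/fluxcd/source-controller/api` at a personal fork (`github.com/souleb/source-controller/api` at a pseudo-version), which must not ship: the controller binary would be built from code outside the project's control, and go.sum now pins only the fork's hash while the upstream v0.30.1 `h1:` line is absent from the root go.sum. The second replace names `.../api/v1beta2`, which is a package inside the api module rather than a module path, so it is most likely a no-op; and `api/go.mod` requires upstream v0.30.1 with no replace, so the two modules resolve different code for the same import path (presumably the fork carries a `HelmChartSpec.Verify` field that the controller assigns and upstream v0.30.1 does not — confirm). Mark the block `// TODO: remove once source-controller/api with HelmChartSpec.Verify is released` and drop both replaces before tagging.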

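--- a/go.sum
+++ b/go.sum
@@ -184,8 +184,6 @@ github.com/fluxcd/pkg/apis/meta v0.16.0 h1:6Mj9rB0TtvCeTe3IlQDc1i2DH75Oosea9yUqS
 github.com/fluxcd/pkg/apis/meta v0.16.0/go.mod h1:GrOVzWXiu22XjLNgLLe2EBYhQPqZetes5SIADb4bmHE=
 github.com/fluxcd/pkg/runtime v0.19.0 h1:4lRlnZfJFhWvuaNWgNsAkPQg09633xCRCf9d0SgXIWk=
 github.com/fluxcd/pkg/runtime v0.19.0/go.mod h1:9Kh46LjwQeUu6o1DUQulLGyo5e5wfQxeFf4ONNobT3U=
-github.com/fluxcd/source-controller/api v0.30.0 h1:rPVPpwXcYG2n0DTRcRagfGDiccvCib5S09K5iMjlpRU=
-github.com/fluxcd/source-controller/api v0.30.0/go.mod h1:UkjAqQ6QAXNNesNQDTArTeiTp+UuhOUIA+JyFhGP/+Q=
 github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
 github.com/fsnotify/fsnotify v1.5.4 h1:jRbGcIw6P2Meqdwuo0H1p6JVLbL5DHKAKlYndzMwVZI=
 github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU=
@@ -562,6 +560,8 @@ github.com/sirupsen/logrus v1.8.1 h1:dJKuHgqk1NNQlqoA6BTlM1Wf9DOH3NBjQyu0h9+AZZE
 github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
 github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
+github.com/souleb/source-controller/api v0.18.1-0.20221018233402-c3f71095a4eb h1:Nl2nOYgwek7QdItVdJvdpbaG7jZDkaT1zYgfT0RN5yI=
+github.com/souleb/source-controller/api v0.18.1-0.20221018233402-c3f71095a4eb/go.mod h1:UkjAqQ6QAXNNesNQDTArTeiTp+UuhOUIA+JyFhGP/+Q=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I=
 github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=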
