Enforce Helm charts uniqueness

Prevent that an existing chart in a repository gets overwritten by an incoming chart with the same version or same sha256 digest. If there is a matching digest against a chart in the repository then the upload is rejected and the script exits with error code 2. If there is a matching version against a chart in the repository that has a different content then the upload is also rejected but with error code 3. Test Plan: PASS: build-pkgs && build-image PASS: AIO-SX fresh install PASS: Upload chart vault-0.24.3.tgz to stx-platform repository Check if the chart was correctly uploaded to /var/www/pages/helm_charts/stx-platform/ Check if the index.yaml file was regenerated accordingly PASS: Upload chart vault-0.24.3.tgz to stx-platform repository Try to upload the same chart again to the same repository Confirm that the upload was refused PASS: Upload chart vault-0.24.3.tgz to stx-platform repository Change an image tag and repackage the chart keeping the same version Try to upload the changed chart again to the same repository Confirm that the upload was refused Story: 2010929 Task: 48883 Change-Id: I974a627d31876c7e2cfd1df05b03c252d958a4d5 Signed-off-by: Igor Soares <Igor.PiresSoares@windriver.com>
2023-09-28 19:52:15 -03:00 · 2023-09-28 19:52:15 -03:00 · c0b0e689a7
commit c0b0e689a7
parent 7471413e24
1 changed files with 64 additions and 8 deletions
--- a/kubernetes/helm/centos/files/helm-upload
+++ b/kubernetes/helm/centos/files/helm-upload
@ -24,6 +24,7 @@ RETVAL=0
 REINDEX=0

 REPO_BASE='/var/www/pages/helm_charts'
+INDEX_FILENAME='index.yaml'

 # First argument is always the repo where the charts need to be placed
 if [ $# -lt 2 ]; then
@ -38,19 +39,74 @@ if [ ! -e $REPO_DIR ]; then
    exit 1
 fi

+declare -A CHARTS_INDEXED_BY_DIGEST
+declare -A CHARTS_INDEXED_BY_VERSION
+INDEX_PATH="${REPO_DIR}/${INDEX_FILENAME}"
+FOUND_DIGEST=false
+FOUND_NAME=false
+
+# Build an array of repository charts indexed by their digest
+while read -r LINE; do
+
+    if [[ "$LINE" = *"digest: "* ]]; then
+        CHART_DIGEST=$(echo "$LINE" | cut -d " " -f 2)
+        FOUND_DIGEST=true
+    fi
+
+    if [ "$FOUND_DIGEST" = true ] && [[ "$LINE" = *"name: "* ]]; then
+        CHART_NAME=$(echo "$LINE" | cut -d " " -f 2)
+        FOUND_NAME=true
+    fi
+
+    if [ "$FOUND_NAME" = true ] && [[ "$LINE" = *"version: "* ]]; then
+        CHART_VERSION=$(echo "$LINE" | cut -d " " -f 2)
+
+        FOUND_DIGEST=false
+        FOUND_NAME=false
+        CHARTS_INDEXED_BY_DIGEST["$CHART_DIGEST"]="$CHART_NAME $CHART_VERSION"
+        CHARTS_INDEXED_BY_VERSION["$CHART_NAME-$CHART_VERSION"]="$CHART_DIGEST"
+    fi
+
+done < "$INDEX_PATH"
+
 shift 1

 for FILE in "$@"; do
    if [ -r $FILE ]; then
-        # QUESTION:  should we disallow overwriting an existing file?
-        # The versions are embedded in the filename, so it shouldn't
-        # cause problems.
-        cp $FILE $REPO_DIR
-        if [ $? -ne 0 ]; then
-            echo Problem adding $FILE to helm chart registry.
-            RETVAL=1
+
+        INCOMING_CHART_DIGEST=$(sha256sum "$FILE" | cut -d " " -f 1)
+
+        FOUND_NAME=false
+        while read -r LINE; do
+            if [[ "$LINE" = *"name: "* ]]; then
+                INCOMING_CHART_NAME=$(echo "$LINE" | cut -d " " -f 2)
+                FOUND_NAME=true
+            fi
+            if [ "$FOUND_NAME" = true ] && [[ "$LINE" = *"version: "* ]]; then
+                INCOMING_CHART_VERSION=$(echo "$LINE" | cut -d " " -f 2)
+                INCOMING_CHART="$INCOMING_CHART_NAME-$INCOMING_CHART_VERSION"
+                break
+            fi
+        done <<< "$(helm show chart "$FILE")"
+
+        # Check if the file already exists in the repository
+        if [[ -v "CHARTS_INDEXED_BY_DIGEST[$INCOMING_CHART_DIGEST]" ]]; then
+            echo "Chart ${INCOMING_CHART_NAME} (version ${INCOMING_CHART_VERSION}) already" \
+                 "in the repository"
+            RETVAL=2
+        elif [[ -v "CHARTS_INDEXED_BY_VERSION[$INCOMING_CHART]" ]]; then
+            echo "A chart with a different content but same name (${INCOMING_CHART_NAME})" \
+                 "and version (${INCOMING_CHART_VERSION}) already exists in the repository"
+            RETVAL=3
        else
-            REINDEX=1
+            cp $FILE $REPO_DIR
+
+            if [ $? -ne 0 ]; then
+                echo Problem adding $FILE to helm chart registry.
+                RETVAL=1
+            else
+                REINDEX=1
+            fi
        fi
    else
        echo Cannot read file ${FILE}.