Enforce Helm charts uniqueness

Prevent that an existing chart in a repository gets overwritten
by an incoming chart with the same version or same sha256 digest.

If there is a matching digest against a chart in the repository then the
upload is rejected and the script exits with error code 2. If there is a
matching version against a chart in the repository that has a different
content then the upload is also rejected but with error code 3.

Test Plan:
PASS: build-pkgs && build-image
PASS: AIO-SX fresh install
PASS: Upload chart vault-0.24.3.tgz to stx-platform repository
      Check if the chart was correctly uploaded to
      /var/www/pages/helm_charts/stx-platform/
      Check if the index.yaml file was regenerated accordingly
PASS: Upload chart vault-0.24.3.tgz to stx-platform repository
      Try to upload the same chart again to the same repository
      Confirm that the upload was refused
PASS: Upload chart vault-0.24.3.tgz to stx-platform repository
      Change an image tag and repackage the chart keeping the
      same version
      Try to upload the changed chart again to the same repository
      Confirm that the upload was refused

Story: 2010929
Task: 48883

Change-Id: I974a627d31876c7e2cfd1df05b03c252d958a4d5
Signed-off-by: Igor Soares <Igor.PiresSoares@windriver.com>
This commit is contained in:
Igor Soares 2023-09-28 19:52:15 -03:00
parent 7471413e24
commit c0b0e689a7

View File

@ -24,6 +24,7 @@ RETVAL=0
REINDEX=0
REPO_BASE='/var/www/pages/helm_charts'
INDEX_FILENAME='index.yaml'
# First argument is always the repo where the charts need to be placed
if [ $# -lt 2 ]; then
@ -38,20 +39,75 @@ if [ ! -e $REPO_DIR ]; then
exit 1
fi
declare -A CHARTS_INDEXED_BY_DIGEST
declare -A CHARTS_INDEXED_BY_VERSION
INDEX_PATH="${REPO_DIR}/${INDEX_FILENAME}"
FOUND_DIGEST=false
FOUND_NAME=false
# Build an array of repository charts indexed by their digest
while read -r LINE; do
if [[ "$LINE" = *"digest: "* ]]; then
CHART_DIGEST=$(echo "$LINE" | cut -d " " -f 2)
FOUND_DIGEST=true
fi
if [ "$FOUND_DIGEST" = true ] && [[ "$LINE" = *"name: "* ]]; then
CHART_NAME=$(echo "$LINE" | cut -d " " -f 2)
FOUND_NAME=true
fi
if [ "$FOUND_NAME" = true ] && [[ "$LINE" = *"version: "* ]]; then
CHART_VERSION=$(echo "$LINE" | cut -d " " -f 2)
FOUND_DIGEST=false
FOUND_NAME=false
CHARTS_INDEXED_BY_DIGEST["$CHART_DIGEST"]="$CHART_NAME $CHART_VERSION"
CHARTS_INDEXED_BY_VERSION["$CHART_NAME-$CHART_VERSION"]="$CHART_DIGEST"
fi
done < "$INDEX_PATH"
shift 1
for FILE in "$@"; do
if [ -r $FILE ]; then
# QUESTION: should we disallow overwriting an existing file?
# The versions are embedded in the filename, so it shouldn't
# cause problems.
INCOMING_CHART_DIGEST=$(sha256sum "$FILE" | cut -d " " -f 1)
FOUND_NAME=false
while read -r LINE; do
if [[ "$LINE" = *"name: "* ]]; then
INCOMING_CHART_NAME=$(echo "$LINE" | cut -d " " -f 2)
FOUND_NAME=true
fi
if [ "$FOUND_NAME" = true ] && [[ "$LINE" = *"version: "* ]]; then
INCOMING_CHART_VERSION=$(echo "$LINE" | cut -d " " -f 2)
INCOMING_CHART="$INCOMING_CHART_NAME-$INCOMING_CHART_VERSION"
break
fi
done <<< "$(helm show chart "$FILE")"
# Check if the file already exists in the repository
if [[ -v "CHARTS_INDEXED_BY_DIGEST[$INCOMING_CHART_DIGEST]" ]]; then
echo "Chart ${INCOMING_CHART_NAME} (version ${INCOMING_CHART_VERSION}) already" \
"in the repository"
RETVAL=2
elif [[ -v "CHARTS_INDEXED_BY_VERSION[$INCOMING_CHART]" ]]; then
echo "A chart with a different content but same name (${INCOMING_CHART_NAME})" \
"and version (${INCOMING_CHART_VERSION}) already exists in the repository"
RETVAL=3
else
cp $FILE $REPO_DIR
if [ $? -ne 0 ]; then
echo Problem adding $FILE to helm chart registry.
RETVAL=1
else
REINDEX=1
fi
fi
else
echo Cannot read file ${FILE}.
RETVAL=1