update helmchart reconciliation to verify charts using prov file

Signed-off-by: Sanskar Jaiswal <[email protected]>

Author: aryan9600

api/v1beta2/helmchart_types.go

@@ -79,6 +79,20 @@ type HelmChartSpec struct {
 	// AccessFrom defines an Access Control List for allowing cross-namespace references to this object.
 	// +optional
 	AccessFrom *acl.AccessFrom `json:"accessFrom,omitempty"`
+
+	// Keyring information for verifying the packaged chart's signature using a provenance file.
+	// +optional
+	VerificationKeyring *VerificationKeyring `json:"verificationKeyring,omitempty"`
+}
+
+type VerificationKeyring struct {
+	// +required
+	SecretRef meta.LocalObjectReference `json:"secretRef,omitempty"`
+
+	// The key that corresponds to the keyring value.
+	// +kubebuilder:default:=pubring.gpg
+	// +optional
+	Key string `json:"key,omitempty"`
 }
 
 const (

config/crd/bases/source.toolkit.fluxcd.io_helmcharts.yaml

@@ -400,6 +400,25 @@ spec:
                 items:
                   type: string
                 type: array
+              verificationKeyring:
+                description: Keyring information for verifying the packaged chart's
+                  signature using a provenance file.
+                properties:
+                  key:
+                    default: pubring.gpg
+                    description: The key that corresponds to the keyring value.
+                    type: string
+                  secretRef:
+                    description: LocalObjectReference contains enough information
+                      to locate the referenced Kubernetes resource object.
+                    properties:
+                      name:
+                        description: Name of the referent.
+                        type: string
+                    required:
+                    - name
+                    type: object
+                type: object
               version:
                 default: '*'
                 description: The chart version semver expression, ignored for charts

controllers/helmchart_controller.go

@@ -91,6 +91,8 @@ var helmChartReadyConditions = summarize.Conditions{
 	},
 }
 
+const KeyringFileName = "pubring.gpg"
+
 // +kubebuilder:rbac:groups=source.toolkit.fluxcd.io,resources=helmcharts,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=source.toolkit.fluxcd.io,resources=helmcharts/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=source.toolkit.fluxcd.io,resources=helmcharts/finalizers,verbs=get;create;update;patch;delete
@@ -451,13 +453,20 @@ func (r *HelmChartReconciler) buildFromHelmRepository(ctx context.Context, obj *
 		opts.VersionMetadata = strconv.FormatInt(obj.Generation, 10)
 	}
 
+	var keyring []byte
+	keyring, err = r.getProvenanceKeyring(ctx, obj)
+	if err != nil {
+		conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, sourcev1.AuthenticationFailedReason, err.Error())
+		return sreconcile.ResultEmpty, err
+	}
+
 	// Build the chart
 	ref := chart.RemoteReference{Name: obj.Spec.Chart, Version: obj.Spec.Version}
-	build, err := cb.Build(ctx, ref, util.TempPathForObj("", ".tgz", obj), opts)
+	build, err := cb.Build(ctx, ref, util.TempPathForObj("", ".tgz", obj), opts, keyring)
+
 	if err != nil {
 		return sreconcile.ResultEmpty, err
 	}
-
 	*b = *build
 	return sreconcile.ResultSuccess, nil
 }
@@ -576,13 +585,19 @@ func (r *HelmChartReconciler) buildFromTarballArtifact(ctx context.Context, obj
 		}
 		opts.VersionMetadata += strconv.FormatInt(obj.Generation, 10)
 	}
+	var keyring []byte
+	keyring, err = r.getProvenanceKeyring(ctx, obj)
+	if err != nil {
+		conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, sourcev1.AuthenticationFailedReason, err.Error())
+		return sreconcile.ResultEmpty, err
+	}
 
 	// Build chart
 	cb := chart.NewLocalBuilder(dm)
 	build, err := cb.Build(ctx, chart.LocalReference{
 		WorkDir: sourceDir,
 		Path:    chartPath,
-	}, util.TempPathForObj("", ".tgz", obj), opts)
+	}, util.TempPathForObj("", ".tgz", obj), opts, keyring)
 	if err != nil {
 		return sreconcile.ResultEmpty, err
 	}
@@ -643,6 +658,18 @@ func (r *HelmChartReconciler) reconcileArtifact(ctx context.Context, obj *source
 		}
 	}
 
+	// the provenance file artifact is not recorded, but it shadows the HelmChart artifact
+	// under the assumption that the file is always available at "chart.tgz.prov"
+	if b.ProvFilePath != "" {
+		provArtifact := r.Storage.NewArtifactFor(obj.Kind, obj.GetObjectMeta(), b.Version, fmt.Sprintf("%s-%s.tgz.prov", b.Name, b.Version))
+		if err = r.Storage.CopyFromPath(&provArtifact, b.ProvFilePath); err != nil {
+			return sreconcile.ResultEmpty, &serror.Event{
+				Err:    fmt.Errorf("unable to copy Helm chart provenance file to storage: %w", err),
+				Reason: sourcev1.StorageOperationFailedReason,
+			}
+		}
+	}
+
 	// Record it on the object
 	obj.Status.Artifact = artifact.DeepCopy()
 	obj.Status.ObservedChartName = b.Name
@@ -824,6 +851,22 @@ func (r *HelmChartReconciler) getHelmRepositorySecret(ctx context.Context, repos
 	return &secret, nil
 }
 
+func (r *HelmChartReconciler) getVerificationKeyringSecret(ctx context.Context, chart *sourcev1.HelmChart) (*corev1.Secret, error) {
+	if chart.Spec.VerificationKeyring == nil {
+		return nil, nil
+	}
+	name := types.NamespacedName{
+		Namespace: chart.GetNamespace(),
+		Name:      chart.Spec.VerificationKeyring.SecretRef.Name,
+	}
+	var secret corev1.Secret
+	err := r.Client.Get(ctx, name, &secret)
+	if err != nil {
+		return nil, err
+	}
+	return &secret, nil
+}
+
 func (r *HelmChartReconciler) indexHelmRepositoryByURL(o client.Object) []string {
 	repo, ok := o.(*sourcev1.HelmRepository)
 	if !ok {
@@ -982,3 +1025,33 @@ func reasonForBuild(build *chart.Build) string {
 	}
 	return sourcev1.ChartPullSucceededReason
 }
+
+func (r *HelmChartReconciler) getProvenanceKeyring(ctx context.Context, chart *sourcev1.HelmChart) ([]byte, error) {
+	if chart.Spec.VerificationKeyring == nil {
+		return nil, nil
+	}
+	name := types.NamespacedName{
+		Namespace: chart.GetNamespace(),
+		Name:      chart.Spec.VerificationKeyring.SecretRef.Name,
+	}
+	var secret corev1.Secret
+	err := r.Client.Get(ctx, name, &secret)
+	if err != nil {
+		e := &serror.Event{
+			Err:    fmt.Errorf("failed to get secret '%s': %w", chart.Spec.VerificationKeyring.SecretRef.Name, err),
+			Reason: sourcev1.AuthenticationFailedReason,
+		}
+		return nil, e
+	}
+	key := chart.Spec.VerificationKeyring.Key
+	if val, ok := secret.Data[key]; !ok {
+		err = fmt.Errorf("secret doesn't contain the advertised verification keyring name %s", key)
+		e := &serror.Event{
+			Err:    fmt.Errorf("invalid secret '%s': %w", secret.GetName(), err),
+			Reason: sourcev1.AuthenticationFailedReason,
+		}
+		return nil, e
+	} else {
+		return val, nil
+	}
+}

controllers/storage.go

@@ -120,6 +120,7 @@ func (s *Storage) RemoveAll(artifact sourcev1.Artifact) (string, error) {
 func (s *Storage) RemoveAllButCurrent(artifact sourcev1.Artifact) ([]string, error) {
 	deletedFiles := []string{}
 	localPath := s.LocalPath(artifact)
+	localProvPath := localPath + ".prov"
 	dir := filepath.Dir(localPath)
 	var errors []string
 	_ = filepath.Walk(dir, func(path string, info os.FileInfo, err error) error {
@@ -128,7 +129,7 @@ func (s *Storage) RemoveAllButCurrent(artifact sourcev1.Artifact) ([]string, err
 			return nil
 		}
 
-		if path != localPath && !info.IsDir() && info.Mode()&os.ModeSymlink != os.ModeSymlink {
+		if path != localPath && path != localProvPath && !info.IsDir() && info.Mode()&os.ModeSymlink != os.ModeSymlink {
 			if err := os.Remove(path); err != nil {
 				errors = append(errors, info.Name())
 			} else {

go.mod

@@ -8,14 +8,14 @@ require (
 	cloud.google.com/go/storage v1.16.0
 	github.com/Masterminds/semver/v3 v3.1.1
 	github.com/ProtonMail/go-crypto v0.0.0-20220113124808-70ae35bab23f
-	github.com/cyphar/filepath-securejoin v0.2.2
+	github.com/cyphar/filepath-securejoin v0.2.3
 	github.com/darkowlzz/controller-check v0.0.0-20220119215126-648356cef22c
 	github.com/docker/go-units v0.4.0
 	github.com/elazarl/goproxy v0.0.0-20211114080932-d06c3be7c11b
 	github.com/fluxcd/pkg/apis/meta v0.12.0
 	github.com/fluxcd/pkg/gittestserver v0.5.0
 	github.com/fluxcd/pkg/gitutil v0.1.0
-	github.com/fluxcd/pkg/helmtestserver v0.4.0
+	github.com/fluxcd/pkg/helmtestserver v0.7.0
 	github.com/fluxcd/pkg/lockedfile v0.1.0
 	github.com/fluxcd/pkg/runtime v0.13.1
 	github.com/fluxcd/pkg/ssh v0.2.0
@@ -35,7 +35,7 @@ require (
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c
 	google.golang.org/api v0.62.0
 	gotest.tools v2.2.0+incompatible
-	helm.sh/helm/v3 v3.7.2
+	helm.sh/helm/v3 v3.8.0
 	k8s.io/api v0.23.3
 	k8s.io/apimachinery v0.23.3
 	k8s.io/client-go v0.23.3
@@ -48,13 +48,12 @@ require (
 require (
 	cloud.google.com/go v0.99.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
-	github.com/BurntSushi/toml v0.3.1 // indirect
+	github.com/BurntSushi/toml v0.4.1 // indirect
 	github.com/MakeNowJust/heredoc v0.0.0-20170808103936-bb23615498cd // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/sprig/v3 v3.2.2 // indirect
 	github.com/Masterminds/squirrel v1.5.2 // indirect
 	github.com/Microsoft/go-winio v0.5.2 // indirect
-	github.com/Microsoft/hcsshim v0.8.23 // indirect
 	github.com/PuerkitoBio/purell v1.1.1 // indirect
 	github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
 	github.com/acomagu/bufpipe v1.0.3 // indirect
@@ -65,13 +64,12 @@ require (
 	github.com/bugsnag/panicwrap v1.3.4 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/chai2010/gettext-go v0.0.0-20160711120539-c6fed771bfd5 // indirect
-	github.com/containerd/containerd v1.5.7 // indirect
-	github.com/containerd/continuity v0.1.0 // indirect
+	github.com/containerd/containerd v1.5.9 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/docker/cli v20.10.7+incompatible // indirect
+	github.com/docker/cli v20.10.11+incompatible // indirect
 	github.com/docker/distribution v2.8.0+incompatible // indirect
-	github.com/docker/docker v17.12.0-ce-rc1.0.20200618181300-9dc6525e6118+incompatible // indirect
-	github.com/docker/docker-credential-helpers v0.6.3 // indirect
+	github.com/docker/docker v20.10.12+incompatible // indirect
+	github.com/docker/docker-credential-helpers v0.6.4 // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-metrics v0.0.1 // indirect
 	github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 // indirect
@@ -109,17 +107,17 @@ require (
 	github.com/imdario/mergo v0.3.12 // indirect
 	github.com/inconshreveable/mousetrap v1.0.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
-	github.com/jmoiron/sqlx v1.3.1 // indirect
+	github.com/jmoiron/sqlx v1.3.4 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0 // indirect
 	github.com/kevinburke/ssh_config v1.1.0 // indirect
-	github.com/klauspost/compress v1.13.5 // indirect
+	github.com/klauspost/compress v1.13.6 // indirect
 	github.com/klauspost/cpuid v1.3.1 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
 	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
-	github.com/lib/pq v1.10.0 // indirect
+	github.com/lib/pq v1.10.4 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
 	github.com/mailru/easyjson v0.7.6 // indirect
 	github.com/mattn/go-colorable v0.1.12 // indirect
@@ -128,10 +126,10 @@ require (
 	github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 // indirect
 	github.com/minio/md5-simd v1.1.0 // indirect
 	github.com/minio/sha256-simd v0.1.1 // indirect
-	github.com/mitchellh/copystructure v1.1.1 // indirect
+	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.0 // indirect
-	github.com/mitchellh/reflectwalk v1.0.1 // indirect
+	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/moby/locker v1.0.1 // indirect
 	github.com/moby/spdystream v0.2.0 // indirect
 	github.com/moby/term v0.0.0-20210610120745-9d4ed1856297 // indirect
@@ -141,7 +139,6 @@ require (
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.0.2 // indirect
-	github.com/opencontainers/runc v1.0.2 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
@@ -181,8 +178,8 @@ require (
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa // indirect
-	google.golang.org/grpc v1.42.0 // indirect
+	google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368 // indirect
+	google.golang.org/grpc v1.43.0 // indirect
 	google.golang.org/protobuf v1.27.1 // indirect
 	gopkg.in/gorp.v1 v1.7.2 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
@@ -197,7 +194,7 @@ require (
 	k8s.io/klog/v2 v2.40.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20220124234850-424119656bbf // indirect
 	k8s.io/kubectl v0.23.2 // indirect
-	oras.land/oras-go v0.4.0 // indirect
+	oras.land/oras-go v1.1.0 // indirect
 	sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2 // indirect
 	sigs.k8s.io/kustomize/api v0.10.1 // indirect
 	sigs.k8s.io/kustomize/kyaml v0.13.0 // indirect