update helmchart reconciliation to verify charts using prov file

Signed-off-by: Sanskar Jaiswal <[email protected]>

Author: aryan9600

api/v1beta2/helmchart_types.go

@@ -84,6 +84,20 @@ type HelmChartSpec struct {
 	// NOTE: Not implemented, provisional as of https://github.com/fluxcd/flux2/pull/2092
 	// +optional
 	AccessFrom *acl.AccessFrom `json:"accessFrom,omitempty"`
+
+	// Keyring information for verifying the packaged chart's signature using a provenance file.
+	// +optional
+	VerificationKeyring *VerificationKeyring `json:"verificationKeyring,omitempty"`
+}
+
+type VerificationKeyring struct {
+	// +required
+	SecretRef meta.LocalObjectReference `json:"secretRef,omitempty"`
+
+	// The key that corresponds to the keyring value.
+	// +kubebuilder:default:=pubring.gpg
+	// +optional
+	Key string `json:"key,omitempty"`
 }
 
 const (

config/crd/bases/source.toolkit.fluxcd.io_helmcharts.yaml

@@ -404,6 +404,25 @@ spec:
                 items:
                   type: string
                 type: array
+              verificationKeyring:
+                description: Keyring information for verifying the packaged chart's
+                  signature using a provenance file.
+                properties:
+                  key:
+                    default: pubring.gpg
+                    description: The key that corresponds to the keyring value.
+                    type: string
+                  secretRef:
+                    description: LocalObjectReference contains enough information
+                      to locate the referenced Kubernetes resource object.
+                    properties:
+                      name:
+                        description: Name of the referent.
+                        type: string
+                    required:
+                    - name
+                    type: object
+                type: object
               version:
                 default: '*'
                 description: Version is the chart version semver expression, ignored

controllers/helmchart_controller.go

@@ -95,6 +95,8 @@ var helmChartReadyCondition = summarize.Conditions{
 	},
 }
 
+const KeyringFileName = "pubring.gpg"
+
 // +kubebuilder:rbac:groups=source.toolkit.fluxcd.io,resources=helmcharts,verbs=get;list;watch;create;update;patch;delete
 // +kubebuilder:rbac:groups=source.toolkit.fluxcd.io,resources=helmcharts/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=source.toolkit.fluxcd.io,resources=helmcharts/finalizers,verbs=get;create;update;patch;delete
@@ -467,13 +469,20 @@ func (r *HelmChartReconciler) buildFromHelmRepository(ctx context.Context, obj *
 		opts.VersionMetadata = strconv.FormatInt(obj.Generation, 10)
 	}
 
+	var keyring []byte
+	keyring, err = r.getProvenanceKeyring(ctx, obj)
+	if err != nil {
+		conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, sourcev1.AuthenticationFailedReason, err.Error())
+		return sreconcile.ResultEmpty, err
+	}
+
 	// Build the chart
 	ref := chart.RemoteReference{Name: obj.Spec.Chart, Version: obj.Spec.Version}
-	build, err := cb.Build(ctx, ref, util.TempPathForObj("", ".tgz", obj), opts)
+	build, err := cb.Build(ctx, ref, util.TempPathForObj("", ".tgz", obj), opts, keyring)
+
 	if err != nil {
 		return sreconcile.ResultEmpty, err
 	}
-
 	*b = *build
 	return sreconcile.ResultSuccess, nil
 }
@@ -590,13 +599,19 @@ func (r *HelmChartReconciler) buildFromTarballArtifact(ctx context.Context, obj
 		}
 		opts.VersionMetadata += strconv.FormatInt(obj.Generation, 10)
 	}
+	var keyring []byte
+	keyring, err = r.getProvenanceKeyring(ctx, obj)
+	if err != nil {
+		conditions.MarkTrue(obj, sourcev1.FetchFailedCondition, sourcev1.AuthenticationFailedReason, err.Error())
+		return sreconcile.ResultEmpty, err
+	}
 
 	// Build chart
 	cb := chart.NewLocalBuilder(dm)
 	build, err := cb.Build(ctx, chart.LocalReference{
 		WorkDir: sourceDir,
 		Path:    chartPath,
-	}, util.TempPathForObj("", ".tgz", obj), opts)
+	}, util.TempPathForObj("", ".tgz", obj), opts, keyring)
 	if err != nil {
 		return sreconcile.ResultEmpty, err
 	}
@@ -670,6 +685,18 @@ func (r *HelmChartReconciler) reconcileArtifact(ctx context.Context, obj *source
 		return sreconcile.ResultEmpty, e
 	}
 
+	// the provenance file artifact is not recorded, but it shadows the HelmChart artifact
+	// under the assumption that the file is always available at "chart.tgz.prov"
+	if b.ProvFilePath != "" {
+		provArtifact := r.Storage.NewArtifactFor(obj.Kind, obj.GetObjectMeta(), b.Version, fmt.Sprintf("%s-%s.tgz.prov", b.Name, b.Version))
+		if err = r.Storage.CopyFromPath(&provArtifact, b.ProvFilePath); err != nil {
+			return sreconcile.ResultEmpty, &serror.Event{
+				Err:    fmt.Errorf("unable to copy Helm chart provenance file to storage: %w", err),
+				Reason: sourcev1.StorageOperationFailedReason,
+			}
+		}
+	}
+
 	// Record it on the object
 	obj.Status.Artifact = artifact.DeepCopy()
 	obj.Status.ObservedChartName = b.Name
@@ -861,6 +888,22 @@ func (r *HelmChartReconciler) getHelmRepositorySecret(ctx context.Context, repos
 	return &secret, nil
 }
 
+func (r *HelmChartReconciler) getVerificationKeyringSecret(ctx context.Context, chart *sourcev1.HelmChart) (*corev1.Secret, error) {
+	if chart.Spec.VerificationKeyring == nil {
+		return nil, nil
+	}
+	name := types.NamespacedName{
+		Namespace: chart.GetNamespace(),
+		Name:      chart.Spec.VerificationKeyring.SecretRef.Name,
+	}
+	var secret corev1.Secret
+	err := r.Client.Get(ctx, name, &secret)
+	if err != nil {
+		return nil, err
+	}
+	return &secret, nil
+}
+
 func (r *HelmChartReconciler) indexHelmRepositoryByURL(o client.Object) []string {
 	repo, ok := o.(*sourcev1.HelmRepository)
 	if !ok {
@@ -1021,3 +1064,33 @@ func reasonForBuild(build *chart.Build) string {
 	}
 	return sourcev1.ChartPullSucceededReason
 }
+
+func (r *HelmChartReconciler) getProvenanceKeyring(ctx context.Context, chart *sourcev1.HelmChart) ([]byte, error) {
+	if chart.Spec.VerificationKeyring == nil {
+		return nil, nil
+	}
+	name := types.NamespacedName{
+		Namespace: chart.GetNamespace(),
+		Name:      chart.Spec.VerificationKeyring.SecretRef.Name,
+	}
+	var secret corev1.Secret
+	err := r.Client.Get(ctx, name, &secret)
+	if err != nil {
+		e := &serror.Event{
+			Err:    fmt.Errorf("failed to get secret '%s': %w", chart.Spec.VerificationKeyring.SecretRef.Name, err),
+			Reason: sourcev1.AuthenticationFailedReason,
+		}
+		return nil, e
+	}
+	key := chart.Spec.VerificationKeyring.Key
+	if val, ok := secret.Data[key]; !ok {
+		err = fmt.Errorf("secret doesn't contain the advertised verification keyring name %s", key)
+		e := &serror.Event{
+			Err:    fmt.Errorf("invalid secret '%s': %w", secret.GetName(), err),
+			Reason: sourcev1.AuthenticationFailedReason,
+		}
+		return nil, e
+	} else {
+		return val, nil
+	}
+}

controllers/storage.go

@@ -120,6 +120,7 @@ func (s *Storage) RemoveAll(artifact sourcev1.Artifact) (string, error) {
 func (s *Storage) RemoveAllButCurrent(artifact sourcev1.Artifact) ([]string, error) {
 	deletedFiles := []string{}
 	localPath := s.LocalPath(artifact)
+	localProvPath := localPath + ".prov"
 	dir := filepath.Dir(localPath)
 	var errors []string
 	_ = filepath.Walk(dir, func(path string, info os.FileInfo, err error) error {
@@ -128,7 +129,7 @@ func (s *Storage) RemoveAllButCurrent(artifact sourcev1.Artifact) ([]string, err
 			return nil
 		}
 
-		if path != localPath && !info.IsDir() && info.Mode()&os.ModeSymlink != os.ModeSymlink {
+		if path != localPath && path != localProvPath && !info.IsDir() && info.Mode()&os.ModeSymlink != os.ModeSymlink {
 			if err := os.Remove(path); err != nil {
 				errors = append(errors, info.Name())
 			} else {

internal/helm/chart/builder_local.go

@@ -148,15 +148,19 @@ func (b *localChartBuilder) Build(ctx context.Context, ref Reference, p string,
 
 	// If the chart at the path is already packaged and no custom values files
 	// options are set, we can copy the chart without making modifications
-	provFilePath = provenanceFilePath(localRef.Path)
 	if !requiresPackaging {
+		provFilePath = provenanceFilePath(p)
 		if err = copyFileToPath(localRef.Path, p); err != nil {
 			return result, &BuildError{Reason: ErrChartPull, Err: err}
 		}
+		if err = copyFileToPath(provenanceFilePath(localRef.Path), provFilePath); err != nil {
+			return result, &BuildError{Reason: ErrChartPull, Err: err}
+		}
 		if err = verifyProvFile(localRef.Path, provFilePath); err != nil {
 			return result, err
 		}
 		result.Path = p
+		result.ProvFilePath = provFilePath
 		return result, nil
 	}
 

internal/helm/chart/builder_remote.go

@@ -166,7 +166,7 @@ func (b *remoteChartBuilder) Build(_ context.Context, ref Reference, p string, o
 		// This is needed, since the verification will work only if the .tgz file is untampered.
 		// But we write the packaged chart to disk under a different name, so the provenance file
 		// will not be valid for this _new_ packaged chart.
-		chart, err := util.WriteBytesToFile(chartBuf, fmt.Sprintf("%s-%s.tgz", result.Name, result.Version), false)
+		chart, err := util.WriteBytesToFile(chartBuf, fmt.Sprintf("%s-%s.tgz", cv.Name, cv.Version), false)
 		defer os.Remove(chart.Name())
 		if err != nil {
 			return nil, err

internal/helm/chart/verify.go

@@ -11,6 +11,9 @@ import (
 	"helm.sh/helm/v3/pkg/provenance"
 )
 
+// Ref: https://github.com/helm/helm/blob/v3.8.0/pkg/downloader/chart_downloader.go#L328
+// modified to accept a custom provenance file path and an actual keyring instead of a
+// path to the file containing the keyring.
 func VerifyProvenanceFile(keyring io.Reader, chartPath, provFilePath string) error {
 	switch fi, err := os.Stat(chartPath); {
 	case err != nil:
@@ -43,15 +46,12 @@ func VerifyProvenanceFile(keyring io.Reader, chartPath, provFilePath string) err
 }
 
 // isTar tests whether the given file is a tar file.
-//
-// Currently, this simply checks extension, since a subsequent function will
-// untar the file and validate its binary format.
 func isTar(filename string) bool {
 	return strings.EqualFold(filepath.Ext(filename), ".tgz")
 }
 
-// Returns the path of a provenance file related to a packaged chart
-// Adds ".prov" at the end, as per the Helm convention.
+// Returns the path of a provenance file related to a packaged chart by
+// adding ".prov" at the end, as per the Helm convention.
 func provenanceFilePath(path string) string {
 	return path + ".prov"
 }