controllers: store HelmChart Artifact with suffix #611
Conversation
hiddeco
added
enhancement
|
@aryan9600 you probably want to have a look at this, and make suggestions if it does not combine well with your proposed changes in #605. |
This adds a Unix suffix to the HelmChart Artifact filename, to ensure it is unique for sequential builds triggered due to e.g. a controller restart. The result of this is that consumers who _think_ they are fetching an Artifact with a certain checksum run into a 404 when attempting to download a previously advertised but now unavailable file, instead of running into a checksum validation error (due to non-repetitive Helm builds). For more information, see: #610 Signed-off-by: Hidde Beydals <hello@hidde.co>
hiddeco
force-pushed
the
helmchart-artifact-name
branch
from
87bc4ab
to
6ebe460
Compare
| @@ -626,11 +626,11 @@ func (r *HelmChartReconciler) reconcileArtifact(ctx context.Context, obj *source | |||
| }() | |||
|
|
|||
| // Create artifact from build data | |||
| artifact := r.Storage.NewArtifactFor(obj.Kind, obj.GetObjectMeta(), b.Version, fmt.Sprintf("%s-%s.tgz", b.Name, b.Version)) | |||
| artifact := r.Storage.NewArtifactFor(obj.Kind, obj.GetObjectMeta(), b.Version, fmt.Sprintf("%s-%s-%d.tgz", b.Name, b.Version, time.Now().Unix())) | |||
There was a problem hiding this comment.
This will break signature verification for cached charts (ref: #605). The chart name should be exactly how it's mentioned in it's provenance file, i.e. name-version.tgz. We could probably get around this by adding a symlink linking name-version-ts.tgz to name-version.tgz.
There was a problem hiding this comment.
Was afraid this would be the case. Ack, I'll give it another shot when #605 is merged to get a better view on the options available then.
There was a problem hiding this comment.
We should go ahead and merge this now, because of: #605 (comment)
Converting PR to draft, as this is being put on hold until we reach GA (ref: fluxcd/flux2#2592)
There was a problem hiding this comment.
I would rather like to come up with a solution first that works for #605, as otherwise we're shooting ourselves in the foot with premeditation.
There was a problem hiding this comment.
This adds a Unix suffix to the HelmChart Artifact filename, to ensure
it is unique for sequential builds triggered due to e.g. a controller
restart.
The result of this is that consumers who think they are fetching an
Artifact with a certain checksum run into a 404 when attempting to
download a previously advertised but now unavailable file, instead of
running into a checksum validation error (due to non-repetitive Helm
builds).
Potentially fixes #610