-
Notifications
You must be signed in to change notification settings - Fork 187
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
gitrepo: add support for Git tag verification #1187
Conversation
ae37514
to
c0719ce
Compare
9d9d184
to
cdd1c17
Compare
cdd1c17
to
add5ab4
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
GitRepository spec docs also need to be updated for this change.
cf9ba16
to
787f964
Compare
c6e6e93
to
b3aad37
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks really good, thanks for following up with the review comments 🥇 💯
b3aad37
to
c88b0bf
Compare
I encountered this situation when I changed the verification mode from spec:
interval: 1h
ref:
tag: 6.4.1
timeout: 60s
url: https://github.com/stefanprodan/podinfo
verify:
mode: Tag
secretRef:
name: pgp-public-keys
status:
artifact:
...
conditions:
- lastTransitionTime: "2023-08-14T14:11:35Z"
message: stored artifact for revision '6.4.1@sha1:4892983fd12e3ffffcd5a189b1549f2ef26b81c2'
observedGeneration: 18
reason: Succeeded
status: "True"
type: Ready
- lastTransitionTime: "2023-08-14T13:38:34Z"
message: stored artifact for revision '6.4.1@sha1:4892983fd12e3ffffcd5a189b1549f2ef26b81c2'
observedGeneration: 18
reason: Succeeded
status: "True"
type: ArtifactInStorage
- lastTransitionTime: "2023-08-14T14:17:51Z"
message: verified signature of commit '4892983fd12e3ffffcd5a189b1549f2ef26b81c2'
with key '4AEE18F83AFDEB23' and signature of tag '6.4.1@0edeca4929922cba44c87dde9e20b2c6c3cc53ab'
with key '3299AEB0E4085BAF'
observedGeneration: 15
reason: VerifiedTagAndCommit
status: "True"
type: SourceVerified
observedGeneration: 18
observedVerificationMode: TagAndHEAD The observations in the status don't reflect the current spec when no re-verification is required. Also, if the verification is removed, the status contains stale data: spec:
interval: 1h
ref:
tag: 6.4.1
timeout: 60s
url: https://github.com/stefanprodan/podinfo
status:
artifact:
...
conditions:
- lastTransitionTime: "2023-08-14T14:11:35Z"
message: stored artifact for revision '6.4.1@sha1:4892983fd12e3ffffcd5a189b1549f2ef26b81c2'
observedGeneration: 20
reason: Succeeded
status: "True"
type: Ready
- lastTransitionTime: "2023-08-14T13:38:34Z"
message: stored artifact for revision '6.4.1@sha1:4892983fd12e3ffffcd5a189b1549f2ef26b81c2'
observedGeneration: 20
reason: Succeeded
status: "True"
type: ArtifactInStorage
- lastTransitionTime: "2023-08-14T14:17:51Z"
message: verified signature of commit '4892983fd12e3ffffcd5a189b1549f2ef26b81c2'
with key '4AEE18F83AFDEB23' and signature of tag '6.4.1@0edeca4929922cba44c87dde9e20b2c6c3cc53ab'
with key '3299AEB0E4085BAF'
observedGeneration: 15
reason: VerifiedTagAndCommit
status: "True"
type: SourceVerified
observedGeneration: 20
observedVerificationMode: TagAndHEAD Is that okay? or maybe we should update the status without doing a re-verification? |
Given the above, I am now in addition wondering if a message constructed more like something in this format wouldn't be much easier to read:
|
thats by design, the status only gets updated when we re-verify something different. in both scenarios, the information displayed by |
NOTE: Old observation based on misunderstanding, please read the next comment. Tried a few more things and the status seemed to became more unhelpful due to the stale observed verification mode. For example: spec:
interval: 1h
ref:
branch: master
timeout: 60s
url: https://github.com/stefanprodan/podinfo
verify:
mode: Tag
secretRef:
name: pgp-public-keys
status:
artifact:
...
conditions:
- lastTransitionTime: "2023-08-14T20:11:09Z"
message: cannot verify tag object's signature if a tag reference is not specified
observedGeneration: 5
reason: InvalidVerificationMode
status: "True"
type: Stalled
- lastTransitionTime: "2023-08-14T20:09:17Z"
message: cannot verify tag object's signature if a tag reference is not specified
observedGeneration: 5
reason: InvalidVerificationMode
status: "False"
type: Ready
- lastTransitionTime: "2023-08-14T20:09:17Z"
message: cannot verify tag object's signature if a tag reference is not specified
observedGeneration: 5
reason: InvalidVerificationMode
status: "False"
type: SourceVerified
- lastTransitionTime: "2023-08-14T20:05:36Z"
message: stored artifact for revision '6.4.1@sha1:4892983fd12e3ffffcd5a189b1549f2ef26b81c2'
observedGeneration: 2
reason: Succeeded
status: "True"
type: ArtifactInStorage
observedGeneration: 5
observedVerificationMode: TagAndHEAD Spec has verification mode as I tried two things which helped me.
obj.Status.ObservedVerificationMode = ptrToVerificationMode(obj.Spec.Verification.GetMode())
// Update observations.
if obj.Status.ObservedVerificationMode != nil && obj.Spec.Verification == nil {
obj.Status.ObservedVerificationMode = nil
}
if obj.Spec.Verification != nil {
obj.Status.ObservedVerificationMode = ptrToVerificationMode(obj.Spec.Verification.GetMode())
} These two changes made the status reasonable for the above situation and for the situation when the mode is changed from spec:
interval: 1h
ref:
branch: master
timeout: 60s
url: https://github.com/stefanprodan/podinfo
verify:
mode: Tag
secretRef:
name: pgp-public-keys
status:
artifact:
...
conditions:
- lastTransitionTime: "2023-08-14T20:42:38Z"
message: cannot verify tag object's signature if a tag reference is not specified
observedGeneration: 5
reason: InvalidVerificationMode
status: "True"
type: Stalled
- lastTransitionTime: "2023-08-14T20:42:38Z"
message: cannot verify tag object's signature if a tag reference is not specified
observedGeneration: 5
reason: InvalidVerificationMode
status: "False"
type: Ready
- lastTransitionTime: "2023-08-14T20:42:38Z"
message: cannot verify tag object's signature if a tag reference is not specified
observedGeneration: 5
reason: InvalidVerificationMode
status: "False"
type: SourceVerified
- lastTransitionTime: "2023-08-14T20:30:37Z"
message: stored artifact for revision '6.4.1@sha1:4892983fd12e3ffffcd5a189b1549f2ef26b81c2'
observedGeneration: 4
reason: Succeeded
status: "True"
type: ArtifactInStorage
observedGeneration: 5
observedVerificationMode: Tag |
Another thought, I think there's also a confusion in what Update:
This appears to match with my initial understanding of the field but I think it should be changed to say that it's less about the state of the object, ready/stalled/failing, and more about the artifact in storage, as a change in git reference can result in failing reconciliation but the |
We had a discussion about it in a meeting today and there was agreement on a few things:
We can still discuss more if needed. |
your next comment regarding the meaning of
yes, now that we are recording the verification mode used in the status of the object, there's no need for a more explicit reason. |
c88b0bf
to
4346be7
Compare
api/v1/gitrepository_types.go
Outdated
const ( | ||
// ModeHEAD implies that the HEAD of the Git repository (after it has been | ||
// checked out to the required commit) should be verified. | ||
ModeHEAD GitVerificationMode = "HEAD" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It may be irrelevant and could be ignored, but I just had a thought that these new constants Mode*
don't have any prefix to indicate that they are about git source, being in a common v1 package. Looking at the other constants and types in the api package, it looks like most of the things that are specific to a source kind have something in the name to indicate that.
It may be nothing, but it just came to my mind.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
didn't add one because its not just a plain string but rather a typed string, so the type indicates the fact that these constants are related to Git. but, if later we want to add something like ModeTag OCIVerificationMode
, we won't be able to, so yes lets change it to something like ModeGitTag
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds better. I'm hesitant to suggest GitVerificationModeHEAD
, GitVerificationModeTag
and GitVerificationModeTagAndHEAD
in case there's a need to keep it short, but I personally would go with the long version. Maybe get some more opinions on it as it's in v1 package and we won't be able to get rid of it soon/easily.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i do indeed think its too long 😬
160072c
to
3a5d2c1
Compare
3a5d2c1
to
6fbcf67
Compare
6fbcf67
to
cef55c7
Compare
Add three new verification modes for `.spec.verify.mode`: * `HEAD`: Verify the commit that the HEAD of the repo points to after checking out to the ref specified in `.spec.ref`. Its the same as `head`, which cannot be removed due to backwards compatibility reasons and is converted to `HEAD` internally. * `Tag`: Verify the tag referred to by `.spec.ref.tag`. * `TagAndHEAD`: Verify the tag referred to by `.spec.ref.tag` and the commit that the tag points to. The default is `HEAD`, to ensure backwards compatibility. Furthermore, add `.status.sourceVerificationMode` to record the last successful verification mode used. Signed-off-by: Sanskar Jaiswal <[email protected]>
cef55c7
to
f3f0230
Compare
f3f0230
to
f6544e8
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Did some manual testing and overall, it LGTM!
Add support for verifying tags and optionally the commit object it points to. Modify the reconciler to trigger a full reconciliation if the object contains a verification configuration that implies that we need to verify one (or more) Git objects that we haven't previosuly verified. Signed-off-by: Sanskar Jaiswal <[email protected]>
Signed-off-by: Sanskar Jaiswal <[email protected]>
Signed-off-by: Sanskar Jaiswal <[email protected]>
f6544e8
to
51d842c
Compare
Add three new verification modes for
.spec.verify.mode
:HEAD
: Verify the commit that the HEAD of the repo points to after checking out to the ref specified in.spec.ref
. Its the same ashead
, which cannot be removed due to backwards compatibility reasons and is converted toHEAD
internally.Tag
: Verify the tag referred to by.spec.ref.tag
.TagAndHEAD
: Verify the tag referred to by.spec.ref.tag
and the commit that the tag points to.The default is
HEAD
, to ensure backwards compatibility.Furthermore, add
.status.sourceVerificationMode
to record the last successful verification mode used. This is then used to determine whether we need to (re)verify any Git objects depending on the latest verification configuration.Fixes: #1133