c0b0e689a7
Prevent that an existing chart in a repository gets overwritten
by an incoming chart with the same version or same sha256 digest.
If there is a matching digest against a chart in the repository then the
upload is rejected and the script exits with error code 2. If there is a
matching version against a chart in the repository that has a different
content then the upload is also rejected but with error code 3.
Test Plan:
PASS: build-pkgs && build-image
PASS: AIO-SX fresh install
PASS: Upload chart vault-0.24.3.tgz to stx-platform repository
Check if the chart was correctly uploaded to
/var/www/pages/helm_charts/stx-platform/
Check if the index.yaml file was regenerated accordingly
PASS: Upload chart vault-0.24.3.tgz to stx-platform repository
Try to upload the same chart again to the same repository
Confirm that the upload was refused
PASS: Upload chart vault-0.24.3.tgz to stx-platform repository
Change an image tag and repackage the chart keeping the
same version
Try to upload the changed chart again to the same repository
Confirm that the upload was refused
Story: 2010929
Task: 48883
Change-Id: I974a627d31876c7e2cfd1df05b03c252d958a4d5
Signed-off-by: Igor Soares <Igor.PiresSoares@windriver.com>
125 lines
3.5 KiB
Bash
125 lines
3.5 KiB
Bash
#!/bin/bash
|
|
|
|
#
|
|
# Copyright (c) 2018 Wind River Systems, Inc.
|
|
#
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
#
|
|
|
|
# This script takes the names of packaged helm charts as arguments.
|
|
# It installs them in the on-node helm chart repository and regenerates
|
|
# the repository index.
|
|
|
|
|
|
# We want to run as the "www" user and scripts can't be setuid. The
|
|
# sudoers permissions are set up to allow sysadmin to run this script
|
|
# as the "www" user without a password.
|
|
WWW_ID=$(id -u www)
|
|
if [ ${UID} -ne ${WWW_ID} ]; then
|
|
exec sudo -u www -g www "$0" "$@"
|
|
fi
|
|
|
|
|
|
RETVAL=0
|
|
REINDEX=0
|
|
|
|
REPO_BASE='/var/www/pages/helm_charts'
|
|
INDEX_FILENAME='index.yaml'
|
|
|
|
# First argument is always the repo where the charts need to be placed
|
|
if [ $# -lt 2 ]; then
|
|
echo "Usage: helm-upload <repo name> <chart 1> .. <chart N>"
|
|
exit 1
|
|
fi
|
|
|
|
# Make sure the repo directory exists
|
|
REPO_DIR="${REPO_BASE}/$1"
|
|
if [ ! -e $REPO_DIR ]; then
|
|
echo "$REPO_DIR doesn't exist."
|
|
exit 1
|
|
fi
|
|
|
|
declare -A CHARTS_INDEXED_BY_DIGEST
|
|
declare -A CHARTS_INDEXED_BY_VERSION
|
|
INDEX_PATH="${REPO_DIR}/${INDEX_FILENAME}"
|
|
FOUND_DIGEST=false
|
|
FOUND_NAME=false
|
|
|
|
# Build an array of repository charts indexed by their digest
|
|
while read -r LINE; do
|
|
|
|
if [[ "$LINE" = *"digest: "* ]]; then
|
|
CHART_DIGEST=$(echo "$LINE" | cut -d " " -f 2)
|
|
FOUND_DIGEST=true
|
|
fi
|
|
|
|
if [ "$FOUND_DIGEST" = true ] && [[ "$LINE" = *"name: "* ]]; then
|
|
CHART_NAME=$(echo "$LINE" | cut -d " " -f 2)
|
|
FOUND_NAME=true
|
|
fi
|
|
|
|
if [ "$FOUND_NAME" = true ] && [[ "$LINE" = *"version: "* ]]; then
|
|
CHART_VERSION=$(echo "$LINE" | cut -d " " -f 2)
|
|
|
|
FOUND_DIGEST=false
|
|
FOUND_NAME=false
|
|
CHARTS_INDEXED_BY_DIGEST["$CHART_DIGEST"]="$CHART_NAME $CHART_VERSION"
|
|
CHARTS_INDEXED_BY_VERSION["$CHART_NAME-$CHART_VERSION"]="$CHART_DIGEST"
|
|
fi
|
|
|
|
done < "$INDEX_PATH"
|
|
|
|
shift 1
|
|
|
|
for FILE in "$@"; do
|
|
if [ -r $FILE ]; then
|
|
|
|
INCOMING_CHART_DIGEST=$(sha256sum "$FILE" | cut -d " " -f 1)
|
|
|
|
FOUND_NAME=false
|
|
while read -r LINE; do
|
|
if [[ "$LINE" = *"name: "* ]]; then
|
|
INCOMING_CHART_NAME=$(echo "$LINE" | cut -d " " -f 2)
|
|
FOUND_NAME=true
|
|
fi
|
|
if [ "$FOUND_NAME" = true ] && [[ "$LINE" = *"version: "* ]]; then
|
|
INCOMING_CHART_VERSION=$(echo "$LINE" | cut -d " " -f 2)
|
|
INCOMING_CHART="$INCOMING_CHART_NAME-$INCOMING_CHART_VERSION"
|
|
break
|
|
fi
|
|
done <<< "$(helm show chart "$FILE")"
|
|
|
|
# Check if the file already exists in the repository
|
|
if [[ -v "CHARTS_INDEXED_BY_DIGEST[$INCOMING_CHART_DIGEST]" ]]; then
|
|
echo "Chart ${INCOMING_CHART_NAME} (version ${INCOMING_CHART_VERSION}) already" \
|
|
"in the repository"
|
|
RETVAL=2
|
|
elif [[ -v "CHARTS_INDEXED_BY_VERSION[$INCOMING_CHART]" ]]; then
|
|
echo "A chart with a different content but same name (${INCOMING_CHART_NAME})" \
|
|
"and version (${INCOMING_CHART_VERSION}) already exists in the repository"
|
|
RETVAL=3
|
|
else
|
|
cp $FILE $REPO_DIR
|
|
|
|
if [ $? -ne 0 ]; then
|
|
echo Problem adding $FILE to helm chart registry.
|
|
RETVAL=1
|
|
else
|
|
REINDEX=1
|
|
fi
|
|
fi
|
|
else
|
|
echo Cannot read file ${FILE}.
|
|
RETVAL=1
|
|
fi
|
|
done
|
|
|
|
|
|
# Now re-index the helm repository if we successfully copied in
|
|
# any new charts.
|
|
if [ $REINDEX -eq 1 ]; then
|
|
/usr/sbin/helm repo index $REPO_DIR
|
|
fi
|
|
|
|
exit $RETVAL
|