feat(helm): add 'helm fetch --prov' to fetch prov info

Previously, there was no way to get provenance data unless you were
verifying it. This allows `fetch` to get the provenance data, but not
perform any verification. Adding this will allow external plugins
to perform verification against other sources, like Keybase.
pull/1602/head
Matt Butcher 8 years ago
parent 190dafbc8e
commit 18248e5530
No known key found for this signature in database
GPG Key ID: DCD5F5E5EF32C345

@ -44,6 +44,10 @@ const (
// VerifyAlways will always attempt a verification, and will fail if the
// verification fails.
VerifyAlways
// VerifyLater will fetch verification data, but not do any verification.
// This is to accommodate the case where another step of the process will
// perform verification.
VerifyLater
)
// ChartDownloader handles downloading a chart.
@ -65,6 +69,7 @@ type ChartDownloader struct {
// If Verify is set to VerifyNever, the verification will be nil.
// If Verify is set to VerifyIfPossible, this will return a verification (or nil on failure), and print a warning on failure.
// If Verify is set to VerifyAlways, this will return a verification or an error if the verification fails.
// If Verify is set to VerifyLater, this will download the prov file (if it exists), but not verify it.
//
// For VerifyNever and VerifyIfPossible, the Verification may be empty.
//
@ -104,6 +109,7 @@ func (c *ChartDownloader) DownloadTo(ref, version, dest string) (string, *proven
return destfile, nil, err
}
if c.Verify != VerifyLater {
ver, err = VerifyChart(destfile, c.Keyring)
if err != nil {
// Fail always in this case, since it means the verification step
@ -111,6 +117,7 @@ func (c *ChartDownloader) DownloadTo(ref, version, dest string) (string, *proven
return destfile, ver, err
}
}
}
return destfile, ver, nil
}
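Review bot: The doc comment context line `// For VerifyNever and VerifyIfPossible, the Verification may be empty.` is now incomplete: with the new `if c.Verify != VerifyLater` guard, `ver` is never assigned in VerifyLater mode, so the returned `*provenance.Verification` is always nil for that mode as well, while the `.prov` file sits unverified next to the chart. Suggest `// For VerifyNever, VerifyIfPossible, and VerifyLater, the Verification may be empty.` and, above the guard, `// VerifyLater: the prov file has been downloaded but is intentionally left unverified for a later step.` Callers receiving nil cannot tell from the return value alone whether a prov file was fetched, which matters if they intend to hand it to an external verifier. DownloadTo and its prov-download branch start outside the hunk, so whether a failed prov download is fatal in VerifyLater mode (the visible `return destfile, nil, err`) cannot be confirmed from here.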

@ -153,3 +153,47 @@ func TestDownloadTo(t *testing.T) {
return
}
}
func TestDownloadTo_VerifyLater(t *testing.T) {
hh, err := ioutil.TempDir("", "helm-downloadto-")
if err != nil {
t.Fatal(err)
}
defer os.RemoveAll(hh)
dest := filepath.Join(hh, "dest")
os.MkdirAll(dest, 0755)
// Set up a fake repo
srv := repotest.NewServer(hh)
defer srv.Stop()
if _, err := srv.CopyCharts("testdata/*.tgz*"); err != nil {
t.Error(err)
return
}
c := ChartDownloader{
HelmHome: helmpath.Home("testdata/helmhome"),
Out: os.Stderr,
Verify: VerifyLater,
}
cname := "/signtest-0.1.0.tgz"
where, _, err := c.DownloadTo(srv.URL()+cname, "", dest)
if err != nil {
t.Error(err)
return
}
if expect := filepath.Join(dest, cname); where != expect {
t.Errorf("Expected download to %s, got %s", expect, where)
}
if _, err := os.Stat(filepath.Join(dest, cname)); err != nil {
t.Error(err)
return
}
if _, err := os.Stat(filepath.Join(dest, cname+".prov")); err != nil {
t.Error(err)
return
}
}
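Review bot: TestDownloadTo_VerifyLater discards the verification result (`where, _, err := c.DownloadTo(...)`), so it never pins the contract that VerifyLater returns no verification; suggest `where, ver, err := c.DownloadTo(srv.URL()+cname, "", dest)` followed by `if ver != nil { t.Errorf("expected no verification in VerifyLater mode, got %v", ver) }`. The `os.MkdirAll(dest, 0755)` return value is also ignored; checking it with `t.Fatal` gives a clearer failure than the later Stat errors if the directory cannot be created. The existence check on the `.prov` file confirms only that something was written, not that its contents match the served file; comparing it byte-for-byte against the fixture the fake repo served would make the test stronger, if that fixture path is available to this package.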

@ -52,6 +52,7 @@ type fetchCmd struct {
version string
verify bool
verifyLater bool
keyring string
out io.Writer
@ -82,6 +83,7 @@ func newFetchCmd(out io.Writer) *cobra.Command {
f.BoolVar(&fch.untar, "untar", false, "if set to true, will untar the chart after downloading it")
f.StringVar(&fch.untardir, "untardir", ".", "if untar is specified, this flag specifies the name of the directory into which the chart is expanded")
f.BoolVar(&fch.verify, "verify", false, "verify the package against its signature")
f.BoolVar(&fch.verifyLater, "prov", false, "fetch the provenance file, but don't perform verification")
f.StringVar(&fch.version, "version", "", "specific version of a chart. Without this, the latest version is fetched")
f.StringVar(&fch.keyring, "keyring", defaultKeyring(), "keyring containing public keys")
f.StringVarP(&fch.destdir, "destination", "d", ".", "location to write the chart. If this and tardir are specified, tardir is appended to this")
@ -100,6 +102,8 @@ func (f *fetchCmd) run() error {
if f.verify {
c.Verify = downloader.VerifyAlways
} else if f.verifyLater {
c.Verify = downloader.VerifyLater
}
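Review bot: When both `--verify` and `--prov` are given, the `if f.verify { ... } else if f.verifyLater { ... }` chain silently lets `--verify` win, and neither flag's help text tells the user that; a one-line comment above the chain, `// --verify already fetches and checks the prov file, so it takes precedence over --prov.`, would record the intent, or alternatively run() could reject the combination with an explicit error. The struct field is named `verifyLater` while the flag is `prov`; naming them the same way (as `verify` already is) would make the mapping in run() easier to follow. run() starts and ends outside the hunk.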
// If untar is set, we fetch to a tempdir, then untar and copy after
