storage: change Artifact checksum to SHA256 #423
Conversation
|
This is an incompatible change: anything depending on the existing field's containing a SHA-1 would be broken. Adherence to apimachinery rules would require a new field and maintaining a SHA-1 in |
The change is made to a development branch as clearly documented in the PR description.
This branch will eventually replace the v1beta1 API, as there have been more changes in this branch related to the API. |
|
The checksum field is not used by any of the GitOps Toolkit controllers nor is it user-facing. I see no issues with changing the SHA algorithm in v1beta1. |
This changes the format of the Artifact checksum from SHA1 to SHA256 to
mitigate chosen-prefix and length extension attacks, and ensures it can
be used to secure content against malicious modifications.
Source consumers (including our own {kustomize,helm}-controllers)
should ensure the SHA256 of a downloaded artifact matches the
advertised checksum before making use of it.
Signed-off-by: Hidde Beydals <[email protected]>
hiddeco
force-pushed
the
storage-sha256-checksum
branch
from
548910c to
e79b573
Compare
There was a problem hiding this comment.
LGTM
Thanks @hiddeco
PS. We should add a helper function to fluxcd/pkg/runtime that downloads artifacts, checks the sha then extracts the files in tmp. This function should replace: https://github.com/fluxcd/kustomize-controller/blob/main/controllers/kustomization_controller.go#L429
I think this would introduce a challenging dependency chain (runtime -> source API -> source-controller -> runtime). Instead, either the Artifact should be made generic and decoupled from the source API, or the helper utility should be introduced somewhere within this code base. |
|
From short discussion in private: idea is to introduce a |
|
I'm having trouble reconciling the statements here about changing/replacing the v1beta1 API against the statement in the August 2021 update:
On a separate topic, I've had problems with source-controller OOMing because it downloads multi-GB files (such as our Helm repository index) into memory, causing it to exceed the pod's memory limit. I was starting to look into fixing it to stream directly to disk, but it appears there's a lot of change going in that area right now. |
It will be changed to
Yes, this is a known issue, but challenging at the same time as you will run into this exact same issue when e.g. a chart revision is looked up in the index. So just preventing it from being loaded into memory when it is downloaded does not solve the whole issue. Contributions to improve the situation are however always welcome, and you have two options:
|
|
Okay, but strict adherence to apimachinery rules would require storing the SHA1 in an annotation of the If the project wants to declare parts of the API as outside of the stability guarantee, that's their decision to make. I don't have a use for the SHA1. For me, verifying a secure hash is much higher priority than saving memory. That would seem to depend on the |
Addresses part of fluxcd/flux2#1707. Other usages of SHA1 (e.g. within the
BucketReconciler) have been left untouched as they will be already addressed in e.g. #412.reconcilers-dev.