feat(cli): remote Helm Charts (#1484)

migmartri · web-flow · commit 74da1001a367 · 2024-11-06T14:58:47.000+01:00
Signed-off-by: Miguel Martinez &lt;miguel@chainloop.dev&gt;
diff --git a/pkg/attestation/crafter/api/attestation/v1/crafting_state.go b/pkg/attestation/crafter/api/attestation/v1/crafting_state.go
@@ -176,7 +176,8 @@ func (m *Attestation_Material) CraftingStateToIntotoDescriptor(name string) (*in
 	}
 
 	// Set the special annotations for container images
-	if artifactType == v1.CraftingSchema_Material_CONTAINER_IMAGE {
+	// NOTE: this is in fact an OCI artifact that can be a container image or any stored OCI artifact
+	if m.GetContainerImage() != nil {
 		if tag := m.GetContainerImage().GetTag(); tag != "" {
 			annotationsM[AnnotationContainerTag] = tag
 		}
diff --git a/pkg/attestation/crafter/materials/helmchart.go b/pkg/attestation/crafter/materials/helmchart.go
@@ -27,6 +27,7 @@ import (
 	schemaapi "github.com/chainloop-dev/chainloop/app/controlplane/api/workflowcontract/v1"
 	"github.com/chainloop-dev/chainloop/internal/casclient"
 	api "github.com/chainloop-dev/chainloop/pkg/attestation/crafter/api/attestation/v1"
+	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/rs/zerolog"
 	"gopkg.in/yaml.v2"
 )
@@ -36,26 +37,51 @@ const (
 	chartFileName = "Chart.yaml"
 	// chartValuesYamlFileName is the name of the values.yaml file in the helm chart
 	chartValuesYamlFileName = "values.yaml"
+	// OCI artifact type mime type
+	chartArtifactType = "application/vnd.cncf.helm.config.v1+json"
 )
 
 type HelmChartCrafter struct {
 	backend *casclient.CASBackend
 	*crafterCommon
+	// Helm Chart can be stored also as an OCI artifact
+	ociCrafter *OCIImageCrafter
 }
 
-func NewHelmChartCrafter(materialSchema *schemaapi.CraftingSchema_Material, backend *casclient.CASBackend,
+func NewHelmChartCrafter(materialSchema *schemaapi.CraftingSchema_Material, backend *casclient.CASBackend, ociAuth authn.Keychain,
 	l *zerolog.Logger) (*HelmChartCrafter, error) {
 	if materialSchema.Type != schemaapi.CraftingSchema_Material_HELM_CHART {
 		return nil, fmt.Errorf("material type is not HELM_CHART format")
 	}
 
+	ociCrafter, err := NewOCIImageCrafter(materialSchema, ociAuth, l, WithArtifactTypeValidation(chartArtifactType))
+	if err != nil {
+		return nil, fmt.Errorf("failed to create OCI crafter: %w", err)
+	}
+
 	return &HelmChartCrafter{
 		backend:       backend,
 		crafterCommon: &crafterCommon{logger: l, input: materialSchema},
+		ociCrafter:    ociCrafter,
 	}, nil
 }
 
-func (c *HelmChartCrafter) Craft(ctx context.Context, filepath string) (*api.Attestation_Material, error) {
+func (c *HelmChartCrafter) Craft(ctx context.Context, helmChartRef string) (*api.Attestation_Material, error) {
+	const ociProtocol = "oci://"
+
+	// if it starts with oci://, it's an OCI image
+	if strings.HasPrefix(helmChartRef, ociProtocol) {
+		c.logger.Debug().Str("name", helmChartRef).Msg("retrieving Helm Chart info from OCI registry")
+		// craft without the prefix
+		return c.ociCrafter.Craft(ctx, helmChartRef[len(ociProtocol):])
+	}
+
+	c.logger.Debug().Str("name", helmChartRef).Msg("loading from local path")
+	// otherwise, it's a local file
+	return c.craftLocalHelmChart(ctx, helmChartRef)
+}
+
+func (c *HelmChartCrafter) craftLocalHelmChart(ctx context.Context, filepath string) (*api.Attestation_Material, error) {
 	// Open the helm chart tar file
 	f, err := os.Open(filepath)
 	if err != nil {
diff --git a/pkg/attestation/crafter/materials/helmchart_test.go b/pkg/attestation/crafter/materials/helmchart_test.go
@@ -52,7 +52,7 @@ func TestNewHelmChartCrafter(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			_, err := materials.NewHelmChartCrafter(tc.input, nil, nil)
+			_, err := materials.NewHelmChartCrafter(tc.input, nil, nil, nil)
 			if tc.wantErr {
 				assert.Error(t, err)
 				return
@@ -120,7 +120,7 @@ func TestHelmChartCraft(t *testing.T) {
 			}
 
 			backend := &casclient.CASBackend{Uploader: uploader}
-			crafter, err := materials.NewHelmChartCrafter(schema, backend, &l)
+			crafter, err := materials.NewHelmChartCrafter(schema, backend, nil, &l)
 			require.NoError(t, err)
 
 			got, err := crafter.Craft(context.TODO(), tc.filePath)
diff --git a/pkg/attestation/crafter/materials/materials.go b/pkg/attestation/crafter/materials/materials.go
@@ -184,7 +184,7 @@ func Craft(ctx context.Context, materialSchema *schemaapi.CraftingSchema_Materia
 	case schemaapi.CraftingSchema_Material_SARIF:
 		crafter, err = NewSARIFCrafter(materialSchema, casBackend, logger)
 	case schemaapi.CraftingSchema_Material_HELM_CHART:
-		crafter, err = NewHelmChartCrafter(materialSchema, casBackend, logger)
+		crafter, err = NewHelmChartCrafter(materialSchema, casBackend, ociAuth, logger)
 	case schemaapi.CraftingSchema_Material_EVIDENCE:
 		crafter, err = NewEvidenceCrafter(materialSchema, casBackend, logger)
 	case schemaapi.CraftingSchema_Material_ATTESTATION:
diff --git a/pkg/attestation/crafter/materials/oci_image.go b/pkg/attestation/crafter/materials/oci_image.go
@@ -57,15 +57,26 @@ type containerSignatureInfo struct {
 type OCIImageCrafter struct {
 	*crafterCommon
 	keychain authn.Keychain
+	// validate the artifact type (optional)
+	artifactTypeValidation string
 }
+type OCICraftOpt func(*OCIImageCrafter)
 
-func NewOCIImageCrafter(schema *schemaapi.CraftingSchema_Material, ociAuth authn.Keychain, l *zerolog.Logger) (*OCIImageCrafter, error) {
-	if schema.Type != schemaapi.CraftingSchema_Material_CONTAINER_IMAGE {
-		return nil, fmt.Errorf("material type is not container image")
+func WithArtifactTypeValidation(artifactTypeValidation string) OCICraftOpt {
+	return func(opts *OCIImageCrafter) {
+		opts.artifactTypeValidation = artifactTypeValidation
 	}
+}
 
+func NewOCIImageCrafter(schema *schemaapi.CraftingSchema_Material, ociAuth authn.Keychain, l *zerolog.Logger, opts ...OCICraftOpt) (*OCIImageCrafter, error) {
 	craftCommon := &crafterCommon{logger: l, input: schema}
-	return &OCIImageCrafter{craftCommon, ociAuth}, nil
+	c := &OCIImageCrafter{crafterCommon: craftCommon, keychain: ociAuth}
+
+	for _, opt := range opts {
+		opt(c)
+	}
+
+	return c, nil
 }
 
 func (i *OCIImageCrafter) Craft(_ context.Context, imageRef string) (*api.Attestation_Material, error) {
@@ -81,6 +92,13 @@ func (i *OCIImageCrafter) Craft(_ context.Context, imageRef string) (*api.Attest
 		return nil, err
 	}
 
+	if i.artifactTypeValidation != "" {
+		i.logger.Debug().Str("name", imageRef).Str("want", i.artifactTypeValidation).Msg("validating artifact type")
+		if descriptor.ArtifactType != i.artifactTypeValidation {
+			return nil, fmt.Errorf("artifact type %s does not match expected type %s", descriptor.ArtifactType, i.artifactTypeValidation)
+		}
+	}
+
 	remoteRef := ref.Context().Digest(descriptor.Digest.String())
 
 	// FQDN of the repo, i.e bitnami/nginx => index.docker.io/bitnami/nginx

Original file line number	Diff line number	Diff line change
`@@ -176,7 +176,8 @@ func (m Attestation_Material) CraftingStateToIntotoDescriptor(name string) (in`
`176`	`176`	`}`
`177`	`177`
`178`	`178`	`// Set the special annotations for container images`
`179`		`- if artifactType == v1.CraftingSchema_Material_CONTAINER_IMAGE {`
	`179`	`+ // NOTE: this is in fact an OCI artifact that can be a container image or any stored OCI artifact`
	`180`	`+ if m.GetContainerImage() != nil {`
`180`	`181`	`if tag := m.GetContainerImage().GetTag(); tag != "" {`
`181`	`182`	`annotationsM[AnnotationContainerTag] = tag`
`182`	`183`	`}`