Merge pull request #1001 from fluxcd/artifact-digest

RFC-0005: introduction of Digest and change of Revision format
fluxcd · Feb 14, 2023 · e24ce86 · e24ce86
2 parents d18988e + 9283894
commit e24ce86
Show file tree

Hide file tree

Showing 39 changed files with 2,458 additions and 1,219 deletions.
diff --git a/api/v1beta2/artifact_types.go b/api/v1beta2/artifact_types.go
@@ -18,6 +18,7 @@ package v1beta2
 
 import (
 	"path"
+	"regexp"
 	"strings"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -43,8 +44,14 @@ type Artifact struct {
 	Revision string `json:"revision"`
 
 	// Checksum is the SHA256 checksum of the Artifact file.
+	// Deprecated: use Artifact.Digest instead.
 	// +optional
-	Checksum string `json:"checksum"`
+	Checksum string `json:"checksum,omitempty"`
+
+	// Digest is the digest of the file in the form of '<algorithm>:<checksum>'.
+	// +optional
+	// +kubebuilder:validation:Pattern="^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$"
+	Digest string `json:"digest"`
 
 	// LastUpdateTime is the timestamp corresponding to the last update of the
 	// Artifact.
@@ -66,7 +73,7 @@ func (in *Artifact) HasRevision(revision string) bool {
 	if in == nil {
 		return false
 	}
-	return in.Revision == revision
+	return TransformLegacyRevision(in.Revision) == TransformLegacyRevision(revision)
 }
 
 // HasChecksum returns if the given checksum matches the current Checksum of
@@ -90,3 +97,60 @@ func ArtifactDir(kind, namespace, name string) string {
 func ArtifactPath(kind, namespace, name, filename string) string {
 	return path.Join(ArtifactDir(kind, namespace, name), filename)
 }
+
+// TransformLegacyRevision transforms a "legacy" revision string into a "new"
+// revision string. It accepts the following formats:
+//
+//   - main/5394cb7f48332b2de7c17dd8b8384bbc84b7e738
+//   - feature/branch/5394cb7f48332b2de7c17dd8b8384bbc84b7e738
+//   - HEAD/5394cb7f48332b2de7c17dd8b8384bbc84b7e738
+//   - tag/55609ff9d959589ed917ce32e6bc0f0a36809565f308602c15c3668965979edc
+//   - d52bde83c5b2bd0fa7910264e0afc3ac9cfe9b6636ca29c05c09742f01d5a4bd
+//
+// Which are transformed into the following formats respectively:
+//
+//   - main@sha1:5394cb7f48332b2de7c17dd8b8384bbc84b7e738
+//   - feature/branch@sha1:5394cb7f48332b2de7c17dd8b8384bbc84b7e738
+//   - sha1:5394cb7f48332b2de7c17dd8b8384bbc84b7e738
+//   - tag@sha256:55609ff9d959589ed917ce32e6bc0f0a36809565f308602c15c3668965979edc
+//   - sha256:d52bde83c5b2bd0fa7910264e0afc3ac9cfe9b6636ca29c05c09742f01d5a4bd
+//
+// Deprecated, this function exists for backwards compatibility with existing
+// resources, and to provide a transition period. Will be removed in a future
+// release.
+func TransformLegacyRevision(rev string) string {
+	if rev != "" && strings.LastIndex(rev, ":") == -1 {
+		if i := strings.LastIndex(rev, "/"); i >= 0 {
+			sha := rev[i+1:]
+			if algo := determineSHAType(sha); algo != "" {
+				if name := rev[:i]; name != "HEAD" {
+					return name + "@" + algo + ":" + sha
+				}
+				return algo + ":" + sha
+			}
+		}
+		if algo := determineSHAType(rev); algo != "" {
+			return algo + ":" + rev
+		}
+	}
+	return rev
+}
+
+// isAlphaNumHex returns true if the given string only contains 0-9 and a-f
+// characters.
+var isAlphaNumHex = regexp.MustCompile(`^[0-9a-f]+$`).MatchString
+
+// determineSHAType returns the SHA algorithm used to compute the provided hex.
+// The determination is heuristic and based on the length of the hex string. If
+// the size is not recognized, an empty string is returned.
+func determineSHAType(hex string) string {
+	if isAlphaNumHex(hex) {
+		switch len(hex) {
+		case 40:
+			return "sha1"
+		case 64:
+			return "sha256"
+		}
+	}
+	return ""
+}
diff --git a/api/v1beta2/artifact_types_test.go b/api/v1beta2/artifact_types_test.go
@@ -0,0 +1,78 @@
+/*
+Copyright 2023 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta2
+
+import "testing"
+
+func TestTransformLegacyRevision(t *testing.T) {
+	tests := []struct {
+		rev  string
+		want string
+	}{
+		{
+			rev:  "HEAD/5394cb7f48332b2de7c17dd8b8384bbc84b7e738",
+			want: "sha1:5394cb7f48332b2de7c17dd8b8384bbc84b7e738",
+		},
+		{
+			rev:  "main/5394cb7f48332b2de7c17dd8b8384bbc84b7e738",
+			want: "main@sha1:5394cb7f48332b2de7c17dd8b8384bbc84b7e738",
+		},
+		{
+			rev:  "main@sha1:5394cb7f48332b2de7c17dd8b8384bbc84b7e738",
+			want: "main@sha1:5394cb7f48332b2de7c17dd8b8384bbc84b7e738",
+		},
+		{
+			rev:  "feature/branch/5394cb7f48332b2de7c17dd8b8384bbc84b7e738",
+			want: "feature/branch@sha1:5394cb7f48332b2de7c17dd8b8384bbc84b7e738",
+		},
+		{
+			rev:  "feature/branch@sha1:5394cb7f48332b2de7c17dd8b8384bbc84b7e738",
+			want: "feature/branch@sha1:5394cb7f48332b2de7c17dd8b8384bbc84b7e738",
+		},
+		{
+			rev:  "5ac85ca617f3774baff4ae0a420b810b2546dbc9af9f346b1d55c5ed9873c55c",
+			want: "sha256:5ac85ca617f3774baff4ae0a420b810b2546dbc9af9f346b1d55c5ed9873c55c",
+		},
+		{
+			rev:  "v1.0.0",
+			want: "v1.0.0",
+		},
+		{
+			rev:  "v1.0.0-rc1",
+			want: "v1.0.0-rc1",
+		},
+		{
+			rev:  "v1.0.0-rc1+metadata",
+			want: "v1.0.0-rc1+metadata",
+		},
+		{
+			rev:  "arbitrary/revision",
+			want: "arbitrary/revision",
+		},
+		{
+			rev:  "5394cb7f48332b2de7c17dd8b8384bbc84b7xxxx",
+			want: "5394cb7f48332b2de7c17dd8b8384bbc84b7xxxx",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.rev, func(t *testing.T) {
+			if got := TransformLegacyRevision(tt.rev); got != tt.want {
+				t.Errorf("TransformLegacyRevision() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
diff --git a/config/crd/bases/source.toolkit.fluxcd.io_buckets.yaml b/config/crd/bases/source.toolkit.fluxcd.io_buckets.yaml
@@ -377,7 +377,12 @@ spec:
                 description: Artifact represents the last successful Bucket reconciliation.
                 properties:
                   checksum:
-                    description: Checksum is the SHA256 checksum of the Artifact file.
+                    description: 'Checksum is the SHA256 checksum of the Artifact
+                      file. Deprecated: use Artifact.Digest instead.'
+                    type: string
+                  digest:
+                    description: Digest is the digest of the file in the form of '<algorithm>:<checksum>'.
+                    pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$
                     type: string
                   lastUpdateTime:
                     description: LastUpdateTime is the timestamp corresponding to

diff --git a/config/crd/bases/source.toolkit.fluxcd.io_gitrepositories.yaml b/config/crd/bases/source.toolkit.fluxcd.io_gitrepositories.yaml
@@ -554,7 +554,12 @@ spec:
                   reconciliation.
                 properties:
                   checksum:
-                    description: Checksum is the SHA256 checksum of the Artifact file.
+                    description: 'Checksum is the SHA256 checksum of the Artifact
+                      file. Deprecated: use Artifact.Digest instead.'
+                    type: string
+                  digest:
+                    description: Digest is the digest of the file in the form of '<algorithm>:<checksum>'.
+                    pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$
                     type: string
                   lastUpdateTime:
                     description: LastUpdateTime is the timestamp corresponding to
@@ -676,8 +681,13 @@ spec:
                   description: Artifact represents the output of a Source reconciliation.
                   properties:
                     checksum:
-                      description: Checksum is the SHA256 checksum of the Artifact
-                        file.
+                      description: 'Checksum is the SHA256 checksum of the Artifact
+                        file. Deprecated: use Artifact.Digest instead.'
+                      type: string
+                    digest:
+                      description: Digest is the digest of the file in the form of
+                        '<algorithm>:<checksum>'.
+                      pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$
                       type: string
                     lastUpdateTime:
                       description: LastUpdateTime is the timestamp corresponding to

diff --git a/config/crd/bases/source.toolkit.fluxcd.io_helmcharts.yaml b/config/crd/bases/source.toolkit.fluxcd.io_helmcharts.yaml
@@ -452,7 +452,12 @@ spec:
                   reconciliation.
                 properties:
                   checksum:
-                    description: Checksum is the SHA256 checksum of the Artifact file.
+                    description: 'Checksum is the SHA256 checksum of the Artifact
+                      file. Deprecated: use Artifact.Digest instead.'
+                    type: string
+                  digest:
+                    description: Digest is the digest of the file in the form of '<algorithm>:<checksum>'.
+                    pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$
                     type: string
                   lastUpdateTime:
                     description: LastUpdateTime is the timestamp corresponding to

diff --git a/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml b/config/crd/bases/source.toolkit.fluxcd.io_helmrepositories.yaml
@@ -369,7 +369,12 @@ spec:
                   reconciliation.
                 properties:
                   checksum:
-                    description: Checksum is the SHA256 checksum of the Artifact file.
+                    description: 'Checksum is the SHA256 checksum of the Artifact
+                      file. Deprecated: use Artifact.Digest instead.'
+                    type: string
+                  digest:
+                    description: Digest is the digest of the file in the form of '<algorithm>:<checksum>'.
+                    pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$
                     type: string
                   lastUpdateTime:
                     description: LastUpdateTime is the timestamp corresponding to

diff --git a/config/crd/bases/source.toolkit.fluxcd.io_ocirepositories.yaml b/config/crd/bases/source.toolkit.fluxcd.io_ocirepositories.yaml
@@ -195,7 +195,12 @@ spec:
                   OCI Repository sync.
                 properties:
                   checksum:
-                    description: Checksum is the SHA256 checksum of the Artifact file.
+                    description: 'Checksum is the SHA256 checksum of the Artifact
+                      file. Deprecated: use Artifact.Digest instead.'
+                    type: string
+                  digest:
+                    description: Digest is the digest of the file in the form of '<algorithm>:<checksum>'.
+                    pattern: ^[a-z0-9]+(?:[.+_-][a-z0-9]+)*:[a-zA-Z0-9=_-]+$
                     type: string
                   lastUpdateTime:
                     description: LastUpdateTime is the timestamp corresponding to

diff --git a/controllers/artifact.go b/controllers/artifact.go
@@ -37,25 +37,3 @@ outer:
 	}
 	return false
 }
-
-// hasArtifactUpdated returns true if any of the revisions in the current artifacts
-// does not match any of the artifacts in the updated artifacts
-// NOTE: artifactSet is a replacement for this. Remove this once it's not used
-// anywhere.
-func hasArtifactUpdated(current []*sourcev1.Artifact, updated []*sourcev1.Artifact) bool {
-	if len(current) != len(updated) {
-		return true
-	}
-
-OUTER:
-	for _, c := range current {
-		for _, u := range updated {
-			if u.HasRevision(c.Revision) {
-				continue OUTER
-			}
-		}
-		return true
-	}
-
-	return false
-}