chore: detect splitbrain (#463)

zreigz · web-flow · commit 92d42a12ce91 · 2025-06-13T16:02:42.000+02:00
* detect splitbrain

* make /.kube writable

* add emptyDir volume for /.kube
diff --git a/Dockerfile b/Dockerfile
@@ -31,7 +31,9 @@ RUN curl -L https://get.helm.sh/helm-${HELM_VERSION}-linux-${TARGETARCH}.tar.gz
 FROM alpine:3.21
 WORKDIR /workspace
 
-RUN mkdir /.kube && chown 65532:65532 /.kube
+RUN mkdir /.kube && \
+    chown 65532:65532 /.kube && \
+    chmod 700 /.kube
 
 COPY --from=builder /workspace/deployment-agent .
 # Copy Helm binary from builder
diff --git a/charts/deployment-operator/templates/deployment.yaml b/charts/deployment-operator/templates/deployment.yaml
@@ -67,6 +67,9 @@ spec:
           volumeMounts:
             - name: temp
               mountPath: /tmp
+            - name: kube-dir
+              mountPath: /.kube
+              readOnly: false
           {{- range $cert := .Values.certs }}
             - name: {{ $cert.name }}
               mountPath: "/etc/ssl/certs/{{ $cert.file }}"
@@ -154,6 +157,8 @@ spec:
       volumes:
         - name: temp
           emptyDir: {}
+        - name: kube-dir
+          emptyDir: {}
         - name: service-account-token-volume
           projected:
             defaultMode: 0444
diff --git a/pkg/manifests/cache.go b/pkg/manifests/cache.go
@@ -61,7 +61,7 @@ func (c *ManifestCache) Fetch(svc *console.ServiceDeploymentForAgent) (string, e
 		return "", err
 	}
 
-	dir, err := fetch(tarballURL.String(), c.token)
+	dir, err := fetch(tarballURL.String(), c.token, sha)
 	if err != nil {
 		return "", err
 	}
diff --git a/pkg/manifests/tarball.go b/pkg/manifests/tarball.go
@@ -9,6 +9,8 @@ import (
 	"time"
 )
 
+const pluralDigestHeader = "x-plrl-digest"
+
 var (
 	timeout = 60 * time.Second
 	client  = &http.Client{
@@ -20,7 +22,7 @@ var (
 )
 
 func getBody(url, token string) (string, error) {
-	resp, err := getReader(url, token)
+	resp, _, err := getReader(url, token)
 	if err != nil {
 		return "", err
 	}
@@ -35,33 +37,33 @@ func getBody(url, token string) (string, error) {
 	return string(body), nil
 }
 
-func getReader(url, token string) (io.ReadCloser, error) {
+func getReader(url, token string) (io.ReadCloser, http.Header, error) {
 	req, err := http.NewRequest(http.MethodGet, url, nil)
 	if err != nil {
-		return nil, err
+		return nil, nil, err
 	}
 	req.Header.Add("Authorization", "Token "+token)
 
 	for i := 0; i < 3; i++ {
-		resp, retriable, err := doRequest(req)
+		resp, header, retriable, err := doRequest(req)
 		if err != nil {
 			if !retriable {
-				return nil, err
+				return nil, nil, err
 			}
 
 			time.Sleep(time.Duration(50*(i+1)) * time.Millisecond)
 			continue
 		}
 
-		return resp, nil
+		return resp, header, nil
 	}
-	return nil, fmt.Errorf("could not fetch manifest, retries exhaused: %w", err)
+	return nil, nil, fmt.Errorf("could not fetch manifest, retries exhaused: %w", err)
 }
 
-func doRequest(req *http.Request) (io.ReadCloser, bool, error) {
+func doRequest(req *http.Request) (io.ReadCloser, http.Header, bool, error) {
 	resp, err := client.Do(req)
 	if err != nil {
-		return nil, false, err
+		return nil, nil, false, err
 	}
 
 	if resp.StatusCode != http.StatusOK {
@@ -71,13 +73,13 @@ func doRequest(req *http.Request) (io.ReadCloser, bool, error) {
 		err := fmt.Errorf("could not fetch manifest, error code %d", resp.StatusCode)
 
 		if resp.StatusCode == http.StatusTooManyRequests {
-			return nil, true, err
+			return nil, nil, true, err
 		}
 
-		return nil, false, err
+		return nil, nil, false, err
 	}
 
-	return resp.Body, false, nil
+	return resp.Body, resp.Header, false, nil
 }
 
 func fetchSha(consoleURL, token, serviceID string) (string, error) {
@@ -89,18 +91,21 @@ func fetchSha(consoleURL, token, serviceID string) (string, error) {
 	return getBody(url, token)
 }
 
-func fetch(url, token string) (string, error) {
+func fetch(url, token, sha string) (string, error) {
 	dir, err := os.MkdirTemp("", "manifests")
 	if err != nil {
 		return "", err
 	}
 
-	resp, err := getReader(url, token)
+	resp, header, err := getReader(url, token)
 	if err != nil {
 		return "", err
 	}
-
 	defer resp.Close()
+	tarballSha := header.Get(pluralDigestHeader)
+	if tarballSha != "" && sha != tarballSha {
+		return "", fmt.Errorf("tarball sha expected %s actual %s", sha, tarballSha)
+	}
 
 	log.V(1).Info("finished request to", "url", url)
 
diff --git a/pkg/manifests/tarball_test.go b/pkg/manifests/tarball_test.go
@@ -97,7 +97,7 @@ func TestFetch_Success(t *testing.T) {
 	}))
 	defer server.Close()
 
-	dir, err := fetch(server.URL, "dummy-token")
+	dir, err := fetch(server.URL, "dummy-token", "")
 	if err != nil {
 		t.Fatalf("fetch failed: %v", err)
 	}

Original file line number	Diff line number	Diff line change
`@@ -61,7 +61,7 @@ func (c ManifestCache) Fetch(svc console.ServiceDeploymentForAgent) (string, e`
`61`	`61`	`return "", err`
`62`	`62`	`}`
`63`	`63`
`64`		`- dir, err := fetch(tarballURL.String(), c.token)`
	`64`	`+ dir, err := fetch(tarballURL.String(), c.token, sha)`
`65`	`65`	`if err != nil {`
`66`	`66`	`return "", err`
`67`	`67`	`}`
Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,8 @@ import (`
`9`	`9`	`"time"`
`10`	`10`	`)`
`11`	`11`
	`12`	`+const pluralDigestHeader = "x-plrl-digest"`
	`13`	`+`
`12`	`14`	`var (`
`13`	`15`	`timeout = 60 * time.Second`
`14`	`16`	`client = &http.Client{`
`@@ -20,7 +22,7 @@ var (`
`20`	`22`	`)`
`21`	`23`
`22`	`24`	`func getBody(url, token string) (string, error) {`
`23`		`- resp, err := getReader(url, token)`
	`25`	`+ resp, _, err := getReader(url, token)`
`24`	`26`	`if err != nil {`
`25`	`27`	`return "", err`
`26`	`28`	`}`
`@@ -35,33 +37,33 @@ func getBody(url, token string) (string, error) {`
`35`	`37`	`return string(body), nil`
`36`	`38`	`}`
`37`	`39`
`38`		`-func getReader(url, token string) (io.ReadCloser, error) {`
	`40`	`+func getReader(url, token string) (io.ReadCloser, http.Header, error) {`
`39`	`41`	`req, err := http.NewRequest(http.MethodGet, url, nil)`
`40`	`42`	`if err != nil {`
`41`		`- return nil, err`
	`43`	`+ return nil, nil, err`
`42`	`44`	`}`
`43`	`45`	`req.Header.Add("Authorization", "Token "+token)`
`44`	`46`
`45`	`47`	`for i := 0; i < 3; i++ {`
`46`		`- resp, retriable, err := doRequest(req)`
	`48`	`+ resp, header, retriable, err := doRequest(req)`
`47`	`49`	`if err != nil {`
`48`	`50`	`if !retriable {`
`49`		`- return nil, err`
	`51`	`+ return nil, nil, err`
`50`	`52`	`}`
`51`	`53`
`52`	`54`	`time.Sleep(time.Duration(50(i+1)) time.Millisecond)`
`53`	`55`	`continue`
`54`	`56`	`}`
`55`	`57`
`56`		`- return resp, nil`
	`58`	`+ return resp, header, nil`
`57`	`59`	`}`
`58`		`- return nil, fmt.Errorf("could not fetch manifest, retries exhaused: %w", err)`
	`60`	`+ return nil, nil, fmt.Errorf("could not fetch manifest, retries exhaused: %w", err)`
`59`	`61`	`}`
`60`	`62`
`61`		`-func doRequest(req *http.Request) (io.ReadCloser, bool, error) {`
	`63`	`+func doRequest(req *http.Request) (io.ReadCloser, http.Header, bool, error) {`
`62`	`64`	`resp, err := client.Do(req)`
`63`	`65`	`if err != nil {`
`64`		`- return nil, false, err`
	`66`	`+ return nil, nil, false, err`
`65`	`67`	`}`
`66`	`68`
`67`	`69`	`if resp.StatusCode != http.StatusOK {`
`@@ -71,13 +73,13 @@ func doRequest(req *http.Request) (io.ReadCloser, bool, error) {`
`71`	`73`	`err := fmt.Errorf("could not fetch manifest, error code %d", resp.StatusCode)`
`72`	`74`
`73`	`75`	`if resp.StatusCode == http.StatusTooManyRequests {`
`74`		`- return nil, true, err`
	`76`	`+ return nil, nil, true, err`
`75`	`77`	`}`
`76`	`78`
`77`		`- return nil, false, err`
	`79`	`+ return nil, nil, false, err`
`78`	`80`	`}`
`79`	`81`
`80`		`- return resp.Body, false, nil`
	`82`	`+ return resp.Body, resp.Header, false, nil`
`81`	`83`	`}`
`82`	`84`
`83`	`85`	`func fetchSha(consoleURL, token, serviceID string) (string, error) {`
`@@ -89,18 +91,21 @@ func fetchSha(consoleURL, token, serviceID string) (string, error) {`
`89`	`91`	`return getBody(url, token)`
`90`	`92`	`}`
`91`	`93`
`92`		`-func fetch(url, token string) (string, error) {`
	`94`	`+func fetch(url, token, sha string) (string, error) {`
`93`	`95`	`dir, err := os.MkdirTemp("", "manifests")`
`94`	`96`	`if err != nil {`
`95`	`97`	`return "", err`
`96`	`98`	`}`
`97`	`99`
`98`		`- resp, err := getReader(url, token)`
	`100`	`+ resp, header, err := getReader(url, token)`
`99`	`101`	`if err != nil {`
`100`	`102`	`return "", err`
`101`	`103`	`}`
`102`		`-`
`103`	`104`	`defer resp.Close()`
	`105`	`+ tarballSha := header.Get(pluralDigestHeader)`
	`106`	`+ if tarballSha != "" && sha != tarballSha {`
	`107`	`+ return "", fmt.Errorf("tarball sha expected %s actual %s", sha, tarballSha)`
	`108`	`+ }`
`104`	`109`
`105`	`110`	`log.V(1).Info("finished request to", "url", url)`
`106`	`111`
Original file line number	Diff line number	Diff line change
`@@ -97,7 +97,7 @@ func TestFetch_Success(t *testing.T) {`
`97`	`97`	`}))`
`98`	`98`	`defer server.Close()`
`99`	`99`
`100`		`- dir, err := fetch(server.URL, "dummy-token")`
	`100`	`+ dir, err := fetch(server.URL, "dummy-token", "")`
`101`	`101`	`if err != nil {`
`102`	`102`	`t.Fatalf("fetch failed: %v", err)`
`103`	`103`	`}`