ensure OCI artifacts are handled strictly by digest

[errordeveloper]

Currently artifact revision (i.e. digest) is obtain here:

source-controller/internal/controller/ocirepository_controller.go

Lines 392 to 393 in 53ee3a3

	// Get the upstream revision from the artifact digest
	revision, err := r.getRevision(url, opts.craneOpts)

It is also observed as a condition here:

source-controller/internal/controller/ocirepository_controller.go

Lines 408 to 417 in 53ee3a3

	message := fmt.Sprintf("new revision '%s' for '%s'", revision, url)
	if obj.GetArtifact() != nil {
	conditions.MarkTrue(obj, sourcev1.ArtifactOutdatedCondition, "NewRevision", message)
	}
	rreconcile.ProgressiveStatus(true, obj, meta.ProgressingReason, "building artifact: %s", message)
	if err := sp.Patch(ctx, obj, r.patchOptions...); err != nil {
	ctrl.LoggerFrom(ctx).Error(err, "failed to patch")
	return
	}
	}

However, verification and fetching is only done by URL, and it's possible there is an update in registry in between all of these calls:

source-controller/internal/controller/ocirepository_controller.go

Line 431 in 53ee3a3

err := r.verifySignature(ctx, obj, url, opts.verifyOpts...)

source-controller/internal/controller/ocirepository_controller.go

Lines 455 to 456 in 53ee3a3

	// Pull artifact from the remote container registry
	img, err := crane.Pull(url, opts.craneOpts...)

There maybe other race coditions. It will be easy enough to address this and reinfoce use of the same digest for all of the registry API calls.

[stefanprodan]

We could make getRevision return also the digestURL and pass that to all sequential functions.

[errordeveloper]

#1244 will changed some of the underlying code, but this flow remains intact.

[errordeveloper]

We could make getRevision return also the digestURL and pass that to all sequential functions.

Exactly! I would also want to check how artifacts are stored as well, as I'm not familiar with that part yet.

[stefanprodan]

Flux has an internal artifact format common to all source types which is a gzip tarball with stripped file header info. The digest of a Flux artifact is advertised in .status.artifact.digest and all consumers (kustomize-controller, helm-controller, tf-controller, etc) verify the integrity of the artifact before the contents is extracted. The internal artifacts acquisition and verification is handled by https://github.com/fluxcd/pkg/blob/main/http/fetch/archive_fetcher.go.