sonatype-nexus-community / nexus-repository-helm

At the Helm, Helm Yeah, v k8s
Eclipse Public License 1.0

Provenance Files #19

Closed gsexton closed 4 years ago

gsexton commented 6 years ago

I'm trying to upload a provenance file as part of a helm chart and it's throwing an error. Here's what I'm doing:

curl -v --user user-automation:xxxxxxxxxxxxxx --insecure -X POST \
  'https://nexustest.somedomain.com/service/rest/v1/components?repository=some-repo' \
  -F helm.asset1=@some-artifact-1.0.0.tgz \
  -F helm.asset2=@some-artifact-1.0.0.tgz.prov
…
< HTTP/1.1 400 Bad Request
[{"id":"*","message":"The assets 1 and 2 have identical coordinates"}]

Do you have any idea of what I'm doing wrong?

Also, should I be able to set values like helm.app_version or helm.maintainers as fields in my post?

Thanks.

DarthHater commented 6 years ago

There is no route yet to allow these to get uploaded, so you aren't doing anything wrong!

Right now the only matcher I have for Hosted (for uploading files) is:

https://github.com/sonatype-nexus-community/nexus-repository-helm/blob/master/src/main/java/org/sonatype/repository/helm/internal/hosted/HelmHostedRecipe.groovy#L126

If we want to add provenance files, we need to likely handle them as another asset type, and likely save them attached to the component for the chart.

On your other questions, I'm not sure! Does Helm normally set those? Point me at some specs and I'll take some ganders.

DarthHater commented 6 years ago

I'm going to start a branch for this @gsexton but it will be incomplete, maybe we can elaborate it together!

DarthHater commented 6 years ago

There are some more wrinkles with handling this, as I look at it:

gsexton commented 6 years ago

Wouldn't a provenance file be another asset of the component?

DarthHater commented 6 years ago

Yeah, we just need to attach to it, and that can be interesting (say the provenance file gets uploaded before the chart). Not rocket science, but it's just another step, and as a result of that, we need to know the coordinates. You can in theory get these from the filename, but we tend to avoid doing that as some people have wacky naming conventions, so the best spot to get them from seems like the .prov file, which is fun because it's a mix of yaml and not yaml by the looks of it.

gsexton commented 6 years ago

For my particular case, I would either upload the .prov file along with the helm chart, or after the fact. I can't think of a case where I would upload it before. Of course there's the chance that the http request contains both files and the .prov is the first one presented.

wu105 commented 6 years ago

My understanding is that the chart package file name and the provenance file name are generated by helm according to the Chart.yaml content and are thus standardized, and usable as a unique id after being trimmed of both the .tgz and .prov file extensions.

Using the names might allow the repo to list the .prov file along with its package file if present, and simply store a .prov file and make it available when requested, without further processing of the prov file.

Having a .prov file without its package file in the repo would be tolerable.
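
The two approaches discussed above (coordinates read from the .prov body versus derived from the file name) can be compared directly. The following Python is an added example, not code from this thread or from the project; it assumes Helm's documented .prov layout (a PGP clearsigned block holding the Chart.yaml, a `...` line, then a `files:` map of sha256 digests), and the function names and sample data are constructed. It does not verify the PGP signature, so the parsed values are untrusted input until that is done separately.

```python
import hashlib
import re

def parse_prov(text):
    """Return (chart_fields, {filename: sha256_hex}) from a .prov file; signature NOT verified."""
    lines = text.splitlines()
    start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----") + 1
    end = lines.index("-----BEGIN PGP SIGNATURE-----")
    while lines[start].strip():        # skip armor headers ("Hash: ...") up to the blank line
        start += 1
    # Undo RFC 4880 dash-escaping: signed lines that began with "-" carry a "- " prefix.
    body = [l[2:] if l.startswith("- ") else l for l in lines[start + 1:end]]
    split = body.index("...")          # YAML document-end marker between Chart.yaml and files
    chart, files = {}, {}
    for l in body[:split]:
        m = re.match(r"^([A-Za-z]\w*):\s*(.+)$", l)   # top-level scalar keys only
        if m:
            chart[m.group(1)] = m.group(2).strip().strip("'\"")
    for l in body[split + 1:]:
        m = re.match(r"^\s+(\S+):\s*sha256:([0-9a-f]{64})$", l)
        if m:
            files[m.group(1)] = m.group(2)
    return chart, files

def check_upload(chart_filename, chart_bytes, prov_text):
    """Compare an uploaded chart with its .prov; return a list of problems (empty = consistent)."""
    chart, files = parse_prov(prov_text)
    problems = []
    expected = f"{chart.get('name')}-{chart.get('version')}.tgz"
    if chart_filename != expected:
        problems.append(f"filename {chart_filename!r} != coordinates {expected!r}")
    if files.get(chart_filename) != hashlib.sha256(chart_bytes).hexdigest():
        problems.append("sha256 of chart does not match the .prov files entry")
    return problems

# Constructed sample: stand-in chart bytes and a .prov body with a placeholder signature.
SAMPLE_CHART = b"constructed stand-in for some-artifact-1.0.0.tgz"
SAMPLE_PROV = "\n".join([
    "-----BEGIN PGP SIGNED MESSAGE-----", "Hash: SHA512", "",
    "apiVersion: v1", "maintainers:", "- - name: example",
    "name: some-artifact", "version: 1.0.0", "", "...", "files:",
    "  some-artifact-1.0.0.tgz: sha256:" + hashlib.sha256(SAMPLE_CHART).hexdigest(),
    "-----BEGIN PGP SIGNATURE-----", "", "PLACEHOLDER", "-----END PGP SIGNATURE-----",
])

if __name__ == "__main__":
    print(parse_prov(SAMPLE_PROV)[0])
    print(check_upload("some-artifact-1.0.0.tgz", SAMPLE_CHART, SAMPLE_PROV))
```
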

mlukaretkyi commented 4 years ago

Hi guys. We have implemented support for provenance files, and it will be available in a future NXRM release.