Skip to content

Extend HTTP Resolver spec to support optional hash field #8759

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
aThorp96 opened this issue May 12, 2025 · 3 comments
Open

Extend HTTP Resolver spec to support optional hash field #8759

aThorp96 opened this issue May 12, 2025 · 3 comments
Labels
help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/feature Categorizes issue or PR as related to a new feature.

Comments

@aThorp96
Copy link
Contributor

Feature request

Add an optional hash, digest, or more appropriately named field to the HTTP resolver spec in which a user provides a hash of the content at the URL. If the field is populated, http resolver would enforce that the http response's content hashes to the same value.

The http resolver could also have a configuration setting to require this field.

Use case

As a security-minded Tekton user, I prefer using resolvers which have some security guarantees. The git resolver provides guarantees via git hashes and the bundles resolver provides similar guarantees via the bundle digest. However in some cases the http resolver is necessary, but as of right now there are no mechanisms to guarantee the content received from the http request is the content I expect. Further, in order to better secure the pipelines I would like to enforce that anyone authoring pipelineruns in my cluster are using secure practices.
@aThorp96 aThorp96 added the kind/feature Categorizes issue or PR as related to a new feature. label May 12, 2025
@aThorp96
Copy link
Contributor Author

CC @lcarva

@afrittoli
Copy link
Member

@aThorp96 Thanks! Shall we mark this as "help wanted" or is this something you're going to work on yourself?

@vdemeester vdemeester added the help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. label May 12, 2025
@aThorp96
Copy link
Contributor Author

@afrittoli I may work on this in the next few months but it could be a little bit before I can get around to it. No objection to the help wanted label

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/feature Categorizes issue or PR as related to a new feature.
Projects
Tekton Community Roadmap
Status: Todo
Milestone
No milestone
Development

No branches or pull requests
3 participants
@vdemeester @afrittoli @aThorp96
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy