feat: Add DynamoDB based locking to prevent race conditions in index.yaml generation

Mathew Robinson · Mathew Robinson · commit 7beeea35672d · 2024-07-24T09:15:48.000+01:00
I have set this up so it is sufficiently abstracted that other lock backends could be added in the future. Fixes hypnoglow#18
diff --git a/cmd/helm-s3/delete.go b/cmd/helm-s3/delete.go
@@ -10,11 +10,12 @@ import (
 	"github.com/hypnoglow/helm-s3/internal/awss3"
 	"github.com/hypnoglow/helm-s3/internal/awsutil"
 	"github.com/hypnoglow/helm-s3/internal/helmutil"
+	"github.com/hypnoglow/helm-s3/internal/locks"
 )
 
 const deleteDesc = `This command removes a chart from the repository.
 
-'helm s3 init' takes two arguments:
+'helm s3 delete' takes two arguments:
 - NAME - name of the chart to delete,
 - REPO - target repository.
 `
@@ -44,6 +45,8 @@ func newDeleteCommand(opts *options) *cobra.Command {
 		RunE: func(cmd *cobra.Command, args []string) error {
 			act.printer = cmd
 			act.acl = opts.acl
+			act.dynamodbLockTableName = opts.dynamodbLockTableName
+			act.lockTimeoutSeconds = opts.lockTimeoutSeconds
 			act.chartName = args[0]
 			act.repoName = args[1]
 			return act.run(cmd.Context())
@@ -62,7 +65,9 @@ type deleteAction struct {
 
 	// global flags
 
-	acl string
+	acl                   string
+	dynamodbLockTableName string
+	lockTimeoutSeconds    int
 
 	// args
 
@@ -87,6 +92,23 @@ func (act *deleteAction) run(ctx context.Context) error {
 	storage := awss3.New(sess)
 
 	// Fetch current index.
+	var lock locks.Lock
+	if act.dynamodbLockTableName != "" {
+		lock, err = locks.NewDynamoDBLockWithDefaultConfig(act.dynamodbLockTableName)
+		if err != nil {
+			return errors.WithMessage(err, "loading AWS config")
+		}
+	} else {
+		lock = locks.NewFalseLock()
+	}
+
+	lockID := awss3.LockID(repoEntry.IndexURL())
+	err = locks.WaitForLock(ctx, lock, lockID, act.lockTimeoutSeconds)
+	if err != nil {
+		return errors.WithMessage(err, "waiting for index.yaml lock")
+	}
+	defer lock.Unlock(ctx, lockID)
+
 	b, err := storage.FetchRaw(ctx, repoEntry.IndexURL())
 	if err != nil {
 		return errors.WithMessage(err, "fetch current repo index")
diff --git a/cmd/helm-s3/lock.go b/cmd/helm-s3/lock.go
@@ -0,0 +1,69 @@
+package main
+
+import (
+	"context"
+
+	"github.com/hypnoglow/helm-s3/internal/awss3"
+	"github.com/hypnoglow/helm-s3/internal/helmutil"
+	"github.com/hypnoglow/helm-s3/internal/locks"
+	"github.com/spf13/cobra"
+)
+
+const lockDesc = `This command creates or removes dynamodb locks for a repository.
+
+'helm s3 lock' takes one argument:
+- REPO - target repository.
+`
+
+const lockExample = `  helm s3 lock my-repo - creates a dyanmodb lock for 'my-repo'.
+  helm s3 lock --unlock my-repo - removes the dynamodb lock for 'my-repo'`
+
+func newLockCommand(opts *options) *cobra.Command {
+	act := &lockAction{}
+
+	cmd := &cobra.Command{
+		Use:     "lock REPO",
+		Short:   "Lock or unlock the given repository.",
+		Long:    lockDesc,
+		Example: lockExample,
+		Args:    wrapPositionalArgsBadUsage(cobra.ExactArgs(1)),
+		ValidArgsFunction: func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
+			// No completions for the NAME and REPO arguments.
+			return nil, cobra.ShellCompDirectiveNoFileComp
+		},
+		RunE: func(cmd *cobra.Command, args []string) error {
+			repoEntry, err := helmutil.LookupRepoEntry(args[0])
+			if err != nil {
+				return err
+			}
+
+			act.lock, err = locks.NewDynamoDBLockWithDefaultConfig(opts.dynamodbLockTableName)
+			if err != nil {
+				return err
+			}
+
+			act.lockID = awss3.LockID(repoEntry.URL())
+			return act.run(cmd.Context())
+		},
+	}
+
+	flags := cmd.Flags()
+	flags.BoolVar(&act.unlock, "unlock", act.unlock, "If provided unlock the lock instead of acquiring it.")
+	_ = cobra.MarkFlagRequired(flags, "version")
+
+	return cmd
+}
+
+type lockAction struct {
+	lock   locks.Lock
+	unlock bool
+	lockID string
+}
+
+func (act *lockAction) run(ctx context.Context) error {
+	if act.unlock {
+		return act.lock.Unlock(ctx, act.lockID)
+	}
+
+	return act.lock.Lock(ctx, act.lockID)
+}
diff --git a/cmd/helm-s3/options.go b/cmd/helm-s3/options.go
@@ -7,16 +7,21 @@ import (
 
 // options represents global command options (global flags).
 type options struct {
-	timeout time.Duration
-	acl     string
-	verbose bool
+	timeout               time.Duration
+	acl                   string
+	verbose               bool
+	dynamodbLockTableName string
+	lockTimeoutSeconds    int
 }
 
 // newDefaultOptions returns default options.
 func newDefaultOptions() *options {
 	return &options{
-		timeout: 5 * time.Minute,
-		acl:     os.Getenv("S3_ACL"),
-		verbose: false,
+		timeout:               5 * time.Minute,
+		acl:                   os.Getenv("S3_ACL"),
+		verbose:               false,
+		dynamodbLockTableName: "",
+		// default to 10 minutes
+		lockTimeoutSeconds: 10 * 60,
 	}
 }
diff --git a/cmd/helm-s3/push.go b/cmd/helm-s3/push.go
@@ -11,6 +11,7 @@ import (
 	"github.com/hypnoglow/helm-s3/internal/awss3"
 	"github.com/hypnoglow/helm-s3/internal/awsutil"
 	"github.com/hypnoglow/helm-s3/internal/helmutil"
+	"github.com/hypnoglow/helm-s3/internal/locks"
 )
 
 const pushDesc = `This command uploads a chart to the repository.
@@ -57,6 +58,8 @@ func newPushCommand(opts *options) *cobra.Command {
 		RunE: func(cmd *cobra.Command, args []string) error {
 			act.printer = cmd
 			act.acl = opts.acl
+			act.dynamodbLockTableName = opts.dynamodbLockTableName
+			act.lockTimeoutSeconds = opts.lockTimeoutSeconds
 			act.chartPath = args[0]
 			act.repoName = args[1]
 			return act.run(cmd.Context())
@@ -85,7 +88,9 @@ type pushAction struct {
 
 	// global args
 
-	acl string
+	acl                   string
+	lockTimeoutSeconds    int
+	dynamodbLockTableName string
 
 	// args
 
@@ -197,6 +202,23 @@ func (act *pushAction) run(ctx context.Context) error {
 
 	// Fetch current index, update it and upload it back.
 
+	var lock locks.Lock
+	if act.dynamodbLockTableName != "" {
+		lock, err = locks.NewDynamoDBLockWithDefaultConfig(act.dynamodbLockTableName)
+		if err != nil {
+			return errors.WithMessage(err, "loading AWS config")
+		}
+	} else {
+		lock = locks.NewFalseLock()
+	}
+
+	lockID := awss3.LockID(repoEntry.IndexURL())
+	err = locks.WaitForLock(ctx, lock, lockID, act.lockTimeoutSeconds)
+	if err != nil {
+		return errors.WithMessage(err, "waiting for index.yaml lock")
+	}
+	defer lock.Unlock(ctx, lockID)
+
 	b, err := storage.FetchRaw(ctx, repoEntry.IndexURL())
 	if err != nil {
 		return errors.WithMessage(err, "fetch current repo index")
diff --git a/cmd/helm-s3/reindex.go b/cmd/helm-s3/reindex.go
@@ -10,6 +10,7 @@ import (
 	"github.com/hypnoglow/helm-s3/internal/awss3"
 	"github.com/hypnoglow/helm-s3/internal/awsutil"
 	"github.com/hypnoglow/helm-s3/internal/helmutil"
+	"github.com/hypnoglow/helm-s3/internal/locks"
 )
 
 const reindexDesc = `This command performs a reindex of the repository.
@@ -59,8 +60,10 @@ type reindexAction struct {
 
 	// global flags
 
-	acl     string
-	verbose bool
+	acl                   string
+	verbose               bool
+	dynamodbLockTableName string
+	lockTimeoutSeconds    int
 
 	// args
 
@@ -85,6 +88,23 @@ func (act *reindexAction) run(ctx context.Context) error {
 
 	items, errs := storage.Traverse(ctx, repoEntry.URL())
 
+	var lock locks.Lock
+	if act.dynamodbLockTableName != "" {
+		lock, err = locks.NewDynamoDBLockWithDefaultConfig(act.dynamodbLockTableName)
+		if err != nil {
+			return errors.WithMessage(err, "loading AWS config")
+		}
+	} else {
+		lock = locks.NewFalseLock()
+	}
+
+	lockID := awss3.LockID(repoEntry.IndexURL())
+	err = locks.WaitForLock(ctx, lock, lockID, act.lockTimeoutSeconds)
+	if err != nil {
+		return errors.WithMessage(err, "waiting for index.yaml lock")
+	}
+	defer lock.Unlock(ctx, lockID)
+
 	builtIndex := make(chan helmutil.Index, 1)
 	go func() {
 		idx := helmutil.NewIndex()
diff --git a/cmd/helm-s3/root.go b/cmd/helm-s3/root.go
@@ -77,6 +77,8 @@ func newRootCmd() *cobra.Command {
 	flags.StringVar(&opts.acl, "acl", opts.acl, "S3 Object ACL to use for charts and indexes. Can be sourced from S3_ACL environment variable.")
 	flags.DurationVar(&opts.timeout, "timeout", opts.timeout, "Timeout for the whole operation to complete.")
 	flags.BoolVar(&opts.verbose, "verbose", opts.verbose, "Enable verbose output.")
+	flags.StringVar(&opts.dynamodbLockTableName, "lock-table-name", opts.dynamodbLockTableName, "DynamoDB table name to use for distributed locking.")
+	flags.IntVar(&opts.lockTimeoutSeconds, "lock-timeout", opts.lockTimeoutSeconds, "How long to wait for a lock to be free in seconds")
 
 	cmd.SetFlagErrorFunc(func(command *cobra.Command, err error) error {
 		return newBadUsageError(err)
@@ -92,6 +94,7 @@ func newRootCmd() *cobra.Command {
 		newReindexCommand(opts),
 		newDeleteCommand(opts),
 		newVersionCommand(),
+		newLockCommand(opts),
 	)
 
 	return cmd
diff --git a/go.mod b/go.mod
@@ -22,6 +22,21 @@ require (
 	github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
 	github.com/BurntSushi/toml v1.3.2 // indirect
 	github.com/Microsoft/hcsshim v0.11.4 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.30.3 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.27.27 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.27 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.11 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.15 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/dynamodb v1.34.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.9.16 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.17 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.22.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.30.3 // indirect
+	github.com/aws/smithy-go v1.20.3 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/containerd/containerd v1.7.12 // indirect
diff --git a/go.sum b/go.sum
@@ -20,6 +20,36 @@ github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuy
 github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0=
 github.com/aws/aws-sdk-go v1.54.20 h1:FZ2UcXya7bUkvkpf7TaPmiL7EubK0go1nlXGLRwEsoo=
 github.com/aws/aws-sdk-go v1.54.20/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
+github.com/aws/aws-sdk-go-v2 v1.30.3 h1:jUeBtG0Ih+ZIFH0F4UkmL9w3cSpaMv9tYYDbzILP8dY=
+github.com/aws/aws-sdk-go-v2 v1.30.3/go.mod h1:nIQjQVp5sfpQcTc9mPSr1B0PaWK5ByX9MOoDadSN4lc=
+github.com/aws/aws-sdk-go-v2/config v1.27.27 h1:HdqgGt1OAP0HkEDDShEl0oSYa9ZZBSOmKpdpsDMdO90=
+github.com/aws/aws-sdk-go-v2/config v1.27.27/go.mod h1:MVYamCg76dFNINkZFu4n4RjDixhVr51HLj4ErWzrVwg=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.27 h1:2raNba6gr2IfA0eqqiP2XiQ0UVOpGPgDSi0I9iAP+UI=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.27/go.mod h1:gniiwbGahQByxan6YjQUMcW4Aov6bLC3m+evgcoN4r4=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.11 h1:KreluoV8FZDEtI6Co2xuNk/UqI9iwMrOx/87PBNIKqw=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.11/go.mod h1:SeSUYBLsMYFoRvHE0Tjvn7kbxaUhl75CJi1sbfhMxkU=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.15 h1:SoNJ4RlFEQEbtDcCEt+QG56MY4fm4W8rYirAmq+/DdU=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.15/go.mod h1:U9ke74k1n2bf+RIgoX1SXFed1HLs51OgUSs+Ph0KJP8=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15 h1:C6WHdGnTDIYETAm5iErQUiVNsclNx9qbJVPIt03B6bI=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15/go.mod h1:ZQLZqhcu+JhSrA9/NXRm8SkDvsycE+JkV3WGY41e+IM=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY=
+github.com/aws/aws-sdk-go-v2/service/dynamodb v1.34.3 h1:nEhZKd1JQ4EB1tekcqW1oIVpDC1ZFrjrp/cLC5MXjFQ=
+github.com/aws/aws-sdk-go-v2/service/dynamodb v1.34.3/go.mod h1:q9vzW3Xr1KEXa8n4waHiFt1PrppNDlMymlYP+xpsFbY=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3 h1:dT3MqvGhSoaIhRseqw2I0yH81l7wiR2vjs57O51EAm8=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3/go.mod h1:GlAeCkHwugxdHaueRr4nhPuY+WW+gR8UjlcqzPr1SPI=
+github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.9.16 h1:lhAX5f7KpgwyieXjbDnRTjPEUI0l3emSRyxXj1PXP8w=
+github.com/aws/aws-sdk-go-v2/service/internal/endpoint-discovery v1.9.16/go.mod h1:AblAlCwvi7Q/SFowvckgN+8M3uFPlopSYeLlbNDArhA=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.17 h1:HGErhhrxZlQ044RiM+WdoZxp0p+EGM62y3L6pwA4olE=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.17/go.mod h1:RkZEx4l0EHYDJpWppMJ3nD9wZJAa8/0lq9aVC+r2UII=
+github.com/aws/aws-sdk-go-v2/service/sso v1.22.4 h1:BXx0ZIxvrJdSgSvKTZ+yRBeSqqgPM89VPlulEcl37tM=
+github.com/aws/aws-sdk-go-v2/service/sso v1.22.4/go.mod h1:ooyCOXjvJEsUw7x+ZDHeISPMhtwI3ZCB7ggFMcFfWLU=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.4 h1:yiwVzJW2ZxZTurVbYWA7QOrAaCYQR72t0wrSBfoesUE=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.4/go.mod h1:0oxfLkpz3rQ/CHlx5hB7H69YUpFiI1tql6Q6Ne+1bCw=
+github.com/aws/aws-sdk-go-v2/service/sts v1.30.3 h1:ZsDKRLXGWHk8WdtyYMoGNO7bTudrvuKpDKgMVRlepGE=
+github.com/aws/aws-sdk-go-v2/service/sts v1.30.3/go.mod h1:zwySh8fpFyXp9yOr/KVzxOl8SRqgf/IDw5aUt9UKFcQ=
+github.com/aws/smithy-go v1.20.3 h1:ryHwveWzPV5BIof6fyDvor6V3iUL7nTfiTKXHiW05nE=
+github.com/aws/smithy-go v1.20.3/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
diff --git a/internal/awss3/lock.go b/internal/awss3/lock.go
@@ -0,0 +1,13 @@
+package awss3
+
+import "fmt"
+
+// LockID returns the lockID for the bucket specified by the given URI.
+func LockID(uri string) string {
+	bucket, _, err := parseURI(uri)
+	if err != nil {
+		return ""
+	}
+
+	return fmt.Sprintf("lock/%s", bucket)
+}
diff --git a/internal/locks/dynamodb.go b/internal/locks/dynamodb.go
diff --git a/internal/locks/false.go b/internal/locks/false.go
diff --git a/internal/locks/lock.go b/internal/locks/lock.go
