Ability to disable checksum check #71

Closed
Surgery-Jake opened this issue Dec 16, 2021 · 3 comments · Fixed by #72

Comments

Surgery-Jake commented Dec 16, 2021

Due to promtail not having support for journald (grafana/loki#1459), I have to build the binary locally and upload it to a file server. This means that the checksum part fails when changing promtail_dist_url.

To get around this I added a variable called promtail_check_checksum and replaced

checksum: "sha256:{{ __promtail_checksum }}"

with

checksum: "{{ ('sha256:' ~ __promtail_checksum) if promtail_check_checksum else '' }}"

I don't know if this is something worth adding as a PR or if I should just leave the role edited locally?

@patrickjahns
Owner

Thanks for reaching out.

I very much understand your use-case - one idea/thought at this point: Would it make sense to provide a custom checksum instead of just disabling the check?

One upside could be that, instead of fetching the checksums by default (which is also prone to man-in-the-middle attacks), one can provide the checksum upfront to ensure that the correct artifact is delivered.
And in your case, you would have the added benefit of being able to also have a bit more "supply-chain" security when you generate the binaries and checksum them before uploading.

What do you think?

@Surgery-Jake
Author

I think that the ability to provide a custom checksum is a great idea. I would be happy to work on it.

@patrickjahns
Owner

@Surgery-Jake
Sorry for the delayed response - please feel free to create a PR with that feature - happy to accept it :-)
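
The custom-checksum approach proposed in this thread, sketched as an added example (not code from this role or from the pull request that closed the issue): the digest is computed on the build host and pinned in inventory, so verification never has to be switched off for a self-built binary. The variable `promtail_custom_checksum`, the file names, the URL and the destination path are assumptions, and the digest is a placeholder.

```yaml
# Added example. Only promtail_dist_url comes from the thread; every other
# name and value here is hypothetical or constructed.
#
# On the build host, before uploading the self-built archive:
#   sha256sum promtail-linux-amd64.zip
# Carry the printed digest into inventory over a channel other than the
# file server, so a tampered upload cannot also supply a matching digest.
---
# group_vars/all.yml (constructed values)
promtail_dist_url: "https://files.example.internal/promtail/promtail-linux-amd64.zip"
promtail_custom_checksum: "sha256:<64-hex-digest-from-build-host>"  # placeholder

---
# tasks/install.yml
- name: Refuse to continue without a well-formed pinned digest
  ansible.builtin.assert:
    that:
      - promtail_custom_checksum is defined
      - "promtail_custom_checksum is match('^sha256:[0-9a-f]{64}$')"
    fail_msg: "Set promtail_custom_checksum to sha256:<hex digest> of the uploaded archive"

- name: Download the promtail archive and verify it against the pinned digest
  ansible.builtin.get_url:
    url: "{{ promtail_dist_url }}"
    dest: "/tmp/promtail-linux-amd64.zip"
    # Weak form from the workaround above: an empty checksum skips verification.
    # Pinned form: a digest mismatch fails the task.
    checksum: "{{ promtail_custom_checksum }}"
    mode: "0644"
```

The assert task fails on the placeholder as written, which is the intended behaviour until a real digest from the build host is supplied.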
