Merge branch 'main' into delete-unused-var

Signed-off-by: zyfy29 <wasuremono127@gmail.com>

.github/workflows/build-test.yml

@@ -28,6 +28,8 @@ jobs:
           check-latest: true
       - name: Test source headers are present
         run: make test-source-headers
+      - name: Check if go modules need to be tidied
+        run: go mod tidy -diff
       - name: Run unit tests
         run: make test-coverage
       - name: Test build

.github/workflows/stale.yaml

@@ -7,7 +7,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
+    - uses: actions/stale@3a9db7e6a41a89f618792c92c0e97cc736e1b13f # v10.0.0
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         stale-issue-message: 'This issue has been marked as stale because it has been open for 90 days with no activity. This thread will be automatically closed in 30 days if no further activity occurs.'

.gitignore

@@ -2,7 +2,7 @@
 *.swp
 .DS_Store
 .coverage/
-.idea/
+.idea
 .vimrc
 .vscode/
 .devcontainer/

.golangci.yml

@@ -33,6 +33,7 @@ linters:
     - usetesting
 
   exclusions:
+  
     generated: lax
 
     presets:
@@ -41,7 +42,10 @@ linters:
       - legacy
       - std-error-handling
 
-    rules: []
+    rules:
+      - linters:
+          - revive
+        text: 'var-naming: avoid meaningless package names'
 
     warn-unused: true
 

Makefile

@@ -13,9 +13,9 @@ GOX           = $(GOBIN)/gox
 GOIMPORTS     = $(GOBIN)/goimports
 ARCH          = $(shell go env GOARCH)
 
-ACCEPTANCE_DIR:=../acceptance-testing
+ACCEPTANCE_DIR := ../acceptance-testing
 # To specify the subset of acceptance tests to run. '.' means all tests
-ACCEPTANCE_RUN_TESTS=.
+ACCEPTANCE_RUN_TESTS = .
 
 # go option
 PKG         := ./...
@@ -63,10 +63,12 @@ K8S_MODULES_VER=$(subst ., ,$(subst v,,$(shell go list -f '{{.Version}}' -m k8s.
 K8S_MODULES_MAJOR_VER=$(shell echo $$(($(firstword $(K8S_MODULES_VER)) + 1)))
 K8S_MODULES_MINOR_VER=$(word 2,$(K8S_MODULES_VER))
 
-LDFLAGS += -X helm.sh/helm/v4/pkg/lint/rules.k8sVersionMajor=$(K8S_MODULES_MAJOR_VER)
+LDFLAGS += -X helm.sh/helm/v4/pkg/chart/v2/lint/rules.k8sVersionMajor=$(K8S_MODULES_MAJOR_VER)
-LDFLAGS += -X helm.sh/helm/v4/pkg/lint/rules.k8sVersionMinor=$(K8S_MODULES_MINOR_VER)
+LDFLAGS += -X helm.sh/helm/v4/pkg/chart/v2/lint/rules.k8sVersionMinor=$(K8S_MODULES_MINOR_VER)
-LDFLAGS += -X helm.sh/helm/v4/pkg/chart/v2/util.k8sVersionMajor=$(K8S_MODULES_MAJOR_VER)
+LDFLAGS += -X helm.sh/helm/v4/pkg/internal/v3/lint/rules.k8sVersionMajor=$(K8S_MODULES_MAJOR_VER)
-LDFLAGS += -X helm.sh/helm/v4/pkg/chart/v2/util.k8sVersionMinor=$(K8S_MODULES_MINOR_VER)
+LDFLAGS += -X helm.sh/helm/v4/pkg/internal/v3/lint/rules.k8sVersionMinor=$(K8S_MODULES_MINOR_VER)
+LDFLAGS += -X helm.sh/helm/v4/pkg/chart/common/util.k8sVersionMajor=$(K8S_MODULES_MAJOR_VER)
+LDFLAGS += -X helm.sh/helm/v4/pkg/chart/common/util.k8sVersionMinor=$(K8S_MODULES_MINOR_VER)
 
 .PHONY: all
 all: build
@@ -75,7 +77,7 @@ all: build
 #  build
 
 .PHONY: build
-build: $(BINDIR)/$(BINNAME)
+build: $(BINDIR)/$(BINNAME) tidy
 
 $(BINDIR)/$(BINNAME): $(SRC)
 	CGO_ENABLED=$(CGO_ENABLED) go build $(GOFLAGS) -trimpath -tags '$(TAGS)' -ldflags '$(LDFLAGS)' -o '$(BINDIR)'/$(BINNAME) ./cmd/helm
@@ -112,14 +114,16 @@ test-unit:
 # based on older versions, this is run separately. When run without the ldflags in the unit test (above) or coverage
 # test, it still passes with a false-positive result as the resources shouldn’t be deprecated in the older Kubernetes
 # version if it only starts failing with the latest.
-	go test $(GOFLAGS) -run ^TestHelmCreateChart_CheckDeprecatedWarnings$$ ./pkg/lint/ $(TESTFLAGS) -ldflags '$(LDFLAGS)'
+	go test $(GOFLAGS) -run ^TestHelmCreateChart_CheckDeprecatedWarnings$$ ./pkg/chart/v2/lint/ $(TESTFLAGS) -ldflags '$(LDFLAGS)'
+	go test $(GOFLAGS) -run ^TestHelmCreateChart_CheckDeprecatedWarnings$$ ./internal/chart/v3/lint/ $(TESTFLAGS) -ldflags '$(LDFLAGS)'
 
 
+# To run the coverage for a specific package use: make test-coverage PKG=./pkg/action
 .PHONY: test-coverage
 test-coverage:
 	@echo
-	@echo "==> Running unit tests with coverage <=="
+	@echo "==> Running unit tests with coverage: $(PKG) <=="
-	@ ./scripts/coverage.sh
+	@ ./scripts/coverage.sh $(PKG)
 
 .PHONY: test-style
 test-style:
@@ -145,10 +149,6 @@ test-acceptance: build build-cross
 test-acceptance-completion: ACCEPTANCE_RUN_TESTS = shells.robot
 test-acceptance-completion: test-acceptance
 
-.PHONY: coverage
-coverage:
-	@scripts/coverage.sh
-
 .PHONY: format
 format: $(GOIMPORTS)
 	go list -f '{{.Dir}}' ./... | xargs $(GOIMPORTS) -w -local helm.sh/helm
@@ -227,22 +227,23 @@ clean:
 
 .PHONY: release-notes
 release-notes:
-		@if [ ! -d "./_dist" ]; then \
+	@if [ ! -d "./_dist" ]; then \
-			echo "please run 'make fetch-dist' first" && \
+		echo "please run 'make fetch-dist' first" && \
-			exit 1; \
+		exit 1; \
-		fi
+	fi
-		@if [ -z "${PREVIOUS_RELEASE}" ]; then \
+	@if [ -z "${PREVIOUS_RELEASE}" ]; then \
-			echo "please set PREVIOUS_RELEASE environment variable" \
+		echo "please set PREVIOUS_RELEASE environment variable" && \
-			&& exit 1; \
+		exit 1; \
-		fi
+	fi
-
+	@./scripts/release-notes.sh ${PREVIOUS_RELEASE} ${VERSION}
-		@./scripts/release-notes.sh ${PREVIOUS_RELEASE} ${VERSION}
-
-
 
 .PHONY: info
 info:
-	 @echo "Version:           ${VERSION}"
+	@echo "Version:           ${VERSION}"
-	 @echo "Git Tag:           ${GIT_TAG}"
+	@echo "Git Tag:           ${GIT_TAG}"
-	 @echo "Git Commit:        ${GIT_COMMIT}"
+	@echo "Git Commit:        ${GIT_COMMIT}"
-	 @echo "Git Tree State:    ${GIT_DIRTY}"
+	@echo "Git Tree State:    ${GIT_DIRTY}"
+
+.PHONY: tidy
+tidy:
+	go mod tidy

cmd/helm/helm.go

@@ -41,11 +41,9 @@ func main() {
 	}
 
 	if err := cmd.Execute(); err != nil {
-		switch e := err.(type) {
+		if cerr, ok := err.(helmcmd.CommandError); ok {
-		case helmcmd.PluginError:
+			os.Exit(cerr.ExitCode)
-			os.Exit(e.Code)
-		default:
-			os.Exit(1)
 		}
+		os.Exit(1)
 	}
 }

cmd/helm/helm_test.go

@@ -22,11 +22,13 @@ import (
 	"os/exec"
 	"runtime"
 	"testing"
+
+	"github.com/stretchr/testify/assert"
 )
 
-func TestPluginExitCode(t *testing.T) {
+func TestCliPluginExitCode(t *testing.T) {
 	if os.Getenv("RUN_MAIN_FOR_TESTING") == "1" {
-		os.Args = []string{"helm", "exitwith", "2"}
+		os.Args = []string{"helm", "exitwith", "43"}
 
 		// We DO call helm's main() here. So this looks like a normal `helm` process.
 		main()
@@ -43,7 +45,7 @@ func TestPluginExitCode(t *testing.T) {
 		// So that the second run is able to run main() and this first run can verify the exit status returned by that.
 		//
 		// This technique originates from https://talks.golang.org/2014/testing.slide#23.
-		cmd := exec.Command(os.Args[0], "-test.run=TestPluginExitCode")
+		cmd := exec.Command(os.Args[0], "-test.run=TestCliPluginExitCode")
 		cmd.Env = append(
 			os.Environ(),
 			"RUN_MAIN_FOR_TESTING=1",
@@ -57,23 +59,21 @@ func TestPluginExitCode(t *testing.T) {
 		cmd.Stdout = stdout
 		cmd.Stderr = stderr
 		err := cmd.Run()
-		exiterr, ok := err.(*exec.ExitError)
 
+		exiterr, ok := err.(*exec.ExitError)
 		if !ok {
-			t.Fatalf("Unexpected error returned by os.Exit: %T", err)
+			t.Fatalf("Unexpected error type returned by os.Exit: %T", err)
 		}
 
-		if stdout.String() != "" {
+		assert.Empty(t, stdout.String())
-			t.Errorf("Expected no write to stdout: Got %q", stdout.String())
-		}
 
 		expectedStderr := "Error: plugin \"exitwith\" exited with error\n"
 		if stderr.String() != expectedStderr {
 			t.Errorf("Expected %q written to stderr: Got %q", expectedStderr, stderr.String())
 		}
 
-		if exiterr.ExitCode() != 2 {
+		if exiterr.ExitCode() != 43 {
-			t.Errorf("Expected exit code 2: Got %d", exiterr.ExitCode())
+			t.Errorf("Expected exit code 43: Got %d", exiterr.ExitCode())
 		}
 	}
 }

go.mod

@@ -14,6 +14,7 @@ require (
 	github.com/cyphar/filepath-securejoin v0.4.1
 	github.com/distribution/distribution/v3 v3.0.0
 	github.com/evanphx/json-patch/v5 v5.9.11
+	github.com/extism/go-sdk v1.7.1
 	github.com/fatih/color v1.18.0
 	github.com/fluxcd/cli-utils v0.36.0-flux.14
 	github.com/foxcpp/go-mockdns v1.1.0
@@ -25,28 +26,29 @@ require (
 	github.com/mattn/go-shellwords v1.0.12
 	github.com/mitchellh/copystructure v1.2.0
 	github.com/moby/term v0.5.2
-	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/opencontainers/go-digest v1.0.0
 	github.com/opencontainers/image-spec v1.1.1
 	github.com/rubenv/sql-migrate v1.8.0
 	github.com/santhosh-tekuri/jsonschema/v6 v6.0.2
-	github.com/spf13/cobra v1.9.1
+	github.com/spf13/cobra v1.10.1
-	github.com/spf13/pflag v1.0.7
+	github.com/spf13/pflag v1.0.10
-	github.com/stretchr/testify v1.11.0
+	github.com/stretchr/testify v1.11.1
+	github.com/tetratelabs/wazero v1.9.0
 	go.yaml.in/yaml/v3 v3.0.4
-	golang.org/x/crypto v0.41.0
+	golang.org/x/crypto v0.42.0
-	golang.org/x/term v0.34.0
+	golang.org/x/term v0.35.0
-	golang.org/x/text v0.28.0
+	golang.org/x/text v0.29.0
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/api v0.33.4
+	k8s.io/api v0.34.1
-	k8s.io/apiextensions-apiserver v0.33.4
+	k8s.io/apiextensions-apiserver v0.34.1
-	k8s.io/apimachinery v0.33.4
+	k8s.io/apimachinery v0.34.1
-	k8s.io/apiserver v0.33.4
+	k8s.io/apiserver v0.34.1
-	k8s.io/cli-runtime v0.33.4
+	k8s.io/cli-runtime v0.34.1
-	k8s.io/client-go v0.33.4
+	k8s.io/client-go v0.34.1
 	k8s.io/klog/v2 v2.130.1
-	k8s.io/kubectl v0.33.4
+	k8s.io/kubectl v0.34.1
 	oras.land/oras-go/v2 v2.6.0
-	sigs.k8s.io/controller-runtime v0.21.0
+	sigs.k8s.io/controller-runtime v0.22.1
 	sigs.k8s.io/kustomize/kyaml v0.20.1
 	sigs.k8s.io/yaml v1.6.0
 )
@@ -59,7 +61,6 @@ require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/bshuster-repo/logrus-logstash-hook v1.0.0 // indirect
-	github.com/carapace-sh/carapace-shlex v1.0.1 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/chai2010/gettext-go v1.0.2 // indirect
@@ -71,10 +72,11 @@ require (
 	github.com/docker/docker-credential-helpers v0.8.2 // indirect
 	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
 	github.com/docker/go-metrics v0.0.1 // indirect
+	github.com/dylibso/observe-sdk/go v0.0.0-20240819160327-2d926c5d788a // indirect
 	github.com/emicklei/go-restful/v3 v3.12.2 // indirect
 	github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/fxamacker/cbor/v2 v2.8.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
 	github.com/go-errors/errors v1.5.1 // indirect
 	github.com/go-gorp/gorp/v3 v3.1.0 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
@@ -91,10 +93,11 @@ require (
 	github.com/gorilla/mux v1.8.1 // indirect
 	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 // indirect
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.24.0 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 // indirect
 	github.com/hashicorp/golang-lru/arc/v2 v2.0.5 // indirect
 	github.com/hashicorp/golang-lru/v2 v2.0.5 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
+	github.com/ianlancetaylor/demangle v0.0.0-20240805132620-81f5be970eca // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
@@ -111,7 +114,7 @@ require (
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/moby/spdystream v0.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
@@ -130,6 +133,7 @@ require (
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/spf13/cast v1.7.0 // indirect
+	github.com/tetratelabs/wabin v0.0.0-20230304001439-f6f874872834 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xlab/treeprint v1.2.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
@@ -141,8 +145,8 @@ require (
 	go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.8.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.32.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.32.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.33.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.32.0 // indirect
 	go.opentelemetry.io/otel/exporters/prometheus v0.54.0 // indirect
 	go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.8.0 // indirect
@@ -150,31 +154,31 @@ require (
 	go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.32.0 // indirect
 	go.opentelemetry.io/otel/log v0.8.0 // indirect
 	go.opentelemetry.io/otel/metric v1.37.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.33.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.34.0 // indirect
 	go.opentelemetry.io/otel/sdk/log v0.8.0 // indirect
-	go.opentelemetry.io/otel/sdk/metric v1.32.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.34.0 // indirect
 	go.opentelemetry.io/otel/trace v1.37.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.4.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
-	golang.org/x/mod v0.26.0 // indirect
+	golang.org/x/mod v0.27.0 // indirect
-	golang.org/x/net v0.42.0 // indirect
+	golang.org/x/net v0.43.0 // indirect
 	golang.org/x/oauth2 v0.30.0 // indirect
-	golang.org/x/sync v0.16.0 // indirect
+	golang.org/x/sync v0.17.0 // indirect
-	golang.org/x/sys v0.35.0 // indirect
+	golang.org/x/sys v0.36.0 // indirect
 	golang.org/x/time v0.12.0 // indirect
-	golang.org/x/tools v0.35.0 // indirect
+	golang.org/x/tools v0.36.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb // indirect
-	google.golang.org/grpc v1.68.1 // indirect
+	google.golang.org/grpc v1.72.1 // indirect
 	google.golang.org/protobuf v1.36.6 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	k8s.io/component-base v0.33.4 // indirect
+	k8s.io/component-base v0.34.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20250701173324-9bd5c66d9911 // indirect
+	k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect
 	k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 // indirect
 	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
-	sigs.k8s.io/kustomize/api v0.20.0 // indirect
+	sigs.k8s.io/kustomize/api v0.20.1 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.7.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v6 v6.3.0 // indirect
 )

go.sum

@@ -42,8 +42,6 @@ github.com/bsm/ginkgo/v2 v2.12.0/go.mod h1:SwYbGRRDovPVboqFv0tPTcG1sN61LM1Z4ARdb
 github.com/bsm/gomega v1.26.0/go.mod h1:JyEr/xRbxbtgWNi8tIEVPUYZ5Dzef52k01W3YH0H+O0=
 github.com/bsm/gomega v1.27.10 h1:yeMWxP2pV2fG3FgAODIY8EiRE3dy0aeFYt4l7wh6yKA=
 github.com/bsm/gomega v1.27.10/go.mod h1:JyEr/xRbxbtgWNi8tIEVPUYZ5Dzef52k01W3YH0H+O0=
-github.com/carapace-sh/carapace-shlex v1.0.1 h1:ww0JCgWpOVuqWG7k3724pJ18Lq8gh5pHQs9j3ojUs1c=
-github.com/carapace-sh/carapace-shlex v1.0.1/go.mod h1:lJ4ZsdxytE0wHJ8Ta9S7Qq0XpjgjU0mdfCqiI2FHx7M=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
@@ -77,12 +75,16 @@ github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c h1:+pKlWGMw7gf6bQ
 github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA=
 github.com/docker/go-metrics v0.0.1 h1:AgB/0SvBxihN0X8OR4SjsblXkbMvalQ8cjmtKQ2rQV8=
 github.com/docker/go-metrics v0.0.1/go.mod h1:cG1hvH2utMXtqgqqYE9plW6lDxS3/5ayHzueweSI3Vw=
+github.com/dylibso/observe-sdk/go v0.0.0-20240819160327-2d926c5d788a h1:UwSIFv5g5lIvbGgtf3tVwC7Ky9rmMFBp0RMs+6f6YqE=
+github.com/dylibso/observe-sdk/go v0.0.0-20240819160327-2d926c5d788a/go.mod h1:C8DzXehI4zAbrdlbtOByKX6pfivJTBiV9Jjqv56Yd9Q=
 github.com/emicklei/go-restful/v3 v3.12.2 h1:DhwDP0vY3k8ZzE0RunuJy8GhNpPL6zqLkDf9B/a0/xU=
 github.com/emicklei/go-restful/v3 v3.12.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/evanphx/json-patch/v5 v5.9.11 h1:/8HVnzMq13/3x9TPvjG08wUGqBTmZBsCWzjTM0wiaDU=
 github.com/evanphx/json-patch/v5 v5.9.11/go.mod h1:3j+LviiESTElxA4p3EMKAB9HXj3/XEtnUf6OZxqIQTM=
 github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f h1:Wl78ApPPB2Wvf/TIe2xdyJxTlb6obmF18d8QdkxNDu4=
 github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f/go.mod h1:OSYXu++VVOHnXeitef/D8n/6y4QV8uLHSFXX4NeXMGc=
+github.com/extism/go-sdk v1.7.1 h1:lWJos6uY+tRFdlIHR+SJjwFDApY7OypS/2nMhiVQ9Sw=
+github.com/extism/go-sdk v1.7.1/go.mod h1:IT+Xdg5AZM9hVtpFUA+uZCJMge/hbvshl8bwzLtFyKA=
 github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
 github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
@@ -93,8 +95,8 @@ github.com/foxcpp/go-mockdns v1.1.0 h1:jI0rD8M0wuYAxL7r/ynTrCQQq0BVqfB99Vgk7Dlme
 github.com/foxcpp/go-mockdns v1.1.0/go.mod h1:IhLeSFGed3mJIAXPH2aiRQB+kqz7oqu8ld2qVbOu7Wk=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
-github.com/fxamacker/cbor/v2 v2.8.0 h1:fFtUGXUzXPHTIUdne5+zzMPTfffl3RD5qYnkY40vtxU=
+github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
-github.com/fxamacker/cbor/v2 v2.8.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
+github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
 github.com/go-errors/errors v1.5.1 h1:ZwEMSLRCapFLflTpT7NKaAc7ukJ8ZPEjzlxt8rPN8bk=
 github.com/go-errors/errors v1.5.1/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
 github.com/go-gorp/gorp/v3 v3.1.0 h1:ItKF/Vbuj31dmV4jxA1qblpSwkl9g1typ24xoe70IGs=
@@ -138,7 +140,6 @@ github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl76
 github.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo=
 github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -156,14 +157,16 @@ github.com/gosuri/uitable v0.0.4 h1:IG2xLKRvErL3uhY6e1BylFzG+aJiwQviDDTfOKeKTpY=
 github.com/gosuri/uitable v0.0.4/go.mod h1:tKR86bXuXPZazfOTG1FIzvjIdXzd0mo4Vtn16vt0PJo=
 github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA=
 github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.24.0 h1:TmHmbvxPmaegwhDubVz0lICL0J5Ka2vwTzhoePEXsGE=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 h1:5ZPtiqj0JL5oKWmcsq4VMaAW5ukBEgSGXEN89zeH1Jo=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.24.0/go.mod h1:qztMSjm835F2bXf+5HKAPIS5qsmQDqZna/PgVt4rWtI=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3/go.mod h1:ndYquD05frm2vACXE1nsccT4oJzjhw2arTS2cpUD1PI=
 github.com/hashicorp/golang-lru/arc/v2 v2.0.5 h1:l2zaLDubNhW4XO3LnliVj0GXO3+/CGNJAg1dcN2Fpfw=
 github.com/hashicorp/golang-lru/arc/v2 v2.0.5/go.mod h1:ny6zBSQZi2JxIeYcv7kt2sH2PXJtirBN7RDhRpxPkxU=
 github.com/hashicorp/golang-lru/v2 v2.0.5 h1:wW7h1TG88eUIJ2i69gaE3uNVtEPIagzhGvHgwfx2Vm4=
 github.com/hashicorp/golang-lru/v2 v2.0.5/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
 github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI=
 github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
+github.com/ianlancetaylor/demangle v0.0.0-20240805132620-81f5be970eca h1:T54Ema1DU8ngI+aef9ZhAhNGQhcRTrWxVeG07F+c/Rw=
+github.com/ianlancetaylor/demangle v0.0.0-20240805132620-81f5be970eca/go.mod h1:gx7rwoVhcfuVKG5uya9Hs3Sxj7EIvldVofAWIUtGouw=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jmoiron/sqlx v1.4.0 h1:1PLqN7S1UYp5t4SrVVnt4nUVNemrDAtxlulVe+Qgm3o=
@@ -227,8 +230,9 @@ github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8=
+github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 h1:n6/2gBQ3RWajuToeY6ZtZTIKv2v7ThUy5KKusIT0yc0=
 github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00/go.mod h1:Pm3mSP3c5uWn86xMLZ5Sa7JB9GsEZySvHYXCTK4E9q4=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
@@ -296,11 +300,11 @@ github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/spf13/cast v1.7.0 h1:ntdiHjuueXFgm5nzDRdOS4yfT43P5Fnud6DH50rz/7w=
 github.com/spf13/cast v1.7.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
-github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
+github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s=
-github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
+github.com/spf13/cobra v1.10.1/go.mod h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4XaB0=
-github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/spf13/pflag v1.0.7 h1:vN6T9TfwStFPFM5XzjsvmzZkLuaLX+HS+0SeFLRgU6M=
+github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
-github.com/spf13/pflag v1.0.7/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
@@ -309,8 +313,12 @@ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXf
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.11.0 h1:ib4sjIrwZKxE5u/Japgo/7SJV3PvgjGiRNAvTVGqQl8=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
-github.com/stretchr/testify v1.11.0/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/tetratelabs/wabin v0.0.0-20230304001439-f6f874872834 h1:ZF+QBjOI+tILZjBaFj3HgFonKXUcwgJ4djLb6i42S3Q=
+github.com/tetratelabs/wabin v0.0.0-20230304001439-f6f874872834/go.mod h1:m9ymHTgNSEjuxvw8E7WWe4Pl4hZQHXONY8wE6dMLaRk=
+github.com/tetratelabs/wazero v1.9.0 h1:IcZ56OuxrtaEz8UYNRHBrUa9bYeX9oVY93KspZZBf/I=
+github.com/tetratelabs/wazero v1.9.0/go.mod h1:TSbcXCfFP0L2FGkRPxHphadXPjo1T6W+CseNNY7EkjM=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ=
@@ -336,10 +344,10 @@ go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.32.0 h1:j7Z
 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.32.0/go.mod h1:WXbYJTUaZXAbYd8lbgGuvih0yuCfOFC5RJoYnoLcGz8=
 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.32.0 h1:t/Qur3vKSkUCcDVaSumWF2PKHt85pc7fRvFuoVT8qFU=
 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.32.0/go.mod h1:Rl61tySSdcOJWoEgYZVtmnKdA0GeKrSqkHC1t+91CH8=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0 h1:Vh5HayB/0HHfOQA7Ctx69E/Y/DcQSMPpKANYVMQ7fBA=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 h1:OeNbIYk/2C15ckl7glBlOBp5+WlYsOElzTNmiPW/x60=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0/go.mod h1:cpgtDBaqD/6ok/UG0jT15/uKjAY8mRA53diogHBg3UI=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0/go.mod h1:7Bept48yIeqxP2OZ9/AqIpYS94h2or0aB4FypJTc8ZM=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.33.0 h1:5pojmb1U1AogINhN3SurB+zm/nIcusopeBNp42f45QM=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0 h1:tgJ0uaNS4c98WRNUEx5U3aDlrDOI5Rs+1Vifcw4DJ8U=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.33.0/go.mod h1:57gTHJSE5S1tqg+EKsLPlTWhpHMsWlVmer+LA926XiA=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.34.0/go.mod h1:U7HYyW0zt/a9x5J1Kjs+r1f/d4ZHnYFclhYY2+YbeoE=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.32.0 h1:cMyu9O88joYEaI47CnQkxO1XZdpoTF9fEnW2duIddhw=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.32.0/go.mod h1:6Am3rn7P9TVVeXYG+wtcGE7IE1tsQ+bP3AuWcKt/gOI=
 go.opentelemetry.io/otel/exporters/prometheus v0.54.0 h1:rFwzp68QMgtzu9PgP3jm9XaMICI6TsofWWPcBDKwlsU=
@@ -354,16 +362,16 @@ go.opentelemetry.io/otel/log v0.8.0 h1:egZ8vV5atrUWUbnSsHn6vB8R21G2wrKqNiDt3iWer
 go.opentelemetry.io/otel/log v0.8.0/go.mod h1:M9qvDdUTRCopJcGRKg57+JSQ9LgLBrwwfC32epk5NX8=
 go.opentelemetry.io/otel/metric v1.37.0 h1:mvwbQS5m0tbmqML4NqK+e3aDiO02vsf/WgbsdpcPoZE=
 go.opentelemetry.io/otel/metric v1.37.0/go.mod h1:04wGrZurHYKOc+RKeye86GwKiTb9FKm1WHtO+4EVr2E=
-go.opentelemetry.io/otel/sdk v1.33.0 h1:iax7M131HuAm9QkZotNHEfstof92xM+N8sr3uHXc2IM=
+go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A=
-go.opentelemetry.io/otel/sdk v1.33.0/go.mod h1:A1Q5oi7/9XaMlIWzPSxLRWOI8nG3FnzHJNbiENQuihM=
+go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
 go.opentelemetry.io/otel/sdk/log v0.8.0 h1:zg7GUYXqxk1jnGF/dTdLPrK06xJdrXgqgFLnI4Crxvs=
 go.opentelemetry.io/otel/sdk/log v0.8.0/go.mod h1:50iXr0UVwQrYS45KbruFrEt4LvAdCaWWgIrsN3ZQggo=
-go.opentelemetry.io/otel/sdk/metric v1.32.0 h1:rZvFnvmvawYb0alrYkjraqJq0Z4ZUJAiyYCU9snn1CU=
+go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
-go.opentelemetry.io/otel/sdk/metric v1.32.0/go.mod h1:PWeZlq0zt9YkYAp3gjKZ0eicRYvOh1Gd+X99x6GHpCQ=
+go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
 go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4=
 go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0=
-go.opentelemetry.io/proto/otlp v1.4.0 h1:TA9WRvW6zMwP+Ssb6fLoUIuirti1gGbP28GcKG1jgeg=
+go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4=
-go.opentelemetry.io/proto/otlp v1.4.0/go.mod h1:PPBWZIP98o2ElSqI35IHfu7hIhSwvc5N38Jw8pXuGFY=
+go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
 go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
 go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
@@ -384,16 +392,16 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4=
 golang.org/x/crypto v0.15.0/go.mod h1:4ChreQoLWfG3xLDer1WdlH5NdlQ3+mwnQq1YTKY+72g=
-golang.org/x/crypto v0.41.0 h1:WKYxWedPGCTVVl5+WHSSrOBT0O8lx32+zxmHxijgXp4=
+golang.org/x/crypto v0.42.0 h1:chiH31gIWm57EkTXpwnqf8qeuMUi0yekh6mT2AvFlqI=
-golang.org/x/crypto v0.41.0/go.mod h1:pO5AFd7FA68rFak7rOAGVuygIISepHftHnr8dr6+sUc=
+golang.org/x/crypto v0.42.0/go.mod h1:4+rDnOTJhQCx2q7/j6rAN5XDw8kPjeaXEUR2eL94ix8=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.26.0 h1:EGMPT//Ezu+ylkCijjPc+f4Aih7sZvaAr+O3EHBxvZg=
+golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
-golang.org/x/mod v0.26.0/go.mod h1:/j6NAhSk8iQ723BGAUyoAcn7SlD7s15Dp9Nd/SfeaFQ=
+golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -407,8 +415,8 @@ golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE=
 golang.org/x/net v0.18.0/go.mod h1:/czyP5RqHAH4odGYxBJ1qz0+CE5WZ+2j1YgoEo8F2jQ=
-golang.org/x/net v0.42.0 h1:jzkYrhi3YQWD6MLBJcsklgQsoAcw89EcZbJw8Z614hs=
+golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
-golang.org/x/net v0.42.0/go.mod h1:FF1RA5d3u7nAYA4z2TkclSCKh68eSXtiFwcWQpPXdt8=
+golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
 golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
 golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -421,8 +429,8 @@ golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
+golang.org/x/sync v0.17.0 h1:l60nONMj9l5drqw6jlhIELNv9I0A4OFgRsG9k2oT9Ug=
-golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.17.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -442,8 +450,8 @@ golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.35.0 h1:vz1N37gP5bs89s7He8XuIYXpyY0+QlsKmzipCbUtyxI=
+golang.org/x/sys v0.36.0 h1:KVRy2GtZBrk1cBYA7MKu5bEZFxQk4NIDV6RLVcC8o0k=
-golang.org/x/sys v0.35.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.36.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
@@ -451,8 +459,8 @@ golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
 golang.org/x/term v0.14.0/go.mod h1:TySc+nGkYR6qt8km8wUhuFRTVSMIX3XPR58y2lC8vww=
-golang.org/x/term v0.34.0 h1:O/2T7POpk0ZZ7MAzMeWFSg6S5IpWd/RXDlM9hgM3DR4=
+golang.org/x/term v0.35.0 h1:bZBVKBudEyhRcajGcNc3jIfWPqV4y/Kt2XcoigOWtDQ=
-golang.org/x/term v0.34.0/go.mod h1:5jC53AEywhIVebHgPVeg0mj8OD3VO9OzclacVrqpaAw=
+golang.org/x/term v0.35.0/go.mod h1:TPGtkTLesOwf2DE8CgVYiZinHAOuy5AYUYT1lENIZnA=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
@@ -460,8 +468,8 @@ golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=
+golang.org/x/text v0.29.0 h1:1neNs90w9YzJ9BocxfsQNHKuAT4pkghyXc4nhZ6sJvk=
-golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
+golang.org/x/text v0.29.0/go.mod h1:7MhJOA9CD2qZyOKYazxdYMF85OwPdEr9jTtBpO7ydH4=
 golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
 golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -472,18 +480,18 @@ golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.15.0/go.mod h1:hpksKq4dtpQWS1uQ61JkdqWM3LscIS6Slf+VVkm+wQk=
-golang.org/x/tools v0.35.0 h1:mBffYraMEf7aa0sB+NuKnuCy8qI/9Bughn8dC2Gu5r0=
+golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
-golang.org/x/tools v0.35.0/go.mod h1:NKdj5HkL/73byiZSJjqJgKn3ep7KjFkBOkR/Hps3VPw=
+golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 h1:CkkIfIt50+lT6NHAVoRYEyAvQGFM7xEwXUUywFvEb3Q=
+google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb h1:p31xT4yrYrSM/G4Sn2+TNUkVhFCbG9y8itM2S6Th950=
-google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576/go.mod h1:1R3kvZ1dtP3+4p4d3G8uJ8rFk/fWlScl38vanWACI08=
+google.golang.org/genproto/googleapis/api v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:jbe3Bkdp+Dh2IrslsFCklNhweNTBgSYanP1UXhJDhKg=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 h1:8ZmaLZE4XWrtU3MyClkYqqtl6Oegr3235h7jxsDyqCY=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb h1:TLPQVbx1GJ8VKZxz52VAxl1EBgKXXbTiU9Fc5fZeLn4=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576/go.mod h1:5uTbfoYQed2U9p3KIj2/Zzm02PYhndfdmML0qC3q3FU=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250303144028-a0af3efb3deb/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I=
-google.golang.org/grpc v1.68.1 h1:oI5oTa11+ng8r8XMMN7jAOmWfPZWbYpCFaMUTACxkM0=
+google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA=
-google.golang.org/grpc v1.68.1/go.mod h1:+q1XYFJjShcqn0QZHvCyeR4CXPA+llXIeUIfIe00waw=
+google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
 google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
 google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
@@ -500,43 +508,41 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/api v0.33.4 h1:oTzrFVNPXBjMu0IlpA2eDDIU49jsuEorGHB4cvKupkk=
+k8s.io/api v0.34.1 h1:jC+153630BMdlFukegoEL8E/yT7aLyQkIVuwhmwDgJM=
-k8s.io/api v0.33.4/go.mod h1:VHQZ4cuxQ9sCUMESJV5+Fe8bGnqAARZ08tSTdHWfeAc=
+k8s.io/api v0.34.1/go.mod h1:SB80FxFtXn5/gwzCoN6QCtPD7Vbu5w2n1S0J5gFfTYk=
-k8s.io/apiextensions-apiserver v0.33.4 h1:rtq5SeXiDbXmSwxsF0MLe2Mtv3SwprA6wp+5qh/CrOU=
+k8s.io/apiextensions-apiserver v0.34.1 h1:NNPBva8FNAPt1iSVwIE0FsdrVriRXMsaWFMqJbII2CI=
-k8s.io/apiextensions-apiserver v0.33.4/go.mod h1:mWXcZQkQV1GQyxeIjYApuqsn/081hhXPZwZ2URuJeSs=
+k8s.io/apiextensions-apiserver v0.34.1/go.mod h1:hP9Rld3zF5Ay2Of3BeEpLAToP+l4s5UlxiHfqRaRcMc=
-k8s.io/apimachinery v0.33.4 h1:SOf/JW33TP0eppJMkIgQ+L6atlDiP/090oaX0y9pd9s=
+k8s.io/apimachinery v0.34.1 h1:dTlxFls/eikpJxmAC7MVE8oOeP1zryV7iRyIjB0gky4=
-k8s.io/apimachinery v0.33.4/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM=
+k8s.io/apimachinery v0.34.1/go.mod h1:/GwIlEcWuTX9zKIg2mbw0LRFIsXwrfoVxn+ef0X13lw=
-k8s.io/apiserver v0.33.4 h1:6N0TEVA6kASUS3owYDIFJjUH6lgN8ogQmzZvaFFj1/Y=
+k8s.io/apiserver v0.34.1 h1:U3JBGdgANK3dfFcyknWde1G6X1F4bg7PXuvlqt8lITA=
-k8s.io/apiserver v0.33.4/go.mod h1:8ODgXMnOoSPLMUg1aAzMFx+7wTJM+URil+INjbTZCok=
+k8s.io/apiserver v0.34.1/go.mod h1:eOOc9nrVqlBI1AFCvVzsob0OxtPZUCPiUJL45JOTBG0=
-k8s.io/cli-runtime v0.33.4 h1:V8NSxGfh24XzZVhXmIGzsApdBpGq0RQS2u/Fz1GvJwk=
+k8s.io/cli-runtime v0.34.1 h1:btlgAgTrYd4sk8vJTRG6zVtqBKt9ZMDeQZo2PIzbL7M=
-k8s.io/cli-runtime v0.33.4/go.mod h1:V+ilyokfqjT5OI+XE+O515K7jihtr0/uncwoyVqXaIU=
+k8s.io/cli-runtime v0.34.1/go.mod h1:aVA65c+f0MZiMUPbseU/M9l1Wo2byeaGwUuQEQVVveE=
-k8s.io/client-go v0.33.4 h1:TNH+CSu8EmXfitntjUPwaKVPN0AYMbc9F1bBS8/ABpw=
+k8s.io/client-go v0.34.1 h1:ZUPJKgXsnKwVwmKKdPfw4tB58+7/Ik3CrjOEhsiZ7mY=
-k8s.io/client-go v0.33.4/go.mod h1:LsA0+hBG2DPwovjd931L/AoaezMPX9CmBgyVyBZmbCY=
+k8s.io/client-go v0.34.1/go.mod h1:kA8v0FP+tk6sZA0yKLRG67LWjqufAoSHA2xVGKw9Of8=
-k8s.io/component-base v0.33.4 h1:Jvb/aw/tl3pfgnJ0E0qPuYLT0NwdYs1VXXYQmSuxJGY=
+k8s.io/component-base v0.34.1 h1:v7xFgG+ONhytZNFpIz5/kecwD+sUhVE6HU7qQUiRM4A=
-k8s.io/component-base v0.33.4/go.mod h1:567TeSdixWW2Xb1yYUQ7qk5Docp2kNznKL87eygY8Rc=
+k8s.io/component-base v0.34.1/go.mod h1:mknCpLlTSKHzAQJJnnHVKqjxR7gBeHRv0rPXA7gdtQ0=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20250701173324-9bd5c66d9911 h1:gAXU86Fmbr/ktY17lkHwSjw5aoThQvhnstGGIYKlKYc=
+k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA=
-k8s.io/kube-openapi v0.0.0-20250701173324-9bd5c66d9911/go.mod h1:GLOk5B+hDbRROvt0X2+hqX64v/zO3vXN7J78OUmBSKw=
+k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=
-k8s.io/kubectl v0.33.4 h1:nXEI6Vi+oB9hXxoAHyHisXolm/l1qutK3oZQMak4N98=
+k8s.io/kubectl v0.34.1 h1:1qP1oqT5Xc93K+H8J7ecpBjaz511gan89KO9Vbsh/OI=
-k8s.io/kubectl v0.33.4/go.mod h1:Xe7P9X4DfILvKmlBsVqUtzktkI56lEj22SJW7cFy6nE=
+k8s.io/kubectl v0.34.1/go.mod h1:JRYlhJpGPyk3dEmJ+BuBiOB9/dAvnrALJEiY/C5qa6A=
 k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
 k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 oras.land/oras-go/v2 v2.6.0 h1:X4ELRsiGkrbeox69+9tzTu492FMUu7zJQW6eJU+I2oc=
 oras.land/oras-go/v2 v2.6.0/go.mod h1:magiQDfG6H1O9APp+rOsvCPcW1GD2MM7vgnKY0Y+u1o=
-sigs.k8s.io/controller-runtime v0.21.0 h1:CYfjpEuicjUecRk+KAeyYh+ouUBn4llGyDYytIGcJS8=
+sigs.k8s.io/controller-runtime v0.22.1 h1:Ah1T7I+0A7ize291nJZdS1CabF/lB4E++WizgV24Eqg=
-sigs.k8s.io/controller-runtime v0.21.0/go.mod h1:OSg14+F65eWqIu4DceX7k/+QRAbTTvxeQSNSOQpukWM=
+sigs.k8s.io/controller-runtime v0.22.1/go.mod h1:FwiwRjkRPbiN+zp2QRp7wlTCzbUXxZ/D4OzuQUDwBHY=
 sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
 sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
-sigs.k8s.io/kustomize/api v0.20.0 h1:xPLqcobHI0bThyRUteO+nCV8G4d1Rlo5HafO57VRcas=
+sigs.k8s.io/kustomize/api v0.20.1 h1:iWP1Ydh3/lmldBnH/S5RXgT98vWYMaTUL1ADcr+Sv7I=
-sigs.k8s.io/kustomize/api v0.20.0/go.mod h1:F6CfaV27oevRCMJgehLqyX81dlUnRX/Fc13Uo7+OSo4=
+sigs.k8s.io/kustomize/api v0.20.1/go.mod h1:t6hUFxO+Ph0VxIk1sKp1WS0dOjbPCtLJ4p8aADLwqjM=
 sigs.k8s.io/kustomize/kyaml v0.20.1 h1:PCMnA2mrVbRP3NIB6v9kYCAc38uvFLVs8j/CD567A78=
 sigs.k8s.io/kustomize/kyaml v0.20.1/go.mod h1:0EmkQHRUsJxY8Ug9Niig1pUMSCGHxQ5RklbpV/Ri6po=
-sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
 sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
 sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
-sigs.k8s.io/structured-merge-diff/v4 v4.7.0 h1:qPeWmscJcXP0snki5IYF79Z8xrl8ETFxgMd7wez1XkI=
+sigs.k8s.io/structured-merge-diff/v6 v6.3.0 h1:jTijUJbW353oVOd9oTlifJqOGEkUw2jB/fXCbTiQEco=
-sigs.k8s.io/structured-merge-diff/v4 v4.7.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps=
+sigs.k8s.io/structured-merge-diff/v6 v6.3.0/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE=
-sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
 sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs=
 sigs.k8s.io/yaml v1.6.0/go.mod h1:796bPqUfzR/0jLAl6XjHl3Ck7MiyVv8dbTdyT3/pMf4=

internal/chart/v3/chart.go

@@ -19,6 +19,8 @@ import (
 	"path/filepath"
 	"regexp"
 	"strings"
+
+	"helm.sh/helm/v4/pkg/chart/common"
 )
 
 // APIVersionV3 is the API version number for version 3.
@@ -34,20 +36,20 @@ type Chart struct {
 	//
 	// This should not be used except in special cases like `helm show values`,
 	// where we want to display the raw values, comments and all.
-	Raw []*File `json:"-"`
+	Raw []*common.File `json:"-"`
 	// Metadata is the contents of the Chartfile.
 	Metadata *Metadata `json:"metadata"`
 	// Lock is the contents of Chart.lock.
 	Lock *Lock `json:"lock"`
 	// Templates for this chart.
-	Templates []*File `json:"templates"`
+	Templates []*common.File `json:"templates"`
 	// Values are default config for this chart.
 	Values map[string]interface{} `json:"values"`
 	// Schema is an optional JSON schema for imposing structure on Values
 	Schema []byte `json:"schema"`
 	// Files are miscellaneous files in a chart archive,
 	// e.g. README, LICENSE, etc.
-	Files []*File `json:"files"`
+	Files []*common.File `json:"files"`
 
 	parent       *Chart
 	dependencies []*Chart
@@ -59,7 +61,7 @@ type CRD struct {
 	// Filename is the File obj Name including (sub-)chart.ChartFullPath
 	Filename string
 	// File is the File obj for the crd
-	File *File
+	File *common.File
 }
 
 // SetDependencies replaces the chart dependencies.
@@ -134,8 +136,8 @@ func (ch *Chart) AppVersion() string {
 
 // CRDs returns a list of File objects in the 'crds/' directory of a Helm chart.
 // Deprecated: use CRDObjects()
-func (ch *Chart) CRDs() []*File {
+func (ch *Chart) CRDs() []*common.File {
-	files := []*File{}
+	files := []*common.File{}
 	// Find all resources in the crds/ directory
 	for _, f := range ch.Files {
 		if strings.HasPrefix(f.Name, "crds/") && hasManifestExtension(f.Name) {

internal/chart/v3/chart_test.go

@@ -20,11 +20,13 @@ import (
 	"testing"
 
 	"github.com/stretchr/testify/assert"
+
+	"helm.sh/helm/v4/pkg/chart/common"
 )
 
 func TestCRDs(t *testing.T) {
 	chrt := Chart{
-		Files: []*File{
+		Files: []*common.File{
 			{
 				Name: "crds/foo.yaml",
 				Data: []byte("hello"),
@@ -57,7 +59,7 @@ func TestCRDs(t *testing.T) {
 
 func TestSaveChartNoRawData(t *testing.T) {
 	chrt := Chart{
-		Raw: []*File{
+		Raw: []*common.File{
 			{
 				Name: "fhqwhgads.yaml",
 				Data: []byte("Everybody to the Limit"),
@@ -76,7 +78,7 @@ func TestSaveChartNoRawData(t *testing.T) {
 		t.Fatal(err)
 	}
 
-	is.Equal([]*File(nil), res.Raw)
+	is.Equal([]*common.File(nil), res.Raw)
 }
 
 func TestMetadata(t *testing.T) {
@@ -162,7 +164,7 @@ func TestChartFullPath(t *testing.T) {
 
 func TestCRDObjects(t *testing.T) {
 	chrt := Chart{
-		Files: []*File{
+		Files: []*common.File{
 			{
 				Name: "crds/foo.yaml",
 				Data: []byte("hello"),
@@ -190,7 +192,7 @@ func TestCRDObjects(t *testing.T) {
 		{
 			Name:     "crds/foo.yaml",
 			Filename: "crds/foo.yaml",
-			File: &File{
+			File: &common.File{
 				Name: "crds/foo.yaml",
 				Data: []byte("hello"),
 			},
@@ -198,7 +200,7 @@ func TestCRDObjects(t *testing.T) {
 		{
 			Name:     "crds/foo/bar/baz.yaml",
 			Filename: "crds/foo/bar/baz.yaml",
-			File: &File{
+			File: &common.File{
 				Name: "crds/foo/bar/baz.yaml",
 				Data: []byte("hello"),
 			},

internal/chart/v3/lint/lint.go

@@ -0,0 +1,66 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package lint // import "helm.sh/helm/v4/internal/chart/v3/lint"
+
+import (
+	"path/filepath"
+
+	"helm.sh/helm/v4/internal/chart/v3/lint/rules"
+	"helm.sh/helm/v4/internal/chart/v3/lint/support"
+	"helm.sh/helm/v4/pkg/chart/common"
+)
+
+type linterOptions struct {
+	KubeVersion          *common.KubeVersion
+	SkipSchemaValidation bool
+}
+
+type LinterOption func(lo *linterOptions)
+
+func WithKubeVersion(kubeVersion *common.KubeVersion) LinterOption {
+	return func(lo *linterOptions) {
+		lo.KubeVersion = kubeVersion
+	}
+}
+
+func WithSkipSchemaValidation(skipSchemaValidation bool) LinterOption {
+	return func(lo *linterOptions) {
+		lo.SkipSchemaValidation = skipSchemaValidation
+	}
+}
+
+func RunAll(baseDir string, values map[string]interface{}, namespace string, options ...LinterOption) support.Linter {
+
+	chartDir, _ := filepath.Abs(baseDir)
+
+	lo := linterOptions{}
+	for _, option := range options {
+		option(&lo)
+	}
+
+	result := support.Linter{
+		ChartDir: chartDir,
+	}
+
+	rules.Chartfile(&result)
+	rules.ValuesWithOverrides(&result, values, lo.SkipSchemaValidation)
+	rules.TemplatesWithSkipSchemaValidation(&result, values, namespace, lo.KubeVersion, lo.SkipSchemaValidation)
+	rules.Dependencies(&result)
+	rules.Crds(&result)
+
+	return result
+}

internal/chart/v3/lint/lint_test.go

@@ -23,8 +23,8 @@ import (
 
 	"github.com/stretchr/testify/assert"
 
-	chartutil "helm.sh/helm/v4/pkg/chart/v2/util"
+	"helm.sh/helm/v4/internal/chart/v3/lint/support"
-	"helm.sh/helm/v4/pkg/lint/support"
+	chartutil "helm.sh/helm/v4/internal/chart/v3/util"
 )
 
 var values map[string]interface{}
@@ -40,7 +40,7 @@ const subChartValuesDir = "rules/testdata/withsubchart"
 const malformedTemplate = "rules/testdata/malformed-template"
 const invalidChartFileDir = "rules/testdata/invalidchartfile"
 
-func TestBadChart(t *testing.T) {
+func TestBadChartV3(t *testing.T) {
 	m := RunAll(badChartDir, values, namespace).Messages
 	if len(m) != 8 {
 		t.Errorf("Number of errors %v", len(m))
@@ -60,14 +60,14 @@ func TestBadChart(t *testing.T) {
 			}
 		}
 		if msg.Severity == support.ErrorSev {
-			if strings.Contains(msg.Err.Error(), "version '0.0.0.0' is not a valid SemVer") {
+			if strings.Contains(msg.Err.Error(), "version '0.0.0.0' is not a valid SemVerV2") {
 				e = true
 			}
 			if strings.Contains(msg.Err.Error(), "name is required") {
 				e2 = true
 			}
 
-			if strings.Contains(msg.Err.Error(), "apiVersion is required. The value must be either \"v1\" or \"v2\"") {
+			if strings.Contains(msg.Err.Error(), "apiVersion is required. The value must be \"v3\"") {
 				e3 = true
 			}
 
@@ -99,9 +99,10 @@ func TestInvalidYaml(t *testing.T) {
 	}
 }
 
-func TestInvalidChartYaml(t *testing.T) {
+func TestInvalidChartYamlV3(t *testing.T) {
 	m := RunAll(invalidChartFileDir, values, namespace).Messages
-	if len(m) != 2 {
+	t.Log(m)
+	if len(m) != 3 {
 		t.Fatalf("All didn't fail with expected errors, got %#v", m)
 	}
 	if !strings.Contains(m[0].Err.Error(), "failed to strictly parse chart metadata file") {
@@ -109,7 +110,7 @@ func TestInvalidChartYaml(t *testing.T) {
 	}
 }
 
-func TestBadValues(t *testing.T) {
+func TestBadValuesV3(t *testing.T) {
 	m := RunAll(badValuesFileDir, values, namespace).Messages
 	if len(m) < 1 {
 		t.Fatalf("All didn't fail with expected errors, got %#v", m)
@@ -119,7 +120,7 @@ func TestBadValues(t *testing.T) {
 	}
 }
 
-func TestBadCrdFile(t *testing.T) {
+func TestBadCrdFileV3(t *testing.T) {
 	m := RunAll(badCrdFileDir, values, namespace).Messages
 	assert.Lenf(t, m, 2, "All didn't fail with expected errors, got %#v", m)
 	assert.ErrorContains(t, m[0].Err, "apiVersion is not in 'apiextensions.k8s.io'")

internal/chart/v3/lint/rules/chartfile.go

@@ -0,0 +1,225 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rules // import "helm.sh/helm/v4/internal/chart/v3/lint/rules"
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/Masterminds/semver/v3"
+	"github.com/asaskevich/govalidator"
+	"sigs.k8s.io/yaml"
+
+	chart "helm.sh/helm/v4/internal/chart/v3"
+	"helm.sh/helm/v4/internal/chart/v3/lint/support"
+	chartutil "helm.sh/helm/v4/internal/chart/v3/util"
+)
+
+// Chartfile runs a set of linter rules related to Chart.yaml file
+func Chartfile(linter *support.Linter) {
+	chartFileName := "Chart.yaml"
+	chartPath := filepath.Join(linter.ChartDir, chartFileName)
+
+	linter.RunLinterRule(support.ErrorSev, chartFileName, validateChartYamlNotDirectory(chartPath))
+
+	chartFile, err := chartutil.LoadChartfile(chartPath)
+	validChartFile := linter.RunLinterRule(support.ErrorSev, chartFileName, validateChartYamlFormat(err))
+
+	// Guard clause. Following linter rules require a parsable ChartFile
+	if !validChartFile {
+		return
+	}
+
+	_, err = chartutil.StrictLoadChartfile(chartPath)
+	linter.RunLinterRule(support.WarningSev, chartFileName, validateChartYamlStrictFormat(err))
+
+	// type check for Chart.yaml . ignoring error as any parse
+	// errors would already be caught in the above load function
+	chartFileForTypeCheck, _ := loadChartFileForTypeCheck(chartPath)
+
+	linter.RunLinterRule(support.ErrorSev, chartFileName, validateChartName(chartFile))
+
+	// Chart metadata
+	linter.RunLinterRule(support.ErrorSev, chartFileName, validateChartAPIVersion(chartFile))
+
+	linter.RunLinterRule(support.ErrorSev, chartFileName, validateChartVersionType(chartFileForTypeCheck))
+	linter.RunLinterRule(support.ErrorSev, chartFileName, validateChartVersion(chartFile))
+	linter.RunLinterRule(support.ErrorSev, chartFileName, validateChartAppVersionType(chartFileForTypeCheck))
+	linter.RunLinterRule(support.ErrorSev, chartFileName, validateChartMaintainer(chartFile))
+	linter.RunLinterRule(support.ErrorSev, chartFileName, validateChartSources(chartFile))
+	linter.RunLinterRule(support.InfoSev, chartFileName, validateChartIconPresence(chartFile))
+	linter.RunLinterRule(support.ErrorSev, chartFileName, validateChartIconURL(chartFile))
+	linter.RunLinterRule(support.ErrorSev, chartFileName, validateChartType(chartFile))
+	linter.RunLinterRule(support.ErrorSev, chartFileName, validateChartDependencies(chartFile))
+}
+
+func validateChartVersionType(data map[string]interface{}) error {
+	return isStringValue(data, "version")
+}
+
+func validateChartAppVersionType(data map[string]interface{}) error {
+	return isStringValue(data, "appVersion")
+}
+
+func isStringValue(data map[string]interface{}, key string) error {
+	value, ok := data[key]
+	if !ok {
+		return nil
+	}
+	valueType := fmt.Sprintf("%T", value)
+	if valueType != "string" {
+		return fmt.Errorf("%s should be of type string but it's of type %s", key, valueType)
+	}
+	return nil
+}
+
+func validateChartYamlNotDirectory(chartPath string) error {
+	fi, err := os.Stat(chartPath)
+
+	if err == nil && fi.IsDir() {
+		return errors.New("should be a file, not a directory")
+	}
+	return nil
+}
+
+func validateChartYamlFormat(chartFileError error) error {
+	if chartFileError != nil {
+		return fmt.Errorf("unable to parse YAML\n\t%w", chartFileError)
+	}
+	return nil
+}
+
+func validateChartYamlStrictFormat(chartFileError error) error {
+	if chartFileError != nil {
+		return fmt.Errorf("failed to strictly parse chart metadata file\n\t%w", chartFileError)
+	}
+	return nil
+}
+
+func validateChartName(cf *chart.Metadata) error {
+	if cf.Name == "" {
+		return errors.New("name is required")
+	}
+	name := filepath.Base(cf.Name)
+	if name != cf.Name {
+		return fmt.Errorf("chart name %q is invalid", cf.Name)
+	}
+	return nil
+}
+
+func validateChartAPIVersion(cf *chart.Metadata) error {
+	if cf.APIVersion == "" {
+		return errors.New("apiVersion is required. The value must be \"v3\"")
+	}
+
+	if cf.APIVersion != chart.APIVersionV3 {
+		return fmt.Errorf("apiVersion '%s' is not valid. The value must be \"v3\"", cf.APIVersion)
+	}
+
+	return nil
+}
+
+func validateChartVersion(cf *chart.Metadata) error {
+	if cf.Version == "" {
+		return errors.New("version is required")
+	}
+
+	version, err := semver.StrictNewVersion(cf.Version)
+	if err != nil {
+		return fmt.Errorf("version '%s' is not a valid SemVerV2", cf.Version)
+	}
+
+	c, err := semver.NewConstraint(">0.0.0-0")
+	if err != nil {
+		return err
+	}
+	valid, msg := c.Validate(version)
+
+	if !valid && len(msg) > 0 {
+		return fmt.Errorf("version %v", msg[0])
+	}
+
+	return nil
+}
+
+func validateChartMaintainer(cf *chart.Metadata) error {
+	for _, maintainer := range cf.Maintainers {
+		if maintainer == nil {
+			return errors.New("a maintainer entry is empty")
+		}
+		if maintainer.Name == "" {
+			return errors.New("each maintainer requires a name")
+		} else if maintainer.Email != "" && !govalidator.IsEmail(maintainer.Email) {
+			return fmt.Errorf("invalid email '%s' for maintainer '%s'", maintainer.Email, maintainer.Name)
+		} else if maintainer.URL != "" && !govalidator.IsURL(maintainer.URL) {
+			return fmt.Errorf("invalid url '%s' for maintainer '%s'", maintainer.URL, maintainer.Name)
+		}
+	}
+	return nil
+}
+
+func validateChartSources(cf *chart.Metadata) error {
+	for _, source := range cf.Sources {
+		if source == "" || !govalidator.IsRequestURL(source) {
+			return fmt.Errorf("invalid source URL '%s'", source)
+		}
+	}
+	return nil
+}
+
+func validateChartIconPresence(cf *chart.Metadata) error {
+	if cf.Icon == "" {
+		return errors.New("icon is recommended")
+	}
+	return nil
+}
+
+func validateChartIconURL(cf *chart.Metadata) error {
+	if cf.Icon != "" && !govalidator.IsRequestURL(cf.Icon) {
+		return fmt.Errorf("invalid icon URL '%s'", cf.Icon)
+	}
+	return nil
+}
+
+func validateChartDependencies(cf *chart.Metadata) error {
+	if len(cf.Dependencies) > 0 && cf.APIVersion != chart.APIVersionV3 {
+		return fmt.Errorf("dependencies are not valid in the Chart file with apiVersion '%s'. They are valid in apiVersion '%s'", cf.APIVersion, chart.APIVersionV3)
+	}
+	return nil
+}
+
+func validateChartType(cf *chart.Metadata) error {
+	if len(cf.Type) > 0 && cf.APIVersion != chart.APIVersionV3 {
+		return fmt.Errorf("chart type is not valid in apiVersion '%s'. It is valid in apiVersion '%s'", cf.APIVersion, chart.APIVersionV3)
+	}
+	return nil
+}
+
+// loadChartFileForTypeCheck loads the Chart.yaml
+// in a generic form of a map[string]interface{}, so that the type
+// of the values can be checked
+func loadChartFileForTypeCheck(filename string) (map[string]interface{}, error) {
+	b, err := os.ReadFile(filename)
+	if err != nil {
+		return nil, err
+	}
+	y := make(map[string]interface{})
+	err = yaml.Unmarshal(b, &y)
+	return y, err
+}

internal/chart/v3/lint/rules/chartfile_test.go

@@ -23,9 +23,9 @@ import (
 	"strings"
 	"testing"
 
-	chart "helm.sh/helm/v4/pkg/chart/v2"
+	chart "helm.sh/helm/v4/internal/chart/v3"
-	chartutil "helm.sh/helm/v4/pkg/chart/v2/util"
+	"helm.sh/helm/v4/internal/chart/v3/lint/support"
-	"helm.sh/helm/v4/pkg/lint/support"
+	chartutil "helm.sh/helm/v4/internal/chart/v3/util"
 )
 
 const (
@@ -84,9 +84,11 @@ func TestValidateChartVersion(t *testing.T) {
 		ErrorMsg string
 	}{
 		{"", "version is required"},
-		{"1.2.3.4", "version '1.2.3.4' is not a valid SemVer"},
+		{"1.2.3.4", "version '1.2.3.4' is not a valid SemVerV2"},
-		{"waps", "'waps' is not a valid SemVer"},
+		{"waps", "'waps' is not a valid SemVerV2"},
-		{"-3", "'-3' is not a valid SemVer"},
+		{"-3", "'-3' is not a valid SemVerV2"},
+		{"1.1", "'1.1' is not a valid SemVerV2"},
+		{"1", "'1' is not a valid SemVerV2"},
 	}
 
 	var successTest = []string{"0.0.1", "0.0.1+build", "0.0.1-beta"}
@@ -221,7 +223,7 @@ func TestValidateChartIconURL(t *testing.T) {
 	}
 }
 
-func TestChartfile(t *testing.T) {
+func TestV3Chartfile(t *testing.T) {
 	t.Run("Chart.yaml basic validity issues", func(t *testing.T) {
 		linter := support.Linter{ChartDir: badChartDir}
 		Chartfile(&linter)
@@ -237,7 +239,7 @@ func TestChartfile(t *testing.T) {
 			t.Errorf("Unexpected message 0: %s", msgs[0].Err)
 		}
 
-		if !strings.Contains(msgs[1].Err.Error(), "apiVersion is required. The value must be either \"v1\" or \"v2\"") {
+		if !strings.Contains(msgs[1].Err.Error(), "apiVersion is required. The value must be \"v3\"") {
 			t.Errorf("Unexpected message 1: %s", msgs[1].Err)
 		}
 
@@ -248,14 +250,6 @@ func TestChartfile(t *testing.T) {
 		if !strings.Contains(msgs[3].Err.Error(), "icon is recommended") {
 			t.Errorf("Unexpected message 3: %s", msgs[3].Err)
 		}
-
-		if !strings.Contains(msgs[4].Err.Error(), "chart type is not valid in apiVersion") {
-			t.Errorf("Unexpected message 4: %s", msgs[4].Err)
-		}
-
-		if !strings.Contains(msgs[5].Err.Error(), "dependencies are not valid in the Chart file with apiVersion") {
-			t.Errorf("Unexpected message 5: %s", msgs[5].Err)
-		}
 	})
 
 	t.Run("Chart.yaml validity issues due to type mismatch", func(t *testing.T) {

internal/chart/v3/lint/rules/crds.go

@@ -0,0 +1,113 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rules
+
+import (
+	"bytes"
+	"errors"
+	"fmt"
+	"io"
+	"io/fs"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"k8s.io/apimachinery/pkg/util/yaml"
+
+	"helm.sh/helm/v4/internal/chart/v3/lint/support"
+	"helm.sh/helm/v4/internal/chart/v3/loader"
+)
+
+// Crds lints the CRDs in the Linter.
+func Crds(linter *support.Linter) {
+	fpath := "crds/"
+	crdsPath := filepath.Join(linter.ChartDir, fpath)
+
+	// crds directory is optional
+	if _, err := os.Stat(crdsPath); errors.Is(err, fs.ErrNotExist) {
+		return
+	}
+
+	crdsDirValid := linter.RunLinterRule(support.ErrorSev, fpath, validateCrdsDir(crdsPath))
+	if !crdsDirValid {
+		return
+	}
+
+	// Load chart and parse CRDs
+	chart, err := loader.Load(linter.ChartDir)
+
+	chartLoaded := linter.RunLinterRule(support.ErrorSev, fpath, err)
+
+	if !chartLoaded {
+		return
+	}
+
+	/* Iterate over all the CRDs to check:
+	1. It is a YAML file and not a template
+	2. The API version is apiextensions.k8s.io
+	3. The kind is CustomResourceDefinition
+	*/
+	for _, crd := range chart.CRDObjects() {
+		fileName := crd.Name
+		fpath = fileName
+
+		decoder := yaml.NewYAMLOrJSONDecoder(bytes.NewReader(crd.File.Data), 4096)
+		for {
+			var yamlStruct *k8sYamlStruct
+
+			err := decoder.Decode(&yamlStruct)
+			if err == io.EOF {
+				break
+			}
+
+			// If YAML parsing fails here, it will always fail in the next block as well, so we should return here.
+			// This also confirms the YAML is not a template, since templates can't be decoded into a K8sYamlStruct.
+			if !linter.RunLinterRule(support.ErrorSev, fpath, validateYamlContent(err)) {
+				return
+			}
+
+			linter.RunLinterRule(support.ErrorSev, fpath, validateCrdAPIVersion(yamlStruct))
+			linter.RunLinterRule(support.ErrorSev, fpath, validateCrdKind(yamlStruct))
+		}
+	}
+}
+
+// Validation functions
+func validateCrdsDir(crdsPath string) error {
+	fi, err := os.Stat(crdsPath)
+	if err != nil {
+		return err
+	}
+	if !fi.IsDir() {
+		return errors.New("not a directory")
+	}
+	return nil
+}
+
+func validateCrdAPIVersion(obj *k8sYamlStruct) error {
+	if !strings.HasPrefix(obj.APIVersion, "apiextensions.k8s.io") {
+		return fmt.Errorf("apiVersion is not in 'apiextensions.k8s.io'")
+	}
+	return nil
+}
+
+func validateCrdKind(obj *k8sYamlStruct) error {
+	if obj.Kind != "CustomResourceDefinition" {
+		return fmt.Errorf("object kind is not 'CustomResourceDefinition'")
+	}
+	return nil
+}

internal/chart/v3/lint/rules/crds_test.go

@@ -0,0 +1,36 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rules
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"helm.sh/helm/v4/internal/chart/v3/lint/support"
+)
+
+const invalidCrdsDir = "./testdata/invalidcrdsdir"
+
+func TestInvalidCrdsDir(t *testing.T) {
+	linter := support.Linter{ChartDir: invalidCrdsDir}
+	Crds(&linter)
+	res := linter.Messages
+
+	assert.Len(t, res, 1)
+	assert.ErrorContains(t, res[0].Err, "not a directory")
+}

internal/chart/v3/lint/rules/dependencies.go

@@ -0,0 +1,101 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rules // import "helm.sh/helm/v4/internal/chart/v3/lint/rules"
+
+import (
+	"fmt"
+	"strings"
+
+	chart "helm.sh/helm/v4/internal/chart/v3"
+	"helm.sh/helm/v4/internal/chart/v3/lint/support"
+	"helm.sh/helm/v4/internal/chart/v3/loader"
+)
+
+// Dependencies runs lints against a chart's dependencies
+//
+// See https://github.com/helm/helm/issues/7910
+func Dependencies(linter *support.Linter) {
+	c, err := loader.LoadDir(linter.ChartDir)
+	if !linter.RunLinterRule(support.ErrorSev, "", validateChartFormat(err)) {
+		return
+	}
+
+	linter.RunLinterRule(support.ErrorSev, linter.ChartDir, validateDependencyInMetadata(c))
+	linter.RunLinterRule(support.ErrorSev, linter.ChartDir, validateDependenciesUnique(c))
+	linter.RunLinterRule(support.WarningSev, linter.ChartDir, validateDependencyInChartsDir(c))
+}
+
+func validateChartFormat(chartError error) error {
+	if chartError != nil {
+		return fmt.Errorf("unable to load chart\n\t%w", chartError)
+	}
+	return nil
+}
+
+func validateDependencyInChartsDir(c *chart.Chart) (err error) {
+	dependencies := map[string]struct{}{}
+	missing := []string{}
+	for _, dep := range c.Dependencies() {
+		dependencies[dep.Metadata.Name] = struct{}{}
+	}
+	for _, dep := range c.Metadata.Dependencies {
+		if _, ok := dependencies[dep.Name]; !ok {
+			missing = append(missing, dep.Name)
+		}
+	}
+	if len(missing) > 0 {
+		err = fmt.Errorf("chart directory is missing these dependencies: %s", strings.Join(missing, ","))
+	}
+	return err
+}
+
+func validateDependencyInMetadata(c *chart.Chart) (err error) {
+	dependencies := map[string]struct{}{}
+	missing := []string{}
+	for _, dep := range c.Metadata.Dependencies {
+		dependencies[dep.Name] = struct{}{}
+	}
+	for _, dep := range c.Dependencies() {
+		if _, ok := dependencies[dep.Metadata.Name]; !ok {
+			missing = append(missing, dep.Metadata.Name)
+		}
+	}
+	if len(missing) > 0 {
+		err = fmt.Errorf("chart metadata is missing these dependencies: %s", strings.Join(missing, ","))
+	}
+	return err
+}
+
+func validateDependenciesUnique(c *chart.Chart) (err error) {
+	dependencies := map[string]*chart.Dependency{}
+	shadowing := []string{}
+
+	for _, dep := range c.Metadata.Dependencies {
+		key := dep.Name
+		if dep.Alias != "" {
+			key = dep.Alias
+		}
+		if dependencies[key] != nil {
+			shadowing = append(shadowing, key)
+		}
+		dependencies[key] = dep
+	}
+	if len(shadowing) > 0 {
+		err = fmt.Errorf("multiple dependencies with name or alias: %s", strings.Join(shadowing, ","))
+	}
+	return err
+}

internal/chart/v3/lint/rules/dependencies_test.go

@@ -0,0 +1,157 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package rules
+
+import (
+	"path/filepath"
+	"testing"
+
+	chart "helm.sh/helm/v4/internal/chart/v3"
+	"helm.sh/helm/v4/internal/chart/v3/lint/support"
+	chartutil "helm.sh/helm/v4/internal/chart/v3/util"
+)
+
+func chartWithBadDependencies() chart.Chart {
+	badChartDeps := chart.Chart{
+		Metadata: &chart.Metadata{
+			Name:       "badchart",
+			Version:    "0.1.0",
+			APIVersion: "v2",
+			Dependencies: []*chart.Dependency{
+				{
+					Name: "sub2",
+				},
+				{
+					Name: "sub3",
+				},
+			},
+		},
+	}
+
+	badChartDeps.SetDependencies(
+		&chart.Chart{
+			Metadata: &chart.Metadata{
+				Name:       "sub1",
+				Version:    "0.1.0",
+				APIVersion: "v2",
+			},
+		},
+		&chart.Chart{
+			Metadata: &chart.Metadata{
+				Name:       "sub2",
+				Version:    "0.1.0",
+				APIVersion: "v2",
+			},
+		},
+	)
+	return badChartDeps
+}
+
+func TestValidateDependencyInChartsDir(t *testing.T) {
+	c := chartWithBadDependencies()
+
+	if err := validateDependencyInChartsDir(&c); err == nil {
+		t.Error("chart should have been flagged for missing deps in chart directory")
+	}
+}
+
+func TestValidateDependencyInMetadata(t *testing.T) {
+	c := chartWithBadDependencies()
+
+	if err := validateDependencyInMetadata(&c); err == nil {
+		t.Errorf("chart should have been flagged for missing deps in chart metadata")
+	}
+}
+
+func TestValidateDependenciesUnique(t *testing.T) {
+	tests := []struct {
+		chart chart.Chart
+	}{
+		{chart.Chart{
+			Metadata: &chart.Metadata{
+				Name:       "badchart",
+				Version:    "0.1.0",
+				APIVersion: "v2",
+				Dependencies: []*chart.Dependency{
+					{
+						Name: "foo",
+					},
+					{
+						Name: "foo",
+					},
+				},
+			},
+		}},
+		{chart.Chart{
+			Metadata: &chart.Metadata{
+				Name:       "badchart",
+				Version:    "0.1.0",
+				APIVersion: "v2",
+				Dependencies: []*chart.Dependency{
+					{
+						Name:  "foo",
+						Alias: "bar",
+					},
+					{
+						Name: "bar",
+					},
+				},
+			},
+		}},
+		{chart.Chart{
+			Metadata: &chart.Metadata{
+				Name:       "badchart",
+				Version:    "0.1.0",
+				APIVersion: "v2",
+				Dependencies: []*chart.Dependency{
+					{
+						Name:  "foo",
+						Alias: "baz",
+					},
+					{
+						Name:  "bar",
+						Alias: "baz",
+					},
+				},
+			},
+		}},
+	}
+
+	for _, tt := range tests {
+		if err := validateDependenciesUnique(&tt.chart); err == nil {
+			t.Errorf("chart should have been flagged for dependency shadowing")
+		}
+	}
+}
+
+func TestDependencies(t *testing.T) {
+	tmp := t.TempDir()
+
+	c := chartWithBadDependencies()
+	err := chartutil.SaveDir(&c, tmp)
+	if err != nil {
+		t.Fatal(err)
+	}
+	linter := support.Linter{ChartDir: filepath.Join(tmp, c.Metadata.Name)}
+
+	Dependencies(&linter)
+	if l := len(linter.Messages); l != 2 {
+		t.Errorf("expected 2 linter errors for bad chart dependencies. Got %d.", l)
+		for i, msg := range linter.Messages {
+			t.Logf("Message: %d, Error: %#v", i, msg)
+		}
+	}
+}

internal/chart/v3/lint/rules/deprecations.go

@@ -14,18 +14,18 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package rules // import "helm.sh/helm/v4/pkg/lint/rules"
+package rules // import "helm.sh/helm/v4/internal/chart/v3/lint/rules"
 
 import (
 	"fmt"
 	"strconv"
 
+	"helm.sh/helm/v4/pkg/chart/common"
+
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apiserver/pkg/endpoints/deprecation"
 	kscheme "k8s.io/client-go/kubernetes/scheme"
-
-	chartutil "helm.sh/helm/v4/pkg/chart/v2/util"
 )
 
 var (
@@ -47,7 +47,7 @@ func (e deprecatedAPIError) Error() string {
 	return msg
 }
 
-func validateNoDeprecations(resource *k8sYamlStruct, kubeVersion *chartutil.KubeVersion) error {
+func validateNoDeprecations(resource *k8sYamlStruct, kubeVersion *common.KubeVersion) error {
 	// if `resource` does not have an APIVersion or Kind, we cannot test it for deprecation
 	if resource.APIVersion == "" {
 		return nil

internal/chart/v3/lint/rules/deprecations_test.go

@@ -0,0 +1,41 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rules // import "helm.sh/helm/v4/internal/chart/v3/lint/rules"
+
+import "testing"
+
+func TestValidateNoDeprecations(t *testing.T) {
+	deprecated := &k8sYamlStruct{
+		APIVersion: "extensions/v1beta1",
+		Kind:       "Deployment",
+	}
+	err := validateNoDeprecations(deprecated, nil)
+	if err == nil {
+		t.Fatal("Expected deprecated extension to be flagged")
+	}
+	depErr := err.(deprecatedAPIError)
+	if depErr.Message == "" {
+		t.Fatalf("Expected error message to be non-blank: %v", err)
+	}
+
+	if err := validateNoDeprecations(&k8sYamlStruct{
+		APIVersion: "v1",
+		Kind:       "Pod",
+	}, nil); err != nil {
+		t.Errorf("Expected a v1 Pod to not be deprecated")
+	}
+}

internal/chart/v3/lint/rules/template.go

@@ -0,0 +1,348 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rules
+
+import (
+	"bufio"
+	"bytes"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"path"
+	"path/filepath"
+	"slices"
+	"strings"
+
+	"k8s.io/apimachinery/pkg/api/validation"
+	apipath "k8s.io/apimachinery/pkg/api/validation/path"
+	"k8s.io/apimachinery/pkg/util/validation/field"
+	"k8s.io/apimachinery/pkg/util/yaml"
+
+	"helm.sh/helm/v4/internal/chart/v3/lint/support"
+	"helm.sh/helm/v4/internal/chart/v3/loader"
+	chartutil "helm.sh/helm/v4/internal/chart/v3/util"
+	"helm.sh/helm/v4/pkg/chart/common"
+	"helm.sh/helm/v4/pkg/chart/common/util"
+	"helm.sh/helm/v4/pkg/engine"
+)
+
+// Templates lints the templates in the Linter.
+func Templates(linter *support.Linter, values map[string]interface{}, namespace string, _ bool) {
+	TemplatesWithKubeVersion(linter, values, namespace, nil)
+}
+
+// TemplatesWithKubeVersion lints the templates in the Linter, allowing to specify the kubernetes version.
+func TemplatesWithKubeVersion(linter *support.Linter, values map[string]interface{}, namespace string, kubeVersion *common.KubeVersion) {
+	TemplatesWithSkipSchemaValidation(linter, values, namespace, kubeVersion, false)
+}
+
+// TemplatesWithSkipSchemaValidation lints the templates in the Linter, allowing to specify the kubernetes version and if schema validation is enabled or not.
+func TemplatesWithSkipSchemaValidation(linter *support.Linter, values map[string]interface{}, namespace string, kubeVersion *common.KubeVersion, skipSchemaValidation bool) {
+	fpath := "templates/"
+	templatesPath := filepath.Join(linter.ChartDir, fpath)
+
+	// Templates directory is optional for now
+	templatesDirExists := linter.RunLinterRule(support.WarningSev, fpath, templatesDirExists(templatesPath))
+	if !templatesDirExists {
+		return
+	}
+
+	validTemplatesDir := linter.RunLinterRule(support.ErrorSev, fpath, validateTemplatesDir(templatesPath))
+	if !validTemplatesDir {
+		return
+	}
+
+	// Load chart and parse templates
+	chart, err := loader.Load(linter.ChartDir)
+
+	chartLoaded := linter.RunLinterRule(support.ErrorSev, fpath, err)
+
+	if !chartLoaded {
+		return
+	}
+
+	options := common.ReleaseOptions{
+		Name:      "test-release",
+		Namespace: namespace,
+	}
+
+	caps := common.DefaultCapabilities.Copy()
+	if kubeVersion != nil {
+		caps.KubeVersion = *kubeVersion
+	}
+
+	// lint ignores import-values
+	// See https://github.com/helm/helm/issues/9658
+	if err := chartutil.ProcessDependencies(chart, values); err != nil {
+		return
+	}
+
+	cvals, err := util.CoalesceValues(chart, values)
+	if err != nil {
+		return
+	}
+
+	valuesToRender, err := util.ToRenderValuesWithSchemaValidation(chart, cvals, options, caps, skipSchemaValidation)
+	if err != nil {
+		linter.RunLinterRule(support.ErrorSev, fpath, err)
+		return
+	}
+	var e engine.Engine
+	e.LintMode = true
+	renderedContentMap, err := e.Render(chart, valuesToRender)
+
+	renderOk := linter.RunLinterRule(support.ErrorSev, fpath, err)
+
+	if !renderOk {
+		return
+	}
+
+	/* Iterate over all the templates to check:
+	- It is a .yaml file
+	- All the values in the template file is defined
+	- {{}} include | quote
+	- Generated content is a valid Yaml file
+	- Metadata.Namespace is not set
+	*/
+	for _, template := range chart.Templates {
+		fileName := template.Name
+		fpath = fileName
+
+		linter.RunLinterRule(support.ErrorSev, fpath, validateAllowedExtension(fileName))
+
+		// We only apply the following lint rules to yaml files
+		if filepath.Ext(fileName) != ".yaml" || filepath.Ext(fileName) == ".yml" {
+			continue
+		}
+
+		// NOTE: disabled for now, Refs https://github.com/helm/helm/issues/1463
+		// Check that all the templates have a matching value
+		// linter.RunLinterRule(support.WarningSev, fpath, validateNoMissingValues(templatesPath, valuesToRender, preExecutedTemplate))
+
+		// NOTE: disabled for now, Refs https://github.com/helm/helm/issues/1037
+		// linter.RunLinterRule(support.WarningSev, fpath, validateQuotes(string(preExecutedTemplate)))
+
+		renderedContent := renderedContentMap[path.Join(chart.Name(), fileName)]
+		if strings.TrimSpace(renderedContent) != "" {
+			linter.RunLinterRule(support.WarningSev, fpath, validateTopIndentLevel(renderedContent))
+
+			decoder := yaml.NewYAMLOrJSONDecoder(strings.NewReader(renderedContent), 4096)
+
+			// Lint all resources if the file contains multiple documents separated by ---
+			for {
+				// Even though k8sYamlStruct only defines a few fields, an error in any other
+				// key will be raised as well
+				var yamlStruct *k8sYamlStruct
+
+				err := decoder.Decode(&yamlStruct)
+				if err == io.EOF {
+					break
+				}
+
+				//  If YAML linting fails here, it will always fail in the next block as well, so we should return here.
+				// fix https://github.com/helm/helm/issues/11391
+				if !linter.RunLinterRule(support.ErrorSev, fpath, validateYamlContent(err)) {
+					return
+				}
+				if yamlStruct != nil {
+					// NOTE: set to warnings to allow users to support out-of-date kubernetes
+					// Refs https://github.com/helm/helm/issues/8596
+					linter.RunLinterRule(support.WarningSev, fpath, validateMetadataName(yamlStruct))
+					linter.RunLinterRule(support.WarningSev, fpath, validateNoDeprecations(yamlStruct, kubeVersion))
+
+					linter.RunLinterRule(support.ErrorSev, fpath, validateMatchSelector(yamlStruct, renderedContent))
+					linter.RunLinterRule(support.ErrorSev, fpath, validateListAnnotations(yamlStruct, renderedContent))
+				}
+			}
+		}
+	}
+}
+
+// validateTopIndentLevel checks that the content does not start with an indent level > 0.
+//
+// This error can occur when a template accidentally inserts space. It can cause
+// unpredictable errors depending on whether the text is normalized before being passed
+// into the YAML parser. So we trap it here.
+//
+// See https://github.com/helm/helm/issues/8467
+func validateTopIndentLevel(content string) error {
+	// Read lines until we get to a non-empty one
+	scanner := bufio.NewScanner(bytes.NewBufferString(content))
+	for scanner.Scan() {
+		line := scanner.Text()
+		// If line is empty, skip
+		if strings.TrimSpace(line) == "" {
+			continue
+		}
+		// If it starts with one or more spaces, this is an error
+		if strings.HasPrefix(line, " ") || strings.HasPrefix(line, "\t") {
+			return fmt.Errorf("document starts with an illegal indent: %q, which may cause parsing problems", line)
+		}
+		// Any other condition passes.
+		return nil
+	}
+	return scanner.Err()
+}
+
+// Validation functions
+func templatesDirExists(templatesPath string) error {
+	_, err := os.Stat(templatesPath)
+	if errors.Is(err, os.ErrNotExist) {
+		return errors.New("directory does not exist")
+	}
+	return nil
+}
+
+func validateTemplatesDir(templatesPath string) error {
+	fi, err := os.Stat(templatesPath)
+	if err != nil {
+		return err
+	}
+	if !fi.IsDir() {
+		return errors.New("not a directory")
+	}
+	return nil
+}
+
+func validateAllowedExtension(fileName string) error {
+	ext := filepath.Ext(fileName)
+	validExtensions := []string{".yaml", ".yml", ".tpl", ".txt"}
+
+	if slices.Contains(validExtensions, ext) {
+		return nil
+	}
+
+	return fmt.Errorf("file extension '%s' not valid. Valid extensions are .yaml, .yml, .tpl, or .txt", ext)
+}
+
+func validateYamlContent(err error) error {
+	if err != nil {
+		return fmt.Errorf("unable to parse YAML: %w", err)
+	}
+	return nil
+}
+
+// validateMetadataName uses the correct validation function for the object
+// Kind, or if not set, defaults to the standard definition of a subdomain in
+// DNS (RFC 1123), used by most resources.
+func validateMetadataName(obj *k8sYamlStruct) error {
+	fn := validateMetadataNameFunc(obj)
+	allErrs := field.ErrorList{}
+	for _, msg := range fn(obj.Metadata.Name, false) {
+		allErrs = append(allErrs, field.Invalid(field.NewPath("metadata").Child("name"), obj.Metadata.Name, msg))
+	}
+	if len(allErrs) > 0 {
+		return fmt.Errorf("object name does not conform to Kubernetes naming requirements: %q: %w", obj.Metadata.Name, allErrs.ToAggregate())
+	}
+	return nil
+}
+
+// validateMetadataNameFunc will return a name validation function for the
+// object kind, if defined below.
+//
+// Rules should match those set in the various api validations:
+// https://github.com/kubernetes/kubernetes/blob/v1.20.0/pkg/apis/core/validation/validation.go#L205-L274
+// https://github.com/kubernetes/kubernetes/blob/v1.20.0/pkg/apis/apps/validation/validation.go#L39
+// ...
+//
+// Implementing here to avoid importing k/k.
+//
+// If no mapping is defined, returns NameIsDNSSubdomain.  This is used by object
+// kinds that don't have special requirements, so is the most likely to work if
+// new kinds are added.
+func validateMetadataNameFunc(obj *k8sYamlStruct) validation.ValidateNameFunc {
+	switch strings.ToLower(obj.Kind) {
+	case "pod", "node", "secret", "endpoints", "resourcequota", // core
+		"controllerrevision", "daemonset", "deployment", "replicaset", "statefulset", // apps
+		"autoscaler",     // autoscaler
+		"cronjob", "job", // batch
+		"lease",                    // coordination
+		"endpointslice",            // discovery
+		"networkpolicy", "ingress", // networking
+		"podsecuritypolicy",                           // policy
+		"priorityclass",                               // scheduling
+		"podpreset",                                   // settings
+		"storageclass", "volumeattachment", "csinode": // storage
+		return validation.NameIsDNSSubdomain
+	case "service":
+		return validation.NameIsDNS1035Label
+	case "namespace":
+		return validation.ValidateNamespaceName
+	case "serviceaccount":
+		return validation.ValidateServiceAccountName
+	case "certificatesigningrequest":
+		// No validation.
+		// https://github.com/kubernetes/kubernetes/blob/v1.20.0/pkg/apis/certificates/validation/validation.go#L137-L140
+		return func(_ string, _ bool) []string { return nil }
+	case "role", "clusterrole", "rolebinding", "clusterrolebinding":
+		// https://github.com/kubernetes/kubernetes/blob/v1.20.0/pkg/apis/rbac/validation/validation.go#L32-L34
+		return func(name string, _ bool) []string {
+			return apipath.IsValidPathSegmentName(name)
+		}
+	default:
+		return validation.NameIsDNSSubdomain
+	}
+}
+
+// validateMatchSelector ensures that template specs have a selector declared.
+// See https://github.com/helm/helm/issues/1990
+func validateMatchSelector(yamlStruct *k8sYamlStruct, manifest string) error {
+	switch yamlStruct.Kind {
+	case "Deployment", "ReplicaSet", "DaemonSet", "StatefulSet":
+		// verify that matchLabels or matchExpressions is present
+		if !strings.Contains(manifest, "matchLabels") && !strings.Contains(manifest, "matchExpressions") {
+			return fmt.Errorf("a %s must contain matchLabels or matchExpressions, and %q does not", yamlStruct.Kind, yamlStruct.Metadata.Name)
+		}
+	}
+	return nil
+}
+
+func validateListAnnotations(yamlStruct *k8sYamlStruct, manifest string) error {
+	if yamlStruct.Kind == "List" {
+		m := struct {
+			Items []struct {
+				Metadata struct {
+					Annotations map[string]string
+				}
+			}
+		}{}
+
+		if err := yaml.Unmarshal([]byte(manifest), &m); err != nil {
+			return validateYamlContent(err)
+		}
+
+		for _, i := range m.Items {
+			if _, ok := i.Metadata.Annotations["helm.sh/resource-policy"]; ok {
+				return errors.New("annotation 'helm.sh/resource-policy' within List objects are ignored")
+			}
+		}
+	}
+	return nil
+}
+
+// k8sYamlStruct stubs a Kubernetes YAML file.
+type k8sYamlStruct struct {
+	APIVersion string `json:"apiVersion"`
+	Kind       string
+	Metadata   k8sYamlMetadata
+}
+
+type k8sYamlMetadata struct {
+	Namespace string
+	Name      string
+}

internal/chart/v3/lint/rules/template_test.go

@@ -0,0 +1,441 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rules
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+
+	chart "helm.sh/helm/v4/internal/chart/v3"
+	"helm.sh/helm/v4/internal/chart/v3/lint/support"
+	chartutil "helm.sh/helm/v4/internal/chart/v3/util"
+	"helm.sh/helm/v4/pkg/chart/common"
+)
+
+const templateTestBasedir = "./testdata/albatross"
+
+func TestValidateAllowedExtension(t *testing.T) {
+	var failTest = []string{"/foo", "/test.toml"}
+	for _, test := range failTest {
+		err := validateAllowedExtension(test)
+		if err == nil || !strings.Contains(err.Error(), "Valid extensions are .yaml, .yml, .tpl, or .txt") {
+			t.Errorf("validateAllowedExtension('%s') to return \"Valid extensions are .yaml, .yml, .tpl, or .txt\", got no error", test)
+		}
+	}
+	var successTest = []string{"/foo.yaml", "foo.yaml", "foo.tpl", "/foo/bar/baz.yaml", "NOTES.txt"}
+	for _, test := range successTest {
+		err := validateAllowedExtension(test)
+		if err != nil {
+			t.Errorf("validateAllowedExtension('%s') to return no error but got \"%s\"", test, err.Error())
+		}
+	}
+}
+
+var values = map[string]interface{}{"nameOverride": "", "httpPort": 80}
+
+const namespace = "testNamespace"
+const strict = false
+
+func TestTemplateParsing(t *testing.T) {
+	linter := support.Linter{ChartDir: templateTestBasedir}
+	Templates(&linter, values, namespace, strict)
+	res := linter.Messages
+
+	if len(res) != 1 {
+		t.Fatalf("Expected one error, got %d, %v", len(res), res)
+	}
+
+	if !strings.Contains(res[0].Err.Error(), "deliberateSyntaxError") {
+		t.Errorf("Unexpected error: %s", res[0])
+	}
+}
+
+var wrongTemplatePath = filepath.Join(templateTestBasedir, "templates", "fail.yaml")
+var ignoredTemplatePath = filepath.Join(templateTestBasedir, "fail.yaml.ignored")
+
+// Test a template with all the existing features:
+// namespaces, partial templates
+func TestTemplateIntegrationHappyPath(t *testing.T) {
+	// Rename file so it gets ignored by the linter
+	os.Rename(wrongTemplatePath, ignoredTemplatePath)
+	defer os.Rename(ignoredTemplatePath, wrongTemplatePath)
+
+	linter := support.Linter{ChartDir: templateTestBasedir}
+	Templates(&linter, values, namespace, strict)
+	res := linter.Messages
+
+	if len(res) != 0 {
+		t.Fatalf("Expected no error, got %d, %v", len(res), res)
+	}
+}
+
+func TestMultiTemplateFail(t *testing.T) {
+	linter := support.Linter{ChartDir: "./testdata/multi-template-fail"}
+	Templates(&linter, values, namespace, strict)
+	res := linter.Messages
+
+	if len(res) != 1 {
+		t.Fatalf("Expected 1 error, got %d, %v", len(res), res)
+	}
+
+	if !strings.Contains(res[0].Err.Error(), "object name does not conform to Kubernetes naming requirements") {
+		t.Errorf("Unexpected error: %s", res[0].Err)
+	}
+}
+
+func TestValidateMetadataName(t *testing.T) {
+	tests := []struct {
+		obj     *k8sYamlStruct
+		wantErr bool
+	}{
+		// Most kinds use IsDNS1123Subdomain.
+		{&k8sYamlStruct{Kind: "Pod", Metadata: k8sYamlMetadata{Name: ""}}, true},
+		{&k8sYamlStruct{Kind: "Pod", Metadata: k8sYamlMetadata{Name: "foo"}}, false},
+		{&k8sYamlStruct{Kind: "Pod", Metadata: k8sYamlMetadata{Name: "foo.bar1234baz.seventyone"}}, false},
+		{&k8sYamlStruct{Kind: "Pod", Metadata: k8sYamlMetadata{Name: "FOO"}}, true},
+		{&k8sYamlStruct{Kind: "Pod", Metadata: k8sYamlMetadata{Name: "123baz"}}, false},
+		{&k8sYamlStruct{Kind: "Pod", Metadata: k8sYamlMetadata{Name: "foo.BAR.baz"}}, true},
+		{&k8sYamlStruct{Kind: "Pod", Metadata: k8sYamlMetadata{Name: "one-two"}}, false},
+		{&k8sYamlStruct{Kind: "Pod", Metadata: k8sYamlMetadata{Name: "-two"}}, true},
+		{&k8sYamlStruct{Kind: "Pod", Metadata: k8sYamlMetadata{Name: "one_two"}}, true},
+		{&k8sYamlStruct{Kind: "Pod", Metadata: k8sYamlMetadata{Name: "a..b"}}, true},
+		{&k8sYamlStruct{Kind: "Pod", Metadata: k8sYamlMetadata{Name: "%^&#$%*@^*@&#^"}}, true},
+		{&k8sYamlStruct{Kind: "Pod", Metadata: k8sYamlMetadata{Name: "operator:pod"}}, true},
+		{&k8sYamlStruct{Kind: "ServiceAccount", Metadata: k8sYamlMetadata{Name: "foo"}}, false},
+		{&k8sYamlStruct{Kind: "ServiceAccount", Metadata: k8sYamlMetadata{Name: "foo.bar1234baz.seventyone"}}, false},
+		{&k8sYamlStruct{Kind: "ServiceAccount", Metadata: k8sYamlMetadata{Name: "FOO"}}, true},
+		{&k8sYamlStruct{Kind: "ServiceAccount", Metadata: k8sYamlMetadata{Name: "operator:sa"}}, true},
+
+		// Service uses IsDNS1035Label.
+		{&k8sYamlStruct{Kind: "Service", Metadata: k8sYamlMetadata{Name: "foo"}}, false},
+		{&k8sYamlStruct{Kind: "Service", Metadata: k8sYamlMetadata{Name: "123baz"}}, true},
+		{&k8sYamlStruct{Kind: "Service", Metadata: k8sYamlMetadata{Name: "foo.bar"}}, true},
+
+		// Namespace uses IsDNS1123Label.
+		{&k8sYamlStruct{Kind: "Namespace", Metadata: k8sYamlMetadata{Name: "foo"}}, false},
+		{&k8sYamlStruct{Kind: "Namespace", Metadata: k8sYamlMetadata{Name: "123baz"}}, false},
+		{&k8sYamlStruct{Kind: "Namespace", Metadata: k8sYamlMetadata{Name: "foo.bar"}}, true},
+		{&k8sYamlStruct{Kind: "Namespace", Metadata: k8sYamlMetadata{Name: "foo-bar"}}, false},
+
+		// CertificateSigningRequest has no validation.
+		{&k8sYamlStruct{Kind: "CertificateSigningRequest", Metadata: k8sYamlMetadata{Name: ""}}, false},
+		{&k8sYamlStruct{Kind: "CertificateSigningRequest", Metadata: k8sYamlMetadata{Name: "123baz"}}, false},
+		{&k8sYamlStruct{Kind: "CertificateSigningRequest", Metadata: k8sYamlMetadata{Name: "%^&#$%*@^*@&#^"}}, false},
+
+		// RBAC uses path validation.
+		{&k8sYamlStruct{Kind: "Role", Metadata: k8sYamlMetadata{Name: "foo"}}, false},
+		{&k8sYamlStruct{Kind: "Role", Metadata: k8sYamlMetadata{Name: "123baz"}}, false},
+		{&k8sYamlStruct{Kind: "Role", Metadata: k8sYamlMetadata{Name: "foo.bar"}}, false},
+		{&k8sYamlStruct{Kind: "Role", Metadata: k8sYamlMetadata{Name: "operator:role"}}, false},
+		{&k8sYamlStruct{Kind: "Role", Metadata: k8sYamlMetadata{Name: "operator/role"}}, true},
+		{&k8sYamlStruct{Kind: "Role", Metadata: k8sYamlMetadata{Name: "operator%role"}}, true},
+		{&k8sYamlStruct{Kind: "ClusterRole", Metadata: k8sYamlMetadata{Name: "foo"}}, false},
+		{&k8sYamlStruct{Kind: "ClusterRole", Metadata: k8sYamlMetadata{Name: "123baz"}}, false},
+		{&k8sYamlStruct{Kind: "ClusterRole", Metadata: k8sYamlMetadata{Name: "foo.bar"}}, false},
+		{&k8sYamlStruct{Kind: "ClusterRole", Metadata: k8sYamlMetadata{Name: "operator:role"}}, false},
+		{&k8sYamlStruct{Kind: "ClusterRole", Metadata: k8sYamlMetadata{Name: "operator/role"}}, true},
+		{&k8sYamlStruct{Kind: "ClusterRole", Metadata: k8sYamlMetadata{Name: "operator%role"}}, true},
+		{&k8sYamlStruct{Kind: "RoleBinding", Metadata: k8sYamlMetadata{Name: "operator:role"}}, false},
+		{&k8sYamlStruct{Kind: "ClusterRoleBinding", Metadata: k8sYamlMetadata{Name: "operator:role"}}, false},
+
+		// Unknown Kind
+		{&k8sYamlStruct{Kind: "FutureKind", Metadata: k8sYamlMetadata{Name: ""}}, true},
+		{&k8sYamlStruct{Kind: "FutureKind", Metadata: k8sYamlMetadata{Name: "foo"}}, false},
+		{&k8sYamlStruct{Kind: "FutureKind", Metadata: k8sYamlMetadata{Name: "foo.bar1234baz.seventyone"}}, false},
+		{&k8sYamlStruct{Kind: "FutureKind", Metadata: k8sYamlMetadata{Name: "FOO"}}, true},
+		{&k8sYamlStruct{Kind: "FutureKind", Metadata: k8sYamlMetadata{Name: "123baz"}}, false},
+		{&k8sYamlStruct{Kind: "FutureKind", Metadata: k8sYamlMetadata{Name: "foo.BAR.baz"}}, true},
+		{&k8sYamlStruct{Kind: "FutureKind", Metadata: k8sYamlMetadata{Name: "one-two"}}, false},
+		{&k8sYamlStruct{Kind: "FutureKind", Metadata: k8sYamlMetadata{Name: "-two"}}, true},
+		{&k8sYamlStruct{Kind: "FutureKind", Metadata: k8sYamlMetadata{Name: "one_two"}}, true},
+		{&k8sYamlStruct{Kind: "FutureKind", Metadata: k8sYamlMetadata{Name: "a..b"}}, true},
+		{&k8sYamlStruct{Kind: "FutureKind", Metadata: k8sYamlMetadata{Name: "%^&#$%*@^*@&#^"}}, true},
+		{&k8sYamlStruct{Kind: "FutureKind", Metadata: k8sYamlMetadata{Name: "operator:pod"}}, true},
+
+		// No kind
+		{&k8sYamlStruct{Metadata: k8sYamlMetadata{Name: "foo"}}, false},
+		{&k8sYamlStruct{Metadata: k8sYamlMetadata{Name: "operator:pod"}}, true},
+	}
+	for _, tt := range tests {
+		t.Run(fmt.Sprintf("%s/%s", tt.obj.Kind, tt.obj.Metadata.Name), func(t *testing.T) {
+			if err := validateMetadataName(tt.obj); (err != nil) != tt.wantErr {
+				t.Errorf("validateMetadataName() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}
+
+func TestDeprecatedAPIFails(t *testing.T) {
+	mychart := chart.Chart{
+		Metadata: &chart.Metadata{
+			APIVersion: "v2",
+			Name:       "failapi",
+			Version:    "0.1.0",
+			Icon:       "satisfy-the-linting-gods.gif",
+		},
+		Templates: []*common.File{
+			{
+				Name: "templates/baddeployment.yaml",
+				Data: []byte("apiVersion: apps/v1beta1\nkind: Deployment\nmetadata:\n  name: baddep\nspec: {selector: {matchLabels: {foo: bar}}}"),
+			},
+			{
+				Name: "templates/goodsecret.yaml",
+				Data: []byte("apiVersion: v1\nkind: Secret\nmetadata:\n  name: goodsecret"),
+			},
+		},
+	}
+	tmpdir := t.TempDir()
+
+	if err := chartutil.SaveDir(&mychart, tmpdir); err != nil {
+		t.Fatal(err)
+	}
+
+	linter := support.Linter{ChartDir: filepath.Join(tmpdir, mychart.Name())}
+	Templates(&linter, values, namespace, strict)
+	if l := len(linter.Messages); l != 1 {
+		for i, msg := range linter.Messages {
+			t.Logf("Message %d: %s", i, msg)
+		}
+		t.Fatalf("Expected 1 lint error, got %d", l)
+	}
+
+	err := linter.Messages[0].Err.(deprecatedAPIError)
+	if err.Deprecated != "apps/v1beta1 Deployment" {
+		t.Errorf("Surprised to learn that %q is deprecated", err.Deprecated)
+	}
+}
+
+const manifest = `apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: foo
+data:
+  myval1: {{default "val" .Values.mymap.key1 }}
+  myval2: {{default "val" .Values.mymap.key2 }}
+`
+
+// TestStrictTemplateParsingMapError is a regression test.
+//
+// The template engine should not produce an error when a map in values.yaml does
+// not contain all possible keys.
+//
+// See https://github.com/helm/helm/issues/7483
+func TestStrictTemplateParsingMapError(t *testing.T) {
+
+	ch := chart.Chart{
+		Metadata: &chart.Metadata{
+			Name:       "regression7483",
+			APIVersion: "v2",
+			Version:    "0.1.0",
+		},
+		Values: map[string]interface{}{
+			"mymap": map[string]string{
+				"key1": "val1",
+			},
+		},
+		Templates: []*common.File{
+			{
+				Name: "templates/configmap.yaml",
+				Data: []byte(manifest),
+			},
+		},
+	}
+	dir := t.TempDir()
+	if err := chartutil.SaveDir(&ch, dir); err != nil {
+		t.Fatal(err)
+	}
+	linter := &support.Linter{
+		ChartDir: filepath.Join(dir, ch.Metadata.Name),
+	}
+	Templates(linter, ch.Values, namespace, strict)
+	if len(linter.Messages) != 0 {
+		t.Errorf("expected zero messages, got %d", len(linter.Messages))
+		for i, msg := range linter.Messages {
+			t.Logf("Message %d: %q", i, msg)
+		}
+	}
+}
+
+func TestValidateMatchSelector(t *testing.T) {
+	md := &k8sYamlStruct{
+		APIVersion: "apps/v1",
+		Kind:       "Deployment",
+		Metadata: k8sYamlMetadata{
+			Name: "mydeployment",
+		},
+	}
+	manifest := `
+	apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+  labels:
+    app: nginx
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:1.14.2
+	`
+	if err := validateMatchSelector(md, manifest); err != nil {
+		t.Error(err)
+	}
+	manifest = `
+	apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+  labels:
+    app: nginx
+spec:
+  replicas: 3
+  selector:
+    matchExpressions:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:1.14.2
+	`
+	if err := validateMatchSelector(md, manifest); err != nil {
+		t.Error(err)
+	}
+	manifest = `
+	apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx-deployment
+  labels:
+    app: nginx
+spec:
+  replicas: 3
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+      - name: nginx
+        image: nginx:1.14.2
+	`
+	if err := validateMatchSelector(md, manifest); err == nil {
+		t.Error("expected Deployment with no selector to fail")
+	}
+}
+
+func TestValidateTopIndentLevel(t *testing.T) {
+	for doc, shouldFail := range map[string]bool{
+		// Should not fail
+		"\n\n\n\t\n   \t\n":          false,
+		"apiVersion:foo\n  bar:baz":  false,
+		"\n\n\napiVersion:foo\n\n\n": false,
+		// Should fail
+		"  apiVersion:foo":         true,
+		"\n\n  apiVersion:foo\n\n": true,
+	} {
+		if err := validateTopIndentLevel(doc); (err == nil) == shouldFail {
+			t.Errorf("Expected %t for %q", shouldFail, doc)
+		}
+	}
+
+}
+
+// TestEmptyWithCommentsManifests checks the lint is not failing against empty manifests that contains only comments
+// See https://github.com/helm/helm/issues/8621
+func TestEmptyWithCommentsManifests(t *testing.T) {
+	mychart := chart.Chart{
+		Metadata: &chart.Metadata{
+			APIVersion: "v2",
+			Name:       "emptymanifests",
+			Version:    "0.1.0",
+			Icon:       "satisfy-the-linting-gods.gif",
+		},
+		Templates: []*common.File{
+			{
+				Name: "templates/empty-with-comments.yaml",
+				Data: []byte("#@formatter:off\n"),
+			},
+		},
+	}
+	tmpdir := t.TempDir()
+
+	if err := chartutil.SaveDir(&mychart, tmpdir); err != nil {
+		t.Fatal(err)
+	}
+
+	linter := support.Linter{ChartDir: filepath.Join(tmpdir, mychart.Name())}
+	Templates(&linter, values, namespace, strict)
+	if l := len(linter.Messages); l > 0 {
+		for i, msg := range linter.Messages {
+			t.Logf("Message %d: %s", i, msg)
+		}
+		t.Fatalf("Expected 0 lint errors, got %d", l)
+	}
+}
+func TestValidateListAnnotations(t *testing.T) {
+	md := &k8sYamlStruct{
+		APIVersion: "v1",
+		Kind:       "List",
+		Metadata: k8sYamlMetadata{
+			Name: "list",
+		},
+	}
+	manifest := `
+apiVersion: v1
+kind: List
+items:
+  - apiVersion: v1
+    kind: ConfigMap
+    metadata:
+      annotations:
+        helm.sh/resource-policy: keep
+`
+
+	if err := validateListAnnotations(md, manifest); err == nil {
+		t.Fatal("expected list with nested keep annotations to fail")
+	}
+
+	manifest = `
+apiVersion: v1
+kind: List
+metadata:
+  annotations:
+    helm.sh/resource-policy: keep
+items:
+  - apiVersion: v1
+    kind: ConfigMap
+`
+
+	if err := validateListAnnotations(md, manifest); err != nil {
+		t.Fatalf("List objects keep annotations should pass. got: %s", err)
+	}
+}

internal/chart/v3/lint/rules/testdata/albatross/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v3
+name: albatross
+description: testing chart
+version: 199.44.12345-Alpha.1+cafe009
+icon: http://riverrun.io

internal/chart/v3/lint/rules/testdata/anotherbadchartfile/Chart.yaml

@@ -0,0 +1,15 @@
+name: "some-chart"
+apiVersion: v3
+description: A Helm chart for Kubernetes
+version: 72445e2
+home: ""
+type: application
+appVersion: 72225e2
+icon: "https://some-url.com/icon.jpeg"
+dependencies:
+  - name: mariadb
+    version: 5.x.x
+    repository: https://charts.helm.sh/stable/
+    condition: mariadb.enabled
+    tags:
+      - database

internal/chart/v3/lint/rules/testdata/badchartname/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v3
+description: A Helm chart for Kubernetes
+version: 0.1.0
+name: "../badchartname"
+type: application

internal/chart/v3/lint/rules/testdata/badcrdfile/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v3
+description: A Helm chart for Kubernetes
+version: 0.1.0
+name: badcrdfile
+type: application
+icon: http://riverrun.io

internal/chart/v3/lint/rules/testdata/badvaluesfile/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v3
+name: badvaluesfile
+description: A Helm chart for Kubernetes
+version: 0.0.1
+home: ""
+icon: http://riverrun.io

internal/chart/v3/lint/rules/testdata/goodone/Chart.yaml

@@ -0,0 +1,5 @@
+apiVersion: v3
+name: goodone
+description: good testing chart
+version: 199.44.12345-Alpha.1+cafe009
+icon: http://riverrun.io

internal/chart/v3/lint/rules/testdata/invalidcrdsdir/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v3
+description: A Helm chart for Kubernetes
+version: 0.1.0
+name: invalidcrdsdir
+type: application
+icon: http://riverrun.io

internal/chart/v3/lint/rules/testdata/malformed-template/Chart.yaml

@@ -0,0 +1,25 @@
+apiVersion: v3
+name: test
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"
+icon: https://riverrun.io

internal/chart/v3/lint/rules/testdata/multi-template-fail/Chart.yaml

@@ -0,0 +1,21 @@
+apiVersion: v3
+name: multi-template-fail
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application and it is recommended to use it with quotes.
+appVersion: "1.16.0"

internal/chart/v3/lint/rules/testdata/v3-fail/Chart.yaml

@@ -0,0 +1,21 @@
+apiVersion: v3
+name: v3-fail
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application and it is recommended to use it with quotes.
+appVersion: "1.16.0"

internal/chart/v3/lint/rules/testdata/withsubchart/Chart.yaml

@@ -0,0 +1,16 @@
+apiVersion: v3
+name: withsubchart
+description: A Helm chart for Kubernetes
+type: application
+version: 0.1.0
+appVersion: "1.16.0"
+icon: http://riverrun.io
+
+dependencies:
+  - name: subchart
+    version: 0.1.16
+    repository: "file://../subchart"
+    import-values:
+      - child: subchart
+        parent: subchart
+

internal/chart/v3/lint/rules/testdata/withsubchart/charts/subchart/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v3
+name: subchart
+description: A Helm chart for Kubernetes
+type: application
+version: 0.1.0
+appVersion: "1.16.0"

internal/chart/v3/lint/rules/values.go

@@ -0,0 +1,84 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rules
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"helm.sh/helm/v4/internal/chart/v3/lint/support"
+	"helm.sh/helm/v4/pkg/chart/common"
+	"helm.sh/helm/v4/pkg/chart/common/util"
+)
+
+// ValuesWithOverrides tests the values.yaml file.
+//
+// If a schema is present in the chart, values are tested against that. Otherwise,
+// they are only tested for well-formedness.
+//
+// If additional values are supplied, they are coalesced into the values in values.yaml.
+func ValuesWithOverrides(linter *support.Linter, valueOverrides map[string]interface{}, skipSchemaValidation bool) {
+	file := "values.yaml"
+	vf := filepath.Join(linter.ChartDir, file)
+	fileExists := linter.RunLinterRule(support.InfoSev, file, validateValuesFileExistence(vf))
+
+	if !fileExists {
+		return
+	}
+
+	linter.RunLinterRule(support.ErrorSev, file, validateValuesFile(vf, valueOverrides, skipSchemaValidation))
+}
+
+func validateValuesFileExistence(valuesPath string) error {
+	_, err := os.Stat(valuesPath)
+	if err != nil {
+		return fmt.Errorf("file does not exist")
+	}
+	return nil
+}
+
+func validateValuesFile(valuesPath string, overrides map[string]interface{}, skipSchemaValidation bool) error {
+	values, err := common.ReadValuesFile(valuesPath)
+	if err != nil {
+		return fmt.Errorf("unable to parse YAML: %w", err)
+	}
+
+	// Helm 3.0.0 carried over the values linting from Helm 2.x, which only tests the top
+	// level values against the top-level expectations. Subchart values are not linted.
+	// We could change that. For now, though, we retain that strategy, and thus can
+	// coalesce tables (like reuse-values does) instead of doing the full chart
+	// CoalesceValues
+	coalescedValues := util.CoalesceTables(make(map[string]interface{}, len(overrides)), overrides)
+	coalescedValues = util.CoalesceTables(coalescedValues, values)
+
+	ext := filepath.Ext(valuesPath)
+	schemaPath := valuesPath[:len(valuesPath)-len(ext)] + ".schema.json"
+	schema, err := os.ReadFile(schemaPath)
+	if len(schema) == 0 {
+		return nil
+	}
+	if err != nil {
+		return err
+	}
+
+	if !skipSchemaValidation {
+		return util.ValidateAgainstSingleSchema(coalescedValues, schema)
+	}
+
+	return nil
+}

internal/chart/v3/lint/rules/values_test.go

@@ -67,7 +67,7 @@ func TestValidateValuesFileWellFormed(t *testing.T) {
 	`
 	tmpdir := ensure.TempFile(t, "values.yaml", []byte(badYaml))
 	valfile := filepath.Join(tmpdir, "values.yaml")
-	if err := validateValuesFile(valfile, map[string]interface{}{}); err == nil {
+	if err := validateValuesFile(valfile, map[string]interface{}{}, false); err == nil {
 		t.Fatal("expected values file to fail parsing")
 	}
 }
@@ -78,7 +78,7 @@ func TestValidateValuesFileSchema(t *testing.T) {
 	createTestingSchema(t, tmpdir)
 
 	valfile := filepath.Join(tmpdir, "values.yaml")
-	if err := validateValuesFile(valfile, map[string]interface{}{}); err != nil {
+	if err := validateValuesFile(valfile, map[string]interface{}{}, false); err != nil {
 		t.Fatalf("Failed validation with %s", err)
 	}
 }
@@ -91,7 +91,7 @@ func TestValidateValuesFileSchemaFailure(t *testing.T) {
 
 	valfile := filepath.Join(tmpdir, "values.yaml")
 
-	err := validateValuesFile(valfile, map[string]interface{}{})
+	err := validateValuesFile(valfile, map[string]interface{}{}, false)
 	if err == nil {
 		t.Fatal("expected values file to fail parsing")
 	}
@@ -99,6 +99,20 @@ func TestValidateValuesFileSchemaFailure(t *testing.T) {
 	assert.Contains(t, err.Error(), "- at '/username': got number, want string")
 }
 
+func TestValidateValuesFileSchemaFailureButWithSkipSchemaValidation(t *testing.T) {
+	// 1234 is an int, not a string. This should fail normally but pass with skipSchemaValidation.
+	yaml := "username: 1234\npassword: swordfish"
+	tmpdir := ensure.TempFile(t, "values.yaml", []byte(yaml))
+	createTestingSchema(t, tmpdir)
+
+	valfile := filepath.Join(tmpdir, "values.yaml")
+
+	err := validateValuesFile(valfile, map[string]interface{}{}, true)
+	if err != nil {
+		t.Fatal("expected values file to pass parsing because of skipSchemaValidation")
+	}
+}
+
 func TestValidateValuesFileSchemaOverrides(t *testing.T) {
 	yaml := "username: admin"
 	overrides := map[string]interface{}{
@@ -108,7 +122,7 @@ func TestValidateValuesFileSchemaOverrides(t *testing.T) {
 	createTestingSchema(t, tmpdir)
 
 	valfile := filepath.Join(tmpdir, "values.yaml")
-	if err := validateValuesFile(valfile, overrides); err != nil {
+	if err := validateValuesFile(valfile, overrides, false); err != nil {
 		t.Fatalf("Failed validation with %s", err)
 	}
 }
@@ -145,7 +159,7 @@ func TestValidateValuesFile(t *testing.T) {
 
 			valfile := filepath.Join(tmpdir, "values.yaml")
 
-			err := validateValuesFile(valfile, tt.overrides)
+			err := validateValuesFile(valfile, tt.overrides, false)
 
 			switch {
 			case err != nil && tt.errorMessage == "":

internal/chart/v3/lint/support/doc.go

@@ -14,24 +14,10 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package util
+/*
-
+Package support contains tools for linting charts.
-import (
-	"testing"
-)
-
-func TestErrorNoTableDoesNotPanic(t *testing.T) {
-	x := "empty"
-
-	y := ErrNoTable{x}
-
-	t.Logf("error is: %s", y)
-}
-
-func TestErrorNoValueDoesNotPanic(t *testing.T) {
-	x := "empty"
-
-	y := ErrNoValue{x}
 
-	t.Logf("error is: %s", y)
+Linting is the process of testing charts for errors or warnings regarding
-}
+formatting, compilation, or standards compliance.
+*/
+package support // import "helm.sh/helm/v4/internal/chart/v3/lint/support"

internal/chart/v3/loader/load.go

@@ -31,6 +31,7 @@ import (
 	"sigs.k8s.io/yaml"
 
 	chart "helm.sh/helm/v4/internal/chart/v3"
+	"helm.sh/helm/v4/pkg/chart/common"
 )
 
 // ChartLoader loads a chart.
@@ -79,7 +80,7 @@ func LoadFiles(files []*BufferedFile) (*chart.Chart, error) {
 	// do not rely on assumed ordering of files in the chart and crash
 	// if Chart.yaml was not coming early enough to initialize metadata
 	for _, f := range files {
-		c.Raw = append(c.Raw, &chart.File{Name: f.Name, Data: f.Data})
+		c.Raw = append(c.Raw, &common.File{Name: f.Name, Data: f.Data})
 		if f.Name == "Chart.yaml" {
 			if c.Metadata == nil {
 				c.Metadata = new(chart.Metadata)
@@ -115,10 +116,10 @@ func LoadFiles(files []*BufferedFile) (*chart.Chart, error) {
 			c.Schema = f.Data
 
 		case strings.HasPrefix(f.Name, "templates/"):
-			c.Templates = append(c.Templates, &chart.File{Name: f.Name, Data: f.Data})
+			c.Templates = append(c.Templates, &common.File{Name: f.Name, Data: f.Data})
 		case strings.HasPrefix(f.Name, "charts/"):
 			if filepath.Ext(f.Name) == ".prov" {
-				c.Files = append(c.Files, &chart.File{Name: f.Name, Data: f.Data})
+				c.Files = append(c.Files, &common.File{Name: f.Name, Data: f.Data})
 				continue
 			}
 
@@ -126,7 +127,7 @@ func LoadFiles(files []*BufferedFile) (*chart.Chart, error) {
 			cname := strings.SplitN(fname, "/", 2)[0]
 			subcharts[cname] = append(subcharts[cname], &BufferedFile{Name: fname, Data: f.Data})
 		default:
-			c.Files = append(c.Files, &chart.File{Name: f.Name, Data: f.Data})
+			c.Files = append(c.Files, &common.File{Name: f.Name, Data: f.Data})
 		}
 	}
 

internal/chart/v3/loader/load_test.go

@@ -31,6 +31,7 @@ import (
 	"time"
 
 	chart "helm.sh/helm/v4/internal/chart/v3"
+	"helm.sh/helm/v4/pkg/chart/common"
 )
 
 func TestLoadDir(t *testing.T) {
@@ -491,7 +492,7 @@ foo:
 	}
 }
 
-func TestMergeValues(t *testing.T) {
+func TestMergeValuesV3(t *testing.T) {
 	nestedMap := map[string]interface{}{
 		"foo": "bar",
 		"baz": map[string]string{
@@ -701,7 +702,7 @@ func verifyChartFileAndTemplate(t *testing.T, c *chart.Chart, name string) {
 	}
 }
 
-func verifyBomStripped(t *testing.T, files []*chart.File) {
+func verifyBomStripped(t *testing.T, files []*common.File) {
 	t.Helper()
 	for _, file := range files {
 		if bytes.HasPrefix(file.Data, utf8bom) {

internal/chart/v3/util/capabilities.go

@@ -1,122 +0,0 @@
-/*
-Copyright The Helm Authors.
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package util
-
-import (
-	"fmt"
-	"slices"
-	"strconv"
-
-	"github.com/Masterminds/semver/v3"
-	"k8s.io/client-go/kubernetes/scheme"
-
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
-	apiextensionsv1beta1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1"
-
-	helmversion "helm.sh/helm/v4/internal/version"
-)
-
-var (
-	// The Kubernetes version can be set by LDFLAGS. In order to do that the value
-	// must be a string.
-	k8sVersionMajor = "1"
-	k8sVersionMinor = "20"
-
-	// DefaultVersionSet is the default version set, which includes only Core V1 ("v1").
-	DefaultVersionSet = allKnownVersions()
-
-	// DefaultCapabilities is the default set of capabilities.
-	DefaultCapabilities = &Capabilities{
-		KubeVersion: KubeVersion{
-			Version: fmt.Sprintf("v%s.%s.0", k8sVersionMajor, k8sVersionMinor),
-			Major:   k8sVersionMajor,
-			Minor:   k8sVersionMinor,
-		},
-		APIVersions: DefaultVersionSet,
-		HelmVersion: helmversion.Get(),
-	}
-)
-
-// Capabilities describes the capabilities of the Kubernetes cluster.
-type Capabilities struct {
-	// KubeVersion is the Kubernetes version.
-	KubeVersion KubeVersion
-	// APIVersions are supported Kubernetes API versions.
-	APIVersions VersionSet
-	// HelmVersion is the build information for this helm version
-	HelmVersion helmversion.BuildInfo
-}
-
-func (capabilities *Capabilities) Copy() *Capabilities {
-	return &Capabilities{
-		KubeVersion: capabilities.KubeVersion,
-		APIVersions: capabilities.APIVersions,
-		HelmVersion: capabilities.HelmVersion,
-	}
-}
-
-// KubeVersion is the Kubernetes version.
-type KubeVersion struct {
-	Version string // Kubernetes version
-	Major   string // Kubernetes major version
-	Minor   string // Kubernetes minor version
-}
-
-// String implements fmt.Stringer
-func (kv *KubeVersion) String() string { return kv.Version }
-
-// GitVersion returns the Kubernetes version string.
-//
-// Deprecated: use KubeVersion.Version.
-func (kv *KubeVersion) GitVersion() string { return kv.Version }
-
-// ParseKubeVersion parses kubernetes version from string
-func ParseKubeVersion(version string) (*KubeVersion, error) {
-	sv, err := semver.NewVersion(version)
-	if err != nil {
-		return nil, err
-	}
-	return &KubeVersion{
-		Version: "v" + sv.String(),
-		Major:   strconv.FormatUint(sv.Major(), 10),
-		Minor:   strconv.FormatUint(sv.Minor(), 10),
-	}, nil
-}
-
-// VersionSet is a set of Kubernetes API versions.
-type VersionSet []string
-
-// Has returns true if the version string is in the set.
-//
-//	vs.Has("apps/v1")
-func (v VersionSet) Has(apiVersion string) bool {
-	return slices.Contains(v, apiVersion)
-}
-
-func allKnownVersions() VersionSet {
-	// We should register the built in extension APIs as well so CRDs are
-	// supported in the default version set. This has caused problems with `helm
-	// template` in the past, so let's be safe
-	apiextensionsv1beta1.AddToScheme(scheme.Scheme)
-	apiextensionsv1.AddToScheme(scheme.Scheme)
-
-	groups := scheme.Scheme.PrioritizedVersionsAllGroups()
-	vs := make(VersionSet, 0, len(groups))
-	for _, gv := range groups {
-		vs = append(vs, gv.String())
-	}
-	return vs
-}

internal/chart/v3/util/capabilities_test.go

@@ -1,84 +0,0 @@
-/*
-Copyright The Helm Authors.
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package util
-
-import (
-	"testing"
-)
-
-func TestVersionSet(t *testing.T) {
-	vs := VersionSet{"v1", "apps/v1"}
-	if d := len(vs); d != 2 {
-		t.Errorf("Expected 2 versions, got %d", d)
-	}
-
-	if !vs.Has("apps/v1") {
-		t.Error("Expected to find apps/v1")
-	}
-
-	if vs.Has("Spanish/inquisition") {
-		t.Error("No one expects the Spanish/inquisition")
-	}
-}
-
-func TestDefaultVersionSet(t *testing.T) {
-	if !DefaultVersionSet.Has("v1") {
-		t.Error("Expected core v1 version set")
-	}
-}
-
-func TestDefaultCapabilities(t *testing.T) {
-	kv := DefaultCapabilities.KubeVersion
-	if kv.String() != "v1.20.0" {
-		t.Errorf("Expected default KubeVersion.String() to be v1.20.0, got %q", kv.String())
-	}
-	if kv.Version != "v1.20.0" {
-		t.Errorf("Expected default KubeVersion.Version to be v1.20.0, got %q", kv.Version)
-	}
-	if kv.GitVersion() != "v1.20.0" {
-		t.Errorf("Expected default KubeVersion.GitVersion() to be v1.20.0, got %q", kv.Version)
-	}
-	if kv.Major != "1" {
-		t.Errorf("Expected default KubeVersion.Major to be 1, got %q", kv.Major)
-	}
-	if kv.Minor != "20" {
-		t.Errorf("Expected default KubeVersion.Minor to be 20, got %q", kv.Minor)
-	}
-}
-
-func TestDefaultCapabilitiesHelmVersion(t *testing.T) {
-	hv := DefaultCapabilities.HelmVersion
-
-	if hv.Version != "v4.0" {
-		t.Errorf("Expected default HelmVersion to be v4.0, got %q", hv.Version)
-	}
-}
-
-func TestParseKubeVersion(t *testing.T) {
-	kv, err := ParseKubeVersion("v1.16.0")
-	if err != nil {
-		t.Errorf("Expected v1.16.0 to parse successfully")
-	}
-	if kv.Version != "v1.16.0" {
-		t.Errorf("Expected parsed KubeVersion.Version to be v1.16.0, got %q", kv.String())
-	}
-	if kv.Major != "1" {
-		t.Errorf("Expected parsed KubeVersion.Major to be 1, got %q", kv.Major)
-	}
-	if kv.Minor != "16" {
-		t.Errorf("Expected parsed KubeVersion.Minor to be 16, got %q", kv.Minor)
-	}
-}

internal/chart/v3/util/coalesce.go

@@ -1,308 +0,0 @@
-/*
-Copyright The Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package util
-
-import (
-	"fmt"
-	"log"
-	"maps"
-
-	"github.com/mitchellh/copystructure"
-
-	chart "helm.sh/helm/v4/internal/chart/v3"
-)
-
-func concatPrefix(a, b string) string {
-	if a == "" {
-		return b
-	}
-	return fmt.Sprintf("%s.%s", a, b)
-}
-
-// CoalesceValues coalesces all of the values in a chart (and its subcharts).
-//
-// Values are coalesced together using the following rules:
-//
-//   - Values in a higher level chart always override values in a lower-level
-//     dependency chart
-//   - Scalar values and arrays are replaced, maps are merged
-//   - A chart has access to all of the variables for it, as well as all of
-//     the values destined for its dependencies.
-func CoalesceValues(chrt *chart.Chart, vals map[string]interface{}) (Values, error) {
-	valsCopy, err := copyValues(vals)
-	if err != nil {
-		return vals, err
-	}
-	return coalesce(log.Printf, chrt, valsCopy, "", false)
-}
-
-// MergeValues is used to merge the values in a chart and its subcharts. This
-// is different from Coalescing as nil/null values are preserved.
-//
-// Values are coalesced together using the following rules:
-//
-//   - Values in a higher level chart always override values in a lower-level
-//     dependency chart
-//   - Scalar values and arrays are replaced, maps are merged
-//   - A chart has access to all of the variables for it, as well as all of
-//     the values destined for its dependencies.
-//
-// Retaining Nils is useful when processes early in a Helm action or business
-// logic need to retain them for when Coalescing will happen again later in the
-// business logic.
-func MergeValues(chrt *chart.Chart, vals map[string]interface{}) (Values, error) {
-	valsCopy, err := copyValues(vals)
-	if err != nil {
-		return vals, err
-	}
-	return coalesce(log.Printf, chrt, valsCopy, "", true)
-}
-
-func copyValues(vals map[string]interface{}) (Values, error) {
-	v, err := copystructure.Copy(vals)
-	if err != nil {
-		return vals, err
-	}
-
-	valsCopy := v.(map[string]interface{})
-	// if we have an empty map, make sure it is initialized
-	if valsCopy == nil {
-		valsCopy = make(map[string]interface{})
-	}
-
-	return valsCopy, nil
-}
-
-type printFn func(format string, v ...interface{})
-
-// coalesce coalesces the dest values and the chart values, giving priority to the dest values.
-//
-// This is a helper function for CoalesceValues and MergeValues.
-//
-// Note, the merge argument specifies whether this is being used by MergeValues
-// or CoalesceValues. Coalescing removes null values and their keys in some
-// situations while merging keeps the null values.
-func coalesce(printf printFn, ch *chart.Chart, dest map[string]interface{}, prefix string, merge bool) (map[string]interface{}, error) {
-	coalesceValues(printf, ch, dest, prefix, merge)
-	return coalesceDeps(printf, ch, dest, prefix, merge)
-}
-
-// coalesceDeps coalesces the dependencies of the given chart.
-func coalesceDeps(printf printFn, chrt *chart.Chart, dest map[string]interface{}, prefix string, merge bool) (map[string]interface{}, error) {
-	for _, subchart := range chrt.Dependencies() {
-		if c, ok := dest[subchart.Name()]; !ok {
-			// If dest doesn't already have the key, create it.
-			dest[subchart.Name()] = make(map[string]interface{})
-		} else if !istable(c) {
-			return dest, fmt.Errorf("type mismatch on %s: %t", subchart.Name(), c)
-		}
-		if dv, ok := dest[subchart.Name()]; ok {
-			dvmap := dv.(map[string]interface{})
-			subPrefix := concatPrefix(prefix, chrt.Metadata.Name)
-			// Get globals out of dest and merge them into dvmap.
-			coalesceGlobals(printf, dvmap, dest, subPrefix, merge)
-			// Now coalesce the rest of the values.
-			var err error
-			dest[subchart.Name()], err = coalesce(printf, subchart, dvmap, subPrefix, merge)
-			if err != nil {
-				return dest, err
-			}
-		}
-	}
-	return dest, nil
-}
-
-// coalesceGlobals copies the globals out of src and merges them into dest.
-//
-// For convenience, returns dest.
-func coalesceGlobals(printf printFn, dest, src map[string]interface{}, prefix string, _ bool) {
-	var dg, sg map[string]interface{}
-
-	if destglob, ok := dest[GlobalKey]; !ok {
-		dg = make(map[string]interface{})
-	} else if dg, ok = destglob.(map[string]interface{}); !ok {
-		printf("warning: skipping globals because destination %s is not a table.", GlobalKey)
-		return
-	}
-
-	if srcglob, ok := src[GlobalKey]; !ok {
-		sg = make(map[string]interface{})
-	} else if sg, ok = srcglob.(map[string]interface{}); !ok {
-		printf("warning: skipping globals because source %s is not a table.", GlobalKey)
-		return
-	}
-
-	// EXPERIMENTAL: In the past, we have disallowed globals to test tables. This
-	// reverses that decision. It may somehow be possible to introduce a loop
-	// here, but I haven't found a way. So for the time being, let's allow
-	// tables in globals.
-	for key, val := range sg {
-		if istable(val) {
-			vv := copyMap(val.(map[string]interface{}))
-			if destv, ok := dg[key]; !ok {
-				// Here there is no merge. We're just adding.
-				dg[key] = vv
-			} else {
-				if destvmap, ok := destv.(map[string]interface{}); !ok {
-					printf("Conflict: cannot merge map onto non-map for %q. Skipping.", key)
-				} else {
-					// Basically, we reverse order of coalesce here to merge
-					// top-down.
-					subPrefix := concatPrefix(prefix, key)
-					// In this location coalesceTablesFullKey should always have
-					// merge set to true. The output of coalesceGlobals is run
-					// through coalesce where any nils will be removed.
-					coalesceTablesFullKey(printf, vv, destvmap, subPrefix, true)
-					dg[key] = vv
-				}
-			}
-		} else if dv, ok := dg[key]; ok && istable(dv) {
-			// It's not clear if this condition can actually ever trigger.
-			printf("key %s is table. Skipping", key)
-		} else {
-			// TODO: Do we need to do any additional checking on the value?
-			dg[key] = val
-		}
-	}
-	dest[GlobalKey] = dg
-}
-
-func copyMap(src map[string]interface{}) map[string]interface{} {
-	m := make(map[string]interface{}, len(src))
-	maps.Copy(m, src)
-	return m
-}
-
-// coalesceValues builds up a values map for a particular chart.
-//
-// Values in v will override the values in the chart.
-func coalesceValues(printf printFn, c *chart.Chart, v map[string]interface{}, prefix string, merge bool) {
-	subPrefix := concatPrefix(prefix, c.Metadata.Name)
-
-	// Using c.Values directly when coalescing a table can cause problems where
-	// the original c.Values is altered. Creating a deep copy stops the problem.
-	// This section is fault-tolerant as there is no ability to return an error.
-	valuesCopy, err := copystructure.Copy(c.Values)
-	var vc map[string]interface{}
-	var ok bool
-	if err != nil {
-		// If there is an error something is wrong with copying c.Values it
-		// means there is a problem in the deep copying package or something
-		// wrong with c.Values. In this case we will use c.Values and report
-		// an error.
-		printf("warning: unable to copy values, err: %s", err)
-		vc = c.Values
-	} else {
-		vc, ok = valuesCopy.(map[string]interface{})
-		if !ok {
-			// c.Values has a map[string]interface{} structure. If the copy of
-			// it cannot be treated as map[string]interface{} there is something
-			// strangely wrong. Log it and use c.Values
-			printf("warning: unable to convert values copy to values type")
-			vc = c.Values
-		}
-	}
-
-	for key, val := range vc {
-		if value, ok := v[key]; ok {
-			if value == nil && !merge {
-				// When the YAML value is null and we are coalescing instead of
-				// merging, we remove the value's key.
-				// This allows Helm's various sources of values (value files or --set) to
-				// remove incompatible keys from any previous chart, file, or set values.
-				delete(v, key)
-			} else if dest, ok := value.(map[string]interface{}); ok {
-				// if v[key] is a table, merge nv's val table into v[key].
-				src, ok := val.(map[string]interface{})
-				if !ok {
-					// If the original value is nil, there is nothing to coalesce, so we don't print
-					// the warning
-					if val != nil {
-						printf("warning: skipped value for %s.%s: Not a table.", subPrefix, key)
-					}
-				} else {
-					// If the key is a child chart, coalesce tables with Merge set to true
-					merge := childChartMergeTrue(c, key, merge)
-
-					// Because v has higher precedence than nv, dest values override src
-					// values.
-					coalesceTablesFullKey(printf, dest, src, concatPrefix(subPrefix, key), merge)
-				}
-			}
-		} else {
-			// If the key is not in v, copy it from nv.
-			v[key] = val
-		}
-	}
-}
-
-func childChartMergeTrue(chrt *chart.Chart, key string, merge bool) bool {
-	for _, subchart := range chrt.Dependencies() {
-		if subchart.Name() == key {
-			return true
-		}
-	}
-	return merge
-}
-
-// CoalesceTables merges a source map into a destination map.
-//
-// dest is considered authoritative.
-func CoalesceTables(dst, src map[string]interface{}) map[string]interface{} {
-	return coalesceTablesFullKey(log.Printf, dst, src, "", false)
-}
-
-func MergeTables(dst, src map[string]interface{}) map[string]interface{} {
-	return coalesceTablesFullKey(log.Printf, dst, src, "", true)
-}
-
-// coalesceTablesFullKey merges a source map into a destination map.
-//
-// dest is considered authoritative.
-func coalesceTablesFullKey(printf printFn, dst, src map[string]interface{}, prefix string, merge bool) map[string]interface{} {
-	// When --reuse-values is set but there are no modifications yet, return new values
-	if src == nil {
-		return dst
-	}
-	if dst == nil {
-		return src
-	}
-	for key, val := range dst {
-		if val == nil {
-			src[key] = nil
-		}
-	}
-	// Because dest has higher precedence than src, dest values override src
-	// values.
-	for key, val := range src {
-		fullkey := concatPrefix(prefix, key)
-		if dv, ok := dst[key]; ok && !merge && dv == nil {
-			delete(dst, key)
-		} else if !ok {
-			dst[key] = val
-		} else if istable(val) {
-			if istable(dv) {
-				coalesceTablesFullKey(printf, dv.(map[string]interface{}), val.(map[string]interface{}), fullkey, merge)
-			} else {
-				printf("warning: cannot overwrite table with non table for %s (%v)", fullkey, val)
-			}
-		} else if istable(dv) && val != nil {
-			printf("warning: destination for %s is a table. Ignoring non-table value (%v)", fullkey, val)
-		}
-	}
-	return dst
-}

internal/chart/v3/util/coalesce_test.go

@@ -1,723 +0,0 @@
-/*
-Copyright The Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package util
-
-import (
-	"encoding/json"
-	"fmt"
-	"maps"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-
-	chart "helm.sh/helm/v4/internal/chart/v3"
-)
-
-// ref: http://www.yaml.org/spec/1.2/spec.html#id2803362
-var testCoalesceValuesYaml = []byte(`
-top: yup
-bottom: null
-right: Null
-left: NULL
-front: ~
-back: ""
-nested:
-  boat: null
-
-global:
-  name: Ishmael
-  subject: Queequeg
-  nested:
-    boat: true
-
-pequod:
-  boat: null
-  global:
-    name: Stinky
-    harpooner: Tashtego
-    nested:
-      boat: false
-      sail: true
-      foo2: null
-  ahab:
-    scope: whale
-    boat: null
-    nested:
-      foo: true
-      boat: null
-    object: null
-`)
-
-func withDeps(c *chart.Chart, deps ...*chart.Chart) *chart.Chart {
-	c.AddDependency(deps...)
-	return c
-}
-
-func TestCoalesceValues(t *testing.T) {
-	is := assert.New(t)
-
-	c := withDeps(&chart.Chart{
-		Metadata: &chart.Metadata{Name: "moby"},
-		Values: map[string]interface{}{
-			"back":     "exists",
-			"bottom":   "exists",
-			"front":    "exists",
-			"left":     "exists",
-			"name":     "moby",
-			"nested":   map[string]interface{}{"boat": true},
-			"override": "bad",
-			"right":    "exists",
-			"scope":    "moby",
-			"top":      "nope",
-			"global": map[string]interface{}{
-				"nested2": map[string]interface{}{"l0": "moby"},
-			},
-			"pequod": map[string]interface{}{
-				"boat": "maybe",
-				"ahab": map[string]interface{}{
-					"boat":   "maybe",
-					"nested": map[string]interface{}{"boat": "maybe"},
-				},
-			},
-		},
-	},
-		withDeps(&chart.Chart{
-			Metadata: &chart.Metadata{Name: "pequod"},
-			Values: map[string]interface{}{
-				"name":  "pequod",
-				"scope": "pequod",
-				"global": map[string]interface{}{
-					"nested2": map[string]interface{}{"l1": "pequod"},
-				},
-				"boat": false,
-				"ahab": map[string]interface{}{
-					"boat":   false,
-					"nested": map[string]interface{}{"boat": false},
-				},
-			},
-		},
-			&chart.Chart{
-				Metadata: &chart.Metadata{Name: "ahab"},
-				Values: map[string]interface{}{
-					"global": map[string]interface{}{
-						"nested":  map[string]interface{}{"foo": "bar", "foo2": "bar2"},
-						"nested2": map[string]interface{}{"l2": "ahab"},
-					},
-					"scope":  "ahab",
-					"name":   "ahab",
-					"boat":   true,
-					"nested": map[string]interface{}{"foo": false, "boat": true},
-					"object": map[string]interface{}{"foo": "bar"},
-				},
-			},
-		),
-		&chart.Chart{
-			Metadata: &chart.Metadata{Name: "spouter"},
-			Values: map[string]interface{}{
-				"scope": "spouter",
-				"global": map[string]interface{}{
-					"nested2": map[string]interface{}{"l1": "spouter"},
-				},
-			},
-		},
-	)
-
-	vals, err := ReadValues(testCoalesceValuesYaml)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// taking a copy of the values before passing it
-	// to CoalesceValues as argument, so that we can
-	// use it for asserting later
-	valsCopy := make(Values, len(vals))
-	maps.Copy(valsCopy, vals)
-
-	v, err := CoalesceValues(c, vals)
-	if err != nil {
-		t.Fatal(err)
-	}
-	j, _ := json.MarshalIndent(v, "", "  ")
-	t.Logf("Coalesced Values: %s", string(j))
-
-	tests := []struct {
-		tpl    string
-		expect string
-	}{
-		{"{{.top}}", "yup"},
-		{"{{.back}}", ""},
-		{"{{.name}}", "moby"},
-		{"{{.global.name}}", "Ishmael"},
-		{"{{.global.subject}}", "Queequeg"},
-		{"{{.global.harpooner}}", "<no value>"},
-		{"{{.pequod.name}}", "pequod"},
-		{"{{.pequod.ahab.name}}", "ahab"},
-		{"{{.pequod.ahab.scope}}", "whale"},
-		{"{{.pequod.ahab.nested.foo}}", "true"},
-		{"{{.pequod.ahab.global.name}}", "Ishmael"},
-		{"{{.pequod.ahab.global.nested.foo}}", "bar"},
-		{"{{.pequod.ahab.global.nested.foo2}}", "<no value>"},
-		{"{{.pequod.ahab.global.subject}}", "Queequeg"},
-		{"{{.pequod.ahab.global.harpooner}}", "Tashtego"},
-		{"{{.pequod.global.name}}", "Ishmael"},
-		{"{{.pequod.global.nested.foo}}", "<no value>"},
-		{"{{.pequod.global.subject}}", "Queequeg"},
-		{"{{.spouter.global.name}}", "Ishmael"},
-		{"{{.spouter.global.harpooner}}", "<no value>"},
-
-		{"{{.global.nested.boat}}", "true"},
-		{"{{.pequod.global.nested.boat}}", "true"},
-		{"{{.spouter.global.nested.boat}}", "true"},
-		{"{{.pequod.global.nested.sail}}", "true"},
-		{"{{.spouter.global.nested.sail}}", "<no value>"},
-
-		{"{{.global.nested2.l0}}", "moby"},
-		{"{{.global.nested2.l1}}", "<no value>"},
-		{"{{.global.nested2.l2}}", "<no value>"},
-		{"{{.pequod.global.nested2.l0}}", "moby"},
-		{"{{.pequod.global.nested2.l1}}", "pequod"},
-		{"{{.pequod.global.nested2.l2}}", "<no value>"},
-		{"{{.pequod.ahab.global.nested2.l0}}", "moby"},
-		{"{{.pequod.ahab.global.nested2.l1}}", "pequod"},
-		{"{{.pequod.ahab.global.nested2.l2}}", "ahab"},
-		{"{{.spouter.global.nested2.l0}}", "moby"},
-		{"{{.spouter.global.nested2.l1}}", "spouter"},
-		{"{{.spouter.global.nested2.l2}}", "<no value>"},
-	}
-
-	for _, tt := range tests {
-		if o, err := ttpl(tt.tpl, v); err != nil || o != tt.expect {
-			t.Errorf("Expected %q to expand to %q, got %q", tt.tpl, tt.expect, o)
-		}
-	}
-
-	nullKeys := []string{"bottom", "right", "left", "front"}
-	for _, nullKey := range nullKeys {
-		if _, ok := v[nullKey]; ok {
-			t.Errorf("Expected key %q to be removed, still present", nullKey)
-		}
-	}
-
-	if _, ok := v["nested"].(map[string]interface{})["boat"]; ok {
-		t.Error("Expected nested boat key to be removed, still present")
-	}
-
-	subchart := v["pequod"].(map[string]interface{})
-	if _, ok := subchart["boat"]; ok {
-		t.Error("Expected subchart boat key to be removed, still present")
-	}
-
-	subsubchart := subchart["ahab"].(map[string]interface{})
-	if _, ok := subsubchart["boat"]; ok {
-		t.Error("Expected sub-subchart ahab boat key to be removed, still present")
-	}
-
-	if _, ok := subsubchart["nested"].(map[string]interface{})["boat"]; ok {
-		t.Error("Expected sub-subchart nested boat key to be removed, still present")
-	}
-
-	if _, ok := subsubchart["object"]; ok {
-		t.Error("Expected sub-subchart object map to be removed, still present")
-	}
-
-	// CoalesceValues should not mutate the passed arguments
-	is.Equal(valsCopy, vals)
-}
-
-func TestMergeValues(t *testing.T) {
-	is := assert.New(t)
-
-	c := withDeps(&chart.Chart{
-		Metadata: &chart.Metadata{Name: "moby"},
-		Values: map[string]interface{}{
-			"back":     "exists",
-			"bottom":   "exists",
-			"front":    "exists",
-			"left":     "exists",
-			"name":     "moby",
-			"nested":   map[string]interface{}{"boat": true},
-			"override": "bad",
-			"right":    "exists",
-			"scope":    "moby",
-			"top":      "nope",
-			"global": map[string]interface{}{
-				"nested2": map[string]interface{}{"l0": "moby"},
-			},
-		},
-	},
-		withDeps(&chart.Chart{
-			Metadata: &chart.Metadata{Name: "pequod"},
-			Values: map[string]interface{}{
-				"name":  "pequod",
-				"scope": "pequod",
-				"global": map[string]interface{}{
-					"nested2": map[string]interface{}{"l1": "pequod"},
-				},
-			},
-		},
-			&chart.Chart{
-				Metadata: &chart.Metadata{Name: "ahab"},
-				Values: map[string]interface{}{
-					"global": map[string]interface{}{
-						"nested":  map[string]interface{}{"foo": "bar"},
-						"nested2": map[string]interface{}{"l2": "ahab"},
-					},
-					"scope":  "ahab",
-					"name":   "ahab",
-					"boat":   true,
-					"nested": map[string]interface{}{"foo": false, "bar": true},
-				},
-			},
-		),
-		&chart.Chart{
-			Metadata: &chart.Metadata{Name: "spouter"},
-			Values: map[string]interface{}{
-				"scope": "spouter",
-				"global": map[string]interface{}{
-					"nested2": map[string]interface{}{"l1": "spouter"},
-				},
-			},
-		},
-	)
-
-	vals, err := ReadValues(testCoalesceValuesYaml)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// taking a copy of the values before passing it
-	// to MergeValues as argument, so that we can
-	// use it for asserting later
-	valsCopy := make(Values, len(vals))
-	maps.Copy(valsCopy, vals)
-
-	v, err := MergeValues(c, vals)
-	if err != nil {
-		t.Fatal(err)
-	}
-	j, _ := json.MarshalIndent(v, "", "  ")
-	t.Logf("Coalesced Values: %s", string(j))
-
-	tests := []struct {
-		tpl    string
-		expect string
-	}{
-		{"{{.top}}", "yup"},
-		{"{{.back}}", ""},
-		{"{{.name}}", "moby"},
-		{"{{.global.name}}", "Ishmael"},
-		{"{{.global.subject}}", "Queequeg"},
-		{"{{.global.harpooner}}", "<no value>"},
-		{"{{.pequod.name}}", "pequod"},
-		{"{{.pequod.ahab.name}}", "ahab"},
-		{"{{.pequod.ahab.scope}}", "whale"},
-		{"{{.pequod.ahab.nested.foo}}", "true"},
-		{"{{.pequod.ahab.global.name}}", "Ishmael"},
-		{"{{.pequod.ahab.global.nested.foo}}", "bar"},
-		{"{{.pequod.ahab.global.subject}}", "Queequeg"},
-		{"{{.pequod.ahab.global.harpooner}}", "Tashtego"},
-		{"{{.pequod.global.name}}", "Ishmael"},
-		{"{{.pequod.global.nested.foo}}", "<no value>"},
-		{"{{.pequod.global.subject}}", "Queequeg"},
-		{"{{.spouter.global.name}}", "Ishmael"},
-		{"{{.spouter.global.harpooner}}", "<no value>"},
-
-		{"{{.global.nested.boat}}", "true"},
-		{"{{.pequod.global.nested.boat}}", "true"},
-		{"{{.spouter.global.nested.boat}}", "true"},
-		{"{{.pequod.global.nested.sail}}", "true"},
-		{"{{.spouter.global.nested.sail}}", "<no value>"},
-
-		{"{{.global.nested2.l0}}", "moby"},
-		{"{{.global.nested2.l1}}", "<no value>"},
-		{"{{.global.nested2.l2}}", "<no value>"},
-		{"{{.pequod.global.nested2.l0}}", "moby"},
-		{"{{.pequod.global.nested2.l1}}", "pequod"},
-		{"{{.pequod.global.nested2.l2}}", "<no value>"},
-		{"{{.pequod.ahab.global.nested2.l0}}", "moby"},
-		{"{{.pequod.ahab.global.nested2.l1}}", "pequod"},
-		{"{{.pequod.ahab.global.nested2.l2}}", "ahab"},
-		{"{{.spouter.global.nested2.l0}}", "moby"},
-		{"{{.spouter.global.nested2.l1}}", "spouter"},
-		{"{{.spouter.global.nested2.l2}}", "<no value>"},
-	}
-
-	for _, tt := range tests {
-		if o, err := ttpl(tt.tpl, v); err != nil || o != tt.expect {
-			t.Errorf("Expected %q to expand to %q, got %q", tt.tpl, tt.expect, o)
-		}
-	}
-
-	// nullKeys is different from coalescing. Here the null/nil values are not
-	// removed.
-	nullKeys := []string{"bottom", "right", "left", "front"}
-	for _, nullKey := range nullKeys {
-		if vv, ok := v[nullKey]; !ok {
-			t.Errorf("Expected key %q to be present but it was removed", nullKey)
-		} else if vv != nil {
-			t.Errorf("Expected key %q to be null but it has a value of %v", nullKey, vv)
-		}
-	}
-
-	if _, ok := v["nested"].(map[string]interface{})["boat"]; !ok {
-		t.Error("Expected nested boat key to be present but it was removed")
-	}
-
-	subchart := v["pequod"].(map[string]interface{})["ahab"].(map[string]interface{})
-	if _, ok := subchart["boat"]; !ok {
-		t.Error("Expected subchart boat key to be present but it was removed")
-	}
-
-	if _, ok := subchart["nested"].(map[string]interface{})["bar"]; !ok {
-		t.Error("Expected subchart nested bar key to be present but it was removed")
-	}
-
-	// CoalesceValues should not mutate the passed arguments
-	is.Equal(valsCopy, vals)
-}
-
-func TestCoalesceTables(t *testing.T) {
-	dst := map[string]interface{}{
-		"name": "Ishmael",
-		"address": map[string]interface{}{
-			"street":  "123 Spouter Inn Ct.",
-			"city":    "Nantucket",
-			"country": nil,
-		},
-		"details": map[string]interface{}{
-			"friends": []string{"Tashtego"},
-		},
-		"boat": "pequod",
-		"hole": nil,
-	}
-	src := map[string]interface{}{
-		"occupation": "whaler",
-		"address": map[string]interface{}{
-			"state":   "MA",
-			"street":  "234 Spouter Inn Ct.",
-			"country": "US",
-		},
-		"details": "empty",
-		"boat": map[string]interface{}{
-			"mast": true,
-		},
-		"hole": "black",
-	}
-
-	// What we expect is that anything in dst overrides anything in src, but that
-	// otherwise the values are coalesced.
-	CoalesceTables(dst, src)
-
-	if dst["name"] != "Ishmael" {
-		t.Errorf("Unexpected name: %s", dst["name"])
-	}
-	if dst["occupation"] != "whaler" {
-		t.Errorf("Unexpected occupation: %s", dst["occupation"])
-	}
-
-	addr, ok := dst["address"].(map[string]interface{})
-	if !ok {
-		t.Fatal("Address went away.")
-	}
-
-	if addr["street"].(string) != "123 Spouter Inn Ct." {
-		t.Errorf("Unexpected address: %v", addr["street"])
-	}
-
-	if addr["city"].(string) != "Nantucket" {
-		t.Errorf("Unexpected city: %v", addr["city"])
-	}
-
-	if addr["state"].(string) != "MA" {
-		t.Errorf("Unexpected state: %v", addr["state"])
-	}
-
-	if _, ok = addr["country"]; ok {
-		t.Error("The country is not left out.")
-	}
-
-	if det, ok := dst["details"].(map[string]interface{}); !ok {
-		t.Fatalf("Details is the wrong type: %v", dst["details"])
-	} else if _, ok := det["friends"]; !ok {
-		t.Error("Could not find your friends. Maybe you don't have any. :-(")
-	}
-
-	if dst["boat"].(string) != "pequod" {
-		t.Errorf("Expected boat string, got %v", dst["boat"])
-	}
-
-	if _, ok = dst["hole"]; ok {
-		t.Error("The hole still exists.")
-	}
-
-	dst2 := map[string]interface{}{
-		"name": "Ishmael",
-		"address": map[string]interface{}{
-			"street":  "123 Spouter Inn Ct.",
-			"city":    "Nantucket",
-			"country": "US",
-		},
-		"details": map[string]interface{}{
-			"friends": []string{"Tashtego"},
-		},
-		"boat": "pequod",
-		"hole": "black",
-	}
-
-	// What we expect is that anything in dst should have all values set,
-	// this happens when the --reuse-values flag is set but the chart has no modifications yet
-	CoalesceTables(dst2, nil)
-
-	if dst2["name"] != "Ishmael" {
-		t.Errorf("Unexpected name: %s", dst2["name"])
-	}
-
-	addr2, ok := dst2["address"].(map[string]interface{})
-	if !ok {
-		t.Fatal("Address went away.")
-	}
-
-	if addr2["street"].(string) != "123 Spouter Inn Ct." {
-		t.Errorf("Unexpected address: %v", addr2["street"])
-	}
-
-	if addr2["city"].(string) != "Nantucket" {
-		t.Errorf("Unexpected city: %v", addr2["city"])
-	}
-
-	if addr2["country"].(string) != "US" {
-		t.Errorf("Unexpected Country: %v", addr2["country"])
-	}
-
-	if det2, ok := dst2["details"].(map[string]interface{}); !ok {
-		t.Fatalf("Details is the wrong type: %v", dst2["details"])
-	} else if _, ok := det2["friends"]; !ok {
-		t.Error("Could not find your friends. Maybe you don't have any. :-(")
-	}
-
-	if dst2["boat"].(string) != "pequod" {
-		t.Errorf("Expected boat string, got %v", dst2["boat"])
-	}
-
-	if dst2["hole"].(string) != "black" {
-		t.Errorf("Expected hole string, got %v", dst2["boat"])
-	}
-}
-
-func TestMergeTables(t *testing.T) {
-	dst := map[string]interface{}{
-		"name": "Ishmael",
-		"address": map[string]interface{}{
-			"street":  "123 Spouter Inn Ct.",
-			"city":    "Nantucket",
-			"country": nil,
-		},
-		"details": map[string]interface{}{
-			"friends": []string{"Tashtego"},
-		},
-		"boat": "pequod",
-		"hole": nil,
-	}
-	src := map[string]interface{}{
-		"occupation": "whaler",
-		"address": map[string]interface{}{
-			"state":   "MA",
-			"street":  "234 Spouter Inn Ct.",
-			"country": "US",
-		},
-		"details": "empty",
-		"boat": map[string]interface{}{
-			"mast": true,
-		},
-		"hole": "black",
-	}
-
-	// What we expect is that anything in dst overrides anything in src, but that
-	// otherwise the values are coalesced.
-	MergeTables(dst, src)
-
-	if dst["name"] != "Ishmael" {
-		t.Errorf("Unexpected name: %s", dst["name"])
-	}
-	if dst["occupation"] != "whaler" {
-		t.Errorf("Unexpected occupation: %s", dst["occupation"])
-	}
-
-	addr, ok := dst["address"].(map[string]interface{})
-	if !ok {
-		t.Fatal("Address went away.")
-	}
-
-	if addr["street"].(string) != "123 Spouter Inn Ct." {
-		t.Errorf("Unexpected address: %v", addr["street"])
-	}
-
-	if addr["city"].(string) != "Nantucket" {
-		t.Errorf("Unexpected city: %v", addr["city"])
-	}
-
-	if addr["state"].(string) != "MA" {
-		t.Errorf("Unexpected state: %v", addr["state"])
-	}
-
-	// This is one test that is different from CoalesceTables. Because country
-	// is a nil value and it's not removed it's still present.
-	if _, ok = addr["country"]; !ok {
-		t.Error("The country is left out.")
-	}
-
-	if det, ok := dst["details"].(map[string]interface{}); !ok {
-		t.Fatalf("Details is the wrong type: %v", dst["details"])
-	} else if _, ok := det["friends"]; !ok {
-		t.Error("Could not find your friends. Maybe you don't have any. :-(")
-	}
-
-	if dst["boat"].(string) != "pequod" {
-		t.Errorf("Expected boat string, got %v", dst["boat"])
-	}
-
-	// This is one test that is different from CoalesceTables. Because hole
-	// is a nil value and it's not removed it's still present.
-	if _, ok = dst["hole"]; !ok {
-		t.Error("The hole no longer exists.")
-	}
-
-	dst2 := map[string]interface{}{
-		"name": "Ishmael",
-		"address": map[string]interface{}{
-			"street":  "123 Spouter Inn Ct.",
-			"city":    "Nantucket",
-			"country": "US",
-		},
-		"details": map[string]interface{}{
-			"friends": []string{"Tashtego"},
-		},
-		"boat":   "pequod",
-		"hole":   "black",
-		"nilval": nil,
-	}
-
-	// What we expect is that anything in dst should have all values set,
-	// this happens when the --reuse-values flag is set but the chart has no modifications yet
-	MergeTables(dst2, nil)
-
-	if dst2["name"] != "Ishmael" {
-		t.Errorf("Unexpected name: %s", dst2["name"])
-	}
-
-	addr2, ok := dst2["address"].(map[string]interface{})
-	if !ok {
-		t.Fatal("Address went away.")
-	}
-
-	if addr2["street"].(string) != "123 Spouter Inn Ct." {
-		t.Errorf("Unexpected address: %v", addr2["street"])
-	}
-
-	if addr2["city"].(string) != "Nantucket" {
-		t.Errorf("Unexpected city: %v", addr2["city"])
-	}
-
-	if addr2["country"].(string) != "US" {
-		t.Errorf("Unexpected Country: %v", addr2["country"])
-	}
-
-	if det2, ok := dst2["details"].(map[string]interface{}); !ok {
-		t.Fatalf("Details is the wrong type: %v", dst2["details"])
-	} else if _, ok := det2["friends"]; !ok {
-		t.Error("Could not find your friends. Maybe you don't have any. :-(")
-	}
-
-	if dst2["boat"].(string) != "pequod" {
-		t.Errorf("Expected boat string, got %v", dst2["boat"])
-	}
-
-	if dst2["hole"].(string) != "black" {
-		t.Errorf("Expected hole string, got %v", dst2["boat"])
-	}
-
-	if dst2["nilval"] != nil {
-		t.Error("Expected nilvalue to have nil value but it does not")
-	}
-}
-
-func TestCoalesceValuesWarnings(t *testing.T) {
-
-	c := withDeps(&chart.Chart{
-		Metadata: &chart.Metadata{Name: "level1"},
-		Values: map[string]interface{}{
-			"name": "moby",
-		},
-	},
-		withDeps(&chart.Chart{
-			Metadata: &chart.Metadata{Name: "level2"},
-			Values: map[string]interface{}{
-				"name": "pequod",
-			},
-		},
-			&chart.Chart{
-				Metadata: &chart.Metadata{Name: "level3"},
-				Values: map[string]interface{}{
-					"name": "ahab",
-					"boat": true,
-					"spear": map[string]interface{}{
-						"tip": true,
-						"sail": map[string]interface{}{
-							"cotton": true,
-						},
-					},
-				},
-			},
-		),
-	)
-
-	vals := map[string]interface{}{
-		"level2": map[string]interface{}{
-			"level3": map[string]interface{}{
-				"boat": map[string]interface{}{"mast": true},
-				"spear": map[string]interface{}{
-					"tip": map[string]interface{}{
-						"sharp": true,
-					},
-					"sail": true,
-				},
-			},
-		},
-	}
-
-	warnings := make([]string, 0)
-	printf := func(format string, v ...interface{}) {
-		t.Logf(format, v...)
-		warnings = append(warnings, fmt.Sprintf(format, v...))
-	}
-
-	_, err := coalesce(printf, c, vals, "", false)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	t.Logf("vals: %v", vals)
-	assert.Contains(t, warnings, "warning: skipped value for level1.level2.level3.boat: Not a table.")
-	assert.Contains(t, warnings, "warning: destination for level1.level2.level3.spear.tip is a table. Ignoring non-table value (true)")
-	assert.Contains(t, warnings, "warning: cannot overwrite table with non table for level1.level2.level3.spear.sail (map[cotton:true])")
-
-}
-
-func TestConcatPrefix(t *testing.T) {
-	assert.Equal(t, "b", concatPrefix("", "b"))
-	assert.Equal(t, "a.b", concatPrefix("a", "b"))
-}

internal/chart/v3/util/create.go

@@ -28,6 +28,7 @@ import (
 
 	chart "helm.sh/helm/v4/internal/chart/v3"
 	"helm.sh/helm/v4/internal/chart/v3/loader"
+	"helm.sh/helm/v4/pkg/chart/common"
 )
 
 // chartName is a regular expression for testing the supplied name of a chart.
@@ -655,11 +656,11 @@ func CreateFrom(chartfile *chart.Metadata, dest, src string) error {
 
 	schart.Metadata = chartfile
 
-	var updatedTemplates []*chart.File
+	var updatedTemplates []*common.File
 
 	for _, template := range schart.Templates {
 		newData := transform(string(template.Data), schart.Name())
-		updatedTemplates = append(updatedTemplates, &chart.File{Name: template.Name, Data: newData})
+		updatedTemplates = append(updatedTemplates, &common.File{Name: template.Name, Data: newData})
 	}
 
 	schart.Templates = updatedTemplates

internal/chart/v3/util/dependencies.go

@@ -23,10 +23,12 @@ import (
 	"github.com/mitchellh/copystructure"
 
 	chart "helm.sh/helm/v4/internal/chart/v3"
+	"helm.sh/helm/v4/pkg/chart/common"
+	"helm.sh/helm/v4/pkg/chart/common/util"
 )
 
 // ProcessDependencies checks through this chart's dependencies, processing accordingly.
-func ProcessDependencies(c *chart.Chart, v Values) error {
+func ProcessDependencies(c *chart.Chart, v common.Values) error {
 	if err := processDependencyEnabled(c, v, ""); err != nil {
 		return err
 	}
@@ -34,7 +36,7 @@ func ProcessDependencies(c *chart.Chart, v Values) error {
 }
 
 // processDependencyConditions disables charts based on condition path value in values
-func processDependencyConditions(reqs []*chart.Dependency, cvals Values, cpath string) {
+func processDependencyConditions(reqs []*chart.Dependency, cvals common.Values, cpath string) {
 	if reqs == nil {
 		return
 	}
@@ -50,7 +52,7 @@ func processDependencyConditions(reqs []*chart.Dependency, cvals Values, cpath s
 						break
 					}
 					slog.Warn("returned non-bool value", "path", c, "chart", r.Name)
-				} else if _, ok := err.(ErrNoValue); !ok {
+				} else if _, ok := err.(common.ErrNoValue); !ok {
 					// this is a real error
 					slog.Warn("the method PathValue returned error", slog.Any("error", err))
 				}
@@ -60,7 +62,7 @@ func processDependencyConditions(reqs []*chart.Dependency, cvals Values, cpath s
 }
 
 // processDependencyTags disables charts based on tags in values
-func processDependencyTags(reqs []*chart.Dependency, cvals Values) {
+func processDependencyTags(reqs []*chart.Dependency, cvals common.Values) {
 	if reqs == nil {
 		return
 	}
@@ -177,7 +179,7 @@ Loop:
 	for _, lr := range c.Metadata.Dependencies {
 		lr.Enabled = true
 	}
-	cvals, err := CoalesceValues(c, v)
+	cvals, err := util.CoalesceValues(c, v)
 	if err != nil {
 		return err
 	}
@@ -232,6 +234,8 @@ func pathToMap(path string, data map[string]interface{}) map[string]interface{}
 	return set(parsePath(path), data)
 }
 
+func parsePath(key string) []string { return strings.Split(key, ".") }
+
 func set(path []string, data map[string]interface{}) map[string]interface{} {
 	if len(path) == 0 {
 		return nil
@@ -249,12 +253,12 @@ func processImportValues(c *chart.Chart, merge bool) error {
 		return nil
 	}
 	// combine chart values and empty config to get Values
-	var cvals Values
+	var cvals common.Values
 	var err error
 	if merge {
-		cvals, err = MergeValues(c, nil)
+		cvals, err = util.MergeValues(c, nil)
 	} else {
-		cvals, err = CoalesceValues(c, nil)
+		cvals, err = util.CoalesceValues(c, nil)
 	}
 	if err != nil {
 		return err
@@ -282,9 +286,9 @@ func processImportValues(c *chart.Chart, merge bool) error {
 				}
 				// create value map from child to be merged into parent
 				if merge {
-					b = MergeTables(b, pathToMap(parent, vv.AsMap()))
+					b = util.MergeTables(b, pathToMap(parent, vv.AsMap()))
 				} else {
-					b = CoalesceTables(b, pathToMap(parent, vv.AsMap()))
+					b = util.CoalesceTables(b, pathToMap(parent, vv.AsMap()))
 				}
 			case string:
 				child := "exports." + iv
@@ -298,9 +302,9 @@ func processImportValues(c *chart.Chart, merge bool) error {
 					continue
 				}
 				if merge {
-					b = MergeTables(b, vm.AsMap())
+					b = util.MergeTables(b, vm.AsMap())
 				} else {
-					b = CoalesceTables(b, vm.AsMap())
+					b = util.CoalesceTables(b, vm.AsMap())
 				}
 			}
 		}
@@ -315,14 +319,14 @@ func processImportValues(c *chart.Chart, merge bool) error {
 		// deep copying the cvals as there are cases where pointers can end
 		// up in the cvals when they are copied onto b in ways that break things.
 		cvals = deepCopyMap(cvals)
-		c.Values = MergeTables(cvals, b)
+		c.Values = util.MergeTables(cvals, b)
 	} else {
 		// Trimming the nil values from cvals is needed for backwards compatibility.
 		// Previously, the b value had been populated with cvals along with some
 		// overrides. This caused the coalescing functionality to remove the
 		// nil/null values. This trimming is for backwards compat.
 		cvals = trimNilValues(cvals)
-		c.Values = CoalesceTables(cvals, b)
+		c.Values = util.CoalesceTables(cvals, b)
 	}
 
 	return nil
@@ -355,6 +359,12 @@ func trimNilValues(vals map[string]interface{}) map[string]interface{} {
 	return valsCopyMap
 }
 
+// istable is a special-purpose function to see if the present thing matches the definition of a YAML table.
+func istable(v interface{}) bool {
+	_, ok := v.(map[string]interface{})
+	return ok
+}
+
 // processDependencyImportValues imports specified chart values from child to parent.
 func processDependencyImportValues(c *chart.Chart, merge bool) error {
 	for _, d := range c.Dependencies() {

internal/chart/v3/util/dependencies_test.go

@@ -23,6 +23,7 @@ import (
 
 	chart "helm.sh/helm/v4/internal/chart/v3"
 	"helm.sh/helm/v4/internal/chart/v3/loader"
+	"helm.sh/helm/v4/pkg/chart/common"
 )
 
 func loadChart(t *testing.T, path string) *chart.Chart {
@@ -221,7 +222,7 @@ func TestProcessDependencyImportValues(t *testing.T) {
 	if err := processDependencyImportValues(c, false); err != nil {
 		t.Fatalf("processing import values dependencies %v", err)
 	}
-	cc := Values(c.Values)
+	cc := common.Values(c.Values)
 	for kk, vv := range e {
 		pv, err := cc.PathValue(kk)
 		if err != nil {
@@ -251,7 +252,7 @@ func TestProcessDependencyImportValues(t *testing.T) {
 		t.Error("expect nil value not found but found it")
 	}
 	switch xerr := err.(type) {
-	case ErrNoValue:
+	case common.ErrNoValue:
 		// We found what we expected
 	default:
 		t.Errorf("expected an ErrNoValue but got %q instead", xerr)
@@ -261,7 +262,7 @@ func TestProcessDependencyImportValues(t *testing.T) {
 	if err := processDependencyImportValues(c, true); err != nil {
 		t.Fatalf("processing import values dependencies %v", err)
 	}
-	cc = Values(c.Values)
+	cc = common.Values(c.Values)
 	val, err := cc.PathValue("ensurenull")
 	if err != nil {
 		t.Error("expect value but ensurenull was not found")
@@ -291,7 +292,7 @@ func TestProcessDependencyImportValuesFromSharedDependencyToAliases(t *testing.T
 	e["foo.grandchild.defaults.defaultValue"] = "42"
 	e["bar.grandchild.defaults.defaultValue"] = "42"
 
-	cValues := Values(c.Values)
+	cValues := common.Values(c.Values)
 	for kk, vv := range e {
 		pv, err := cValues.PathValue(kk)
 		if err != nil {
@@ -329,7 +330,7 @@ func TestProcessDependencyImportValuesMultiLevelPrecedence(t *testing.T) {
 	if err := processDependencyImportValues(c, true); err != nil {
 		t.Fatalf("processing import values dependencies %v", err)
 	}
-	cc := Values(c.Values)
+	cc := common.Values(c.Values)
 	for kk, vv := range e {
 		pv, err := cc.PathValue(kk)
 		if err != nil {

internal/chart/v3/util/jsonschema.go

@@ -1,113 +0,0 @@
-/*
-Copyright The Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package util
-
-import (
-	"bytes"
-	"errors"
-	"fmt"
-	"log/slog"
-	"strings"
-
-	"github.com/santhosh-tekuri/jsonschema/v6"
-
-	chart "helm.sh/helm/v4/internal/chart/v3"
-)
-
-// ValidateAgainstSchema checks that values does not violate the structure laid out in schema
-func ValidateAgainstSchema(chrt *chart.Chart, values map[string]interface{}) error {
-	var sb strings.Builder
-	if chrt.Schema != nil {
-		slog.Debug("chart name", "chart-name", chrt.Name())
-		err := ValidateAgainstSingleSchema(values, chrt.Schema)
-		if err != nil {
-			sb.WriteString(fmt.Sprintf("%s:\n", chrt.Name()))
-			sb.WriteString(err.Error())
-		}
-	}
-	slog.Debug("number of dependencies in the chart", "dependencies", len(chrt.Dependencies()))
-	// For each dependency, recursively call this function with the coalesced values
-	for _, subchart := range chrt.Dependencies() {
-		subchartValues := values[subchart.Name()].(map[string]interface{})
-		if err := ValidateAgainstSchema(subchart, subchartValues); err != nil {
-			sb.WriteString(err.Error())
-		}
-	}
-
-	if sb.Len() > 0 {
-		return errors.New(sb.String())
-	}
-
-	return nil
-}
-
-// ValidateAgainstSingleSchema checks that values does not violate the structure laid out in this schema
-func ValidateAgainstSingleSchema(values Values, schemaJSON []byte) (reterr error) {
-	defer func() {
-		if r := recover(); r != nil {
-			reterr = fmt.Errorf("unable to validate schema: %s", r)
-		}
-	}()
-
-	// This unmarshal function leverages UseNumber() for number precision. The parser
-	// used for values does this as well.
-	schema, err := jsonschema.UnmarshalJSON(bytes.NewReader(schemaJSON))
-	if err != nil {
-		return err
-	}
-	slog.Debug("unmarshalled JSON schema", "schema", schemaJSON)
-
-	compiler := jsonschema.NewCompiler()
-	err = compiler.AddResource("file:///values.schema.json", schema)
-	if err != nil {
-		return err
-	}
-
-	validator, err := compiler.Compile("file:///values.schema.json")
-	if err != nil {
-		return err
-	}
-
-	err = validator.Validate(values.AsMap())
-	if err != nil {
-		return JSONSchemaValidationError{err}
-	}
-
-	return nil
-}
-
-// Note, JSONSchemaValidationError is used to wrap the error from the underlying
-// validation package so that Helm has a clean interface and the validation package
-// could be replaced without changing the Helm SDK API.
-
-// JSONSchemaValidationError is the error returned when there is a schema validation
-// error.
-type JSONSchemaValidationError struct {
-	embeddedErr error
-}
-
-// Error prints the error message
-func (e JSONSchemaValidationError) Error() string {
-	errStr := e.embeddedErr.Error()
-
-	// This string prefixes all of our error details. Further up the stack of helm error message
-	// building more detail is provided to users. This is removed.
-	errStr = strings.TrimPrefix(errStr, "jsonschema validation failed with 'file:///values.schema.json#'\n")
-
-	// The extra new line is needed for when there are sub-charts.
-	return errStr + "\n"
-}

internal/chart/v3/util/jsonschema_test.go

@@ -1,247 +0,0 @@
-/*
-Copyright The Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package util
-
-import (
-	"os"
-	"testing"
-
-	chart "helm.sh/helm/v4/internal/chart/v3"
-)
-
-func TestValidateAgainstSingleSchema(t *testing.T) {
-	values, err := ReadValuesFile("./testdata/test-values.yaml")
-	if err != nil {
-		t.Fatalf("Error reading YAML file: %s", err)
-	}
-	schema, err := os.ReadFile("./testdata/test-values.schema.json")
-	if err != nil {
-		t.Fatalf("Error reading YAML file: %s", err)
-	}
-
-	if err := ValidateAgainstSingleSchema(values, schema); err != nil {
-		t.Errorf("Error validating Values against Schema: %s", err)
-	}
-}
-
-func TestValidateAgainstInvalidSingleSchema(t *testing.T) {
-	values, err := ReadValuesFile("./testdata/test-values.yaml")
-	if err != nil {
-		t.Fatalf("Error reading YAML file: %s", err)
-	}
-	schema, err := os.ReadFile("./testdata/test-values-invalid.schema.json")
-	if err != nil {
-		t.Fatalf("Error reading YAML file: %s", err)
-	}
-
-	var errString string
-	if err := ValidateAgainstSingleSchema(values, schema); err == nil {
-		t.Fatalf("Expected an error, but got nil")
-	} else {
-		errString = err.Error()
-	}
-
-	expectedErrString := `"file:///values.schema.json#" is not valid against metaschema: jsonschema validation failed with 'https://json-schema.org/draft/2020-12/schema#'
-- at '': got number, want boolean or object`
-	if errString != expectedErrString {
-		t.Errorf("Error string :\n`%s`\ndoes not match expected\n`%s`", errString, expectedErrString)
-	}
-}
-
-func TestValidateAgainstSingleSchemaNegative(t *testing.T) {
-	values, err := ReadValuesFile("./testdata/test-values-negative.yaml")
-	if err != nil {
-		t.Fatalf("Error reading YAML file: %s", err)
-	}
-	schema, err := os.ReadFile("./testdata/test-values.schema.json")
-	if err != nil {
-		t.Fatalf("Error reading JSON file: %s", err)
-	}
-
-	var errString string
-	if err := ValidateAgainstSingleSchema(values, schema); err == nil {
-		t.Fatalf("Expected an error, but got nil")
-	} else {
-		errString = err.Error()
-	}
-
-	expectedErrString := `- at '': missing property 'employmentInfo'
-- at '/age': minimum: got -5, want 0
-`
-	if errString != expectedErrString {
-		t.Errorf("Error string :\n`%s`\ndoes not match expected\n`%s`", errString, expectedErrString)
-	}
-}
-
-const subchartSchema = `{
-  "$schema": "http://json-schema.org/draft-07/schema#",
-  "title": "Values",
-  "type": "object",
-  "properties": {
-    "age": {
-      "description": "Age",
-      "minimum": 0,
-      "type": "integer"
-    }
-  },
-  "required": [
-    "age"
-  ]
-}
-`
-
-const subchartSchema2020 = `{
-	"$schema": "https://json-schema.org/draft/2020-12/schema",
-	"title": "Values",
-	"type": "object",
-	"properties": {
-		"data": {
-			"type": "array",
-			"contains": { "type": "string" },
-			"unevaluatedItems": { "type": "number" }
-		}
-	},
-	"required": ["data"]
-}
-`
-
-func TestValidateAgainstSchema(t *testing.T) {
-	subchartJSON := []byte(subchartSchema)
-	subchart := &chart.Chart{
-		Metadata: &chart.Metadata{
-			Name: "subchart",
-		},
-		Schema: subchartJSON,
-	}
-	chrt := &chart.Chart{
-		Metadata: &chart.Metadata{
-			Name: "chrt",
-		},
-	}
-	chrt.AddDependency(subchart)
-
-	vals := map[string]interface{}{
-		"name": "John",
-		"subchart": map[string]interface{}{
-			"age": 25,
-		},
-	}
-
-	if err := ValidateAgainstSchema(chrt, vals); err != nil {
-		t.Errorf("Error validating Values against Schema: %s", err)
-	}
-}
-
-func TestValidateAgainstSchemaNegative(t *testing.T) {
-	subchartJSON := []byte(subchartSchema)
-	subchart := &chart.Chart{
-		Metadata: &chart.Metadata{
-			Name: "subchart",
-		},
-		Schema: subchartJSON,
-	}
-	chrt := &chart.Chart{
-		Metadata: &chart.Metadata{
-			Name: "chrt",
-		},
-	}
-	chrt.AddDependency(subchart)
-
-	vals := map[string]interface{}{
-		"name":     "John",
-		"subchart": map[string]interface{}{},
-	}
-
-	var errString string
-	if err := ValidateAgainstSchema(chrt, vals); err == nil {
-		t.Fatalf("Expected an error, but got nil")
-	} else {
-		errString = err.Error()
-	}
-
-	expectedErrString := `subchart:
-- at '': missing property 'age'
-`
-	if errString != expectedErrString {
-		t.Errorf("Error string :\n`%s`\ndoes not match expected\n`%s`", errString, expectedErrString)
-	}
-}
-
-func TestValidateAgainstSchema2020(t *testing.T) {
-	subchartJSON := []byte(subchartSchema2020)
-	subchart := &chart.Chart{
-		Metadata: &chart.Metadata{
-			Name: "subchart",
-		},
-		Schema: subchartJSON,
-	}
-	chrt := &chart.Chart{
-		Metadata: &chart.Metadata{
-			Name: "chrt",
-		},
-	}
-	chrt.AddDependency(subchart)
-
-	vals := map[string]interface{}{
-		"name": "John",
-		"subchart": map[string]interface{}{
-			"data": []any{"hello", 12},
-		},
-	}
-
-	if err := ValidateAgainstSchema(chrt, vals); err != nil {
-		t.Errorf("Error validating Values against Schema: %s", err)
-	}
-}
-
-func TestValidateAgainstSchema2020Negative(t *testing.T) {
-	subchartJSON := []byte(subchartSchema2020)
-	subchart := &chart.Chart{
-		Metadata: &chart.Metadata{
-			Name: "subchart",
-		},
-		Schema: subchartJSON,
-	}
-	chrt := &chart.Chart{
-		Metadata: &chart.Metadata{
-			Name: "chrt",
-		},
-	}
-	chrt.AddDependency(subchart)
-
-	vals := map[string]interface{}{
-		"name": "John",
-		"subchart": map[string]interface{}{
-			"data": []any{12},
-		},
-	}
-
-	var errString string
-	if err := ValidateAgainstSchema(chrt, vals); err == nil {
-		t.Fatalf("Expected an error, but got nil")
-	} else {
-		errString = err.Error()
-	}
-
-	expectedErrString := `subchart:
-- at '/data': no items match contains schema
-  - at '/data/0': got number, want string
-`
-	if errString != expectedErrString {
-		t.Errorf("Error string :\n`%s`\ndoes not match expected\n`%s`", errString, expectedErrString)
-	}
-}

internal/chart/v3/util/save.go

@@ -30,6 +30,7 @@ import (
 	"sigs.k8s.io/yaml"
 
 	chart "helm.sh/helm/v4/internal/chart/v3"
+	"helm.sh/helm/v4/pkg/chart/common"
 )
 
 var headerBytes = []byte("+aHR0cHM6Ly95b3V0dS5iZS96OVV6MWljandyTQo=")
@@ -76,7 +77,7 @@ func SaveDir(c *chart.Chart, dest string) error {
 	}
 
 	// Save templates and files
-	for _, o := range [][]*chart.File{c.Templates, c.Files} {
+	for _, o := range [][]*common.File{c.Templates, c.Files} {
 		for _, f := range o {
 			n := filepath.Join(outdir, f.Name)
 			if err := writeFile(n, f.Data); err != nil {
@@ -246,7 +247,7 @@ func validateName(name string) error {
 	nname := filepath.Base(name)
 
 	if nname != name {
-		return ErrInvalidChartName{name}
+		return common.ErrInvalidChartName{Name: name}
 	}
 
 	return nil

internal/chart/v3/util/save_test.go

@@ -31,6 +31,7 @@ import (
 
 	chart "helm.sh/helm/v4/internal/chart/v3"
 	"helm.sh/helm/v4/internal/chart/v3/loader"
+	"helm.sh/helm/v4/pkg/chart/common"
 )
 
 func TestSave(t *testing.T) {
@@ -47,7 +48,7 @@ func TestSave(t *testing.T) {
 				Lock: &chart.Lock{
 					Digest: "testdigest",
 				},
-				Files: []*chart.File{
+				Files: []*common.File{
 					{Name: "scheherazade/shahryar.txt", Data: []byte("1,001 Nights")},
 				},
 				Schema: []byte("{\n  \"title\": \"Values\"\n}"),
@@ -113,7 +114,7 @@ func TestSave(t *testing.T) {
 		Lock: &chart.Lock{
 			Digest: "testdigest",
 		},
-		Files: []*chart.File{
+		Files: []*common.File{
 			{Name: "scheherazade/shahryar.txt", Data: []byte("1,001 Nights")},
 		},
 	}
@@ -153,7 +154,7 @@ func TestSavePreservesTimestamps(t *testing.T) {
 			"imageName": "testimage",
 			"imageId":   42,
 		},
-		Files: []*chart.File{
+		Files: []*common.File{
 			{Name: "scheherazade/shahryar.txt", Data: []byte("1,001 Nights")},
 		},
 		Schema: []byte("{\n  \"title\": \"Values\"\n}"),
@@ -219,10 +220,10 @@ func TestSaveDir(t *testing.T) {
 			Name:       "ahab",
 			Version:    "1.2.3",
 		},
-		Files: []*chart.File{
+		Files: []*common.File{
 			{Name: "scheherazade/shahryar.txt", Data: []byte("1,001 Nights")},
 		},
-		Templates: []*chart.File{
+		Templates: []*common.File{
 			{Name: path.Join(TemplatesDir, "nested", "dir", "thing.yaml"), Data: []byte("abc: {{ .Values.abc }}")},
 		},
 	}

internal/chart/v3/util/values.go

@@ -1,220 +0,0 @@
-/*
-Copyright The Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package util
-
-import (
-	"errors"
-	"fmt"
-	"io"
-	"os"
-	"strings"
-
-	"sigs.k8s.io/yaml"
-
-	chart "helm.sh/helm/v4/internal/chart/v3"
-)
-
-// GlobalKey is the name of the Values key that is used for storing global vars.
-const GlobalKey = "global"
-
-// Values represents a collection of chart values.
-type Values map[string]interface{}
-
-// YAML encodes the Values into a YAML string.
-func (v Values) YAML() (string, error) {
-	b, err := yaml.Marshal(v)
-	return string(b), err
-}
-
-// Table gets a table (YAML subsection) from a Values object.
-//
-// The table is returned as a Values.
-//
-// Compound table names may be specified with dots:
-//
-//	foo.bar
-//
-// The above will be evaluated as "The table bar inside the table
-// foo".
-//
-// An ErrNoTable is returned if the table does not exist.
-func (v Values) Table(name string) (Values, error) {
-	table := v
-	var err error
-
-	for _, n := range parsePath(name) {
-		if table, err = tableLookup(table, n); err != nil {
-			break
-		}
-	}
-	return table, err
-}
-
-// AsMap is a utility function for converting Values to a map[string]interface{}.
-//
-// It protects against nil map panics.
-func (v Values) AsMap() map[string]interface{} {
-	if len(v) == 0 {
-		return map[string]interface{}{}
-	}
-	return v
-}
-
-// Encode writes serialized Values information to the given io.Writer.
-func (v Values) Encode(w io.Writer) error {
-	out, err := yaml.Marshal(v)
-	if err != nil {
-		return err
-	}
-	_, err = w.Write(out)
-	return err
-}
-
-func tableLookup(v Values, simple string) (Values, error) {
-	v2, ok := v[simple]
-	if !ok {
-		return v, ErrNoTable{simple}
-	}
-	if vv, ok := v2.(map[string]interface{}); ok {
-		return vv, nil
-	}
-
-	// This catches a case where a value is of type Values, but doesn't (for some
-	// reason) match the map[string]interface{}. This has been observed in the
-	// wild, and might be a result of a nil map of type Values.
-	if vv, ok := v2.(Values); ok {
-		return vv, nil
-	}
-
-	return Values{}, ErrNoTable{simple}
-}
-
-// ReadValues will parse YAML byte data into a Values.
-func ReadValues(data []byte) (vals Values, err error) {
-	err = yaml.Unmarshal(data, &vals)
-	if len(vals) == 0 {
-		vals = Values{}
-	}
-	return vals, err
-}
-
-// ReadValuesFile will parse a YAML file into a map of values.
-func ReadValuesFile(filename string) (Values, error) {
-	data, err := os.ReadFile(filename)
-	if err != nil {
-		return map[string]interface{}{}, err
-	}
-	return ReadValues(data)
-}
-
-// ReleaseOptions represents the additional release options needed
-// for the composition of the final values struct
-type ReleaseOptions struct {
-	Name      string
-	Namespace string
-	Revision  int
-	IsUpgrade bool
-	IsInstall bool
-}
-
-// ToRenderValues composes the struct from the data coming from the Releases, Charts and Values files
-//
-// This takes both ReleaseOptions and Capabilities to merge into the render values.
-func ToRenderValues(chrt *chart.Chart, chrtVals map[string]interface{}, options ReleaseOptions, caps *Capabilities) (Values, error) {
-	return ToRenderValuesWithSchemaValidation(chrt, chrtVals, options, caps, false)
-}
-
-// ToRenderValuesWithSchemaValidation composes the struct from the data coming from the Releases, Charts and Values files
-//
-// This takes both ReleaseOptions and Capabilities to merge into the render values.
-func ToRenderValuesWithSchemaValidation(chrt *chart.Chart, chrtVals map[string]interface{}, options ReleaseOptions, caps *Capabilities, skipSchemaValidation bool) (Values, error) {
-	if caps == nil {
-		caps = DefaultCapabilities
-	}
-	top := map[string]interface{}{
-		"Chart":        chrt.Metadata,
-		"Capabilities": caps,
-		"Release": map[string]interface{}{
-			"Name":      options.Name,
-			"Namespace": options.Namespace,
-			"IsUpgrade": options.IsUpgrade,
-			"IsInstall": options.IsInstall,
-			"Revision":  options.Revision,
-			"Service":   "Helm",
-		},
-	}
-
-	vals, err := CoalesceValues(chrt, chrtVals)
-	if err != nil {
-		return top, err
-	}
-
-	if !skipSchemaValidation {
-		if err := ValidateAgainstSchema(chrt, vals); err != nil {
-			return top, fmt.Errorf("values don't meet the specifications of the schema(s) in the following chart(s):\n%w", err)
-		}
-	}
-
-	top["Values"] = vals
-	return top, nil
-}
-
-// istable is a special-purpose function to see if the present thing matches the definition of a YAML table.
-func istable(v interface{}) bool {
-	_, ok := v.(map[string]interface{})
-	return ok
-}
-
-// PathValue takes a path that traverses a YAML structure and returns the value at the end of that path.
-// The path starts at the root of the YAML structure and is comprised of YAML keys separated by periods.
-// Given the following YAML data the value at path "chapter.one.title" is "Loomings".
-//
-//	chapter:
-//	  one:
-//	    title: "Loomings"
-func (v Values) PathValue(path string) (interface{}, error) {
-	if path == "" {
-		return nil, errors.New("YAML path cannot be empty")
-	}
-	return v.pathValue(parsePath(path))
-}
-
-func (v Values) pathValue(path []string) (interface{}, error) {
-	if len(path) == 1 {
-		// if exists must be root key not table
-		if _, ok := v[path[0]]; ok && !istable(v[path[0]]) {
-			return v[path[0]], nil
-		}
-		return nil, ErrNoValue{path[0]}
-	}
-
-	key, path := path[len(path)-1], path[:len(path)-1]
-	// get our table for table path
-	t, err := v.Table(joinPath(path...))
-	if err != nil {
-		return nil, ErrNoValue{key}
-	}
-	// check table for key and ensure value is not a table
-	if k, ok := t[key]; ok && !istable(k) {
-		return k, nil
-	}
-	return nil, ErrNoValue{key}
-}
-
-func parsePath(key string) []string { return strings.Split(key, ".") }
-
-func joinPath(path ...string) string { return strings.Join(path, ".") }

internal/chart/v3/util/values_test.go

@@ -1,293 +0,0 @@
-/*
-Copyright The Helm Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package util
-
-import (
-	"bytes"
-	"fmt"
-	"testing"
-	"text/template"
-
-	chart "helm.sh/helm/v4/internal/chart/v3"
-)
-
-func TestReadValues(t *testing.T) {
-	doc := `# Test YAML parse
-poet: "Coleridge"
-title: "Rime of the Ancient Mariner"
-stanza:
-  - "at"
-  - "length"
-  - "did"
-  - cross
-  - an
-  - Albatross
-
-mariner:
-  with: "crossbow"
-  shot: "ALBATROSS"
-
-water:
-  water:
-    where: "everywhere"
-    nor: "any drop to drink"
-`
-
-	data, err := ReadValues([]byte(doc))
-	if err != nil {
-		t.Fatalf("Error parsing bytes: %s", err)
-	}
-	matchValues(t, data)
-
-	tests := []string{`poet: "Coleridge"`, "# Just a comment", ""}
-
-	for _, tt := range tests {
-		data, err = ReadValues([]byte(tt))
-		if err != nil {
-			t.Fatalf("Error parsing bytes (%s): %s", tt, err)
-		}
-		if data == nil {
-			t.Errorf(`YAML string "%s" gave a nil map`, tt)
-		}
-	}
-}
-
-func TestToRenderValues(t *testing.T) {
-
-	chartValues := map[string]interface{}{
-		"name": "al Rashid",
-		"where": map[string]interface{}{
-			"city":  "Basrah",
-			"title": "caliph",
-		},
-	}
-
-	overrideValues := map[string]interface{}{
-		"name": "Haroun",
-		"where": map[string]interface{}{
-			"city": "Baghdad",
-			"date": "809 CE",
-		},
-	}
-
-	c := &chart.Chart{
-		Metadata:  &chart.Metadata{Name: "test"},
-		Templates: []*chart.File{},
-		Values:    chartValues,
-		Files: []*chart.File{
-			{Name: "scheherazade/shahryar.txt", Data: []byte("1,001 Nights")},
-		},
-	}
-	c.AddDependency(&chart.Chart{
-		Metadata: &chart.Metadata{Name: "where"},
-	})
-
-	o := ReleaseOptions{
-		Name:      "Seven Voyages",
-		Namespace: "default",
-		Revision:  1,
-		IsInstall: true,
-	}
-
-	res, err := ToRenderValuesWithSchemaValidation(c, overrideValues, o, nil, false)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Ensure that the top-level values are all set.
-	if name := res["Chart"].(*chart.Metadata).Name; name != "test" {
-		t.Errorf("Expected chart name 'test', got %q", name)
-	}
-	relmap := res["Release"].(map[string]interface{})
-	if name := relmap["Name"]; name.(string) != "Seven Voyages" {
-		t.Errorf("Expected release name 'Seven Voyages', got %q", name)
-	}
-	if namespace := relmap["Namespace"]; namespace.(string) != "default" {
-		t.Errorf("Expected namespace 'default', got %q", namespace)
-	}
-	if revision := relmap["Revision"]; revision.(int) != 1 {
-		t.Errorf("Expected revision '1', got %d", revision)
-	}
-	if relmap["IsUpgrade"].(bool) {
-		t.Error("Expected upgrade to be false.")
-	}
-	if !relmap["IsInstall"].(bool) {
-		t.Errorf("Expected install to be true.")
-	}
-	if !res["Capabilities"].(*Capabilities).APIVersions.Has("v1") {
-		t.Error("Expected Capabilities to have v1 as an API")
-	}
-	if res["Capabilities"].(*Capabilities).KubeVersion.Major != "1" {
-		t.Error("Expected Capabilities to have a Kube version")
-	}
-
-	vals := res["Values"].(Values)
-	if vals["name"] != "Haroun" {
-		t.Errorf("Expected 'Haroun', got %q (%v)", vals["name"], vals)
-	}
-	where := vals["where"].(map[string]interface{})
-	expects := map[string]string{
-		"city":  "Baghdad",
-		"date":  "809 CE",
-		"title": "caliph",
-	}
-	for field, expect := range expects {
-		if got := where[field]; got != expect {
-			t.Errorf("Expected %q, got %q (%v)", expect, got, where)
-		}
-	}
-}
-
-func TestReadValuesFile(t *testing.T) {
-	data, err := ReadValuesFile("./testdata/coleridge.yaml")
-	if err != nil {
-		t.Fatalf("Error reading YAML file: %s", err)
-	}
-	matchValues(t, data)
-}
-
-func ExampleValues() {
-	doc := `
-title: "Moby Dick"
-chapter:
-  one:
-    title: "Loomings"
-  two:
-    title: "The Carpet-Bag"
-  three:
-    title: "The Spouter Inn"
-`
-	d, err := ReadValues([]byte(doc))
-	if err != nil {
-		panic(err)
-	}
-	ch1, err := d.Table("chapter.one")
-	if err != nil {
-		panic("could not find chapter one")
-	}
-	fmt.Print(ch1["title"])
-	// Output:
-	// Loomings
-}
-
-func TestTable(t *testing.T) {
-	doc := `
-title: "Moby Dick"
-chapter:
-  one:
-    title: "Loomings"
-  two:
-    title: "The Carpet-Bag"
-  three:
-    title: "The Spouter Inn"
-`
-	d, err := ReadValues([]byte(doc))
-	if err != nil {
-		t.Fatalf("Failed to parse the White Whale: %s", err)
-	}
-
-	if _, err := d.Table("title"); err == nil {
-		t.Fatalf("Title is not a table.")
-	}
-
-	if _, err := d.Table("chapter"); err != nil {
-		t.Fatalf("Failed to get the chapter table: %s\n%v", err, d)
-	}
-
-	if v, err := d.Table("chapter.one"); err != nil {
-		t.Errorf("Failed to get chapter.one: %s", err)
-	} else if v["title"] != "Loomings" {
-		t.Errorf("Unexpected title: %s", v["title"])
-	}
-
-	if _, err := d.Table("chapter.three"); err != nil {
-		t.Errorf("Chapter three is missing: %s\n%v", err, d)
-	}
-
-	if _, err := d.Table("chapter.OneHundredThirtySix"); err == nil {
-		t.Errorf("I think you mean 'Epilogue'")
-	}
-}
-
-func matchValues(t *testing.T, data map[string]interface{}) {
-	t.Helper()
-	if data["poet"] != "Coleridge" {
-		t.Errorf("Unexpected poet: %s", data["poet"])
-	}
-
-	if o, err := ttpl("{{len .stanza}}", data); err != nil {
-		t.Errorf("len stanza: %s", err)
-	} else if o != "6" {
-		t.Errorf("Expected 6, got %s", o)
-	}
-
-	if o, err := ttpl("{{.mariner.shot}}", data); err != nil {
-		t.Errorf(".mariner.shot: %s", err)
-	} else if o != "ALBATROSS" {
-		t.Errorf("Expected that mariner shot ALBATROSS")
-	}
-
-	if o, err := ttpl("{{.water.water.where}}", data); err != nil {
-		t.Errorf(".water.water.where: %s", err)
-	} else if o != "everywhere" {
-		t.Errorf("Expected water water everywhere")
-	}
-}
-
-func ttpl(tpl string, v map[string]interface{}) (string, error) {
-	var b bytes.Buffer
-	tt := template.Must(template.New("t").Parse(tpl))
-	err := tt.Execute(&b, v)
-	return b.String(), err
-}
-
-func TestPathValue(t *testing.T) {
-	doc := `
-title: "Moby Dick"
-chapter:
-  one:
-    title: "Loomings"
-  two:
-    title: "The Carpet-Bag"
-  three:
-    title: "The Spouter Inn"
-`
-	d, err := ReadValues([]byte(doc))
-	if err != nil {
-		t.Fatalf("Failed to parse the White Whale: %s", err)
-	}
-
-	if v, err := d.PathValue("chapter.one.title"); err != nil {
-		t.Errorf("Got error instead of title: %s\n%v", err, d)
-	} else if v != "Loomings" {
-		t.Errorf("No error but got wrong value for title: %s\n%v", err, d)
-	}
-	if _, err := d.PathValue("chapter.one.doesnotexist"); err == nil {
-		t.Errorf("Non-existent key should return error: %s\n%v", err, d)
-	}
-	if _, err := d.PathValue("chapter.doesnotexist.one"); err == nil {
-		t.Errorf("Non-existent key in middle of path should return error: %s\n%v", err, d)
-	}
-	if _, err := d.PathValue(""); err == nil {
-		t.Error("Asking for the value from an empty path should yield an error")
-	}
-	if v, err := d.PathValue("title"); err == nil {
-		if v != "Moby Dick" {
-			t.Errorf("Failed to return values for root key title")
-		}
-	}
-}

internal/fileutil/fileutil_test.go

@@ -20,9 +20,12 @@ import (
 	"bytes"
 	"os"
 	"path/filepath"
+	"strings"
 	"testing"
 )
 
+// TestAtomicWriteFile tests the happy path of AtomicWriteFile function.
+// It verifies that the function correctly writes content to a file with the specified mode.
 func TestAtomicWriteFile(t *testing.T) {
 	dir := t.TempDir()
 
@@ -55,3 +58,64 @@ func TestAtomicWriteFile(t *testing.T) {
 			mode, gotinfo.Mode())
 	}
 }
+
+// TestAtomicWriteFile_CreateTempError tests the error path when os.CreateTemp fails
+func TestAtomicWriteFile_CreateTempError(t *testing.T) {
+	invalidPath := "/invalid/path/that/does/not/exist/testfile"
+
+	reader := bytes.NewReader([]byte("test content"))
+	mode := os.FileMode(0644)
+
+	err := AtomicWriteFile(invalidPath, reader, mode)
+	if err == nil {
+		t.Error("Expected error when CreateTemp fails, but got nil")
+	}
+}
+
+// TestAtomicWriteFile_EmptyContent tests with empty content
+func TestAtomicWriteFile_EmptyContent(t *testing.T) {
+	dir := t.TempDir()
+	testpath := filepath.Join(dir, "empty_helm")
+
+	reader := bytes.NewReader([]byte(""))
+	mode := os.FileMode(0644)
+
+	err := AtomicWriteFile(testpath, reader, mode)
+	if err != nil {
+		t.Errorf("AtomicWriteFile error with empty content: %s", err)
+	}
+
+	got, err := os.ReadFile(testpath)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if len(got) != 0 {
+		t.Fatalf("expected empty content, got: %s", string(got))
+	}
+}
+
+// TestAtomicWriteFile_LargeContent tests with large content
+func TestAtomicWriteFile_LargeContent(t *testing.T) {
+	dir := t.TempDir()
+	testpath := filepath.Join(dir, "large_test")
+
+	// Create a large content string
+	largeContent := strings.Repeat("HELM", 1024*1024)
+	reader := bytes.NewReader([]byte(largeContent))
+	mode := os.FileMode(0644)
+
+	err := AtomicWriteFile(testpath, reader, mode)
+	if err != nil {
+		t.Errorf("AtomicWriteFile error with large content: %s", err)
+	}
+
+	got, err := os.ReadFile(testpath)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if largeContent != string(got) {
+		t.Fatalf("expected large content to match, got different length: %d vs %d", len(largeContent), len(got))
+	}
+}

internal/plugin/config.go

@@ -16,67 +16,39 @@ limitations under the License.
 package plugin
 
 import (
+	"bytes"
 	"fmt"
+	"reflect"
 
 	"go.yaml.in/yaml/v3"
 )
 
-// Config interface defines the methods that all plugin type configurations must implement
+// Config represents an plugin type specific configuration
+// It is expected to type assert (cast) the a Config to its expected underlying type (schema.ConfigCLIV1, schema.ConfigGetterV1, etc).
 type Config interface {
-	GetType() string
 	Validate() error
 }
 
-// ConfigCLI represents the configuration for CLI plugins
+func unmarshaConfig(pluginType string, configData map[string]any) (Config, error) {
-type ConfigCLI struct {
-	// Usage is the single-line usage text shown in help
-	// For recommended syntax, see [spf13/cobra.command.Command] Use field comment:
-	// https://pkg.go.dev/github.com/spf13/cobra#Command
-	Usage string `yaml:"usage"`
-	// ShortHelp is the short description shown in the 'helm help' output
-	ShortHelp string `yaml:"shortHelp"`
-	// LongHelp is the long message shown in the 'helm help <this-command>' output
-	LongHelp string `yaml:"longHelp"`
-	// IgnoreFlags ignores any flags passed in from Helm
-	IgnoreFlags bool `yaml:"ignoreFlags"`
-}
-
-// ConfigGetter represents the configuration for download plugins
-type ConfigGetter struct {
-	// Protocols are the list of URL schemes supported by this downloader
-	Protocols []string `yaml:"protocols"`
-}
-
-func (c *ConfigCLI) GetType() string    { return "cli/v1" }
-func (c *ConfigGetter) GetType() string { return "getter/v1" }
-
-func (c *ConfigCLI) Validate() error {
-	// Config validation for CLI plugins
-	return nil
-}
 
-func (c *ConfigGetter) Validate() error {
+	pluginTypeMeta, ok := pluginTypesIndex[pluginType]
-	if len(c.Protocols) == 0 {
+	if !ok {
-		return fmt.Errorf("getter has no protocols")
+		return nil, fmt.Errorf("unknown plugin type %q", pluginType)
-	}
-	for i, protocol := range c.Protocols {
-		if protocol == "" {
-			return fmt.Errorf("getter has empty protocol at index %d", i)
-		}
 	}
-	return nil
-}
 
-func remarshalConfig[T Config](configData map[string]any) (Config, error) {
+	// TODO: Avoid (yaml) serialization/deserialization for type conversion here
+
 	data, err := yaml.Marshal(configData)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to marshel config data (plugin type %s): %w", pluginType, err)
 	}
 
-	var config T
+	config := reflect.New(pluginTypeMeta.configType)
-	if err := yaml.Unmarshal(data, &config); err != nil {
+	d := yaml.NewDecoder(bytes.NewReader(data))
+	d.KnownFields(true)
+	if err := d.Decode(config.Interface()); err != nil {
 		return nil, err
 	}
 
-	return config, nil
+	return config.Interface().(Config), nil
 }

internal/plugin/config_test.go

@@ -0,0 +1,56 @@
+/*
+Copyright The Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package plugin
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"helm.sh/helm/v4/internal/plugin/schema"
+)
+
+func TestUnmarshaConfig(t *testing.T) {
+	// Test unmarshalling a CLI plugin config
+	{
+		config, err := unmarshaConfig("cli/v1", map[string]any{
+			"usage":       "usage string",
+			"shortHelp":   "short help string",
+			"longHelp":    "long help string",
+			"ignoreFlags": true,
+		})
+		require.NoError(t, err)
+
+		require.IsType(t, &schema.ConfigCLIV1{}, config)
+		assert.Equal(t, schema.ConfigCLIV1{
+			Usage:       "usage string",
+			ShortHelp:   "short help string",
+			LongHelp:    "long help string",
+			IgnoreFlags: true,
+		}, *(config.(*schema.ConfigCLIV1)))
+	}
+
+	// Test unmarshalling invalid config data
+	{
+		config, err := unmarshaConfig("cli/v1", map[string]any{
+			"invalid field": "foo",
+		})
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "field not found")
+		assert.Nil(t, config)
+	}
+}

internal/plugin/error.go

@@ -19,8 +19,8 @@ package plugin
 // - subprocess plugin: child process exit code
 // - extism plugin: wasm function return code
 type InvokeExecError struct {
-	Err  error // Underlying error
+	ExitCode int   // Exit code from plugin code execution
-	Code int   // Exeit code from plugin code execution
+	Err      error // Underlying error
 }
 
 // Error implements the error interface

internal/plugin/installer/extractor.go

@@ -0,0 +1,195 @@
+/*
+Copyright The Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package installer // import "helm.sh/helm/v4/internal/plugin/installer"
+
+import (
+	"archive/tar"
+	"bytes"
+	"compress/gzip"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"path"
+	"path/filepath"
+	"regexp"
+	"slices"
+	"strings"
+
+	securejoin "github.com/cyphar/filepath-securejoin"
+)
+
+// TarGzExtractor extracts gzip compressed tar archives
+type TarGzExtractor struct{}
+
+// Extractor provides an interface for extracting archives
+type Extractor interface {
+	Extract(buffer *bytes.Buffer, targetDir string) error
+}
+
+// Extractors contains a map of suffixes and matching implementations of extractor to return
+var Extractors = map[string]Extractor{
+	".tar.gz": &TarGzExtractor{},
+	".tgz":    &TarGzExtractor{},
+}
+
+// Convert a media type to an extractor extension.
+//
+// This should be refactored in Helm 4, combined with the extension-based mechanism.
+func mediaTypeToExtension(mt string) (string, bool) {
+	switch strings.ToLower(mt) {
+	case "application/gzip", "application/x-gzip", "application/x-tgz", "application/x-gtar":
+		return ".tgz", true
+	case "application/octet-stream":
+		// Generic binary type - we'll need to check the URL suffix
+		return "", false
+	default:
+		return "", false
+	}
+}
+
+// NewExtractor creates a new extractor matching the source file name
+func NewExtractor(source string) (Extractor, error) {
+	for suffix, extractor := range Extractors {
+		if strings.HasSuffix(source, suffix) {
+			return extractor, nil
+		}
+	}
+	return nil, fmt.Errorf("no extractor implemented yet for %s", source)
+}
+
+// cleanJoin resolves dest as a subpath of root.
+//
+// This function runs several security checks on the path, generating an error if
+// the supplied `dest` looks suspicious or would result in dubious behavior on the
+// filesystem.
+//
+// cleanJoin assumes that any attempt by `dest` to break out of the CWD is an attempt
+// to be malicious. (If you don't care about this, use the securejoin-filepath library.)
+// It will emit an error if it detects paths that _look_ malicious, operating on the
+// assumption that we don't actually want to do anything with files that already
+// appear to be nefarious.
+//
+//   - The character `:` is considered illegal because it is a separator on UNIX and a
+//     drive designator on Windows.
+//   - The path component `..` is considered suspicions, and therefore illegal
+//   - The character \ (backslash) is treated as a path separator and is converted to /.
+//   - Beginning a path with a path separator is illegal
+//   - Rudimentary symlink protects are offered by SecureJoin.
+func cleanJoin(root, dest string) (string, error) {
+
+	// On Windows, this is a drive separator. On UNIX-like, this is the path list separator.
+	// In neither case do we want to trust a TAR that contains these.
+	if strings.Contains(dest, ":") {
+		return "", errors.New("path contains ':', which is illegal")
+	}
+
+	// The Go tar library does not convert separators for us.
+	// We assume here, as we do elsewhere, that `\\` means a Windows path.
+	dest = strings.ReplaceAll(dest, "\\", "/")
+
+	// We want to alert the user that something bad was attempted. Cleaning it
+	// is not a good practice.
+	if slices.Contains(strings.Split(dest, "/"), "..") {
+		return "", errors.New("path contains '..', which is illegal")
+	}
+
+	// If a path is absolute, the creator of the TAR is doing something shady.
+	if path.IsAbs(dest) {
+		return "", errors.New("path is absolute, which is illegal")
+	}
+
+	// SecureJoin will do some cleaning, as well as some rudimentary checking of symlinks.
+	// The directory needs to be cleaned prior to passing to SecureJoin or the location may end up
+	// being wrong or returning an error. This was introduced in v0.4.0.
+	root = filepath.Clean(root)
+	newpath, err := securejoin.SecureJoin(root, dest)
+	if err != nil {
+		return "", err
+	}
+
+	return filepath.ToSlash(newpath), nil
+}
+
+// Extract extracts compressed archives
+//
+// Implements Extractor.
+func (g *TarGzExtractor) Extract(buffer *bytes.Buffer, targetDir string) error {
+	uncompressedStream, err := gzip.NewReader(buffer)
+	if err != nil {
+		return err
+	}
+
+	if err := os.MkdirAll(targetDir, 0755); err != nil {
+		return err
+	}
+
+	tarReader := tar.NewReader(uncompressedStream)
+	for {
+		header, err := tarReader.Next()
+		if err == io.EOF {
+			break
+		}
+		if err != nil {
+			return err
+		}
+
+		path, err := cleanJoin(targetDir, header.Name)
+		if err != nil {
+			return err
+		}
+
+		switch header.Typeflag {
+		case tar.TypeDir:
+			if err := os.MkdirAll(path, 0755); err != nil {
+				return err
+			}
+		case tar.TypeReg:
+			// Ensure parent directory exists
+			if err := os.MkdirAll(filepath.Dir(path), 0755); err != nil {
+				return err
+			}
+			outFile, err := os.OpenFile(path, os.O_CREATE|os.O_RDWR, os.FileMode(header.Mode))
+			if err != nil {
+				return err
+			}
+			if _, err := io.Copy(outFile, tarReader); err != nil {
+				outFile.Close()
+				return err
+			}
+			outFile.Close()
+		// We don't want to process these extension header files.
+		case tar.TypeXGlobalHeader, tar.TypeXHeader:
+			continue
+		default:
+			return fmt.Errorf("unknown type: %b in %s", header.Typeflag, header.Name)
+		}
+	}
+	return nil
+}
+
+// stripPluginName is a helper that relies on some sort of convention for plugin name (plugin-name-<version>)
+func stripPluginName(name string) string {
+	var strippedName string
+	for suffix := range Extractors {
+		if before, ok := strings.CutSuffix(name, suffix); ok {
+			strippedName = before
+			break
+		}
+	}
+	re := regexp.MustCompile(`(.*)-[0-9]+\..*`)
+	return re.ReplaceAllString(strippedName, `$1`)
+}

internal/plugin/installer/http_installer.go

@@ -16,22 +16,14 @@ limitations under the License.
 package installer // import "helm.sh/helm/v4/internal/plugin/installer"
 
 import (
-	"archive/tar"
 	"bytes"
-	"compress/gzip"
-	"errors"
 	"fmt"
-	"io"
 	"log/slog"
 	"os"
-	"path"
 	"path/filepath"
-	"regexp"
-	"slices"
 	"strings"
 
-	securejoin "github.com/cyphar/filepath-securejoin"
+	"helm.sh/helm/v4/internal/plugin"
-
 	"helm.sh/helm/v4/internal/plugin/cache"
 	"helm.sh/helm/v4/internal/third_party/dep/fs"
 	"helm.sh/helm/v4/pkg/cli"
@@ -46,45 +38,9 @@ type HTTPInstaller struct {
 	base
 	extractor Extractor
 	getter    getter.Getter
-}
+	// Cached data to avoid duplicate downloads
-
+	pluginData []byte
-// TarGzExtractor extracts gzip compressed tar archives
+	provData   []byte
-type TarGzExtractor struct{}
-
-// Extractor provides an interface for extracting archives
-type Extractor interface {
-	Extract(buffer *bytes.Buffer, targetDir string) error
-}
-
-// Extractors contains a map of suffixes and matching implementations of extractor to return
-var Extractors = map[string]Extractor{
-	".tar.gz": &TarGzExtractor{},
-	".tgz":    &TarGzExtractor{},
-}
-
-// Convert a media type to an extractor extension.
-//
-// This should be refactored in Helm 4, combined with the extension-based mechanism.
-func mediaTypeToExtension(mt string) (string, bool) {
-	switch strings.ToLower(mt) {
-	case "application/gzip", "application/x-gzip", "application/x-tgz", "application/x-gtar":
-		return ".tgz", true
-	case "application/octet-stream":
-		// Generic binary type - we'll need to check the URL suffix
-		return "", false
-	default:
-		return "", false
-	}
-}
-
-// NewExtractor creates a new extractor matching the source file name
-func NewExtractor(source string) (Extractor, error) {
-	for suffix, extractor := range Extractors {
-		if strings.HasSuffix(source, suffix) {
-			return extractor, nil
-		}
-	}
-	return nil, fmt.Errorf("no extractor implemented yet for %s", source)
 }
 
 // NewHTTPInstaller creates a new HttpInstaller.
@@ -114,30 +70,53 @@ func NewHTTPInstaller(source string) (*HTTPInstaller, error) {
 	return i, nil
 }
 
-// helper that relies on some sort of convention for plugin name (plugin-name-<version>)
-func stripPluginName(name string) string {
-	var strippedName string
-	for suffix := range Extractors {
-		if strings.HasSuffix(name, suffix) {
-			strippedName = strings.TrimSuffix(name, suffix)
-			break
-		}
-	}
-	re := regexp.MustCompile(`(.*)-[0-9]+\..*`)
-	return re.ReplaceAllString(strippedName, `$1`)
-}
-
 // Install downloads and extracts the tarball into the cache directory
 // and installs into the plugin directory.
 //
 // Implements Installer.
 func (i *HTTPInstaller) Install() error {
-	pluginData, err := i.getter.Get(i.Source)
+	// Ensure plugin data is cached
+	if i.pluginData == nil {
+		pluginData, err := i.getter.Get(i.Source)
+		if err != nil {
+			return err
+		}
+		i.pluginData = pluginData.Bytes()
+	}
+
+	// Save the original tarball to plugins directory for verification
+	// Extract metadata to get the actual plugin name and version
+	metadata, err := plugin.ExtractTgzPluginMetadata(bytes.NewReader(i.pluginData))
 	if err != nil {
-		return err
+		return fmt.Errorf("failed to extract plugin metadata from tarball: %w", err)
+	}
+	filename := fmt.Sprintf("%s-%s.tgz", metadata.Name, metadata.Version)
+	tarballPath := helmpath.DataPath("plugins", filename)
+	if err := os.MkdirAll(filepath.Dir(tarballPath), 0755); err != nil {
+		return fmt.Errorf("failed to create plugins directory: %w", err)
+	}
+	if err := os.WriteFile(tarballPath, i.pluginData, 0644); err != nil {
+		return fmt.Errorf("failed to save tarball: %w", err)
 	}
 
-	if err := i.extractor.Extract(pluginData, i.CacheDir); err != nil {
+	// Ensure prov data is cached if available
+	if i.provData == nil {
+		// Try to download .prov file if it exists
+		provURL := i.Source + ".prov"
+		if provData, err := i.getter.Get(provURL); err == nil {
+			i.provData = provData.Bytes()
+		}
+	}
+
+	// Save prov file if we have the data
+	if i.provData != nil {
+		provPath := tarballPath + ".prov"
+		if err := os.WriteFile(provPath, i.provData, 0644); err != nil {
+			slog.Debug("failed to save provenance file", "error", err)
+		}
+	}
+
+	if err := i.extractor.Extract(bytes.NewBuffer(i.pluginData), i.CacheDir); err != nil {
 		return fmt.Errorf("extracting files from archive: %w", err)
 	}
 
@@ -175,111 +154,38 @@ func (i HTTPInstaller) Path() string {
 	return helmpath.DataPath("plugins", i.PluginName)
 }
 
-// cleanJoin resolves dest as a subpath of root.
+// SupportsVerification returns true if the HTTP installer can verify plugins
-//
+func (i *HTTPInstaller) SupportsVerification() bool {
-// This function runs several security checks on the path, generating an error if
+	// Only support verification for tarball URLs
-// the supplied `dest` looks suspicious or would result in dubious behavior on the
+	return strings.HasSuffix(i.Source, ".tgz") || strings.HasSuffix(i.Source, ".tar.gz")
-// filesystem.
-//
-// cleanJoin assumes that any attempt by `dest` to break out of the CWD is an attempt
-// to be malicious. (If you don't care about this, use the securejoin-filepath library.)
-// It will emit an error if it detects paths that _look_ malicious, operating on the
-// assumption that we don't actually want to do anything with files that already
-// appear to be nefarious.
-//
-//   - The character `:` is considered illegal because it is a separator on UNIX and a
-//     drive designator on Windows.
-//   - The path component `..` is considered suspicions, and therefore illegal
-//   - The character \ (backslash) is treated as a path separator and is converted to /.
-//   - Beginning a path with a path separator is illegal
-//   - Rudimentary symlink protects are offered by SecureJoin.
-func cleanJoin(root, dest string) (string, error) {
-
-	// On Windows, this is a drive separator. On UNIX-like, this is the path list separator.
-	// In neither case do we want to trust a TAR that contains these.
-	if strings.Contains(dest, ":") {
-		return "", errors.New("path contains ':', which is illegal")
-	}
-
-	// The Go tar library does not convert separators for us.
-	// We assume here, as we do elsewhere, that `\\` means a Windows path.
-	dest = strings.ReplaceAll(dest, "\\", "/")
-
-	// We want to alert the user that something bad was attempted. Cleaning it
-	// is not a good practice.
-	if slices.Contains(strings.Split(dest, "/"), "..") {
-		return "", errors.New("path contains '..', which is illegal")
-	}
-
-	// If a path is absolute, the creator of the TAR is doing something shady.
-	if path.IsAbs(dest) {
-		return "", errors.New("path is absolute, which is illegal")
-	}
-
-	// SecureJoin will do some cleaning, as well as some rudimentary checking of symlinks.
-	// The directory needs to be cleaned prior to passing to SecureJoin or the location may end up
-	// being wrong or returning an error. This was introduced in v0.4.0.
-	root = filepath.Clean(root)
-	newpath, err := securejoin.SecureJoin(root, dest)
-	if err != nil {
-		return "", err
-	}
-
-	return filepath.ToSlash(newpath), nil
 }
 
-// Extract extracts compressed archives
+// GetVerificationData returns cached plugin and provenance data for verification
-//
+func (i *HTTPInstaller) GetVerificationData() (archiveData, provData []byte, filename string, err error) {
-// Implements Extractor.
+	if !i.SupportsVerification() {
-func (g *TarGzExtractor) Extract(buffer *bytes.Buffer, targetDir string) error {
+		return nil, nil, "", fmt.Errorf("verification not supported for this source")
-	uncompressedStream, err := gzip.NewReader(buffer)
-	if err != nil {
-		return err
-	}
-
-	if err := os.MkdirAll(targetDir, 0755); err != nil {
-		return err
 	}
 
-	tarReader := tar.NewReader(uncompressedStream)
+	// Download plugin data once and cache it
-	for {
+	if i.pluginData == nil {
-		header, err := tarReader.Next()
+		data, err := i.getter.Get(i.Source)
-		if err == io.EOF {
-			break
-		}
 		if err != nil {
-			return err
+			return nil, nil, "", fmt.Errorf("failed to download plugin: %w", err)
 		}
+		i.pluginData = data.Bytes()
+	}
 
-		path, err := cleanJoin(targetDir, header.Name)
+	// Download prov data once and cache it if available
+	if i.provData == nil {
+		provData, err := i.getter.Get(i.Source + ".prov")
 		if err != nil {
-			return err
+			// If provenance file doesn't exist, set provData to nil
-		}
+			// The verification logic will handle this gracefully
-
+			i.provData = nil
-		switch header.Typeflag {
+		} else {
-		case tar.TypeDir:
+			i.provData = provData.Bytes()
-			if err := os.MkdirAll(path, 0755); err != nil {
-				return err
-			}
-		case tar.TypeReg:
-			// Ensure parent directory exists
-			if err := os.MkdirAll(filepath.Dir(path), 0755); err != nil {
-				return err
-			}
-			outFile, err := os.OpenFile(path, os.O_CREATE|os.O_RDWR, os.FileMode(header.Mode))
-			if err != nil {
-				return err
-			}
-			defer outFile.Close()
-			if _, err := io.Copy(outFile, tarReader); err != nil {
-				return err
-			}
-		// We don't want to process these extension header files.
-		case tar.TypeXGlobalHeader, tar.TypeXHeader:
-			continue
-		default:
-			return fmt.Errorf("unknown type: %b in %s", header.Typeflag, header.Name)
 		}
 	}
-	return nil
+
+	return i.pluginData, i.provData, filepath.Base(i.Source), nil
 }

internal/plugin/installer/http_installer_test.go

@@ -49,7 +49,7 @@ func (t *TestHTTPGetter) Get(_ string, _ ...getter.Option) (*bytes.Buffer, error
 }
 
 // Fake plugin tarball data
-var fakePluginB64 = "H4sIAKRj51kAA+3UX0vCUBgGcC9jn+Iwuk3Peza3GeyiUlJQkcogCOzgli7dJm4TvYk+a5+k479UqquUCJ/fLs549sLO2TnvWnJa9aXnjwujYdYLovxMhsPcfnHOLdNkOXthM/IVQQYjg2yyLLJ4kXGhLp5j0z3P41tZksqxmspL3B/O+j/XtZu1y8rdYzkOZRCxduKPk53ny6Wwz/GfIIf1As8lxzGJSmoHNLJZphKHG4YpTCE0wVk3DULfpSJ3DMMqkj3P5JfMYLdX1Vr9Ie/5E5cstcdC8K04iGLX5HaJuKpWL17F0TCIBi5pf/0pjtLhun5j3f9v6r7wfnI/H0eNp9d1/5P6Gez0vzo7wsoxfrAZbTny/o9k6J8z/VkO/LPlWdC1iVpbEEcq5nmeJ13LEtmbV0k2r2PrOs9PuuNglC5rL1Y5S/syXRQmutaNw1BGnnp8Wq3UG51WvX1da3bKtZtCN/R09DwAAAAAAAAAAAAAAAAAAADAb30AoMczDwAoAAA="
+var fakePluginB64 = "H4sIAAAAAAAAA+3SQUvDMBgG4Jz7K0LwapdvSxrwJig6mCKC5xHabBaXdDSt4L+3cQ56mV42ZPg+lw+SF5LwZmXf3OV206/rMGEnIgdG6zTJaDmee4y01FOlZpqGHJGZSsb1qS401sfOtpyz0FTup9xv+2dqNep/N/IP6zdHPSMVXCh1sH8yhtGMDBUFFTL1r4iIcXnUWxzwz/sP1rsrLkbfQGTvro11E4ZlmcucRNZHu04py1OO73OVi2Vbb7td9vp7nXevtvsKRpGVjfc2VMP2xf3t4mH5tHi5mz8ub+bPk9JXIvvr5wMAAAAAAAAAAAAAAAAAAAAAnLVPqwHcXQAoAAA="
 
 func TestStripName(t *testing.T) {
 	if stripPluginName("fake-plugin-0.0.1.tar.gz") != "fake-plugin" {
@@ -515,6 +515,7 @@ func TestExtractWithExistingDirectory(t *testing.T) {
 }
 
 func TestExtractPluginInSubdirectory(t *testing.T) {
+	ensure.HelmHome(t)
 	source := "https://repo.localdomain/plugins/subdir-plugin-1.0.0.tar.gz"
 	tempDir := t.TempDir()
 

internal/plugin/installer/installer.go

@@ -17,17 +17,27 @@ package installer
 
 import (
 	"errors"
+	"fmt"
 	"net/http"
 	"os"
 	"path/filepath"
 	"strings"
 
 	"helm.sh/helm/v4/internal/plugin"
+	"helm.sh/helm/v4/pkg/registry"
 )
 
 // ErrMissingMetadata indicates that plugin.yaml is missing.
 var ErrMissingMetadata = errors.New("plugin metadata (plugin.yaml) missing")
 
+// Options contains options for plugin installation.
+type Options struct {
+	// Verify enables signature verification before installation
+	Verify bool
+	// Keyring is the path to the keyring for verification
+	Keyring string
+}
+
 // Installer provides an interface for installing helm client plugins.
 type Installer interface {
 	// Install adds a plugin.
@@ -38,15 +48,80 @@ type Installer interface {
 	Update() error
 }
 
+// Verifier provides an interface for installers that support verification.
+type Verifier interface {
+	// SupportsVerification returns true if this installer can verify plugins
+	SupportsVerification() bool
+	// GetVerificationData returns plugin and provenance data for verification
+	GetVerificationData() (archiveData, provData []byte, filename string, err error)
+}
+
 // Install installs a plugin.
 func Install(i Installer) error {
+	_, err := InstallWithOptions(i, Options{})
+	return err
+}
+
+// VerificationResult contains the result of plugin verification
+type VerificationResult struct {
+	SignedBy    []string
+	Fingerprint string
+	FileHash    string
+}
+
+// InstallWithOptions installs a plugin with options.
+func InstallWithOptions(i Installer, opts Options) (*VerificationResult, error) {
+
 	if err := os.MkdirAll(filepath.Dir(i.Path()), 0755); err != nil {
-		return err
+		return nil, err
 	}
 	if _, pathErr := os.Stat(i.Path()); !os.IsNotExist(pathErr) {
-		return errors.New("plugin already exists")
+		return nil, errors.New("plugin already exists")
+	}
+
+	var result *VerificationResult
+
+	// If verification is requested, check if installer supports it
+	if opts.Verify {
+		verifier, ok := i.(Verifier)
+		if !ok || !verifier.SupportsVerification() {
+			return nil, fmt.Errorf("--verify is only supported for plugin tarballs (.tgz files)")
+		}
+
+		// Get verification data (works for both memory and file-based installers)
+		archiveData, provData, filename, err := verifier.GetVerificationData()
+		if err != nil {
+			return nil, fmt.Errorf("failed to get verification data: %w", err)
+		}
+
+		// Check if provenance data exists
+		if len(provData) == 0 {
+			// No .prov file found - emit warning but continue installation
+			fmt.Fprintf(os.Stderr, "WARNING: No provenance file found for plugin. Plugin is not signed and cannot be verified.\n")
+		} else {
+			// Provenance data exists - verify the plugin
+			verification, err := plugin.VerifyPlugin(archiveData, provData, filename, opts.Keyring)
+			if err != nil {
+				return nil, fmt.Errorf("plugin verification failed: %w", err)
+			}
+
+			// Collect verification info
+			result = &VerificationResult{
+				SignedBy:    make([]string, 0),
+				Fingerprint: fmt.Sprintf("%X", verification.SignedBy.PrimaryKey.Fingerprint),
+				FileHash:    verification.FileHash,
+			}
+			for name := range verification.SignedBy.Identities {
+				result.SignedBy = append(result.SignedBy, name)
+			}
+		}
+	}
+
+	if err := i.Install(); err != nil {
+		return nil, err
 	}
-	return i.Install()
+
+	return result, nil
 }
 
 // Update updates a plugin.
@@ -59,6 +134,10 @@ func Update(i Installer) error {
 
 // NewForSource determines the correct Installer for the given source.
 func NewForSource(source, version string) (Installer, error) {
+	// Check if source is an OCI registry reference
+	if strings.HasPrefix(source, fmt.Sprintf("%s://", registry.OCIScheme)) {
+		return NewOCIInstaller(source)
+	}
 	// Check if source is a local directory
 	if isLocalReference(source) {
 		return NewLocalInstaller(source)

internal/plugin/installer/local_installer.go

@@ -24,7 +24,9 @@ import (
 	"path/filepath"
 	"strings"
 
+	"helm.sh/helm/v4/internal/plugin"
 	"helm.sh/helm/v4/internal/third_party/dep/fs"
+	"helm.sh/helm/v4/pkg/helmpath"
 )
 
 // ErrPluginNotAFolder indicates that the plugin path is not a folder.
@@ -33,8 +35,10 @@ var ErrPluginNotAFolder = errors.New("expected plugin to be a folder")
 // LocalInstaller installs plugins from the filesystem.
 type LocalInstaller struct {
 	base
-	isArchive bool
+	isArchive  bool
-	extractor Extractor
+	extractor  Extractor
+	pluginData []byte // Cached plugin data
+	provData   []byte // Cached provenance data
 }
 
 // NewLocalInstaller creates a new LocalInstaller.
@@ -105,6 +109,30 @@ func (i *LocalInstaller) installFromArchive() error {
 		return fmt.Errorf("failed to read archive: %w", err)
 	}
 
+	// Copy the original tarball to plugins directory for verification
+	// Extract metadata to get the actual plugin name and version
+	metadata, err := plugin.ExtractTgzPluginMetadata(bytes.NewReader(data))
+	if err != nil {
+		return fmt.Errorf("failed to extract plugin metadata from tarball: %w", err)
+	}
+	filename := fmt.Sprintf("%s-%s.tgz", metadata.Name, metadata.Version)
+	tarballPath := helmpath.DataPath("plugins", filename)
+	if err := os.MkdirAll(filepath.Dir(tarballPath), 0755); err != nil {
+		return fmt.Errorf("failed to create plugins directory: %w", err)
+	}
+	if err := os.WriteFile(tarballPath, data, 0644); err != nil {
+		return fmt.Errorf("failed to save tarball: %w", err)
+	}
+
+	// Check for and copy .prov file if it exists
+	provSource := i.Source + ".prov"
+	if provData, err := os.ReadFile(provSource); err == nil {
+		provPath := tarballPath + ".prov"
+		if err := os.WriteFile(provPath, provData, 0644); err != nil {
+			slog.Debug("failed to save provenance file", "error", err)
+		}
+	}
+
 	// Create a temporary directory for extraction
 	tempDir, err := os.MkdirTemp("", "helm-plugin-extract-")
 	if err != nil {
@@ -118,31 +146,74 @@ func (i *LocalInstaller) installFromArchive() error {
 		return fmt.Errorf("failed to extract archive: %w", err)
 	}
 
-	// Detect where the plugin.yaml actually is
+	// Plugin directory should be named after the plugin at the archive root
-	pluginRoot, err := detectPluginRoot(tempDir)
+	pluginName := stripPluginName(filepath.Base(i.Source))
-	if err != nil {
+	pluginDir := filepath.Join(tempDir, pluginName)
-		return err
+	if _, err = os.Stat(filepath.Join(pluginDir, "plugin.yaml")); err != nil {
+		return fmt.Errorf("plugin.yaml not found in expected directory %s: %w", pluginDir, err)
 	}
 
 	// Copy to the final destination
-	slog.Debug("copying", "source", pluginRoot, "path", i.Path())
+	slog.Debug("copying", "source", pluginDir, "path", i.Path())
-	return fs.CopyDir(pluginRoot, i.Path())
+	return fs.CopyDir(pluginDir, i.Path())
+}
+
+// Update updates a local repository
+func (i *LocalInstaller) Update() error {
+	slog.Debug("local repository is auto-updated")
+	return nil
 }
 
-// Path returns the path where the plugin will be installed.
+// Path is overridden to handle archive plugin names properly
-// For archive sources, strips the version from the filename.
 func (i *LocalInstaller) Path() string {
 	if i.Source == "" {
 		return ""
 	}
+
+	pluginName := filepath.Base(i.Source)
 	if i.isArchive {
-		return filepath.Join(i.PluginsDirectory, stripPluginName(filepath.Base(i.Source)))
+		// Strip archive extension to get plugin name
+		pluginName = stripPluginName(pluginName)
 	}
-	return filepath.Join(i.PluginsDirectory, filepath.Base(i.Source))
+
+	return helmpath.DataPath("plugins", pluginName)
 }
 
-// Update updates a local repository
+// SupportsVerification returns true if the local installer can verify plugins
-func (i *LocalInstaller) Update() error {
+func (i *LocalInstaller) SupportsVerification() bool {
-	slog.Debug("local repository is auto-updated")
+	// Only support verification for local tarball files
-	return nil
+	return i.isArchive
+}
+
+// GetVerificationData loads plugin and provenance data from local files for verification
+func (i *LocalInstaller) GetVerificationData() (archiveData, provData []byte, filename string, err error) {
+	if !i.SupportsVerification() {
+		return nil, nil, "", fmt.Errorf("verification not supported for directories")
+	}
+
+	// Read and cache the plugin archive file
+	if i.pluginData == nil {
+		i.pluginData, err = os.ReadFile(i.Source)
+		if err != nil {
+			return nil, nil, "", fmt.Errorf("failed to read plugin file: %w", err)
+		}
+	}
+
+	// Read and cache the provenance file if it exists
+	if i.provData == nil {
+		provFile := i.Source + ".prov"
+		i.provData, err = os.ReadFile(provFile)
+		if err != nil {
+			if os.IsNotExist(err) {
+				// If provenance file doesn't exist, set provData to nil
+				// The verification logic will handle this gracefully
+				i.provData = nil
+			} else {
+				// If file exists but can't be read (permissions, etc), return error
+				return nil, nil, "", fmt.Errorf("failed to access provenance file %s: %w", provFile, err)
+			}
+		}
+	}
+
+	return i.pluginData, i.provData, filepath.Base(i.Source), nil
 }

internal/plugin/installer/local_installer_test.go

@@ -86,8 +86,8 @@ func TestLocalInstallerTarball(t *testing.T) {
 		Body string
 		Mode int64
 	}{
-		{"plugin.yaml", "name: test-plugin\nversion: 1.0.0\nusage: test\ndescription: test\ncommand: echo", 0644},
+		{"test-plugin/plugin.yaml", "name: test-plugin\napiVersion: v1\ntype: cli/v1\nruntime: subprocess\nversion: 1.0.0\nconfig:\n  shortHelp: test\n  longHelp: test\nruntimeConfig:\n  platformCommand:\n  - command: echo", 0644},
-		{"bin/test-plugin", "#!/bin/bash\necho test", 0755},
+		{"test-plugin/bin/test-plugin", "#!/bin/bash\necho test", 0755},
 	}
 
 	for _, file := range files {
@@ -146,82 +146,3 @@ func TestLocalInstallerTarball(t *testing.T) {
 		t.Fatalf("plugin not found at %s: %v", i.Path(), err)
 	}
 }
-
-func TestLocalInstallerTarballWithSubdirectory(t *testing.T) {
-	ensure.HelmHome(t)
-
-	// Create a test tarball with subdirectory
-	tempDir := t.TempDir()
-	tarballPath := filepath.Join(tempDir, "subdir-plugin-1.0.0.tar.gz")
-
-	// Create tarball content
-	var buf bytes.Buffer
-	gw := gzip.NewWriter(&buf)
-	tw := tar.NewWriter(gw)
-
-	files := []struct {
-		Name  string
-		Body  string
-		Mode  int64
-		IsDir bool
-	}{
-		{"my-plugin/", "", 0755, true},
-		{"my-plugin/plugin.yaml", "name: my-plugin\nversion: 1.0.0\nusage: test\ndescription: test\ncommand: echo", 0644, false},
-		{"my-plugin/bin/", "", 0755, true},
-		{"my-plugin/bin/my-plugin", "#!/bin/bash\necho test", 0755, false},
-	}
-
-	for _, file := range files {
-		hdr := &tar.Header{
-			Name: file.Name,
-			Mode: file.Mode,
-		}
-		if file.IsDir {
-			hdr.Typeflag = tar.TypeDir
-		} else {
-			hdr.Size = int64(len(file.Body))
-		}
-
-		if err := tw.WriteHeader(hdr); err != nil {
-			t.Fatal(err)
-		}
-		if !file.IsDir {
-			if _, err := tw.Write([]byte(file.Body)); err != nil {
-				t.Fatal(err)
-			}
-		}
-	}
-
-	if err := tw.Close(); err != nil {
-		t.Fatal(err)
-	}
-	if err := gw.Close(); err != nil {
-		t.Fatal(err)
-	}
-
-	// Write tarball to file
-	if err := os.WriteFile(tarballPath, buf.Bytes(), 0644); err != nil {
-		t.Fatal(err)
-	}
-
-	// Test installation
-	i, err := NewForSource(tarballPath, "")
-	if err != nil {
-		t.Fatalf("unexpected error: %s", err)
-	}
-
-	if err := Install(i); err != nil {
-		t.Fatal(err)
-	}
-
-	expectedPath := helmpath.DataPath("plugins", "subdir-plugin")
-	if i.Path() != expectedPath {
-		t.Fatalf("expected path %q, got %q", expectedPath, i.Path())
-	}
-
-	// Verify plugin was installed from subdirectory
-	pluginYaml := filepath.Join(i.Path(), "plugin.yaml")
-	if _, err := os.Stat(pluginYaml); err != nil {
-		t.Fatalf("plugin.yaml not found at %s: %v", pluginYaml, err)
-	}
-}

internal/plugin/installer/oci_installer.go

@@ -25,6 +25,7 @@ import (
 	"os"
 	"path/filepath"
 
+	"helm.sh/helm/v4/internal/plugin"
 	"helm.sh/helm/v4/internal/plugin/cache"
 	"helm.sh/helm/v4/internal/third_party/dep/fs"
 	"helm.sh/helm/v4/pkg/cli"
@@ -33,6 +34,9 @@ import (
 	"helm.sh/helm/v4/pkg/registry"
 )
 
+// Ensure OCIInstaller implements Verifier
+var _ Verifier = (*OCIInstaller)(nil)
+
 // OCIInstaller installs plugins from OCI registries
 type OCIInstaller struct {
 	CacheDir   string
@@ -40,6 +44,9 @@ type OCIInstaller struct {
 	base
 	settings *cli.EnvSettings
 	getter   getter.Getter
+	// Cached data to avoid duplicate downloads
+	pluginData []byte
+	provData   []byte
 }
 
 // NewOCIInstaller creates a new OCIInstaller with optional getter options
@@ -79,25 +86,59 @@ func NewOCIInstaller(source string, options ...getter.Option) (*OCIInstaller, er
 func (i *OCIInstaller) Install() error {
 	slog.Debug("pulling OCI plugin", "source", i.Source)
 
-	// Use getter to download the plugin
+	// Ensure plugin data is cached
-	pluginData, err := i.getter.Get(i.Source)
+	if i.pluginData == nil {
+		pluginData, err := i.getter.Get(i.Source)
+		if err != nil {
+			return fmt.Errorf("failed to pull plugin from %s: %w", i.Source, err)
+		}
+		i.pluginData = pluginData.Bytes()
+	}
+
+	// Extract metadata to get the actual plugin name and version
+	metadata, err := plugin.ExtractTgzPluginMetadata(bytes.NewReader(i.pluginData))
 	if err != nil {
-		return fmt.Errorf("failed to pull plugin from %s: %w", i.Source, err)
+		return fmt.Errorf("failed to extract plugin metadata from tarball: %w", err)
 	}
+	filename := fmt.Sprintf("%s-%s.tgz", metadata.Name, metadata.Version)
 
-	// Create cache directory
+	tarballPath := helmpath.DataPath("plugins", filename)
-	if err := os.MkdirAll(i.CacheDir, 0755); err != nil {
+	if err := os.MkdirAll(filepath.Dir(tarballPath), 0755); err != nil {
-		return fmt.Errorf("failed to create cache directory: %w", err)
+		return fmt.Errorf("failed to create plugins directory: %w", err)
+	}
+	if err := os.WriteFile(tarballPath, i.pluginData, 0644); err != nil {
+		return fmt.Errorf("failed to save tarball: %w", err)
+	}
+
+	// Ensure prov data is cached if available
+	if i.provData == nil {
+		// Try to download .prov file if it exists
+		provSource := i.Source + ".prov"
+		if provData, err := i.getter.Get(provSource); err == nil {
+			i.provData = provData.Bytes()
+		}
+	}
+
+	// Save prov file if we have the data
+	if i.provData != nil {
+		provPath := tarballPath + ".prov"
+		if err := os.WriteFile(provPath, i.provData, 0644); err != nil {
+			slog.Debug("failed to save provenance file", "error", err)
+		}
 	}
 
 	// Check if this is a gzip compressed file
-	pluginBytes := pluginData.Bytes()
+	if len(i.pluginData) < 2 || i.pluginData[0] != 0x1f || i.pluginData[1] != 0x8b {
-	if len(pluginBytes) < 2 || pluginBytes[0] != 0x1f || pluginBytes[1] != 0x8b {
 		return fmt.Errorf("plugin data is not a gzip compressed archive")
 	}
 
+	// Create cache directory
+	if err := os.MkdirAll(i.CacheDir, 0755); err != nil {
+		return fmt.Errorf("failed to create cache directory: %w", err)
+	}
+
 	// Extract as gzipped tar
-	if err := extractTarGz(bytes.NewReader(pluginBytes), i.CacheDir); err != nil {
+	if err := extractTarGz(bytes.NewReader(i.pluginData), i.CacheDir); err != nil {
 		return fmt.Errorf("failed to extract plugin: %w", err)
 	}
 
@@ -214,3 +255,47 @@ func extractTar(r io.Reader, targetDir string) error {
 
 	return nil
 }
+
+// SupportsVerification returns true since OCI plugins can be verified
+func (i *OCIInstaller) SupportsVerification() bool {
+	return true
+}
+
+// GetVerificationData downloads and caches plugin and provenance data from OCI registry for verification
+func (i *OCIInstaller) GetVerificationData() (archiveData, provData []byte, filename string, err error) {
+	slog.Debug("getting verification data for OCI plugin", "source", i.Source)
+
+	// Download plugin data once and cache it
+	if i.pluginData == nil {
+		pluginDataBuffer, err := i.getter.Get(i.Source)
+		if err != nil {
+			return nil, nil, "", fmt.Errorf("failed to pull plugin from %s: %w", i.Source, err)
+		}
+		i.pluginData = pluginDataBuffer.Bytes()
+	}
+
+	// Download prov data once and cache it if available
+	if i.provData == nil {
+		provSource := i.Source + ".prov"
+		// Calling getter.Get again is reasonable because: 1. The OCI registry client already optimizes the underlying network calls
+		// 2. Both calls use the same underlying manifest and memory store 3. The second .prov call is very fast since the data is already pulled
+		provDataBuffer, err := i.getter.Get(provSource)
+		if err != nil {
+			// If provenance file doesn't exist, set provData to nil
+			// The verification logic will handle this gracefully
+			i.provData = nil
+		} else {
+			i.provData = provDataBuffer.Bytes()
+		}
+	}
+
+	// Extract metadata to get the filename
+	metadata, err := plugin.ExtractTgzPluginMetadata(bytes.NewReader(i.pluginData))
+	if err != nil {
+		return nil, nil, "", fmt.Errorf("failed to extract plugin metadata from tarball: %w", err)
+	}
+	filename = fmt.Sprintf("%s-%s.tgz", metadata.Name, metadata.Version)
+
+	slog.Debug("got verification data for OCI plugin", "filename", filename)
+	return i.pluginData, i.provData, filename, nil
+}

internal/plugin/installer/oci_installer_test.go

@@ -34,6 +34,7 @@ import (
 	"github.com/opencontainers/go-digest"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 
+	"helm.sh/helm/v4/internal/test/ensure"
 	"helm.sh/helm/v4/pkg/cli"
 	"helm.sh/helm/v4/pkg/getter"
 	"helm.sh/helm/v4/pkg/helmpath"
@@ -125,7 +126,7 @@ func mockOCIRegistryWithArtifactType(t *testing.T, pluginName string) (*httptest
 				Digest:    digest.Digest(layerDigest),
 				Size:      int64(len(pluginData)),
 				Annotations: map[string]string{
-					ocispec.AnnotationTitle: pluginName + ".tgz", // Layer named properly
+					ocispec.AnnotationTitle: pluginName + "-1.0.0.tgz", // Layer named with version
 				},
 			},
 		},
@@ -316,9 +317,8 @@ func TestOCIInstaller_Path(t *testing.T) {
 }
 
 func TestOCIInstaller_Install(t *testing.T) {
-	// Set up isolated test environment FIRST
+	// Set up isolated test environment
-	testPluginsDir := t.TempDir()
+	ensure.HelmHome(t)
-	t.Setenv("HELM_PLUGINS", testPluginsDir)
 
 	pluginName := "test-plugin-basic"
 	server, registryHost := mockOCIRegistryWithArtifactType(t, pluginName)
@@ -333,15 +333,10 @@ func TestOCIInstaller_Install(t *testing.T) {
 		t.Fatalf("Expected no error, got %v", err)
 	}
 
-	// The OCI installer uses helmpath.DataPath, which now points to our test directory
+	// The OCI installer uses helmpath.DataPath, which is isolated by ensure.HelmHome(t)
 	actualPath := installer.Path()
 	t.Logf("Installer will use path: %s", actualPath)
 
-	// Verify the path is actually in our test directory
-	if !strings.HasPrefix(actualPath, testPluginsDir) {
-		t.Fatalf("Expected path %s to be under test directory %s", actualPath, testPluginsDir)
-	}
-
 	// Install the plugin
 	if err := Install(installer); err != nil {
 		t.Fatalf("Expected installation to succeed, got error: %v", err)
@@ -399,8 +394,7 @@ func TestOCIInstaller_Install_WithGetterOptions(t *testing.T) {
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			// Set up isolated test environment for each subtest
-			testPluginsDir := t.TempDir()
+			ensure.HelmHome(t)
-			t.Setenv("HELM_PLUGINS", testPluginsDir)
 
 			server, registryHost := mockOCIRegistryWithArtifactType(t, tc.pluginName)
 			defer server.Close()
@@ -440,8 +434,7 @@ func TestOCIInstaller_Install_WithGetterOptions(t *testing.T) {
 
 func TestOCIInstaller_Install_AlreadyExists(t *testing.T) {
 	// Set up isolated test environment
-	testPluginsDir := t.TempDir()
+	ensure.HelmHome(t)
-	t.Setenv("HELM_PLUGINS", testPluginsDir)
 
 	pluginName := "test-plugin-exists"
 	server, registryHost := mockOCIRegistryWithArtifactType(t, pluginName)
@@ -474,8 +467,7 @@ func TestOCIInstaller_Install_AlreadyExists(t *testing.T) {
 
 func TestOCIInstaller_Update(t *testing.T) {
 	// Set up isolated test environment
-	testPluginsDir := t.TempDir()
+	ensure.HelmHome(t)
-	t.Setenv("HELM_PLUGINS", testPluginsDir)
 
 	pluginName := "test-plugin-update"
 	server, registryHost := mockOCIRegistryWithArtifactType(t, pluginName)