From 99da9fb54817a00e0138a08ce0b0643b923e5b6e Mon Sep 17 00:00:00 2001 From: Ali Rizwan Date: Thu, 15 Mar 2018 16:07:29 +0100 Subject: [PATCH 01/20] Fixed SIGSEGV when running helm create with -p and no values.yaml file --- pkg/chartutil/create.go | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/pkg/chartutil/create.go b/pkg/chartutil/create.go index 319a75e2f..c6c1308ca 100644 --- a/pkg/chartutil/create.go +++ b/pkg/chartutil/create.go @@ -305,8 +305,9 @@ func CreateFrom(chartfile *chart.Metadata, dest string, src string) error { } schart.Templates = updatedTemplates - schart.Values = &chart.Config{Raw: string(Transform(schart.Values.Raw, "", schart.Metadata.Name))} - + if schart.Values != nil { + schart.Values = &chart.Config{Raw: string(Transform(schart.Values.Raw, "", schart.Metadata.Name))} + } return SaveDir(schart, dest) } From 6a59683c01f053ab6490a82f64985aeea9894358 Mon Sep 17 00:00:00 2001 From: cameronconradt <16780811+cameronconradt@users.noreply.github.com> Date: Fri, 23 Mar 2018 23:57:35 -0600 Subject: [PATCH 02/20] Update files.go Should suppress the warnings about the naming of these two functions. Added TODO --- pkg/chartutil/files.go | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/pkg/chartutil/files.go b/pkg/chartutil/files.go index a711a3366..f9fc0a26d 100644 --- a/pkg/chartutil/files.go +++ b/pkg/chartutil/files.go @@ -211,7 +211,8 @@ func ToToml(v interface{}) string { // always return a string, even on marshal error (empty string). // // This is designed to be called from a template. -func ToJson(v interface{}) string { +//TODO:change the function signature in Helm 3 +func ToJson(v interface{}) string { //nolint data, err := json.Marshal(v) if err != nil { // Swallow errors inside of a template. 
@@ -226,7 +227,8 @@ func ToJson(v interface{}) string { // JSON documents. Additionally, because its intended use is within templates // it tolerates errors. It will insert the returned error message string into // m["Error"] in the returned map. -func FromJson(str string) map[string]interface{} { +//TODO:change the function signature in Helm 3 +func FromJson(str string) map[string]interface{} { //nolint m := map[string]interface{}{} if err := json.Unmarshal([]byte(str), &m); err != nil { From aa2976f0cea3b80278c07c31ffc40072ff81b289 Mon Sep 17 00:00:00 2001 From: Matthew Fisher Date: Tue, 17 Apr 2018 16:36:50 -0700 Subject: [PATCH 03/20] swallow the error when returning the default HTTP client --- pkg/downloader/chart_downloader.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/downloader/chart_downloader.go b/pkg/downloader/chart_downloader.go index fe2f3ce92..8b386fc09 100644 --- a/pkg/downloader/chart_downloader.go +++ b/pkg/downloader/chart_downloader.go @@ -183,7 +183,7 @@ func (c *ChartDownloader) ResolveChartVersionAndGetRepo(ref, version string) (*u r := &repo.ChartRepository{} r.Client = g g.SetCredentials(c.getRepoCredentials(r)) - return u, r, g, err + return u, r, g, nil } return u, nil, nil, err } From b0eb40b2ca67146b7bb76e0197bfba0c83c5dd60 Mon Sep 17 00:00:00 2001 From: Colin Dickson Date: Thu, 19 Apr 2018 19:20:42 -0400 Subject: [PATCH 04/20] fixed flag for tls ca cert option in the documentation --- docs/securing_installation.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/securing_installation.md b/docs/securing_installation.md index 5c420242e..9f74f6049 100644 --- a/docs/securing_installation.md +++ b/docs/securing_installation.md 
@@ -95,10 +95,10 @@ If these steps are followed, an example `helm init` command might look something $ helm init \ --tiller-tls \ --tiller-tls-verify \ ---tiller-tls-ca-cert=ca.pem \ --tiller-tls-cert=cert.pem \ --tiller-tls-key=key.pem \ ---service-account=accountname +--tls-ca-cert=ca.pem \ +--service-account=accountname ``` This command will start Tiller with both strong authentication over gRPC, and a service account to which RBAC policies have been applied. From 28fb950588f64c4341886509a62d3b7670578e7a Mon Sep 17 00:00:00 2001 From: AdamDang Date: Mon, 23 Apr 2018 13:05:12 +0800 Subject: [PATCH 05/20] Typo fix in plugins.md "that that"->"that" "that that"->"that" --- docs/plugins.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/plugins.md b/docs/plugins.md index 82bcfe33b..3087d1b39 100644 --- a/docs/plugins.md +++ b/docs/plugins.md @@ -183,7 +183,7 @@ If a plugin specifies `useTunnel: true`, Helm will do the following (in order): 5. Close the tunnel The tunnel is removed as soon as the `command` returns. So, for example, a -command cannot background a process and assume that that process will be able +command cannot background a process and assume that process will be able to use the tunnel. ## A Note on Flag Parsing From bcf5688e9a9da64fe5c8580c435bd248ec499e99 Mon Sep 17 00:00:00 2001 From: AdamDang Date: Mon, 23 Apr 2018 13:06:24 +0800 Subject: [PATCH 06/20] Update install.go --- cmd/helm/installer/install.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd/helm/installer/install.go b/cmd/helm/installer/install.go index a45179a48..0abd6774b 100644 --- a/cmd/helm/installer/install.go +++ b/cmd/helm/installer/install.go 
@@ -73,7 +73,7 @@ func Upgrade(client kubernetes.Interface, opts *Options) error { if _, err := client.ExtensionsV1beta1().Deployments(opts.Namespace).Update(obj); err != nil { return err } - // If the service does not exists that would mean we are upgrading from a Tiller version + // If the service does not exist that would mean we are upgrading from a Tiller version // that didn't deploy the service, so install it. _, err = client.CoreV1().Services(opts.Namespace).Get(serviceName, metav1.GetOptions{}) if apierrors.IsNotFound(err) { From 6b2384f8b4dbc64e0452dfb60b987e94e8c21f00 Mon Sep 17 00:00:00 2001 From: Julius Kammerl Date: Mon, 23 Apr 2018 15:42:07 +0200 Subject: [PATCH 07/20] Avoid to call 'go' with empty -tags argument go1.10.1 linux/amd64 complains: flag provided but not defined: -tags when compiling with: "make build-cross dist". This seems to fix it. --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 2dfbd2c3c..a8f778377 100644 --- a/Makefile +++ b/Makefile @@ -31,7 +31,7 @@ build: .PHONY: build-cross build-cross: LDFLAGS += -extldflags "-static" build-cross: - CGO_ENABLED=0 gox -parallel=3 -output="_dist/{{.OS}}-{{.Arch}}/{{.Dir}}" -osarch='$(TARGETS)' $(GOFLAGS) -tags '$(TAGS)' -ldflags '$(LDFLAGS)' k8s.io/helm/cmd/$(APP) + CGO_ENABLED=0 gox -parallel=3 -output="_dist/{{.OS}}-{{.Arch}}/{{.Dir}}" -osarch='$(TARGETS)' $(GOFLAGS) $(if $(TAGS),-tags '$(TAGS)',) -ldflags '$(LDFLAGS)' k8s.io/helm/cmd/$(APP) .PHONY: dist dist: From ed39f16ee57c094476ea61ef4983efcb501e7643 Mon Sep 17 00:00:00 2001 From: Fabian Ruff Date: Mon, 23 Apr 2018 20:12:40 +0200 Subject: [PATCH 08/20] Fix --tiller-namespace flag for plugins This fixes using `--tiller-namespace $namespace` flag (without the equal sign) for helm plugins. --- cmd/helm/load_plugins.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd/helm/load_plugins.go b/cmd/helm/load_plugins.go index ef24e7883..f4c97bde7 100644 
--- a/cmd/helm/load_plugins.go +++ b/cmd/helm/load_plugins.go @@ -131,7 +131,7 @@ func manuallyProcessArgs(args []string) ([]string, []string) { switch a := args[i]; a { case "--debug": known = append(known, a) - case "--host", "--kube-context", "--home": + case "--host", "--kube-context", "--home", "--tiller-namespace": known = append(known, a, args[i+1]) i++ default: From cefee4b749122bc38d019c2791faf79a4ab1376f Mon Sep 17 00:00:00 2001 From: Adam Reese Date: Mon, 23 Apr 2018 14:30:34 -0700 Subject: [PATCH 09/20] fix(kube): output internal object table fixes #3937 --- pkg/kube/client.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/kube/client.go b/pkg/kube/client.go index 34d979d47..e4c6b6a9f 100644 --- a/pkg/kube/client.go +++ b/pkg/kube/client.go @@ -178,7 +178,7 @@ func (c *Client) Get(namespace string, reader io.Reader) (string, error) { // versions per cluster, but this certainly won't hurt anything, so let's be safe. gvk := info.ResourceMapping().GroupVersionKind vk := gvk.Version + "/" + gvk.Kind - objs[vk] = append(objs[vk], info.Object) + objs[vk] = append(objs[vk], info.AsInternal()) //Get the relation pods objPods, err = c.getSelectRelationPod(info, objPods) From 7a65f7479acd2ae76289b0742d5e2349c22fec18 Mon Sep 17 00:00:00 2001 From: Marat Garafutdinov Date: Mon, 23 Apr 2018 16:35:29 -0700 Subject: [PATCH 10/20] add --col-width to `helm search` (#3949) * add customizeable --col-width * make docs. whitespacing --- cmd/helm/search.go | 8 +++++--- docs/helm/helm_search.md | 3 ++- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/cmd/helm/search.go b/cmd/helm/search.go index 845bfd0be..ab284a898 100644 --- a/cmd/helm/search.go +++ b/cmd/helm/search.go @@ -47,6 +47,7 @@ type searchCmd struct { versions bool regexp bool version string + colWidth uint } func newSearchCmd(out io.Writer) *cobra.Command { 
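Review bot: Adding `--tiller-namespace` to this case extends the unguarded `args[i+1]` read to one more flag. If the flag is the last argument, that index is past the end of the slice and the command would panic instead of reporting a missing value. A guard before the append, such as `if i+1 >= len(args) { known = append(known, a); break }`, would hand the bare flag to the normal flag parser so it can produce the usage error. The loop header and the rest of manuallyProcessArgs are outside the hunk, so this assumes there is no earlier length check.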
@@ -66,6 +67,7 @@ func newSearchCmd(out io.Writer) *cobra.Command { f.BoolVarP(&sc.regexp, "regexp", "r", false, "use regular expressions for searching") f.BoolVarP(&sc.versions, "versions", "l", false, "show the long listing, with each version of each chart on its own line") f.StringVarP(&sc.version, "version", "v", "", "search using semantic versioning constraints") + f.UintVar(&sc.colWidth, "col-width", 60, "specifies the max column width of output") return cmd } @@ -93,7 +95,7 @@ func (s *searchCmd) run(args []string) error { return err } - fmt.Fprintln(s.out, s.formatSearchResults(data)) + fmt.Fprintln(s.out, s.formatSearchResults(data, s.colWidth)) return nil } @@ -126,12 +128,12 @@ func (s *searchCmd) applyConstraint(res []*search.Result) ([]*search.Result, err return data, nil } -func (s *searchCmd) formatSearchResults(res []*search.Result) string { +func (s *searchCmd) formatSearchResults(res []*search.Result, colWidth uint) string { if len(res) == 0 { return "No results found" } table := uitable.New() - table.MaxColWidth = 50 + table.MaxColWidth = colWidth table.AddRow("NAME", "CHART VERSION", "APP VERSION", "DESCRIPTION") for _, r := range res { table.AddRow(r.Name, r.Chart.Version, r.Chart.AppVersion, r.Chart.Description) diff --git a/docs/helm/helm_search.md b/docs/helm/helm_search.md index f59814b9a..1ed04e880 100644 --- a/docs/helm/helm_search.md +++ b/docs/helm/helm_search.md @@ -19,6 +19,7 @@ helm search [keyword] ### Options ``` + --col-width uint specifies the max column width of output (default 60) -r, --regexp use regular expressions for searching -v, --version string search using semantic versioning constraints -l, --versions show the long listing, with each version of each chart on its own line @@ -38,4 +39,4 @@ helm search [keyword] ### SEE ALSO * [helm](helm.md) - The Helm package manager for Kubernetes. -###### Auto generated by spf13/cobra on 8-Mar-2018 +###### Auto generated by spf13/cobra on 23-Apr-2018 
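Review bot: The default in `f.UintVar(&sc.colWidth, "col-width", 60, ...)` differs from the previous hard-coded `table.MaxColWidth = 50`, so output changes for users who never pass the flag, and the commit message does not mention it. If the wider default is not intended, the flag should default to `50`. Separately, `formatSearchResults` is a method on `*searchCmd` and could read `s.colWidth` directly; the extra `colWidth uint` parameter only repeats state the receiver already carries. A short comment on the `colWidth` field saying what a value of `0` means for the table would also help, since the hunk does not show how the table library treats it.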
From 718578036d4c13604ec557a32dfd31b5403aac31 Mon Sep 17 00:00:00 2001 From: BarryWilliams Date: Mon, 23 Apr 2018 22:25:11 -0400 Subject: [PATCH 11/20] Changed whitespacing in comments --- pkg/chartutil/files.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pkg/chartutil/files.go b/pkg/chartutil/files.go index f9fc0a26d..a09bb8f43 100644 --- a/pkg/chartutil/files.go +++ b/pkg/chartutil/files.go @@ -211,8 +211,8 @@ func ToToml(v interface{}) string { // always return a string, even on marshal error (empty string). // // This is designed to be called from a template. -//TODO:change the function signature in Helm 3 -func ToJson(v interface{}) string { //nolint +// TODO: change the function signature in Helm 3 +func ToJson(v interface{}) string { // nolint data, err := json.Marshal(v) if err != nil { // Swallow errors inside of a template. @@ -227,8 +227,8 @@ func ToJson(v interface{}) string { //nolint // JSON documents. Additionally, because its intended use is within templates // it tolerates errors. It will insert the returned error message string into // m["Error"] in the returned map. -//TODO:change the function signature in Helm 3 -func FromJson(str string) map[string]interface{} { //nolint +// TODO: change the function signature in Helm 3 +func FromJson(str string) map[string]interface{} { // nolint m := map[string]interface{}{} if err := json.Unmarshal([]byte(str), &m); err != nil { From cf3ded91f2143fed6850dee70630c1049bf937ec Mon Sep 17 00:00:00 2001 From: Julien Bordellier Date: Tue, 24 Apr 2018 15:26:57 +0200 Subject: [PATCH 12/20] Add quoting support in ingress to allow wildcard domain --- pkg/chartutil/create.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/chartutil/create.go b/pkg/chartutil/create.go index 4c6b484a9..30c6310b2 100644 --- a/pkg/chartutil/create.go +++ b/pkg/chartutil/create.go 
@@ -143,14 +143,14 @@ spec: {{- range .Values.ingress.tls }} - hosts: {{- range .hosts }} - - {{ . }} + - {{ . | quote }} {{- end }} secretName: {{ .secretName }} {{- end }} {{- end }} rules: {{- range .Values.ingress.hosts }} - - host: {{ . }} + - host: {{ . | quote }} http: paths: - path: {{ $ingressPath }} From c2fa72ebcdc9a12381eec29b642374af75f5b45c Mon Sep 17 00:00:00 2001 From: eyalbe4 Date: Wed, 25 Apr 2018 03:44:47 +0300 Subject: [PATCH 13/20] Fix for - Downloader plugins not used when downloading new repo's index.yaml #3938 --- pkg/downloader/chart_downloader.go | 73 ++++++++++++++---------------- pkg/repo/chartrepo.go | 18 +++++--- 2 files changed, 45 insertions(+), 46 deletions(-) diff --git a/pkg/downloader/chart_downloader.go b/pkg/downloader/chart_downloader.go index 8b386fc09..6861a8270 100644 --- a/pkg/downloader/chart_downloader.go +++ b/pkg/downloader/chart_downloader.go @@ -23,6 +23,7 @@ import ( "net/url" "os" "path/filepath" + "reflect" "strings" "k8s.io/helm/pkg/getter" @@ -85,7 +86,7 @@ type ChartDownloader struct { // Returns a string path to the location where the file was downloaded and a verification // (if provenance was verified), or an error if something bad happened. func (c *ChartDownloader) DownloadTo(ref, version, dest string) (string, *provenance.Verification, error) { - u, r, g, err := c.ResolveChartVersionAndGetRepo(ref, version) + u, g, err := c.ResolveChartVersion(ref, version) if err != nil { return "", nil, err } @@ -104,7 +105,7 @@ func (c *ChartDownloader) DownloadTo(ref, version, dest string) (string, *proven // If provenance is requested, verify it. ver := &provenance.Verification{} if c.Verify > VerifyNever { - body, err := r.Client.Get(u.String() + ".prov") + body, err := g.Get(u.String() + ".prov") if err != nil { if c.Verify == VerifyAlways { return destfile, ver, fmt.Errorf("Failed to fetch provenance %q", u.String()+".prov") 
@@ -144,28 +145,14 @@ func (c *ChartDownloader) DownloadTo(ref, version, dest string) (string, *proven // * If version is empty, this will return the URL for the latest version // * If no version can be found, an error is returned func (c *ChartDownloader) ResolveChartVersion(ref, version string) (*url.URL, getter.Getter, error) { - u, r, _, err := c.ResolveChartVersionAndGetRepo(ref, version) - if r != nil { - return u, r.Client, err - } - return u, nil, err -} - -// ResolveChartVersionAndGetRepo is the same as the ResolveChartVersion method, but returns the chart repositoryy. -func (c *ChartDownloader) ResolveChartVersionAndGetRepo(ref, version string) (*url.URL, *repo.ChartRepository, *getter.HttpGetter, error) { u, err := url.Parse(ref) if err != nil { - return nil, nil, nil, fmt.Errorf("invalid chart URL format: %s", ref) + return nil, nil, fmt.Errorf("invalid chart URL format: %s", ref) } rf, err := repo.LoadRepositoriesFile(c.HelmHome.RepositoryFile()) if err != nil { - return u, nil, nil, err - } - - g, err := getter.NewHTTPGetter(ref, "", "", "") - if err != nil { - return u, nil, nil, err + return u, nil, err } if u.IsAbs() && len(u.Host) > 0 && len(u.Path) > 0 { 
@@ -180,23 +167,26 @@ func (c *ChartDownloader) ResolveChartVersionAndGetRepo(ref, version string) (*u // If there is no special config, return the default HTTP client and // swallow the error. if err == ErrNoOwnerRepo { - r := &repo.ChartRepository{} - r.Client = g - g.SetCredentials(c.getRepoCredentials(r)) - return u, r, g, nil + getterConstructor, err := c.Getters.ByScheme(u.Scheme) + if err != nil { + return u, nil, err + } + getter, err := getterConstructor(ref, "", "", "") + return u, getter, err } - return u, nil, nil, err + return u, nil, err } r, err := repo.NewChartRepository(rc, c.Getters) + c.setCredentials(r) // If we get here, we don't need to go through the next phase of looking // up the URL. We have it already. So we just return. - return u, r, g, err + return u, r.Client, err } // See if it's of the form: repo/path_to_chart p := strings.SplitN(u.Path, "/", 2) if len(p) < 2 { - return u, nil, nil, fmt.Errorf("Non-absolute URLs should be in form of repo_name/path_to_chart, got: %s", u) + return u, nil, fmt.Errorf("Non-absolute URLs should be in form of repo_name/path_to_chart, got: %s", u) } repoName := p[0] 
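Review bot: In the absolute-URL branch, `c.setCredentials(r)` runs and `r.Client` is read before the `err` from `repo.NewChartRepository(rc, c.Getters)` is checked. If that constructor returns a nil repository with its error, both lines dereference nil and the caller gets a panic instead of the error. The repo_name/path branch further down in this function checks `err` first, so the same guard belongs here: `if err != nil { return u, nil, err }` placed before `c.setCredentials(r)`. In the `ErrNoOwnerRepo` branch, the local `getter, err := getterConstructor(ref, "", "", "")` shadows the imported `getter` package; a name such as `g` avoids that. The function body starts and ends outside this hunk.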
@@ -204,56 +194,59 @@ func (c *ChartDownloader) ResolveChartVersionAndGetRepo(ref, version string) (*u rc, err := pickChartRepositoryConfigByName(repoName, rf.Repositories) if err != nil { - return u, nil, nil, err + return u, nil, err } r, err := repo.NewChartRepository(rc, c.Getters) if err != nil { - return u, nil, nil, err + return u, nil, err } - g.SetCredentials(c.getRepoCredentials(r)) + c.setCredentials(r) // Next, we need to load the index, and actually look up the chart. i, err := repo.LoadIndexFile(c.HelmHome.CacheIndex(r.Config.Name)) if err != nil { - return u, r, g, fmt.Errorf("no cached repo found. (try 'helm repo update'). %s", err) + return u, r.Client, fmt.Errorf("no cached repo found. (try 'helm repo update'). %s", err) } cv, err := i.Get(chartName, version) if err != nil { - return u, r, g, fmt.Errorf("chart %q matching %s not found in %s index. (try 'helm repo update'). %s", chartName, version, r.Config.Name, err) + return u, r.Client, fmt.Errorf("chart %q matching %s not found in %s index. (try 'helm repo update'). 
%s", chartName, version, r.Config.Name, err) } if len(cv.URLs) == 0 { - return u, r, g, fmt.Errorf("chart %q has no downloadable URLs", ref) + return u, r.Client, fmt.Errorf("chart %q has no downloadable URLs", ref) } // TODO: Seems that picking first URL is not fully correct u, err = url.Parse(cv.URLs[0]) if err != nil { - return u, r, g, fmt.Errorf("invalid chart URL format: %s", ref) + return u, r.Client, fmt.Errorf("invalid chart URL format: %s", ref) } // If the URL is relative (no scheme), prepend the chart repo's base URL if !u.IsAbs() { repoURL, err := url.Parse(rc.URL) if err != nil { - return repoURL, r, nil, err + return repoURL, r.Client, err } q := repoURL.Query() // We need a trailing slash for ResolveReference to work, but make sure there isn't already one repoURL.Path = strings.TrimSuffix(repoURL.Path, "/") + "/" u = repoURL.ResolveReference(u) u.RawQuery = q.Encode() - g, err := getter.NewHTTPGetter(rc.URL, "", "", "") - if err != nil { - return repoURL, r, nil, err - } - g.SetCredentials(c.getRepoCredentials(r)) - return u, r, g, err + return u, r.Client, err } - return u, r, g, nil + return u, r.Client, nil +} + +// If HttpGetter is used, this method sets the configured repository credentials on the HttpGetter. +func (c *ChartDownloader) setCredentials(r *repo.ChartRepository) { + var t *getter.HttpGetter + if reflect.TypeOf(r.Client) == reflect.TypeOf(t) { + r.Client.(*getter.HttpGetter).SetCredentials(c.getRepoCredentials(r)) + } } // If this ChartDownloader is not configured to use credentials, and the chart repository sent as an argument is, diff --git a/pkg/repo/chartrepo.go b/pkg/repo/chartrepo.go index bf03a68bb..ba1e6f4ff 100644 --- a/pkg/repo/chartrepo.go +++ b/pkg/repo/chartrepo.go @@ -22,6 +22,7 @@ import ( "net/url" "os" "path/filepath" + "reflect" "strings" "github.com/ghodss/yaml" 
@@ -119,12 +120,9 @@ func (r *ChartRepository) DownloadIndexFile(cachePath string) error { parsedURL.Path = strings.TrimSuffix(parsedURL.Path, "/") + "/index.yaml" indexURL = parsedURL.String() - g, err := getter.NewHTTPGetter(indexURL, r.Config.CertFile, r.Config.KeyFile, r.Config.CAFile) - if err != nil { - return err - } - g.SetCredentials(r.Config.Username, r.Config.Password) - resp, err := g.Get(indexURL) + + r.setCredentials() + resp, err := r.Client.Get(indexURL) if err != nil { return err } @@ -152,6 +150,14 @@ func (r *ChartRepository) DownloadIndexFile(cachePath string) error { return ioutil.WriteFile(cp, index, 0644) } +// If HttpGetter is used, this method sets the configured repository credentials on the HttpGetter. +func (r *ChartRepository) setCredentials() { + var t *getter.HttpGetter + if reflect.TypeOf(r.Client) == reflect.TypeOf(t) { + r.Client.(*getter.HttpGetter).SetCredentials(r.Config.Username, r.Config.Password) + } +} + // Index generates an index for the chart repository and writes an index.yaml file. func (r *ChartRepository) Index() error { err := r.generateIndex() From f0d78180d1b5b26955c70b80c4e38553b316d9ea Mon Sep 17 00:00:00 2001 From: Julien Bordellier Date: Wed, 25 Apr 2018 17:02:32 +0200 Subject: [PATCH 14/20] Change tiller's Dockerfile to use USER nobody + upgrades to alpine:3.7 --- rootfs/Dockerfile | 8 ++++---- rootfs/Dockerfile.experimental | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/rootfs/Dockerfile b/rootfs/Dockerfile index 53757cd8d..ca5ad2225 100644 --- a/rootfs/Dockerfile +++ b/rootfs/Dockerfile @@ -12,15 +12,15 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM alpine:3.3 +FROM alpine:3.7 RUN apk update && apk add ca-certificates && rm -rf /var/cache/apk/* ENV HOME /tmp -COPY tiller /tiller +COPY tiller /bin/tiller EXPOSE 44134 - -CMD ["/tiller"] +USER nobody +ENTRYPOINT ["/bin/tiller"] 
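Review bot: Moving the binary from `/tiller` to `/bin/tiller` and switching `CMD` to `ENTRYPOINT` changes the image's contract along with the hardening: a pod spec that overrides the command with `/tiller` would presumably no longer find the binary. Nothing in the file records that. A comment above the `COPY` line, such as `# Binary lives at /bin/tiller (was /tiller); manifests that override the command must use the new path.`, would make the change discoverable. The same applies to rootfs/Dockerfile.experimental. `FROM alpine:3.7` is a mutable tag, so pinning it by digest would keep the `USER nobody` image reproducible.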
diff --git a/rootfs/Dockerfile.experimental b/rootfs/Dockerfile.experimental index 990bcde51..66a218477 100644 --- a/rootfs/Dockerfile.experimental +++ b/rootfs/Dockerfile.experimental @@ -12,15 +12,15 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM alpine:3.3 +FROM alpine:3.7 RUN apk update && apk add ca-certificates && rm -rf /var/cache/apk/* ENV HOME /tmp -COPY tiller /tiller +COPY tiller /bin/tiller EXPOSE 44134 - -CMD ["/tiller", "--experimental-release"] +USER nobody +ENTRYPOINT ["/bin/tiller", "--experimental-release"] From d9395bcc0668429a48cdfe8ff2389bb9d00f4e0e Mon Sep 17 00:00:00 2001 From: Matthew Fisher Date: Wed, 25 Apr 2018 14:55:05 -0700 Subject: [PATCH 15/20] remove need for type reflection --- pkg/downloader/chart_downloader.go | 6 ++---- pkg/repo/chartrepo.go | 6 ++---- 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/pkg/downloader/chart_downloader.go b/pkg/downloader/chart_downloader.go index 6861a8270..59b9d4d75 100644 --- a/pkg/downloader/chart_downloader.go +++ b/pkg/downloader/chart_downloader.go @@ -23,7 +23,6 @@ import ( "net/url" "os" "path/filepath" - "reflect" "strings" "k8s.io/helm/pkg/getter" @@ -243,9 +242,8 @@ func (c *ChartDownloader) ResolveChartVersion(ref, version string) (*url.URL, ge // If HttpGetter is used, this method sets the configured repository credentials on the HttpGetter. func (c *ChartDownloader) setCredentials(r *repo.ChartRepository) { - var t *getter.HttpGetter - if reflect.TypeOf(r.Client) == reflect.TypeOf(t) { - r.Client.(*getter.HttpGetter).SetCredentials(c.getRepoCredentials(r)) + if t, ok := r.Client.(*getter.HttpGetter); ok { + t.SetCredentials(c.getRepoCredentials(r)) } } diff --git a/pkg/repo/chartrepo.go b/pkg/repo/chartrepo.go index ba1e6f4ff..438f66d7c 100644 --- a/pkg/repo/chartrepo.go +++ b/pkg/repo/chartrepo.go @@ -22,7 +22,6 @@ import ( "net/url" "os" "path/filepath" - "reflect" "strings" "github.com/ghodss/yaml" 
@@ -152,9 +151,8 @@ func (r *ChartRepository) DownloadIndexFile(cachePath string) error { // If HttpGetter is used, this method sets the configured repository credentials on the HttpGetter. func (r *ChartRepository) setCredentials() { - var t *getter.HttpGetter - if reflect.TypeOf(r.Client) == reflect.TypeOf(t) { - r.Client.(*getter.HttpGetter).SetCredentials(r.Config.Username, r.Config.Password) + if t, ok := r.Client.(*getter.HttpGetter); ok { + t.SetCredentials(r.Config.Username, r.Config.Password) } } From c67fab5934bb76ccd7ab2420a4d2fc8da4ae4af1 Mon Sep 17 00:00:00 2001 From: Julien Bordellier Date: Thu, 26 Apr 2018 10:41:54 +0200 Subject: [PATCH 16/20] docs(helm): update Globs examples to work correctly --- docs/chart_template_guide/accessing_files.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/docs/chart_template_guide/accessing_files.md b/docs/chart_template_guide/accessing_files.md index 250fd9520..11747d4f0 100644 --- a/docs/chart_template_guide/accessing_files.md +++ b/docs/chart_template_guide/accessing_files.md @@ -119,9 +119,10 @@ You have multiple options with Globs: ```yaml -{{ range $path := .Files.Glob "**.yaml" }} -{{ $path }}: | -{{ .Files.Get $path }} +{{ $root := . }} +{{ range $path, $bytes := .Files.Glob "**.yaml" }} +{{ $path }}: |- +{{ $root.Files.Get $path }} {{ end }} ``` @@ -129,7 +130,7 @@ Or ```yaml {{ range $path, $bytes := .Files.Glob "foo/*" }} -{{ $path }}: '{{ b64enc $bytes }}' +{{ $path.base }}: '{{ $root.Files.Get $path | b64enc }}' {{ end }} ``` From f7f686f7d065218ef6df3fbb75ce6348e699a0f3 Mon Sep 17 00:00:00 2001 From: Matthew Fisher Date: Fri, 27 Apr 2018 12:30:46 -0700 Subject: [PATCH 17/20] Revert "toYaml - Fix #3470 and #3410's trailing \n issues" --- pkg/chartutil/files.go | 2 +- pkg/chartutil/files_test.go | 8 ++++---- pkg/strvals/parser.go | 2 +- pkg/strvals/parser_test.go | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) 
diff --git a/pkg/chartutil/files.go b/pkg/chartutil/files.go index b71ef5759..a09bb8f43 100644 --- a/pkg/chartutil/files.go +++ b/pkg/chartutil/files.go @@ -175,7 +175,7 @@ func ToYaml(v interface{}) string { // Swallow errors inside of a template. return "" } - return strings.TrimSuffix(string(data), "\n") + return string(data) } // FromYaml converts a YAML document into a map[string]interface{}. diff --git a/pkg/chartutil/files_test.go b/pkg/chartutil/files_test.go index 5cec35883..731c82e6f 100644 --- a/pkg/chartutil/files_test.go +++ b/pkg/chartutil/files_test.go @@ -72,10 +72,10 @@ func TestToConfig(t *testing.T) { f := NewFiles(getTestFiles()) out := f.Glob("**/captain.txt").AsConfig() - as.Equal("captain.txt: The Captain", out) + as.Equal("captain.txt: The Captain\n", out) out = f.Glob("ship/**").AsConfig() - as.Equal("captain.txt: The Captain\nstowaway.txt: Legatt", out) + as.Equal("captain.txt: The Captain\nstowaway.txt: Legatt\n", out) } func TestToSecret(t *testing.T) { @@ -84,7 +84,7 @@ func TestToSecret(t *testing.T) { f := NewFiles(getTestFiles()) out := f.Glob("ship/**").AsSecrets() - as.Equal("captain.txt: VGhlIENhcHRhaW4=\nstowaway.txt: TGVnYXR0", out) + as.Equal("captain.txt: VGhlIENhcHRhaW4=\nstowaway.txt: TGVnYXR0\n", out) } func TestLines(t *testing.T) { @@ -99,7 +99,7 @@ func TestLines(t *testing.T) { } func TestToYaml(t *testing.T) { - expect := "foo: bar" + expect := "foo: bar\n" v := struct { Foo string `json:"foo"` }{ diff --git a/pkg/strvals/parser.go b/pkg/strvals/parser.go index 8d20c3bc3..90670a4dd 100644 --- a/pkg/strvals/parser.go +++ b/pkg/strvals/parser.go @@ -36,7 +36,7 @@ func ToYAML(s string) (string, error) { return "", err } d, err := yaml.Marshal(m) - return strings.TrimSuffix(string(d), "\n"), err + return string(d), err } // Parse parses a set line. diff --git a/pkg/strvals/parser_test.go b/pkg/strvals/parser_test.go index 482377c32..c897cf0a7 100644 --- a/pkg/strvals/parser_test.go +++ b/pkg/strvals/parser_test.go 
@@ -370,7 +370,7 @@ func TestToYAML(t *testing.T) { if err != nil { t.Fatal(err) } - expect := "name: value" + expect := "name: value\n" if o != expect { t.Errorf("Expected %q, got %q", expect, o) } From 4d1a401a9fb52cfbad97c31a9d038935434b413c Mon Sep 17 00:00:00 2001 From: Matthew Fisher Date: Fri, 27 Apr 2018 15:33:48 -0700 Subject: [PATCH 18/20] Revert "Fix tiller deployment on RBAC clusters" --- cmd/helm/installer/install.go | 4 +--- cmd/helm/installer/install_test.go | 3 --- 2 files changed, 1 insertion(+), 6 deletions(-) diff --git a/cmd/helm/installer/install.go b/cmd/helm/installer/install.go index 0abd6774b..becf412a1 100644 --- a/cmd/helm/installer/install.go +++ b/cmd/helm/installer/install.go @@ -176,7 +176,6 @@ func generateDeployment(opts *Options) (*v1beta1.Deployment, error) { return nil, err } } - automountServiceAccountToken := opts.ServiceAccount != "" d := &v1beta1.Deployment{ ObjectMeta: metav1.ObjectMeta{ Namespace: opts.Namespace, @@ -190,8 +189,7 @@ func generateDeployment(opts *Options) (*v1beta1.Deployment, error) { Labels: labels, }, Spec: v1.PodSpec{ - ServiceAccountName: opts.ServiceAccount, - AutomountServiceAccountToken: &automountServiceAccountToken, + ServiceAccountName: opts.ServiceAccount, Containers: []v1.Container{ { Name: "tiller", diff --git a/cmd/helm/installer/install_test.go b/cmd/helm/installer/install_test.go index 80219505a..dbb7143e3 100644 --- a/cmd/helm/installer/install_test.go +++ b/cmd/helm/installer/install_test.go @@ -96,9 +96,6 @@ func TestDeploymentManifestForServiceAccount(t *testing.T) { if got := d.Spec.Template.Spec.ServiceAccountName; got != tt.serviceAccount { t.Errorf("%s: expected service account value %q, got %q", tt.name, tt.serviceAccount, got) } - if got := *d.Spec.Template.Spec.AutomountServiceAccountToken; got != (tt.serviceAccount != "") { - t.Errorf("%s: unexpected automountServiceAccountToken = %t for serviceAccount %q", tt.name, got, tt.serviceAccount) - } } } 
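Review bot: After this revert the pod spec in generateDeployment no longer sets `AutomountServiceAccountToken`, so the Tiller pod falls back to the cluster default. That normally means a service account token is mounted even when `opts.ServiceAccount` is empty. If that is intended (presumably Tiller needs the token to reach the API server), a comment next to `ServiceAccountName: opts.ServiceAccount,` should say so, for example `// AutomountServiceAccountToken is intentionally left unset; Tiller relies on the mounted token.`, so the restriction is not re-added later without the reason being known. The matching assertion in TestDeploymentManifestForServiceAccount is removed too, so no test pins the behaviour. generateDeployment starts and ends outside these hunks.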
From 07bebe6bff7885cafc800c063e52bf4669ed1c93 Mon Sep 17 00:00:00 2001 From: AdamDang Date: Sun, 29 Apr 2018 13:46:46 +0800 Subject: [PATCH 19/20] Typo fix: evalutes->evaluates --- pkg/ignore/rules.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/ignore/rules.go b/pkg/ignore/rules.go index 76f45fc7a..185d289bb 100644 --- a/pkg/ignore/rules.go +++ b/pkg/ignore/rules.go @@ -77,7 +77,7 @@ func (r *Rules) Len() int { return len(r.patterns) } -// Ignore evalutes the file at the given path, and returns true if it should be ignored. +// Ignore evaluates the file at the given path, and returns true if it should be ignored. // // Ignore evaluates path against the rules in order. Evaluation stops when a match // is found. Matching a negative rule will stop evaluation. From ddb536aa7a9287a6bf45994f4430891d00c1f529 Mon Sep 17 00:00:00 2001 From: AdamDang Date: Mon, 7 May 2018 00:15:35 +0800 Subject: [PATCH 20/20] Typo fix: usa helm->use helm usa helm->use helm --- docs/securing_installation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/securing_installation.md b/docs/securing_installation.md index 9f74f6049..4083bf188 100644 --- a/docs/securing_installation.md +++ b/docs/securing_installation.md 
@@ -53,7 +53,7 @@ This situation may change in the future. While the community has several methods In the default installation the gRPC endpoint that Tiller offers is available inside the cluster (not external to the cluster) without authentication configuration applied. Without applying authentication, any process in the cluster can use the gRPC endpoint to perform operations inside the cluster. In a local or secured private cluster, this enables rapid usage and is normal. (When running outside the cluster, Helm authenticates through the Kubernetes API server to reach Tiller, leveraging existing Kubernetes authentication support.) -Shared and production clusters -- for the most part -- should use Helm 2.7.2 at a minimum and configure TLS for each Tiller gRPC endpoint to ensure that within the cluster usage of gRPC endpoints is only for the properly authenticated identity for that endpoint. Doing so enables any number of Tiller instances to be deployed in any number of namespaces and yet no unauthenticated usage of any gRPC endpoint is possible. Finally, usa Helm `init` with the `--tiller-tls-verify` option to install Tiller with TLS enabled and to verify remote certificates, and all other Helm commands should use the `--tls` option. +Shared and production clusters -- for the most part -- should use Helm 2.7.2 at a minimum and configure TLS for each Tiller gRPC endpoint to ensure that within the cluster usage of gRPC endpoints is only for the properly authenticated identity for that endpoint. Doing so enables any number of Tiller instances to be deployed in any number of namespaces and yet no unauthenticated usage of any gRPC endpoint is possible. Finally, use Helm `init` with the `--tiller-tls-verify` option to install Tiller with TLS enabled and to verify remote certificates, and all other Helm commands should use the `--tls` option. 
For more information about the proper steps to configure Tiller and use Helm properly with TLS configured, see [Using SSL between Helm and Tiller](tiller_ssl.md).