Two things changed in this commit...
1. The Build behavior was restored and the change only impacts
Update. This is a more minimal functionality change thats
a more secure behavior
2. Cleanup from Josh's feedback on the PR to create a const
and comment changes
Signed-off-by: Matt Farina <matt@mattfarina.com>
If a repository was not know to helm (e.g. added using helm repo add)
then Helm would use the range set in the depenencies as the version
in the lock file. Lock files should not have ranges since they are
locked to versions.
Helm did this because the version information for repositories was
not know to Helm. This change fixes that by making the repository
and chart information known to Helm so it can resolve the versions.
Closes#8449
Signed-off-by: Matt Farina <matt@mattfarina.com>
* fix(sdk): Polish the downloader/manager package error return
Close#8471
Signed-off-by: Dong Gang <dong.gang@daocloud.io>
* Modify the repositories validation function `resloveRepoNames` and add a
unit test.
Signed-off-by: Dong Gang <dong.gang@daocloud.io>
* Remove wrong commit
Signed-off-by: Dong Gang <dong.gang@daocloud.io>
* Fix issue with apiVersion v1 lock digest
When apiVersion v1 chart dependencies are built with Helm 2
and then built with Helm 3, the lock digests differ. To avoid
this issue, a depdendency update is forced.
Signed-off-by: Martin Hickey <martin.hickey@ie.ibm.com>
* Check against Helm v2 hash
Handle scenario where dependency hash was generated by Helm v2
but need to do a dependency build with Helm v3.
Signed-off-by: Martin Hickey <martin.hickey@ie.ibm.com>
* Add unit test
Signed-off-by: Martin Hickey <martin.hickey@ie.ibm.com>
* Refactor unit test
Refactor unit test to use an existing chart as dependency
Signed-off-by: Martin Hickey <martin.hickey@ie.ibm.com>
* Update after review
Comments:
- https://github.com/helm/helm/pull/7261#discussion_r373827088
- https://github.com/helm/helm/pull/7261#discussion_r373827250
Signed-off-by: Martin Hickey <martin.hickey@ie.ibm.com>
* Include requirements.* as Files in APIVersionV1
Fixes#6974.
This ensures that when reading a Chart marked with APIVersion v1, we
maintain the behaviour of Helm v2 and include the requirements.yaml and
requirements.lock in the Files collection, and hence produce charts that
work correctly with Helm v2.
Signed-off-by: Paul "Hampy" Hampson <p_hampson@wargaming.net>
* Write out requirements.lock for APIVersion1 Charts
This keeps the on-disk format consistent after `helm dependency update`
of an APIVersion1 Chart.
Signed-off-by: Paul "Hampy" Hampson <p_hampson@wargaming.net>
* Exclude 'dependencies' from APVersion1 Chart.yaml
This fixes `helm lint` against an APIVersion1 chart packaged with Helm
v3.
Signed-off-by: Paul "Hampy" Hampson <p_hampson@wargaming.net>
* Generate APIVersion v2 charts for dependency tests
As the generated chart contains no requirements.yaml in its files list,
but has dependencies in its metadata, it is not a valid APIVersion v1
chart.
Signed-off-by: Paul "Hampy" Hampson <p_hampson@wargaming.net>
* Generate APIVersion v2 charts for manager tests
Specifically for the charts that have dependencies, the generated chart
contains no requirements.yaml in its files but has dependencies in its
metadata. Hence it is not a valid APIVersion v1 chart.
Signed-off-by: Paul "Hampy" Hampson <p_hampson@wargaming.net>
`Update()` gets repo names before resolving a lock file by calling
`resolveRepoNames(req)`. But that method changes aliased repo URLs into
the actual URLs. That makes digests from `helm update` and `helm build`
be different for each other.
To make them in sync, setting actual (resolved) repo URLs into the
loaded chart during `helm build` is necessary. Thus, this commit adds an
extra step in the `Build()` implementation.
For comments, this commit also changes the name of `getRepoNames()` into
`resolveRepoNames()` to avoid misunderstanding since getters are
expected to not mutate their input data in general.
Signed-off-by: Hang Park <hangpark@kaist.ac.kr>
To make digests include information about Chart.yaml dependencies, not
only the lock file, digest calculation is changed to accept both
contents. This terminates the `dep build` command if Chart.yaml
dependencies have been updated so that `dep up` should be executed
properly, to prevent downloading wrong versions or mismatched subcharts.
Note that previous Helm cannot know whether Chart.yaml dependencies were changed
or not since the Chart.lock's digest is calculated by only Chart.lock
contents, which don't include information about SemVer ranges and extra
dependency fields such as aliases, conditions, and tags. Specially,
SemVer can be written as a version range in Chart.yaml, but Chart.lock
has the specific, resolved version of that range.
Signed-off-by: Hang Park <hangpark@kaist.ac.kr>
This code was ported over from PR #5038, #6738 which were originally for helm
v2. The code contains functions from golang/dep/internal/fs for renaming files.
Signed-off-by: Yagnesh Mistry <ysh@live.in>
* Kubernetes updated to 1.16.1
* SemVer and Sprig updated to latest releases that leverage go
modules
* Tests and checks updated. These already landed in v2 via PR 6457
Signed-off-by: Matt Farina <matt@mattfarina.com>
* allow repository config via cli
* make `helm repo add` create repo config file if it does not exist
* squash a ton of bugs
Signed-off-by: Adam Reese <adam@reese.io>
These packages are generally used only for logic inside of Helm and
can later be re-exported as needed
Signed-off-by: Taylor Thomas <taylor.thomas@microsoft.com>
The stable repository provides a quick onboarding with a set of
community curated charts. Two problems with the community stable
repository has lead to its need to be removed.
1. The URL is hard coded to a Google Cloud bucket under Google's
control. This was setup when Helm was part of Kubernetes and
Kubernetes was a Google project. The bucket cannot be
transfered to another non-Google controlled project. And,
the bucket is not accessible in some parts of the world
(e.g., China).
2. The number of charts in the stable repository has grown
generally unmaintainable. The repository maintainers cannot
manage the number of PRs coming it cauing delays in response
or no response and PRs are automatically closed. This is
a poor experience.
The alternatice is the Helm Hub that provides a central point of
search for many Helm repositories. Different people and organizations
can maintain their own charts. A central server is not needed as
Helm is setup to be distributed.
Signed-off-by: Matt Farina <matt@mattfarina.com>
This restores the ability to pass in parameters at runtime to the
ChartDownloader, enabling users to pass in parameters like the --username
and --password flags.
Signed-off-by: Matthew Fisher <matt.fisher@microsoft.com>
This commit replaces usage of github.com/ghodss/yaml with it's forked
version maintained by SIG community. The replaced library has
low-to-none support activity unlike the latter. We believe the new
Helm branch could benefit from using the community-supported version on
a long-term run as yaml parser is a key component of Helm chart rendering
engine.
This commit locks sigs.k8s.io/yaml dependency version on 1.1.0 which
is backwards compatible with ghodss/yaml 1.0.0.
This change also resolves the outdated dependency version lock for
ghodss/yaml (currently 1.0.0) and makes it possible to port changes from
https://github.com/helm/helm/pull/6010 to dev-v3.
Signed-off-by: Oleg Sidorov <oleg.sidorov@booking.com>
When a user enters a non-URL (such as stable)
in requirements.yaml and tries to `helm dep up`,
they get a potentially confusing error message.
This tries to make the error message clearer.
Closes#2672
In Helm 2.6.0, the new delete feature that deletes old versions of
charts is deleting subcharts that aren't in requirements.yaml.
In this patch, I judge the dependency whether it is included in the
requirements.yaml before deleting it.
Closes#2830
This change changes the order of operations in
pkg/downloader.Manager.downloadAll
Old charts are moved to tmp directory which is restored in case any
dependency update fails. Otherwise tmp dir is deleted.
This flattens the getter package tree, adds tests, and changes a little
bit of the terminology to follow Go idioms. This also makes much of the
getter API private to begin with. This will give us more flexibility in
the future.
It is now possible to create plugins with chart download capabilities for custom, non-http protocols.
Furthermore it is possible to reuse helm packages to implement alternative clients with these custom downloader functions.