This adds support for generating the repository index file in JSON
format using the `--json` flag. The index itself is still written
to `index.yaml`, which is fully backwards compatible as YAML is a
superset of JSON.
For big indexes (think multiple megabytes), this approach is however
more efficient in combination with the changes to the load logic,
as it prevents a YAML -> JSON roundtrip during decoding.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
When an index is in a JSON format, the `sigs.k8s.io/yaml` package uses
an inefficient approach to unmarshaling the data, as it does an
unnecessary roundtrip on the data to transform the YAML to valid JSON.
To prevent this from happening, detect if the bytes which we attempt
to load contain valid JSON, and unmarshal them directly using
`json.Unmarshal` instead.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
At this time both Go 1.19 and 1.20 are supported. The version
specified in the go.mod file is the minimum version we expect Helm
to be compiled against. This is the oldest supported version to
support environments where others compile Helm. The Helm project
is using Go 1.20 to build Helm itself.
Updating to Go 1.19 also includes dealing with io/ioutil
deprecation and some additional linting issues around staticcheck.
All the staticcheck issues were in test files so linting was
skipped for those.
Signed-off-by: Matt Farina <matt.farina@suse.com>
ref: https://github.com/helm/helm/security/advisories/GHSA-c38g-469g-cmgx
* Skip invalid chart versions when reading the repository index file or
when programmatically adding a chart version.
* Adds semver validation and strips non-printable characters and
normalizes spaces for string fields in Metadata.Validate()
* Fixes a unit test that was pulling a remote repo. Now uses a local
repo.
* Fixes ignored error in repo update command
Signed-off-by: Adam Reese <adam@reese.io>
Chart.yaml files have an annotation field that allow a chart to
have custom information similar to the way Kubernetes annotations
work.
In an index.yaml file each chart version can have annotations in
a similar manner to the Chart.yaml file. It is derived from the
same underlying struct.
These enable extension points where people can add their own info.
One thing missing is the ability to extend the top level of an
index file. This change adds annotations to the top level of an
index.yaml file. This would provide top level support for vendors
to extent index.yaml files.
Closes#8767
Signed-off-by: Matt Farina <matt@mattfarina.com>
A recent change merged into Helm fixes a number of security issues related to parsing malformed index files. Unfortunately, it also broke the ability for users to load index files from chartmuseum, which adds a "server info" field to add additional metadata.
This commit adds that field so that index files from chartmuseum can be validated. Since Helm does not use this field for anything, the information is discarded and unused.
Signed-off-by: Matthew Fisher <matt.fisher@microsoft.com>
* fix: write index.yaml file atomically
This refactors the already-existing `AtomicWriteFile` utility
to a central location and uses it to write index files
atomically.
This is done to avoid having half-written index files break
client requests.
Drive-bys:
- Add test for AtomicWriteFile.
- Add test IndexFile.WriteFile.
Signed-off-by: rabadin <rvbadin@gmail.com>
* Review fix: use RenameWithFallback instead of os.Rename
Signed-off-by: rabadin <rvbadin@gmail.com>
Co-authored-by: rabadin <rvbadin@gmail.com>
This port fixes the bug #6820 for helm3
which was fixed in helm2 with the pull request 4850
https://github.com/helm/helm/pull/4850
Signed-off-by: Lam Le <lam281990@gmail.com>
Introduce the `--devel` flag for `helm repo search` command.
`helm repo search` - searches only for stable releases, prerelease versions will be skip
`helm repo search --devel` - searches for releases and prereleases (alpha, beta, and release candidate releases)
`helm repo search --version 1.0.0 - searches for release in version 1.0.0
Signed-off-by: Mateusz Szostok <szostok.mateusz@gmail.com>
* Kubernetes updated to 1.16.1
* SemVer and Sprig updated to latest releases that leverage go
modules
* Tests and checks updated. These already landed in v2 via PR 6457
Signed-off-by: Matt Farina <matt@mattfarina.com>
* allow repository config via cli
* make `helm repo add` create repo config file if it does not exist
* squash a ton of bugs
Signed-off-by: Adam Reese <adam@reese.io>
These packages are generally used only for logic inside of Helm and
can later be re-exported as needed
Signed-off-by: Taylor Thomas <taylor.thomas@microsoft.com>
This commit replaces usage of github.com/ghodss/yaml with it's forked
version maintained by SIG community. The replaced library has
low-to-none support activity unlike the latter. We believe the new
Helm branch could benefit from using the community-supported version on
a long-term run as yaml parser is a key component of Helm chart rendering
engine.
This commit locks sigs.k8s.io/yaml dependency version on 1.1.0 which
is backwards compatible with ghodss/yaml 1.0.0.
This change also resolves the outdated dependency version lock for
ghodss/yaml (currently 1.0.0) and makes it possible to port changes from
https://github.com/helm/helm/pull/6010 to dev-v3.
Signed-off-by: Oleg Sidorov <oleg.sidorov@booking.com>
This prevents the index command from recursing through directories.
Behind the scenes, it swaps out the repository logic for the index file
logic.
Closes#1328
I wrote urlJoin to fix URL joining, but I put it in the wrong place and
never used it. This moves it to the right place, and replaces the hacky
previous solution.
This removes the requirement that a fetch or install command must
explicitly state the version number to install. Instead, this goes to
the strategy used by OS package managers: Install the latest until told
to do otherwise.
Closes#1198
This performs a relatively weak in-memory translation of index file
data. It does not, in most cases, write the corrected data to disk, and
it emits a warning directly to STDERR each time it loads a deprecated
index.
Known limitations:
- It cannot recover certain bogus records that earlier alpha releases
generated (notably, where all chartfile data is missing)
- In some cases, it has to parse a filename to get version info. This is
lossy.
- Because it takes three passes through the YAML and JSON unmarshal, it
is not performant.
This feature is transitional and should be removed during the Beta
cycle, prior to the release of 2.0.0.
Closes#1265
This implements a new index file format for repository indices. It also
implements a new format for requirements.yaml.
Breaking change: This will break all previous versions of Helm, and will
impact helm search, repo, serve, and fetch functions.
Closes#1197
This also refactors significant portions of the CLI, moving much of the
shared code into a library.
Also in this release, a testing repository server has been added.
Matt Farina
George Jenkins
Hidde Beydals
Martin Hickey
yxxhero
Josh Soref
Adam Reese
Matt Farina
Matthew Fisher
Matt Butcher
Raphaël
Marc Khouzam
Lam Le
Mateusz Szostok
Taylor Thomas
Oleg Sidorov
Amanda Cameron
Shane Starcher
John Welsh
Anton Galitsyn
Anton Galitsyn
Adnan Abdulhussein
Matt Butcher
Matt Butcher
Keerthan Reddy Mala (kmala)
Brandon Philips
Michelle Noorali