Go passes x509 verification off to the platform and different
platforms provide different responses. The Go tests for x509
even have different test files for different platform providers
that check for different messages.
This update haldes darwins difference for x509 authority handling
Closes#11159
Signed-off-by: Matt Farina <matt@mattfarina.com>
Exporting those fields enable 3rd party users to build their own mocked PullResult responses.
Related #10623
Signed-off-by: Antonio Gamez Diaz <agamez@vmware.com>
Confirm that the current and updated revision numbers also match as part
of the readiness check. Add coverage for readiness scenarios where
StatefulSet status does not reflect the most recent generation of the
StatefulSet yet.
Also add additional logging around the sts transitions from non-ready to
ready.
Fixes: #10163
Signed-off-by: Dominic Evans <dominic.evans@uk.ibm.com>
Fix list command for SQL storage driver
Fix SQL storage drivers tests after adding custom labels support
Remove notes that SQL driver not supported for storing labels in install and upgrade
Signed-off-by: Dmitry Chepurovskiy <dm3ch@dm3ch.net>
Signed-off-by: Dmitry Chepurovskiy <me@dm3ch.net>
Add a new flags and associated environment variables to override
the TLS Settings used when constructing the Kube Client.
- `--kube-insecure-skip-tls-verify | HELM_KUBEINSECURE_SKIP_TLS_VERIFY`: if true, the kube api server's certificate will not be checked for validity. This will make your HTTPS connections insecure
- `--kube-tls-server-name | HELM_KUBETLS_SERVER_NAME`: server name to use for kube api server certificate validation. If it is not provided, the hostname used to contact the server is used
Signed-off-by: Justen Walker <justen.walker+github@gmail.com>
* feat: add configuration for client-side throttling limit
Client-side throttling seems to be an issue in larger environments such as OpenShift clusters, where
it is common to have several hundreds CRDs out-of-the-box.
From this view point, it is fair that clients should be able to fine tune this accordingly should the
environment they work on evolves, which is currently not possible, and quite frustrating.
This change introduces the --default-burst-limit option to helm (and its counterpart
HELM_DEFAULT_BURST_LIMIT environment variable) to address that issue, allowing clients to properly
tune their client usage as their environment evolves.
Signed-off-by: Igor Sutton <isuttonl@redhat.com>
* chore: change DefaultBurstLimit to BurstLimit
Signed-off-by: Igor Sutton <isuttonl@redhat.com>
* chore: add HELM_BURST_LIMIT to golden file
Signed-off-by: Igor Sutton <isuttonl@redhat.com>
* chore: add burst limit tests
Signed-off-by: Igor Sutton <isuttonl@redhat.com>
* docs: add burst limit default value to documentation
Signed-off-by: Igor Sutton <isuttonl@redhat.com>
* refactor: change burst limit default value to 100 per review instructions
Signed-off-by: Igor Sutton <isuttonl@redhat.com>
This required modifying the `kube.Factory` interface to conform to
changes in k8s' `cmdutil.Factory` interface:
fe3772890f
Signed-off-by: Andrew Seigner <andrew@sig.gy>
go:build is the new conditional compilation directive used to specify build constraints. It was introduced in Go 1.17. It is meant to replace the old +build directives.
Now that go.mod points to Go 1.17 we no longer need to support both
build flags.
Signed-off-by: Matthew Fisher <matt.fisher@fermyon.com>
Fixed old releases rotation procedure to not require a deployed release to exists.
An error will arise when there are no successfully deployed release yet, but releases history limit has been reached. In such situation helm will refuse to upgrade release anymore with "... has no deployed releases" error.
Furthermore, release rotation procedure already expecting lastDeployedRelease to be either nil, or not nil. So it is assumed that deployed release may exist or may not and these both outcomes were already expected as a valid situation rather than a failure.
Reworked storage_test.go TestStorageRemoveLeastRecentWithError test case: use mocked driver and test release creation procedure does not shadows errors from the underneath release rotation procedure.
Signed-off-by: Timofey Kirillov <timofey.kirillov@flant.com>
When used with helm install, helm template, helm upgrade, it enables
to set json values (scalars/objects/arrays) from the command line.
Closes#10428
Signed-off-by: Luca Di Rocco <lucadirocco@gmail.com>
The directory created by `T.TempDir` is automatically removed when the
test and all its subtests complete.
Reference: https://pkg.go.dev/testing#T.TempDir
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
Quiet flag reduce the verbosity, such that the only text
that is written to the console is lint warnings/errors
Closes#9994
Signed-off-by: Piotr Resztak <piotr.resztak@gmail.com>
golint which is used as one of the sublinters in golangci-lint is deprecated.
It is replaced with revive which is a drop-in replacement.
Signed-off-by: Martin Hickey <martin.hickey@ie.ibm.com>
Co-authored-by: Martin Mulholland <mmulholl@redhat.com>
`os.ReadDir` was added in Go 1.16 as part of the deprecation of `ioutil`
package. It is a more efficient implementation than `ioutil.ReadDir` as
stated here https://pkg.go.dev/io/ioutil#ReadDir.
Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
When range support for OCI went in via #10527 it created a situation
where some lookups for a chart could cause a panic. This change
makes sure the registry client is available to lookup OCI charts
Signed-off-by: Matt Farina <matt.farina@suse.com>
Note, there is OCI handling later in the funtion that should
handle the situation instead.
Closes#10534
Signed-off-by: Matt Farina <matt.farina@suse.com>
Largely borrowed from (IndexFile).Get. However there is not currently a nice
way to make this code also usable to the repo package, as IndexFile depends on
a list of index Entries containing a nexted version.
We could refactor this later to somehow use the same shared function, but for
now keeping separate.
Signed-off-by: Scott Rigby <scott@r6by.com>
Note, there is OCI handling later in the funtion that should
handle the situation instead.
Closes#10534
Signed-off-by: Matt Farina <matt.farina@suse.com>
Before this change, several of the potential errors during the process
of signing a package were skipped.
Crucially, `Close()`ing the ReadCloser from the gpg clearsigner is the call
which actually does the signing, and so has several points of failure
which are ignored; for example, if there's a problem with the format of
the key.
Also changes the error from messageBlock() to be propagated rather than
being swallowed, and adds a test for the case where a signer fails to
sign.
Signed-off-by: Ashley Davis <ashley.davis@jetstack.io>
The partition value can be greater than number of replicas, in that
case no pods are rolled out. The expectedReplicas becomes a negative
number.
https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#partitions
In the cases where the update does not change anything in the pod
template, the updatedReplicas value from StatefulSet status remains
unchanged. Such updates can still set some partition value, and
UpdatedReplicas is always greater than expectedReplicas. Basically,
the StatefulSet is ready / rolled-out.
In both the above scenarios, providing `--wait` flag causes it to
timeout waiting indefinitely. Because updatedReplicas can never be
negative, or be equal to the expectedReplicas for the second case.
This commit handles both the scenarios by checking if UpdatedReplicas
is smaller than expectedReplicas. If it is, then the StatefulSet is
not ready yet.
Based on the code from kubectl rollout:
a450ebd59c/pkg/polymorphichelpers/rollout_status.go (L138-L141)Closes#8674
Signed-off-by: Bhavin Gandhi <bhavin7392@gmail.com>
This bug came about because of three issues that this change
corrects:
- The CI scripts run on a pull request did not test building
Helm. This means that a failure to set a variable using LDFLAGS
had no opportunity to be caught.
- #8608 provided a means to match the k8s version used in linting
and chartutil with the version of the package we pull in. With
one problem. It attempts to set a const as if it were a string.
This is ignored and everyone missed it.
- #10325 moved those constants to vars so it could be set. This
looked good and passed tests but missed that you can't set an
int as if it were a string. See first bullet.
This change fixes this by moved the internal representation to
be a string. These are internal variables not exposed in the public
API which makes this change non-breaking to the API.
Closes#10367
Signed-off-by: Matt Farina <matt.farina@suse.com>
When running helm lint, import-values for dependencies are ignored,
also added test for linting chart with import-values
Closes#9658
Signed-off-by: Stuart Drennan <stuart.drennan@gmail.com>
Problem: the warnings don't give enough details about which
values are problematic, only the name of the leaf key. This is
all the more annoying when you have a chart depending on other charts.
```
mainchart
|
+- subchart1
+- subchart2
+- subchart3
```
Here are some warnings I get before the change:
```
coalesce.go:199: warning: destination for credentials is a table. Ignoring non-table value
coalesce.go:160: warning: skipped value for resources: Not a table.
coalesce.go:160: warning: skipped value for googleSheetsServiceAccount: Not a table.
coalesce.go:199: warning: destination for googleSheetsServiceAccount is a table. Ignoring non-table value
coalesce.go:199: warning: destination for resources is a table. Ignoring non-table value []
coalesce.go:199: warning: destination for credentials is a table. Ignoring non-table value
coalesce.go:199: warning: destination for credentials is a table. Ignoring non-table value
coalesce.go:160: warning: skipped value for resources: Not a table.
coalesce.go:160: warning: skipped value for googleSheetsServiceAccount: Not a table.
```
with fix:
```
coalesce.go:162: warning: skipped value for subchart1.resources: Not a table.
coalesce.go:162: warning: skipped value for subchart2.googleSheetsServiceAccount: Not a table.
coalesce.go:211: warning: destination for subchart3.aws.credentials is a table. Ignoring non-table value ()
coalesce.go:211: warning: destination for mainchart.subchart3.aws.credentials is a table. Ignoring non-table value ()
coalesce.go:211: warning: destination for mainchart.subchart2.googleSheetsServiceAccount is a table. Ignoring non-table value ()
coalesce.go:211: warning: destination for mainchart.subchart1.resources is a table. Ignoring non-table value ([])
coalesce.go:162: warning: skipped value for subchart1.resources: Not a table.
coalesce.go:162: warning: skipped value for subchart2.googleSheetsServiceAccount: Not a table.
coalesce.go:211: warning: destination for subchart3.aws.credentials is a table. Ignoring non-table value ()
```
Signed-off-by: Damien Nozay <damiennozay+github@gmail.com>
add tests
Signed-off-by: Damien Nozay <damiennozay+github@gmail.com>
Problem: the warnings don't give enough details about which
values are problematic, only the name of the leaf key. This is
all the more annoying when you have a chart depending on other charts.
```
mainchart
|
+- subchart1
+- subchart2
+- subchart3
```
Here are some warnings I get before the change:
```
coalesce.go:199: warning: destination for credentials is a table. Ignoring non-table value
coalesce.go:160: warning: skipped value for resources: Not a table.
coalesce.go:160: warning: skipped value for googleSheetsServiceAccount: Not a table.
coalesce.go:199: warning: destination for googleSheetsServiceAccount is a table. Ignoring non-table value
coalesce.go:199: warning: destination for resources is a table. Ignoring non-table value []
coalesce.go:199: warning: destination for credentials is a table. Ignoring non-table value
coalesce.go:199: warning: destination for credentials is a table. Ignoring non-table value
coalesce.go:160: warning: skipped value for resources: Not a table.
coalesce.go:160: warning: skipped value for googleSheetsServiceAccount: Not a table.
```
with fix:
```
coalesce.go:162: warning: skipped value for subchart1.resources: Not a table.
coalesce.go:162: warning: skipped value for subchart2.googleSheetsServiceAccount: Not a table.
coalesce.go:211: warning: destination for subchart3.aws.credentials is a table. Ignoring non-table value ()
coalesce.go:211: warning: destination for mainchart.subchart3.aws.credentials is a table. Ignoring non-table value ()
coalesce.go:211: warning: destination for mainchart.subchart2.googleSheetsServiceAccount is a table. Ignoring non-table value ()
coalesce.go:211: warning: destination for mainchart.subchart1.resources is a table. Ignoring non-table value ([])
coalesce.go:162: warning: skipped value for subchart1.resources: Not a table.
coalesce.go:162: warning: skipped value for subchart2.googleSheetsServiceAccount: Not a table.
coalesce.go:211: warning: destination for subchart3.aws.credentials is a table. Ignoring non-table value ()
```
Signed-off-by: Damien Nozay <damiennozay+github@gmail.com>
add tests
Signed-off-by: Damien Nozay <damiennozay+github@gmail.com>
This is a regression accidently introduced in #9957.
A delete call had been used on the Template key of vals. This caused
a condition where Template was not available when rendering via tpl.
The delete happened after ExecuteTemplate so the issue is surpsising.
It may possibly be a race condition. Existing tests did not catch it.
I tried to create a test that directly tested the issue and was
unable to replicate the error seen with real charts. This leads me
to believe it is a race condition in the underlying Go template
package.
The delete call was not there before #9957. It should be safe to
remove and keep that information.
Closes#10082
Signed-off-by: Matt Farina <matt.farina@suse.com>
If set, 'uninstall' command will wait until all the resources are deleted before returning.
It will wait for as long as --timeout
closes#2378
Signed-off-by: Mike Ng <ming@redhat.com>
This refactor cleans up downloadAll's validation, download, and save
logic:
1. A temporary directory is created, and removed after all references to
the struct have been dropped via `defer`
2. Any local dependencies in the `charts` directory are kept intact and validated
3. Charts that have been updated are moved to the `charts` directory
This refactor has a number of improvements, including:
- tmpCharts is removed after execution
- no remote charts are downloaded to destPath: they are all pulled into
tmpPath, validated, then moved to destPath
- lots of code cleanup/improvements, like the `if` block checking
whether the `charts` directory was actually not a directory. In some
cases it could be checking a `nil` object, causing a runtime panic.
- the cyclomatic complexity of the code was simplified
- extra (and in some cases, dangerous) calls to `os.RemoveAll` have been
refactored, cleaning the code and preventing certain failure cases.
A test has been provided to demonstrate the tmpCharts removal issue has
been fixed.
Signed-off-by: Matthew Fisher <matt.fisher@microsoft.com>
This subcommand will display manifests under `crds/` if some exist.
This also changes the behaviour of `show all` to include CRDs.
Signed-off-by: Mario Valderrama <woldy401@gmail.com>
The templating engine handles errors originating from the `required` and
`fail` template functions specially, cleaning up the error messages to
be more presentable to users. Go's text/template package unfortunately
does not make this straightforward to implement. Despite
template.ExecError implementing Unwrap, the error value returned from
the template function cannot be retrieved using errors.As. The wrapped
error in ExecError is a pre-formatted error string with the template
function's error string interpolated in with the original error value
erased. Helm works around this limitation by delimiting the
template-supplied message and extracting the message out of the
ExecError string with a regex.
Fix the parsing of `required` and `fail` error messages containing
newlines by setting the regex flag to make `.` match newline characters.
Signed-off-by: Cory Snider <csnider@mirantis.com>
Fix typos
Remove condition arround time.Sleep
Because a negative or zero duration causes Sleep to return immediately.
Signed-off-by: Stephane Moser <moser.sts@gmail.com>
Rename the package time
Redesgin the logic to make a FakeKubeClient wait for a ammount time.
Remove unneed logic in the PrintingKubeClient
Signed-off-by: Stephane Moser <moser.sts@gmail.com>
The 'helm.sh/resource-policy' annotation is only supported on top level
objects. The annotation is ignored if given on a nested object within a
list.
Ref #9829
Signed-off-by: Adam Reese <adam@reese.io>
Implement timer in the fake.go and printer.go to simulate the wait period
Add test Upgrade Release when it is interruped with SIGINT
Signed-off-by: Stephane Moser <moser.sts@gmail.com>
Replicate the same logic in that was implementd in the upgrade action to handle SIGINT
Rename mutexes to isolate the variables
Signed-off-by: Stephane Moser <moser.sts@gmail.com>
Use mutex to lock the action to report the upstream function
Wrap logic to report to upstream function in the function reportToPerformUpgrade
Signed-off-by: Stephane Moser <moser.sts@gmail.com>
Change the logic to release Upgrade to handle SIGTERMs
Extract logic to 2 goroutine so it is possible to handle SIGTERMS and the release flow
Fix go style
Signed-off-by: Stephane Moser <moser.sts@gmail.com>
The URL passed to the getter for WithURL needs to be a full URL
rather than a chart reference used at the CLI. For example,
bitnami/wordpress can point to the wordpress chart in the bitnami
repo where the bitnami repo is at https://charts.bitnami.com.
WithURL needs the full URL to the repo and not bitnami/wordpress.
This is important because getters use the full URL information.
In this case the http getter uses the host name for SNI handling.
Before this change WithURL was being set to the chart reference
instead of the URL. This was a silent bug.
This change sets WithURL using a URL after for the repo is
available when a reference is used instead of a full url.
Signed-off-by: Matt Farina <matt.farina@suse.com>
managedFields were a changed that landed in 1.18. This is an array
under metadata with managedFields. The kubernetes client pkgs that
Helm uses automatically add them.
This change added a manager for the managedFields. The flow for
deciding on the name to use is:
1. An explicit name if one is chosen
2. The base name of the first os.Arg (the binary name) if no name
explicitly set.
3. unknown if no name set and name cannot be detected
The name is at the package level as there is no other place to easily
set it for Helm v3. Since the name is for the binary or app it should
be ok to set app wide.
Signed-off-by: Matt Farina <matt.farina@suse.com>
It just makes the code better, I suppose the following is rational:
- use standard libaray common constants instead of hardcode though it's
really common
- close the response body even if the http status code is not 200 OK.
The doc says *It is the caller's responsibility to close Body*.
- move the `bytes.Buffer` return value declaration where it gets used.
Signed-off-by: longkai <im.longkai@gmail.com>
For more information, please see the following URL:
https://github.com/helm/community/blob/main/hips/hip-0006.md
Note: OCI support remains experimental, and you are still
required to set HELM_EXPERIMENTAL_OCI=1 in your environment.
Signed-off-by: Josh Dolitsky <josh@dolit.ski>
When '--reset-then-reuse-values' is used on 'helm upgrade', the chart's values will be
reset to the values of the deployed chart while the current release's values will be
reused and merged with the values passed as argument (is any). '--reset-values' and
'--reuse-values' flags take precedence over `--reset-then-reuse-values', making it
ignored if one or the other is also used.
Closes#8085, #3957
Signed-off-by: Quentin Devos <quentin@devos.pm>
Signed-off-by: Simon Croome <simon@croome.org>
Developer Certificate of Origin
Version 1.1
Copyright (C) 2004, 2006 The Linux Foundation and its contributors.
1 Letterman Drive
Suite D4700
San Francisco, CA, 94129
Everyone is permitted to copy and distribute verbatim copies of this
license document, but changing it is not allowed.
Developer's Certificate of Origin 1.1
By making a contribution to this project, I certify that:
(a) The contribution was created in whole or in part by me and I
have the right to submit it under the open source license
indicated in the file; or
(b) The contribution is based upon previous work that, to the best
of my knowledge, is covered under an appropriate open source
license and I have the right under that license to submit that
work with modifications, whether created in whole or in part
by me, under the same open source license (unless I am
permitted to submit under a different license), as indicated
in the file; or
(c) The contribution was provided directly to me by some other
person who certified (a), (b) or (c) and I have not modified
it.
(d) I understand and agree that this project and the contribution
are public and that a record of the contribution (including all
personal information I submit with it, including my sign-off) is
maintained indefinitely and may be redistributed consistent with
this project or the open source license(s) involved.
Signed-off-by: Simon Croome <simon.croome@storageos.com>
Ref: HIP 0008
When completing output formats, extra information will be shown
for shells that support completions (fish, zsh). For example:
$ helm status -o <TAB>
json -- Output result in JSON format
table -- Output result in human-readable format
yaml -- Output result in YAML format
Signed-off-by: Marc Khouzam <marc.khouzam@montreal.ca>
ref: https://github.com/helm/helm/security/advisories/GHSA-c38g-469g-cmgx
* Skip invalid chart versions when reading the repository index file or
when programmatically adding a chart version.
* Adds semver validation and strips non-printable characters and
normalizes spaces for string fields in Metadata.Validate()
* Fixes a unit test that was pulling a remote repo. Now uses a local
repo.
* Fixes ignored error in repo update command
Signed-off-by: Adam Reese <adam@reese.io>
Because backOffLimit can be 0, a zero value for pod status failed will
always cause the condition to return true.
Signed-off-by: James McElwain <jmcelwain@gmail.com>
This commit updates the default section in values.yaml for the example
ingress definition to correspond with the template.
Signed-off-by: Nick Jones <nick@dischord.org>
The recent addition of oci:// to specify dependencies in the
Chart.yaml dependencies and with helm pull missed handling for the
dependency build command. This command was failing to handle OCI.
This change adds support for the dep build command following the
same pattern used to add oci:// functionality.
Signed-off-by: Matt Farina <matt@mattfarina.com>
* Reduce linting severity for users of out-of-date kubernetes
Fixes#8596
Signed-off-by: Joe Julian <me@joejulian.name>
* add more verbose deprecation info
Signed-off-by: Joe Julian <me@joejulian.name>
* use new upstream deprecations
Signed-off-by: Joe Julian <me@joejulian.name>
* do not error for custom resources
Signed-off-by: Joe Julian <me@joejulian.name>
* Define deprecation version in lint rules by LDFLAG
Signed-off-by: Joe Julian <me@joejulian.name>
* make comment clearer
Signed-off-by: Joe Julian <me@joejulian.name>
* Extend the k8s version discovery and constants to chartutil
Signed-off-by: Joe Julian <me@joejulian.name>
* remove awk dependency
Signed-off-by: Joe Julian <me@joejulian.name>
* align k8s version constant names between capabilities.go and deprecations.go
Signed-off-by: Joe Julian <me@joejulian.name>
* show the error if the unexpected happens
Signed-off-by: Joe Julian <me@joejulian.name>
* bump k8sVersionMinor and golden chart templates for k8s 1.20
Signed-off-by: Joe Julian <me@joejulian.name>
* bump for tests to match 1.20.1
Signed-off-by: Joe Julian <me@joejulian.name>
While the comments may seem to state the obvious to someone with helm CLI
experience, an SDK-first user may find these comments helpful.
Signed-off-by: Daniel Lipovetsky <dlipovetsky@d2iq.com>
Previously, storage.Create was ignoring the error. This meant that a user that
relied on the recent release version cleanup would not be notified if that
cleanup failed, and release versions could grow without bound.
Closes#9145
Signed-off-by: Daniel Lipovetsky <dlipovetsky@d2iq.com>
* fix: Fixed bug - The flags --cert-file/--key-file where ignored when --insecure-skip-tls-verify flag is set
Signed-off-by: Dinu Mathai <Dinu.Mathai1@T-Mobile.com>
* fix: Added unit test
Signed-off-by: Dinu Mathai <Dinu.Mathai1@T-Mobile.com>
Note, randInt is now a function in sprig so the failing test needed
to be updated to a function that does not exist.
Signed-off-by: Matt Farina <matt@mattfarina.com>
* Implement `helm dep update` for oci dependencies
* New unit tests
* Remove `helm chart pull` command
* New `helm pull` does not depend on registry cache
Signed-off-by: Peter Engelbert <pmengelbert@gmail.com>
LoadFiles needs to load the Chart.yaml file first. When later files
are loaded there are checks for metadata. If that is not loaded
the checks could be handled incorrectly.
Signed-off-by: Matt Farina <matt@mattfarina.com>
A previous update to automate finding charts in repos when update
was run did not take into account the case for no repo being
specified. This fixes that situation.
Closes#8940
Signed-off-by: Matt Farina <matt@mattfarina.com>
Chart.yaml files have an annotation field that allow a chart to
have custom information similar to the way Kubernetes annotations
work.
In an index.yaml file each chart version can have annotations in
a similar manner to the Chart.yaml file. It is derived from the
same underlying struct.
These enable extension points where people can add their own info.
One thing missing is the ability to extend the top level of an
index file. This change adds annotations to the top level of an
index.yaml file. This would provide top level support for vendors
to extent index.yaml files.
Closes#8767
Signed-off-by: Matt Farina <matt@mattfarina.com>
A recent change merged into Helm fixes a number of security issues related to parsing malformed index files. Unfortunately, it also broke the ability for users to load index files from chartmuseum, which adds a "server info" field to add additional metadata.
This commit adds that field so that index files from chartmuseum can be validated. Since Helm does not use this field for anything, the information is discarded and unused.
Signed-off-by: Matthew Fisher <matt.fisher@microsoft.com>
For backward compatibility, as suggested by @bacongobbler, we introduce
a new API NewTempServerWithCleanup
Signed-off-by: Li Zhijian <lizhijian@cn.fujitsu.com>