ref: https://github.com/helm/helm/security/advisories/GHSA-c38g-469g-cmgx
* Skip invalid chart versions when reading the repository index file or
when programmatically adding a chart version.
* Adds semver validation and strips non-printable characters and
normalizes spaces for string fields in Metadata.Validate()
* Fixes a unit test that was pulling a remote repo. Now uses a local
repo.
* Fixes ignored error in repo update command
Signed-off-by: Adam Reese <adam@reese.io>
The completion of charts was using 'helm search repo' which can be
quite slow as it must parse the entire yaml of every repo cache file.
Using completion for a chart name can end up triggering multiple calls
to 'helm search'; this makes the user experience poor, as there is
a delay of over a second at every <TAB> press.
This commit creates a cache file for each repo which contains the list
of charts for that repo. The completion logic then uses this new
cache file directly and obtains the chart names very quickly.
With only the stable repo configured, this optimization makes the
completion of charts about 85 times faster, going from 1.2 seconds to
0.014 seconds; such a difference gives a much better user experience
when completing chart names.
On the other hand, adding the creation of the chart list cache file to
'helm repo update' or 'helm repo add' is pretty much negligible compared
to the downloading of the index file.
It is also worth noting that when more repos are configured,
'helm search repo' only becomes slower, while the completion logic that
uses the new chart list cache file will not be affected as it only looks
for the single relevant repo file.
Signed-off-by: Marc Khouzam <marc.khouzam@montreal.ca>
* allow repository config via cli
* make `helm repo add` create repo config file if it does not exist
* squash a ton of bugs
Signed-off-by: Adam Reese <adam@reese.io>
This commit replaces usage of github.com/ghodss/yaml with it's forked
version maintained by SIG community. The replaced library has
low-to-none support activity unlike the latter. We believe the new
Helm branch could benefit from using the community-supported version on
a long-term run as yaml parser is a key component of Helm chart rendering
engine.
This commit locks sigs.k8s.io/yaml dependency version on 1.1.0 which
is backwards compatible with ghodss/yaml 1.0.0.
This change also resolves the outdated dependency version lock for
ghodss/yaml (currently 1.0.0) and makes it possible to port changes from
https://github.com/helm/helm/pull/6010 to dev-v3.
Signed-off-by: Oleg Sidorov <oleg.sidorov@booking.com>
instead of hard-coding the parameters being passed in the constructor, we should pass in an Options struct that can be used to pass in those parameters.
Signed-off-by: Matthew Fisher <matt.fisher@microsoft.com>
* Remove helmVersion constraint from charts
* Guard compile time set variables behind `internal/`
* Allow configuration of UserAgent for HTTPGetter
Signed-off-by: Adam Reese <adam@reese.io>
* fix(helm): fix golint warning due to ApiVersionV1 constant name
Signed-off-by: Arash Deshmeh <adeshmeh@ca.ibm.com>
* fix(helm): fix golint warning due to ResolveChartVersionAndGetRepo comment
Signed-off-by: Arash Deshmeh <adeshmeh@ca.ibm.com>
* fix(helm): fix golint warnings on HttpGetter type and SetCredentials method missing a comment
Signed-off-by: Arash Deshmeh <adeshmeh@ca.ibm.com>
* fix(helm):fix golint warning due to comment on FindChartInAuthRepoURL function
Signed-off-by: Arash Deshmeh <adeshmeh@ca.ibm.com>
* fix(helm): fix golint warning due to RepoFile type name
Signed-off-by: Arash Deshmeh <adeshmeh@ca.ibm.com>
* fix(helm): fix golint warning due to ParseString comment
Signed-off-by: Arash Deshmeh <adeshmeh@ca.ibm.com>
* Closes#2937
Added required dependency to run make test in developer's guide
* Fixed base URL appending when chart address is not absolute
* Removed requirement from developers.md
* Fixed unnecessary line breaks
* Added tests for query string repo
* Returning URL along with error
This flattens the getter package tree, adds tests, and changes a little
bit of the terminology to follow Go idioms. This also makes much of the
getter API private to begin with. This will give us more flexibility in
the future.
It is now possible to create plugins with chart download capabilities for custom, non-http protocols.
Furthermore it is possible to reuse helm packages to implement alternative clients with these custom downloader functions.
This exposes the skip-refresh flag to helm init to make it possible to
initialize Helm without fetching the index.yaml of the stable repo.
This mirrors the behavior of 'helm dep up's skip-refresh flag.
Closes#2127
A regression was committed during 2.2.0 that broke the repositories.yaml
file format, switching the cache path from relative to absolute. This
fixes the error.
Closes#1974
Adam Reese
zouyu
yxxhero
Matthias Riegler
Marc Khouzam
Karuppiah Natarajan
Matt Farina
Matthew Fisher
hd-rk
Oleg Sidorov
adshmh
Eyal Ben Moshe
Christoph Hösler
Taylor Thomas
Michal Cwienczek
Nandor Kracser
Sushil Kumar
Matt Butcher
Gergo Huszty
Anton Galitsyn
Anton Galitsyn