The helm.sh/depends-on/resource-groups annotation contains multiple '/'
separators which fails Kubernetes annotation-key validation. The action
layer already strips it before SSA-applying via stripSequencingAnnotations,
but the template path emitted it verbatim, breaking
'helm template --wait=ordered | kubectl apply -f -'.

Lift the annotation list to pkg/release/v1/util.HelmInternalSequencingAnnotations
so both the action layer and the template renderer share one source of truth.
Add StripHelmInternalAnnotations as a line-based regex strip that preserves
surrounding byte order so 'helm template | diff' workflows stay stable.
Apply it in both ordered and flat template render paths and across hook
manifests for symmetry.

Refs HIP-0025.
Signed-off-by: Rohit Gudi <50377477+caretak3r@users.noreply.github.com>
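
The failure and the fix described in the commit message above, as an added example that is not Helm's own code: a key check that approximates the Kubernetes qualified-name rule, and a line-based strip that removes only the offending annotation lines. The names validAnnotationKey, stripInternal and internalKeys are hypothetical, the key list is an assumed subset, and the manifest is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Assumed subset for illustration; Helm's own list is HelmInternalSequencingAnnotations.
var internalKeys = []string{"helm.sh/depends-on/resource-groups"}

var nameRe = regexp.MustCompile(`^[A-Za-z0-9]([-A-Za-z0-9_.]*[A-Za-z0-9])?$`)

// validAnnotationKey approximates the Kubernetes qualified-name rule:
// an optional prefix, at most one '/', then a name of up to 63 characters.
func validAnnotationKey(key string) bool {
	parts := strings.Split(key, "/")
	if len(parts) > 2 || (len(parts) == 2 && parts[0] == "") {
		return false
	}
	name := parts[len(parts)-1]
	return len(name) <= 63 && nameRe.MatchString(name)
}

// stripInternal deletes whole lines whose mapping key is an internal
// annotation and leaves every other byte untouched, so diffs stay stable.
func stripInternal(manifest string) string {
	quoted := make([]string, len(internalKeys))
	for i, k := range internalKeys {
		quoted[i] = regexp.QuoteMeta(k)
	}
	re := regexp.MustCompile(`(?m)^[ \t]+["']?(?:` + strings.Join(quoted, "|") + `)["']?:.*\n?`)
	return re.ReplaceAllString(manifest, "")
}

// Constructed sample manifest; the annotation values are made up.
const sample = `apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
  annotations:
    helm.sh/resource-group: config
    helm.sh/depends-on/resource-groups: '["database"]'
`

func main() {
	fmt.Println(validAnnotationKey(internalKeys[0])) // two '/' separators, so rejected
	fmt.Print(stripInternal(sample))
}
```

A line-based strip like this does not handle annotation values written as multi-line block scalars; that case needs a YAML-aware pass.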
Implements HIP-0025 to give chart authors first-class control over
deployment ordering of chart resources and subcharts. Helm operators
opt in via --wait=ordered (or WaitStrategy=ordered in the SDK); default
behavior for Chart v2 is unchanged.

== Foundations ==
- DAG abstraction (pkg/chart/v2/util/dag.go) with topological batch
  output and cycle detection.
- Resource-group annotation parsing and dependency tracking
  (pkg/release/v1/util/resource_group.go) for helm.sh/resource-group
  and helm.sh/depends-on/resource-groups; resource IDs are
  apiVersion/Kind/Namespace/Name to disambiguate cross-namespace.
- Subchart DAG (pkg/chart/v2/util/subchart_dag.go) reading depends-on
  on Chart.yaml dependencies and the helm.sh/depends-on/subcharts
  annotation. BuildSubchartDAG inspects c.Dependencies() (post
  ProcessDependencies) so it correctly respects conditions, tags, and
  aliases - addresses joejulian's review feedback on metadata
  heuristics.
- DependsOn []string field on chart.Dependency (pkg/chart/v2/dependency.go).
- SequencingInfo metadata stored on the release object
  (pkg/release/v1/release.go) so rollback knows whether a revision
  was sequenced.
- Custom readiness via helm.sh/readiness-success and helm.sh/readiness-failure
  JSONPath expressions (pkg/kube/readiness.go); falls back to kstatus
  if either is missing. Failure conditions take precedence over success.

== Action integration ==
- pkg/action/sequencing.go: sequencedDeployment with per-batch deadline
  via min(), context.Done() honored at build/create/wait phases, and
  isolated/partial-readiness warnings emitted once per batch (not per
  poll tick).
- Install, upgrade, rollback, and uninstall actions consume
  WaitStrategy=ordered. Sequenced uninstall and rollback are gated on
  the release's stored SequencingInfo to enforce the HIP "reverse
  install order" semantic.
- ReadinessTimeout (default 1m) is capped by --timeout and applied
  per batch.
- Manifest path recovery for nested subcharts on rollback/uninstall.

== CLI ==
- --wait=ordered on install, upgrade, rollback, AND uninstall. The
  AddOrderedWaitFlag helper in pkg/cmd/flags.go is shared across all
  four commands.
- --readiness-timeout flag with docstring clarifying that "ready" is
  determined by kstatus signals or custom readiness annotations, and
  that vanilla Jobs need --wait-for-jobs.
- helm template emits "## START resource-group: <chart> <name>" /
  "## END resource-group: ..." delimiters when --wait=ordered. Falls
  back to flat manifest output with a warning if YAML parsing fails.

== Lint ==
- pkg/chart/v2/lint/rules/sequencing.go: ErrorSev for circular subchart
  deps, partial readiness annotations, and orphan
  helm.sh/depends-on/resource-groups references. Empty annotation
  values are treated as absent (matches runtime behavior).

== Tests + fixtures ==
- Unit tests for DAG, subchart DAG, lint rules, readiness JSONPath,
  resource-group parsing, sequencing action, ordered template output,
  and CLI flag wiring. Includes context-cancellation coverage for
  sequencedDeployment per joejulian's request.
- Integration testchart at pkg/cmd/testdata/testcharts/sequenced-chart/
  exercising parent->subchart and resource-group ordering.

== Backward compatibility ==
Sequencing is gated on WaitStrategy == OrderedWaitStrategy. Charts
without HIP-0025 annotations or --wait=ordered behave exactly as
before. The depends-on field on Chart.yaml dependencies is silently
accepted and unknown to upstream-stable lint (forward-compat fix
to be tracked separately once HIP is accepted).

Refs: HIP-0025
Addresses: joejulian and Copilot review feedback on PR #32038
Signed-off-by: Rohit Gudi <50377477+caretak3r@users.noreply.github.com>
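
The "topological batch output and cycle detection" named in the commit message above, as an added example that is not the code in pkg/chart/v2/util/dag.go: a Kahn-style pass that emits deploy batches and rejects orphan references and cycles. The function name batches and the resource-group names are hypothetical.

```go
package main

import (
	"fmt"
	"sort"
)

// batches returns deploy waves; deps maps a group to the groups it depends on.
func batches(deps map[string][]string) ([][]string, error) {
	indeg := make(map[string]int, len(deps))
	dependents := map[string][]string{}
	for g, ds := range deps {
		indeg[g] = len(ds)
		for _, d := range ds {
			if _, ok := deps[d]; !ok {
				return nil, fmt.Errorf("orphan reference: %q depends on undeclared %q", g, d)
			}
			dependents[d] = append(dependents[d], g)
		}
	}
	var out [][]string
	for len(indeg) > 0 {
		var ready []string
		for g, n := range indeg {
			if n == 0 {
				ready = append(ready, g)
			}
		}
		if len(ready) == 0 { // nothing can start: the remainder forms a cycle
			return nil, fmt.Errorf("dependency cycle among %d groups", len(indeg))
		}
		sort.Strings(ready) // deterministic order inside a batch
		for _, g := range ready {
			delete(indeg, g)
			for _, dep := range dependents[g] {
				indeg[dep]--
			}
		}
		out = append(out, ready)
	}
	return out, nil
}

func main() {
	// Constructed resource groups, not taken from any real chart.
	deps := map[string][]string{"database": nil, "config": nil, "app": {"database", "config"}, "ingress": {"app"}}
	b, err := batches(deps)
	fmt.Println(b, err)
}
```

Walking the returned batches from last to first gives the "reverse install order" the message describes for sequenced uninstall.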
Only user-supplied nils should survive coalescing. Chart-default nils
defaults, not just user overrides. This caused:
- %!s(<nil>) in templates using Bitnami common.secrets.key (#31919)
- pluck fallbacks returning nil instead of falling through to globals
(#31971)
Fixes #31919
Fixes #31971
Signed-off-by: Johannes Lohmer <jojo.dev@lohmer.com>
This ensures that when `helm uninstall` is run with `--keep-history`
any release in a `deployed` state other than the last release (e.g.
due to a failed upgrade) is being marked as `superseded`.

As a by-effect, running `helm upgrade` on a release which has been
uninstalled after an upgrade failure now no longer works. But instead
fails with a `"<name>" has no deployed releases` error. Which is the
(likely) intended behavior, and prevents other side-effects like
rolling back to a release version which happened before the uninstall
if `--atomic` (or `--rollback-on-failure`) was provided.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
This adds a --no-headers flag to the 'helm repo list' command,
allowing users to suppress table headers in the output.
Useful for scripting and automation.
Signed-off-by: Paul Van Laer <paul.van.laer1@gmail.com>
The `validateTemplatesDir` function would still return `nil` if the directory doesn't exist,
so the early return that was documented never occurs.
Signed-off-by: Zach Burgess <zachburg@google.com>
This reverts #13533

This change has caused issues with numerous charts around things
unrelated to toml. This is because of functions like typeIs/typeOf
being used and acted upon.

The change caused a significant regression.

Note: This kind of change can be put into v3 charts, that are in
active development, without causing a regression.

Closes #30880
Signed-off-by: Matt Farina <matt@mattfarina.com>
A new library was introduced that provides JSON Schema checking for
newer versions of the schema. In Helm v4, there is no need to have
two packages doing the JSON schema validation. The message output
can have breaking changes.

This change moves everything to the newer library. It also uses a
wrapper error to enable a clean Helm only interface for the
public Go API validation functions. This would enable the replacement
of the Schema validation library, if needed, without breaking the
Go API contract.
Signed-off-by: Matt Farina <matt.farina@suse.com>