Implements HIP-0025 to give chart authors first-class control over
deployment ordering of chart resources and subcharts. Helm operators
opt in via --wait=ordered (or WaitStrategy=ordered in the SDK); default
behavior for Chart v2 is unchanged.
== Foundations ==
- DAG abstraction (pkg/chart/v2/util/dag.go) with topological batch
output and cycle detection.
- Resource-group annotation parsing and dependency tracking
(pkg/release/v1/util/resource_group.go) for helm.sh/resource-group
and helm.sh/depends-on/resource-groups; resource IDs are
apiVersion/Kind/Namespace/Name to disambiguate cross-namespace.
- Subchart DAG (pkg/chart/v2/util/subchart_dag.go) reading depends-on
on Chart.yaml dependencies and the helm.sh/depends-on/subcharts
annotation. BuildSubchartDAG inspects c.Dependencies() (post
ProcessDependencies) so it correctly respects conditions, tags, and
aliases - addresses joejulian's review feedback on metadata
heuristics.
- DependsOn []string field on chart.Dependency (pkg/chart/v2/dependency.go).
- SequencingInfo metadata stored on the release object
(pkg/release/v1/release.go) so rollback knows whether a revision
was sequenced.
- Custom readiness via helm.sh/readiness-success and helm.sh/readiness-failure
JSONPath expressions (pkg/kube/readiness.go); falls back to kstatus
if either is missing. Failure conditions take precedence over success.
== Action integration ==
- pkg/action/sequencing.go: sequencedDeployment with per-batch deadline
via min(), context.Done() honored at build/create/wait phases, and
isolated/partial-readiness warnings emitted once per batch (not per
poll tick).
- Install, upgrade, rollback, and uninstall actions consume
WaitStrategy=ordered. Sequenced uninstall and rollback are gated on
the release's stored SequencingInfo to enforce the HIP "reverse
install order" semantic.
- ReadinessTimeout (default 1m) is capped by --timeout and applied
per batch.
- Manifest path recovery for nested subcharts on rollback/uninstall.
== CLI ==
- --wait=ordered on install, upgrade, rollback, AND uninstall. The
AddOrderedWaitFlag helper in pkg/cmd/flags.go is shared across all
four commands.
- --readiness-timeout flag with docstring clarifying that "ready" is
determined by kstatus signals or custom readiness annotations, and
that vanilla Jobs need --wait-for-jobs.
- helm template emits "## START resource-group: <chart> <name>" /
"## END resource-group: ..." delimiters when --wait=ordered. Falls
back to flat manifest output with a warning if YAML parsing fails.
== Lint ==
- pkg/chart/v2/lint/rules/sequencing.go: ErrorSev for circular subchart
deps, partial readiness annotations, and orphan
helm.sh/depends-on/resource-groups references. Empty annotation
values are treated as absent (matches runtime behavior).
== Tests + fixtures ==
- Unit tests for DAG, subchart DAG, lint rules, readiness JSONPath,
resource-group parsing, sequencing action, ordered template output,
and CLI flag wiring. Includes context-cancellation coverage for
sequencedDeployment per joejulian's request.
- Integration testchart at pkg/cmd/testdata/testcharts/sequenced-chart/
exercising parent->subchart and resource-group ordering.
== Backward compatibility ==
Sequencing is gated on WaitStrategy == OrderedWaitStrategy. Charts
without HIP-0025 annotations or --wait=ordered behave exactly as
before. The depends-on field on Chart.yaml dependencies is silently
accepted and unknown to upstream-stable lint (forward-compat fix
to be tracked separately once HIP is accepted).
Refs: HIP-0025
Addresses: joejulian and Copilot review feedback on PR #32038
Signed-off-by: Rohit Gudi <50377477+caretak3r@users.noreply.github.com>
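
The topological batch output, cycle detection and orphan-reference check described in the commit message above, as an added Go example; it is not the code in pkg/chart/v2/util/dag.go. The `Batches` function, its map input (standing in for parsed helm.sh/depends-on/resource-groups values) and the group names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Batches orders resource groups into deployment batches. deps maps every declared
// group to the groups it depends on; orphan references and cycles are errors.
func Batches(deps map[string][]string) ([][]string, error) {
	indeg, dependents := map[string]int{}, map[string][]string{}
	for g, ds := range deps {
		for _, d := range ds {
			if _, ok := deps[d]; !ok {
				return nil, fmt.Errorf("group %q depends on undeclared group %q", g, d)
			}
			indeg[g]++
			dependents[d] = append(dependents[d], g)
		}
	}
	var ready []string
	for g := range deps {
		if indeg[g] == 0 {
			ready = append(ready, g)
		}
	}
	out, placed := [][]string(nil), 0
	for len(ready) > 0 {
		sort.Strings(ready) // deterministic order inside a batch
		out = append(out, ready)
		placed += len(ready)
		var next []string
		for _, g := range ready {
			for _, dep := range dependents[g] {
				if indeg[dep]--; indeg[dep] == 0 {
					next = append(next, dep)
				}
			}
		}
		ready = next
	}
	if placed != len(deps) { // groups never freed are on, or behind, a cycle
		return nil, fmt.Errorf("dependency cycle blocks %d group(s)", len(deps)-placed)
	}
	return out, nil
}

func main() { // constructed sample; the group names are hypothetical
	fmt.Println(Batches(map[string][]string{"database": nil, "app": {"database"}, "ingress": {"app"}}))
}
```

Walking the returned batches from last to first gives the "reverse install order" the message mentions for sequenced uninstall and rollback.
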
Multiple changes were made to pass linting. Some Go built-in names
are being used for variables (e.g., min). This happens in the Go
source itself including the Go standard library and is not always
a bad practice.
To handle allowing some built-in names to be used the linter config
is updated to allow (via opt-in) some names to pass. This allows us
to still check for re-use of Go built-in names and opt-in to any
new uses.
There were also several cases where a value was checked for nil
before checking its length when this is already handled by len()
or the type's default value. These were cleaned up.
The license validation was updated because it was checking everything
in the .git directory including all remote content that was local.
The previous vendor directory was from a time prior to Go modules
when Helm handled dependencies differently. It was no longer needed.
Signed-off-by: Matt Farina <matt.farina@suse.com>
Updates the script to use the new method of getting
the latest version that avoids the github API and
the associated rate limits. See the matching PR
at https://github.com/helm/helm/pull/12396 for
the server side change.
Signed-off-by: Ian Zink <zforce@gmail.com>
By specifying the binary-name in the copy-operation the
script will fail if the directory does not exist instead
of silently installing the binary with the name of
the directory (e.g. /usr/local/bin)
Closes #10298
Signed-off-by: Dominik Stadler <dominik.stadler@gmx.at>
When `get`/`get-helm-3` is run with a HELM_INSTALL_DIR containing spaces, the installation fails.
Closes #9346
Signed-off-by: Michael Musenbrock <michael.musenbrock@gmail.com>
What this PR does / why we need it:
Fix for issue #9253. The link taken from the project's GitHub page has been used for consistency across the documentation.
Signed-off-by: Jack Whitter-Jones <jackwhitterjones@gmail.com>
Now no matter what desired version provides, always give info "Helm ${TAG} is available.
Changing from version ${version}". It's obviously wrong.
This patch checks whether the desired version is actually available or not
by comparing the desired version with all available versions in
https://github.com/helm/helm/releases
Signed-off-by: Ma Xinjian <maxj.fnst@cn.fujitsu.com>
* Add GPG signature verification to install script
The script fetches the KEYS file from GitHub, as well
as the .asc files on the release and verifies the
release artifacts are signed by a valid key.
Added new boolean config options in the install script
which allow for fine-grained control over verification
and output:
- DEBUG: sets -x in the bash script (default: false)
- VERIFY_CHECKSUM: verifies checksum (default: true)
- VERIFY_SIGNATURE: verifies signature (default: true)
Also reduced check for curl/wget to only one time.
Resolves #7943.
Resolves #7838.
Signed-off-by: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com>
* disable signature verification by default
Signed-off-by: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com>
* remove repeated line
Signed-off-by: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com>
* fix typo
Signed-off-by: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com>
* do not auto-import GPG keys
Signed-off-by: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com>
* silence errors about missing commands
Signed-off-by: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com>
* use a temporary gpg keyring
Signed-off-by: Josh Dolitsky <393494+jdolitsky@users.noreply.github.com>
* Fix wget commands for VERIFY_SIGNATURES=true
Signed-off-by: jdolitsky <393494+jdolitsky@users.noreply.github.com>