ref: https://github.com/helm/helm/security/advisories/GHSA-c38g-469g-cmgx
* Skip invalid chart versions when reading the repository index file or
when programmatically adding a chart version.
* Adds semver validation and strips non-printable characters and
normalizes spaces for string fields in Metadata.Validate()
* Fixes a unit test that was pulling a remote repo. Now uses a local
repo.
* Fixes ignored error in repo update command
Signed-off-by: Adam Reese <adam@reese.io>
The recent addition of oci:// to specify dependencies in the
Chart.yaml dependencies and with helm pull missed handling for the
dependency build command. This command was failing to handle OCI.
This change adds support for the dep build command following the
same pattern used to add oci:// functionality.
Signed-off-by: Matt Farina <matt@mattfarina.com>
* Implement `helm dep update` for oci dependencies
* New unit tests
* Remove `helm chart pull` command
* New `helm pull` does not depend on registry cache
Signed-off-by: Peter Engelbert <pmengelbert@gmail.com>
A previous update to automate finding charts in repos when update
was run did not take into account the case for no repo being
specified. This fixes that situation.
Closes#8940
Signed-off-by: Matt Farina <matt@mattfarina.com>
For backward compatibility, as suggested by @bacongobbler, we introduce
a new API NewTempServerWithCleanup
Signed-off-by: Li Zhijian <lizhijian@cn.fujitsu.com>
Two things changed in this commit...
1. The Build behavior was restored and the change only impacts
Update. This is a more minimal functionality change thats
a more secure behavior
2. Cleanup from Josh's feedback on the PR to create a const
and comment changes
Signed-off-by: Matt Farina <matt@mattfarina.com>
If a repository was not know to helm (e.g. added using helm repo add)
then Helm would use the range set in the depenencies as the version
in the lock file. Lock files should not have ranges since they are
locked to versions.
Helm did this because the version information for repositories was
not know to Helm. This change fixes that by making the repository
and chart information known to Helm so it can resolve the versions.
Closes#8449
Signed-off-by: Matt Farina <matt@mattfarina.com>
* fix(sdk): Polish the downloader/manager package error return
Close#8471
Signed-off-by: Dong Gang <dong.gang@daocloud.io>
* Modify the repositories validation function `resloveRepoNames` and add a
unit test.
Signed-off-by: Dong Gang <dong.gang@daocloud.io>
* Remove wrong commit
Signed-off-by: Dong Gang <dong.gang@daocloud.io>
* fix: write index.yaml file atomically
This refactors the already-existing `AtomicWriteFile` utility
to a central location and uses it to write index files
atomically.
This is done to avoid having half-written index files break
client requests.
Drive-bys:
- Add test for AtomicWriteFile.
- Add test IndexFile.WriteFile.
Signed-off-by: rabadin <rvbadin@gmail.com>
* Review fix: use RenameWithFallback instead of os.Rename
Signed-off-by: rabadin <rvbadin@gmail.com>
Co-authored-by: rabadin <rvbadin@gmail.com>
If several instances of Helm are run at the same moment and try to download the
same chart, some of them might see an empty or incomplete file in cache. Prevent
that by saving the dowloaded file atomically.
Closes#7600
Signed-off-by: Mikhail Gusarov <misha@ridge.co>
* Fix issue with apiVersion v1 lock digest
When apiVersion v1 chart dependencies are built with Helm 2
and then built with Helm 3, the lock digests differ. To avoid
this issue, a depdendency update is forced.
Signed-off-by: Martin Hickey <martin.hickey@ie.ibm.com>
* Check against Helm v2 hash
Handle scenario where dependency hash was generated by Helm v2
but need to do a dependency build with Helm v3.
Signed-off-by: Martin Hickey <martin.hickey@ie.ibm.com>
* Add unit test
Signed-off-by: Martin Hickey <martin.hickey@ie.ibm.com>
* Refactor unit test
Refactor unit test to use an existing chart as dependency
Signed-off-by: Martin Hickey <martin.hickey@ie.ibm.com>
* Update after review
Comments:
- https://github.com/helm/helm/pull/7261#discussion_r373827088
- https://github.com/helm/helm/pull/7261#discussion_r373827250
Signed-off-by: Martin Hickey <martin.hickey@ie.ibm.com>
* Include requirements.* as Files in APIVersionV1
Fixes#6974.
This ensures that when reading a Chart marked with APIVersion v1, we
maintain the behaviour of Helm v2 and include the requirements.yaml and
requirements.lock in the Files collection, and hence produce charts that
work correctly with Helm v2.
Signed-off-by: Paul "Hampy" Hampson <p_hampson@wargaming.net>
* Write out requirements.lock for APIVersion1 Charts
This keeps the on-disk format consistent after `helm dependency update`
of an APIVersion1 Chart.
Signed-off-by: Paul "Hampy" Hampson <p_hampson@wargaming.net>
* Exclude 'dependencies' from APVersion1 Chart.yaml
This fixes `helm lint` against an APIVersion1 chart packaged with Helm
v3.
Signed-off-by: Paul "Hampy" Hampson <p_hampson@wargaming.net>
* Generate APIVersion v2 charts for dependency tests
As the generated chart contains no requirements.yaml in its files list,
but has dependencies in its metadata, it is not a valid APIVersion v1
chart.
Signed-off-by: Paul "Hampy" Hampson <p_hampson@wargaming.net>
* Generate APIVersion v2 charts for manager tests
Specifically for the charts that have dependencies, the generated chart
contains no requirements.yaml in its files but has dependencies in its
metadata. Hence it is not a valid APIVersion v1 chart.
Signed-off-by: Paul "Hampy" Hampson <p_hampson@wargaming.net>
Fixes a few bugs related to tls config when installing charts:
1. When installing via relative path, tls config for the selected
repository was not being set.
2. The `--ca-file` flag was not being passed when constructing the
downloader.
3. Setting tls config was not checking for zero value in repo
config, causing flag to get overwritten with empty string.
There's still a few oddities here. I would expect that the flag
passed in on the command line would override the repo config, but
that's not currently the case. Also, we always set the cert, key
and ca files as a trio, when they should be set individually
depending on combination of flags / repo config.
Signed-off-by: James McElwain <jmcelwain@gmail.com>
`Update()` gets repo names before resolving a lock file by calling
`resolveRepoNames(req)`. But that method changes aliased repo URLs into
the actual URLs. That makes digests from `helm update` and `helm build`
be different for each other.
To make them in sync, setting actual (resolved) repo URLs into the
loaded chart during `helm build` is necessary. Thus, this commit adds an
extra step in the `Build()` implementation.
For comments, this commit also changes the name of `getRepoNames()` into
`resolveRepoNames()` to avoid misunderstanding since getters are
expected to not mutate their input data in general.
Signed-off-by: Hang Park <hangpark@kaist.ac.kr>
To make digests include information about Chart.yaml dependencies, not
only the lock file, digest calculation is changed to accept both
contents. This terminates the `dep build` command if Chart.yaml
dependencies have been updated so that `dep up` should be executed
properly, to prevent downloading wrong versions or mismatched subcharts.
Note that previous Helm cannot know whether Chart.yaml dependencies were changed
or not since the Chart.lock's digest is calculated by only Chart.lock
contents, which don't include information about SemVer ranges and extra
dependency fields such as aliases, conditions, and tags. Specially,
SemVer can be written as a version range in Chart.yaml, but Chart.lock
has the specific, resolved version of that range.
Signed-off-by: Hang Park <hangpark@kaist.ac.kr>
This code was ported over from PR #5038, #6738 which were originally for helm
v2. The code contains functions from golang/dep/internal/fs for renaming files.
Signed-off-by: Yagnesh Mistry <ysh@live.in>
This commit includes failing tests for a bug reported by #6416 and
several bugs due to #5874. `helm dependency build` command fails if one
of subcharts has optional dependency fields (e.g. Alias / Condition /
Tags) or SemVer ranges.
Signed-off-by: Hang Park <hangpark@kaist.ac.kr>
* Kubernetes updated to 1.16.1
* SemVer and Sprig updated to latest releases that leverage go
modules
* Tests and checks updated. These already landed in v2 via PR 6457
Signed-off-by: Matt Farina <matt@mattfarina.com>
* allow repository config via cli
* make `helm repo add` create repo config file if it does not exist
* squash a ton of bugs
Signed-off-by: Adam Reese <adam@reese.io>
These packages are generally used only for logic inside of Helm and
can later be re-exported as needed
Signed-off-by: Taylor Thomas <taylor.thomas@microsoft.com>
The stable repository provides a quick onboarding with a set of
community curated charts. Two problems with the community stable
repository has lead to its need to be removed.
1. The URL is hard coded to a Google Cloud bucket under Google's
control. This was setup when Helm was part of Kubernetes and
Kubernetes was a Google project. The bucket cannot be
transfered to another non-Google controlled project. And,
the bucket is not accessible in some parts of the world
(e.g., China).
2. The number of charts in the stable repository has grown
generally unmaintainable. The repository maintainers cannot
manage the number of PRs coming it cauing delays in response
or no response and PRs are automatically closed. This is
a poor experience.
The alternatice is the Helm Hub that provides a central point of
search for many Helm repositories. Different people and organizations
can maintain their own charts. A central server is not needed as
Helm is setup to be distributed.
Signed-off-by: Matt Farina <matt@mattfarina.com>
This restores the ability to pass in parameters at runtime to the
ChartDownloader, enabling users to pass in parameters like the --username
and --password flags.
Signed-off-by: Matthew Fisher <matt.fisher@microsoft.com>
This commit replaces usage of github.com/ghodss/yaml with it's forked
version maintained by SIG community. The replaced library has
low-to-none support activity unlike the latter. We believe the new
Helm branch could benefit from using the community-supported version on
a long-term run as yaml parser is a key component of Helm chart rendering
engine.
This commit locks sigs.k8s.io/yaml dependency version on 1.1.0 which
is backwards compatible with ghodss/yaml 1.0.0.
This change also resolves the outdated dependency version lock for
ghodss/yaml (currently 1.0.0) and makes it possible to port changes from
https://github.com/helm/helm/pull/6010 to dev-v3.
Signed-off-by: Oleg Sidorov <oleg.sidorov@booking.com>
instead of hard-coding the parameters being passed in the constructor, we should pass in an Options struct that can be used to pass in those parameters.
Signed-off-by: Matthew Fisher <matt.fisher@microsoft.com>
* Remove helmVersion constraint from charts
* Guard compile time set variables behind `internal/`
* Allow configuration of UserAgent for HTTPGetter
Signed-off-by: Adam Reese <adam@reese.io>
* fix(helm): fix golint warning due to ApiVersionV1 constant name
Signed-off-by: Arash Deshmeh <adeshmeh@ca.ibm.com>
* fix(helm): fix golint warning due to ResolveChartVersionAndGetRepo comment
Signed-off-by: Arash Deshmeh <adeshmeh@ca.ibm.com>
* fix(helm): fix golint warnings on HttpGetter type and SetCredentials method missing a comment
Signed-off-by: Arash Deshmeh <adeshmeh@ca.ibm.com>
* fix(helm):fix golint warning due to comment on FindChartInAuthRepoURL function
Signed-off-by: Arash Deshmeh <adeshmeh@ca.ibm.com>
* fix(helm): fix golint warning due to RepoFile type name
Signed-off-by: Arash Deshmeh <adeshmeh@ca.ibm.com>
* fix(helm): fix golint warning due to ParseString comment
Signed-off-by: Arash Deshmeh <adeshmeh@ca.ibm.com>
When a user enters a non-URL (such as stable)
in requirements.yaml and tries to `helm dep up`,
they get a potentially confusing error message.
This tries to make the error message clearer.
Closes#2672
* Closes#2937
Added required dependency to run make test in developer's guide
* Fixed base URL appending when chart address is not absolute
* Removed requirement from developers.md
* Fixed unnecessary line breaks
* Added tests for query string repo
* Returning URL along with error
In Helm 2.6.0, the new delete feature that deletes old versions of
charts is deleting subcharts that aren't in requirements.yaml.
In this patch, I judge the dependency whether it is included in the
requirements.yaml before deleting it.
Closes#2830
This change changes the order of operations in
pkg/downloader.Manager.downloadAll
Old charts are moved to tmp directory which is restored in case any
dependency update fails. Otherwise tmp dir is deleted.
When a repository is generated without --url, the packages in that
repository do not have FQDNs. In this case, the URL prefix (FQDN plus
base path) should be derived from the repository's base URL. This seems
to be a regression that crept in around Helm 2.2.0. This is now fixed.
Closes#2315Closes#2510
This flattens the getter package tree, adds tests, and changes a little
bit of the terminology to follow Go idioms. This also makes much of the
getter API private to begin with. This will give us more flexibility in
the future.
It is now possible to create plugins with chart download capabilities for custom, non-http protocols.
Furthermore it is possible to reuse helm packages to implement alternative clients with these custom downloader functions.
When downloader package moved to under /pkg, helmpath functions got called still from it, while it is under /cmd. This commit fixes the issue by moving helmpath after the downloader to have only cmd->pkg and pkg->pkg calls.
This makes it possible to do a `dep up` without refetching all of
the repositories.While it's less safe, it's useful when doing many
updates in a short period of time (such as in a CI/CD setting)
Closes#2019