For more information, please see the following URL:
https://github.com/helm/community/blob/main/hips/hip-0006.md
Note: OCI support remains experimental, and you are still
required to set HELM_EXPERIMENTAL_OCI=1 in your environment.
Signed-off-by: Josh Dolitsky <josh@dolit.ski>
ref: https://github.com/helm/helm/security/advisories/GHSA-c38g-469g-cmgx
* Skip invalid chart versions when reading the repository index file or
when programmatically adding a chart version.
* Adds semver validation and strips non-printable characters and
normalizes spaces for string fields in Metadata.Validate()
* Fixes a unit test that was pulling a remote repo. Now uses a local
repo.
* Fixes ignored error in repo update command
Signed-off-by: Adam Reese <adam@reese.io>
* Replace Helm Hub with Artifact Hub
Signed-off-by: Scott Rigby <scott@r6by.com>
* Update link to new doc entry for Monocular compatible search API
Signed-off-by: Scott Rigby <scott@r6by.com>
* Add struct for Artifact Hub data, and return correct URL for both artifact hub instances and backwards compatibility for Monocular search API
Signed-off-by: Scott Rigby <scott@r6by.com>
* Keep default endpoint hub.helm.sh, so the helm org controls the domain. At least until artifacthub moves to CNCF incubation
Signed-off-by: Scott Rigby <scott@r6by.com>
* Implement `helm dep update` for oci dependencies
* New unit tests
* Remove `helm chart pull` command
* New `helm pull` does not depend on registry cache
Signed-off-by: Peter Engelbert <pmengelbert@gmail.com>
Previously, if a range was specified for a file:// url as a
dependency the range would be put in the lockfile. Lockfiles are
designed to pin to a specific version and not support ranges. This
is for reproducibility.
The change here pins to the specific version of the chart
specified using the file:// when update is run.
Signed-off-by: Matt Farina <matt@mattfarina.com>
Currently, whenever the chart is printed, the digest of the .tar.gz
content layer is printed as the digest. The manifest digest is important
for OCI purposes, particularly in pushing to a registry.
Resolves #8248.
Signed-off-by: Peter Engelbert <pmengelbert@gmail.com>
Cobra 1.0 introduces custom Go completions. This commit replaces Helm's
own solution to use Cobra's solution.
This allows completely removing Helm's internal "completion" package.
Signed-off-by: Marc Khouzam <marc.khouzam@montreal.ca>
Add a unit test that proves the digest of the received content is being
checked. The check should ensure that the digest of the received content
is identical to the digest provided by the manifest in the layers[0]
descriptor. This check is currently implemented in containerd, so the
unit test ensures security in the case a breaking change is made in
containerd.
Signed-off-by: Peter Engelbert <pmengelbert@gmail.com>
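The check that commit message describes, written out as an added example (not Helm's or containerd's code): received content is compared against the size and SHA-256 digest in the manifest's layers[0] descriptor. `VerifyLayer0`, `SampleManifest`, `ErrDigestMismatch` and the sample bytes are hypothetical names and constructed data.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Descriptor and Manifest model only the OCI manifest fields this check needs.
type Descriptor struct {
	Digest string `json:"digest"`
	Size   int64  `json:"size"`
}
type Manifest struct {
	Layers []Descriptor `json:"layers"`
}

var ErrDigestMismatch = errors.New("content does not match manifest descriptor")
// VerifyLayer0 (hypothetical helper) checks content against the layers[0] descriptor.
func VerifyLayer0(manifestJSON, content []byte) error {
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil || len(m.Layers) == 0 {
		return fmt.Errorf("manifest unusable (layers=%d): %v", len(m.Layers), err)
	}
	d := m.Layers[0]
	want := strings.TrimPrefix(d.Digest, "sha256:")
	if want == d.Digest || len(want) != 64 {
		return fmt.Errorf("unsupported or malformed digest %q", d.Digest)
	}
	if int64(len(content)) != d.Size {
		return fmt.Errorf("%w: got %d bytes, want %d", ErrDigestMismatch, len(content), d.Size)
	}
	if got := fmt.Sprintf("%x", sha256.Sum256(content)); got != want {
		return fmt.Errorf("%w: got sha256:%s", ErrDigestMismatch, got)
	}
	return nil
}

// SampleManifest builds a constructed manifest describing content as layers[0].
func SampleManifest(content []byte) []byte {
	d := Descriptor{Digest: fmt.Sprintf("sha256:%x", sha256.Sum256(content)), Size: int64(len(content))}
	b, _ := json.Marshal(Manifest{Layers: []Descriptor{d}})
	return b
}
func main() {
	good := []byte("constructed chart bytes")
	fmt.Println(VerifyLayer0(SampleManifest(good), good))
}
```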
With a large list of charts, `helm chart list` will crash with the
following message:
```
$ helm chart list --debug
Error: open
/home/me/.cache/helm/registry/cache/blobs/sha256/109971e44d63f7fd11fff60d19db41c2429a136943be2e3f8fd3e4c165156536:
too many open files
helm.go:75: [debug] open
/home/me/.cache/helm/registry/cache/blobs/sha256/109971e44d63f7fd11fff60d19db41c2429a136943be2e3f8fd3e4c165156536:
too many open files
```
Signed-off-by: Peter Engelbert <pmengelbert@gmail.com>
* fix: make the linter coalesce the passed-in values before running values tests
Signed-off-by: Matt Butcher <matt.butcher@microsoft.com>
* fixed typo
Signed-off-by: Matt Butcher <matt.butcher@microsoft.com>