msb-public/helm - helm - 马士兵教育代码仓库

Commit Graph

Author	SHA1	Message	Date
Kunal Jain	c441ebf043	Merge `1c9f24adf0` into `0752c1f5b5`	4 days ago
Matheus Pimenta	a4a9cc7a31	Upgrade Go to 1.26, Kubernetes to 1.36, kstatus to 1.1 Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>	2 weeks ago
Kunal Jain	1c9f24adf0	fix: separate list traversal from deduplication in SSA dedup Rename nameKeyedFields -> dedupFields and remove container lists (containers, initContainers, ephemeralContainers). Container lists are now always traversed to reach nested env/volumes, but are never deduplicated themselves — duplicate container names are invalid and must not be silently dropped with last-value-wins semantics. Add a test case asserting duplicate container names are preserved. Addresses Copilot review comment on PR #32061. Signed-off-by: Kunal Jain <qlapon@gmail.com>	3 weeks ago
Kunal Jain	dc0197c98d	test: add SSA integration test for duplicate env var deduplication Add TestPatchResourceServerSideDedupEnvVars to verify that duplicate env var entries in an unstructured manifest are removed from the PATCH body before server-side apply is sent, with last-value-wins semantics. Addresses Copilot review comment on PR #32061. Signed-off-by: Kunal Jain <qlapon@gmail.com>	3 weeks ago
Kunal Jain	bc82f2e18b	fix: narrow SSA dedup to name-keyed fields, guard empty name - Add nameKeyedFields allowlist (env, containers, initContainers, ephemeralContainers, volumes, imagePullSecrets) so deduplicateListMaps only touches list fields that are actually keyed by "name" under server-side apply merge semantics; volumeMounts and other lists that incidentally contain a "name" field are no longer collapsed - processNamedList now skips deduplication when any item's "name" is a missing or empty string, preventing unrelated entries from being treated as duplicates - Add regression tests: volumeMounts with duplicate names preserved, env list with empty name not deduplicated Addresses Copilot review comments on PR #32061. Signed-off-by: Kunal Jain <qlapon@gmail.com>	3 weeks ago
Kunal Jain	5b5d82d74e	fix: Duplicate env vars are now treated as errors in helm v4 Signed-off-by: Kunal Jain <qlapon@gmail.com>	3 weeks ago
abhay1999	f257c95c78	fix(kube): clarify server-side apply patch errors Signed-off-by: abhay1999 <abhaychaurasiya19@gmail.com>	1 month ago
Matthieu MOREL	c25c988cfb	chore(pkg): enable perfsprint linter #### Description enable perfsprint linter in pkg/registry Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>	2 months ago
Matheus Pimenta	bbec77c1f7	bugfix(kstatus): do not wait forever on failed resources Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>	4 months ago
Evans Mungai	40a9de1086	Merge pull request #31412 from fmuyassarov/devel/rollback Fix rollback for missing resources	4 months ago
Matheus Pimenta	59ece92bed	pkg/kube: introduce support for custom kstatus readers Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>	4 months ago
Feruzjon Muyassarov	374aeb4b4e	Fix rollback for missing resources Signed-off-by: Feruzjon Muyassarov <feruzjon.muyassarov@est.tech>	4 months ago
George Jenkins	a15db7f087	Replace deprecated `NewSimpleClientset` Signed-off-by: George Jenkins <gvjenkins@gmail.com>	5 months ago
George Jenkins	f8a49f1852	fixup test Signed-off-by: George Jenkins <gvjenkins@gmail.com>	6 months ago
Matheus Pimenta	efc1702657	Introduce a context for canceling wait operations Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>	6 months ago
Benoit Tigeot	7097c8e2e5	Replicate as unit test case where we fail once a resource deletion Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>	7 months ago
Benoit Tigeot	054eabddd7	Return errors on upgrade when deletion fails This is a rebase of https://github.com/helm/helm/pull/12299 as the pull request was tagged for Helm v4. Closes: https://github.com/helm/helm/issues/11375 Related: https://github.com/helm/helm/pull/7929 It was a pain to reproduce, here is a script: ``` set -u NS=default RELEASE=test-release CHART=./test-chart SA=limited-helm-sa HELM=${HELM:-./bin/helm} echo "Helm: $($HELM version)" echo "Cleaning…" $HELM uninstall "$RELEASE" -n "$NS" >/dev/null 2>&1 \|\| true kubectl -n "$NS" delete sa "$SA" role "${SA}-role" rolebinding "${SA}-rb" >/dev/null 2>&1 \|\| true kubectl -n "$NS" delete cronjob "$RELEASE-test-chart-cronjob" >/dev/null 2>&1 \|\| true rm -rf "$CHART" /tmp/limited-helm-kubeconfig echo "Create minimal chart with only a CronJob" $HELM create "$CHART" >/dev/null rm -f "$CHART"/templates/{deployment.yaml,service.yaml,hpa.yaml,tests/test-connection.yaml,serviceaccount.yaml} cat > "$CHART/templates/cronjob.yaml" <<'YAML' apiVersion: batch/v1 kind: CronJob metadata: name: {{ include "test-chart.fullname" . }}-cronjob spec: schedule: "/5 * * " jobTemplate: spec: template: spec: restartPolicy: OnFailure containers: - name: hello image: busybox command: ["/bin/sh","-c","date; echo Hello from CronJob"] YAML echo "RBAC: allow Helm storage, basic reads/creates, but NO delete on cronjobs" kubectl -n "$NS" apply -f - >/dev/null <<EOF apiVersion: v1 kind: ServiceAccount metadata: name: $SA --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: ${SA}-role rules: - apiGroups: [""] resources: ["secrets","configmaps"] verbs: ["get","list","watch","create","patch","update","delete"] - apiGroups: [""] resources: ["pods","events"] verbs: ["get","list","watch"] - apiGroups: ["batch"] resources: ["cronjobs"] verbs: ["get","list","watch","create","patch","update"] EOF kubectl -n "$NS" apply -f - >/dev/null <<EOF apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: ${SA}-rb subjects: - kind: ServiceAccount name: $SA roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: ${SA}-role EOF echo "Create kubeconfig for that SA" TOKEN=$(kubectl -n "$NS" create token "$SA") SERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}') CA_DATA=$(kubectl config view --minify --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}') KCFG=/tmp/limited-helm-kubeconfig cat > "$KCFG" <<EOF apiVersion: v1 kind: Config clusters: - name: local cluster: server: $SERVER certificate-authority-data: $CA_DATA contexts: - name: limited context: cluster: local namespace: $NS user: $SA current-context: limited users: - name: $SA user: token: $TOKEN EOF set +e echo "Install (as limited SA)" KUBECONFIG="$KCFG" $HELM upgrade --install "$RELEASE" "$CHART" -n "$NS" --wait echo "CronJob after install:" kubectl -n "$NS" get cronjob "$RELEASE-test-chart-cronjob" \|\| true echo "Remove CronJob from chart and add a small ConfigMap to force an upgrade" rm -f "$CHART/templates/cronjob.yaml" cat > "$CHART/templates/configmap.yaml" <<'YAML' apiVersion: v1 kind: ConfigMap metadata: name: {{ include "test-chart.fullname" . }}-config data: hello: world YAML echo "Upgrade without CronJob (as limited SA)" KUBECONFIG="$KCFG" $HELM upgrade --install "$RELEASE" "$CHART" -n "$NS" RC=$? echo "Post-upgrade verification" if kubectl -n "$NS" get cronjob "$RELEASE-test-chart-cronjob" >/dev/null 2>&1; then echo "OK: Stale CronJob still present: $RELEASE-test-chart-cronjob" else echo "NO_OK: CronJob deleted" fi echo "Helm exit code: $RC" exit 0 ``` With the current build: ```sh ./reproduce-helm-issue.sh Helm: version.BuildInfo{Version:"v4.0+unreleased", GitCommit:"f19bb9cd4c99943f7a4980d6670de44affe3e472", GitTreeState:"dirty", GoVersion:"go1.24.0"} Cleaning… Create minimal chart with CronJob + ConfigMap (we will remove both in v2) RBAC: allow Helm storage + delete for configmaps, but NO delete on cronjobs Create kubeconfig for that SA Install v1 (as limited SA) Release "test-release" does not exist. Installing it now. NAME: test-release LAST DEPLOYED: Tue Oct 14 18:55:57 2025 NAMESPACE: default STATUS: deployed REVISION: 1 DESCRIPTION: Install complete TEST SUITE: None NOTES: 1. Get the application URL by running these commands: export POD_NAME=$(kubectl get pods --namespace default -l "app.kubernetes.io/name=test-chart,app.kubernetes.io/instance=test-release" -o jsonpath="{.items[0].metadata.name}") export CONTAINER_PORT=$(kubectl get pod --namespace default $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") echo "Visit http://127.0.0.1:8080 to use your application" kubectl --namespace default port-forward $POD_NAME 8080:$CONTAINER_PORT Verify v1 objects exist NAME SCHEDULE TIMEZONE SUSPEND ACTIVE LAST SCHEDULE AGE test-release-test-chart-cronjob /5 * * * * <none> False 0 <none> 0s NAME DATA AGE test-release-test-chart-config 1 0s Prepare v2: remove BOTH CronJob and ConfigMap from the chart Upgrade to v2 (as limited SA) — expecting CronJob delete first, then ConfigMap - CronJob delete should FAIL (no delete permission) - ConfigMap delete should SUCCEED (delete allowed) — proves 'continue on error' and inverted order level=DEBUG msg="getting history for release" release=test-release level=DEBUG msg="getting release history" name=test-release level=DEBUG msg="preparing upgrade" name=test-release level=DEBUG msg="getting last revision" name=test-release level=DEBUG msg="getting release history" name=test-release level=DEBUG msg="number of dependencies in the chart" dependencies=0 level=DEBUG msg="determined release apply method" server_side_apply=true previous_release_apply_method=ssa level=DEBUG msg="performing update" name=test-release level=DEBUG msg="creating upgraded release" name=test-release level=DEBUG msg="creating release" key=sh.helm.release.v1.test-release.v2 level=DEBUG msg="getting release history" name=test-release level=DEBUG msg="using server-side apply for resource update" forceConflicts=false dryRun=false fieldValidationDirective=Strict upgradeClientSideFieldManager=false level=DEBUG msg="checking resources for changes" resources=0 level=DEBUG msg="deleting resource" namespace=default name=test-release-test-chart-config kind=ConfigMap level=DEBUG msg="deleting resource" namespace=default name=test-release-test-chart-cronjob kind=CronJob level=DEBUG msg="failed to delete resource" namespace=default name=test-release-test-chart-cronjob kind=CronJob error="cronjobs.batch \"test-release-test-chart-cronjob\" is forbidden: User \"system:serviceaccount:default:limited-helm-sa\" cannot delete resource \"cronjobs\" in API group \"batch\" in the namespace \"default\"" level=INFO msg="update completed" created=0 updated=0 deleted=1 level=WARN msg="update completed with errors" errors=1 level=DEBUG msg="updating release" key=sh.helm.release.v1.test-release.v1 level=WARN msg="upgrade failed" name=test-release error="failed to delete resource test-release-test-chart-cronjob: cronjobs.batch \"test-release-test-chart-cronjob\" is forbidden: User \"system:serviceaccount:default:limited-helm-sa\" cannot delete resource \"cronjobs\" in API group \"batch\" in the namespace \"default\"" level=DEBUG msg="updating release" key=sh.helm.release.v1.test-release.v2 Error: UPGRADE FAILED: failed to delete resource test-release-test-chart-cronjob: cronjobs.batch "test-release-test-chart-cronjob" is forbidden: User "system:serviceaccount:default:limited-helm-sa" cannot delete resource "cronjobs" in API group "batch" in the namespace "default" Post-upgrade verification Stale CronJob still present: test-release-test-chart-cronjob (expected if delete is forbidden) ConfigMap deleted as expected: test-release-test-chart-config (and after CronJob attempt) Helm exit code: 1 ``` With last version v3.19: ``` HELM=/usr/local/bin/helm ./reproduce-helm-issue.sh Helm: version.BuildInfo{Version:"v3.19.0", GitCommit:"3d8990f0836691f0229297773f3524598f46bda6", GitTreeState:"clean", GoVersion:"go1.24.7"} Cleaning… Create minimal chart with only a CronJob RBAC: allow Helm storage, basic reads/creates, but NO delete on cronjobs Create kubeconfig for that SA Install (as limited SA) Release "test-release" does not exist. Installing it now. NAME: test-release LAST DEPLOYED: Tue Oct 14 19:07:01 2025 NAMESPACE: default STATUS: deployed REVISION: 1 TEST SUITE: None NOTES: 1. Get the application URL by running these commands: export POD_NAME=$(kubectl get pods --namespace default -l "app.kubernetes.io/name=test-chart,app.kubernetes.io/instance=test-release" -o jsonpath="{.items[0].metadata.name}") export CONTAINER_PORT=$(kubectl get pod --namespace default $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") echo "Visit http://127.0.0.1:8080 to use your application" kubectl --namespace default port-forward $POD_NAME 8080:$CONTAINER_PORT CronJob after install: NAME SCHEDULE TIMEZONE SUSPEND ACTIVE LAST SCHEDULE AGE test-release-test-chart-cronjob /5 * * * <none> False 0 <none> 0s Remove CronJob from chart and add a small ConfigMap to force an upgrade Upgrade without CronJob (as limited SA) Release "test-release" has been upgraded. Happy Helming! NAME: test-release LAST DEPLOYED: Tue Oct 14 19:07:01 2025 NAMESPACE: default STATUS: deployed REVISION: 2 TEST SUITE: None NOTES: 1. Get the application URL by running these commands: export POD_NAME=$(kubectl get pods --namespace default -l "app.kubernetes.io/name=test-chart,app.kubernetes.io/instance=test-release" -o jsonpath="{.items[0].metadata.name}") export CONTAINER_PORT=$(kubectl get pod --namespace default $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") echo "Visit http://127.0.0.1:8080 to use your application" kubectl --namespace default port-forward $POD_NAME 8080:$CONTAINER_PORT Post-upgrade verification OK: Stale CronJob still present: test-release-test-chart-cronjob Helm exit code: 0 ``` Co-authored-by: dayeguilaiye <979014041@qq.com> Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>	7 months ago
Matt Farina	fbf02e494e	Merge pull request #30980 from gjenkins8/gjenkins/cleanup_kubeclient_interfaces cleanup: Remove/consolidate redundant kube client Interfaces	7 months ago
juejinyuxitu	69dbd6115e	chore: fix some typos in comment Signed-off-by: juejinyuxitu <juejinyuxitu@outlook.com>	8 months ago
George Jenkins	b5de5b1591	chore: Cleanup additional/redundant kube client Interfaces Signed-off-by: George Jenkins <gvjenkins@gmail.com>	8 months ago
George Jenkins	ebc874ef84	fix client-side to server-side field manager migration Signed-off-by: George Jenkins <gvjenkins@gmail.com>	9 months ago
George Jenkins	b2dc411f9d	code review (error checks, collapse forceConflicts, UpdateApplyFunc) Signed-off-by: George Jenkins <gvjenkins@gmail.com>	9 months ago
George Jenkins	99dc23f00b	switch target<->original Signed-off-by: George Jenkins <gvjenkins@gmail.com>	9 months ago
George Jenkins	741facca43	Update pkg/kube/client_test.go Signed-off-by: George Jenkins <gvjenkins@gmail.com>	9 months ago
George Jenkins	45141451b4	Kube client support server-side apply Signed-off-by: George Jenkins <gvjenkins@gmail.com>	9 months ago
Atish Kumar	008bd7fc82	test(pkg/kube/client): add test for isReachable Signed-off-by: Atish Kumar <allolro@gmail.com>	9 months ago
Matthieu MOREL	157f0ba10a	chore: enable thelper Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>	1 year ago
Robert Sirchia	4d580c6b95	Merge pull request #30810 from mmorel-35/usestdlibvars chore: enable usestdlibvars linter	1 year ago
Terry Howe	71787cca60	fix: rename slave replica Signed-off-by: Terry Howe <terrylhowe@gmail.com>	1 year ago
Matthieu MOREL	77a267dacf	chore: enable usestdlibvars linter Signed-off-by: Matthieu MOREL <matthieu.morel35@gmail.com>	1 year ago
Evans Mungai	e8e79cc4b4	Merge branch 'main' into fix-take-ownership Signed-off-by: Evans Mungai <mbuevans@gmail.com>	1 year ago
Benoit Tigeot	cbaac7652d	Call slog directly instead of using a wrapper Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>	1 year ago
Benoit Tigeot	b2380720eb	Migrate to pure slog without a custom wrapper Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>	1 year ago
Benoit Tigeot	b42767be40	Migrate more code to log adapter Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>	1 year ago
Benoit Tigeot	83cdffe4ae	Migrate to a dedicated internal package for slog adapter + migrate more Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>	1 year ago
Benoit Tigeot	394ba2d55e	Properly use DefaultLogger Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr>	1 year ago
Patrick Seidensal	e55707b09d	Fix --take-ownership If a resource exists in the cluster and is to be adopted by helm install --take-ownership, it is left unchanged while helm reports the installation to have succeeded. This is due to CRs and CRDs being merged without three-way-merge, which results in an empty patch. By using a three-way-merge transparently when --take-ownership is used, the helm behaves as expected without breaking previous behavior. Fixes #30622 Signed-off-by: Patrick Seidensal <pseidensal@suse.com>	1 year ago
Austin Abro	386523bdbc	update to get waiter instead of set Signed-off-by: Austin Abro <AustinAbro321@gmail.com>	1 year ago
Austin Abro	11eeb4a6b1	merge Signed-off-by: Austin Abro <AustinAbro321@gmail.com>	1 year ago
Chris Berry	6d30fa5990	Add HookOutputFunc and generic yaml unmarshaller Signed-off-by: Chris Berry <bez625@gmail.com>	1 year ago
Chris Berry	cde407b7d1	Add hook annotations to output pod logs to client on success and fail Signed-off-by: Chris Berry <bez625@gmail.com>	1 year ago
Austin Abro	7fde4962a8	set waiter in functions Signed-off-by: Austin Abro <AustinAbro321@gmail.com>	1 year ago
Austin Abro	f2dd2c9109	add hook only waiter Signed-off-by: Austin Abro <AustinAbro321@gmail.com>	1 year ago
Austin Abro	2b03c527f1	set command line flags Signed-off-by: Austin Abro <AustinAbro321@gmail.com>	1 year ago
Austin Abro	f1b642cb0d	unexport newWaiter function Signed-off-by: Austin Abro <AustinAbro321@gmail.com>	1 year ago
Austin Abro	8fe66998bf	refactor obj logic Signed-off-by: Austin Abro <AustinAbro321@gmail.com>	1 year ago
Austin Abro	eaa6e14546	test cleanup Signed-off-by: Austin Abro <AustinAbro321@gmail.com>	1 year ago
Austin Abro	c26b44f651	update names Signed-off-by: Austin Abro <AustinAbro321@gmail.com>	1 year ago
Austin Abro	86338215b7	ability to create different waiters Signed-off-by: Austin Abro <AustinAbro321@gmail.com>	1 year ago
Austin Abro	947425ee64	refactor new Signed-off-by: Austin Abro <AustinAbro321@gmail.com>	1 year ago

1 2 3

110 Commits (c441ebf043e191ca0bc9779bb5246ade47dbcc4b)