You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardexpand all lines: hips/hip-00NN.md
+18-5
Original file line number
Diff line number
Diff line change
@@ -20,13 +20,15 @@ There are existing ways to achieve installation of charts without using a regist
20
20
21
21
- A Helm chart repository is effectively an `index.yaml` with links to downloads. Maintaining such a repository does create a burden of scripts and automation (e.g. Github Actions). This is not always feasible for smaller projects. It also does not really offer an obvious and readily available way of testing pre-releases.
22
22
- For the testing use cases, charts can be packaged using `helm package`, however this does introduce manual steps and requires extra work to replicate in CI/CD scenarios.
23
-
- There is a [`aslafy-z/helm-git`](https://github.com/aslafy-z/helm-git) plugin available, however using plugins requires additional setup, which may not always be feasible (esp. in more complex team structures and cluster setups with advanced tooling, e.g. ArgoCD). An additional drawback is that the `Chart.yaml` does not provide a way to specify the plugin requirements.
23
+
- There are several plugins available to solve this problem ([`aslafy-z/helm-git`](https://github.com/aslafy-z/helm-git), [`diwakar-s-maurya/helm-git`](https://github.com/diwakar-s-maurya/helm-git), [`sagansystems/helm-github`](https://github.com/sagansystems/helm-github)), however using plugins requires additional setup, which may not always be feasible (esp. in more complex team structures and cluster setups with advanced tooling, e.g. ArgoCD). An additional drawback is that the `Chart.yaml` does not provide a way to specify the plugin requirements, which leaves it up to the consumer to figure this out.
24
+
25
+
## Rationale
24
26
25
27
Installing dependencies from git is an established pattern in other ecosystems even when they are registry-based, e.g. npm (Node.js), pipenv (Python), bundler (Gem) have this option - it would make sense to have the behavior replicated in Helm.
26
28
27
-
## Rationale
29
+
At least the npm and the pip ecosystems have already established a syntax of `vcs+protocol` for defining the dependency source, so it should be familiar to some users.
28
30
29
-
(TBD)
31
+
One alternative to consider would be to exclude defining the vcs/protocol, similar to what Go does, esp. given that Helm is built using Go. This does limit the flexibility somewhat - while Go does allow adding a VCS qualifier at the end of the URL (allowing future support for other VCSs), it does not allow specifying the protocol, which means that the users might have to override the default protocol in their VCS configuration.
30
32
31
33
## Specification
32
34
@@ -51,6 +53,13 @@ dependencies:
51
53
version: "main"
52
54
```
53
55
56
+
When Helm is installing a dependency from git, it should:
57
+
58
+
- create a temporary directory
59
+
- clone the repo at the specified branch/tag into the temp dir
60
+
- treat the cloned git repo similar to a `file:///path/to/temp/dir` style requirement; use `chart.LoadDir` to load that directory (which in turn applied the logic for filtering the files through `.helmignore`) and archives it to `charts/`
61
+
- delete the temp dir
62
+
54
63
## Backwards compatibility
55
64
56
65
This is backwards compatible from Helm perspective - the existing formats for `dependencies` are still supported.
@@ -59,11 +68,15 @@ Charts that start using the new format will effectively be changing their minimu
59
68
60
69
## Security implications
61
70
62
-
(TBD)
71
+
Pulling the dependencies from git may introduce additional attack surfaces, as it would need to rely on an implementation of `git` (most likely the official `git` executable), and there have been recent vulnerabilities disclosed, including Remote Code Execution (RCE).
72
+
73
+
This is something that needs to be taken into account in security conscious environments and might need to be documented for the end users. Users with high security requirements, should probably avoid using the feature and instead rely on a registry.
63
74
64
75
## How to teach this
65
76
66
-
(TBD)
77
+
- The documentation should note the security caveat listed above
78
+
- The documentation should provide the recommendation to prefer registries to git, if possible
79
+
- The documentation should note the implications of git being mutable with a recommendation of pinning to specific hashes
0 commit comments