fluxcd/source-controller

Helm index validation not honoring Artifactory bug which was mitigated in Helm 3.14.3

bb-Ricardo opened this issue · 4 comments

Hi,

Today we ran into an issue with source controller version 1.3.0.

First we discovered that some Helm charts were missing from the index that source-controller created.
Downloading the index.yaml directly from the repository in Artifactory confirmed that the chart was present.
Then we downgraded the source-controller version to 1.2.4 and all was working as expected again.

So we started to investigate the changes between the two versions and we found it was the upgrade of the
Helm dependency from helm.sh/helm/v3 v3.13.3 to helm.sh/helm/v3 v3.14.4.

And found this issue: helm/helm#12748

The behavior of this validate function has changed.

Version 1.13.3
https://github.com/helm/helm/blob/v3.13.3/pkg/chart/metadata.go#L131-L135

Version 1.14.4
https://github.com/helm/helm/blob/v3.14.4/pkg/chart/metadata.go#L138-L150

To mitigate the reported Helm issue, a check has been added:
https://github.com/helm/helm/blob/15f76cf83c670a329b62c2b5ddeb0864ec99daec/pkg/repo/index.go#L369

https://github.com/helm/helm/blob/15f76cf83c670a329b62c2b5ddeb0864ec99daec/pkg/repo/index.go#L402-L414

Which is now missing from the logic in source-controller.

The best way forward from here that I currently see is to copy the behavior from Helm to implement the level of validation.

Another option would be to ask the Helm project to change loadIndex to a public function and then use this directly in source-controller. (There might still be an issue with the logging and naming the source.)

Cheers
Ricardo
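
The behaviour this issue describes, as an added Go example that is not code from Helm or source-controller: an index loader that drops every entry failing validation, with and without a filter that tolerates one specific validation error. The types, `skippable`, `FilterIndex` and `Sample` are hypothetical stand-ins, and the duplicate name-or-alias dependency rule is assumed to be the validation that rejects the entries served by Artifactory.

```go
package main

import (
	"fmt"
	"strings"
)

// ChartVersion is a hypothetical index.yaml entry; Deps holds each dependency's alias, or its name if no alias is set.
type ChartVersion struct {
	Name, Version string
	Deps          []string
}
type ValidationError string
func (v ValidationError) Error() string { return "validation: " + string(v) }

// Validate models the stricter rule: dependencies must not share a name or alias.
func (c ChartVersion) Validate() error {
	if c.Version == "" {
		return ValidationError("chart.metadata.version is required")
	}
	seen := map[string]bool{}
	for _, key := range c.Deps {
		if seen[key] {
			return ValidationError(fmt.Sprintf("more than one dependency with name or alias %q", key))
		}
		seen[key] = true
	}
	return nil
}

// skippable reports whether err is the one validation failure the loader tolerates.
func skippable(err error) bool {
	v, ok := err.(ValidationError)
	return ok && strings.HasPrefix(v.Error(), "validation: more than one dependency with name or alias")
}

// FilterIndex lists the entries kept in the index; tolerant enables the mitigation.
func FilterIndex(entries []ChartVersion, tolerant bool) (kept []string) {
	for _, e := range entries {
		if err := e.Validate(); err != nil && !(tolerant && skippable(err)) {
			continue // dropped: this chart version disappears from the index
		}
		kept = append(kept, e.Name+"@"+e.Version)
	}
	return kept
}

// Sample is constructed input: colliding dependency keys, a missing version, a clean entry.
var Sample = []ChartVersion{{"app", "1.0.0", []string{"redis", "redis"}}, {"app", "", nil}, {"lib", "2.1.0", nil}}
func main() { fmt.Println(FilterIndex(Sample, false), FilterIndex(Sample, true)) }
```

Without the filter, `app@1.0.0` is missing from the resulting index even though the repository serves it; with the filter it is kept, while the entry with no version is dropped in both modes.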

Hi,

Was wondering if any release is planned/scheduled? The last release was May 4th.

Thank you. I assumed there would be a bug fix release 1.3.1 (hence the backport to the 1.3.x branch)

No patch release, only if a CVE is found in helm-controller we'll backport.