
Use dry-run=server to enable lookups #458

Merged
merged 1 commit into from
Aug 21, 2023

Conversation

@MichaelMorrisEst (Contributor) opened this pull request:

Helm PR helm/helm#9426 enables support for executing lookups during dry run. This PR is to make use of this new support in helm-diff. Backwards compatibility for older versions of helm is maintained by checking the helm version before setting the flag

Addresses issue: #449

Signed-off-by: MichaelMorris <michael.morris@est.tech>
@MichaelMorrisEst (Contributor, Author) commented:

Hi @databus23
The PR in Helm (helm/helm#9426) has now been merged and will be included in Helm version 3.13.0.
It would be great if I could get this PR reviewed so we can move towards making use of the new functionality in Helm

@mumoshu (Collaborator) left a comment:

Finally we have dry-run=server! LGTM. Thanks for your contribution and update @MichaelMorrisEst ☺️

@mumoshu mumoshu merged commit c54f085 into databus23:master Aug 21, 2023
@jBouyoud commented Oct 2, 2023:

@mumoshu is it possible to get a new release with this PR? (Helm 1.13 is now live 🎉)

mumoshu added a commit that referenced this pull request Oct 11, 2023
This intends to fix a potential security issue introduced via #458 before
cutting the next helm-diff release.

Since #458 (unreleased), we had forced helm-diff to use `helm template --dry-run=server` for Helm 3.13 or greater.

I think this can create an unintended security hole, where any user who can run
helm-diff via CI or any automation with an arbitrary chart and values is able
to view cluster resources via helm template's `lookup` functions.

Previously this was impossible because `helm template` run by `helm diff` had
no access to the `lookup` function. To fix this, we need to make `--dry-run=server`
optional. And we do so by introducing a new flag `--dry-run=[|client|server]` to helm-diff.

See the updated README and the updated helm-diff help message for more details.
mumoshu added a commit that referenced this pull request Oct 18, 2023 (same commit message as above)
mumoshu added a commit that referenced this pull request Jan 4, 2024 (same commit message as above)
mumoshu added a commit that referenced this pull request Jan 9, 2024
This intends to fix a potential security issue introduced via #458 before cutting the next helm-diff release.

Since #458 (unreleased), we had forced helm-diff to use `helm template --dry-run=server` for Helm 3.13 or greater.

I think this can create an unintended security hole, where any user who can run helm-diff via CI or any automation with an arbitrary chart and values is able to view cluster resources via helm template's `lookup` functions.

Previously this was impossible because `helm template` run by `helm diff` had no access to the `lookup` function. To fix this, we need to make `--dry-run=server` optional. And we do so by changing helm-diff's `--dry-run` flag to accept not only booleans but also `client` and `server`. The updated flag usage is `--dry-run[=[|true|false|client|server]]`.

See the updated README and the updated helm-diff help message for more details.
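The gating described in the commit messages above, as an added example in Go (helm-diff's own language); this is illustrative code written for this page, not helm-diff's or Helm's implementation. It parses the installed Helm version, maps helm-diff's `--dry-run[=[|true|false|client|server]]` value to the argument passed to `helm template`, and refuses to reach the cluster unless `server` was requested explicitly on Helm 3.13.0 or newer. It also includes a small audit that lists which templates in a chart call `lookup`, the check a CI policy would run before granting server-side dry-run. The `helm version` output format, the assumption that pre-3.13 `helm template` accepts no client/server form, the function names, and the sample chart are all constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
)

// HelmVersion is the major/minor/patch of the helm binary helm-diff shells out to.
type HelmVersion struct{ Major, Minor, Patch int }

// versionRe matches the first semver triple in `helm version` output, e.g.
// `version.BuildInfo{Version:"v3.13.0", ...}` or a bare `v3.12.3`.
var versionRe = regexp.MustCompile(`v?(\d+)\.(\d+)\.(\d+)`)

// ParseHelmVersion extracts the version triple from `helm version` output.
func ParseHelmVersion(out string) (HelmVersion, error) {
	m := versionRe.FindStringSubmatch(out)
	if m == nil {
		return HelmVersion{}, fmt.Errorf("no semver found in %q", out)
	}
	var n [3]int
	for i := range n {
		n[i], _ = strconv.Atoi(m[i+1]) // digits only, by construction of the regexp
	}
	return HelmVersion{n[0], n[1], n[2]}, nil
}

// AtLeast reports whether v >= o.
func (v HelmVersion) AtLeast(o HelmVersion) bool {
	if v.Major != o.Major {
		return v.Major > o.Major
	}
	if v.Minor != o.Minor {
		return v.Minor > o.Minor
	}
	return v.Patch >= o.Patch
}

// ServerDryRunSince is the first Helm release whose `helm template --dry-run=server`
// executes `lookup` against the live cluster (helm/helm#9426, shipped in 3.13.0).
var ServerDryRunSince = HelmVersion{3, 13, 0}

// DryRunArgs maps helm-diff's --dry-run value ("", "true", "false", "client",
// "server") to the argument appended to `helm template`. Only an explicit
// "server" ever reaches the cluster; everything else stays client-side, so an
// untrusted chart cannot read cluster objects through `lookup`. On Helm older
// than 3.13 the flag is assumed to be a plain boolean, so nothing is passed.
func DryRunArgs(mode string, v HelmVersion) ([]string, error) {
	switch mode {
	case "server":
		if !v.AtLeast(ServerDryRunSince) {
			return nil, fmt.Errorf("--dry-run=server needs helm >= 3.13.0, found %d.%d.%d",
				v.Major, v.Minor, v.Patch)
		}
		return []string{"--dry-run=server"}, nil
	case "", "true", "false", "client":
		if v.AtLeast(ServerDryRunSince) {
			return []string{"--dry-run=client"}, nil
		}
		return nil, nil // pre-3.13 `helm template` is always client-side
	default:
		return nil, fmt.Errorf("invalid --dry-run value %q (want true, false, client or server)", mode)
	}
}

// lookupRe finds Helm's `lookup` template function inside an action, e.g.
// {{ lookup "v1" "Secret" "kube-system" "" }} or {{- range (lookup ...).items }}.
var lookupRe = regexp.MustCompile(`\{\{-?\s*[^}]*\blookup\s+"[^"]*"`)

// TemplatesUsingLookup returns the sorted names of chart templates that call
// `lookup`; a CI policy can require this to be empty before allowing server mode.
func TemplatesUsingLookup(templates map[string]string) []string {
	var hits []string
	for name, body := range templates {
		if lookupRe.MatchString(body) {
			hits = append(hits, name)
		}
	}
	sort.Strings(hits)
	return hits
}

func main() {
	// Constructed sample inputs; not output captured from a real cluster.
	v, _ := ParseHelmVersion(`version.BuildInfo{Version:"v3.13.0", GitCommit:"", GoVersion:"go1.20"}`)
	args, _ := DryRunArgs("", v)
	fmt.Println(args) // default stays client-side: [--dry-run=client]

	chart := map[string]string{
		"templates/deploy.yaml": "kind: Deployment\n",
		// Rendered with --dry-run=server, this template would copy every Secret
		// in kube-system into the rendered manifest that helm-diff prints.
		"templates/exfil.yaml": `{{- range $i, $s := (lookup "v1" "Secret" "kube-system" "").items }}
# {{ $s.metadata.name }}: {{ $s.data | toJson }}
{{- end }}`,
	}
	fmt.Println(TemplatesUsingLookup(chart)) // [templates/exfil.yaml]
}
```

The design choice worth copying is that the default path never selects `server`: an operator who wants live `lookup` results has to opt in per invocation, and the version check means a misconfigured pipeline on older Helm fails loudly instead of silently running client-side.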