Use dry-run=server to enable lookups #458
Conversation
Helm PR helm/helm#9426 enables support for executing lookups during dry run. This PR is to make use of this new support in helm-diff. Backwards compatibility for older versions of helm is maintained by checking the helm version before setting the flag.

Addresses issue: databus23#449

Signed-off-by: MichaelMorris <michael.morris@est.tech>
Hi @databus23
Finally we have dry-run=server! LGTM. Thanks for your contribution and update @MichaelMorrisEst
@mumoshu is it possible to get a new release with this PR? (Helm 1.13 is now live 🎉)
This intends to fix a potential security issue introduced via #458 before cutting the next helm-diff release. Since #458 (unreleased), we had forced helm-diff to use `helm template --dry-run=server` for Helm 3.13 or greater. I think this can create an unintended security hole, where any user who can run helm-diff via CI or any automation with an arbitrary chart and values is able to view cluster resources via helm template's `lookup` functions. Previously this was impossible because `helm template` run by `helm diff` had no access to the `lookup` function. To fix this, we need to make `--dry-run=server` optional. And we do so by changing helm-diff's `--dry-run` flag to accept not only booleans but also `client` and `server`. The updated flag usage is `--dry-run[=[|true|false|client|server]]`. See the updated README and the updated helm-diff help message for more details.
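The two pieces of logic discussed on this page, the helm-version check from the PR description and the opt-in `--dry-run` value from the follow-up fix, fit together as shown below. This is an added example, not helm-diff's own code: the function names (`parseHelmVersion`, `dryRunArgs`, `templateArgv`), the exact mapping of flag values to `helm template` arguments, and the decision to reject an explicit `server` on helm older than 3.13 (rather than silently downgrade) are assumptions made here. The security-relevant property is that `--dry-run=server`, the only mode in which chart templates can call `lookup` against the live cluster, is never emitted unless the operator asked for it explicitly.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// helmVersion is the major.minor.patch triple parsed from `helm version`.
type helmVersion struct{ major, minor, patch int }

// parseHelmVersion parses the output of
// `helm version --template '{{.Version}}'`, e.g. "v3.13.0" or "v3.12.3+g1234abc".
func parseHelmVersion(s string) (helmVersion, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	// Drop pre-release and build-metadata suffixes ("-rc.1", "+g1234abc").
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) < 2 {
		return helmVersion{}, fmt.Errorf("unparseable helm version %q", s)
	}
	nums := make([]int, 3)
	for i := 0; i < len(parts) && i < 3; i++ {
		n, err := strconv.Atoi(parts[i])
		if err != nil {
			return helmVersion{}, fmt.Errorf("bad component %q in helm version %q", parts[i], s)
		}
		nums[i] = n
	}
	return helmVersion{nums[0], nums[1], nums[2]}, nil
}

// atLeast reports whether v >= major.minor (patch level is irrelevant here).
func (v helmVersion) atLeast(major, minor int) bool {
	return v.major > major || (v.major == major && v.minor >= minor)
}

// dryRunArgs maps helm-diff's --dry-run setting onto the extra arguments
// passed to `helm template`. dryRun is the raw flag value: "" (flag absent),
// "true", "false", "client" or "server" (assumed mapping, see lead-in).
// Server-side rendering, which is what lets chart templates call `lookup`
// against the live cluster, is emitted only when it was asked for explicitly
// AND the installed helm understands the flag.
func dryRunArgs(versionOutput, dryRun string) ([]string, error) {
	v, err := parseHelmVersion(versionOutput)
	if err != nil {
		return nil, err
	}
	supportsFlag := v.atLeast(3, 13) // helm/helm#9426 shipped in Helm 3.13

	switch dryRun {
	case "", "false":
		// Default: purely client-side render; `lookup` sees no cluster.
		return nil, nil
	case "true", "client":
		if !supportsFlag {
			return nil, nil // older helm: `helm template` is client-side anyway
		}
		return []string{"--dry-run=client"}, nil
	case "server":
		if !supportsFlag {
			return nil, fmt.Errorf("--dry-run=server requires helm >= 3.13, found %d.%d.%d",
				v.major, v.minor, v.patch)
		}
		return []string{"--dry-run=server"}, nil
	default:
		return nil, fmt.Errorf("invalid --dry-run value %q (want true, false, client or server)", dryRun)
	}
}

// templateArgv assembles the full argument vector for `helm template`.
func templateArgv(release, chart, versionOutput, dryRun string) ([]string, error) {
	extra, err := dryRunArgs(versionOutput, dryRun)
	if err != nil {
		return nil, err
	}
	return append([]string{"template", release, chart}, extra...), nil
}

func main() {
	// Constructed sample inputs; a real tool would run `helm version` here.
	for _, c := range []struct{ ver, dry string }{
		{"v3.13.0", ""}, {"v3.13.0", "server"}, {"v3.12.3+g1234abc", "server"},
	} {
		argv, err := templateArgv("myrel", "./chart", c.ver, c.dry)
		fmt.Printf("helm %-18s --dry-run=%-8q -> %v err=%v\n", c.ver, c.dry, argv, err)
	}
}
```

Note that the default branch (flag absent or `false`) adds nothing to the command line, so a CI job that runs helm-diff against a chart supplied by an untrusted contributor renders it with the same cluster visibility it had before #458: none.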