-
Notifications
You must be signed in to change notification settings - Fork 56
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[epic] Add support for handling helm charts #962
Comments
Have you thought about which libraries might be good choices for helping with the validating of Helm charts to ensure we can work with them? We need to rule out chart with non-deterministic template functions and hooks, so something like: customChecks := []*config.Check{
{
Name: "detect-non-deterministic-functions",
Description: "Detect non-deterministic template functions in Helm charts",
Template: "template-name",
Params: map[string]interface{}{
"functions": []string{"randAlphaNum", "randAlpha", "randNumeric", "randAlphaSpecial", "now"},
},
},
{
Name: "detect-helm-hooks",
Description: "Detect Helm hooks in Helm charts",
Template: "template-name",
Params: map[string]interface{}{
"hooks": []string{"pre-install", "post-install", "pre-delete", "post-delete", "pre-upgrade", "post-upgrade", "pre-rollback", "post-rollback"},
},
}, in Stackrox's kube-linter terms, though I can't quite make a working example yet. Maybe there are other libs that would work better? |
Checks for non-deterministic functions would probably require use of the https://pkg.go.dev/text/template/parse package, since those functions disappear post-templating. Checks for helm hooks should be straightforward because we can render a manifest, parse as normal kube objects, then search for the annotations. If we end up with a handful of checks like that, I could definitely see the value in using an off-the-shelf library. |
This epic need more discussion to finalize what we want to deliver as part of this. Also what helm chart support means in OLM 1.0.0+ |
In OLMv1, we plan to support the
registry+v1
bundle format in order to provide a means for migration from OLMv0. However, we recognize the many pain points and limitations of that format (to name a few: limited types of supported objects, lack of templating, too opinionated out how RBAC is generated)In order to provide operator authors and cluster admins with more flexibility and control, this epic tracks the work necessary to support managing native helm charts in OLMv1.
Warning
A meta concern is that the below list of concerns has continued to grow as we have discovered more of Helm's behaviors. IMO, we need to do one of the following:
Some items to consider:
./crds
directory when performing upgrades. It ignores them if the CRDs are already present on the cluster. If helm chart authors understand this behavior of helm and make assumptions about it, it is unsafe for OLMv1 to treat them differently. However one of the primary goals of OLMv1 is to lifecycle CRDs. This Helm behavior pits helm chart authors against ClusterExtension users who have opposing expectations of CRD lifecycling.helm.sh/resource-policy: keep
annotation, which gives chart authors the ability to control helm's behavior when uninstalling a chart. We specifically designed the ClusterExtension API to give cluster admins the ultimate control (see [epic] Support orphan deletion policy #775), not the extension author. So we currently use owner references to propogate deletions from the ClusterExtension, which means manifests that use this annotation would be deleted. How do we reconcile this ?containers/image
library to interact directly with image registries. We need to investigate whether Helm OCI Artifact charts would be supported (and therefore extractable) with this library.The text was updated successfully, but these errors were encountered: