public_git
/
helmfile
mirror of https://github.com/helmfile/helmfile.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
helmfile/pkg/helmexec/exec.go

983 lines
29 KiB
Go
Raw Blame History

package helmexec
import (
"bytes"
"fmt"
"io"
"net/url"
"os"
"path/filepath"
"reflect"
"strconv"
"strings"
"sync"
"unicode"
"github.com/Masterminds/semver/v3"
"github.com/helmfile/chartify"
"go.uber.org/zap"
"go.uber.org/zap/zapcore"
actionv3 "helm.sh/helm/v3/pkg/action"
cliv3 "helm.sh/helm/v3/pkg/cli"
actionv4 "helm.sh/helm/v4/pkg/action"
chart "helm.sh/helm/v4/pkg/chart/v2"
cliv4 "helm.sh/helm/v4/pkg/cli"
"github.com/helmfile/helmfile/pkg/yaml"
)
type decryptedSecret struct {
mutex sync.RWMutex
bytes []byte
err error
}
type HelmExecOptions struct {
EnableLiveOutput bool
DisableForceUpdate bool // If true, do not force helm repos to update when executing "helm repo add" (Helm 3)
EnforcePluginVerification bool // If true, fail plugin installation if verification is not supported
HelmOCIPlainHTTP bool // If true, use plain HTTP for OCI registries
}
type execer struct {
helmBinary string
options HelmExecOptions
version *semver.Version
runner Runner
logger *zap.SugaredLogger
kubeconfig string
kubeContext string
extra []string
decryptedSecretMutex sync.Mutex
decryptedSecrets map[string]*decryptedSecret
writeTempFile func([]byte) (string, error)
}
func NewLogger(writer io.Writer, logLevel string) *zap.SugaredLogger {
var cfg zapcore.EncoderConfig
cfg.MessageKey = "message"
out := zapcore.AddSync(writer)
var level zapcore.Level
err := level.Set(logLevel)
if err != nil {
panic(err)
}
core := zapcore.NewCore(
zapcore.NewConsoleEncoder(cfg),
out,
level,
)
return zap.New(core).Sugar()
}
func parseHelmVersion(versionStr string) (*semver.Version, error) {
if len(versionStr) == 0 {
return nil, fmt.Errorf("empty helm version")
}
// Check if version string starts with "v", if not add it
processedVersion := strings.TrimSpace(versionStr)
if !strings.HasPrefix(processedVersion, "v") {
processedVersion = "v" + processedVersion
}
v, err := chartify.FindSemVerInfo(processedVersion)
if err != nil {
return nil, fmt.Errorf("error find helm srmver version '%s': %w", versionStr, err)
}
ver, err := semver.NewVersion(v)
if err != nil {
return nil, fmt.Errorf("error parsing helm version '%s'", versionStr)
}
return ver, nil
}
func GetHelmVersion(helmBinary string, runner Runner) (*semver.Version, error) {
// Autodetect from `helm version` - just short works for both Helm 3 and Helm 4
outBytes, err := runner.Execute(helmBinary, []string{"version", "--short"}, nil, false)
if err != nil {
return nil, fmt.Errorf("error determining helm version: %w", err)
}
return parseHelmVersion(string(outBytes))
}
// PluginMetadata represents the metadata of a Helm plugin
type PluginMetadata struct {
Name string `yaml:"name"`
Version string `yaml:"version"`
}
func GetPluginVersion(name, pluginsDir string) (*semver.Version, error) {
// Scan pluginsDir for subdirectories containing plugin.yaml
entries, err := os.ReadDir(pluginsDir)
if err != nil {
// If directory doesn't exist, treat as plugin not installed
if os.IsNotExist(err) {
return nil, fmt.Errorf("plugin %s not installed", name)
}
return nil, err
}
for _, entry := range entries {
if !entry.IsDir() {
continue
}
pluginFile := filepath.Join(pluginsDir, entry.Name(), "plugin.yaml")
data, err := os.ReadFile(pluginFile)
if err != nil {
continue // Skip if plugin.yaml doesn't exist in this directory
}
var metadata PluginMetadata
if err := yaml.Unmarshal(data, &metadata); err != nil {
continue // Skip if plugin.yaml is malformed
}
if metadata.Name == name {
return semver.NewVersion(metadata.Version)
}
}
return nil, fmt.Errorf("plugin %s not installed", name)
}
func redactedURL(chart string) string {
chartURL, err := url.ParseRequestURI(chart)
if err != nil {
return chart
}
return chartURL.Redacted()
}
// New for running helm commands
func New(helmBinary string, options HelmExecOptions, logger *zap.SugaredLogger, kubeconfig string, kubeContext string, runner Runner) (*execer, error) {
version, err := GetHelmVersion(helmBinary, runner)
if err != nil {
return nil, err
}
if version.Prerelease() != "" {
logger.Warnf("Helm version %s is a pre-release version. This may cause problems when deploying Helm charts.\n", version)
*version, _ = version.SetPrerelease("")
}
return &execer{
helmBinary: helmBinary,
options: options,
version: version,
logger: logger,
kubeconfig: kubeconfig,
kubeContext: kubeContext,
runner: runner,
decryptedSecrets: make(map[string]*decryptedSecret),
}, nil
}
func (helm *execer) SetExtraArgs(args ...string) {
helm.extra = args
}
func (helm *execer) SetHelmBinary(bin string) {
helm.helmBinary = bin
}
func (helm *execer) SetEnableLiveOutput(enableLiveOutput bool) {
helm.options.EnableLiveOutput = enableLiveOutput
}
func (helm *execer) SetDisableForceUpdate(forceUpdate bool) {
helm.options.DisableForceUpdate = forceUpdate
}
func (helm *execer) AddRepo(name, repository, cafile, certfile, keyfile, username, password string, managed string, passCredentials, skipTLSVerify bool) error {
var args []string
var out []byte
var err error
if name == "" && repository != "" {
helm.logger.Infof("empty field name\n")
return fmt.Errorf("empty field name")
}
switch managed {
case "acr":
helm.logger.Infof("Adding repo %v (acr)", name)
out, err = helm.azcli(name)
case "":
args = append(args, "repo", "add", name, repository)
// --force-update is the default behavior in Helm 4, but needs to be explicit in Helm 3
// See https://github.com/helm/helm/pull/8777
if helm.IsHelm3() {
if cons, err := semver.NewConstraint(">= 3.3.2"); err == nil {
if !helm.options.DisableForceUpdate && cons.Check(helm.version) {
args = append(args, "--force-update")
}
} else {
panic(err)
}
}
if certfile != "" && keyfile != "" {
args = append(args, "--cert-file", certfile, "--key-file", keyfile)
}
if cafile != "" {
args = append(args, "--ca-file", cafile)
}
if passCredentials {
args = append(args, "--pass-credentials")
}
if skipTLSVerify {
args = append(args, "--insecure-skip-tls-verify")
}
helm.logger.Infof("Adding repo %v %v", name, repository)
if username != "" && password != "" {
args = append(args, "--username", username, "--password-stdin")
buffer := bytes.Buffer{}
buffer.Write([]byte(fmt.Sprintf("%s\n", password)))
out, err = helm.execStdIn(args, map[string]string{}, &buffer)
} else {
out, err = helm.exec(args, map[string]string{}, nil)
}
default:
helm.logger.Errorf("ERROR: unknown type '%v' for repository %v", managed, name)
out = nil
err = nil
}
helm.info(out)
return err
}
func (helm *execer) UpdateRepo() error {
helm.logger.Info("Updating repo")
out, err := helm.exec([]string{"repo", "update"}, map[string]string{}, nil)
helm.info(out)
return err
}
func (helm *execer) RegistryLogin(repository, username, password, caFile, certFile, keyFile string, skipTLSVerify bool) error {
if username == "" || password == "" {
return nil
}
args := []string{
"registry",
"login",
repository,
}
helmVersionConstraint, _ := semver.NewConstraint(">= 3.12.0")
if helmVersionConstraint.Check(helm.version) {
// in the 3.12.0 version, the registry login support --key-file --cert-file and --ca-file
// https://github.com/helm/helm/releases/tag/v3.12.0
if certFile != "" && keyFile != "" {
args = append(args, "--cert-file", certFile, "--key-file", keyFile)
}
if caFile != "" {
args = append(args, "--ca-file", caFile)
}
}
if skipTLSVerify {
args = append(args, "--insecure")
}
args = append(args, "--username", username, "--password-stdin")
buffer := bytes.Buffer{}
buffer.Write([]byte(fmt.Sprintf("%s\n", password)))
helm.logger.Info("Logging in to registry")
out, err := helm.execStdIn(args, map[string]string{"HELM_EXPERIMENTAL_OCI": "1"}, &buffer)
helm.info(out)
return err
}
// toKebabCase converts a PascalCase or camelCase string to kebab-case.
// e.g., "SkipRefresh" -> "skip-refresh", "KubeContext" -> "kube-context"
func toKebabCase(s string) string {
var result strings.Builder
for i, r := range s {
if i > 0 && unicode.IsUpper(r) {
result.WriteRune('-')
}
result.WriteRune(unicode.ToLower(r))
}
return result.String()
}
// getSupportedDependencyFlags returns a map of supported flags for helm dependency commands.
// It uses reflection on helm's action.Dependency and cli.EnvSettings structs to
// dynamically determine which flags are supported, avoiding hardcoded lists.
// Uses version-specific packages based on whether Helm 3 or Helm 4 is detected.
func getSupportedDependencyFlags() map[string]bool {
supported := make(map[string]bool)
// Determine which Helm version's API to use based on environment or default to Helm 4
useHelm3 := os.Getenv("HELMFILE_HELM4") != "1"
if useHelm3 {
// Get global flags from Helm 3 cli.EnvSettings
envSettings := cliv3.New()
envType := reflect.TypeOf(*envSettings)
for i := 0; i < envType.NumField(); i++ {
field := envType.Field(i)
if field.IsExported() {
flagName := "--" + toKebabCase(field.Name)
supported[flagName] = true
}
}
// Add namespace short form
supported["-n"] = true
// Get dependency-specific flags from Helm 3 action.Dependency
dep := actionv3.NewDependency()
depType := reflect.TypeOf(*dep)
for i := 0; i < depType.NumField(); i++ {
field := depType.Field(i)
if field.IsExported() {
flagName := "--" + toKebabCase(field.Name)
supported[flagName] = true
}
}
} else {
// Get global flags from Helm 4 cli.EnvSettings
envSettings := cliv4.New()
envType := reflect.TypeOf(*envSettings)
for i := 0; i < envType.NumField(); i++ {
field := envType.Field(i)
if field.IsExported() {
flagName := "--" + toKebabCase(field.Name)
supported[flagName] = true
}
}
// Add namespace short form
supported["-n"] = true
// Get dependency-specific flags from Helm 4 action.Dependency
dep := actionv4.NewDependency()
depType := reflect.TypeOf(*dep)
for i := 0; i < depType.NumField(); i++ {
field := depType.Field(i)
if field.IsExported() {
flagName := "--" + toKebabCase(field.Name)
supported[flagName] = true
}
}
}
return supported
}
// Cache of supported flags, initialized once
var (
supportedDependencyFlagsOnce sync.Once
supportedDependencyFlags map[string]bool
)
// filterDependencyUnsupportedFlags filters flags to only those supported by helm dependency commands.
// Uses reflection on helm's action.Dependency and cli.EnvSettings structs to dynamically
// determine supported flags, avoiding hardcoded lists.
func filterDependencyUnsupportedFlags(flags []string) []string {
if len(flags) == 0 {
return flags
}
// Initialize supported flags map once
supportedDependencyFlagsOnce.Do(func() {
supportedDependencyFlags = getSupportedDependencyFlags()
})
filtered := make([]string, 0, len(flags))
for _, flag := range flags {
// Extract flag name without value (e.g., "--dry-run=server" -> "--dry-run")
flagName := flag
if idx := strings.Index(flag, "="); idx != -1 {
flagName = flag[:idx]
}
// Check if this flag or any prefix of it is supported
supported := false
for supportedFlag := range supportedDependencyFlags {
if strings.HasPrefix(flagName, supportedFlag) {
supported = true
break
}
}
if supported {
filtered = append(filtered, flag)
}
}
return filtered
}
func (helm *execer) BuildDeps(name, chart string, flags ...string) error {
helm.logger.Infof("Building dependency release=%v, chart=%v", name, chart)
// Filter out template/install/upgrade-specific flags while preserving global flags
savedExtra := helm.extra
helm.extra = filterDependencyUnsupportedFlags(helm.extra)
defer func() {
helm.extra = savedExtra
}()
args := []string{
"dependency",
"build",
chart,
}
args = append(args, flags...)
// Helm 4 requires --plain-http for HTTP-only OCI registries (not HTTPS with self-signed certs)
if helm.options.HelmOCIPlainHTTP && helm.IsHelm4() {
args = append(args, "--plain-http")
}
out, err := helm.exec(args, map[string]string{}, nil)
helm.info(out)
return err
}
func (helm *execer) UpdateDeps(chart string) error {
helm.logger.Infof("Updating dependency %v", chart)
// Filter out template/install/upgrade-specific flags while preserving global flags
savedExtra := helm.extra
helm.extra = filterDependencyUnsupportedFlags(helm.extra)
defer func() {
helm.extra = savedExtra
}()
args := []string{"dependency", "update", chart}
// Helm 4 requires --plain-http for HTTP-only OCI registries (not HTTPS with self-signed certs)
if helm.options.HelmOCIPlainHTTP && helm.IsHelm4() {
args = append(args, "--plain-http")
}
out, err := helm.exec(args, map[string]string{}, nil)
helm.info(out)
return err
}
func (helm *execer) SyncRelease(context HelmContext, name, chart, namespace string, flags ...string) error {
helm.logger.Infof("Upgrading release=%v, chart=%v, namespace=%v", name, redactedURL(chart), namespace)
preArgs := make([]string, 0)
env := make(map[string]string)
flags = append(flags, "--history-max", strconv.Itoa(context.HistoryMax))
out, err := helm.exec(append(append(preArgs, "upgrade", "--install", name, chart), flags...), env, nil)
helm.info(out)
return err
}
func (helm *execer) ReleaseStatus(context HelmContext, name string, flags ...string) error {
helm.logger.Infof("Getting status %v", name)
preArgs := make([]string, 0)
env := make(map[string]string)
out, err := helm.exec(append(append(preArgs, "status", name), flags...), env, nil)
helm.info(out)
return err
}
func (helm *execer) List(context HelmContext, filter string, flags ...string) (string, error) {
helm.logger.Infof("Listing releases matching %v", filter)
preArgs := make([]string, 0)
env := make(map[string]string)
args := []string{"list", "--filter", filter}
enableLiveOutput := false
out, err := helm.exec(append(append(preArgs, args...), flags...), env, &enableLiveOutput)
// In v2 we have been expecting `helm list FILTER` prints nothing.
// In v3 helm still prints the header like `NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION`,
// which confuses helmfile's existing logic that treats any non-empty output from `helm list` is considered as the indication
// of the release to exist.
//
// This fixes it by removing the header from the v3 output, so that the output is formatted the same as that of v2.
lines := strings.Split(string(out), "\n")
lines = lines[1:]
out = []byte(strings.Join(lines, "\n"))
helm.info(out)
return string(out), err
}
func (helm *execer) DecryptSecret(context HelmContext, name string, flags ...string) (string, error) {
absPath, err := filepath.Abs(name)
if err != nil {
return "", err
}
helm.logger.Debugf("Preparing to decrypt secret %v", absPath)
helm.decryptedSecretMutex.Lock()
secret, ok := helm.decryptedSecrets[absPath]
// Cache miss
if !ok {
secret = &decryptedSecret{}
helm.decryptedSecrets[absPath] = secret
secret.mutex.Lock()
defer secret.mutex.Unlock()
helm.decryptedSecretMutex.Unlock()
helm.logger.Infof("Decrypting secret %v", absPath)
preArgs := make([]string, 0)
env := make(map[string]string)
// Use version-specific cli based on detected Helm version
var pluginsDir string
if helm.IsHelm3() {
pluginsDir = cliv3.New().PluginsDirectory
} else {
pluginsDir = cliv4.New().PluginsDirectory
}
pluginVersion, err := GetPluginVersion("secrets", pluginsDir)
if err != nil {
secret.err = err
return "", err
}
secretArg := "view"
// helm secret view command. The helm secret decrypt command is a drop-in replacement in 4.0.0 version
if pluginVersion.Major() > 3 {
secretArg = "decrypt"
}
enableLiveOutput := false
secretBytes, err := helm.exec(append(append(preArgs, "secrets", secretArg, absPath), flags...), env, &enableLiveOutput)
if err != nil {
secret.err = err
return "", err
}
// When the source encrypted file is not a yaml file AND helm secrets < 4
// secrets plugin returns a yaml file with all the content in a yaml `data` key
// which isn't parsable from an hcl perspective
if strings.HasSuffix(name, ".hcl") && pluginVersion.Major() < 4 {
type helmSecretDataV3 struct {
Data string `yaml:"data"`
}
var data helmSecretDataV3
err := yaml.Unmarshal(secretBytes, &data)
if err != nil {
return "", fmt.Errorf("Could not unmarshall helm secret plugin V3 decrypted file to a yaml string\n"+
"You may consider upgrading your helm secrets plugin to >4.0.\n %s", err.Error())
}
secretBytes = []byte(data.Data)
}
secret.bytes = secretBytes
} else {
// Cache hit
helm.logger.Debugf("Found secret in cache %v", absPath)
secret.mutex.RLock()
helm.decryptedSecretMutex.Unlock()
defer secret.mutex.RUnlock()
if secret.err != nil {
return "", secret.err
}
}
tempFile := helm.writeTempFile
if tempFile == nil {
tempFile = func(content []byte) (string, error) {
dir := filepath.Dir(name)
extension := filepath.Ext(name)
tmpFile, err := os.CreateTemp(dir, "secret*"+extension)
if err != nil {
return "", err
}
defer func() {
_ = tmpFile.Close()
}()
_, err = tmpFile.Write(content)
if err != nil {
return "", err
}
return tmpFile.Name(), nil
}
}
tmpFileName, err := tempFile(secret.bytes)
if err != nil {
return "", err
}
helm.logger.Debugf("Decrypted %s into %s", absPath, tmpFileName)
return tmpFileName, err
}
func (helm *execer) TemplateRelease(name string, chart string, flags ...string) error {
helm.logger.Infof("Templating release=%v, chart=%v", name, redactedURL(chart))
args := []string{"template", name, chart}
out, err := helm.exec(append(args, flags...), map[string]string{}, nil)
var outputToFile bool
for _, f := range flags {
if strings.HasPrefix("--output-dir", f) {
outputToFile = true
break
}
}
if outputToFile {
// With --output-dir is passed to helm-template,
// we can safely direct all the logs from it to our logger.
//
// It's safe because anything written to stdout by helm-template with output-dir is logs,
// like excessive `wrote path/to/output/dir/chart/template/file.yaml` messages,
// but manifets.
//
// See https://github.com/roboll/helmfile/pull/1691#issuecomment-805636021 for more information.
helm.info(out)
} else {
// Always write to stdout for use with e.g. `helmfile template | kubectl apply -f -`
helm.write(nil, out)
}
return err
}
func (helm *execer) DiffRelease(context HelmContext, name, chart, namespace string, suppressDiff bool, flags ...string) error {
diffMsg := fmt.Sprintf("Comparing release=%v, chart=%v, namespace=%v\n", name, redactedURL(chart), namespace)
if context.Writer != nil && !suppressDiff {
_, _ = fmt.Fprint(context.Writer, diffMsg)
} else {
helm.logger.Info(diffMsg)
}
preArgs := make([]string, 0)
env := make(map[string]string)
var overrideEnableLiveOutput *bool = nil
if suppressDiff {
enableLiveOutput := false
overrideEnableLiveOutput = &enableLiveOutput
}
// Issue #2280: In Helm 4, the --color flag is parsed by Helm before reaching the plugin,
// causing it to consume the next argument. Remove color flags and use HELM_DIFF_COLOR env var.
if helm.IsHelm4() {
flags = helm.filterColorFlagsForHelm4(flags, env)
}
out, err := helm.exec(append(append(preArgs, "diff", "upgrade", "--allow-unreleased", name, chart), flags...), env, overrideEnableLiveOutput)
// Do our best to write STDOUT only when diff existed
// Unfortunately, this works only when you run helmfile with `--detailed-exitcode`
detailedExitcodeEnabled := false
for _, f := range flags {
if strings.Contains(f, "detailed-exitcode") {
detailedExitcodeEnabled = true
break
}
}
if detailedExitcodeEnabled {
e, ok := err.(ExitError)
if ok && e.ExitStatus() == 2 {
if !(suppressDiff) {
helm.write(context.Writer, out)
}
return err
}
} else if !(suppressDiff) {
helm.write(context.Writer, out)
}
return err
}
// filterColorFlagsForHelm4 removes --color and --no-color flags from the flags slice
// and sets the HELM_DIFF_COLOR environment variable instead.
// In Helm 4, the --color flag is parsed by Helm itself before reaching the helm-diff plugin,
// causing Helm to consume the next argument as the color value (issue #2280).
// The helm-diff plugin supports HELM_DIFF_COLOR=[true|false] env var as an alternative.
func (helm *execer) filterColorFlagsForHelm4(flags []string, env map[string]string) []string {
filtered := make([]string, 0, len(flags))
for _, flag := range flags {
switch flag {
case "--color":
// Use environment variable instead of flag for Helm 4
// Only set if not already present (defensive check)
if _, exists := env["HELM_DIFF_COLOR"]; !exists {
env["HELM_DIFF_COLOR"] = "true"
}
case "--no-color":
// Use environment variable instead of flag for Helm 4
// Only set if not already present (defensive check)
if _, exists := env["HELM_DIFF_COLOR"]; !exists {
env["HELM_DIFF_COLOR"] = "false"
}
default:
// Keep all other flags unchanged
filtered = append(filtered, flag)
}
}
return filtered
}
func (helm *execer) Lint(name, chart string, flags ...string) error {
helm.logger.Infof("Linting release=%v, chart=%v", name, chart)
out, err := helm.exec(append([]string{"lint", chart}, flags...), map[string]string{}, nil)
// Always write to stdout to write the linting result to eg. a file
helm.write(nil, out)
return err
}
func (helm *execer) Fetch(chart string, flags ...string) error {
helm.logger.Infof("Fetching %v", redactedURL(chart))
out, err := helm.exec(append([]string{"fetch", chart}, flags...), map[string]string{}, nil)
helm.info(out)
return err
}
func (helm *execer) ChartPull(chart string, path string, flags ...string) error {
var helmArgs []string
helm.logger.Infof("Pulling %v", chart)
helmVersionConstraint, _ := semver.NewConstraint(">= 3.7.0")
if helmVersionConstraint.Check(helm.version) {
// in the 3.7.0 version, the chart pull has been replaced with helm pull
// https://github.com/helm/helm/releases/tag/v3.7.0
ociChartURL, _ := resolveOciChart(chart)
helmArgs = []string{"pull", ociChartURL, "--destination", path, "--untar"}
helmArgs = append(helmArgs, flags...)
// Add --plain-http for OCI registries if requested (Helm 4 requirement for insecure registries)
if helm.options.HelmOCIPlainHTTP && strings.HasPrefix(ociChartURL, "oci://") {
helmArgs = append(helmArgs, "--plain-http")
}
} else {
helmArgs = []string{"chart", "pull", chart}
}
out, err := helm.exec(helmArgs, map[string]string{"HELM_EXPERIMENTAL_OCI": "1"}, nil)
helm.info(out)
return err
}
func (helm *execer) ChartExport(chart string, path string) error {
helmVersionConstraint, _ := semver.NewConstraint(">= 3.7.0")
if helmVersionConstraint.Check(helm.version) {
// in the 3.7.0 version, the chart export has been removed
// https://github.com/helm/helm/releases/tag/v3.7.0
return nil
}
var helmArgs []string
helm.logger.Infof("Exporting %v", chart)
helmArgs = []string{"chart", "export", chart, "--destination", path}
// no extra flags for before v3.7.0, details in helm chart export --help
out, err := helm.exec(helmArgs, map[string]string{"HELM_EXPERIMENTAL_OCI": "1"}, nil)
helm.info(out)
return err
}
func (helm *execer) DeleteRelease(context HelmContext, name string, flags ...string) error {
helm.logger.Infof("Deleting %v", name)
preArgs := make([]string, 0)
env := make(map[string]string)
out, err := helm.exec(append(append(preArgs, "delete", name), flags...), env, nil)
helm.info(out)
return err
}
func (helm *execer) TestRelease(context HelmContext, name string, flags ...string) error {
helm.logger.Infof("Testing %v", name)
preArgs := make([]string, 0)
env := make(map[string]string)
args := []string{"test", name}
out, err := helm.exec(append(append(preArgs, args...), flags...), env, nil)
helm.info(out)
return err
}
func (helm *execer) AddPlugin(name, path, version string) error {
helm.logger.Infof("Install helm plugin %v", name)
// Special handling for helm-secrets 4.7.0+ with Helm 4 which uses split plugin architecture
if name == "secrets" && version >= "v4.7.0" && helm.IsHelm4() {
return helm.installHelmSecretsV4(version)
}
// Try with verification first
out, err := helm.exec([]string{"plugin", "install", path, "--version", version}, map[string]string{}, nil)
// If verification fails, retry without verification (unless enforced)
if err != nil && strings.Contains(err.Error(), "does not support verification") {
if helm.options.EnforcePluginVerification {
helm.logger.Errorf("Plugin %v does not support verification and plugin verification enforcement is enabled", name)
return fmt.Errorf("plugin %s does not support verification (remove --enforce-plugin-verification flag to allow unverified plugins)", name)
}
helm.logger.Debugf("Plugin %v does not support verification, retrying with --verify=false", name)
out, err = helm.exec([]string{"plugin", "install", path, "--version", version, "--verify=false"}, map[string]string{}, nil)
}
helm.info(out)
return err
}
func (helm *execer) installHelmSecretsV4(version string) error {
helm.logger.Infof("Installing helm-secrets %s (split plugin architecture for Helm 4)", version)
baseURL := fmt.Sprintf("https://github.com/jkroepke/helm-secrets/releases/download/%s", version)
plugins := []string{"helm-secrets.tgz", "helm-secrets-getter.tgz", "helm-secrets-post-renderer.tgz"}
verifyFlag := ""
if !helm.options.EnforcePluginVerification {
verifyFlag = "--verify=false"
}
for _, plugin := range plugins {
url := fmt.Sprintf("%s/%s", baseURL, plugin)
args := []string{"plugin", "install", url}
if verifyFlag != "" {
args = append(args, verifyFlag)
}
out, err := helm.exec(args, map[string]string{}, nil)
if err != nil {
return fmt.Errorf("failed to install %s: %w", plugin, err)
}
helm.info(out)
}
return nil
}
func (helm *execer) UpdatePlugin(name string) error {
helm.logger.Infof("Update helm plugin %v", name)
out, err := helm.exec([]string{"plugin", "update", name}, map[string]string{}, nil)
helm.info(out)
return err
}
func (helm *execer) exec(args []string, env map[string]string, overrideEnableLiveOutput *bool) ([]byte, error) {
cmdargs := args
if len(helm.extra) > 0 {
cmdargs = append(cmdargs, helm.extra...)
}
if helm.kubeContext != "" {
cmdargs = append([]string{"--kube-context", helm.kubeContext}, cmdargs...)
}
if helm.kubeconfig != "" {
cmdargs = append([]string{"--kubeconfig", helm.kubeconfig}, cmdargs...)
}
cmd := fmt.Sprintf("exec: %s %s", helm.helmBinary, strings.Join(cmdargs, " "))
helm.logger.Debug(cmd)
enableLiveOutput := helm.options.EnableLiveOutput
if overrideEnableLiveOutput != nil {
enableLiveOutput = *overrideEnableLiveOutput
}
outBytes, err := helm.runner.Execute(helm.helmBinary, cmdargs, env, enableLiveOutput)
return outBytes, err
}
func (helm *execer) execStdIn(args []string, env map[string]string, stdin io.Reader) ([]byte, error) {
cmdargs := args
if len(helm.extra) > 0 {
cmdargs = append(cmdargs, helm.extra...)
}
if helm.kubeContext != "" {
cmdargs = append([]string{"--kube-context", helm.kubeContext}, cmdargs...)
}
if helm.kubeconfig != "" {
cmdargs = append([]string{"--kubeconfig", helm.kubeconfig}, cmdargs...)
}
cmd := fmt.Sprintf("exec: %s %s", helm.helmBinary, strings.Join(cmdargs, " "))
helm.logger.Debug(cmd)
outBytes, err := helm.runner.ExecuteStdIn(helm.helmBinary, cmdargs, env, stdin)
return outBytes, err
}
func (helm *execer) azcli(name string) ([]byte, error) {
cmdargs := append(strings.Split("acr helm repo add --name", " "), name)
cmd := fmt.Sprintf("exec: az %s", strings.Join(cmdargs, " "))
helm.logger.Debug(cmd)
outBytes, err := helm.runner.Execute("az", cmdargs, map[string]string{}, false)
if len(outBytes) > 0 {
helm.logger.Debugf("%s: %s", cmd, outBytes)
} else {
helm.logger.Debugf("%s:", cmd)
}
return outBytes, err
}
func (helm *execer) info(out []byte) {
if len(out) > 0 {
helm.logger.Infof("%s", out)
}
}
func (helm *execer) write(w io.Writer, out []byte) {
if len(out) > 0 {
if w == nil {
w = os.Stdout
}
_, _ = fmt.Fprintf(w, "%s\n", out)
}
}
func (helm *execer) IsHelm3() bool {
return helm.version.Major() == 3
}
func (helm *execer) IsHelm4() bool {
return helm.version.Major() == 4
}
func (helm *execer) GetVersion() Version {
return Version{
Major: int(helm.version.Major()),
Minor: int(helm.version.Minor()),
Patch: int(helm.version.Patch()),
}
}
func (helm *execer) IsVersionAtLeast(versionStr string) bool {
ver := semver.MustParse(versionStr)
return helm.version.Equal(ver) || helm.version.GreaterThan(ver)
}
func resolveOciChart(ociChart string) (ociChartURL, ociChartTag string) {
var urlTagIndex int
// Get the last : index
// e.g.,
// 1. registry:443/helm-charts
// 2. registry/helm-charts:latest
// 3. registry:443/helm-charts:latest
if strings.LastIndex(ociChart, ":") <= strings.LastIndex(ociChart, "/") {
urlTagIndex = len(ociChart)
ociChartTag = ""
} else {
urlTagIndex = strings.LastIndex(ociChart, ":")
ociChartTag = ociChart[urlTagIndex+1:]
}
ociChartURL = fmt.Sprintf("oci://%s", ociChart[:urlTagIndex])
return ociChartURL, ociChartTag
}
func (helm *execer) ShowChart(chartPath string) (chart.Metadata, error) {
var helmArgs = []string{"show", "chart", chartPath}
out, error := helm.exec(helmArgs, map[string]string{}, nil)
if error != nil {
return chart.Metadata{}, error
}
var metadata chart.Metadata
error = yaml.Unmarshal(out, &metadata)
if error != nil {
return chart.Metadata{}, error
}
return metadata, nil
}
Reference in New Issue View Git Blame Copy Permalink