* fix: loosen source not permitted helm errors
With #12255, we check if a source is first permitted before running
`helm template`. This works a bit too well, since this may break
previously working manifests. If an `AppProject` has a set of
`sourceRepos` which are more restrictive than `*`, and it also has Helm
public dependencies (repos with credentials would not work with 2.7x
due to the fact they get filtered out before ending up on the repo
server). Whereas before this would work, this currently fails on
`HEAD` but not in `2.7x`.
What we instead do here is that we only run this check if the chart
failed to download - if it does then we run a check to see if the repo
is in the allowed repos list. If the repo is not in the allowed repos
list, we return the same error as in #12555, otherwise we bubble up the
error.
Should fix#13833.
Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
* fix: check for 401 unauthorized in error
The regex check works fine for OCI artifacts, but the flow is slightly
different for standard Helm charts (specifically when running
`helm repo add`). To get around that, we also check the error for
`401 Unauthorized`.
Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
* fix: loosen string check
Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
* Revert "chore: revert #12255 (#14858)"
This reverts commit c8ae5bc3e7.
Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
* wip
Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
* wip
Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
* chore: reword test to reduce confusion
Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
---------
Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
This reverts commit c651bd8de5.
Due to the imminent release of 2.8, this needs to be rolled back since
the proposed fix in #14210 cannot make it in time.
Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
* chore: surface source not permitted errors
For Git and Helm repositories, we filter out non-permitted urls before
submitting a `ManifestRequest` to the repo-server. While that works
fine, this also leads to very hard to debug issues in particular when
using Helm dependencies.
This (very) WIP PR adds `ProjectSourceRepos` as a parameter to
`ManifestRequest`, so we can verify that a source is in fact
permitted in order to distinguish between actual 40x errors (caused
by e.g misconfiguration) and "source not permitted" caused by not
adding the relevant sources to the AppProject config.
This still needs documentation, tests and some basic sanity checking
before proceeding further, as well as resolving whatever is causing
`make codegen` to not properly work.
Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
* chore: propagate project values to repo-server
Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
* test: fix failing unit tests
now onto the e2e tests...
Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
* test: fix failing e2e test(s)
Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
* fix: add project params
Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
* test: add e2e test
Add Helm dependency check test.
Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
* chore: remove git source check
Discussed over Slack and deemed this to not be necessary at this time.
Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
* make codegen
Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
* chore: cr tweaks
Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
* chore: code review tweaks
Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
* test: fix
Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
* test: wip
Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
* test: wip
Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
* chore: wip
Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
* chore: typo
Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
* fix: typo
Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
* chore: rebase fixes
Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
* test: oci:// is not prefixed
Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
---------
Signed-off-by: Blake Pettersson <blake.pettersson@gmail.com>
* chore: remove helm2
Reorder test/container/Dockerfile to mitigate issue of being unable to create
.gitconfig since the homedir is not present
chore: cleanup helm2 and tests related to it
Remove helm2 init. Fix unused import
Use helm 3 structure for CRDs
Remove helm2-dependency testdata
Address PR comments
Add back values-production and value.yaml on helm tests
Remove helm2 from openapi.
Signed-off-by: Shyukri Shyukriev <shyukri.shyukriev@mariadb.com>
modified: util/helm/cmd_test.go
* fix: generated openapi
Signed-off-by: Michael Crenshaw <michael@crenshaw.dev>
Co-authored-by: Michael Crenshaw <michael@crenshaw.dev>
* fix: repository name already exists when multiple helm dependencies from same private repo server
Signed-off-by: May Zhang <may_zhang@intuit.com>
* fix: add test cases
Signed-off-by: May Zhang <may_zhang@intuit.com>
* fix: clean up
Signed-off-by: May Zhang <may_zhang@intuit.com>
