HIP for dependency overrides #176
Conversation
Signed-off-by: David Mládek <[email protected]>
|
Looks good. |
Signed-off-by: David Mládek <[email protected]>
There was a problem hiding this comment.
Thanks for taking the time to write a HIP. I have a few questions about the proposal that may be best addressed as follow-up material in the HIP.
There are a few other security implications that would probably need addressing with this proposal. For example, how do we address chart provenance with the --set-dependency flag? How do we verify a chart's integrity?
How would this proposal handle cases such as the one described in HIP 13?
The following questions are partially referenced in the "Open Issues" section, but I'll call it out here as well:
- How can a user write dependency updates to the lockfile?
- What happens when there are version conflicts? As in, the Chart.yaml requests for
^1.0.0but--set-dependencyrequests v2.0.0. What about transitive dependencies? - What happens when the user requests a package that is NOT declared in Chart.yaml? Is that a failure case? Why or why not?
- If the above case is supported, how is a chart developer expected to handle that case?
Finally, I would suggest that under the "How to Teach This" section, I would place an example demonstrating a compelling use case that clearly illustrates why this proposal is required to solve the issue. That way we can observe its practicality and compare it to existing solutions or alternative HIPs in the future.
Thanks!
|
@bacongobbler Thank you for the review.
As I see it this flag would not change the actual process of how the packages are downloaded and checked for integrity, it would only change which versions (and possibly packages) are downloaded. The actual installation would be identical to a scenario where the user changes the dependencies in the Therefore provenance would be checked in the same way.
I don't see any concrete cases in the HIP on caches, but this would also be used in the same way as other dependency commands would use it.
It seems I have accidentally omitted this in the HIP. As I see it and from what I've understood from the proposals in the original issue, this would be used mainly for development and interoperation in cases where the user wants to use different dependencies one time and therefore I would propose to not change the lock file. This is open to discussion though.
The
I have not thought of that, but I would allow it if they specify the version and repository. Here I'm assuming that even with cache both of these must be specified to correctly locate the digest and chart. If only one is specified that would be failure because there is not enough information to retrieve the dependency.
I don't understand this question.
Sure. |
|
In HIP 15 there is a proposal to add images lists to Chart.yaml. And, there have been requests in the past to allow overrides of appversion in Chart.yaml. My concern is that if we address this using the command line options, we end up with only a partial, uncoordinated solution. Maybe an alternative is to provide an overlay flag for Chart.yaml (similar to -f) where we can override the Chart.yaml settings, regardless of what they are. This would help resolve dependency overrides, image overrides (if implemented), appversion overrides, etc. The same code/rules for values.yaml overlays would apply. |
|
This seems to stagnate for a year now, while several people want this feature there is no champion to really push this through. Furthermore there seems to be desire to solve this in more general way. I will close this now, if anyone wishes to take over I would be delighted. |
I was told this feature should be written up as a HIP. It's based on helm/helm#2205.