From cd733b3c0a7cbfaffd2f8fbf88ee5589e8964217 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Ml=C3=A1dek?= Date: Tue, 30 Mar 2021 21:28:45 +0200 Subject: [PATCH 1/2] HIP for dependency overrides MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: David Mládek --- hips/hip-9999.md | 81 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 81 insertions(+) create mode 100644 hips/hip-9999.md diff --git a/hips/hip-9999.md b/hips/hip-9999.md new file mode 100644 index 00000000..fcd1875b --- /dev/null +++ b/hips/hip-9999.md 
@@ -0,0 +1,81 @@ +--- +hip: 9999 +title: "Dynamic dependency override" +authors: [ "David Mládek " ] +created: "2021-09-30" +type: "feature" +status: "draft" +--- + +## Abstract + +This feature allows installing charts with dependencies other than the ones +specified in Chart.yaml or Chart.lock. + +## Motivation + +Current design doesn't allow for changes of the dependencies during +installation. A possible workaround in current version would be to fetch the +chart, change the Chart.yaml file, run `helm dependency update` and install +it. + +This allows developers to change dependencies of charts without the need to download them and edit them as well as allowing operation where some kind of proxy needsd to be used for repositories. + +Some use cases can be found in the [original issue](https://github.com/helm/helm/issues/2205). + +## Specification + +Commands `helm install` and `helm upgrade` would have a new option +`--set-dependency` which would override dependency version and/or repository +for dependencies declared in Chart.yaml. The usage would be for example: +`helm install chart-name . --set-dependency dep-name.version=1.0.1 --set-dependency +dep-name2.version=2.0.0,dep-name3.repository=helm.sh/repo` +where dependencies `dep-name`, `dep-name2`, and `dep-name3` were already declared in Chart.yaml. Currently only version and repository can be changed. + +This option would also imply the option `--dependency-update` as if it were +called explicitly for the overriden versions to be downloaded. +This specification does not mandate how the `--dependency-update` option +should behave. + +The updated charts/ directory must not overwrite dependencies that were +present in the umbrella chart's charts/ folder before the opration as that +would make all subsequent install operations use these changed dependencies. 
+ +## Rationale + +The decision to not overwrite dependencies prevents users to unwittingly use +wrong versions without changing the declared dependencies and then explicitly +calling `helm dependency update`. This behaviour would be dangerous because +helm does not check versions of present dependencies. + +## Backwards compatibility + +This HIP would not change any current functionality. + +## Security implications + +If the malicious user has the ability to add or change CLI arguments of a +legitimate user, they could change the dependencies. Since they can change +the repository, they could install any chart that they prepared beforehand. + +## How to teach this + +This would be added to the documentation and list of arguments of the +respective commands. + +## Reference implementation + +Not ready yet. + +## Open issues + +Should the dependencies be saved or discarded after use? + +Should dependencies already present in charts/ directory be used by default or should versions specified in Chart.yaml be located each time? + +## Notes + +The `--dependency-update` flag currently does not match documentation and +further steps are currently taking place to decide if the feature will +change. If it does not change in v3, this HIP would probably apply only to v4 +and later. From d6ef9e109acb57279b8fd94f52db8932b2abb960 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20Ml=C3=A1dek?= Date: Wed, 28 Apr 2021 21:30:21 +0200 Subject: [PATCH 2/2] Update HIP and dependency handling MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: David Mládek --- hips/hip-9999.md | 32 +++++++++++++++++++++----------- 1 file changed, 21 insertions(+), 11 deletions(-) diff --git a/hips/hip-9999.md b/hips/hip-9999.md index fcd1875b..10cc440a 100644 --- a/hips/hip-9999.md +++ b/hips/hip-9999.md 
@@ -19,7 +19,7 @@ installation. A possible workaround in current version would be to fetch the chart, change the Chart.yaml file, run `helm dependency update` and install it. -This allows developers to change dependencies of charts without the need to download them and edit them as well as allowing operation where some kind of proxy needsd to be used for repositories. +This allows developers to change dependencies of charts without the need to download them and edit them as well as allowing operation where some kind of proxy needs to be used for repositories. Some use cases can be found in the [original issue](https://github.com/helm/helm/issues/2205). @@ -32,10 +32,8 @@ for dependencies declared in Chart.yaml. The usage would be for example: dep-name2.version=2.0.0,dep-name3.repository=helm.sh/repo` where dependencies `dep-name`, `dep-name2`, and `dep-name3` were already declared in Chart.yaml. Currently only version and repository can be changed. -This option would also imply the option `--dependency-update` as if it were -called explicitly for the overriden versions to be downloaded. -This specification does not mandate how the `--dependency-update` option -should behave. +This option would also imply the option to fetch missing subcharts based on +Chart.yaml as if the option was called explicitly. The updated charts/ directory must not overwrite dependencies that were present in the umbrella chart's charts/ folder before the opration as that 
@@ -48,9 +46,18 @@ wrong versions without changing the declared dependencies and then explicitly calling `helm dependency update`. This behaviour would be dangerous because helm does not check versions of present dependencies. +This command would also fetch missing subcharts based on Chart.yaml so that +the implementation can just change the dependencies in memory and resolve +them. Another option would be to always update based on Chart.yaml, but if +the user already has a version present and does not explicitly call for +updates, using their current versions should be ok. This can be overriden +with the option to update dependencies (see notes about the new options +planned for v4 concerning this). + ## Backwards compatibility -This HIP would not change any current functionality. +This HIP would not change any current functionality. The implementation +depends on options planned for v4 and therefore is also planned for v4. ## Security implications @@ -71,11 +78,14 @@ Not ready yet. Should the dependencies be saved or discarded after use? -Should dependencies already present in charts/ directory be used by default or should versions specified in Chart.yaml be located each time? +Should dependencies already present in charts/ directory be used by default +or should versions specified in Chart.yaml be located each time (and +therefore update)? ## Notes -The `--dependency-update` flag currently does not match documentation and -further steps are currently taking place to decide if the feature will -change. If it does not change in v3, this HIP would probably apply only to v4 -and later. +Originally this HIP expected to use `--dependency-update` flag internally, +but there seem to be some bugs with it and it is planned to be changed in v4. +Therefore the newer version will be used pushing this feature to v4 also. +See https://github.com/helm/helm/issues/9545#issuecomment-812045805 +Implementation of this HIP would then depend on this feature.
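Review bot: In PATCH 1/2, the "Security implications" section of the new hips/hip-9999.md only covers an attacker who can change CLI arguments, but the Abstract says the flag installs dependencies "other than the ones specified in Chart.yaml or Chart.lock", so an overridden entry also falls outside whatever the lock file pinned. Suggest the section state what happens to the Chart.lock entry of an overridden dependency, whether `dep-name.repository=` accepts any location or only repositories the user has already added, and whether the effective version and repository are recorded with the release so an override is visible afterwards. Separately, the front matter has `created: "2021-09-30"` while the commit is dated 30 Mar 2021.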
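Review bot: In PATCH 2/2, hunk @@ -32,10 +32,8 @@, the replacement sentence "This option would also imply the option to fetch missing subcharts based on Chart.yaml" refers to an option without naming it, so the Specification no longer says which behaviour is implied. Name the planned v4 option here or point to the Notes section that links the issue. The trailing context line still reads "before the opration", which could be fixed in the same change.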
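Review bot: In PATCH 2/2, hunk @@ -48,9 +46,18 @@, the added Rationale paragraph says that when a version is already present "using their current versions should be ok", but it does not say what happens when `--set-dependency` names a dependency that is already present in charts/ at a different version. Together with the rule that charts/ must not be overwritten and the statement that helm does not check versions of present dependencies, the override could be silently ignored in that case. Suggest specifying that an overridden dependency is always resolved and fetched without touching the chart's charts/ directory, or that the command fails with an error. "overriden" should be "overridden".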
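Review bot: In PATCH 2/2, hunk @@ -71,11 +78,14 @@, the reworded open issue still asks whether dependencies already present in charts/ should be used by default, while the Rationale added in the same patch already answers that using current versions "should be ok"; either drop the open issue or mark the Rationale text as tentative. In the Notes, "the newer version will be used" leaves the v4 option unnamed and the closing sentence "would then depend on this feature" has no clear referent, so a one-line summary of the linked comment would make the dependency explicit.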