helm · mladedav · Mar 30, 2021 · Apr 28, 2021
diff --git a/hips/hip-9999.md b/hips/hip-9999.md
@@ -0,0 +1,91 @@
+---
+hip: 9999
+title: "Dynamic dependency override"
+authors: [ "David Mládek <[email protected]>" ]
+created: "2021-09-30"
+type: "feature"
+status: "draft"
+---
+
+## Abstract
+
+This feature allows installing charts with dependencies other than the ones
+specified in Chart.yaml or Chart.lock.
+
+## Motivation
+
+Current design doesn't allow for changes of the dependencies during
+installation. A possible workaround in current version would be to fetch the
+chart, change the Chart.yaml file, run `helm dependency update` and install
+it.
+
+This allows developers to change dependencies of charts without the need to download them and edit them as well as allowing operation where some kind of proxy needs to be used for repositories.
+
+Some use cases can be found in the [original issue](https://github.com/helm/helm/issues/2205).
+
+## Specification
+
+Commands `helm install` and `helm upgrade` would have a new option
+`--set-dependency` which would override dependency version and/or repository
+for dependencies declared in Chart.yaml. The usage would be for example:  
+`helm install chart-name . --set-dependency dep-name.version=1.0.1 --set-dependency
+dep-name2.version=2.0.0,dep-name3.repository=helm.sh/repo`  
+where dependencies `dep-name`, `dep-name2`, and `dep-name3` were already declared in Chart.yaml. Currently only version and repository can be changed.
+
+This option would also imply the option to fetch missing subcharts based on
+Chart.yaml as if the option was called explicitly.
+
+The updated charts/ directory must not overwrite dependencies that were
+present in the umbrella chart's charts/ folder before the opration as that
+would make all subsequent install operations use these changed dependencies.
+
+## Rationale
+
+The decision to not overwrite dependencies prevents users to unwittingly use
+wrong versions without changing the declared dependencies and then explicitly
+calling `helm dependency update`. This behaviour would be dangerous because
+helm does not check versions of present dependencies.
+
+This command would also fetch missing subcharts based on Chart.yaml so that
+the implementation can just change the dependencies in memory and resolve
+them.  Another option would be to always update based on Chart.yaml, but if
+the user already has a version present and does not explicitly call for
+updates, using their current versions should be ok.  This can be overriden
+with the option to update dependencies (see notes about the new options
+planned for v4 concerning this).
+
+## Backwards compatibility
+
+This HIP would not change any current functionality.  The implementation
+depends on options planned for v4 and therefore is also planned for v4.
+
+## Security implications
+
+If the malicious user has the ability to add or change CLI arguments of a
+legitimate user, they could change the dependencies. Since they can change
+the repository, they could install any chart that they prepared beforehand.
+
+## How to teach this
+
+This would be added to the documentation and list of arguments of the
+respective commands.
+
+## Reference implementation
+
+Not ready yet.
+
+## Open issues
+
+Should the dependencies be saved or discarded after use?
+
+Should dependencies already present in charts/ directory be used by default
+or should versions specified in Chart.yaml be located each time (and
+therefore update)?
+
+## Notes
+
+Originally this HIP expected to use `--dependency-update` flag internally,
+but there seem to be some bugs with it and it is planned to be changed in v4.
+Therefore the newer version will be used pushing this feature to v4 also.
+See https://github.com/helm/helm/issues/9545#issuecomment-812045805
+Implementation of this HIP would then depend on this feature.