helm3 template with --validate option

[gmoshiko]

Summary

helm3 has a new template function called lookup.
The lookup function can be used to look up resources in a running cluster and get metadata from objects on render time.
this feature was introduced on helm3 release and was working with helm template command, the problem was this is a vulnerability in terms of helm template shouldn't interact with the cluster unless specified the --validate flag.

in the latest helm3 version they fixed that vulnerability and now helm template wouldn't render this function, but it should render when using --validate flag.

this feature currently doesn't work with helm template --validate as it should be, but it should be fixed soon and there is also an open issue about it.

Motivation

get metadata from objects like ConfigMaps so I can decide on which cluster im on, and write logic in helm template to use it instead of writing it in each values.yaml file for each cluster( i have 40 k8s clusters I manage, and 90% of the time the only thing I change between the clusters is the cluster name I'm deploying to.)

Proposal

ArgoCD uses helm template command before applying with kubectl to the cluster.
if we could have the option to add --validate to helm template command it could solve the problem and support the lookup function once this issue is solved by helm.

Reference

helm functions: https://helm.sh/docs/chart_template_guide/functions_and_pipelines
lookup Function Information Discolosure: GHSA-q8q8-93cv-v6h8
helm template render lookup function issue: helm/helm#8137

[rajivml]

+1 This would be really helpful for deriving private registry addresses, ingress hosts etc. so that we need not take these inputs from the user

[dansou901]

would also love to see this baked in

[ebuildy]

Also, this could fix error when using .Capabilities.APIVersions.has Helm template function which rely without --validate option on the kubectl version compiled.

This mean .Capabilities.APIVersions.Has "policy/v1" will return always true from Helm 3.6, no matter k8s server version (will do a sync error).

[13013SwagR]

FYI, this project provides a decent workaround https://github.com/kuuji/helm-external-val

[Jorricks]

Is there any active development on this ticket?

[crenshaw-dev]

I believe helm/helm#9426 is a prerequisite.

Should we consider this a duplicate of #5202 ?

[crenshaw-dev]

I guess the other is actually newer, but it is a bit clearer in intent and has more discussion. :-)

[crenshaw-dev]

Closing for now, in favor of 5202.