From 26b5b576bc9a6e8c46a1335228767d5637b99452 Mon Sep 17 00:00:00 2001 From: yxxhero Date: Tue, 5 Oct 2021 15:38:15 +0800 Subject: [PATCH 01/11] add git support hip MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: yxxhero fix typo Signed-off-by: yxxhero Update hip-0015.md Signed-off-by: yxxhero mv hip 0015 to 0016 Signed-off-by: yxxhero Signed-off-by: Dominykas Blyžė --- hips/hip-00NN.md | 81 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 81 insertions(+) create mode 100644 hips/hip-00NN.md diff --git a/hips/hip-00NN.md b/hips/hip-00NN.md new file mode 100644 index 00000000..1cf293c2 --- /dev/null +++ b/hips/hip-00NN.md 
@@ -0,0 +1,81 @@ +--- +hip: "00NN" +title: "Helm repo support Git protocol" +authors: [ "yxxhero " ] +created: "2021-10-05" +type: "feature" +status: "draft" +--- + +## Abstract + +This document describes the introduction of git protocol for helm charts. + +## Audience + +Using a git URL as a repository in requirements.yaml will be a nice-to-have feature for organizations that house their helm charts in a git repository and would like to maintain private access to those charts. + +The format supported is: + +``` +dependencies: +- name: "{dependency name}" + repository: "git://{git repo url}" + version: "{git ref name}" +``` +where: +{git repo url} is any url type that a git clone ... command would accept (an ssh location, an https url, etc.). +{git ref name} is an existing tag or branch name on the repo (a commit sha cannot be used at this time) +For example: + +``` +dependencies: +- name: "a" + repository: "git://https://github.com/rally25rs/helm-test-chart.git" + version: "master" +``` + +## Rationale + +What it basically does is, if it find a registry that starts with `git://` then: +* create a temp directory. +* Using `github.com/Masterminds/vcs` to fetch the repo at the specified branch/tag into the temp dir +* Treat the cloned git repo similar to a file:///path/to/temp/dir style requirement; use chart.LoadDir to load that directory (which in turn applied the logic for filtering the files through .helmignore) and archives it to charts/ +* Delete the temp dir. + +### Caveats / Known Limitations +* Since this spawns git as a child process, git has to be available on the system and in the path. +* There is currently no handling for forwarding stdin to the git child process, so if git asks for input, helm will likely appear to hang as git tries to prompt for input. It will cause an issue if you are trying to reference a private repo with an SSL cert that needs a password, or with an https url that requires username/password authentication. 
(yarn package manager, ansible, and other tools have this same issue). + +## Specification +The specification for this HIP is broken into two (3) major sections: + +* Implement Getter +* Definition and identification of GIT protocol format +* As an experimental characteristic + +For example: + +``` +dependencies: +- name: "a" + repository: "git://https://github.com/rally25rs/helm-test-chart.git" + version: "master" +``` + +## Backwards compatibility +Experimental state, no affect other logic. + + +## Reference implementation +* [https://github.com/helm/helm/pull/9482](https://github.com/helm/helm/pull/9482) + + +## Open issues +The issues below are still unresolved. +* [https://github.com/helm/helm/issues/9461](https://github.com/helm/helm/issues/9461) + + + + + From 3b1a31cb20e7dbb3cd682621b8774dd53c54895a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dominykas=20Blyz=CC=8Ce=CC=87?= Date: Mon, 20 Nov 2023 15:55:06 +0200 Subject: [PATCH 02/11] Update the HIP structure to follow the recommended template MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Dominykas Blyžė --- hips/hip-00NN.md | 93 ++++++++++++++++++++++++++---------------------- 1 file changed, 50 insertions(+), 43 deletions(-) diff --git a/hips/hip-00NN.md b/hips/hip-00NN.md index 1cf293c2..8583d4cc 100644 --- a/hips/hip-00NN.md +++ b/hips/hip-00NN.md @@ -1,7 +1,7 @@ --- hip: "00NN" -title: "Helm repo support Git protocol" -authors: [ "yxxhero " ] +title: "Support Git protocol for installing chart dependencies" +authors: [ "yxxhero ", "Dominykas Blyžė " ] created: "2021-10-05" type: "feature" status: "draft" 
@@ -9,73 +9,80 @@ status: "draft" ## Abstract -This document describes the introduction of git protocol for helm charts. +Currently, Helm supports installing dependencies from various registries, however that requires the charts to be published there. There are use cases which are cumbersome when registries are involved, for example: -## Audience +- private charts for organizations/individuals who do not have the capacity to maintain the infrastructure required to run a private registry +- testing work-in-progress charts in their umbrella charts -Using a git URL as a repository in requirements.yaml will be a nice-to-have feature for organizations that house their helm charts in a git repository and would like to maintain private access to those charts. +## Motivation -The format supported is: +There are existing ways to achieve installation of charts without using a registry, however they are not very user-friendly and require additional tooling. + +- A Helm chart repository is effectively an `index.yaml` with links to downloads. Maintaining such a repository does create a burden of scripts and automation (e.g. Github Actions). This is not always feasible for smaller projects. It also does not really offer an obvious and readily available way of testing pre-releases. +- For the testing use cases, charts can be packaged using `helm package`, however this does introduce manual steps and requires extra work to replicate in CI/CD scenarios. +- There is a [`aslafy-z/helm-git`](https://github.com/aslafy-z/helm-git) plugin available, however using plugins requires additional setup, which may not always be feasible (esp. in more complex team structures and cluster setups with advanced tooling, e.g. ArgoCD). An additional drawback is that the `Chart.yaml` does not provide a way to specify the plugin requirements. + +Installing dependencies from git is an established pattern in other ecosystems even when they are registry-based, e.g. 
npm (Node.js), pipenv (Python), bundler (Gem) have this option - it would make sense to have the behavior replicated in Helm. + +## Rationale + +(TBD) + +## Specification + +The `Chart.yaml` should support the following format for `dependencies`: ``` dependencies: -- name: "{dependency name}" - repository: "git://{git repo url}" - version: "{git ref name}" +- name: "" + repository: "://[[:]@][:][:][/]" + version: "" ``` where: -{git repo url} is any url type that a git clone ... command would accept (an ssh location, an https url, etc.). -{git ref name} is an existing tag or branch name on the repo (a commit sha cannot be used at this time) +- `` is one of `git`, `git+ssh`, `git+http`, `git+https`, or `git+file`. +- `` is an existing reference (SHA hash, tag or branch name) on the repo. + For example: ``` dependencies: -- name: "a" - repository: "git://https://github.com/rally25rs/helm-test-chart.git" - version: "master" +- name: "jenkins" + repository: "git+https://github.com/jenkinsci/helm-charts.git/charts/jenkins" + version: "main" ``` -## Rationale +## Backwards compatibility -What it basically does is, if it find a registry that starts with `git://` then: -* create a temp directory. -* Using `github.com/Masterminds/vcs` to fetch the repo at the specified branch/tag into the temp dir -* Treat the cloned git repo similar to a file:///path/to/temp/dir style requirement; use chart.LoadDir to load that directory (which in turn applied the logic for filtering the files through .helmignore) and archives it to charts/ -* Delete the temp dir. +This is backwards compatible from Helm perspective - the existing formats for `dependencies` are still supported. -### Caveats / Known Limitations -* Since this spawns git as a child process, git has to be available on the system and in the path. -* There is currently no handling for forwarding stdin to the git child process, so if git asks for input, helm will likely appear to hang as git tries to prompt for input. 
It will cause an issue if you are trying to reference a private repo with an SSL cert that needs a password, or with an https url that requires username/password authentication. (yarn package manager, ansible, and other tools have this same issue). +Charts that start using the new format will effectively be changing their minimum required Helm version, i.e. they would be introducing breaking changes and should bump their major version. -## Specification -The specification for this HIP is broken into two (3) major sections: +## Security implications -* Implement Getter -* Definition and identification of GIT protocol format -* As an experimental characteristic +(TBD) -For example: +## How to teach this -``` -dependencies: -- name: "a" - repository: "git://https://github.com/rally25rs/helm-test-chart.git" - version: "master" -``` - -## Backwards compatibility -Experimental state, no affect other logic. +(TBD) +## Reference implementation -## Reference implementation -* [https://github.com/helm/helm/pull/9482](https://github.com/helm/helm/pull/9482) +Multiple implementation attempts available for [a discarded earlier draft of a related HIP](https://github.com/helm/community/pull/214): +- [helm/helm#11258](https://github.com/helm/helm/pull/11258) +- [helm/helm#9482](https://github.com/helm/helm/pull/9482) +- [helm/helm#6734](https://github.com/helm/helm/pull/6734) -## Open issues -The issues below are still unresolved. -* [https://github.com/helm/helm/issues/9461](https://github.com/helm/helm/issues/9461) +## Rejected ideas +- An [earlier draft for solving the issue](https://github.com/helm/community/pull/214) suggested using URLs like `git://https://...`. There were comments about that approach in the reference implementations, with the suggestion to use the conventions which are already established in other ecosystems. 
+## Open issues +N/A +## References +- [`npm install` documentation](https://docs.npmjs.com/cli/v10/commands/npm-install) (covers the `git+[protocol]` format) +- [Python packaging documentation on version specifiers](https://packaging.python.org/en/latest/specifications/version-specifiers/) (covers the `VCS+protocol` format) +- [bundler documentation on installing gems from git repositories](https://bundler.io/guides/git.html) From 7f7233591ae564680d63b945f749034934c0c1c9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dominykas=20Blyz=CC=8Ce=CC=87?= Date: Wed, 22 Nov 2023 15:08:38 +0200 Subject: [PATCH 03/11] Add Jeff Valore to authors, as the previous HIP was based on their work MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Dominykas Blyžė --- hips/hip-00NN.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hips/hip-00NN.md b/hips/hip-00NN.md index 8583d4cc..67ca5c08 100644 --- a/hips/hip-00NN.md +++ b/hips/hip-00NN.md @@ -1,7 +1,7 @@ --- hip: "00NN" title: "Support Git protocol for installing chart dependencies" -authors: [ "yxxhero ", "Dominykas Blyžė " ] +authors: [ "Jeff Valore (@rally25rs)", "yxxhero ", "Dominykas Blyžė " ] created: "2021-10-05" type: "feature" status: "draft" From 3d4984e672cb1bf6943c0a18f958cebd9205482f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dominykas=20Blyz=CC=8Ce=CC=87?= Date: Wed, 22 Nov 2023 15:32:38 +0200 Subject: [PATCH 04/11] Fill out rationale, security implications, etc MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Dominykas Blyžė --- hips/hip-00NN.md | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/hips/hip-00NN.md b/hips/hip-00NN.md index 67ca5c08..26cc0418 100644 --- a/hips/hip-00NN.md +++ b/hips/hip-00NN.md 
@@ -20,13 +20,15 @@ There are existing ways to achieve installation of charts without using a regist - A Helm chart repository is effectively an `index.yaml` with links to downloads. Maintaining such a repository does create a burden of scripts and automation (e.g. Github Actions). This is not always feasible for smaller projects. It also does not really offer an obvious and readily available way of testing pre-releases. - For the testing use cases, charts can be packaged using `helm package`, however this does introduce manual steps and requires extra work to replicate in CI/CD scenarios. -- There is a [`aslafy-z/helm-git`](https://github.com/aslafy-z/helm-git) plugin available, however using plugins requires additional setup, which may not always be feasible (esp. in more complex team structures and cluster setups with advanced tooling, e.g. ArgoCD). An additional drawback is that the `Chart.yaml` does not provide a way to specify the plugin requirements. +- There are several plugins available to solve this problem ([`aslafy-z/helm-git`](https://github.com/aslafy-z/helm-git), [`diwakar-s-maurya/helm-git`](https://github.com/diwakar-s-maurya/helm-git), [`sagansystems/helm-github`](https://github.com/sagansystems/helm-github)), however using plugins requires additional setup, which may not always be feasible (esp. in more complex team structures and cluster setups with advanced tooling, e.g. ArgoCD). An additional drawback is that the `Chart.yaml` does not provide a way to specify the plugin requirements, which leaves it up to the consumer to figure this out. + +## Rationale Installing dependencies from git is an established pattern in other ecosystems even when they are registry-based, e.g. npm (Node.js), pipenv (Python), bundler (Gem) have this option - it would make sense to have the behavior replicated in Helm. 
-## Rationale +At least the npm and the pip ecosystems have already established a syntax of `vcs+protocol` for defining the dependency source, so it should be familiar to some users. -(TBD) +One alternative to consider would be to exclude defining the vcs/protocol, similar to what Go does, esp. given that Helm is built using Go. This does limit the flexibility somewhat - while Go does allow adding a VCS qualifier at the end of the URL (allowing future support for other VCSs), it does not allow specifying the protocol, which means that the users might have to override the default protocol in their VCS configuration. ## Specification @@ -51,6 +53,13 @@ dependencies: version: "main" ``` +When Helm is installing a dependency from git, it should: + +- create a temporary directory +- clone the repo at the specified branch/tag into the temp dir +- treat the cloned git repo similar to a `file:///path/to/temp/dir` style requirement; use `chart.LoadDir` to load that directory (which in turn applied the logic for filtering the files through `.helmignore`) and archives it to `charts/` +- delete the temp dir + ## Backwards compatibility This is backwards compatible from Helm perspective - the existing formats for `dependencies` are still supported. 
@@ -59,11 +68,15 @@ Charts that start using the new format will effectively be changing their minimu ## Security implications -(TBD) +Pulling the dependencies from git may introduce additional attack surfaces, as it would need to rely on an implementation of `git` (most likely the official `git` executable), and there have been recent vulnerabilities disclosed, including Remote Code Execution (RCE). + +This is something that needs to be taken into account in security conscious environments and might need to be documented for the end users. Users with high security requirements, should probably avoid using the feature and instead rely on a registry. ## How to teach this -(TBD) +- The documentation should note the security caveat listed above +- The documentation should provide the recommendation to prefer registries to git, if possible +- The documentation should note the implications of git being mutable with a recommendation of pinning to specific hashes ## Reference implementation From 888817fc276a6ab6a0415b71efaf7270a7f6a0a4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dominykas=20Blyz=CC=8Ce=CC=87?= Date: Wed, 13 Dec 2023 13:05:41 +0200 Subject: [PATCH 05/11] Remove user/password in the `repository` URL format MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit While we may or may not explicitly forbid this format, it is probably a good idea to not officially document it, so as to avoid the proliferation bad practices and accidental leakage of secrets. Signed-off-by: Dominykas Blyžė --- hips/hip-00NN.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hips/hip-00NN.md b/hips/hip-00NN.md index 26cc0418..e20a1daa 100644 --- a/hips/hip-00NN.md +++ b/hips/hip-00NN.md @@ -37,7 +37,7 @@ The `Chart.yaml` should support the following format for `dependencies`: ``` dependencies: - name: "" - repository: "://[[:]@][:][:][/]" + repository: "://[:][:][/]" version: "" ``` where: 
From 0f6cd2fc9795e52c2c3f33adf769e9fee3374c4c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dominykas=20Blyz=CC=8Ce=CC=87?= Date: Wed, 13 Dec 2023 13:19:28 +0200 Subject: [PATCH 06/11] Reword `` to explicitly say `git[+]` MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit As the protocols are handled by git, it's probably better to define them as something that's supported by `git clone`. Signed-off-by: Dominykas Blyžė --- hips/hip-00NN.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/hips/hip-00NN.md b/hips/hip-00NN.md index e20a1daa..db59a87e 100644 --- a/hips/hip-00NN.md +++ b/hips/hip-00NN.md @@ -37,11 +37,11 @@ The `Chart.yaml` should support the following format for `dependencies`: ``` dependencies: - name: "" - repository: "://[:][:][/]" + repository: "git[+]://[:][:][/]" version: "" ``` where: -- `` is one of `git`, `git+ssh`, `git+http`, `git+https`, or `git+file`. +- `` is a protocol supported by `git clone` (e.g. `ssh`, `http`, `https`, `file`, etc). - `` is an existing reference (SHA hash, tag or branch name) on the repo. For example: @@ -77,6 +77,7 @@ This is something that needs to be taken into account in security conscious envi - The documentation should note the security caveat listed above - The documentation should provide the recommendation to prefer registries to git, if possible - The documentation should note the implications of git being mutable with a recommendation of pinning to specific hashes +- The documentation could list the examples for various git protocols, but mention that Helm supports whatever `git clone` supports ## Reference implementation From 7d89b4665c5b1588b2b6f1bef8beaa4b8de147d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dominykas=20Blyz=CC=8Ce=CC=87?= Date: Wed, 13 Dec 2023 13:56:55 +0200 Subject: [PATCH 07/11] Note on git clone perf MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Dominykas Blyžė --- hips/hip-00NN.md | 1 + 1 file changed, 1 insertion(+) diff --git a/hips/hip-00NN.md b/hips/hip-00NN.md index db59a87e..cc7cbb4a 100644 --- a/hips/hip-00NN.md +++ b/hips/hip-00NN.md @@ -57,6 +57,7 @@ When Helm is installing a dependency from git, it should: - create a temporary directory - clone the repo at the specified branch/tag into the temp dir + - for performance reasons, a shallow clone of just the latest commit of a specific branch should be performed (i.e. `git clone --depth 1 --branch --single-branch --no-tags `) - treat the cloned git repo similar to a `file:///path/to/temp/dir` style requirement; use `chart.LoadDir` to load that directory (which in turn applied the logic for filtering the files through `.helmignore`) and archives it to `charts/` - delete the temp dir From 7b4771b0976dadb778ae1ba39dd7c01ada5f0549 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dominykas=20Blyz=CC=8Ce=CC=87?= Date: Fri, 15 Dec 2023 12:27:29 +0200 Subject: [PATCH 08/11] Forbid username/password in the git repository URL MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Dominykas Blyžė --- hips/hip-00NN.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/hips/hip-00NN.md b/hips/hip-00NN.md index cc7cbb4a..de27f779 100644 --- a/hips/hip-00NN.md +++ b/hips/hip-00NN.md @@ -44,6 +44,8 @@ where: - `` is a protocol supported by `git clone` (e.g. `ssh`, `http`, `https`, `file`, etc). - `` is an existing reference (SHA hash, tag or branch name) on the repo. +Note that `git clone` supports having the `username` and `password` in the repository URL. The implementation of this feature should explicitly forbid that to prevent accidental credential leakage. It should throw an error if the URL contains a `username` or `password`. + For example: ``` From 4fc29f17df90b4ecc14524211e6c36a818a89b02 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Dominykas=20Blyz=CC=8Ce=CC=87?= Date: Fri, 15 Dec 2023 12:32:50 +0200 Subject: [PATCH 09/11] Add a note that git is required to make use of git based deps MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Dominykas Blyžė --- hips/hip-00NN.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/hips/hip-00NN.md b/hips/hip-00NN.md index de27f779..3044b57b 100644 --- a/hips/hip-00NN.md +++ b/hips/hip-00NN.md @@ -1,7 +1,7 @@ --- hip: "00NN" title: "Support Git protocol for installing chart dependencies" -authors: [ "Jeff Valore (@rally25rs)", "yxxhero ", "Dominykas Blyžė " ] +authors: [ "Jeff Valore (@rally25rs)", "yxxhero ", "Dominykas Blyžė ", "George Jenkins " ] created: "2021-10-05" type: "feature" status: "draft" @@ -59,6 +59,7 @@ When Helm is installing a dependency from git, it should: - create a temporary directory - clone the repo at the specified branch/tag into the temp dir + - Helm will require a working git installation to invoke (via subprocess) in order for Helm to utilize chart's git dependencies. Helm will throw an error if git is not installed or misconfigured (e.g. credentials are not set up for private repositories). - for performance reasons, a shallow clone of just the latest commit of a specific branch should be performed (i.e. `git clone --depth 1 --branch --single-branch --no-tags `) - treat the cloned git repo similar to a `file:///path/to/temp/dir` style requirement; use `chart.LoadDir` to load that directory (which in turn applied the logic for filtering the files through `.helmignore`) and archives it to `charts/` - delete the temp dir From c16a922d53efd9d2d47723246f8a37e0a475af87 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dominykas=20Blyz=CC=8Ce=CC=87?= Date: Fri, 15 Dec 2023 12:57:37 +0200 Subject: [PATCH 10/11] Note that `helm lint` should warn about git deps MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 
Signed-off-by: Dominykas Blyžė --- hips/hip-00NN.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/hips/hip-00NN.md b/hips/hip-00NN.md index 3044b57b..9afc2426 100644 --- a/hips/hip-00NN.md +++ b/hips/hip-00NN.md @@ -55,6 +55,8 @@ dependencies: version: "main" ``` +### Installation + When Helm is installing a dependency from git, it should: - create a temporary directory @@ -64,6 +66,10 @@ When Helm is installing a dependency from git, it should: - treat the cloned git repo similar to a `file:///path/to/temp/dir` style requirement; use `chart.LoadDir` to load that directory (which in turn applied the logic for filtering the files through `.helmignore`) and archives it to `charts/` - delete the temp dir +### Linting + +`helm lint` should print a warning when a chart contains a git-based dependency, primarily because git references are mutable. + ## Backwards compatibility This is backwards compatible from Helm perspective - the existing formats for `dependencies` are still supported. From b61033b6c2d2dc2c63b6ac75bfa9e07c7330b738 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dominykas=20Blyz=CC=8Ce=CC=87?= Date: Thu, 21 Dec 2023 13:28:31 +0200 Subject: [PATCH 11/11] Document `#subdirectory=` approach MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Dominykas Blyžė --- hips/hip-00NN.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/hips/hip-00NN.md b/hips/hip-00NN.md index 9afc2426..4a5a9a68 100644 --- a/hips/hip-00NN.md +++ b/hips/hip-00NN.md 
@@ -37,12 +37,14 @@ The `Chart.yaml` should support the following format for `dependencies`: ``` dependencies: - name: "" - repository: "git[+]://[:][:][/]" + repository: "git[+]://[:][:][/][#subdirectory=]" version: "" ``` where: - `` is a protocol supported by `git clone` (e.g. `ssh`, `http`, `https`, `file`, etc). - `` is an existing reference (SHA hash, tag or branch name) on the repo. +- `` is the folder where the chart we want installed is located. If not specified, it defaults to the root of the repository. + - Implementation note: this has potential for path traversal based security bugs - it needs to be validated and prevented. Note that `git clone` supports having the `username` and `password` in the repository URL. The implementation of this feature should explicitly forbid that to prevent accidental credential leakage. It should throw an error if the URL contains a `username` or `password`. @@ -51,7 +53,7 @@ For example: ``` dependencies: - name: "jenkins" - repository: "git+https://github.com/jenkinsci/helm-charts.git/charts/jenkins" + repository: "git+https://github.com/jenkinsci/helm-charts.git#subdirectory=charts/jenkins" version: "main" ```
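Review bot: In PATCH 01/11, the Specification section reads "broken into two (3) major sections" and then lists three bullets, so the count needs to be made consistent. The same patch records two limitations only under "Caveats": helm "will likely appear to hang" when git prompts for input, and "a commit sha cannot be used at this time", which means every git dependency in this draft resolves through a mutable branch or tag. Both belong in a section that states the security impact, not only in a list of known limitations.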
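Review bot: In PATCH 04/11, the new "Security implications" text cites "recent vulnerabilities disclosed, including Remote Code Execution (RCE)" without naming an advisory or saying which git operations Helm performs on input taken from `Chart.yaml`, so a reader cannot judge exposure. Suggest linking the advisories meant and stating the trust boundary explicitly: the repository URL and the `version` ref are chart-author-controlled values that end up as arguments to a `git` subprocess, and the section should say how they are validated before that call. The sentence "Users with high security requirements, should probably avoid" also has a stray comma.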
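Review bot: In PATCH 06/11, replacing the explicit list (`git`, `git+ssh`, `git+http`, `git+https`, `git+file`) with "a protocol supported by `git clone` (e.g. `ssh`, `http`, `https`, `file`, etc)" makes the accepted set depend on the git version and configuration of the machine running Helm, which cannot be audited from the HIP. Suggest keeping an explicit allow-list in the specification and rejecting anything else before git is invoked. `file` deserves its own sentence, since it lets a chart name a path on the local machine as its dependency source.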
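Review bot: In PATCH 07/11, the shallow-clone bullet relies on `git clone --depth 1 --branch ... --single-branch --no-tags`, but `--branch` accepts branch and tag names, not commit hashes. The Specification says `version` may be a "SHA hash, tag or branch name" and "How to teach this" recommends "pinning to specific hashes", so the one form the HIP recommends for security is the form this command cannot fetch. Suggest specifying a separate path for hash-pinned dependencies, and stating that Helm verifies the checked-out commit equals the requested hash.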
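Review bot: In PATCH 08/11, "It should throw an error if the URL contains a `username` or `password`" also rejects ordinary `ssh` remotes, which normally carry a user part such as `git@` that is not a secret. Suggest always rejecting a password, and either allowing a bare user name for `ssh` or stating that the ssh user must come from the local ssh configuration. The paragraph should also require that the error message does not echo the rejected URL, otherwise the credential it is meant to protect lands in CI logs.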
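Review bot: In PATCH 09/11, the added bullet promises that "Helm will throw an error if git is not installed or misconfigured (e.g. credentials are not set up for private repositories)", but the caveat from PATCH 01/11 says a credential prompt makes helm appear to hang, and nothing here says how the subprocess is kept non-interactive. Suggest specifying that git is run with prompting disabled (for example `GIT_TERMINAL_PROMPT=0`, and batch mode for ssh) and with a timeout, so missing credentials fail fast instead of blocking a CI job.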
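Review bot: In PATCH 10/11, the "Linting" paragraph warns on every git-based dependency "primarily because git references are mutable", which gives no credit to a chart that pins `version` to a full commit hash. Suggest distinguishing the two cases: warn when `version` is a branch or tag, and not (or at a lower level) when it is a full hash, so the warning pushes authors towards the pinning that "How to teach this" recommends. The worked example in the Specification still uses `version: "main"` and would be better shown with a pinned ref.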
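Review bot: In PATCH 11/11, the implementation note on `#subdirectory=` says path traversal "needs to be validated and prevented" but gives no rule an implementer or reviewer can test against. Suggest stating the checks in the HIP: reject absolute paths and any `..` segment, join the value to the clone directory, resolve symlinks, and fail unless the resolved path is still inside the clone directory, since a repository can contain a symlink that points outside it. The "Installation" steps should also be updated to say that `chart.LoadDir` is called on the validated subdirectory, not on the root of the temp dir.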