Artifactory Binary Repository / RTFACT-23010

helm repo globally breaks due to a published chart with version: y


    Details

    • Type: Bug
    • Status: Open
    • Priority: 4 - Normal
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Helm
    • Labels: None
    • Severity: Medium

      Description

      A chart was published to our Artifactory helm repository with `version: y` as the version.

      This chart entry was then added exactly as it is to the helm repository's index.yaml.

      Something like so:

      apiVersion: v1
      entries:
        fakeapp:
          - apiVersion: v1
            appVersion: "1.0"
            created: 2020-01-01T01:23:45.678912Z
            description: A Fake Helm Chart
            digest: 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
            name: fakeapp
            urls:
            - https://fake.url.com:443/helm/fakeapp-y.tgz
            version: y
      generated: 2020-01-01T01:23:45.678912Z

      Every helm command that tried to use this repository was now broken (users, automation, across the company), because the index.yaml was invalid according to the following error:

      error unmarshaling JSON: while decoding JSON: json: cannot unmarshal bool into Go struct field ChartVersion.entries.version of type string

      The following github issue was created with the helm/helm repo assuming it was a helm bug.

      https://github.com/helm/helm/issues/8531#issuecomment-666607976

      This seems in fact not to be a helm bug, but appears to be specific to Artifactory's helm repository implementation.

      After downloading that broken chart tar file and running `helm repo index` locally, the generated index.yaml implicitly casts `version: y` to `version: "true"`. While this could be considered an issue, at least the resulting index.yaml does not break the helm repository.

      [2020-07-30 14:50:22]
      $ ls -l; helm repo index .; cat index.yaml
      total 16
      -rw-rw-r-- 1 user user 4618 Jul 30 10:51 myapp-y.tgz
      apiVersion: v1
      entries:
        myapp:
        - apiVersion: v1
          appVersion: "1.0"
          created: "2020-07-30T14:50:27.176873958-04:00"
          description: A Helm chart for Kubernetes
          digest: fake-digest
          name: myapp
          urls:
          - myapp-y.tgz
          version: "true"
      generated: "2020-07-30T14:50:27.176432195-04:00"

      Until this bug is fixed in Artifactory's helm repository, a user publishing `version: y` or `version: n` or `version: 555e2` (a git hash that gets cast as a float due to the scientific notation `e2`) will result in globally breaking that helm repository for all users.

      This is a huge risk, whether the publishing user's intentions were accidental or malicious.
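The failure mode described above comes from YAML 1.1 scalar resolution: an unquoted `y`, `n`, `555e2` or `1.0` in a `version:` field is not a string to the parser, so the generated index.yaml carries a bool or number where helm expects a string. The following pre-publish lint, added here as an illustration and not part of this ticket, helm or Artifactory, flags such values in a Chart.yaml or index.yaml before they reach a shared repository, and shows the defensive fix of quoting every version. It works line by line on the `version:` keys (a simplification; a full YAML parser would be used in production), requires SemVer 2 as helm does, and runs against a constructed index fragment modelled on the one in this report.

```python
import re

# Unquoted scalars that a YAML 1.1 parser (gopkg.in/yaml.v2, used by helm and
# by the index.yaml generator this report describes) resolves to a boolean.
YAML11_BOOLS = {
    "y", "Y", "yes", "Yes", "YES", "n", "N", "no", "No", "NO",
    "true", "True", "TRUE", "false", "False", "FALSE",
    "on", "On", "ON", "off", "Off", "OFF",
}
YAML11_NULLS = {"", "~", "null", "Null", "NULL"}
# YAML 1.1 integer forms (decimal, octal, hex) and float forms, including
# scientific notation such as the git-hash-like 555e2 from the report.
YAML11_INT_RE = re.compile(r"^[-+]?(0|[1-9][0-9_]*|0o?[0-7_]+|0x[0-9a-fA-F_]+)$")
YAML11_FLOAT_RE = re.compile(
    r"^[-+]?(\.[0-9]+|[0-9][0-9_]*(\.[0-9_]*)?)([eE][-+]?[0-9]+)?$"
    r"|^[-+]?\.(inf|Inf|INF)$|^\.(nan|NaN|NAN)$"
)
# SemVer 2.0.0 grammar, which helm requires for chart versions.
SEMVER_RE = re.compile(
    r"^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)"
    r"(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)"
    r"(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?"
    r"(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$"
)
# Matches a top-level or list-item "version:" key (not appVersion).
VERSION_LINE_RE = re.compile(r"^(\s*(?:- )?version:\s*)(.*?)\s*$")


def yaml11_type(scalar: str) -> str:
    """Classify an unquoted scalar the way a YAML 1.1 parser would."""
    s = scalar.strip()
    if s in YAML11_NULLS:
        return "null"
    if s in YAML11_BOOLS:
        return "bool"
    if YAML11_INT_RE.match(s):
        return "int"
    if YAML11_FLOAT_RE.match(s):
        return "float"
    return "str"


def split_quoted(raw: str):
    """Return (value, was_quoted) for the text after 'version:'."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
        return raw[1:-1], True
    return raw, False


def lint_index(text: str):
    """Report version values that are not strings under YAML 1.1 or not SemVer 2."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = VERSION_LINE_RE.match(line)
        if not m:
            continue
        value, quoted = split_quoted(m.group(2))
        reasons = []
        if not quoted:
            t = yaml11_type(value)
            if t != "str":
                reasons.append(f"unquoted scalar resolves to YAML 1.1 {t}, not a string")
        if not SEMVER_RE.match(value):
            reasons.append("not a valid SemVer 2 version")
        if reasons:
            findings.append({"line": lineno, "value": value, "reasons": reasons})
    return findings


def quote_versions(text: str) -> str:
    """Defensive rewrite: double-quote every unquoted version so it stays a string."""
    out = []
    for line in text.splitlines():
        m = VERSION_LINE_RE.match(line)
        if m:
            value, quoted = split_quoted(m.group(2))
            if not quoted:
                line = f'{m.group(1)}"{value}"'
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed index fragment modelled on the report: two bad entries, one good one.
SAMPLE_INDEX = """\
apiVersion: v1
entries:
  fakeapp:
  - apiVersion: v1
    appVersion: "1.0"
    name: fakeapp
    urls:
    - https://fake.url.com:443/helm/fakeapp-y.tgz
    version: y
  - apiVersion: v1
    appVersion: "1.0"
    name: fakeapp
    urls:
    - https://fake.url.com:443/helm/fakeapp-555e2.tgz
    version: 555e2
  - apiVersion: v1
    appVersion: "1.0"
    name: fakeapp
    urls:
    - https://fake.url.com:443/helm/fakeapp-1.2.3.tgz
    version: 1.2.3
generated: 2020-01-01T01:23:45.678912Z
"""

if __name__ == "__main__":
    for f in lint_index(SAMPLE_INDEX):
        print(f"line {f['line']}: version {f['value']!r}: " + "; ".join(f["reasons"]))
```

Run as a CI gate on Chart.yaml before `helm package`, or over a repository's index.yaml after each publish, the lint catches `y` and `555e2` while passing `1.2.3`; quoting alone keeps an index loadable, but the SemVer check is what stops a non-version from being published at all.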

            People

            Assignee:
            Unassigned
            Reporter:
            rryszewski Robert Ryszewski