Handle symlinks within GitRepository
- Handle symlinks within GitRepository
- Improve security for symlinks within GitRepository
Helm charts may include symlinks to common library charts under /charts. Currently, these are not handled. This PR adds functionality to properly handle symlinks within a GitRepository, ensuring that all Helm charts using this approach are prepared correctly. It also introduces a check to prevent users from including files outside their repository.
Example:

```yaml
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: cozy-git
  namespace: cozy-public
spec:
  interval: 1m0s
  ref:
    tag: v0.37.5
  timeout: 60s
  url: https://github.com/cozystack/cozystack.git
  ignore: |
    # exclude all
    /*
    # include packages dir
    !/packages
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: virtual-machine-asd2
  namespace: tenant-user
spec:
  interval: 5m
  targetNamespace: cozy-system
  chart:
    spec:
      chart: ./packages/apps/virtual-machine
      sourceRef:
        kind: GitRepository
        name: cozy-git
        namespace: cozy-public
      version: '>= 0.0.0-0'
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  values:
    cloudInit: ""
    cloudInitSeed: ""
    external: false
    externalMethod: PortList
    externalPorts:
      - 22
    instanceProfile: ubuntu
    instanceType: u1.medium
    running: true
    systemDisk:
      image: ubuntu
      storage: 5Gi
      storageClass: replicated
```
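The description above mentions two behaviours: following symlinks such as `charts/common -> ../../library/common` so a chart packages like it does under native Helm, and rejecting symlinks whose target lies outside the checkout. The Go program below is an added illustration of that containment check written for this discussion; it is not the PR's code and not source-controller's implementation. It resolves every path through `filepath.EvalSymlinks`, compares the real target against the real checkout root, descends into symlinked directories only when they stay inside the root, and aborts the walk with `ErrSymlinkEscape` otherwise. `WriteFixture` builds a constructed directory layout (not a real repository) so the program runs offline; the path names in it are assumptions modelled on the example manifest.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// ErrSymlinkEscape is returned when a symlink resolves to a path outside the
// repository checkout.
var ErrSymlinkEscape = errors.New("symlink resolves outside repository root")

// ResolveWithinRoot resolves rel (a path relative to root) through any
// symlinks and returns the real path, failing with ErrSymlinkEscape when the
// real path is not inside root. Dangling links surface as fs.ErrNotExist.
func ResolveWithinRoot(root, rel string) (string, error) {
	root, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	// Resolve the root too, so a root that is itself behind a symlink
	// (e.g. /tmp on macOS) compares correctly with resolved targets.
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	target, err := filepath.EvalSymlinks(filepath.Join(root, rel))
	if err != nil {
		return "", err
	}
	inside, err := filepath.Rel(realRoot, target)
	if err != nil || inside == ".." || strings.HasPrefix(inside, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%s -> %s: %w", rel, target, ErrSymlinkEscape)
	}
	return target, nil
}

// CollectFiles walks root the way a packager that follows symlinks would:
// it descends into symlinked directories and reads through symlinked files,
// but only when the link target stays inside root. It returns a map of
// slash-separated relative path -> file content.
func CollectFiles(root string) (map[string]string, error) {
	root, err := filepath.Abs(root)
	if err != nil {
		return nil, err
	}
	files := map[string]string{}
	var walk func(rel string, depth int) error
	walk = func(rel string, depth int) error {
		if depth > 64 { // guards against symlink loops such as "a -> ."
			return fmt.Errorf("%s: symlink nesting too deep", rel)
		}
		real, err := ResolveWithinRoot(root, rel)
		if errors.Is(err, fs.ErrNotExist) {
			return nil // dangling symlink: nothing to package, skip it
		}
		if err != nil {
			return err // includes ErrSymlinkEscape
		}
		info, err := os.Stat(real)
		if err != nil {
			return err
		}
		switch {
		case info.IsDir():
			entries, err := os.ReadDir(real)
			if err != nil {
				return err
			}
			for _, e := range entries {
				if err := walk(filepath.Join(rel, e.Name()), depth+1); err != nil {
					return err
				}
			}
		case info.Mode().IsRegular():
			data, err := os.ReadFile(real)
			if err != nil {
				return err
			}
			files[filepath.ToSlash(rel)] = string(data)
		}
		return nil
	}
	if err := walk(".", 0); err != nil {
		return nil, err
	}
	return files, nil
}

// WriteFixture lays out a constructed checkout under base (not a real
// repository): an app chart whose charts/common is a relative symlink to a
// library chart elsewhere in the checkout, plus a file outside the checkout.
// With escape set it also adds a symlink from inside the checkout to that
// outside file. It returns the checkout root.
func WriteFixture(base string, escape bool) (string, error) {
	root := filepath.Join(base, "repo")
	lib := filepath.Join(root, "packages", "library", "common")
	app := filepath.Join(root, "packages", "apps", "virtual-machine")
	for _, d := range []string{lib, filepath.Join(app, "charts"), filepath.Join(base, "outside")} {
		if err := os.MkdirAll(d, 0o755); err != nil {
			return "", err
		}
	}
	writes := map[string]string{
		filepath.Join(lib, "Chart.yaml"):             "name: common\n",
		filepath.Join(app, "Chart.yaml"):             "name: virtual-machine\n",
		filepath.Join(base, "outside", "secret.txt"): "not part of the repo\n",
	}
	for p, c := range writes {
		if err := os.WriteFile(p, []byte(c), 0o644); err != nil {
			return "", err
		}
	}
	// charts/common -> ../../../library/common (stays inside the checkout)
	if err := os.Symlink(filepath.Join("..", "..", "..", "library", "common"),
		filepath.Join(app, "charts", "common")); err != nil {
		return "", err
	}
	if escape {
		// leaked.txt -> ../../../../outside/secret.txt (leaves the checkout)
		if err := os.Symlink(filepath.Join("..", "..", "..", "..", "outside", "secret.txt"),
			filepath.Join(app, "leaked.txt")); err != nil {
			return "", err
		}
	}
	return root, nil
}

func main() {
	base, err := os.MkdirTemp("", "symlink-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(base)
	for _, escape := range []bool{false, true} {
		root, err := WriteFixture(filepath.Join(base, fmt.Sprint(escape)), escape)
		if err != nil {
			panic(err)
		}
		files, err := CollectFiles(root)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		paths := make([]string, 0, len(files))
		for p := range files {
			paths = append(paths, p)
		}
		sort.Strings(paths)
		for _, p := range paths {
			fmt.Println("packaged:", p)
		}
	}
}
```

Run with `go run .`; the first fixture lists three packaged files including `packages/apps/virtual-machine/charts/common/Chart.yaml` reached through the symlink, the second is rejected before anything is packaged. Checking the resolved target against the resolved root (rather than the lexical link text) is what makes the check robust against `..` components, absolute targets and chains of links.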
Symlinks are skipped on purpose, this is a security decision. This PR needs an RFC.
Hey @matheuscscp, it works with native Helm, but not with fluxcd.
Native Helm follows symlinks and copies content into the resulting tar.gz
Additional security check and tests added to this PR
Helm is a client-side tool, not a privileged controller running inside the cluster.
We have an issue open to implement this on the Flux CLI, which is more aligned with what Helm does than this PR:
https://github.com/fluxcd/flux2/issues/5055
Feel free to work on that one, it will be more appreciated 👍