nexus-repository-helm icon indicating copy to clipboard operation
nexus-repository-helm copied to clipboard

Published 20 hours ago verified publisher icon sonatype-nexus-community

Helm repository indexes wrong metadata

Open webmutation opened this issue 4 years ago • 1 comments

I am reporting this bug has it can potentially create a big amount of problems for deployment. Making it possible to deploy different versions than the ones expected and failing to create new versions if helm nexus metadata is wrongly associated with file.

We faced this strange behavior recently. A file was uploaded with the wrong Chart version creating a link in the metadata for a version 1.0.0-SNAPSHOT associated with helmchart-1.5.0-SNAPSHOT.tgz

image

However that helmchart-1.5.0-SNAPSHOT.tgz file was rebuild and the Chart yaml was corrected with version 1.5.0-SNAPSHOT, a new upload to nexus and the file is still associated with version 1.0.0-SNAPSHOT even though inside the file the Chart is 1.5.0-SNAPSHOT, meaning this version will never get correctly published unless version 1.0.0-SNAPSHOT is removed manually from the helm index.

Current Behavior

  • Helm deployments of version 1.0.0--SNAPSHOT will deploy version 1.5.0-SNAPSHOT instead, resulting in wrong version being deployed, since a deployment will use a tgz file that has different version than the one in the metadata.
  • Helm version 1.5.0-SNAPSHOT fails to be created, it is wrongly associated with 1.0.0-SNAPSHOT, it will continue to update the blob of this version instead of creating a new version.
  • There are no error messages, with hundreds of charts this is tricky to debug.
  • Only way to fix is to manually delete the metadata for the problematic version and re-upload a new version with correct Chart yaml data and respective tgz data.

Expected Behavior

  • If version in Chart yaml is different from helm nexus metadata, do not associate uploaded file with previous version.
  • Throw error if Chart version is different from Helm Nexus metadata.
  • Any previous version of a helm chart should not be able to point to a *.tgz file that contains a Chart yaml file with a different version.

Possible solution On handling the upload, verify if the version of the uploaded Chart yaml matches existing nexus helm metadata version, throw error 400 Bad Request if it does not match. Update blob if it matches. Create new version if Chart yaml version does not exist in nexus helm metadata.

webmutation avatar Sep 03 '20 16:09 webmutation

Hi, we are moving helm source code to nexus public. This github page will be archived. Your issue https://issues.sonatype.org/browse/NEXUS-25199

mlukaretkyi avatar Sep 09 '20 10:09 mlukaretkyi