working commit

2026-03-13 19:02:42 +02:00
parent bebbf79c7a
commit 5c1da77f4c
1329 changed files with 314708 additions and 39 deletions
@@ -0,0 +1,22 @@
+/*
+Copyright The Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+/*
+Package getter provides a generalize tool for fetching data by scheme.
+
+This provides a method by which the plugin system can load arbitrary protocol
+handlers based upon a URL scheme.
+*/
+package getter
@@ -0,0 +1,232 @@
+/*
+Copyright The Helm Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package getter
+
+import (
+	"bytes"
+	"fmt"
+	"net/http"
+	"slices"
+	"time"
+
+	"helm.sh/helm/v4/pkg/cli"
+	"helm.sh/helm/v4/pkg/registry"
+)
+
+// getterOptions are generic parameters to be provided to the getter during instantiation.
+//
+// Getters may or may not ignore these parameters as they are passed in.
+// TODO what is the difference between this and schema.GetterOptionsV1?
+type getterOptions struct {
+	url                   string
+	certFile              string
+	keyFile               string
+	caFile                string
+	unTar                 bool
+	insecureSkipVerifyTLS bool
+	plainHTTP             bool
+	acceptHeader          string
+	username              string
+	password              string
+	passCredentialsAll    bool
+	userAgent             string
+	version               string
+	registryClient        *registry.Client
+	timeout               time.Duration
+	transport             *http.Transport
+	artifactType          string
+}
+
+// Option allows specifying various settings configurable by the user for overriding the defaults
+// used when performing Get operations with the Getter.
+type Option func(*getterOptions)
+
+// WithURL informs the getter the server name that will be used when fetching objects. Used in conjunction with
+// WithTLSClientConfig to set the TLSClientConfig's server name.
+func WithURL(url string) Option {
+	return func(opts *getterOptions) {
+		opts.url = url
+	}
+}
+
+// WithAcceptHeader sets the request's Accept header as some REST APIs serve multiple content types
+func WithAcceptHeader(header string) Option {
+	return func(opts *getterOptions) {
+		opts.acceptHeader = header
+	}
+}
+
+// WithBasicAuth sets the request's Authorization header to use the provided credentials
+func WithBasicAuth(username, password string) Option {
+	return func(opts *getterOptions) {
+		opts.username = username
+		opts.password = password
+	}
+}
+
+func WithPassCredentialsAll(pass bool) Option {
+	return func(opts *getterOptions) {
+		opts.passCredentialsAll = pass
+	}
+}
+
+// WithUserAgent sets the request's User-Agent header to use the provided agent name.
+func WithUserAgent(userAgent string) Option {
+	return func(opts *getterOptions) {
+		opts.userAgent = userAgent
+	}
+}
+
+// WithInsecureSkipVerifyTLS determines if a TLS Certificate will be checked
+func WithInsecureSkipVerifyTLS(insecureSkipVerifyTLS bool) Option {
+	return func(opts *getterOptions) {
+		opts.insecureSkipVerifyTLS = insecureSkipVerifyTLS
+	}
+}
+
+// WithTLSClientConfig sets the client auth with the provided credentials.
+func WithTLSClientConfig(certFile, keyFile, caFile string) Option {
+	return func(opts *getterOptions) {
+		opts.certFile = certFile
+		opts.keyFile = keyFile
+		opts.caFile = caFile
+	}
+}
+
+func WithPlainHTTP(plainHTTP bool) Option {
+	return func(opts *getterOptions) {
+		opts.plainHTTP = plainHTTP
+	}
+}
+
+// WithTimeout sets the timeout for requests
+func WithTimeout(timeout time.Duration) Option {
+	return func(opts *getterOptions) {
+		opts.timeout = timeout
+	}
+}
+
+func WithTagName(tagname string) Option {
+	return func(opts *getterOptions) {
+		opts.version = tagname
+	}
+}
+
+func WithRegistryClient(client *registry.Client) Option {
+	return func(opts *getterOptions) {
+		opts.registryClient = client
+	}
+}
+
+func WithUntar() Option {
+	return func(opts *getterOptions) {
+		opts.unTar = true
+	}
+}
+
+// WithTransport sets the http.Transport to allow overwriting the HTTPGetter default.
+func WithTransport(transport *http.Transport) Option {
+	return func(opts *getterOptions) {
+		opts.transport = transport
+	}
+}
+
+// WithArtifactType sets the type of OCI artifact ("chart" or "plugin")
+func WithArtifactType(artifactType string) Option {
+	return func(opts *getterOptions) {
+		opts.artifactType = artifactType
+	}
+}
+
+// Getter is an interface to support GET to the specified URL.
+type Getter interface {
+	// Get file content by url string
+	Get(url string, options ...Option) (*bytes.Buffer, error)
+}
+
+// Constructor is the function for every getter which creates a specific instance
+// according to the configuration
+type Constructor func(options ...Option) (Getter, error)
+
+// Provider represents any getter and the schemes that it supports.
+//
+// For example, an HTTP provider may provide one getter that handles both
+// 'http' and 'https' schemes.
+type Provider struct {
+	Schemes []string
+	New     Constructor
+}
+
+// Provides returns true if the given scheme is supported by this Provider.
+func (p Provider) Provides(scheme string) bool {
+	return slices.Contains(p.Schemes, scheme)
+}
+
+// Providers is a collection of Provider objects.
+type Providers []Provider
+
+// ByScheme returns a Provider that handles the given scheme.
+//
+// If no provider handles this scheme, this will return an error.
+func (p Providers) ByScheme(scheme string) (Getter, error) {
+	for _, pp := range p {
+		if pp.Provides(scheme) {
+			return pp.New()
+		}
+	}
+	return nil, fmt.Errorf("scheme %q not supported", scheme)
+}
+
+const (
+	// The cost timeout references curl's default connection timeout.
+	// https://github.com/curl/curl/blob/master/lib/connect.h#L40C21-L40C21
+	// The helm commands are usually executed manually. Considering the acceptable waiting time, we reduced the entire request time to 120s.
+	DefaultHTTPTimeout = 120
+)
+
+var defaultOptions = []Option{WithTimeout(time.Second * DefaultHTTPTimeout)}
+
+func Getters(extraOpts ...Option) Providers {
+	return Providers{
+		Provider{
+			Schemes: []string{"http", "https"},
+			New: func(options ...Option) (Getter, error) {
+				options = append(options, defaultOptions...)
+				options = append(options, extraOpts...)
+				return NewHTTPGetter(options...)
+			},
+		},
+		Provider{
+			Schemes: []string{registry.OCIScheme},
+			New: func(options ...Option) (Getter, error) {
+				options = append(options, defaultOptions...)
+				options = append(options, extraOpts...)
+				return NewOCIGetter(options...)
+			},
+		},
+	}
+}
+
+// All finds all of the registered getters as a list of Provider instances.
+// Currently, the built-in getters and the discovered plugins with downloader
+// notations are collected.
+func All(settings *cli.EnvSettings, opts ...Option) Providers {
+	result := Getters(opts...)
+	pluginDownloaders, _ := collectGetterPlugins(settings)
+	result = append(result, pluginDownloaders...)
+	return result
+}
@@ -0,0 +1,160 @@
+/*
+Copyright The Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package getter
+
+import (
+	"bytes"
+	"crypto/tls"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"sync"
+
+	"helm.sh/helm/v4/internal/tlsutil"
+	"helm.sh/helm/v4/internal/version"
+)
+
+// HTTPGetter is the default HTTP(/S) backend handler
+type HTTPGetter struct {
+	opts      getterOptions
+	transport *http.Transport
+	once      sync.Once
+}
+
+// Get performs a Get from repo.Getter and returns the body.
+func (g *HTTPGetter) Get(href string, options ...Option) (*bytes.Buffer, error) {
+	for _, opt := range options {
+		opt(&g.opts)
+	}
+	return g.get(href)
+}
+
+func (g *HTTPGetter) get(href string) (*bytes.Buffer, error) {
+	// Set a helm specific user agent so that a repo server and metrics can
+	// separate helm calls from other tools interacting with repos.
+	req, err := http.NewRequest(http.MethodGet, href, nil)
+	if err != nil {
+		return nil, err
+	}
+
+	if g.opts.acceptHeader != "" {
+		req.Header.Set("Accept", g.opts.acceptHeader)
+	}
+
+	req.Header.Set("User-Agent", version.GetUserAgent())
+	if g.opts.userAgent != "" {
+		req.Header.Set("User-Agent", g.opts.userAgent)
+	}
+
+	// Before setting the basic auth credentials, make sure the URL associated
+	// with the basic auth is the one being fetched.
+	u1, err := url.Parse(g.opts.url)
+	if err != nil {
+		return nil, fmt.Errorf("unable to parse getter URL: %w", err)
+	}
+	u2, err := url.Parse(href)
+	if err != nil {
+		return nil, fmt.Errorf("unable to parse URL getting from: %w", err)
+	}
+
+	// Host on URL (returned from url.Parse) contains the port if present.
+	// This check ensures credentials are not passed between different
+	// services on different ports.
+	if g.opts.passCredentialsAll || (u1.Scheme == u2.Scheme && u1.Host == u2.Host) {
+		if g.opts.username != "" && g.opts.password != "" {
+			req.SetBasicAuth(g.opts.username, g.opts.password)
+		}
+	}
+
+	client, err := g.httpClient()
+	if err != nil {
+		return nil, err
+	}
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("failed to fetch %s : %s", href, resp.Status)
+	}
+
+	buf := bytes.NewBuffer(nil)
+	_, err = io.Copy(buf, resp.Body)
+	return buf, err
+}
+
+// NewHTTPGetter constructs a valid http/https client as a Getter
+func NewHTTPGetter(options ...Option) (Getter, error) {
+	var client HTTPGetter
+
+	for _, opt := range options {
+		opt(&client.opts)
+	}
+
+	return &client, nil
+}
+
+func (g *HTTPGetter) httpClient() (*http.Client, error) {
+	if g.opts.transport != nil {
+		return &http.Client{
+			Transport: g.opts.transport,
+			Timeout:   g.opts.timeout,
+		}, nil
+	}
+
+	g.once.Do(func() {
+		g.transport = &http.Transport{
+			DisableCompression: true,
+			Proxy:              http.ProxyFromEnvironment,
+			// Being nil would cause the tls.Config default to be used
+			// "NewTLSConfig" modifies an empty TLS config, not the default one
+			TLSClientConfig: &tls.Config{},
+		}
+	})
+
+	if (g.opts.certFile != "" && g.opts.keyFile != "") || g.opts.caFile != "" || g.opts.insecureSkipVerifyTLS {
+		tlsConf, err := tlsutil.NewTLSConfig(
+			tlsutil.WithInsecureSkipVerify(g.opts.insecureSkipVerifyTLS),
+			tlsutil.WithCertKeyPairFiles(g.opts.certFile, g.opts.keyFile),
+			tlsutil.WithCAFile(g.opts.caFile),
+		)
+		if err != nil {
+			return nil, fmt.Errorf("can't create TLS config for client: %w", err)
+		}
+
+		g.transport.TLSClientConfig = tlsConf
+	}
+
+	if g.opts.insecureSkipVerifyTLS {
+		if g.transport.TLSClientConfig == nil {
+			g.transport.TLSClientConfig = &tls.Config{
+				InsecureSkipVerify: true,
+			}
+		} else {
+			g.transport.TLSClientConfig.InsecureSkipVerify = true
+		}
+	}
+
+	client := &http.Client{
+		Transport: g.transport,
+		Timeout:   g.opts.timeout,
+	}
+
+	return client, nil
+}
@@ -0,0 +1,213 @@
+/*
+Copyright The Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package getter
+
+import (
+	"bytes"
+	"crypto/tls"
+	"fmt"
+	"net"
+	"net/http"
+	"path"
+	"strings"
+	"sync"
+	"time"
+
+	"helm.sh/helm/v4/internal/tlsutil"
+	"helm.sh/helm/v4/internal/urlutil"
+	"helm.sh/helm/v4/pkg/registry"
+)
+
+// OCIGetter is the default HTTP(/S) backend handler
+type OCIGetter struct {
+	opts      getterOptions
+	transport *http.Transport
+	once      sync.Once
+}
+
+// Get performs a Get from repo.Getter and returns the body.
+func (g *OCIGetter) Get(href string, options ...Option) (*bytes.Buffer, error) {
+	for _, opt := range options {
+		opt(&g.opts)
+	}
+	return g.get(href)
+}
+
+func (g *OCIGetter) get(href string) (*bytes.Buffer, error) {
+	client := g.opts.registryClient
+	// if the user has already provided a configured registry client, use it,
+	// this is particularly true when user has his own way of handling the client credentials.
+	if client == nil {
+		c, err := g.newRegistryClient()
+		if err != nil {
+			return nil, err
+		}
+		client = c
+	}
+
+	ref := strings.TrimPrefix(href, fmt.Sprintf("%s://", registry.OCIScheme))
+
+	if version := g.opts.version; version != "" && !strings.Contains(path.Base(ref), ":") {
+		ref = fmt.Sprintf("%s:%s", ref, version)
+	}
+	// Check if this is a plugin request
+	if g.opts.artifactType == "plugin" {
+		return g.getPlugin(client, ref)
+	}
+
+	// Default to chart behavior for backward compatibility
+	var pullOpts []registry.PullOption
+	requestingProv := strings.HasSuffix(ref, ".prov")
+	if requestingProv {
+		ref = strings.TrimSuffix(ref, ".prov")
+		pullOpts = append(pullOpts,
+			registry.PullOptWithChart(false),
+			registry.PullOptWithProv(true))
+	}
+
+	result, err := client.Pull(ref, pullOpts...)
+	if err != nil {
+		return nil, err
+	}
+
+	if requestingProv {
+		return bytes.NewBuffer(result.Prov.Data), nil
+	}
+	return bytes.NewBuffer(result.Chart.Data), nil
+}
+
+// NewOCIGetter constructs a valid http/https client as a Getter
+func NewOCIGetter(ops ...Option) (Getter, error) {
+	var client OCIGetter
+
+	for _, opt := range ops {
+		opt(&client.opts)
+	}
+
+	return &client, nil
+}
+
+func (g *OCIGetter) newRegistryClient() (*registry.Client, error) {
+	if g.opts.transport != nil {
+		client, err := registry.NewClient(
+			registry.ClientOptHTTPClient(&http.Client{
+				Transport: g.opts.transport,
+				Timeout:   g.opts.timeout,
+			}),
+		)
+		if err != nil {
+			return nil, err
+		}
+		return client, nil
+	}
+
+	g.once.Do(func() {
+		g.transport = &http.Transport{
+			// From https://github.com/google/go-containerregistry/blob/31786c6cbb82d6ec4fb8eb79cd9387905130534e/pkg/v1/remote/options.go#L87
+			DisableCompression: true,
+			DialContext: (&net.Dialer{
+				// By default we wrap the transport in retries, so reduce the
+				// default dial timeout to 5s to avoid 5x 30s of connection
+				// timeouts when doing the "ping" on certain http registries.
+				Timeout:   5 * time.Second,
+				KeepAlive: 30 * time.Second,
+			}).DialContext,
+			ForceAttemptHTTP2:     true,
+			MaxIdleConns:          100,
+			IdleConnTimeout:       90 * time.Second,
+			TLSHandshakeTimeout:   10 * time.Second,
+			ExpectContinueTimeout: 1 * time.Second,
+			Proxy:                 http.ProxyFromEnvironment,
+			// Being nil would cause the tls.Config default to be used
+			// "NewTLSConfig" modifies an empty TLS config, not the default one
+			TLSClientConfig: &tls.Config{},
+		}
+	})
+
+	if (g.opts.certFile != "" && g.opts.keyFile != "") || g.opts.caFile != "" || g.opts.insecureSkipVerifyTLS {
+		tlsConf, err := tlsutil.NewTLSConfig(
+			tlsutil.WithInsecureSkipVerify(g.opts.insecureSkipVerifyTLS),
+			tlsutil.WithCertKeyPairFiles(g.opts.certFile, g.opts.keyFile),
+			tlsutil.WithCAFile(g.opts.caFile),
+		)
+		if err != nil {
+			return nil, fmt.Errorf("can't create TLS config for client: %w", err)
+		}
+
+		sni, err := urlutil.ExtractHostname(g.opts.url)
+		if err != nil {
+			return nil, err
+		}
+		tlsConf.ServerName = sni
+
+		g.transport.TLSClientConfig = tlsConf
+	}
+
+	opts := []registry.ClientOption{registry.ClientOptHTTPClient(&http.Client{
+		Transport: g.transport,
+		Timeout:   g.opts.timeout,
+	})}
+	if g.opts.plainHTTP {
+		opts = append(opts, registry.ClientOptPlainHTTP())
+	}
+
+	client, err := registry.NewClient(opts...)
+
+	if err != nil {
+		return nil, err
+	}
+
+	return client, nil
+}
+
+// getPlugin handles plugin-specific OCI pulls
+func (g *OCIGetter) getPlugin(client *registry.Client, ref string) (*bytes.Buffer, error) {
+	// Check if this is a provenance file request
+	requestingProv := strings.HasSuffix(ref, ".prov")
+	if requestingProv {
+		ref = strings.TrimSuffix(ref, ".prov")
+	}
+
+	// Extract plugin name from the reference
+	// e.g., "ghcr.io/user/plugin-name:v1.0.0" -> "plugin-name"
+	parts := strings.Split(ref, "/")
+	if len(parts) < 2 {
+		return nil, fmt.Errorf("invalid OCI reference: %s", ref)
+	}
+	lastPart := parts[len(parts)-1]
+	pluginName := lastPart
+	if idx := strings.LastIndex(lastPart, ":"); idx > 0 {
+		pluginName = lastPart[:idx]
+	}
+	if idx := strings.LastIndex(lastPart, "@"); idx > 0 {
+		pluginName = lastPart[:idx]
+	}
+
+	var pullOpts []registry.PluginPullOption
+	if requestingProv {
+		pullOpts = append(pullOpts, registry.PullPluginOptWithProv(true))
+	}
+
+	result, err := client.PullPlugin(ref, pluginName, pullOpts...)
+	if err != nil {
+		return nil, err
+	}
+
+	if requestingProv {
+		return bytes.NewBuffer(result.Prov.Data), nil
+	}
+	return bytes.NewBuffer(result.PluginData), nil
+}
@@ -0,0 +1,129 @@
+/*
+Copyright The Helm Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package getter
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+
+	"net/url"
+
+	"helm.sh/helm/v4/internal/plugin"
+
+	"helm.sh/helm/v4/internal/plugin/schema"
+	"helm.sh/helm/v4/pkg/cli"
+)
+
+// collectGetterPlugins scans for getter plugins.
+// This will load plugins according to the cli.
+func collectGetterPlugins(settings *cli.EnvSettings) (Providers, error) {
+	d := plugin.Descriptor{
+		Type: "getter/v1",
+	}
+	plgs, err := plugin.FindPlugins([]string{settings.PluginsDirectory}, d)
+	if err != nil {
+		return nil, err
+	}
+	env := plugin.FormatEnv(settings.EnvVars())
+	pluginConstructorBuilder := func(plg plugin.Plugin) Constructor {
+		return func(option ...Option) (Getter, error) {
+
+			return &getterPlugin{
+				options: append([]Option{}, option...),
+				plg:     plg,
+				env:     env,
+			}, nil
+		}
+	}
+	results := make([]Provider, 0, len(plgs))
+	for _, plg := range plgs {
+		if c, ok := plg.Metadata().Config.(*schema.ConfigGetterV1); ok {
+			results = append(results, Provider{
+				Schemes: c.Protocols,
+				New:     pluginConstructorBuilder(plg),
+			})
+		}
+	}
+	return results, nil
+}
+
+func convertOptions(globalOptions, options []Option) schema.GetterOptionsV1 {
+	opts := getterOptions{}
+	for _, opt := range globalOptions {
+		opt(&opts)
+	}
+	for _, opt := range options {
+		opt(&opts)
+	}
+
+	result := schema.GetterOptionsV1{
+		URL:                   opts.url,
+		CertFile:              opts.certFile,
+		KeyFile:               opts.keyFile,
+		CAFile:                opts.caFile,
+		UNTar:                 opts.unTar,
+		InsecureSkipVerifyTLS: opts.insecureSkipVerifyTLS,
+		PlainHTTP:             opts.plainHTTP,
+		AcceptHeader:          opts.acceptHeader,
+		Username:              opts.username,
+		Password:              opts.password,
+		PassCredentialsAll:    opts.passCredentialsAll,
+		UserAgent:             opts.userAgent,
+		Version:               opts.version,
+		Timeout:               opts.timeout,
+	}
+
+	return result
+}
+
+type getterPlugin struct {
+	options []Option
+	plg     plugin.Plugin
+	env     []string
+}
+
+func (g *getterPlugin) Get(href string, options ...Option) (*bytes.Buffer, error) {
+	opts := convertOptions(g.options, options)
+
+	// TODO optimization: pass this along to Get() instead of re-parsing here
+	u, err := url.Parse(href)
+	if err != nil {
+		return nil, err
+	}
+
+	input := &plugin.Input{
+		Message: schema.InputMessageGetterV1{
+			Href:     href,
+			Options:  opts,
+			Protocol: u.Scheme,
+		},
+		Env: g.env,
+		// TODO should we pass Stdin, Stdout, and Stderr through Input here to getter plugins?
+		// Stdout: os.Stdout,
+	}
+	output, err := g.plg.Invoke(context.Background(), input)
+	if err != nil {
+		return nil, fmt.Errorf("plugin %q failed to invoke: %w", g.plg, err)
+	}
+
+	outputMessage, ok := output.Message.(schema.OutputMessageGetterV1)
+	if !ok {
+		return nil, fmt.Errorf("invalid output message type from plugin %q", g.plg.Metadata().Name)
+	}
+
+	return bytes.NewBuffer(outputMessage.Data), nil
+}