@kvaps (Member) commented Nov 19, 2025

  • Fix panics
  • Support ExternalArtifacts

Summary by CodeRabbit

  • New Features

    • Support for chart references that resolve ExternalArtifact/HelmChart sources, merge values from referenced sources, and surface related events/history.
    • Added a take-ownership flag to control Helm ownership behavior.
    • Reconciliation now waits for and reconciles referenced sources (GitRepository, OCIRepository, Bucket) and annotates status.
  • Infrastructure

    • Upgraded to Go 1.25.0 and refreshed Kubernetes, Flux CD, controller-runtime, and related dependencies for compatibility.

@coderabbitai bot commented Nov 19, 2025

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Bumps Go toolchain and many dependencies; refactors main.go to thread context.Context and client.Client through CLI commands; adds chart reference resolution, artifact-generator lookup, values merging, source reconciliation/waiting, history/event helpers, and a take-ownership CLI flag.

Changes

Cohort / File(s): Summary

Dependency Updates (go.mod): Bumped Go toolchain to 1.25.0 and updated numerous direct and indirect modules: FluxCD packages, k8s.io/* to v0.34.x, sigs.k8s.io/controller-runtime to v0.22.2, spf13/cobra/pflag, golang.org/x/*, gRPC/genproto, fxamacker/cbor, gomega, plus many indirect adjustments and reorganized require/indirect entries.

Core Refactor & Features (main.go): Propagates context.Context and client.Client through all command execution paths; added resolveChartRef, findArtifactGeneratorForExternalArtifact, getChartInfo, mergedValues, newHistoryEntry, markSuccess; updated command signatures and cmd factory to accept new runFn signature; extended reconcile flow to reconcile referenced Source resources (HelmChart, ExternalArtifact, GitRepository, OCIRepository, Bucket), annotate/wait for source reconciliation, and introduced the takeOwnership flag into upgrade/install flows.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    actor CLI
    participant Cmd as cmdFactory / Command
    participant Handler as Command Handler
    participant Resolver as resolveChartRef / getChartInfo
    participant K8s as Kubernetes API (client.Client)
    participant Merger as mergedValues
    participant Helm as upgradeRelease / helmaction
    participant History as markSuccess

    CLI->>Cmd: invoke command (apply/diff/show/...)
    Cmd->>Handler: run(ctx, cl, cfg, hr, chartDir)
    Handler->>Resolver: resolveChartRef(ctx, cl, hr)
    Resolver->>K8s: fetch ExternalArtifact / HelmChart / OCIRepository / sources
    K8s-->>Resolver: chart metadata (name, version, valuesFiles)
    Handler->>Merger: mergedValues(ctx, cl, hr, chartDir)
    Merger->>K8s: load values files / inline values
    K8s-->>Merger: values contents
    Handler->>Helm: upgradeRelease(cfg, hr, chartDir, vals, takeOwnership)
    Helm-->>Handler: result
    Handler->>History: markSuccess(ctx, cl, recorder, hr, chartVer, cfgDigest)
    History->>K8s: update status / emit events
    K8s-->>History: ack

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

  • Review focus:
    • Correctness of chart/source resolution and inventory lookup in findArtifactGeneratorForExternalArtifact
    • Consistent propagation and cancellation semantics of context.Context and client.Client across all command paths
    • Reconcile logic that annotates and waits for source reconciliation (GVR handling, suspension checks, watch/annotate correctness)
    • Threading and semantics of takeOwnership through upgrade/install logic and its interaction with Helm ownership behavior
    • Areas touching API surface: new/changed exported function signatures in main.go

Possibly related PRs

  • Introduce --take-ownership option #6 — Alters upgradeRelease signature and threads a takeOwnership flag through apply/upgrade flow; directly related to the takeOwnership changes in main.go.

Poem

🐇 I hop through code with context in paw,
I fetch each chart and trace each law,
I stitch the values, quiet and neat,
I mark the history, drum a beat,
A tiny rabbit cheers this tidy draw!

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name / Status / Explanation
Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
Title check: Passed. The title 'Support ExternalArtifacts' clearly summarizes the primary objective of the pull request, which adds support for ExternalArtifacts as described in the PR objectives and reflected in the main.go changes.
Docstring Coverage: Passed. Docstring coverage is 85.00% which is sufficient. The required threshold is 80.00%.

📜 Recent review details


📥 Commits

Reviewing files that changed from the base of the PR and between 3816886 and 6bba540.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (2)
  • go.mod (5 hunks)
  • main.go (18 hunks)
🧰 Additional context used
🪛 OSV Scanner (2.2.4)
go.mod

[HIGH] 14-14: helm.sh/helm/v3 3.18.2: Helm vulnerable to Code Injection through malicious chart.yaml content in helm.sh/helm

(GO-2025-3802)


[HIGH] 14-14: helm.sh/helm/v3 3.18.2: Helm Charts with Specific JSON Schema Values Can Cause Memory Exhaustion in helm.sh/helm

(GO-2025-3887)


[HIGH] 14-14: helm.sh/helm/v3 3.18.2: Helm May Panic Due To Incorrect YAML Content in helm.sh/helm

(GO-2025-3888)


[HIGH] 14-14: helm.sh/helm/v3 3.18.2: Helm vulnerable to Code Injection through malicious chart.yaml content

(GHSA-557j-xg8c-q2mm)


[HIGH] 14-14: helm.sh/helm/v3 3.18.2: Helm Charts with Specific JSON Schema Values Can Cause Memory Exhaustion

(GHSA-9h84-qmv7-982p)


[HIGH] 14-14: helm.sh/helm/v3 3.18.2: Helm May Panic Due To Incorrect YAML Content

(GHSA-f9f8-9pmf-xv68)

🔇 Additional comments (14)
main.go (14)

35-35: LGTM!

Proper addition of Flux source-controller v1 import and scheme registration to support ExternalArtifacts.

Also applies to: 78-78


230-307: LGTM!

The function correctly resolves chart information from different source types (ExternalArtifact, HelmChart, OCIRepository) with appropriate error handling and path parsing logic.


309-352: LGTM!

The function correctly handles the ArtifactGenerator lookup with proper error handling, including checking for meta.IsNoMatchError before attempting the fallback GVR.


354-369: LGTM!

Clean abstraction that centralizes chart information retrieval from either chartRef or chart.


372-418: LGTM!

The function is correctly updated to dynamically resolve valuesFiles from either chartRef or chart, with proper context and client threading.


549-549: LGTM!

The runFn signature is correctly updated to thread context and client through command handlers, with proper error handling for client creation in both plain and normal modes.

Also applies to: 572-614


623-687: LGTM!

Command handlers are correctly updated to pass context and client through the call chain, with appropriate error handling for values merging and chart info retrieval.

Also applies to: 693-794


799-824: LGTM!

The suspend, resume, and delete commands are correctly updated with context and client parameters.


1094-1112: LGTM!

The function correctly handles errors from getChartInfo with appropriate logging and fallback to the HelmRelease name.


1115-1134: LGTM!

The function correctly handles errors from getChartInfo with appropriate logging and fallback to the HelmRelease name for the success message.


1293-1312: LGTM!

The reconcile command is properly initialized with a reasonable timeout, suspension check, and dynamic client setup.


1313-1349: LGTM!

The waitByWatch helper implements a solid reconciliation waiting pattern with proper Ready condition validation and error handling.


1354-1519: LGTM!

The source reconciliation logic correctly handles multiple source types (ExternalArtifact, HelmChart, OCIRepository) with proper suspension checks, annotation, and watch-based waiting. The use of sourceReconciliationDone flag provides clear control flow.


1521-1561: LGTM!

The HelmRelease reconciliation logic correctly implements the Flux reconciliation pattern with proper annotation, watching, and support for force reconciliation.


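The review above approves a waitByWatch helper that validates the Ready condition while waiting for a Flux source to reconcile. The example below is added here to illustrate that waiting pattern; it is not code from the PR or from the project. It assumes the usual Flux contract (the reconcile request annotation value is echoed back in status.lastHandledReconcileAt, and status.observedGeneration must catch up with metadata.generation before a Ready condition is trusted) and uses locally defined types plus a channel in place of a Kubernetes watch so it runs offline.

```go
package main

import (
	"fmt"
	"time"
)

// Condition mirrors the metav1.Condition fields that matter for readiness.
// All types in this example are constructed for the demo; they are not the
// project's own types or the Flux API structs.
type Condition struct {
	Type               string
	Status             string // "True", "False" or "Unknown"
	Reason             string
	Message            string
	ObservedGeneration int64
}

// SourceStatus carries the fields of a Flux source object that a waiter needs:
// metadata.generation plus status.observedGeneration,
// status.lastHandledReconcileAt and status.conditions.
type SourceStatus struct {
	Generation             int64
	ObservedGeneration     int64
	LastHandledReconcileAt string
	Conditions             []Condition
}

// ReconcileState classifies one status snapshot seen on the watch.
type ReconcileState int

const (
	Pending   ReconcileState = iota // keep watching
	Succeeded                       // Ready=True for the requested reconcile
	Failed                          // Ready=False after the request was handled
)

// evalReconcile decides whether the reconcile requested with the annotation
// value requestedAt has finished. A Ready=True condition alone is not enough:
// it may describe the previous reconcile. The controller must have echoed the
// request in lastHandledReconcileAt and observed the current generation first.
func evalReconcile(st SourceStatus, requestedAt string) (ReconcileState, string) {
	if st.LastHandledReconcileAt != requestedAt {
		return Pending, "reconcile request not yet handled"
	}
	if st.ObservedGeneration < st.Generation {
		return Pending, "status.observedGeneration is behind metadata.generation"
	}
	for _, c := range st.Conditions {
		if c.Type != "Ready" {
			continue
		}
		if c.ObservedGeneration != 0 && c.ObservedGeneration < st.Generation {
			return Pending, "Ready condition is stale"
		}
		switch c.Status {
		case "True":
			return Succeeded, c.Message
		case "False":
			return Failed, fmt.Sprintf("%s: %s", c.Reason, c.Message)
		}
		return Pending, "Ready is Unknown"
	}
	return Pending, "no Ready condition reported yet"
}

// waitByWatch consumes status snapshots from updates (a stand-in for the event
// stream of a Kubernetes watch) until the reconcile completes, fails, the
// stream closes, or timeout elapses.
func waitByWatch(updates <-chan SourceStatus, requestedAt string, timeout time.Duration) error {
	deadline := time.NewTimer(timeout)
	defer deadline.Stop()
	for {
		select {
		case st, ok := <-updates:
			if !ok {
				return fmt.Errorf("watch closed before reconcile %s finished", requestedAt)
			}
			switch state, msg := evalReconcile(st, requestedAt); state {
			case Succeeded:
				return nil
			case Failed:
				return fmt.Errorf("reconcile %s failed: %s", requestedAt, msg)
			}
		case <-deadline.C:
			return fmt.Errorf("timed out after %s waiting for reconcile %s", timeout, requestedAt)
		}
	}
}

func main() {
	// Constructed watch stream: a snapshot that still answers an older request
	// (Ready=True but not ours), then the acknowledgement for our request.
	ready := []Condition{{Type: "Ready", Status: "True", ObservedGeneration: 2, Message: "stored artifact"}}
	updates := make(chan SourceStatus, 2)
	updates <- SourceStatus{Generation: 2, ObservedGeneration: 2, LastHandledReconcileAt: "old-request", Conditions: ready}
	updates <- SourceStatus{Generation: 2, ObservedGeneration: 2, LastHandledReconcileAt: "new-request", Conditions: ready}
	if err := waitByWatch(updates, "new-request", 5*time.Second); err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("source reconciled for request new-request")
}
```

The first snapshot in main shows why the lastHandledReconcileAt check matters: a waiter that only looks for Ready=True would return immediately on a status left over from the previous reconcile.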

@gemini-code-assist bot commented

Summary of Changes

Hello @kvaps, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the application's ability to manage Helm releases by introducing support for ExternalArtifacts and updating core dependencies. It refines the reconciliation process for various source types and adds a new option for managing resource ownership during Helm upgrades, contributing to a more robust and up-to-date system.

Highlights

  • ExternalArtifacts Support: Introduced comprehensive support for ExternalArtifacts in HelmRelease definitions, allowing the system to resolve chart information and reconcile underlying sources like GitRepository, OCIRepository, and Bucket resources.
  • Dependency Updates: Upgraded the Go version to 1.25.0 and updated numerous Go module dependencies, including FluxCD APIs (e.g., fluxcd/pkg/apis/meta, fluxcd/pkg/runtime), Kubernetes client libraries, and other indirect dependencies, ensuring compatibility and leveraging the latest features and fixes.
  • New --take-ownership Option: Added a new --take-ownership flag to the apply command, enabling Helm to assume ownership of existing Kubernetes resources during an upgrade operation.
  • Enhanced Reconciliation Logic: Refactored the reconcile command to robustly handle various source kinds, including a new mechanism to find and reconcile the ArtifactGenerator and its associated sources when an ExternalArtifact is referenced. Also added checks for suspended resources before reconciliation.
  • Improved Context Handling: Standardized the passing of context.Context and client.Client across command functions, improving consistency and error handling throughout the application.

@gemini-code-assist bot left a comment

Code Review

This pull request introduces support for ExternalArtifacts in HelmReleases, which involves significant refactoring of the command logic. It also adds a --take-ownership option for Helm upgrades. The changes are well-structured, but there are a few areas where error handling and code clarity could be improved. My review includes suggestions to make the code more robust, especially in handling different API versions and potential failures during Kubernetes client interactions. I've also pointed out a few places where readability could be enhanced.

main.go Outdated
Comment on lines 252 to 258
prefixes := []string{"system-", "apps-"}
for _, prefix := range prefixes {
	if strings.HasPrefix(refName, prefix) {
		chartName = strings.TrimPrefix(refName, prefix)
		break
	}
}


medium

The logic to trim prefixes from ExternalArtifact names is hardcoded to system- and apps-. This is not very flexible and might be surprising to users who don't follow this specific convention. Consider making this configurable via a flag, or at least add a comment to explain that this is an expected naming convention for ExternalArtifacts in your environment.

Comment on lines 307 to 333
if err != nil {
	artifactGenGVR = schema.GroupVersionResource{
		Group: "source.watcher.fluxcd.io", Version: "v2", Resource: "artifactgenerators",
	}
	list, err = dyn.Resource(artifactGenGVR).Namespace(extArtifactNS).List(ctx, metav1.ListOptions{})
	if err != nil {
		return nil, fmt.Errorf("failed to list ArtifactGenerators: %w", err)
	}
}


medium

The error handling for the first attempt to list ArtifactGenerators is too broad. It catches any error and proceeds to try the second GVR. This could mask important errors like authentication failures or network issues. It's better to specifically check if the error is because the resource kind is not found (meta.IsNoMatchError) before trying the alternative.

if err != nil {
	if !meta.IsNoMatchError(err) {
		return nil, fmt.Errorf("failed to list ArtifactGenerators with GVR %s: %w", artifactGenGVR, err)
	}
	artifactGenGVR = schema.GroupVersionResource{
		Group: "source.watcher.fluxcd.io", Version: "v2", Resource: "artifactgenerators",
	}
	list, err = dyn.Resource(artifactGenGVR).Namespace(extArtifactNS).List(ctx, metav1.ListOptions{})
	if err != nil {
		return nil, fmt.Errorf("failed to list ArtifactGenerators with GVR %s: %w", artifactGenGVR, err)
	}
}

main.go Outdated
Comment on lines 567 to 568
cl, _ := client.New(rc, client.Options{})
return fn(ctx, cl, cfg, stub, ".")


medium

The error returned by client.New is being ignored. While the client may not be heavily used in plain mode, client.New can still fail (e.g., due to an invalid scheme setup), and it's best practice to handle all errors.

// Create a dummy client for plain mode
cl, err := client.New(rc, client.Options{})
if err != nil {
	return err
}
return fn(ctx, cl, cfg, stub, ".")

main.go Outdated
// newHistoryEntry creates a v2.Snapshot for status.history.
func newHistoryEntry(hr *v2.HelmRelease, chartVersion, cfgDigest string) *v2.Snapshot {
func newHistoryEntry(ctx context.Context, cl client.Client, hr *v2.HelmRelease, chartVersion, cfgDigest string) *v2.Snapshot {
chartName, _, _ := getChartInfo(ctx, cl, hr)


medium

The error from getChartInfo is ignored. If getChartInfo fails, chartName will be an empty string, resulting in an incomplete or incorrect history entry. The error should be handled, for example by logging it and falling back to a more generic name like the HelmRelease name.

	chartName, _, err := getChartInfo(ctx, cl, hr)
	if err != nil {
		// Log the error and fall back to the HelmRelease name.
		log.Printf("could not get chart info for %s/%s: %v", hr.Namespace, hr.Name, err)
		chartName = hr.Name
	}

main.go Outdated
// markSuccess sets Ready=True and emits a normal event.
func markSuccess(ctx context.Context, cl client.Client, rec record.EventRecorder, hr *v2.HelmRelease, chartVer, cfgDigest string) {
msg := fmt.Sprintf("Helm upgrade succeeded for %s/%s with chart %s@%s", hr.Namespace, hr.Name, hr.Spec.Chart.Spec.Chart, chartVer)
chartName, _, _ := getChartInfo(ctx, cl, hr)


medium

The error from getChartInfo is ignored. If it fails, chartName will be empty, which leads to a confusing success message. The error should be handled, for example by falling back to the HelmRelease name.

	chartName, _, err := getChartInfo(ctx, cl, hr)
	if err != nil {
		// Log the error and fall back to the HelmRelease name for the message.
		log.Printf("could not get chart info for %s/%s: %v", hr.Namespace, hr.Name, err)
		chartName = hr.Name
	}

main.go Outdated
Comment on lines 1428 to 1430
sourceNS = ""
sourceName = ""
sourceGVR = schema.GroupVersionResource{} // Clear GVR to skip annotation


medium

Using sourceNS = "" and clearing other variables to signal that source reconciliation is complete and to skip a later block of code reduces readability. It would be clearer to use a dedicated boolean flag, for example sourceReconciliationDone, to control the flow.

For example, you could declare var sourceReconciliationDone bool at the top of the if withSource block, set it to true here, and then check if !sourceReconciliationDone for the next block.
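The review comment on the ArtifactGenerator lookup makes a point worth seeing in isolation: a version fallback must advance only on "no matches for kind" and must surface every other error, otherwise an RBAC denial or a network failure on the primary version is silently turned into a retry against the fallback. The example below is added here and is not code from the PR or the project. To run offline it defines a local GVR type, a NoMatchError with an IsNoMatchError helper that play the role of schema.GroupVersionResource and meta.IsNoMatchError from apimachinery, and a constructed in-memory API server; the v2 GVR for source.watcher.fluxcd.io comes from the thread, while the v1beta1 primary candidate and the namespace and object names are assumptions for the demo.

```go
package main

import (
	"errors"
	"fmt"
)

// GVR is a local stand-in for schema.GroupVersionResource so the example runs
// without k8s.io dependencies (assumption of this example).
type GVR struct{ Group, Version, Resource string }

func (g GVR) String() string {
	return fmt.Sprintf("%s/%s, Resource=%s", g.Group, g.Version, g.Resource)
}

// NoMatchError models the "no matches for kind" error returned when an API
// version is not served; IsNoMatchError plays the role of meta.IsNoMatchError.
// Both are constructed for this example.
type NoMatchError struct{ GVR GVR }

func (e *NoMatchError) Error() string { return "no matches for " + e.GVR.String() }

func IsNoMatchError(err error) bool {
	var nm *NoMatchError
	return errors.As(err, &nm)
}

// Lister abstracts dyn.Resource(gvr).Namespace(ns).List(ctx, opts) and
// returns the names of the listed objects.
type Lister func(gvr GVR, ns string) ([]string, error)

// listWithFallback tries the candidate GVRs in order. It advances to the next
// candidate only on a NoMatch error; any other failure (RBAC denial, network,
// timeout) is returned at once so it is never misread as "CRD not installed".
func listWithFallback(list Lister, ns string, candidates []GVR) (GVR, []string, error) {
	var lastErr error
	for _, gvr := range candidates {
		items, err := list(gvr, ns)
		if err == nil {
			return gvr, items, nil
		}
		if !IsNoMatchError(err) {
			return GVR{}, nil, fmt.Errorf("failed to list %s in namespace %q: %w", gvr, ns, err)
		}
		lastErr = err
	}
	return GVR{}, nil, fmt.Errorf("no candidate API version is served: %w", lastErr)
}

// artifactGeneratorCandidates lists the versions to try for ArtifactGenerator.
// The v2 entry comes from the review thread; the v1beta1 entry is an assumed
// older served version used only for the demo.
var artifactGeneratorCandidates = []GVR{
	{Group: "source.watcher.fluxcd.io", Version: "v1beta1", Resource: "artifactgenerators"},
	{Group: "source.watcher.fluxcd.io", Version: "v2", Resource: "artifactgenerators"},
}

// fakeAPIServer builds a Lister over constructed data: served maps a GVR to the
// object names it returns, denied marks GVRs that fail with an RBAC-style error.
func fakeAPIServer(served map[GVR][]string, denied map[GVR]bool) Lister {
	return func(gvr GVR, ns string) ([]string, error) {
		if denied[gvr] {
			return nil, fmt.Errorf("%s.%s is forbidden: cannot list resource in namespace %q", gvr.Resource, gvr.Group, ns)
		}
		items, ok := served[gvr]
		if !ok {
			return nil, &NoMatchError{GVR: gvr}
		}
		return items, nil
	}
}

func main() {
	v2 := artifactGeneratorCandidates[1]
	// Cluster that serves only v2: the first attempt returns NoMatch and the
	// fallback succeeds.
	srv := fakeAPIServer(map[GVR][]string{v2: {"system-example"}}, nil)
	gvr, items, err := listWithFallback(srv, "flux-system", artifactGeneratorCandidates)
	fmt.Println(gvr, items, err)

	// Same cluster, but the caller lacks list permission on the primary version:
	// the error surfaces instead of being swallowed by the fallback.
	denied := fakeAPIServer(map[GVR][]string{v2: {"system-example"}},
		map[GVR]bool{artifactGeneratorCandidates[0]: true})
	_, _, err = listWithFallback(denied, "flux-system", artifactGeneratorCandidates)
	fmt.Println("forbidden primary:", err)
}
```

Because the final error wraps the last NoMatch error with %w, a caller can still distinguish "the CRD is not installed at any version" from "the list call failed" with IsNoMatchError on the returned error.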

Signed-off-by: Andrei Kvapil <[email protected]>
@kvaps kvaps force-pushed the external-artifacts branch from 673f6c9 to 3816886 Compare November 19, 2025 10:18
@coderabbitai bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (6)
main.go (6)

252-258: Hardcoded prefix trimming lacks flexibility.

The logic to trim prefixes from ExternalArtifact names uses hardcoded values ("system-", "apps-"), which may not be flexible for all naming conventions.

This concern was already raised in previous reviews.


307-315: Error handling is too broad.

The error handling catches any error from the first GVR attempt and proceeds to try an alternative. This could mask important errors like authentication failures or network issues.

This concern was already raised in previous reviews, which suggested checking specifically for meta.IsNoMatchError.


567-568: Ignoring error from client.New.

The error returned by client.New is ignored. While the client may not be heavily used in plain mode, errors should still be handled.

This concern was already raised in previous reviews.


1074-1074: Error from getChartInfo is ignored.

If getChartInfo fails, chartName will be empty, resulting in incomplete history entries.

This concern was already raised in previous reviews, which suggested logging the error and falling back to the HelmRelease name.


1090-1090: Error from getChartInfo is ignored.

If getChartInfo fails, chartName will be empty, leading to a confusing success message.

This concern was already raised in previous reviews, which suggested logging the error and falling back to the HelmRelease name.


1428-1430: Using empty string as a control flag reduces readability.

Setting sourceNS = "" to signal that source reconciliation is complete makes the control flow harder to follow.

This concern was already raised in previous reviews, which suggested using a dedicated boolean flag like sourceReconciliationDone.

🧹 Nitpick comments (1)
main.go (1)

1346-1430: Consider extracting ExternalArtifact source reconciliation logic.

The nested logic for handling ExternalArtifact sources (finding ArtifactGenerator, iterating sources, determining GVR, annotating and waiting) is deeply nested and could benefit from extraction into a helper function for improved readability and testability.

For example:

func reconcileExternalArtifactSources(ctx context.Context, cl client.Client, dyn dynamic.Interface, refNS, refName string, waitByWatch func(...) error) error {
    // Extract the entire ExternalArtifact handling logic here
    artifactGen, err := findArtifactGeneratorForExternalArtifact(ctx, cl, refNS, refName)
    if err != nil {
        return fmt.Errorf("failed to find ArtifactGenerator for ExternalArtifact %s/%s: %w", refNS, refName, err)
    }
    
    sources, found, _ := unstructured.NestedSlice(artifactGen.Object, "spec", "sources")
    if !found || len(sources) == 0 {
        return fmt.Errorf("ArtifactGenerator %s has no sources", artifactGen.GetName())
    }
    
    // ... rest of the logic
    return nil
}
📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between b5284eb and 3816886.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (2)
  • go.mod (5 hunks)
  • main.go (18 hunks)
🧰 Additional context used
🪛 OSV Scanner (2.2.4)
go.mod

[HIGH] 14-14: helm.sh/helm/v3 3.18.2: Helm vulnerable to Code Injection through malicious chart.yaml content in helm.sh/helm

(GO-2025-3802)


[HIGH] 14-14: helm.sh/helm/v3 3.18.2: Helm Charts with Specific JSON Schema Values Can Cause Memory Exhaustion in helm.sh/helm

(GO-2025-3887)


[HIGH] 14-14: helm.sh/helm/v3 3.18.2: Helm May Panic Due To Incorrect YAML Content in helm.sh/helm

(GO-2025-3888)


[HIGH] 14-14: helm.sh/helm/v3 3.18.2: Helm vulnerable to Code Injection through malicious chart.yaml content

(GHSA-557j-xg8c-q2mm)


[HIGH] 14-14: helm.sh/helm/v3 3.18.2: Helm Charts with Specific JSON Schema Values Can Cause Memory Exhaustion

(GHSA-9h84-qmv7-982p)


[HIGH] 14-14: helm.sh/helm/v3 3.18.2: Helm May Panic Due To Incorrect YAML Content

(GHSA-f9f8-9pmf-xv68)

🔇 Additional comments (7)
main.go (6)

35-35: LGTM!

The import and scheme registration for Flux source-controller v1 types are correctly implemented to support the new ExternalArtifact functionality.

Also applies to: 78-78


336-351: LGTM!

The getChartInfo function cleanly abstracts chart information retrieval from both ChartRef and Chart sources with appropriate error handling.


354-400: LGTM!

The mergedValues function correctly integrates context and client parameters to support dynamic resolution of values files from both ChartRef and Chart sources. The merge logic is preserved and error handling is appropriate.


738-738: LGTM! New --take-ownership flag added.

The --take-ownership flag has been properly implemented as mentioned in the PR objectives, allowing users to take ownership of existing Helm resources during install/upgrade operations.


1270-1273: LGTM! Suspension check prevents unnecessary work.

Adding a check to fail early if the HelmRelease is suspended is a good defensive practice that prevents wasted reconciliation attempts.


1403-1404: LGTM! Source suspension checks prevent cascading errors.

The suspension checks for source resources (GitRepository, OCIRepository, Bucket, HelmChart) are appropriate and prevent attempting reconciliation on suspended resources.

Also applies to: 1472-1474

go.mod (1)

3-3: Go 1.25.0 is released and available.

Go 1.25.0 was released on August 12, 2025 with binaries and source available on the official download page. The version is stable and ready to use.

github.com/opencontainers/go-digest v1.0.0
github.com/spf13/cobra v1.9.1
github.com/spf13/cobra v1.10.1
helm.sh/helm/v3 v3.18.2

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

Address HIGH severity vulnerabilities in Helm.

Multiple HIGH severity vulnerabilities are reported in helm.sh/helm/v3 v3.18.2:


🏁 Script executed:

#!/bin/bash
# Check for the latest Helm version and security advisories

echo "Checking latest Helm v3 version..."
curl -s https://api.github.com/repos/helm/helm/releases/latest | jq -r '.tag_name'

echo -e "\nChecking for security advisories..."
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: GO, package: "helm.sh/helm/v3") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Length of output: 2434


Upgrade Helm to v3.18.5 or later to address security vulnerabilities.

The review comment's severity assessment was inaccurate. v3.18.2 is actually affected by 1 HIGH severity and 2 MODERATE severity vulnerabilities, not 6 HIGH as claimed. The HIGH severity issue is Code Injection through malicious chart.yaml (patched in v3.18.4), and the MODERATE issues are Panic and Memory Exhaustion from YAML/JSON content (patched in v3.18.5). Upgrade to v3.18.5 or higher to address all reported vulnerabilities. Latest available is v4.0.0.

🧰 Tools
🪛 OSV Scanner (2.2.4)

[HIGH] 14-14: helm.sh/helm/v3 3.18.2: Helm vulnerable to Code Injection through malicious chart.yaml content in helm.sh/helm

(GO-2025-3802)


[HIGH] 14-14: helm.sh/helm/v3 3.18.2: Helm Charts with Specific JSON Schema Values Can Cause Memory Exhaustion in helm.sh/helm

(GO-2025-3887)


[HIGH] 14-14: helm.sh/helm/v3 3.18.2: Helm May Panic Due To Incorrect YAML Content in helm.sh/helm

(GO-2025-3888)


[HIGH] 14-14: helm.sh/helm/v3 3.18.2: Helm vulnerable to Code Injection through malicious chart.yaml content

(GHSA-557j-xg8c-q2mm)


[HIGH] 14-14: helm.sh/helm/v3 3.18.2: Helm Charts with Specific JSON Schema Values Can Cause Memory Exhaustion

(GHSA-9h84-qmv7-982p)


[HIGH] 14-14: helm.sh/helm/v3 3.18.2: Helm May Panic Due To Incorrect YAML Content

(GHSA-f9f8-9pmf-xv68)
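The OSV finding and the follow-up analysis above boil down to a version policy: helm.sh/helm/v3 must be at least v3.18.4 for the chart.yaml code-injection advisory and at least v3.18.5 for the YAML panic and JSON-schema memory-exhaustion advisories. The example below is added here and is not code from the PR or the project; it shows how to enforce that policy in a pre-merge check by parsing go.mod and comparing the required Helm version against the minimum patched version of each advisory. The advisory identifiers and fixed versions are taken from the thread; the go.mod text is a constructed sample, and the small semver comparison is a deliberate standard-library stand-in for golang.org/x/mod/semver.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// helmMinimums maps each advisory from the review thread to the first Helm
// release that fixes it (v3.18.4 for the code-injection issue, v3.18.5 for
// the panic and memory-exhaustion issues).
var helmMinimums = []struct{ ID, Fixed string }{
	{"GO-2025-3802", "v3.18.4"},
	{"GO-2025-3887", "v3.18.5"},
	{"GO-2025-3888", "v3.18.5"},
}

// sampleGoMod is a constructed go.mod fragment that pins the vulnerable Helm
// release named in the review; the module path is a placeholder.
const sampleGoMod = `module example.com/helm-release-tool

go 1.25.0

require (
	github.com/spf13/cobra v1.10.1
	helm.sh/helm/v3 v3.18.2
)
`

// requiredVersion extracts the version of module from go.mod text, handling
// both the single-line "require m v" form and "require ( ... )" blocks.
func requiredVersion(gomod, module string) (string, bool) {
	sc := bufio.NewScanner(strings.NewReader(gomod))
	inBlock := false
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "require (":
			inBlock = true
			continue
		case line == ")":
			inBlock = false
			continue
		case strings.HasPrefix(line, "require "):
			line = strings.TrimPrefix(line, "require ")
		case !inBlock:
			continue
		}
		if fields := strings.Fields(line); len(fields) >= 2 && fields[0] == module {
			return fields[1], true
		}
	}
	return "", false
}

// parseVersion splits "vMAJOR.MINOR.PATCH[-pre][+meta]" into its numeric core
// and whether it carries a pre-release tag.
func parseVersion(v string) (core [3]int, prerelease bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i] // build metadata never affects ordering
	}
	if i := strings.Index(v, "-"); i >= 0 {
		prerelease = true
		v = v[:i]
	}
	for i, p := range strings.SplitN(v, ".", 3) {
		n, err := strconv.Atoi(p)
		if err != nil {
			n = 0
		}
		core[i] = n
	}
	return core, prerelease
}

// compareSemver returns -1, 0 or 1; a pre-release sorts below its release.
func compareSemver(a, b string) int {
	ca, pa := parseVersion(a)
	cb, pb := parseVersion(b)
	for i := 0; i < 3; i++ {
		switch {
		case ca[i] < cb[i]:
			return -1
		case ca[i] > cb[i]:
			return 1
		}
	}
	switch {
	case pa && !pb:
		return -1
	case !pa && pb:
		return 1
	}
	return 0
}

// openAdvisories returns the advisory IDs that still affect the Helm version
// required by gomod, together with that version.
func openAdvisories(gomod string) ([]string, string, error) {
	v, ok := requiredVersion(gomod, "helm.sh/helm/v3")
	if !ok {
		return nil, "", fmt.Errorf("helm.sh/helm/v3 not found in go.mod")
	}
	var open []string
	for _, m := range helmMinimums {
		if compareSemver(v, m.Fixed) < 0 {
			open = append(open, m.ID)
		}
	}
	return open, v, nil
}

func main() {
	open, v, err := openAdvisories(sampleGoMod)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("helm.sh/helm/v3 %s: %d open advisories %v\n", v, len(open), open)
}
```

Run against the sample, the check reports three open advisories for v3.18.2; bumping the pin to v3.18.4 clears only GO-2025-3802, and v3.18.5 or later clears all three, which matches the upgrade guidance in the thread.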

Signed-off-by: Andrei Kvapil <[email protected]>
@kvaps kvaps force-pushed the external-artifacts branch from 3816886 to 6bba540 Compare November 19, 2025 10:27
@kvaps kvaps merged commit 29deec6 into main Nov 19, 2025
2 of 3 checks passed