Skip to content

Handle symlinks within GitRespository #1931

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Handle symlinks within GitRespository #1931

wants to merge 2 commits into from

Conversation

@kvaps
Copy link

@kvaps kvaps commented Nov 7, 2025
edited
Loading

  • Handle symlinks within GitRespository
  • Improve security for symlinks within GitRepository

Helm charts may include symlinks to common library charts under /charts. Currently, these are not handled.
This PR adds functionality to properly handle symlinks within a GitRepository, ensuring that all Helm charts using this approach are prepared correctly.
It also introduces a check to prevent users from including files outside their repository.

Example:

apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: cozy-git
  namespace: cozy-public
spec:
  interval: 1m0s
  ref:
    tag: v0.37.5
  timeout: 60s
  url: https://github.com/cozystack/cozystack.git
  ignore: |
    # exclude all
    /*
    # include packages dir
    !/packages
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: virtual-machine-asd2
  namespace: tenant-user
spec:
  interval: 5m
  targetNamespace: cozy-system
  chart:
    spec:
      chart: ./packages/apps/virtual-machine
      sourceRef:
        kind: GitRepository
        name: cozy-git
        namespace: cozy-public
      version: '>= 0.0.0-0'
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  values:
    cloudInit: ""
    cloudInitSeed: ""
    external: false
    externalMethod: PortList
    externalPorts:
    - 22
    instanceProfile: ubuntu
    instanceType: u1.medium
    running: true
    systemDisk:
      image: ubuntu
      storage: 5Gi
      storageClass: replicated

@matheuscscp
Copy link
Member

matheuscscp commented Nov 17, 2025

Symlinks are skipped on purpose, this is a security decision. This PR needs an RFC.

@kvaps kvaps mentioned this pull request Nov 18, 2025
Closed
@kvaps
Copy link
Author

kvaps commented Nov 18, 2025

Hey @matheuscscp it works with native Helm, but not with fluxcd.

Native Helm follows symlinks and copies content into resulting tar.gz

Additional security check and tests added to this PR

@matheuscscp
Copy link
Member

matheuscscp commented Nov 18, 2025

Helm is a client-side tool, not a privileged controller running inside the cluster.

We have an issue open to implement this on the Flux CLI, which is more aligned with what Helm does than this PR:

fluxcd/flux2#5055

Feel free to work on that one, it will be more appreciated 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@kvaps @matheuscscp