Skip to content

Handle symlinks within GitRespository#1931

Open
kvaps wants to merge 2 commits intofluxcd:mainfrom
kvaps:symlinks
Open

Handle symlinks within GitRespository#1931
kvaps wants to merge 2 commits intofluxcd:mainfrom
kvaps:symlinks

Conversation

@kvaps
Copy link

@kvaps kvaps commented Nov 7, 2025
edited
Loading

  • Handle symlinks within GitRespository
  • Improve security for symlinks within GitRepository

Helm charts may include symlinks to common library charts under /charts. Currently, these are not handled.
This PR adds functionality to properly handle symlinks within a GitRepository, ensuring that all Helm charts using this approach are prepared correctly.
It also introduces a check to prevent users from including files outside their repository.

Example:

apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: cozy-git
  namespace: cozy-public
spec:
  interval: 1m0s
  ref:
    tag: v0.37.5
  timeout: 60s
  url: https://github.com/cozystack/cozystack.git
  ignore: |
    # exclude all
    /*
    # include packages dir
    !/packages
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: virtual-machine-asd2
  namespace: tenant-user
spec:
  interval: 5m
  targetNamespace: cozy-system
  chart:
    spec:
      chart: ./packages/apps/virtual-machine
      sourceRef:
        kind: GitRepository
        name: cozy-git
        namespace: cozy-public
      version: '>= 0.0.0-0'
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  values:
    cloudInit: ""
    cloudInitSeed: ""
    external: false
    externalMethod: PortList
    externalPorts:
    - 22
    instanceProfile: ubuntu
    instanceType: u1.medium
    running: true
    systemDisk:
      image: ubuntu
      storage: 5Gi
      storageClass: replicated

kvaps added 2 commits November 7, 2025 21:54
@kvaps
Handle symlinks within GitRespository
8f03161 
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
@kvaps
Improve security for symlinks within GitRepository
9457848 
Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
@matheuscscp
Copy link
Member

matheuscscp commented Nov 17, 2025

Symlinks are skipped on purpose, this is a security decision. This PR needs an RFC.

@kvaps kvaps mentioned this pull request Nov 18, 2025
Closed
@kvaps
Copy link
Author

kvaps commented Nov 18, 2025

Hey @matheuscscp it works with native Helm, but not with fluxcd.

Native Helm follows symlinks and copies content into resulting tar.gz

Additional security check and tests added to this PR

@matheuscscp
Copy link
Member

matheuscscp commented Nov 18, 2025

Helm is a client-side tool, not a privileged controller running inside the cluster.

We have an issue open to implement this on the Flux CLI, which is more aligned with what Helm does than this PR:

fluxcd/flux2#5055

Feel free to work on that one, it will be more appreciated 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@kvaps @matheuscscp