Understanding Helm Charts
Helm charts are a form of artifacts that serves as a container for numerous images. Make sure the helm chart is valid to assist the artifact scanning.
Vulnerability Scanning Service scans are used for container validation, for more information see Scanning Overview and Vulnerability Reports.
Example values in values.yaml for helm charts are as follows:
oci_meta:
repo: default.foo.local.io
images:
foo:
image: foo
tag: 1.1
bar:
image: bar
tag: 1.2
The containers are referred to as follows in the helm chart configuration yaml file:
.....
containers:
- name: {{ .Chart.Name }}-xyz
image: "{{ .Values.oci_meta.repo }}{{ .Values.oci_meta.images.foo.name }}:{{ .Values.oci_meta.images.foo.tag }}"
.....
Validation and Error Codes
Validation scans help to validate the helm charts for formatting related issues. The validation types include the following:
- HELM_SYSTEM_ERROR
This is system related message and is displayed when you try to pull up the helm chart.
- HELM_LINTER
This message is displayed when you try to run helm provided linter on the chart
- HELM_VALUES
This message is regarding values attribute validation and is displayed to refer to the field validation below for details.
- HELM_TEMPLATE
This validation is for checking the container references made on template compared to the containers mentioned under oci_meta in values.yaml.
The helm value fields and descriptions are as follows:
oci_meta- Represents presence of attribute on Values.yamloci_meta.repo- Represents that the field can be empty or have only ocir.io references.oci_meta.images- Represents the presence of attribute with one or more entries.oci_meta.images[*].image- Represents the presence of attribute and is not empty.oci_meta.images[*].tag- Represents the presence of attribute and is not empty.
A helm chart has bunch of kubernetes configuration file and one or more Values.yaml file. In the kubernetes configuration file you must have the correct references to values.yaml file. The helm templates descriptions are as follows:
- Getting the value at
containers.imagefrom the chart template spec and checking its presence. Values.oci_meta.In the kubernetes configuration yaml, the references are present in values.yaml file with the name 'oci_meta'.
- Getting the value at
containers.imagefrom the chart template spec and it should only refer to as Values.oci_meta.In the kubernetes configuration yaml, the reference should be only coming from oci_meta.
- The images referred in Values.yaml file are presented as part of image map in helm artifact details in Publisher.
| Error Type | Error Code | Description | Validation | Publisher Error | Guidance |
|---|---|---|---|---|---|
|
HELM_SYSTEM_ERROR |
n/a | Failure to pulling up the helm chart. | n/a | No | n/a |
|
HELM_SYSTEM_ERROR |
n/a | Failure in loading the chart. | n/a | No | n/a |
|
HELM_LINTER |
HELM_LINTER_ERROR |
Helm Linter failed. | Linter | Yes | See Helm Lint for more information. |
|
HELM_VALUES |
OCI_META_EMTPY |
Absence of oci_meta attr on values.yaml. | Values | Yes | oci_meta attribute on values.yaml is required. |
|
HELM_VALUES |
OCI_META_READ_ERROR |
Error in reading oci_meta. | Values | Yes | Formatting of oci_meta is incorrect. |
|
HELM_VALUES |
OCI_META_REPO_NOT_OCIR |
Repository value is not ocir.io. | Values | Yes | Repository is not hosted on ocir.io. |
|
HELM_VALUES |
OCI_META_IMAGES_EMPTY |
Empty image lists. | Values | Yes | Image list is required. |
|
HELM_VALUES |
OCI_META_IMAGES_IMAGE_EMPTY |
Empty entry for image. | Values | Yes | Image name entry is empty. |
|
HELM_VALUES |
OCI_META_IMAGES_TAG_EMPTY |
Empty entry for tag. | Values | Yes | Tag entry is empty. |
|
HELM_TEMPLATE |
n/a | Error in parsing template. | Template | Yes/No | The template has to be checked for errors, we try to substitute values.yaml on yaml templates and the cause of this error. |
|
HELM_TEMPLATE |
HELM_TEMPLATE_IMAGE_REFERENCES |
Image reference mismatch. | Template | Yes | The images referred on yaml templates are not part of images mentioned on oci_meta in values.yaml. |