We're beyond excited to share that Helm Summit EU 2019 is now official (h/t to CNCF)! Join the Helm community on September 11 - 12 in Amsterdam, The Netherlands at Pakhuis de Zwijger for our first European Helm Summit. Over the course of two days, we'll discuss all things Helm and hold tutorials, working sessions, and small group discussions with new and exisiting users.

Interested in...

• Registering? Sign up here before Aug 27 for Early Bird pricing of $250. Prices will go up to the Standard pricing of $300 thereafter.

  Read More…

Security researcher Bernard Wagner of Entersekt discovered a vulnerability in ChartMuseum, impacting all versions of ChartMuseum between ChartMuseum >=0.1.0 and < 0.8.1. A specially crafted chart could be uploaded that caused the uploaded archive to be saved outside of the intended location.

When ChartMuseum is configured for multitenancy the specially crafted chart could be uploaded to one tenant but saved in the location of another tenant. This includes overwriting a chart at a version in the other tenant.

Additionally, if ChartMuseum is configured to use a file system the uploaded Chart archive may be uploaded to locations outside of the storage directory. It could be uploaded to any place the ChartMuseum application binary has write permission to.

We are unaware of any public exploits caused by this issue.

Security researcher Bernard Wagner of Entersekt discovered a vulnerability in the Helm client, impacting all versions of Helm between Helm >=2.0.0 and < 2.12.2. Two Helm client commands may be coerced into unpacking unsafe content from a maliciously designed chart.

A specially crafted chart may be able to unpack content into locations on the filesystem outside of the chart’s path, potentially overwriting existing files.

No version of Tiller is known to be impacted. This is a client-only issue.

The following Helm commands may unsafely unpack malformed charts onto a local folder: helm fetch --untar and helm lint some.tgz.

We are unaware of any public exploits caused by this issue.

Helm was designed with many distributed repositories in mind. Like Homebrew Taps and Debian APT repositories, Helm has the ability to add and work with many repositories. While the Helm stable and incubator repositories have been front and center from the beginning it was never our intent for these to be the only public repositories.

With this in mind, we are delighted to announce the launch of the Helm Hub. This hub provides a means for you to find charts hosted in many distributed repositories hosted by numerous people and organizations.

The first major action under the new Helm governance was to elect a set of Helm Org Maintainers. In the initial election we were looking to select 7 people to represent Helm core, charts, and other projects under the Helm umbrella. The election is now complete and I would like to introduce the first set of Org Maintainers.

The Helm community charts, available as the stable and incubator repositories, have long had testing. That testing has grown and improved a significant amount in the past year; from Helm linting and testing if an application runs in a cluster to now include YAML linting, some validation on maintainers, Chart.yaml schema validation, tests on chart version increments, and more.

Being a top level incubating CNCF project requires having a governance structure to ensure that there is a publicly documented process for making decisions regarding the project and the community. While Helm was under Kubernetes, we relied on Kubernetes governance. As part of the transition to CNCF, the Helm project is required to have its own governance structure. To handle this we set up a provisional governance with a goal of creating a long term one. After a few months we are happy to announce that the new governance structure has been written and approved.

When Helm was part of the Kubernetes project it, like the rest of Kubernetes, used the CNCF Contributor License Agreement (CLA). This served Helm well for years. But, most of the CNCF projects use a Developers Certificate of Origin (DCO) instead of a CLA. The exceptions are Kubernetes and gRPC. Upon Helm becoming a CNCF project itself we were asked if we wanted to move Helm to a DCO. After some careful consideration and a little research, the Helm maintainers voted to move to a DCO.

Rimas Mocevicius ( rimusz) has become the fourth Helm Emeritus Maintainer. Rimas is one of the three original founders of Helm. Author of CoreOS Essentials (Packt, 2016) and creator of Kube Solo, Rimas is a long-time member of the Kubernetes ecosystem. Rimas was an active contributor on Helm Classic, and has been a leading voice in the community ever since.

Check out Rimas' latest blog post on Tillerless Helm.

Earlier this summer, we announced that Helm joined the CNCF as an official incubating project. Part of that transition involves moving the Helm project out of the Kubernetes GitHub org and into its org. We’re excited to announce that we’ve completed that process. As of last week, we have moved the Helm code repository to https://github.com/helm/helm.