Helm Charts requested by the Helm client frequently use external dependencies as defined in the index.yaml
file. These dependencies may, in turn, need additional dependencies. Therefore, when downloading a chart, you may not have full visibility into the full set of dependencies that your original chart needs (whether directly or transitively). As a result, you are at risk of downloading malicious dependencies from unknown external resources.
To manage this risk, and maintain the best practice of consuming external charts through Artifactory, you may specify a "safe" Allow List from which dependencies may be downloaded, cached in Artifactory, and configured to rewrite the dependencies so that the Helm client accesses dependencies through a remote repository as follows:
Select the Enable Dependency Rewrite checkbox in the Helm Chart remote repository advanced section.
Specify an Allow List pattern of external resources from which dependencies may be downloaded.
The fields under External Dependency Rewrite are connected to automatically rewriting external dependencies for Helm Charts that require them.
Field | Description |
---|---|
Enable Dependency Rewrite | When selected, external dependencies are rewritten. |
Patterns Allow List | An Allow List of Ant-style path expressions that specify where external dependencies may be downloaded from. By default, this is set to For example, if you limit the Patterns Allow List to |
For example, if you limit the Patterns Allow List to "github.com"github.com, the external dependencies will be cached in the "helm" remote repository, and only charts from https://github.com/prometheus-community/helm-charts/
are allowed to be cached.