Helm Charts requested by the Helm client frequently use external dependencies as defined in the
index.yaml file. These dependencies may, in turn, need additional dependencies. Therefore, when downloading a chart, you may not have full visibility into the full set of dependencies that your original chart needs (whether directly or transitively). As a result, you are at risk of downloading malicious dependencies from unknown external resources.
To manage this risk, and maintain the best practice of consuming external charts through Artifactory, you may specify a "safe" Allow List from which dependencies may be downloaded, cached in Artifactory, and configured to rewrite the dependencies so that the Helm client accesses dependencies through a remote repository as follows:
Select the Enable Dependency Rewrite checkbox in the Helm Chart remote repository advanced section.
Specify an Allow List pattern of external resources from which dependencies may be downloaded.
The fields under External Dependency Rewrite are connected to automatically rewriting external dependencies for Helm Charts that require them.
Enable Dependency Rewrite
When selected, external dependencies are rewritten.
Patterns Allow List
An Allow List of Ant-style path expressions that specify where external dependencies may be downloaded from. By default, this is set to
For example, if you limit the Patterns Allow List to https://github.com/**, the external dependencies will be cached in the "helm" remote repository, and only charts with a URL starting with https://github.com/ will be allowed to be cached.
For example, if you limit the Patterns Allow List to "github.com", the external dependencies will be cached in the "helm" remote repository, and only charts from
https://github.com/prometheus-community/helm-charts/ are allowed to be cached.