roboll / helmfile

Deploy Kubernetes Helm Charts
MIT License

helmfile panics when helm 3.3.* warns about k8s configfile access mode #1597

Open danielefranceschi opened 3 years ago

danielefranceschi commented 3 years ago

Context: helmfile v0.135.0, helm v3.3.3, WSL2 (debian sid), docker desktop on Windows 10.

As in WSL2 my ~/.kube is a symbolic link to /mnt/c/Users/xxxx/.kube on a Windows partition, it has 0777 access mode (the default; chmod 0700 helps but does not solve it).

In fact, helm on WSL warns me each time:

$ helm version
WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /home/xxxx/.kube/config
WARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /home/xxxx/.kube/config
version.BuildInfo{Version:"v3.3.3", GitCommit:"55e3ca022e40fe200fbc855938995f40b2a68ce0", GitTreeState:"clean", GoVersion:"go1.14.9"}

Then, running helmfile apply gives me this stacktrace:

panic: error parsing helm verion 'WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /home/xxxx/.kube/config
WARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /home/xxxx/.kube/config
v3.3.3+g55e3ca0'

goroutine 1 [running]:
github.com/roboll/helmfile/pkg/helmexec.New(0x16c5888, 0x4, 0xc0000c1718, 0x0, 0x0, 0x1c874c0, 0xc0004a1520, 0x0)
        /home/circleci/workspace/helmfile/pkg/helmexec/exec.go:89 +0x28e
github.com/roboll/helmfile/pkg/app.(*App).getHelm(0xc000381c20, 0xc0000e3900, 0x0, 0x0)
        /home/circleci/workspace/helmfile/pkg/app/app.go:662 +0x261
github.com/roboll/helmfile/pkg/app.(*App).ForEachState.func1(0xc0000e3900, 0xc0000e3900, 0x0, 0x0, 0xc0000e2c80)
        /home/circleci/workspace/helmfile/pkg/app/app.go:810 +0x4a
github.com/roboll/helmfile/pkg/app.(*App).visitStates.func1(0xc0007b4627, 0xd, 0xc0007b45f0, 0x36, 0x0, 0x0)
        /home/circleci/workspace/helmfile/pkg/app/app.go:761 +0x7ec
github.com/roboll/helmfile/pkg/app.(*App).visitStateFiles.func1(0xc0007b45f0, 0x36)
        /home/circleci/workspace/helmfile/pkg/app/app.go:594 +0x9d
github.com/roboll/helmfile/pkg/app.(*App).within(0xc000381c20, 0xc0007b45f0, 0x36, 0xc0004cb2e8, 0xc0004cb2a8, 0x2)
.... (full stack trace on request)

In my own helm-based tooling, I had to parse helm output removing the WARNING: lines as I did not find a switch to avoid them.

danielefranceschi commented 3 years ago

This is related to https://github.com/helm/helm/issues/8776, so it does not occur with helm v3.4.1

Sleeplessprodigy commented 3 years ago

For me, helm produces the same error even on v3.4.1.

I am using helm within a docker container to use as a dev container for VS-Code.

$helm version
WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /workspaces/infra-dev-cluster/.devcontainer/kubeconfig.conf
WARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /workspaces/infra-dev-cluster/.devcontainer/kubeconfig.conf
version.BuildInfo{Version:"v3.4.1", GitCommit:"c4e74854886b2efe3321e185578e6db9be0a6e29", GitTreeState:"clean", GoVersion:"go1.14.11"}
$helmfile version
helmfile version v0.135.0

Not sure how to resolve this issue.

danielefranceschi commented 3 years ago

@Sleeplessprodigy: For me, helm produces the same error even on v3.4.1.

I don't see the crash: do helmfile apply or helmfile sync crash?

Not sure how to resolve this issue.

Since v3.4.0 helm sends the WARNING: lines to stderr, while in v3.3.x they go to stdout: that's the reason helmfile breaks, because it does not expect those lines in helm output.

The issue can be solved with some filtering in the helmfile Go code, or by upgrading helm to v3.4.x. The devcontainer you're using should be ok.
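The filtering discussed in this comment, as an added example (not helmfile's code and not written by anyone in this thread): a parser that collects WARNING: lines separately, accepts exactly one version line, and returns an error instead of panicking on anything else. ParseHelmVersion and the sample string are hypothetical; the sample is constructed from the panic message quoted above.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// sample is constructed from the panic message quoted in this issue.
const sample = "WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /home/xxxx/.kube/config\n" +
	"WARNING: Kubernetes configuration file is world-readable. This is insecure. Location: /home/xxxx/.kube/config\n" +
	"v3.3.3+g55e3ca0\n"

// versionRe accepts vMAJOR.MINOR.PATCH with an optional pre-release or build suffix.
var versionRe = regexp.MustCompile(`^v?\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.+-]+)?$`)

// ParseHelmVersion (hypothetical name) returns the version line and any
// WARNING: lines found in out. Unknown lines are an error, so new noise on
// stdout fails loudly instead of being silently parsed as a version.
func ParseHelmVersion(out string) (string, []string, error) {
	var version string
	var warnings []string
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "":
			// skip blank lines
		case strings.HasPrefix(line, "WARNING:"):
			warnings = append(warnings, line) // keep for logging, do not drop
		case versionRe.MatchString(line) && version == "":
			version = line
		default:
			return "", warnings, fmt.Errorf("unexpected line in helm output: %q", line)
		}
	}
	if version == "" {
		return "", warnings, fmt.Errorf("no version line in helm output")
	}
	return version, warnings, nil
}

func main() {
	v, warns, err := ParseHelmVersion(sample)
	fmt.Println(v, len(warns), err)
}
```

Returning the warnings rather than discarding them lets the caller surface the kubeconfig permission problem to the user.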

bacongobbler commented 3 years ago

You can also fix the root cause by changing the file's read permissions to user-only via chmod go-r ~/.kube/config.

Your kubeconfig should not be group/world-readable, hence the error.
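A check for the condition behind the warning, as an added example (not Helm's or helmfile's code): it reports the group/world permission bits on a kubeconfig and, after a chmod to 0600, re-reads the mode to confirm the change took effect, which is the case the reporter describes on a Windows-mounted path. The function names are hypothetical, and checking the write bits as well goes beyond the two read warnings shown in this thread.

```go
package main

import (
	"fmt"
	"os"
)

// KubeconfigFindings (hypothetical name) lists permission bits that expose
// the file beyond its owner. os.Stat follows symlinks, so a ~/.kube that
// links to another filesystem is judged by the mode of the target file.
func KubeconfigFindings(path string) ([]string, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return nil, err
	}
	if !fi.Mode().IsRegular() {
		return nil, fmt.Errorf("%s is not a regular file", path)
	}
	checks := []struct {
		bit  os.FileMode
		name string
	}{
		{0o040, "group-readable"}, {0o020, "group-writable"},
		{0o004, "world-readable"}, {0o002, "world-writable"},
	}
	var findings []string
	for _, c := range checks {
		if fi.Mode().Perm()&c.bit != 0 {
			findings = append(findings, c.name)
		}
	}
	return findings, nil
}

// Tighten (hypothetical name) sets 0600 and re-checks. Findings that remain
// mean the filesystem did not apply the mode change.
func Tighten(path string) ([]string, error) {
	if err := os.Chmod(path, 0o600); err != nil {
		return nil, err
	}
	return KubeconfigFindings(path)
}

func main() {
	if len(os.Args) != 2 {
		fmt.Println("usage: kubeperm <path-to-kubeconfig>")
		return
	}
	before, err := KubeconfigFindings(os.Args[1])
	fmt.Println("findings:", before, "error:", err)
}
```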

danielefranceschi commented 3 years ago

@bacongobbler of course that's the way; this issue is about helmfile crashing when it attempts to parse helm 3.3.x output (because that warning goes to stdout in helm 3.3.x and interferes with version parsing).

bacongobbler commented 3 years ago

I'm not sure what's the recourse for helmfile here. It was a bug in upstream that was fixed in a patch release. Your recourse is to either fix the root cause (which is the recommended path forward, because it raises a security concern), or upgrade to a newer version of Helm with the applied hotfix (3.3.4 and later).

To suggest that helmfile should address this for a very specific version of Helm due to an unintentional bug which was fixed in a patch release seems silly. Just upgrade to the latest patch release and the issue will go away.

The changelog between Helm 3.3.3 and 3.3.4 is incredibly minimal. It includes the fix mentioned here and a fix for a small bug with helm repo add, so the risk factor involved with an update is minimal to the user.

https://github.com/helm/helm/releases/tag/v3.3.4

bacongobbler commented 3 years ago

For reference, https://github.com/helm/helm/pull/8779 was the fix.

danielefranceschi commented 3 years ago

Yep, I've seen them and I agree in general. I'm of course not here to suggest what should be done, I just reported a crash and found the root cause (eventually because I hate panics), so feel free to close the issue.

Morriz commented 3 years ago

Mounting a kubeconfig file on a docker container still results in the warnings. Can we have a flag to turn off such warnings? Filtering output is ugly and not the way imo...