
feat(github-release)!: Update aqua:helmfile/helmfile ( 0.171.0 → 1.6.0 ) #112

Open
renovate[bot] wants to merge 1 commit into main from renovate/aqua-helmfile-helmfile-1.x

Conversation

@renovate renovate Bot commented May 31, 2025
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| aqua:helmfile/helmfile | major | 0.171.0 → 1.6.0 |

Release Notes

helmfile/helmfile (aqua:helmfile/helmfile)

v1.6.0

Compare Source

Helmfile v1.6.0

This release introduces helmfile doctor — an AI-assisted diff analyzer that
reads your helmfile diff output and asks an LLM to summarize the changes and
flag risks before you apply them. We also ship parallel kubedog tracking
so resource convergence now happens alongside (not after) helm execution.


🩺 helmfile doctor: AI-assisted diff analysis

helmfile doctor runs helmfile diff, then sends the diff to any
OpenAI-compatible Chat Completions endpoint to produce a structured risk
report. It is designed to drop into a CI pipeline before helmfile apply so a
human reviewer (or a gate) gets a fast, opinionated second opinion on what is
about to change.

Quick start

```bash
# Configure via env (lowest precedence)...
export HELMFILE_LLM_API_KEY="sk-..."
export HELMFILE_LLM_MODEL="gpt-4o"
```

```yaml
# ...or helmfile.yaml...
llm:
  baseURL: "https://api.openai.com/v1"
  apiKey: {{ env "OPENAI_API_KEY" }}
  model: "gpt-4o"
```

```bash
# ...or flags (highest precedence)
helmfile doctor --llm-model claude-3-5-sonnet
helmfile doctor
```

Example output:

```markdown
# Helmfile Doctor Report

## Summary
Upgrades the checkout Deployment from v1.4 to v1.5 and raises the replica
count from 3 to 5. The database StatefulSet is unchanged.

## Risks

### 🔴 [HIGH] data-loss
The PVC `data-checkout-0` is marked for deletion ...
**Suggestion:** `kubectl get pvc data-checkout-0 -o yaml` before applying.

### 🟡 [MEDIUM] downtime
No PodDisruptionBudget found for the checkout Deployment ...
**Suggestion:** Add a PDB before scaling.

---
Model: gpt-4o | Duration: 8.2s | Secrets redacted: 3
```

How it works

  1. Runs helmfile diff (with --context defaulting to 3 so the model gets
    enough surrounding YAML to ground its analysis).
  2. Runs the diff through a defense-in-depth secret redactor (see below).
  3. Sends the redacted diff to the LLM with a system prompt that frames it as a
    senior Kubernetes/Helm reviewer and locks the output to a known JSON schema.
  4. Renders a markdown report (or --output json for programmatic consumption).
Risk model

The model evaluates the diff across six categories and three severity levels:

| Category | What it catches |
|---|---|
| data-loss | PVCs, databases, stateful workloads deleted/recreated |
| security | New privileges, host networking, plaintext secrets |
| breaking-change | Renamed values, dropped labels, apiVersion downgrades |
| downtime | Missing PDBs, rolling-update storms, missing readiness gates |
| performance | Huge resource requests, removed HPA, expensive sidecars |
| best-practice | Missing namespace, hardcoded images, misaligned labels |

Severity drives the exit code, making doctor a CI gate:

  • 0 — success, or only low/medium risks, or LLM call failed (degraded mode).
  • 2 — at least one high risk and --force was not passed.
    (helm-diff's own "detected changes" exit-2 is intentionally swallowed —
    changes are doctor's whole job.)
  • 1 — other error (state load failure, helm-diff runtime failure, etc.).

Pass --force to keep the report but skip the high-risk gate.

Secret safety

Secrets are always redacted before any byte leaves the process — there is
no opt-out. This is enforced in two layers:

  1. --show-secrets is silently ignored; the diff config is wrapped so
    ShowSecrets() returns false, making helm-diff itself emit <REDACTED>.
  2. A built-in SecretRedactor then strips any residual secret-looking content
    (Secret resource data: blocks, sensitive key names like password /
    apiKey / token, free-form long base64, and JWT-shaped tokens). The
    redaction count is always shown in the report footer so you can spot
    unexpected leaks.

JSON output (--output json) exposes only post-redaction diffs — doctor never
echoes raw pre-redaction content through stdout or JSON.

Graceful degradation

When no LLM is configured (no HELMFILE_LLM_API_KEY / model / llm: block /
--llm-* flags), doctor degrades to a plain helmfile diff with
--show-secrets forced off — byte-for-byte identical behavior, just safer.

Configuration precedence
```
env (HELMFILE_LLM_*)  <  helmfile.yaml (llm:)  <  CLI flags (--llm-*)
```

| Flag | Purpose |
|---|---|
| --llm-base-url | OpenAI-compatible endpoint URL |
| --llm-api-key | API key (prefer helmfile.yaml + {{ env }} over the CLI) |
| --llm-model | Model id (gpt-4o, claude-3-5-sonnet via gateway, ...) |
| --llm-timeout | Per-request timeout (default 60s) |
| --llm-max-tokens | Completion cap (default 4096) |
| --force | Skip the high-risk exit-2 gate |
| --output | Report format: text (default) or json |
| --diff-output | helm-diff plugin output format (renamed from --output) |

Most helmfile diff flags are accepted for parity. See helmfile doctor --help.

See #2660.


⚡ Parallel kubedog tracking with progress printer

With --track-mode kubedog, resource tracking now runs in parallel with helm
instead of waiting for helm to finish. Helmfile templates the release
upfront, launches the kubedog tracker in a goroutine, and streams live progress
while helm installs/upgrades.

Safety valves protect against the known upstream-kubedog races:

  • Cluster-convergence confirmation — when kubedog's resource graph stalls,
    helmfile queries the live API to confirm convergence and cancels the tracker.
  • helm-killer — if the cluster confirms all resources converged but helm is
    wedged on its hook waiter, helmfile deliberately interrupts the stuck helm
    subprocess and treats it as success.
  • Hard timeout — a tracker that never returns within the release timeout is
    treated as a failure.
  • Buffered helm output — helm's stdout is captured into a per-release buffer
    and replayed as a single block so it never interleaves with kubedog progress.

See #2654.


🐛 Bug fixes

  • Fix OCI chart dependency resolution when the chart path contains underscores.
    Paths like oci://registry/charts_my_app were being mis-split, breaking
    helmfile deps. #2648
  • Resolve symlinked plugin directories in GetPluginVersion. Plugin
    directories reached through symlinks (e.g. via XDG_DATA_DIRS) are now
    followed correctly, fixing spurious "plugin not installed" errors.
    #2661

📦 Dependencies

  • bump github.com/aws/aws-sdk-go-v2/service/s3 1.103.3 → 1.104.0
  • bump github.com/containerd/containerd 1.7.32 → 1.7.33
  • bump github.com/helmfile/vals 0.44.1 → 0.44.2
  • bump github.com/helmfile/chartify 0.26.5 → 0.27.0
  • bump helm to v4.2.2 (and v3.21.2 for the v3 track)
  • bump actions/checkout v6 → v7

📚 Docs


Full Changelog: helmfile/helmfile@v1.5.5...v1.6.0

v1.5.5

Compare Source

What's Changed

Full Changelog: helmfile/helmfile@v1.5.4...v1.5.5

v1.5.4

Compare Source

What's Changed

New Contributors

Full Changelog: helmfile/helmfile@v1.5.3...v1.5.4

v1.5.3

Compare Source

What's Changed

  • build(deps): bump github.com/gookit/color from 1.5.4 to 1.6.1 by @dependabot[bot] in #2608
  • build(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.32.17 to 1.32.18 by @dependabot[bot] in #2610
  • build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.101.0 to 1.102.0 by @dependabot[bot] in #2612
  • build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.102.0 to 1.102.1 by @dependabot[bot] in #2613
  • build(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.32.18 to 1.32.20 by @dependabot[bot] in #2614
  • fix: support array of maps in set/setTemplate values by @yxxhero in #2615
  • fix: remove naked return by returning expected values by @ceriath in #2617
  • build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.102.1 to 1.103.0 by @dependabot[bot] in #2619
  • build(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.32.20 to 1.32.21 by @dependabot[bot] in #2618
  • build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.103.0 to 1.103.1 by @dependabot[bot] in #2620
  • build(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.32.21 to 1.32.22 by @dependabot[bot] in #2621
  • build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.103.1 to 1.103.2 by @dependabot[bot] in #2622
  • build(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.32.22 to 1.32.23 by @dependabot[bot] in #2623
  • Bump helm-diff to v3.15.8 across runtime defaults and execution environments by @Copilot in #2624
  • build(deps): bump golang.org/x/sync from 0.20.0 to 0.21.0 by @dependabot[bot] in #2625

Full Changelog: helmfile/helmfile@v1.5.2...v1.5.3

v1.5.2

Compare Source

What's Changed

New Contributors

Full Changelog: helmfile/helmfile@v1.5.1...v1.5.2

v1.5.1

Compare Source

What's Changed

Full Changelog: helmfile/helmfile@v1.5.0...v1.5.1

v1.5.0

Compare Source

What's Changed

  • feat: add --write-output flag to helmfile fetch for air-gapped environments by @yxxhero in #2572
  • feat: add 'create' subcommand to scaffold helmfile deployment projects by @yxxhero in #2574
  • docs: restructure documentation and improve newcomer experience by @yxxhero in #2573
  • docs: deduplicate Technical Details sections in values-and-merging.md by @yxxhero in #2575

Full Changelog: helmfile/helmfile@v1.4.5...v1.5.0

v1.4.5

Compare Source

What's Changed

New Contributors

Full Changelog: helmfile/helmfile@v1.4.4...v1.4.5

v1.4.4

Compare Source

What's Changed

New Contributors

Full Changelog: helmfile/helmfile@v1.4.3...v1.4.4

v1.4.3

Compare Source

What's Changed

New Contributors

Full Changelog: helmfile/helmfile@v1.4.2...v1.4.3

v1.4.2

Compare Source

What's Changed

New Contributors

Full Changelog: helmfile/helmfile@v1.4.1...v1.4.2

v1.4.1

Compare Source

Fixed
  • Fix --kubeconfig not being passed to chartify's helm template call (#2449)
  • Fix kubedog rate limiter configuration to prevent context cancellation (#2446)

v1.4.0

Compare Source

Added
  • Add kubedog integration with unified resource handling for deployment monitoring (#2383)
  • Add IP Network to supported HCL functions (#2426)
Fixed
  • Fix local chart with external dependencies error when repos are configured (#2433)
  • Fix values path resolution by using absolute baseDir in sequential helmfiles (#2425)
Dependencies
  • Update helm-diff to v3.15.1
  • Bump k8s.io/client-go from 0.35.1 to 0.35.2
  • Bump k8s.io/apimachinery from 0.35.1 to 0.35.2
  • Bump go.opentelemetry.io/otel/sdk from 1.39.0 to 1.40.0
  • Bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.96.1 to 1.96.2
  • Bump github.com/helmfile/vals from 0.43.5 to 0.43.6
  • Bump github.com/cloudflare/circl from 1.6.1 to 1.6.3 (security)

v1.3.2

Compare Source

Added
  • Add HCL values override support (#2402)
Fixed
  • Fix --skip-refresh only passed to helm dep build when helm repo update was run (#2419)
  • Fix helm repo update being skipped when only OCI repos are configured (#2420)
  • Fix helmDefaults.skipRefresh being ignored in runHelmDepBuilds (#2415)
Dependencies
  • Bump github.com/aws/aws-sdk-go-v2/config from 1.32.9 to 1.32.10
  • Bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.96.0 to 1.96.1
  • Bump github.com/zclconf/go-cty from 1.17.0 to 1.18.0

v1.3.1

Compare Source

Fixed
  • Fix relative path resolution in sequential helmfiles by eliminating os.Chdir (#2410)
  • Fix helmBinary setting being ignored in multi-document YAML files (#2414)
  • Fix support for XDG-style multiple paths in HELM_PLUGINS (#2412)

Generated by Changesmith

v1.3.0

Compare Source

What's Changed

New Contributors

Full Changelog: helmfile/helmfile@v1.2.3...v1.3.0

v1.2.3

Compare Source

What's Changed

Note

PR body was truncated to here.


Configuration

📅 Schedule: (in timezone Europe/Lisbon)

  • Branch creation
    • "every weekend"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
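The residual secret-redaction layer that the "Secret safety" section above describes, as an added Go example (not helmfile's own SecretRedactor, whose source is not on this page): a line-oriented pass over a constructed helm-diff fragment that applies the four rules the notes list (Secret data: blocks, sensitive key names, long free-form base64, JWT-shaped values) and returns the count the report footer prints. The names (SampleDiff, Redact, the regexes), the 40-character base64 threshold and the key-name list are assumptions chosen for the example.

```go
package main

import (
	"regexp"
	"strings"
)

// SampleDiff is a constructed helm-diff fragment, not real helmfile output; image: must survive.
const SampleDiff = `+ kind: Secret
+ data:
+   db-pass: cGFzc3dvcmQxMjM=
+ ---
+ kind: ConfigMap
+ data:
+   password: hunter2
+   image: nginx:1.27
+   blob: QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5YWJjZGVmZ2hpamts
+   jwt: eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.c2lnbmF0dXJl`
var (
	markerRe       = regexp.MustCompile(`^[+\- ]`)                        // helm-diff's one-char line marker
	keyValRe       = regexp.MustCompile(`^([A-Za-z0-9_.\-]+):\s+(\S.*)$`) // "key: value"
	sensitiveKeyRe = regexp.MustCompile(`(?i)password|passwd|secret|token|api[_-]?key`)
	longB64Re      = regexp.MustCompile(`^[A-Za-z0-9+/]{40,}={0,2}$`) // free-form long base64 (assumed threshold)
	jwtRe          = regexp.MustCompile(`^eyJ[\w-]+\.[\w-]+\.[\w-]+$`) // header.payload.signature
)

// Redact replaces secret-looking values with <REDACTED> and returns the count shown in the report footer.
func Redact(diff string) (string, int) {
	out, count, inSecret, inData := []string{}, 0, false, false
	for _, line := range strings.Split(diff, "\n") {
		kv := strings.TrimSpace(markerRe.ReplaceAllString(line, ""))
		switch kv {
		case "---":
			inSecret, inData = false, false // next YAML document
		case "kind: Secret":
			inSecret = true
		case "data:", "stringData:":
			inData = inSecret // every entry after a Secret's data block is redacted until the next ---
		}
		if m := keyValRe.FindStringSubmatch(kv); m != nil {
			key, val := m[1], m[2]
			if inData || sensitiveKeyRe.MatchString(key) || longB64Re.MatchString(val) || jwtRe.MatchString(val) {
				line = strings.TrimSuffix(strings.TrimRight(line, " \t"), val) + "<REDACTED>"
				count++
			}
		}
		out = append(out, line)
	}
	return strings.Join(out, "\n"), count
}
```

The redactor errs toward over-redaction inside a Secret document, which is the safe direction for a layer that sits behind helm-diff's own ShowSecrets() guard.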

@renovate renovate Bot force-pushed the renovate/aqua-helmfile-helmfile-1.x branch from e5e78f7 to 0568327 June 12, 2025 12:55
@renovate renovate Bot changed the title feat(github-release)!: Update aqua:helmfile/helmfile ( 0.170.1 → 1.1.1 ) feat(github-release)!: Update aqua:helmfile/helmfile ( 0.170.1 → 1.1.2 ) Jun 12, 2025
@eivarin eivarin force-pushed the main branch 10 times, most recently from bacd95d to 2e0786e June 16, 2025 23:12
@renovate renovate Bot force-pushed the renovate/aqua-helmfile-helmfile-1.x branch from 0568327 to 47c794e July 10, 2025 23:41
@renovate renovate Bot changed the title feat(github-release)!: Update aqua:helmfile/helmfile ( 0.170.1 → 1.1.2 ) feat(github-release)!: Update aqua:helmfile/helmfile ( 0.170.1 → 1.1.3 ) Jul 10, 2025
@renovate renovate Bot changed the title feat(github-release)!: Update aqua:helmfile/helmfile ( 0.170.1 → 1.1.3 ) feat(github-release)!: Update aqua:helmfile/helmfile ( 0.170.1 → 1.1.4 ) Aug 9, 2025
@renovate renovate Bot force-pushed the renovate/aqua-helmfile-helmfile-1.x branch 2 times, most recently from d162ed2 to 08692b4 August 15, 2025 02:04
@renovate renovate Bot changed the title feat(github-release)!: Update aqua:helmfile/helmfile ( 0.170.1 → 1.1.4 ) feat(github-release)!: Update aqua:helmfile/helmfile ( 0.170.1 → 1.1.5 ) Aug 15, 2025
@eivarin eivarin force-pushed the main branch 3 times, most recently from f15508e to 1112e66 September 2, 2025 22:00
@renovate renovate Bot force-pushed the renovate/aqua-helmfile-helmfile-1.x branch from 08692b4 to 2421d2d September 3, 2025 01:09
@renovate renovate Bot changed the title feat(github-release)!: Update aqua:helmfile/helmfile ( 0.170.1 → 1.1.5 ) feat(github-release)!: Update aqua:helmfile/helmfile ( 0.170.1 → 1.1.6 ) Sep 3, 2025
@eivarin eivarin force-pushed the main branch 4 times, most recently from 8df9274 to b6fce7b September 11, 2025 16:59
@eivarin eivarin force-pushed the main branch 18 times, most recently from 58cecef to f326ffb September 12, 2025 04:00
@renovate renovate Bot force-pushed the renovate/aqua-helmfile-helmfile-1.x branch from a2ae0a2 to 4587013 September 14, 2025 00:01
@renovate renovate Bot changed the title feat(github-release)!: Update aqua:helmfile/helmfile ( 0.170.1 → 1.1.6 ) feat(github-release)!: Update aqua:helmfile/helmfile ( 0.170.1 → 1.1.7 ) Sep 14, 2025
@renovate renovate Bot force-pushed the renovate/aqua-helmfile-helmfile-1.x branch from 4587013 to 772bcc0 September 15, 2025 09:19
@renovate renovate Bot force-pushed the renovate/aqua-helmfile-helmfile-1.x branch from 772bcc0 to 88e9987 September 15, 2025 09:47
@eivarin eivarin force-pushed the main branch 5 times, most recently from 4b9fb17 to 91c77bc September 15, 2025 10:45
