Skip to content

Update dependency helmfile/helmfile to v1#1306

Open
renovate[bot] wants to merge 1 commit into
v2from
renovate/helmfile-helmfile-1.x
Open

Update dependency helmfile/helmfile to v1#1306
renovate[bot] wants to merge 1 commit into
v2from
renovate/helmfile-helmfile-1.x

Conversation

@renovate

@renovate renovate Bot commented Apr 30, 2025
edited
Loading

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Update Change
helmfile/helmfile major v0.166.0v1.6.0

Release Notes

helmfile/helmfile (helmfile/helmfile)

v1.6.0

Compare Source

Helmfile v1.6.0

This release introduces helmfile doctor — an AI-assisted diff analyzer that
reads your helmfile diff output and asks an LLM to summarize the changes and
flag risks before you apply them. We also ship parallel kubedog tracking
so resource convergence now happens alongside (not after) helm execution.

🩺 helmfile doctor: AI-assisted diff analysis

helmfile doctor runs helmfile diff, then sends the diff to any
OpenAI-compatible Chat Completions endpoint to produce a structured risk
report. It is designed to drop into a CI pipeline before helmfile apply so a
human reviewer (or a gate) gets a fast, opinionated second opinion on what is
about to change.

Quick start
# Configure via env (lowest precedence)...
export HELMFILE_LLM_API_KEY="sk-..."
export HELMFILE_LLM_MODEL="gpt-4o"

# ...or helmfile.yaml...
llm:
  baseURL: "https://api.openai.com/v1"
  apiKey: {{ env "OPENAI_API_KEY" }}
  model: "gpt-4o"

# ...or flags (highest precedence)
helmfile doctor --llm-model claude-3-5-sonnet
helmfile doctor

Example output:


# Helmfile Doctor Report

## Summary
Upgrades the checkout Deployment from v1.4 to v1.5 and raises the replica
count from 3 to 5. The database StatefulSet is unchanged.

## Risks

### 🔴 [HIGH] data-loss
The PVC `data-checkout-0` is marked for deletion ...
**Suggestion:** `kubectl get pvc data-checkout-0 -o yaml` before applying.

### 🟡 [MEDIUM] downtime
No PodDisruptionBudget found for the checkout Deployment ...
**Suggestion:** Add a PDB before scaling.

---
Model: gpt-4o | Duration: 8.2s | Secrets redacted: 3
How it works
  1. Runs helmfile diff (with --context defaulting to 3 so the model gets
    enough surrounding YAML to ground its analysis).
  2. Runs the diff through a defense-in-depth secret redactor (see below).
  3. Sends the redacted diff to the LLM with a system prompt that frames it as a
    senior Kubernetes/Helm reviewer and locks the output to a known JSON schema.
  4. Renders a markdown report (or --output json for programmatic consumption).
Risk model

The model evaluates the diff across six categories and three severity levels:

Category What it catches
data-loss PVCs, databases, stateful workloads deleted/recreated
security New privileges, host networking, plaintext secrets
breaking-change Renamed values, dropped labels, apiVersion downgrades
downtime Missing PDBs, rolling-update storms, missing readiness gates
performance Huge resource requests, removed HPA, expensive sidecars
best-practice Missing namespace, hardcoded images, misaligned labels

Severity drives the exit code, making doctor a CI gate:

  • 0 — success, or only low/medium risks, or LLM call failed (degraded mode).
  • 2 — at least one high risk and --force was not passed.
    (helm-diff's own "detected changes" exit-2 is intentionally swallowed —
    changes are doctor's whole job.)
  • 1 — other error (state load failure, helm-diff runtime failure, etc.).

Pass --force to keep the report but skip the high-risk gate.

Secret safety

Secrets are always redacted before any byte leaves the process — there is
no opt-out. This is enforced in two layers:

  1. --show-secrets is silently ignored; the diff config is wrapped so
    ShowSecrets() returns false, making helm-diff itself emit <REDACTED>.
  2. A built-in SecretRedactor then strips any residual secret-looking content
    (Secret resource data: blocks, sensitive key names like password /
    apiKey / token, free-form long base64, and JWT-shaped tokens). The
    redaction count is always shown in the report footer so you can spot
    unexpected leaks.

JSON output (--output json) exposes only post-redaction diffs — doctor never
echoes raw pre-redaction content through stdout or JSON.

Graceful degradation

When no LLM is configured (no HELMFILE_LLM_API_KEY / model / llm: block /
--llm-* flags), doctor degrades to a plain helmfile diff with
--show-secrets forced off — byte-for-byte identical behavior, just safer.

Configuration precedence
env (HELMFILE_LLM_*)  <  helmfile.yaml (llm:)  <  CLI flags (--llm-*)
Flag Purpose
--llm-base-url OpenAI-compatible endpoint URL
--llm-api-key API key (prefer helmfile.yaml + {{ env }} over the CLI)
--llm-model Model id (gpt-4o, claude-3-5-sonnet via gateway, ...)
--llm-timeout Per-request timeout (default 60s)
--llm-max-tokens Completion cap (default 4096)
--force Skip the high-risk exit-2 gate
--output Report format: text (default) or json
--diff-output helm-diff plugin output format (renamed from --output)

Most helmfile diff flags are accepted for parity. See helmfile doctor --help.

See #​2660.

⚡ Parallel kubedog tracking with progress printer

With --track-mode kubedog, resource tracking now runs in parallel with
helm instead of waiting for helm to finish. Helmfile templates the release
upfront, launches the kubedog tracker in a goroutine, and streams live progress
while helm installs/upgrades.

Safety valves protect against the known upstream-kubedog races:

  • Cluster-convergence confirmation — when kubedog's resource graph stalls,
    helmfile queries the live API to confirm convergence and cancels the tracker.
  • helm-killer — if the cluster confirms all resources converged but helm is
    wedged on its hook waiter, helmfile deliberately interrupts the stuck helm
    subprocess and treats it as success.
  • Hard timeout — a tracker that never returns within the release timeout is
    treated as a failure.
  • Buffered helm output — helm's stdout is captured into a per-release buffer
    and replayed as a single block so it never interleaves with kubedog progress.

See #​2654.

🐛 Bug fixes

  • Fix OCI chart dependency resolution when the chart path contains underscores.
    Paths like oci://registry/charts_my_app were being mis-split, breaking
    helmfile deps. #​2648
  • Resolve symlinked plugin directories in GetPluginVersion. Plugin
    directories reached through symlinks (e.g. via XDG_DATA_DIRS) are now
    followed correctly, fixing spurious "plugin not installed" errors.
    #​2661

📦 Dependencies

  • bump github.com/aws/aws-sdk-go-v2/service/s3 1.103.3 → 1.104.0
  • bump github.com/containerd/containerd 1.7.32 → 1.7.33
  • bump github.com/helmfile/vals 0.44.1 → 0.44.2
  • bump github.com/helmfile/chartify 0.26.5 → 0.27.0
  • bump helm to v4.2.2 (and v3.21.2 for the v3 track)
  • bump actions/checkout v6 → v7

📚 Docs

Full Changelog: helmfile/helmfile@v1.5.5...v1.6.0

v1.5.5

Compare Source

What's Changed

Full Changelog: helmfile/helmfile@v1.5.4...v1.5.5

v1.5.4

Compare Source

What's Changed
New Contributors

Full Changelog: helmfile/helmfile@v1.5.3...v1.5.4

v1.5.3

Compare Source

What's Changed

  • build(deps): bump github.com/gookit/color from 1.5.4 to 1.6.1 by @​dependabot[bot] in #​2608
  • build(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.32.17 to 1.32.18 by @​dependabot[bot] in #​2610
  • build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.101.0 to 1.102.0 by @​dependabot[bot] in #​2612
  • build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.102.0 to 1.102.1 by @​dependabot[bot] in #​2613
  • build(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.32.18 to 1.32.20 by @​dependabot[bot] in #​2614
  • fix: support array of maps in set/setTemplate values by @​yxxhero in #​2615
  • fix: remove naked return by returning expected values by @​ceriath in #​2617
  • build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.102.1 to 1.103.0 by @​dependabot[bot] in #​2619
  • build(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.32.20 to 1.32.21 by @​dependabot[bot] in #​2618
  • build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.103.0 to 1.103.1 by @​dependabot[bot] in #​2620
  • build(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.32.21 to 1.32.22 by @​dependabot[bot] in #​2621
  • build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.103.1 to 1.103.2 by @​dependabot[bot] in #​2622
  • build(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.32.22 to 1.32.23 by @​dependabot[bot] in #​2623
  • Bump helm-diff to v3.15.8 across runtime defaults and execution environments by @​Copilot in #​2624
  • build(deps): bump golang.org/x/sync from 0.20.0 to 0.21.0 by @​dependabot[bot] in #​2625

Full Changelog: helmfile/helmfile@v1.5.2...v1.5.3

v1.5.2

Compare Source

What's Changed

New Contributors

Full Changelog: helmfile/helmfile@v1.5.1...v1.5.2

v1.5.1

Compare Source

What's Changed

Full Changelog: helmfile/helmfile@v1.5.0...v1.5.1

v1.5.0

Compare Source

What's Changed

  • feat: add --write-output flag to helmfile fetch for air-gapped environments by @​yxxhero in #​2572
  • feat: add 'create' subcommand to scaffold helmfile deployment projects by @​yxxhero in #​2574
  • docs: restructure documentation and improve newcomer experience by @​yxxhero in #​2573
  • docs: deduplicate Technical Details sections in values-and-merging.md by @​yxxhero in #​2575

Full Changelog: helmfile/helmfile@v1.4.5...v1.5.0

v1.4.5

Compare Source

What's Changed

New Contributors

Full Changelog: helmfile/helmfile@v1.4.4...v1.4.5

v1.4.4

Compare Source

What's Changed

New Contributors

Full Changelog: helmfile/helmfile@v1.4.3...v1.4.4

v1.4.3

Compare Source

What's Changed

New Contributors

Full Changelog: helmfile/helmfile@v1.4.2...v1.4.3

v1.4.2

Compare Source

What's Changed

New Contributors

Full Changelog: helmfile/helmfile@v1.4.1...v1.4.2

v1.4.1

Compare Source

What's Changed

Full Changelog: helmfile/helmfile@v1.4.0...v1.4.1

v1.4.0

Compare Source

Release v1.4.0

🎯 Highlight: Kubedog Integration

This release introduces kubedog-based resource tracking as a powerful alternative to Helm's native --wait flag, providing:

  • Real-time deployment progress tracking for Deployments, StatefulSets, DaemonSets, and Jobs
  • Container log streaming during deployments
  • Fine-grained resource filtering with trackKinds/skipKinds/trackResources options
  • Multi-context support with proper kubeconfig/kubeContext handling
Getting Started

Try it with the new --track-mode flag:

# Use kubedog tracking (default behavior can be configured)
helmfile apply --track-mode kubedog

# Or configure in your helmfile.yaml
releases:
  - name: myapp
    chart: ./chart
    trackMode: kubedog
    trackLogs: true
    trackKinds:
      - Deployment
      - StatefulSet

We Need Your Feedback!
🚀 This is a new feature and we'd love to hear from you!
Please try kubedog tracking in your environments and share your experience:

What's Changed

✨ New Features

New Contributors

v1.3.2

Compare Source

What's Changed

New Contributors

Full Changelog: helmfile/helmfile@v1.3.1...v1.3.2

v1.3.1

Compare Source

What's Changed

Full Changelog: helmfile/helmfile@v1.3.0...v1.3.1

v1.3.0

Compare Source

What's Changed

Note

PR body was truncated to here.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/helmfile-helmfile-1.x branch from ab2a485 to d3f6a77 Compare May 20, 2025 01:41
@renovate renovate Bot force-pushed the renovate/helmfile-helmfile-1.x branch from d3f6a77 to da01c36 Compare May 31, 2025 01:44
@renovate renovate Bot force-pushed the renovate/helmfile-helmfile-1.x branch from da01c36 to 4e8311c Compare June 12, 2025 13:04
@renovate renovate Bot force-pushed the renovate/helmfile-helmfile-1.x branch from 4e8311c to 8b50e7d Compare July 11, 2025 04:02
@renovate renovate Bot force-pushed the renovate/helmfile-helmfile-1.x branch 2 times, most recently from 6e6b2fe to b4d6516 Compare August 15, 2025 02:47
@renovate renovate Bot force-pushed the renovate/helmfile-helmfile-1.x branch from b4d6516 to 2a5f4f4 Compare September 19, 2025 16:07
@renovate renovate Bot force-pushed the renovate/helmfile-helmfile-1.x branch 2 times, most recently from 6c9a545 to 3e2c224 Compare October 31, 2025 00:13
@renovate renovate Bot force-pushed the renovate/helmfile-helmfile-1.x branch 2 times, most recently from 98cabb6 to f6dc9d9 Compare November 23, 2025 12:55
@renovate renovate Bot force-pushed the renovate/helmfile-helmfile-1.x branch from f6dc9d9 to 5048449 Compare November 28, 2025 02:10
@renovate renovate Bot force-pushed the renovate/helmfile-helmfile-1.x branch from 5048449 to 150a056 Compare December 20, 2025 05:31
@renovate renovate Bot force-pushed the renovate/helmfile-helmfile-1.x branch 3 times, most recently from 5555735 to f770047 Compare February 25, 2026 07:06
@renovate renovate Bot force-pushed the renovate/helmfile-helmfile-1.x branch 2 times, most recently from abe06c4 to ae6097a Compare March 3, 2026 16:35
@renovate renovate Bot force-pushed the renovate/helmfile-helmfile-1.x branch from ae6097a to 9fc5804 Compare March 15, 2026 12:49
@renovate renovate Bot force-pushed the renovate/helmfile-helmfile-1.x branch from 9fc5804 to 77523b3 Compare March 24, 2026 18:02
@renovate renovate Bot force-pushed the renovate/helmfile-helmfile-1.x branch from 77523b3 to 8ba6a1f Compare April 8, 2026 05:25
@renovate renovate Bot force-pushed the renovate/helmfile-helmfile-1.x branch 2 times, most recently from 627f29a to 7cf4313 Compare May 3, 2026 13:58
@renovate renovate Bot force-pushed the renovate/helmfile-helmfile-1.x branch from 7cf4313 to 95e9dbf Compare May 11, 2026 17:13
@renovate renovate Bot force-pushed the renovate/helmfile-helmfile-1.x branch from 95e9dbf to 4650203 Compare May 22, 2026 05:12
@renovate renovate Bot force-pushed the renovate/helmfile-helmfile-1.x branch 2 times, most recently from 54763c7 to c6258cc Compare June 16, 2026 05:00
@renovate renovate Bot force-pushed the renovate/helmfile-helmfile-1.x branch from c6258cc to 959c69f Compare June 17, 2026 06:33
@renovate renovate Bot force-pushed the renovate/helmfile-helmfile-1.x branch from 959c69f to 6f84ff3 Compare June 23, 2026 00:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants