Helmfile: Classic Confinement?

Hi,

I’m trying to build a snap for https://github.com/roboll/helmfile

This in theory is pretty easy because it’s just a static binary but I think it might need Classic confinement, much like the snap for Helm itself. However I’m new to building snaps so I’m happy to be told I’m wrong.

From my understanding of the tool it needs access to yaml files in the directory you run the command in. It also needs permissions to run Helm. It may also need additional access to hidden directories storing Helm configuration in the user’s home directory but I’m not certain about that.

I’ve got a snap with classic confinement working and building: https://github.com/cablespaghetti/helmfile-snap/blob/master/snap/snapcraft.yaml

However immediately when I try and run with strict confinement I don’t have permissions to access files in the working directory of the command, and I can’t see an interface which obviously looks like it will solve this.

edit: Added the home plug and solved that problem but now I can’t find a way to be able to execute Helm (from the Helm snap) unless I bundle my own version of Helm.

Thanks
Sam

If you need to run binaries on the host system, you will need classic confinement. Can you explain why you can’t include helm in the snap? That would be the recommended way.

I can’t include Helm in the snap without having the same problems explained here, which caused the Helm snap to switch to classic confinement: Classic confinement for existing Helm snap

Also I don’t think in this case it would be a good user experience even if it could work due to the way these Kubernetes tools share configuration in .kube/config for example.

With classic confinement I can install kubectl, helm and helmfile separately and use the release channel I want for each tool e.g. kubectl 1.15, helm 2.16 branch. This is often desirable.


Hi there.

FYI, today I’ve created a working snap for helmfile: helmfile-snap
There's the GitHub repo with the snapcraft: https://github.com/vincenzodnp/helmfile-snap

Let me know
Cheers
Vincenzo

Hi. What a coincidence that we’re both doing this at the same time!

I’ve had a quick look at your snap but I don’t see how it gets around the issues with accessing the helm binary or yaml files. I still believe this needs classic confinement for the reasons I’ve stated above, similar to Helm itself.

Omg, I didn’t even realize I was talking to two different people about a Helmfile snap :man_facepalming:


@sweston you’re right :slight_smile: what a coincidence. We are trying to fix a lack. BTW you’re right. I’m still checking solutions to get around the issues you had.

@galgalesh you’re right :smile: helmfile is on the wave


Just a bump. Any chance I’ve done enough to justify this needing Classic confinement? :wink:

The helm classic request happened a couple of years ago and before a lot of discussion surrounding k8s, so I’d like to talk about this request anew.

@sweston - you mentioned “With classic confinement I can install kubectl, helm and helmfile separately and use the release channel I want for each tool e.g. kubectl 1.15, helm 2.16 branch”. Can you describe a couple/few representative use cases of how these 3 snaps are used together and how to drive helm?

Also, in your own words, can you describe why helm cannot be included in your snap?


@sweston can you please respond to @jdstrand’s question above - this request cannot proceed without that information.

Removing this request from our internal queue - @sweston if you can provide the requested information we can add it back again, thanks.

@sweston hi there, @vdenaropapa was interested in taking over Helm, could you let us know if you’re still working on this or are OK with transferring the snap name to him?

Thanks.

- Daniel

Hi. I’ve kind of given up on Helmfile, which I have control of. I’ll see what I can do with transferring it.

Thanks. FYI a transfer is requested here in the forum, though we do ask that you add the recipient as a collaborator and for them to accept the collaboration invite, so we can verify authorization and intent.

Since it’s been a while, I recommend waiting for @vdenaropapa to confirm he’s still interested in all this before proceeding.

- Daniel