fix: Make dry-run=server optional

This intends to fix a potential security issue introduced via #458 before
cutting the next helm-diff release.

Since #458 (unreleased), we had forced helm-diff to use `helm template --dry-run=server` for Helm 3.13 or greater.

I think this can create an unintended security hole, where any users, who can run
helm-diff via CI or any automation with an arbitrary chart and values, is able
to view cluster resources via helm template's `lookup` functions.

Previously this was impossible because `helm template` run by `helm diff` had
no access to the `lookup` function. To fix this, we need to make `--dry-run=server`
optional. And we do so by introducing a new flag `--dry-run=[|client|server]` to helm-diff.

See the updated README and the updated helm-diff help message for more details.

Author: mumoshu

README.md

@@ -149,6 +149,16 @@ Examples:
   # See https://github.com/databus23/helm-diff/issues/278 for more information.
   HELM_DIFF_IGNORE_UNKNOWN_FLAGS=true helm diff upgrade my-release stable/postgres --wait
 
+  # helm-diff uses helm-template without the cluster access by default.
+  # In case you need the cluster access, you use HELM_DIFF_USE_INSECURE_SERVER_SIDE_DRY_RUN
+  #
+  # Set HELM_DIFF_USE_INSECURE_SERVER_SIDE_DRY_RUN=true to
+  # use `helm template --dry-run=server` or
+  # `helm upgrade --dry-run=server` (in case you also set `HELM_DIFF_USE_UPGRADE_DRY_RUN`)
+  # See https://github.com/databus23/helm-diff/pull/458
+  # for more information.
+  HELM_DIFF_USE_INSECURE_SERVER_SIDE_DRY_RUN=true helm diff upgrade my-release datadog/datadog
+
   # Set HELM_DIFF_USE_UPGRADE_DRY_RUN=true to
   # use `helm upgrade --dry-run` instead of `helm template` to render manifests from the chart.
   # See https://github.com/databus23/helm-diff/issues/253 for more information.

cmd/helm3.go

@@ -131,7 +131,7 @@ func (d *diffCmd) template(isUpgrade bool) ([]byte, error) {
 	// Let's simulate that in helm-diff.
 	// See https://medium.com/@kcatstack/understand-helm-upgrade-flags-reset-values-reuse-values-6e58ac8f127e
 	shouldDefaultReusingValues := isUpgrade && len(d.values) == 0 && len(d.stringValues) == 0 && len(d.valueFiles) == 0 && len(d.fileValues) == 0
-	if (d.reuseValues || shouldDefaultReusingValues) && !d.resetValues && !d.dryRun {
+	if (d.reuseValues || shouldDefaultReusingValues) && !d.resetValues && d.isRemoteAccessAllowed() {
 		tmpfile, err := os.CreateTemp("", "existing-values")
 		if err != nil {
 			return nil, err
@@ -193,9 +193,28 @@ func (d *diffCmd) template(isUpgrade bool) ([]byte, error) {
 	)
 
 	if d.useUpgradeDryRun {
-		if d.dryRun {
-			return nil, fmt.Errorf("`diff upgrade --dry-run` conflicts with HELM_DIFF_USE_UPGRADE_DRY_RUN_AS_TEMPLATE. Either remove --dry-run to enable cluster access, or unset HELM_DIFF_USE_UPGRADE_DRY_RUN_AS_TEMPLATE to make cluster access unnecessary")
-		}
+		//
+		// # `--dry-run=client` or `--dry-run=server`?
+		//
+		// Or what's the relationoship between helm-diff's --dry-run flag,
+		// HELM_DIFF_UPGRADE_DRY_RUN env var and the helm upgrade --dry-run flag?
+		//
+		// If the program reaches here,
+		// we are sure that the user wants to user the `helm upgrade --dry-run` command
+		// for generating the manifests to be diffed.
+		//
+		// However, which dry-run mode to use is still not clear.
+		//
+		// For compatibility with the old and new helm-diff options,
+		// old and new helm, we assume that the user wants to use the `--dry-run=client` mode
+		// if helm-diff has been invoked with any of the following flags:
+		//
+		// * --dry-run
+		// * --dry-run=""
+		// * --dry-run=client
+		//
+		// Otherwise, we assume that the user wants to use the `--dry-run=server` mode.
+		//
 
 		if d.isAllowUnreleased() {
 			// Otherwise you get the following error when this is a diff for a new install
@@ -213,7 +232,7 @@ func (d *diffCmd) template(isUpgrade bool) ([]byte, error) {
 			return extractManifestFromHelmUpgradeDryRunOutput(s, d.noHooks)
 		}
 	} else {
-		if !d.disableValidation && !d.dryRun {
+		if !d.disableValidation && d.isRemoteAccessAllowed() {
 			flags = append(flags, "--validate")
 		}
 
@@ -229,8 +248,26 @@ func (d *diffCmd) template(isUpgrade bool) ([]byte, error) {
 			flags = append(flags, "--kube-version", d.kubeVersion)
 		}
 
+		// To keep the full compatibility with older helm-diff versions,
+		// we pass --dry-run to `helm template` only if Helm is greater than v3.13.0.
 		if useDryRunService, err := isHelmVersionAtLeast(minHelmVersionWithDryRunLookupSupport); err == nil && useDryRunService {
-			flags = append(flags, "--dry-run=server")
+			// See the fllowing link for more details:
+			// - https://github.com/databus23/helm-diff/pull/458
+			// - https://github.com/helm/helm/pull/9426#issuecomment-1501005666
+			if d.dryRunMode == "server" {
+				//
+				// # This is for security reasons!
+				//
+				// We give helm-template the additional cluster access for the helm `lookup` function
+				// only if the user has explicitly requested it by --dry-run=server,
+				//
+				// In other words, although helm-diff-upgrade implies limited cluster access by default,
+				// helm-diff-upgrade without a --dry-run flag does NOT imply
+				// full cluster-access via helm-template --dry-run=server!
+				flags = append(flags, "--dry-run=server")
+			} else {
+				flags = append(flags, "--dry-run=client")
+			}
 		}
 
 		subcmd = "template"

cmd/upgrade.go

@@ -13,6 +13,7 @@ import (
 	jsoniterator "github.com/json-iterator/go"
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
 	"helm.sh/helm/v3/pkg/action"
 	"helm.sh/helm/v3/pkg/cli"
 	"helm.sh/helm/v3/pkg/kube"
@@ -37,7 +38,8 @@ type diffCmd struct {
 	devel                    bool
 	disableValidation        bool
 	disableOpenAPIValidation bool
-	dryRun                   bool
+	dryRunMode               string
+	dryRunModeSpecified      bool
 	namespace                string // namespace to assume the release to be installed into. Defaults to the current kube config namespace.
 	valueFiles               valueFiles
 	values                   []string
@@ -67,6 +69,11 @@ func (d *diffCmd) isAllowUnreleased() bool {
 	return d.allowUnreleased || d.install
 }
 
+func (d *diffCmd) isRemoteAccessAllowed() bool {
+	clientOnly := (d.dryRunModeSpecified && d.dryRunMode == "") || d.dryRunMode == "true" || d.dryRunMode == "client"
+	return !clientOnly
+}
+
 const globalUsage = `Show a diff explaining what a helm upgrade would change.
 
 This fetches the currently deployed version of a release
@@ -84,9 +91,64 @@ func newChartCommand() *cobra.Command {
 	}
 
 	cmd := &cobra.Command{
-		Use:   "upgrade [flags] [RELEASE] [CHART]",
-		Short: "Show a diff explaining what a helm upgrade would change.",
-		Long:  globalUsage,
+		Use:                "upgrade [flags] [RELEASE] [CHART]",
+		Short:              "Show a diff explaining what a helm upgrade would change.",
+		Long:               globalUsage,
+		DisableFlagParsing: true,
+		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
+			const (
+				dryRunUsage = "--dry-run, --dry-run=client, or --dry-run=true disables cluster access and show diff as if it was install. Implies --install, --reset-values, and --disable-validation." +
+					" --dry-run=server enables the cluster access with helm-get and the lookup template function."
+			)
+
+			legacyDryRunFlagSet := pflag.NewFlagSet("upgrade", pflag.ContinueOnError)
+			legacyDryRun := legacyDryRunFlagSet.Bool("dry-run", false, dryRunUsage)
+			if err := legacyDryRunFlagSet.Parse(args); err == nil && *legacyDryRun {
+				diff.dryRunModeSpecified = true
+				args = legacyDryRunFlagSet.Args()
+			} else {
+				cmd.Flags().StringVar(&diff.dryRunMode, "dry-run", "", dryRunUsage)
+			}
+
+			fmt.Fprintf(os.Stderr, "args after legacy dry-run parsing: %v\n", args)
+
+			// Here we parse the flags ourselves so that we can support
+			// both --dry-run and --dry-run=ARG syntaxes.
+			//
+			// If you don't do this, then cobra will treat --dry-run as
+			// a "flag needs an argument: --dry-run" error.
+			//
+			// This works becase we have `DisableFlagParsing: true`` above.
+			// Never turn that off, or you'll get the error again.
+			if err := cmd.Flags().Parse(args); err != nil {
+				return err
+			}
+
+			args = cmd.Flags().Args()
+
+			if !diff.dryRunModeSpecified {
+				dryRunModeSpecified := cmd.Flags().Changed("dry-run")
+				diff.dryRunModeSpecified = dryRunModeSpecified
+
+				if dryRunModeSpecified && !(diff.dryRunMode == "client" || diff.dryRunMode == "server") {
+					return fmt.Errorf("flag %q must take an argument of %q or %q but got %q", "dry-run", "client", "server", diff.dryRunMode)
+				}
+			}
+
+			cmd.SetArgs(args)
+
+			// We have to do this here because we have to sort out the
+			// --dry-run flag ambiguity to determine the args to be checked.
+			//
+			// In other words, we can't just do:
+			//
+			// cmd.Args = func(cmd *cobra.Command, args []string) error {
+			//     return checkArgsLength(len(args), "release name", "chart path")
+			// }
+			//
+			// Because it seems to take precedence over the PersistentPreRunE
+			return checkArgsLength(len(args), "release name", "chart path")
+		},
 		Example: strings.Join([]string{
 			"  helm diff upgrade my-release stable/postgresql --values values.yaml",
 			"",
@@ -95,6 +157,14 @@ func newChartCommand() *cobra.Command {
 			"  # See https://github.com/databus23/helm-diff/issues/278 for more information.",
 			"  HELM_DIFF_IGNORE_UNKNOWN_FLAGS=true helm diff upgrade my-release stable/postgres --wait",
 			"",
+			"  # helm-diff disallows the use of the `lookup` function by default.",
+			"  # To enable it, you must set HELM_DIFF_USE_INSECURE_SERVER_SIDE_DRY_RUN=true to",
+			"  # use `helm template --dry-run=server` or",
+			"  # `helm upgrade --dry-run=server` (in case you also set `HELM_DIFF_USE_UPGRADE_DRY_RUN`)",
+			"  # See https://github.com/databus23/helm-diff/pull/458",
+			"  # for more information.",
+			"  HELM_DIFF_USE_INSECURE_SERVER_SIDE_DRY_RUN=true helm diff upgrade my-release datadog/datadog",
+			"",
 			"  # Set HELM_DIFF_USE_UPGRADE_DRY_RUN=true to",
 			"  # use `helm upgrade --dry-run` instead of `helm template` to render manifests from the chart.",
 			"  # See https://github.com/databus23/helm-diff/issues/253 for more information.",
@@ -117,9 +187,6 @@ func newChartCommand() *cobra.Command {
 			"# Read the flag usage below for more information on --context.",
 			"HELM_DIFF_OUTPUT_CONTEXT=5 helm diff upgrade my-release datadog/datadog",
 		}, "\n"),
-		Args: func(cmd *cobra.Command, args []string) error {
-			return checkArgsLength(len(args), "release name", "chart path")
-		},
 		RunE: func(cmd *cobra.Command, args []string) error {
 			// Suppress the command usage on error. See #77 for more info
 			cmd.SilenceUsage = true
@@ -193,7 +260,6 @@ func newChartCommand() *cobra.Command {
 	f.BoolVar(&diff.devel, "devel", false, "use development versions, too. Equivalent to version '>0.0.0-0'. If --version is set, this is ignored.")
 	f.BoolVar(&diff.disableValidation, "disable-validation", false, "disables rendered templates validation against the Kubernetes cluster you are currently pointing to. This is the same validation performed on an install")
 	f.BoolVar(&diff.disableOpenAPIValidation, "disable-openapi-validation", false, "disables rendered templates validation against the Kubernetes OpenAPI Schema")
-	f.BoolVar(&diff.dryRun, "dry-run", false, "disables cluster access and show diff as if it was install. Implies --install, --reset-values, and --disable-validation")
 	f.StringVar(&diff.postRenderer, "post-renderer", "", "the path to an executable to be used for post rendering. If it exists in $PATH, the binary will be used, otherwise it will try to look for the executable at the given path")
 	f.StringArrayVar(&diff.postRendererArgs, "post-renderer-args", []string{}, "an argument to the post-renderer (can specify multiple)")
 	f.BoolVar(&diff.insecureSkipTLSVerify, "insecure-skip-tls-verify", false, "skip tls certificate checks for the chart download")
@@ -213,7 +279,7 @@ func (d *diffCmd) runHelm3() error {
 
 	var err error
 
-	if !d.dryRun {
+	if d.isRemoteAccessAllowed() {
 		releaseManifest, err = getRelease(d.release, d.namespace)
 	}
 
@@ -260,7 +326,7 @@ func (d *diffCmd) runHelm3() error {
 	}
 
 	currentSpecs := make(map[string]*manifest.MappingResult)
-	if !newInstall && !d.dryRun {
+	if !newInstall && d.isRemoteAccessAllowed() {
 		if !d.noHooks && !d.threeWayMerge {
 			hooks, err := getHooks(d.release, d.namespace)
 			if err != nil {