helm/chartmuseum v0.14.0

ChartMuseum v0.14.0

on GitHub

ChartMuseum v0.14.0 is a feature release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

• Join the discussion in Kubernetes Slack:
  • #chartmuseum for discussing PRs, code, bugs, or just to hang out
• Hang out at the Helm Public Developer Call: Thursday, 9:30 Pacific via Zoom

Installation and Upgrading

Download ChartMuseum v0.14.0. The common platform binaries are here:

• MacOS amd64 (archive sig / checksum / checksum sig / 5036e2095e2c50ebc74161974cce638d5e481d7eb9d335ad5325c37e7eea5f9c)
• MacOS arm64 (archive sig / checksum / checksum sig / 4daeb6ba37e41a445ffd0f51c80b9ced453c64789ade219c1832ff3d77e87492)
• Linux amd64 (archive sig / checksum / checksum sig / 382d28c017e70fe4d331c9fe192459a6732cbdc48f1928047ee0ff282f924c3d)
• Linux arm (archive sig / checksum / checksum sig / 7ef0d1d9ebae49894cf2252698c57a43a73634dd5eacccc4cb0ea3a39bad2135)
• Linux arm64 (archive sig / checksum / checksum sig / 245c311e3d8f67eb24331907432b3d9a99925c6bfa5c02e8522aa892facff658)
• Linux i386 (archive sig / checksum / checksum sig / a4d4577244eec4a38c389439b6b679ed14115ebdb9cd1e56c130ffc2a9a1034f)
• Linux mips64le (archive sig / checksum / checksum sig / a50b11f029bca7de8bb1fc9eca3cb20de78b4c14070fe628eb458a64f6e302b5)
• Linux ppc64le (archive sig / checksum / checksum sig / 6eda60e9f72f00b7d76e2f91b7cdbe260d1c6f763061f0ce34a1c8bc72be4070)
• Linux s390x (archive sig / checksum / checksum sig / f9b8305153f09749347af7dde9972bb3a2828870392de1a3851239812afe5541)
• Windows amd64 (archive sig / checksum / checksum sig / dcb39c17d58c2c57722853f3cf6d86febe8304adf2aa8391413e213b841fcc5c)

You can use a script to install on any system with bash.

Software Bill of Materials (SBOM)

You can download the SBOM for this release in SPDX format here. You can use bom to inspect the contents:

curl -sL -o sbom.spdx https://get.helm.sh/chartmuseum-v0.14.0.spdx
bom document outline sbom.spdx

The SBOM has also been uploaded to the registry alongside the image, and can be fetched using cosign:

cosign download sbom ghcr.io/helm/chartmuseum:v0.14.0 --output-file=sbom.spdx
bom document outline sbom.spdx

Digital Signatures

In this release, we have integrated with the sigstore project to produce digital signatures of all artifacts and container images.

To verify these signatures, you can use cosign.

Verify the container image:

COSIGN_EXPERIMENTAL=true cosign verify ghcr.io/helm/chartmuseum:v0.14.0 | jq .

Verify a specific artifact:

curl -sL -o artifact.tar.gz https://get.helm.sh/chartmuseum-v0.14.0-darwin-arm64.tar.gz
curl -sL -o artifact.tar.gz.sig https://get.helm.sh/chartmuseum-v0.14.0-darwin-arm64.tar.gz.sig
COSIGN_EXPERIMENTAL=true cosign verify-blob --signature artifact.tar.gz.sig artifact.tar.gz

Since the install script has used gpg in the past, signatures in this format have also been added (see .asc files attached to release). These were created with E97F 9DA5 AE2E 39CF 48A1 42B7 852A 7470 A39F B81D (@jdolitsky's GPG key) which can be found here and here.

What's Next

• 0.14.1 will contain only bug fixes.
• 0.15.0 is the next feature release.

Changelog

• build(deps): bump github.com/prometheus/client_golang (#541) cc297af (dependabot[bot])
• build(deps): bump github.com/chartmuseum/storage from 0.12.2 to 0.12.3 (#540) 8ce6b29 (dependabot[bot])
• maint: fix sbom script env vars 0cbd5e1 (Josh Dolitsky)
• Generate SPDX SBOM at release time (#538) 77d6cea (Puerco)
• Add cbuto to OWNERS (#536) 0bb68d9 (Josh Dolitsky)
• Sign archives and checksums with cosign (#535) 122c661 (Josh Dolitsky)
• cmd/chartmuseum,pkg/chartmuseum,pkg/config: add new per-chart-limit-option , impls #316 (#466) b0326d6 (Nace Sc)
• feat: Add configuration deprecation warning logs (#533) c76aed0 (Casey Buto)
• Bump github.com/chartmuseum/storage from 0.12.1 to 0.12.2 (#534) 1f28e49 (dependabot[bot])
• ci: claim the action permissions explicitly 7a3c084 (scnace)
• maint: enable github oidc tokens 9d913c1 (Josh Dolitsky)
• ci: fixes the ghcr login and introduce the image sign mechanism (#531) 7ca48f9 (Nace Sc)
• Bump github.com/chartmuseum/storage from 0.12.0 to 0.12.1 (#530) e223265 (dependabot[bot])
• Various v0.14.0 prep items (#527) 4412d39 (Josh Dolitsky)
• feat: deprecate enforcesemver2 config option (#522) c08bf65 (Casey Buto)
• feat(jmespath): add jmespath support (#381) 8ebb204 (Marco Klaassen)
• Bump github.com/prometheus/client_golang from 1.11.0 to 1.12.0 (#525) 358e168 (dependabot[bot])
• Do not fetch chart content, when not needed (#504) 1229856 (Niklas Walter)
• chore: bump to latest helm version (#523) c409921 (Casey Buto)
• pkg/chartmuseum/router: fix potential CRLF log injection by constructing vulnerable request (#519) 619e85d (Nace Sc)
• Update Go dependencies, fix broken tests (#482) 9f42822 (Josh Dolitsky)
• Correct README description of config file keys (#489) a203781 (Max Timchenko)
• Fix duplicate versions for same chart (#492) 670c99e (Qian Deng)
• readme: fix the typo of the prometheus chart versions served metrics name 2029cca (scnace)
• Bump go.uber.org/zap from 1.16.0 to 1.19.0 (#475) d1b0e91 (dependabot[bot])
• Bump github.com/gin-gonic/gin from 1.6.3 to 1.7.4 (#476) 5b52e68 (dependabot[bot])
• Bump github.com/prometheus/client_golang from 1.9.0 to 1.11.0 (#465) 519f30f (dependabot[bot])
• ci,scripts: bump up go version to 1.17 and fix broken helm installation url (#478) e248702 (Nace Sc)
• mod: bump gin dependency to v1.7.3 (#474) 48dfaf6 (Nace Sc)
• Support Builds for ARM M1 Macs (#477) 0c7164e (Claus F. Strasburger)
• Bump urllib3 from 1.26.4 to 1.26.5 in /loadtesting c6ab46c (dependabot[bot])
• pkg/chartmuseum/server: upload chart should emit updateChart event with overwrite option is set (#454) d311914 (Nace Sc)
• Bump jinja2 from 2.10.1 to 2.11.3 in /loadtesting (#441) 560b651 (dependabot[bot])
• Add scbizu gpg keys (#435) 2630418 (Nace Sc)