This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@KATechDev I will review this at weekend.

@KATechDev did you test this locally? I don't see any code to use template args.

@KATechDev BTW. we need some test code to be addde.

@KATechDev did you test this locally? I don't see any code to use template args.

Yes I use it via helmfile apply --template-args=--dry-run=server.
In my charts I use something like {{ $existingSecret := (lookup "v1" "Secret" .Release.Namespace "my-secret") }} ...

@KATechDev ok. got it. pls fix code confilcts.

I've tried this feature, but the flag "--dry-run=server" is not handover to helmfile template.

Example:
helmfile template --template-args '--dry-run=server' -f namespace.yaml

Building dependency release=ns-observability, chart=../helm/namespaces
Templating release=ns-observability, chart=../helm/namespaces
in ./namespace.yaml: command "/usr/local/bin/helm" exited with non-zero status:

PATH:
  /usr/local/bin/helm

ARGS:
  0: helm (4 bytes)
  1: template (8 bytes)
  2: ns-observability (16 bytes)
  3: ../helm/namespaces (18 bytes)
  4: --namespace (11 bytes)
  5: observability (13 bytes)
  6: --values (8 bytes)
  7: /tmp/helmfile2586027982/observability-ns-observability-values-6574bb45c5 (72 bytes)
  8: --values (8 bytes)
  9: /tmp/helmfile142640842/observability-ns-observability-values-5d94988f5b (71 bytes)
  10: --values (8 bytes)
  11: /tmp/helmfile3254496066/observability-ns-observability-values-8666bb65cd (72 bytes)

ERROR:
  exit status 1

EXIT STATUS
  1

STDERR:
  Error: template: namespaces/templates/deny-all.yaml:1:62: executing "namespaces/templates/deny-all.yaml" at <include "namespace.isNcsRegion" .>: error calling include: template: namespaces/templates/_helpers.tpl:5:37: executing "namespace.isNcsRegion" at <first (lookup "v1" "Node" "" "").items>: error calling first: runtime error: invalid memory address or nil pointer dereference
  Use --debug flag to render out invalid YAML

COMBINED OUTPUT:
  Error: template: namespaces/templates/deny-all.yaml:1:62: executing "namespaces/templates/deny-all.yaml" at <include "namespace.isNcsRegion" .>: error calling include: template: namespaces/templates/_helpers.tpl:5:37: executing "namespace.isNcsRegion" at <first (lookup "v1" "Node" "" "").items>: error calling first: runtime error: invalid memory address or nil pointer dereference
  Use --debug flag to render out invalid YAML

@Footur I'll try to have a look at it end of next week.

@Footur I'll try to have a look at it end of next week.

This bothered me, so I had to check now. I tested template again on my machine and it works as expected.
However I see why this is confusing. helm template is called twice by helmfile. First to generate the expected values and secondly to use these generate values to template the result. As you see in your output the values have already been created and are used in the helm template call. Therefore your output is from the second time helm template gets called. The first time is however the one including the change. You can verify this by calling the helmfile with the --debug option. You'll find the first call: running helm template ... --dry-run=server and the second call exec: helm template ..

@KATechDev BTW. we need some test code to be addde.

Will be done soon (~2 weeks)

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@KATechDev should we update the sync subcommand?

@KATechDev should we update the sync subcommand?

Not sure what you mean. Could you please be more specific?

@KATechDev do same thing in helmfile sync subcommand. because of helmfile apply is equal to helmfile diff && helmfile sync.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

hi, thank for your great effort, we're using argocd with helmfile and really need this feature, may I ask any progress on this?

@KATechDev ping. thanks so much.

Hi, I'm currently busy, but in about two weeks I might get a change to get to it.

Hi, I'm currently busy, but in about two weeks I might get a change to get to it.

👋 Hi @KATechDev, thanks for spending the effort to work on the feature, we're also using ArgoCD with Helmfile and would like to have such great feature. Might I know if there's any progress on this pull request?

Hi there,
adding the same changes for sync isn't the problem, unfortunately I noticed that my code is just executed under specific circumstances. I'll need to analyze this.

Is there any progress on this?

Because running helmfile apply … together with helm diff … without implicitly using the --dry-run=server flag is effectively useless and only creates confusion—the user doesn’t realize that this is the root cause.

Frankly, all the security theater around it seems nonsensical, since we ultimately invoke helmfile sync …, which must have cluster access anyway.

Permissions are determined solely by the token in the kubeconfig file; there’s no way to “gain extra” privileges, and in this context that is perfectly fine.

It’s merely a lookup operation, and if someone is concerned about security, the problem lies elsewhere—not with the --dry-run=server flag.

It neither degrades nor improves the outcome, in my opinion, but it does unnecessarily impair the UX.

Hi there,
I'm sorry that I couldn't find time to get into this any sooner.

The current behavior of helmfile is as follow.
Using helmfile apply or helmfile sync, with a "regular" helmfile on a helm-chart with resource that uses the "lookup" function, the lookup works as expected.
However if the helmfile internally uses "chartify", which is triggered for example by forceNamespace or kustomaziation, the lookup doesn't work, as there is no cluster connection for the internal "helm template".

As appy and sync are cluster operations and the use case without "chartify" works without any additional flag, I changed my implementation, that the "dry-run=server" flag for --template-args is set as default. This keeps the behavior consistent between "regular" and "chartify" helmfiles.
However for the helmfile template this mr provides a new flag --template-args where one can set --dry-run=server if desired.

One more thing:
currently when using helmfile apply with a "regular" helmfile on a helm-chart with resource that uses the "lookup" function, the printed diff is not correct. It shows the diff without lookup, but then applies the correct values with lookup. So the result is correct but the printed output is wrong and therefore confusing. This can be changed by enforcing to use the "chartify" if the template args / dry-run=server is set, but this would then be (nearly) always. I was wondering if there are any negative side effects that I'm missing (maybe performance!?). I can add the changes here and to the chartify repo.

I'm happy to rebase / resolve the conflicts but is there an estimation when there might be a review?

@KATechDev please rebase / resolve the conflicts

@KATechDev i can review but the PR needs to be in a state where it can actually be reviewed, please resolve the conflicats and I will take a look