Update Helm to v3.7.2

This commit updates Helm to 3.7.2, in an attempt to get to a v3.7.x release range _without_ any memory issues (see #345), which should have been addressed in this release. The change in replacements has been cross-checked with the dependencies of Helm (and more specifically, the Oras project), and confirmed to not trigger any warnings using `trivy`. Signed-off-by: Hidde Beydals <hello@hidde.co>
fluxcd · Jan 7, 2022 · de19dac · de19dac
1 parent e2b988a
commit de19dac
Show file tree

Hide file tree

Showing 2 changed files with 380 additions and 262 deletions.
diff --git a/go.mod b/go.mod
@@ -5,54 +5,37 @@ go 1.16
 replace github.com/fluxcd/helm-controller/api => ./api
 
 require (
-	github.com/bshuster-repo/logrus-logstash-hook v1.0.2 // indirect
-	github.com/bugsnag/bugsnag-go v2.1.2+incompatible // indirect
-	github.com/bugsnag/panicwrap v1.3.4 // indirect
-	github.com/docker/go-metrics v0.0.1 // indirect
-	github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 // indirect
 	github.com/fluxcd/helm-controller/api v0.14.1
 	github.com/fluxcd/pkg/apis/kustomize v0.3.0
 	github.com/fluxcd/pkg/apis/meta v0.10.1
 	github.com/fluxcd/pkg/runtime v0.12.2
 	github.com/fluxcd/source-controller/api v0.19.2
 	github.com/garyburd/redigo v1.6.3 // indirect
 	github.com/go-logr/logr v0.4.0
-	github.com/gofrs/uuid v4.1.0+incompatible // indirect
-	github.com/gorilla/handlers v1.5.1 // indirect
 	github.com/hashicorp/go-retryablehttp v0.6.8
-	github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0 // indirect
 	github.com/onsi/ginkgo v1.16.4
 	github.com/onsi/gomega v1.15.0
 	github.com/spf13/pflag v1.0.5
-	github.com/yvasiyarov/go-metrics v0.0.0-20150112132944-c25f46c4b940 // indirect
-	github.com/yvasiyarov/gorelic v0.0.7 // indirect
-	github.com/yvasiyarov/newrelic_platform_go v0.0.0-20160601141957-9c099fbc30e9 // indirect
-	helm.sh/helm/v3 v3.7.1
-	k8s.io/api v0.22.2
-	k8s.io/apiextensions-apiserver v0.22.2
-	k8s.io/apimachinery v0.22.2
-	k8s.io/cli-runtime v0.22.2
-	k8s.io/client-go v0.22.2
-	rsc.io/letsencrypt v0.0.3 // indirect
+	helm.sh/helm/v3 v3.7.2
+	k8s.io/api v0.22.4
+	k8s.io/apiextensions-apiserver v0.22.4
+	k8s.io/apimachinery v0.22.4
+	k8s.io/cli-runtime v0.22.4
+	k8s.io/client-go v0.22.4
 	sigs.k8s.io/controller-runtime v0.10.2
 	sigs.k8s.io/kustomize/api v0.10.1
 	sigs.k8s.io/yaml v1.2.0
 )
 
-// pin kustomize to v4.4.1
+// Pin kustomize to v4.4.1
 replace (
 	sigs.k8s.io/kustomize/api => sigs.k8s.io/kustomize/api v0.10.1
 	sigs.k8s.io/kustomize/kyaml => sigs.k8s.io/kustomize/kyaml v0.13.0
 )
 
-// Freeze Helm due to OOM issues https://github.com/fluxcd/helm-controller/issues/345
-replace helm.sh/helm/v3 => helm.sh/helm/v3 v3.6.3
-
-// Required by https://github.com/helm/helm/blob/v3.6.3/go.mod,
-// but overwritten with a newer version due to CVE-2017-11468.
-replace github.com/docker/distribution => github.com/docker/distribution v2.7.0-rc.0+incompatible
-
 // Fix CVE-2021-41092
+// Due to https://github.com/oras-project/oras-go/blob/v0.4.0/go.mod#L14
+// pulled in by Helm.
 replace github.com/docker/cli => github.com/docker/cli v20.10.9+incompatible
 
 // Fix CVE-2021-30465
@@ -64,7 +47,11 @@ replace github.com/opencontainers/runc => github.com/opencontainers/runc v1.0.3
 // Fix CVE-2021-32760
 // Fix CVE-2021-41103
 // Fix CVE-2021-41190
-replace github.com/containerd/containerd => github.com/containerd/containerd v1.4.12
+// Due to https://github.com/oras-project/oras-go/blob/v0.4.0/go.mod#L13,
+// pulled in by Helm.
+replace github.com/containerd/containerd => github.com/containerd/containerd v1.5.8
 
 // Fix CVE-2021-41190
+// Due to https://github.com/oras-project/oras-go/blob/v0.4.0/go.mod#L21,
+// pulled in by Helm.
 replace github.com/opencontainers/image-spec => github.com/opencontainers/image-spec v1.0.2