So many security bugs are, when you get right down to it, embarrassingly bad. One of the newest is Helm’s CVE-2021-32690. Helm, as all Kubernetes users know, is Kubernetes’ package manager. While working on the Helm source, a Helm core maintainer discovered — whoops! — that you could all too easily set up a situation where the username and password credentials associated with one Helm repository could be passed on to another domain. Ow.
As a refresher, you can think of Helm as just Kubernetes’ take on Linux’s yum or apt programs. True, Helm’s charts, somewhat like Linux’s RPM and DEB packages, collect all your versioned, pre-configured program resources into a deployable YAML package. And, like those Linux packages, you need to be careful what you place in them lest things go badly wrong.
So it was when a Helm core maintainer found, while working on the Helm source, that there are situations where the username and password credentials associated with a Helm repository could be passed on to another domain referenced by that Helm repository. Say it with me, “Whoops!”
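To make that failure mode concrete, here is an added Python example (not Helm's code and not part of the article) that audits a constructed index.yaml-style listing for chart download URLs pointing away from the repository's own origin, and hands out the repository credentials only when the origin matches; the repo URL, chart names and hosts are all made up.

```python
from urllib.parse import urlparse, urljoin

# Constructed sample in the shape of a Helm index.yaml (repo URL, chart names
# and hosts are made up): one relative URL, one absolute URL on the repo's own
# host, and one absolute URL on a third-party host.
REPO_URL = "https://charts.example.com/stable"
SAMPLE_INDEX = {
    "entries": {
        "nginx": [{"version": "1.0.0", "urls": ["nginx-1.0.0.tgz"]}],
        "redis": [{"version": "2.1.0",
                   "urls": ["https://charts.example.com/stable/redis-2.1.0.tgz"]}],
        "tool": [{"version": "0.3.0",
                  "urls": ["https://cdn.third-party.example/tool-0.3.0.tgz"]}],
    }
}

DEFAULT_PORTS = {"http": 80, "https": 443}

def _origin(url: str):
    """(scheme, hostname, effective port) of a URL; port is None for unknown schemes."""
    p = urlparse(url)
    scheme = p.scheme.lower()
    return (scheme, p.hostname, p.port or DEFAULT_PORTS.get(scheme))

def resolve_chart_url(repo_url: str, chart_url: str) -> str:
    """Resolve a relative chart URL against the repo URL treated as a directory."""
    return urljoin(repo_url.rstrip("/") + "/", chart_url)

def same_origin(repo_url: str, chart_url: str) -> bool:
    """True only if the chart download goes to the repo's own scheme, host and port."""
    return _origin(repo_url) == _origin(resolve_chart_url(repo_url, chart_url))

def credentials_for(repo_url: str, chart_url: str, creds):
    """Return the repo credentials only for same-origin downloads, otherwise None.

    Attaching `creds` to a request for a different origin is exactly the leak
    the article describes.
    """
    return creds if same_origin(repo_url, chart_url) else None

def find_offhost_charts(repo_url: str, index: dict):
    """Audit helper: list (chart, version, url) entries whose download URL is off-origin."""
    found = []
    for name, versions in index.get("entries", {}).items():
        for entry in versions:
            for url in entry.get("urls", []):
                if not same_origin(repo_url, url):
                    found.append((name, entry.get("version"), url))
    return found
```

Running `find_offhost_charts(REPO_URL, SAMPLE_INDEX)` flags only the `tool` chart, the one whose download would carry the repo's credentials to a host the repo operator does not control.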