Documentation
¶
Overview ¶
Package deterministic provides drop-in replacements for the nondeterministic functions Helm exposes to chart templates through sprig — the time- and crypto/rand-backed ones (now, randAlphaNum, genCA, …) — so flate renders byte-identically run to run.
Helm v4 applies action.Configuration.CustomTemplateFuncs LAST when it assembles the engine FuncMap (maps.Copy over sprig's defaults in engine.initFunMap), so an entry returned here OVERRIDES the sprig built-in of the same name, uniformly — including inside tpl/include and subcharts. pkg/helm assigns Funcs() to cfg.CustomTemplateFuncs once per render.
The replacements preserve Helm's output SHAPE (a real timestamp string, a valid-length random string, a valid PEM certificate) while making the VALUE reproducible: a fixed clock, a seeded ChaCha8 stream for the random funcs, and seed-derived ed25519 keys/certs (ed25519 is the only key type Go's crypto generates deterministically from a custom reader). flate renders for offline review and diff and never applies its output, so these are safe deterministic stand-ins for the material the live controller mints at apply time.
Index ¶
Constants ¶
This section is empty.
Variables ¶
var FixedTime = time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC)
FixedTime is the instant every time-based template function resolves to under deterministic rendering. It is deliberately a fixed point in the past: a chart computing `NotAfter = now + daysValid` still lands plausibly in the future for any normal validity window, and the value reads as a recognizable sentinel in rendered output. It must never derive from the wall clock — reproducibility is the whole point.
Functions ¶
func Funcs ¶
Funcs returns deterministic overrides for the nondeterministic sprig functions Helm exposes to chart templates, all driven by a fixed clock and a single seeded stream derived from seed (see SeedFor). Assign the result to a render's action.Configuration.CustomTemplateFuncs; the engine applies it after sprig (maps.Copy in engine.initFunMap), so these entries win — uniformly, including inside tpl/include and subcharts.
Construct one FuncMap per render (per action.Configuration). The random overrides share a stateful stream that advances on every draw, so the FuncMap is NOT safe for concurrent use and must never be memoized or shared across goroutines. Helm renders a chart's templates sequentially, so within one render the stream is consumed in a deterministic order.
func SeedFor ¶
SeedFor derives a render's deterministic seed from inputs already folded into computeTemplateKey — the release name and namespace (both in keyHR). Seeding only from key inputs is the load-bearing invariant: a cache hit and a cache miss for the same key must produce identical bytes, so the seed must never draw from anything outside the key (least of all the wall clock). The NUL separator keeps ("ab","c") from colliding with ("a","bc").
Types ¶
This section is empty.
Source Files