chore: Remove log message about resolving symlink.

[connyay]

This log message is very spammy when building many helm charts.

What this PR does / why we need it:

This pr removes a log message about resolving symlinks.

Special notes for your reviewer:

If applicable:

• this PR contains documentation
• this PR contains unit tests
• this PR has been tested for backwards compatibility

[connyay]

I have a pretty atypical build setup (bazel + helm templates), but in our mono repo that produces ~45 helm charts this log message prints out thousands of times.

[mattfarina]

The reason for the logging is due to accidental disclosure. Imaging someone creates a chart with a symlink to something in /etc and then the user of that chart sends the contents into a malicious container that sends the data somewhere. All without the person running helm knowing about the symlink. symlinks can be dangerous.

Symlink handling has been part of the discussion in our security audits because of the danger of misuse.

I understand the atypical setup you have, @connyay. Any idea how to inform Helm users (who are often not chart creators) without filling your logs?

[connyay]

Thanks for the review! Makes sense.

I’d be happy with an env var or cli flag to suppress this log message. Would that be acceptable? If so, any recommendations on naming or patterns? Something like ‘HELM_SUPPRESS_SYMLINK_LOG’?

[mattfarina]

I added this topic to this weeks developer call on Thursday. Will come back to this after discussing it there.

[mattfarina]

We discussed this in the Helm developer call for May 23, 2024. The consensus was that we would be interested in a general log filtering mechanism instead of this specific one. If we have a flag to filter this one log message than others will ask to filter others with flags. We would want a general filtering capability.

It would essentially be like helm <commands and arguments> | grep -v "<log message to filter>"

Given that this is notification is there for security and possible abuses, we have concerns around a general flag that could easily be picked up in copy/paste commands for use with Helm.

Helm has documented audiences and the application operator (i.e. chart user) is the highest priority user. Most often, these users are getting their charts from someone else.