From c9ddc0fdbde3f9b492f2f651910e6b863dcb6c14 Mon Sep 17 00:00:00 2001
From: Hidde Beydals
Date: Tue, 21 Nov 2023 17:31:32 +0100
Subject: [PATCH] controller: adopt release based on v2beta1 state
This allows the controller to be updated from `v2beta1` to `v2beta2`
without triggering a release to settle state.
It does this by looking at the previous successful release as recorded
for the `v2beta1` object, and if found, recording a snapshot for it in
the new `History` field of the status.
This feature can be disabled by setting the `AdoptLegacyReleases`
feature flag to `false`.
Signed-off-by: Hidde Beydals
---
api/v2beta2/helmrelease_types.go | 5 +
.../helm.toolkit.fluxcd.io_helmreleases.yaml | 4 +
docs/api/v2beta2/helm.md | 13 +
internal/controller/helmrelease_controller.go | 64 ++++
.../controller/helmrelease_controller_test.go | 285 +++++++++++++++++-
internal/features/features.go | 10 +
6 files changed, 376 insertions(+), 5 deletions(-)
diff --git a/api/v2beta2/helmrelease_types.go b/api/v2beta2/helmrelease_types.go
index 67ed0ae3e..ac7a8524f 100644
--- a/api/v2beta2/helmrelease_types.go
+++ b/api/v2beta2/helmrelease_types.go
@@ -908,6 +908,11 @@ type HelmReleaseStatus struct {
// +optional
LastAttemptedValuesChecksum string `json:"lastAttemptedValuesChecksum,omitempty"`
+ // LastReleaseRevision is the revision of the last successful Helm release.
+ // Deprecated: Use History instead.
+ // +optional
+ LastReleaseRevision int `json:"lastReleaseRevision,omitempty"`
+
// LastAttemptedConfigDigest is the digest for the config (better known as
// "values") of the last reconciliation attempt.
// +optional
diff --git a/config/crd/bases/helm.toolkit.fluxcd.io_helmreleases.yaml b/config/crd/bases/helm.toolkit.fluxcd.io_helmreleases.yaml
index bad1de58f..61270e2cb 100644
--- a/config/crd/bases/helm.toolkit.fluxcd.io_helmreleases.yaml
+++ b/config/crd/bases/helm.toolkit.fluxcd.io_helmreleases.yaml
@@ -2049,6 +2049,10 @@ spec:
reconcile request value, so a change of the annotation value can
be detected.
type: string
+ lastReleaseRevision:
+ description: 'LastReleaseRevision is the revision of the last successful
+ Helm release. Deprecated: Use History instead.'
+ type: integer
observedGeneration:
description: ObservedGeneration is the last observed generation.
format: int64
diff --git a/docs/api/v2beta2/helm.md b/docs/api/v2beta2/helm.md
index b92b55ac2..bd2677ab2 100644
--- a/docs/api/v2beta2/helm.md
+++ b/docs/api/v2beta2/helm.md
@@ -1407,6 +1407,19 @@ Deprecated: Use LastAttemptedConfigDigest instead.
+
lastAttemptedConfigDigest
string
diff --git a/internal/controller/helmrelease_controller.go b/internal/controller/helmrelease_controller.go
index 3bef30141..450419d22 100644
--- a/internal/controller/helmrelease_controller.go
+++ b/internal/controller/helmrelease_controller.go
@@ -60,10 +60,12 @@ import (
"github.com/fluxcd/helm-controller/internal/action"
"github.com/fluxcd/helm-controller/internal/chartutil"
"github.com/fluxcd/helm-controller/internal/digest"
+ "github.com/fluxcd/helm-controller/internal/features"
"github.com/fluxcd/helm-controller/internal/kube"
"github.com/fluxcd/helm-controller/internal/loader"
intpredicates "github.com/fluxcd/helm-controller/internal/predicates"
intreconcile "github.com/fluxcd/helm-controller/internal/reconcile"
+ "github.com/fluxcd/helm-controller/internal/release"
)
// +kubebuilder:rbac:groups=helm.toolkit.fluxcd.io,resources=helmreleases,verbs=get;list;watch;create;update;patch;delete
@@ -288,6 +290,16 @@ func (r *HelmReleaseReconciler) reconcileRelease(ctx context.Context, patchHelpe
return ctrl.Result{}, err
}
+ // Attempt to adopt "legacy" v2beta1 release state on a best-effort basis.
+ // If this fails, the controller will fall back to performing an upgrade
+ // to settle on the desired state.
+ // TODO(hidde): remove this in a future release.
+ if ok, _ := features.Enabled(features.AdoptLegacyReleases); ok {
+ if err := r.adoptLegacyRelease(ctx, getter, obj); err != nil {
+ log.Error(err, "failed to adopt v2beta1 release state")
+ }
+ }
+
// If the release target configuration has changed, we need to uninstall the
// previous release target first. If we did not do this, the installation would
// fail due to resources already existing.
@@ -315,6 +327,7 @@ func (r *HelmReleaseReconciler) reconcileRelease(ctx context.Context, patchHelpe
obj.Status.LastAttemptedRevision = loadedChart.Metadata.Version
obj.Status.LastAttemptedConfigDigest = chartutil.DigestValues(digest.Canonical, values).String()
obj.Status.LastAttemptedValuesChecksum = ""
+ obj.Status.LastReleaseRevision = 0
// Construct config factory for any further Helm actions.
cfg, err := action.NewConfigFactory(getter,
@@ -508,6 +521,57 @@ func (r *HelmReleaseReconciler) checkDependencies(ctx context.Context, obj *v2.H
return nil
}
+// adoptLegacyRelease attempts to adopt a v2beta1 release into a v2beta2
+// release.
+// This is done by retrieving the last successful release from the Helm storage
+// and converting it to a v2beta2 release snapshot.
+// If the v2beta1 release has already been adopted, this function is a no-op.
+func (r *HelmReleaseReconciler) adoptLegacyRelease(ctx context.Context, getter genericclioptions.RESTClientGetter, obj *v2.HelmRelease) error {
+ if obj.Status.LastReleaseRevision < 1 || len(obj.Status.History) > 0 {
+ return nil
+ }
+
+ var (
+ log = ctrl.LoggerFrom(ctx).V(logger.DebugLevel)
+ storageNamespace = obj.GetStorageNamespace()
+ releaseNamespace = obj.GetReleaseNamespace()
+ releaseName = obj.GetReleaseName()
+ version = obj.Status.LastReleaseRevision
+ )
+
+ log.Info("adopting %s/%s.v%d release from v2beta1 state", releaseNamespace, releaseName, version)
+
+ // Construct config factory for current release.
+ cfg, err := action.NewConfigFactory(getter,
+ action.WithStorage(action.DefaultStorageDriver, storageNamespace),
+ action.WithStorageLog(action.NewDebugLog(ctrl.LoggerFrom(ctx).V(logger.TraceLevel))),
+ )
+
+ // Get the last successful release based on the observation for the v2beta1
+ // object.
+ rls, err := cfg.NewStorage().Get(releaseName, version)
+ if err != nil {
+ return err
+ }
+
+ // Convert it to a v2beta2 release snapshot.
+ snap := release.ObservedToSnapshot(release.ObserveRelease(rls))
+
+ // If tests are enabled, include them as well.
+ if obj.GetTest().Enable {
+ snap.SetTestHooks(release.TestHooksFromRelease(rls))
+ }
+
+ // Adopt it as the current release in the history.
+ obj.Status.History = append(obj.Status.History, snap)
+ obj.Status.StorageNamespace = storageNamespace
+
+ // Erase the last release revision from the status.
+ obj.Status.LastReleaseRevision = 0
+
+ return nil
+}
+
func (r *HelmReleaseReconciler) buildRESTClientGetter(ctx context.Context, obj *v2.HelmRelease) (genericclioptions.RESTClientGetter, error) {
opts := []kube.Option{
kube.WithNamespace(obj.GetReleaseNamespace()),
diff --git a/internal/controller/helmrelease_controller_test.go b/internal/controller/helmrelease_controller_test.go
index 47f07848d..86ebf5fa3 100644
--- a/internal/controller/helmrelease_controller_test.go
+++ b/internal/controller/helmrelease_controller_test.go
@@ -46,6 +46,7 @@ import (
"github.com/fluxcd/pkg/apis/acl"
"github.com/fluxcd/pkg/apis/meta"
"github.com/fluxcd/pkg/runtime/conditions"
+ feathelper "github.com/fluxcd/pkg/runtime/features"
"github.com/fluxcd/pkg/runtime/patch"
sourcev1 "github.com/fluxcd/source-controller/api/v1"
sourcev1b2 "github.com/fluxcd/source-controller/api/v1beta2"
@@ -53,6 +54,8 @@ import (
v2 "github.com/fluxcd/helm-controller/api/v2beta2"
intacl "github.com/fluxcd/helm-controller/internal/acl"
"github.com/fluxcd/helm-controller/internal/action"
+ "github.com/fluxcd/helm-controller/internal/chartutil"
+ "github.com/fluxcd/helm-controller/internal/features"
"github.com/fluxcd/helm-controller/internal/kube"
intreconcile "github.com/fluxcd/helm-controller/internal/reconcile"
"github.com/fluxcd/helm-controller/internal/release"
@@ -430,6 +433,110 @@ func TestHelmReleaseReconciler_reconcileRelease(t *testing.T) {
}))
})
+ t.Run("attempts to adopt v2beta1 release state", func(t *testing.T) {
+ g := NewWithT(t)
+
+ // Initialize feature gates.
+ g.Expect((&feathelper.FeatureGates{}).SupportedFeatures(features.FeatureGates())).To(Succeed())
+
+ // Create a test namespace for storing the Helm release mock.
+ ns, err := testEnv.CreateNamespace(context.TODO(), "adopt-release")
+ g.Expect(err).ToNot(HaveOccurred())
+ t.Cleanup(func() {
+ _ = testEnv.Delete(context.TODO(), ns)
+ })
+
+ // Create HelmChart mock.
+ chartMock := testutil.BuildChart()
+ chartArtifact, err := testutil.SaveChartAsArtifact(chartMock, digest.SHA256, testServer.URL(), testServer.Root())
+ g.Expect(err).ToNot(HaveOccurred())
+
+ chart := &sourcev1b2.HelmChart{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "adopt-release",
+ Namespace: ns.Name,
+ Generation: 1,
+ },
+ Spec: sourcev1b2.HelmChartSpec{
+ Chart: "testdata/test-helmrepo",
+ Version: "0.1.0",
+ SourceRef: sourcev1b2.LocalHelmChartSourceReference{
+ Kind: sourcev1b2.HelmRepositoryKind,
+ Name: "reconcile-delete",
+ },
+ },
+ Status: sourcev1b2.HelmChartStatus{
+ ObservedGeneration: 1,
+ Artifact: chartArtifact,
+ Conditions: []metav1.Condition{
+ {
+ Type: meta.ReadyCondition,
+ Status: metav1.ConditionTrue,
+ },
+ },
+ },
+ }
+
+ // Create a test Helm release storage mock.
+ rls := testutil.BuildRelease(&helmrelease.MockReleaseOptions{
+ Name: "adopt-release",
+ Namespace: ns.Name,
+ Version: 1,
+ Chart: chartMock,
+ Status: helmrelease.StatusDeployed,
+ }, testutil.ReleaseWithConfig(nil))
+ valChecksum := chartutil.DigestValues("sha1", rls.Config)
+
+ obj := &v2.HelmRelease{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "adopt-release",
+ Namespace: ns.Name,
+ },
+ Spec: v2.HelmReleaseSpec{
+ StorageNamespace: ns.Name,
+ },
+ Status: v2.HelmReleaseStatus{
+ HelmChart: chart.Namespace + "/" + chart.Name,
+ LastReleaseRevision: rls.Version,
+ LastAttemptedValuesChecksum: valChecksum.Hex(),
+ },
+ }
+
+ c := fake.NewClientBuilder().
+ WithScheme(NewTestScheme()).
+ WithObjects(chart).
+ Build()
+
+ r := &HelmReleaseReconciler{
+ Client: c,
+ GetClusterConfig: GetTestClusterConfig,
+ EventRecorder: record.NewFakeRecorder(32),
+ httpClient: retryablehttp.NewClient(),
+ }
+
+ // Store the Helm release mock in the test namespace.
+ getter, err := r.buildRESTClientGetter(context.TODO(), obj)
+ g.Expect(err).ToNot(HaveOccurred())
+
+ cfg, err := action.NewConfigFactory(getter, action.WithStorage(helmdriver.SecretsDriverName, obj.GetStorageNamespace()))
+ g.Expect(err).ToNot(HaveOccurred())
+
+ store := helmstorage.Init(cfg.Driver)
+ g.Expect(store.Create(rls)).To(Succeed())
+
+ // Reconcile the Helm release.
+ _, err = r.reconcileRelease(context.TODO(), nil, obj)
+ g.Expect(err).ToNot(HaveOccurred())
+
+ // Assert that the Helm release has been adopted.
+ g.Expect(obj.Status.History).To(testutil.Equal(v2.Snapshots{
+ release.ObservedToSnapshot(release.ObserveRelease(rls)),
+ }))
+ g.Expect(obj.Status.StorageNamespace).To(Equal(ns.Name))
+ g.Expect(obj.Status.LastAttemptedConfigDigest).ToNot(BeEmpty())
+ g.Expect(obj.Status.LastReleaseRevision).To(Equal(0))
+ })
+
t.Run("uninstalls HelmRelease if target has changed", func(t *testing.T) {
g := NewWithT(t)
@@ -607,7 +714,7 @@ func TestHelmReleaseReconciler_reconcileRelease(t *testing.T) {
Spec: v2.HelmReleaseSpec{
// Trigger a failure by setting an invalid storage namespace,
// preventing the release from actually being installed.
- // This allows us to just test the , without
+ // This allows us to just test the values being set, without
// having to facilitate a full install.
StorageNamespace: "not-exist",
Values: &apiextensionsv1.JSON{
@@ -681,7 +788,7 @@ func TestHelmReleaseReconciler_reconcileDelete(t *testing.T) {
// Create a test Helm release storage mock.
rls := testutil.BuildRelease(&helmrelease.MockReleaseOptions{
Name: "reconcile-delete",
- Namespace: ns.Namespace,
+ Namespace: ns.Name,
Version: 1,
Chart: testutil.BuildChart(testutil.ChartWithTestHook()),
Status: helmrelease.StatusDeployed,
@@ -791,7 +898,7 @@ func TestHelmReleaseReconciler_reconileReleaseDeletion(t *testing.T) {
// Create a test Helm release storage mock.
rls := testutil.BuildRelease(&helmrelease.MockReleaseOptions{
Name: "reconcile-delete",
- Namespace: ns.Namespace,
+ Namespace: ns.Name,
Version: 1,
Chart: testutil.BuildChart(testutil.ChartWithTestHook()),
Status: helmrelease.StatusDeployed,
@@ -853,7 +960,7 @@ func TestHelmReleaseReconciler_reconileReleaseDeletion(t *testing.T) {
// Create a test Helm release storage mock.
rls := testutil.BuildRelease(&helmrelease.MockReleaseOptions{
Name: "reconcile-delete",
- Namespace: ns.Namespace,
+ Namespace: ns.Name,
Version: 1,
Chart: testutil.BuildChart(testutil.ChartWithTestHook()),
Status: helmrelease.StatusDeployed,
@@ -953,7 +1060,7 @@ func TestHelmReleaseReconciler_reconileReleaseDeletion(t *testing.T) {
// Create a test Helm release storage mock.
rls := testutil.BuildRelease(&helmrelease.MockReleaseOptions{
Name: "reconcile-delete",
- Namespace: ns.Namespace,
+ Namespace: ns.Name,
Version: 1,
Chart: testutil.BuildChart(testutil.ChartWithTestHook()),
Status: helmrelease.StatusDeployed,
@@ -1404,6 +1511,174 @@ func TestHelmReleaseReconciler_checkDependencies(t *testing.T) {
}
}
+func TestHelmReleaseReconciler_adoptLegacyRelease(t *testing.T) {
+ tests := []struct {
+ name string
+ releases func(namespace string) []*helmrelease.Release
+ spec func(spec *v2.HelmReleaseSpec)
+ status v2.HelmReleaseStatus
+ expectHistory func(releases []*helmrelease.Release) v2.Snapshots
+ expectLastReleaseRevision int
+ wantErr bool
+ }{
+ {
+ name: "adopts last release revision",
+ releases: func(namespace string) []*helmrelease.Release {
+ return []*helmrelease.Release{
+ testutil.BuildRelease(&helmrelease.MockReleaseOptions{
+ Name: "orphaned",
+ Namespace: namespace,
+ Version: 6,
+ Chart: testutil.BuildChart(),
+ Status: helmrelease.StatusDeployed,
+ }, testutil.ReleaseWithTestHook()),
+ }
+ },
+ spec: func(spec *v2.HelmReleaseSpec) {
+ spec.ReleaseName = "orphaned"
+ },
+ status: v2.HelmReleaseStatus{
+ LastReleaseRevision: 6,
+ },
+ expectHistory: func(releases []*helmrelease.Release) v2.Snapshots {
+ return v2.Snapshots{
+ release.ObservedToSnapshot(release.ObserveRelease(releases[0])),
+ }
+ },
+ expectLastReleaseRevision: 0,
+ },
+ {
+ name: "includes test hooks if enabled",
+ releases: func(namespace string) []*helmrelease.Release {
+ return []*helmrelease.Release{
+ testutil.BuildRelease(&helmrelease.MockReleaseOptions{
+ Name: "orphaned-with-hooks",
+ Namespace: namespace,
+ Version: 3,
+ Chart: testutil.BuildChart(testutil.ChartWithTestHook()),
+ Status: helmrelease.StatusDeployed,
+ }, testutil.ReleaseWithTestHook()),
+ }
+ },
+ spec: func(spec *v2.HelmReleaseSpec) {
+ spec.ReleaseName = "orphaned-with-hooks"
+ spec.Test = &v2.Test{
+ Enable: true,
+ }
+ },
+ status: v2.HelmReleaseStatus{
+ LastReleaseRevision: 3,
+ },
+ expectHistory: func(releases []*helmrelease.Release) v2.Snapshots {
+ snap := release.ObservedToSnapshot(release.ObserveRelease(releases[0]))
+ snap.SetTestHooks(release.TestHooksFromRelease(releases[0]))
+
+ return v2.Snapshots{
+ snap,
+ }
+ },
+ expectLastReleaseRevision: 0,
+ },
+ {
+ name: "non-existing release",
+ spec: func(spec *v2.HelmReleaseSpec) {
+ spec.ReleaseName = "non-existing"
+ },
+ status: v2.HelmReleaseStatus{
+ LastReleaseRevision: 2,
+ },
+ expectLastReleaseRevision: 2,
+ wantErr: true,
+ },
+ {
+ name: "without last release revision",
+ status: v2.HelmReleaseStatus{
+ LastReleaseRevision: 0,
+ },
+ expectHistory: func(releases []*helmrelease.Release) v2.Snapshots {
+ return nil
+ },
+ expectLastReleaseRevision: 0,
+ },
+ {
+ name: "with existing history",
+ status: v2.HelmReleaseStatus{
+ History: v2.Snapshots{
+ {
+ Name: "something",
+ },
+ },
+ LastReleaseRevision: 5,
+ },
+ expectHistory: func(releases []*helmrelease.Release) v2.Snapshots {
+ return v2.Snapshots{
+ {
+ Name: "something",
+ },
+ }
+ },
+ expectLastReleaseRevision: 5,
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ g := NewWithT(t)
+
+ // Create a test namespace for storing the Helm release mock.
+ ns, err := testEnv.CreateNamespace(context.TODO(), "adopt-release")
+ g.Expect(err).ToNot(HaveOccurred())
+ t.Cleanup(func() {
+ _ = testEnv.Delete(context.TODO(), ns)
+ })
+
+ // Mock a HelmRelease object.
+ obj := &v2.HelmRelease{
+ Spec: v2.HelmReleaseSpec{
+ StorageNamespace: ns.Name,
+ },
+ Status: tt.status,
+ }
+ if tt.spec != nil {
+ tt.spec(&obj.Spec)
+ }
+
+ r := &HelmReleaseReconciler{
+ Client: testEnv.Client,
+ GetClusterConfig: GetTestClusterConfig,
+ }
+
+ // Store the Helm release mock in the test namespace.
+ getter, err := r.buildRESTClientGetter(context.TODO(), obj)
+ g.Expect(err).ToNot(HaveOccurred())
+
+ cfg, err := action.NewConfigFactory(getter, action.WithStorage(helmdriver.SecretsDriverName, obj.GetStorageNamespace()))
+ g.Expect(err).ToNot(HaveOccurred())
+
+ var releases []*helmrelease.Release
+ if tt.releases != nil {
+ releases = tt.releases(ns.Name)
+ }
+ store := helmstorage.Init(cfg.Driver)
+ for _, rls := range releases {
+ g.Expect(store.Create(rls)).To(Succeed())
+ }
+
+ // Adopt the Helm release mock.
+ err = r.adoptLegacyRelease(context.TODO(), getter, obj)
+ g.Expect(err != nil).To(Equal(tt.wantErr), "unexpected error: %s", err)
+
+ // Verify the Helm release mock has been adopted.
+ var expectHistory v2.Snapshots
+ if tt.expectHistory != nil {
+ expectHistory = tt.expectHistory(releases)
+ }
+ g.Expect(obj.Status.History).To(Equal(expectHistory))
+ g.Expect(obj.Status.LastReleaseRevision).To(Equal(tt.expectLastReleaseRevision))
+ })
+ }
+}
+
func TestHelmReleaseReconciler_buildRESTClientGetter(t *testing.T) {
const (
namespace = "some-namespace"
diff --git a/internal/features/features.go b/internal/features/features.go
index 43e7a4425..4d39cad0f 100644
--- a/internal/features/features.go
+++ b/internal/features/features.go
@@ -47,6 +47,13 @@ const (
// OOMWatch enables the OOM watcher, which will gracefully shut down the controller
// when the memory usage exceeds the configured limit. This is disabled by default.
OOMWatch = "OOMWatch"
+
+ // AdoptLegacyReleases enables the adoption of the historical Helm release
+ // based on the status fields from a v2beta1 HelmRelease object.
+ // This is enabled by default to support an upgrade path from v2beta1 to v2beta2
+ // without the need to upgrade the Helm release. But it can be disabled to
+ // avoid potential abuse of the adoption mechanism.
+ AdoptLegacyReleases = "AdoptLegacyReleases"
)
var features = map[string]bool{
@@ -65,6 +72,9 @@ var features = map[string]bool{
// OOMWatch
// opt-in from v0.31
OOMWatch: false,
+ // AdoptLegacyReleases
+ // opt-out from v0.37
+ AdoptLegacyReleases: true,
}
// FeatureGates contains a list of all supported feature gates and
|