feat: deprecate Helm 2

[jdolce]

Signed-off-by: Julian Dolce jdolce@qnx.com

What this PR does / why we need it:
Deprecates Helm 2 chart

Which issue(s) this PR fixes (optional, using fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when the PR gets merged):
Fixes #1076

Special notes for your reviewer:

[sozercan]

is this only used for kubectl? can we re-use line/kubectl-kustomize image we use for kustomize?

[jdolce]

yep for sure will look at using that.

[codecov-io]

Codecov Report

Merging #1179 (00ba3a4) into master (5b0472a) will decrease coverage by 0.24%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master    #1179      +/-   ##
==========================================
- Coverage   50.14%   49.89%   -0.25%     
==========================================
  Files          64       64              
  Lines        4465     4465              
==========================================
- Hits         2239     2228      -11     
- Misses       1922     1928       +6     
- Partials      304      309       +5     

Flag	Coverage Δ
unittests	49.89% <ø> (-0.25%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
...onstrainttemplate/constrainttemplate_controller.go	53.07% <0.00%> (-3.56%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 5b0472a...00ba3a4. Read the comment docs.

[sozercan]

customResourceDefinition.create should be removed now?

[jdolce]

The reason why I left this was because this is the currently released chart being installed before we try and do an upgrade. So customResourceDefinition.create is still in that chart.

[sozercan]

@ritazh @maxsmythe are we okay with this behavior change? this should be documented in release notes.

[maxsmythe]

What is the behavior change? the --create-namespace flag?

TBH, I don't think of Helm as part of Gatekeeper's backwards compatibility contract b/c it's an installation method, not an interface, though reasonable people can disagree here. More importantly, it may not be possible to maintain backwards compatibility as it seems like some if these changes are forced by upstream changes to Helm itself?

With that in mind, I would do whatever the community standard is for Helm charts when they need to change.

[ritazh]

This postInstall hook is definitely not obvious. +1 on adding it to release notes and all the docs.
Can postInstall.labelNamespace.enabled be default to true so users don't need to do this every time? And this would ensure existing namespace also gets the admission.gatekeeper.sh/ignore=no-self-managing label.

[jdolce]

The behaviour change here is that the Helm chart no longer creates and manages the Namespace. Helm will create it if you ask it by setting the --create-namespace flag, but it's not managed by the chart itself. For example if you uninstall the chart the Namespace will remain.

The challenge with this chart is that we want the admission.gatekeeper.sh/ignore label on the Namespace Gatekeeper is installed in, which is what the postInstall hook stuff does.

As an alternative to this could we include a Config in the chart and set a reasonable default to the Namespace, and allow callers to override it? Based on the docs it seems like this is another alternative to the
--exempt-namespace flag. Also happy to set postInstall.labelNamespace.enabled to true by default, and remove the post-upgrade hook so that it only happens on first time installs. Because that labeling only has to happen one time I would think.

[ritazh]

happy to set postInstall.labelNamespace.enabled to true by default, and remove the post-upgrade hook so that it only happens on first time installs. Because that labeling only has to happen one time I would think.

+1

[sozercan]

nit: newline

[ritazh]

why does it need the label before installing the chart?

[ritazh]

Suggested change

	name: gatekeeper-update-namespace
	name: gatekeeper-update-namespace-label

[ritazh]

I kicked off upgrade / [Helm] Upgrade test (3.4.2) job again. let's make sure that e2e passes without any issues.

[jdolce]

I kicked off upgrade / [Helm] Upgrade test (3.4.2) job again. let's make sure that e2e passes without any issues.

I think there is an issue with the tests where the tests set enforcementAction: warn but that is not a valid value in gatekeeper 3.1.1 which is the base version of the upgrade path.

Error from server (Could not find the provided enforcementAction value within the supported list [deny dryrun]): error when applying patch:
...

[jdolce]

There is an issue with upgrading that makes it difficult if not impossible to upgrade from older versions.

helm install gatekeeper gatekeeper/gatekeeper --version 3.23 ....

This command will install and manage the Helm chart in the default namespace but all of the resources are installed to the gatekeeper-system namespace.

When you upgrade with the changes here we use the following command to replace the resources in gatekeeper-system namespace.

helm upgrade -n gatekeeper-system gatekeeper manifest_staging/charts/gatekeeper

The problem is that since Helm has installed the chart into the default namespace, it can't find the chart in the gatekeeper-namespace to upgrade.

The only way to make this work would be to initially install the chart with createNamespace=false, but that is not in a released version of the chart yet. This does also mean that there is a real potential for current users to not have a valid upgrade path with this chart.

[ritazh]

@jdolce Thanks for raising the issue! Sounds like we need a way to derive gatekeeper.namespace to support cases where the helm release namespace and the namespace that contains all the resources are different.

Maybe we need a helper function in cmd/build/helmify/static/templates/_helpers.tpl that defaults gatekeeper.namespace to gatekeeper-system when Release.Namespace is default, otherwise, use Release.Namespace :

{{- define "gatekeeper.namespace" -}}
{{- if .Release.Namespace default }}
{{- printf "gatekeeper-system" }}
{{- else }}
{{- .Release.Namespace }}
{{- end }}
{{- end -}}

This would ensure helm releases will continue to be in the same namespace users specify with -namespace and the resource's namespace will be gatekeeper.namespace. WDYT?

[jdolce]

@ritazh that might work, but I am concerned that it might be confusing as it is not expected Helm behaviour. Someone could have installed the chart into another namespace that isn't default or gatekeeper-system and they would run into the same problem.

I feel like this is kind of stuck in a bad spot where the current behaviour doesn't allow us to follow Helm best practices without some level of breakage. The changes in 3.4 help with this as it allows you to install it correctly, but that won't help folks that have installed on an older version.

My vote would be to break things with this change as we are deprecating something, and it will be easier to call out this behaviour. This will get us on a good track going forward. Doing so will require users to delete the old chart first to re-install it in the gatekeeper-system namespace. Or you could install it in a different namespace, like gatekeeper and run both for a brief moment, and delete the old one.

If we don't want to break anything, I think we can potentially come up with a solution like what Rita mentions above.

[ritazh]

@jdolce I have added this to this week's community call agenda.

[ritazh]

Per community call:

We want to deprecate support for when the helm release namespace and GK namespace are different
Need to test how existing CT and constraints will be persisted during helm delete and helm install
Side by side upgrade is not supported

[jdolce]

Per community call:

We want to deprecate support for when the helm release namespace and GK namespace are different
Need to test how existing CT and constraints will be persisted during helm delete and helm install
Side by side upgrade is not supported

Just tested this and after uninstalling the helm chart the CRD's remained along with the constraints.

[maxsmythe]

Sounds like the uninstall/reinstall path is viable then?

[jdolce]

@ritazh @maxsmythe @sozercan I came up with a migration script that seems to work well, and is being used in the upgrade tests. It prevents one from uninstalling the current chart and deleting any resources. There wasn't a clear spot to put this so it's just at the root of the repo. Let me know if there is a better place and I can move it.

[sozercan]

Suggested change

	Run the `helm_migrate.sh` script before installing the 3.4.0 or greater chart. This will remove the Helm secret for the original release, while keeping all of the resources. It then udpates the annotations of the resources so that the new chart can import and manage them.
	Run the `helm_migrate.sh` script before installing the 3.4.0 or greater chart. This will remove the Helm secret for the original release, while keeping all of the resources. It then updates the annotations of the resources so that the new chart can import and manage them.

[sozercan]

is this missing pdb?

Error: rendered manifests contain a resource that already exists. Unable to continue with install: PodDisruptionBudget "gatekeeper-controller-manager" in namespace "gatekeeper-system" exists and cannot be imported into the current release: invalid ownership metadata; annotation validation error: key "meta.helm.sh/release-namespace" must equal "gatekeeper-system": current value is "default"

[jdolce]

I added it. Didn't catch it the first time because it's not in the 3.2.3 Helm chart, which is the base revision for the upgrade.

[sozercan]

I am not seeing the helm release after doing helm ls here.

[jdolce]

You would need helm ls -n gatekeeper-system since the chart is installed in that namespace.
You can also see the secret that Helm creates to manage the release kubectl -n gatekeeper-system get secrets -l release=gatekeeper

[sozercan]

Thanks! LGTM

[maxsmythe]

LGTM