-
Notifications
You must be signed in to change notification settings - Fork 743
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: deprecate Helm 2 #1179
feat: deprecate Helm 2 #1179
Conversation
labelNamespace: | ||
enabled: false | ||
image: | ||
repository: bskim45/helm-kubectl-jq |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is this only used for kubectl
? can we re-use line/kubectl-kustomize
image we use for kustomize?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yep for sure will look at using that.
e6f19d4
to
575da07
Compare
Codecov Report
@@ Coverage Diff @@
## master #1179 +/- ##
==========================================
- Coverage 50.14% 49.89% -0.25%
==========================================
Files 64 64
Lines 4465 4465
==========================================
- Hits 2239 2228 -11
- Misses 1922 1928 +6
- Partials 304 309 +5
Flags with carried forward coverage won't be shown. Click here to find out more.
Continue to review full report at Codecov.
|
00ba3a4
to
eb23f69
Compare
./.staging/helm/linux-amd64/helm install gatekeeper gatekeeper/gatekeeper --version ${BASE_RELEASE} --debug --wait \ | ||
--set emitAdmissionEvents=true \ | ||
--set emitAuditEvents=true \ | ||
--set customResourceDefinitions.create=false;\ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
customResourceDefinition.create
should be removed now?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The reason why I left this was because this is the currently released chart being installed before we try and do an upgrade. So customResourceDefinition.create
is still in that chart.
cmd/build/helmify/static/README.md
Outdated
$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper | ||
|
||
# Helm install and create namespace | ||
$ helm install -n gatekeeper-system [RELEASE_NAME] gatekeeper/gatekeeper --create-namespace --set postInstall.labelNamespace.enabled=true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ritazh @maxsmythe are we okay with this behavior change? this should be documented in release notes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is the behavior change? the --create-namespace
flag?
TBH, I don't think of Helm as part of Gatekeeper's backwards compatibility contract b/c it's an installation method, not an interface, though reasonable people can disagree here. More importantly, it may not be possible to maintain backwards compatibility as it seems like some if these changes are forced by upstream changes to Helm itself?
With that in mind, I would do whatever the community standard is for Helm charts when they need to change.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This postInstall hook is definitely not obvious. +1 on adding it to release notes and all the docs.
Can postInstall.labelNamespace.enabled
be default to true
so users don't need to do this every time? And this would ensure existing namespace also gets the admission.gatekeeper.sh/ignore=no-self-managing
label.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The behaviour change here is that the Helm chart no longer creates and manages the Namespace. Helm will create it if you ask it by setting the --create-namespace
flag, but it's not managed by the chart itself. For example if you uninstall the chart the Namespace will remain.
The challenge with this chart is that we want the admission.gatekeeper.sh/ignore
label on the Namespace Gatekeeper is installed in, which is what the postInstall hook stuff does.
As an alternative to this could we include a Config
in the chart and set a reasonable default to the Namespace, and allow callers to override it? Based on the docs it seems like this is another alternative to the
--exempt-namespace
flag. Also happy to set postInstall.labelNamespace.enabled
to true
by default, and remove the post-upgrade
hook so that it only happens on first time installs. Because that labeling only has to happen one time I would think.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
happy to set postInstall.labelNamespace.enabled to true by default, and remove the post-upgrade hook so that it only happens on first time installs. Because that labeling only has to happen one time I would think.
+1
name: gatekeeper-update-namespace | ||
namespace: {{ .Release.Namespace | quote }} | ||
|
||
{{- end }} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: newline
cmd/build/helmify/static/README.md
Outdated
## Exempting Namespace | ||
|
||
The Helm chart automatically set the Gatekeeper flag `--exempt-namespace={{ .Release.Namespace }}` in order to exempt the namespace where the chart is installed. In order for this to work correctly the namespace must have the `admission.gatekeeper.sh/ignore` label. | ||
This can be done by setting up the namespace with the label before installing the chart, or setting `postInstall.labelNamespace.enabled: true`, which will add the label to the release namespace during the post install hook. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
why does it need the label before installing the chart?
apiVersion: batch/v1 | ||
kind: Job | ||
metadata: | ||
name: gatekeeper-update-namespace |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
name: gatekeeper-update-namespace | |
name: gatekeeper-update-namespace-label |
I kicked off |
I think there is an issue with the tests where the tests set
|
c7bd46f
to
bbc8fe6
Compare
There is an issue with upgrading that makes it difficult if not impossible to upgrade from older versions.
This command will install and manage the Helm chart in the When you upgrade with the changes here we use the following command to replace the resources in
The problem is that since Helm has installed the chart into the The only way to make this work would be to initially install the chart with |
@jdolce Thanks for raising the issue! Sounds like we need a way to derive Maybe we need a helper function in cmd/build/helmify/static/templates/_helpers.tpl that defaults {{- define "gatekeeper.namespace" -}}
{{- if .Release.Namespace default }}
{{- printf "gatekeeper-system" }}
{{- else }}
{{- .Release.Namespace }}
{{- end }}
{{- end -}} This would ensure helm releases will continue to be in the same namespace users specify with |
@ritazh that might work, but I am concerned that it might be confusing as it is not expected Helm behaviour. Someone could have installed the chart into another namespace that isn't I feel like this is kind of stuck in a bad spot where the current behaviour doesn't allow us to follow Helm best practices without some level of breakage. The changes in 3.4 help with this as it allows you to install it correctly, but that won't help folks that have installed on an older version. My vote would be to break things with this change as we are deprecating something, and it will be easier to call out this behaviour. This will get us on a good track going forward. Doing so will require users to delete the old chart first to re-install it in the If we don't want to break anything, I think we can potentially come up with a solution like what Rita mentions above. |
@jdolce I have added this to this week's community call agenda. |
Per community call:
|
Just tested this and after uninstalling the helm chart the CRD's remained along with the constraints. |
Sounds like the uninstall/reinstall path is viable then? |
f893048
to
9085602
Compare
@ritazh @maxsmythe @sozercan I came up with a migration script that seems to work well, and is being used in the upgrade tests. It prevents one from uninstalling the current chart and deleting any resources. There wasn't a clear spot to put this so it's just at the root of the repo. Let me know if there is a better place and I can move it. |
``` | ||
|
||
Option 2: | ||
Run the `helm_migrate.sh` script before installing the 3.4.0 or greater chart. This will remove the Helm secret for the original release, while keeping all of the resources. It then udpates the annotations of the resources so that the new chart can import and manage them. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Run the `helm_migrate.sh` script before installing the 3.4.0 or greater chart. This will remove the Helm secret for the original release, while keeping all of the resources. It then udpates the annotations of the resources so that the new chart can import and manage them. | |
Run the `helm_migrate.sh` script before installing the 3.4.0 or greater chart. This will remove the Helm secret for the original release, while keeping all of the resources. It then updates the annotations of the resources so that the new chart can import and manage them. |
|
||
kubectl annotate --overwrite -n gatekeeper-system deployment gatekeeper-controller-manager meta.helm.sh/release-name=${RELEASE_NAME} | ||
kubectl annotate --overwrite -n gatekeeper-system deployment gatekeeper-controller-manager meta.helm.sh/release-namespace=${NEW_NAMESPACE} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is this missing pdb?
Error: rendered manifests contain a resource that already exists. Unable to continue with install: PodDisruptionBudget "gatekeeper-controller-manager" in namespace "gatekeeper-system" exists and cannot be imported into the current release: invalid ownership metadata; annotation validation error: key "meta.helm.sh/release-namespace" must equal "gatekeeper-system": current value is "default"
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I added it. Didn't catch it the first time because it's not in the 3.2.3 Helm chart, which is the base revision for the upgrade.
5bd3d52
to
6421834
Compare
```console | ||
$ helm_migrate.sh | ||
$ helm install -n gatekeeper-system gatekeeper gatekeeper/gatekeeper | ||
``` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am not seeing the helm release after doing helm ls
here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You would need helm ls -n gatekeeper-system
since the chart is installed in that namespace.
You can also see the secret that Helm creates to manage the release kubectl -n gatekeeper-system get secrets -l release=gatekeeper
Signed-off-by: Julian Dolce <jdolce@qnx.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Signed-off-by: Julian Dolce jdolce@qnx.com
What this PR does / why we need it:
Deprecates Helm 2 chart
Which issue(s) this PR fixes (optional, using
fixes #<issue number>(, fixes #<issue_number>, ...)
format, will close the issue(s) when the PR gets merged):Fixes #1076
Special notes for your reviewer: