Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Hydra maester cannot be deployed to multiple namespaces #138

Closed
jbapu opened this issue Apr 30, 2020 · 10 comments · Fixed by #276
Closed

Hydra maester cannot be deployed to multiple namespaces #138

jbapu opened this issue Apr 30, 2020 · 10 comments · Fixed by #276
Assignees
@Demonsthere
Labels
bug Something is not working.

Comments

@jbapu
Copy link
Contributor

jbapu commented Apr 30, 2020
edited

Describe the bug

Trying to deploy Hydra to multiple k8s namespaces results in

Error: rendered manifests contain a resource that already exists. Unable to continue with install: existing resource conflict: namespace: , name: maester-role, existing_kind: rbac.authorization.k8s.io/v1beta1, Kind=ClusterRole, new_kind: rbac.authorization.k8s.io/v1beta1, Kind=ClusterRole

To Reproduce

Steps to reproduce the behavior:

helm install hydra ory/hydra --version 0.3.3 -n namespace1
helm install hydra ory/hydra --version 0.3.3 -n namespace2

Results in:

Error: rendered manifests contain a resource that already exists. Unable to continue with install: ClusterRole "maester-role" in namespace "" exists and cannot be imported into the current release: invalid ownership metadata; annotation validation error: key "meta.helm.sh/release-namespace" must equal "namespace2": current value is "namespace1"

Expected behavior

I expect to be able to successfully deploy Hydra into different namespaces without any errors.

Environment

  • Version:
$ helm version
version.BuildInfo{Version:"v3.2.0", GitCommit:"e11b7ce3b12db2941e90399e874513fbd24bcb71", GitTreeState:"clean", GoVersion:"go1.13.10"}

$ kubectl version
Client Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.5", GitCommit:"20c265fef0741dd71a66480e35bd69f18351daea", GitTreeState:"clean", BuildDate:"2019-10-15T19:16:51Z", GoVersion:"go1.12.10", Compiler:"gc", Platform:"windows/amd64"}
Server Version: version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.2", GitCommit:"59603c6e503c87169aea6106f57b9f242f64df89", GitTreeState:"clean", BuildDate:"2020-01-18T23:22:30Z", GoVersion:"go1.13.5", Compiler:"gc", Platform:"linux/amd64"}

Is this intended behavior? Can hydra only be deployed once (maybe use enabledNamespaces for multiple namespaces)?
@aeneasr aeneasr added the bug Something is not working. label Apr 30, 2020
@aeneasr
Copy link
Member

aeneasr commented Apr 30, 2020

Yeah that's definitely a bug. You don't need maester, right?

@jbapu
Copy link
Contributor Author

jbapu commented Apr 30, 2020

Good point. I guess I don't..

@christian-roggia
Copy link
Contributor

The same issue shows up if you try to install oathkeeper and hydra in the same cluster with CDR enabled:

Error: rendered manifests contain a resource that already exists. Unable to continue with install: ClusterRole "maester-role" in namespace "" exists and cannot be imported into the current release: invalid ownership metadata; annotation validation error: key "meta.helm.sh/release-name" must equal "hydra": current value is "oathkeeper"; annotation validation error: key "meta.helm.sh/release-namespace" must equal "hydra": current value is "default"

@aeneasr
Copy link
Member

aeneasr commented May 1, 2020

Ok, we definitely need to rename the role. PRs welcomed!

@aeneasr aeneasr mentioned this issue May 14, 2020
Closed
@Atharex Atharex mentioned this issue Dec 7, 2020
Merged
@Atharex
Copy link
Contributor

Atharex commented Dec 7, 2020

Came across this issue and also wanted a fix :)

@golubovsky
Copy link

I’ve managed to fix it by

It’s a temporary solution, but it works )

PS v0.12.0

@golubovsky
Copy link

Found simplier solution, just add --set hydra-maester.nameOverride=hydra-maester-unique_word:

helm install hydra ory/hydra --version 0.13.0 -n namespace1 --set hydra-maester.nameOverride=hydra-maester-namespace1
helm install hydra ory/hydra --version 0.13.0 -n namespace2 --set hydra-maester.nameOverride=hydra-maester-namespace2

@aeneasr
Copy link
Member

aeneasr commented Jun 2, 2021

Could that be included in the helm chart directly?

@Demonsthere
Copy link
Collaborator

Hello there. Two things:
1 - There is a small bug in the RBAC, will create a PR in a second to fix it.
2 - Installing two copies of the same chart like this:

helm install hydra ory/hydra --version 0.3.3 -n namespace1
helm install hydra ory/hydra --version 0.3.3 -n namespace2

May not be the best approach, because as @golubovsky mentioned, the name is the same across both installation. Please install it like:

helm install hydra-maester ./helm/charts/hydra-maester -f local/hydra-maester.yaml --namespace foo1
helm install hydra-maester-2 ./helm/charts/hydra-maester -f local/hydra-maester.yaml --namespace foo2

@Demonsthere Demonsthere mentioned this issue Jun 4, 2021
Merged
5 tasks
@muya
Copy link

muya commented Feb 5, 2024

NB: This also works for the Oathkeeper maester

--set oathkeeper-maester.nameOverride=oathkeeper-maester-{unique-value}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Demonsthere Demonsthere

Labels
bug Something is not working.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: use fullname instead of name Demonsthere/k8s
7 participants
@muya @Atharex @aeneasr @golubovsky @christian-roggia @jbapu @Demonsthere