-
Notifications
You must be signed in to change notification settings - Fork 70
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
forceGenerateTLS does not work for an upgrade #51
Comments
I thought we had that particular state documented, but it doesn't seem that way. @victornoel Out of curiosity, are you using helm2 or helm3? There does appear to be a hook setting that takes care of this, which is something I learned about recently. It should be the default behavior in helm3. https://helm.sh/docs/topics/charts_hooks/#hook-deletion-policies |
@travisgroth interesting! So with helm 3 this should fix the problem : I am currently using helm 2 but we are in the process of migrating to helm 3. There is another problem with using hooks for those resources generated via the template (i.e., each run of helm will change the resource): once you disabled I think it's not very great it terms of declarativeness, another solution is the one used in some charts: they use a job resource hook that generates the certs from within the cluster. For example using bash, openssl and kubectl can be enough… It's more complex to write, but then you don't have this strange situation where resources are to be un-generated by helm: if it's a job, once it is run, it will stay here. Then you need to find the right way to detect what triggers regeneration: via manual job deletion, manual job restart, or even the job is run everytime (and deleted on success by helm) but certs only generated if not already present, etc, etc, etc. I don't know what is the best solution though. |
We are as well but it's been...rough. Good luck! :)
Yes. It's very funny looking in the diff. I looked into that and
I'm not sure that offloading to a job even addresses the whole problem set you're observing. The case we're facing during this upgrade path is going to need you to take some additional step for the upgrade. The closest helm gets to "create if doesn't exist" is the hooks we're using now. Punting to a non-helm resource does allow for less confusing ergonomics around the conditional...but if you're regenerating, it'll still need to be informed. Cleanup is still a problem as well, since you're creating objects outside tiller. I haven't played around with directly setting Short term, I'd like to at least put the hook annotation in to make this slightly less annoying to use with helm 2. Medium term, I think the if-not-exists logic can be moved into the operator, if it doesn't show up in helm 3. I anticipate more logic going into code over time. We could probably also add in either docs or explicit flags for Remaining concerns
|
When doing an upgrade, if I set the
config.forceGenerateTLS
value totrue
, I get the following error:I suppose a workaround is to delete manually the secret beforehand, but we should:
I'm not exactly clear how to do that though.
I think the problem is maybe that when
config.forceGenerateTLS
is set tofalse
, then maybe the resource should be generated so that helm continue to keep track of it? I'm not sure…The text was updated successfully, but these errors were encountered: