-
Notifications
You must be signed in to change notification settings - Fork 113
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Pulumi fails to upgrade chart when SSA enabled #2215
Comments
Hi @hagaibarel, thanks for the issue. I'm sorry to hear you're having issues with server-side apply. There are a couple of possible remedies to this issue that we suggest:
|
Thanks for the reply, We changed SSA to Setting ignore changes doesn't have any affect on |
Two other reports of this at #2206 (comment) and #2206 (comment). @lblackstone @roothorp Beyond disabling this, what do users need to do to get the default configuration of the provider to work in these cases? |
We are reverting the default SSA-mode change in #2216, and will follow up with additional testing and documentation for Helm charts. It seems like certain charts always cause conflicts by default, and we'll need to figure out how to address that. |
Another use case where we're seeing issues around helm charts and SSA:
In this case, since the |
Just a note to say that the patch release v3.22.1 reverts the change of server-side apply being the default. This doesn't solve the problem with server-side apply with Helm, so I'll leave this issue open. You may want to keep the explicit |
Yes, we upgraded and explicitly set the option to false on all of our stack configs. Honestly this has taken us by surprise, it broke all of our pulumi programs (3 different ones, ~20 stacks, managing a total of ~800 |
Sorry for the bumpy rollout on this feature. We did test Helm with SSA mode, but missed the case where the Chart conflicts with a controller setting. I've tested the kruise example that you provided, and found that you can work around the problem using the import * as k8s from "@pulumi/kubernetes";
// Create a Provider with SSA enabled.
const provider = new k8s.Provider("k8s", {
enableServerSideApply: true,
});
new k8s.helm.v3.Chart("test", {
chart: "kruise",
version: "1.3.0",
fetchOpts: {
repo: "https://openkruise.github.io/charts/"
},
values: {
manager: {
replicas: 1
}
},
transformations: [
(obj: any, opts: pulumi.CustomResourceOptions) => {
if (obj.kind === "ValidatingWebhookConfiguration" || obj.kind === "MutatingWebhookConfiguration") {
opts.ignoreChanges = [
"metadata.annotations.template",
"webhooks[*].clientConfig",
];
}
}
]
}, {provider}) It's unfortunate that this requires more fiddling than it does with Client-side Apply, but it is surfacing a legitimate conflict on those fields compared to what the Pulumi program is setting. I think that the additional rigor will generally be a good thing, but will cause some friction initially as users need to resolve conflicts that were previously undetected. We will also update the conflict error message to be clearer about all of the resolution options, and when each one should be used. |
What happened?
After initial installation of a chart, following actions (up/preview) fail because some fields on resources are manged by the installed components.
Steps to reproduce
Consider the following pulumi program:
Initial installation works fine, but when trying to run the next operation (e.g. preivew), the follow error occuers:
From what I understand, since the
caBunlde
is set to some dummy value in the chart, and the controller rewrites them once it starts it's now the owner of those fields, yetpulumi
is still trying to override them. There's no way to passpulumi.com/patchForce=true
to those resources, nor would I like to as it can break the webhook ca configuration.Expected Behavior
pulumi
should not try to update fields owned by another entity and opeartions should workActual Behavior
See repro above
Output of
pulumi about
Additional context
I've seeing this happening in other charts as well (e.g.
kube-state-metrics
) where other controllers update fields and are set as owners but in those cases there was a way to passforcePatch
Contributing
Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).
The text was updated successfully, but these errors were encountered: