This repository has been archived by the owner on Mar 22, 2024. It is now read-only.

ClusterSPIFFEID CR is included when CRD is found in the chart #427

Open
drewwells opened this issue Aug 7, 2023 · 10 comments
@drewwells
Contributor

If you're doing a fresh install of spire, it attempts to install both a CRD and CR. This is not supported in our CICD workflow (or a good practice). Other projects that require this do so in multiple steps like defining a separate CRD chart or a separate CR chart. I solve for this by installing a separate CR chart.

Repro steps:

```
helm template --namespace spire-server --release-name spire --is-upgrade spiffe/spire --version v0.10.1 --validate
Error: unable to build kubernetes objects from release manifest: resource mapping not found for name: "spire-controller-manager-service-account-based" namespace: "spire-server" from "": no matches for kind "ClusterSPIFFEID" in version "spire.spiffe.io/v1alpha1"
ensure CRDs are installed first
```

@kfox1111
Contributor

kfox1111 commented Aug 7, 2023

I usually helm install with the skip crds flag, and then load it from raw yaml. Would that work?

@drewwells
Contributor Author

Unfortunately, our CICD system would not be able to do this. We need a helm install --only-crds so helm template --validate does not fail.
We normally break out CRDs into a separate chart like cert-manager does. I think the best option is to have federation CRs as examples or a separate chart. Right now I disable the CRs with spire-server.controllerManager.identities.enabled=false then install them in a separate chart internally.
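
A CI pre-flight check for the failure reported above, as an added example that is not part of the thread or the SPIRE chart: it scans rendered chart output and lists every object whose CRD ships in the same render, which is the combination that fails validation on a cluster without the CRD. The sample manifest and the function names are constructed for illustration, and the regex parsing assumes conventional two-space YAML indentation.

```python
import re

# Constructed sample of rendered chart output (not copied from the SPIRE chart):
# one CRD, a CR of the kind it defines, and an unrelated ServiceAccount.
SAMPLE_RENDER = """\
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: clusterspiffeids.spire.spiffe.io
spec:
  group: spire.spiffe.io
  names:
    kind: ClusterSPIFFEID
    plural: clusterspiffeids
---
apiVersion: spire.spiffe.io/v1alpha1
kind: ClusterSPIFFEID
metadata:
  name: spire-controller-manager-service-account-based
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: spire-server
"""

def _field(doc, pattern):
    """First capture group of pattern in doc, unquoted, or None."""
    m = re.search(pattern, doc, re.MULTILINE)
    return m.group(1).strip("\"'") if m else None

def find_bundled_crs(rendered):
    """Return (kind, name) for each object whose CRD is defined in the same render."""
    docs = [d for d in re.split(r"^---[ \t]*$", rendered, flags=re.MULTILINE) if d.strip()]
    defined = set()  # (group, kind) pairs declared by CRDs in this render
    objects = []     # (group, kind, name) of every non-CRD object
    for doc in docs:
        kind = _field(doc, r"^kind:\s*(\S+)")
        api = _field(doc, r"^apiVersion:\s*(\S+)") or ""
        if kind == "CustomResourceDefinition":
            defined.add((_field(doc, r"^  group:\s*(\S+)"),
                         _field(doc, r"^  names:\n(?:    .*\n)*?    kind:\s*(\S+)")))
        else:
            group = api.split("/")[0] if "/" in api else ""  # core API has no group
            objects.append((group, kind, _field(doc, r"^  name:\s*(\S+)")))
    return [(k, n) for g, k, n in objects if (g, k) in defined]
```

A non-empty result means the release cannot be validated or applied in one step against a cluster that does not already have the CRD.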

@kfox1111
Contributor

This is related to #411 as well.

@faisal-memon
Contributor

@drewwells thanks for bringing this up. We definitely need to revisit how controller manager is integrated. I'm not super familiar with how cert manager works. Would that model work here?

@kfox1111
Contributor

kfox1111 commented Sep 6, 2023

No, it's a CRD + CR issue, not a Certificate issue. CRD management with helm has always been... problematic.

Some of the gory details are outlined in hip 11. https://github.com/helm/community/blob/main/hips/hip-0011.md

@drewwells
Contributor Author

drewwells commented Sep 6, 2023

In layman's, you can read this https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#method-2-separate-charts

@kfox1111
Contributor

kfox1111 commented Sep 6, 2023

Hmm... If we moved it to a separate chart, we could conditionally embed it, and have it standalone. Then folks could use it either way.

@faisal-memon
Contributor

@drewwells Plan we came up with is to create a sub chart with the crd and convert it to a template. Then eventually move it to a separate root level chart. Would appreciate your thoughts on this plan.

@drewwells
Contributor Author

As long as we can install it as if it were a chart with only crds in it, then that will work fine.

@kfox1111
Contributor

That's the plan.
