Provide optional rollback support for HelmReleases

[hiddeco]

Fixes #1960

[hiddeco]

@squaremo @2opremio although this PR is still a draft, please take a look whenever you have time.

The reason it is still is a draft is described in #1960 (comment), but due to Helm not providing us with tools to observe successful roll-outs, I see no easy way to work around the issue described in this comment. (Given the feature is opt-in, maybe we can live with it for a while?)

[2opremio]

@hiddeco Won't the rollback mechanism change based on how #1960 (comment) is resolved? If it can differ, then I think it's better to review it once we have a design.

Given the feature is opt-in, maybe we can live with it for a while?

Uhm, I am not sure. An infinite loop is scary

[hiddeco]

@2opremio @squaremo took me some time to get the mechanics sorted, but here it is.

The operator now keeps track of what generation of a resource it has seen, this is done by updating the ObservedGeneration status after it has performed a non-deleting operation, it also adds a status condition for rollbacks, and keeps track of both condition change and update timestamps.

In case a rollback status condition is set, there are three options:

1. If the generation > observedGeneration, we attempt an upgrade as the values may have changed (the generation of a resource is not increased on status updates, this is by design and widely utilized in the k8s core).
2. If the chart has been rolled back, but we have observed an update of the Helm chart source after this happened (LastUpdateTime), we attempt an upgrade as the contents of the chart source may have changed (or the failure is old).
3. We bail and log a warning to the user that we skipped the release.

I am still on the fence about two scenarios:

1. In case the Helm operator is restarted, it will attempt an upgrade and rollback afterwards. I think this is because it gets added to the queue through the AddFunc event handler on the informer, which does not perform any state checks at the moment, need to investigate...
2. If the rollback was due to the contents of any valuesFrom source, we are unable to determine this has been fixed, as any changes in those sources do not result in a new resource generation and we resolve and merge those values JIT for the upgrade we want to perform, which is much later in the process.

[2opremio]

2. If the rollback was due to the contents of any valuesFrom source, we are unable to determine this has been fixed, as any changes in those sources do not result in a new resource generation and we resolve and merge those values JIT for the upgrade we want to perform, which is much later in the process.

Can't we store the valuesFrom in the status?

[hiddeco]

We could store a SHA hash of the merged values in a status (someone on Slack suggested something like this too). But to be able to make a comparison and detect a change, this would require us to resolve and merge all values before we schedule an upgrade (in operator.go), which does not look like an optimal solution to me.

[2opremio]

Maybe, only maybe, create variables for the reason and message and call chs.setCondition only once?

[2opremio]

Code looks good, but I don't know enough about the Helm Operator to rubber-stamp this.

I am missing tests though (which I guess you planned to add later)

[hiddeco]

I don't know enough about the Helm Operator to rubber-stamp this

It may be an idea to pick up some of the FIXME/TODOs in integrations/helm/chartsync/chartsync.go and integrations/helm/release/release.go in the (near) future to prevent it from becoming heavy opinionated by my views and to spread some knowledge amongst maintainers.

The operator is not that complex and quite small as a whole, so you should be able to fit it into your head rapidly. (I was able to do this and I am not the fastest person on earth in Golang code bases at the moment).

[2opremio]

Thanks @hiddeco , I will take a look at those once I am done with the e2e test refactoring.

[hiddeco]

@2opremio @squaremo it does now detect changes to external values files, how it does this is up for debate.

I personally am not very happy with it, i.e. using the *ChartChangeSync in the enqueueUpdateJob method feels wrong (decision making should be fast), but given that we need to resolve all external files this was the only entrypoint I could think of, and as we only do this for HelmReleases with rollbacks enabled the overhead should be minimal.

[squaremo]

I could really do with a state machine diagram to see what's going on!

[adrian]

I've been testing this branch and came across a problem with StatefulSets.

If an upgrade involves recreating the pods in a StatefulSet then Kubernetes will, as normal, start replacing the pods starting at the last ordinal, e.g.

acme-statefulset-0                 1/1     Running            0          5m26s
acme-statefulset-1                 1/1     Running            0          5m21s
acme-statefulset-2                 0/1     ContainerCreating   0          1s

If that pod fails to come up (e.g. the image is missing) the release is rolled back but the problem pod is left as-is, i.e.

acme-statefulset-0                 1/1     Running            0          5m26s
acme-statefulset-1                 1/1     Running            0          5m21s
acme-statefulset-2                 0/1     ImagePullBackOff   0          33s

The problem is addressed by including recreate: true in the HelmRelease as all pods in the release are deleted as part of the rollback. However, this seems heavy handed as it means all pods in the StatefulSet and any other workloads created by the helm chart are also deleted.

Is there a way to address this?

Could the --cleanup-on-fail flag in Helm v2.14.0 be a solution?

[hiddeco]

@adrian given that StatefulSets are known to be problematic to rollback (as mentioned in the issue linked in this PR), and the fact that we mimic helm upgrade --atomic. I am afraid this has little to do with the Helm operator itself, but more with Helm.

I am however interested in any solution you may come across which solves the problem for helm, so I can include the required flag(s) and/or add the solution to our docs. My advice to you would be to see if you can make it work with helm upgrade --atomic <maybe --cleanup-on-fail> <or --recreate-pods> (or maybe a different strategy).

Oh, and almost forgot -- awesome you are testing this :-)

[adrian]

FWIW I've been testing the operator on this branch for the past few days and it's working fine. I've tested,

• upgrades with rollback.enabled: false
• upgrades with rollback.enabled: true and rollback.recreate: false
• upgrades with rollback.enabled: true and rollback.recreate: true

[adrian]

In relation to my question earlier about dealing with failed pods in StatefulSets...

--cleanup-on-fail isn't an option as it only deletes net new pods, i.e. pods for new workloads rather than updated pods.

--recreate recreates all pods belonging to all workloads deployed by the helm chart. This works, but leads to service downtime as the pods are being recreated.

One option we've implemented (not in an operator) is to delete all broken StatefulSet pods after issuing the helm rollback command. Maybe that's something that the operator could do?

[hiddeco]

FWIW I've been testing the operator on this branch for the past few days and it's working fine.

Awesome, going to rebase and tidy things up and bother @squaremo with reviewing again so it lands in master.

One option we've implemented (not in an operator) is to delete all broken StatefulSet pods after issuing the helm rollback command. Maybe that's something that the operator could do?

I am not very keen on implementing 'hacks' like this in the operator, the reason for this is that it may work for you but breaks things for other people. Instead, and this is probably not to your likening, I would just make note of that it is likely to give issues with some StatefulSet setups, due to shortcomings in Helm.

[squaremo]

Code looks fine to me, the design (in the state diagram) looks right, and we have some empirical evidence that it works as designed. Let's release it into the wild!

[semyonslepov]

@hiddeco this is awesome, thanks a lot for implementing this feature!
Would you mind also updating the docs on Helm integration: https://github.com/weaveworks/flux/blob/master/site/helm-integration.md ?

[hiddeco]

@semyonslepov thanks for your enthusiasm and interest in this feature, I merged a PR yesterday which documents the added fields to the HelmRelease.

Last, if you do not want to wait on the next Helm operator release, there is a prerelease build available which also adds experimental support for running multiple workers processing your releases (--workers=<num>).