New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Create new resource policy, "no-upgrade-existing" #5290
Conversation
…ing an existing resource. Signed-off-by: Michael FIG <michael@fig.org>
Hey there. Thanks for the PR. I'm curious to know what's the difference between this and wrapping the whole object in a |
I tried that, but helm will delete the resource on upgrade. |
As a curious bystander I have a question: |
@msvticket,
The |
Ah yes, forgot about that. Sorry! What about a pre-install hook instead? If I recall, this should work without an issue (and solve the same use case as described):
That hook will render the secret before any resources are created in Kubernetes, and will not be updated during a Have you tried that before, and if so, what difference does the |
@bacongobbler The difference between |
The use cases provided in https://github.com/helm/charts/issues/5167 has been
The
Why would you want to install a chart with a password that gets changed every time you call |
It wouldn't be changed every time you call Also, the main advantage (that I've perhaps not stated very well) is that the annotation can be added to an existing chart, and if somebody already installed the old chart with a random password, upgrading to the new chart will not overwrite it. With an init hook, the default Helm behaviours will mean that user of the old chart is out of luck: it will still be deleted (or in the best case, overwritten) when they upgrade to the new chart. |
Okay, I'm starting to see the use case now. So essentially it's kind of "pinning" an object to its state. Thank you. I'll have another look. |
Would Also, what if the chart wants both this policy and also |
|
I think |
related discussion: #3053 (comment) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! Can't wait to see this in the next release.
@FrenchBen, @bacongobbler will this be merged? Thanks, |
Right now I'm focusing on getting 2.13.0 out the door as well as Helm 3 core development work. When I have more time I will get back to this, but for now I don't have the time to review. Sorry! @FrenchBen's input is appreciated, but he is not a core maintainer. It needs an LGTM from a core maintainer before it can be merged. :) |
Would this work if we wanted to update one field in the resource, but not another (say a randomly generated ID or password)? |
@cgetzen, sorry but no, subsets of a resource are not kept. The current patch is all-or-nothing. |
Is there any ETA for merging this? |
No ETA. I've been focusing more recently on security fixes for Helm 2 as well as ongoing development for Helm 3 so I have not been able to give this PR the time to think through the design. If others could actually test this PR out and give it some feedback, that would be very helpful. I'm concerned that it might not solve the use cases in helm/charts#5167, so feedback from users running this in staging/production would be more helpful moving this forward. |
What are your thoughts on why this doesn't resolve #5167 @bacongobbler? It really seems like it's exactly what's needed. Would love to see this get in. |
It only checks the "target" (the chart you are upgrading to) for the "pin" annotation. As soon as the annotation is removed from the template on a |
IMO it should be a "set and forget" setting that occurs outside of the update logic. In other words the user should mark the existing resource as "pinned" with the annotation, which then Helm will recognize the annotation and ignore the update. The user must remove the annotation from the resource to allow updates. IOW we should be checking the source for the annotation, not the target. |
Closing as this is not the right approach for the problem. If someone wants to implement a PR as well as the supporting documentation that covers the approach described here for Helm 3, that'd be great. Helm 2.15.0 is the last feature release for Helm 2 so we are no longer accepting new features in Helm 2. |
Signed-off-by: Michael FIG michael@fig.org
What this PR does / why we need it:
refs charts #5167
This annotation can be added to existing charts that created random passwords, and they will no longer modify the passwords on upgrade.
See the sample
secret.yaml
below for usage.Special notes for your reviewer:
If applicable:
Not sure how to create a unit test: this is what I used for testing on my machine, after running
helm create helm-random-secret
helm-random-secret/templates/secret.yaml
t.sh: