Helm chart: Allow the creation of extra manifests via values #6424
Conversation
jetstack-bot
added
release-note-none
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
jetstack-bot
added
needs-kind
|
Hi @gplessis. Thanks for your PR. I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
jetstack-bot
added
the
size/S
There was a problem hiding this comment.
Thanks @gplessis
I'm quite strongly opposed to this new Helm chart feature until you can give some specific examples of how it will be used and why other methods can not be used.
See #5900 (comment)
| # solvers: | ||
| # - http01: | ||
| # ingress: | ||
| # class: nginx |
There was a problem hiding this comment.
Have you tested this? I think the toYaml function will choke on what is already yaml. Same as:
I also do not think it will be possible / reliable to create cert-manager Custom Resources as part of the chart,
because the CRDs may not yet have been installed (possibly Helm orders those first?)
and because the cert-manager webhook takes some time to become Ready and it is not safe to create cert-manager custom resources without the webhook running.
Please supply some console output as evidence that this example works.
There was a problem hiding this comment.
Sorry for the late answer.
Yes, I do confirm that, when uncommenting the provided example value, it generates valid YAML:
$ helm template cert-manager deploy/charts/cert-manager
(...)
---
# Source: cert-manager/templates/extras-manifests.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
email: foo@bar.com
privateKeySecretRef:
name: letsencrypt-prod
server: https://acme-v02.api.letsencrypt.org/directory
solvers:
- http01:
ingress:
class: nginxYou're right though: the usage of toYaml will become problematic when using some Helm templating instead of plain YAML as a value, as depicted in prometheus-community/helm-charts#3287
As a consequence, I would be happy to switch to {{ tpl . $ }} (from {{ tpl (toYaml .) $ }}), change the example value accordingly, and be more robust.
Also... I tested this with plain YAML in the context of an upgrade (when CRDs were already installed) and it worked as expected.
But, when installing from scratch, CRDs are missing and the Helm release fails. This would be solved by #6193. In the meantime, I'm ok to put this PR on the back burner.
There was a problem hiding this comment.
Don't use a cert-manager resource in the example, because we know that won't work.
Change the example to be ConfigMap and include a template variable in the example.
Perhaps the standard labels, like @katsew did in prometheus-community/helm-charts#2140
And add some example helm template commands and output to the PR description showing how you've tested it.
There was a problem hiding this comment.
Move the example up above the default value, so that the example is included in the documentation of the values in the chart README file.
For example:
cert-manager/deploy/charts/cert-manager/values.yaml
Lines 7 to 13 in b61de55
cert-manager/deploy/charts/cert-manager/README.template.md
Lines 76 to 89 in b61de55
|
Issues go stale after 90d of inactivity. |
jetstack-bot
added
the
lifecycle/stale
|
/remove-lifecycle stale @gplessis I haven't forgotten about this. I half hoped that I might persuade Helm maintainers to add something to helm: Please comment on that issue explaining your use-case; explain what extra manifests you plan to deploy with the chart. Meanwhile, I'll review and test this. |
jetstack-bot
removed
the
lifecycle/stale
|
/ok-to-test |
jetstack-bot
added
ok-to-test
and removed
needs-ok-to-test
jetstack-bot
added
dco-signoff: no
wallrj
force-pushed
the
helm_extraObjects
branch
2 times, most recently
from
535a089
to
c12e3cb
Compare
jetstack-bot
added
dco-signoff: yes
|
@gplessis I rebased, signed-off and force pushed to your branch to fix the DCO problems. |
|
/kind feature |
jetstack-bot
added
kind/feature
| # solvers: | ||
| # - http01: | ||
| # ingress: | ||
| # class: nginx |
There was a problem hiding this comment.
Don't use a cert-manager resource in the example, because we know that won't work.
Change the example to be ConfigMap and include a template variable in the example.
Perhaps the standard labels, like @katsew did in prometheus-community/helm-charts#2140
And add some example helm template commands and output to the PR description showing how you've tested it.
| # solvers: | ||
| # - http01: | ||
| # ingress: | ||
| # class: nginx |
There was a problem hiding this comment.
Move the example up above the default value, so that the example is included in the documentation of the values in the chart README file.
For example:
cert-manager/deploy/charts/cert-manager/values.yaml
Lines 7 to 13 in b61de55
cert-manager/deploy/charts/cert-manager/README.template.md
Lines 76 to 89 in b61de55
|
We are so close! |
gplessis
force-pushed
the
helm_extraObjects
branch
from
c12e3cb
to
f71726f
Compare
cert-manager-prow
bot
added
dco-signoff: no
Signed-off-by: Guillaume Plessis <gui@endor.ai>
Signed-off-by: Guillaume Plessis <gui@endor.ai>
Signed-off-by: Guillaume Plessis <gui@endor.ai>
Signed-off-by: Guillaume Plessis <gui@endor.ai>
Signed-off-by: Guillaume Plessis <gui@endor.ai>
gplessis
force-pushed
the
helm_extraObjects
branch
from
f71726f
to
b1767b4
Compare
cert-manager-prow
bot
added
dco-signoff: yes
|
@wallrj Thanks for your comments and for the guidance. I addressed all of them. Please let me know what you think. |
There was a problem hiding this comment.
Hey @gplessis
Thanks for your patience and for addressing all the code review feedback and for showing your testing in the PR description.
I was curious to see if I could use extraObjects for @pierluigilenoci 's use-case; to install a Grafana Dashboard alongside cert-manager.
Here's how I tested it
#!/usr/bin/env bash
set -o nounset
set -o errexit
set -o pipefail
script_dir=$(cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd)
root_dir=$(cd -- "${script_dir}/../.." && pwd)
cd "${script_dir}"
# Build the Helm chart
make -C "${root_dir}" helm-chart VERSION=v0.0.0
# Create a Helm values file containing extraObjects with a Grafana dashboard ConfigMap
DASHBOARD_URL=https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/cert-manager/dashboards/cert-manager.json
kubectl create configmap grafana-dashboard \
--dry-run=client \
-o yaml \
--from-file=dashboard.json=<(curl -fsSL $DASHBOARD_URL) \
| yq eval '. | .metadata.name="{{ template \"cert-manager.name\" . }}-grafana-dashboard"
| .metadata.labels={"grafana_dashboard": "1"}
| {"extraObjects": [. | @yaml]}' \
> values.extraobjects.yaml
# Create a cluster
kind create cluster || true
# Install kube-prometheus-stack
helm upgrade default kube-prometheus-stack \
--repo https://prometheus-community.github.io/helm-charts \
--install \
--namespace monitoring \
--create-namespace \
--values "values.kube-prometheus-stack.yaml" \
--wait
# Install cert-manager with the extraObjects values
helm upgrade cert-manager "${root_dir}/_bin/cert-manager-v0.0.0.tgz" \
--namespace cert-manager \
--install \
--create-namespace \
--values values.cert-manager.yaml \
--values values.extraobjects.yaml \
--wait# values.cert-manager.yaml
prometheus:
enabled: true
servicemonitor:
enabled: true
crds:
enabled: true
acmesolver:
image:
tag: v1.14.4
cainjector:
image:
tag: v1.14.4
image:
tag: v1.14.4
startupapicheck:
image:
tag: v1.14.4
webhook:
image:
tag: v1.14.4# values.kube-prometheus-stack.yaml
grafana:
enabled: true
# Enable discovery of all ServiceMonitor and PodMonitor resources
# https://github.com/prometheus-community/helm-charts/issues/1911#issuecomment-1106559031
prometheus:
prometheusSpec:
serviceMonitorSelectorNilUsesHelmValues: false
podMonitorSelectorNilUsesHelmValues: falseI observed that the dashboard configmap got created with all the helm labels and with the helm release name prefix:
$ kubectl get cm -n cert-manager cert-manager-grafana-dashboard -o json | jq '.metadata'
{
"annotations": {
"meta.helm.sh/release-name": "cert-manager",
"meta.helm.sh/release-namespace": "cert-manager"
},
"creationTimestamp": "2024-05-07T13:18:11Z",
"labels": {
"app.kubernetes.io/managed-by": "Helm",
"grafana_dashboard": "1"
},
"name": "cert-manager-grafana-dashboard",
"namespace": "cert-manager",
"resourceVersion": "1626",
"uid": "f749c2cd-5368-4215-8e2e-4b1b33468285"
}
And I saw the dashboard appear in Grafana:
kubectl port-forward -n monitoring deployments/default-grafana 3000
I then uninstalled cert-manager using Helm and observed that the grafana-dashboard configmap was deleted and that the dashboard was automatically removed from Grafana.
/lgtm
/approve
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: wallrj The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
cert-manager-prow
bot
added
the
approved
|
@wallrj thank you very much for your thorough review and your approval. I'm sure this feature will prove useful to a lot of people. |
|
Thank you! ❤️ |
Pull Request Motivation
Sometimes, when installing the Helm chart, some extra manifests need to be deployed to have a fully-functional
cert-manager:SecretProviderClass,ClusterIssuers, orCertificates...This PR enables this use case by allowing the creation of extra manifests passed as Helm values. This is a similar approach to what Grafana and others do.
Implements #5900
When uncommenting the provided example
extraObjectsvalue - even with some template variables - it generates valid YAML:Kind
feature
Release Note