Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Helm: Chart not using helm-flag '--namespace' #7226

Closed
flyinggecko opened this issue Jun 9, 2021 · 9 comments
Closed

Helm: Chart not using helm-flag '--namespace' #7226

flyinggecko opened this issue Jun 9, 2021 · 9 comments
Labels
area/helm Issues or PRs related to helm charts good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/bug Categorizes issue or PR as related to a bug.

Comments

@flyinggecko
Copy link

flyinggecko commented Jun 9, 2021
edited
Loading

NGINX Ingress controller version: 0.47.0

Kubernetes version (use kubectl version): Server Version: version.Info{Major:"1", Minor:"19+", GitVersion:"v1.19.9-gke.1900", GitCommit:"008fd38bf3dc201bebdd4fe26edf9bf87478309a", GitTreeState:"clean", BuildDate:"2021-04-14T09:22:08Z", GoVersion:"go1.15.8b5", Compiler:"gc", Platform:"linux/amd64"}

Environment:

  • Cloud provider or hardware configuration: GKE
  • OS (e.g. from /etc/os-release): Container-Optimized OS from Google
  • Kernel (e.g. uname -a): 5.4.89+ Basic structure  #1 SMP Sat Feb 13 19:45:14 PST 2021
  • Install tools: helm v3.6.0 (I hope this is what you want to know)
  • Others:

What happened:

I was running helm template --namespace gitlab-managed-apps nginx-ingress ingress-nginx/ingress-nginx
The result is (just a few resources, as the output would be too long):

---
# Source: ingress-nginx/templates/controller-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: "0.47.0"
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx
automountServiceAccountToken: true
---
# Source: ingress-nginx/templates/controller-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: "0.47.0"
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
data:
---
# ...

What you expected to happen:

Every resource, except cluster-wide resources (e.g. ClusterRole), should have the namespace set in metadata.namespace

---
# Source: ingress-nginx/templates/controller-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: "0.47.0"
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx
  namespace: gitlab-managed-apps # <------ Is missing
automountServiceAccountToken: true
---
# Source: ingress-nginx/templates/controller-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/version: "0.47.0"
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress-nginx-controller
  namespace: gitlab-managed-apps # <------ Is missing
data:
---
# ...

How to reproduce it:

Just run:
helm template --namespace gitlab-managed-apps nginx-ingress ingress-nginx/ingress-nginx

Anything else we need to know:

If this is a bug, I'm willing to fix it. ;)

/kind bug
/area helm
@flyinggecko flyinggecko added the kind/bug Categorizes issue or PR as related to a bug. label Jun 9, 2021
@k8s-ci-robot k8s-ci-robot added the area/helm Issues or PRs related to helm charts label Jun 9, 2021
@longwuyuan
Copy link
Contributor

longwuyuan commented Jun 9, 2021 via email

@tao12345666333
Copy link
Member

tao12345666333 commented Jun 19, 2021
edited
Loading

maybe we could add namespace: {{ .Release.Namespace }} to all resources templates.

/good-first-issue

@k8s-ci-robot
Copy link
Contributor

@tao12345666333:
This request has been marked as suitable for new contributors.

Please ensure the request meets the requirements listed here.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-good-first-issue command.

In response to this:

maybe we need add namespace: {{ .Release.Namespace }} to all resources templates.

/good-first-issue

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. labels Jun 19, 2021
@longwuyuan
Copy link
Contributor

longwuyuan commented Jun 19, 2021
edited
Loading

  • helm install command honors the --namespace flag
  • This issue is about the helm template command and the namespace may not exist at the time of running this command. I don't know if that is a factor.
  • I see at least the configmap template showing {{ .Release.Namespace}} under a if condition
  • I have tried helm template on a bitnami/mysql chart and it seems to do the expected thing
$ helm template --namespace nstest mysql bitnami/mysql 
  # Source: mysql/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: mysql
  namespace: nstest    --------> # --namespace flag honored
  labels:
    app.kubernetes.io/name: mysql
    helm.sh/chart: mysql-8.6.2
    app.kubernetes.io/instance: mysql
    app.kubernetes.io/managed-by: Helm
  annotations:
secrets:
  - name: mysql
  • While, as reported, ingress-nginx chart does not
---
$ helm template --namespace nstest ingress0 ingress-nginx/ingress-nginx
# Source: ingress-nginx/templates/controller-serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    helm.sh/chart: ingress-nginx-3.33.0
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/instance: ingress0
    app.kubernetes.io/version: "0.47.0"
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: controller
  name: ingress0-ingress-nginx
automountServiceAccountToken: true
  • I don't see {{ .Release.Namespace }} in ingress-nginx serviceaccount template yaml
_$ cat controller-serviceaccount.yaml
{{- if or .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    {{- include "ingress-nginx.labels" . | nindent 4 }}
    app.kubernetes.io/component: controller
  name: {{ template "ingress-nginx.serviceAccountName" . }}
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
{{- end }}
  • But I can see the {{ .Release.Namespace }} in the bitnami/mysql chart serviceaccount template yaml
__$ cat serviceaccount.yaml 
{{- if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "mysql.serviceAccountName" . }}
  namespace: {{ .Release.Namespace }}
  labels: {{- include "common.labels.standard" . | nindent 4 }}
    {{- if .Values.commonLabels }}
    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
    {{- end }}
  annotations:
    {{- if .Values.serviceAccount.annotations }}
    {{- include "common.tplvalues.render" ( dict "value" .Values.serviceAccount.annotations "context" $ ) | nindent 4 }}
    {{- end }}
    {{- if .Values.commonAnnotations }}
    {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
    {{- end }}
{{- if (not .Values.auth.customPasswordFiles) }}
secrets:
  - name: {{ template "mysql.secretName" . }}
{{- end }}
{{- end }}

@tao12345666333 if some more advise and guidance is available, then I can attempt a PR . I don't know the impact of adding {{ .Release.Namespace }} in all relevant template yaml files.

  • I can guess that clusterrole and clusterrolebinding yaml files should/need not have this. But I am not dead sure of much else.
  • Do I need to learn the go code of helm template command functioning.
  • Would it be prudent to precisely list the names of the yaml files that need to be edited for this one liner, in the metadata section. And get a signoff from you/others on which files need that oneliner

@tao12345666333
Copy link
Member

This is a known issue. As mentioned here helm/helm#3553 (comment) the helm template command will ignore the --namespace flag.

So usually when we write helm chart, we will add namespace: {{ .Release.Namespace }} by default.

I don't know the impact of adding {{ .Release.Namespace }} in all relevant template yaml files.

You only need to add this field for resources in the namespace scope
ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/#not-all-objects-are-in-a-namespace

@longwuyuan longwuyuan mentioned this issue Jun 19, 2021
Closed
8 tasks
@longwuyuan
Copy link
Contributor

@tao12345666333 bacongobbler's comments in that issue you linked make so much sense

@longwuyuan longwuyuan mentioned this issue Jun 20, 2021
Merged
8 tasks
@flyinggecko flyinggecko reopened this Jun 21, 2021
@flyinggecko
Copy link
Author

Sorry, my bad. I hit the wrong button by accident.

There are at least some use-cases for the namespace parameter in the helm-template-functionality:

We use it to create the manifests and then let them deploy via gitlab's kubernetes agent. In that case we need to manually adjust the rendered manifest every time we update the helm values.

So, i will prepare a pr for this ;) bests

@tao12345666333
Copy link
Member

@flyinggecko Don't worry, @longwuyuan has opened a PR #7256

@flyinggecko
Copy link
Author

Cool, is released and already in use. Thank you 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/helm Issues or PRs related to helm charts good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/bug Categorizes issue or PR as related to a bug.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@flyinggecko @tao12345666333 @longwuyuan @k8s-ci-robot