camunda-platform-helm icon indicating copy to clipboard operation
camunda-platform-helm copied to clipboard

Published 20 hours ago verified publisher icon camunda

[ISSUE] Helm upgrade without secrets extraction steps does not trigger validation error between v9 and v10

Open jessesimpson36 opened this issue 9 months ago • 3 comments

Describe the issue:

https://camunda.slack.com/archives/C03UR0V2R2M/p1715673565744409

There are situations where a user may upgrade from 9.3.3 to 10.0.5 without specifying their existingSecrets, and for the error message must not be empty, please add '--set ... to not happen.

Actual behavior:

Helm upgrade will fail initially due to

Error: UPGRADE FAILED: cannot patch "cpt-identity" with kind Deployment: Deployment.apps "cpt-identity" is invalid: spec.selector: Invalid value: v1.LabelSelector{MatchLabels:map[string]string{"app":"camunda-platform", "app.kubernetes.io/component":"identity", "app.kubernetes.io/instance":"cpt", "app.kubernetes.io/managed-by":"Helm", "app.kubernetes.io/name":"camunda-platform", "app.kubernetes.io/part-of":"camunda-platform"}, MatchExpressions:[]v1.LabelSelectorRequirement(nil)}: field is immutable

And if you delete the identity deployment to bypass that, then the helm upgrade will succeed unexpectedly.

Expected behavior:

Error message is expected due to not supplying existingSecrets during the upgrade process:

Error: UPGRADE FAILED: execution error at (camunda-platform/charts/identity/templates/tasklist-secret.yaml:10:22):
PASSWORDS ERROR: You must provide your current passwords when upgrading the release.
                 Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims.
                 Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases

    'global.identity.auth.tasklist.existingSecret' must not be empty, please add '--set global.identity.auth.tasklist.existingSecret=$TASKLIST_SECRET' to the command. To get the current value:

        export TASKLIST_SECRET=$(kubectl get secret --namespace "camunda" "camunda-platform-test-tasklist-identity-secret" -o jsonpath="{.data.tasklist-secret}" | base64 --decode)

How to reproduce:

  1. Install helm install cpt camunda/camunda-platform --version 9.3.3
  2. Upgrade helm upgrade cpt camunda/camunda-platform --version 10.0.5
  3. If you didn't get any validation errors before it tries to apply a manifest, then you've reproduced it.

Logs:

No error message means no logs :cry: .

Environment:

Please note: Without the following info, it's hard to resolve the issue and probably it will be closed.

  • Platform: KIND
  • Helm CLI version: v3.15.0
  • Chart version: 9.3.3 -> 10.0.5
  • Values file: default values.yaml

jessesimpson36 avatar May 22 '24 13:05 jessesimpson36