Release resource fails to determine status of the Helm release

Open juv opened this issue 3 years ago • 3 comments

What happened?

The Release resource never gets into any status. The .status field is even present when I run kubectl get release my-release -o yaml

kubectl get release helm-test
NAME        CHART                             VERSION   SYNCED    READY     STATE     REVISION   DESCRIPTION   AGE
helm-test   crossplane-irsa-service-account   0.1.3                                                            16m

How can we reproduce it?

My Helm chart is only creating a single Kubernetes resource, a ServiceAccount. I can see that the service account resource is created as expected. The Helm release itself is in status deployed.

helm3 ls -n johns-space
NAME            NAMESPACE       REVISION        UPDATED                                 STATUS          CHART                                   APP VERSION
helm-test       johns-space     1               2021-07-21 10:20:18.166948602 +0000 UTC deployed        crossplane-irsa-service-account-0.1.3   1.0.0

kubectl get release helm-test -o yaml:

apiVersion: helm.crossplane.io/v1beta1
kind: Release
metadata:
  annotations:
    crossplane.io/external-name: helm-test
    kubectl.kubernetes.io/last-applied-configuration: |
      ...
  creationTimestamp: 2021-07-21T10:20:17Z
  finalizers:
  - finalizer.managedresource.crossplane.io
  generation: 2
  managedFields:
  - apiVersion: helm.crossplane.io/v1beta1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          f:crossplane.io/external-name: {}
        f:finalizers:
          .: {}
          v:"finalizer.managedresource.crossplane.io": {}
      f:status:
        .: {}
        f:atProvider: {}
    manager: crossplane-helm-provider
    operation: Update
    time: 2021-07-21T10:20:17Z
  - apiVersion: helm.crossplane.io/v1beta1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:kubectl.kubernetes.io/last-applied-configuration: {}
      f:spec:
        .: {}
        f:forProvider:
          .: {}
          f:chart:
            .: {}
            f:name: {}
            f:pullSecretRef:
              .: {}
              f:name: {}
              f:namespace: {}
            f:repository: {}
            f:version: {}
          f:namespace: {}
          f:skipCreateNamespace: {}
          f:values:
            .: {}
            f:serviceAccount: {}
        f:providerConfigRef:
          .: {}
          f:name: {}
    manager: kubectl.exe
    operation: Update
    time: 2021-07-21T10:20:17Z
  name: helm-test
  resourceVersion: "57346645"
  uid: 3cfc444b-64c4-43e9-8f52-ac234393b37d
spec:
  forProvider:
    chart:
      name: crossplane-irsa-service-account
      pullSecretRef:
        name: artifactory-basic-auth
        namespace: crossplane-system
      repository: https://my-artifactory.com/artifactory/helm-virtual
      version: 0.1.3
    namespace: johns-space
    skipCreateNamespace: true
    values:
      serviceAccount:
        annotations:
          eks.amazonaws.com/role-arn: test-annotation
        name: my-sa
  providerConfigRef:
    name: helm-provider

kubectl describe release helm-test:

Name:         helm-test
Namespace:
Labels:       <none>
Annotations:  crossplane.io/external-name=helm-test
              kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"helm.crossplane.io/v1beta1","kind":"Release","metadata":{"annotations":{},"name":"helm-test","namespace":""},"spec":{"forProvider":{"cha...
API Version:  helm.crossplane.io/v1beta1
Kind:         Release
Metadata:
  Creation Timestamp:  2021-07-21T10:20:17Z
  Finalizers:
    finalizer.managedresource.crossplane.io
  Generation:  2
  Managed Fields:
    API Version:  helm.crossplane.io/v1beta1
    Fields Type:  FieldsV1
    Fields V 1:
      F : Metadata:
        F : Annotations:
          F : Crossplane . Io / External - Name:
        F : Finalizers:
          .:
          V :" Finalizer . Managedresource . Crossplane . Io ":
      F : Status:
        .:
        F : At Provider:
    Manager:      crossplane-helm-provider
    Operation:    Update
    Time:         2021-07-21T10:20:17Z
    API Version:  helm.crossplane.io/v1beta1
    Fields Type:  FieldsV1
    Fields V 1:
      F : Metadata:
        F : Annotations:
          .:
          F : Kubectl . Kubernetes . Io / Last - Applied - Configuration:
      F : Spec:
        .:
        F : For Provider:
          .:
          F : Chart:
            .:
            F : Name:
            F : Pull Secret Ref:
              .:
              F : Name:
              F : Namespace:
            F : Repository:
            F : Version:
          F : Namespace:
          F : Skip Create Namespace:
          F : Values:
            .:
            F : Service Account:
        F : Provider Config Ref:
          .:
          F : Name:
    Manager:         kubectl.exe
    Operation:       Update
    Time:            2021-07-21T10:20:17Z
  Resource Version:  57346645
  UID:               3cfc444b-64c4-43e9-8f52-ac234393b37d
Spec:
  For Provider:
    Chart:
      Name:  crossplane-irsa-service-account
      Pull Secret Ref:
        Name:               artifactory-basic-auth
        Namespace:          crossplane-system
      Repository:           https://my-artifactory.com/artifactory/helm-virtual
      Version:              0.1.3
    Namespace:              johns-space
    Skip Create Namespace:  true
    Values:
      Service Account:
        Annotations:
          Eks . Amazonaws . Com / Role - Arn:  test-annotation
        Name:                                  my-sa
  Provider Config Ref:
    Name:  helm-provider
Events:
  Type    Reason                   Age   From                                Message
  ----    ------                   ----  ----                                -------
  Normal  CreatedExternalResource  12m   managed/release.helm.crossplane.io  Successfully requested creation of external resource

What environment did it happen in?

Crossplane version: crossplane/provider-helm:v0.7.2 and crossplane/crossplane:v1.3.0

juv avatar Jul 21 '21 10:07 juv

You can find the helm chart I'm trying to install with provider-helm here: crossplane-irsa-service-account.zip

Example command to test the chart locally (note: this is for Windows/PowerShell)

> helm template helm-test2 . --set serviceAccount.name=test --set serviceAccount.annotations."eks\.amazonaws\.com\/role-arn"=whatever
---
# Source: crossplane-irsa-service-account/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: test
  labels:
    helm.sh/chart: crossplane-irsa-service-account-0.1.3
    app.kubernetes.io/name: crossplane-irsa-service-account
    app.kubernetes.io/instance: helm-test2
    app.kubernetes.io/version: "1.0.0"
    app.kubernetes.io/managed-by: Helm
  annotations:
    eks.amazonaws.com/role-arn: whatever

Example Release resource (note: you will need to adjust repository and pullSecretRef)

apiVersion: helm.crossplane.io/v1beta1
kind: Release
metadata:
  name: helm-test
spec:
  forProvider:
    namespace: your-namespace
    values:
      serviceAccount:
        name: my-sa
        annotations:
          eks.amazonaws.com/role-arn: test-annotation
    chart:
      name: crossplane-irsa-service-account
      repository: https://your-helm-registry.com/...
      version: 0.1.3
      pullSecretRef:
        name: artifactory-basic-auth
        namespace: crossplane-system
    skipCreateNamespace: true
    wait: false
  providerConfigRef:
    name: helm-provider

juv avatar Jul 21 '21 11:07 juv

@juv thanks for the ticket.

Just tried on my side and it seems it worked fine.

Used the following release manifest:

apiVersion: helm.crossplane.io/v1beta1
kind: Release
metadata:
  name: helm-test
spec:
  forProvider:
    namespace: your-namespace
    values:
      serviceAccount:
        name: my-sa
        annotations:
          eks.amazonaws.com/role-arn: test-annotation
    chart:
      name: crossplane-irsa-service-account
      url: https://storage.googleapis.com/helm-repo-dev/crossplane-irsa-service-account-0.1.3.tgz
    skipCreateNamespace: true
    wait: false
  providerConfigRef:
    name: helm-provider

and used this as provider config with admin privileges: https://github.com/crossplane-contrib/provider-helm/blob/master/examples/provider-config/provider-config-incluster.yaml

turkenh avatar Jul 21 '21 11:07 turkenh

It appears that this error is related to RBAC and not directly related to the functionality.

The following configuration is not enough, note the resources for apiGroup helm.crossplane.io

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: crossplane-helm-provider
rules:
  - apiGroups:
      - ""
    resources:
      - serviceaccounts
      - secrets
      - events
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  - apiGroups:
      - helm.crossplane.io
    resources:
      - providerconfigs
      - releases
      - providerconfigusages
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete

In here the subresource for the release status, i.e. releases/status, is missing.

When adding that subresource, it works:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: crossplane-helm-provider
rules:
  - apiGroups:
      - ""
    resources:
      - serviceaccounts
      - secrets
      - events
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  - apiGroups:
      - helm.crossplane.io
    resources:
      - providerconfigs
      - releases
      - releases/status
      - providerconfigusages
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete

Maybe a useful enhancement would be to print out error messages to the provider-helm logs when updating the ReleaseStatus fails?

juv avatar Jul 21 '21 14:07 juv
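Added example, not part of the thread and not provider-helm code: a reduced Go model of Kubernetes RBAC resource matching, run against the helm.crossplane.io rule from the two ClusterRoles above, showing why a grant on `releases` does not extend to `releases/status`. The `Rule` type and the function names are hypothetical, and checking the `update` verb is an assumption about how the status write is made.

```go
package main

import "fmt"

// Rule is a reduced RBAC PolicyRule (hypothetical type for this example).
type Rule struct{ Groups, Resources, Verbs []string }

func has(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// Allowed applies Kubernetes RBAC resource matching: a rule on "releases" does
// not cover "releases/status"; only "*", the exact "resource/sub" or "*/sub" do.
func Allowed(rules []Rule, verb, group, resource, sub string) bool {
	want := resource
	if sub != "" {
		want = resource + "/" + sub
	}
	for _, r := range rules {
		ok := has(r.Resources, want) || (sub != "" && has(r.Resources, "*/"+sub))
		if ok && has(r.Verbs, verb) && has(r.Groups, group) {
			return true
		}
	}
	return false
}

// StatusGap is true when the resource can be updated but its status subresource cannot.
func StatusGap(rules []Rule, group, res string) bool {
	return Allowed(rules, "update", group, res, "") && !Allowed(rules, "update", group, res, "status")
}

// HelmRule rebuilds the helm.crossplane.io rule from the thread, plus optional extra resources.
func HelmRule(extra ...string) []Rule {
	res := append([]string{"providerconfigs", "releases", "providerconfigusages"}, extra...)
	verbs := []string{"get", "list", "watch", "create", "update", "patch", "delete"}
	return []Rule{{Groups: []string{"helm.crossplane.io"}, Resources: res, Verbs: verbs}}
}

func main() {
	for _, extra := range [][]string{nil, {"releases/status"}} {
		fmt.Println(extra, "gap:", StatusGap(HelmRule(extra...), "helm.crossplane.io", "releases"))
	}
}
```

On a live cluster the same question can be asked with `kubectl auth can-i update releases.helm.crossplane.io --subresource=status --as=system:serviceaccount:<namespace>:<name>`, where the service account is a placeholder for the one the provider runs as.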