Initial chart deployment fails: Error from server (NotFound): jobs.batch "openfga-migrate" not found

Open malud opened this issue 9 months ago • 6 comments

So basically our setup is ArgoCD which polls the gitops repo to apply this helm chart. However, the openfga pod fails with Back-off restarting failed container wait-for-migration in pod openfga. This happens due to the missing job.

This resource doesn’t get created automatically — I have to log in to our cluster and apply the job resource manually in order for the migrate init container to succeed, which in turn allows the FGA pod to run.

The job resource is the only one with a hook and weight annotation:

helm.sh/hook-weight: "-5"

Could this be the issue?

malud avatar Apr 08 '25 16:04 malud

@malud Any recommendations on how to fix it? Does it work with older versions? I am trying to set up openfga via Helm chart in our Kubernetes.

jonasmock avatar Apr 18 '25 12:04 jonasmock

Adding helm annotations to the service account and migrate job to create them during pre-install fixed it for me.

# in values.yaml

serviceAccount:
  create: true

migrate:
  annotations:
    helm.sh/hook: "pre-install, post-upgrade, post-rollback, post-delete" # not post-install
    helm.sh/hook-weight: "-5"

marlenekoh avatar Apr 23 '25 09:04 marlenekoh

@jonasmock as mentioned, local template processing and kubectl apply to create the job resource but @marlenekoh has a great workaround here, thanks.

malud avatar Apr 24 '25 09:04 malud

Related to #107.

This is related to how ArgoCD interprets some of the Helm hooks. I did a local helm install first, and then after the chart is applied once, all works well via ArgoCD.

mkyc avatar May 19 '25 15:05 mkyc

This did not work for me. What worked for me was to remove the annotations on migrate and set serviceAccount hooks as follows.

serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Annotations to add to the service account
  annotations:
    helm.sh/hook: "pre-install"
    helm.sh/hook-weight: "-6"

migrate:
  annotations:

With this setting, the openFGA service pods wait for the migrate pod to finish running. After the migrate pod finishes the service pods start successfully.

RhynoVDS avatar Jul 28 '25 00:07 RhynoVDS

Try using migration type initContainer instead of job; it should fix the openfga-migrate not found issue. My environment is using ArgoCD.

---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

helmCharts:
- name: openfga
  releaseName: openfga
  repo: https://openfga.github.io/helm-charts
  version: 0.2.38
  valuesInline:
    datastore:
      engine: postgres
      existingSecret: openfga-pg-app
      migrationType: initContainer # <-- change here, based on here https://github.com/openfga/helm-charts/blob/main/charts/openfga/templates/deployment.yaml#L55
      secretKeys:
        uriKey: uri
        passwordKey: password
        usernameKey: username

    serviceAccount:
      annotations:
        argocd.argoproj.io/hook: PreSync
        argocd.argoproj.io/sync-wave: "-2"

xshadowlegendx avatar Jul 28 '25 09:07 xshadowlegendx

Is there a reason that migrationType: job is the default?

djds avatar Dec 16 '25 23:12 djds