Helm: add omitHelmLabels so that people can generate static manifests without the Helm-specific labels
#74
Conversation
cert-manager-prow
bot
added
dco-signoff: yes
|
cert-manager has a similar value: https://github.com/cert-manager/cert-manager/blob/master/deploy/charts/cert-manager/values.yaml#L1380-L1384 |
|
Talked during the open standup: I noticed that the label app.kubernetes.io/version: "0.5.0"got removed. I will add it back using Note that I noticed that some users prefer when the label selectors don't have a variable version: quarkusio/quarkus#11070. But that seems to be only when a Pod is used directly since pod specs are immutable. In Openshift-routes, we use deployments which means this isn't a problem. |
|
I noticed some discrepancies with the image tag pattern in v0.5.0 and in v0.6.0: -image: "ghcr.io/cert-manager/cert-manager-openshift-routes:0.5.0"
+image: "ghcr.io/cert-manager/cert-manager-openshift-routes:v0.6.0"It looks like the 
Is that intended? I guess I'm OK with this change, but isn't this going to break anyone? @inteon |
Thanks for noticing this. I did not notice that this was how the current images were versioned and that it differs now. I do believe it makes sense to continue using this new pattern. It only makes sense to use the non-v prefix for Helm charts, not for the OCI image. |
|
I agree. I'll give notice to the users of openshift-routes just to make sure we are giving them a chance to complain before the change takes place. To that effect: → I created a GitHub issue and pinned it: #75 |
Signed-off-by: Maël Valais <[email protected]>
Signed-off-by: Tim Ramlot <[email protected]>
inteon
force-pushed
the
static-manifest
branch
from
3d06c13 to
b36d537
Compare
The labelselector in a Deployment is also immutable: # deployments.apps "openshift-routes" was not valid:
# * spec.template.metadata.labels: Invalid value: map[string]string{"app.kubernetes.io/component":"controller", "app.kubernetes.io/instance":"openshift-routes", "app.kubernetes.io/managed-by":"Helm", "app.kubernetes.io/name":"openshift-routes", "app.kubernetes.io/version":"0.6.0-alpha.0-20-gb36d5372ac760e", "helm.sh/chart":"openshift-routes-0.6.0-alpha.0-20-gb36d5372ac760e"}: `selector` does not match template `labels`
# * spec.selector: Invalid value: v1.LabelSelector{MatchLabels:map[string]string{"app.kubernetes.io/component":"controller88", "app.kubernetes.io/instance":"openshift-routes", "app.kubernetes.io/name":"openshift-routes"}, MatchExpressions:[]v1.LabelSelectorRequirement(nil)}: field is immutable |
You are right, I forgot about |
Great, that is what I added here: b36d537 |
| @@ -1,7 +1,7 @@ | |||
| apiVersion: apps/v1 | |||
| kind: Deployment | |||
| metadata: | |||
| name: {{ include "openshift-routes.fullname" . }} | |||
| name: {{ include "openshift-routes.fullname" . }}-controller | |||
There was a problem hiding this comment.
This change is necessary to circumvent the following issue:
$ helm install openshift-routes -n cert-manager oci://ghcr.io/cert-manager/charts/openshift-routes --version=0.5.0
$ make helm-chart VERSION=v0.6.0-alpha.1
$ helm upgrade openshift-routes -n cert-manager _bin/scratch/image/openshift-routes-0.6.0-alpha.1.tgz
Error: UPGRADE FAILED: cannot patch "openshift-routes" with kind Deployment: Deployment.apps "openshift-routes" is invalid: spec.selector: Invalid value: v1.LabelSelector{MatchLabels:map[string]string{"app.kubernetes.io/component":"controller", "app.kubernetes.io/instance":"openshift-routes", "app.kubernetes.io/name":"openshift-routes"}, MatchExpressions:[]v1.LabelSelectorRequirement(nil)}: field is immutable
There was a problem hiding this comment.
Renaming may solve the Helm use case, but it also means the controller name changes in the generated static manifest, which if just blindly kubectl applied would create a second deployment
There was a problem hiding this comment.
Indeed, seems like an annoying issue. Maybe we just leave the deployment name the same and ask users to use helm upgrade --force?
There was a problem hiding this comment.
What exactly is the label diff? Could we generate a template function that outputs the same labels as before?
There was a problem hiding this comment.
I guess that is the easiest solution: not changing the label selector. Will try to achieve that.
|
Updated diff after applying the latest changes included in this PR: make helm-chart VERSION=v0.6.0-alpha.0
diff -u \
<(helm template --show-only templates/deployment.yaml _bin/scratch/image/openshift-routes-0.6.0-alpha.0.tgz) \
<(helm template --show-only templates/deployment.yaml _bin/scratch/image/openshift-routes-0.6.0-alpha.0.tgz --set omitHelmLabels=true)--- helm template --show-only templates/deployment.yaml
+++ helm template --show-only templates/deployment.yaml --set omitHelmLabels=true
@@ -8,26 +8,19 @@
labels:
app.kubernetes.io/name: openshift-routes
app.kubernetes.io/component: controller
- app.kubernetes.io/instance: release-name
app.kubernetes.io/version: 0.6.0-alpha.0
- app.kubernetes.io/managed-by: Helm
- helm.sh/chart: openshift-routes-0.6.0-alpha.0
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: openshift-routes
app.kubernetes.io/component: controller
- app.kubernetes.io/instance: release-name
template:
metadata:
labels:
app.kubernetes.io/name: openshift-routes
app.kubernetes.io/component: controller
- app.kubernetes.io/instance: release-name
app.kubernetes.io/version: 0.6.0-alpha.0
- app.kubernetes.io/managed-by: Helm
- helm.sh/chart: openshift-routes-0.6.0-alpha.0
spec:
automountServiceAccountToken: true
serviceAccountName: release-name-openshift-routesProof that we can upgrade using Helm from v0.5.0 to v0.6.0-... $ helm install openshift-routes -n cert-manager oci://ghcr.io/cert-manager/charts/openshift-routes --version=0.5.0
$ make helm-chart VERSION=v0.6.0-alpha.1
$ helm upgrade openshift-routes -n cert-manager _bin/scratch/image/openshift-routes-0.6.0-alpha.1.tgz
Release "openshift-routes" has been upgraded. Happy Helming!
NAME: openshift-routes
LAST DEPLOYED: Mon Aug 12 16:53:08 2024
NAMESPACE: cert-manager
STATUS: deployed
REVISION: 5
TEST SUITE: None |
|
Thanks for showing the diff output. I think this is good to go now. /lgtm |
|
@maelvls: you cannot LGTM your own PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
cert-manager-prow
bot
added
the
do-not-merge/hold
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: maelvls The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
cert-manager-prow
bot
added
the
approved
|
I can't approve my own PR 😅 Can someone else LGTM, @ThatsMrTalbot maybe? Thanks. |
Signed-off-by: Tim Ramlot <[email protected]>
inteon
force-pushed
the
static-manifest
branch
from
aa19208 to
80614e7
Compare
|
/lgtm |
|
/unhold |
cert-manager-prow
bot
removed
the
do-not-merge/hold
In #73, I wondered how users could continue using a static manifests (e.g., for ArgoCD using the "static manifests" pattern). In this PR, I propose to add a Helm value to help with generating a static manifest free of Helm-specific labels.
To generate a static manifest free of Helm-specific labels, you will now be able to run:
The only two labels and labelSelectors left are the three non-Helm-specific labels:
Here are the labels that get removed when using
--set omitHelmLabels=true:Difference between the old v0.5.0 static manifest and the static manifest you would get using
--set omitHelmLabels=true: