crossplane-contrib / provider-helm

Crossplane Helm Provider
Apache License 2.0

Release resource fails to determine status of the Helm release #101

Open juv opened 3 years ago

juv commented 3 years ago

What happened?

The Release resource never gets into any status. The .status field is even present when I run kubectl get release my-release -o yaml

kubectl get release helm-test
NAME        CHART                             VERSION   SYNCED    READY     STATE     REVISION   DESCRIPTION   AGE
helm-test   crossplane-irsa-service-account   0.1.3                                                            16m

How can we reproduce it?

My Helm chart is only creating a single Kubernetes resource, a ServiceAccount. I can see that the service account resource is created as expected. The Helm release itself is in status deployed.

helm3 ls -n johns-space
NAME            NAMESPACE       REVISION        UPDATED                                 STATUS          CHART                                   APP VERSION
helm-test       johns-space     1               2021-07-21 10:20:18.166948602 +0000 UTC deployed        crossplane-irsa-service-account-0.1.3   1.0.0

kubectl get release helm-test -o yaml:

apiVersion: helm.crossplane.io/v1beta1
kind: Release
metadata:
  annotations:
    crossplane.io/external-name: helm-test
    kubectl.kubernetes.io/last-applied-configuration: |
      ...
  creationTimestamp: 2021-07-21T10:20:17Z
  finalizers:
  - finalizer.managedresource.crossplane.io
  generation: 2
  managedFields:
  - apiVersion: helm.crossplane.io/v1beta1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          f:crossplane.io/external-name: {}
        f:finalizers:
          .: {}
          v:"finalizer.managedresource.crossplane.io": {}
      f:status:
        .: {}
        f:atProvider: {}
    manager: crossplane-helm-provider
    operation: Update
    time: 2021-07-21T10:20:17Z
  - apiVersion: helm.crossplane.io/v1beta1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:kubectl.kubernetes.io/last-applied-configuration: {}
      f:spec:
        .: {}
        f:forProvider:
          .: {}
          f:chart:
            .: {}
            f:name: {}
            f:pullSecretRef:
              .: {}
              f:name: {}
              f:namespace: {}
            f:repository: {}
            f:version: {}
          f:namespace: {}
          f:skipCreateNamespace: {}
          f:values:
            .: {}
            f:serviceAccount: {}
        f:providerConfigRef:
          .: {}
          f:name: {}
    manager: kubectl.exe
    operation: Update
    time: 2021-07-21T10:20:17Z
  name: helm-test
  resourceVersion: "57346645"
  uid: 3cfc444b-64c4-43e9-8f52-ac234393b37d
spec:
  forProvider:
    chart:
      name: crossplane-irsa-service-account
      pullSecretRef:
        name: artifactory-basic-auth
        namespace: crossplane-system
      repository: https://my-artifactory.com/artifactory/helm-virtual
      version: 0.1.3
    namespace: johns-space
    skipCreateNamespace: true
    values:
      serviceAccount:
        annotations:
          eks.amazonaws.com/role-arn: test-annotation
        name: my-sa
  providerConfigRef:
    name: helm-provider

kubectl describe release helm-test:

Name:         helm-test
Namespace:
Labels:       <none>
Annotations:  crossplane.io/external-name=helm-test
              kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"helm.crossplane.io/v1beta1","kind":"Release","metadata":{"annotations":{},"name":"helm-test","namespace":""},"spec":{"forProvider":{"cha...
API Version:  helm.crossplane.io/v1beta1
Kind:         Release
Metadata:
  Creation Timestamp:  2021-07-21T10:20:17Z
  Finalizers:
    finalizer.managedresource.crossplane.io
  Generation:  2
  Managed Fields:
    API Version:  helm.crossplane.io/v1beta1
    Fields Type:  FieldsV1
    Fields V 1:
      F : Metadata:
        F : Annotations:
          F : Crossplane . Io / External - Name:
        F : Finalizers:
          .:
          V :" Finalizer . Managedresource . Crossplane . Io ":
      F : Status:
        .:
        F : At Provider:
    Manager:      crossplane-helm-provider
    Operation:    Update
    Time:         2021-07-21T10:20:17Z
    API Version:  helm.crossplane.io/v1beta1
    Fields Type:  FieldsV1
    Fields V 1:
      F : Metadata:
        F : Annotations:
          .:
          F : Kubectl . Kubernetes . Io / Last - Applied - Configuration:
      F : Spec:
        .:
        F : For Provider:
          .:
          F : Chart:
            .:
            F : Name:
            F : Pull Secret Ref:
              .:
              F : Name:
              F : Namespace:
            F : Repository:
            F : Version:
          F : Namespace:
          F : Skip Create Namespace:
          F : Values:
            .:
            F : Service Account:
        F : Provider Config Ref:
          .:
          F : Name:
    Manager:         kubectl.exe
    Operation:       Update
    Time:            2021-07-21T10:20:17Z
  Resource Version:  57346645
  UID:               3cfc444b-64c4-43e9-8f52-ac234393b37d
Spec:
  For Provider:
    Chart:
      Name:  crossplane-irsa-service-account
      Pull Secret Ref:
        Name:               artifactory-basic-auth
        Namespace:          crossplane-system
      Repository:           https://my-artifactory.com/artifactory/helm-virtual
      Version:              0.1.3
    Namespace:              johns-space
    Skip Create Namespace:  true
    Values:
      Service Account:
        Annotations:
          Eks . Amazonaws . Com / Role - Arn:  test-annotation
        Name:                                  my-sa
  Provider Config Ref:
    Name:  helm-provider
Events:
  Type    Reason                   Age   From                                Message
  ----    ------                   ----  ----                                -------
  Normal  CreatedExternalResource  12m   managed/release.helm.crossplane.io  Successfully requested creation of external resource

What environment did it happen in?

Crossplane version: crossplane/provider-helm:v0.7.2 and crossplane/crossplane:v1.3.0

juv commented 3 years ago

You can find the helm chart I'm trying to install with provider-helm here: crossplane-irsa-service-account.zip

Example command to test the chart locally (note: this is for Windows/PowerShell):

> helm template helm-test2 . --set serviceAccount.name=test --set serviceAccount.annotations."eks\.amazonaws\.com\/role-arn"=whatever
---
# Source: crossplane-irsa-service-account/templates/serviceaccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: test
  labels:
    helm.sh/chart: crossplane-irsa-service-account-0.1.3
    app.kubernetes.io/name: crossplane-irsa-service-account
    app.kubernetes.io/instance: helm-test2
    app.kubernetes.io/version: "1.0.0"
    app.kubernetes.io/managed-by: Helm
  annotations:
    eks.amazonaws.com/role-arn: whatever

Example Release resource (note: you will need to adjust repository and pullSecretRef)

apiVersion: helm.crossplane.io/v1beta1
kind: Release
metadata:
  name: helm-test
spec:
  forProvider:
    namespace: your-namespace
    values:
      serviceAccount:
        name: my-sa
        annotations:
          eks.amazonaws.com/role-arn: test-annotation
    chart:
      name: crossplane-irsa-service-account
      repository: https://your-helm-registry.com/...
      version: 0.1.3
      pullSecretRef:
        name: artifactory-basic-auth
        namespace: crossplane-system
    skipCreateNamespace: true
    wait: false
  providerConfigRef:
    name: helm-provider

turkenh commented 3 years ago

@juv thanks for the ticket.

Just tried on my side and it seems it worked fine.

Used the following release manifest:

apiVersion: helm.crossplane.io/v1beta1
kind: Release
metadata:
  name: helm-test
spec:
  forProvider:
    namespace: your-namespace
    values:
      serviceAccount:
        name: my-sa
        annotations:
          eks.amazonaws.com/role-arn: test-annotation
    chart:
      name: crossplane-irsa-service-account
      url: https://storage.googleapis.com/helm-repo-dev/crossplane-irsa-service-account-0.1.3.tgz
    skipCreateNamespace: true
    wait: false
  providerConfigRef:
    name: helm-provider

and used this as provider config with admin privileges: https://github.com/crossplane-contrib/provider-helm/blob/master/examples/provider-config/provider-config-incluster.yaml

juv commented 3 years ago

It appears that this error is related to RBAC and not directly related to the functionality.

The following configuration is not enough; note the resources for apiGroup helm.crossplane.io:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: crossplane-helm-provider
rules:
  - apiGroups:
      - ""
    resources:
      - serviceaccounts
      - secrets
      - events
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  - apiGroups:
      - helm.crossplane.io
    resources:
      - providerconfigs
      - releases
      - providerconfigusages
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete

Here, the subresource for the release status, i.e. releases/status, is missing.

When adding that subresource, it works:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: crossplane-helm-provider
rules:
  - apiGroups:
      - ""
    resources:
      - serviceaccounts
      - secrets
      - events
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  - apiGroups:
      - helm.crossplane.io
    resources:
      - providerconfigs
      - releases
      - releases/status
      - providerconfigusages
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete

Maybe a useful enhancement would be to print out error messages to the provider-helm logs when updating the ReleaseStatus fails?
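
The RBAC gap found in the last comment, as an added example that is not part of the original thread or of provider-helm's code: a small Go check that applies Kubernetes RBAC resource matching to the two ClusterRoles posted above and reports whether `releases` can be updated while `releases/status` cannot. The names `PolicyRule`, `Allowed`, `StatusGap` and `RoleFromIssue` are hypothetical.

```go
package main

import "fmt"

// PolicyRule holds the three fields of a ClusterRole rule that matter here.
type PolicyRule struct{ APIGroups, Resources, Verbs []string }

// has reports whether list contains want or the "*" wildcard.
func has(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// Allowed applies Kubernetes RBAC matching: a subresource such as status is
// covered only by "<resource>/status", "*/status" or "*", never by "<resource>".
func Allowed(rules []PolicyRule, verb, group, resource, sub string) bool {
	for _, r := range rules {
		ok := has(r.Resources, resource)
		if sub != "" {
			ok = has(r.Resources, resource+"/"+sub) || has(r.Resources, "*/"+sub)
		}
		if ok && has(r.APIGroups, group) && has(r.Verbs, verb) {
			return true
		}
	}
	return false
}

// StatusGap is true when a resource can be updated but its status cannot.
func StatusGap(rules []PolicyRule, group, resource string) bool {
	return Allowed(rules, "update", group, resource, "") && !Allowed(rules, "update", group, resource, "status")
}

// RoleFromIssue rebuilds the ClusterRole posted above (hypothetical helper, not provider code).
func RoleFromIssue(helm ...string) []PolicyRule {
	verbs := []string{"get", "list", "watch", "create", "update", "patch", "delete"}
	return []PolicyRule{
		{[]string{""}, []string{"serviceaccounts", "secrets", "events"}, verbs},
		{[]string{"helm.crossplane.io"}, helm, verbs},
	}
}

func main() {
	role := RoleFromIssue("providerconfigs", "releases", "providerconfigusages")
	fmt.Println("releases/status gap:", StatusGap(role, "helm.crossplane.io", "releases"))
}
```

On a live cluster the same question can be asked with `kubectl auth can-i update releases.helm.crossplane.io --subresource=status --as=system:serviceaccount:<namespace>:<name>`, where the service account is the one the provider runs as.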