rancher / fleet

Deploy workloads from Git to large fleets of Kubernetes clusters
https://fleet.rancher.io/
Apache License 2.0

[SURE-9101] ServiceAccount with helm hook in annotations isn't rendered #2955

Closed p-se closed 1 week ago

p-se commented 1 month ago

Steps to reproduce

  1. helm create reproducer
  2. Remove all files from reproducer/templates/
  3. Put the service account from below in reproducer/templates/serviceaccount.yaml

     ```yaml
     apiVersion: v1
     kind: ServiceAccount
     metadata:
       annotations:
         helm.sh/hook: pre-install, pre-upgrade
       labels:
         foo: bar
       name: some-operator
     ```
  4. Either use fleet test (deprecated) or fleet apply/target/deploy to render its content. More specifically, the following commands can be used inside the chart:

     ```bash
     fleet apply foo . -o bundle.yaml
     fleet target -b bundle.yaml > bundledeployment.yaml
     fleet deploy --dry-run -i bundledeployment.yaml
     ```
  5. Observe that the rendered content is null
  6. Remove the annotation with key helm.sh/hook and re-render
  7. Observe the ServiceAccount being rendered successfully

The expected behavior is that the templates are rendered correctly and null is not returned, since the resources are created, even if they may just be temporarily created.

mmartin24 commented 2 weeks ago

@manno, considering the PR was merged some time ago, can we consider this issue done?

manno commented 2 weeks ago

@mmartin24 yes, this should be fixed now.

Problem

Hook resources from Helm charts are not treated like regular resources from the templates folder. Hook resources are often jobs and other temporary resources, which might get deleted if the hook delete annotation is used, too.

Hook resources did not show up in the Fleet CLI output.

Solution

CLI now prints hook resources.

However, we did not change Fleet to report hook resources in the UI and detect drift in hook resources.

Testing

Any chart that uses helm hooks would work. See https://helm.sh/docs/topics/charts_hooks/ for possible annotations.
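
Because hook resources are printed by the CLI but still not reported in the UI or covered by drift detection, a reviewer may want to list them from the rendered output. The following is an added example, not code from this thread or from the Fleet project: `audit_hooks` and `RENDERED` are hypothetical names, and the sample input is constructed and written as JSON (the real dry-run output is YAML and would need a YAML parser).

```python
import json

HOOK = "helm.sh/hook"
DELETE_POLICY = "helm.sh/hook-delete-policy"

# Constructed sample of rendered resources, written as JSON so that the
# standard library can parse it (assumption: same shape as the dry-run list).
RENDERED = json.loads("""
[
  {"apiVersion": "v1", "kind": "ServiceAccount",
   "metadata": {"name": "some-operator", "labels": {"foo": "bar"},
                "annotations": {"helm.sh/hook": "pre-install, pre-upgrade"}}},
  {"apiVersion": "batch/v1", "kind": "Job",
   "metadata": {"name": "migrate",
                "annotations": {"helm.sh/hook": "post-install",
                                "helm.sh/hook-delete-policy": "hook-succeeded"}}},
  {"apiVersion": "v1", "kind": "ConfigMap",
   "metadata": {"name": "settings"}}
]
""")

def _split(value):
    """Split a comma-separated annotation value, tolerating spaces."""
    return [part.strip() for part in (value or "").split(",") if part.strip()]

def audit_hooks(resources):
    """Return (hook_resources, regular_names) for a list of rendered resources."""
    hooks, regular = [], []
    for res in resources or []:  # a rendered `null` parses to None
        meta = res.get("metadata") or {}
        ann = meta.get("annotations") or {}
        ident = f"{res.get('kind')}/{meta.get('name')}"
        events = _split(ann.get(HOOK))
        if not events:
            regular.append(ident)
            continue
        hooks.append({
            "resource": ident,
            "events": events,
            # Helm applies before-hook-creation when no delete policy is set.
            "delete_policies": _split(ann.get(DELETE_POLICY)) or ["before-hook-creation"],
        })
    return hooks, regular

if __name__ == "__main__":
    hook_resources, regular_names = audit_hooks(RENDERED)
    for entry in hook_resources:
        print("hook resource (no drift detection):", entry)
    print("regular resources:", regular_names)
```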

sbulage commented 1 week ago

System Information

| Rancher Version | Fleet Version |
| --- | --- |
| v2.10.0-alpha7 | fleet:v0.11.0-rc.2 |

Before Fix

With hook annotations

```
satya@opensuse15:~/test_helm_null> fleet deploy --dry-run -i bundledeployment_with_annotation_hook.yaml
null
```

Without hook annotations

```
satya@opensuse15:~/test_helm_null> fleet deploy --dry-run -i bundledeployment.yaml
- apiVersion: v1
  kind: ServiceAccount
  metadata:
    annotations:
      objectset.rio.cattle.io/id: -foo
    labels:
      foo: bar
      objectset.rio.cattle.io/hash: b04d36fedb2060e587b06a543e59eabec47f3a8e
    name: some-operator
```

After Fix

Note: I used a small script by @p-se

Script to check that Fleet renders the bundle

```bash
#!/usr/bin/env bash
if [ -z "$1" ]; then
  echo "Usage: $0 "
  exit 1
fi
cd "$1" || exit
fleet apply foo . -o bundle.yaml
fleet target -b bundle.yaml > bundledeployment.yaml
fleet deploy --dry-run -i bundledeployment.yaml
```

Without hook annotations

```
satya@opensuse15:~/test_helm_null> ./check_9101.sh satya
- apiVersion: v1
  kind: ServiceAccount
  metadata:
    annotations:
      objectset.rio.cattle.io/id: -foo-satya
    labels:
      foo: bar
      objectset.rio.cattle.io/hash: 7f360b04deabec487b06aa8ee536fedb20543e59
    name: some-operator
```

Without hook annotations

```
satya@opensuse15:~/test_helm_null> ./check_9101.sh satya
- apiVersion: v1
  kind: ServiceAccount
  metadata:
    annotations:
      helm.sh/hook: pre-install, pre-upgrade
    labels:
      foo: bar
    name: some-operator
```