helmfile apply not call the helm `lookup template function`

[qianzhang613]

helmfile apply not call the helm lookup template function

whereas helmfile sync did

is there a bug?

[mrszop]

Oh wow, such an old post. It still applies and I can confirm this behaviour.

values.yaml:

neo4j:
  name: "staging"
  passwordFromSecret: neo4j-password

Running with helmfile apply:

helmfile apply --include-needs --context 5 --debug

COMBINED OUTPUT:
  Error: Failed to render chart: exit status 1: Error: execution error at (neo4j-standalone/templates/_helpers.tpl:392:19): Secret neo4j-password configured in 'neo4j.passwordFromSecret' not found
  Use --debug flag to render out invalid YAML
  Error: plugin "diff" exited with error

From template:

{{- define "neo4j.secretName" -}}
    {{- if .Values.neo4j.passwordFromSecret -}}
        {{- if not .Values.disableLookups -}}
            {{- $secret := (lookup "v1" "Secret" .Release.Namespace .Values.neo4j.passwordFromSecret) }}
            {{- $secretExists := $secret | all }}
            {{- if not ( $secretExists ) -}}
                {{ fail (printf "Secret %s configured in 'neo4j.passwordFromSecret' not found" .Values.neo4j.passwordFromSecret) }}
            {{- else if not (hasKey $secret.data "NEO4J_AUTH") -}}
                {{ fail (printf "Secret %s must contain key NEO4J_DATA" .Values.neo4j.passwordFromSecret) }}
            {{/*The secret must start with characters 'neo4j/`*/}}
            {{- else if not (index $secret.data "NEO4J_AUTH" | b64dec | regexFind "^neo4j\\/\\w*") -}}
                {{ fail (printf "Password in secret %s must start with the characters 'neo4j/'" .Values.neo4j.passwordFromSecret) }}
            {{- end -}}
        {{- end -}}
        {{- printf "%s" (tpl .Values.neo4j.passwordFromSecret $) -}}
    {{- else -}}
        {{- include "neo4j.name" . | printf "%s-auth" -}}
    {{- end -}}
{{- end -}}

Running helmfile sync works and all Values are set as expected.

❯ helmfile version

▓▓▓ helmfile

  Version            v0.151.0
  Git Commit         "brew"
  Build Date         17 Feb 23 07:09 CET (1 month ago)
  Commit Date        17 Feb 23 07:09 CET (1 month ago)
  Dirty Build        no
  Go version         1.19.6
  Compiler           gc
  Platform           darwin/arm64

❯ helm version
version.BuildInfo{Version:"v3.10.2", GitCommit:"50f003e5ee8704ec937a756c646870227d7c8b58", GitTreeState:"clean", GoVersion:"go1.18.8"}

Cheers

[ahmadalli]

This is due to the fact that diff plugin uses --dry-run and lookup would not be evaluated on --dry-run executions and returns an empty map instead.

This is tracked in https://github.com/databus23/helm-diff/issues/263 (which is pending for https://github.com/helm/helm/pull/9426 to be merged).

You see the error because helmfile apply relies on the diff plugin and checks if there's any changes that need to be applied

[jv4n5e]

According to https://github.com/databus23/helm-diff/issues/449 (which is a spin-off from https://github.com/databus23/helm-diff/issues/263), the helm-diff plugin now supports dry-run flags. Would it be possible to add a flag to helmfile apply that will pass down to the diff plugin and set the --dry-run flag?

[titaniteChuck]

Until it is added, I have successfully used this feature by setting HELM_DIFF_USE_UPGRADE_DRY_RUN=true before running helmfile apply using helm > v3.13.0 and helm diff > 3.9.4 . For information, on windows I use the one liner: pwsh -Command { $env:HELM_DIFF_USE_UPGRADE_DRY_RUN="true" ; helmfile apply } Linux: HELM_DIFF_USE_UPGRADE_DRY_RUN=true helmfile apply Ref: https://github.com/databus23/helm-diff/blob/master/README.md#upgrade