Open drewwells opened 1 year ago
I usually helm install with the skip crds flag, and then load it from raw yaml. Would that work?
Unfortunately, our CICD system would not be able to do this. We need a helm install --only-crds so helm template --validate does not fail.
We normally break out CRDs into a separate chart like cert-manager does. I think the best option is to have federation CRs as examples or a separate chart. Right now I disable the CRs with spire-server.controllerManager.identities.enabled=false, then install them in a separate chart internally.
This is related to https://github.com/spiffe/helm-charts/issues/411 as well.
@drewwells thanks for bringing this up. We definitely need to revisit how controller manager is integrated. I'm not super familiar with how cert manager works. Would that model work here?
No, it's a CRD + CR issue, not a Certificate issue. CRD management with helm has always been... problematic.
Some of the gory details are outlined in hip 11. https://github.com/helm/community/blob/main/hips/hip-0011.md
In layman's terms, you can read this: https://helm.sh/docs/chart_best_practices/custom_resource_definitions/#method-2-separate-charts
Hmm... If we moved it to a separate chart, we could conditionally embed it, and have it standalone. Then folks could use it either way.
@drewwells Plan we came up with is to create a sub chart with the crd and convert it to a template. Then eventually move it to a separate root level chart. Would appreciate your thoughts on this plan.
As long as we can install it as if it were a chart with only crds in it, then that will work fine.
That's the plan.
If you're doing a fresh install of spire, it attempts to install both a CRD and CR. This is not supported in our CICD workflow (or a good practice). Other projects that require this do so in multiple steps like defining a separate CRD chart or a separate CR chart. I solve for this by installing a separate CR chart.
Repo steps: