Move helm chart

[onedr0p]

TL;DR the sealed-secrets project is going to maintain the helm chart (one of the key motivator is to ensure it will be kept backwards compatible and stay in sync with the main release manifest)

---

Seeing as the official Helm chart repo will be deprecated on Nov 13th 2020, does it make sense to maintain this chart here instead?

https://github.com/helm/charts/tree/master/stable/sealed-secrets

[mkmik]

The helm chart is maintained by the community; the sealed-secrets maintainers currently don't want to maintain the helm chart. If the current maintainers want to keep maintaining it they should move it somewhere.

Otherwise I can ask somebody at bitnami to maintain the helm chart for sealed secrets but last time I checked that involved putting the helm chart in a new git repo anyway (due to the way the application catalog team releases and tests helm chart, which includes lots of automation which mandates some uniformity)

[onedr0p]

Otherwise I can ask somebody at bitnami to maintain the helm chart for sealed secrets but last time I checked that involved putting the helm chart in a new git repo anyway (due to the way the application catalog team releases and tests helm chart, which includes lots of automation which mandates some uniformity)

Oh I see, the bitnami team has it's own repo for helm charts, this makes sense to move it to your chart repo instead. :)

https://github.com/bitnami/charts

[onedr0p]

Any update on this? We're getting closer and closer to the official helm charts being deprecated.

[mkmik]

Have you reached out to the current maintainer?

We cannot move the helm chart to the bitnami repo without effective forking the chart.

[carrodher]

Hi, I'm one of the Bitnami Catalog maintainers and I would like to share some notes. I think there are different processes involved here, being one independent of the other:

New Helm Chart addition to the Bitnami Catalog

TL;DR: The Helm Chart can be added to the Bitnami Catalog if the sealed-secrets image is released using the "Bitnami test & release pipeline" (internal work) and the Helm Chart source code follows the Bitnami standards and best practices (external contributions guided by Bitnami team)

As you can see in the CONTRIBUTING guideline, there are three topics that should be covered when adding a new Helm Chart to the catalog:

• The Helm Chart should use Bitnami based container images. If they don't exist, you can open a GitHub issue and we will work together to create them. 🔴
• Follow the same structure/patterns that the rest of the Bitnami Helm Charts and the Best Practices for Creating Production-Ready Helm charts guide. 🔴
• Use an OSI approved license for all the software. ✅

On one hand, the last item doesn't need any action as it is already fulfilled.

On the other hand, although the sealed-secrets is a Bitnami project, the release of the Docker image is not going through the "Bitnami test & release pipeline", this step is needed to meet the first requirement. As it is an internal system, this is something that needs to be implemented by the Bitnami team meaning that the addition of the sealed-secrets image to the internal pipeline is something that needs to be evaluated according to the capacity and other priorities.

In the same way, the second item is easier to solve since @onedr0p already created a PR with the Helm Chart source code. At this moment the code seems pretty similar to the one from stable/sealed-secrets and the Helm Chart logic needs to be adapted to meet the Bitnami requirements and good practices, that is something that usually the Bitnami team helps users during the PR review in order to create a Helm Chart with all the requirements.

Deprecation of stable/sealed-secrets

This process is something we already followed for the Bitnami Helm Charts that were contributed to stable in the past. As the deprecation is something that is going to happen sooner rather than later and the Helm Charts need to be moved to a new house, mainly there are two options:

• Provide a replacement for the current Helm Chart in the stable repo. This is the approach we followed, for example in this PR deprecating stable/wordpress in favor of bitnami/wordpress. In the case of the Bitnami Helm Charts, it was easy since both Helm Charts were a mirror and follow the same development process from the beginning. In the case of different Helm Charts, the maintainers should provide the proper instructions to migrate the existing deployments and users from stable to the new house. This new house should be decided by the maintainers since there can be different Helm Charts hosted in different repositories.
• Not provide a replacement for the current Helm Chart in the stable repo. In that case, the stable chart is going to be deprecated and delisted from everywhere but without an "official" alternative. The existing users should look in the hubs, i.e https://hub.kubeapps.com/charts?q=sealed-secrets for an alternative (if any) and try to upgrade the current deployments on their own without any "official" guidance

---

What I mean is that one thing is the addition of a sealed-secrets Helm Chart to the Bitnami Catalog and a different thing is that this new Helm Chart added to the Bitnami Catalog becomes the replacement of the current stable/sealed-secrets Helm Chart.

At Bitnami we are happy to incorporate new Helm Charts to our catalog and, in the same way, we are happy to work with current maintainers to provide a smooth transition from stable/sealed-secrets to the hypothetical bitnami/sealed-secrets, but as I mentioned at the beginning, the addition of the sealed-secrets Docker image to the Bitnami pipeline is something that needs to be done by the Bitnami team and it is going to depend on the capacity and priorities.

[davidkarlsen]

@carrodher If you decide on moving it to the bitnami chart repo I hope you can make the initial version compatible with the one in stable, as having to reinstall will mean problems due to keys disappearing etc

[mkmik]

Hi, I'm the sealed-secrets project maintainer, please read bitnami/charts#4017 (comment)

TL;DR the sealed-secrets project is going to maintain the helm chart (one of the key motivator is to ensure it will be kept backwards compatible and stay in sync with the main release manifest)

[mkmik]

I will keep this task open until the chart is actually moved here

[JohnLBevan]

FYI: There's been an announcement on the official stable and incubator repos for charts:

• https://charts.helm.sh/stable
• https://charts.helm.sh/incubator

I'm not sure whether this influences the above discussion?

[mkmik]

not really, the location problem just brought this topic to our attention; I believe consolidating the chart in the main repository will be beneficial to the community

[alexellis]

@stefanprodan - what are Weaveworks going to be doing - where you consume SealedSecrets for Flux etc?

[alexellis]

This needs to be pinned somewhere ->

#389 (comment)

[mkmik]

Updated the issue description and mentioned the decision to onboard the chart

[adusumillipraveen]

Has there been any update on this move as there is only a couple of days left for stable to be deprecated.

[mkmik]

I'm working on it; there were some yaks to be shaven (e.g. migrating off travis ci because of reasons)

[fliphess]

@mkmik

I'm in the middle of a migration from helm2 to helm3 and a newer k8s version so I could use the new chart location.

Is there anything I can do to help you get there?

If you need testers, please highlight me, I'm available :)
(No pressure btw, just offering help)

[JohnLBevan]

For anyone waiting for this migration, a temporary solution is to use the new stable; i.e.

spec:
  releaseName: sealed-secrets
  chart:
    #repository: https://kubernetes-charts.storage.googleapis.com/ # FROM THIS
    repository: https://charts.helm.sh/stable # TO THIS
    name: sealed-secrets
    version: 1.10.0

Longer term it makes sense to switch to Bitnami's solution once they get it up; but the above buys you time.

[davidkarlsen]

@mkmik Do you need any help on this?

[mkmik]

Yes please. I need:

1. A PR that copies the latest chart into the "/helm" dir in this repo.

2. a GH actions workflow that builds the chart and pushes it into a OCI registry. Since running that requires a token, I think I'll need to do the last step myself, but it would help having a working example in some demo repo; help appreciated!

[fliphess]

Working on a PR! :)

[stefanprodan]

a GH actions workflow that builds the chart and pushes it into a OCI registry

Can we please use GH Pages instead of OCI? OCI support is alpha in Helm and it will not work with Flux.

Here is an action that publishes charts to GH Pages it's being used for Flux, Flagger, OpenServiceMesh, SMI and other CNCF projects. https://github.com/stefanprodan/helm-gh-pages

[fliphess]

I've created an initial PR here: #483

Open to all suggestions as not all information is correct like owners etc.

[alexellis]

+1 to GitHub pages, see also make charts in inlets-operator for a simple example to copy.

[fliphess]

I'm a bit busy at work atm due to some sudden changes in planning... If there's anyone willing to create a second PR or add the gh-pages to mine that would be awesome.
Otherwise I can do it later this week / after work. (Except for the token creation)

[mkmik]

Ok for GH-pages.

[davidkarlsen]

Started an attempt at https://github.com/bitnami-labs/sealed-secrets/runs/1516963120?check_suite_focus=true#step:9:25 - but the resources are a bit out of date (old RBACs, old crd spec). Do you have an updated CRD?

[mkmik]

habemus chartam gubernāculī 🥳 🎉 🎈

$ helm repo add sealed-secrets https://bitnami-labs.github.io/sealed-secrets
$ helm install sealed-secrets/sealed-secrets

Sorry for taking so much time, despite the community being so willing to help I was the choke-point.

Please try it out. I'm interested here only in regressions from the previous helm chart. Other improvements will be handled in other tickets and from now on, changes in the manifests in the Plain old YAML release and the helm chart will be in sync.

[mkmik]

Readme updated. Closing