feat(helm): add ability for --dry-run to do lookup functions #9426
Conversation
helm-bot
added
the
size/S
|
FYI, I believe this test is not testing what it states in the current master branch. I think it will pass regardless of the DryRun field being sent to "true" or "false". https://github.com/helm/helm/blob/master/pkg/action/install_test.go#L245 I have attached a document of a sample of the basic tests I ran. I did not see any good way to positively test a successful lookup without using a live cluster. |
|
Any updates on this? I would support if something is missing. |
|
I'm also looking forward for this, and wish to help if any help is needed. |
|
@tapaskapadia Can you fix the merge conflicts? Or if you let me, I'm happy to do so. I can help out with testing if needed. |
pkg/action/action.go
Outdated
| // wishes and do not connect to the cluster. | ||
| if !dryRun && c.RESTClientGetter != nil { | ||
| // A `helm template` should not talk to the remote cluster. However, commands | ||
| // with `--dry-run` should be able to try to connect to the cluster. |
There was a problem hiding this comment.
This change is much more in line with user expectations, IMHO. Specifically, the sentence saying "when the user says to dry run, respect the user's wishes and do not connect to the cluster" is not in any way implied by naming convention or any best practices. Typically, dry run an operations means "do not mutate" not "do not read". Are there any documentation to update as well?
There was a problem hiding this comment.
Good call on updating the documentation: https://helm.sh/docs/chart_template_guide/functions_and_pipelines/#using-the-lookup-function
This page does reference that helm install --dry-run is not supposed to contact the cluster.
If this is approved this page will also need to be changed: https://github.com/helm/helm-www/blob/2875cecd9b1b8b6290e9fee595e288807f033eb5/content/ko/docs/chart_template_guide/functions_and_pipelines.md (for all the languages)
I'll rebase it to fix the merge conflicts. I may need a little help getting started if unit test cases are required as when I initially took at a stab at this it was not clear to me how to simulate having a real connection. |
tapaskapadia
force-pushed
the
feat/lookup-dryrun
branch
from
eb60bb6 to
be3f846
Compare
|
FWIW, |
|
I would prefer we not do this in this fashion, but instead do what kubectl does with Unfortunately, dry-run already broke the client-only contract. I'd still be against changing the comments to make it seem ok to do that further, especially if we're going to want to walk that back in helm 4. |
|
I found myself nodding furiously to this comment from @rickardp
That this topic is raised over and over again is surely a sign that dry-run must imply a client-only contract is not what everyone wants, because it makes Helm less useful for some of us, and our lives harder. @joejulian 's
|
|
+1 on that one. I had to re-implement deployment scripts to do necessary lookups outside of |
|
What is needed to get this merged? It looks like it has support from the community and, personally, I would really like to see it. |
|
Please support this. |
|
Any updates about the needed work to merge it ? |
|
ugently needed 👍🏻 |
|
Can I ask a question here? Would this feature be more likely to be approved and merged if it wasn't tied to the --dry-run flag? I can't speak for everyone, but what I'm looking for is the ability to do a full test run with connections to the remote cluster so lookups work. These cluster connections would run under the user's approved/provisioned security context, so there doesn't seem to be a security problem or potential to expose something that the user doesn't already have access to via kubectl. |
|
Looking at the k8s docs of the
So I think If you want to NOT connect to the cluster, why not using |
|
Looking at kubectl help: If you don't specify, it suggests "client" which has always been the default: I'm suggesting helm would do the same. |
|
+1 for this as I'm using the template functionality of Helm to integrate Helm into kluctl. I'm however not calling Helm binaries but instead use Helm as a go dependency and configure an install action so that it uses DryRun=true. I'd like to ask that whatever the final solution will be to allow lookup+dryRun, that this is also possible when Helm is used as a library and not only when it is used as a binary. |
This is a preparation to allow lookup in Helm charts. It will however not work before helm/helm#9426 or a comparable solution is merged.
|
+1 on this PR or any other PRs that can enhance the dry-run capability to perform lookup. |
|
@rickardp what is needed to merge this ? If needed I can help by creating a new MR with all this changes on the last version of |
|
I second @joejulian said about Currently I put a proposal on the main issue (rather than this implementation PR here |
|
What about |
|
@mattfarina is your review stale / should be dismissed? |
| if client.DryRunOption == "" { | ||
| client.DryRunOption = "none" | ||
| } |
There was a problem hiding this comment.
I think this is unreachable code. With NoOptDefVal being set you shouldn't run into a value of "" here.
|
@tapaskapadia thank you for this important contribution! |
|
Thank you @tapaskapadia, @rickardp, @joejulian, @QuentinN42, @mattfarina, and everyone else who helped push this through! This feature change took 2 years, 4 months and 20 days to merge! But it was finally completed - by a bunch of strangers on the internet, all working together, with no monetary incentive, contractual agreement, or under any hierarchical organization chart. Because of all this, a bunch of other strangers will now benefit - whether it's supporting a business, helping customers, just getting their day jobs done, or working on the tools they care about. Open Source lifts all boats ❤️ ⛵ ❤️ |
Helm PR helm/helm#9426 enables support for executing lookups during dry run. This PR is to make use of this new support in helm-diff. Backwards compatibility for older versions of helm is maintained by checking the helm version before setting the flag Addresses issue: databus23#449 Signed-off-by: MichaelMorris <michael.morris@est.tech>
Helm PR helm/helm#9426 enables support for executing lookups during dry run. This PR is to make use of this new support in helm-diff. Backwards compatibility for older versions of helm is maintained by checking the helm version before setting the flag Addresses issue: #449 Signed-off-by: MichaelMorris <michael.morris@est.tech>
Change lookup's description to reflect change on helm/helm#9426 Signed-off-by: Kerry Gougeon <kerrygougeon@gmail.com>
Change lookup's description to reflect change on helm/helm#9426 Signed-off-by: Kerry Gougeon <kerrygougeon@gmail.com>
<!--Thanks for your contribution. See [CONTRIBUTING](CONTRIBUTING.md)
for Pulumi's contribution guidelines.
Help us merge your changes more quickly by adding more details such
as labels, milestones, and reviewers.-->
### Proposed changes
<!--Give us a brief description of what you've done and what it solves.
-->
This PR fixes a problem with how Chart v4 uses the Helm library. The
design goal is to allow for connectivity during template rendering, to
support the lookup function (see helm/helm#9426)
and to provide an accurate [Capabilities
object](https://helm.sh/docs/chart_template_guide/builtin_objects/).
Unfortunately we were slightly too aggressive and caused some of Helm's
"non-template" code to execute.
This fix works by turning off the `helm template --validation` flag, so
that the internal `ClientOnly` flag is true thus avoiding [this block of
code](https://github.com/helm/helm/blob/6f32a8f9d338bacc3c6a1c0c3610012b01edb3d1/pkg/action/install.go#L345-L350)
that causes the unexpected error. A side-effect of `ClientOnly` being
true is that the capabilities aren't automatically set, and so we set
them using the provider's kube client (akin to using `--kube-version`).
Detailed changes:
- (chart.go) use ClientOnly mode, set KubeVersion and APIVersions
- (tool.go) remove redundant KubeVersion and ExtraAPIs
- (testdata/reference) add a version check
- (chart_test.go) unit tests for `.Capabilities`
- integration test to install cert-manager
### Related issues (optional)
<!--Refer to related PRs or issues: #1234, or 'Fixes #1234' or 'Closes
#1234'.
Or link to full URLs to issues or pull requests in other GitHub
repositories. -->
Closes #3045
When a helm command is run with the --dry-run flag, it will try to connect to the cluster
to be able to render lookup functions.
Closes #8137
Signed-off-by: Tapas Kapadia tapaskapadia10@gmail.com
What this PR does / why we need it: It is hard to debug the lookup function and currently there is not a good way to test it with any flags. #8137 Stated that the
--dry-runwas fair game to try to implement this logic as long as thehelm templatelogic stays the same.Special notes for your reviewer: This is my first PR for the Helm; please let me know if I need to add or change anything.
If applicable: