Fleet always creates the target/default namespace, conflicting with non-Fleet namespace management #3034

Open
1 task done
KingJ opened this issue Oct 30, 2024 · 1 comment
KingJ commented Oct 30, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Fleet will always pass in Helm's --create-namespace arg with a value of true, and there is no way to override or change this hard-coded value. As a result, if the namespace specified in the bundle's defaultNamespace or namespace properties does not already exist, Helm will create it.

This interferes with anything that creates namespaces outside of Fleet. To work around #304, we create projects and namespaces via Terraform using the rancher2 Terraform provider. However, due to Fleet's behaviour above this means that:

  • During creation of a Cluster, Fleet often jumps in and starts reconciling before our Terraform creates the project and namespace, causing the Terraform to fail since the namespace already exists.
  • During destruction of a Cluster, Terraform successfully destroys the namespace but Fleet will immediately re-create it.

Expected Behavior

While creating a namespace is useful for many deployment scenarios, we need to be able to prevent this in some scenarios - such as when we know a non-Fleet tool is responsible for provisioning and managing the lifecycle of a namespace. If the namespace does not exist, the bundle should fail and attempt to keep reconciling until it does exist.

This could be done via a new parameter in fleet.yaml, allowing the default to be changed.

Alternatively, if #304 was implemented we would no longer need to create the namespace via Terraform, as Fleet would create the namespace inside the project instead. However, I'd suspect that allowing the --create-namespace flag to be set/unset in fleet.yaml instead of always being hard-coded to true would be much simpler to implement!

Steps To Reproduce

  1. Deploy a bundle via Fleet, specifying a defaultNamespace or namespace that does not exist.
  2. Attempt to create that namespace via other means (e.g. via Terraform, kubectl etc.) - observe that this fails because the namespace already exists.
  3. Delete that namespace via other means (e.g. via kubectl) - observe that Fleet immediately re-creates the namespace.

The only workaround we have identified to prevent this is to scale the fleet-agent StatefulSet in the target cluster to 0. Having to do this manual action every time we create or destroy a cluster is not ideal. Pausing the GitRepo via the Fleet UI does not appear to prevent this.

Environment

- Architecture: amd64
- Fleet Version: v0.10.2
- Cluster:
  - Provider: All
  - Options: N/A
  - Kubernetes Version: All

Logs

Terraform error upon destroy:

Error: [ERROR] waiting for namespace (XXXXX) to be removed: unexpected state 'active', wanted target 'removed, forbidden'. last error: %!s(<nil>)

Anything else?

No response

@KingJ KingJ added the kind/bug label Oct 30, 2024
@rancherbot rancherbot added this to Fleet Oct 30, 2024
@github-project-automation github-project-automation bot moved this to 🆕 New in Fleet Oct 30, 2024
manno (Member) commented Dec 11, 2024

We now support labels and annotations on the created namespace. #2441

If we add an option to skip creation, should the deployment fail if the namespace doesn't exist?
