-
Notifications
You must be signed in to change notification settings - Fork 181
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
H4HIP: CRD updating #379
base: main
Are you sure you want to change the base?
H4HIP: CRD updating #379
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,157 @@ | ||
--- | ||
hip: "9999" | ||
title: "Helm CRD updating" | ||
authors: [ "George Jenkins <[email protected]>" ] | ||
created: "2024-12-19" | ||
type: "feature" | ||
status: "draft" | ||
helm-version: "4" | ||
--- | ||
|
||
## Abstract | ||
|
||
<!-- | ||
A short (~200 word) description of the technical issue being addressed. | ||
--> | ||
|
||
Helm has historically taken a conservative approach to Custom Resource Definitions (CRDs). | ||
The concerns detailed in [HIP-0011](./hip-0011.md). | ||
|
||
This HIP aims to improve Helm's support for CRD management, while remaining in line with the rationales in `HIP-0011`. | ||
Ensuring chart consumers can continue to safely operate charts that provide CRDs. | ||
But extending Helm's CRD management to enable updates to CRDs. | ||
|
||
|
||
## Motivation | ||
|
||
<!-- | ||
Clearly explain why the existing design is inadequate to address the problem | ||
that the HIP solves. | ||
--> | ||
|
||
This HIP aims to improve the experience for chart authors and operators by extending Helm's ability to manage CRDs. | ||
Helm's conservative approach to date has limited the abilty for Helm's users (both authors and chart operators) to package and use Kubernetes applications that make use of CRDs. | ||
Today, Helm will only install CRDs (from the `crds/` directory) when installing a chart. | ||
CRDs are otherwise ignored for additional operations, including upgrades. | ||
|
||
CRDs have become more commonly utilized to extend Kubernetes functionality beyond its core primatives. | ||
Being conservative ensured Helm erred on the side of safety and didn't create an irreversible position for Helm nor its users. | ||
But has limited Helm's users, both chart operators and authors, to produce charts that expect to be able to manage CRDs. | ||
As such, improvements to Helm's CRD management, that allows Helm and charts to better manage and update CRDs are desired. | ||
|
||
The solution here aims to extend Helm's CRD management, while adhering to the concerns detailed in [HIP-0011](./hip-0011.md). | ||
While providing for better CRD management, but continuing to provide for safe operation of charts by chart operators. | ||
|
||
|
||
## Rationale | ||
|
||
<!-- | ||
Describe why particular design decisions were made. | ||
--> | ||
The two main reasons inferred from [HIP-0011](./hip-0011.md) that Helm is conservative with CRDs are: | ||
1. CRDs are a cluster-wide resource. | ||
Changes to cluster wide resources can (more easily) break applications beyond the scope of the chart | ||
2. Custom Resources (CRs) can be used as a data store. | ||
And removing the CRDs for those will irrevocably remove any CRs and cause parmenat loss of any contained data | ||
|
||
For 1., it is thought that Helm should not treat CRDs specially here. | ||
Helm will readily operate on many other cluster wide resources today: Cluster roles, priority classes, namespaces, etc. | ||
That the modification/removal of could easily cause breakage outside of the chart's release. | ||
Comment on lines
+57
to
+59
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Helm is a package manager rather than a general purpose management tool for Kubernetes resources. It's a subtle but important difference. Here are some ways to think about it...
Namespaces were not able to be created when 3.0.0 came out. The philosophy is that applications should be installed in a namespace but its not up to Helm to manage those and those should be created first, possibly part of configuration management. The namespace creation was added to provide backwards compatibility to Helm v2 (which had it) because we got so many issues filed about it. We have not considered Helm the right tool to manage all resources since it's targeted at applications and Kubernetes resources go beyond that. |
||
|
||
In general, Helm as a package manager should not try to prempt unintended functional changes from a chart. | ||
Validating functional changes is well beyond the scope of a package manager. | ||
Helm should treat CRDs the same as other (cluster-wide) resources, where a Helm chart upgrade that causes unintended functional effects should be reverted (rolled back) by the user (chart operator). | ||
And as long as that rollback path exists, this is a suitable path for users to mitigate breaking functional changes. | ||
Comment on lines
+61
to
+64
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Two thoughts here....
I remember meeting with Helm users who had tight controls on their clusters. They had many who could use their namespaces and few who could manage things at the cluster level. This shaped Helm v3 designs. For example, it's the reason Helm uses secrets instead of a CRD. Using a CRD would limit who could use it. |
||
|
||
For 2., Data loss should be treated more carefully. | ||
As data loss can be irrevocable or require significant effort to restore. | ||
And especially, an application/chart operator should not expect a chart upgrade to cause data loss. | ||
Helm can prevent Data loss can be prevented by ensuring CRDs are "appended" only (with special exceptions in the specification below). An in particular, appending allows a rollback to (effectively) restore existing cluster state. | ||
(It should also be noted that Helm will today remove other resources which may cause data loss e.g. secrets, config maps, namespace, etc. A special, hard-coded, exception does exist for persistent volumes) | ||
Comment on lines
+66
to
+70
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Data loss is different between CRDs and something like secrets. If I remove a secret it removes the one secret. This impacts that single case. If a CRD is deleted all the CRs are deleted. For example, you have user A with application instance of a chart. And you have user B in that same cluster with a separate instance of the same chart. These 2 users do not know about each other. If user A deletes a CRD, even unintentionally, it will remove the CRs for user B and cause data loss for user B. This is a very different surface area from something like deleting a secret. We also know that some don't have backups and will make changes in production. When things go wrong, Helm devs will get issues to triage and deal with. |
||
|
||
|
||
## Specification | ||
|
||
<!-- | ||
Describe the syntax and semantics of any new feature. | ||
--> | ||
|
||
_Note: This specification applies to CRDs in a chart's `crds/` directory only. CRDs deployed via `templates/` are out of scope. As Helm only considered CRDs released via the `crds/` directory to be managed by Helm_ | ||
|
||
When installing for upgrading, Helm will install new CRDs from the `crds/` directory if they don't exist in the cluster. | ||
If the CRD already exists, Helm will "append" or merge CRD updates into the cluster's existing CRD object with the logic detailed below. | ||
|
||
When rolling back, Helm will simply revert merge in the previously installed version. Effectively, this is reverting to the prior "storage" version only. | ||
|
||
When uninstalling: Helm will leave CRDs as is | ||
|
||
The append/merge logic is as follows. When updsting an existing CRD resource, Helm will: | ||
|
||
- merge/update CRDs metadata (labels, annotations etc) | ||
- merge/update `/spec/names` | ||
- append new versions to the `/versions` list | ||
- update existing versions with the exception of the schema field | ||
- If in the future, functionality exists that shows a CRD version schema changes are backwards compatible, Helm may allow updating CRD version's schema field | ||
- In particular, Helm will expect the update from the chart to correctly set a single version to `storage: true` | ||
- merge/update `/conversion` field | ||
- set `/preserveUnknownFields` if the incoming or existing preserveUnknownFields values is set (logical OR) | ||
|
||
If in the future, Kubernetes introduces new fields to the CRD API, Helm will ignore these fields by default. | ||
Helm will consider introducing new logic to update any new new field that follows the rationale section as appropriate. | ||
|
||
If the `--skip-crds` flag is supplied on install/upgrade/rollback, similar to today, Helm will ignore CRD changes. | ||
|
||
## Backwards compatibility | ||
|
||
The adjustment in CRD management behavior will be visible to end users. | ||
Chart upgrades which previously ignored CRD changes will now action them. | ||
Which may cause user facing behaviour | ||
|
||
These behavioural changes are consider to acceptable for Helm 4. | ||
|
||
## Security implications | ||
|
||
None determined. | ||
|
||
## How to teach this | ||
|
||
Helm's CRD handling docs need to be updated: <https://helm.sh/docs/chart_best_practices/custom_resource_definitions/> | ||
|
||
In particular, the merge logic described will need to be documented/described. | ||
|
||
## Reference implementation | ||
|
||
<!-- | ||
Link to any existing implementation and details about its state, e.g. | ||
proof-of-concept. | ||
--> | ||
|
||
## Rejected ideas | ||
|
||
<!-- | ||
Why certain ideas that were brought while discussing this HIP were not | ||
ultimately pursued. | ||
--> | ||
|
||
### Deleting CRDs / versions | ||
|
||
In order to prevent data loss, this HIP just considered how to update CRDs. | ||
And did not consider how to remove CRD versions nor CRDs themselves. | ||
|
||
## Open issues | ||
|
||
<!-- | ||
Any points that are still being decided/discussed. | ||
--> | ||
|
||
## References | ||
|
||
<!-- | ||
A collection of URLs or materials used as references through the HIP. | ||
--> | ||
|
||
- [HIP-0011: CRD Handling in Helm 3](./hip-0011.md) | ||
- Kubernetes CRD docuemntation: | ||
- <https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/> | ||
- <https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definition-versioning/> | ||
- <https://kubernetes.io/docs/reference/kubernetes-api/extend-resources/custom-resource-definition-v1/> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's not just beyond the scope of the instance of a chart but beyond the scope of the user who is installing the chart. You can have two users of a cluster who do not have knowledge of each other or their work. This is where breaking can happen.