Cert-manager: can't install helm chart with helm 3

Created on 4 Jun 2019  路  11Comments  路  Source: jetstack/cert-manager

Describe the bug:
Can't install the helm chart using helm 3 I have this error when I follow the steps in the doc: Error: the namespace from the provided object "kube-system" does not match the namespace "cert-manager". You must pass '--namespace=kube-system' to perform this operation.

Expected behaviour:
Chart installation success

Steps to reproduce the bug:
With helm 3 in a fresh k8s cluster

# Install the CustomResourceDefinition resources separately
kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.8/deploy/manifests/00-crds.yaml

# Create the namespace for cert-manager
kubectl create namespace cert-manager

# Label the cert-manager namespace to disable resource validation
kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true

# Add the Jetstack Helm repository
helm repo add jetstack https://charts.jetstack.io

# Update your local Helm chart repository cache
helm repo update

# Install the cert-manager Helm chart
helm install \
  --name cert-manager \
  --namespace cert-manager \
  --version v0.8.0 \
  jetstack/cert-manager

Anything else we need to know?:

Environment details::

  • Kubernetes version (e.g. v1.10.2): v1.14.2
  • Cloud-provider/provisioner (e.g. GKE, kops AWS, etc): Scaleway
  • cert-manager version (e.g. v0.4.0): v0.8.0
  • Install method (e.g. helm or static manifests): helm

/kind bug

aredeploy
Source
picture kariae

Most helpful comment

Helm needs to somehow workaround this. IMO, it is perfectly valid for a single chart to install resources into more than one namespace, and it's something that has previously worked in Helm 2 for a longwhile.

There isn't really anything we can do to work around this, as this resource must be created in order for cert-manager to function.

Could you open an issue on the Helm repo to explain the problem you're running into, so they are aware of our use-case and the regression between Helm 2 and 3? 馃槃

picture munnerz on 6 Jun 2019
👍4

All 11 comments

This is a known issue with the helm 3 alpha and is tracked in issue helm/helm#5628. A temporary workaround is to set the namespace in your kubectl context to the namespace you want to install to then run the helm install command.

kubectl config set-context CONTENT_NAME --namespace NAMESPACE

thoughtentity picture thoughtentity on 5 Jun 2019

I changed already the current context to be with the namespace cert-manager as you can see here 

kubectl config get-contexts
CURRENT   NAME                          CLUSTER      AUTHINFO           NAMESPACE
*         kubernetes-admin@kubernetes   kubernetes   kubernetes-admin   cert-manager

and I still have the same issue

kariae picture kariae on 5 Jun 2019

Helm needs to somehow workaround this. IMO, it is perfectly valid for a single chart to install resources into more than one namespace, and it's something that has previously worked in Helm 2 for a longwhile.

There isn't really anything we can do to work around this, as this resource must be created in order for cert-manager to function.

Could you open an issue on the Helm repo to explain the problem you're running into, so they are aware of our use-case and the regression between Helm 2 and 3? 馃槃

munnerz picture munnerz on 6 Jun 2019
👍4

This was most likely an overlooked regression, and we will look into why Helm is failing on resources that hard-code the namespace in their metadata. As @munnerz mentioned, that is a perfectly valid use case, and probably is something we should capture in a test case going forward.

I think this has also affected the prometheus-operator chart, so this isn't a one-off kinda thing either.

bacongobbler picture bacongobbler on 18 Jun 2019
👍2

I think we can close this one and follow up in the help repository, since I was in a hurry, I reverted to Helm2 temporary :D

kariae picture kariae on 18 Jun 2019

Is installing cert-manager manually the best workaround, or did anyone found a better helm-3 way... :)

xeor picture xeor on 11 Jul 2019

See https://github.com/helm/helm/issues/5953 for the upstream issue and https://github.com/helm/helm/pull/6046 for a fix.

bacongobbler picture bacongobbler on 19 Jul 2019

So, the original error now has gone away, but has been replaced with another known bug in Helm 3. Following up in https://github.com/helm/helm/issues/5654.

Reproduction steps using Kubernetes 1.15.0 deployed via minikube:

><> kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.8/deploy/manifests/00-crds.yaml
customresourcedefinition.apiextensions.k8s.io/certificates.certmanager.k8s.io created
customresourcedefinition.apiextensions.k8s.io/challenges.certmanager.k8s.io created
customresourcedefinition.apiextensions.k8s.io/clusterissuers.certmanager.k8s.io created
customresourcedefinition.apiextensions.k8s.io/issuers.certmanager.k8s.io created
customresourcedefinition.apiextensions.k8s.io/orders.certmanager.k8s.io created
><> kubectl create namespace cert-manager
namespace/cert-manager created
><> kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true
namespace/cert-manager labeled
><> kubectl config set-context minikube --namespace=cert-manager
Context "minikube" modified.
><> helm template cert-manager jetstack/cert-manager --version v0.8.0
Error: apiVersion "apiregistration.k8s.io/v1beta1" in cert-manager/charts/webhook/templates/apiservice.yaml is not available
bacongobbler picture bacongobbler on 19 Jul 2019

Never mind. I forgot that helm template does not establish a connection to Kubernetes for schema validation, so this error seems in line with the expected results.

The following steps work on dev-v3 once the CRDs have been established. This seems safe to close at this point.

kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.8/deploy/manifests/00-crds.yaml
kubectl create namespace cert-manager
kubectl label namespace cert-manager certmanager.k8s.io/disable-validation=true
kubectl config set-context minikube --namespace=cert-manager

Wait a few minutes, then:

helm install cert-manager jetstack/cert-manager --version v0.8.0
bacongobbler picture bacongobbler on 19 Jul 2019

Thanks for working on this @bacongobbler 馃槃 glad to hear it! We'll get our CI updated to include Helm 3 over the coming weeks.

munnerz picture munnerz on 16 Oct 2019

Awesome! Glad to hear.

It turns out that my previous comment was due to a discovery cache invalidation bug. It has since been fixed with https://github.com/helm/helm/pull/6332 and https://github.com/helm/helm/pull/6486, and the fixes are both available in 3.0.0-beta.4. cert-manager should now install without issue. :)

bacongobbler picture bacongobbler on 16 Oct 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

jbouzekri picture jbouzekri  路  4Comments
caiobegotti picture caiobegotti  路  4Comments
f-f picture f-f  路  4Comments
Stono picture Stono  路  3Comments
kragniz picture kragniz  路  4Comments