Cert-manager: Helm2 to Helm3 migration

Created on 11 Dec 2019  路  7Comments  路  Source: jetstack/cert-manager

Describe the bug:
Migrating cert-manager helm chart from helm2 to helm3 is not working.

Expected behaviour:
There are no differences except for "app.kubernetes.io/managed-by":"Helm" and it should upgrade without problem

Steps to reproduce the bug:
Ive installed version v0.12.0 of cert-manager helm chart with helm2
Ive migrated helm releases using helm3 2to3 convert command.
When i run helm3 upgrade i have following error message 

wix-cert-manager
in ./helmfile.yaml: failed processing release wix-cert-manager: helm3 exited with status 1:
  Error: UPGRADE FAILED: cannot patch "wix-cert-manager-cainjector" with kind Deployment: Deployment.apps "wix-cert-manager-cainjector" is invalid: spec.selector: Invalid value: v1.LabelSelector{MatchLabels:map[string]string{"app":"cainjector", "app.kubernetes.io/instance":"wix-cert-manager", "app.kubernetes.io/managed-by":"Helm", "app.kubernetes.io/name":"cainjector"}, MatchExpressions:[]v1.LabelSelectorRequirement(nil)}: field is immutable && cannot patch "wix-cert-manager" with kind Deployment: Deployment.apps "wix-cert-manager" is invalid: spec.selector: Invalid value: v1.LabelSelector{MatchLabels:map[string]string{"app":"cert-manager", "app.kubernetes.io/instance":"wix-cert-manager", "app.kubernetes.io/managed-by":"Helm", "app.kubernetes.io/name":"cert-manager"}, MatchExpressions:[]v1.LabelSelectorRequirement(nil)}: field is immutable && cannot patch "wix-cert-manager-webhook" with kind Deployment: Deployment.apps "wix-cert-manager-webhook" is invalid: spec.selector: Invalid value: v1.LabelSelector{MatchLabels:map[string]string{"app":"webhook", "app.kubernetes.io/instance":"wix-cert-manager", "app.kubernetes.io/managed-by":"Helm", "app.kubernetes.io/name":"webhook"}, MatchExpressions:[]v1.LabelSelectorRequirement(nil)}: field is immutable

Anything else we need to know?:
i can destroy converted release and redeploy it from helm3 and it will work ok.

Environment details::
kube v1.15.6
helm2 v2.16.1
helm3 v3.0.0
cert-manager v0.12.0

/kind bug

kinbug
Source
picture AlexShemeshWix

Most helpful comment

I have written a few simple string replacement commands to fix this issue. Hope this helps.

kubectl get deployment/cert-manager -o yaml -n cert-manager | sed "s/Tiller/Helm/g" | kubectl replace --force=true -f -

kubectl get deployment/cert-manager-cainjector -o yaml -n cert-manager | sed "s/Tiller/Helm/g" | kubectl replace --force=true -f -

kubectl get deployment/cert-manager-webhook -o yaml -n cert-manager | sed "s/Tiller/Helm/g" | kubectl replace --force=true -f -
picture Dylan-DutchAndBold on 7 Feb 2020
5

All 7 comments

@AlexShemeshWix There is not much that jetstack can do to fix this, as any changes to the charts will cause the same error. Kube limits specific fields as immutable.

I found a workaround which is to manually edit the 3 deployments generated cert-manager, cert-manager-cainjector and cert-manager-webhook and replace Tiller with Helm.
Then upgrading works after that

deiga picture deiga on 13 Dec 2019
👍4

Yes thats what i ended up doing. Not very efficient

AlexShemeshWix picture AlexShemeshWix on 13 Dec 2019

True, but this is not really a bug in Helm or the Chart.
The Chart probably should not use label selectors which might change this way, but this change shouldn't happen too often

deiga picture deiga on 13 Dec 2019
👍2

I ran into the same issue, it seems like if we migrate an existing release and there is a selector/label set to app.kubernetes.io/managed-by: {{ .Release.Service }} it fails, I have 20 deployments running through Helm and changing each deployments label is not a feasible solution.

venkatalolla picture venkatalolla on 8 Jan 2020

The right solution to this would be to not use app.kubernetes.io/managed-by label in a LabelSelector context. This specific label doesn't add anything to the selector anyway, since there are already

      app: {{ include "cainjector.name" . }}
      app.kubernetes.io/name: {{ include "cainjector.name" . }}
      app.kubernetes.io/instance: {{ .Release.Name }}

labels that target this release.

diversario picture diversario on 6 Feb 2020
👍2

I have written a few simple string replacement commands to fix this issue. Hope this helps.

kubectl get deployment/cert-manager -o yaml -n cert-manager | sed "s/Tiller/Helm/g" | kubectl replace --force=true -f -

kubectl get deployment/cert-manager-cainjector -o yaml -n cert-manager | sed "s/Tiller/Helm/g" | kubectl replace --force=true -f -

kubectl get deployment/cert-manager-webhook -o yaml -n cert-manager | sed "s/Tiller/Helm/g" | kubectl replace --force=true -f -
Dylan-DutchAndBold picture Dylan-DutchAndBold on 7 Feb 2020
5

We have removed this label now as part of our selector, so this shouldn't come up again. As noted before, we sadly can't do anything to help those on older versions trying to upgrade.

munnerz picture munnerz on 23 Apr 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

jakubknejzlik picture jakubknejzlik  路  3Comments
munjal-patel picture munjal-patel  路  3Comments
munnerz picture munnerz  路  4Comments
howardjohn picture howardjohn  路  3Comments
gaieges picture gaieges  路  3Comments