Ingress-nginx: Helm chart is not honoring namespace correctly.

Created on 17 Aug 2020  路  8Comments  路  Source: kubernetes/ingress-nginx

NGINX Ingress controller version: Latest master branch

Kubernetes version (use kubectl version): 1.16

Environment: Linux

What happened:
I am using the helm chart provided in this repo. I ran (I am using latest helm2, but using helm3 can generate same issue)

helm template ingress-nginx --name ingress-nginx --namespace ingress-nginx

Some yamls contains namespace: {{ .Release.Namespace }} so the corresponding output object contains namespace to be the one I specified, eg. ingress-nginx-admission rolebinding template got namespace "ingress-nginx".

However, other resources such as "nginx/templates/controller-deployment.yaml" is missing "namespace: {{ .Release.Namespace }}" thus the namespace is not honored and set to default.

When deploying this helm chart, this causes failure:
The job that creates the secret is failing due to the job itself is in default namespace however the rolebinding got created in the ingress-ngix namespace

kubectl --kubeconfig shan logs ingress-nginx-admission-create1-vmwpn
{"err":"secrets \"ingress-nginx-admission\" is forbidden: User \"system:serviceaccount:default:ingress-nginx-admission\" cannot get resource \"secrets\" in API group \"\" in the namespace \"default\"","level":"fatal","msg":"error getting secret","source":"k8s/k8s.go:104","time":"2020-08-17T06:32:00Z"}

In short, this prevents supporting ingress-nginx in other namespaces when trying to install using the helm chart created in this repo.

What you expected to happen:
Every resources that's namespace scoped should contain namespace: {{ .Release.Namespace }} or be provided some way so that the generated templates are in the target namespace. Otherwise, using the helm chart, we can only deploy everything in default namespace.

How to reproduce it:

I am using the helm chart provided in this repo. I ran (I am using latest helm2, but using helm3 can generate same issue)

helm template ingress-nginx --name ingress-nginx --namespace ingress-nginx

Looking at the output yaml, a lot of the objects are not created in "inrgess-nginx" namespaces. However, some did. causing issue.

Anything else we need to know:

/kind bug

kinbug
Source
picture Lokicity

All 8 comments

@Lokicity I think this is an issue with helm2.

ping @ChiefAlexander

aledbf picture aledbf on 17 Aug 2020

@

@Lokicity I think this is an issue with helm2.

ping @ChiefAlexander

Hi, Thanks for the quick reply. I ran the same command using helm3, it has the same issue. I think the issue is a lot of the templates missing namespace: {{ .Release.Namespace }} while some contains namespace: {{ .Release.Namespace }} causing an inconsistency. I am looking for a way to deploy all resources in the same namespaces other than default. However, with the current helm chart provided in this repo, I am unable to do so.

Lokicity picture Lokicity on 17 Aug 2020

As far as I'm aware the helm best practices are to not use namespace: {{ .Release.Namespace }} and so if we have locations that are present we should remove them.

There is however ongoing conversation around this that I found while reviewing what the best thing to do was. https://github.com/helm/helm/issues/5465

To generate the chart with all namespace locations you can use helm install --namespace whatever --dry-run

ChiefAlexander picture ChiefAlexander on 17 Aug 2020

@ChiefAlexander hi I read through the link you provided, it dosen't seem like the community has provided a consistent solution. Directly using helm install dosen't suit my use case as I am only trying to use helm to generate the yamls and I use kubectl apply to apply the generated yamls. ( this way I don't have to install helm/tiller on to the cluster due to business decision).

so using the suggested command by you helm install --namespace whatever --dry-run. With helm2, the issue is since Tiller is not installed on my cluster, this command just fails directly. With helm3, I am see error

 /mnt/c/Users/yangshan/Downloads/helm3/linux-amd64/helm install ingress-nginx ingress-nginx --namespace ingress-nginx --dry-run
Error: unable to build kubernetes objects from release manifest: error validating "": error validating data: ValidationError(ValidatingWebhookConfiguration.webhooks[0]): unknown field "admissionReviewVersions" in io.k8s.api.admissionregistration.v1beta1.Webhook

With the install command, both helm2 and helm3 requires me to connect to the cluster. However, my use case is only to use the template command to generate the templates.

My question is

  1. Are specifying namespaces supported and tested by using the helm chart in this repo? What is the suggested way of generating the template?
  2. is "Helm2" not supported and only "Helm3" is supported with the chart?
  3. Some resources in this chart such as ingress-nginx-admission contains namespace: {{ .Release.Namespace }}, from what I read from helm/helm#5465 it seemed to provide 2 ways of deploying
helm template nginx-ingress-1.3.1.tgz | kubectl create --namespace ingress-system -f -
helm template --namespace ingress-system nginx-ingress-1.3.1.tgz | kubectl create -f -

It is quite confusing, which way is the right way of deploying?

I think as helm 2 is not deprecated, all functionalities of helm2 should be supported properly by the chart. If I am trying to generate a yaml using helm2 syntax with --namespace, it should be generated properly. My use case is similar to what this person is describing: https://github.com/helm/helm/issues/5465#issuecomment-541298165 and currently it is not supported by the template given. What is your take on that? Thank you for your help.
Thanks!

Lokicity picture Lokicity on 17 Aug 2020

I think as helm 2 is not deprecated, all functionalities of helm2 should be supported properly by the chart.

I would prefer to not spend time on helm 2. Not only is deprecated, but the stable repo will be de-listed from the Helm Hub in November.

Edit: the test of the chart only uses helm3

aledbf picture aledbf on 18 Aug 2020

Ok, yeah I found some articles online saying it is time to deprecate helm2: https://helm.sh/blog/. I will see if I can find the solution using helm3. Thanks for your help!

Lokicity picture Lokicity on 18 Aug 2020
👍1

@Lokicity If you can, it is definitely time to upgrade to Helm 3 馃槃 There are 3 months of before support ends for Helm 2.

But even with Helm 3, if for some reason you wanted to inject namespace in generated output using helm template, as of Helm v3.1.0 you could use a post-renderer (such as kustomize) to accomplish transformations like that: https://helm.sh/docs/topics/advanced/#post-rendering

Ideally charts should be kept clean of templating out the namspace for these reasons.

scottrigby picture scottrigby on 19 Aug 2020

Closing. Please reopen if you have more questions or if the suggested approach is not working

aledbf picture aledbf on 27 Sep 2020
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

boazj picture boazj  路  3Comments
cehoffman picture cehoffman  路  3Comments
briananstett picture briananstett  路  3Comments
geek876 picture geek876  路  3Comments
juliohm1978 picture juliohm1978  路  3Comments