mirror of https://github.com/helm/helm
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
main
dependabot/go_modules/dev-v3/github.com/lib/pq-1.11.1
dependabot/go_modules/main/github.com/lib/pq-1.11.1
release-4.1
release-3.19
release-4.0
dev-v3
release-3.20
copilot/backport-reflect-pointer-change
gjenkins8-patch-2
release-3.18
release-3.17
revert-toml-change
revert-13534-dev-v3-12987
add-lfx-insights
release-3.16
revert-11726-fixDepUpPerformance
release-3.15
dependabot/go_modules/k8s-io-4a36690ef2
release-3.14
release-3.13
release-3.12
release-3.11
release-3.10
Release
release-3.9
release-3.8
release-3.7
release-3.6
release-3.6.2
release-3.6.1
release-3.5
release-3.4
add-codeql
dev-v2
release-2.17
release-3.3
release-2.16
release-3.2
release-3.1
release-3.0
release-2.15
release-v3.0.0-beta.4
release-2.14
release-2.13
release-2.12
release-2.11
release-2.10
feat-v3/event-emitter-lua
release-2.9
release-2.8
release-2.7
release-2.6
release-2.5
release-2.4
release-2.3
release-2.2
release-2.1
release-2.0
kube-update-test
release-v1.2.1
v3.20.0
v4.1.0
v3.19.5
v4.0.5
v3.20.0-rc.1
v4.1.0-rc.1
v4.0.4
v3.19.4
v4.0.2
v3.19.3
v4.0.1
v3.19.2
v4.0.0
v3.19.1
v4.0.0-rc.1
v4.0.0-beta.2
v4.0.0-beta.1
v3.19.0
v3.19.0-rc.1
v4.0.0-alpha.1
v3.18.6
v3.18.5
v3.17.4
v3.18.4
v3.18.3
v3.18.2
v3.18.1
v3.18.0
v3.18.0-rc.2
v3.18.0-rc.1
v3.17.3
v3.17.2
v3.17.1
v3.17.0
v3.17.0-rc.1
v3.16.4
v3.16.3
v3.16.2
v3.16.1
v3.16.0
v3.16.0-rc.1
v3.15.4
v3.15.3
v3.15.2
v3.15.1
v3.15.0
v3.15.0-rc.2
v3.15.0-rc.1
v3.14.4
v3.14.3
v3.14.2
v3.14.1
v3.14.0
v3.14.0-rc.1
v3.13.3
v3.13.2
v3.13.1
v3.13.0
v3.13.0-rc.1
v3.12.3
v3.12.2
v3.12.1
v3.12.0
v3.12.0-rc.1
v3.11.3
v3.11.2
v3.12.0-dev.1
v3.11.1
v3.11.0
v3.11.0-rc.2
v3.11.0-rc.1
v3.10.3
v3.10.2
v3.10.1
v3.10.0
v3.10.0-rc.1
v3.9.4
v3.9.3
v3.9.2
v3.9.1
v3.9.0
v3.9.0-rc.1
v3.8.2
v3.8.1
v3.8.0
v3.8.0-rc.2
v3.8.0-rc.1
v3.7.2
v3.7.1
v3.7.0
v3.7.0-rc.3
v3.7.0-rc.2
v3.7.0-rc.1
v3.6.3
v3.6.2
v3.6.1
v3.6.0
v3.6.0-rc.1
v3.5.4
v3.5.3
v3.5.2
v3.5.1
v3.5.0
v3.5.0-rc.2
v3.5.0-rc.1
v3.4.2
v3.4.1
v3.4.0
v2.17.0
v3.4.0-rc.1
v2.17.0-rc.1
v3.3.4
v2.16.12
v3.3.3
v2.16.11
v3.3.2
v3.3.1
v2.16.10
v3.3.0
v3.3.0-rc.2
v3.3.0-rc.1
v2.16.9
v3.2.4
v2.16.8
v3.2.3
v3.2.2
v3.2.1
v2.16.7
v3.1.3
v3.2.0
v3.2.0-rc.1
v2.16.6
v2.16.5
v2.16.4
v3.1.2
v3.1.1
v2.16.3
v2.16.2
v3.1.0
v3.1.0-rc.3
v3.1.0-rc.2
v3.1.0-rc.1
v3.0.3
v3.0.2
v3.0.1
v3.0.0
v2.16.1
v3.0.0-rc.4
v3.0.0-rc.3
v2.16.0
v3.0.0-rc.2
v2.16.0-rc.2
v2.16.0-rc.1
v3.0.0-rc.1
v2.15.2
v2.15.1
v3.0.0-beta.5
v2.15.0
v2.15.0-rc.2
v2.15.0-rc.1
v3.0.0-beta.4
v3.0.0-beta.3
v3.0.0-beta.2
v3.0.0-beta.1
v2.14.3
v3.0.0-alpha.2
v2.14.2
v2.14.1
v3.0.0-alpha.1
v2.14.0
v2.14.0-rc.2
v2.14.0-rc.1
v2.13.1
v2.13.1-rc.1
v2.13.0
v2.13.0-rc.2
v2.13.0-rc.1
v2.12.3
v2.12.2
v2.12.1
v2.12.0
v2.12.0-rc.2
v2.12.0-rc.1
v2.11.0
v2.11.0-rc.4
v2.11.0-rc.3
v2.11.0-rc.2
v2.11.0-rc.1
v2.10.0
v2.10.0-rc.3
v2.10.0-rc.2
v2.10.0-rc.1
v2.9.1
v2.9.0
v2.9.0-rc5
v2.9.0-rc4
v2.9.0-rc3
v2.9.0-rc2
v2.9.0-rc1
v2.8.2
v2.8.2-rc1
v2.8.1
v2.8.0
v2.8.0-rc.1
v2.7.2
v2.7.1
v2.7.0
v2.7.0-rc1
v2.6.2
v2.6.1
v2.6.0
v2.5.1
v2.5.0
v2.4.2
v2.4.1
v2.4.0
v2.3.1
v2.3.0
1.999.0
v1.0
v1.1
v1.2
v1.2.1
v2.0.0
v2.0.0-alpha.1
v2.0.0-alpha.2
v2.0.0-alpha.3
v2.0.0-alpha.4
v2.0.0-alpha.5
v2.0.0-beta.1
v2.0.0-beta.2
v2.0.0-rc.1
v2.0.0-rc.2
v2.0.1
v2.0.2
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.2.0
v2.2.1
v2.2.2
v2.2.3
${ noResults }
Benoit Tigeot
054eabddd7
This is a rebase of https://github.com/helm/helm/pull/12299 as the pull request was tagged for Helm v4. Closes: https://github.com/helm/helm/issues/11375 Related: https://github.com/helm/helm/pull/7929 It was a pain to reproduce, here is a script: ``` set -u NS=default RELEASE=test-release CHART=./test-chart SA=limited-helm-sa HELM=${HELM:-./bin/helm} echo "Helm: $($HELM version)" echo "Cleaning…" $HELM uninstall "$RELEASE" -n "$NS" >/dev/null 2>&1 || true kubectl -n "$NS" delete sa "$SA" role "${SA}-role" rolebinding "${SA}-rb" >/dev/null 2>&1 || true kubectl -n "$NS" delete cronjob "$RELEASE-test-chart-cronjob" >/dev/null 2>&1 || true rm -rf "$CHART" /tmp/limited-helm-kubeconfig echo "Create minimal chart with only a CronJob" $HELM create "$CHART" >/dev/null rm -f "$CHART"/templates/{deployment.yaml,service.yaml,hpa.yaml,tests/test-connection.yaml,serviceaccount.yaml} cat > "$CHART/templates/cronjob.yaml" <<'YAML' apiVersion: batch/v1 kind: CronJob metadata: name: {{ include "test-chart.fullname" . }}-cronjob spec: schedule: "*/5 * * * *" jobTemplate: spec: template: spec: restartPolicy: OnFailure containers: - name: hello image: busybox command: ["/bin/sh","-c","date; echo Hello from CronJob"] YAML echo "RBAC: allow Helm storage, basic reads/creates, but NO delete on cronjobs" kubectl -n "$NS" apply -f - >/dev/null <<EOF apiVersion: v1 kind: ServiceAccount metadata: name: $SA --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: ${SA}-role rules: - apiGroups: [""] resources: ["secrets","configmaps"] verbs: ["get","list","watch","create","patch","update","delete"] - apiGroups: [""] resources: ["pods","events"] verbs: ["get","list","watch"] - apiGroups: ["batch"] resources: ["cronjobs"] verbs: ["get","list","watch","create","patch","update"] EOF kubectl -n "$NS" apply -f - >/dev/null <<EOF apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: ${SA}-rb subjects: - kind: ServiceAccount name: $SA roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: ${SA}-role EOF echo "Create kubeconfig for that SA" TOKEN=$(kubectl -n "$NS" create token "$SA") SERVER=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}') CA_DATA=$(kubectl config view --minify --raw -o jsonpath='{.clusters[0].cluster.certificate-authority-data}') KCFG=/tmp/limited-helm-kubeconfig cat > "$KCFG" <<EOF apiVersion: v1 kind: Config clusters: - name: local cluster: server: $SERVER certificate-authority-data: $CA_DATA contexts: - name: limited context: cluster: local namespace: $NS user: $SA current-context: limited users: - name: $SA user: token: $TOKEN EOF set +e echo "Install (as limited SA)" KUBECONFIG="$KCFG" $HELM upgrade --install "$RELEASE" "$CHART" -n "$NS" --wait echo "CronJob after install:" kubectl -n "$NS" get cronjob "$RELEASE-test-chart-cronjob" || true echo "Remove CronJob from chart and add a small ConfigMap to force an upgrade" rm -f "$CHART/templates/cronjob.yaml" cat > "$CHART/templates/configmap.yaml" <<'YAML' apiVersion: v1 kind: ConfigMap metadata: name: {{ include "test-chart.fullname" . }}-config data: hello: world YAML echo "Upgrade without CronJob (as limited SA)" KUBECONFIG="$KCFG" $HELM upgrade --install "$RELEASE" "$CHART" -n "$NS" RC=$? echo "Post-upgrade verification" if kubectl -n "$NS" get cronjob "$RELEASE-test-chart-cronjob" >/dev/null 2>&1; then echo "OK: Stale CronJob still present: $RELEASE-test-chart-cronjob" else echo "NO_OK: CronJob deleted" fi echo "Helm exit code: $RC" exit 0 ``` With the current build: ```sh ./reproduce-helm-issue.sh Helm: version.BuildInfo{Version:"v4.0+unreleased", GitCommit:"f19bb9cd4c99943f7a4980d6670de44affe3e472", GitTreeState:"dirty", GoVersion:"go1.24.0"} Cleaning… Create minimal chart with CronJob + ConfigMap (we will remove both in v2) RBAC: allow Helm storage + delete for configmaps, but NO delete on cronjobs Create kubeconfig for that SA Install v1 (as limited SA) Release "test-release" does not exist. Installing it now. NAME: test-release LAST DEPLOYED: Tue Oct 14 18:55:57 2025 NAMESPACE: default STATUS: deployed REVISION: 1 DESCRIPTION: Install complete TEST SUITE: None NOTES: 1. Get the application URL by running these commands: export POD_NAME=$(kubectl get pods --namespace default -l "app.kubernetes.io/name=test-chart,app.kubernetes.io/instance=test-release" -o jsonpath="{.items[0].metadata.name}") export CONTAINER_PORT=$(kubectl get pod --namespace default $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") echo "Visit http://127.0.0.1:8080 to use your application" kubectl --namespace default port-forward $POD_NAME 8080:$CONTAINER_PORT Verify v1 objects exist NAME SCHEDULE TIMEZONE SUSPEND ACTIVE LAST SCHEDULE AGE test-release-test-chart-cronjob */5 * * * * <none> False 0 <none> 0s NAME DATA AGE test-release-test-chart-config 1 0s Prepare v2: remove BOTH CronJob and ConfigMap from the chart Upgrade to v2 (as limited SA) — expecting CronJob delete first, then ConfigMap - CronJob delete should FAIL (no delete permission) - ConfigMap delete should SUCCEED (delete allowed) — proves 'continue on error' and inverted order level=DEBUG msg="getting history for release" release=test-release level=DEBUG msg="getting release history" name=test-release level=DEBUG msg="preparing upgrade" name=test-release level=DEBUG msg="getting last revision" name=test-release level=DEBUG msg="getting release history" name=test-release level=DEBUG msg="number of dependencies in the chart" dependencies=0 level=DEBUG msg="determined release apply method" server_side_apply=true previous_release_apply_method=ssa level=DEBUG msg="performing update" name=test-release level=DEBUG msg="creating upgraded release" name=test-release level=DEBUG msg="creating release" key=sh.helm.release.v1.test-release.v2 level=DEBUG msg="getting release history" name=test-release level=DEBUG msg="using server-side apply for resource update" forceConflicts=false dryRun=false fieldValidationDirective=Strict upgradeClientSideFieldManager=false level=DEBUG msg="checking resources for changes" resources=0 level=DEBUG msg="deleting resource" namespace=default name=test-release-test-chart-config kind=ConfigMap level=DEBUG msg="deleting resource" namespace=default name=test-release-test-chart-cronjob kind=CronJob level=DEBUG msg="failed to delete resource" namespace=default name=test-release-test-chart-cronjob kind=CronJob error="cronjobs.batch \"test-release-test-chart-cronjob\" is forbidden: User \"system:serviceaccount:default:limited-helm-sa\" cannot delete resource \"cronjobs\" in API group \"batch\" in the namespace \"default\"" level=INFO msg="update completed" created=0 updated=0 deleted=1 level=WARN msg="update completed with errors" errors=1 level=DEBUG msg="updating release" key=sh.helm.release.v1.test-release.v1 level=WARN msg="upgrade failed" name=test-release error="failed to delete resource test-release-test-chart-cronjob: cronjobs.batch \"test-release-test-chart-cronjob\" is forbidden: User \"system:serviceaccount:default:limited-helm-sa\" cannot delete resource \"cronjobs\" in API group \"batch\" in the namespace \"default\"" level=DEBUG msg="updating release" key=sh.helm.release.v1.test-release.v2 Error: UPGRADE FAILED: failed to delete resource test-release-test-chart-cronjob: cronjobs.batch "test-release-test-chart-cronjob" is forbidden: User "system:serviceaccount:default:limited-helm-sa" cannot delete resource "cronjobs" in API group "batch" in the namespace "default" Post-upgrade verification Stale CronJob still present: test-release-test-chart-cronjob (expected if delete is forbidden) ConfigMap deleted as expected: test-release-test-chart-config (and after CronJob attempt) Helm exit code: 1 ``` With last version v3.19: ``` HELM=/usr/local/bin/helm ./reproduce-helm-issue.sh Helm: version.BuildInfo{Version:"v3.19.0", GitCommit:"3d8990f0836691f0229297773f3524598f46bda6", GitTreeState:"clean", GoVersion:"go1.24.7"} Cleaning… Create minimal chart with only a CronJob RBAC: allow Helm storage, basic reads/creates, but NO delete on cronjobs Create kubeconfig for that SA Install (as limited SA) Release "test-release" does not exist. Installing it now. NAME: test-release LAST DEPLOYED: Tue Oct 14 19:07:01 2025 NAMESPACE: default STATUS: deployed REVISION: 1 TEST SUITE: None NOTES: 1. Get the application URL by running these commands: export POD_NAME=$(kubectl get pods --namespace default -l "app.kubernetes.io/name=test-chart,app.kubernetes.io/instance=test-release" -o jsonpath="{.items[0].metadata.name}") export CONTAINER_PORT=$(kubectl get pod --namespace default $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") echo "Visit http://127.0.0.1:8080 to use your application" kubectl --namespace default port-forward $POD_NAME 8080:$CONTAINER_PORT CronJob after install: NAME SCHEDULE TIMEZONE SUSPEND ACTIVE LAST SCHEDULE AGE test-release-test-chart-cronjob */5 * * * * <none> False 0 <none> 0s Remove CronJob from chart and add a small ConfigMap to force an upgrade Upgrade without CronJob (as limited SA) Release "test-release" has been upgraded. Happy Helming! NAME: test-release LAST DEPLOYED: Tue Oct 14 19:07:01 2025 NAMESPACE: default STATUS: deployed REVISION: 2 TEST SUITE: None NOTES: 1. Get the application URL by running these commands: export POD_NAME=$(kubectl get pods --namespace default -l "app.kubernetes.io/name=test-chart,app.kubernetes.io/instance=test-release" -o jsonpath="{.items[0].metadata.name}") export CONTAINER_PORT=$(kubectl get pod --namespace default $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") echo "Visit http://127.0.0.1:8080 to use your application" kubectl --namespace default port-forward $POD_NAME 8080:$CONTAINER_PORT Post-upgrade verification OK: Stale CronJob still present: test-release-test-chart-cronjob Helm exit code: 0 ``` Co-authored-by: dayeguilaiye <979014041@qq.com> Signed-off-by: Benoit Tigeot <benoit.tigeot@lifen.fr> |
4 months ago | |
|---|---|---|
| .. | ||
| fake | chore: Cleanup additional/redundant kube client Interfaces | 4 months ago |
| client.go | Return errors on upgrade when deletion fails | 4 months ago |
| client_test.go | Return errors on upgrade when deletion fails | 4 months ago |
| converter.go | Updating to helm.sh/helm/v4 | 1 year ago |
| factory.go | remove rest mapper | 1 year ago |
| interface.go | Apply suggestions from code review | 4 months ago |
| ready.go | Avoid accessing .Items on nil object | 4 months ago |
| ready_test.go | chore: enable usetesting linter | 8 months ago |
| resource.go | Consider GroupVersionKind when matching resources | 9 months ago |
| resource_policy.go | Updating to helm.sh/helm/v4 | 1 year ago |
| resource_test.go | Added test case to resource_test.go | 9 months ago |
| result.go | ref(*): Refactors kube client to be a bit more friendly | 7 years ago |
| roundtripper.go | fixing error handling from a previous PR | 12 months ago |
| roundtripper_test.go | test(pkg/kube/roundtripper): Add unit tests for roundtripper.go | 6 months ago |
| statuswait.go | Call slog directly instead of using a wrapper | 10 months ago |
| statuswait_test.go | chore: enable thelper | 9 months ago |
| wait.go | Kube client support server-side apply | 6 months ago |
| wait_test.go | test(pkg/kube/wait): Add unit tests for waitForPodSuccess, waitForJob and SelectorsForObject. | 6 months ago |