Skip to content

[ISSUE] Helm upgrade without secrets extraction steps does not trigger validation error between v9 and v10 #1842

New issue
New issue
Open
Open
[ISSUE] Helm upgrade without secrets extraction steps does not trigger validation error between v9 and v10#1842
Labels
kind/issueUnidentified issue, it could be a bug, misconfig, or anything in betweenpossibly-outdatedFor github issues over a year old
@jessesimpson36

Description

@jessesimpson36
jessesimpson36
opened on May 22, 2024

Describe the issue:

https://camunda.slack.com/archives/C03UR0V2R2M/p1715673565744409

There are situations where a user may upgrade from 9.3.3 to 10.0.5 without specifying their existingSecrets, and for the error message must not be empty, please add '--set ... to not happen.

Actual behavior:

Helm upgrade will fail initially due to

Error: UPGRADE FAILED: cannot patch "cpt-identity" with kind Deployment: Deployment.apps "cpt-identity" is invalid: spec.selector: Invalid value: v1.LabelSelector{MatchLabels:map[string]string{"app":"camunda-platform", "app.kubernetes.io/component":"identity", "app.kubernetes.io/instance":"cpt", "app.kubernetes.io/managed-by":"Helm", "app.kubernetes.io/name":"camunda-platform", "app.kubernetes.io/part-of":"camunda-platform"}, MatchExpressions:[]v1.LabelSelectorRequirement(nil)}: field is immutable

And if you delete the identity deployment to bypass that, then the helm upgrade will succeed unexpectedly.

Expected behavior:

Error message is expected due to not supplying existingSecrets during the upgrade process:

Error: UPGRADE FAILED: execution error at (camunda-platform/charts/identity/templates/tasklist-secret.yaml:10:22):
PASSWORDS ERROR: You must provide your current passwords when upgrading the release.
                 Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims.
                 Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases

    'global.identity.auth.tasklist.existingSecret' must not be empty, please add '--set global.identity.auth.tasklist.existingSecret=$TASKLIST_SECRET' to the command. To get the current value:

        export TASKLIST_SECRET=$(kubectl get secret --namespace "camunda" "camunda-platform-test-tasklist-identity-secret" -o jsonpath="{.data.tasklist-secret}" | base64 --decode)

How to reproduce:

  1. Install helm install cpt camunda/camunda-platform --version 9.3.3
  2. Upgrade helm upgrade cpt camunda/camunda-platform --version 10.0.5
  3. If you didn't get any validation errors before it tries to apply a manifest, then you've reproduced it.

Logs:

No error message means no logs 😢 .

Environment:

Please note: Without the following info, it's hard to resolve the issue and probably it will be closed.

  • Platform: KIND
  • Helm CLI version: v3.15.0
  • Chart version: 9.3.3 -> 10.0.5
  • Values file: default values.yaml

Metadata

Metadata

Assignees

No one assigned

    Labels

    kind/issueUnidentified issue, it could be a bug, misconfig, or anything in betweenpossibly-outdatedFor github issues over a year old

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions