CRDs fail to render with helm-diff #1185

@mfinelli

We use the helm-diff plugin to see the differences between versions and other changes before deploying them, but the chart provided by this repository throws an error -- a behavior that we don't see on other charts (even the main kyverno chart) when calling it the same way.

helm diff upgrade --install --color --values values.yaml policy-reporter policy-reporter/policy-reporter --version=3.5.0 --namespace=kyverno-policy-reporter

(Note that this invocation closely resembles the main helm install command)

Importantly, in our values.yaml we have the following set:

target:
  crd: true

Running the command throws the following error if the chart has already been installed (if the chart hasn't been installed yet then there is no error, but this makes sense given the error below):

Error: Failed to render chart: exit status 1: Error: Unable to continue with install: CustomResourceDefinition "targetconfigs.policyreporter.kyverno.io" in namespace "" exists and cannot be imported into the current release: invalid ownership metadata; annotation validation error: key "meta.helm.sh/release-namespace" must equal "default": current value is "kyverno-policy-reporter"

The error is "correct" in the sense that the annotation is as it says:

kubectl describe crd targetconfigs.policyreporter.kyverno.io | grep helm.sh
Annotations:  meta.helm.sh/release-name: policy-reporter
              meta.helm.sh/release-namespace: kyverno-policy-reporter

But this is by no means strange; for example, a different CRD from the main kyverno install:

kubectl describe crd clusterpolicies.kyverno.io | grep helm.sh
              helm.sh/chart=crds-3.5.2
              meta.helm.sh/release-name: kyverno
              meta.helm.sh/release-namespace: kyverno

None of this blocks actually installing/updating the chart -- we use the Terraform helm provider, which happily installs/updates the chart without issue (I haven't tried the main Helm CLI to see how it behaves) -- but it doesn't prevent us from inspecting updates beforehand.

Any idea what might be going on? I'm happy to send a PR if I could be pointed in the right direction.

Cheers
