nelm icon indicating copy to clipboard operation
nelm copied to clipboard
verified publisher icon werf

Hooks cleaned up too early

Open ilya-lesikov opened this issue 1 year ago • 2 comments

Before proceeding

  • [X] I didn't find a similar issue

Version

werf 2.6.0

How to reproduce

Deploy these resources:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: sa
  annotations:
    "helm.sh/hook": post-install, post-upgrade
    "helm.sh/hook-delete-policy": hook-succeeded
  ...
---
apiVersion: batch/v1
kind: Job
metadata:
  name: job
  annotations:
    "helm.sh/hook": post-install, post-upgrade
    "helm.sh/hook-delete-policy": hook-succeeded
  ...

Result

Service Account will be deleted too early, resulting in error.

Expected result

Service Account deleted along with the Job at the very end, after both are executed.

Additional information

Helm 3 deletes hooks after all the hooks in pre or post stage are deployed. In Nelm we delete hook immediately after it is deployed. This breaks backwards compatibility.

Probably we should have a separate stage to cleanup all hooks at once, which will be executed after all hooks deployed, just like in Helm 3.

ilya-lesikov avatar Jun 17 '24 13:06 ilya-lesikov

As a temporary workaround, remove hook-succeeded from helm.sh/hook-delete-policy annotation (or just overwrite it like this: nelm release install --annotations="helm.sh/hook-delete-policy=before-hook-creation")

ilya-lesikov avatar Mar 31 '25 16:03 ilya-lesikov

ingress-nginx 4.12.1 is also affected.

It has two Jobs requiring extra permissions (ServiceAccount + ClusterRole + ClusterRoleBinding). https://github.com/kubernetes/ingress-nginx/blob/helm-chart-4.12.1/charts/ingress-nginx/templates/admission-webhooks/job-patch/

The workaround from the previous message works fine 🎉.

AlexandrBoltris avatar Apr 08 '25 17:04 AlexandrBoltris

Must be fixed now.

ilya-lesikov avatar Oct 08 '25 13:10 ilya-lesikov