crd logic #144
Comments
|
The ongoing problem with CRDs is they cannot be easily deleted if they are referenced by at least one object. So removal might be difficult since Workload Registrar is managing the SPIFFEID instances. Sometimes CRD is deleted after successful creation, setup and execution of Workload Registrar that cleared the instances. This trick with checking for an existing instance of SPIFFEID helps with installation. Perhaps there is a better way to solve this. |
|
I usually just recommend managing the crds outside of helm. there have been so many bugs/inconsistencies with the helm engine and crds its pretty risky to rely on it. At very least, I'd recommend putting the "never delete" helm annotation on the crds to keep it a little safer. |
|
These are good suggestions. Thank you. I will test it with the helm annotation. |
|
After reviewing the Helm current best practices for dealing with CRDs https://helm.sh/docs/chart_best_practices/custom_resource_definitions/ |
|
I'd recommend leaving it in the chart where it is with the annotation to disallow deletion for a version. Otherwise, if anyone upgrades to the newer version, it could get unmanaged and deleted. Once it has been in for at least one released version (and users have upgraded to that specific version) it should be safe to move to the crd's directory I think. |
|
This issue has been addressed by PR #145 as per Helm documentation https://helm.sh/docs/howto/charts_tips_and_tricks/#tell-helm-not-to-uninstall-a-resource |
https://github.com/IBM/trusted-service-identity/blob/main/charts/spire/templates/spiffeid.spiffe.io_spiffeids.tpl
Won't the check pass the first time, having the crd be managed by the chart, then on upgrade, it sees it already exists, and then turn it back off causing it to get deleted?
The text was updated successfully, but these errors were encountered: