helm overwrite existing resources deployed by non-helm

[kumarpmd]

Hi:
I have an EKS cluster created with Terraform and working to implement AWS Console RBAC in the cluster discussed here. As part of this process, I am able to deploy the Role, Binding using Helm Chart and patch aws-auth configmap using kubectl.

Deploying configmap using Helm complains the resource already exists and requires the configmap metadata fields (ownership,etc) to be set to helm values. Ideally would like helm to overwrite the resource, so we can start developing custom charts and use helm for cluster updates/deployments.

Can helm overwrite existing resources deployed by non-helm, or is there a workaround that should make this possible ?

Error:
Error: rendered manifests contain a resource that already exists. Unable to continue with install: ConfigMap "aws-auth" in namespace "kube-system" exists and cannot be imported into the current release: invalid ownership metadata; label validation error: key "app.kubernetes.io/managed-by" must equal "Helm": current value is "Terraform"; annotation validation error: missing key "meta.helm.sh/release-name": must be set to "console-rbac"; annotation validation error: missing key "meta.helm.sh/release-namespace": must be set to "kube-system"

Output of helm version:
v3.5.3+g041ce5a

Output of kubectl version:
Client Version: v1.19.0
Server Version: v1.20.7-eks-d88609

Cloud Provider/Platform (AKS, GKE, Minikube etc.):
AWS EKS

[yxxhero]

@kumarpmd you can try to delete the existing resources deployed by non-helm by kubectl.

[kumarpmd]

@yxxhero Thank you. The deletion will work since it removes the "Terraform" ownership metadata. Requires an extra manual step, "kubectl patch" for example.
Ideally prefer to handle create and update with Helm. Any flags that can trigger overwrite, etc..

[bacongobbler]

This is not something we plan to support. Overwriting existing resources must be performed manually as there are many things that can go wrong with "commandeering" existing resources in the cluster.

Duplicate of #2730.

[SleepyBrett]

I want to say that over three companies working with kubernetes and helm this is my single largest annoyance in helm. Telling people 'we need to take downtime in order to start using a helm chart for service x. Is a non starter (sure i can delete the deployment with --cascade=false, but i still have to delete a service object so ... downtime).

For one service this is less of a problem, I can go in and manually patch all the resources pre helm install and 'fool it'. However I've faced cases where we want to replace HUNDREDS of services. Why can't I have a flag to solve this problem for me a --this-might-be-a-bad-idea-but-ignore-ownership-restrictions on install.

I've written such a thing but it's a hack:

1. run helm template capture the output
2. parse the output and find all the objects type/name/namespace
3. for objects patch object on the cluster with labels/annotations
4. actually run helm install

I've also written this type of logic into a companies deployment pipelines:

1. run helm install
2. if error output, parse object name/namespace/type out of error and patch
3. loop 1 until no error

TL;DR the transition from live services deployed without helm to live services deployed with helm is FRAUGHT and sticking your head in the sand and having such a strong opinion is just user hostile, it's a pattern with helm (see also app version embedded in chart, not bundling dependencies into charts, and strict semver versioning in general) and it's disappointing.

[mateuszdrab]

I also think it should be possible to make helm take ownership over a resource with some sort a --force flag instead of needing workarounds or downtime inducing changes

[resphantom]

Bruh, when you have to manually delete over 54 services in 2 production clusters (over 108 - helm 2 deployments) with service NodePorts, because no patch...And then redeploy all 108 services and add new NodePorts to the loadbalancer pools.

(Don't ask me why they we're using NodePorts for routing and manual setups, I was just there for 2 months...)

[elijah0kello]

This feature is really necessary. I think at the very least, helm should ask us if we'd like to overwrite.

[MartinEmrich]

Yes, or better, add a label/annotation to mark a ressource "adoptable". My example use case:

I create a Kubernetes Cluster on AWS (EKS). There's a concept of an "IAM Service Account", i.e. a Kubernetes ServiceAccount which also has configured privileges on AWS. These are usually not created by Helm, and ServiceAccounts are namespaced.

So you create your IAM serviceaccount, including the namespace it lives in. But now the Helm chart wants to create the namespace, too, but it is already there....

Or do I not include the namespace in the helm chart? what if the Chart should work on non-AWS-Clusters, too, where the namespace might not pop up beforehand?

Making the Namespace manifest a pre-install hook on an existing chart will (understandably) delete the namespace on the next update, including all resources within. So that's not an option either.

I'd love to see an annotation like "helm.sh/existing-resource-policy" with options like "reject" (default), but also "overwrite", "merge" or "adopt".

[sambabad]

I would like to bring this issue back. Unless there is another way to tell Helm to Override Values or Skip Values, this is an important feature as it allows for external optimization of K8S without hearing the next deployment.

[lucasfcnunes]

I had to create a Python script with that operates Helmfile via Taskfile in order to do this in a standard way.

Does https://kluctl.io (https://github.com/kluctl/kluctl) does this?