Enable Release Namespace Creation in Helm3

[ichekrygin]

Overview

Helm2 provided support for the Release namespace {{ .Release.Namespace }} via --namespace option if the release namespace did not exist. This functionality was considered rudimentary, and there were several requests from the community captured in #3503

Helm3 took a more opinionated approach on how to handle --namespace option w/non-existing namespaces by removing support for the release namespace creation. Irrespective of the --namespace option, the {{ .Release.Namespace }} is expected to exist before installing/upgrading any helm chart that utilizes --namespace option.

By dropping support for the Release Namespace creation via --namespace option in Helm3, we also dropped any possibility to install a Helm chart with non-existent namespace! As a result, the chart authors and chart users must rely on additional, external to Helm3 tools like kubectl to
prepare (create) Release Namespace before Helm chart installation.

It is understood that --namespace option to create namespace was sub-optimal in Helm2, which prompted requests from the helm user community similar to #3503.

Proposed Change

Rather than to remove support for the Release Namespace creation altogether, we can provide accommodations for helm chart authors to create the release namespace inline during the helm chart install by allow to define release namespace Inside as a template resource. Moreover, the helm chart authors will also be able to tailor the release namespace to the needs of the applications by including all necessary labels, annotations.

Consider following template for the Release Namespace manifest.

{{- if and .Release.Namespace (.Values.createReleaseNamespace | default false) -}}
apiVersion: v1
kind: Namespace
metadata:
  name: {{ .Release.Namespace }}
  annotations:
    my-annoation: {{ .Values.MyAnnotation }}
  labels:
    release: {{ .Release.Name }}
    my-other-label: other-label
{{- end -}}

In the example above, we chose to emulate current Helm3 chart functionality, i.e., do not create the release namespace by default.

The chart authors can decide whether or not allow multiple instances of their application to target the same namespace. For example, removing {{- if ... end -}} lines, effectively ensure that a given chart can only be installed into a newly created namespace and no two chart instances for this application can share the same namespace.

Processing and Assumptions

While the Release Namespace resource resembles other Helm template resources very closely, the processing of this resource is different.

Helm3 can perform a "special" pre-installation check to see if the Release Namespace is defined in the templates section. If it is - Helm3 will attempt to create the release namespace before recording release history, which utilizes the release namespace.

The "special" handling of the Release Namespace hs following assumptions/implications:

• The release namespace creation will be considered as a "special" functionality, i.e., since it is processed separately from the rest of the template resources (similar to crds)
• The release namespace artifact will be defined in the templates section, thus will be fully rendered just like any other templates resource (unlike crds)
• The release namespace resource will be "immutable," i.e., Helm3 will support only "Create" and "Delete" life-cycle events, and will not support "Update."
• Installing two charts that result in the resource namespace collision will be handled just like any other collision in templates resources.

Input Result Matrix (Helm3 Current)

Note: here and below, Namespace is synonymous to Release Namespace.

Note: in this example for simplicity we assume that all Helm chart artifacts are installed into the Release Namespace

#	Namespace Precondition	Namespace Option	Result	Explanation
1	Does not exist	None	Success: the helm chart is successfully installed into default namespace	The Release Namespace is neither existed, provided nor used
2	Does exist	None	Success: the helm chart is successfully installed into default namespace	The Release Namespace exists, however, neither provided nor used
3	Does not exist	Provided	Failure: the helm chart installation failed with "namespace not found"	The Release Namespace does not exist, and Helm3 will fail to perform all operations against this namespace
4	Does exist	Provided	Success: the helm chart is successfully installed into Provided release namespace	As expected

Input Result Matrix (Proposed)

Same use cases as above, but this time with proposed changed and with Helm chart that includes template definition for the Release Namespace.

#	Namespace	Namespace Option	Create Namespace Value	Result	Explanation
1	Does not exist	None	False	Success: the helm chart is successfully installed into default namespace	Same as current behavior: since the Release Namespace is provided yet it neither created nor used.
2	Does exits	None	False	Success: the helm chart is successfully installed into default namespace	Same as current behavior
3.0	Does not exist	Provided	False	Failure: the helm chart installation failed with "namespace not found"	Same as current behavior, since CreateNamespaceValue is set to false`
3.1	Does not exist	Provided	True	Success: the helm chart is installed into newly created release namespace	This is the new/proposed behavior
4.0	Does exist	Provided	False	Success: the helm chart is successfully installed into Provided release namespace	Same as current behavior
4.1	Does exist	Provided	True	Failure: namespace collision	Not "really a new" behavior since in this case the release namespace collision is no different than any Helm2/3 existing artifacts collision errors

Summary

The goal of this proposal is to entertain a possibility to provide Helm chart authors with functionality to define and provide support in terms of the properties when it comes down to the Release Namespace artifact.

With this proposal: Helm chart authors can allow users to:

• Install helm chart into an existing namespace (as currently supported)
• Install helm chart into a non-existing namespace (currently not supported)

while maintaining all the current Helm3 chart behaviors when it comes to storing Helm release information.

[thomastaylor312]

@ichekrygin Thanks for the detailed proposal and POC on this! Because this is a feature add (yes, it did exist in Helm 2, but was an explicit decision to remove), I have put this into the 3.1 milestone. We will come back around to this after we get through the Helm 3.0 release in a few weeks

[stevebail]

Good to know support for namespace creation during helm install might be back in v3.1. Is it possible to know the background about why it is considered "sub-optimal" in helm2? namespace creation with helm2 is working fine as far as I know.

[thomastaylor312]

Sure thing @stevebail. So the tl;dr is that we wanted helm to follow the same lines as kubectl and also that some users want to modify the namespace that Helm creates. Instead of trying to force everyone to do it a specific way, we leave it up to the user. See this comment for some more details: #5753 (comment)

[ichekrygin]

@stevebail @thomastaylor312 I had (and still have) a hard time finding "reasonable" justifications for [--namespace create the release namespace] functionality removal in Helm3. I understand the decision was made, i.e., what's done is done. However, I suspect many helm users will find this change to be "surprising" to say the least. Thus it is super important to have a clear and transparent explanation about the decision-making process behind this issue. Unfortunately for me, all the answers provided so far fell short of reaching that goal.

Focusing specifically on #5753 (comment)
tl;dr; on (#5753 (comment)) - there are two main themes:

1. The concern for (lack of) RBAC permission level for the user installing helm chart, i.e., admin level permissions needed for user installing helm chart
2. The accumulation of the requests from the helm community members dedicated to the "enhanced" functionality around --namespace creation.

I address 2. first for being the easiest. There could be multiple ways how we could have handled such requests, for example:

• address and implement requested functionality if it makes sense and if time permits.
• if time doesn't permit, create and assign such requests for up-coming Helm 3.+ releases
• reject requests if it doesn't make sense or if it goes against established practices and paradigms, with sufficient explanation, i.e., help to educate users on the "right" way, etc.
  The main point, if we decided to use the latter two, we still would preserve the existing (Helm2) functionality.
  Instead, it appears Helm3's response to this issue was more in line with "NO SOOP FOR YOU!"
  
  I.E., remove --namespace creation support altogether

As for 1., I have the following concerns.
It appears that Helm3 is trying to become "more opinionated" on what helm user RBAC permissions should be. While I can understand such a notion, I don't think I agree with it. I think Helm chart authors should decide on the installer RBAC permissions level since the author is the ultimate authority in that area. For the most part, this still holds (from Helm2->Helm3), i.e., helm chart authors can include cluster level scoped artifacts in the chart template.
Moreover, when it comes to CRD support, it appears Helm3 makes a decision in the opposite direction (in terms of RBAC + --namespace creation), and now includes support for CRD provisioning, which is excellent, but at the same time very inconsistent with the part of the rationale used for --namespace creation functionality deprecation.

Final point. I think to have Helm3 as a one-stop-shop tool is a highly desirable trait. Helm3 CRD support is both a welcomed addition and a step in the right direction. However, --namespace creation removal is a step (or a few) back, in my opinion.

P.S. at the end of #5753 (comment) @bacongobbler defers to @adamreese as to the authoritative source for information behind --namespace create removal, so I suspect there could be other motives not covered in the comment.

[stevebail]

@ichekrygin
Good info.

I am definitively not an authorize source and was definitively not involved in any decision :)
I am just trying to follow where this is going.
My personal view is:

1. I understand the reasoning to align with kubectl create --namespace. It makes sense to me now.
2. I also see why it is important to consider RBAC for managing cluster-level objects but maybe Helm3 went a little too far here.
3. Maybe a "middle ground solution" with an extra flag allowing the helm chart installer to also (separately) request the NS creation if he/she feels has sufficient proviledges to do so. If no, don't use this new flag and apply the install to the specified NS (assuming it is already present in the cluster)

My 2 cents.

[thomastaylor312]

It appears that Helm3 is trying to become "more opinionated" on what helm user RBAC permissions should be.

I'm not sure I understand the argument here. The goal behind any of these RBAC related decisions was explicitly to not be opinionated, meaning that we have no idea what kind of permissions a user may have. I don't think we can say the same for charts either, especially for charts in the stable repo.

I think you do have a point around CRD support. Perhaps we should make CRD installation opt-in instead of opt-out and namespace creation would behave the same way, but it might be too late for that.

[ichekrygin]

I am definitively not an authorize source

My bad, I copied wrong GitHub user, now it is corrected.

[ichekrygin]

I'm not sure I understand the argument here

@thomastaylor312 perhaps it is my misinterpretation of #5753 (comment):

Without this change, users must have cluster admin rights to install a chart, and we want to ensure that administrators can ensure users only have a restricted set of roles applied to each install.

I think the chart author is the authoritative source on what RBAC rights installing user should have, with or without the creation of --namespace. I.E., if the helm chart contains "cluster level scoped" artifacts, the treatment of those should be no different as --namespace artifact and inversely, the treatment of --namespace creation should be no different from any cluster-level chart artifacts. Thus, if users w/out propper RBAC permission attempt to install a chart with --namespace create option, they will get the same error when they try to install a chart with the template that contains cluster-level artifacts.

[thomastaylor312]

Ok, I missed one of the issues where this has sprawled across and now have a better grasp on it.

Essentially there have been several design concerns around having the namespace auto created for you that have been documented and explained by @bacongobbler and others. What it boils down to is: The scope of the --namespace flag has ballooned into something we cannot sustain/write a good UX for. Also, seeing as kubectl requires the exact same steps before sending a deployment (e.g. creating the namespace beforehand), this seems like the correct decision for right now.

What it comes down to is that this is a design and shipping decision that we have agreed upon, but we do understand your desire and point of view. I know there are pain points here, but I think they are something that can be addressed with a plugin or feature after 3.0 comes out, so please let us know if you have ways to work around the aforementioned design concerns. We are not against the use case in any way, but we want a way to support this in a sustainable fashion.

[thomastaylor312]

Well, I just gave in and whipped up a quick plugin for it: https://github.com/thomastaylor312/helm-namespace