From 6c4931d1c5701e70dfffd6c7c13a6d71b4b79ca0 Mon Sep 17 00:00:00 2001 From: vk-px Date: Mon, 9 Mar 2026 20:33:09 +0530 Subject: [PATCH 1/2] changes to make pxb compatible for Helm4 support --- .../templates/crds/_crd-helpers.tpl | 95 +++++++++ .../crds/crd-alertmanager.yaml | 13 +- .../crds/crd-alertmanagerconfigs.yaml | 11 +- .../{ => templates}/crds/crd-podmonitor.yaml | 13 +- .../{ => templates}/crds/crd-probes.yaml | 11 +- .../{ => templates}/crds/crd-prometheus.yaml | 13 +- .../crds/crd-prometheusrules.yaml | 13 +- .../crds/crd-servicemonitor.yaml | 12 +- .../crds/crd-thanosrulers.yaml | 11 +- .../pre-install-hook/pre-install-check.yaml | 183 +++++++++++++++++- .../pre-upgrade-hook/pre-upgrade-check.yaml | 77 +++++++- charts/px-central/values.yaml | 15 +- 12 files changed, 441 insertions(+), 26 deletions(-) create mode 100644 charts/px-central/templates/crds/_crd-helpers.tpl rename charts/px-central/{ => templates}/crds/crd-alertmanager.yaml (99%) rename charts/px-central/{ => templates}/crds/crd-alertmanagerconfigs.yaml (99%) rename charts/px-central/{ => templates}/crds/crd-podmonitor.yaml (98%) rename charts/px-central/{ => templates}/crds/crd-probes.yaml (98%) rename charts/px-central/{ => templates}/crds/crd-prometheus.yaml (99%) rename charts/px-central/{ => templates}/crds/crd-prometheusrules.yaml (89%) rename charts/px-central/{ => templates}/crds/crd-servicemonitor.yaml (98%) rename charts/px-central/{ => templates}/crds/crd-thanosrulers.yaml (99%) diff --git a/charts/px-central/templates/crds/_crd-helpers.tpl b/charts/px-central/templates/crds/_crd-helpers.tpl new file mode 100644 index 000000000..cb8530de2 --- /dev/null +++ b/charts/px-central/templates/crds/_crd-helpers.tpl 
@@ -0,0 +1,95 @@ +{{/* +============================================================================= +CRD Helper Templates for Helm 4 SSA Compatibility +============================================================================= + +These helpers support conditional CRD installation to prevent conflicts when +CRDs are pre-installed by another component (e.g., Portworx Enterprise). + +In Helm 4 with Server-Side Apply (SSA), CRD ownership conflicts occur when +multiple managers attempt to manage the same CRD. By conditionally installing +CRDs only when they don't exist, we avoid these conflicts. + +SUPPORTED VALUES for .Values.installCRDs: + - "true" : Always install CRDs (use when CRDs don't exist) + - "false" : Never install CRDs (use with ArgoCD when CRDs are managed separately, + or when Portworx Enterprise is pre-installed) + - "auto" : Use Helm lookup to detect if CRDs exist (default) + NOTE: With ArgoCD, lookup always returns empty, so "auto" behaves + like "true". ArgoCD users with pre-existing CRDs should use "false". + +ARGOCD USERS: + When deploying via ArgoCD with pre-existing CRDs (e.g., Portworx installed), + you MUST set installCRDs: "false" to avoid conflicts. ArgoCD uses `helm template` + which doesn't have cluster access, so the lookup function cannot detect existing CRDs. + + Alternatively, use ArgoCD's built-in skipCrds option: + spec: + source: + helm: + skipCrds: true +*/}} + +{{/* +Check if a CRD exists in the cluster. +Usage: {{ include "px-central.crdExists" "alertmanagers.monitoring.coreos.com" }} +Returns: "true" if the CRD exists, "false" otherwise + +NOTE: This returns "false" when used with ArgoCD (helm template) because + lookup requires cluster access which ArgoCD doesn't provide during rendering. +*/}} +{{- define "px-central.crdExists" -}} +{{- $crd := lookup "apiextensions.k8s.io/v1" "CustomResourceDefinition" "" . 
-}} +{{- if $crd }}true{{- else }}false{{- end -}} +{{- end -}} + +{{/* +Determine if a CRD should be installed based on installCRDs value. +Usage: {{ include "px-central.shouldInstallCRD" (dict "crdName" "alertmanagers.monitoring.coreos.com" "context" .) }} +Returns: "true" if the CRD should be installed, "false" otherwise + +Logic: + - installCRDs: "true" or true -> Always return "true" + - installCRDs: "false" or false -> Always return "false" + - installCRDs: "auto" (default) -> Use lookup to check if CRD exists + (NOTE: ArgoCD will always get "true" here due to lookup limitations) + +NOTE: Helm --set flag parses "false" as boolean, while values.yaml keeps it as string. + This helper handles both boolean and string types. +*/}} +{{- define "px-central.shouldInstallCRD" -}} +{{- /* Get installCRDs value, defaulting to "auto" if nil/empty string */ -}} +{{- $installCRDs := .context.Values.installCRDs -}} +{{- /* Check if installCRDs is nil or empty string (but NOT boolean false) */ -}} +{{- $isNilOrEmpty := and (not (kindIs "bool" $installCRDs)) (not $installCRDs) -}} +{{- if $isNilOrEmpty -}} +{{- $installCRDs = "auto" -}} +{{- end -}} +{{- /* Convert to string for consistent comparison */ -}} +{{- $installCRDsStr := toString $installCRDs -}} +{{- /* Handle "true" (also handles boolean true which becomes "true") */ -}} +{{- if eq $installCRDsStr "true" -}} +true +{{- /* Handle "false" (also handles boolean false which becomes "false") */ -}} +{{- else if eq $installCRDsStr "false" -}} +false +{{- else -}} +{{- /* installCRDs = "auto" - use lookup */ -}} +{{- $crdExists := include "px-central.crdExists" .crdName -}} +{{- if eq $crdExists "true" -}} +false +{{- else -}} +true +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +CRD labels - common labels for all CRDs +*/}} +{{- define "px-central.crdLabels" -}} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/part-of: px-central +helm.sh/chart: {{ 
include "px-central.chart" . }} +{{- end -}} diff --git a/charts/px-central/crds/crd-alertmanager.yaml b/charts/px-central/templates/crds/crd-alertmanager.yaml similarity index 99% rename from charts/px-central/crds/crd-alertmanager.yaml rename to charts/px-central/templates/crds/crd-alertmanager.yaml index 398e56f7c..1bf8d9177 100644 --- a/charts/px-central/crds/crd-alertmanager.yaml +++ b/charts/px-central/templates/crds/crd-alertmanager.yaml @@ -1,3 +1,11 @@ +{{/* +Conditional CRD installation for Helm 4 SSA compatibility. +Only installs the CRD if it doesn't already exist in the cluster. +This preserves the full OpenAPI validation schema. + +For ArgoCD deployments with pre-existing CRDs, set installCRDs: "false" +*/}} +{{- if eq (include "px-central.shouldInstallCRD" (dict "crdName" "alertmanagers.monitoring.coreos.com" "context" .)) "true" }} # https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.47.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagers.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -5,8 +13,6 @@ metadata: name: alertmanagers.monitoring.coreos.com labels: app: prometheus-operator - annotations: - "helm.sh/hook": crd-install spec: group: monitoring.coreos.com names: @@ -3209,4 +3215,5 @@ spec: type: object served: true storage: true - subresources: {} \ No newline at end of file + subresources: {} +{{- end }} diff --git a/charts/px-central/crds/crd-alertmanagerconfigs.yaml b/charts/px-central/templates/crds/crd-alertmanagerconfigs.yaml similarity index 99% rename from charts/px-central/crds/crd-alertmanagerconfigs.yaml rename to charts/px-central/templates/crds/crd-alertmanagerconfigs.yaml index 873dcfe9b..1bce17d17 100644 --- a/charts/px-central/crds/crd-alertmanagerconfigs.yaml +++ b/charts/px-central/templates/crds/crd-alertmanagerconfigs.yaml 
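Review bot: `px-central.crdLabels`, defined at the end of this hunk, is not included by any of the CRD templates in this patch — each of them keeps the literal `labels: app: prometheus-operator` — so the helper is dead code; either render it under `metadata.labels` in the CRD templates or drop it. Separately, `px-central.crdExists` maps an empty `lookup` result to "CRD absent", and the header comment only explains this for `helm template`/ArgoCD; the same path is taken whenever the installing identity cannot read CustomResourceDefinitions cluster-wide, and whether a forbidden lookup surfaces as a render error or as an empty result depends on the Helm version (an inference, not visible here). A line in the helper comment such as `NOTE: "auto" also assumes the installing identity can get CustomResourceDefinitions; without that permission the result is not reliable.` would save operators a surprise.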
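Review bot: The seven-line comment header added at the top of crd-alertmanager.yaml is repeated verbatim in crd-alertmanagerconfigs.yaml, crd-podmonitor.yaml, crd-probes.yaml, crd-prometheus.yaml, crd-prometheusrules.yaml, crd-servicemonitor.yaml and crd-thanosrulers.yaml, so any wording change has to be made eight times. A single line per file, `{{/* Conditional CRD install; see _crd-helpers.tpl for the installCRDs semantics */}}`, pointing at the helper's own documentation would keep the templates in sync. The CRD bodies these `{{- if }}`/`{{- end }}` wrappers enclose lie outside the hunks.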
@@ -1,3 +1,11 @@ +{{/* +Conditional CRD installation for Helm 4 SSA compatibility. +Only installs the CRD if it doesn't already exist in the cluster. +This preserves the full OpenAPI validation schema. + +For ArgoCD deployments with pre-existing CRDs, set installCRDs: "false" +*/}} +{{- if eq (include "px-central.shouldInstallCRD" (dict "crdName" "alertmanagerconfigs.monitoring.coreos.com" "context" .)) "true" }} # https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.50.0/example/prometheus-operator-crd/monitoring.coreos.com_alertmanagerconfigs.yaml --- @@ -2438,4 +2446,5 @@ status: kind: "" plural: "" conditions: [] - storedVersions: [] \ No newline at end of file + storedVersions: [] +{{- end }} diff --git a/charts/px-central/crds/crd-podmonitor.yaml b/charts/px-central/templates/crds/crd-podmonitor.yaml similarity index 98% rename from charts/px-central/crds/crd-podmonitor.yaml rename to charts/px-central/templates/crds/crd-podmonitor.yaml index c6e866ebd..3bc80dbb5 100644 --- a/charts/px-central/crds/crd-podmonitor.yaml +++ b/charts/px-central/templates/crds/crd-podmonitor.yaml @@ -1,3 +1,11 @@ +{{/* +Conditional CRD installation for Helm 4 SSA compatibility. +Only installs the CRD if it doesn't already exist in the cluster. +This preserves the full OpenAPI validation schema. + +For ArgoCD deployments with pre-existing CRDs, set installCRDs: "false" +*/}} +{{- if eq (include "px-central.shouldInstallCRD" (dict "crdName" "podmonitors.monitoring.coreos.com" "context" .)) "true" }} # https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.47.0/example/prometheus-operator-crd/monitoring.coreos.com_podmonitors.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -5,8 +13,6 @@ metadata: name: podmonitors.monitoring.coreos.com labels: app: prometheus-operator - annotations: - "helm.sh/hook": crd-install spec: group: monitoring.coreos.com names: 
@@ -344,4 +350,5 @@ spec: - spec type: object served: true - storage: true \ No newline at end of file + storage: true +{{- end }} diff --git a/charts/px-central/crds/crd-probes.yaml b/charts/px-central/templates/crds/crd-probes.yaml similarity index 98% rename from charts/px-central/crds/crd-probes.yaml rename to charts/px-central/templates/crds/crd-probes.yaml index 4d298cfc9..925837907 100644 --- a/charts/px-central/crds/crd-probes.yaml +++ b/charts/px-central/templates/crds/crd-probes.yaml @@ -1,3 +1,11 @@ +{{/* +Conditional CRD installation for Helm 4 SSA compatibility. +Only installs the CRD if it doesn't already exist in the cluster. +This preserves the full OpenAPI validation schema. + +For ArgoCD deployments with pre-existing CRDs, set installCRDs: "false" +*/}} +{{- if eq (include "px-central.shouldInstallCRD" (dict "crdName" "probes.monitoring.coreos.com" "context" .)) "true" }} # https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.50.0/example/prometheus-operator-crd/monitoring.coreos.com_probes.yaml --- @@ -566,4 +574,5 @@ status: kind: "" plural: "" conditions: [] - storedVersions: [] \ No newline at end of file + storedVersions: [] +{{- end }} diff --git a/charts/px-central/crds/crd-prometheus.yaml b/charts/px-central/templates/crds/crd-prometheus.yaml similarity index 99% rename from charts/px-central/crds/crd-prometheus.yaml rename to charts/px-central/templates/crds/crd-prometheus.yaml index 7b4dbfe8b..5a70f528b 100644 --- a/charts/px-central/crds/crd-prometheus.yaml +++ b/charts/px-central/templates/crds/crd-prometheus.yaml 
@@ -1,3 +1,11 @@ +{{/* +Conditional CRD installation for Helm 4 SSA compatibility. +Only installs the CRD if it doesn't already exist in the cluster. +This preserves the full OpenAPI validation schema. + +For ArgoCD deployments with pre-existing CRDs, set installCRDs: "false" +*/}} +{{- if eq (include "px-central.shouldInstallCRD" (dict "crdName" "prometheuses.monitoring.coreos.com" "context" .)) "true" }} # https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.47.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition @@ -5,8 +13,6 @@ metadata: name: prometheuses.monitoring.coreos.com labels: app: prometheus-operator - annotations: - "helm.sh/hook": crd-install spec: group: monitoring.coreos.com names: @@ -4434,4 +4440,5 @@ spec: type: object served: true storage: true - subresources: {} \ No newline at end of file + subresources: {} +{{- end }} diff --git a/charts/px-central/crds/crd-prometheusrules.yaml b/charts/px-central/templates/crds/crd-prometheusrules.yaml similarity index 89% rename from charts/px-central/crds/crd-prometheusrules.yaml rename to charts/px-central/templates/crds/crd-prometheusrules.yaml index dd2121872..107043d6a 100644 --- a/charts/px-central/crds/crd-prometheusrules.yaml +++ b/charts/px-central/templates/crds/crd-prometheusrules.yaml @@ -1,3 +1,11 @@ +{{/* +Conditional CRD installation for Helm 4 SSA compatibility. +Only installs the CRD if it doesn't already exist in the cluster. +This preserves the full OpenAPI validation schema. + +For ArgoCD deployments with pre-existing CRDs, set installCRDs: "false" +*/}} +{{- if eq (include "px-central.shouldInstallCRD" (dict "crdName" "prometheusrules.monitoring.coreos.com" "context" .)) "true" }} # https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.47.0/example/prometheus-operator-crd/monitoring.coreos.com_prometheusrules.yaml apiVersion: apiextensions.k8s.io/v1 
@@ -6,8 +14,6 @@ metadata: name: prometheusrules.monitoring.coreos.com labels: app: prometheus-operator - annotations: - "helm.sh/hook": crd-install spec: group: monitoring.coreos.com names: @@ -81,4 +87,5 @@ spec: - spec type: object served: true - storage: true \ No newline at end of file + storage: true +{{- end }} diff --git a/charts/px-central/crds/crd-servicemonitor.yaml b/charts/px-central/templates/crds/crd-servicemonitor.yaml similarity index 98% rename from charts/px-central/crds/crd-servicemonitor.yaml rename to charts/px-central/templates/crds/crd-servicemonitor.yaml index 3b27a4be4..b21f01f78 100644 --- a/charts/px-central/crds/crd-servicemonitor.yaml +++ b/charts/px-central/templates/crds/crd-servicemonitor.yaml @@ -1,10 +1,17 @@ +{{/* +Conditional CRD installation for Helm 4 SSA compatibility. +Only installs the CRD if it doesn't already exist in the cluster. +This preserves the full OpenAPI validation schema. + +For ArgoCD deployments with pre-existing CRDs, set installCRDs: "false" +*/}} +{{- if eq (include "px-central.shouldInstallCRD" (dict "crdName" "servicemonitors.monitoring.coreos.com" "context" .)) "true" }} # https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.47.0/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.1 - helm.sh/hook: crd-install name: servicemonitors.monitoring.coreos.com spec: group: monitoring.coreos.com @@ -363,4 +370,5 @@ spec: - spec type: object served: true - storage: true \ No newline at end of file + storage: true +{{- end }} diff --git a/charts/px-central/crds/crd-thanosrulers.yaml b/charts/px-central/templates/crds/crd-thanosrulers.yaml similarity index 99% rename from charts/px-central/crds/crd-thanosrulers.yaml rename to charts/px-central/templates/crds/crd-thanosrulers.yaml index d6e064312..94184c0ae 100644 
--- a/charts/px-central/crds/crd-thanosrulers.yaml +++ b/charts/px-central/templates/crds/crd-thanosrulers.yaml @@ -1,3 +1,11 @@ +{{/* +Conditional CRD installation for Helm 4 SSA compatibility. +Only installs the CRD if it doesn't already exist in the cluster. +This preserves the full OpenAPI validation schema. + +For ArgoCD deployments with pre-existing CRDs, set installCRDs: "false" +*/}} +{{- if eq (include "px-central.shouldInstallCRD" (dict "crdName" "thanosrulers.monitoring.coreos.com" "context" .)) "true" }} # https://raw.githubusercontent.com/prometheus-operator/prometheus-operator/v0.50.0/example/prometheus-operator-crd/monitoring.coreos.com_thanosrulers.yaml --- apiVersion: apiextensions.k8s.io/v1 @@ -5030,4 +5038,5 @@ status: kind: "" plural: "" conditions: [] - storedVersions: [] \ No newline at end of file + storedVersions: [] +{{- end }} diff --git a/charts/px-central/templates/px-backup/pre-install-hook/pre-install-check.yaml b/charts/px-central/templates/px-backup/pre-install-hook/pre-install-check.yaml index bc6c13b53..c5630865f 100644 --- a/charts/px-central/templates/px-backup/pre-install-hook/pre-install-check.yaml +++ b/charts/px-central/templates/px-backup/pre-install-hook/pre-install-check.yaml @@ -7,6 +7,20 @@ {{- if not .Values.isUpgrade }} --- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: px-backup-pre-install-account + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + name: pxcentral-pre-install-hook + app.kubernetes.io/component: pxcentral-pre-install-hook +{{- include "px-central.partOfLabel" . | nindent 4 }} +--- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: 
@@ -67,6 +81,29 @@ rules: resources: ["resourcequotas"] verbs: ["get", "list", "watch"] --- +# Pre-install ClusterRole (cluster-scoped resources) +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ .Release.Namespace }}-px-backup-pre-install-clusterrole + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-weight": "2" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + name: pxcentral-pre-install-hook + app.kubernetes.io/component: pxcentral-pre-install-hook +{{- include "px-central.partOfLabel" . | nindent 4 }} +rules: + # For ValidateNamespace + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] + # For ValidateStorageClass / Storage provisioner validation + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] +--- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: 
@@ -82,13 +119,35 @@ metadata: {{- include "px-central.partOfLabel" . | nindent 4 }} subjects: - kind: ServiceAccount - name: default + name: px-backup-pre-install-account namespace: {{ .Release.Namespace }} roleRef: kind: Role name: px-backup-pre-install-role apiGroup: rbac.authorization.k8s.io --- +# Pre-install ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ .Release.Namespace }}-px-backup-pre-install-clusterrolebinding + annotations: + "helm.sh/hook": pre-install + "helm.sh/hook-weight": "3" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + name: pxcentral-pre-install-hook + app.kubernetes.io/component: pxcentral-pre-install-hook +{{- include "px-central.partOfLabel" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: px-backup-pre-install-account + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Release.Namespace }}-px-backup-pre-install-clusterrole + apiGroup: rbac.authorization.k8s.io +--- apiVersion: v1 kind: PersistentVolumeClaim metadata: @@ -139,6 +198,7 @@ spec: kubernetes.azure.com/no-http-proxy-vars: "true" {{- end }} spec: + serviceAccountName: px-backup-pre-install-account {{- if $isOpenshiftCluster}} {{- else }} securityContext: 
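Review bot: The new ClusterRoleBinding uses the `before-hook-creation,hook-succeeded` delete policy, so when the pre-install Job fails the cluster-scoped grant to `px-backup-pre-install-account` stays in the cluster until the next hook run. Unlike the Job, the RBAC objects carry no diagnostic value after a failure, so adding `hook-failed` on the ClusterRoleBinding (and the ClusterRole and ServiceAccount) bounds the lifetime of the cluster-wide permissions: `"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed`. The same applies to the preflight ClusterRoleBinding and the pre-upgrade ClusterRoleBinding added later in this series. Switching the RoleBinding subject from `default` to the dedicated ServiceAccount is the right direction, since the old binding extended the Role to every pod in the namespace that ran as `default`.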
@@ -243,6 +303,126 @@ spec: {{- end }} --- {{- if eq $pxBackupEnabled true }} +# Preflight ServiceAccount - runs on both pre-install and pre-upgrade +apiVersion: v1 +kind: ServiceAccount +metadata: + name: px-backup-preflight-account + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + name: pxcentral-preflight-check-hook + app.kubernetes.io/component: pxcentral-preflight-check-hook +{{- include "px-central.partOfLabel" . | nindent 4 }} +--- +# Preflight Role (namespace-scoped resources) +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: px-backup-preflight-role + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "2" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + name: pxcentral-preflight-check-hook + app.kubernetes.io/component: pxcentral-preflight-check-hook +{{- include "px-central.partOfLabel" . 
| nindent 4 }} +rules: + # For in-cluster keychain / image pull secrets + - apiGroups: [""] + resources: ["serviceaccounts"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + # For saving preflight results + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "list", "watch", "create", "update", "delete"] + # For job cleanup and log collection + - apiGroups: [""] + resources: ["pods"] + verbs: ["get", "list"] + - apiGroups: [""] + resources: ["pods/log"] + verbs: ["get"] + - apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["get", "list", "delete"] +--- +# Preflight ClusterRole (cluster-scoped resources like StorageClasses) +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ .Release.Namespace }}-px-backup-preflight-clusterrole + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "2" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + name: pxcentral-preflight-check-hook + app.kubernetes.io/component: pxcentral-preflight-check-hook +{{- include "px-central.partOfLabel" . | nindent 4 }} +rules: + # For ValidateStorageClass + - apiGroups: ["storage.k8s.io"] + resources: ["storageclasses"] + verbs: ["get", "list", "watch"] + # For ValidateNamespace + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] +--- +# Preflight RoleBinding (namespace-scoped) +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: px-backup-preflight-rolebinding + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "3" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + name: pxcentral-preflight-check-hook + app.kubernetes.io/component: pxcentral-preflight-check-hook +{{- include "px-central.partOfLabel" . 
| nindent 4 }} +subjects: + - kind: ServiceAccount + name: px-backup-preflight-account + namespace: {{ .Release.Namespace }} +roleRef: + kind: Role + name: px-backup-preflight-role + apiGroup: rbac.authorization.k8s.io +--- +# Preflight ClusterRoleBinding (for cluster-scoped resources) +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ .Release.Namespace }}-px-backup-preflight-clusterrolebinding + annotations: + "helm.sh/hook": pre-install,pre-upgrade + "helm.sh/hook-weight": "3" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + name: pxcentral-preflight-check-hook + app.kubernetes.io/component: pxcentral-preflight-check-hook +{{- include "px-central.partOfLabel" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: px-backup-preflight-account + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Release.Namespace }}-px-backup-preflight-clusterrole + apiGroup: rbac.authorization.k8s.io +--- # Pre Flight check job apiVersion: batch/v1 kind: Job @@ -267,6 +447,7 @@ spec: kubernetes.azure.com/no-http-proxy-vars: "true" {{- end }} spec: + serviceAccountName: px-backup-preflight-account {{- if $isOpenshiftCluster}} {{- else }} securityContext: diff --git a/charts/px-central/templates/px-backup/pre-upgrade-hook/pre-upgrade-check.yaml b/charts/px-central/templates/px-backup/pre-upgrade-hook/pre-upgrade-check.yaml index 1bd49aaf6..bbddc9347 100644 --- a/charts/px-central/templates/px-backup/pre-upgrade-hook/pre-upgrade-check.yaml +++ b/charts/px-central/templates/px-backup/pre-upgrade-hook/pre-upgrade-check.yaml 
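Review bot: The preflight Role grants `get, list, watch` on all `secrets` in the release namespace, which lets the preflight pod enumerate every Secret the chart keeps there (database and admin credentials included), not only the image pull secret that the comment `# For in-cluster keychain / image pull secrets` refers to. If the keychain resolves just the pull secrets named on the ServiceAccount — which the adjacent `serviceaccounts` rule suggests, though the job code is not visible here — `get` is enough and `list`/`watch` can go: `verbs: ["get"]`. If the pull secret names are known at render time, a `resourceNames` list would narrow it further. The Job that uses this ServiceAccount continues outside the hunk.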
@@ -32,6 +32,20 @@ {{- end }} {{- end }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: px-backup-pre-upgrade-account + namespace: {{ .Release.Namespace }} + annotations: + "helm.sh/hook": pre-upgrade + "helm.sh/hook-weight": "1" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + name: pxcentral-pre-upgrade-hook + app.kubernetes.io/component: pxcentral-pre-upgrade-hook +{{- include "px-central.partOfLabel" . | nindent 4 }} +--- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -39,6 +53,7 @@ metadata: namespace: {{ .Release.Namespace }} annotations: "helm.sh/hook": pre-upgrade + "helm.sh/hook-weight": "2" "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: name: pxcentral-pre-upgrade-hook 
@@ -81,15 +96,39 @@ rules: - apiGroups: ["apps"] resources: ["deployments"] verbs: ["get", "list", "update", "patch"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["create", "update", "get", "patch", "list", "watch"] - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["create", "update", "get", "patch", "list", "delete"] - apiGroups: [""] resources: ["pods/exec"] verbs: ["create"] + - apiGroups: [""] + resources: ["resourcequotas"] + verbs: ["get", "list", "watch"] +--- +# Pre-upgrade ClusterRole (cluster-scoped resources) +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ .Release.Namespace }}-px-backup-pre-upgrade-clusterrole + annotations: + "helm.sh/hook": pre-upgrade + "helm.sh/hook-weight": "2" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + name: pxcentral-pre-upgrade-hook + app.kubernetes.io/component: pxcentral-pre-upgrade-hook +{{- include "px-central.partOfLabel" . | nindent 4 }} +rules: + # For ValidateNamespace + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["get", "list", "watch"] + # For PersistentVolumes (cluster-scoped) + - apiGroups: [""] + resources: ["persistentvolumes"] + verbs: ["create", "update", "get", "patch", "list", "delete"] + # For CustomResourceDefinitions (cluster-scoped) + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["create", "update", "get", "patch", "list", "watch"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding @@ -98,6 +137,7 @@ metadata: namespace: {{ .Release.Namespace }} annotations: "helm.sh/hook": pre-upgrade + "helm.sh/hook-weight": "3" "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded labels: name: pxcentral-pre-upgrade-hook 
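Review bot: The pre-upgrade ClusterRole grants `create, update, patch, delete` on `persistentvolumes` and `create, update, patch` on `customresourcedefinitions` cluster-wide to `px-backup-pre-upgrade-account`. Moving these rules out of the namespaced Role is correct — a Role bound in a namespace cannot grant access to cluster-scoped resources — but it also means the grant becomes effective for the first time, so the verbs deserve a second look: `delete` on PersistentVolumes covers every PV in the cluster, not just those backing this release. If the upgrade job only patches or re-labels its own PVs, drop `delete`; in any case the rule comment `# For PersistentVolumes (cluster-scoped)` should say what the job does with them so the scope can be checked. The Role's `rules:` list this hunk edits begins outside the hunk.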
@@ -105,13 +145,35 @@ metadata: {{- include "px-central.partOfLabel" . | nindent 4 }} subjects: - kind: ServiceAccount - name: default + name: px-backup-pre-upgrade-account namespace: {{ .Release.Namespace }} roleRef: kind: Role name: px-backup-mongodb-pre-upgrade-role apiGroup: rbac.authorization.k8s.io --- +# Pre-upgrade ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ .Release.Namespace }}-px-backup-pre-upgrade-clusterrolebinding + annotations: + "helm.sh/hook": pre-upgrade + "helm.sh/hook-weight": "3" + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + name: pxcentral-pre-upgrade-hook + app.kubernetes.io/component: pxcentral-pre-upgrade-hook +{{- include "px-central.partOfLabel" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: px-backup-pre-upgrade-account + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ .Release.Namespace }}-px-backup-pre-upgrade-clusterrole + apiGroup: rbac.authorization.k8s.io +--- apiVersion: v1 kind: PersistentVolumeClaim metadata: @@ -162,6 +224,7 @@ spec: kubernetes.azure.com/no-http-proxy-vars: "true" {{- end }} spec: + serviceAccountName: px-backup-pre-upgrade-account {{- if $isOpenshiftCluster}} {{- else }} securityContext: diff --git a/charts/px-central/values.yaml b/charts/px-central/values.yaml index 556810170..9dc04c9f2 100644 --- a/charts/px-central/values.yaml +++ b/charts/px-central/values.yaml 
@@ -192,7 +192,20 @@ cassandra: maxHeapSize: newHeapSize: -installCRDs: false +## ============================================================================= +## CRD Installation Control +## ============================================================================= +## Helm relies on the templates to install CRDs, installCRDs is controls the +## of lookup funtionality of Helm during install/upgrade. +## ArgoCD uses `helm template` which doesn't have cluster access, so the +## lookup function cannot detect existing CRDs. With installCRDs: "auto", +## ArgoCD will ALWAYS include CRDs in the rendered output. +## +## If your cluster has pre-existing CRDs (e.g., from Portworx Enterprise), +## you MUST set installCRDs: "false" to avoid conflicts. +## +## +installCRDs: "auto" clusterDomain: "cluster.local" cassandraUsername: cassandra cassandraPassword: cassandra From d6603f754b71bf27cb4e8dff648fd333d9561881 Mon Sep 17 00:00:00 2001 From: vk-px Date: Wed, 25 Mar 2026 13:19:17 +0530 Subject: [PATCH 2/2] added retention and addressed review comments --- .../px-central/templates/crds/_crd-helpers.tpl | 6 ++++++ .../templates/crds/crd-alertmanager.yaml | 2 ++ .../templates/crds/crd-alertmanagerconfigs.yaml | 1 + .../templates/crds/crd-podmonitor.yaml | 2 ++ charts/px-central/templates/crds/crd-probes.yaml | 1 + .../templates/crds/crd-prometheus.yaml | 2 ++ .../templates/crds/crd-prometheusrules.yaml | 2 ++ .../templates/crds/crd-servicemonitor.yaml | 1 + .../templates/crds/crd-thanosrulers.yaml | 1 + .../pre-install-hook/pre-install-check.yaml | 16 ++++++++-------- charts/px-central/values.yaml | 14 +++++++------- 11 files changed, 33 insertions(+), 15 deletions(-) diff --git a/charts/px-central/templates/crds/_crd-helpers.tpl b/charts/px-central/templates/crds/_crd-helpers.tpl index cb8530de2..2d70a66c8 100644 --- a/charts/px-central/templates/crds/_crd-helpers.tpl +++ b/charts/px-central/templates/crds/_crd-helpers.tpl 
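Review bot: The new values.yaml comment is garbled at `installCRDs is controls the` / `of lookup funtionality of Helm during install/upgrade`, and it does not list the accepted values, so a reader has to open `_crd-helpers.tpl` to learn that `"true"`, `"false"` and `"auto"` are the options. Suggested replacement for those two lines: `## CRDs are rendered from templates/crds; installCRDs controls whether they are emitted:` / `## "true" always, "false" never, "auto" (default) only when Helm's lookup does not find them.` The two trailing `##` lines before the key can go. Quoting the default as `"auto"` is the right choice, since `--set installCRDs=false` arrives as a boolean and the helper normalises both forms.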
@@ -49,6 +49,7 @@ Usage: {{ include "px-central.shouldInstallCRD" (dict "crdName" "alertmanagers.m Returns: "true" if the CRD should be installed, "false" otherwise Logic: + - During upgrades: Always return "false" (CRDs were installed during initial install) - installCRDs: "true" or true -> Always return "true" - installCRDs: "false" or false -> Always return "false" - installCRDs: "auto" (default) -> Use lookup to check if CRD exists @@ -58,6 +59,10 @@ NOTE: Helm --set flag parses "false" as boolean, while values.yaml keeps it as s This helper handles both boolean and string types. */}} {{- define "px-central.shouldInstallCRD" -}} +{{- /* Skip CRD installation during upgrades - CRDs were installed during initial install */ -}} +{{- if or .context.Release.IsUpgrade .context.Values.isUpgrade -}} +false +{{- else -}} {{- /* Get installCRDs value, defaulting to "auto" if nil/empty string */ -}} {{- $installCRDs := .context.Values.installCRDs -}} {{- /* Check if installCRDs is nil or empty string (but NOT boolean false) */ -}} @@ -83,6 +88,7 @@ true {{- end -}} {{- end -}} {{- end -}} +{{- end -}} {{/* CRD labels - common labels for all CRDs diff --git a/charts/px-central/templates/crds/crd-alertmanager.yaml b/charts/px-central/templates/crds/crd-alertmanager.yaml index 1bf8d9177..fbbeadb50 100644 --- a/charts/px-central/templates/crds/crd-alertmanager.yaml +++ b/charts/px-central/templates/crds/crd-alertmanager.yaml @@ -11,6 +11,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: alertmanagers.monitoring.coreos.com + annotations: + helm.sh/resource-policy: keep labels: app: prometheus-operator spec: diff --git a/charts/px-central/templates/crds/crd-alertmanagerconfigs.yaml b/charts/px-central/templates/crds/crd-alertmanagerconfigs.yaml index 1bce17d17..d8964aa54 100644 --- a/charts/px-central/templates/crds/crd-alertmanagerconfigs.yaml +++ b/charts/px-central/templates/crds/crd-alertmanagerconfigs.yaml 
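Review bot: With the new `if or .context.Release.IsUpgrade .context.Values.isUpgrade` guard the helper returns `false` on every upgrade, so a chart upgrade can never update a CRD schema this chart installed (for example to a newer prometheus-operator revision); the added comment `During upgrades: Always return "false" (CRDs were installed during initial install)` should say so and state how schema updates are expected to be applied out of band. Because the CRD leaves the rendered manifest on the first upgrade, Helm also stops tracking it in the release — the `helm.sh/resource-policy: keep` added in the same commit is what prevents deletion at that point — so afterwards both `helm uninstall` and a later install in `auto` mode depend entirely on `lookup`. Adding that to the helper header, and a matching sentence in values.yaml, would make the lifecycle clear to operators.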
@@ -14,6 +14,7 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.1 + helm.sh/resource-policy: keep creationTimestamp: null name: alertmanagerconfigs.monitoring.coreos.com spec: diff --git a/charts/px-central/templates/crds/crd-podmonitor.yaml b/charts/px-central/templates/crds/crd-podmonitor.yaml index 3bc80dbb5..1f8cb5a59 100644 --- a/charts/px-central/templates/crds/crd-podmonitor.yaml +++ b/charts/px-central/templates/crds/crd-podmonitor.yaml @@ -11,6 +11,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: podmonitors.monitoring.coreos.com + annotations: + helm.sh/resource-policy: keep labels: app: prometheus-operator spec: diff --git a/charts/px-central/templates/crds/crd-probes.yaml b/charts/px-central/templates/crds/crd-probes.yaml index 925837907..4743e2757 100644 --- a/charts/px-central/templates/crds/crd-probes.yaml +++ b/charts/px-central/templates/crds/crd-probes.yaml @@ -14,6 +14,7 @@ kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.1 + helm.sh/resource-policy: keep creationTimestamp: null name: probes.monitoring.coreos.com spec: diff --git a/charts/px-central/templates/crds/crd-prometheus.yaml b/charts/px-central/templates/crds/crd-prometheus.yaml index 5a70f528b..1abbeb300 100644 --- a/charts/px-central/templates/crds/crd-prometheus.yaml +++ b/charts/px-central/templates/crds/crd-prometheus.yaml @@ -11,6 +11,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: prometheuses.monitoring.coreos.com + annotations: + helm.sh/resource-policy: keep labels: app: prometheus-operator spec: diff --git a/charts/px-central/templates/crds/crd-prometheusrules.yaml b/charts/px-central/templates/crds/crd-prometheusrules.yaml index 107043d6a..5e826dd18 100644 --- a/charts/px-central/templates/crds/crd-prometheusrules.yaml +++ b/charts/px-central/templates/crds/crd-prometheusrules.yaml 
@@ -12,6 +12,8 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   name: prometheusrules.monitoring.coreos.com
+  annotations:
+    helm.sh/resource-policy: keep
   labels:
     app: prometheus-operator
 spec:
diff --git a/charts/px-central/templates/crds/crd-servicemonitor.yaml b/charts/px-central/templates/crds/crd-servicemonitor.yaml
index b21f01f78..88787f798 100644
--- a/charts/px-central/templates/crds/crd-servicemonitor.yaml
+++ b/charts/px-central/templates/crds/crd-servicemonitor.yaml
@@ -12,6 +12,7 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.4.1
+    helm.sh/resource-policy: keep
   name: servicemonitors.monitoring.coreos.com
 spec:
   group: monitoring.coreos.com
diff --git a/charts/px-central/templates/crds/crd-thanosrulers.yaml b/charts/px-central/templates/crds/crd-thanosrulers.yaml
index 94184c0ae..2a4068342 100644
--- a/charts/px-central/templates/crds/crd-thanosrulers.yaml
+++ b/charts/px-central/templates/crds/crd-thanosrulers.yaml
@@ -13,6 +13,7 @@ kind: CustomResourceDefinition
 metadata:
   annotations:
     controller-gen.kubebuilder.io/version: v0.4.1
+    helm.sh/resource-policy: keep
   creationTimestamp: null
   name: thanosrulers.monitoring.coreos.com
 spec:
diff --git a/charts/px-central/templates/px-backup/pre-install-hook/pre-install-check.yaml b/charts/px-central/templates/px-backup/pre-install-hook/pre-install-check.yaml
index c5630865f..5e7c888dc 100644
--- a/charts/px-central/templates/px-backup/pre-install-hook/pre-install-check.yaml
+++ b/charts/px-central/templates/px-backup/pre-install-hook/pre-install-check.yaml
@@ -10,7 +10,7 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: px-backup-pre-install-account
+  name: pxcentral-pre-install-account
   namespace: {{ .Release.Namespace }}
   annotations:
     "helm.sh/hook": pre-install
@@ -119,7 +119,7 @@ metadata:
     {{- include "px-central.partOfLabel" . | nindent 4 }}
 subjects:
   - kind: ServiceAccount
-    name: px-backup-pre-install-account
+    name: pxcentral-pre-install-account
     namespace: {{ .Release.Namespace }}
 roleRef:
   kind: Role
@@ -141,7 +141,7 @@ metadata:
     {{- include "px-central.partOfLabel" . | nindent 4 }}
 subjects:
   - kind: ServiceAccount
-    name: px-backup-pre-install-account
+    name: pxcentral-pre-install-account
     namespace: {{ .Release.Namespace }}
 roleRef:
   kind: ClusterRole
@@ -198,7 +198,7 @@ spec:
         kubernetes.azure.com/no-http-proxy-vars: "true"
 {{- end }}
     spec:
-      serviceAccountName: px-backup-pre-install-account
+      serviceAccountName: pxcentral-pre-install-account
 {{- if $isOpenshiftCluster}}
 {{- else }}
       securityContext:
@@ -307,7 +307,7 @@ spec:
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: px-backup-preflight-account
+  name: pxcentral-preflight-account
   namespace: {{ .Release.Namespace }}
   annotations:
     "helm.sh/hook": pre-install,pre-upgrade
@@ -394,7 +394,7 @@ metadata:
     {{- include "px-central.partOfLabel" . | nindent 4 }}
 subjects:
   - kind: ServiceAccount
-    name: px-backup-preflight-account
+    name: pxcentral-preflight-account
     namespace: {{ .Release.Namespace }}
 roleRef:
   kind: Role
@@ -416,7 +416,7 @@ metadata:
     {{- include "px-central.partOfLabel" . | nindent 4 }}
 subjects:
   - kind: ServiceAccount
-    name: px-backup-preflight-account
+    name: pxcentral-preflight-account
     namespace: {{ .Release.Namespace }}
 roleRef:
   kind: ClusterRole
@@ -447,7 +447,7 @@ spec:
         kubernetes.azure.com/no-http-proxy-vars: "true"
 {{- end }}
     spec:
-      serviceAccountName: px-backup-preflight-account
+      serviceAccountName: pxcentral-preflight-account
 {{- if $isOpenshiftCluster}}
 {{- else }}
       securityContext:
diff --git a/charts/px-central/values.yaml b/charts/px-central/values.yaml
index 9dc04c9f2..b21d12a89 100644
--- a/charts/px-central/values.yaml
+++ b/charts/px-central/values.yaml
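Review bot: Renaming the hook ServiceAccounts to `pxcentral-pre-install-account` / `pxcentral-preflight-account` leaves the old `px-backup-*` ServiceAccounts and the Role/ClusterRoleBindings pointing at them behind on any cluster that already ran these hooks, because hook resources (`"helm.sh/hook": pre-install` is visible in the first hunk of this file) are not tracked in the release manifest and a `before-hook-creation` delete policy, if one is set outside the hunks, only removes the object with the same name. The result is a dormant ServiceAccount still bound to the pre-install ClusterRole, which is exactly the kind of orphaned privilege a least-privilege review flags. Either keep the old names, or have the pre-upgrade hook remove the old objects where its RBAC allows, e.g. `kubectl delete sa px-backup-pre-install-account px-backup-preflight-account -n "$NAMESPACE" --ignore-not-found` plus the matching bindings, and call it out in the chart's upgrade notes.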
@@ -195,15 +195,15 @@ cassandra:
 ## =============================================================================
 ## CRD Installation Control
 ## =============================================================================
-## Helm relies on the templates to install CRDs, installCRDs is controls the
-## of lookup funtionality of Helm during install/upgrade.
-## ArgoCD uses `helm template` which doesn't have cluster access, so the
-## lookup function cannot detect existing CRDs. With installCRDs: "auto",
-## ArgoCD will ALWAYS include CRDs in the rendered output.
+## NOTE: CRDs are automatically SKIPPED during upgrades.
 ##
-## If your cluster has pre-existing CRDs (e.g., from Portworx Enterprise),
-## you MUST set installCRDs: "false" to avoid conflicts.
+## For FRESH INSTALLS:
+##   - "auto"  : (default) Uses lookup to detect existing CRDs
+##   - "true"  : Always install CRDs
+##   - "false" : Never install CRDs
 ##
+## ArgoCD users: lookup doesn't work with `helm template`.
+## If external Prometheus CRDs exist, set installCRDs: "false"
 ##
 installCRDs: "auto"
 clusterDomain: "cluster.local"
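Review bot: The new comment block says CRDs are skipped during upgrades but does not mention `isUpgrade`, which the helper in `_crd-helpers.tpl` also reads (`.context.Values.isUpgrade`) to force the same skip, nor what an operator must do to pick up CRD changes shipped by a newer chart version, and the removed text's warning that ArgoCD will always render the CRDs under `auto` has been lost rather than restated. Suggested lines after the NOTE: `## (also forced when the value isUpgrade is true). Helm therefore never updates` / `## these CRDs after install; apply templates/crds/*.yaml with kubectl before upgrading.` and, in the ArgoCD paragraph, `## With "auto", ArgoCD always renders the CRDs, so pre-existing CRDs will conflict.` Whether `isUpgrade` is a documented value elsewhere in values.yaml is not visible in this hunk.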