Lachlan presented these slides for the ongoing Weave Online User Group series. You can view the recording here: https://youtu.be/_YZRbS5GaYE
Adjusting your spyglass and looking out over the water, you can see how useful a package manager like Helm is. Perhaps you’ve used it to manage the fractal complexity of packages on your Kubernetes clusters (without losing track of versions stashed in the hold). But Helm 3 is rumored to be different, and you’re ready to get started on this exciting voyage – as soon as you have some idea of what’s port and what’s starboard!
In this story-fueled session, we’ll take you through differences from the Helm of yore, tips for a successful rollout or upgrade, and opportunities to shape the project’s future. The cloud native waters can be choppy, but a technical deep dive powered by open source tooling will steer you right!
Speaker: Lachlan Evenson, Principal Program Manager (Container Compute Team), Azure
Bio: Lachlan is a Principal Program Manager on the Container Compute team at Azure. He has spent the last few years working with Kubernetes and enabling cloud native journeys. Lachlan is a cloud native ambassador, emeritus Kubernetes release lead, Helm charts maintainer, and has deep operational knowledge of many Cloud Native projects. @LachlanEvenson
Host: Tamao Nakahara, Head of Developer Experience, Weaveworks
Bio: Tamao is passionate about Developer Experience and co-organizes devxcon.com. She has over 20 years of DevEx, ecosystem alliances, and event experience, including as Director of Developer Relations at New Relic, running open source community programs at VMware and Pivotal for Cloud Foundry, Spring, Hadoop, RabbitMQ, and Redis, and helping customers with Oracle virtualization at VMware.
To learn more about GitOps, check out: The Practical Guide to GitOps (eBook): http://bit.ly/gitops_guide
8. @LachlanEvenson
Making Helm more k8s-native
- Inheriting security controls from kubeconfig
- Using k8s RBAC to limit access & resources
- Replacing custom APIs for charts and deployments with Secrets (release records become ordinary Kubernetes objects)
9. Farewell, Tiller
- simpler & more flexible architecture, security, & upgrades
- now using the Kubernetes API directly, with the credentials in the caller's kubeconfig
- rendering charts client-side; storing the rendered manifest in the release record
- lowering the barrier of entry for contributors
12. Don't worry!
- We intend to support Helm 2 charts
- You *should* be able to replace the Helm 2 binary with the Helm 3 binary IF you take the following considerations into account…
13. Namespace changes
- Release metadata is stored in the same namespace as the release
- Templated resources that set their own metadata.namespace are installed into that namespace; it takes precedence over the `--namespace` flag, which only applies to resources that don't set one
- Helm will no longer create a namespace if it doesn't already exist (create it first, e.g. with kubectl create namespace)
14. Chart dependency management
- Old style: requirements.yaml and requirements.lock
- New style: dependencies are declared in Chart.yaml and locked in Chart.lock (breaking change if you use the helm dependency subcommands)
15. CRD installation
- The `crd-install` hook is ignored in Helm 3; Helm prints a useful warning if CRDs are still present in the templates directory
- Replaced with a crds directory at the chart root: files there are installed before the templates are rendered, are not templated, and are never upgraded or removed by helm upgrade or helm uninstall
16. Release metadata
- No longer stored in the Tiller namespace
- Stored as a Secret (type helm.sh/release.v1) in the release namespace
- Double base64-encoded, gzip-compressed JSON blob: Helm base64-encodes the gzipped JSON, and the Secret API base64-encodes that value again
- Not backwards compatible with Helm 2 release metadata; migrate with https://github.com/helm/helm-2to3
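To make the encoding concrete, here is an added example (not code from the talk or from the Helm project) that builds a release record the way Helm 3's Secret storage driver lays it out and decodes it again. The release content is constructed sample data; the JSON -> gzip -> base64 layering, the sh.helm.release.v1.<name>.v<revision> naming and the helm.sh/release.v1 type match Helm 3's storage format, while the exact set of fields in a real release is larger than shown.

```python
"""Encode/decode a Helm 3 release record as stored in a Kubernetes Secret."""
import base64
import gzip
import json

GZIP_MAGIC = b"\x1f\x8b\x08"  # Helm checks for this before gunzipping

# Constructed sample release record, not taken from a real cluster.
SAMPLE_RELEASE = {
    "name": "ingress",
    "namespace": "ingress-nginx",
    "version": 1,
    "info": {"status": "deployed"},
    "chart": {"metadata": {"name": "nginx-ingress", "version": "1.26.0"}},
    "config": {"controller": {"replicaCount": 2}},  # user-supplied values
    "manifest": "---\n# Source: nginx-ingress/templates/...\n",
}


def encode_release(release: dict) -> str:
    """JSON -> gzip -> base64: the value Helm 3 writes into the Secret's 'release' key."""
    raw = json.dumps(release, separators=(",", ":")).encode()
    return base64.b64encode(gzip.compress(raw)).decode()


def as_secret(release: dict) -> dict:
    """Shape the record like `kubectl get secret -o json` shows it.

    The API server base64-encodes every data field, hence the second layer.
    """
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "helm.sh/release.v1",
        "metadata": {
            "name": f"sh.helm.release.v1.{release['name']}.v{release['version']}",
            "namespace": release["namespace"],
            "labels": {
                "owner": "helm",
                "name": release["name"],
                "status": release["info"]["status"],
                "version": str(release["version"]),
            },
        },
        "data": {"release": base64.b64encode(encode_release(release).encode()).decode()},
    }


def decode_release(secret: dict) -> dict:
    """Strip both base64 layers, gunzip when the gzip magic is present, parse JSON."""
    inner = base64.b64decode(secret["data"]["release"])  # API layer
    blob = base64.b64decode(inner)                        # Helm layer
    if blob[:3] == GZIP_MAGIC:
        blob = gzip.decompress(blob)
    return json.loads(blob)


def values_from_secret(secret: dict) -> dict:
    """The user-supplied values (`helm get values`) sit in 'config', in the clear."""
    return decode_release(secret).get("config", {})


if __name__ == "__main__":
    secret = as_secret(SAMPLE_RELEASE)
    print(secret["metadata"]["name"])
    print(json.dumps(values_from_secret(secret)))
```

The security-relevant point is the last function: values passed at install time (database passwords, API tokens) are stored verbatim in that Secret, so anyone with get/list on Secrets in the release namespace can recover them with `kubectl get secret sh.helm.release.v1.<name>.v<rev> -o jsonpath='{.data.release}' | base64 -d | base64 -d | gunzip`. Scope RBAC on Secrets accordingly, and treat the release namespace as holding the same sensitivity as the chart's values.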
22. Chart Repository API
- working towards compatibility with the OCI distribution standard
- available now behind a feature gate (set HELM_EXPERIMENTAL_OCI=1)
- (eventually: pluggable auth! novel artifact types! host on container registries of your choice!)
24. Library chart support
- shared by other charts (type: library in Chart.yaml)
- does not create any release artifacts of its own
- A library chart's templates can only declare `define` elements
- allows simpler code reuse
25. Validating chart values with JSON Schema
- Chart values can now have a JSON Schema (values.schema.json next to values.yaml)
- Chart maintainers may provide a typed schema for values.yaml
- Better error reporting: bad values are rejected by install, upgrade, lint and template before anything reaches the API server
- https://v3.helm.sh/docs/topics/charts/#schema-files
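As an added illustration (not a file from the talk or from the stable/nginx-ingress chart), a values.schema.json like the following, placed at the chart root, would catch the `controller.replicaCount=two` mistake shown on slide 30 with a type error from Helm instead of a readUint32 decoding failure from the API server. The property names mirror the chart's values; the constraints are assumptions chosen for the example.

```json
{
  "$schema": "https://json-schema.org/draft-07/schema#",
  "title": "nginx-ingress values",
  "type": "object",
  "properties": {
    "controller": {
      "type": "object",
      "properties": {
        "replicaCount": { "type": "integer", "minimum": 1 },
        "image": {
          "type": "object",
          "properties": {
            "repository": { "type": "string" },
            "tag": { "type": "string" }
          },
          "required": ["repository", "tag"]
        },
        "resources": {
          "type": "object",
          "properties": {
            "limits": {
              "type": "object",
              "properties": {
                "cpu": { "type": "string" },
                "memory": { "type": "string" }
              },
              "required": ["cpu", "memory"]
            }
          },
          "required": ["limits"]
        }
      },
      "required": ["replicaCount", "resources"]
    }
  },
  "required": ["controller"]
}
```

Note that `--set controller.replicaCount=two` produces a string while `--set controller.replicaCount=2` produces an integer, so the schema distinguishes the two; making resources.limits required also turns the conftest finding from slide 35 into an install-time error for charts you maintain yourself.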
27. Three-way merge for upgrade
- three-way strategic merge patch during helm upgrade (and rollback)
- much like kubectl apply
- inputs: old config (the manifest stored in the previous release), new config (the freshly rendered manifest), and the current live state from the cluster
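The following added example (my own illustration, not Helm's or kubectl's code) shows why the third input matters. It implements a simplified, JSON-merge-patch style three-way diff over constructed Deployment-like documents: a field changed out of band (the image) is restored to the chart's value, a field dropped from the chart (minReadySeconds) is deleted, and a field that only exists in the live object (an annotation added by a mutating webhook) is left alone. Helm 2's behaviour is modelled as the same diff with the live state ignored. Lists are compared as a whole here; the real strategic merge patch merges them by key (container name, for example).

```python
"""Simplified three-way merge in the spirit of kubectl apply / Helm 3 upgrade."""
from typing import Any, Dict

Doc = Dict[str, Any]

# Constructed manifests (trimmed Deployment objects, not real cluster output).
ORIGINAL: Doc = {  # manifest Helm rendered and stored for revision 1
    "metadata": {"name": "web", "annotations": {"team": "platform"}},
    "spec": {
        "replicas": 2,
        "minReadySeconds": 5,
        "template": {"spec": {"containers": [{"name": "web", "image": "nginx:1.17"}]}},
    },
}
CURRENT: Doc = {  # live object: image edited by hand, annotation added by a webhook
    "metadata": {"name": "web", "annotations": {"team": "platform", "injected-by": "webhook"}},
    "spec": {
        "replicas": 2,
        "minReadySeconds": 5,
        "template": {"spec": {"containers": [{"name": "web", "image": "nginx:1.18-hotfix"}]}},
    },
}
MODIFIED: Doc = {  # manifest rendered for revision 2: replicas bumped, minReadySeconds dropped
    "metadata": {"name": "web", "annotations": {"team": "platform"}},
    "spec": {
        "replicas": 3,
        "template": {"spec": {"containers": [{"name": "web", "image": "nginx:1.17"}]}},
    },
}


def three_way_patch(original: Doc, modified: Doc, current: Doc) -> Doc:
    """Build a merge patch from (last applied, newly rendered, live).

    - keys in original but gone from modified are deleted (None)
    - keys in modified whose value differs from the live value are set
    - keys only present in current never appear in the patch
    """
    patch: Doc = {}
    for key in original:
        if key not in modified and key in current:
            patch[key] = None
    for key, new_val in modified.items():
        old_val = original.get(key)
        cur_val = current.get(key)
        if isinstance(new_val, dict) and isinstance(cur_val, dict):
            sub = three_way_patch(old_val if isinstance(old_val, dict) else {}, new_val, cur_val)
            if sub:
                patch[key] = sub
        elif new_val != cur_val:
            patch[key] = new_val
    return patch


def two_way_patch(original: Doc, modified: Doc) -> Doc:
    """Helm 2's approach: diff the stored manifest against the new one, ignoring live state."""
    return three_way_patch(original, modified, original)


def apply_patch(doc: Doc, patch: Doc) -> Doc:
    """Apply a merge patch: None deletes, nested dicts recurse, anything else replaces."""
    out = dict(doc)
    for key, val in patch.items():
        if val is None:
            out.pop(key, None)
        elif isinstance(val, dict) and isinstance(out.get(key), dict):
            out[key] = apply_patch(out[key], val)
        else:
            out[key] = val
    return out


def helm2_upgrade(original: Doc, modified: Doc, current: Doc) -> Doc:
    return apply_patch(current, two_way_patch(original, modified))


def helm3_upgrade(original: Doc, modified: Doc, current: Doc) -> Doc:
    return apply_patch(current, three_way_patch(original, modified, current))


if __name__ == "__main__":
    import json
    print(json.dumps(helm2_upgrade(ORIGINAL, MODIFIED, CURRENT), indent=2))
    print(json.dumps(helm3_upgrade(ORIGINAL, MODIFIED, CURRENT), indent=2))
```

The practical consequence: Helm 3 reconciles every field the chart manages back to the chart's value on upgrade, which is what you want for drift such as a hand-edited image, but also means a field both the chart and a controller write (replicas under an HPA, for instance) gets reset each upgrade; leave such fields out of the template rather than fighting the merge.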
29. Top 3 ways Helm releases fail
- Invalid Kubernetes resources
- Denied by policy
- Role-based access control
30. Invalid k8s resources
$ helm install stable/nginx-ingress --set controller.replicaCount=two
Error: release estranged-arachnid failed: Deployment in version "v1beta1" cannot be handled as a Deployment: v1beta1.Deployment.Spec: v1beta1.DeploymentSpec.Replicas: readUint32: unexpected character: , error found in #10 byte of ...|eplicas":"two","revi|..., bigger context ...|default"},"spec":{"minReadySeconds":0,"replicas":"two","revisionHistoryLimit":10,"strategy":{},"temp|...
31. Resources don't work!? (…on this k8s version)
$ helm install stable/nginx-ingress
Error: validation failed: unable to recognize "": no matches for kind "Deployment" in version "extensions/v1beta1"
https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/
33. kubeval: find invalid deployments
$ helm kubeval stable/nginx-ingress --set controller.replicaCount=two
[…]
The file nginx-ingress/templates/controller-deployment.yaml contains an invalid Deployment
---> spec.replicas: Invalid type. Expected: [integer,null], given: string
The file nginx-ingress/templates/default-backend-deployment.yaml contains a valid Deployment
[…]
Error: plugin "kubeval" exited with error
34. kubeval: will a chart work with a given version?
$ helm kubeval stable/nginx-ingress -v 1.15.0
The file nginx-ingress/templates/controller-serviceaccount.yaml contains a valid ServiceAccount
The file nginx-ingress/templates/default-backend-serviceaccount.yaml contains a valid ServiceAccount
[…]
35. conftest: fail if non-compliant with policy
$ helm conftest stable/nginx-ingress
FAIL - nginx-ingress-controller in the Deployment release-name-nginx-ingress-controller does not have a memory limit set
FAIL - nginx-ingress-controller in the Deployment release-name-nginx-ingress-controller does not have a CPU limit set
[…]
Error: plugin "conftest" exited with error
36. conftest: fail if non-compliant with policy (continued)
$ helm conftest stable/nginx-ingress --set controller.resources.limits.cpu=100m,controller.resources.limits.memory=64Mi
$
(no FAIL lines and a zero exit status: the rendered Deployment now satisfies the policy)
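For completeness, here is an added example of a Rego policy (written for this page, not taken from the talk or the helm-conftest plugin) that produces exactly the two FAIL messages shown on slide 35. Drop it in conftest's default policy directory, policy/, and the plugin evaluates it against every document helm template renders; the package name main and the deny rule name are conftest's defaults.

```rego
package main

# Constructed policy for this example: every container in a Deployment must
# declare CPU and memory limits. `not x.y.z` succeeds when any part of the
# path is missing, so a container with no resources block fails both rules.

deny[msg] {
  input.kind == "Deployment"
  container := input.spec.template.spec.containers[_]
  not container.resources.limits.memory
  msg := sprintf("%s in the Deployment %s does not have a memory limit set",
                 [container.name, input.metadata.name])
}

deny[msg] {
  input.kind == "Deployment"
  container := input.spec.template.spec.containers[_]
  not container.resources.limits.cpu
  msg := sprintf("%s in the Deployment %s does not have a CPU limit set",
                 [container.name, input.metadata.name])
}
```

Because the check runs on the rendered output, it sees the effect of --set overrides and sub-chart values, which is what makes it useful as a CI gate in front of helm install: the release fails before the API server, and before any admission controller that might reject the same Deployment with a less helpful message, is involved.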
37. Helm 3 and RBAC
… and spoiler alert: in Helm 3, with Tiller gone, you won't have the "cluster admin" permissions anymore! Helm can only do what the user in your kubeconfig is allowed to do.
38. kubectl can-i
$ for kind in $(helm template stable/nginx-ingress | awk '/^kind:/ {print $2}' | sort -u); do echo "$kind: $(kubectl auth can-i create "$kind")"; done
Warning: resource 'clusterroles' is not namespace scoped in group 'rbac.authorization.k8s.io'
ClusterRole: no
Warning: resource 'clusterrolebindings' is not namespace scoped in group 'rbac.authorization.k8s.io'
ClusterRoleBinding: no
Deployment: yes
Role: yes
RoleBinding: yes
Service: yes
ServiceAccount: yes
(a --dry-run install renders the chart but never exercises the create permissions, so this loop is the cheap pre-flight check; kubectl auth can-i --list shows everything the current user may do)
41. Security audit
- Went great. No major vulns found!
- Preparing Helm for graduation
- https://github.com/helm/community/blob/master/security-audit/HLM-01-report.pdf
42. Support for Helm 2 after the Helm 3 release
- 6 months of bug fixes and security fixes
- up to 12 months, only security fixes will be accepted; after that, end-of-life
43. Get involved!
- Upgrade to Helm 3
- https://v3.helm.sh/docs/faq/
- helm.sh for community calls
- feedback on new use cases & workflows
- test for backwards compatibility with existing charts!