#helmfile - September 2020

v0.126.1: Fix test flake for INLINECODE_0 (#1449)
3e6542e (HEAD, tag: v0.126.1, origin/master, origin/HEAD, master) Fix test flake for commonLabels (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="689738084" data-permission-text="Title is private"...

v0.126.2: Fix wrong deletion order (#1451)
Fixes #1450

v0.126.2: Fix wrong deletion order (#1451)
5f1698d (HEAD, tag: v0.126.2, origin/master, origin/HEAD, master) Fix wrong deletion order (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="689932583" data-permission-text="Title is private"...

v0.127.0: Bump sprig to v3 (#1452)
Resolves #1294
Resolves <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="689490982" data-permission-text="Title is private"...

v0.127.0: Bump sprig to v3 (#1452)
efd26f2 (HEAD, tag: v0.127.0, origin/master, origin/HEAD, master) Bump sprig to v3 (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="689956556" data-permission-text="Title is private"...

Hey @mumoshu, I found a bug caused by https://github.com/roboll/helmfile/pull/1442 related to needs:. I have a helmfile that works perfectly fine on v0.125.8 but breaks on v0.125.9. The break is caused by the helmfile thinking a needs: item is invalid when in reality it is completely valid.

I'm trying to use environments and bases at the same while using variables in helmfile.yaml , I'm not sure if this is a bug or I'm doing something wrong, https://github.com/roboll/helmfile/issues/1454

I have an app that I want to deploy to stage only when the branch being deployed matches the branch name specified in an aws ssm parameter. I'm attempting to use installed template on my release, but I haven't been able to figure out the correct syntax or even if this is possible.

A simple version that doesn't include ssm (that I've confirmed works) would be:

installedTemplate: {{- if eq .Values.branch "master" }} true {{ else }} false {{ end }}

What I've tried for the ssm version:

installedTemplate: {{- if eq .Values.branch `{{ <ref+awsssm://DOWNLOAD_WORKER_BRANCH?region=us-west-1> }}` }} true {{ else }} false {{ end }}

Does anyone know if it's possible to do this? Any pointers in the right direction?

v0.128.0: Bump sprig to v3.1.0 and mergo 3.11 (#1456)
9d2c0d4 (HEAD, tag: v0.128.0, origin/master, origin/HEAD, master) Bump sprig to v3.1.0 and mergo 3.11 (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="691909066" data-permission-text="Title is private"...

anyone know if helmfile supports overriding a chart's appVersion somehow? (along the lines of what is discussed in this helm issue: https://github.com/helm/helm/issues/8194)

@Carlos R. has joined the channel

What is currently the best practice for installing CRDs before deploying something that needs them? For example, the instructions for using the Helm Operator are to:

1. Install the HelmRelease CRD using kubectl apply
2. Deploy the operator using Helm
If I want both to happen with one helmfile apply , what’s the best way right now to do that? I’m thinking of the incubator/raw helm chart, but that sounds kinda kludgey

I would like to use this functionality powered by vals: https://github.com/roboll/helmfile/pull/906

As far as I understood it will be rendered only under a release: block. WIn our case we have a common helmfile, and then we reuse this helmfile by referencing form other helmfiles via helmfiles: (sorry for such a cluncky explanation). In the repo with a common helmfile there is no credentials to connect to third-parties to grab the actual value. So, helmfile lint failed.

Does anybody know if any possibility to overwrite this or hide the error exists?

I am thinking loud, but..

Would be nice to have k8s service similar to https://github.com/jetstack/version-checker, of course there it possible to use https://github.com/roboll/helmfile#integrations renovate for gitops version check, but some active checking on actually deployed charts would be a great idea ( with metrics support of course )...

Related: https://github.com/FairwindsOps/nova/

@mumoshu ping

Thanks

EDIT:
I have hard time to keep charts updated, or at least have some overview about newer versions available...

Did something change recently on how {{ .Namespace }} works?

i just installed v0.128 and i get the following:

helmfile --file helmfile-preip.yaml --selector default=true --selector app=besu --namespace cyan-besu-15 apply

in ./helmfile-preip.yaml: in .helmfiles[0]: in helmfiles/1-before-all.yaml: failed processing release ingress: failed to render values files "values/nginx-ingress-values.yaml.gotmpl": failed to render [values/nginx-ingress-values.yaml.gotmpl], because of template: stringTemplate:6:19: executing "stringTemplate" at <.Namespace>: can't evaluate field Namespace in type state.releaseTemplateData

and the values file contains

controller:
  publishService:
    enabled: true
  scope:
    enabled: true
    namespace: {{ .Namespace }}
  extraArgs:
    default-ssl-certificate: "{{ .Namespace }}/wildcard"
  service:
    enabled: true
  replicaCount: 2
  minAvailable: 1


  resources:
    limits: {}
      #cpu: 500m
      #memory: 512Mi
    requests:
      cpu: 50m
      memory: 128Mi

nameOverride: {{ .Namespace }}-ingress

using {{ .Release.Namespace }} works. If i have to guess, https://github.com/roboll/helmfile/pull/1424 is the culprit

v0.128.1: Fix INLINECODE_0 error on env2map (#1463)
0482ba3 (HEAD, tag: v0.128.1, origin/master, origin/HEAD, master) Fix index out of range [1] with length 1 error on env2map (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="695488078"...

Anyone here got an answer to the following... https://stackoverflow.com/questions/63811855/using-nested-values-defined-in-environment

In the readme there's an example environments.production.values[].vault.enabled: false so I'm surprised my yaml doesn't work

has anyone figured out a way in helmfile to deploy jobs without hitting the immutable field issue?

v0.128.2: Re-add Release.Namespace in release values.yaml templates (#1466)
It was accidentally removed in #1424, and had been unexpectedly unavailable between v0.126.0 and v0.128.1.
Fixes <a class="issue-link js-issue-link"...

v0.128.2: Re-add Release.Namespace in release values.yaml templates (#1466)
832dcf4 (HEAD, tag: v0.128.2, origin/master, origin/HEAD, master) Re-add Release.Namespace in release values.yaml templates (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="697291695"...

Hi there 👋
Is it possible to use remote values from S3 using the go-getter syntax?

v0.129.0: Add experimental write-values command for writing values files only (…
0fad9f0 (HEAD, tag: v0.129.0, origin/master, origin/HEAD, master) Add experimental write-values command for writing values files only (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="699300090"...

v0.129.1: Add tailormed to users (#1467)
Update USERS.md

I’ve got a configmap template that contains othernodes = {{ .Values.orion.otherNodes }} where othernodes is an array of strings. but in this specific config i need each of the strings to be wrapped in quotes but it comes out as [ string, string ] without quotes. Is there a quick way to quote each item in the list?

v0.129.1: Add tailormed to users (#1467)
134d5be (HEAD, tag: v0.129.1, origin/master, origin/HEAD, master) Add tailormed to users (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="698282052" data-permission-text="Title is private"...

v0.129.2: Bump vals (#1475)
Ref variantdev/vals#34

v0.129.2: Bump vals (#1475)
5dd65e8 (HEAD, tag: v0.129.2, origin/master, origin/HEAD, master) Bump vals (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="700691836" data-permission-text="Title is private"...

Is anyone relying on the undefined behaviour of Helmfile that a multiple negated conditions in a single selector like helmfile -l foo!=foo,bar!=bar is unexpectedly treated as an OR sometimes?

I'm redefining it to be always AND, so that the behavior is consistent:

https://github.com/roboll/helmfile/pull/1478

This might be just a bug but I wanted inform you all for clarity because this seems like a long-standing bug anyway. Thanks!

v0.129.3: Treat selector with multiple conditions an AND (#1478)
028bcc5 (HEAD, tag: v0.129.3, origin/master, origin/HEAD, master) Treat selector with multiple conditions an AND (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="701512861" data-permission-text="Title...

New to helmfile, I was thinking to use this for testing helm charts after deployment in K8S env.

What I am fuzzy about it how to inject values into values.yaml per release. I wanted to avoid creating massive directory structure for different types of tests with env.sh, but rather just define values in the releases.

charts:
  dgraph:
    name: dgraph
    enabled: true
    namespace: dg-1
    chart: ./charts/charts/dgraph
    env:
      - path/to/env.sh
    values:
      - charts/dgraph/helmfile/base.yaml.gotmpl

or maybe:

env:
 DGRAPH_ALPHA_ACL_ENABLED: false
 DGRAPH_ALPHA_ACL_FILE_CONTENT: secret
 DGRAPH_ALPHA_ACL_SECRET_FILE: /dgraph/acl/secret_file

Is there a way to do something like this?

I cannot get off the ground with helmfile. Running into this, not sure what to do:

in ./helmfile.yaml: error during helmfile.yaml.part.1 parsing: template: stringTemplate:2:17: executing "stringTemplate" at <.Values.charts>: map has no entry for key "charts"

I setup simple charts.yaml:

charts:
  azuregateway:
    name: minio
    enabled: true
    namespace: minio
    repository:
      name: minio
      url: <https://helm.min.io/>
    chart: minio/minio
    values:
      - envs/aks/tf.minio_config.yaml

and helmfile.yaml with:

helmDefaults:
  timeout: 600
  recreatePods: false
  tillerless: true
  force: true

environments:
  default:
    values:
      - ./charts.yaml
      - ./values.yaml
      {{- if env "ENV_DIR" }}
      - {{ requiredEnv "ENV_DIR" }}/charts.yaml.gotmpl
      - {{ requiredEnv "ENV_DIR" }}/values.yaml.gotmpl
      {{- end }}

repositories:
{{- range .Values.charts }}
{{- if and .enabled (hasKey . "repository") }}
  - name: {{ .repository.name }}
    url: {{ .repository.url }}
{{- end }}
{{- end }}

releases:
{{- range .Values.charts }}
{{- if .enabled }}
  - name: {{ .name }}
    namespace: {{ .namespace }}
    chart: {{ .chart }}
    version: "{{ . | getOrNil "version" }}"
    values:
    {{- range .values }}
      - {{ . }}
    {{- end }}
    secrets:
    {{- range . | getOrNil "secrets" }}
      - {{ . }}
    {{- end }}
  {{- end }}
{{- end }}

😢

hitting an issue where helmfile apply, appears to run without error

but my release is not actually installed.

hey all, is there a way to default to an empty map/list ? {{ .Values | get "my-value" {} }} something like this?

man I am banging my head against the wall. I have a helmfile template test that I run locally and it works perfectly and then my gitlab-ci runs it (in the same container) and it fails

It makes no sense that the needs: would fail on the exact same code in the CI test

Can Helmfile work with manifests? I am seeing more and more use operators directly rather than Helm charts.

Or maybe I should look at Kustomize. Any good articles on helmfile driving kustomize?

I would like to use some Kustomize in non-helmchart releases

I've not used kustomize myself, but there's this: https://github.com/roboll/helmfile/blob/master/docs/advanced-features.md#deploy-kustomizations-with-helmfile

Gitlab.com uses Helmfile https://about.gitlab.com/blog/2020/09/16/year-of-kubernetes/

How do you do dependencies between to releaeses?

I have a CRD that depends on the operator to be installed, so I am looking for easy way to have that CRD depend on the helm chart to install the operator

@mumoshu Hopefully a quick question for you: is there any control/configuration over Helmfile’s exec behavior around errors/non-zero exit codes? Specifically I’d like to do something like:
{{ (contains "error: the server doesn't have a resource type" (exec "kubectl" (list "-n" (env "KUBE_NAMESPACE") "get" "<resource>")))) }}
Seems like there is no way to proceed with exec if it errors/exits with non-zero?

I just installed helmfile with brew (helmfile version v0.129.3). I'm trying to use repositories I always use, but helmfile gives me this: Error: repository name (jaegertracing) already exists, please specify a different name

repositories:
  - name: jaegertracing
    url: <https://jaegertracing.github.io/helm-charts>
  - name: dgraph
    url: <https://charts.dgraph.io>

I guess this is underlying problem with helm. I never had it not be idempotent.

helm has broken idempotence in versions 3.3.2 and 3.3.3.
Thus you cannot use helmfile with those versions.

Is it possible to helmfile apply for only a single release instead of all of them in specified in the helmfile.yaml?

I’ve got the following string in my helmfile.yaml:

...
values:
  - ...
    backendBaseUriPattern: "https://$instance$.<http://dev.my-domain.com|dev.my-domain.com>"
...

And it get’s rendered during helmfile apply given the value of instance from the following range construction:

{{- range $instance, $map := .Environment.Values.instances }}

In the end after rendering it looks like

backendBaseUriPattern: "<https://my-instance.dev.my-domain.com>"

Is this an expected behaviour? Btw, the aforementioned values: block doesn’t belong to this range.

v0.129.4: Enable INLINECODE_0 testing only enabled and selected releases (#1…
…486)
Resolves #1483

v0.129.4: Enable INLINECODE_0 testing only enabled and selected releases (#1…
b176408 (HEAD, tag: v0.129.4, origin/master, origin/HEAD, master) Enable helmfile test testing only enabled and selected releases (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="703982737"...

☝️ contains the fix for the "repository name already exists" error due to the helm update

v0.130.0: Add support for ChartCenter (#1492)
942b9a6 (HEAD, tag: v0.130.0, origin/master, origin/HEAD, master) Add support for ChartCenter (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="705302089" data-permission-text="Title is private"...

Hey, I'm getting a bit confused about how state values files are propagated. I'm pointing helmfile at a directory of helmfiles. They contain templating for {{ .Values.bla }} which I provide with --state-values-file ...or so I thought. Helmfile complains that it can't find bla in .Values

Hi all - what is the best way to share some values between all releases in helm file ?
I just don't want to copy the same set of values or include values file in each release ?

I tried to declare values via environments, but it seems the environment values are not automatically assigned to releases

is it via release templatting ?
https://github.com/roboll/helmfile/blob/master/docs/writing-helmfile.md#release-template--conventional-directory-structure

I'm a bit unclear on how the selectors mechanism works -- do the selectors only apply within helmfiles: [] or can they be applied to individual releases too?

Hi, is it possible to define custom templates inside values template files ?
like in Helm charts

{{- define "my.values.template" -}}
...
{{- end -}}

Are there any best practices for annotating a namespace that gets created by Helm during sync?

anyone here who uses the vals tool standalone?

not sure where I would have to go with questions about this, seems pretty interlinked with helmfile

How do I use bases: when I have a directory of helmfiles?

I have

bases:
- ../base.yaml

at the top of every helmfile but it seems to get ignored

sometimes we use something like {{- tpl (readFile "../common/templates.yaml") . | nindent 0 }} instead of bases

hmm, I guess it's because bases get combined as independent YAML documents

so if I define templates: in a base, it isn't useable

@voron is {{- readFile "../common/templates.yaml" | toYaml }} not sufficient?

toYaml shouldn't be required imho

try and get an answer

hmm, I just seem to end up with a blank string (even though the file exists)

oh nevermind it only appears on the third pass

any ideas what this error means: err: no releases found that matches specified selector() and environment(local), in any helmfile? This only seems to happen when I have a helmfiles section.

the YAML that gets generated looks fine to me:

 3: repositories:
 4:   - name: incubator
 5:     url: <https://kubernetes-charts-incubator.storage.googleapis.com>
 6:   - name: uswitch
 7:     url: <https://uswitch.github.io/kiam-helm-charts/charts>
 8:   - name: bitnami
 9:     url: <https://charts.bitnami.com/bitnami>
10:   - name: traefik
11:     url: <https://containous.github.io/traefik-helm-chart>
12:   - name: pomerium
13:     url: <https://helm.pomerium.io>
14:
15: helmfiles:
16:   - path: ./cluster.d
17:     values:
18:       - ../deployments/local/config.yaml.gotmpl
19:   - path: ../deployments/local/helmfile.d
20:     values:
21:       - ../deployments/local/config.yaml.gotmpl

I suppose you need to define environments in your root helmfile

That's what we have in our root helmfile

bases:
  - "common/repositories.yaml"
  - "common/helm-defaults.yaml"
environments:
  dev:
  prod:
helmfiles:
  - dev/helmfile.yaml
  - prod/helmfile.yaml

and in env-specific prod/helmfile

bases:
  - "../common/repositories.yaml"
  - "../common/helm-defaults.yaml"

environments:
  prod:
{{- tpl (readFile "../common/templates.yaml") . | nindent 0 }}

releases:
...

anyone running containerized Shibboleth and have a helm chart they started with?

Guys?
How can I reference Release.Namespace in values?
Like:

releases:
- name: test
  namespace: default
  createNamespace: true
  chart: incubator/raw
  version: 0.2.3
  values:
    - resources:
      - apiVersion: <http://cert-manager.io/v1|cert-manager.io/v1>
        kind: Certificate
        metadata:
          name: <http://test.example.com|test.example.com>
          namespace: {{ .Release.Namespace }}
        spec:
          secretName: test.example.com-tls
          issuerRef:
            name: {{ .Values.issuer }}
          dnsNames:
          - <http://test.example.com|test.example.com>

Thanks

I'm very confused -- I have a simple helmfile with a single release, but when I run helmfile -f simple.yaml diff I get:

err: no releases found that matches specified selector() and environment(default), in any helmfile

Hey All, Is there any way to set --allow-no-matching-release in helmDefaults ?

I guess there's no way to pass through state values from --state-values-file to helmfiles included with helmfiles: []

We occasionally have releases failing with a message like this. After the message rendering of template fails on first missing value that is in secrets file. We suspect some sort of race condition, since it's not consistent. Does this error message ring any bells?

 /home/jenkins/agent/workspace/frontend-nu_release_8.38.0/deploy/helmfile/environments/staging/secrets-nunl.sops.yaml.dec is newer than /home/jenkins/agent/workspace/frontend-nu_release_8.38.0/deploy/helmfile/environments/staging/secrets-nunl.sops.yaml

I was reading the cloudposse page on helmfile and it sounds like the best practice recommendation is to have one big helmfile with all your releases, and then filter things using selectors -- does anyone here have experience with doing that?

Right now I've split things up into environment-specific helmfiles, and then include a "shared" helmfile using helmfiles: []. It works, but it feels like there are a lot of moving parts to manage.

well, despite of a lot of moving parts it's much better than manage values & secrets manually keeping things DRY.

hmm, should hooks be running for charts that have installed: false?

installed:false means delete release , so I expect all delete-related hooks may take place. If you wanna skip the release - use condition:

What's the upside of using Helmfile instead of the helm-operator and HelmRelease Crds?

Is there any way to merge a glob of files containing some YAML lists into one resulting list and use it as values for a chart?
What I'm trying to do is to use incubator/raw chart, but split templates: into multiple files in a directory with a pattern ????-*.yaml.gotmpl, for e.g.:
• config/0001-first-bunch.yaml.gotmpl
• config/0002-second-bunch.yaml.gotmpl
• config/9999-last-bunch.yaml.gotmpl
Any advice much appreciated!

Hey All, I'm using bases: and I have two files that define an environment:
environments.yaml

 0: environments:
 1:   prod:
 2:     missingFileHandler: Error
 3:     values:
 4:       - ../vars/helmfile/realms/prod.yaml

and global_vars.yaml

 0: environments:
 1:   prod:
 2:     values:
 3:       - vault_image: my_vault_image:1.5.3

I'm using these via

bases:
 - environments.yaml
 - global_vars.yaml

and I'm putting that in every file down the helmfile chain. My helmfile that has a releases block is erroring because it can't see .Values.vault_image

 executing "stringTemplate" at <.Values.vault_image>: can't evaluate field Values in type interface 

Anyone know what I'm doing wrong?

Greetings! I was wondering if anyone could explain the difference (keeping helmfile context in mind I guess) between values[templates[]] and values[resources[]] within incubator raw chart? Or maybe point at the doc to read about it? Thank you!

Hi there!
I am trying to integrate helm secrets with my configuration of helfile,

The current setup is based on local chart which is rendered using 3 files:
configuration1.yaml
configuration2.yaml
secret_resource.yaml
Where secret_resource.yaml contains

kind: Secret
apiVersion:
metadata:
  name: dummy_secret_name
data:
  sseret-key: secret

Following the samples where I specified encoded secret.yaml(with sseret-key: secret) along with .sops.yaml. Then I changed my secret_resource.yaml to secret_resource.yaml.gotmpl and changed line sseret-key: to sseret-key: {{ index .Values "sseret-key`"}}. The bummer is that helmfile do not detect gotmpl and because of that the secret resource is not created. Question is: Is there any workaround?

How do you install helm charts with values that use operators? For example:

  - name: gamma-monitor
    namespace: monitoring
    chart: stable/prometheus-operator
    version: 9.3.0
    values:
      - ./prometheus_grafana.yaml
      - grafana:
          adminPassword: {{ requiredEnv "GRAFANA_ADMIN_PASSWORD" }}

I will all sorts of errors:

 Error: Failed to render chart: exit status 1: Error: unable to build kubernetes objects from release manifest: [unable to recognize "": no matches for kind "Alertmanager" in version "<http://monitoring.coreos.com/v1|monitoring.coreos.com/v1>", unable to recognize no matches for kind "ServiceMonitor" in version "<http://monitoring.coreos.com/v1|monitoring.coreos.com/v1>", unable to recognize "": no matches for kind "Prometheus" in version "<http://monitoring.coreos.com/v1|monitoring.coreos.com/v1>", unable to recognize "": no matches for kind "PrometheusRule" in version "<http://monitoring.coreos.com/v1|monitoring.coreos.com/v1>", unable to recognize "": no matches for kind "ServiceMonitor" in version "<http://monitoring.coreos.com|monitoring.coreos.com>

Do the --set and --values arguments that get passed to helmfile sync/apply/write-values refer to Helm values or to Helmfile state values? If it's the former, should they take precedence over values files specified in the helmfile?
Experimenting with helmfile write-values, it seems like passing --set doesn't do override anything provided in the helmfile.

I've just tested it with helmfile diff --set image.tag=123 and it shows me the diff with image tag change to 123 instead of dev specified by helmfile itself.

I see correct output with hemfile template but helmfile write-values ignores --set

@vixus0 submit a PR or file a bug to fix it pls

@voron Will do :)

@voron https://github.com/roboll/helmfile/pull/1503/files - any suggestions for getting a passing test would be handy

I am using helmfile to deploy different variants and I don't want to map an variant to an environment instead I would like to pass the values.yaml and secrets.yaml file as an argument to helmfile,£

I found --state-values-file but I couldn't find the equivalent cli argument for the secret.