feat(helm): preflight check for cert-manager presence#383
Draft
WentingWu666666 wants to merge 1 commit into
Draft
feat(helm): preflight check for cert-manager presence#383WentingWu666666 wants to merge 1 commit into
WentingWu666666 wants to merge 1 commit into
Conversation
The chart unconditionally creates cert-manager.io/v1 Issuer and Certificate resources for the validating webhook and the CNPG plugin sidecars. If cert-manager is not installed in the cluster, the install `succeeds` from Helm's perspective but the operator never becomes ready (webhook TLS Secret is never issued, readiness probe never passes), and the user is left to figure out why. Add a templates/00_preflight.yaml that uses .Capabilities.APIVersions.Has to detect cert-manager.io/v1 and fail the install/upgrade with an actionable error message naming the missing dependency and how to install it. The check is on by default and gated by certManager.preflightCheck so it can be disabled for offline templating (GitOps render pipelines) where API discovery is unreliable. Disabling does NOT remove the dependency. Addresses M4 from documentdb#381. Verified locally: - `helm template` without cert-manager API: fails with our error. - `helm template --api-versions cert-manager.io/v1`: renders. - `helm template --set certManager.preflightCheck=false`: renders. - `helm upgrade --dry-run` on kind (cert-manager installed): passes. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
|
🤖 Auto-triaged by documentdb-triage-tool. Applied: Reasoningeffort from diff stats (30+0 LOC, 2 files); LLM: Adds a small Helm preflight template (~few lines) to fail fast when cert-manager is absent, improving UX for a silent failure mode; part of a tracked GA-readiness audit. If a label is wrong, remove it manually and ping |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this PR does
Adds a Helm preflight check that fails the install/upgrade with an actionable error when cert-manager is not installed in the target cluster.
Why
The chart unconditionally creates
cert-manager.io/v1IssuerandCertificateresources for the validating webhook and the CNPG plugin sidecars. Today, if cert-manager is missing:helm installreturns success.Failing loud at install time is much friendlier.
How
templates/00_preflight.yamluses.Capabilities.APIVersions.Has "cert-manager.io/v1"and{{- fail }}to abort if absent.Gated by
certManager.preflightCheck(defaulttrue) so it can be disabled for offline templating (GitOps render pipelines) where API discovery returns only stable Kubernetes APIs.Local verification
helm template(no API discovery)helm template --api-versions cert-manager.io/v1helm template --set certManager.preflightCheck=falsehelm upgrade --dry-runon kind (cert-manager installed)Tracking