|
1 | 1 | # Helm Releases |
2 | 2 |
|
| 3 | +<!-- menuweight:10 --> |
| 4 | + |
3 | 5 | The `HelmRelease` API allows for controller-driven reconciliation of Helm |
4 | 6 | releases via Helm actions such as install, upgrade, test, uninstall, and |
5 | 7 | rollback. In addition to this, it detects and corrects cluster state drift |
@@ -62,16 +64,15 @@ In the above example: |
62 | 64 | named `podinfo` is created, pointing to the Helm repository from which the |
63 | 65 | podinfo chart can be installed. |
64 | 66 | - A HelmRelease named `podinfo` is created, that will create a [HelmChart](https://fluxcd.io/flux/components/source/helmcharts/) object |
65 | | - object from [the `.spec.chart`](#chart-template) and watch it for Artifact |
66 | | - changes. |
| 67 | + from [the `.spec.chart`](#chart-template) and watch it for Artifact changes. |
67 | 68 | - The controller will fetch the chart from the HelmChart's Artifact and use it |
68 | 69 | together with the `.spec.releaseName` and `.spec.values` to confirm if the |
69 | 70 | Helm release exists and is up-to-date. |
70 | 71 | - If the Helm release does not exist, is not up-to-date, or has not observed to |
71 | | - be made by the controller, then the controller will install or upgrade the |
72 | | - release. If this fails, it is allowed to retry the operation a number of |
73 | | - times while requeueing between attempts, as defined by the respective |
74 | | - [remediation configurations](#configuring-failure-handling). |
| 72 | + be made by the controller based on [the HelmRelease's history](#history), then |
| 73 | + the controller will install or upgrade the release. If this fails, it is |
| 74 | + allowed to retry the operation a number of times while requeueing between |
| 75 | + attempts, as defined by the respective [remediation configurations](#configuring-failure-handling). |
75 | 76 | - If the [Helm tests](#test-configuration) for the release have not been run |
76 | 77 | before for this release, the HelmRelease will run them. |
77 | 78 | - When the Helm release in storage is up-to-date, the controller will check if |
@@ -214,7 +215,7 @@ uninstalled before installing a new release with the new name. |
214 | 215 | **Note:** When the composition exceeds the maximum length of 53 characters, the |
215 | 216 | name is shortened by hashing the release name with SHA-256. The resulting name |
216 | 217 | is then composed of the first 40 characters of the release name, followed by a |
217 | | -dash (`-`), followed by the 12 characters of the hash. For example, |
| 218 | +dash (`-`), followed by the first 12 characters of the hash. For example, |
218 | 219 | `a-very-lengthy-target-namespace-with-a-nice-object-name` becomes |
219 | 220 | `a-very-lengthy-target-namespace-with-a-nic-97af5d7f41f3`. |
220 | 221 |
|
@@ -481,7 +482,8 @@ The field offers the following subfields: |
481 | 482 |
|
482 | 483 | To make the controller run the [Helm tests available for the chart](https://helm.sh/docs/topics/chart_tests/) |
483 | 484 | after a successful Helm install or upgrade, `.spec.test.enable` can be set to |
484 | | -`true`. |
| 485 | +`true`. When enabled, the test results will be available in the |
| 486 | +[`.status.history`](#history) field and emitted as a Kubernetes Event. |
485 | 487 |
|
486 | 488 | By default, when tests are enabled, failures in tests are considered release |
487 | 489 | failures, and thus are subject to the triggering Helm action's remediation |
@@ -586,7 +588,7 @@ to the controller logs (with `--log-level=debug`). |
586 | 588 |
|
587 | 589 | Furthermore, when `.spec.driftDetection.mode` is set to `enabled`, the |
588 | 590 | controller will attempt to correct the drift by creating and patching the |
589 | | -resources based on the server-side apply dry-run result. |
| 591 | +resources based on the server-side dry-run apply result. |
590 | 592 |
|
591 | 593 | At the end of the correction attempt, it will emit a Kubernetes Event with a |
592 | 594 | summary of the changes it made and any failures it encountered. In case of a |
@@ -977,6 +979,9 @@ When the flag is set, HelmReleases which do not have a `.spec.serviceAccountName |
977 | 979 | specified will use the Service Account name provided by |
978 | 980 | `--default-service-account=<name>` in the namespace of the HelmRelease object. |
979 | 981 |
|
| 982 | +For further best practices on securing helm-controller, see our |
| 983 | +[best practices guide](https://fluxcd.io/flux/security/best-practices). |
| 984 | + |
980 | 985 | ### Remote clusters / Cluster-API |
981 | 986 |
|
982 | 987 | Using a [`.spec.kubeConfig` reference](#kubeconfig-reference), it is possible |
@@ -1078,9 +1083,9 @@ flux reconcile helmrelease <helmrelease-name> |
1078 | 1083 | ### Forcing a release |
1079 | 1084 |
|
1080 | 1085 | To instruct the helm-controller to forcefully perform a Helm install or |
1081 | | -upgrade, it can be annotated with `reconcile.fluxcd.io/forceAt: <arbitrary value>` |
1082 | | -while simultaneously [triggering a reconcile](#triggering-a-reconcile) with the |
1083 | | -same value. |
| 1086 | +upgrade without making changes to the spec, it can be annotated with |
| 1087 | +`reconcile.fluxcd.io/forceAt: <arbitrary value>` while simultaneously |
| 1088 | +[triggering a reconcile](#triggering-a-reconcile) with the same value. |
1084 | 1089 |
|
1085 | 1090 | Annotating the resource forces a one-off Helm install or upgrade if the |
1086 | 1091 | `<arbitrary-value>` differs from the last value the controller acted on, as |
|
0 commit comments