/kind bug
What happened:
Helm v4 defaults to server-side apply.
Upgrading manila-csi fails with a server-side apply conflict on the aggregated ClusterRole objects for the controller and node plugins.
The error is:
Upgrade "manila-csi" failed: conflict occurred while applying object /manila-csi-openstack-manila-csi-controllerplugin rbac.authorization.k8s.io/v1, Kind=ClusterRole: Apply failed with 1 conflict: conflict with "clusterrole-aggregation-controller": .rules
conflict occurred while applying object /manila-csi-openstack-manila-csi-nodeplugin rbac.authorization.k8s.io/v1, Kind=ClusterRole: Apply failed with 1 conflict: conflict with "clusterrole-aggregation-controller": .rules
The chart renders these clusteroles using an aggregationRule and rules: []:
|
aggregationRule: |
|
clusterRoleSelectors: |
|
- matchLabels: |
|
rbac.manila.csi.openstack.org/aggregate-to-controller-{{ include "openstack-manila-csi.name" . }}: "true" |
|
rules: [] |
|
aggregationRule: |
|
clusterRoleSelectors: |
|
- matchLabels: |
|
rbac.manila.csi.openstack.org/aggregate-to-nodeplugin-{{ include "openstack-manila-csi.name" . }}: "true" |
|
rules: [] |
But clusterrole-aggregation-controller takes ownership of the .rules field after creation and populates from matching aggregated roles:
managedFields:
- manager: helm
operation: Apply
fieldsV1:
f:aggregationRule:
f:clusterRoleSelectors: {}
- manager: clusterrole-aggregation-controller
operation: Apply
fieldsV1:
f:rules: {}So next helm upgrade results in an rbac conflict.
What you expected to happen:
Helm upgrades should work with SSA, i.e. the default for Helm 4
How to reproduce it:
- Install manila-csi-plugin into a cluster using Helm 4, which defaults to SSA for new releases
- Let
clusterrole-aggregation-controller populate the aggregated rules
- The next
helm upgrade will fail
Anything else we need to know?:
Can rules: [] just be removed?
Environment:
- openstack-cloud-controller-manager version: 2.35.0
- manila-csi-plugin version: 2.35.0
- Helm version: 4.2.0
- Kubernetes version: 1.34.6
/kind bug
What happened:
Helm v4 defaults to server-side apply.
Upgrading
manila-csifails with a server-side apply conflict on the aggregated ClusterRole objects for the controller and node plugins.The error is:
The chart renders these clusteroles using an
aggregationRuleandrules: []:cloud-provider-openstack/charts/manila-csi-plugin/templates/controllerplugin-clusterrole.yaml
Lines 7 to 11 in 46c2161
cloud-provider-openstack/charts/manila-csi-plugin/templates/nodeplugin-clusterrole.yaml
Lines 7 to 11 in 46c2161
But
clusterrole-aggregation-controllertakes ownership of the.rulesfield after creation and populates from matching aggregated roles:So next helm upgrade results in an rbac conflict.
What you expected to happen:
Helm upgrades should work with SSA, i.e. the default for Helm 4
How to reproduce it:
clusterrole-aggregation-controllerpopulate the aggregated ruleshelm upgradewill failAnything else we need to know?:
Can
rules: []just be removed?Environment: