HelmRelease
Post renderer
https://fluxcd.io/flux/components/helm/helmreleases/#post-renderers
HelmRelease resources have a built-in Kustomize-compatible post renderer, which provides some Kustomize directives.
Note that the patchesStrategicMerge and patchesJson6902 directives are deprecated; use patches instead.
Troubleshooting
Experiment with helm template locally first. See also Flux Helm Release troubleshooting.
Secrets
K8s Secrets
Manage with sealed-secrets.
With kubeseal, secrets can be safely committed in Git. After reconciliation, use kubectl get -A sealedsecret to check decryption status.
Reference Secrets from HelmRelease
Secrets used in valuesFrom should be put into the same namespace as the HelmRelease. kubeseal encryption is tied to the cluster namespace, so a secret sealed for the wrong namespace has to be re-encrypted.
Note that targetPath in arrays like array[0].name is not supported. See https://github.com/helm/helm/issues/8320.
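An added example (not from the original notes or the Flux project) of the layout described above: a SealedSecret and the HelmRelease that reads it through valuesFrom, both in the same namespace, with a map-style targetPath. The names apps, my-app, my-app-values and the chart value redis.password are hypothetical, and the ciphertext is a placeholder.

```yaml
# Added example. All names and the chart value path are hypothetical.
# The SealedSecret and the HelmRelease share metadata.namespace: the sealed
# data is tied to the namespace it was encrypted for, and valuesFrom only
# looks for the Secret in the HelmRelease's own namespace.
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: my-app-values
  namespace: apps
spec:
  encryptedData:
    # Placeholder: the ciphertext kubeseal produced for namespace "apps".
    redisPassword: <KUBESEAL_CIPHERTEXT>
  template:
    metadata:
      name: my-app-values
      namespace: apps
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: my-app
  namespace: apps          # must match the SealedSecret above
spec:
  interval: 10m
  chart:
    spec:
      chart: my-app
      sourceRef:
        kind: HelmRepository
        name: my-app
  valuesFrom:
    - kind: Secret
      name: my-app-values
      valuesKey: redisPassword
      # A map path is supported. An array path such as array[0].name is not
      # (helm/helm#8320), so expose list-held settings through a map key
      # or supply the whole values file from the Secret instead.
      targetPath: redis.password
```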
Deploy credentials rotation
A fine-grained PAT from GitHub only lasts for a year.
To rotate the SSH key generated at bootstrap, first delete the secret from the cluster with:
kubectl -n flux-system delete secret flux-system
Then run flux bootstrap again.
Common Debug Commands
flux logs --tail 10 -f
Helm controller Logs
kubectl describe -n flux-system helmrelease [name]
Retry Helm install
flux reconcile hr [name] --with-source # Attempt deploy
# If retries are exhausted
flux suspend hr [name]
flux resume hr [name]
Restore from fault
this namespace may not be deleted
flux delete kustomization node-feature-discovery
# wait for resources to be deleted
# force kill
flux suspend kustomization node-feature-discovery
Run flux suspend kustomization <name> to force-delete a Kustomization that is being deleted and mistook a resource it did not own for its own.
2024-10-01T00:00:00Z error Kustomization/node-feature-discovery.flux-system - Reconciler error delete failed, errors: Namespace/kube-system delete failed: namespaces "kube-system" is forbidden: this namespace may not be deleted;