Deploying Helm charts that use strict value validation breaks with Garden

[twelvemo]

Bug

Current Behavior

It is not possible to install helm charts with Garden that use strict values validation via a values.schema.json that include the additionalProperties: false stanza. For an overview of json schema validation for helm values see here.
Garden adds custom values to a chart deployed with Garden to add some metadata to the helm release. This is an example of a values file that Garden produces:

service:
  type: LoadBalancer
  ports:
    - name: https
      port: 443
      protocol: TCP
      targetPort: 443
.garden:
  moduleName: istio-gateway
  projectName: istio-example
  version: v-5f013b4127

When additionalProperties: false is set in the values.schema.json of a chart the deploy will fail with following error:

Error: INSTALLATION FAILED: values don't meet the specifications of the schema(s) in the following chart(s):
gateway:
- (root): Additional property .garden is not allowed

Expected behavior

Garden deploys the helm chart.

Reproducible example

Deploy the istio gateway Helm Chart with Garden e.g.:

kind: Deploy
name: istio-gateway
description: Install istio gateway helm chart
type: helm
spec:
  chart:
    name: gateway
    version: 1.17.1
    repo: https://istio-release.storage.googleapis.com/charts

Workaround

If you maintain the chart, consider setting additionalProperties: true in the validation schema. If it is a public chart the only way to install it is to download it and store it locally and set additionalProperties: true.
There is an open issue in Helm like helm/helm#10398 to override the validation client-side.

Suggested solution(s)

Store the Garden related metadata in a configmap or secret in the same namespace similar to test results instead of Helm values.

Additional context

If you run into this error please give the issue a thumbsup, currently we only saw this with the istio chart.

Your environment

• OS:
• How I'm running Kubernetes:

garden version

[worldofgeese]

A community member was bitten by this bug just now when attempting to deploy jupyterhub/jupyterhub. I have validated this bug myself using the following action provided by the community member:

kind: Deploy
type: helm
name: platformhub-helm
spec:
  releaseName: jupyterhub
  namespace: jupyterhub
  chart:
    repo: https://jupyterhub.github.io/helm-chart/
    name: jupyterhub
    version: "1.2.0"

The Discord forum post is available here.

[Walther]

This depends on upstream helm:

• issue Proposal: disable values schema validation for charts including a values.schema.json file helm/helm#10398
• pull request Add skip-schema-validation flag helm/helm#11510

[DnMllr]

Hello, I've also run into this issue with regards to the helm chart for the open telemetry collector. As you can see, additionalProperties are set to false in values.schema.json. While helm/helm#11510 seems like it should get in sometime soon, it will also be an all or nothing solution regarding schema validation. It might be nice to benefit from both schema validation and also use garden to manage values, which, if I understand correctly, will require garden to move its metadata into a configmap or secret regardless of what helm does upstream, as @twelvemo suggested.

[jamesylgan]

+1 - having the same OpenTelemetry Collector <> Garden issue.

[salotz]

Hitting this myself for Jupyterhub. Upstream looks like they are dragging their feet. Starting to see a pattern with Helm features.
I think the only option is to assume Helm developers will do nothing, so I'm +1 on the more robust ConfigMap value mgmt.