Helm cannot install the chart if the global setting is disabled #306

Closed
aliabbasjaffri opened this issue May 19, 2020 · 7 comments
Labels
bug Something isn't working

Comments

@aliabbasjaffri

If the global settings are disabled but the individual settings are enabled, Helm doesn't seem to install the chart, with the error: no objects visited

@aliabbasjaffri changed the title from "Helm cannot install the chart if the global settings is disabled" to "Helm cannot install the chart if the global setting is disabled" on May 19, 2020
@krzysztof-miemiec

I think it's related to this Helm issue: helm/helm#4670

TL;DR: Helm assumes it's invalid to deploy no resources. Additionally, Helm assumes it's invalid to deploy only Secrets/ConfigMaps/Jobs.

My issue is that I can't deploy only an injector with such a values.yaml:

global:
  enabled: false
injector:
  authPath: kubernetes/cluster-beta
  enabled: true
  externalVaultAddr: https://vault.example.com
  logFormat: json
  priorityClassName: required
  resources:
    limits:
      cpu: 20m
      memory: 100Mi
    requests:
      cpu: 5m
      memory: 50Mi
  revokeOnShutdown: true

One of the proposed workarounds is to always deploy a dummy Deployment with replicas count set to 0.

@bitfactory-henno-schooljan

The documentation says you can disable the global setting and enable components selectively:

https://www.vaultproject.io/docs/platform/k8s/helm/configuration#enabled

However, this is not true. It will never work, as the chart checks for both values to be true:

{{- if and (eq (.Values.injector.enabled | toString) "true" ) (eq (.Values.global.enabled | toString) "true") }}

@krzysztof-miemiec

krzysztof-miemiec commented Jul 15, 2020

@bitfactory-henno-schooljan that's true. When I created a chart dummy deployment, only the deployment was created, so it was not a Helm bug there. I ended up reading the source of this Helm chart and came up with this (that's my complete values.yaml for injector-only setup, nothing more, nothing less):

injector:
  enabled: true
  externalVaultAddr: https://vault.example.com # This is the important part here
  authPath: kubernetes/cluster-beta

  logFormat: json
  revokeOnShutdown: true
  namespaceSelector: null

  resources:
    requests:
      cpu: 5m
      memory: 50Mi
    limits:
      cpu: 20m
      memory: 100Mi

injector.externalVaultAddr is enough for the chart to disable everything besides the injector and connect to Vault at the specified address. If you play with other flags (like server.enable=false), it doesn't work correctly.

@devth

devth commented Sep 4, 2020

As the above comment says, the documentation is not accurately reflecting the actual logic on the chart. Is this intentional? Which one is correct?

In the meantime I will try @krzysztof-miemiec's workaround.

@tvoran tvoran added the bug Something isn't working label Sep 9, 2020
@tvoran
Member

tvoran commented Sep 10, 2020

Hi folks, it appears the documentation is indeed not correct when it says individual components can be enabled when global.enabled=false. We'll see about correcting the documentation and/or the chart. Sorry about that!

In the meantime, the docs for injector.externalVaultAddr are correct in that setting externalVaultAddr disables the other components in the chart besides the injector: https://www.vaultproject.io/docs/platform/k8s/helm/configuration#externalvaultaddr

@seboudry

Hi!
Any news about doc / templates changes on global.enabled?
This is my first time using this chart and it's kinda weird to enable or disable each component individually.
BTW, I only need the Vault CSI provider

@swenson
Contributor

swenson commented Aug 10, 2022

I believe this has been fixed after #703 -- if it hasn't been, please feel free to re-open.

@swenson swenson closed this as completed Aug 10, 2022