Helm Chart produces invalid yaml, leading to error when deploying with flux2

[jdftapi]

Environment

Installation method: Deploy helm chart from this repo as a [helmrelease resource with flux2](https://fluxcd.io/docs/use-cases/helm/#getting-started)
Kubernetes version: v1.21.3
Dashboard version (v1.x is not supported. Use v2.0 or later.): helm chart v5.0.5
Operating system: not applicable
Node.js version ('node --version' output): not applicable
Go version ('go version' output): not applicable

Steps to reproduce

We use flux2 to deploy kubernetes manifests from git. Flux offers resources called 'helmrepository' and 'helmrelease' in order to allow installation of helm charts in a declarative manner. Our resources look like this:

apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: HelmRepository
metadata:
  name: kubernetes-dashboard
spec:
  interval: 12h
  url: https://kubernetes.github.io/dashboard/
---                                                                          
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  labels:
    kustomize.toolkit.fluxcd.io/name: flux-system
    kustomize.toolkit.fluxcd.io/namespace: flux-system
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  chart:
    spec:
      chart: kubernetes-dashboard
      sourceRef:
        kind: HelmRepository
        name: kubernetes-dashboard
        namespace: kubernetes-dashboard
      version: '*'
  interval: 30m0s
  releaseName: kubernetes-dashboard
  values:
    extraArgs:
    - --enable-insecure-login
    ingress:
      annotations:
        traefik.ingress.kubernetes.io/router.entrypoints: websecure
        traefik.ingress.kubernetes.io/router.middlewares: traefik-system-hstsheaders@kubernetescrd
        traefik.ingress.kubernetes.io/router.tls: "true"
        traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt
      className: traefik-lb
      enabled: true
      hosts:
      - redacted.hostname.com
    labels:
      name: kubernetes-dashboard
    podSecurityPolicy:
      enabled: true
    protocolHttp: true
    rbac:
      clusterReadOnlyRole: true
    service:
      externalPort: 80

Observed result

We have currently installed v5.0.4 of the helm chart this way and flux is trying to upgrade to v5.0.5 but fails with the following error message:

  Normal  error  10m (x29 over 3h18m)  helm-controller  reconciliation failed: Helm upgrade failed: error while running post render on files: map[string]interface {}(nil): yaml: unmarshal errors:
  line 28: mapping key "annotations" already defined at line 27

Expected result

The installation via flux2 should run without error.

Comments

I suspect the regression was introduced in this commit, as the psp.yaml template now contains two metadata.annotation keys, which is compiled into syntactically invalid yaml by helm.

This can be reproduced by creating a values.yaml file like:

podSecurityPolicy:
  enabled: true

and run helm template kubernetes-dashboard/kubernetes-dashboard -f values.yaml | less. The generated YAML for the PSP will have duplicate keys for metadata.annotation. Unfortunately, helm itself will just ignore one of the annotation keys, but flux2 will not (rightfully so, if you ask me).

See Also:
Discussion about similar issue in Flux Project
Similar issue in other Helm Chart Project

I will gladly provide a PR fixing this issue.

[jdftapi]

Should be fixed in v5.0.6 of the helm chart, see #6678