helm: Manifests with hooks not getting deleted during helm uninstall

Output of helm version:

version.BuildInfo{Version:"v3.4.2", GitCommit:"23dd3af5e19a02d4f4baa5b2f242645a1a3af629", GitTreeState:"clean", GoVersion:"go1.14.13"}

Output of kubectl version:

Client Version: version.Info{Major:"1", Minor:"14", GitVersion:"v1.14.6", GitCommit:"96fac5cd13a5dc064f7d9f4f23030a6aeface6cc", GitTreeState:"clean", BuildDate:"2019-08-19T11:13:49Z", GoVersion:"go1.12.9", Compiler:"gc", Platform:"windows/amd64"}
Server Version: version.Info{Major:"1", Minor:"11+", GitVersion:"v1.11.0+d4cacc0", GitCommit:"d4cacc0", GitTreeState:"clean", BuildDate:"2020-04-23T19:49:32Z", GoVersion:"go1.10.8", Compiler:"gc", Platform:"linux/amd64"}

Cloud Provider/Platform (AKS, GKE, Minikube etc.): Openshift

I’m trying to facilitate the ability to work with PodDisruptionBudget in my chart, and have run into a few things.

A PodDisruptionBudget in older versions of Kubernetes/Openshift is immutable, and results in the need to do something like https://github.com/kubernetes/kubernetes/issues/45398#issuecomment-478619253:

apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  name: {{ template "app.name" . }}
  release: {{ .Release.Name }}
  annotations:
    "helm.sh/hook": "post-upgrade, post-install"
    "helm.sh/hook-delete-policy": "before-hook-creation"
spec:

I’ve made sure that "helm.sh/resource-policy": keep isn’t being set
Not sure if it’s strictly tied to the hooks, but when running helm uninstall, the PodDisruptionBudget is NOT deleted

I feel like I’m missing something obvious about the hooks and how they should be used that’s preventing this from deleting successfully, but I can’t seem to find any documentation to this effect.

About this issue

Original URL
State: closed
Created 3 years ago
Reactions: 7
Comments: 16 (3 by maintainers)

Most upvoted comments

+1 for this feature. I came here to find out why my hooked resources didn’t get cleaned up. We rely on hooks for https://github.com/open-policy-agent/gatekeeper because some custom resources rely on the CRDs created by the binary running in the deployment of the main chart. So we use "helm.sh/hook": post-install,post-upgrade but would still like them to be cleaned up if renamed/removed from the chart. Given the fact that helm.sh/resource-policy: keep is mentioned in the relevant docs part I would think that the expected behavior is actually that the resources get cleaned up if one doesn’t have the keep annotation. So while yes, it changes the behavior, I think it changes it to the actual expected behavior. It wouldn’t break anything from previous helm releases, it would just change the behavior (to what I would argue is expected anyway).

+15

jonnylangefeld on Mar 21, 2022

+1 for this feature. I came here to find out why my hooked resources didn’t get cleaned up. We rely on hooks for https://github.com/open-policy-agent/gatekeeper because some custom resources rely on the CRDs created by the binary running in the deployment of the main chart. So we use "helm.sh/hook": post-install,post-upgrade but would still like them to be cleaned up if renamed/removed from the chart. Given the fact that helm.sh/resource-policy: keep is mentioned in the relevant docs part I would think that the expected behavior is actually that the resources get cleaned up if one doesn’t have the keep annotation. So while yes, it changes the behavior, I think it changes it to the actual expected behavior. It wouldn’t break anything from previous helm releases, it would just change the behavior (to what I would argue is expected anyway).

@bacongobbler Can we simply add a middle ground like: helm.sh/resource-policy: delete

Deleting hooks on uninstall when explicitly set. It would work-out to be perfectly backwards compatible and offer those options to projects that need it.

Ornias1993 on Mar 8, 2023

What about the line that states:

Garbage collection of hook resources when the corresponding release is deleted may be added to Helm 3 in the future.

That is also documented. This PR aims to facilitate that…

tomcruise81 on Jan 25, 2021

It is intentional behavior for hooks to NOT be removed when helm uninstall is invoked. From the documentation:

Practically speaking, this means that if you create resources in a hook, you cannot rely upon helm uninstall to remove the resources. To destroy such resources, you need to either add a custom helm.sh/hook-delete-policy annotation to the hook template file, or set the time to live (TTL) field of a Job resource.

Because this is documented, intended behavior, I’m closing this as this proposal directly contradicts with the hook system’s described behavior, and there is clear recommended paths to move forward should you wish for hooks to be removed.

bacongobbler on Jan 25, 2021