Skip to content

🐛 Fix flaky Helm installations by separating provider CRs from operator deployment #832

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

🐛 Fix flaky Helm installations by separating provider CRs from operator deployment #832

wants to merge 2 commits into from

Conversation

kahirokunn
Copy link
Member

@kahirokunn kahirokunn commented Jun 19, 2025
edited
Loading

Fixes: #534

What type of PR is this?

/kind bug

What this PR does / why we need it:

This PR fixes the flaky Helm installation issue where provider Custom Resources fail to install due to webhook validation errors. The root cause is that provider CRs are being applied at the same time as the operator deployment, before the webhook service is ready.

Problem:
When installing the cluster-api-operator Helm chart, users frequently encounter errors like:

Error: failed post-install: warning: Hook post-install cluster-api-operator/templates/core-conditions.yaml failed: 1 error occurred:
        * Internal error occurred: failed calling webhook "vcoreprovider.kb.io": failed to call webhook: Post "https://capi-operator-webhook-service.cluster-api-operator-docker.svc:443/mutate-operator-cluster-x-k8s-io-v1alpha2-coreprovider?timeout=10s": no endpoints available for service "capi-operator-webhook-service"

Solution:
Split the Helm chart into two separate charts:

  1. cluster-api-operator - Contains only the operator deployment and its resources
  2. cluster-api-operator-providers - Contains all provider Custom Resources

This ensures the operator is fully running before any provider CRs are applied.

Which issue(s) this PR fixes:

Fixes #[issue-number]

Special notes for your reviewer:

The installation process now requires two steps:

# 1. Install the operator
helm install capi-operator ./cluster-api-operator --namespace capi-operator-system --create-namespace

# 2. Wait for operator to be ready
kubectl wait --for=condition=ready pod -l app=capi-operator -n capi-operator-system --timeout=300s

# 3. Install provider CRs
helm install capi-providers ./cluster-api-operator-providers --namespace capi-operator-system

Release note:

BREAKING CHANGE: The cluster-api-operator Helm chart has been split into two charts to fix webhook validation errors during installation. Users must now install `cluster-api-operator` first, wait for it to be ready, then install `cluster-api-operator-providers`.

@k8s-ci-robot k8s-ci-robot added the do-not-merge/invalid-commit-message Indicates that a PR should not merge because it has an invalid commit message. label Jun 19, 2025
@netlify Netlify
Copy link

netlify bot commented Jun 19, 2025
edited
Loading

Deploy Preview for kubernetes-sigs-cluster-api-operator ready!

Name Link
🔨 Latest commit cb5a66d
🔍 Latest deploy log https://app.netlify.com/projects/kubernetes-sigs-cluster-api-operator/deploys/6856db66ef63db0008921726
😎 Deploy Preview https://deploy-preview-832--kubernetes-sigs-cluster-api-operator.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jun 19, 2025
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign alexander-demicev for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jun 19, 2025
@kahirokunn kahirokunn changed the title fix: split provider CRs from operator deployment 🐛 Fix flaky Helm installations by separating provider CRs from operator deployment Jun 19, 2025
@kahirokunn kahirokunn marked this pull request as draft June 19, 2025 07:37
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 19, 2025
@kahirokunn kahirokunn marked this pull request as ready for review June 19, 2025 07:41
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 19, 2025
@kahirokunn kahirokunn marked this pull request as draft June 19, 2025 09:03
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 19, 2025
@kahirokunn kahirokunn marked this pull request as ready for review June 19, 2025 15:47
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 19, 2025
@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jun 20, 2025
@kahirokunn kahirokunn force-pushed the fix-flaky-install2 branch 3 times, most recently from 3f03d48 to 71ebea3 Compare June 20, 2025 00:24
@kahirokunn
fix: split provider CRs from operator deployment
c773386 
This commit splits the cluster-api-operator Helm chart into two
separate charts to resolve flaky installations caused by webhook
validation timing issues.

Problem:
- Provider Custom Resources (CoreProvider, BootstrapProvider, etc.)
  were applied at the same time as the operator deployment.
- The webhook service was not yet ready, leading to validation errors:
  "no endpoints available for service 'capi-operator-webhook-service'".

Solution:
- Create two charts:
  1. cluster-api-operator: contains only the operator deployment and
     its resources.
  2. cluster-api-operator-providers: contains all provider Custom
     Resources.
- Installing the operator first allows the webhook to start before
  provider CRs are applied.

Installation now requires:
1. Install operator:
   helm install capi-operator capi-operator/cluster-api-operator \
     --create-namespace -n capi-operator-system --wait --timeout 90s
2. Install providers:
   helm install capi-providers \
     capi-operator/cluster-api-operator-providers \
     -n capi-operator-system \
     --set infrastructure.docker.enabled=true \
     --set cert-manager.enabled=true \
     --set configSecret.name=${CREDENTIALS_SECRET_NAME} \
     --set configSecret.namespace=${CREDENTIALS_SECRET_NAMESPACE}

Fixes: kubernetes-sigs#534
Signed-off-by: kahirokunn <okinakahiro@gmail.com>
@kahirokunn kahirokunn force-pushed the fix-flaky-install2 branch 5 times, most recently from c2fda14 to 2ee1de5 Compare June 20, 2025 02:13
@kahirokunn kahirokunn force-pushed the fix-flaky-install2 branch 11 times, most recently from 996a078 to 097ce06 Compare June 21, 2025 07:20
@k8s-ci-robot k8s-ci-robot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Jun 21, 2025
@kahirokunn kahirokunn force-pushed the fix-flaky-install2 branch 7 times, most recently from 1dbedc6 to 5725787 Compare June 21, 2025 15:04
@k8s-ci-robot k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Jun 21, 2025
@kahirokunn kahirokunn force-pushed the fix-flaky-install2 branch 3 times, most recently from e4c4127 to ea36d6e Compare June 21, 2025 16:15
@kahirokunn
Copy link
Member Author

Hi @dtzar and @furkatgofurov7,

When you have a moment, could you please review ?

This update splits the chart into operator and provider components, ensuring the operator’s webhook is fully ready before provider CRs are applied. As a result, the no endpoints available for service "capi-operator-webhook-service" validation error has been resolved.

Also, since this PR would result in a breaking change, I think it would be best to either create a new helm chart and gradually migrate to it, or continue to use both. I would appreciate your feedback on this as well.

Thank you for your time and feedback.

Best regards,
@kahirokunn

@kahirokunn
🌱 Add smoke test workflow
cb5a66d 
Add a new GitHub Actions workflow for smoke testing.

Signed-off-by: kahirokunn <okinakahiro@gmail.com>
@kahirokunn kahirokunn force-pushed the fix-flaky-install2 branch from ea36d6e to cb5a66d Compare June 21, 2025 16:18
@k8s-ci-robot
Copy link
Contributor

Keywords which can automatically close issues and at(@) or hashtag(#) mentions are not allowed in commit messages.

The list of commits with invalid commit messages:

  • c773386 fix: split provider CRs from operator deployment

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@k8s-ci-robot
Copy link
Contributor

@kahirokunn: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-cluster-api-operator-verify-main cb5a66d link true /test pull-cluster-api-operator-verify-main
pull-cluster-api-operator-e2e-main cb5a66d link true /test pull-cluster-api-operator-e2e-main

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Danil-Grigorev Danil-Grigorev Awaiting requested review from Danil-Grigorev

@neolit123 neolit123 Awaiting requested review from neolit123

@Fedosin Fedosin Awaiting requested review from Fedosin

@timothysc timothysc Awaiting requested review from timothysc

@alexander-demicev alexander-demicev Awaiting requested review from alexander-demicev

Assignees
No one assigned
Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/invalid-commit-message Indicates that a PR should not merge because it has an invalid commit message. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Helm Chart CRDs Placement Causes Flaky Installations
2 participants
@kahirokunn @k8s-ci-robot