We're in the process of removing Helm from our IAC setup and switching to using just Terraform. Our system is currently running live in production so simply deleting all the Helm charts and re-deploying with Terraform is not an option as the system must maintain uptime.
Our original idea was to:
- Use a tool like k2tf to convert the Helm yamls to Terraform config
- Run
tf import ...
to import the existing k8s resource in Terraform state - Run
tf apply
to allow Terraform to strip off any attached Helm metadata such as labels/annotations - Update the helm chart to no longer include the resource and deploy it
Unfortunately, this doesn't appear to work as step 4 still deletes the resource. We had hoped that the Helm labels/annotations cleaned up in step 3 would make Helm think it doesn't own the resource anymore and thus not delete it, but it seems the Helm release still maintained some knowledge of it.
Any ideas on how this could be done? I know there are ways to delete a Helm chart a leave the resources in place but as mentioned this isn't really an option for us. We want to slowly migrate resources out of the Helm chart. Is there someway to explicitly tell Helm to "disown" a resource?
CodePudding user response:
After some digging through the docs, I found the "helm.sh/resource-policy": keep
annotation: https://helm.sh/docs/howto/charts_tips_and_tricks/#tell-helm-not-to-uninstall-a-resource
By applying this to a resource it means Helm won't delete it even if you run a helm upgrade
to a chart version with the resource removed.
So our strategy for migrating a resource from Helm to TF goes as follows:
- Attach the
"helm.sh/resource-policy": keep
annotation to the desired resource then release and deploy the Helm chart. - Remove the resource description from the Helm chart and release and deploy again.
- Write the terraform config for that resource (using k2tf from the original yaml if appropriate)
- Run
tf import ...
on the now orphaned k8s resource - Run
tf apply
to bring everything up to date