将Helm V2升级迁移至Helm V3

为避免Helm V2 Tiller服务端一些潜在的安全问题,例如攻击者可以通过Tiller在集群内安装未经授权的应用,并且使用更多的Helm特性,推荐您将Helm V2升级至Helm V3版本。本文介绍如何将Helm V2升级迁移至Helm V3。

升级迁移步骤

本小节以升级至Helm v3.3.0为例,介绍如何升级迁移Helm V2。关于Helm版本的更多信息,请参见Helm

说明

若允许应用重装,建议您参见文档删除应用后重装。具体操作,请参见【组件升级】Helm V2 Tiller升级公告

  1. 执行以下命令,安装Helm V3。

    wget https://get.helm.sh/helm-v3.3.0-linux-amd64.tar.gz
    tar -xzvf helm-v3.3.0-linux-amd64.tar.gz
    mv linux-amd64/helm /usr/local/bin/helm
    helm version

    预期输出:

    version.BuildInfo{Version:"v3.3.0", GitCommit:"e29ce2a54e96cd02ccfce88bee4f58bb6e2a****", GitTreeState:"clean", GoVersion:"go1.13.4"}
  2. 执行以下命令,安装Helm 2to3。

    本小节以安装Chart ack-node-local-dns为例,介绍如何安装。

    git clone https://github.com/helm/helm-2to3.git
    helm plugin install ./helm-2to3
  3. 执行以下命令,升级Chart ack-node-local-dns至Helm V3。

    helm 2to3 convert ack-node-local-dns --delete-v2-releases

    预期输出:

    2022/12/27 17:12:50 Release "ack-node-local-dns" will be converted from Helm v2 to Helm v3.
    2022/12/27 17:12:50 [Helm 3] Release "ack-node-local-dns" will be created.
    2022/12/27 17:12:50 [Helm 3] ReleaseVersion "ack-node-local-dns.v1" will be created.
    2022/12/27 17:12:50 [Helm 3] ReleaseVersion "ack-node-local-dns.v1" created.
    2022/12/27 17:12:50 [Helm 3] Release "ack-node-local-dns" created.
    2022/12/27 17:12:50 [Helm 2] Release "ack-node-local-dns" will be deleted.
    2022/12/27 17:12:50 [Helm 2] ReleaseVersion "ack-node-local-dns.v1" will be deleted.
    2022/12/27 17:12:50 [Helm 2] ReleaseVersion "ack-node-local-dns.v1" deleted.
    2022/12/27 17:12:50 [Helm 2] Release "ack-node-local-dns" deleted.
    2022/12/27 17:12:50 Release "ack-node-local-dns" was converted successfully from Helm v2 to Helm v3.

Helm V2升级迁移常见问题

apiVersion版本不一致导致的资源已存在问题

问题现象

集群版本升级后,Helm V2升级迁移出现错误提示rendered manifests contain a new resource that already exists. Unable to continue with update: existing resource conflict: kind: MutatingWebhookConfiguration, namespace: , name: mse-pilot-ack-mse-pilot

问题原因

集群版本升级后,1.22版本不支持v1beta1,而其他低版本还支持v1beta1,所以集群升级到高版本之后可能报错。

解决方案

您需要升级apiVersion版本。具体操作,请参见通过helm-mapkubeapis插件原地升级apiVersion

Helm V2升级至Helm V3,但升级Chart版本报错

问题现象

Helm V2升级迁移至V3,但升级Chart版本时(例如,升级v1.3.5版本至v1.5.3),出现错误提示err: rendered manifests contain a resource that already exists. Unable to continue with update: MutatingWebhookConfiguration \"ack-node-local-dns-admission-controller\" in namespace \"\" exists and cannot be imported into the current release: invalid ownership metadata; label validation error: missing key \"app.kubernetes.io/managed-by\": must be set to \"Helm\"; annotation validation error: missing key \"meta.helm.sh/release-name\": must be set to \"ack-node-local-dns\"

问题原因

该资源没有对应的Helm归属。

解决方案

您可以通过以下任意一种方式解决。

  • 将该资源配置归属到对应的Helm。

    1. 执行以下命令,修改对应的配置文件。

      kubectl edit MutatingWebhookConfiguration ack-node-local-dns-admission-controller
    2. 增加如下annotationslabels对应到Release中。

        annotations:
          meta.helm.sh/release-name: ack-node-local-dns
          meta.helm.sh/release-namespace: kube-system
        labels:
          app.kubernetes.io/managed-by: Helm
  • 执行以下命令,删除该资源。

    kubectl delete MutatingWebhookConfiguration ack-node-local-dns-admission-controller