Applying nexus 5.1.0 (from 5.0.0) leads to deployment issues #1063

Closed
EugenMayer opened this issue Oct 18, 2024 · 13 comments · Fixed by #1066

@EugenMayer
Contributor

Going from 5.0.0 to 5.1.0 I get this error:

cannot patch "nexus" with kind StatefulSet: StatefulSet.apps "nexus" is invalid: spec: Forbidden: updates to statefulset spec for fields other than 'replicas', 'ordinals', 'template', 'updateStrategy', 'persistentVolumeClaimRetentionPolicy' and 'minReadySeconds' are forbidden

with this configuration.

image:
  tag: ${tag}

properties:
- nexus.skipDefaultRepositories=true
- nexus.scripts.allowCreation=false
- nexus.clustered=false
- nexus.loadAsOSS=true
- nexus.orient.enabled=false
- nexus.datastore.enabled=true

config:
  enabled: false

fullnameOverride: ${nexus_name}
nameOverride: ${nexus_name}

serviceAccount:
  create: false

persistence:
  enabled: true
  size: ${storage_size}Gi
  storageClass: "local-path"

service:
  enabled: true
  name: ${nexus_name}

install4jAddVmParams: "-XX:MaxDirectMemorySize=2048m -Xms2000m -Xmx6000m"

env:
  - name: NEXUS_SECURITY_RANDOMPASSWORD
    value: "false"

plugins:
  - name: nexus-repository-composer
    url: https://search.maven.org/remotecontent?filepath=org/sonatype/nexus/plugins/nexus-repository-composer/0.1.5/nexus-repository-composer-0.1.5-bundle.kar

podSecurityContext:
  fsGroup: 200

securityContext:
  runAsGroup: 200
  runAsUser: 200
  fsGroupChangePolicy: "OnRootMismatch"

licence:
  enabled: false

Misc:

  • I did not change the configuration in any way (deploying helm charts via terraform, so that can be told quite for sure)
  • running k8s 1.30.5
@stevehipwell
Owner

Do you have diff (e.g. Helm Diff plugin) for the changes? The only changes I can see are inside the template so should be fine.

@EugenMayer
Contributor Author

EugenMayer commented Oct 21, 2024

AFAICS updates in template are not allowed (see the error msg). Besides that, not sure how to create this kind of a diff - applying fails and I never get to see the "want" state as a yaml structured file at all. I can only look up the have state with lens or via kubectl. Do you have hints here?

@stevehipwell
Owner

Changing template is allowed, the error says what can change. You could diff the StatefulSet resource in cluster compared to a helm template run.
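
One way to carry out the comparison suggested above, as an added example that is not part of the original thread or the chart's code: it lists the immutable StatefulSet spec fields that a rendered manifest would change. The sample objects, label names and image names are constructed, and only fields the rendered manifest sets are checked.

```python
import json

# Top-level spec fields the API server lets you update, taken from the
# error message quoted in this issue. Everything else is immutable.
MUTABLE = {"replicas", "ordinals", "template", "updateStrategy",
           "persistentVolumeClaimRetentionPolicy", "minReadySeconds"}

def covers(live, want):
    """True if every value set in `want` is present and equal in `live`.
    Extra keys in `live` (server-side defaults, status) are ignored."""
    if isinstance(want, dict):
        return isinstance(live, dict) and all(
            k in live and covers(live[k], v) for k, v in want.items())
    if isinstance(want, list):
        return (isinstance(live, list) and len(live) == len(want)
                and all(covers(a, b) for a, b in zip(live, want)))
    return live == want

def forbidden_changes(live_sts, rendered_sts):
    """Immutable spec fields whose rendered value differs from the live one.
    Only fields the rendered manifest sets are checked (assumption)."""
    live, want = live_sts["spec"], rendered_sts["spec"]
    return sorted(k for k, v in want.items()
                  if k not in MUTABLE and not covers(live.get(k), v))

# Constructed sample objects, not the chart's real output.
LIVE = json.loads("""{"spec": {
  "replicas": 1, "serviceName": "nexus", "podManagementPolicy": "OrderedReady",
  "selector": {"matchLabels": {"app": "nexus"}},
  "template": {"spec": {"containers": [{"name": "nexus", "image": "example/nexus:old"}]}},
  "volumeClaimTemplates": [{"kind": "PersistentVolumeClaim",
    "metadata": {"name": "data", "labels": {"example/chart-version": "5.0.0"}},
    "spec": {"storageClassName": "local-path", "volumeMode": "Filesystem",
             "resources": {"requests": {"storage": "50Gi"}}},
    "status": {"phase": "Pending"}}]}}""")
RENDERED = json.loads("""{"spec": {
  "replicas": 1, "serviceName": "nexus",
  "selector": {"matchLabels": {"app": "nexus"}},
  "template": {"spec": {"containers": [{"name": "nexus", "image": "example/nexus:new"}]}},
  "volumeClaimTemplates": [{
    "metadata": {"name": "data", "labels": {"example/chart-version": "5.1.0"}},
    "spec": {"storageClassName": "local-path",
             "resources": {"requests": {"storage": "50Gi"}}}}]}}""")

if __name__ == "__main__":
    print(forbidden_changes(LIVE, RENDERED))
```

Against a real cluster, the live object would come from `kubectl get sts nexus -n nexus -o json` and the rendered one from the StatefulSet document of a `helm template` run converted to JSON.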

@stevehipwell
Owner

@EugenMayer any luck checking what Helm is attempting to change?

@EugenMayer
Contributor Author

EugenMayer commented Oct 24, 2024

Not yet, main reason is effort since I use terraform with helm, with values preconfigured via tf - replicating it for helm template is quite some work.

Kind of 'heads deep' in other things right now, sorry

@stevehipwell
Owner

@EugenMayer I've found the bug, which has been present for a long time and I was convinced I'd already squashed it as none of my other charts has it. I'm about to release 5.2.0 which fixes it but you'll need to manually delete the statefulset with an orphan cascade to be able to get the fix.

Also unrelated but two of your values are throwing warnings. The chart already manages the NEXUS_SECURITY_RANDOMPASSWORD env variable and if you want to set fsGroupChangePolicy that should be on the podSecurityContext not the securityContext.

@EugenMayer
Contributor Author

EugenMayer commented Oct 24, 2024

> but you'll need to manually delete the statefulset with an orphan cascade to be able to get the fix.

AFAIU this would remove my volumes, so I really have to be careful here. Thanks for taking a look into this issue!

Side note, your Confluence/Jira charts had the same issue (I'm not using them any longer, using the official dc charts, but it was an issue back in the day)

> Also unrelated but two of your values are throwing warnings. The chart already manages the NEXUS_SECURITY_RANDOMPASSWORD env variable and if you want to set fsGroupChangePolicy that should be on the podSecurityContext not the securityContext.

Thanks, inc your suggestions. Very helpful

@stevehipwell
Owner

> Side note, your Confluence/Jira charts had the same issue (I'm not using them any longer, using the official dc charts, but it was an issue back in the day)

Yes they did...and currently do! 🤦🏻

Thanks for this observation, I had fixed them all as the ones I actually use all work correctly but it looks like this "fix" might have been in my head!!

@EugenMayer
Contributor Author

EugenMayer commented Oct 24, 2024

> Yes they did...and currently do! 🤦🏻

I told you that back in the day - see #497

> but it looks like this "fix" might have been in my head!!

Been there, done that :)

@stevehipwell
Owner

@EugenMayer I fixed Jira based on #497 but for some reason both Confluence and SonarQube were missed.

@EugenMayer
Contributor Author

@stevehipwell as I found out today, one can remove the sts using --cascade=orphan which would leave the pods deployed

https://kubernetes.io/docs/tasks/run-application/delete-stateful-set/#deleting-a-statefulset

kubectl delete sts -n nexus nexus --cascade=orphan

Since the pods are not removed, the pv/pvc are not removed either and thus the entire operation becomes non-destructive

@stevehipwell
Owner

@EugenMayer yes that's how I generally work around this kind of thing, see #1063 (comment) ("you'll need to manually delete the statefulset with an orphan cascade to be able to get the fix"). I think I was on my phone when I sent that message so apologies for not being clearer and providing the command.

@EugenMayer
Contributor Author

It's all good - I learned something and this is on my side! Thanks
