helm chart fails to install when enabling runAsNonRoot and using customentrypoints

[anthonysomerset]

Describe the Bug

when using runAsNonRoot and customentrypoints the helm chart fails to install with error in kubernetes for the preinstall

  Warning  FailedMount             26s (x10 over 4m36s)   kubelet                  MountVolume.SetUp failed for volume "puppetserver-customentrypoints" : configmap "puppetserver-customentrypoints" not found

Expected Behavior

Helm chart should install, preinstall should create the configmap properly if required

Steps to Reproduce

try to install helm chart with values similar to below
install will fail after some time from helm

Environment

• Version: 9.3.4
• Platform AKS - with external PGDB

Additional Context

I am trying to inject a basic autosign conf as i don't want to generically have autosign enabled for everything and i was attempting to come from a "baremetal" environment (without puppetdb)

I am also doing this because i found disabling autosign (false) prevents the initial server certs from being signed as well (probably worth raising a seperate bug somewhere there)

FYI i also note similar error if i try putting netrc value into values and eyaml keys (which is a bad idea anyway so i've fixed the error of my ways there)

it looks almost like the preinstall is too early so the configmap isn't created yet and won't get created unless the preinstall succeeds - in my case i am not sure the configmap is even needed in the preinstall or not but others may need it as the run as nonroot

I am happy to disable runAsNonRoot if the CA certs are persisted but the readme suggests that certs get regenerated so is a little unclear here

my values.yaml - sensitive data redacted

global:
  runAsNonRoot: true
  postgresql:
    auth:
      username: secureusername
      password: reallysecurepass
      database: securedbname
        
puppetserver:
  customentrypoints:
    enabled: true
    configmaps:
      configure_autosign.sh: |-
        #!/bin/bash
        cat > /etc/puppetlabs/puppet/autosign.conf <<EOF
        *.domain
        *.puppet.svc.cluster.local        
        EOF
        # Configure puppet to use a custom ENC script (if it exists)
        if test -n "${AUTOSIGN}" ; then
          puppet config set autosign "$AUTOSIGN" --section master
        fi
  tag: 7.16.0-v1.4.0
#  preGeneratedCertsJob:
#    enabled: true
  masters:
    extraEnv:
      AUTOSIGN: "/etc/puppetlabs/puppet/autosign.conf"
    fqdns:
      alternateServerNames: "puppet-ca.domain"
    multiMasters:
      enabled: true
      manualScaling:
        masters: 2
  compilers:
    enabled: true
    kind: Deployment
    manualScaling:
      compilers: 3
    fqdns:
      alternateServerNames: "puppet-enc.domain,puppet.domain"
  puppeturl: "https://url/repo.git"
r10k:
  asSidecar: false
  code:
    viaHttps:
      credentials:
        netrc:
          existingSecret: netrc-secret
hiera:
  eyaml:
    existingSecret: eyaml-secret      
puppetdb:
  tag: 7.17.1-v1.4.0
  extraEnv:
    PUPPETDB_POSTGRES_HOSTNAME: myexternaldb.postgres.database.azure.com

puppetboard:
  enabled: true
  tag: 5.4.0
postgresql:
  enabled: false

[Xtigyro]

@anthonysomerset Thanks for the bug report!

If you find a way to fix this, please feel free to send our way a PR. This chart is 100% community maintained.

[anthonysomerset]

Some initial research around this

i think helm/helm#2622 and helm/helm#8694 are related issues in that we likely need to add configmaps and secrets etc to the pre-install hook but with the right resource policies to prevent deletion prior to spinning up the environment proper

that or the pre install job would need to be handled in an init-container but that sounds far more of a larger change to implement

[Xtigyro]

@anthonysomerset Definitely sounds a bit bigger than initially expected, yeah.