Gatekeeper + Helmfile — Error: “no matches for kind ConstraintTemplate” when deploying Gatekeeper and policies together

[shay1197]

Hi,

I’m trying to deploy Gatekeeper and my policies together using Helmfile (version 1.x).

I have one release that installs Gatekeeper itself and another release that applies my Gatekeeper policies (ConstraintTemplates and Constraints).

When I deploy them together in a single Helmfile run, I get this error:

error: resource mapping not found for name: "require-global-pull-secret"
no matches for kind "RequirePullSecret" in version "constraints.gatekeeper.sh/v1"
ensure CRDs are installed first

The Gatekeeper pods and CRDs are created successfully, but it seems that the constraint kinds (like RequirePullSecret) are not yet registered with the Kubernetes API server when the policy release starts to apply.

Is there an official or recommended way to ensure that Gatekeeper finishes registering all custom kinds before applying ConstraintTemplates and Constraints when using Helmfile (or other automation tools like Argo CD)?

Thanks in advance,
Shay

[JaydipGabani]

@shay1197 I recommend creating all ConstraintTemplate first and then create Constraints, it give a little buffer between creating ConstraintTemplate and Constraints back to back without adding manual delay. There is an issue open to add a metrics related to template ingestion - #4016, feel free to upvote or comment on that issue if this is something that is helpful to you.