I realized I had never actually verified this behavior, so I checked it.
https://helm.sh/ja/docs/chart_best_practices/custom_resource_definitions/
I checked with the following charts:
- prometheus-operator-crds: CRDs only
- kube-prometheus-stack: CRDs in a subchart
- k8s-monitoring: prometheus-operator-crds as a subchart

- prometheus-operator-crds
  - The CRDs are defined as templates, so `helm upgrade` updates them along with the release
  - However, naturally, removing the chart also removes the CRDs
    - When the CRDs are removed, the custom resources are removed too
    - As long as the chart is managed on its own, this is probably not much of a problem
- kube-prometheus-stack:
  - The CRDs are defined as crds, so `helm upgrade` does not update them
    - With `crds.upgradeJob.enabled`, a helm hook updates the CRDs during the upgrade
      - However, without `crds.upgradeJob.forceConflicts` it fails on a managed field conflict
  - The CRDs are not managed by helm, so they remain after the release is deleted
    - Installing prometheus-operator-crds with `--take-ownership` takes them over
- k8s-monitoring:
  - It installs prometheus-operator-crds as a subchart
  - Therefore, uninstalling k8s-monitoring also removes the prometheus-operator CRDs
  - It seems easy to delete them without realizing it, which is a little scary
❯❯ helm template .charts/prometheus-operator-crds-25.0.0 > .charts/prometheus-operator-crds-25.0.0.yaml
❯❯ helm template .charts/prometheus-operator-crds-27.0.0 > .charts/prometheus-operator-crds-27.0.0.yaml
❯❯ dyff between -b -ogithub .charts/prometheus-operator-crds-{25,27}.0.0.yaml | tail -n20
@@ spec.versions.v1.schema.openAPIV3Schema.properties.spec.properties.remoteWrite.items.properties.azureAd.properties.oauth.description @@
# apiextensions.k8s.io/v1/CustomResourceDefinition/thanosrulers.monitoring.coreos.com
! ± value change in multiline text (one insert, one deletion)
oauth defines the oauth config that is being used to authenticate.
- Cannot be set at the same time as `managedIdentity` or `sdk`.
+ Cannot be set at the same time as `managedIdentity`, `sdk` or `workloadIdentity`.
It requires Prometheus >= v2.48.0 or Thanos >= v0.31.0.
@@ spec.versions.v1.schema.openAPIV3Schema.properties.spec.properties.remoteWrite.items.properties.azureAd.properties.sdk.description @@
# apiextensions.k8s.io/v1/CustomResourceDefinition/thanosrulers.monitoring.coreos.com
! ± value change in multiline text (one insert, one deletion)
sdk defines the Azure SDK config that is being used to authenticate.
See https://learn.microsoft.com/en-us/azure/developer/go/azure-sdk-authentication
- Cannot be set at the same time as `oauth` or `managedIdentity`.
+ Cannot be set at the same time as `oauth`, `managedIdentity` or `workloadIdentity`.
It requires Prometheus >= v2.52.0 or Thanos >= v0.36.0.
install 25.0.0
❯❯ helm install prometheus-operator-crds oci://ghcr.io/prometheus-community/charts/prometheus-operator-crds --version 25.0.0
Pulled: ghcr.io/prometheus-community/charts/prometheus-operator-crds:25.0.0
Digest: sha256:00d91e57c0ee86b5f119540470c31cae0bc3bfecda8277dedad306ae4564431e
NAME: prometheus-operator-crds
update to 27.0.0
❯❯ helm upgrade prometheus-operator-crds oci://ghcr.io/prometheus-community/charts/prometheus-operator-crds --version 27.0.0
With prometheus-operator-crds, the CRDs are updated as well.
❯❯ kubectl get crds alertmanagerconfigs.monitoring.coreos.com -oyaml | grep -e 'operator.prometheus.io/version'
operator.prometheus.io/version: 0.89.0
❯❯ kubectl get crds thanosrulers.monitoring.coreos.com -oyaml | grep -ie 'Cannot be set at the same time as'
Cannot be set at the same time as `sigv4`, `basicAuth`, `oauth2`, or `azureAd`.
Cannot be set at the same time as `authorization`, `basicAuth`, `oauth2`, or `sigv4`.
Cannot be set at the same time as `oauth`, `sdk` or `workloadIdentity`.
Cannot be set at the same time as `managedIdentity`, `sdk` or `workloadIdentity`.
Cannot be set at the same time as `oauth`, `managedIdentity` or `workloadIdentity`.
Cannot be set at the same time as `oauth`, `managedIdentity`, or `sdk`.
Cannot be set at the same time as `sigv4`, `authorization`, `oauth2`, or `azureAd`.
Cannot be set at the same time as `sigv4`, `authorization`, `basicAuth`, or `azureAd`.
Cannot be set at the same time as `authorization`, `basicAuth`, `oauth2`, or `azureAd`.
This is because the CRDs are included as templates.
.charts/prometheus-operator-crds-27.0.0
├── charts
│ └── crds
│ └── templates
├── ci
└── hack
Uninstalling the release deletes the CRDs along with it
❯❯ helm uninstall prometheus-operator-crds
release "prometheus-operator-crds" uninstalled
❯❯ kubectl get crds
No resources found
It has crds, but they are CRDs that accept anything, so it seems they will neither be updated nor break.
Enabling crds.upgradeJob.enabled updates them, but otherwise they should not be updated.
install:
❯❯ helm install kube-prometheus oci://ghcr.io/prometheus-community/charts/kube-prometheus-stack --version 80.0.0
Pulled: ghcr.io/prometheus-community/charts/kube-prometheus-stack:80.0.0
Digest: sha256:62efb9fe8cf70e0fc7e67ad32f9ea378a3856ca44028cb2fe56f483974730e1c
NAME: kube-prometheus
At 80.0.0 the CRDs are the older version
❯❯ kubectl get crds thanosrulers.monitoring.coreos.com -oyaml | grep -ie 'Cannot be set at the same time as'
Cannot be set at the same time as `sigv4`, `basicAuth`, `oauth2`, or `azureAd`.
Cannot be set at the same time as `authorization`, `basicAuth`, `oauth2`, or `sigv4`.
Cannot be set at the same time as `oauth` or `sdk`.
Cannot be set at the same time as `managedIdentity` or `sdk`.
Cannot be set at the same time as `oauth` or `managedIdentity`.
Cannot be set at the same time as `sigv4`, `authorization`, `oauth2`, or `azureAd`.
Cannot be set at the same time as `sigv4`, `authorization`, `basicAuth`, or `azureAd`.
Cannot be set at the same time as `authorization`, `basicAuth`, `oauth2`, or `azureAd`.
upgrade:
❯❯ helm upgrade kube-prometheus oci://ghcr.io/prometheus-community/charts/kube-prometheus-stack --version 82.0.0
Pulled: ghcr.io/prometheus-community/charts/kube-prometheus-stack:82.0.0
Digest: sha256:3d664d08d510d2cb3615fa3d0a3a499b958b38e199e6037d4049b4aaaa067902
Release "kube-prometheus" has been upgraded. Happy Helming!
NAME: kube-prometheus
We can confirm that the CRDs have not changed.
❯❯ kubectl get crds thanosrulers.monitoring.coreos.com -oyaml | grep -ie 'Cannot be set at the same time as'
Cannot be set at the same time as `sigv4`, `basicAuth`, `oauth2`, or `azureAd`.
Cannot be set at the same time as `authorization`, `basicAuth`, `oauth2`, or `sigv4`.
Cannot be set at the same time as `oauth` or `sdk`.
Cannot be set at the same time as `managedIdentity` or `sdk`.
Cannot be set at the same time as `oauth` or `managedIdentity`.
Cannot be set at the same time as `sigv4`, `authorization`, `oauth2`, or `azureAd`.
Cannot be set at the same time as `sigv4`, `authorization`, `basicAuth`, or `azureAd`.
Cannot be set at the same time as `authorization`, `basicAuth`, `oauth2`, or `azureAd`.
A plain install naturally fails
❯❯ helm install prometheus-operator-crds oci://ghcr.io/prometheus-community/charts/prometheus-operator-crds --version 25.0.0
Pulled: ghcr.io/prometheus-community/charts/prometheus-operator-crds:25.0.0
Digest: sha256:00d91e57c0ee86b5f119540470c31cae0bc3bfecda8277dedad306ae4564431e
Error: INSTALLATION FAILED: unable to continue with install: CustomResourceDefinition "alertmanagerconfigs.monitoring.coreos.com" in namespace "" exists and cannot be imported into the current release: invalid ownership metadata; label validation error: missing key "app.kubernetes.io/managed-by": must be set to "Helm"; annotation validation error: missing key "meta.helm.sh/release-name": must be set to "prometheus-operator-crds"; annotation validation error: missing key "meta.helm.sh/release-namespace": must be set to "default"
Take over with --take-ownership
❯❯ helm install prometheus-operator-crds oci://ghcr.io/prometheus-community/charts/prometheus-operator-crds --version 25.0.0 --take-ownership
Pulled: ghcr.io/prometheus-community/charts/prometheus-operator-crds:25.0.0
Digest: sha256:00d91e57c0ee86b5f119540470c31cae0bc3bfecda8277dedad306ae4564431e
NAME: prometheus-operator-crds
LAST DEPLOYED: Mon Feb 23 17:35:47 2026
NAMESPACE: default
STATUS: deployed
REVISION: 1
DESCRIPTION: Install complete
TEST SUITE: None
The takeover succeeded
❯❯ kubectl get crds prometheuses.monitoring.coreos.com -ojson | jq '.metadata.annotations'
{
"controller-gen.kubebuilder.io/version": "v0.19.0",
"meta.helm.sh/release-name": "prometheus-operator-crds",
"meta.helm.sh/release-namespace": "default",
"operator.prometheus.io/version": "0.87.0"
}
❯❯ kubectl get crds -ojson | jq '.items[].metadata|{name, "release-name":.annotations["meta.helm.sh/release-name"]}' --compact-output
{"name":"alertmanagerconfigs.monitoring.coreos.com","release-name":"prometheus-operator-crds"}
{"name":"alertmanagers.monitoring.coreos.com","release-name":"prometheus-operator-crds"}
{"name":"podmonitors.monitoring.coreos.com","release-name":"prometheus-operator-crds"}
{"name":"probes.monitoring.coreos.com","release-name":"prometheus-operator-crds"}
{"name":"prometheusagents.monitoring.coreos.com","release-name":"prometheus-operator-crds"}
{"name":"prometheuses.monitoring.coreos.com","release-name":"prometheus-operator-crds"}
{"name":"prometheusrules.monitoring.coreos.com","release-name":"prometheus-operator-crds"}
{"name":"scrapeconfigs.monitoring.coreos.com","release-name":"prometheus-operator-crds"}
{"name":"servicemonitors.monitoring.coreos.com","release-name":"prometheus-operator-crds"}
{"name":"thanosrulers.monitoring.coreos.com","release-name":"prometheus-operator-crds"}
install:
❯❯ helm install kube-prometheus oci://ghcr.io/prometheus-community/charts/kube-prometheus-stack --version 80.0.0
upgrade:
❯❯ helm upgrade kube-prometheus oci://ghcr.io/prometheus-community/charts/kube-prometheus-stack --version 82.0.0 --set crds.upgradeJob.enabled=true
It failed
❯❯ helm upgrade kube-prometheus oci://ghcr.io/prometheus-community/charts/kube-prometheus-stack --version 82.0.0 --set crds.upgradeJob.enabled=true
Pulled: ghcr.io/prometheus-community/charts/kube-prometheus-stack:82.0.0
Digest: sha256:3d664d08d510d2cb3615fa3d0a3a499b958b38e199e6037d4049b4aaaa067902
level=WARN msg="upgrade failed" name=kube-prometheus error="pre-upgrade hooks failed: resource Job/default/kube-prometheus-crds-upgrade not ready. status: Failed, message: Job Failed. failed: 1/1"
Error: UPGRADE FAILED: pre-upgrade hooks failed: resource Job/default/kube-prometheus-crds-upgrade not ready. status: Failed, message: Job Failed. failed: 1/1
It says the fields are in conflict:
kubectl Apply failed with 2 conflicts: conflicts with "helm":
kubectl - .metadata.annotations.operator.prometheus.io/version
kubectl - .spec.versions
kubectl Please review the fields above--they currently have other managers. Here
kubectl are the ways you can resolve this warning:
kubectl * If you intend to manage all of these fields, please re-run the apply
kubectl command with the `--force-conflicts` flag.
kubectl * If you do not intend to manage all of the fields, please edit your
kubectl manifest to remove references to the fields that should keep their
kubectl current managers.
kubectl * You may co-own fields by updating your manifest to match the existing
kubectl value; in this case, you'll become the manager if the other manager(s)
kubectl stop managing the field (remove it from their configuration).
kubectl See https://kubernetes.io/docs/reference/using-api/server-side-apply/#conflicts
There is an upgradeJob.forceConflicts option
https://github.com/prometheus-community/helm-charts/pull/5288/changes
With it set, the upgrade succeeds
❯❯ helm upgrade kube-prometheus oci://ghcr.io/prometheus-community/charts/kube-prometheus-stack --version 82.0.0 --set crds.upgradeJob.enabled=true --set crds.upgradeJob.forceConflicts=true
Pulled: ghcr.io/prometheus-community/charts/kube-prometheus-stack:82.0.0
Digest: sha256:3d664d08d510d2cb3615fa3d0a3a499b958b38e199e6037d4049b4aaaa067902
Release "kube-prometheus" has been upgraded. Happy Helming!
The CRDs have properly changed
❯❯ kubectl get crds thanosrulers.monitoring.coreos.com -oyaml | grep -ie 'Cannot be set at the same time as'
Cannot be set at the same time as `sigv4`, `basicAuth`, `oauth2`, or `azureAd`.
Cannot be set at the same time as `authorization`, `basicAuth`, `oauth2`, or `sigv4`.
Cannot be set at the same time as `oauth`, `sdk` or `workloadIdentity`.
Cannot be set at the same time as `managedIdentity`, `sdk` or `workloadIdentity`.
Cannot be set at the same time as `oauth`, `managedIdentity` or `workloadIdentity`.
Cannot be set at the same time as `oauth`, `managedIdentity`, or `sdk`.
Cannot be set at the same time as `sigv4`, `authorization`, `oauth2`, or `azureAd`.
Cannot be set at the same time as `sigv4`, `authorization`, `basicAuth`, or `azureAd`.
Cannot be set at the same time as `authorization`, `basicAuth`, `oauth2`, or `azureAd`.
The CRDs remain even after the release is deleted
❯❯ helm uninstall kube-prometheus
release "kube-prometheus" uninstalled
❯❯ kubectl get crds
NAME CREATED AT
alertmanagerconfigs.monitoring.coreos.com 2026-02-23T08:47:47Z
alertmanagers.monitoring.coreos.com 2026-02-23T08:47:47Z
...
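As an added example (not from the original post or from any of the charts): a Python script that reads `kubectl get crds -o json --show-managed-fields` and reports, per CRD, which Helm release would delete it on uninstall and which field managers hold `.spec.versions`, the field named in the conflict above. The function names, the `applier` default and the sample data are assumptions constructed for illustration.

```python
import json
import sys

# Ownership metadata Helm checks, as named in the install error quoted on this page.
MANAGED_BY, REL_NAME, REL_NS = ("app.kubernetes.io/managed-by",
                                "meta.helm.sh/release-name", "meta.helm.sh/release-namespace")

def audit_crds(crd_list):
    """Per CRD: owning Helm release (if any) and the field managers of .spec.versions."""
    report = []
    for crd in crd_list.get("items", []):
        meta = crd["metadata"]
        labels, ann = meta.get("labels") or {}, meta.get("annotations") or {}
        owned = labels.get(MANAGED_BY) == "Helm" and REL_NAME in ann and REL_NS in ann
        managers = sorted({m["manager"] for m in meta.get("managedFields") or []
                           if "f:versions" in (m.get("fieldsV1") or {}).get("f:spec", {})})
        report.append({
            "name": meta["name"],
            # Uninstalling this release deletes the CRD; None means the CRD stays behind.
            "release": f"{ann[REL_NS]}/{ann[REL_NAME]}" if owned else None,
            "spec_versions_managers": managers,
        })
    return report

def possible_conflicts(report, applier="kubectl"):
    """CRDs where a server-side apply by `applier` may conflict on .spec.versions."""
    return [r["name"] for r in report
            if any(m != applier for m in r["spec_versions_managers"])]

def _crd(name, manager, release=None):
    """Build one constructed CRD object (sample data, not real cluster output)."""
    meta = {"name": name, "managedFields": [
        {"manager": manager, "fieldsV1": {"f:spec": {"f:versions": {}}}}]}
    if release:
        meta["labels"] = {MANAGED_BY: "Helm"}
        meta["annotations"] = {REL_NAME: release, REL_NS: "default"}
    return {"metadata": meta}

# Constructed sample shaped like `kubectl get crds -o json --show-managed-fields`.
SAMPLE = {"items": [
    _crd("thanosrulers.monitoring.coreos.com", "helm", "prometheus-operator-crds"),
    _crd("alertmanagers.monitoring.coreos.com", "helm"),   # installed from crds/
    _crd("probes.monitoring.coreos.com", "kubectl"),       # already applied by kubectl
]}

if __name__ == "__main__":
    data = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    rows = audit_crds(data)
    for r in rows:
        print(r["name"], r["release"] or "unmanaged (survives uninstall)", r["spec_versions_managers"])
    print("possible conflicts:", possible_conflicts(rows))
```

Pass `-` as the only argument to read real cluster output from stdin; a conflict is only reported by the API server when the applied value differs from the current one, so the list is an upper bound.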
Since it depends on prometheus-operator-crds, the CRDs should be deleted.
values.yaml
cluster: { name: kind }
destinations:
- name: metrics
type: prometheus
url: https://prometheus.example.com/api/prom/push
prometheusOperatorObjects:
enabled: true
crds: { deploy: true }
alloy-metrics: { enabled: true }
install:
❯❯ helm install k8s-monitoring grafana/k8s-monitoring --version 3.8.0 --values values.yaml
NAME: k8s-monitoring
The CRDs exist
❯❯ kubectl get crds
NAME CREATED AT
alertmanagerconfigs.monitoring.coreos.com 2026-02-23T09:29:30Z
alertmanagers.monitoring.coreos.com 2026-02-23T09:29:30Z
alloys.collectors.grafana.com 2026-02-23T09:04:18Z
uninstall
❯❯ helm uninstall k8s-monitoring
release "k8s-monitoring" uninstalled
They were deleted
❯❯ kubectl get crds
NAME CREATED AT
alloys.collectors.grafana.com 2026-02-23T09:04:18Z