Update Nutanix CSI driver to 3.3.8 using Helm

EDIT 2026-01-14:
Nutanix have now released CSI Driver 3.6.0, which fixes the precheck issue described below.

nutanix-csi-storage 3.6.0 · nutanix/nutanix-helm-releases
Nutanix Container Storage Interface (CSI) Driver

ORIGINAL POST:

Quick heads-up if some of you are using the Nutanix CSI driver outside of NKP.

CSI Driver 3.3.8 Secret Management Change
In CSI versions < 3.3.8, you could create the Prism Central secret manually outside of Helm, set createPrismCentralSecret: false, and reference the secret with pcSecretName: ntnx-pc-secret in values, and it worked fine.

When I tried to update using Helm, I got this error in Rancher Fleet:

ErrApplied(1) [Cluster fleet-default/gdm-rke2-test: execution error at (nutanix-csi-storage/templates/secret-check.yaml:71:8): PC secret 'ntnx-pc-secret' in namespace 'ntnx-system' not found when usePC is set to true. Please create the secret before installing or upgrading the chart.]

But the secret was definitely there:

kubectl -n ntnx-system get secrets

NAME                                         TYPE                 DATA   AGE
ntnx-pc-secret                               Opaque               1      76d

In 3.3.8, the chart seems to use Helm's lookup() function in secret-check.yaml to validate, during template rendering, that the secret exists. This breaks GitOps workflows (like Rancher Fleet) because:

  • Fleet renders Helm templates in its controller context
  • lookup() can't see manually created secrets in the target cluster
  • Installation fails with: "PC secret 'ntnx-pc-secret' not found"

curl -sL https://github.com/nutanix/helm-releases/releases/download/nutanix-csi-storage-3.3.8/nutanix-csi-storage-3.3.8.tgz | tar -xzOf - nutanix-csi-storage/templates/secret-check.yaml

Found the lookup() function at line 71 in secret-check.yaml:

{{- $pcSecret := lookup "v1" "Secret" $releaseNamespace $pcSecretName }}
{{- if not $pcSecret }}
  {{- fail (printf "PC secret '%s' in namespace '%s' not found when usePC is set to true. Please create the secret before installing or upgrading the chart." $pcSecretName $releaseNamespace) }}
{{- end }}

Workaround:
Set createPrismCentralSecret: true and inject credentials from a separate secret using Fleet's valuesFrom (or similar GitOps pattern). This lets Helm create and own the secret, passing validation, while keeping credentials out of Git.

valuesFrom:
  - secretKeyRef:
      name: csi-pc-credentials
      key: csi-pc-credentials  # Contains: pcUsername, pcPassword, prismCentralEndPoint
values:
  createPrismCentralSecret: true

The lookup validation makes sense for direct Helm installs but breaks GitOps tooling.

Nutanix should consider making the validation optional or GitOps-friendly in future releases.

The one-liner to create the secret looks like this:

kubectl create secret generic csi-pc-credentials -n ntnx-system --from-literal=csi-pc-credentials=$'pcUsername: username\npcPassword: ThePassword\nprismCentralEndPoint: prism-central.domain.local'
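
The one-liner above puts the password on the command line (shell history, process list) and produces broken or truncated YAML if the password contains sequences such as ': ' or ' #'. The following is an added example, not from the original post or from Nutanix: it quotes each value as a YAML string and hands it to kubectl through a temporary file with --from-file; the function names yaml_quote, render_pc_values and create_pc_secret are hypothetical, while the secret name, key, namespace and value keys are the ones used above.

```shell
#!/bin/sh
# Added example (hypothetical helper names); secret name, key, namespace and
# value keys are the ones used in the post.

# Quote a scalar as a YAML single-quoted string ('' escapes a quote) so that
# ': ', ' #', quotes or a leading '*', '!' or '&' cannot change how it parses.
yaml_quote() {
  case $1 in *'
'*) echo 'yaml_quote: newline in value is not supported' >&2; return 1 ;;
  esac
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"
}

# Print the values payload. Args: username password endpoint
render_pc_values() (
  u=$(yaml_quote "$1") && p=$(yaml_quote "$2") && e=$(yaml_quote "$3") || exit 1
  printf 'pcUsername: %s\npcPassword: %s\nprismCentralEndPoint: %s\n' "$u" "$p" "$e"
)

# Prompt for the password and create the secret. Args: username endpoint
create_pc_secret() (
  printf 'Prism Central password: ' >&2
  stty -echo; IFS= read -r pass; stty echo; echo >&2
  tmp=$(mktemp) || exit 1          # mktemp creates the file with mode 0600
  trap 'rm -f "$tmp"' EXIT         # subshell body: removed when the function ends
  render_pc_values "$1" "$pass" "$2" > "$tmp" || exit 1
  kubectl create secret generic csi-pc-credentials -n ntnx-system \
    --from-file=csi-pc-credentials="$tmp"
)

# Usage: create_pc_secret username prism-central.domain.local
```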

Hope this helps someone :)

cheers!