Update Nutanix CSI driver to 3.3.8 using Helm
Quick heads-up if some of you are using the Nutanix CSI driver outside of NKP.
CSI Driver 3.3.8 Secret Management Change
In CSI versions < 3.3.8, you could create the Prism Central secret manually outside of Helm, set createPrismCentralSecret: false, and reference the secret with pcSecretName: ntnx-pc-secret in values, and it worked fine.
When I tried to update using Helm, I got this error in Rancher Fleet:
ErrApplied(1) [Cluster fleet-default/gdm-rke2-test: execution error at (nutanix-csi-storage/templates/secret-check.yaml:71:8): PC secret 'ntnx-pc-secret' in namespace 'ntnx-system' not found when usePC is set to true. Please create the secret before installing or upgrading the chart.]
But the secret was sure there:
kubectl -n ntnx-system get secrets
NAME             TYPE     DATA   AGE
ntnx-pc-secret   Opaque   1      76d
In 3.3.8, the chart seems to use the Kubernetes lookup() function in secret-check.yaml to validate that the secret exists during template rendering. This breaks GitOps workflows (like Rancher Fleet) because:
- Fleet renders Helm templates in its controller context
- lookup() can't see manually created secrets in the target cluster
- Installation fails with: "PC secret 'ntnx-pc-secret' not found"
curl -sL https://github.com/nutanix/helm-releases/releases/download/nutanix-csi-storage-3.3.8/nutanix-csi-storage-3.3.8.tgz | tar -xzOf - nutanix-csi-storage/templates/secret-check.yaml
Found the lookup() function at line 71 in secret-check.yaml:
{{- $pcSecret := lookup "v1" "Secret" $releaseNamespace $pcSecretName }}
{{- if not $pcSecret }}
{{- fail (printf "PC secret '%s' in namespace '%s' not found when usePC is set to true. Please create the secret before installing or upgrading the chart." $pcSecretName $releaseNamespace) }}
{{- end }}
Workaround:
Set createPrismCentralSecret: true and inject credentials from a separate secret using Fleet's valuesFrom (or similar GitOps pattern). This lets Helm create and own the secret, passing validation, while keeping credentials out of Git.
valuesFrom:
- secretKeyRef:
    name: csi-pc-credentials
    key: csi-pc-credentials # Contains: pcUsername, pcPassword, prismCentralEndPoint
values:
  createPrismCentralSecret: true
The lookup validation makes sense for direct Helm installs but breaks GitOps tooling.
Nutanix should consider making the validation optional or GitOps-friendly in future releases.
The one-liner to create the secret looks like this:
kubectl create secret generic csi-pc-credentials -n ntnx-system --from-literal=csi-pc-credentials=$'pcUsername: username\npcPassword: ThePassword\nprismCentralEndPoint: prism-central.domain.local'
Hope this helps someone :)
cheers!
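
A pre-upgrade check for the failure described in this post, as an added example (not code from the post or from Nutanix): it scans a chart archive for lookup calls that are guarded by fail, which abort rendering whenever the renderer gets nothing back from lookup. The sample template is constructed from the lines quoted above with a shortened message; build_chart, scan_chart and the 5-line WINDOW are assumptions of this example.

```python
import io
import re
import tarfile

# Matches: lookup "<apiVersion>" "<kind>" ...  and captures the kind.
LOOKUP_RE = re.compile(r'\blookup\s+"[^"]*"\s+"([^"]*)"')
FAIL_RE = re.compile(r"\{\{-?\s*fail\b")
WINDOW = 5  # assumption: a guarding fail sits within 5 lines of the lookup

# Constructed sample: the check quoted in the post, with a shortened fail message.
SAMPLE_TEMPLATE = """\
{{- $pcSecret := lookup "v1" "Secret" $releaseNamespace $pcSecretName }}
{{- if not $pcSecret }}
{{- fail (printf "PC secret '%s' in namespace '%s' not found" $pcSecretName $releaseNamespace) }}
{{- end }}
"""


def build_chart(files):
    """Pack {path: text} into an in-memory .tgz (stands in for the downloaded chart)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def scan_chart(tgz_bytes):
    """Return (path, line, kind, fails_hard) for every lookup call under templates/."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile() or "/templates/" not in member.name:
                continue
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            lines = text.splitlines()
            for i, line in enumerate(lines):
                match = LOOKUP_RE.search(line)
                if match:
                    fails_hard = any(FAIL_RE.search(l) for l in lines[i:i + WINDOW])
                    findings.append((member.name, i + 1, match.group(1), fails_hard))
    return findings


if __name__ == "__main__":
    chart = build_chart({"nutanix-csi-storage/templates/secret-check.yaml": SAMPLE_TEMPLATE})
    for path, line, kind, fails_hard in scan_chart(chart):
        print(f"{path}:{line} lookup of {kind}, aborts render when empty: {fails_hard}")
```

Helm's lookup also returns an empty result under helm template and client-side dry runs, so any hit with fails_hard set is worth rendering through the GitOps pipeline in a test cluster before rollout.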