Reduce the mean time to recovery (MTTR) in case of failed deployments

Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>

Author: matheuscscp

.github/workflows/e2e.yaml

@@ -712,8 +712,6 @@ jobs:
 
           kubectl -n helm-system delete -f config/testdata/$test_name
       - name: Run install test fail test
-        # TODO: re-enable after upgrading to Helm 4.1.1 (https://github.com/helm/helm/pull/31730)
-        if: false
         run: |
           test_name=install-test-fail
           kubectl -n helm-system apply -f config/testdata/$test_name
@@ -739,8 +737,6 @@ jobs:
 
           kubectl -n helm-system delete -f config/testdata/$test_name
       - name: Run install test fail ignore test
-        # TODO: re-enable after upgrading to Helm 4.1.1 (https://github.com/helm/helm/pull/31730)
-        if: false
         run: |
           test_name=install-test-fail-ignore
           kubectl -n helm-system apply -f config/testdata/$test_name
@@ -863,8 +859,6 @@ jobs:
 
           kubectl delete -n helm-system -f config/testdata/$test_name/install.yaml
       - name: Run upgrade test fail test
-        # TODO: re-enable after upgrading to Helm 4.1.1 (https://github.com/helm/helm/pull/31730)
-        if: false
         run: |
           test_name=upgrade-test-fail
           kubectl -n helm-system apply -f config/testdata/$test_name/install.yaml

api/v2/helmrelease_types.go

@@ -194,7 +194,7 @@ type HelmReleaseSpec struct {
 	// health of custom resources using Common Expression Language (CEL).
 	// The expressions are evaluated only when the specific Helm action
 	// taking place has wait enabled, i.e. DisableWait is false, and the
-	// 'watcher' WaitStrategy is used.
+	// 'poller' WaitStrategy is used.
 	// +optional
 	HealthCheckExprs []kustomize.CustomHealthCheck `json:"healthCheckExprs,omitempty"`
 }
@@ -441,8 +441,8 @@ type HelmChartTemplateVerification struct {
 type WaitStrategyName string
 
 const (
-	// WaitStrategyWatcher is the strategy for watching resource statuses via kstatus.
-	WaitStrategyWatcher WaitStrategyName = "watcher"
+	// WaitStrategyPoller is the strategy for polling resource statuses via kstatus.
+	WaitStrategyPoller WaitStrategyName = "poller"
 
 	// WaitStrategyLegacy is the legacy strategy for waiting for resources to be ready
 	// used in Helm v3.
@@ -453,12 +453,12 @@ const (
 // resources to become ready.
 type WaitStrategy struct {
 	// Name is Helm's wait strategy for waiting for applied resources to
-	// become ready. One of 'watcher' or 'legacy'. The 'watcher' strategy uses
-	// kstatus to watch resource statuses, while the 'legacy' strategy uses
+	// become ready. One of 'poller' or 'legacy'. The 'poller' strategy uses
+	// kstatus to poll resource statuses, while the 'legacy' strategy uses
 	// Helm v3's waiting logic.
-	// Defaults to 'watcher', or to 'legacy' when UseHelm3Defaults feature
+	// Defaults to 'poller', or to 'legacy' when UseHelm3Defaults feature
 	// gate is enabled.
-	// +kubebuilder:validation:Enum=watcher;legacy
+	// +kubebuilder:validation:Enum=poller;legacy
 	// +required
 	Name WaitStrategyName `json:"name"`
 }

config/crd/bases/helm.toolkit.fluxcd.io_helmreleases.yaml

@@ -355,7 +355,7 @@ spec:
                   health of custom resources using Common Expression Language (CEL).
                   The expressions are evaluated only when the specific Helm action
                   taking place has wait enabled, i.e. DisableWait is false, and the
-                  'watcher' WaitStrategy is used.
+                  'poller' WaitStrategy is used.
                 items:
                   description: CustomHealthCheck defines the health check for custom
                     resources.
@@ -1102,13 +1102,13 @@ spec:
                   name:
                     description: |-
                       Name is Helm's wait strategy for waiting for applied resources to
-                      become ready. One of 'watcher' or 'legacy'. The 'watcher' strategy uses
-                      kstatus to watch resource statuses, while the 'legacy' strategy uses
+                      become ready. One of 'poller' or 'legacy'. The 'poller' strategy uses
+                      kstatus to poll resource statuses, while the 'legacy' strategy uses
                       Helm v3's waiting logic.
-                      Defaults to 'watcher', or to 'legacy' when UseHelm3Defaults feature
+                      Defaults to 'poller', or to 'legacy' when UseHelm3Defaults feature
                       gate is enabled.
                     enum:
-                    - watcher
+                    - poller
                     - legacy
                     type: string
                 required:

config/testdata/server-side-apply/rollback-upgrade.yaml

@@ -29,4 +29,4 @@ spec:
     replicaCount: 2
     faults:
       unready: true
-  timeout: 3s
+  timeout: 10s

config/testdata/upgrade-fail-remediate/upgrade.yaml

@@ -25,4 +25,4 @@ spec:
     replicaCount: 2
     faults:
       unready: true
-  timeout: 3s
+  timeout: 10s

config/testdata/upgrade-fail-retry/upgrade.yaml

@@ -25,4 +25,4 @@ spec:
     replicaCount: 2
     faults:
       unready: true
-  timeout: 3s
+  timeout: 10s

docs/api/v2/helm.md

@@ -435,7 +435,7 @@ resources to become ready.</p>
 health of custom resources using Common Expression Language (CEL).
 The expressions are evaluated only when the specific Helm action
 taking place has wait enabled, i.e. DisableWait is false, and the
-&lsquo;watcher&rsquo; WaitStrategy is used.</p>
+&lsquo;poller&rsquo; WaitStrategy is used.</p>
 </td>
 </tr>
 </table>
@@ -1603,7 +1603,7 @@ resources to become ready.</p>
 health of custom resources using Common Expression Language (CEL).
 The expressions are evaluated only when the specific Helm action
 taking place has wait enabled, i.e. DisableWait is false, and the
-&lsquo;watcher&rsquo; WaitStrategy is used.</p>
+&lsquo;poller&rsquo; WaitStrategy is used.</p>
 </td>
 </tr>
 </tbody>
@@ -3471,10 +3471,10 @@ WaitStrategyName
 </td>
 <td>
 <p>Name is Helm&rsquo;s wait strategy for waiting for applied resources to
-become ready. One of &lsquo;watcher&rsquo; or &lsquo;legacy&rsquo;. The &lsquo;watcher&rsquo; strategy uses
-kstatus to watch resource statuses, while the &lsquo;legacy&rsquo; strategy uses
+become ready. One of &lsquo;poller&rsquo; or &lsquo;legacy&rsquo;. The &lsquo;poller&rsquo; strategy uses
+kstatus to poll resource statuses, while the &lsquo;legacy&rsquo; strategy uses
 Helm v3&rsquo;s waiting logic.
-Defaults to &lsquo;watcher&rsquo;, or to &lsquo;legacy&rsquo; when UseHelm3Defaults feature
+Defaults to &lsquo;poller&rsquo;, or to &lsquo;legacy&rsquo; when UseHelm3Defaults feature
 gate is enabled.</p>
 </td>
 </tr>

docs/spec/v2/helmreleases.md

@@ -952,14 +952,14 @@ for resources to become ready after Helm actions.
 The field offers the following subfields:
 
 - `.name` (Required): The strategy for waiting for resources to be ready.
-  One of `watcher` or `legacy`. The `watcher` strategy uses kstatus to watch resource
+  One of `poller` or `legacy`. The `poller` strategy uses kstatus to poll resource
   statuses, while the `legacy` strategy uses Helm v3's waiting logic. Defaults to
-  `watcher`, or to `legacy` when the `UseHelm3Defaults` feature gate is enabled.
+  `poller`, or to `legacy` when the `UseHelm3Defaults` feature gate is enabled.
 
 ```yaml
 spec:
   waitStrategy:
-    name: watcher
+    name: poller
 ```
 
 ### Health check expressions
@@ -968,8 +968,8 @@ spec:
 checks on custom resources using [Common Expression Language (CEL)](https://cel.dev/).
 
 The expressions are evaluated only when the Helm action taking place has wait
-enabled (i.e. `.spec.<action>.disableWait` is `false`) and the `watcher`
-wait strategy is used (i.e. `.spec.waitStrategy.name` is `watcher`).
+enabled (i.e. `.spec.<action>.disableWait` is `false`) and the `poller`
+wait strategy is used (i.e. `.spec.waitStrategy.name` is `poller`).
 
 The `.spec.healthCheckExprs` field accepts a list of objects with the following fields:
 

internal/action/client.go

@@ -0,0 +1,78 @@
+/*
+Copyright 2026 The Flux authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package action
+
+import (
+	"context"
+
+	helmkube "helm.sh/helm/v4/pkg/kube"
+	"k8s.io/cli-runtime/pkg/genericclioptions"
+
+	"github.com/fluxcd/pkg/ssa"
+)
+
+// Client wraps a Helm kube Client to replace the kstatus implementation.
+type Client struct {
+	// We need to embed the struct and not helmkube.Interface
+	// as Helm adds more methods to the struct over time
+	// without adding them to the interface. This ensures
+	// we always embed all methods.
+	*helmkube.Client
+
+	newResourceManager func(sr ...NewStatusReaderFunc) *ssa.ResourceManager
+	waitContext        context.Context
+}
+
+// Ensure Client implements helmkube.Interface.
+var _ helmkube.Interface = (*Client)(nil)
+
+// Ensure Client implements helmkube.InterfaceWaitOptions.
+var _ helmkube.InterfaceWaitOptions = (*Client)(nil)
+
+// NewClient returns a new Helm kube Client that uses kstatus for waits.
+func NewClient(getter genericclioptions.RESTClientGetter) *Client {
+	return &Client{Client: helmkube.New(getter)}
+}
+
+// GetWaiter implements helmkube.InterfaceWaitOptions by returning
+// a custom kstatus-based Waiter.
+func (c *Client) GetWaiter(strategy helmkube.WaitStrategy) (helmkube.Waiter, error) {
+	return c.newWaiter(strategy)
+}
+
+// GetWaiterWithOptions implements helmkube.InterfaceWaitOptions by
+// returning a custom kstatus-based Waiter.
+func (c *Client) GetWaiterWithOptions(strategy helmkube.WaitStrategy,
+	opts ...helmkube.WaitOption) (helmkube.Waiter, error) {
+	return c.newWaiter(strategy, opts...)
+}
+
+// newWaiter returns a new Waiter based on the provided strategy.
+func (c *Client) newWaiter(strategy helmkube.WaitStrategy,
+	opts ...helmkube.WaitOption) (helmkube.Waiter, error) {
+
+	if strategy == helmkube.LegacyStrategy || c.newResourceManager == nil {
+		return c.Client.GetWaiterWithOptions(strategy, opts...)
+	}
+
+	return &waiter{
+		c:                  c.Client,
+		strategy:           strategy,
+		newResourceManager: c.newResourceManager,
+		waitContext:        c.waitContext,
+	}, nil
+}

internal/action/config.go

@@ -17,16 +17,17 @@ limitations under the License.
 package action
 
 import (
+	"context"
 	"fmt"
 	"log/slog"
 
-	"github.com/fluxcd/cli-utils/pkg/kstatus/polling/engine"
 	helmaction "helm.sh/helm/v4/pkg/action"
-	helmkube "helm.sh/helm/v4/pkg/kube"
 	helmstorage "helm.sh/helm/v4/pkg/storage"
 	helmdriver "helm.sh/helm/v4/pkg/storage/driver"
 	"k8s.io/cli-runtime/pkg/genericclioptions"
 
+	"github.com/fluxcd/pkg/ssa"
+
 	"github.com/fluxcd/helm-controller/internal/storage"
 )
 
@@ -45,15 +46,18 @@ type ConfigFactory struct {
 	// Getter is the RESTClientGetter used to get the RESTClient for the
 	// Kubernetes API.
 	Getter genericclioptions.RESTClientGetter
-	// KubeClient is the (Helm) Kubernetes client, it is Helm-specific and
+	// KubeClient is the (wrapped) Helm Kubernetes client, it is Helm-specific and
 	// contains a factory used for lazy-loading.
-	KubeClient *helmkube.Client
+	KubeClient *Client
 	// Driver to use for the Helm action.
 	Driver helmdriver.Driver
 	// StorageLog is the logger to use for the Helm storage driver.
 	StorageLog slog.Handler
-	// StatusReader is the status reader used to evaluate custom health checks.
-	StatusReader engine.StatusReader
+	// NewResourceManager is the resource manager used to evaluate custom health checks.
+	NewResourceManager func(sr ...NewStatusReaderFunc) *ssa.ResourceManager
+	// WaitContext is the context used for waiting operations in the Helm
+	// Kubernetes client.
+	WaitContext context.Context
 }
 
 // ConfigFactoryOption is a function that configures a ConfigFactory.
@@ -62,7 +66,7 @@ type ConfigFactoryOption func(*ConfigFactory) error
 // NewConfigFactory returns a new ConfigFactory configured with the provided
 // options.
 func NewConfigFactory(getter genericclioptions.RESTClientGetter, opts ...ConfigFactoryOption) (*ConfigFactory, error) {
-	kubeClient := helmkube.New(getter)
+	kubeClient := NewClient(getter)
 	factory := &ConfigFactory{
 		Getter:     getter,
 		KubeClient: kubeClient,
@@ -133,10 +137,19 @@ func WithStorageLog(log slog.Handler) ConfigFactoryOption {
 	}
 }
 
-// WithStatusReader sets the ConfigFactory.StatusReader.
-func WithStatusReader(reader engine.StatusReader) ConfigFactoryOption {
+// WithResourceManager sets the ConfigFactory.ResourceManager.
+func WithResourceManager(mgr func(sr ...NewStatusReaderFunc) *ssa.ResourceManager) ConfigFactoryOption {
+	return func(f *ConfigFactory) error {
+		f.NewResourceManager = mgr
+		return nil
+	}
+}
+
+// WithWaitContext sets the context used for waiting operations in the Helm
+// Kubernetes client.
+func WithWaitContext(ctx context.Context) ConfigFactoryOption {
 	return func(f *ConfigFactory) error {
-		f.StatusReader = reader
+		f.WaitContext = ctx
 		return nil
 	}
 }
@@ -156,11 +169,12 @@ func (c *ConfigFactory) NewStorage(observers ...storage.ObserveFunc) *helmstorag
 // Build returns a new Helm action.Configuration configured with the receiver
 // values, and the provided logger and observer(s).
 func (c *ConfigFactory) Build(log slog.Handler, observers ...storage.ObserveFunc) *helmaction.Configuration {
-	client := c.KubeClient
+	client := NewClient(c.Getter)
+	client.newResourceManager = c.NewResourceManager
+	client.waitContext = c.WaitContext
 
 	var opts []helmaction.ConfigurationOption
 	if log != nil {
-		client = helmkube.New(c.Getter)
 		client.SetLogger(log)
 		opts = append(opts, helmaction.ConfigurationSetLogger(log))
 	}