From 424ee6740583783306272fbb63af3fb27dc176a7 Mon Sep 17 00:00:00 2001
From: ian-flores <iflores.siaca@posit.co>
Date: Tue, 13 Jan 2026 10:12:11 -0800
Subject: [PATCH] fix(chart): remove kustomize-adopt hook that fails on tainted
 clusters

Remove the pre-install/pre-upgrade hook Job that adopts kustomize-managed
resources into Helm. This hook cannot be scheduled on clusters with taints
(e.g., workload-type=session:NoSchedule, nvidia.com/gpu=true:NoSchedule).

PTD has its own migration job that handles CRD adoption, making this
hook redundant.

Removed resources:
- Job: kustomize-adopt
- ServiceAccount: cleanup
- ClusterRole: cleanup
- ClusterRoleBinding: cleanup
---
 dist/chart/Chart.yaml                         |   4 +-
 .../migration/kustomize-cleanup-job.yaml      | 137 ------------------
 2 files changed, 2 insertions(+), 139 deletions(-)
 delete mode 100644 dist/chart/templates/migration/kustomize-cleanup-job.yaml

diff --git a/dist/chart/Chart.yaml b/dist/chart/Chart.yaml
index 39c6573e..155f9a99 100644
--- a/dist/chart/Chart.yaml
+++ b/dist/chart/Chart.yaml
@@ -2,8 +2,8 @@ apiVersion: v2
 name: team-operator
 description: Kubernetes operator for managing Posit Team deployments
 type: application
-version: 1.0.3
-appVersion: "1.0.3"
+version: 1.0.4
+appVersion: "1.0.4"
 home: "https://github.com/posit-dev/team-operator"
 sources:
   - "https://github.com/posit-dev/team-operator"
diff --git a/dist/chart/templates/migration/kustomize-cleanup-job.yaml b/dist/chart/templates/migration/kustomize-cleanup-job.yaml
deleted file mode 100644
index d244e52b..00000000
--- a/dist/chart/templates/migration/kustomize-cleanup-job.yaml
+++ /dev/null
@@ -1,137 +0,0 @@
-{{- /*
-Pre-install hook to adopt kustomize-managed resources into Helm.
-This enables migration from kustomize to Helm installation.
-
-The Job:
-- Runs BEFORE Helm installs any resources (pre-install hook)
-- Patches resources with 'managed-by: kustomize' label to have Helm ownership
-- Helm can then adopt these resources instead of failing on conflict
-- Safe on new clusters (no resources to patch)
-*/ -}}
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: {{ .Release.Name }}-kustomize-adopt
-  namespace: {{ .Release.Namespace }}
-  labels:
-    {{- include "chart.labels" . | nindent 4 }}
-  annotations:
-    "helm.sh/hook": pre-install,pre-upgrade
-    "helm.sh/hook-weight": "-5"
-    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
-spec:
-  ttlSecondsAfterFinished: 60
-  template:
-    metadata:
-      labels:
-        {{- include "chart.labels" . | nindent 8 }}
-    spec:
-      serviceAccountName: {{ .Release.Name }}-cleanup
-      restartPolicy: Never
-      containers:
-        - name: adopt
-          image: bitnami/kubectl:1.28
-          command:
-            - /bin/sh
-            - -c
-            - |
-              set -e
-              echo "Adopting kustomize-managed resources into Helm release '{{ .Release.Name }}'..."
-
-              RELEASE_NAME="{{ .Release.Name }}"
-              RELEASE_NAMESPACE="{{ .Release.Namespace }}"
-
-              # Function to patch a resource with Helm ownership labels/annotations
-              adopt_resource() {
-                local resource_type=$1
-                local resource_name=$2
-                local namespace_flag=$3
-
-                echo "Adopting $resource_type/$resource_name..."
-                kubectl patch $resource_type $resource_name $namespace_flag --type=merge -p "{
-                  \"metadata\": {
-                    \"labels\": {
-                      \"app.kubernetes.io/managed-by\": \"Helm\"
-                    },
-                    \"annotations\": {
-                      \"meta.helm.sh/release-name\": \"$RELEASE_NAME\",
-                      \"meta.helm.sh/release-namespace\": \"$RELEASE_NAMESPACE\"
-                    }
-                  }
-                }" 2>/dev/null || echo "  (not found or already adopted)"
-              }
-
-              # Adopt CRDs (cluster-scoped, no namespace flag)
-              adopt_resource crd chronicles.core.posit.team ""
-              adopt_resource crd connects.core.posit.team ""
-              adopt_resource crd flightdecks.core.posit.team ""
-              adopt_resource crd packagemanagers.core.posit.team ""
-              adopt_resource crd postgresdatabases.core.posit.team ""
-              adopt_resource crd sites.core.posit.team ""
-              adopt_resource crd workbenches.core.posit.team ""
-
-              # Adopt namespace-scoped resources in posit-team-system
-              # These are the resources created by kustomize deploy
-              adopt_resource deployment team-operator-controller-manager "-n $RELEASE_NAMESPACE"
-              adopt_resource serviceaccount team-operator-controller-manager "-n $RELEASE_NAMESPACE"
-              adopt_resource role team-operator-leader-election-role "-n $RELEASE_NAMESPACE"
-              adopt_resource rolebinding team-operator-leader-election-rolebinding "-n $RELEASE_NAMESPACE"
-              adopt_resource service team-operator-controller-manager-metrics-service "-n $RELEASE_NAMESPACE"
-
-              # Adopt cluster-scoped resources
-              adopt_resource clusterrole team-operator-manager-role ""
-              adopt_resource clusterrole team-operator-metrics-auth-role ""
-              adopt_resource clusterrole team-operator-metrics-reader ""
-              adopt_resource clusterrolebinding team-operator-manager-rolebinding ""
-              adopt_resource clusterrolebinding team-operator-metrics-auth-rolebinding ""
-
-              echo "Adoption complete"
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ .Release.Name }}-cleanup
-  namespace: {{ .Release.Namespace }}
-  annotations:
-    "helm.sh/hook": pre-install,pre-upgrade
-    "helm.sh/hook-weight": "-10"
-    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ .Release.Name }}-cleanup
-  annotations:
-    "helm.sh/hook": pre-install,pre-upgrade
-    "helm.sh/hook-weight": "-10"
-    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
-rules:
-  - apiGroups: [""]
-    resources: ["serviceaccounts", "services"]
-    verbs: ["get", "list", "patch"]
-  - apiGroups: ["apps"]
-    resources: ["deployments"]
-    verbs: ["get", "list", "patch"]
-  - apiGroups: ["rbac.authorization.k8s.io"]
-    resources: ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]
-    verbs: ["get", "list", "patch"]
-  - apiGroups: ["apiextensions.k8s.io"]
-    resources: ["customresourcedefinitions"]
-    verbs: ["get", "list", "patch"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: {{ .Release.Name }}-cleanup
-  annotations:
-    "helm.sh/hook": pre-install,pre-upgrade
-    "helm.sh/hook-weight": "-10"
-    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: {{ .Release.Name }}-cleanup
-subjects:
-  - kind: ServiceAccount
-    name: {{ .Release.Name }}-cleanup
-    namespace: {{ .Release.Namespace }}