From b55376f6cdc50ea2a0ef62f3ad09b2383f267b6e Mon Sep 17 00:00:00 2001 From: ian-flores Date: Tue, 20 Jan 2026 14:35:25 -0800 Subject: [PATCH 1/2] feat: add helm.sh/resource-policy: keep to all chart resources Adds resource protection annotation to all Kubernetes resources created by the chart. This prevents resources from being deleted during helm uninstall, enabling safe migration to helm-controller management. Resources protected: - Deployment, ServiceAccount - ClusterRoles, Roles, ClusterRoleBindings, RoleBindings - Service, ServiceMonitor - Certificates, Issuer --- dist/chart/templates/certmanager/certificate.yaml | 10 ++++------ dist/chart/templates/manager/manager.yaml | 2 ++ dist/chart/templates/metrics/metrics-service.yaml | 2 ++ dist/chart/templates/prometheus/monitor.yaml | 2 ++ .../templates/rbac/auth_proxy_client_clusterrole.yaml | 2 ++ dist/chart/templates/rbac/auth_proxy_role.yaml | 2 ++ dist/chart/templates/rbac/auth_proxy_role_binding.yaml | 2 ++ dist/chart/templates/rbac/chronicle_editor_role.yaml | 2 ++ dist/chart/templates/rbac/chronicle_viewer_role.yaml | 2 ++ dist/chart/templates/rbac/connect_editor_role.yaml | 2 ++ dist/chart/templates/rbac/connect_viewer_role.yaml | 2 ++ dist/chart/templates/rbac/leader_election_role.yaml | 2 ++ .../templates/rbac/leader_election_role_binding.yaml | 2 ++ .../templates/rbac/packagemanager_editor_role.yaml | 2 ++ .../templates/rbac/packagemanager_viewer_role.yaml | 2 ++ .../templates/rbac/postgresdatabase_editor_role.yaml | 2 ++ .../templates/rbac/postgresdatabase_viewer_role.yaml | 2 ++ dist/chart/templates/rbac/role.yaml | 4 ++++ dist/chart/templates/rbac/role_binding.yaml | 4 ++++ dist/chart/templates/rbac/service_account.yaml | 5 +++-- dist/chart/templates/rbac/site_editor_role.yaml | 2 ++ dist/chart/templates/rbac/site_viewer_role.yaml | 2 ++ dist/chart/templates/rbac/workbench_editor_role.yaml | 2 ++ dist/chart/templates/rbac/workbench_viewer_role.yaml | 2 ++ 24 files changed, 55 insertions(+), 8 deletions(-) diff --git a/dist/chart/templates/certmanager/certificate.yaml b/dist/chart/templates/certmanager/certificate.yaml index 33d2f249..6c9227bf 100644 --- a/dist/chart/templates/certmanager/certificate.yaml +++ b/dist/chart/templates/certmanager/certificate.yaml @@ -3,6 +3,8 @@ apiVersion: cert-manager.io/v1 kind: Issuer metadata: + annotations: + helm.sh/resource-policy: keep labels: {{- include "chart.labels" . | nindent 4 }} name: selfsigned-issuer @@ -16,9 +18,7 @@ apiVersion: cert-manager.io/v1 kind: Certificate metadata: annotations: - {{- if .Values.crd.keep }} - "helm.sh/resource-policy": keep - {{- end }} + helm.sh/resource-policy: keep name: serving-cert namespace: {{ .Release.Namespace }} labels: @@ -40,9 +40,7 @@ apiVersion: cert-manager.io/v1 kind: Certificate metadata: annotations: - {{- if .Values.crd.keep }} - "helm.sh/resource-policy": keep - {{- end }} + helm.sh/resource-policy: keep labels: {{- include "chart.labels" . | nindent 4 }} name: metrics-certs diff --git a/dist/chart/templates/manager/manager.yaml b/dist/chart/templates/manager/manager.yaml index 6a937c06..a850cbce 100644 --- a/dist/chart/templates/manager/manager.yaml +++ b/dist/chart/templates/manager/manager.yaml @@ -3,6 +3,8 @@ kind: Deployment metadata: name: team-operator-controller-manager namespace: {{ .Release.Namespace }} + annotations: + helm.sh/resource-policy: keep labels: {{- include "chart.labels" . | nindent 4 }} control-plane: controller-manager diff --git a/dist/chart/templates/metrics/metrics-service.yaml b/dist/chart/templates/metrics/metrics-service.yaml index 88b9d0bc..0bb2f73b 100644 --- a/dist/chart/templates/metrics/metrics-service.yaml +++ b/dist/chart/templates/metrics/metrics-service.yaml @@ -4,6 +4,8 @@ kind: Service metadata: name: team-operator-controller-manager-metrics-service namespace: {{ .Release.Namespace }} + annotations: + helm.sh/resource-policy: keep labels: {{- include "chart.labels" . | nindent 4 }} spec: diff --git a/dist/chart/templates/prometheus/monitor.yaml b/dist/chart/templates/prometheus/monitor.yaml index 6f305fea..c1fe594e 100644 --- a/dist/chart/templates/prometheus/monitor.yaml +++ b/dist/chart/templates/prometheus/monitor.yaml @@ -3,6 +3,8 @@ apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: + annotations: + helm.sh/resource-policy: keep labels: {{- include "chart.labels" . | nindent 4 }} name: team-operator-controller-manager-metrics-monitor diff --git a/dist/chart/templates/rbac/auth_proxy_client_clusterrole.yaml b/dist/chart/templates/rbac/auth_proxy_client_clusterrole.yaml index 846ab287..702636fd 100755 --- a/dist/chart/templates/rbac/auth_proxy_client_clusterrole.yaml +++ b/dist/chart/templates/rbac/auth_proxy_client_clusterrole.yaml @@ -2,6 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + annotations: + helm.sh/resource-policy: keep labels: {{- include "chart.labels" . | nindent 4 }} name: team-operator-metrics-reader diff --git a/dist/chart/templates/rbac/auth_proxy_role.yaml b/dist/chart/templates/rbac/auth_proxy_role.yaml index 2bb72f41..4504bcd9 100755 --- a/dist/chart/templates/rbac/auth_proxy_role.yaml +++ b/dist/chart/templates/rbac/auth_proxy_role.yaml @@ -2,6 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + annotations: + helm.sh/resource-policy: keep labels: {{- include "chart.labels" . | nindent 4 }} name: proxy-role diff --git a/dist/chart/templates/rbac/auth_proxy_role_binding.yaml b/dist/chart/templates/rbac/auth_proxy_role_binding.yaml index 493b38a4..119219ff 100755 --- a/dist/chart/templates/rbac/auth_proxy_role_binding.yaml +++ b/dist/chart/templates/rbac/auth_proxy_role_binding.yaml @@ -2,6 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: + annotations: + helm.sh/resource-policy: keep labels: {{- include "chart.labels" . | nindent 4 }} name: proxy-rolebinding diff --git a/dist/chart/templates/rbac/chronicle_editor_role.yaml b/dist/chart/templates/rbac/chronicle_editor_role.yaml index 729633df..33ad0f18 100755 --- a/dist/chart/templates/rbac/chronicle_editor_role.yaml +++ b/dist/chart/templates/rbac/chronicle_editor_role.yaml @@ -3,6 +3,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + annotations: + helm.sh/resource-policy: keep labels: {{- include "chart.labels" . | nindent 4 }} name: chronicle-editor-role diff --git a/dist/chart/templates/rbac/chronicle_viewer_role.yaml b/dist/chart/templates/rbac/chronicle_viewer_role.yaml index 2a1c9662..71749d0d 100755 --- a/dist/chart/templates/rbac/chronicle_viewer_role.yaml +++ b/dist/chart/templates/rbac/chronicle_viewer_role.yaml @@ -3,6 +3,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + annotations: + helm.sh/resource-policy: keep labels: {{- include "chart.labels" . | nindent 4 }} name: chronicle-viewer-role diff --git a/dist/chart/templates/rbac/connect_editor_role.yaml b/dist/chart/templates/rbac/connect_editor_role.yaml index a14ed1ff..ea4751f2 100755 --- a/dist/chart/templates/rbac/connect_editor_role.yaml +++ b/dist/chart/templates/rbac/connect_editor_role.yaml @@ -3,6 +3,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + annotations: + helm.sh/resource-policy: keep labels: {{- include "chart.labels" . | nindent 4 }} name: connect-editor-role diff --git a/dist/chart/templates/rbac/connect_viewer_role.yaml b/dist/chart/templates/rbac/connect_viewer_role.yaml index 44390838..834f4587 100755 --- a/dist/chart/templates/rbac/connect_viewer_role.yaml +++ b/dist/chart/templates/rbac/connect_viewer_role.yaml @@ -3,6 +3,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + annotations: + helm.sh/resource-policy: keep labels: {{- include "chart.labels" . | nindent 4 }} name: connect-viewer-role diff --git a/dist/chart/templates/rbac/leader_election_role.yaml b/dist/chart/templates/rbac/leader_election_role.yaml index 6b780c60..37a4b8ab 100755 --- a/dist/chart/templates/rbac/leader_election_role.yaml +++ b/dist/chart/templates/rbac/leader_election_role.yaml @@ -3,6 +3,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: + annotations: + helm.sh/resource-policy: keep labels: {{- include "chart.labels" . | nindent 4 }} namespace: {{ .Release.Namespace }} diff --git a/dist/chart/templates/rbac/leader_election_role_binding.yaml b/dist/chart/templates/rbac/leader_election_role_binding.yaml index db74f972..885f5810 100755 --- a/dist/chart/templates/rbac/leader_election_role_binding.yaml +++ b/dist/chart/templates/rbac/leader_election_role_binding.yaml @@ -2,6 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: + annotations: + helm.sh/resource-policy: keep labels: {{- include "chart.labels" . | nindent 4 }} namespace: {{ .Release.Namespace }} diff --git a/dist/chart/templates/rbac/packagemanager_editor_role.yaml b/dist/chart/templates/rbac/packagemanager_editor_role.yaml index d0883956..399086a7 100755 --- a/dist/chart/templates/rbac/packagemanager_editor_role.yaml +++ b/dist/chart/templates/rbac/packagemanager_editor_role.yaml @@ -3,6 +3,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + annotations: + helm.sh/resource-policy: keep labels: {{- include "chart.labels" . | nindent 4 }} name: packagemanager-editor-role diff --git a/dist/chart/templates/rbac/packagemanager_viewer_role.yaml b/dist/chart/templates/rbac/packagemanager_viewer_role.yaml index 76cabee3..e44153f2 100755 --- a/dist/chart/templates/rbac/packagemanager_viewer_role.yaml +++ b/dist/chart/templates/rbac/packagemanager_viewer_role.yaml @@ -3,6 +3,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + annotations: + helm.sh/resource-policy: keep labels: {{- include "chart.labels" . | nindent 4 }} name: packagemanager-viewer-role diff --git a/dist/chart/templates/rbac/postgresdatabase_editor_role.yaml b/dist/chart/templates/rbac/postgresdatabase_editor_role.yaml index daba7055..da07e2a2 100755 --- a/dist/chart/templates/rbac/postgresdatabase_editor_role.yaml +++ b/dist/chart/templates/rbac/postgresdatabase_editor_role.yaml @@ -3,6 +3,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + annotations: + helm.sh/resource-policy: keep labels: {{- include "chart.labels" . | nindent 4 }} name: postgresdatabase-editor-role diff --git a/dist/chart/templates/rbac/postgresdatabase_viewer_role.yaml b/dist/chart/templates/rbac/postgresdatabase_viewer_role.yaml index fad88dd2..e4716e28 100755 --- a/dist/chart/templates/rbac/postgresdatabase_viewer_role.yaml +++ b/dist/chart/templates/rbac/postgresdatabase_viewer_role.yaml @@ -3,6 +3,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + annotations: + helm.sh/resource-policy: keep labels: {{- include "chart.labels" . | nindent 4 }} name: postgresdatabase-viewer-role diff --git a/dist/chart/templates/rbac/role.yaml b/dist/chart/templates/rbac/role.yaml index c03a278e..d7aca30b 100755 --- a/dist/chart/templates/rbac/role.yaml +++ b/dist/chart/templates/rbac/role.yaml @@ -3,6 +3,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + annotations: + helm.sh/resource-policy: keep labels: {{- include "chart.labels" . | nindent 4 }} name: team-operator-manager-role @@ -23,6 +25,8 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: + annotations: + helm.sh/resource-policy: keep name: team-operator-manager-role namespace: {{ .Values.watchNamespace }} rules: diff --git a/dist/chart/templates/rbac/role_binding.yaml b/dist/chart/templates/rbac/role_binding.yaml index b99f94e0..c671a1d7 100755 --- a/dist/chart/templates/rbac/role_binding.yaml +++ b/dist/chart/templates/rbac/role_binding.yaml @@ -3,6 +3,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: + annotations: + helm.sh/resource-policy: keep labels: {{- include "chart.labels" . | nindent 4 }} name: team-operator-manager-rolebinding @@ -18,6 +20,8 @@ subjects: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: + annotations: + helm.sh/resource-policy: keep name: team-operator-manager-rolebinding namespace: {{ .Values.watchNamespace }} labels: diff --git a/dist/chart/templates/rbac/service_account.yaml b/dist/chart/templates/rbac/service_account.yaml index 93e0a323..40c43b31 100755 --- a/dist/chart/templates/rbac/service_account.yaml +++ b/dist/chart/templates/rbac/service_account.yaml @@ -4,12 +4,13 @@ kind: ServiceAccount metadata: labels: {{- include "chart.labels" . | nindent 4 }} - {{- if and .Values.controllerManager.serviceAccount .Values.controllerManager.serviceAccount.annotations }} annotations: + helm.sh/resource-policy: keep + {{- if and .Values.controllerManager.serviceAccount .Values.controllerManager.serviceAccount.annotations }} {{- range $key, $value := .Values.controllerManager.serviceAccount.annotations }} {{ $key }}: {{ $value }} {{- end }} - {{- end }} + {{- end }} name: {{ .Values.controllerManager.serviceAccountName }} namespace: {{ .Release.Namespace }} {{- end -}} diff --git a/dist/chart/templates/rbac/site_editor_role.yaml b/dist/chart/templates/rbac/site_editor_role.yaml index bced8acc..93366baf 100755 --- a/dist/chart/templates/rbac/site_editor_role.yaml +++ b/dist/chart/templates/rbac/site_editor_role.yaml @@ -3,6 +3,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + annotations: + helm.sh/resource-policy: keep labels: {{- include "chart.labels" . | nindent 4 }} name: site-editor-role diff --git a/dist/chart/templates/rbac/site_viewer_role.yaml b/dist/chart/templates/rbac/site_viewer_role.yaml index 1edfda7d..526c4319 100755 --- a/dist/chart/templates/rbac/site_viewer_role.yaml +++ b/dist/chart/templates/rbac/site_viewer_role.yaml @@ -3,6 +3,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + annotations: + helm.sh/resource-policy: keep labels: {{- include "chart.labels" . | nindent 4 }} name: site-viewer-role diff --git a/dist/chart/templates/rbac/workbench_editor_role.yaml b/dist/chart/templates/rbac/workbench_editor_role.yaml index 0660f901..ab033bd1 100755 --- a/dist/chart/templates/rbac/workbench_editor_role.yaml +++ b/dist/chart/templates/rbac/workbench_editor_role.yaml @@ -3,6 +3,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + annotations: + helm.sh/resource-policy: keep labels: {{- include "chart.labels" . | nindent 4 }} name: workbench-editor-role diff --git a/dist/chart/templates/rbac/workbench_viewer_role.yaml b/dist/chart/templates/rbac/workbench_viewer_role.yaml index 25f8a90c..8dfbe7d1 100755 --- a/dist/chart/templates/rbac/workbench_viewer_role.yaml +++ b/dist/chart/templates/rbac/workbench_viewer_role.yaml @@ -3,6 +3,8 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: + annotations: + helm.sh/resource-policy: keep labels: {{- include "chart.labels" . | nindent 4 }} name: workbench-viewer-role From 3ae9adab9cd510ef0bf9ab8d31a809cda6cedd0a Mon Sep 17 00:00:00 2001 From: ian-flores Date: Tue, 20 Jan 2026 14:44:55 -0800 Subject: [PATCH 2/2] feat: make resource-policy annotation configurable Adds resourcePolicy.keep value (default: true) to control the helm.sh/resource-policy: keep annotation on non-CRD resources. Independent from crd.keep which controls CRDs only. --- dist/chart/templates/certmanager/certificate.yaml | 6 ++++++ dist/chart/templates/manager/manager.yaml | 2 ++ dist/chart/templates/metrics/metrics-service.yaml | 2 ++ dist/chart/templates/prometheus/monitor.yaml | 2 ++ .../chart/templates/rbac/auth_proxy_client_clusterrole.yaml | 2 ++ dist/chart/templates/rbac/auth_proxy_role.yaml | 2 ++ dist/chart/templates/rbac/auth_proxy_role_binding.yaml | 2 ++ dist/chart/templates/rbac/chronicle_editor_role.yaml | 2 ++ dist/chart/templates/rbac/chronicle_viewer_role.yaml | 2 ++ dist/chart/templates/rbac/connect_editor_role.yaml | 2 ++ dist/chart/templates/rbac/connect_viewer_role.yaml | 2 ++ dist/chart/templates/rbac/leader_election_role.yaml | 2 ++ dist/chart/templates/rbac/leader_election_role_binding.yaml | 2 ++ dist/chart/templates/rbac/packagemanager_editor_role.yaml | 2 ++ dist/chart/templates/rbac/packagemanager_viewer_role.yaml | 2 ++ dist/chart/templates/rbac/postgresdatabase_editor_role.yaml | 2 ++ dist/chart/templates/rbac/postgresdatabase_viewer_role.yaml | 2 ++ dist/chart/templates/rbac/role.yaml | 4 ++++ dist/chart/templates/rbac/role_binding.yaml | 4 ++++ dist/chart/templates/rbac/service_account.yaml | 4 ++++ dist/chart/templates/rbac/site_editor_role.yaml | 2 ++ dist/chart/templates/rbac/site_viewer_role.yaml | 2 ++ dist/chart/templates/rbac/workbench_editor_role.yaml | 2 ++ dist/chart/templates/rbac/workbench_viewer_role.yaml | 2 ++ dist/chart/values.yaml | 6 ++++++ 25 files changed, 64 insertions(+) diff --git a/dist/chart/templates/certmanager/certificate.yaml b/dist/chart/templates/certmanager/certificate.yaml index 6c9227bf..59139f4b 100644 --- a/dist/chart/templates/certmanager/certificate.yaml +++ b/dist/chart/templates/certmanager/certificate.yaml @@ -3,8 +3,10 @@ apiVersion: cert-manager.io/v1 kind: Issuer metadata: +{{- if .Values.resourcePolicy.keep }} annotations: helm.sh/resource-policy: keep +{{- end }} labels: {{- include "chart.labels" . | nindent 4 }} name: selfsigned-issuer @@ -17,8 +19,10 @@ spec: apiVersion: cert-manager.io/v1 kind: Certificate metadata: +{{- if .Values.resourcePolicy.keep }} annotations: helm.sh/resource-policy: keep +{{- end }} name: serving-cert namespace: {{ .Release.Namespace }} labels: @@ -39,8 +43,10 @@ spec: apiVersion: cert-manager.io/v1 kind: Certificate metadata: +{{- if .Values.resourcePolicy.keep }} annotations: helm.sh/resource-policy: keep +{{- end }} labels: {{- include "chart.labels" . | nindent 4 }} name: metrics-certs diff --git a/dist/chart/templates/manager/manager.yaml b/dist/chart/templates/manager/manager.yaml index a850cbce..e25a740f 100644 --- a/dist/chart/templates/manager/manager.yaml +++ b/dist/chart/templates/manager/manager.yaml @@ -3,8 +3,10 @@ kind: Deployment metadata: name: team-operator-controller-manager namespace: {{ .Release.Namespace }} +{{- if .Values.resourcePolicy.keep }} annotations: helm.sh/resource-policy: keep +{{- end }} labels: {{- include "chart.labels" . | nindent 4 }} control-plane: controller-manager diff --git a/dist/chart/templates/metrics/metrics-service.yaml b/dist/chart/templates/metrics/metrics-service.yaml index 0bb2f73b..09bba95d 100644 --- a/dist/chart/templates/metrics/metrics-service.yaml +++ b/dist/chart/templates/metrics/metrics-service.yaml @@ -4,8 +4,10 @@ kind: Service metadata: name: team-operator-controller-manager-metrics-service namespace: {{ .Release.Namespace }} +{{- if .Values.resourcePolicy.keep }} annotations: helm.sh/resource-policy: keep +{{- end }} labels: {{- include "chart.labels" . | nindent 4 }} spec: diff --git a/dist/chart/templates/prometheus/monitor.yaml b/dist/chart/templates/prometheus/monitor.yaml index c1fe594e..b5f335d8 100644 --- a/dist/chart/templates/prometheus/monitor.yaml +++ b/dist/chart/templates/prometheus/monitor.yaml @@ -3,8 +3,10 @@ apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: +{{- if .Values.resourcePolicy.keep }} annotations: helm.sh/resource-policy: keep +{{- end }} labels: {{- include "chart.labels" . | nindent 4 }} name: team-operator-controller-manager-metrics-monitor diff --git a/dist/chart/templates/rbac/auth_proxy_client_clusterrole.yaml b/dist/chart/templates/rbac/auth_proxy_client_clusterrole.yaml index 702636fd..4b883b69 100755 --- a/dist/chart/templates/rbac/auth_proxy_client_clusterrole.yaml +++ b/dist/chart/templates/rbac/auth_proxy_client_clusterrole.yaml @@ -2,8 +2,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: +{{- if .Values.resourcePolicy.keep }} annotations: helm.sh/resource-policy: keep +{{- end }} labels: {{- include "chart.labels" . | nindent 4 }} name: team-operator-metrics-reader diff --git a/dist/chart/templates/rbac/auth_proxy_role.yaml b/dist/chart/templates/rbac/auth_proxy_role.yaml index 4504bcd9..10cbbd0f 100755 --- a/dist/chart/templates/rbac/auth_proxy_role.yaml +++ b/dist/chart/templates/rbac/auth_proxy_role.yaml @@ -2,8 +2,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: +{{- if .Values.resourcePolicy.keep }} annotations: helm.sh/resource-policy: keep +{{- end }} labels: {{- include "chart.labels" . | nindent 4 }} name: proxy-role diff --git a/dist/chart/templates/rbac/auth_proxy_role_binding.yaml b/dist/chart/templates/rbac/auth_proxy_role_binding.yaml index 119219ff..8dbe7108 100755 --- a/dist/chart/templates/rbac/auth_proxy_role_binding.yaml +++ b/dist/chart/templates/rbac/auth_proxy_role_binding.yaml @@ -2,8 +2,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: +{{- if .Values.resourcePolicy.keep }} annotations: helm.sh/resource-policy: keep +{{- end }} labels: {{- include "chart.labels" . | nindent 4 }} name: proxy-rolebinding diff --git a/dist/chart/templates/rbac/chronicle_editor_role.yaml b/dist/chart/templates/rbac/chronicle_editor_role.yaml index 33ad0f18..48183839 100755 --- a/dist/chart/templates/rbac/chronicle_editor_role.yaml +++ b/dist/chart/templates/rbac/chronicle_editor_role.yaml @@ -3,8 +3,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: +{{- if .Values.resourcePolicy.keep }} annotations: helm.sh/resource-policy: keep +{{- end }} labels: {{- include "chart.labels" . | nindent 4 }} name: chronicle-editor-role diff --git a/dist/chart/templates/rbac/chronicle_viewer_role.yaml b/dist/chart/templates/rbac/chronicle_viewer_role.yaml index 71749d0d..3c617f1a 100755 --- a/dist/chart/templates/rbac/chronicle_viewer_role.yaml +++ b/dist/chart/templates/rbac/chronicle_viewer_role.yaml @@ -3,8 +3,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: +{{- if .Values.resourcePolicy.keep }} annotations: helm.sh/resource-policy: keep +{{- end }} labels: {{- include "chart.labels" . | nindent 4 }} name: chronicle-viewer-role diff --git a/dist/chart/templates/rbac/connect_editor_role.yaml b/dist/chart/templates/rbac/connect_editor_role.yaml index ea4751f2..eda38524 100755 --- a/dist/chart/templates/rbac/connect_editor_role.yaml +++ b/dist/chart/templates/rbac/connect_editor_role.yaml @@ -3,8 +3,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: +{{- if .Values.resourcePolicy.keep }} annotations: helm.sh/resource-policy: keep +{{- end }} labels: {{- include "chart.labels" . | nindent 4 }} name: connect-editor-role diff --git a/dist/chart/templates/rbac/connect_viewer_role.yaml b/dist/chart/templates/rbac/connect_viewer_role.yaml index 834f4587..619a6616 100755 --- a/dist/chart/templates/rbac/connect_viewer_role.yaml +++ b/dist/chart/templates/rbac/connect_viewer_role.yaml @@ -3,8 +3,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: +{{- if .Values.resourcePolicy.keep }} annotations: helm.sh/resource-policy: keep +{{- end }} labels: {{- include "chart.labels" . | nindent 4 }} name: connect-viewer-role diff --git a/dist/chart/templates/rbac/leader_election_role.yaml b/dist/chart/templates/rbac/leader_election_role.yaml index 37a4b8ab..6855dc57 100755 --- a/dist/chart/templates/rbac/leader_election_role.yaml +++ b/dist/chart/templates/rbac/leader_election_role.yaml @@ -3,8 +3,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: +{{- if .Values.resourcePolicy.keep }} annotations: helm.sh/resource-policy: keep +{{- end }} labels: {{- include "chart.labels" . | nindent 4 }} namespace: {{ .Release.Namespace }} diff --git a/dist/chart/templates/rbac/leader_election_role_binding.yaml b/dist/chart/templates/rbac/leader_election_role_binding.yaml index 885f5810..16ce7827 100755 --- a/dist/chart/templates/rbac/leader_election_role_binding.yaml +++ b/dist/chart/templates/rbac/leader_election_role_binding.yaml @@ -2,8 +2,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: +{{- if .Values.resourcePolicy.keep }} annotations: helm.sh/resource-policy: keep +{{- end }} labels: {{- include "chart.labels" . | nindent 4 }} namespace: {{ .Release.Namespace }} diff --git a/dist/chart/templates/rbac/packagemanager_editor_role.yaml b/dist/chart/templates/rbac/packagemanager_editor_role.yaml index 399086a7..5c49ade3 100755 --- a/dist/chart/templates/rbac/packagemanager_editor_role.yaml +++ b/dist/chart/templates/rbac/packagemanager_editor_role.yaml @@ -3,8 +3,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: +{{- if .Values.resourcePolicy.keep }} annotations: helm.sh/resource-policy: keep +{{- end }} labels: {{- include "chart.labels" . | nindent 4 }} name: packagemanager-editor-role diff --git a/dist/chart/templates/rbac/packagemanager_viewer_role.yaml b/dist/chart/templates/rbac/packagemanager_viewer_role.yaml index e44153f2..5d8b9b50 100755 --- a/dist/chart/templates/rbac/packagemanager_viewer_role.yaml +++ b/dist/chart/templates/rbac/packagemanager_viewer_role.yaml @@ -3,8 +3,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: +{{- if .Values.resourcePolicy.keep }} annotations: helm.sh/resource-policy: keep +{{- end }} labels: {{- include "chart.labels" . | nindent 4 }} name: packagemanager-viewer-role diff --git a/dist/chart/templates/rbac/postgresdatabase_editor_role.yaml b/dist/chart/templates/rbac/postgresdatabase_editor_role.yaml index da07e2a2..23cb0624 100755 --- a/dist/chart/templates/rbac/postgresdatabase_editor_role.yaml +++ b/dist/chart/templates/rbac/postgresdatabase_editor_role.yaml @@ -3,8 +3,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: +{{- if .Values.resourcePolicy.keep }} annotations: helm.sh/resource-policy: keep +{{- end }} labels: {{- include "chart.labels" . | nindent 4 }} name: postgresdatabase-editor-role diff --git a/dist/chart/templates/rbac/postgresdatabase_viewer_role.yaml b/dist/chart/templates/rbac/postgresdatabase_viewer_role.yaml index e4716e28..f8eada85 100755 --- a/dist/chart/templates/rbac/postgresdatabase_viewer_role.yaml +++ b/dist/chart/templates/rbac/postgresdatabase_viewer_role.yaml @@ -3,8 +3,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: +{{- if .Values.resourcePolicy.keep }} annotations: helm.sh/resource-policy: keep +{{- end }} labels: {{- include "chart.labels" . | nindent 4 }} name: postgresdatabase-viewer-role diff --git a/dist/chart/templates/rbac/role.yaml b/dist/chart/templates/rbac/role.yaml index d7aca30b..46dfe436 100755 --- a/dist/chart/templates/rbac/role.yaml +++ b/dist/chart/templates/rbac/role.yaml @@ -3,8 +3,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: +{{- if .Values.resourcePolicy.keep }} annotations: helm.sh/resource-policy: keep +{{- end }} labels: {{- include "chart.labels" . | nindent 4 }} name: team-operator-manager-role @@ -25,8 +27,10 @@ rules: apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: +{{- if .Values.resourcePolicy.keep }} annotations: helm.sh/resource-policy: keep +{{- end }} name: team-operator-manager-role namespace: {{ .Values.watchNamespace }} rules: diff --git a/dist/chart/templates/rbac/role_binding.yaml b/dist/chart/templates/rbac/role_binding.yaml index c671a1d7..5445f72f 100755 --- a/dist/chart/templates/rbac/role_binding.yaml +++ b/dist/chart/templates/rbac/role_binding.yaml @@ -3,8 +3,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: +{{- if .Values.resourcePolicy.keep }} annotations: helm.sh/resource-policy: keep +{{- end }} labels: {{- include "chart.labels" . | nindent 4 }} name: team-operator-manager-rolebinding @@ -20,8 +22,10 @@ subjects: apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: +{{- if .Values.resourcePolicy.keep }} annotations: helm.sh/resource-policy: keep +{{- end }} name: team-operator-manager-rolebinding namespace: {{ .Values.watchNamespace }} labels: diff --git a/dist/chart/templates/rbac/service_account.yaml b/dist/chart/templates/rbac/service_account.yaml index 40c43b31..262a34bf 100755 --- a/dist/chart/templates/rbac/service_account.yaml +++ b/dist/chart/templates/rbac/service_account.yaml @@ -4,13 +4,17 @@ kind: ServiceAccount metadata: labels: {{- include "chart.labels" . | nindent 4 }} +{{- if or .Values.resourcePolicy.keep (and .Values.controllerManager.serviceAccount .Values.controllerManager.serviceAccount.annotations) }} annotations: + {{- if .Values.resourcePolicy.keep }} helm.sh/resource-policy: keep + {{- end }} {{- if and .Values.controllerManager.serviceAccount .Values.controllerManager.serviceAccount.annotations }} {{- range $key, $value := .Values.controllerManager.serviceAccount.annotations }} {{ $key }}: {{ $value }} {{- end }} {{- end }} +{{- end }} name: {{ .Values.controllerManager.serviceAccountName }} namespace: {{ .Release.Namespace }} {{- end -}} diff --git a/dist/chart/templates/rbac/site_editor_role.yaml b/dist/chart/templates/rbac/site_editor_role.yaml index 93366baf..15c7b16b 100755 --- a/dist/chart/templates/rbac/site_editor_role.yaml +++ b/dist/chart/templates/rbac/site_editor_role.yaml @@ -3,8 +3,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: +{{- if .Values.resourcePolicy.keep }} annotations: helm.sh/resource-policy: keep +{{- end }} labels: {{- include "chart.labels" . | nindent 4 }} name: site-editor-role diff --git a/dist/chart/templates/rbac/site_viewer_role.yaml b/dist/chart/templates/rbac/site_viewer_role.yaml index 526c4319..230f7bda 100755 --- a/dist/chart/templates/rbac/site_viewer_role.yaml +++ b/dist/chart/templates/rbac/site_viewer_role.yaml @@ -3,8 +3,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: +{{- if .Values.resourcePolicy.keep }} annotations: helm.sh/resource-policy: keep +{{- end }} labels: {{- include "chart.labels" . | nindent 4 }} name: site-viewer-role diff --git a/dist/chart/templates/rbac/workbench_editor_role.yaml b/dist/chart/templates/rbac/workbench_editor_role.yaml index ab033bd1..4dac030e 100755 --- a/dist/chart/templates/rbac/workbench_editor_role.yaml +++ b/dist/chart/templates/rbac/workbench_editor_role.yaml @@ -3,8 +3,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: +{{- if .Values.resourcePolicy.keep }} annotations: helm.sh/resource-policy: keep +{{- end }} labels: {{- include "chart.labels" . | nindent 4 }} name: workbench-editor-role diff --git a/dist/chart/templates/rbac/workbench_viewer_role.yaml b/dist/chart/templates/rbac/workbench_viewer_role.yaml index 8dfbe7d1..181609e4 100755 --- a/dist/chart/templates/rbac/workbench_viewer_role.yaml +++ b/dist/chart/templates/rbac/workbench_viewer_role.yaml @@ -3,8 +3,10 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: +{{- if .Values.resourcePolicy.keep }} annotations: helm.sh/resource-policy: keep +{{- end }} labels: {{- include "chart.labels" . | nindent 4 }} name: workbench-viewer-role diff --git a/dist/chart/values.yaml b/dist/chart/values.yaml index 3b526c7d..c745ec46 100644 --- a/dist/chart/values.yaml +++ b/dist/chart/values.yaml @@ -81,6 +81,12 @@ crd: # the Helm release is uninstalled. keep: true +# Resource policy for non-CRD resources (Deployment, RBAC, Services, etc.) +# When enabled, adds helm.sh/resource-policy: keep annotation to prevent +# deletion during helm uninstall +resourcePolicy: + keep: true + # [METRICS]: Set to true to generate manifests for exporting metrics. # To disable metrics export set false, and ensure that the # ControllerManager argument "--metrics-bind-address=:8443" is removed.