feat: add helm.sh/resource-policy: keep to all chart resources#45
feat: add helm.sh/resource-policy: keep to all chart resources#45ian-flores merged 2 commits intomainfrom
Conversation
Adds resource protection annotation to all Kubernetes resources created by the chart. This prevents resources from being deleted during helm uninstall, enabling safe migration to helm-controller management. Resources protected: - Deployment, ServiceAccount - ClusterRoles, Roles, ClusterRoleBindings, RoleBindings - Service, ServiceMonitor - Certificates, Issuer
|
Claude finished @ian-flores's task —— View job Reviewing PR
Review submitted with observations on the certificate template behavior change and a suggestion for configurability. |
![claude[bot]](https://avatars.githubusercontent.com/in/1236702?s=60&v=4){kind=small}
There was a problem hiding this comment.
Review Summary
Overall the changes are straightforward and consistent across all 24 templates. The annotation placement follows existing patterns.
Observations:
-
Certificate templates behavior change: The certificates (
serving-cert,metrics-certs) previously used the conditional{{ if .Values.crd.keep }}pattern to match CRD behavior. This PR changes them to unconditionalkeep. If this is intentional, consider updating the PR description since it mentions "CRDs already have configurable protection viacrd.keep: true" but certificates no longer follow this same configurable pattern. -
Configurability consideration: All non-CRD resources now unconditionally get the
keepannotation. For flexibility after the migration is complete, consider adding a configurable value (e.g.,resourcePolicy.keep: true) to mirror thecrd.keeppattern. This is optional if unconditional is the desired long-term behavior. -
Service Account template (
dist/chart/templates/rbac/service_account.yaml): The refactoring correctly ensuresannotations:block is always present withhelm.sh/resource-policy: keep, while preserving user-configurable annotations. Good approach.
Helm Chart Checklist:
- Templates structure looks correct
- Annotation consistently applied across all resources
- RBAC templates unchanged except for annotation (no permission changes)
LGTM with minor suggestions above. The changes serve their stated purpose for the helm-controller migration.
Adds resourcePolicy.keep value (default: true) to control the helm.sh/resource-policy: keep annotation on non-CRD resources. Independent from crd.keep which controls CRDs only.
2 participants
Summary
Adds
helm.sh/resource-policy: keepannotation to all Kubernetes resources created by the Helm chart.Why
This enables safe migration from direct Pulumi Helm Release management to helm-controller (HelmChart CR) management. When Pulumi removes its Release resource,
helm uninstallruns but resources with this annotation are preserved. The new HelmChart CR then adopts the existing resources viahelm upgrade.Resources Protected
Note: CRDs already have configurable protection via
crd.keep: true(default).Related
thoughts/shared/plans/2026-01-20-team-operator-helm-controller-migration.md