Skip to content

fix(helm): sync CRDs and fix helm-generate post-processing#60

Merged
ian-flores merged 6 commits intomainfrom
fix-helm-generate-sync
Feb 2, 2026
Merged

fix(helm): sync CRDs and fix helm-generate post-processing#60
ian-flores merged 6 commits intomainfrom
fix-helm-generate-sync

Conversation

@ian-flores
Copy link
Collaborator

@ian-flores ian-flores commented Jan 29, 2026

Summary

  • Sync Helm chart CRDs with base CRDs to include recent API changes (sessionTolerations, flightdeck.enabled)
  • Add Makefile post-processing to fix kubebuilder-generated files after helm-generate
  • Remove unused resourcePolicy.keep feature from all templates
  • Delete config/rbac/auth_proxy_service.yaml to prevent duplicate service creation

Technical Context

Why CRDs were out of sync

The base CRDs in config/crd/bases/ are generated from api/*_types.go via make manifests. The Helm chart CRDs in dist/chart/templates/crd/ are generated from the base CRDs via make helm-generate. However, helm-generate was only run once when Helm charts were first migrated, causing drift as new API fields were added.

Solution: Regenerated Helm CRDs from base CRDs. Going forward, developers should run make helm-generate after API changes.

Why Makefile post-processing is needed

The kubebuilder helm plugin generates certificate.yaml and metrics-service.yaml from internal Go templates (not from config/). These templates hardcode the metrics service name as team-operator-controller-manager-metrics-service.

Since we template the serviceAccountName via Helm values, the service name should be {{ .Values.controllerManager.serviceAccountName }}-metrics-service. The sed commands in the Makefile patch these generated files to use the templated value.

There is no source file to modify - the templates live inside the kubebuilder binary itself.

Why resourcePolicy.keep was removed

This Helm annotation (helm.sh/resource-policy: keep) prevents resources from being deleted on uninstall. For CRDs, we already have the dedicated crd.keep value. For other resources (RBAC, services, etc.), we want standard Helm lifecycle management - they should be cleaned up when the release is uninstalled.

Why auth_proxy_service.yaml was deleted

The metrics service is already defined in dist/chart/templates/metrics/metrics-service.yaml. Having a source file in config/rbac/auth_proxy_service.yaml caused kubebuilder to generate a duplicate in dist/chart/templates/rbac/auth_proxy_service.yaml. Deleting the source file prevents this duplicate.

Test plan

  • Run helm template team-operator dist/chart and verify no duplicate services
  • Verify certificate dnsNames include the templated service name
  • Deploy to test cluster and verify metrics endpoint works

@ian-flores
fix(helm): sync CRDs and fix helm-generate post-processing
72657e8 
Regenerate Helm chart CRDs from base CRDs to include recent API changes
(sessionTolerations, flightdeck.enabled) that were only in config/crd/bases/.

Key changes:
- Sync Helm CRDs with base CRDs (source of truth is config/crd/bases/)
- Add Makefile post-processing to fix kubebuilder-generated files
- Remove unused resourcePolicy.keep feature from all templates
- Delete config/rbac/auth_proxy_service.yaml to prevent duplicate service

Why post-processing in Makefile:
The kubebuilder helm plugin generates certificate.yaml and metrics-service.yaml
from internal Go templates (not from config/), hardcoding the metrics service
name. Since we template the serviceAccountName via Helm values, we need to
patch these generated files to use {{ .Values.controllerManager.serviceAccountName }}-metrics-service
instead of the hardcoded team-operator-controller-manager-metrics-service.

Why remove resourcePolicy.keep:
This Helm annotation prevents resources from being deleted on uninstall.
For CRDs we have the dedicated crd.keep value. For other resources
(RBAC, services, etc.), we want standard Helm lifecycle management.

Why delete auth_proxy_service.yaml:
The metrics service is already defined in dist/chart/templates/metrics/
metrics-service.yaml. Having a source file in config/rbac/ caused
kubebuilder to generate a duplicate in dist/chart/templates/rbac/.
@claude

This comment was marked as outdated.

Sign in to view
claude[bot]

This comment was marked as outdated.

Sign in to view

@ian-flores
fix: comment out auth_proxy instead of deleting files
91a2c74 
Keep the auth_proxy files but disable them by commenting out the
references in kustomization.yaml. This is cleaner than deleting
files since kubebuilder won't regenerate them if they're just disabled.
@ian-flores
docs: add comment explaining test-chart.yml removal
f4b91d3
@ian-flores
fix: include auth_proxy_service.yaml in commented out section
9a10cd3
@ian-flores

This comment was marked as resolved.

Sign in to view
@ian-flores

This comment was marked as resolved.

Sign in to view
@ian-flores ian-flores marked this pull request as ready for review January 29, 2026 18:41
@ian-flores ian-flores requested review from Lytol and amdove January 29, 2026 18:43
Lytol
Lytol approved these changes Jan 29, 2026
View reviewed changes
Copy link

@Lytol Lytol left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the clear description in the PR notes! I have two comments/questions, but as long as you're comfortable with them, don't let it stop you from merging.

  1. The Connect and Workbench CRDs have really big diffs that I didn't see any reasons for in the PR description. Were you expecting these?
  2. Yay for fixing the helm-generate target to cover the eccentricities/fallout. Are we still expecting engineers to manually run this on changes? I didn't see any changes that would cause it to automatically run in typical workflows or CI.

dist/chart/templates/crd/core.posit.team_connects.yaml
Copy link

@Lytol Lytol Jan 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This diff (for the Connect CRD) seems surprisingly large. Is this expected given the description in the PR?

dist/chart/templates/crd/core.posit.team_workbenches.yaml
Copy link

@Lytol Lytol Jan 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as the Connect CRD. Is this large diff expected?

@Lytol Lytol mentioned this pull request Jan 29, 2026
Closed
@ian-flores
ci: add helm-generate sync check to build workflow
0902ee7 
Ensures Helm chart CRDs stay in sync with base kustomize CRDs by
running make helm-generate and failing if it produces any diff.
@ian-flores
build: add kubebuilder installation target for helm-generate
7af5893 
Adds automatic kubebuilder binary download (v4.5.1) to support running
make helm-generate in CI. Downloads the pre-built binary from GitHub
releases since go install doesn't include all plugins.
@ian-flores
Copy link
Collaborator Author

ian-flores commented Feb 2, 2026

@Lytol Yes, this is expected. The Helm CRDs had drifted from the kustomize source (e.g., affinity was incorrectly typed as an array).

@ian-flores ian-flores merged commit ee80c7e into main Feb 2, 2026
2 checks passed
@ian-flores ian-flores deleted the fix-helm-generate-sync branch February 2, 2026 16:37
This was referenced Feb 12, 2026
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@claude claude[bot] claude[bot] left review comments

@Lytol Lytol Lytol approved these changes

@amdove amdove Awaiting requested review from amdove

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ian-flores @Lytol

Comments