fix(team-operator): add retain_on_delete protection for CRDs and namespace#90
Merged
fix(team-operator): add retain_on_delete protection for CRDs and namespace#90
Conversation
…space When migrating from kustomize to Helm deployment, Pulumi would see old kustomize-managed CRD resources as orphaned and delete them, causing cascade deletion of Site custom resources. This fix: - Creates protected CRD resources with retain_on_delete=True - Uses aliases to link to old kustomize resource URNs - Sets skip_crds=True on Helm release to avoid conflicts - Adds ignore_changes=["*"] so Pulumi doesn't modify CRDs - Adds retain_on_delete=True to posit-team namespace Fixes cascade deletion issue seen in npower01-production migration.
ian-flores
force-pushed
the
fix-crd-retain-on-delete
branch
from
1bff1bc to
8c2d8ce
Compare
Remove CRD protection code that was causing conflicts with existing CRDs. Keep only retain_on_delete=True on namespace. CRD protection needs more work to handle existing CRDs properly.
Add configuration option to skip CRD installation during Helm deployment, enabling safe migration from kustomize-managed CRDs. When enabled: - Sets crd.enable=false in Helm values (prevents template rendering) - Sets skip_crds=true on ReleaseArgs (skips crds/ directory) - Keeps crd.keep=true as defense-in-depth This allows the migration job to patch existing CRDs with Helm ownership labels without risk of accidental deletion during the kustomize-to-Helm transition.
timtalbot
approved these changes
Jan 28, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
When migrating from kustomize to Helm deployment, Pulumi sees old kustomize-managed CRD resources as orphaned and deletes them. This causes cascade deletion of Site custom resources - as happened in npower01-production.
This fix adds protection to prevent Pulumi from deleting critical resources during migration:
retain_on_delete=Trueandignore_changes=["*"]skip_crds=Trueon Helm release to avoid conflictsretain_on_delete=Trueto posit-team namespaceRoot Cause
The migration from kustomize to Helm changed how CRDs are managed:
kustomize.Directorycreated CRDs as individual Pulumi resourcesThe
helm.sh/resource-policy: keepannotation only protects against Helm-initiated deletion, not Pulumi-initiated deletion.Test plan
ptd ensureon a workload that hasn't migrated yet - verify CRDs are protectedpulumi previewto verify no unexpected deletions🤖 Generated with Claude Code