feat(chart): add automatic Skyhook resource cleanup on helm uninstall

Add pre-delete hook to automatically clean up Skyhook and DeploymentPolicy
resources during helm uninstall, eliminating the manual step previously
required to avoid reinstall issues.

Enabled by default with configurable timeout (120s). Can be disabled with
cleanup.enabled=false.

Author: lockwobr

README.md

@@ -141,19 +141,53 @@ kubectl wait --for=jsonpath='{.status.status}'=complete skyhook/skyhook-sample -
 kubectl describe skyhook skyhook-sample
 ```
 
-### ⚠️ Important: Before Uninstalling **(really only important if you want to reinstall)**
+### Uninstalling
 
-**Always delete all Skyhook Custom Resources before running `helm uninstall`:**
+**Automatic Cleanup (Default):** By default, the Helm chart includes a pre-delete hook that automatically cleans up all Skyhook and DeploymentPolicy resources before uninstalling:
 
 ```bash
-# Delete all Skyhook resources first (REQUIRED before uninstall)
-kubectl delete skyhooks --all --all-namespaces
+# Uninstall the chart (cleanup happens automatically)
+helm uninstall skyhook --namespace skyhook
+```
+
+The pre-delete hook will:
+- Delete all Skyhook resources
+- Delete all DeploymentPolicy resources  
+- Complete quickly if no resources exist
+- Wait for finalizers to be processed if resources exist
+- Proceed with uninstall even if cleanup times out (job deadline: 2 minutes)
+
+**Configuration Options:**
+
+To disable automatic cleanup and manage resources manually:
+
+```bash
+helm install skyhook ./chart --namespace skyhook --set cleanup.enabled=false
+```
+
+To adjust the job timeout:
+
+```bash
+helm install skyhook ./chart --namespace skyhook \
+  --set cleanup.jobTimeoutSeconds=180
+```
+
+**Manual Cleanup (if needed):**
+
+If you disabled automatic cleanup or need to clean up resources manually:
+
+```bash
+# Delete all Skyhook resources first
+kubectl delete skyhooks --all
+
+# Delete all DeploymentPolicy resources
+kubectl delete deploymentpolicies --all
 
 # Then uninstall the chart
 helm uninstall skyhook --namespace skyhook
 ```
 
-**Why?** If you `helm uninstall` while Skyhook CRs still exist, finalizers will leave the CRD in a broken state, causing reinstalls to fail.
+**Why cleanup matters:** If you uninstall while Skyhook CRs with finalizers still exist, it can leave resources in a broken state that may cause reinstall issues.
 
 ## Monitoring and Troubleshooting
 

chart/README.md

@@ -37,6 +37,8 @@ Settings | Description | Default |
 | imagePullSecret | the secret used to pull the operator controller image, agent image, and package images. | "" |
 | estimatedPackageCount | estimated number of packages to be installed on the cluster, this is used to calculate the resources for the operator controller. | 1 |
 | estimatedNodeCount | estimated number of nodes in the cluster, this is used to calculate the resources for the operator controller | 1 |
+| cleanup.enabled | Automatically delete all Skyhook and DeploymentPolicy resources during helm uninstall. Recommended to prevent orphaned CRs. | true |
+| cleanup.jobTimeoutSeconds | Hard deadline for the entire cleanup job during uninstall. The job will be killed if it exceeds this time. | 120 |
 
 ### NOTES
 - **estimatedPackageCount** and **estimatedNodeCount** are used to size the resource requirements. Default setting should be good for nodes > 1000 and packages 1-2 or nodes > 500 and packages >= 4. If your approaching this size deployment it would make sense to set these. You can also override them by explicitly with `controllerManager.manager.resources` the values file has an example.
@@ -70,3 +72,52 @@ This Helm chart follows independent versioning from the operator and agent compo
 ### Chart Version vs App Version
 - **Chart version** (`version` in Chart.yaml): Tracks changes to chart templates, values, and configuration (NOTE: agent version in set in the values.)
 - **App version** (`appVersion` in Chart.yaml): Recommended stable operator version for this chart release
+
+## Uninstalling
+
+### Automatic Cleanup (Default Behavior)
+
+By default, the Helm chart includes a pre-delete hook that automatically cleans up all Skyhook and DeploymentPolicy custom resources before uninstalling. This prevents orphaned resources that could cause issues during reinstallation.
+
+```bash
+# Uninstall with automatic cleanup (default)
+helm uninstall skyhook --namespace skyhook
+```
+
+The pre-delete hook will:
+- Delete all Skyhook resources cluster-wide
+- Delete all DeploymentPolicy resources cluster-wide
+- Wait for finalizers to be processed
+- Proceed with uninstall even if cleanup times out (job deadline: 2 minutes, configurable via `cleanup.jobTimeoutSeconds`)
+
+### Disabling Automatic Cleanup
+
+If you need to preserve Skyhook resources during uninstall (e.g., for backup/migration scenarios), disable the cleanup feature:
+
+```yaml
+# values.yaml
+cleanup:
+  enabled: false
+```
+
+When disabled, you must manually delete resources before uninstalling to avoid issues:
+
+```bash
+# Manual cleanup when automatic cleanup is disabled
+kubectl delete skyhooks --all
+kubectl delete deploymentpolicies --all
+helm uninstall skyhook --namespace skyhook
+```
+
+### Configuring Timeout Values
+
+For large clusters or when resources have complex finalizers, you may need to adjust the job timeout:
+
+```yaml
+# values.yaml
+cleanup:
+  enabled: true
+  jobTimeoutSeconds: 180  # 3 minutes total job deadline
+```
+
+**Note:** The job will be killed if it exceeds `jobTimeoutSeconds`. The default of 120 seconds (2 minutes) should be sufficient for most clusters.

chart/templates/cleanup-skyhooks-job.yaml

@@ -0,0 +1,79 @@
+{{- if .Values.cleanup.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: "{{ include "chart.fullname" . }}-skyhook-cleanup"
+  namespace: "{{ .Release.Namespace }}"
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    "helm.sh/hook-weight": "-5"
+spec:
+  activeDeadlineSeconds: {{ .Values.cleanup.jobTimeoutSeconds }}
+  template:
+    spec:
+      restartPolicy: Never
+      automountServiceAccountToken: false
+      serviceAccountName: {{ include "chart.fullname" . }}-controller-manager
+      {{- with .Values.controllerManager.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 10001
+        seccompProfile:
+          type: RuntimeDefault
+      volumes:
+      - name: kube-api-access
+        projected:
+          defaultMode: 420
+          sources:
+          - serviceAccountToken:
+              path: token
+              expirationSeconds: 3607
+          - configMap:
+              items:
+              - key: ca.crt
+                path: ca.crt
+              name: kube-root-ca.crt
+          - downwardAPI:
+              items:
+              - fieldRef:
+                  apiVersion: v1
+                  fieldPath: metadata.namespace
+                path: namespace
+      containers:
+      - name: cleanup
+        image: {{ .Values.webhook.removalImage | default "bitnami/kubectl" }}{{- if .Values.webhook.removalDigest }}{{- if .Values.webhook.removalTag }}:{{ .Values.webhook.removalTag | default "latest" }}@{{ .Values.webhook.removalDigest }}{{- else }}@{{ .Values.webhook.removalDigest }}{{- end }}{{- else }}:{{ .Values.webhook.removalTag | default "latest" }}{{- end }}
+        imagePullPolicy: Always
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          capabilities:
+            drop:
+            - ALL
+          seccompProfile:
+            type: RuntimeDefault
+        volumeMounts:
+        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+          name: kube-api-access
+          readOnly: true
+        resources:
+          limits:
+            cpu: {{ .Values.limitRange.default.cpu }}
+            memory: {{ .Values.limitRange.default.memory }}
+          requests:
+            cpu: {{ .Values.limitRange.defaultRequest.cpu }}
+            memory: {{ .Values.limitRange.defaultRequest.memory }}
+        command:
+        - /bin/sh
+        - -c
+        - |
+          # Delete all Skyhook resources (cluster-scoped)
+          # Using || true to ensure job succeeds even if delete times out
+          kubectl delete skyhooks --all --ignore-not-found || true
+          # Delete all DeploymentPolicy resources (cluster-scoped)
+          kubectl delete deploymentpolicies --all --ignore-not-found || true
+          echo "Cleanup completed"
+{{- end }}

chart/templates/cleanup-webhook-job.yaml

@@ -8,6 +8,7 @@ metadata:
     "helm.sh/hook": pre-delete
     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
 spec:
+  activeDeadlineSeconds: {{ .Values.cleanup.jobTimeoutSeconds }}
   template:
     spec:
       restartPolicy: Never

chart/values.yaml

@@ -161,6 +161,15 @@ webhook:
   removalTag: latest
   removalDigest: "sha256:1bc359beb3ae3982591349df11db50b0917b0596e8bed8ab9cf0c8a84a3502d1"
 
+## cleanup: Configuration for pre-delete cleanup jobs
+cleanup:
+  ## enabled: When true, automatically deletes all Skyhook and DeploymentPolicy
+  ## resources before helm uninstall. Recommended to prevent orphaned CRs.
+  enabled: true
+  ## jobTimeoutSeconds: Hard deadline for the entire cleanup job.
+  ## The job will be killed if it exceeds this time.
+  jobTimeoutSeconds: 120
+
 metrics:
   addServiceAccountBinding: false
   serviceAccountName: prometheus

k8s-tests/chainsaw/helm/helm-chart-test/README.md

@@ -2,24 +2,27 @@
 
 ## Purpose
 
-Validates that the Helm chart deploys correctly with custom configurations, including custom deployment names and tolerations.
+Validates that the Helm chart deploys correctly with custom configurations, including custom deployment names, tolerations, and automatic cleanup on uninstall.
 
 ## Test Scenario
 
 1. Reset state from previous runs
-2. Install the Helm chart with custom values:
-   - Different deployment name than `skyhook-operator`
-   - Custom tolerations
-3. Verify the operator is scheduled correctly
-4. Apply a skyhook and verify it completes
-5. Assert metrics and state are correct
+2. Install the Helm chart with a "bad" node taint and verify pods don't schedule
+3. Change to a "good" node taint that matches configured tolerations
+4. Reinstall the Helm chart (tests uninstall + reinstall flow)
+5. Verify the operator is scheduled correctly with tolerations
+6. Apply a DeploymentPolicy and Skyhook
+7. Verify the Skyhook completes successfully
+8. Uninstall the Helm chart (verifies pre-delete hook cleans up Skyhook/DeploymentPolicy resources automatically)
 
 ## Key Features Tested
 
 - Custom deployment name support
 - Toleration configuration via Helm values
-- Operator deployment and scheduling
+- Operator deployment and scheduling with node taints
 - End-to-end skyhook processing with Helm-deployed operator
+- Automatic cleanup of Skyhook and DeploymentPolicy resources during helm uninstall
+- Pre-delete hook tolerates node taints (can schedule on same nodes as operator)
 
 ## Files
 

k8s-tests/chainsaw/helm/helm-chart-test/assert-no-schedule.yaml

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
 # SPDX-License-Identifier: Apache-2.0
 #
 #
@@ -119,8 +119,6 @@ spec:
     terminationMessagePolicy: File
   dnsPolicy: ClusterFirst
   enableServiceLinks: true
-  imagePullSecrets:
-  - name: node-init-secret
   preemptionPolicy: PreemptLowerPriority
   priority: 0
   restartPolicy: Always

k8s-tests/chainsaw/helm/helm-chart-test/assert-scheduled.yaml

@@ -1,4 +1,4 @@
-# SPDX-FileCopyrightText: Copyright (c) 2025 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
+# SPDX-FileCopyrightText: Copyright (c) 2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
 # SPDX-License-Identifier: Apache-2.0
 #
 #
@@ -119,8 +119,6 @@ spec:
     terminationMessagePolicy: File
   dnsPolicy: ClusterFirst
   enableServiceLinks: true
-  imagePullSecrets:
-  - name: node-init-secret
   preemptionPolicy: PreemptLowerPriority
   priority: 0
   restartPolicy: Always

k8s-tests/chainsaw/helm/helm-chart-test/chainsaw-test.yaml

@@ -62,19 +62,22 @@ spec:
         file: skyhook.yaml
     - assert:
         file: assert-skyhook-complete.yaml
+    - script:
+        content: |
+          ## Remove helm chart (pre-delete hook should clean up Skyhooks/DeploymentPolicies)
+          ## If cleanup fails or times out, helm uninstall will fail
+          ../uninstall-helm-chart.sh foobar
     finally:
     - script:
         content: |
-          ## Cleanup deployment policy test resources
+          ## Cleanup any remaining resources
           ../skyhook-cli reset helm-test-skyhook --confirm 2>/dev/null || true
-          kubectl delete skyhook helm-test-skyhook --ignore-not-found || true
-          kubectl delete deploymentpolicy helm-test-policy -n skyhook --ignore-not-found || true
     - script:
         content: |
           ## Remove taint from nodes
           ../untaint-nodes.sh dedicated=bogus:NoSchedule
           ../untaint-nodes.sh dedicated=system-cpu:NoSchedule
     - script:
         content: |
-          ## Remove helm chart
-          ../uninstall-helm-chart.sh foobar
+          ## Remove helm chart if still present
+          ../uninstall-helm-chart.sh foobar || true

operator/README.md

@@ -217,14 +217,14 @@ helm install skyhook-operator ./chart --namespace skyhook
 
 to remove operator from a cluster:
 ```
-## remove operator
+## remove operator (automatic cleanup enabled by default)
 helm uninstall skyhook-operator --namespace skyhook
 
 ## delete CRD
 make uninstall
 ```
 
-**NOTE**: because there is a finalizer on it you need to need to delete the SCRs before uninstalling the CRD or operator. If you remove the operator first, delete the CRD or SCR can hang trying to finalize. Easiest way to fix is re install the operator. You can clean up by hand, but could be some work. cleaning up: configmaps, uncording nodes, removing taints, and deleting running pods
+**NOTE**: The Helm chart includes automatic cleanup of Skyhook and DeploymentPolicy resources during uninstall (enabled by default). If you've disabled automatic cleanup (`cleanup.enabled: false`), you must manually delete SCRs before uninstalling to avoid finalizer issues. If you remove the operator before deleting SCRs with finalizers, they can hang. To fix: reinstall the operator, delete resources, then uninstall properly. Manual cleanup may require removing configmaps, uncordoning nodes, removing taints, and deleting running pods.
 
 
 ## Helm Chart and General Config infra