feat(chart): remove AllowlistSynchronizer automatically

This requires the workload allowlists in version 1.0.1, as they provide
an allowlist for this new job.

Author: basti1302

helm-chart/dash0-operator/README.md

@@ -2157,12 +2157,6 @@ clusters:
   disabled, collecting these requires access to the `/pod` endpoint of the kubelet API which is not available in GKE
   autopilot due to the lack of the `nodes/proxy` permission
 
-**Note:** The `AllowlistSynchronizer` resource is not removed automatically with `helm uninstall dash0-operator`.
-If you decide to remove the Dash0 operator Helm release from the cluster, you might want to delete the
-`AllowlistSynchronizer` manually afterward, for example by executing
-`kubectl delete AllowlistSynchronizer dash0-allowlist-synchronizer`.
-Deleting the `AllowlistSynchronizer` will also delete all associated `WorkloadAllowlist` resources.
-
 Refer to <https://cloud.google.com/kubernetes-engine/docs/how-to/run-autopilot-partner-workloads> for more information
 on `AllowlistSynchronizer`, `WorkloadAllowlist`, and related concepts.
 
@@ -2192,6 +2186,7 @@ spec:
     - Dash0/operator/v1.0.1/dash0-opentelemetry-cluster-metrics-collector-v1.0.1.yaml
     - Dash0/operator/v1.0.1/dash0-opentelemetry-collector-agent-v1.0.1.yaml
     - Dash0/operator/v1.0.1/dash0-operator-manager-v1.0.1.yaml
+    - Dash0/operator/v1.0.1/dash0-post-delete-remove-allowlist-synchronizer-v1.0.1.yaml
     - Dash0/operator/v1.0.1/dash0-post-install-v1.0.1.yaml
     - Dash0/operator/v1.0.1/dash0-pre-delete-v1.0.1.yaml
     - Dash0/operator/v1.0.1/dash0-target-allocator-v1.0.1.yaml

helm-chart/dash0-operator/templates/_helpers.tpl

@@ -42,6 +42,10 @@ helm.sh/chart: {{ include "dash0-operator.chartNameWithVersion" . }}
 {{- default (printf "%s-controller" (include "dash0-operator.chartName" .)) .Values.operator.serviceAccount.name }}
 {{- end }}
 
+{{- define "dash0-operator.postDeleteHookServiceAccountName" -}}
+{{- printf "%s-post-delete" (include "dash0-operator.chartName" .) }}
+{{- end }}
+
 {{/* otelcol resources config map name */}}
 {{- define "dash0-operator.extraConfigMapName" -}}
 {{ include "dash0-operator.chartName" . }}-extra-config

helm-chart/dash0-operator/templates/operator/gke-autopilot-allowlist-synchronizer.yaml

@@ -24,6 +24,7 @@ spec:
     - Dash0/operator/v1.0.1/dash0-opentelemetry-cluster-metrics-collector-v1.0.1.yaml
     - Dash0/operator/v1.0.1/dash0-opentelemetry-collector-agent-v1.0.1.yaml
     - Dash0/operator/v1.0.1/dash0-operator-manager-v1.0.1.yaml
+    - Dash0/operator/v1.0.1/dash0-post-delete-remove-allowlist-synchronizer-v1.0.1.yaml
     - Dash0/operator/v1.0.1/dash0-post-install-v1.0.1.yaml
     - Dash0/operator/v1.0.1/dash0-pre-delete-v1.0.1.yaml
     - Dash0/operator/v1.0.1/dash0-target-allocator-v1.0.1.yaml

helm-chart/dash0-operator/templates/operator/post-delete-remove-allowlist-synchronizer.yaml

@@ -0,0 +1,122 @@
+{{- if (and .Values.operator.gke.autopilot.enabled .Values.operator.gke.autopilot.deployAllowlistSynchronizer) }}
+{{/*
+This job needs its own separate ClusterRole, ClusterRoleBinding and ServiceAccount because all resources from the main
+Helm chart have already been deleted by the time this runs.
+*/}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "dash0-operator.postDeleteHookServiceAccountName" . }}
+  annotations:
+    "helm.sh/hook": post-delete
+    "helm.sh/hook-weight": "-10"
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "dash0-operator.chartName" . }}-post-delete-role
+  annotations:
+    "helm.sh/hook": post-delete
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed"
+rules:
+  - apiGroups:
+    - apiextensions.k8s.io
+    resources:
+    - customresourcedefinitions
+    verbs:
+    - get
+  - apiGroups:
+    - auto.gke.io
+    resources:
+    - allowlistsynchronizers
+    verbs:
+    - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "dash0-operator.chartName" . }}-post-delete-role-binding
+  annotations:
+    "helm.sh/hook": post-delete
+    "helm.sh/hook-weight": "-4"
+    "helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded,hook-failed"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "dash0-operator.chartName" . }}-post-delete-role
+subjects:
+  - kind: ServiceAccount
+    name: {{ template "dash0-operator.postDeleteHookServiceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "dash0-operator.chartName" . }}-post-delete-remove-allowlist-synchronizer
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: dash0-operator
+    app.kubernetes.io/component: remove-allowlist-synchronizer
+    {{- include "dash0-operator.labels" . | nindent 4 }}
+    dash0.com/enable: "false"
+  annotations:
+    helm.sh/hook: post-delete
+    helm.sh/hook-weight: "0"
+    helm.sh/hook-delete-policy: "hook-succeeded"
+spec:
+  template:
+    metadata:
+      name: {{ .Release.Name }}-post-delete-job-remove-allowlist-synchronizer
+      labels:
+        app.kubernetes.io/name: dash0-operator
+        app.kubernetes.io/component: remove-allowlist-synchronizer
+        app.kubernetes.io/instance: post-delete-hook
+        app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+        helm.sh/chart: {{ include "dash0-operator.chartNameWithVersion" . }}
+        cloud.google.com/matching-allowlist: dash0-post-delete-remove-allowlist-synchronizer-v1.0.1
+    spec:
+      restartPolicy: OnFailure
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: "dash0.com/enable"
+                    operator: "NotIn"
+                    values: ["false"]
+                  - key: "kubernetes.io/os"
+                    operator: "In"
+                    values: ["linux"]
+{{- if .Values.operator.tolerations }}
+      tolerations:
+        {{- toYaml .Values.operator.tolerations | nindent 8 }}
+{{- end }}
+{{- if .Values.operator.managerPriorityClassName }}
+      priorityClassName: {{ .Values.operator.managerPriorityClassName }}
+{{- end }}
+      containers:
+        - name: remove-allowlist-synchronizer-job
+          image: {{ include "dash0-operator.image" . | quote }}
+          imagePullPolicy: {{ .Values.operator.image.pullPolicy }}
+          command:
+            - /manager
+          args:
+            - "--delete-allowlist-synchronizer"
+          {{ include "dash0-operator.restrictiveContainerSecurityContext" dict | nindent 10 }}
+          env:
+            - name: GOMEMLIMIT
+              value: {{ .Values.operator.managerContainerResources.gomemlimit }}
+          resources:
+            {{- unset (.Values.operator.managerContainerResources | mustDeepCopy) "gomemlimit" | toYaml | nindent 12 }}
+      {{- with .Values.operator.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      securityContext:
+        runAsNonRoot: true
+      serviceAccountName: {{ template "dash0-operator.postDeleteHookServiceAccountName" . }}
+      automountServiceAccountToken: true
+  backoffLimit: 2
+{{- end }}

helm-chart/dash0-operator/tests/operator/__snapshot__/gke-autopilot-allowlist-synchronizer_test.yaml.snap

@@ -12,6 +12,7 @@ should install the GKE Autopilot AllowlistSynchronizer if operator.gke.autopilot
         - Dash0/operator/v1.0.1/dash0-opentelemetry-cluster-metrics-collector-v1.0.1.yaml
         - Dash0/operator/v1.0.1/dash0-opentelemetry-collector-agent-v1.0.1.yaml
         - Dash0/operator/v1.0.1/dash0-operator-manager-v1.0.1.yaml
+        - Dash0/operator/v1.0.1/dash0-post-delete-remove-allowlist-synchronizer-v1.0.1.yaml
         - Dash0/operator/v1.0.1/dash0-post-install-v1.0.1.yaml
         - Dash0/operator/v1.0.1/dash0-pre-delete-v1.0.1.yaml
         - Dash0/operator/v1.0.1/dash0-target-allocator-v1.0.1.yaml

internal/postdelete/operator_post_delete_handler.go

@@ -0,0 +1,130 @@
+// SPDX-FileCopyrightText: Copyright 2026 Dash0 Inc.
+// SPDX-License-Identifier: Apache-2.0
+
+package postdelete
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/go-logr/logr"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/rest"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	dash0v1alpha1 "github.com/dash0hq/dash0-operator/api/operator/v1alpha1"
+	dash0v1beta1 "github.com/dash0hq/dash0-operator/api/operator/v1beta1"
+)
+
+const (
+	defaultTimeout = 2 * time.Minute
+
+	gkeAutopilotAllowlistSynchronizerGroup   = "auto.gke.io"
+	gkeAutopilotAllowlistSynchronizerKind    = "AllowlistSynchronizer"
+	gkeAutopilotAllowlistSynchronizerVersion = "v1"
+	dash0AllowlistSynchronizerName           = "dash0-allowlist-synchronizer"
+)
+
+var (
+	// "allowlistsynchronizers"
+	gkeAutopilotAllowlistSynchronizerPlural = fmt.Sprintf("%ss", strings.ToLower(gkeAutopilotAllowlistSynchronizerKind))
+
+	// "allowlistsynchronizers.auto.gke.io"
+	gkeAutopilotAllowlistSynchronizerCrdName = fmt.Sprintf(
+		"%s.%s",
+		gkeAutopilotAllowlistSynchronizerPlural,
+		gkeAutopilotAllowlistSynchronizerGroup,
+	)
+)
+
+type OperatorPostDeleteHandler struct {
+	client  client.WithWatch
+	logger  *logr.Logger
+	timeout time.Duration
+}
+
+func NewOperatorPostDeleteHandler() (*OperatorPostDeleteHandler, error) {
+	config := ctrl.GetConfigOrDie()
+	return NewOperatorPostDeleteHandlerFromConfig(config)
+}
+
+func NewOperatorPostDeleteHandlerFromConfig(config *rest.Config) (*OperatorPostDeleteHandler, error) {
+	logger := ctrl.Log.WithName("dash0-remove-allowlist-synchronizer")
+	s := runtime.NewScheme()
+	if err := dash0v1alpha1.AddToScheme(s); err != nil {
+		return nil, err
+	}
+	if err := dash0v1beta1.AddToScheme(s); err != nil {
+		return nil, err
+	}
+	if err := apiextensionsv1.AddToScheme(s); err != nil {
+		return nil, err
+	}
+	k8sClient, err := client.NewWithWatch(config, client.Options{
+		Scheme: s,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to create the dynamic client: %w", err)
+	}
+
+	return &OperatorPostDeleteHandler{
+		client:  k8sClient,
+		logger:  &logger,
+		timeout: defaultTimeout,
+	}, nil
+}
+
+func (h *OperatorPostDeleteHandler) setTimeout(timeout time.Duration) {
+	h.timeout = timeout
+}
+
+func (h *OperatorPostDeleteHandler) DeleteGkeAutopilotAllowlistSynchronizer(ctx context.Context, logger *logr.Logger) error {
+	if err := h.client.Get(ctx, client.ObjectKey{
+		Name: gkeAutopilotAllowlistSynchronizerCrdName,
+	}, &apiextensionsv1.CustomResourceDefinition{}); err != nil {
+		if !apierrors.IsNotFound(err) {
+			logger.Error(
+				err,
+				fmt.Sprintf(
+					"error when checking for the existence of the GKE Autopilot AllowlistSynchronizer CRD (client.Get(\"%s\") failed)",
+					gkeAutopilotAllowlistSynchronizerCrdName,
+				))
+		}
+
+		// The AllowlistSynchronizer CRD does not exist, hence we can be sure that the Dash0 AllowlistSynchronizer also
+		// does not exist. Abort the attempt to delete the AllowlistSynchronizer and terminate with exit code 0.
+		return nil
+	}
+
+	dash0AllowlistSynchronizer := &unstructured.Unstructured{}
+	dash0AllowlistSynchronizer.SetGroupVersionKind(schema.GroupVersionKind{
+		Group:   gkeAutopilotAllowlistSynchronizerGroup,
+		Kind:    gkeAutopilotAllowlistSynchronizerKind,
+		Version: gkeAutopilotAllowlistSynchronizerVersion,
+	})
+	dash0AllowlistSynchronizer.SetName(dash0AllowlistSynchronizerName)
+
+	if err := h.client.Delete(ctx, dash0AllowlistSynchronizer); err != nil {
+		if apierrors.IsNotFound(err) {
+			// The dash0-allowlist-synchronizer resource does not exist, nothing to do.
+			return nil
+		} else {
+			logger.Error(
+				err,
+				fmt.Sprintf(
+					"error when attempting to delete the Dash0 AllowlistSynchronizer (%s: %s)",
+					dash0AllowlistSynchronizerName,
+					gkeAutopilotAllowlistSynchronizerCrdName,
+				))
+			return err
+		}
+	}
+	return nil
+}