refactor: move CRD apply from Helm hook Job to init container on operator Deployment (#6780)

Signed-off-by: Julien Mancuso <jmancuso@nvidia.com>

deploy/helm/charts/platform/components/operator/templates/deployment.yaml

@@ -58,6 +58,17 @@ spec:
       affinity:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- if .Values.upgradeCRD }}
+      initContainers:
+      - name: crd-apply
+        image: {{ .Values.controllerManager.manager.image.repository }}:{{ .Values.controllerManager.manager.image.tag | default .Chart.AppVersion }}
+        imagePullPolicy: {{ .Values.controllerManager.manager.image.pullPolicy | default "IfNotPresent" }}
+        securityContext: {{- toYaml .Values.controllerManager.manager.containerSecurityContext | nindent 10 }}
+        command: ["/crd-apply"]
+        args:
+          - "--crds-dir=/opt/dynamo-operator/crds/"
+          - "--version={{ .Chart.AppVersion }}"
+      {{- end }}
       containers:
       - args: {{- toYaml .Values.controllerManager.kubeRbacProxy.args | nindent
           8 }}

deploy/helm/charts/platform/components/operator/templates/upgrade-crd.yaml

-# SPDX-FileCopyrightText: Copyright (c) 2025-2026 NVIDIA CORPORATION & AFFILIATES. All rights reserved.
-# SPDX-License-Identifier: Apache-2.0
-
-{{- if .Values.upgradeCRD }}
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{ include "dynamo-operator.fullname" . }}-{{ .Release.Namespace }}-crd-apply-sa
-  namespace: {{ .Release.Namespace }}
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation
-    helm.sh/hook-weight: "0"
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: {{ include "dynamo-operator.fullname" . }}-{{ .Release.Namespace }}-crd-apply-role
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation
-    helm.sh/hook-weight: "0"
-rules:
-  - apiGroups:
-      - apiextensions.k8s.io
-    resources:
-      - customresourcedefinitions
-    verbs:
-      - create
-      - get
-      - list
-      - watch
-      - patch
-      - update
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: {{ include "dynamo-operator.fullname" . }}-{{ .Release.Namespace }}-crd-apply-binding
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation
-    helm.sh/hook-weight: "0"
-subjects:
-  - kind: ServiceAccount
-    name: {{ include "dynamo-operator.fullname" . }}-{{ .Release.Namespace }}-crd-apply-sa
-    namespace: {{ .Release.Namespace }}
-roleRef:
-  kind: ClusterRole
-  name: {{ include "dynamo-operator.fullname" . }}-{{ .Release.Namespace }}-crd-apply-role
-  apiGroup: rbac.authorization.k8s.io
----
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: {{ include "dynamo-operator.fullname" . }}-crd-apply
-  namespace: {{ .Release.Namespace }}
-  annotations:
-    helm.sh/hook: pre-install,pre-upgrade
-    helm.sh/hook-weight: "1"
-    helm.sh/hook-delete-policy: hook-succeeded,before-hook-creation
-  labels:
-    {{- include "dynamo-operator.labels" . | nindent 4 }}
-    app.kubernetes.io/component: crd-apply
-spec:
-  template:
-    metadata:
-      name: {{ include "dynamo-operator.fullname" . }}-crd-apply
-      labels:
-        {{- include "dynamo-operator.labels" . | nindent 8 }}
-        app.kubernetes.io/component: crd-apply
-    spec:
-      serviceAccountName: {{ include "dynamo-operator.fullname" . }}-{{ .Release.Namespace }}-crd-apply-sa
-      {{- with .Values.imagePullSecrets }}
-      imagePullSecrets:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.controllerManager.tolerations }}
-      tolerations:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.controllerManager.affinity }}
-      affinity:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
-      securityContext:
-        seccompProfile:
-          type: RuntimeDefault
-        runAsNonRoot: true
-      containers:
-        - name: crd-apply
-          image: {{ .Values.controllerManager.manager.image.repository }}:{{ .Values.controllerManager.manager.image.tag | default .Chart.AppVersion }}
-          imagePullPolicy: {{ .Values.controllerManager.manager.image.pullPolicy | default "IfNotPresent" }}
-          command: ["/crd-apply"]
-          args:
-            - "--crds-dir=/opt/dynamo-operator/crds/"
-            - "--version={{ .Chart.AppVersion }}"
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-                - ALL
-          resources:
-            limits:
-              cpu: 500m
-              memory: 256Mi
-            requests:
-              cpu: 100m
-              memory: 128Mi
-      restartPolicy: OnFailure
-{{- end }}

deploy/helm/charts/platform/components/operator/values.yaml

@@ -16,8 +16,9 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 
-# Whether to manage CRDs via a pre-install/pre-upgrade hook Job.
-# The Job runs the operator image with the crd-apply tool to apply CRDs via server-side apply.
+# Whether to apply CRDs via an init container on the operator Deployment.
+# Uses server-side apply with the bundled /crd-apply binary.
+# Set to false if CRDs are managed externally (e.g., via GitOps or a separate pipeline).
 upgradeCRD: true
 
 # Namespace restriction configuration for the operator