Conversation

@mickume mickume commented Jan 15, 2026

Added annotations to help GitOps/ArgoCD deploy resources in the correct order.

The deployment of the operator stalls because the secrets

  • jumpstarter-controller-secret
  • jumpstarter-router-secret

are not being created prior to other resources depending on them.

Summary by CodeRabbit

  • Chores
    • Updated deployment configuration for controller components to establish proper synchronization ordering during rollout.


coderabbitai bot commented Jan 15, 2026

📝 Walkthrough

The PR adds the Argo CD sync-wave annotation (argocd.argoproj.io/sync-wave: "-1") to four Kubernetes resources in the Jumpstarter Helm chart so that they are synced before default-wave resources during Argo CD deployments.

Changes

  • RBAC Resources
    Files: deploy/helm/jumpstarter/charts/jumpstarter-controller/templates/rbac/role.yaml, deploy/helm/jumpstarter/charts/jumpstarter-controller/templates/rbac/role_binding.yaml, deploy/helm/jumpstarter/charts/jumpstarter-controller/templates/rbac/service_account.yaml
    Summary: Add the argocd.argoproj.io/sync-wave: "-1" annotation to the metadata.annotations block of each resource so that the RBAC objects sync before other resources
  • Job Resource
    File: deploy/helm/jumpstarter/charts/jumpstarter-controller/templates/secrets-job.yaml
    Summary: Add the argocd.argoproj.io/sync-wave: "-1" annotation to metadata.annotations for sync ordering

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested reviewers

  • mangelajo

Poem

🐰 Hops with glee across the sync-wave,
Annotations dance in "-1" waves,
RBAC first, then jobs take flight,
Argo CD orders all just right!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped: CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title 'force secrets-job to run first' directly and specifically describes the main change: adding ArgoCD sync-wave annotations to ensure the secrets-job executes before other resources.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.




📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 64b465d and 429959c.

📒 Files selected for processing (4)
  • deploy/helm/jumpstarter/charts/jumpstarter-controller/templates/rbac/role.yaml
  • deploy/helm/jumpstarter/charts/jumpstarter-controller/templates/rbac/role_binding.yaml
  • deploy/helm/jumpstarter/charts/jumpstarter-controller/templates/rbac/service_account.yaml
  • deploy/helm/jumpstarter/charts/jumpstarter-controller/templates/secrets-job.yaml
🧰 Additional context used
🧠 Learnings (6)
📚 Learning: 2025-11-14T15:47:36.325Z
Learnt from: mangelajo
Repo: jumpstarter-dev/jumpstarter-controller PR: 190
File: api/v1alpha1/exporter_helpers.go:16-24
Timestamp: 2025-11-14T15:47:36.325Z
Learning: In the jumpstarter-controller project, migration annotations (jumpstarter.dev/migrated-namespace and jumpstarter.dev/migrated-uid) that override namespace and UID values in authentication tokens are acceptable without additional validation webhooks because the security model assumes only administrators have write access to Exporter and Client resources via K8s RBAC.

Applied to files:

  • deploy/helm/jumpstarter/charts/jumpstarter-controller/templates/rbac/service_account.yaml
  • deploy/helm/jumpstarter/charts/jumpstarter-controller/templates/rbac/role.yaml
📚 Learning: 2025-05-13T19:56:27.924Z
Learnt from: NickCao
Repo: jumpstarter-dev/jumpstarter-controller PR: 137
File: deploy/helm/jumpstarter/charts/jumpstarter-controller/templates/router-deployment.yaml:23-26
Timestamp: 2025-05-13T19:56:27.924Z
Learning: In the jumpstarter-controller project, the router service uses the same ConfigMap as the controller service (controller-cm.yaml) even though it has been moved to its own separate deployment.

Applied to files:

  • deploy/helm/jumpstarter/charts/jumpstarter-controller/templates/rbac/service_account.yaml
📚 Learning: 2025-10-24T11:57:23.796Z
Learnt from: mangelajo
Repo: jumpstarter-dev/jumpstarter-controller PR: 170
File: deploy/operator/internal/controller/jumpstarter/jumpstarter_controller.go:328-333
Timestamp: 2025-10-24T11:57:23.796Z
Learning: In the jumpstarter-controller operator (deploy/operator/), the design allows only one Jumpstarter CR per namespace, which will be enforced by a validation webhook. This constraint eliminates concerns about resource name collisions within a namespace.

Applied to files:

  • deploy/helm/jumpstarter/charts/jumpstarter-controller/templates/rbac/service_account.yaml
  • deploy/helm/jumpstarter/charts/jumpstarter-controller/templates/rbac/role.yaml
  • deploy/helm/jumpstarter/charts/jumpstarter-controller/templates/secrets-job.yaml
📚 Learning: 2025-10-24T11:57:13.484Z
Learnt from: mangelajo
Repo: jumpstarter-dev/jumpstarter-controller PR: 170
File: deploy/operator/internal/controller/jumpstarter/rbac.go:193-196
Timestamp: 2025-10-24T11:57:13.484Z
Learning: In the Jumpstarter operator codebase (deploy/operator/internal/controller/jumpstarter/rbac.go), the Role created by `createRole()` defines RBAC permissions for the managed Jumpstarter controller application, not for the operator itself. The managed controller needs delete permissions on secrets for its runtime operations.

Applied to files:

  • deploy/helm/jumpstarter/charts/jumpstarter-controller/templates/rbac/role.yaml
  • deploy/helm/jumpstarter/charts/jumpstarter-controller/templates/rbac/role_binding.yaml
  • deploy/helm/jumpstarter/charts/jumpstarter-controller/templates/secrets-job.yaml
📚 Learning: 2025-05-13T19:57:56.811Z
Learnt from: NickCao
Repo: jumpstarter-dev/jumpstarter-controller PR: 137
File: hack/deploy_with_helm.sh:26-34
Timestamp: 2025-05-13T19:57:56.811Z
Learning: The jumpstarter-dev repository uses a custom kind cluster configuration that allows NodePort services to use non-standard ports 5080 and 5443, outside the default Kubernetes NodePort range (30000-32767).

Applied to files:

  • deploy/helm/jumpstarter/charts/jumpstarter-controller/templates/rbac/role.yaml
📚 Learning: 2025-05-13T19:57:56.811Z
Learnt from: NickCao
Repo: jumpstarter-dev/jumpstarter-controller PR: 137
File: hack/deploy_with_helm.sh:26-34
Timestamp: 2025-05-13T19:57:56.811Z
Learning: The jumpstarter project uses a custom kind cluster configuration with an expanded NodePort range (3000-32767) and explicit port mappings for ingress (5080/5443) and gRPC services (30010/30011 mapped to 8082/8083).

Applied to files:

  • deploy/helm/jumpstarter/charts/jumpstarter-controller/templates/rbac/role.yaml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (7)
  • GitHub Check: tests
  • GitHub Check: e2e-test-operator
  • GitHub Check: deploy-kind
  • GitHub Check: lint-go
  • GitHub Check: e2e-tests-release-0-7
  • GitHub Check: e2e-tests (ubuntu-24.04-arm)
  • GitHub Check: e2e-tests (ubuntu-24.04)
🔇 Additional comments (4)
deploy/helm/jumpstarter/charts/jumpstarter-controller/templates/rbac/service_account.yaml (1)

6-7: LGTM!

The sync-wave annotation ensures this ServiceAccount is created before default-wave resources, which is necessary since the secrets-job references it via serviceAccountName: controller-manager.

deploy/helm/jumpstarter/charts/jumpstarter-controller/templates/secrets-job.yaml (1)

8-12: LGTM!

Adding sync-wave: "-1" to this Sync hook ensures it runs after wave -1 resources (including its required RBAC dependencies) are applied, but before wave 0 resources. This correctly addresses the deployment stall issue where secrets weren't available for dependent resources.

deploy/helm/jumpstarter/charts/jumpstarter-controller/templates/rbac/role.yaml (1)

6-7: LGTM!

The sync-wave annotation ensures this ClusterRole is available when the ClusterRoleBinding and secrets-job need it.

deploy/helm/jumpstarter/charts/jumpstarter-controller/templates/rbac/role_binding.yaml (1)

6-7: LGTM!

This completes the coordinated sync-wave annotations across all RBAC resources. With ServiceAccount, ClusterRole, ClusterRoleBinding, and the secrets-job all at wave "-1", Argo CD will:

  1. Apply the RBAC resources (wave -1)
  2. Execute the Sync hook (secrets-job)
  3. Proceed to wave 0 resources that depend on the created secrets




@mangelajo mangelajo merged commit 6ee2eb6 into jumpstarter-dev:main Jan 15, 2026
10 checks passed
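The ordering the review relies on (ServiceAccount, ClusterRole and ClusterRoleBinding at wave -1, the secrets-job Sync hook in the same wave, and the wave 0 workloads that consume the Secrets it creates) lives in four separate templates, so a later edit to any one of them can silently reintroduce the stall. The script below is an added example written for this page, not code from the jumpstarter-controller project: it takes the "items" of the JSON List that `helm template ... | kubectl create --dry-run=client -o json -f -` prints and checks the two dependencies this PR fixes. Which Secrets a hook Job creates cannot be read from the manifests, so the caller passes that mapping in. The embedded sample is constructed: the two Secret names and serviceAccountName: controller-manager come from this thread, while the Job, ClusterRole and ClusterRoleBinding names, the images and the namespace are assumptions.

```python
"""Lint Argo CD sync-wave ordering in rendered manifests. Added example, not
jumpstarter-controller code: pass it the "items" of the JSON List that
`helm template ... | kubectl create --dry-run=client -o json -f -` prints."""

WAVE_ANN = "argocd.argoproj.io/sync-wave"
WORKLOADS = ("DaemonSet", "Deployment", "Job", "StatefulSet")

def wave_of(obj):
    """Argo CD treats a missing sync-wave annotation as wave 0."""
    return int((obj.get("metadata", {}).get("annotations") or {}).get(WAVE_ANN, "0"))

def pod_spec_of(obj):
    return obj.get("spec", {}).get("template", {}).get("spec", {})

def secret_refs(pod_spec):
    """Secret names a pod spec reads via volumes, env secretKeyRef or envFrom."""
    names = {v["secret"]["secretName"] for v in pod_spec.get("volumes", []) if "secret" in v}
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        for env in c.get("env", []):
            ref = (env.get("valueFrom") or {}).get("secretKeyRef")
            if ref:
                names.add(ref["name"])
        names.update(s["secretRef"]["name"] for s in c.get("envFrom", []) if "secretRef" in s)
    return names

def check_waves(items, produced):
    """Return a list of ordering problems (empty = consistent). `produced` maps a Job
    name to the Secret names it creates at runtime. Equal waves are accepted: within
    a wave Argo CD applies manifests in Helm's install order (RBAC before Job)."""
    problems, by_kind = [], {}
    for obj in items:
        by_kind.setdefault(obj["kind"], {})[obj["metadata"]["name"]] = obj
    jobs = by_kind.get("Job", {})

    # 1. A Job must not land in an earlier wave than the identity it runs with.
    for name, job in jobs.items():
        jw = wave_of(job)
        sa_name = pod_spec_of(job).get("serviceAccountName", "default")
        sa = by_kind.get("ServiceAccount", {}).get(sa_name)  # absent: assumed pre-existing
        needed = [sa] if sa else []
        for bkind in ("RoleBinding", "ClusterRoleBinding"):
            for binding in by_kind.get(bkind, {}).values():
                if any(s.get("kind") == "ServiceAccount" and s.get("name") == sa_name
                       for s in binding.get("subjects") or []):
                    ref = binding["roleRef"]
                    needed += [binding, by_kind.get(ref["kind"], {}).get(ref["name"])]
        for dep in filter(None, needed):
            if wave_of(dep) > jw:
                problems.append(f"Job/{name} (wave {jw}) needs {dep['kind']}/"
                                f"{dep['metadata']['name']} (wave {wave_of(dep)})")

    # 2. Anything reading a Secret that a hook Job creates must sit in a later wave.
    source = {s: (j, wave_of(jobs[j])) for j, secs in produced.items() if j in jobs for s in secs}
    declared = set(by_kind.get("Secret", {}))  # Secrets shipped in the chart itself
    for kind in WORKLOADS:
        for name, obj in by_kind.get(kind, {}).items():
            for secret in sorted(secret_refs(pod_spec_of(obj)) - declared):
                if secret in source and (kind, name) != ("Job", source[secret][0]):
                    job_name, jw = source[secret]
                    if wave_of(obj) <= jw:
                        problems.append(f"{kind}/{name} (wave {wave_of(obj)}) reads Secret/{secret} "
                                        f"from Job/{job_name} (wave {jw}); it needs a later wave")
    return problems

# Constructed sample shaped like this chart after the PR. The two Secret names and
# serviceAccountName come from the thread; every other name and image is assumed.
PRODUCED = {"jumpstarter-secrets": {"jumpstarter-controller-secret", "jumpstarter-router-secret"}}

def sample_manifests(with_waves):
    """with_waves=False reproduces the stalled layout before the PR: all in wave 0."""
    early = {WAVE_ANN: "-1"} if with_waves else {}

    def res(kind, name, ann=None, **body):
        return {"kind": kind, "metadata": {"name": name, "annotations": dict(ann or {})}, **body}

    def pod(containers, **extra):
        return {"template": {"spec": {"containers": containers, **extra}}}

    return [
        res("ServiceAccount", "controller-manager", early),
        res("ClusterRole", "jumpstarter-manager-role", early,
            rules=[{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "create", "update", "delete"]}]),
        res("ClusterRoleBinding", "jumpstarter-manager-rolebinding", early,
            roleRef={"kind": "ClusterRole", "name": "jumpstarter-manager-role"},
            subjects=[{"kind": "ServiceAccount", "name": "controller-manager", "namespace": "jumpstarter"}]),
        res("Job", "jumpstarter-secrets", {"argocd.argoproj.io/hook": "Sync", **early},
            spec=pod([{"name": "gen", "image": "example.invalid/secrets-gen"}],
                     serviceAccountName="controller-manager")),
        res("Deployment", "jumpstarter-controller",
            spec=pod([{"name": "controller", "image": "example.invalid/controller",
                       "envFrom": [{"secretRef": {"name": "jumpstarter-controller-secret"}}]}])),
        res("Deployment", "jumpstarter-router",
            spec=pod([{"name": "router", "image": "example.invalid/router"}],
                     volumes=[{"name": "tls", "secret": {"secretName": "jumpstarter-router-secret"}}])),
    ]

if __name__ == "__main__":
    for label, ordered in (("before the PR", False), ("after the PR", True)):
        print(label + ":", check_waves(sample_manifests(ordered), PRODUCED) or "waves consistent")
```

Run as-is, the "before the PR" state reports both Deployments reading a Secret from a Job in the same wave 0 (the stall the PR describes), and the "after the PR" state is clean. For a real chart, load the kubectl JSON and pass `doc["items"]` together with the produced mapping; the check is deliberately conservative, treating a ServiceAccount or Role that is not in the chart as pre-existing and ignoring Secrets the chart declares itself, so it reports only orderings that Argo CD's waves alone cannot satisfy.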