
Helm chart: add customPodAnnotations and customDeploymentAnnotations support #4470

@geoffmore

Overview

The PGO Helm chart supports customPodLabels for injecting custom labels into the operator pod template, but has no equivalent for annotations. This makes it impossible to add pod-level annotations (e.g., kube-linter ignore directives, Prometheus scrape config, Datadog/OTel annotations) without a post-renderer.

Use Case

When deploying PGO via the OCI Helm chart in a CI pipeline with kube-linter, several checks flag the operator Deployment for expected operator behavior. The standard way to suppress these per-object is via ignore-check.kube-linter.io/* annotations on the pod, but there's no way to inject them through chart values.

kube-linter failures on PGO 6.0.1 Helm chart (all expected for a k8s operator):

| Check | Object | Reason it's a false positive |
| --- | --- | --- |
| access-to-create-pods | ClusterRoleBinding | Operator creates StatefulSets and Jobs |
| access-to-secrets | ClusterRoleBinding | Operator manages PostgreSQL user Secrets |
| liveness-port | Deployment | Probe targets port 8081 which is not declared as a containerPort |
| readiness-port | Deployment | Same as above |
| minimum-two-replicas | Deployment | Singleton operator with leader election |
| no-node-affinity | Deployment | Operator does not need node affinity |
| no-rolling-update-strategy | Deployment | Recreate is intentional for leader election safety |
| restart-policy | Deployment | Deployment default is Always, just not explicit |

Desired Behavior

Add annotation support at both the Deployment and pod template levels, mirroring the existing customPodLabels pattern.

Deployment-level annotations are used by GitOps tools (ArgoCD sync options, Flux reconciliation config) and other controllers. Pod-level annotations are used by service meshes, linters, observability agents, etc.

values.yaml:

# customDeploymentAnnotations: {}
# customPodAnnotations: {}

templates/_helpers.tpl (alongside existing install.customPodLabels):

+{{/*
+Custom Deployment Annotations
+*/}}
+{{- define "install.customDeploymentAnnotations" -}}
+{{- if .Values.customDeploymentAnnotations -}}
+{{ toYaml .Values.customDeploymentAnnotations }}
+{{- end}}
+{{- end }}
+
+{{/*
+Custom Pod Annotations
+*/}}
+{{- define "install.customPodAnnotations" -}}
+{{- if .Values.customPodAnnotations -}}
+{{ toYaml .Values.customPodAnnotations }}
+{{- end}}
+{{- end }}
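Review bot: annotation values must be strings, and `toYaml` on the values map emits whatever scalar type the user wrote, so `customPodAnnotations: {prometheus.io/port: 8081}` renders an unquoted integer that the API server rejects on apply; either document next to the two new values.yaml keys that every value must be a quoted string, or coerce in the helper by ranging over the map and emitting `{{ $k }}: {{ $v | quote }}` instead of `toYaml`. Minor: `{{- end}}` in both helpers lacks the space used by the surrounding `{{- end }}`.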

templates/manager.yaml (Deployment metadata and pod template):

 metadata:
   name: {{ .Chart.Name }}
   labels:
     {{- include "install.labels" . | nindent 4 }}
     {{- include "install.clusterLabels" . | nindent 4 }}
+  {{- with (include "install.customDeploymentAnnotations" .) }}
+  annotations:
+    {{- . | nindent 4 }}
+  {{- end }}
 spec:
   ...
   template:
     metadata:
       labels:
         {{- include "install.clusterLabels" . | nindent 8 }}
         {{- include "install.customPodLabels" . | nindent 8 }}
+      {{- with (include "install.customPodAnnotations" .) }}
+      annotations:
+        {{- . | nindent 8 }}
+      {{- end }}
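Review bot: the two additions behave differently on upgrade and that deserves a comment on the values.yaml keys: any change to `customPodAnnotations` changes the pod template hash and rolls the operator (with the Recreate strategy noted in the table, that is a brief outage), whereas `customDeploymentAnnotations` only touches Deployment metadata and rolls nothing. The `with (include ...)` guard correctly omits the `annotations:` key when the helper renders empty; please check the parts of manager.yaml outside this hunk do not already emit an `annotations:` key under either metadata block, since that would produce a duplicate mapping key.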

Secondary: undeclared health check port

The Deployment's liveness/readiness probes target port 8081 but only port 8443 (metrics) is declared as a containerPort. Adding the health check port would improve compatibility with linting tools and make the pod spec self-documenting:

       ports:
       - containerPort: 8443
         name: metrics
+      - containerPort: 8081
+        name: health
       livenessProbe:
         httpGet:
           path: /readyz
-          port: 8081
+          port: health
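Review bot: only the livenessProbe is changed here; the readinessProbe, which the table lists as failing `readiness-port` for the same reason, needs the same `port: health` edit or kube-linter will still flag it. Declaring the containerPort is informational and does not gate traffic, so adding it is safe, and `health` satisfies the port-name rules (lowercase alphanumerics and hyphens, at most 15 characters, at least one letter). The liveness probe hitting `/readyz` is pre-existing and not introduced by this change, but is worth a look while this block is being touched.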

Note on chart source

The Helm chart source does not appear to be publicly available — it is not in this repository or any other CrunchyData repository that I could find. The diffs above are based on the extracted chart from the OCI registry (helm pull oci://registry.developers.crunchydata.com/crunchydata/pgo --version 6.0.1).

Related Issues

Environment

  • PGO Helm chart version: 6.0.1 (oci://registry.developers.crunchydata.com/crunchydata/pgo)
  • Kubernetes: v1.34.10+k3s1
  • Deployment method: ArgoCD with kube-linter in CI
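An added example, not code from this issue or from the PGO chart: a small offline re-implementation of two checks discussed above. The first is the probe-port rule behind the `liveness-port`/`readiness-port` failures, run against a Deployment before and after the proposed health port change (applied to both probes); the second is the annotation-value check that a `toYaml`-based helper would not perform, since annotation values must be strings. The `DEPLOYMENT_BEFORE` dict is constructed to mirror the shape described in the issue and is not the chart's rendered output; the function names are this example's own.

```python
import copy

# Constructed sample input for this example: a Deployment with the shape the
# issue describes (one container, metrics port 8443 declared, both probes
# aimed at 8081). It is not the chart's actual rendered output.
DEPLOYMENT_BEFORE = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "pgo", "labels": {"app": "pgo"}},
    "spec": {
        "strategy": {"type": "Recreate"},
        "template": {
            "metadata": {"labels": {"app": "pgo"}},
            "spec": {
                "containers": [
                    {
                        "name": "operator",
                        "ports": [{"containerPort": 8443, "name": "metrics"}],
                        "livenessProbe": {"httpGet": {"path": "/readyz", "port": 8081}},
                        "readinessProbe": {"httpGet": {"path": "/readyz", "port": 8081}},
                    }
                ]
            },
        },
    },
}

PROBE_KEYS = ("livenessProbe", "readinessProbe", "startupProbe")


def _declared_ports(container):
    """Numbers and names of the container's declared containerPorts."""
    ports = container.get("ports") or []
    return ({p["containerPort"] for p in ports},
            {p["name"] for p in ports if "name" in p})


def undeclared_probe_ports(deployment):
    """Re-implementation of the liveness-port/readiness-port idea: flag each
    httpGet/tcpSocket probe whose port is neither a declared containerPort
    number nor a declared containerPort name."""
    findings = []
    for c in deployment["spec"]["template"]["spec"]["containers"]:
        numbers, names = _declared_ports(c)
        for key in PROBE_KEYS:
            probe = c.get(key) or {}
            handler = probe.get("httpGet") or probe.get("tcpSocket")
            if not handler or "port" not in handler:
                continue
            port = handler["port"]
            declared = port in numbers if isinstance(port, int) else port in names
            if not declared:
                findings.append(f"{c['name']}/{key}: port {port} is not a declared containerPort")
    return findings


def apply_health_port_fix(deployment, port=8081, name="health"):
    """Return a copy with `port` declared under `name` and every probe that
    targeted it by number rewritten to target it by name (the manager.yaml
    change proposed in the issue, applied to both probes). Input is untouched."""
    fixed = copy.deepcopy(deployment)
    for c in fixed["spec"]["template"]["spec"]["containers"]:
        numbers, _ = _declared_ports(c)
        if port not in numbers:
            c.setdefault("ports", []).append({"containerPort": port, "name": name})
        for key in PROBE_KEYS:
            for kind in ("httpGet", "tcpSocket"):
                handler = (c.get(key) or {}).get(kind)
                if handler and handler.get("port") == port:
                    handler["port"] = name
    return fixed


def non_string_annotation_values(annotations):
    """Annotation values must be strings. A toYaml-based helper emits a bare
    number or bool exactly as written in values.yaml, so a value such as
    `prometheus.io/port: 8081` is rejected by the API server. Returns the
    offending keys, sorted."""
    return sorted(k for k, v in annotations.items() if not isinstance(v, str))


def kube_linter_ignore_annotations(reasons):
    """Build the per-object ignore annotations the issue refers to,
    `ignore-check.kube-linter.io/<check-name>: <reason>`, from a
    check-name -> reason mapping. Values are strings by construction."""
    return {f"ignore-check.kube-linter.io/{check}": reason for check, reason in reasons.items()}


if __name__ == "__main__":
    for finding in undeclared_probe_ports(DEPLOYMENT_BEFORE):
        print("before:", finding)
    print("after fix:", undeclared_probe_ports(apply_health_port_fix(DEPLOYMENT_BEFORE)))
    annotations = kube_linter_ignore_annotations({
        "minimum-two-replicas": "singleton operator with leader election",
        "no-rolling-update-strategy": "Recreate is intentional for leader election safety",
    })
    annotations["prometheus.io/port"] = 8081  # the mistake a toYaml helper passes through
    print("non-string annotation values:", non_string_annotation_values(annotations))
```

Running the file reports both probes as undeclared before the fix and nothing after it, which is exactly the difference between the two kube-linter results; the last line shows why values handed to the proposed helpers should be quoted strings in values.yaml.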
