feat(bundler): add pre-flight checks to deploy.sh and post-flight to undeploy.sh

yuanchen8911 · yuanchen8911 · commit 6676a4a66f75 · 2026-03-11T18:11:25.000-07:00
deploy.sh now runs pre-flight checks before installing components:
- Detects terminating namespaces that overlap with bundle components
- Detects stale mutating/validating webhooks whose backing services
  no longer exist (blocks pod creation with fail-closed webhooks)
- Detects unavailable API services (blocks namespace deletion)
- Aborts with actionable fix instructions if issues are found

undeploy.sh now runs post-flight verification after cleanup:
- Warns about remaining terminating namespaces
- Warns about stale webhooks missed by the orphan cleanup
- Warns about unavailable API services
- Reports clean/dirty state for subsequent deploy.sh

These checks prevent silent deployment failures caused by stale
cluster-scoped resources from a previous install/uninstall cycle.
diff --git a/pkg/bundler/deployer/helm/templates/deploy.sh.tmpl b/pkg/bundler/deployer/helm/templates/deploy.sh.tmpl
@@ -47,6 +47,63 @@ helm_failed() {
 # all pods start successfully. These components are installed without --wait.
 ASYNC_COMPONENTS="kai-scheduler"
 
+# ==============================================================================
+# Pre-flight checks
+# ==============================================================================
+# Verify the cluster is clean before deploying. Stale webhooks, terminating
+# namespaces, and orphaned API services from a previous install can block pod
+# creation and namespace deletion, causing silent deployment failures.
+
+preflight_failed=false
+
+# Check for terminating namespaces that overlap with our components
+for ns in {{ range .Components }}{{ .Namespace }} {{ end }}; do
+  phase=$(kubectl get ns "${ns}" -o jsonpath='{.status.phase}' 2>/dev/null || true)
+  if [[ "${phase}" == "Terminating" ]]; then
+    echo "ERROR: namespace '${ns}' is still terminating from a previous install."
+    echo "  Wait for it to finish, or force-finalize with:"
+    echo "    kubectl get ns ${ns} -o json | jq '.spec.finalizers=[]' | kubectl replace --raw /api/v1/namespaces/${ns}/finalize -f -"
+    preflight_failed=true
+  fi
+done
+
+# Check for stale mutating webhooks whose backing services no longer exist
+if command -v jq &>/dev/null; then
+  while IFS=$'\t' read -r wh_name svc_ns svc_name; do
+    if ! kubectl get svc "${svc_name}" -n "${svc_ns}" &>/dev/null; then
+      echo "ERROR: mutating webhook '${wh_name}' references non-existent service ${svc_ns}/${svc_name}."
+      echo "  This will block pod creation. Delete with: kubectl delete mutatingwebhookconfiguration ${wh_name}"
+      preflight_failed=true
+    fi
+  done < <(kubectl get mutatingwebhookconfigurations -o json 2>/dev/null | \
+    jq -r '.items[] | .metadata.name as $wh | .webhooks[]? | select(.clientConfig.service != null) | [$wh, .clientConfig.service.namespace, .clientConfig.service.name] | @tsv' 2>/dev/null || true)
+
+  # Check for stale validating webhooks
+  while IFS=$'\t' read -r wh_name svc_ns svc_name; do
+    if ! kubectl get svc "${svc_name}" -n "${svc_ns}" &>/dev/null; then
+      echo "ERROR: validating webhook '${wh_name}' references non-existent service ${svc_ns}/${svc_name}."
+      echo "  This will block resource creation. Delete with: kubectl delete validatingwebhookconfiguration ${wh_name}"
+      preflight_failed=true
+    fi
+  done < <(kubectl get validatingwebhookconfigurations -o json 2>/dev/null | \
+    jq -r '.items[] | .metadata.name as $wh | .webhooks[]? | select(.clientConfig.service != null) | [$wh, .clientConfig.service.namespace, .clientConfig.service.name] | @tsv' 2>/dev/null || true)
+fi
+
+# Check for stale API services (e.g., custom.metrics.k8s.io from prometheus-adapter)
+for api_svc in $(kubectl get apiservices -o json 2>/dev/null | jq -r '.items[] | select(.status.conditions[]? | .type == "Available" and .status == "False") | .metadata.name' 2>/dev/null || true); do
+  echo "ERROR: API service '${api_svc}' is unavailable. This can block namespace deletion."
+  echo "  Delete with: kubectl delete apiservice ${api_svc}"
+  preflight_failed=true
+done
+
+if [[ "${preflight_failed}" == "true" ]]; then
+  echo ""
+  echo "Pre-flight checks failed. Fix the issues above before deploying."
+  echo "To skip pre-flight checks, run: ./undeploy.sh first, then retry."
+  exit 1
+fi
+
+echo "Pre-flight checks passed."
 echo "Deploying Cloud Native Stack components..."
 
 # Install components in order
diff --git a/pkg/bundler/deployer/helm/templates/undeploy.sh.tmpl b/pkg/bundler/deployer/helm/templates/undeploy.sh.tmpl
@@ -188,4 +188,48 @@ done
 {{ range .Namespaces -}}
 delete_orphaned_webhooks_for_ns "{{ . }}"
 {{ end }}
+# ==============================================================================
+# Post-flight verification
+# ==============================================================================
+# Verify the cluster is clean after undeployment. Warn about any stale
+# resources that could block a subsequent deploy.
+
+postflight_issues=false
+
+# Check for remaining terminating namespaces
+TERMINATING=$(kubectl get namespaces -o jsonpath='{range .items[?(@.status.phase=="Terminating")]}{.metadata.name}{" "}{end}' 2>/dev/null || true)
+if [[ -n "${TERMINATING}" ]]; then
+  echo "WARNING: namespaces still terminating: ${TERMINATING}"
+  echo "  A subsequent deploy.sh may fail. Wait or force-finalize these namespaces."
+  postflight_issues=true
+fi
+
+# Check for stale webhooks
+if command -v jq &>/dev/null; then
+  stale_wh=$(kubectl get mutatingwebhookconfigurations,validatingwebhookconfigurations -o json 2>/dev/null | \
+    jq -r '.items[] | .metadata.name as $wh | .webhooks[]? | select(.clientConfig.service != null) | [$wh, .clientConfig.service.namespace, .clientConfig.service.name] | @tsv' 2>/dev/null | \
+    while IFS=$'\t' read -r wh_name svc_ns svc_name; do
+      kubectl get svc "${svc_name}" -n "${svc_ns}" &>/dev/null || echo "${wh_name}"
+    done || true)
+  if [[ -n "${stale_wh}" ]]; then
+    echo "WARNING: stale webhooks found (backing service missing): ${stale_wh}"
+    postflight_issues=true
+  fi
+fi
+
+# Check for stale API services
+stale_apis=$(kubectl get apiservices -o json 2>/dev/null | jq -r '.items[] | select(.status.conditions[]? | .type == "Available" and .status == "False") | .metadata.name' 2>/dev/null || true)
+if [[ -n "${stale_apis}" ]]; then
+  echo "WARNING: unavailable API services found: ${stale_apis}"
+  echo "  These can block namespace deletion. Delete with: kubectl delete apiservice <name>"
+  postflight_issues=true
+fi
+
+if [[ "${postflight_issues}" == "true" ]]; then
+  echo ""
+  echo "Post-flight: some stale resources remain. Run deploy.sh pre-flight checks to verify before redeploying."
+else
+  echo "Post-flight: cluster is clean."
+fi
+
 echo "Undeployment complete."
