Skip to content

Hook delete policy annotation evaluation behavior discrepancy between helm/argo #26702

New issue
New issue
Open
#26828
Open
Hook delete policy annotation evaluation behavior discrepancy between helm/argo#26702
#26828
Labels
bugSomething isn't workingfeature:hooksIssue related to Argo Sync or Helm hooks
@mxie-philips

Description

@mxie-philips
mxie-philips
opened on Mar 5, 2026

Checklist:

  • I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
  • I've included steps to reproduce the bug.
  • I've pasted the output of argocd version.

Describe the bug

According to the docs, ArgoCD will map helm helm.sh/hook-delete-policy annotations to their respective argocd.argoproj.io/hook-delete-policy annotations. In helm, I've observed that hook delete annotations (specifically hook-succeeded) are executed after each hook event type (e.g pre-install, then post-install). In Argo, the hook-succeeded annotation seems to be executed after the entire sync (pre-sync, sync, and post-sync) is completed. This results in potentially different behaviors when a chart is deployed via helm vs. Argo when using hook delete annotations.

I've illustrated this below by having a post-install Job trying to reference a pre-install ServiceAccount with all hook delete annotations set. This fails when using helm as the ServiceAccount is deleted after the pre-install step and the Job can't reference it, but succeeds using argo as the ServiceAccount will stay alive until the very end of the sync.

To Reproduce

Create a basic chart with the following contents in a manifests .yaml file. Attempt installation using both helm and argoCD to observe the differences in behavior.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: normal-sa
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pre-sa
  annotations:
    "helm.sh/hook": pre-install
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
---
apiVersion: batch/v1
kind: Job
metadata:
  name: post-job
  annotations:
    "helm.sh/hook": post-install
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
spec:
  backoffLimit: 1
  template:
    spec:
      serviceAccountName: pre-sa
      restartPolicy: Never
      containers:
      - name: cont
        image: busybox
        command: ["sh", "-c", "echo post-install job running; sleep 5"]

Expected behavior

I would expect that argo hook delete annotations would be evaluated at the end of each phase (pre-sync, then sync, then post-sync) , but am unsure if it was implemented this way on purpose.

Screenshots

Image

Version

Image Image

Logs

N/A

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't workingfeature:hooksIssue related to Argo Sync or Helm hooks

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions