From 61191dadcbb8736d6e0ce34c7325aef533fc3cfd Mon Sep 17 00:00:00 2001
From: Amelia Lu
Date: Wed, 1 Apr 2026 22:08:00 +0000
Subject: [PATCH 1/3] add helm.sh/hook annotation to resolve race condition
---
 charts/eks-anywhere-packages/templates/package.yaml | 4 ++++
 .../templates/packagebundlecontroller.yaml | 3 +++
 2 files changed, 7 insertions(+)
diff --git a/charts/eks-anywhere-packages/templates/package.yaml b/charts/eks-anywhere-packages/templates/package.yaml
index 0b9a4a49..72cea87b 100644
--- a/charts/eks-anywhere-packages/templates/package.yaml
+++ b/charts/eks-anywhere-packages/templates/package.yaml
@@ -7,6 +7,8 @@ apiVersion: packages.eks.amazonaws.com/v1alpha1
 kind: Package
 metadata:
 annotations:
+ "helm.sh/hook": post-install,post-upgrade
+ "helm.sh/hook-weight": "10"
 "helm.sh/resource-policy": keep
 "anywhere.eks.aws.com/internal": "true"
 name: eks-anywhere-packages
@@ -27,6 +29,8 @@ apiVersion: packages.eks.amazonaws.com/v1alpha1
 kind: Package
 metadata:
 annotations:
+ "helm.sh/hook": post-install,post-upgrade
+ "helm.sh/hook-weight": "10"
 "helm.sh/resource-policy": keep
 "anywhere.eks.aws.com/internal": "true"
 name: eks-anywhere-packages-{{ .Values.clusterName }}
diff --git a/charts/eks-anywhere-packages/templates/packagebundlecontroller.yaml b/charts/eks-anywhere-packages/templates/packagebundlecontroller.yaml
index c37506bf..0ff6b953 100644
--- a/charts/eks-anywhere-packages/templates/packagebundlecontroller.yaml
+++ b/charts/eks-anywhere-packages/templates/packagebundlecontroller.yaml
@@ -5,6 +5,9 @@
 apiVersion: packages.eks.amazonaws.com/v1alpha1
 kind: PackageBundleController
 metadata:
+ annotations:
+ "helm.sh/hook": post-install,post-upgrade
+ "helm.sh/hook-weight": "10"
 name: {{.Values.clusterName}}
 namespace: eksa-packages
 spec:
From 61877c6c4a76c20dc262a0ad1ab3ab4d0cc39838 Mon Sep 17 00:00:00 2001
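Review bot: The `"helm.sh/hook": post-install,post-upgrade` annotation added to the first Package has no `helm.sh/hook-delete-policy` beside it, and Helm then falls back to `before-hook-creation`, so every upgrade deletes the existing Package and creates it again instead of patching it. How the packages controller reacts to that delete (finalizers, tearing down the managed package) is not visible in this patch and should be confirmed before merging. The same applies to the second Package hunk, the PackageBundleController hunk and the credentialpackage.yaml hunk in patch 2. A comment above each annotation pair, for example `# Helm hook: applied after the release resources so the CRD/controller exist first; re-created on every upgrade`, would record the intended lifecycle.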
From: Amelia Lu
Date: Mon, 6 Apr 2026 23:09:32 +0000
Subject: [PATCH 2/3] Add annotation to credential provider packages
---
 charts/eks-anywhere-packages/templates/credentialpackage.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/charts/eks-anywhere-packages/templates/credentialpackage.yaml b/charts/eks-anywhere-packages/templates/credentialpackage.yaml
index 09e63bee..dfff4614 100644
--- a/charts/eks-anywhere-packages/templates/credentialpackage.yaml
+++ b/charts/eks-anywhere-packages/templates/credentialpackage.yaml
@@ -8,6 +8,9 @@ metadata:
 name: ecr-credential-provider-package
 namespace: eksa-packages-{{.Values.clusterName}}
 annotations:
+ "helm.sh/resource-policy": keep
+ "helm.sh/hook": post-install,post-upgrade
+ "helm.sh/hook-weight": "10"
 "helm.sh/resource-policy": keep
 "anywhere.eks.aws.com/internal": "true"
 spec:
From de2a3ab41ef31bb924ac4bc81aa614e6bf3cc3d2 Mon Sep 17 00:00:00 2001
From: Amelia Lu
Date: Mon, 13 Apr 2026 18:56:45 +0000
Subject: [PATCH 3/3] add cleanup hook
---
 .../templates/cleanup-hook.yaml | 50 +++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 charts/eks-anywhere-packages/templates/cleanup-hook.yaml
diff --git a/charts/eks-anywhere-packages/templates/cleanup-hook.yaml b/charts/eks-anywhere-packages/templates/cleanup-hook.yaml
new file mode 100644
index 00000000..b92cd334
--- /dev/null
+++ b/charts/eks-anywhere-packages/templates/cleanup-hook.yaml
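Review bot: The first added line in the credentialpackage.yaml hunk, `"helm.sh/resource-policy": keep`, repeats a key that is already present as a context line just below the additions, so the rendered `annotations` mapping contains the same key twice. Most YAML loaders silently keep the last value, but duplicate keys are invalid YAML and stricter parsers and linters reject them. Drop the added copy so the hunk adds only `"helm.sh/hook": post-install,post-upgrade` and `"helm.sh/hook-weight": "10"`.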
@@ -0,0 +1,50 @@
+{{- $render := include "eks-anywhere-packages.rendertype" . }}
+{{- $namespace := printf "%s-%s" "eksa-packages" .Values.clusterName -}}
+{{- if or (eq $render "controller") (eq $render "workload") }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ include "eks-anywhere-packages.fullname" . }}-cleanup
+ namespace: {{ .Values.namespace }}
+ annotations:
+ "helm.sh/hook": pre-delete
+ "helm.sh/hook-weight": "-5"
+ "helm.sh/hook-delete-policy": hook-succeeded,hook-failed,before-hook-creation
+ labels:
+ {{- include "eks-anywhere-packages.labels" . | nindent 4 }}
+spec:
+ backoffLimit: 1
+ ttlSecondsAfterFinished: 60
+ template:
+ spec:
+ serviceAccountName: {{ include "eks-anywhere-packages.serviceAccountName" . }}
+ restartPolicy: Never
+ containers:
+ - name: cleanup
+ image: {{.Values.sourceRegistry}}{{ template "template.image" .Values.controller }}
+ command:
+ - /bin/sh
+ - -c
+ - |
+ TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+ APISERVER=https://kubernetes.default.svc
+ CACERT=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+
+ delete_resource() {
+ local url="$1"
+ local code
+ code=$(curl -s -o /dev/null -w "%{http_code}" --cacert "$CACERT" \
+ -H "Authorization: Bearer $TOKEN" \
+ -X DELETE "$url")
+ if [ "$code" = "200" ] || [ "$code" = "404" ]; then
+ echo "OK ($code): $url"
+ else
+ echo "WARN ($code): $url"
+ fi
+ }
+
+ delete_resource "$APISERVER/apis/packages.eks.amazonaws.com/v1alpha1/namespaces/{{ $namespace }}/packages/eks-anywhere-packages"
+ delete_resource "$APISERVER/apis/packages.eks.amazonaws.com/v1alpha1/namespaces/{{ $namespace }}/packages/ecr-credential-provider-package"
+ delete_resource "$APISERVER/apis/packages.eks.amazonaws.com/v1alpha1/namespaces/eksa-packages/packagebundlecontrollers/{{ .Values.clusterName }}"
+ echo "Cleanup complete"
+{{- end }}
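Review bot: `{{ $namespace }}` and `{{ .Values.clusterName }}` are rendered straight into the shell source of the `command` block, so a cluster name containing a quote, `$` or backtick alters the script that runs with the token of the `eks-anywhere-packages.serviceAccountName` account. Passing the value through `env` with `quote` and building the URLs from a shell variable keeps it as data, as sketched below. Separately, `delete_resource` only prints `WARN` and the script always exits 0, and the `hook-succeeded,hook-failed` delete policy removes the Job either way, so a 401 or 403 from the API server leaves no trace. If best-effort cleanup is intended, a comment should say so, and `202` probably belongs with the accepted codes. The Job also reuses the controller's service account rather than one limited to `delete` on these three resources, which is worth a least-privilege look.

```yaml
# … unchanged: Job metadata, hook annotations, pod spec up to the container image …
        env:
        - name: CLUSTER_NAME
          value: {{ .Values.clusterName | quote }}
        command:
        - /bin/sh
        - -c
        - |
          # … unchanged: TOKEN, APISERVER, CACERT, delete_resource() …
          NS="eksa-packages-$CLUSTER_NAME"
          BASE="$APISERVER/apis/packages.eks.amazonaws.com/v1alpha1"

          delete_resource "$BASE/namespaces/$NS/packages/eks-anywhere-packages"
          delete_resource "$BASE/namespaces/$NS/packages/ecr-credential-provider-package"
          delete_resource "$BASE/namespaces/eksa-packages/packagebundlecontrollers/$CLUSTER_NAME"
          # … unchanged: final echo …
```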