From 3a7ee648bd505d0c0ea32c1f55dfc4fb2659ec5d Mon Sep 17 00:00:00 2001
From: Gianluca Mardente
Date: Tue, 13 Jan 2026 21:52:45 +0100
Subject: [PATCH] Pre and post delete checks
---
 api/v1beta1/clusterpromotion_types.go | 14 +
 api/v1beta1/spec.go | 14 +
 api/v1beta1/zz_generated.deepcopy.go | 28 +
 ...fig.projectsveltos.io_clusterprofiles.yaml | 212 ++++
 ...g.projectsveltos.io_clusterpromotions.yaml | 218 ++++
 ...ig.projectsveltos.io_clustersummaries.yaml | 218 ++++
 .../config.projectsveltos.io_profiles.yaml | 212 ++++
 controllers/clusterpromotion_controller.go | 3 +
 controllers/delete_checks.go | 80 ++
 controllers/handlers_helm.go | 12 +
 controllers/handlers_kustomize.go | 46 +-
 controllers/handlers_resources.go | 113 ++-
 manifest/manifest.yaml | 956 +++++++++++++++++-
 13 files changed, 1989 insertions(+), 137 deletions(-)
 create mode 100644 controllers/delete_checks.go
diff --git a/api/v1beta1/clusterpromotion_types.go b/api/v1beta1/clusterpromotion_types.go
index 1f110584..d526dc7b 100644
--- a/api/v1beta1/clusterpromotion_types.go
+++ b/api/v1beta1/clusterpromotion_types.go
@@ -178,6 +178,20 @@ type ProfileSpec struct {
 // This field is optional. If not set, Sveltos default behavior is to keep retrying.
 // +optional
 MaxConsecutiveFailures *uint `json:"maxConsecutiveFailures,omitempty"`
+
+ // PreDeleteChecks is a slice of Lua functions to run against
+ // the managed cluster *before* Sveltos starts deleting resources.
+ // If any of these fail, the deletion process is halted.
+ // +listType=atomic
+ // +optional
+ PreDeleteChecks []libsveltosv1beta1.ValidateHealth `json:"preDeleteChecks,omitempty"`
+
+ // PostDeleteChecks is a slice of Lua functions to run against
+ // the managed cluster *after* Sveltos has deleted all resources.
+ // This ensures that the environment has reached the desired clean state.
+ // +listType=atomic
+ // +optional
+ PostDeleteChecks []libsveltosv1beta1.ValidateHealth `json:"postDeleteChecks,omitempty"`
 }
 // AutoTrigger defines the conditions for an automatic promotion.
diff --git a/api/v1beta1/spec.go b/api/v1beta1/spec.go
index a9c0dd67..53309919 100644
--- a/api/v1beta1/spec.go
+++ b/api/v1beta1/spec.go
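Review bot: The new field comments describe PreDeleteChecks and PostDeleteChecks as "a slice of Lua functions", yet the ValidateHealth type they use also carries CEL rules (the generated CRD schema in this same commit lists `evaluateCEL` next to `script`), so the doc undersells the field; the identical comment is repeated in the spec.go hunk. The comment also leaves two things a user has to guess: what FeatureID selects for a delete check (the inherited FeatureID description still says the check runs "after all helm charts ... are deployed"), and what "the deletion process is halted" means for the finalizer — retried on the next reconcile or blocked until the spec changes. Suggest `// PreDeleteChecks is a list of health checks (Lua script or CEL rules) evaluated against` / `// the managed cluster before Sveltos removes the resources of the feature named by FeatureID.`, followed by one sentence stating whichever retry semantics the controller actually implements.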
@@ -807,6 +807,20 @@ type Spec struct {
 // +optional
 MaxConsecutiveFailures *uint `json:"maxConsecutiveFailures,omitempty"`
+ // PreDeleteChecks is a slice of Lua functions to run against
+ // the managed cluster *before* Sveltos starts deleting resources.
+ // If any of these fail, the deletion process is halted.
+ // +listType=atomic
+ // +optional
+ PreDeleteChecks []libsveltosv1beta1.ValidateHealth `json:"preDeleteChecks,omitempty"`
+
+ // PostDeleteChecks is a slice of Lua functions to run against
+ // the managed cluster *after* Sveltos has deleted all resources.
+ // This ensures that the environment has reached the desired clean state.
+ // +listType=atomic
+ // +optional
+ PostDeleteChecks []libsveltosv1beta1.ValidateHealth `json:"postDeleteChecks,omitempty"`
+
+ // ExtraLabels: These labels will be added by Sveltos to all Kubernetes resources deployed in
+ // a managed cluster based on this ClusterProfile/Profile instance.
+ // **Important:** If a resource deployed by Sveltos already has a label with a key present in
diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
index 2ab49f0b..ec78f38d 100644
--- a/api/v1beta1/zz_generated.deepcopy.go
+++ b/api/v1beta1/zz_generated.deepcopy.go
@@ -1114,6 +1114,20 @@ func (in *ProfileSpec) DeepCopyInto(out *ProfileSpec) {
 *out = new(uint)
 **out = **in
 }
+ if in.PreDeleteChecks != nil {
+ in, out := &in.PreDeleteChecks, &out.PreDeleteChecks
+ *out = make([]apiv1beta1.ValidateHealth, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+ if in.PostDeleteChecks != nil {
+ in, out := &in.PostDeleteChecks, &out.PostDeleteChecks
+ *out = make([]apiv1beta1.ValidateHealth, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
 }
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProfileSpec.
@@ -1245,6 +1259,20 @@ func (in *Spec) DeepCopyInto(out *Spec) {
 *out = new(uint)
 **out = **in
 }
+ if in.PreDeleteChecks != nil {
+ in, out := &in.PreDeleteChecks, &out.PreDeleteChecks
+ *out = make([]apiv1beta1.ValidateHealth, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+ if in.PostDeleteChecks != nil {
+ in, out := &in.PostDeleteChecks, &out.PostDeleteChecks
+ *out = make([]apiv1beta1.ValidateHealth, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
 if in.ExtraLabels != nil {
 in, out := &in.ExtraLabels, &out.ExtraLabels
 *out = make(map[string]string, len(*in))
diff --git a/config/crd/bases/config.projectsveltos.io_clusterprofiles.yaml b/config/crd/bases/config.projectsveltos.io_clusterprofiles.yaml
index e2412a27..3bee46aa 100644
--- a/config/crd/bases/config.projectsveltos.io_clusterprofiles.yaml
+++ b/config/crd/bases/config.projectsveltos.io_clusterprofiles.yaml
@@ -1008,6 +1008,218 @@ spec: type: object type: array x-kubernetes-list-type: atomic + postDeleteChecks: + description: |- + PostDeleteChecks is a slice of Lua functions to run against + the managed cluster *after* Sveltos has deleted all resources. + This ensures that the environment has reached the desired clean state. + items: + properties: + evaluateCEL: + description: |- + EvaluateCEL contains a list of named CEL (Common Expression Language) rules. + Each rule will be evaluated in order against each object selected based on + the criteria defined above. Each rule's expression must return a boolean value + indicating whether the object is a match. + + Evaluation stops at the first rule that returns true; subsequent + rules will not be evaluated. + items: + description: CELRule defines a named CEL rule used in EvaluateCEL. + properties: + name: + description: Name is a human-readable identifier for the + rule. + type: string + rule: + description: |- + Rule is the CEL (Common Expression Language) expression to evaluate. + It must return a bool + type: string + required: + - name + - rule + type: object + type: array + featureID: + description: |- + FeatureID is an indentifier of the feature (Helm/Kustomize/Resources) + This field indicates when to run this check. + For instance: + - if set to Helm this check will be run after all helm + charts specified in the ClusterProfile are deployed. + - if set to Resources this check will be run after the content + of all the ConfigMaps/Secrets referenced by ClusterProfile in the + PolicyRef sections is deployed + enum: + - Resources + - Helm + - Kustomize + type: string + group: + description: Group of the resource to fetch in the managed Cluster. + type: string + kind: + description: Kind of the resource to fetch in the managed Cluster. + minLength: 1 + type: string + labelFilters: + description: LabelFilters allows to filter resources based on + current labels. 
+ items: + properties: + key: + description: Key is the label key + type: string + operation: + description: Operation is the comparison operation + enum: + - Equal + - Different + - Has + - DoesNotHave + type: string + value: + description: Value is the label value + type: string + required: + - key + - operation + type: object + type: array + name: + description: Name is the name of this check + type: string + namespace: + description: |- + Namespace of the resource to fetch in the managed Cluster. + Empty for resources scoped at cluster level. + type: string + script: + description: |- + Script is a text containing a lua script. + Must return struct with field "health" + representing whether object is a match (true or false) + type: string + version: + description: Version of the resource to fetch in the managed + Cluster. + type: string + required: + - featureID + - group + - kind + - name + - version + type: object + type: array + x-kubernetes-list-type: atomic + preDeleteChecks: + description: |- + PreDeleteChecks is a slice of Lua functions to run against + the managed cluster *before* Sveltos starts deleting resources. + If any of these fail, the deletion process is halted. + items: + properties: + evaluateCEL: + description: |- + EvaluateCEL contains a list of named CEL (Common Expression Language) rules. + Each rule will be evaluated in order against each object selected based on + the criteria defined above. Each rule's expression must return a boolean value + indicating whether the object is a match. + + Evaluation stops at the first rule that returns true; subsequent + rules will not be evaluated. + items: + description: CELRule defines a named CEL rule used in EvaluateCEL. + properties: + name: + description: Name is a human-readable identifier for the + rule. + type: string + rule: + description: |- + Rule is the CEL (Common Expression Language) expression to evaluate. 
+ It must return a bool + type: string + required: + - name + - rule + type: object + type: array + featureID: + description: |- + FeatureID is an indentifier of the feature (Helm/Kustomize/Resources) + This field indicates when to run this check. + For instance: + - if set to Helm this check will be run after all helm + charts specified in the ClusterProfile are deployed. + - if set to Resources this check will be run after the content + of all the ConfigMaps/Secrets referenced by ClusterProfile in the + PolicyRef sections is deployed + enum: + - Resources + - Helm + - Kustomize + type: string + group: + description: Group of the resource to fetch in the managed Cluster. + type: string + kind: + description: Kind of the resource to fetch in the managed Cluster. + minLength: 1 + type: string + labelFilters: + description: LabelFilters allows to filter resources based on + current labels. + items: + properties: + key: + description: Key is the label key + type: string + operation: + description: Operation is the comparison operation + enum: + - Equal + - Different + - Has + - DoesNotHave + type: string + value: + description: Value is the label value + type: string + required: + - key + - operation + type: object + type: array + name: + description: Name is the name of this check + type: string + namespace: + description: |- + Namespace of the resource to fetch in the managed Cluster. + Empty for resources scoped at cluster level. + type: string + script: + description: |- + Script is a text containing a lua script. + Must return struct with field "health" + representing whether object is a match (true or false) + type: string + version: + description: Version of the resource to fetch in the managed + Cluster. + type: string + required: + - featureID + - group + - kind + - name + - version + type: object + type: array + x-kubernetes-list-type: atomic reloader: default: false description: |- 
diff --git a/config/crd/bases/config.projectsveltos.io_clusterpromotions.yaml b/config/crd/bases/config.projectsveltos.io_clusterpromotions.yaml
index ae8169c0..66af7600 100644
--- a/config/crd/bases/config.projectsveltos.io_clusterpromotions.yaml
+++ b/config/crd/bases/config.projectsveltos.io_clusterpromotions.yaml
@@ -909,6 +909,224 @@ spec: type: object type: array x-kubernetes-list-type: atomic + postDeleteChecks: + description: |- + PostDeleteChecks is a slice of Lua functions to run against + the managed cluster *after* Sveltos has deleted all resources. + This ensures that the environment has reached the desired clean state. + items: + properties: + evaluateCEL: + description: |- + EvaluateCEL contains a list of named CEL (Common Expression Language) rules. + Each rule will be evaluated in order against each object selected based on + the criteria defined above. Each rule's expression must return a boolean value + indicating whether the object is a match. + + Evaluation stops at the first rule that returns true; subsequent + rules will not be evaluated. + items: + description: CELRule defines a named CEL rule used in + EvaluateCEL. + properties: + name: + description: Name is a human-readable identifier for + the rule. + type: string + rule: + description: |- + Rule is the CEL (Common Expression Language) expression to evaluate. + It must return a bool + type: string + required: + - name + - rule + type: object + type: array + featureID: + description: |- + FeatureID is an indentifier of the feature (Helm/Kustomize/Resources) + This field indicates when to run this check. + For instance: + - if set to Helm this check will be run after all helm + charts specified in the ClusterProfile are deployed. + - if set to Resources this check will be run after the content + of all the ConfigMaps/Secrets referenced by ClusterProfile in the + PolicyRef sections is deployed + enum: + - Resources + - Helm + - Kustomize + type: string + group: + description: Group of the resource to fetch in the managed + Cluster. + type: string + kind: + description: Kind of the resource to fetch in the managed + Cluster. + minLength: 1 + type: string + labelFilters: + description: LabelFilters allows to filter resources based + on current labels. 
+ items: + properties: + key: + description: Key is the label key + type: string + operation: + description: Operation is the comparison operation + enum: + - Equal + - Different + - Has + - DoesNotHave + type: string + value: + description: Value is the label value + type: string + required: + - key + - operation + type: object + type: array + name: + description: Name is the name of this check + type: string + namespace: + description: |- + Namespace of the resource to fetch in the managed Cluster. + Empty for resources scoped at cluster level. + type: string + script: + description: |- + Script is a text containing a lua script. + Must return struct with field "health" + representing whether object is a match (true or false) + type: string + version: + description: Version of the resource to fetch in the managed + Cluster. + type: string + required: + - featureID + - group + - kind + - name + - version + type: object + type: array + x-kubernetes-list-type: atomic + preDeleteChecks: + description: |- + PreDeleteChecks is a slice of Lua functions to run against + the managed cluster *before* Sveltos starts deleting resources. + If any of these fail, the deletion process is halted. + items: + properties: + evaluateCEL: + description: |- + EvaluateCEL contains a list of named CEL (Common Expression Language) rules. + Each rule will be evaluated in order against each object selected based on + the criteria defined above. Each rule's expression must return a boolean value + indicating whether the object is a match. + + Evaluation stops at the first rule that returns true; subsequent + rules will not be evaluated. + items: + description: CELRule defines a named CEL rule used in + EvaluateCEL. + properties: + name: + description: Name is a human-readable identifier for + the rule. + type: string + rule: + description: |- + Rule is the CEL (Common Expression Language) expression to evaluate. 
+ It must return a bool + type: string + required: + - name + - rule + type: object + type: array + featureID: + description: |- + FeatureID is an indentifier of the feature (Helm/Kustomize/Resources) + This field indicates when to run this check. + For instance: + - if set to Helm this check will be run after all helm + charts specified in the ClusterProfile are deployed. + - if set to Resources this check will be run after the content + of all the ConfigMaps/Secrets referenced by ClusterProfile in the + PolicyRef sections is deployed + enum: + - Resources + - Helm + - Kustomize + type: string + group: + description: Group of the resource to fetch in the managed + Cluster. + type: string + kind: + description: Kind of the resource to fetch in the managed + Cluster. + minLength: 1 + type: string + labelFilters: + description: LabelFilters allows to filter resources based + on current labels. + items: + properties: + key: + description: Key is the label key + type: string + operation: + description: Operation is the comparison operation + enum: + - Equal + - Different + - Has + - DoesNotHave + type: string + value: + description: Value is the label value + type: string + required: + - key + - operation + type: object + type: array + name: + description: Name is the name of this check + type: string + namespace: + description: |- + Namespace of the resource to fetch in the managed Cluster. + Empty for resources scoped at cluster level. + type: string + script: + description: |- + Script is a text containing a lua script. + Must return struct with field "health" + representing whether object is a match (true or false) + type: string + version: + description: Version of the resource to fetch in the managed + Cluster. + type: string + required: + - featureID + - group + - kind + - name + - version + type: object + type: array + x-kubernetes-list-type: atomic reloader: default: false description: |- 
diff --git a/config/crd/bases/config.projectsveltos.io_clustersummaries.yaml b/config/crd/bases/config.projectsveltos.io_clustersummaries.yaml
index 1f7e6f68..4120017a 100644
--- a/config/crd/bases/config.projectsveltos.io_clustersummaries.yaml
+++ b/config/crd/bases/config.projectsveltos.io_clustersummaries.yaml
@@ -1046,6 +1046,224 @@ spec: type: object type: array x-kubernetes-list-type: atomic + postDeleteChecks: + description: |- + PostDeleteChecks is a slice of Lua functions to run against + the managed cluster *after* Sveltos has deleted all resources. + This ensures that the environment has reached the desired clean state. + items: + properties: + evaluateCEL: + description: |- + EvaluateCEL contains a list of named CEL (Common Expression Language) rules. + Each rule will be evaluated in order against each object selected based on + the criteria defined above. Each rule's expression must return a boolean value + indicating whether the object is a match. + + Evaluation stops at the first rule that returns true; subsequent + rules will not be evaluated. + items: + description: CELRule defines a named CEL rule used in + EvaluateCEL. + properties: + name: + description: Name is a human-readable identifier for + the rule. + type: string + rule: + description: |- + Rule is the CEL (Common Expression Language) expression to evaluate. + It must return a bool + type: string + required: + - name + - rule + type: object + type: array + featureID: + description: |- + FeatureID is an indentifier of the feature (Helm/Kustomize/Resources) + This field indicates when to run this check. + For instance: + - if set to Helm this check will be run after all helm + charts specified in the ClusterProfile are deployed. + - if set to Resources this check will be run after the content + of all the ConfigMaps/Secrets referenced by ClusterProfile in the + PolicyRef sections is deployed + enum: + - Resources + - Helm + - Kustomize + type: string + group: + description: Group of the resource to fetch in the managed + Cluster. + type: string + kind: + description: Kind of the resource to fetch in the managed + Cluster. + minLength: 1 + type: string + labelFilters: + description: LabelFilters allows to filter resources based + on current labels. 
+ items: + properties: + key: + description: Key is the label key + type: string + operation: + description: Operation is the comparison operation + enum: + - Equal + - Different + - Has + - DoesNotHave + type: string + value: + description: Value is the label value + type: string + required: + - key + - operation + type: object + type: array + name: + description: Name is the name of this check + type: string + namespace: + description: |- + Namespace of the resource to fetch in the managed Cluster. + Empty for resources scoped at cluster level. + type: string + script: + description: |- + Script is a text containing a lua script. + Must return struct with field "health" + representing whether object is a match (true or false) + type: string + version: + description: Version of the resource to fetch in the managed + Cluster. + type: string + required: + - featureID + - group + - kind + - name + - version + type: object + type: array + x-kubernetes-list-type: atomic + preDeleteChecks: + description: |- + PreDeleteChecks is a slice of Lua functions to run against + the managed cluster *before* Sveltos starts deleting resources. + If any of these fail, the deletion process is halted. + items: + properties: + evaluateCEL: + description: |- + EvaluateCEL contains a list of named CEL (Common Expression Language) rules. + Each rule will be evaluated in order against each object selected based on + the criteria defined above. Each rule's expression must return a boolean value + indicating whether the object is a match. + + Evaluation stops at the first rule that returns true; subsequent + rules will not be evaluated. + items: + description: CELRule defines a named CEL rule used in + EvaluateCEL. + properties: + name: + description: Name is a human-readable identifier for + the rule. + type: string + rule: + description: |- + Rule is the CEL (Common Expression Language) expression to evaluate. 
+ It must return a bool + type: string + required: + - name + - rule + type: object + type: array + featureID: + description: |- + FeatureID is an indentifier of the feature (Helm/Kustomize/Resources) + This field indicates when to run this check. + For instance: + - if set to Helm this check will be run after all helm + charts specified in the ClusterProfile are deployed. + - if set to Resources this check will be run after the content + of all the ConfigMaps/Secrets referenced by ClusterProfile in the + PolicyRef sections is deployed + enum: + - Resources + - Helm + - Kustomize + type: string + group: + description: Group of the resource to fetch in the managed + Cluster. + type: string + kind: + description: Kind of the resource to fetch in the managed + Cluster. + minLength: 1 + type: string + labelFilters: + description: LabelFilters allows to filter resources based + on current labels. + items: + properties: + key: + description: Key is the label key + type: string + operation: + description: Operation is the comparison operation + enum: + - Equal + - Different + - Has + - DoesNotHave + type: string + value: + description: Value is the label value + type: string + required: + - key + - operation + type: object + type: array + name: + description: Name is the name of this check + type: string + namespace: + description: |- + Namespace of the resource to fetch in the managed Cluster. + Empty for resources scoped at cluster level. + type: string + script: + description: |- + Script is a text containing a lua script. + Must return struct with field "health" + representing whether object is a match (true or false) + type: string + version: + description: Version of the resource to fetch in the managed + Cluster. + type: string + required: + - featureID + - group + - kind + - name + - version + type: object + type: array + x-kubernetes-list-type: atomic reloader: default: false description: |- 
diff --git a/config/crd/bases/config.projectsveltos.io_profiles.yaml b/config/crd/bases/config.projectsveltos.io_profiles.yaml
index c2cc1ede..e48821f4 100644
--- a/config/crd/bases/config.projectsveltos.io_profiles.yaml
+++ b/config/crd/bases/config.projectsveltos.io_profiles.yaml
@@ -1008,6 +1008,218 @@ spec: type: object type: array x-kubernetes-list-type: atomic + postDeleteChecks: + description: |- + PostDeleteChecks is a slice of Lua functions to run against + the managed cluster *after* Sveltos has deleted all resources. + This ensures that the environment has reached the desired clean state. + items: + properties: + evaluateCEL: + description: |- + EvaluateCEL contains a list of named CEL (Common Expression Language) rules. + Each rule will be evaluated in order against each object selected based on + the criteria defined above. Each rule's expression must return a boolean value + indicating whether the object is a match. + + Evaluation stops at the first rule that returns true; subsequent + rules will not be evaluated. + items: + description: CELRule defines a named CEL rule used in EvaluateCEL. + properties: + name: + description: Name is a human-readable identifier for the + rule. + type: string + rule: + description: |- + Rule is the CEL (Common Expression Language) expression to evaluate. + It must return a bool + type: string + required: + - name + - rule + type: object + type: array + featureID: + description: |- + FeatureID is an indentifier of the feature (Helm/Kustomize/Resources) + This field indicates when to run this check. + For instance: + - if set to Helm this check will be run after all helm + charts specified in the ClusterProfile are deployed. + - if set to Resources this check will be run after the content + of all the ConfigMaps/Secrets referenced by ClusterProfile in the + PolicyRef sections is deployed + enum: + - Resources + - Helm + - Kustomize + type: string + group: + description: Group of the resource to fetch in the managed Cluster. + type: string + kind: + description: Kind of the resource to fetch in the managed Cluster. + minLength: 1 + type: string + labelFilters: + description: LabelFilters allows to filter resources based on + current labels. 
+ items: + properties: + key: + description: Key is the label key + type: string + operation: + description: Operation is the comparison operation + enum: + - Equal + - Different + - Has + - DoesNotHave + type: string + value: + description: Value is the label value + type: string + required: + - key + - operation + type: object + type: array + name: + description: Name is the name of this check + type: string + namespace: + description: |- + Namespace of the resource to fetch in the managed Cluster. + Empty for resources scoped at cluster level. + type: string + script: + description: |- + Script is a text containing a lua script. + Must return struct with field "health" + representing whether object is a match (true or false) + type: string + version: + description: Version of the resource to fetch in the managed + Cluster. + type: string + required: + - featureID + - group + - kind + - name + - version + type: object + type: array + x-kubernetes-list-type: atomic + preDeleteChecks: + description: |- + PreDeleteChecks is a slice of Lua functions to run against + the managed cluster *before* Sveltos starts deleting resources. + If any of these fail, the deletion process is halted. + items: + properties: + evaluateCEL: + description: |- + EvaluateCEL contains a list of named CEL (Common Expression Language) rules. + Each rule will be evaluated in order against each object selected based on + the criteria defined above. Each rule's expression must return a boolean value + indicating whether the object is a match. + + Evaluation stops at the first rule that returns true; subsequent + rules will not be evaluated. + items: + description: CELRule defines a named CEL rule used in EvaluateCEL. + properties: + name: + description: Name is a human-readable identifier for the + rule. + type: string + rule: + description: |- + Rule is the CEL (Common Expression Language) expression to evaluate. 
+ It must return a bool + type: string + required: + - name + - rule + type: object + type: array + featureID: + description: |- + FeatureID is an indentifier of the feature (Helm/Kustomize/Resources) + This field indicates when to run this check. + For instance: + - if set to Helm this check will be run after all helm + charts specified in the ClusterProfile are deployed. + - if set to Resources this check will be run after the content + of all the ConfigMaps/Secrets referenced by ClusterProfile in the + PolicyRef sections is deployed + enum: + - Resources + - Helm + - Kustomize + type: string + group: + description: Group of the resource to fetch in the managed Cluster. + type: string + kind: + description: Kind of the resource to fetch in the managed Cluster. + minLength: 1 + type: string + labelFilters: + description: LabelFilters allows to filter resources based on + current labels. + items: + properties: + key: + description: Key is the label key + type: string + operation: + description: Operation is the comparison operation + enum: + - Equal + - Different + - Has + - DoesNotHave + type: string + value: + description: Value is the label value + type: string + required: + - key + - operation + type: object + type: array + name: + description: Name is the name of this check + type: string + namespace: + description: |- + Namespace of the resource to fetch in the managed Cluster. + Empty for resources scoped at cluster level. + type: string + script: + description: |- + Script is a text containing a lua script. + Must return struct with field "health" + representing whether object is a match (true or false) + type: string + version: + description: Version of the resource to fetch in the managed + Cluster. + type: string + required: + - featureID + - group + - kind + - name + - version + type: object + type: array + x-kubernetes-list-type: atomic reloader: default: false description: |- 
diff --git a/controllers/clusterpromotion_controller.go b/controllers/clusterpromotion_controller.go
index d86aebad..606aa873 100644
--- a/controllers/clusterpromotion_controller.go
+++ b/controllers/clusterpromotion_controller.go
@@ -525,8 +525,11 @@ func (r *ClusterPromotionReconciler) reconcileStageProfile(ctx context.Context,
 KustomizationRefs: promotionScope.ClusterPromotion.Spec.ProfileSpec.KustomizationRefs,
 ValidateHealths: promotionScope.ClusterPromotion.Spec.ProfileSpec.ValidateHealths,
 Patches: promotionScope.ClusterPromotion.Spec.ProfileSpec.Patches,
+ PatchesFrom: promotionScope.ClusterPromotion.Spec.ProfileSpec.PatchesFrom,
 DriftExclusions: promotionScope.ClusterPromotion.Spec.ProfileSpec.DriftExclusions,
 MaxConsecutiveFailures: promotionScope.ClusterPromotion.Spec.ProfileSpec.MaxConsecutiveFailures,
+ PreDeleteChecks: promotionScope.ClusterPromotion.Spec.ProfileSpec.PreDeleteChecks,
+ PostDeleteChecks: promotionScope.ClusterPromotion.Spec.ProfileSpec.PostDeleteChecks,
 // 2. Set the stage-specific ClusterSelector
 ClusterSelector: stage.ClusterSelector,
diff --git a/controllers/delete_checks.go b/controllers/delete_checks.go
new file mode 100644
index 00000000..5de03712
--- /dev/null
+++ b/controllers/delete_checks.go
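Review bot: The added `PatchesFrom:` line fixes a field that was previously not propagated from the ClusterPromotion ProfileSpec into the stage profile, which is unrelated to the delete checks the commit title describes; a reader bisecting a PatchesFrom regression will not find it under "Pre and post delete checks". A line in the commit description (or a separate commit) would make that fix discoverable. The struct literal this hunk edits begins and ends outside the hunk.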
@@ -0,0 +1,80 @@
+/*
+Copyright 2026. projectsveltos.io. All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controllers
+
+import (
+ "context"
+
+ "github.com/go-logr/logr"
+
+ configv1beta1 "github.com/projectsveltos/addon-controller/api/v1beta1"
+ "github.com/projectsveltos/addon-controller/controllers/clustercache"
+ "github.com/projectsveltos/addon-controller/lib/clusterops"
+ libsveltosv1beta1 "github.com/projectsveltos/libsveltos/api/v1beta1"
+ "github.com/projectsveltos/libsveltos/lib/clusterproxy"
+ logs "github.com/projectsveltos/libsveltos/lib/logsettings"
+)
+
+func validatePreDeleteChecks(ctx context.Context, clusterSummary *configv1beta1.ClusterSummary,
+ featureID libsveltosv1beta1.FeatureID, logger logr.Logger) error {
+
+ return validateDeleteChecks(ctx, clusterSummary, featureID, clusterSummary.Spec.ClusterProfileSpec.PreDeleteChecks, logger)
+}
+
+func validatePostDeleteChecks(ctx context.Context, clusterSummary *configv1beta1.ClusterSummary,
+ featureID libsveltosv1beta1.FeatureID, logger logr.Logger) error {
+
+ return validateDeleteChecks(ctx, clusterSummary, featureID, clusterSummary.Spec.ClusterProfileSpec.PostDeleteChecks, logger)
+}
+
+func validateDeleteChecks(ctx context.Context, clusterSummary *configv1beta1.ClusterSummary,
+ featureID libsveltosv1beta1.FeatureID, deleteChecks []libsveltosv1beta1.ValidateHealth, logger logr.Logger) error {
+
+ if len(deleteChecks) == 0 {
+ return nil
+ }
+
+ isPullMode, err := clusterproxy.IsClusterInPullMode(ctx, getManagementClusterClient(), clusterSummary.Spec.ClusterNamespace,
+ clusterSummary.Spec.ClusterName, clusterSummary.Spec.ClusterType, logger)
+ if err != nil {
+ logger.V(logs.LogDebug).Error(err, "failed to verify if Cluster is in pull mode")
+ return err
+ }
+
+ if !isPullMode {
+ return nil
+ }
+
+ adminNamespace, adminName := getClusterSummaryAdmin(clusterSummary)
+ cacheMgr := clustercache.GetManager()
+ remoteRestConfig, err := cacheMgr.GetKubernetesRestConfig(ctx, getManagementClusterClient(), clusterSummary.Spec.ClusterNamespace,
+ clusterSummary.Spec.ClusterName, adminNamespace, adminName, clusterSummary.Spec.ClusterType, logger)
+ if err != nil {
+ logger.V(logs.LogDebug).Error(err, "failed to get cluster rest.Config")
+ return err
+ }
+
+ logger.V(logs.LogDebug).Info("validate pre delete checks")
+ err = clusterops.ValidateHealthPolicies(ctx, remoteRestConfig, clusterSummary.Spec.ClusterProfileSpec.PreDeleteChecks,
+ featureID, logger)
+ if err != nil {
+ logger.V(logs.LogDebug).Error(err, "pre delete check failed")
+ return err
+ }
+
+ return nil
+}
diff --git a/controllers/handlers_helm.go b/controllers/handlers_helm.go
index 013f1233..6927af45 100644
--- a/controllers/handlers_helm.go
+++ b/controllers/handlers_helm.go
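Review bot: The `deleteChecks` parameter of validateDeleteChecks is used only for the emptiness test; the actual evaluation passes `clusterSummary.Spec.ClusterProfileSpec.PreDeleteChecks` to clusterops.ValidateHealthPolicies, so validatePostDeleteChecks evaluates the pre-delete list and the PostDeleteChecks field is never run. The fix is `err = clusterops.ValidateHealthPolicies(ctx, remoteRestConfig, deleteChecks, featureID, logger)`, and the two messages `"validate pre delete checks"` / `"pre delete check failed"` in this shared helper should drop "pre" (or take the phase as a parameter) since both phases go through it. The `if !isPullMode { return nil }` guard also looks inverted: the only callers visible in this commit (undeployHelmChartResources and pushModeUndeployResources) run on the push-mode path, and the rest.Config fetched from clustercache below appears to be the management-side access that only exists for push-mode clusters, so as written the checks are skipped in the mode where they can be evaluated — please confirm which mode is intended and state it in a doc comment on the function. That comment should also say what a failure means for the caller, i.e. that any error from ValidateHealthPolicies halts the undeploy and the reconcile is retried.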
@@ -528,11 +528,23 @@ func undeployHelmChartResources(ctx context.Context, c client.Client, clusterSum logger.V(logs.LogDebug).Info("undeployHelmChartResources") + err := validatePreDeleteChecks(ctx, clusterSummary, libsveltosv1beta1.FeatureHelm, logger) + if err != nil { + logger.V(logs.LogInfo).Error(err, "pre delete checks failed") + return err + } + releaseReports, err := uninstallHelmCharts(ctx, c, clusterSummary, kubeconfig, logger) if err != nil { return err } + err = validatePostDeleteChecks(ctx, clusterSummary, libsveltosv1beta1.FeatureHelm, logger) + if err != nil { + logger.V(logs.LogInfo).Error(err, "post delete checks failed") + return err + } + // First get the helm releases currently managed and uninstall all the ones // not referenced anymore. Only if this operation succeeds, removes all stale // helm release registration for this clusterSummary. diff --git a/controllers/handlers_kustomize.go b/controllers/handlers_kustomize.go index bcfd2f96..4d463171 100644 --- a/controllers/handlers_kustomize.go +++ b/controllers/handlers_kustomize.go @@ -305,8 +305,6 @@ func undeployKustomizeRefs(ctx context.Context, c client.Client, logger.V(logs.LogDebug).Info("undeployKustomizeRefs") - var resourceReports []libsveltosv1beta1.ResourceReport - // Undeploy from management cluster _, err = undeployStaleResources(ctx, true, getManagementClusterConfig(), c, libsveltosv1beta1.FeatureKustomize, clusterSummary, getDeployedGroupVersionKinds(clusterSummary, libsveltosv1beta1.FeatureKustomize), 
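Review bot: A post-delete check failure here is returned after uninstallHelmCharts has already run, so the next reconcile re-enters undeployHelmChartResources and evaluates the pre-delete checks against a cluster from which the charts are already gone; whether PreDeleteChecks are expected to still pass in that state is not documented anywhere in the hunk. A comment above the post-check call would make the retry contract explicit, e.g. `// A failing post-delete check returns an error; the undeploy is retried and the pre-delete checks run again first.` The log-then-return at LogInfo in both new blocks also duplicates the LogDebug error already emitted inside validateDeleteChecks, so one of the two layers can drop its logging. The enclosing function continues outside the hunk.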
@@ -321,49 +319,7 @@ func undeployKustomizeRefs(ctx context.Context, c client.Client,
 return err
 }
 } else {
- // Only resources previously deployed by ClusterSummary are removed here. Even if profile is created by serviceAccount
- // use cluster-admin account to do the removal
- cacheMgr := clustercache.GetManager()
- remoteRestConfig, err := cacheMgr.GetKubernetesRestConfig(ctx, c, clusterNamespace, clusterName,
- "", "", clusterSummary.Spec.ClusterType, logger)
- if err != nil {
- return err
- }
-
- remoteClient, err := clusterproxy.GetKubernetesClient(ctx, c, clusterNamespace, clusterName,
- "", "", clusterSummary.Spec.ClusterType, logger)
- if err != nil {
- return err
- }
-
- // Undeploy from managed cluster
- resourceReports, err = undeployStaleResources(ctx, false, remoteRestConfig, remoteClient, libsveltosv1beta1.FeatureKustomize,
- clusterSummary, getDeployedGroupVersionKinds(clusterSummary, libsveltosv1beta1.FeatureKustomize),
- map[string]libsveltosv1beta1.Resource{}, logger)
- if err != nil {
- return err
- }
-
- profileRef, err := configv1beta1.GetProfileRef(clusterSummary)
- if err != nil {
- return err
- }
-
- err = updateReloaderWithDeployedResources(ctx, clusterSummary, profileRef, libsveltosv1beta1.FeatureKustomize,
- nil, true, logger)
- if err != nil {
- return err
- }
-
- isDrynRun := clusterSummary.Spec.ClusterProfileSpec.SyncMode == configv1beta1.SyncModeDryRun
- err = clusterops.UpdateClusterConfiguration(ctx, c, isDrynRun, true, clusterNamespace, clusterName, clusterType,
- profileRef, libsveltosv1beta1.FeatureKustomize, []configv1beta1.DeployedResource{}, nil)
- if err != nil {
- return err
- }
-
- err = updateClusterReportWithResourceReports(ctx, c, clusterSummary, remoteRestConfig == nil,
- resourceReports, libsveltosv1beta1.FeatureKustomize)
+ err = pushModeUndeployResources(ctx, c, clusterSummary, libsveltosv1beta1.FeatureKustomize, logger)
 if err != nil {
 return err
 }
diff --git a/controllers/handlers_resources.go b/controllers/handlers_resources.go
index d020eede..473e4e26 100644
--- a/controllers/handlers_resources.go
+++ b/controllers/handlers_resources.go
@@ -391,64 +391,89 @@ func undeployResources(ctx context.Context, c client.Client, return combinedErr } } else { - // Only resources previously deployed by ClusterSummary are removed here. Even if profile is created by serviceAccount - // use cluster-admin account to do the removal - remoteClient, err := clusterproxy.GetKubernetesClient(ctx, c, clusterNamespace, clusterName, - "", "", clusterSummary.Spec.ClusterType, logger) + err = pushModeUndeployResources(ctx, c, clusterSummary, libsveltosv1beta1.FeatureResources, logger) if err != nil { return err } + } - cacheMgr := clustercache.GetManager() - remoteRestConfig, err := cacheMgr.GetKubernetesRestConfig(ctx, c, clusterNamespace, clusterName, - "", "", clusterSummary.Spec.ClusterType, logger) - if err != nil { - return err - } + if clusterSummary.Spec.ClusterProfileSpec.SyncMode == configv1beta1.SyncModeDryRun { + return &configv1beta1.DryRunReconciliationError{} + } - var resourceReports []libsveltosv1beta1.ResourceReport + manager := getManager() + manager.stopStaleWatchForMgmtResource(nil, clusterSummary, libsveltosv1beta1.FeatureResources) - // Undeploy from managed cluster - resourceReports, err = undeployStaleResources(ctx, false, remoteRestConfig, remoteClient, - libsveltosv1beta1.FeatureResources, clusterSummary, - getDeployedGroupVersionKinds(clusterSummary, libsveltosv1beta1.FeatureResources), - map[string]libsveltosv1beta1.Resource{}, logger) - combinedErr := errors.Join(localUndeployErr, err) - if combinedErr != nil { - return combinedErr - } + return nil +} - profileRef, err := configv1beta1.GetProfileRef(clusterSummary) - if err != nil { - return err - } +func pushModeUndeployResources(ctx context.Context, c client.Client, clusterSummary *configv1beta1.ClusterSummary, + featureID libsveltosv1beta1.FeatureID, logger logr.Logger) error { - err = updateReloaderWithDeployedResources(ctx, clusterSummary, profileRef, libsveltosv1beta1.FeatureResources, - nil, true, logger) - if err != nil { - return err - 
} + clusterNamespace := clusterSummary.Spec.ClusterNamespace + clusterName := clusterSummary.Spec.ClusterName + clusterType := clusterSummary.Spec.ClusterType - isDrynRun := clusterSummary.Spec.ClusterProfileSpec.SyncMode == configv1beta1.SyncModeDryRun - err = clusterops.UpdateClusterConfiguration(ctx, c, isDrynRun, true, clusterNamespace, clusterName, - clusterType, profileRef, libsveltosv1beta1.FeatureResources, []configv1beta1.DeployedResource{}, nil) - if err != nil { - return err - } + err := validatePreDeleteChecks(ctx, clusterSummary, featureID, logger) + if err != nil { + logger.V(logs.LogInfo).Error(err, "pre delete checks failed") + return err + } - err = updateClusterReportWithResourceReports(ctx, c, clusterSummary, isPullMode, - resourceReports, libsveltosv1beta1.FeatureResources) - if err != nil { - return err - } + // Only resources previously deployed by ClusterSummary are removed here. Even if profile is created by serviceAccount + // use cluster-admin account to do the removal + cacheMgr := clustercache.GetManager() + remoteRestConfig, err := cacheMgr.GetKubernetesRestConfig(ctx, c, clusterNamespace, clusterName, + "", "", clusterSummary.Spec.ClusterType, logger) + if err != nil { + return err } - if clusterSummary.Spec.ClusterProfileSpec.SyncMode == configv1beta1.SyncModeDryRun { - return &configv1beta1.DryRunReconciliationError{} + remoteClient, err := clusterproxy.GetKubernetesClient(ctx, c, clusterNamespace, clusterName, + "", "", clusterSummary.Spec.ClusterType, logger) + if err != nil { + return err } - manager := getManager() - manager.stopStaleWatchForMgmtResource(nil, clusterSummary, libsveltosv1beta1.FeatureResources) + var resourceReports []libsveltosv1beta1.ResourceReport + + // Undeploy from managed cluster + resourceReports, err = undeployStaleResources(ctx, false, remoteRestConfig, remoteClient, featureID, + clusterSummary, getDeployedGroupVersionKinds(clusterSummary, featureID), + map[string]libsveltosv1beta1.Resource{}, logger) + 
if err != nil { + return err + } + + err = validatePostDeleteChecks(ctx, clusterSummary, featureID, logger) + if err != nil { + logger.V(logs.LogInfo).Error(err, "post delete checks failed") + return err + } + + profileRef, err := configv1beta1.GetProfileRef(clusterSummary) + if err != nil { + return err + } + + err = updateReloaderWithDeployedResources(ctx, clusterSummary, profileRef, featureID, + nil, true, logger) + if err != nil { + return err + } + + isDrynRun := clusterSummary.Spec.ClusterProfileSpec.SyncMode == configv1beta1.SyncModeDryRun + err = clusterops.UpdateClusterConfiguration(ctx, c, isDrynRun, true, clusterNamespace, clusterName, clusterType, + profileRef, featureID, []configv1beta1.DeployedResource{}, nil) + if err != nil { + return err + } + + err = updateClusterReportWithResourceReports(ctx, c, clusterSummary, remoteRestConfig == nil, + resourceReports, featureID) + if err != nil { + return err + } return nil } diff --git a/manifest/manifest.yaml b/manifest/manifest.yaml index 181a7782..324b13cb 100644 --- a/manifest/manifest.yaml +++ b/manifest/manifest.yaml 
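Review bot: In the push-mode branch of undeployResources the removed code joined `localUndeployErr` with the remote undeploy error before returning, but the new branch returns only the result of pushModeUndeployResources and, when that succeeds, falls through to `return nil`, so a management-cluster undeploy failure is dropped unless it is already handled somewhere before the hunk. Preserving the old semantics is one line: `if err := errors.Join(localUndeployErr, pushModeUndeployResources(ctx, c, clusterSummary, libsveltosv1beta1.FeatureResources, logger)); err != nil { return err }`. Inside pushModeUndeployResources, `var resourceReports []libsveltosv1beta1.ResourceReport` followed by `resourceReports, err = undeployStaleResources(...)` can collapse into a single `:=`, and `remoteRestConfig == nil` passed as the pull-mode flag to updateClusterReportWithResourceReports is presumably always false after the preceding error check, so a literal `false` with a short comment would state the intent more plainly. The helper also carries over the `isDrynRun` spelling from the removed code; since the line is being moved anyway, `isDryRun` would be the moment to fix it. undeployResources begins before this hunk.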
@@ -1317,6 +1317,218 @@ spec: type: object type: array x-kubernetes-list-type: atomic + postDeleteChecks: + description: |- + PostDeleteChecks is a slice of Lua functions to run against + the managed cluster *after* Sveltos has deleted all resources. + This ensures that the environment has reached the desired clean state. + items: + properties: + evaluateCEL: + description: |- + EvaluateCEL contains a list of named CEL (Common Expression Language) rules. + Each rule will be evaluated in order against each object selected based on + the criteria defined above. Each rule's expression must return a boolean value + indicating whether the object is a match. + + Evaluation stops at the first rule that returns true; subsequent + rules will not be evaluated. + items: + description: CELRule defines a named CEL rule used in EvaluateCEL. + properties: + name: + description: Name is a human-readable identifier for the + rule. + type: string + rule: + description: |- + Rule is the CEL (Common Expression Language) expression to evaluate. + It must return a bool + type: string + required: + - name + - rule + type: object + type: array + featureID: + description: |- + FeatureID is an indentifier of the feature (Helm/Kustomize/Resources) + This field indicates when to run this check. + For instance: + - if set to Helm this check will be run after all helm + charts specified in the ClusterProfile are deployed. + - if set to Resources this check will be run after the content + of all the ConfigMaps/Secrets referenced by ClusterProfile in the + PolicyRef sections is deployed + enum: + - Resources + - Helm + - Kustomize + type: string + group: + description: Group of the resource to fetch in the managed Cluster. + type: string + kind: + description: Kind of the resource to fetch in the managed Cluster. + minLength: 1 + type: string + labelFilters: + description: LabelFilters allows to filter resources based on + current labels. 
+ items: + properties: + key: + description: Key is the label key + type: string + operation: + description: Operation is the comparison operation + enum: + - Equal + - Different + - Has + - DoesNotHave + type: string + value: + description: Value is the label value + type: string + required: + - key + - operation + type: object + type: array + name: + description: Name is the name of this check + type: string + namespace: + description: |- + Namespace of the resource to fetch in the managed Cluster. + Empty for resources scoped at cluster level. + type: string + script: + description: |- + Script is a text containing a lua script. + Must return struct with field "health" + representing whether object is a match (true or false) + type: string + version: + description: Version of the resource to fetch in the managed + Cluster. + type: string + required: + - featureID + - group + - kind + - name + - version + type: object + type: array + x-kubernetes-list-type: atomic + preDeleteChecks: + description: |- + PreDeleteChecks is a slice of Lua functions to run against + the managed cluster *before* Sveltos starts deleting resources. + If any of these fail, the deletion process is halted. + items: + properties: + evaluateCEL: + description: |- + EvaluateCEL contains a list of named CEL (Common Expression Language) rules. + Each rule will be evaluated in order against each object selected based on + the criteria defined above. Each rule's expression must return a boolean value + indicating whether the object is a match. + + Evaluation stops at the first rule that returns true; subsequent + rules will not be evaluated. + items: + description: CELRule defines a named CEL rule used in EvaluateCEL. + properties: + name: + description: Name is a human-readable identifier for the + rule. + type: string + rule: + description: |- + Rule is the CEL (Common Expression Language) expression to evaluate. 
+ It must return a bool + type: string + required: + - name + - rule + type: object + type: array + featureID: + description: |- + FeatureID is an indentifier of the feature (Helm/Kustomize/Resources) + This field indicates when to run this check. + For instance: + - if set to Helm this check will be run after all helm + charts specified in the ClusterProfile are deployed. + - if set to Resources this check will be run after the content + of all the ConfigMaps/Secrets referenced by ClusterProfile in the + PolicyRef sections is deployed + enum: + - Resources + - Helm + - Kustomize + type: string + group: + description: Group of the resource to fetch in the managed Cluster. + type: string + kind: + description: Kind of the resource to fetch in the managed Cluster. + minLength: 1 + type: string + labelFilters: + description: LabelFilters allows to filter resources based on + current labels. + items: + properties: + key: + description: Key is the label key + type: string + operation: + description: Operation is the comparison operation + enum: + - Equal + - Different + - Has + - DoesNotHave + type: string + value: + description: Value is the label value + type: string + required: + - key + - operation + type: object + type: array + name: + description: Name is the name of this check + type: string + namespace: + description: |- + Namespace of the resource to fetch in the managed Cluster. + Empty for resources scoped at cluster level. + type: string + script: + description: |- + Script is a text containing a lua script. + Must return struct with field "health" + representing whether object is a match (true or false) + type: string + version: + description: Version of the resource to fetch in the managed + Cluster. + type: string + required: + - featureID + - group + - kind + - name + - version + type: object + type: array + x-kubernetes-list-type: atomic reloader: default: false description: |- 
@@ -2650,26 +2862,244 @@ spec: type: boolean path: description: |- - Path to the directory containing the YAML files. - Defaults to 'None', which translates to the root path of the SourceRef. - Used only for GitRepository;OCIRepository;Bucket + Path to the directory containing the YAML files. + Defaults to 'None', which translates to the root path of the SourceRef. + Used only for GitRepository;OCIRepository;Bucket + type: string + tier: + default: 100 + description: |- + Tier controls the order of deployment for resources coming from different PolicyRefs + within the same ClusterProfile or Profile. + When two PolicyRefs attempt to deploy the same resource, the PolicyRef with the lowest + Tier value takes priority and deploys/updates the resource. + This priority mechanism is only checked after the parent ClusterProfile has won + the primary conflict resolution against other ClusterProfiles. + Higher Tier values represent lower priority. The default Tier value is 100. + format: int32 + minimum: 1 + type: integer + required: + - kind + - name + type: object + type: array + x-kubernetes-list-type: atomic + postDeleteChecks: + description: |- + PostDeleteChecks is a slice of Lua functions to run against + the managed cluster *after* Sveltos has deleted all resources. + This ensures that the environment has reached the desired clean state. + items: + properties: + evaluateCEL: + description: |- + EvaluateCEL contains a list of named CEL (Common Expression Language) rules. + Each rule will be evaluated in order against each object selected based on + the criteria defined above. Each rule's expression must return a boolean value + indicating whether the object is a match. + + Evaluation stops at the first rule that returns true; subsequent + rules will not be evaluated. + items: + description: CELRule defines a named CEL rule used in + EvaluateCEL. + properties: + name: + description: Name is a human-readable identifier for + the rule. 
+ type: string + rule: + description: |- + Rule is the CEL (Common Expression Language) expression to evaluate. + It must return a bool + type: string + required: + - name + - rule + type: object + type: array + featureID: + description: |- + FeatureID is an indentifier of the feature (Helm/Kustomize/Resources) + This field indicates when to run this check. + For instance: + - if set to Helm this check will be run after all helm + charts specified in the ClusterProfile are deployed. + - if set to Resources this check will be run after the content + of all the ConfigMaps/Secrets referenced by ClusterProfile in the + PolicyRef sections is deployed + enum: + - Resources + - Helm + - Kustomize + type: string + group: + description: Group of the resource to fetch in the managed + Cluster. + type: string + kind: + description: Kind of the resource to fetch in the managed + Cluster. + minLength: 1 + type: string + labelFilters: + description: LabelFilters allows to filter resources based + on current labels. + items: + properties: + key: + description: Key is the label key + type: string + operation: + description: Operation is the comparison operation + enum: + - Equal + - Different + - Has + - DoesNotHave + type: string + value: + description: Value is the label value + type: string + required: + - key + - operation + type: object + type: array + name: + description: Name is the name of this check + type: string + namespace: + description: |- + Namespace of the resource to fetch in the managed Cluster. + Empty for resources scoped at cluster level. + type: string + script: + description: |- + Script is a text containing a lua script. + Must return struct with field "health" + representing whether object is a match (true or false) + type: string + version: + description: Version of the resource to fetch in the managed + Cluster. 
+ type: string + required: + - featureID + - group + - kind + - name + - version + type: object + type: array + x-kubernetes-list-type: atomic + preDeleteChecks: + description: |- + PreDeleteChecks is a slice of Lua functions to run against + the managed cluster *before* Sveltos starts deleting resources. + If any of these fail, the deletion process is halted. + items: + properties: + evaluateCEL: + description: |- + EvaluateCEL contains a list of named CEL (Common Expression Language) rules. + Each rule will be evaluated in order against each object selected based on + the criteria defined above. Each rule's expression must return a boolean value + indicating whether the object is a match. + + Evaluation stops at the first rule that returns true; subsequent + rules will not be evaluated. + items: + description: CELRule defines a named CEL rule used in + EvaluateCEL. + properties: + name: + description: Name is a human-readable identifier for + the rule. + type: string + rule: + description: |- + Rule is the CEL (Common Expression Language) expression to evaluate. + It must return a bool + type: string + required: + - name + - rule + type: object + type: array + featureID: + description: |- + FeatureID is an indentifier of the feature (Helm/Kustomize/Resources) + This field indicates when to run this check. + For instance: + - if set to Helm this check will be run after all helm + charts specified in the ClusterProfile are deployed. + - if set to Resources this check will be run after the content + of all the ConfigMaps/Secrets referenced by ClusterProfile in the + PolicyRef sections is deployed + enum: + - Resources + - Helm + - Kustomize + type: string + group: + description: Group of the resource to fetch in the managed + Cluster. + type: string + kind: + description: Kind of the resource to fetch in the managed + Cluster. + minLength: 1 + type: string + labelFilters: + description: LabelFilters allows to filter resources based + on current labels. 
+ items: + properties: + key: + description: Key is the label key + type: string + operation: + description: Operation is the comparison operation + enum: + - Equal + - Different + - Has + - DoesNotHave + type: string + value: + description: Value is the label value + type: string + required: + - key + - operation + type: object + type: array + name: + description: Name is the name of this check + type: string + namespace: + description: |- + Namespace of the resource to fetch in the managed Cluster. + Empty for resources scoped at cluster level. type: string - tier: - default: 100 + script: description: |- - Tier controls the order of deployment for resources coming from different PolicyRefs - within the same ClusterProfile or Profile. - When two PolicyRefs attempt to deploy the same resource, the PolicyRef with the lowest - Tier value takes priority and deploys/updates the resource. - This priority mechanism is only checked after the parent ClusterProfile has won - the primary conflict resolution against other ClusterProfiles. - Higher Tier values represent lower priority. The default Tier value is 100. - format: int32 - minimum: 1 - type: integer + Script is a text containing a lua script. + Must return struct with field "health" + representing whether object is a match (true or false) + type: string + version: + description: Version of the resource to fetch in the managed + Cluster. + type: string required: + - featureID + - group - kind - name + - version type: object type: array x-kubernetes-list-type: atomic 
@@ -4619,48 +5049,266 @@ spec: - Secret type: string name: - description: |- - Name of the referenced resource. - Name can be expressed as a template and instantiate using any cluster field. - minLength: 1 + description: |- + Name of the referenced resource. + Name can be expressed as a template and instantiate using any cluster field. + minLength: 1 + type: string + namespace: + description: |- + Namespace of the referenced resource. + For ClusterProfile namespace can be left empty. In such a case, namespace will + be implicit set to cluster's namespace. + For Profile namespace must be left empty. Profile namespace will be used. + Namespace can be expressed as a template and instantiate using any cluster field. + type: string + optional: + default: false + description: |- + Optional indicates that the referenced resource is not mandatory. + If set to true and the resource is not found, the error will be ignored, + and Sveltos will continue processing other PolicyRefs. + type: boolean + path: + description: |- + Path to the directory containing the YAML files. + Defaults to 'None', which translates to the root path of the SourceRef. + Used only for GitRepository;OCIRepository;Bucket + type: string + tier: + default: 100 + description: |- + Tier controls the order of deployment for resources coming from different PolicyRefs + within the same ClusterProfile or Profile. + When two PolicyRefs attempt to deploy the same resource, the PolicyRef with the lowest + Tier value takes priority and deploys/updates the resource. + This priority mechanism is only checked after the parent ClusterProfile has won + the primary conflict resolution against other ClusterProfiles. + Higher Tier values represent lower priority. The default Tier value is 100. 
+ format: int32 + minimum: 1 + type: integer + required: + - kind + - name + type: object + type: array + x-kubernetes-list-type: atomic + postDeleteChecks: + description: |- + PostDeleteChecks is a slice of Lua functions to run against + the managed cluster *after* Sveltos has deleted all resources. + This ensures that the environment has reached the desired clean state. + items: + properties: + evaluateCEL: + description: |- + EvaluateCEL contains a list of named CEL (Common Expression Language) rules. + Each rule will be evaluated in order against each object selected based on + the criteria defined above. Each rule's expression must return a boolean value + indicating whether the object is a match. + + Evaluation stops at the first rule that returns true; subsequent + rules will not be evaluated. + items: + description: CELRule defines a named CEL rule used in + EvaluateCEL. + properties: + name: + description: Name is a human-readable identifier for + the rule. + type: string + rule: + description: |- + Rule is the CEL (Common Expression Language) expression to evaluate. + It must return a bool + type: string + required: + - name + - rule + type: object + type: array + featureID: + description: |- + FeatureID is an indentifier of the feature (Helm/Kustomize/Resources) + This field indicates when to run this check. + For instance: + - if set to Helm this check will be run after all helm + charts specified in the ClusterProfile are deployed. + - if set to Resources this check will be run after the content + of all the ConfigMaps/Secrets referenced by ClusterProfile in the + PolicyRef sections is deployed + enum: + - Resources + - Helm + - Kustomize + type: string + group: + description: Group of the resource to fetch in the managed + Cluster. + type: string + kind: + description: Kind of the resource to fetch in the managed + Cluster. + minLength: 1 + type: string + labelFilters: + description: LabelFilters allows to filter resources based + on current labels. 
+ items: + properties: + key: + description: Key is the label key + type: string + operation: + description: Operation is the comparison operation + enum: + - Equal + - Different + - Has + - DoesNotHave + type: string + value: + description: Value is the label value + type: string + required: + - key + - operation + type: object + type: array + name: + description: Name is the name of this check + type: string + namespace: + description: |- + Namespace of the resource to fetch in the managed Cluster. + Empty for resources scoped at cluster level. + type: string + script: + description: |- + Script is a text containing a lua script. + Must return struct with field "health" + representing whether object is a match (true or false) + type: string + version: + description: Version of the resource to fetch in the managed + Cluster. + type: string + required: + - featureID + - group + - kind + - name + - version + type: object + type: array + x-kubernetes-list-type: atomic + preDeleteChecks: + description: |- + PreDeleteChecks is a slice of Lua functions to run against + the managed cluster *before* Sveltos starts deleting resources. + If any of these fail, the deletion process is halted. + items: + properties: + evaluateCEL: + description: |- + EvaluateCEL contains a list of named CEL (Common Expression Language) rules. + Each rule will be evaluated in order against each object selected based on + the criteria defined above. Each rule's expression must return a boolean value + indicating whether the object is a match. + + Evaluation stops at the first rule that returns true; subsequent + rules will not be evaluated. + items: + description: CELRule defines a named CEL rule used in + EvaluateCEL. + properties: + name: + description: Name is a human-readable identifier for + the rule. + type: string + rule: + description: |- + Rule is the CEL (Common Expression Language) expression to evaluate. 
+ It must return a bool + type: string + required: + - name + - rule + type: object + type: array + featureID: + description: |- + FeatureID is an indentifier of the feature (Helm/Kustomize/Resources) + This field indicates when to run this check. + For instance: + - if set to Helm this check will be run after all helm + charts specified in the ClusterProfile are deployed. + - if set to Resources this check will be run after the content + of all the ConfigMaps/Secrets referenced by ClusterProfile in the + PolicyRef sections is deployed + enum: + - Resources + - Helm + - Kustomize + type: string + group: + description: Group of the resource to fetch in the managed + Cluster. + type: string + kind: + description: Kind of the resource to fetch in the managed + Cluster. + minLength: 1 + type: string + labelFilters: + description: LabelFilters allows to filter resources based + on current labels. + items: + properties: + key: + description: Key is the label key + type: string + operation: + description: Operation is the comparison operation + enum: + - Equal + - Different + - Has + - DoesNotHave + type: string + value: + description: Value is the label value + type: string + required: + - key + - operation + type: object + type: array + name: + description: Name is the name of this check type: string namespace: description: |- - Namespace of the referenced resource. - For ClusterProfile namespace can be left empty. In such a case, namespace will - be implicit set to cluster's namespace. - For Profile namespace must be left empty. Profile namespace will be used. - Namespace can be expressed as a template and instantiate using any cluster field. + Namespace of the resource to fetch in the managed Cluster. + Empty for resources scoped at cluster level. type: string - optional: - default: false - description: |- - Optional indicates that the referenced resource is not mandatory. 
- If set to true and the resource is not found, the error will be ignored, - and Sveltos will continue processing other PolicyRefs. - type: boolean - path: + script: description: |- - Path to the directory containing the YAML files. - Defaults to 'None', which translates to the root path of the SourceRef. - Used only for GitRepository;OCIRepository;Bucket + Script is a text containing a lua script. + Must return struct with field "health" + representing whether object is a match (true or false) + type: string + version: + description: Version of the resource to fetch in the managed + Cluster. type: string - tier: - default: 100 - description: |- - Tier controls the order of deployment for resources coming from different PolicyRefs - within the same ClusterProfile or Profile. - When two PolicyRefs attempt to deploy the same resource, the PolicyRef with the lowest - Tier value takes priority and deploys/updates the resource. - This priority mechanism is only checked after the parent ClusterProfile has won - the primary conflict resolution against other ClusterProfiles. - Higher Tier values represent lower priority. The default Tier value is 100. - format: int32 - minimum: 1 - type: integer required: + - featureID + - group - kind - name + - version type: object type: array x-kubernetes-list-type: atomic 
@@ -6103,6 +6751,218 @@ spec: type: object type: array x-kubernetes-list-type: atomic + postDeleteChecks: + description: |- + PostDeleteChecks is a slice of Lua functions to run against + the managed cluster *after* Sveltos has deleted all resources. + This ensures that the environment has reached the desired clean state. + items: + properties: + evaluateCEL: + description: |- + EvaluateCEL contains a list of named CEL (Common Expression Language) rules. + Each rule will be evaluated in order against each object selected based on + the criteria defined above. Each rule's expression must return a boolean value + indicating whether the object is a match. + + Evaluation stops at the first rule that returns true; subsequent + rules will not be evaluated. + items: + description: CELRule defines a named CEL rule used in EvaluateCEL. + properties: + name: + description: Name is a human-readable identifier for the + rule. + type: string + rule: + description: |- + Rule is the CEL (Common Expression Language) expression to evaluate. + It must return a bool + type: string + required: + - name + - rule + type: object + type: array + featureID: + description: |- + FeatureID is an indentifier of the feature (Helm/Kustomize/Resources) + This field indicates when to run this check. + For instance: + - if set to Helm this check will be run after all helm + charts specified in the ClusterProfile are deployed. + - if set to Resources this check will be run after the content + of all the ConfigMaps/Secrets referenced by ClusterProfile in the + PolicyRef sections is deployed + enum: + - Resources + - Helm + - Kustomize + type: string + group: + description: Group of the resource to fetch in the managed Cluster. + type: string + kind: + description: Kind of the resource to fetch in the managed Cluster. + minLength: 1 + type: string + labelFilters: + description: LabelFilters allows to filter resources based on + current labels. 
+ items: + properties: + key: + description: Key is the label key + type: string + operation: + description: Operation is the comparison operation + enum: + - Equal + - Different + - Has + - DoesNotHave + type: string + value: + description: Value is the label value + type: string + required: + - key + - operation + type: object + type: array + name: + description: Name is the name of this check + type: string + namespace: + description: |- + Namespace of the resource to fetch in the managed Cluster. + Empty for resources scoped at cluster level. + type: string + script: + description: |- + Script is a text containing a lua script. + Must return struct with field "health" + representing whether object is a match (true or false) + type: string + version: + description: Version of the resource to fetch in the managed + Cluster. + type: string + required: + - featureID + - group + - kind + - name + - version + type: object + type: array + x-kubernetes-list-type: atomic + preDeleteChecks: + description: |- + PreDeleteChecks is a slice of Lua functions to run against + the managed cluster *before* Sveltos starts deleting resources. + If any of these fail, the deletion process is halted. + items: + properties: + evaluateCEL: + description: |- + EvaluateCEL contains a list of named CEL (Common Expression Language) rules. + Each rule will be evaluated in order against each object selected based on + the criteria defined above. Each rule's expression must return a boolean value + indicating whether the object is a match. + + Evaluation stops at the first rule that returns true; subsequent + rules will not be evaluated. + items: + description: CELRule defines a named CEL rule used in EvaluateCEL. + properties: + name: + description: Name is a human-readable identifier for the + rule. + type: string + rule: + description: |- + Rule is the CEL (Common Expression Language) expression to evaluate. 
+ It must return a bool + type: string + required: + - name + - rule + type: object + type: array + featureID: + description: |- + FeatureID is an indentifier of the feature (Helm/Kustomize/Resources) + This field indicates when to run this check. + For instance: + - if set to Helm this check will be run after all helm + charts specified in the ClusterProfile are deployed. + - if set to Resources this check will be run after the content + of all the ConfigMaps/Secrets referenced by ClusterProfile in the + PolicyRef sections is deployed + enum: + - Resources + - Helm + - Kustomize + type: string + group: + description: Group of the resource to fetch in the managed Cluster. + type: string + kind: + description: Kind of the resource to fetch in the managed Cluster. + minLength: 1 + type: string + labelFilters: + description: LabelFilters allows to filter resources based on + current labels. + items: + properties: + key: + description: Key is the label key + type: string + operation: + description: Operation is the comparison operation + enum: + - Equal + - Different + - Has + - DoesNotHave + type: string + value: + description: Value is the label value + type: string + required: + - key + - operation + type: object + type: array + name: + description: Name is the name of this check + type: string + namespace: + description: |- + Namespace of the resource to fetch in the managed Cluster. + Empty for resources scoped at cluster level. + type: string + script: + description: |- + Script is a text containing a lua script. + Must return struct with field "health" + representing whether object is a match (true or false) + type: string + version: + description: Version of the resource to fetch in the managed + Cluster. + type: string + required: + - featureID + - group + - kind + - name + - version + type: object + type: array + x-kubernetes-list-type: atomic reloader: default: false description: |-