feat(kubewarden-controller): Delete all CRs in pre-delete hook #1774

Closed
viccuad wants to merge 1 commit into kubewarden:main from viccuad:feat/expand-pre-delete-hook

viccuad commented May 27, 2026

Description

On 1.36, without this change:

  • Deleting a PolicyServer sets its policies as scheduled.
  • Recommended policies are managed via Helm and removed when kubewarden-defaults is uninstalled.
  • User-managed policies will never be deleted, and linger after the removal of the CRDs, as they have finalizers.

With this change:
All CRs will be removed when uninstalling the kubewarden-controller chart. This includes charts of downstream consumers that use a single chart approach.

The used image, kuberlr/kubectl, has busybox, hence ash as shell. Use the shell to remove all CRs. Removing all CRs in potentially all namespaces is costly; do background jobs with &, wait, and only then remove the policyservers.

Test

Tested locally by deploying charts with recommended policies, a user-managed policy and policy server, and uninstalling the charts one by one.

Additional Information

Tradeoff

Potential improvement

Checklist

On 1.36, without this change:
- Deleting a PolicyServer sets its policies as scheduled.
- Recommended policies are managed via Helm and removed when
  `kubewarden-defaults` is uninstalled.
- User-managed policies will never be deleted, and linger after
  the removal of the CRDs, as they have finalizers.

With this change:
All CRs will be removed when uninstalling the `kubewarden-controller`
chart. This includes charts of downstream consumers that use a single
chart approach.

The used image, kuberlr/kubectl, has busybox, hence `ash` as shell.
Use the shell to remove all CRs. Removing all CRs in potentially all
namespaces is costly; do background jobs with `&`, wait, and only
then remove the policyservers.

Signed-off-by: Víctor Cuadrado Juan <vcuadradojuan@suse.de>
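
The ordering the description above asks for (background deletes, `wait`, then PolicyServers), as an added example that is not part of the pull request or the chart: it waits on each PID, since `wait` with no operands returns 0 even when a background job failed. `KUBECTL`, `GROUP` and both function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the chart's hook script. Plain POSIX sh, so it also
# runs under busybox ash.
KUBECTL="${KUBECTL:-kubectl}"   # assumption: overridable, so the logic can be tested without a cluster
GROUP=policies.kubewarden.io

# Hypothetical helper: delete every policy kind in parallel, then the
# PolicyServers, but only if every policy delete exited 0.
delete_policies_then_servers() {
    pids=""
    "$KUBECTL" delete --wait --all clusteradmissionpolicies.$GROUP &
    pids="$pids $!"
    "$KUBECTL" delete --wait --all --all-namespaces admissionpolicies.$GROUP &
    pids="$pids $!"
    "$KUBECTL" delete --wait --all clusteradmissionpolicygroups.$GROUP &
    pids="$pids $!"
    "$KUBECTL" delete --wait --all --all-namespaces admissionpolicygroups.$GROUP &
    pids="$pids $!"

    # `wait` with no operands always returns 0; `wait PID` returns that
    # job's exit status, so each background delete is checked individually.
    failed=0
    for pid in $pids; do
        wait "$pid" || failed=$((failed + 1))
    done
    if [ "$failed" -ne 0 ]; then
        echo "$failed policy delete job(s) failed; policyservers left in place" >&2
        return 1
    fi
    "$KUBECTL" delete --wait --all policyservers.$GROUP
}

# Contrast with constructed stand-in jobs: one fails, yet bare `wait`
# reports success, so `wait && next` still runs `next`.
bare_wait_hides_failure() {
    false &
    true &
    wait && return 0
    return 1
}
```
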
viccuad self-assigned this May 27, 2026
Copilot AI review requested due to automatic review settings May 27, 2026 12:14
viccuad requested a review from a team as a code owner May 27, 2026 12:14
- /bin/sh
- -c
- |
kubectl delete --wait --all clusteradmissionpolicies.policies.kubewarden.io &
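
Review bot: The backgrounded `kubectl delete --wait --all clusteradmissionpolicies.policies.kubewarden.io &` sets no `--timeout`, so the script itself puts no bound on how long the hook job blocks while finalizers on these resources are pending. Consider an explicit `--timeout=<duration>` on each delete so a stuck finalizer fails the hook with a clear error rather than stalling the uninstall.
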
Member Author

We used to not have the waits. It may be better to remove them.

Copilot AI left a comment

Pull request overview

This PR updates the kubewarden-controller Helm chart’s pre-delete hook job to delete all Kubewarden policy-related Custom Resources (across cluster and all namespaces where applicable) before deleting PolicyServer resources, to prevent CRs with finalizers from lingering after uninstall.

Changes:

  • Replace the pre-delete hook’s single kubectl delete invocation with a shell script that deletes ClusterAdmissionPolicy* and AdmissionPolicy* resources in parallel.
  • Add a wait barrier so policy resources are deleted before deleting PolicyServer resources.

Comment on lines +47 to +48
wait &&
kubectl delete --wait --all policyservers.policies.kubewarden.io
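
Review bot: On line +47, `wait &&` does not gate the PolicyServer delete on the earlier jobs succeeding: `wait` with no operands returns 0 whatever the background jobs' exit statuses were, so line +48 always runs. If the intent is to stop on failure, record each `$!` and `wait` on each PID; if proceeding regardless is intended, drop the `&&` so the script does not suggest a check it does not perform.
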
Comment on lines +43 to +48
kubectl delete --wait --all clusteradmissionpolicies.policies.kubewarden.io &
kubectl delete --wait --all --all-namespaces admissionpolicies.policies.kubewarden.io &
kubectl delete --wait --all clusteradmissionpolicygroups.policies.kubewarden.io &
kubectl delete --wait --all --all-namespaces admissionpolicygroups.policies.kubewarden.io &
wait &&
kubectl delete --wait --all policyservers.policies.kubewarden.io
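
Review bot: Lines +43 to +48 carry no comment explaining the ordering, and the reason is not obvious from the commands alone. A short comment above `wait` stating that the four policy kinds are deleted before `policyservers.policies.kubewarden.io`, and that they run in the background because deleting across all namespaces is costly, would keep a later edit from reordering or serialising them by accident.
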
jvanz left a comment

Overall, LGTM. But I think that copilot comments are good suggestions.

flavio commented May 27, 2026

closing as discussed during the daily

flavio closed this May 27, 2026
github-project-automation (Bot) moved this from Pending review to Done in Kubewarden Admission Controller May 27, 2026