
Commit ca5371f

committed
up
1 parent 1311456 commit ca5371f

4 files changed

Lines changed: 94 additions & 0 deletions


CLAUDE.md

Lines changed: 5 additions & 0 deletions
@@ -523,6 +523,11 @@ PVC populated from last backup
523523
- Automatically injects NFS volume into VolSync mover jobs
524524
- No manual NFS configuration needed per app
525525

526+
3. **volsync-orphan-cleanup.yaml** - Orphan resource cleanup (ClusterCleanupPolicy)
527+
- Runs every 15 minutes
528+
- Deletes orphaned ReplicationSource, ReplicationDestination, ExternalSecret when backup label is removed from PVC or PVC is deleted
529+
- Prevents stale backup/restore jobs from running after disabling backups
530+
526531
### PVC Plumber Service
527532

528533
**Purpose**: Checks Kopia repository for existing backups before PVC creation
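Review bot: the new item 3 in this hunk describes the cleanup trigger more narrowly than the policy actually behaves; the documented condition is "backup label is removed from PVC or PVC is deleted", while the policy's condition is that the PVC's `backup` label value is not in `["hourly", "daily"]`, so a PVC labelled with any other value is also treated as orphaned. Suggest wording the bullet as "Deletes ... when the PVC's `backup` label is missing or not one of `hourly`/`daily`, or the PVC no longer exists", and adding a bullet that `kube-system`, `volsync-system` and `kyverno` are excluded, so the documentation matches the policy that enforces it.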

infrastructure/controllers/kyverno/kustomization.yaml

Lines changed: 1 addition & 0 deletions
@@ -6,6 +6,7 @@ resources:
66
- rbac-patch.yaml
77
- policies/volsync-pvc-backup-restore.yaml
88
- policies/volsync-nfs-inject.yaml
9+
- policies/volsync-orphan-cleanup.yaml
910
helmCharts:
1011
- name: kyverno
1112
repo: https://kyverno.github.io/kyverno
Lines changed: 58 additions & 0 deletions
@@ -0,0 +1,58 @@
1+
---
2+
apiVersion: kyverno.io/v2
3+
kind: ClusterCleanupPolicy
4+
metadata:
5+
name: volsync-orphan-cleanup
6+
annotations:
7+
argocd.argoproj.io/sync-wave: "4"
8+
policies.kyverno.io/title: VolSync Orphan Resource Cleanup
9+
policies.kyverno.io/description: >-
10+
Cleans up orphaned VolSync backup resources when the backup label is removed
11+
from the corresponding PVC or the PVC no longer exists. Runs every 15 minutes.
12+
Targets resources generated by the volsync-pvc-backup-restore policy
13+
(identified by app.kubernetes.io/managed-by=kyverno and volsync.backup/pvc labels).
14+
spec:
15+
schedule: "*/15 * * * *"
16+
match:
17+
any:
18+
- resources:
19+
kinds:
20+
- ReplicationSource
21+
- ReplicationDestination
22+
selector:
23+
matchExpressions:
24+
- key: app.kubernetes.io/managed-by
25+
operator: In
26+
values: ["kyverno"]
27+
- key: volsync.backup/pvc
28+
operator: Exists
29+
- resources:
30+
kinds:
31+
- ExternalSecret
32+
selector:
33+
matchExpressions:
34+
- key: app.kubernetes.io/managed-by
35+
operator: In
36+
values: ["kyverno"]
37+
- key: volsync.backup/pvc
38+
operator: Exists
39+
exclude:
40+
any:
41+
- resources:
42+
namespaces:
43+
- kube-system
44+
- volsync-system
45+
- kyverno
46+
context:
47+
- name: pvcName
48+
variable:
49+
jmesPath: 'target.metadata.labels."volsync.backup/pvc"'
50+
- name: pvcBackupLabel
51+
apiCall:
52+
urlPath: "/api/v1/namespaces/{{target.metadata.namespace}}/persistentvolumeclaims"
53+
jmesPath: "items[?metadata.name=='{{pvcName}}'].metadata.labels.backup | [0] || ''"
54+
conditions:
55+
all:
56+
- key: "{{ pvcBackupLabel }}"
57+
operator: NotIn
58+
values: ["hourly", "daily"]
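Review bot: the `conditions` block at the end of this hunk (`operator: NotIn`, `values: ["hourly", "daily"]`) deletes resources for any PVC whose `backup` label carries a value outside that list, not only when the label is removed or the PVC is gone as the description says; a typo such as `Hourly` or a new schedule value added only to the generating `volsync-pvc-backup-restore` policy would silently delete the live ReplicationSource within 15 minutes and stop backups for that PVC. Suggest either deriving the accepted values from one shared place, or tightening the condition to the two cases the description names (label absent, PVC absent) and leaving unknown values untouched. Two smaller points: the `apiCall` lists every PVC in the namespace and filters with JMESPath rather than fetching `.../persistentvolumeclaims/{{pvcName}}` directly, presumably so that a deleted PVC yields `''` instead of a 404 failing the context; that rationale deserves a comment in the file. And because ReplicationDestination is in scope, removing the label during an in-progress restore will delete the destination mid-run, which is worth calling out in the `description` annotation.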

infrastructure/controllers/kyverno/values.yaml

Lines changed: 30 additions & 0 deletions
@@ -62,6 +62,36 @@ cleanupController:
6262
requests:
6363
cpu: 100m
6464
memory: 64Mi
65+
rbac:
66+
clusterRole:
67+
extraResources:
68+
- apiGroups:
69+
- ""
70+
resources:
71+
- persistentvolumeclaims
72+
verbs:
73+
- get
74+
- list
75+
- watch
76+
- apiGroups:
77+
- volsync.backube
78+
resources:
79+
- replicationsources
80+
- replicationdestinations
81+
verbs:
82+
- get
83+
- list
84+
- watch
85+
- delete
86+
- apiGroups:
87+
- external-secrets.io
88+
resources:
89+
- externalsecrets
90+
verbs:
91+
- get
92+
- list
93+
- watch
94+
- delete
6595

6696
reportsController:
6797
replicas: 1
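Review bot: the `extraResources` block in this hunk grants the cleanup controller cluster-wide `delete` on `replicationsources`, `replicationdestinations` and `externalsecrets`; the namespace exclusions (`kube-system`, `volsync-system`, `kyverno`) live only in the ClusterCleanupPolicy, so this ClusterRole itself does not limit where deletes can happen, and anyone able to edit a ClusterCleanupPolicy can direct these deletes at any namespace. Suggest a comment next to the grant stating that scope is enforced by the policy's `exclude` block and that the `persistentvolumeclaims` `get`/`list` entries exist for the policy's `apiCall` context, and confirming whether `watch` is actually exercised by the cleanup controller before keeping it in each verb list.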
