rancher-partner-charts/charts/f5/nginx-service-mesh/templates/post-delete-hook.yaml

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: post-delete
  labels:
    app.kubernetes.io/part-of: nginx-service-mesh
  annotations:
    "helm.sh/hook": post-delete
    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
    "helm.sh/hook-weight": "-5"
imagePullSecrets:
- name: {{ include "registry-key-name" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: post-delete.builtin.nsm.nginx
  labels:
    app.kubernetes.io/part-of: nginx-service-mesh
  annotations:
    "helm.sh/hook": post-delete
    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
    "helm.sh/hook-weight": "-5"
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["delete"]
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["list"]
- apiGroups: ["spiffeid.spiffe.io"]
  resources: ["spiffeids"]
  verbs: ["get", "list", "patch", "update"]
{{- if eq .Values.environment "openshift" }}
- apiGroups: ["security.openshift.io"]
  resources: ["securitycontextconstraints"]
  resourceNames: ["post-delete-permissions.builtin.nsm.nginx"]
  verbs: ["use"]
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: post-delete.builtin.nsm.nginx
  labels:
    app.kubernetes.io/part-of: nginx-service-mesh
  annotations:
    "helm.sh/hook": post-delete
    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
    "helm.sh/hook-weight": "-5"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: post-delete.builtin.nsm.nginx
subjects:
- kind: ServiceAccount
  name: post-delete
  namespace: {{ .Release.Namespace }}
{{- if (include "docker-config-json" .) }}
---
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "registry-key-name" . }}
  labels:
    app.kubernetes.io/part-of: nginx-service-mesh
  annotations:
    "helm.sh/hook": post-delete
    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
    "helm.sh/hook-weight": "-5"
data:
  .dockerconfigjson: {{ include "docker-config-json" . | b64enc }}
type: kubernetes.io/dockerconfigjson
{{- end }}
---
apiVersion: batch/v1
kind: Job
metadata:
  name: remove-spiffeids
  labels:
    app.kubernetes.io/part-of: nginx-service-mesh
  annotations:
    "helm.sh/hook": post-delete
    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
    "helm.sh/hook-weight": "0"
spec:
  template:
    metadata:
      name: remove-spiffeids
    spec:
      restartPolicy: Never
      serviceAccountName: post-delete
      containers:
      - name: remove-spiffeids
        image: {{ include "hook.image-server" . }}/kubectl
        imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
        securityContext:
          allowPrivilegeEscalation: false
          privileged: false
          runAsUser: 101 #nginx
        command:
        - /bin/sh
        - -c
        - |
          for ns in $(kubectl get ns --no-headers -o custom-columns=":metadata.name"); do
            if [ $(kubectl get spiffeids -n $ns 2>/dev/null | wc -l) -ne 0 ]; then
              kubectl patch spiffeid $(kubectl get spiffeids -n $ns | awk '{print $1}' | tail -n +2) --type='merge' -p '{"metadata":{"finalizers":null}}' -n $ns
            fi
          done
{{- if (include "docker-config-json" .) }}
---
apiVersion: batch/v1
kind: Job
metadata:
  name: remove-registry-secrets
  labels:
    app.kubernetes.io/part-of: nginx-service-mesh
  annotations:
    "helm.sh/hook": post-delete
    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
    "helm.sh/hook-weight": "0"
spec:
  template:
    metadata:
      name: remove-registry-secrets
    spec:
      restartPolicy: Never
      serviceAccountName: post-delete
      containers:
      - name: remove-registry-secrets
        image: {{ include "hook.image-server" . }}/kubectl
        imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
        securityContext:
          allowPrivilegeEscalation: false
          privileged: false
          runAsUser: 101 #nginx
        command:
        - /bin/sh
        - -c
        - |
          for ns in $(kubectl get ns --no-headers -o custom-columns=":metadata.name" | grep -v {{ .Release.Namespace }}); do
            kubectl -n $ns delete secret {{ include "registry-key-name" . }} --ignore-not-found
          done
{{- end }}
{{- if eq .Values.environment "openshift" }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: post-delete-csi
  labels:
    app.kubernetes.io/part-of: nginx-service-mesh
  annotations:
    "helm.sh/hook": post-delete
    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
    "helm.sh/hook-weight": "-5"
imagePullSecrets:
- name: {{ include "registry-key-name" . }}
---
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: post-delete-permissions.builtin.nsm.nginx
  labels:
    app.kubernetes.io/part-of: nginx-service-mesh
  annotations:
    "helm.sh/hook": post-delete
    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
    "helm.sh/hook-weight": "-5"
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegedContainer: false
seLinuxContext:
  type: MustRunAs
runAsUser:
  type: RunAsAny
readOnlyRootFilesystem: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: post-delete-csi.builtin.nsm.nginx
  labels:
    app.kubernetes.io/part-of: nginx-service-mesh
  annotations:
    "helm.sh/hook": post-delete
    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
    "helm.sh/hook-weight": "-5"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: post-delete-csi
  namespace: {{ .Release.Namespace }}
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: csi-driver-cleanup
  labels:
    app.kubernetes.io/part-of: nginx-service-mesh
  annotations:
    "helm.sh/hook": post-delete
    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
    "helm.sh/hook-weight": "-5"
data:
  sentinel.yaml: |
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: csi-driver-sentinel
      labels:
        app.kubernetes.io/part-of: nginx-service-mesh
    imagePullSecrets:
    - name: {{ include "registry-key-name" . }}
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: csi-driver-sentinel.builtin.nsm.nginx
      labels:
        app.kubernetes.io/part-of: nginx-service-mesh
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: cluster-admin
    subjects:
    - kind: ServiceAccount
      name: csi-driver-sentinel
      namespace: {{ .Release.Namespace }}
    ---
    apiVersion: batch/v1
    kind: Job
    metadata:
      name: csi-driver-sentinel
      labels:
        app.kubernetes.io/part-of: nginx-service-mesh
    spec:
      ttlSecondsAfterFinished: 0
      template:
        spec:
          restartPolicy: Never
          serviceAccountName: csi-driver-sentinel
          containers:
          - name: csi-driver-sentinel
            image: {{ include "hook.image-server" . }}/kubectl
            imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
            command:
            - /bin/sh
            - -c
            - |
              while [ $(kubectl get pods -A -o=jsonpath='{.items[?(@.metadata.annotations.injector\.nsm\.nginx\.com/status=="injected")].metadata.name}' | wc -w) -gt 0 ]; do
                sleep 5
              done
              kubectl delete daemonset spiffe-csi-driver --ignore-not-found
              kubectl delete serviceaccount spiffe-csi-driver --ignore-not-found
              kubectl delete clusterrole system:openshift:scc:nginx-mesh-spiffe-csi-driver-permissions --ignore-not-found
              kubectl delete rolebinding system:openshift:scc:nginx-mesh-spiffe-csi-driver-permissions --ignore-not-found
              kubectl delete scc nginx-mesh-spiffe-csi-driver-permissions --ignore-not-found
              kubectl delete scc nginx-mesh-sidecar-permissions --ignore-not-found
              kubectl delete secret {{ include "registry-key-name" . }} --ignore-not-found
              kubectl delete serviceaccount csi-driver-sentinel --ignore-not-found
              kubectl delete clusterrolebinding csi-driver-sentinel.builtin.nsm.nginx --ignore-not-found
  {{- if (include "docker-config-json" .) }}
  secret.yaml: |
    ---
    apiVersion: v1
    kind: Secret
    metadata:
      name: {{ include "registry-key-name" . }}
      labels:
        app.kubernetes.io/part-of: nginx-service-mesh
    data:
      .dockerconfigjson: {{ include "docker-config-json" . | b64enc }}
    type: kubernetes.io/dockerconfigjson
  {{- end }}
---
apiVersion: batch/v1
kind: Job
metadata:
  name: csi-driver-cleanup
  labels:
    app.kubernetes.io/part-of: nginx-service-mesh
  annotations:
    "helm.sh/hook": post-delete
    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
    "helm.sh/hook-weight": "5"
spec:
  template:
    metadata:
      name: csi-driver-cleanup
    spec:
      restartPolicy: Never
      serviceAccountName: post-delete-csi
      containers:
      - name: csi-driver-cleanup
        image: {{ include "hook.image-server" . }}/kubectl
        imagePullPolicy: {{ .Values.registry.imagePullPolicy }}
        securityContext:
          allowPrivilegeEscalation: false
          privileged: false
          runAsUser: 101 #nginx
        command:
        - /bin/sh
        - -c
        - |
          res=$(kubectl get pods -o=jsonpath='{.items[?(@.metadata.annotations.injector\.nsm\.nginx\.com/status=="injected")].metadata.name}' -A | wc -w)
          if [ $res -eq 0 ]; then
            kubectl delete daemonset spiffe-csi-driver --ignore-not-found
            kubectl delete serviceaccount spiffe-csi-driver --ignore-not-found
            kubectl delete clusterrole system:openshift:scc:nginx-mesh-spiffe-csi-driver-permissions --ignore-not-found
            kubectl delete rolebinding system:openshift:scc:nginx-mesh-spiffe-csi-driver-permissions --ignore-not-found
            kubectl delete scc nginx-mesh-spiffe-csi-driver-permissions --ignore-not-found
            kubectl delete scc nginx-mesh-sidecar-permissions --ignore-not-found
          else
            {{- if (include "docker-config-json" .) }}
            kubectl get secret {{ include "registry-key-name" . }}
            if [ $? != 0 ]; then
              kubectl create -f /tmp/config/secret.yaml
            fi
            {{- end }}
            kubectl create -f /tmp/config/sentinel.yaml
          fi
        volumeMounts:
        - name: sentinel
          mountPath: /tmp/config
      volumes:
      - name: sentinel
        configMap:
          name: csi-driver-cleanup
{{- end }}