--- apiVersion: v1 kind: ServiceAccount metadata: name: post-delete labels: app.kubernetes.io/part-of: nginx-service-mesh annotations: "helm.sh/hook": post-delete "helm.sh/hook-delete-policy": hook-succeeded,hook-failed "helm.sh/hook-weight": "-5" imagePullSecrets: - name: {{ include "registry-key-name" . }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: post-delete.builtin.nsm.nginx labels: app.kubernetes.io/part-of: nginx-service-mesh annotations: "helm.sh/hook": post-delete "helm.sh/hook-delete-policy": hook-succeeded,hook-failed "helm.sh/hook-weight": "-5" rules: - apiGroups: [""] resources: ["secrets"] verbs: ["delete"] - apiGroups: [""] resources: ["namespaces"] verbs: ["list"] - apiGroups: ["spiffeid.spiffe.io"] resources: ["spiffeids"] verbs: ["get", "list", "patch", "update"] {{- if eq .Values.environment "openshift" }} - apiGroups: ["security.openshift.io"] resources: ["securitycontextconstraints"] resourceNames: ["post-delete-permissions.builtin.nsm.nginx"] verbs: ["use"] {{- end }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: post-delete.builtin.nsm.nginx labels: app.kubernetes.io/part-of: nginx-service-mesh annotations: "helm.sh/hook": post-delete "helm.sh/hook-delete-policy": hook-succeeded,hook-failed "helm.sh/hook-weight": "-5" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: post-delete.builtin.nsm.nginx subjects: - kind: ServiceAccount name: post-delete namespace: {{ .Release.Namespace }} {{- if (include "docker-config-json" .) }} --- apiVersion: v1 kind: Secret metadata: name: {{ include "registry-key-name" . }} labels: app.kubernetes.io/part-of: nginx-service-mesh annotations: "helm.sh/hook": post-delete "helm.sh/hook-delete-policy": hook-succeeded,hook-failed "helm.sh/hook-weight": "-5" data: .dockerconfigjson: {{ include "docker-config-json" . | b64enc }} type: kubernetes.io/dockerconfigjson {{- end }} --- apiVersion: batch/v1 kind: Job metadata: name: remove-spiffeids labels: app.kubernetes.io/part-of: nginx-service-mesh annotations: "helm.sh/hook": post-delete "helm.sh/hook-delete-policy": hook-succeeded,hook-failed "helm.sh/hook-weight": "0" spec: template: metadata: name: remove-spiffeids spec: restartPolicy: Never serviceAccountName: post-delete containers: - name: remove-spiffeids image: {{ include "hook.image-server" . }}/kubectl imagePullPolicy: {{ .Values.registry.imagePullPolicy }} securityContext: allowPrivilegeEscalation: false privileged: false runAsUser: 101 #nginx command: - /bin/sh - -c - | for ns in $(kubectl get ns --no-headers -o custom-columns=":metadata.name"); do if [ $(kubectl get spiffeids -n $ns 2>/dev/null | wc -l) -ne 0 ]; then kubectl patch spiffeid $(kubectl get spiffeids -n $ns | awk '{print $1}' | tail -n +2) --type='merge' -p '{"metadata":{"finalizers":null}}' -n $ns fi done {{- if (include "docker-config-json" .) }} --- apiVersion: batch/v1 kind: Job metadata: name: remove-registry-secrets labels: app.kubernetes.io/part-of: nginx-service-mesh annotations: "helm.sh/hook": post-delete "helm.sh/hook-delete-policy": hook-succeeded,hook-failed "helm.sh/hook-weight": "0" spec: template: metadata: name: remove-registry-secrets spec: restartPolicy: Never serviceAccountName: post-delete containers: - name: remove-registry-secrets image: {{ include "hook.image-server" . }}/kubectl imagePullPolicy: {{ .Values.registry.imagePullPolicy }} securityContext: allowPrivilegeEscalation: false privileged: false runAsUser: 101 #nginx command: - /bin/sh - -c - | for ns in $(kubectl get ns --no-headers -o custom-columns=":metadata.name" | grep -v {{ .Release.Namespace }}); do kubectl -n $ns delete secret {{ include "registry-key-name" . }} --ignore-not-found done {{- end }} {{- if eq .Values.environment "openshift" }} --- apiVersion: v1 kind: ServiceAccount metadata: name: post-delete-csi labels: app.kubernetes.io/part-of: nginx-service-mesh annotations: "helm.sh/hook": post-delete "helm.sh/hook-delete-policy": hook-succeeded,hook-failed "helm.sh/hook-weight": "-5" imagePullSecrets: - name: {{ include "registry-key-name" . }} --- apiVersion: security.openshift.io/v1 kind: SecurityContextConstraints metadata: name: post-delete-permissions.builtin.nsm.nginx labels: app.kubernetes.io/part-of: nginx-service-mesh annotations: "helm.sh/hook": post-delete "helm.sh/hook-delete-policy": hook-succeeded,hook-failed "helm.sh/hook-weight": "-5" allowHostDirVolumePlugin: false allowHostIPC: false allowHostNetwork: false allowHostPID: false allowHostPorts: false allowPrivilegedContainer: false seLinuxContext: type: MustRunAs runAsUser: type: RunAsAny readOnlyRootFilesystem: false --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: post-delete-csi.builtin.nsm.nginx labels: app.kubernetes.io/part-of: nginx-service-mesh annotations: "helm.sh/hook": post-delete "helm.sh/hook-delete-policy": hook-succeeded,hook-failed "helm.sh/hook-weight": "-5" roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - kind: ServiceAccount name: post-delete-csi namespace: {{ .Release.Namespace }} --- apiVersion: v1 kind: ConfigMap metadata: name: csi-driver-cleanup labels: app.kubernetes.io/part-of: nginx-service-mesh annotations: "helm.sh/hook": post-delete "helm.sh/hook-delete-policy": hook-succeeded,hook-failed "helm.sh/hook-weight": "-5" data: sentinel.yaml: | --- apiVersion: v1 kind: ServiceAccount metadata: name: csi-driver-sentinel labels: app.kubernetes.io/part-of: nginx-service-mesh imagePullSecrets: - name: {{ include "registry-key-name" . }} --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: csi-driver-sentinel.builtin.nsm.nginx labels: app.kubernetes.io/part-of: nginx-service-mesh roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: cluster-admin subjects: - kind: ServiceAccount name: csi-driver-sentinel namespace: {{ .Release.Namespace }} --- apiVersion: batch/v1 kind: Job metadata: name: csi-driver-sentinel labels: app.kubernetes.io/part-of: nginx-service-mesh spec: ttlSecondsAfterFinished: 0 template: spec: restartPolicy: Never serviceAccountName: csi-driver-sentinel containers: - name: csi-driver-sentinel image: {{ include "hook.image-server" . }}/kubectl imagePullPolicy: {{ .Values.registry.imagePullPolicy }} command: - /bin/sh - -c - | while [ $(kubectl get pods -A -o=jsonpath='{.items[?(@.metadata.annotations.injector\.nsm\.nginx\.com/status=="injected")].metadata.name}' | wc -w) -gt 0 ]; do sleep 5 done kubectl delete daemonset spiffe-csi-driver --ignore-not-found kubectl delete serviceaccount spiffe-csi-driver --ignore-not-found kubectl delete clusterrole system:openshift:scc:nginx-mesh-spiffe-csi-driver-permissions --ignore-not-found kubectl delete rolebinding system:openshift:scc:nginx-mesh-spiffe-csi-driver-permissions --ignore-not-found kubectl delete scc nginx-mesh-spiffe-csi-driver-permissions --ignore-not-found kubectl delete scc nginx-mesh-sidecar-permissions --ignore-not-found kubectl delete secret {{ include "registry-key-name" . }} --ignore-not-found kubectl delete serviceaccount csi-driver-sentinel --ignore-not-found kubectl delete clusterrolebinding csi-driver-sentinel.builtin.nsm.nginx --ignore-not-found {{- if (include "docker-config-json" .) }} secret.yaml: | --- apiVersion: v1 kind: Secret metadata: name: {{ include "registry-key-name" . }} labels: app.kubernetes.io/part-of: nginx-service-mesh data: .dockerconfigjson: {{ include "docker-config-json" . | b64enc }} type: kubernetes.io/dockerconfigjson {{- end }} --- apiVersion: batch/v1 kind: Job metadata: name: csi-driver-cleanup labels: app.kubernetes.io/part-of: nginx-service-mesh annotations: "helm.sh/hook": post-delete "helm.sh/hook-delete-policy": hook-succeeded,hook-failed "helm.sh/hook-weight": "5" spec: template: metadata: name: csi-driver-cleanup spec: restartPolicy: Never serviceAccountName: post-delete-csi containers: - name: csi-driver-cleanup image: {{ include "hook.image-server" . }}/kubectl imagePullPolicy: {{ .Values.registry.imagePullPolicy }} securityContext: allowPrivilegeEscalation: false privileged: false runAsUser: 101 #nginx command: - /bin/sh - -c - | res=$(kubectl get pods -o=jsonpath='{.items[?(@.metadata.annotations.injector\.nsm\.nginx\.com/status=="injected")].metadata.name}' -A | wc -w) if [ $res -eq 0 ]; then kubectl delete daemonset spiffe-csi-driver --ignore-not-found kubectl delete serviceaccount spiffe-csi-driver --ignore-not-found kubectl delete clusterrole system:openshift:scc:nginx-mesh-spiffe-csi-driver-permissions --ignore-not-found kubectl delete rolebinding system:openshift:scc:nginx-mesh-spiffe-csi-driver-permissions --ignore-not-found kubectl delete scc nginx-mesh-spiffe-csi-driver-permissions --ignore-not-found kubectl delete scc nginx-mesh-sidecar-permissions --ignore-not-found else {{- if (include "docker-config-json" .) }} kubectl get secret {{ include "registry-key-name" . }} if [ $? != 0 ]; then kubectl create -f /tmp/config/secret.yaml fi {{- end }} kubectl create -f /tmp/config/sentinel.yaml fi volumeMounts: - name: sentinel mountPath: /tmp/config volumes: - name: sentinel configMap: name: csi-driver-cleanup {{- end }}