chore(cleanup): add ingress and csi resource cleanup components

contexts/aws-example/blueprint.yaml

@@ -43,6 +43,11 @@ kustomize:
   source: core
   dependsOn:
   - policy-base
+- name: csi
+  path: csi
+  source: core
+  cleanup:
+  - pvcs
 - name: ingress
   path: ingress
   source: core
@@ -53,6 +58,9 @@ kustomize:
   - nginx
   - nginx/flux-webhook
   - nginx/web
+  cleanup:
+  - loadbalancers
+  - ingresses
 - name: pki-base
   path: pki/base
   source: core

kustomize/ingress/cleanup/ingresses/deployment.yaml

@@ -0,0 +1,98 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ingress-cleanup
+  namespace: system-cleanup
+spec:
+  replicas: 1
+  progressDeadlineSeconds: 900
+  selector:
+    matchLabels:
+      app: ingress-cleanup
+  template:
+    metadata:
+      labels:
+        app: ingress-cleanup
+    spec:
+      serviceAccountName: ingress-cleanup
+      volumes:
+      - name: completion
+        emptyDir: {}
+      initContainers:
+      - name: cleanup
+        # renovate: datasource=docker depName=kubectl package=bitnami/kubectl
+        image: bitnami/kubectl:1.33.1
+        env:
+        - name: RESOURCE_WAIT_TIMEOUT
+          value: "300"
+        - name: RESOURCE_CHECK_INTERVAL
+          value: "10"
+        resources:
+          limits:
+            cpu: "100m"
+            memory: "64Mi"
+          requests:
+            cpu: "50m"
+            memory: "32Mi"
+        volumeMounts:
+        - name: completion
+          mountPath: /tmp/cleanup
+        command:
+        - /bin/sh
+        - -c
+        - |
+          echo "Processing Ingresses..."
+          echo "Found Ingresses:"
+          kubectl get ingress --all-namespaces -o name || exit 1
+
+          # Delete all Ingresses
+          echo "Deleting all Ingresses..."
+          kubectl delete ingress --all --all-namespaces || exit 1
+
+          # Wait for Ingresses to be deleted
+          echo "Waiting for Ingresses to be deleted..."
+          while true; do
+            remaining=$(kubectl get ingress --all-namespaces --no-headers 2>/dev/null | wc -l)
+            if [ "$remaining" = "0" ]; then
+              echo "All Ingresses deleted"
+              break
+            fi
+            echo "Still waiting for $remaining Ingresses to be deleted..."
+            # Try to wait for each remaining Ingress
+            for ingress in $(kubectl get ingress --all-namespaces -o name); do
+              kubectl wait --for=delete $ingress --timeout=${RESOURCE_WAIT_TIMEOUT}s || exit 1
+            done
+            sleep ${RESOURCE_CHECK_INTERVAL}
+          done
+
+          # Final verification
+          echo "Verifying cleanup..."
+          echo "Remaining Ingresses:"
+          kubectl get ingress --all-namespaces -o name || exit 1
+          echo "Ingress cleanup completed successfully"
+
+          # Create success file
+          touch /tmp/cleanup/success
+      containers:
+      - name: status
+        # renovate: datasource=docker depName=alpine package=alpine
+        image: alpine:3.21.3
+        resources:
+          limits:
+            cpu: "10m"
+            memory: "16Mi"
+          requests:
+            cpu: "10m"
+            memory: "16Mi"
+        volumeMounts:
+        - name: completion
+          mountPath: /tmp/cleanup
+        command:
+        - /bin/sh
+        - -c
+        - |
+          if [ ! -f /tmp/cleanup/success ]; then
+            exit 1
+          fi
+          sleep infinity 

kustomize/ingress/cleanup/ingresses/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+- rbac.yaml
+- deployment.yaml 

kustomize/ingress/cleanup/ingresses/rbac.yaml

@@ -0,0 +1,28 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ingress-cleanup-role
+rules:
+- apiGroups: ["networking.k8s.io"]
+  resources: ["ingresses"]
+  verbs: ["get", "list", "delete", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: ingress-cleanup-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: ingress-cleanup-role
+subjects:
+- kind: ServiceAccount
+  name: ingress-cleanup
+  namespace: system-cleanup
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ingress-cleanup
+  namespace: system-cleanup 

kustomize/ingress/cleanup/kustomization.yaml

@@ -0,0 +1 @@
+resources: []

kustomize/ingress/cleanup/loadbalancers/deployment.yaml

@@ -0,0 +1,98 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: loadbalancer-cleanup
+  namespace: system-cleanup
+spec:
+  replicas: 1
+  progressDeadlineSeconds: 900
+  selector:
+    matchLabels:
+      app: loadbalancer-cleanup
+  template:
+    metadata:
+      labels:
+        app: loadbalancer-cleanup
+    spec:
+      serviceAccountName: loadbalancer-cleanup
+      volumes:
+      - name: status
+        emptyDir: {}
+      initContainers:
+      - name: cleanup
+        # renovate: datasource=docker depName=kubectl package=bitnami/kubectl
+        image: bitnami/kubectl:1.33.1
+        env:
+        - name: RESOURCE_WAIT_TIMEOUT
+          value: "300"
+        - name: RESOURCE_CHECK_INTERVAL
+          value: "10"
+        resources:
+          limits:
+            cpu: "100m"
+            memory: "64Mi"
+          requests:
+            cpu: "50m"
+            memory: "32Mi"
+        volumeMounts:
+        - name: status
+          mountPath: /tmp/status
+        command:
+        - /bin/sh
+        - -c
+        - |
+          echo "Processing LoadBalancer Services in system-ingress namespace..."
+          echo "Found LoadBalancer Services:"
+          kubectl get services -n system-ingress -o jsonpath='{.items[?(@.spec.type=="LoadBalancer")].metadata.name}' || exit 1
+
+          # Delete all LoadBalancer Services
+          echo "Deleting all LoadBalancer Services..."
+          kubectl delete services -n system-ingress --field-selector spec.type=LoadBalancer || exit 1
+
+          # Wait for LoadBalancer Services to be deleted
+          echo "Waiting for LoadBalancer Services to be deleted..."
+          while true; do
+            remaining=$(kubectl get services -n system-ingress --field-selector spec.type=LoadBalancer --no-headers 2>/dev/null | wc -l)
+            if [ "$remaining" = "0" ]; then
+              echo "All LoadBalancer Services deleted"
+              break
+            fi
+            echo "Still waiting for $remaining LoadBalancer Services to be deleted..."
+            # Try to wait for each remaining Service
+            for svc in $(kubectl get services -n system-ingress --field-selector spec.type=LoadBalancer -o name); do
+              kubectl wait --for=delete $svc --timeout=${RESOURCE_WAIT_TIMEOUT}s || exit 1
+            done
+            sleep ${RESOURCE_CHECK_INTERVAL}
+          done
+
+          # Final verification
+          echo "Verifying cleanup..."
+          echo "Remaining LoadBalancer Services:"
+          kubectl get services -n system-ingress --field-selector spec.type=LoadBalancer -o name || exit 1
+          echo "LoadBalancer cleanup completed successfully"
+
+          # Create success file
+          touch /tmp/status/success
+      containers:
+      - name: pause
+        # renovate: datasource=docker depName=alpine package=alpine
+        image: alpine:3.21.3
+        resources:
+          limits:
+            cpu: "10m"
+            memory: "16Mi"
+          requests:
+            cpu: "10m"
+            memory: "16Mi"
+        volumeMounts:
+        - name: status
+          mountPath: /tmp/status
+        command:
+        - /bin/sh
+        - -c
+        - |
+          if [ ! -f /tmp/status/success ]; then
+            exit 1
+          fi
+          sleep infinity 

kustomize/ingress/cleanup/loadbalancers/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+- rbac.yaml
+- deployment.yaml 

kustomize/ingress/cleanup/loadbalancers/rbac.yaml

@@ -0,0 +1,28 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: loadbalancer-cleanup-role
+rules:
+- apiGroups: [""]
+  resources: ["services"]
+  verbs: ["get", "list", "delete", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: loadbalancer-cleanup-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: loadbalancer-cleanup-role
+subjects:
+- kind: ServiceAccount
+  name: loadbalancer-cleanup
+  namespace: system-cleanup
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: loadbalancer-cleanup
+  namespace: system-cleanup