Add cleanup modes to namespace toHost syncing (#2856)

* Add imported marked annotation to prevent deletion of imported namespaces

* Add hostNamespaces config struct to vcluster config

* Add GetValues to helm client implementation

* Add cleanup handlers for namespaces and use them when removing vcluster helm release

* Move cleanup code to pkg/cli, simplify helm.GetValues

* Fix errors logging

* Disable UID deletion for namespace importer

This caused recreation of namespaces imported into vclsuter on host

* Rename vcluster config in delete helm cmd

Author: janekbaraniewski

chart/values.schema.json

@@ -3645,6 +3645,16 @@
         "scope"
       ]
     },
+    "SyncHostSettings": {
+      "properties": {
+        "cleanup": {
+          "type": "string",
+          "description": "Cleanup defines the cleanup policy for host resources when vCluster is deleted.\nAllowed values: \"all\", \"synced\", \"none\"."
+        }
+      },
+      "additionalProperties": false,
+      "type": "object"
+    },
     "SyncNodeSelector": {
       "properties": {
         "all": {
@@ -3898,6 +3908,10 @@
           },
           "type": "object",
           "description": "ExtraLabels are additional labels to add to the namespace in the host cluster."
+        },
+        "hostNamespaces": {
+          "$ref": "#/$defs/SyncHostSettings",
+          "description": "HostNamespaces defines configuration for handling host namespaces."
         }
       },
       "additionalProperties": false,

chart/values.yaml

@@ -108,6 +108,11 @@ sync:
       enabled: false
       # MappingsOnly defines if creation of namespaces not matched by mappings should be allowed.
       mappingsOnly: false
+      # HostNamespaces defines configuration for handling host namespaces.
+      hostNamespaces:
+        # Cleanup defines the cleanup policy for host resources when vCluster is deleted.
+        # Allowed values: "all", "synced", "none".
+        cleanup: "synced"
 
   # Configure what resources vCluster should sync from the host cluster to the virtual cluster.
   fromHost:

config/config.go

@@ -896,6 +896,27 @@ type SyncToHostNamespaces struct {
 
 	// ExtraLabels are additional labels to add to the namespace in the host cluster.
 	ExtraLabels map[string]string `json:"extraLabels,omitempty"`
+
+	// HostNamespaces defines configuration for handling host namespaces.
+	HostNamespaces SyncHostSettings `json:"hostNamespaces,omitempty"`
+}
+
+// HostDeletionPolicy defines the policy for deletion of synced host resources.
+type HostDeletionPolicy string
+
+const (
+	// HostDeletionPolicyAll signifies a policy affecting all resources in host cluster matching any of syncing rules.
+	HostDeletionPolicyAll HostDeletionPolicy = "all"
+	// HostDeletionPolicySynced signifies a policy affecting only resources in host cluster created through syncing process from vCluster.
+	HostDeletionPolicySynced HostDeletionPolicy = "synced"
+	// HostDeletionPolicyNone signifies that no host resources are affected by this policy.
+	HostDeletionPolicyNone HostDeletionPolicy = "none"
+)
+
+type SyncHostSettings struct {
+	// Cleanup defines the cleanup policy for host resources when vCluster is deleted.
+	// Allowed values: "all", "synced", "none".
+	Cleanup HostDeletionPolicy `json:"cleanup,omitempty"`
 }
 
 type SyncToHostCustomResource struct {

config/values.yaml

@@ -57,6 +57,8 @@ sync:
     namespaces:
       enabled: false
       mappingsOnly: false
+      hostNamespaces:
+        cleanup: "synced"
 
   fromHost:
     events:

pkg/cli/cleanup_namespaces.go

@@ -0,0 +1,167 @@
+package cli
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"github.com/loft-sh/log"
+	"github.com/loft-sh/vcluster/config"
+	"github.com/loft-sh/vcluster/pkg/util/namespaces"
+	"github.com/loft-sh/vcluster/pkg/util/translate"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+)
+
+// NamespaceCleanupHandler defines the function signature for namespace cleanup operations.
+type NamespaceCleanupHandler func(
+	ctx context.Context,
+	mainPhysicalNamespace string,
+	vClusterName string,
+	nsSyncConfig config.SyncToHostNamespaces,
+	k8sClient *kubernetes.Clientset,
+	logger log.Logger,
+) error
+
+// GetNamespaceCleanupHandler returns a NamespaceCleanupHandler function based on the provided policy.
+func GetNamespaceCleanupHandler(policy config.HostDeletionPolicy) (NamespaceCleanupHandler, error) {
+	switch policy {
+	case config.HostDeletionPolicyAll:
+		return cleanupAllNamespaces, nil
+	case config.HostDeletionPolicySynced:
+		return cleanupSyncedNamespaces, nil
+	case config.HostDeletionPolicyNone:
+		return cleanupNoneNamespaces, nil
+	default:
+		return nil, fmt.Errorf("unsupported host namespace cleanup policy: %s", policy)
+	}
+}
+
+// cleanupNoneNamespaces is a no-op handler for the 'none' policy.
+func cleanupNoneNamespaces(
+	_ context.Context,
+	_ string, _ string,
+	_ config.SyncToHostNamespaces,
+	_ *kubernetes.Clientset,
+	_ log.Logger,
+) error {
+	return nil
+}
+
+// cleanupSyncedNamespaces handles deletion of namespaces for the 'synced' policy.
+// It deletes namespaces from the host cluster that were created as a result of syncing process from vCluster,
+func cleanupSyncedNamespaces(
+	ctx context.Context,
+	mainPhysicalNamespace string,
+	vClusterName string,
+	_ config.SyncToHostNamespaces,
+	k8sClient *kubernetes.Clientset,
+	logger log.Logger,
+) error {
+	logger.Infof("Starting cleanup of vCluster '%s' namespaces.", vClusterName)
+
+	if mainPhysicalNamespace == "" || vClusterName == "" {
+		return fmt.Errorf("main physical namespace or vCluster name is empty")
+	}
+
+	labelSelector := translate.MarkerLabel + "=" + translate.SafeConcatName(mainPhysicalNamespace, "x", vClusterName)
+	nsList, err := k8sClient.CoreV1().Namespaces().List(ctx, metav1.ListOptions{LabelSelector: labelSelector})
+	if err != nil {
+		return fmt.Errorf("list namespaces: %w", err)
+	}
+
+	if nsList == nil || len(nsList.Items) == 0 {
+		logger.Infof("No additional managed namespaces found with label selector '%s'.", labelSelector)
+		return nil
+	}
+
+	var errs []error
+	for _, ns := range nsList.Items {
+		// Check if namespace was imported, if yes we skip deletion for 'synced' policy.
+		if ns.Annotations != nil && ns.Annotations[translate.ImportedMarkerAnnotation] == "true" {
+			logger.Infof("Namespace %s was imported, skip cleanup.", ns.Name)
+			continue
+		}
+
+		logger.Infof("Attempting to delete virtual cluster namespace %s.", ns.Name)
+		err := k8sClient.CoreV1().Namespaces().Delete(ctx, ns.Name, metav1.DeleteOptions{})
+		if err != nil {
+			errs = append(errs, fmt.Errorf("namespace %s: %w", ns.Name, err))
+		} else {
+			logger.Donef("Successfully deleted virtual cluster namespace %s.", ns.Name)
+		}
+	}
+
+	if len(errs) > 0 {
+		return fmt.Errorf("cleanup of vCluster '%s' namespaces finished with errors: %w", vClusterName, errors.Join(errs...))
+	}
+
+	logger.Infof("Cleanup of vCluster '%s' namespaces finished.", vClusterName)
+	return nil
+}
+
+// cleanupAllNamespaces handles deletion of namespaces for the 'all' policy.
+// It deletes all namespaces matching target patterns in mappings, regardless of whether they were imported, created through syncing or not.
+func cleanupAllNamespaces(
+	ctx context.Context,
+	_ string,
+	vClusterName string,
+	nsSyncConfig config.SyncToHostNamespaces,
+	k8sClient *kubernetes.Clientset,
+	logger log.Logger,
+) error {
+	logger.Infof("Starting cleanup of vCluster '%s' namespaces.", vClusterName)
+	mappingsConfig := nsSyncConfig.Mappings
+
+	if len(mappingsConfig.ByName) == 0 {
+		logger.Infof("No namespace mappings defined.")
+		logger.Infof("Cleanup of vCluster '%s' namespaces finished.", vClusterName)
+		return nil
+	}
+	logger.Debugf("Processing %d namespace mappings for potential deletion.", len(mappingsConfig.ByName))
+
+	hostNamespaces, err := k8sClient.CoreV1().Namespaces().List(ctx, metav1.ListOptions{})
+	if err != nil {
+		return fmt.Errorf("list all host namespaces for mapping check: %w", err)
+	}
+
+	if hostNamespaces == nil || len(hostNamespaces.Items) == 0 {
+		logger.Infof("No host namespaces found to check against mappings.")
+		logger.Infof("Cleanup of vCluster '%s' namespaces finished - no namespaces found.", vClusterName)
+		return nil
+	}
+
+	var errs []error
+	for _, hostNs := range hostNamespaces.Items {
+		// Check if this hostNs matches any mapping rule target
+		for _, hostTargetPatternRaw := range mappingsConfig.ByName {
+			processedHostTargetPattern := namespaces.ProcessNamespaceName(hostTargetPatternRaw, vClusterName)
+
+			var currentRuleMatches bool
+			if namespaces.IsPattern(processedHostTargetPattern) {
+				_, currentRuleMatches = namespaces.MatchAndExtractWildcard(hostNs.Name, processedHostTargetPattern)
+			} else {
+				currentRuleMatches = (hostNs.Name == processedHostTargetPattern)
+			}
+
+			if currentRuleMatches {
+				logger.Infof("Attempting to delete virtual cluster namespace %s.", hostNs.Name)
+				err := k8sClient.CoreV1().Namespaces().Delete(ctx, hostNs.Name, metav1.DeleteOptions{})
+				if err != nil {
+					errs = append(errs, fmt.Errorf("delete virtual cluster namespace %s: %w", hostNs.Name, err))
+				} else {
+					logger.Donef("Successfully deleted virtual cluster namespace %s.", hostNs.Name)
+				}
+				// This namespace has been handled. Skip other mappings and move to the next one.
+				break
+			}
+		}
+	}
+
+	if len(errs) > 0 {
+		return fmt.Errorf("cleanup of vCluster '%s' namespaces finished with errors: %w", vClusterName, errors.Join(errs...))
+	}
+
+	logger.Infof("Cleanup of vCluster '%s' namespaces finished.", vClusterName)
+	return nil
+}

pkg/cli/delete_helm.go

@@ -7,8 +7,10 @@ import (
 	"os/exec"
 	"time"
 
+	"github.com/ghodss/yaml"
 	managementv1 "github.com/loft-sh/api/v4/pkg/apis/management/v1"
 	"github.com/loft-sh/log"
+	"github.com/loft-sh/vcluster/config"
 	"github.com/loft-sh/vcluster/pkg/cli/find"
 	"github.com/loft-sh/vcluster/pkg/cli/flags"
 	"github.com/loft-sh/vcluster/pkg/cli/localkubernetes"
@@ -117,9 +119,22 @@ func DeleteHelm(ctx context.Context, platformClient platform.Client, options *De
 		}
 	}
 
+	helmClient := helm.NewClient(cmd.rawConfig, cmd.log, helmBinaryPath)
+	// before removing vCluster release, we need to get the config from values for later use
+	values, err := helmClient.GetValues(ctx, vClusterName, cmd.Namespace, true)
+	if err != nil {
+		return err
+	}
+
+	vclusterConfig := &config.Config{}
+	err = yaml.Unmarshal(values, vclusterConfig)
+	if err != nil {
+		return err
+	}
+
 	// we have to delete the chart
 	cmd.log.Infof("Delete vcluster %s...", vClusterName)
-	err = helm.NewClient(cmd.rawConfig, cmd.log, helmBinaryPath).Delete(vClusterName, cmd.Namespace)
+	err = helmClient.Delete(vClusterName, cmd.Namespace)
 	if err != nil {
 		return err
 	}
@@ -179,7 +194,18 @@ func DeleteHelm(ctx context.Context, platformClient platform.Client, options *De
 		cmd.DeleteNamespace = false
 	}
 
-	// try to delete the namespace
+	// if namespace sync is enabled, use cleanup handlers to handle namespace cleanup
+	if vclusterConfig.Sync.ToHost.Namespaces.Enabled {
+		runNamespaceCleanup, err := GetNamespaceCleanupHandler(vclusterConfig.Sync.ToHost.Namespaces.HostNamespaces.Cleanup)
+		if err != nil {
+			return fmt.Errorf("get cleanup handler: %w", err)
+		}
+		if err := runNamespaceCleanup(ctx, cmd.Namespace, vClusterName, vclusterConfig.Sync.ToHost.Namespaces, cmd.kubeClient, cmd.log); err != nil {
+			return fmt.Errorf("run namespace cleanup: %w", err)
+		}
+	}
+
+	// check if we should cleanup vCluster host namespace
 	if cmd.DeleteNamespace {
 		// delete namespace
 		err = cmd.kubeClient.CoreV1().Namespaces().Delete(ctx, cmd.Namespace, metav1.DeleteOptions{})
@@ -191,29 +217,7 @@ func DeleteHelm(ctx context.Context, platformClient platform.Client, options *De
 			cmd.log.Donef("Successfully deleted virtual cluster namespace %s", cmd.Namespace)
 		}
 
-		// delete multi namespace mode namespaces
-		namespaces, err := cmd.kubeClient.CoreV1().Namespaces().List(ctx, metav1.ListOptions{
-			LabelSelector: translate.MarkerLabel + "=" + translate.SafeConcatName(cmd.Namespace, "x", vClusterName),
-		})
-		if err != nil && !kerrors.IsForbidden(err) {
-			return fmt.Errorf("list namespaces: %w", err)
-		}
-
-		// delete all namespaces
-		if namespaces != nil && len(namespaces.Items) > 0 {
-			for _, namespace := range namespaces.Items {
-				err = cmd.kubeClient.CoreV1().Namespaces().Delete(ctx, namespace.Name, metav1.DeleteOptions{})
-				if err != nil {
-					if !kerrors.IsNotFound(err) {
-						return fmt.Errorf("delete namespace: %w", err)
-					}
-				} else {
-					cmd.log.Donef("Successfully deleted virtual cluster namespace %s", namespace.Name)
-				}
-			}
-		}
-
-		// wait for vcluster deletion
+		// wait for namespace deletion
 		if cmd.Wait {
 			cmd.log.Info("Waiting for virtual cluster to be deleted...")
 			for {

pkg/controllers/resources/namespaces/syncer.go

@@ -10,6 +10,7 @@ import (
 	"github.com/loft-sh/vcluster/pkg/syncer/synccontext"
 	"github.com/loft-sh/vcluster/pkg/syncer/translator"
 	syncertypes "github.com/loft-sh/vcluster/pkg/syncer/types"
+	"github.com/loft-sh/vcluster/pkg/util/translate"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
@@ -67,7 +68,8 @@ var _ syncertypes.OptionsProvider = &namespaceSyncer{}
 
 func (s *namespaceSyncer) Options() *syncertypes.Options {
 	return &syncertypes.Options{
-		ObjectCaching: true,
+		ObjectCaching:      true,
+		DisableUIDDeletion: true,
 	}
 }
 
@@ -110,13 +112,31 @@ func (s *namespaceSyncer) Sync(ctx *synccontext.SyncContext, event *synccontext.
 func (s *namespaceSyncer) SyncToVirtual(ctx *synccontext.SyncContext, event *synccontext.SyncToVirtualEvent[*corev1.Namespace]) (_ ctrl.Result, retErr error) {
 	// virtual object is not here anymore, so we delete
 	if event.VirtualOld != nil || event.Host.DeletionTimestamp != nil {
+		// first, lets check if host object was imported - if so, we don't delete it
+		if event.Host.Annotations != nil && event.Host.Annotations[translate.ImportedMarkerAnnotation] == "true" {
+			ctx.Log.Infof("host object %s/%s was imported, not deleting it", event.Host.Namespace, event.Host.Name)
+			return ctrl.Result{}, nil
+		}
+
 		return patcher.DeleteHostObject(ctx, event.Host, event.VirtualOld, "virtual object was deleted")
 	}
 
+	// add marker annotation to host object and update it
+	_, err := controllerutil.CreateOrPatch(ctx, ctx.PhysicalClient, event.Host, func() error {
+		if event.Host.Annotations == nil {
+			event.Host.Annotations = map[string]string{}
+		}
+		event.Host.Annotations[translate.ImportedMarkerAnnotation] = "true"
+		return nil
+	})
+	if err != nil {
+		return ctrl.Result{}, fmt.Errorf("create or patch host object: %w", err)
+	}
+
 	newNamespace := s.translateToVirtual(ctx, event.Host)
 	ctx.Log.Infof("create virtual namespace %s", newNamespace.Name)
 
-	err := pro.ApplyPatchesVirtualObject(ctx, nil, newNamespace, event.Host, ctx.Config.Sync.ToHost.Namespaces.Patches, false)
+	err = pro.ApplyPatchesVirtualObject(ctx, nil, newNamespace, event.Host, ctx.Config.Sync.ToHost.Namespaces.Patches, false)
 	if err != nil {
 		return ctrl.Result{}, err
 	}