redhat-cop / resource-locker-operator

Apache License 2.0

Enforce deletion of resources via RL CR #50

Open rflorenc opened 3 years ago

rflorenc commented 3 years ago

I have been testing the resource-locker-operator with the end goal of locking/patching resources fed in by ArgoCD in a GitOps scenario. One use case that comes to mind is the possibility to also delete resources which are not owned by Argo/Helm applications, like for example APIServer or Node resources.

This could be done via a new action field in the RL CR spec, which could then perform the delete operation on the resource. Example:

apiVersion: redhatcop.redhat.io/v1alpha1
kind: ResourceLocker
metadata:
  name: APIServer
spec:
  resources:
    - apiVersion: v1
      kind: Secret
      name: kubeadmin
      namespace: kube-system
      action: delete
  serviceAccount:
    name: my-admin

The end result would be the secret being deleted, with the deletion enforced by the RLO. Would this be something that could be added as a feature to the RLO?

raffaelespazzoli commented 3 years ago

It seems to me that this feature would break the fully declarative approach to managing configuration moving towards an imperative model. In general the rule is that if you don't want an object, you should not create it. Can you make a realistic example where this would be useful?