Invoke DeleteItemActions on backup deletion (#2815)

* Add serving and listing support Signed-off-by: Nolan Brubaker <brubakern@vmware.com>
2025-12-23 06:15:21 +00:00 · 2020-08-20 20:24:29 -04:00
parent 71fd7cc5a7
commit 718a94ad05
17 changed files with 963 additions and 361 deletions
--- a/internal/delete/delete_item_action_handler.go
+++ b/internal/delete/delete_item_action_handler.go
@@ -0,0 +1,199 @@
+/*
+Copyright 2020 the Velero contributors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package delete
+
+import (
+	"io"
+
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/apimachinery/pkg/util/sets"
+
+	velerov1api "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
+	"github.com/vmware-tanzu/velero/pkg/archive"
+	"github.com/vmware-tanzu/velero/pkg/discovery"
+	"github.com/vmware-tanzu/velero/pkg/plugin/velero"
+	"github.com/vmware-tanzu/velero/pkg/util/collections"
+	"github.com/vmware-tanzu/velero/pkg/util/filesystem"
+)
+
+// Context provides the necessary environment to run DeleteItemAction plugins
+type Context struct {
+	Backup          *velerov1api.Backup
+	BackupReader    io.Reader
+	Actions         []velero.DeleteItemAction
+	Filesystem      filesystem.Interface
+	Log             logrus.FieldLogger
+	DiscoveryHelper discovery.Helper
+
+	resolvedActions []resolvedAction
+}
+
+func InvokeDeleteActions(ctx *Context) error {
+	var err error
+	ctx.resolvedActions, err = resolveActions(ctx.Actions, ctx.DiscoveryHelper)
+
+	// No actions installed and no error means we don't have to continue;
+	// just do the backup deletion without worrying about plugins.
+	if len(ctx.resolvedActions) == 0 && err == nil {
+		ctx.Log.Debug("No delete item actions present, proceeding with rest of backup deletion process")
+		return nil
+	} else if err != nil {
+		return errors.Wrapf(err, "error resolving actions")
+	}
+
+	// get items out of backup tarball into a temp directory
+	dir, err := archive.NewExtractor(ctx.Log, ctx.Filesystem).UnzipAndExtractBackup(ctx.BackupReader)
+	if err != nil {
+		return errors.Wrapf(err, "error extracting backup")
+
+	}
+	defer ctx.Filesystem.RemoveAll(dir)
+	ctx.Log.Debugf("Downloaded and extracted the backup file to: %s", dir)
+
+	backupResources, err := archive.NewParser(ctx.Log, ctx.Filesystem).Parse(dir)
+	processdResources := sets.NewString()
+
+	ctx.Log.Debugf("Trying to reconcile resource names with Kube API server.")
+	// Transform resource names based on what's canonical in the API server.
+	for resource := range backupResources {
+		gvr, _, err := ctx.DiscoveryHelper.ResourceFor(schema.ParseGroupResource(resource).WithVersion(""))
+		if err != nil {
+			return errors.Wrapf(err, "failed to resolve resource into complete group/version/resource: %v", resource)
+		}
+
+		groupResource := gvr.GroupResource()
+
+		// We've already seen this group/resource, so don't process it again.
+		if processdResources.Has(groupResource.String()) {
+			continue
+		}
+
+		// Get a list of all items that exist for this resource
+		resourceList := backupResources[groupResource.String()]
+		if resourceList == nil {
+			// After canonicalization from the API server, the resources may not exist in the tarball
+			// Skip them if that's the case.
+			continue
+		}
+
+		// Iterate over all items, grouped by namespace.
+		for namespace, items := range resourceList.ItemsByNamespace {
+			nsLog := ctx.Log.WithField("namespace", namespace)
+			nsLog.Info("Starting to check for items in namespace")
+
+			// Filter applicable actions based on namespace only once per namespace.
+			actions := ctx.getApplicableActions(groupResource, namespace)
+
+			// Process individual items from the backup
+			for _, item := range items {
+				itemPath := archive.GetItemFilePath(dir, resource, namespace, item)
+
+				// obj is the Unstructured item from the backup
+				obj, err := archive.Unmarshal(ctx.Filesystem, itemPath)
+				if err != nil {
+					return errors.Wrapf(err, "Could not unmarshal item: %v", item)
+				}
+
+				itemLog := nsLog.WithField("item", obj.GetName())
+				itemLog.Infof("invoking DeleteItemAction plugins")
+
+				for _, action := range actions {
+					if !action.selector.Matches(labels.Set(obj.GetLabels())) {
+						continue
+					}
+					err = action.Execute(&velero.DeleteItemActionExecuteInput{
+						Item:   obj,
+						Backup: ctx.Backup,
+					})
+					// Since we want to keep looping even on errors, log them instead of just returning.
+					if err != nil {
+						itemLog.WithError(err).Error("plugin error")
+
+					}
+				}
+			}
+		}
+	}
+	return nil
+}
+
+// getApplicableActions takes resolved DeleteItemActions and filters them for a given group/resource and namespace.
+func (ctx *Context) getApplicableActions(groupResource schema.GroupResource, namespace string) []resolvedAction {
+	var actions []resolvedAction
+
+	for _, action := range ctx.resolvedActions {
+		if !action.resourceIncludesExcludes.ShouldInclude(groupResource.String()) {
+			continue
+		}
+
+		if namespace != "" && !action.namespaceIncludesExcludes.ShouldInclude(namespace) {
+			continue
+		}
+
+		if namespace == "" && !action.namespaceIncludesExcludes.IncludeEverything() {
+			continue
+		}
+
+		actions = append(actions, action)
+	}
+
+	return actions
+}
+
+// resolvedActions are DeleteItemActions decorated with resource/namespace include/exclude collections, as well as label selectors for easy comparison.
+type resolvedAction struct {
+	velero.DeleteItemAction
+
+	resourceIncludesExcludes  *collections.IncludesExcludes
+	namespaceIncludesExcludes *collections.IncludesExcludes
+	selector                  labels.Selector
+}
+
+// resolveActions resolves the AppliesTo ResourceSelectors of DeleteItemActions plugins against the Kubernetes discovery API for fully-qualified names.
+func resolveActions(actions []velero.DeleteItemAction, helper discovery.Helper) ([]resolvedAction, error) {
+	var resolved []resolvedAction
+
+	for _, action := range actions {
+		resourceSelector, err := action.AppliesTo()
+		if err != nil {
+			return nil, err
+		}
+
+		resources := collections.GetResourceIncludesExcludes(helper, resourceSelector.IncludedResources, resourceSelector.ExcludedResources)
+		namespaces := collections.NewIncludesExcludes().Includes(resourceSelector.IncludedNamespaces...).Excludes(resourceSelector.ExcludedNamespaces...)
+
+		selector := labels.Everything()
+		if resourceSelector.LabelSelector != "" {
+			if selector, err = labels.Parse(resourceSelector.LabelSelector); err != nil {
+				return nil, err
+			}
+		}
+
+		res := resolvedAction{
+			DeleteItemAction:          action,
+			resourceIncludesExcludes:  resources,
+			namespaceIncludesExcludes: namespaces,
+			selector:                  selector,
+		}
+		resolved = append(resolved, res)
+	}
+
+	return resolved, nil
+}
--- a/internal/delete/delete_item_action_handler_test.go
+++ b/internal/delete/delete_item_action_handler_test.go
@@ -0,0 +1,268 @@
+/*
+Copyright 2020 the Velero contributors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package delete
+
+import (
+	"context"
+	"io"
+	"sort"
+	"testing"
+
+	"github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+
+	velerov1api "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
+	"github.com/vmware-tanzu/velero/pkg/builder"
+	"github.com/vmware-tanzu/velero/pkg/discovery"
+	"github.com/vmware-tanzu/velero/pkg/plugin/velero"
+	"github.com/vmware-tanzu/velero/pkg/test"
+	kubeutil "github.com/vmware-tanzu/velero/pkg/util/kube"
+)
+
+func TestInvokeDeleteItemActionsRunForCorrectItems(t *testing.T) {
+	// Declare test-singleton objects.
+	fs := test.NewFakeFileSystem()
+	log := logrus.StandardLogger()
+
+	tests := []struct {
+		name         string
+		backup       *velerov1api.Backup
+		apiResources []*test.APIResource
+		tarball      io.Reader
+		actions      map[*recordResourcesAction][]string // recordResourceActions are the plugins that will capture item ids, the []string values are the ids we'll test against.
+	}{
+		{
+			name:   "single action with no selector runs for all items",
+			backup: builder.ForBackup("velero", "velero").Result(),
+			tarball: test.NewTarWriter(t).
+				AddItems("pods", builder.ForPod("ns-1", "pod-1").Result(), builder.ForPod("ns-2", "pod-2").Result()).
+				AddItems("persistentvolumes", builder.ForPersistentVolume("pv-1").Result(), builder.ForPersistentVolume("pv-2").Result()).
+				Done(),
+			apiResources: []*test.APIResource{test.Pods(), test.PVs()},
+			actions: map[*recordResourcesAction][]string{
+				new(recordResourcesAction): {"ns-1/pod-1", "ns-2/pod-2", "pv-1", "pv-2"},
+			},
+		},
+		{
+			name:   "single action with a resource selector for namespaced resources runs only for matching resources",
+			backup: builder.ForBackup("velero", "velero").Result(),
+			tarball: test.NewTarWriter(t).
+				AddItems("pods", builder.ForPod("ns-1", "pod-1").Result(), builder.ForPod("ns-2", "pod-2").Result()).
+				AddItems("persistentvolumes", builder.ForPersistentVolume("pv-1").Result(), builder.ForPersistentVolume("pv-2").Result()).
+				Done(),
+			apiResources: []*test.APIResource{test.Pods(), test.PVs()},
+			actions: map[*recordResourcesAction][]string{
+				new(recordResourcesAction).ForResource("pods"): {"ns-1/pod-1", "ns-2/pod-2"},
+			},
+		},
+		{
+			name:   "single action with a resource selector for cluster-scoped resources runs only for matching resources",
+			backup: builder.ForBackup("velero", "velero").Result(),
+			tarball: test.NewTarWriter(t).
+				AddItems("pods", builder.ForPod("ns-1", "pod-1").Result(), builder.ForPod("ns-2", "pod-2").Result()).
+				AddItems("persistentvolumes", builder.ForPersistentVolume("pv-1").Result(), builder.ForPersistentVolume("pv-2").Result()).
+				Done(),
+			apiResources: []*test.APIResource{test.Pods(), test.PVs()},
+			actions: map[*recordResourcesAction][]string{
+				new(recordResourcesAction).ForResource("persistentvolumes"): {"pv-1", "pv-2"},
+			},
+		},
+		{
+			name:   "single action with a namespace selector runs only for resources in that namespace",
+			backup: builder.ForBackup("velero", "velero").Result(),
+			tarball: test.NewTarWriter(t).
+				AddItems("pods", builder.ForPod("ns-1", "pod-1").Result(), builder.ForPod("ns-2", "pod-2").Result()).
+				AddItems("persistentvolumeclaims", builder.ForPersistentVolumeClaim("ns-1", "pvc-1").Result(), builder.ForPersistentVolumeClaim("ns-2", "pvc-2").Result()).
+				AddItems("persistentvolumes", builder.ForPersistentVolume("pv-1").Result(), builder.ForPersistentVolume("pv-2").Result()).
+				Done(),
+			apiResources: []*test.APIResource{test.Pods(), test.PVCs(), test.PVs()},
+			actions: map[*recordResourcesAction][]string{
+				new(recordResourcesAction).ForNamespace("ns-1"): {"ns-1/pod-1", "ns-1/pvc-1"},
+			},
+		},
+		{
+			name:   "multiple actions, each with a different resource selector using short name, run for matching resources",
+			backup: builder.ForBackup("velero", "velero").Result(),
+			tarball: test.NewTarWriter(t).
+				AddItems("pods", builder.ForPod("ns-1", "pod-1").Result(), builder.ForPod("ns-2", "pod-2").Result()).
+				AddItems("persistentvolumeclaims", builder.ForPersistentVolumeClaim("ns-1", "pvc-1").Result(), builder.ForPersistentVolumeClaim("ns-2", "pvc-2").Result()).
+				AddItems("persistentvolumes", builder.ForPersistentVolume("pv-1").Result(), builder.ForPersistentVolume("pv-2").Result()).
+				Done(),
+			apiResources: []*test.APIResource{test.Pods(), test.PVCs(), test.PVs()},
+			actions: map[*recordResourcesAction][]string{
+				new(recordResourcesAction).ForResource("po"): {"ns-1/pod-1", "ns-2/pod-2"},
+				new(recordResourcesAction).ForResource("pv"): {"pv-1", "pv-2"},
+			},
+		},
+		{
+			name:   "actions with selectors that don't match anything don't run for any resources",
+			backup: builder.ForBackup("velero", "velero").Result(),
+			tarball: test.NewTarWriter(t).
+				AddItems("pods", builder.ForPod("ns-1", "pod-1").Result()).
+				AddItems("persistentvolumeclaims", builder.ForPersistentVolumeClaim("ns-2", "pvc-2").Result()).
+				Done(),
+			apiResources: []*test.APIResource{test.Pods(), test.PVCs(), test.PVs()},
+			actions: map[*recordResourcesAction][]string{
+				new(recordResourcesAction).ForNamespace("ns-1").ForResource("persistentvolumeclaims"): nil,
+				new(recordResourcesAction).ForNamespace("ns-2").ForResource("pods"):                   nil,
+			},
+		},
+		{
+			name:   "single action with label selector runs only for those items",
+			backup: builder.ForBackup("velero", "velero").Result(),
+			tarball: test.NewTarWriter(t).
+				AddItems("pods", builder.ForPod("ns-1", "pod-1").ObjectMeta(builder.WithLabels("app", "app1")).Result(), builder.ForPod("ns-2", "pod-2").Result()).
+				AddItems("persistentvolumeclaims", builder.ForPersistentVolumeClaim("ns-1", "pvc-1").Result(), builder.ForPersistentVolumeClaim("ns-2", "pvc-2").ObjectMeta(builder.WithLabels("app", "app1")).Result()).
+				Done(),
+			apiResources: []*test.APIResource{test.Pods(), test.PVCs()},
+			actions: map[*recordResourcesAction][]string{
+				new(recordResourcesAction).ForLabelSelector("app=app1"): {"ns-1/pod-1", "ns-2/pvc-2"},
+			},
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			// test harness contains the fake API server/discovery client
+			h := newHarness(t)
+			for _, r := range tc.apiResources {
+				h.addResource(t, r)
+			}
+
+			// Get the plugins out of the map in order to use them.
+			actions := []velero.DeleteItemAction{}
+			for action := range tc.actions {
+				actions = append(actions, action)
+			}
+
+			c := &Context{
+				Backup:          tc.backup,
+				BackupReader:    tc.tarball,
+				Filesystem:      fs,
+				DiscoveryHelper: h.discoveryHelper,
+				Actions:         actions,
+				Log:             log,
+			}
+
+			err := InvokeDeleteActions(c)
+			require.NoError(t, err)
+
+			// Compare the plugins against the ids that we wanted.
+			for action, want := range tc.actions {
+				sort.Strings(want)
+				sort.Strings(action.ids)
+				assert.Equal(t, want, action.ids)
+			}
+		})
+	}
+}
+
+// TODO: unify this with the test harness in pkg/restore/restore_test.go
+type harness struct {
+	*test.APIServer
+	discoveryHelper discovery.Helper
+}
+
+func newHarness(t *testing.T) *harness {
+	t.Helper()
+
+	apiServer := test.NewAPIServer(t)
+	log := logrus.StandardLogger()
+
+	discoveryHelper, err := discovery.NewHelper(apiServer.DiscoveryClient, log)
+	require.NoError(t, err)
+
+	return &harness{
+		APIServer:       apiServer,
+		discoveryHelper: discoveryHelper,
+	}
+}
+
+// addResource adds an APIResource and it's items to a faked API server for testing.
+func (h *harness) addResource(t *testing.T, resource *test.APIResource) {
+	t.Helper()
+
+	h.DiscoveryClient.WithAPIResource(resource)
+	require.NoError(t, h.discoveryHelper.Refresh())
+
+	for _, item := range resource.Items {
+		obj, err := runtime.DefaultUnstructuredConverter.ToUnstructured(item)
+		require.NoError(t, err)
+
+		unstructuredObj := &unstructured.Unstructured{Object: obj}
+		if resource.Namespaced {
+			_, err = h.DynamicClient.Resource(resource.GVR()).Namespace(item.GetNamespace()).Create(context.TODO(), unstructuredObj, metav1.CreateOptions{})
+		} else {
+			_, err = h.DynamicClient.Resource(resource.GVR()).Create(context.TODO(), unstructuredObj, metav1.CreateOptions{})
+		}
+		require.NoError(t, err)
+	}
+}
+
+// recordResourcesAction is a delete item action that can be configured to run
+// for specific resources/namespaces and simply record the items that is is
+// executed for.
+type recordResourcesAction struct {
+	selector velero.ResourceSelector
+	ids      []string
+}
+
+func (a *recordResourcesAction) AppliesTo() (velero.ResourceSelector, error) {
+	return a.selector, nil
+}
+
+func (a *recordResourcesAction) Execute(input *velero.DeleteItemActionExecuteInput) error {
+	metadata, err := meta.Accessor(input.Item)
+	if err != nil {
+		return err
+	}
+
+	a.ids = append(a.ids, kubeutil.NamespaceAndName(metadata))
+
+	return nil
+}
+
+func (a *recordResourcesAction) ForResource(resource string) *recordResourcesAction {
+	a.selector.IncludedResources = append(a.selector.IncludedResources, resource)
+	return a
+}
+
+func (a *recordResourcesAction) ForNamespace(namespace string) *recordResourcesAction {
+	a.selector.IncludedNamespaces = append(a.selector.IncludedNamespaces, namespace)
+	return a
+}
+
+func (a *recordResourcesAction) ForLabelSelector(selector string) *recordResourcesAction {
+	a.selector.LabelSelector = selector
+	return a
+}
+
+func TestInvokeDeleteItemActionsWithNoPlugins(t *testing.T) {
+	c := &Context{
+		Backup: builder.ForBackup("velero", "velero").Result(),
+		Log:    logrus.StandardLogger(),
+		// No other fields are set on the assumption that if 0 actions are present,
+		// the backup tarball and file system being empty will produce no errors.
+	}
+	err := InvokeDeleteActions(c)
+	require.NoError(t, err)
+}