add jmespath support

Signed-off-by: Markus Blaschke <[email protected]>

Author: mblaschke

README.md

@@ -5,7 +5,7 @@
 [![Quay.io](https://img.shields.io/badge/Quay.io-webdevops%2Fkube--janitor-blue)](https://quay.io/repository/webdevops/kube-janitor)
 [![Artifact Hub](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/kube-janitor)](https://artifacthub.io/packages/search?repo=kube-janitor)
 
-Kubernetes janitor which deletes resources by TTL annotation or label written in Golang
+Kubernetes janitor which deletes resources by TTL annotations/labels and static rules written in Golang
 
 ## Configuration
 
@@ -61,6 +61,7 @@ Supported relative timestamps ([`time.Duration`](https://pkg.go.dev/time) and [`
 
 ## Metrics
 
-| Metric                                           | Description                                                        |
-|--------------------------------------------------|--------------------------------------------------------------------|
-| `kube_janitor_resource_expiry_timestamp_seconds` | Expiry date (unix timestamp) for every resource which was detected |
+| Metric                                                | Description                                                                                         |
+|-------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
+| `kube_janitor_resource_ttl_expiry_timestamp_seconds`  | Expiry date (unix timestamp) for every resource which was detected matching the TTL expiry          |
+| `kube_janitor_resource_rule_expiry_timestamp_seconds` | Expiry date (unix timestamp) for every resource which was detected matching the static expiry rules |

example.yaml

@@ -19,10 +19,18 @@ rules:
       - group: ""
         version: v1
         kind: configmaps
+        # JMESpath for additional selector, should return true if resource should be used for TTL checks, optional
+        jmespath: |-
+          !(metadata.annotations."kubernetes.io/description")
+
+        # kubernetes selector (matchLabels, matchExpressions), optional
         selector:
           matchLabels:
             foo: bar
+
+    # kubernetes selector (matchLabels, matchExpressions), optional
     namespaceSelector:
       matchLabels:
         kubernetes.io/metadata.name: default
-    ttl: 1d
+
+    ttl: 1m

go.mod

@@ -7,6 +7,7 @@ require (
 	github.com/go-logr/logr v1.4.3
 	github.com/goccy/go-yaml v1.19.0
 	github.com/jessevdk/go-flags v1.6.1
+	github.com/jmespath-community/go-jmespath v1.1.1
 	github.com/prometheus/client_golang v1.23.2
 	github.com/webdevops/go-common v0.0.0-20251205143010-9409efa47a03
 	k8s.io/api v0.34.3
@@ -57,6 +58,7 @@ require (
 	go.uber.org/automaxprocs v1.6.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
+	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
 	golang.org/x/net v0.48.0 // indirect
 	golang.org/x/oauth2 v0.34.0 // indirect
 	golang.org/x/sys v0.39.0 // indirect

go.sum

@@ -69,6 +69,8 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/jessevdk/go-flags v1.6.1 h1:Cvu5U8UGrLay1rZfv/zP7iLpSHGUZ/Ou68T0iX1bBK4=
 github.com/jessevdk/go-flags v1.6.1/go.mod h1:Mk8T1hIAWpOiJiHa9rJASDK2UGWji0EuPGBnNLMooyc=
+github.com/jmespath-community/go-jmespath v1.1.1 h1:bFikPhsi/FdmlZhVgSCd2jj1e7G/rw+zyQfyg5UF+L4=
+github.com/jmespath-community/go-jmespath v1.1.1/go.mod h1:4gOyFJsR/Gk+05RgTKYrifT7tBPWD8Lubtb5jRrfy9I=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
@@ -140,6 +142,8 @@ go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8=
+golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=

kube_janitor/config.go

@@ -2,8 +2,10 @@ package kube_janitor
 
 import (
 	"errors"
+	"fmt"
 	"strings"
 
+	jmespath "github.com/jmespath-community/go-jmespath"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 )
@@ -15,21 +17,23 @@ type (
 	}
 
 	ConfigTtl struct {
-		Annotation string             `json:"annotation"`
-		Label      string             `json:"label"`
-		Resources  []*ConfigResources `json:"resources"`
+		Annotation string            `json:"annotation"`
+		Label      string            `json:"label"`
+		Resources  []*ConfigResource `json:"resources"`
 	}
 
-	ConfigResources struct {
-		Group    string                `json:"group"`
-		Version  string                `json:"version"`
-		Kind     string                `json:"kind"`
-		Selector *metav1.LabelSelector `json:"selector"`
+	ConfigResource struct {
+		Group            string                `json:"group"`
+		Version          string                `json:"version"`
+		Kind             string                `json:"kind"`
+		Selector         *metav1.LabelSelector `json:"selector"`
+		JmesPath         string                `json:"jmespath"`
+		jmesPathcompiled jmespath.JMESPath
 	}
 
 	ConfigRule struct {
 		Id                string                `json:"id"`
-		Resources         []*ConfigResources    `json:"resources"`
+		Resources         []*ConfigResource     `json:"resources"`
 		NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector"`
 		Ttl               string                `json:"ttl"`
 	}
@@ -38,7 +42,7 @@ type (
 func NewConfig() *Config {
 	return &Config{
 		Ttl: &ConfigTtl{
-			Resources: []*ConfigResources{},
+			Resources: []*ConfigResource{},
 		},
 		Rules: []*ConfigRule{},
 	}
@@ -80,11 +84,24 @@ func (c *ConfigRule) Validate() error {
 	return nil
 }
 
-func (c *ConfigResources) String() string {
+func (c *ConfigResource) CompiledJmesPath() jmespath.JMESPath {
+	if c.jmesPathcompiled == nil {
+		compiledPath, err := jmespath.Compile(c.JmesPath)
+		if err != nil {
+			panic(fmt.Errorf(`failed to compile jmespath "%s": %w`, c.JmesPath, err))
+		}
+
+		c.jmesPathcompiled = compiledPath
+	}
+
+	return c.jmesPathcompiled
+}
+
+func (c *ConfigResource) String() string {
 	return c.AsGVR().String()
 }
 
-func (c *ConfigResources) AsGVR() schema.GroupVersionResource {
+func (c *ConfigResource) AsGVR() schema.GroupVersionResource {
 	return schema.GroupVersionResource{
 		Group:    c.Group,
 		Version:  c.Version,

kube_janitor/task.common.go

@@ -2,23 +2,71 @@ package kube_janitor
 
 import (
 	"context"
+	"encoding/json"
 	"log/slog"
 
+	jmespath "github.com/jmespath-community/go-jmespath"
 	"github.com/prometheus/client_golang/prometheus"
 	"github.com/webdevops/go-common/log/slogger"
 	prometheusCommon "github.com/webdevops/go-common/prometheus"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
-	"k8s.io/apimachinery/pkg/runtime/schema"
 )
 
-func (j *Janitor) checkResourceTtlAndTriggerDeleteIfExpired(ctx context.Context, logger *slogger.Logger, gvr schema.GroupVersionResource, resource unstructured.Unstructured, ttlValue string, metricResourceTtl *prometheusCommon.MetricList, labels prometheus.Labels) error {
+func (j *Janitor) checkResourceIsSkippedByJmesPath(resource unstructured.Unstructured, jmesPath jmespath.JMESPath) (bool, error) {
+
+	resourceRaw, err := resource.MarshalJSON()
+	if err != nil {
+		return true, err
+	}
+	var data any
+	err = json.Unmarshal(resourceRaw, &data)
+	if err != nil {
+		return true, err
+	}
+
+	// check if resource is valid by JMES path
+	result, err := jmesPath.Search(data)
+	if err != nil {
+		return true, err
+	}
+
+	switch v := result.(type) {
+	case string:
+		// skip if string is empty
+		if len(v) == 0 {
+			return true, nil
+		}
+	case bool:
+		// skip if false (not selected)
+		return !v, nil
+	case nil:
+		// nil? jmes path didn't find anything? better skip the resource
+		return true, nil
+	}
+
+	return false, nil
+}
+
+func (j *Janitor) checkResourceTtlAndTriggerDeleteIfExpired(ctx context.Context, logger *slogger.Logger, resourceConfig *ConfigResource, resource unstructured.Unstructured, ttlValue string, metricResourceTtl *prometheusCommon.MetricList, labels prometheus.Labels) error {
 	resourceLogger := logger.With(
 		slog.String("namespace", resource.GetNamespace()),
 		slog.String("resource", resource.GetName()),
 		slog.String("ttl", ttlValue),
 	)
 
+	if resourceConfig.JmesPath != "" {
+		skipped, err := j.checkResourceIsSkippedByJmesPath(resource, resourceConfig.CompiledJmesPath())
+		if err != nil {
+			return err
+		}
+
+		if skipped {
+			resourceLogger.Debug("resource skipped by JMES path")
+			return nil
+		}
+	}
+
 	parsedDate, expired, err := j.checkExpiryDate(resource.GetCreationTimestamp().Time, ttlValue)
 	if err != nil {
 		resourceLogger.Error("unable to parse expiration date", slog.String("raw", ttlValue), slog.Any("error", err))
@@ -39,7 +87,7 @@ func (j *Janitor) checkResourceTtlAndTriggerDeleteIfExpired(ctx context.Context,
 			resourceLogger.Info("resource is expired, would delete resource (DRY-RUN)", slog.Time("expirationDate", *parsedDate))
 		} else {
 			resourceLogger.Info("deleting expired resource", slog.Time("expirationDate", *parsedDate))
-			err := j.dynClient.Resource(gvr).Namespace(resource.GetNamespace()).Delete(ctx, resource.GetName(), metav1.DeleteOptions{})
+			err := j.dynClient.Resource(resourceConfig.AsGVR()).Namespace(resource.GetNamespace()).Delete(ctx, resource.GetName(), metav1.DeleteOptions{})
 			if err != nil {
 				return err
 			}

kube_janitor/task.rules.go

@@ -34,7 +34,7 @@ func (j *Janitor) runRules(ctx context.Context) error {
 					return j.checkResourceTtlAndTriggerDeleteIfExpired(
 						ctx,
 						gvkLogger,
-						resourceType.AsGVR(),
+						resourceType,
 						resource,
 						rule.Ttl,
 						metricResourceRule,

kube_janitor/task.ttl.go

@@ -40,7 +40,7 @@ func (j *Janitor) runTtlResources(ctx context.Context) error {
 			return j.checkResourceTtlAndTriggerDeleteIfExpired(
 				ctx,
 				gvkLogger,
-				resourceType.AsGVR(),
+				resourceType,
 				resource,
 				ttlValue,
 				metricResourceTtl,