add support for fixed ttl by rules

Signed-off-by: Markus Blaschke <[email protected]>

Author: mblaschke

example.yaml

@@ -1,3 +1,4 @@
+## TTL removal by annotation or label
 ttl:
   ## checks all resources by annotation
   annotation: janitor/ttl
@@ -10,3 +11,18 @@ ttl:
     - {group: "", version: v1, kind: configmaps}
     - {group: "", version: v1, kind: secrets}
     - {group: apps, version: v1, kind: deployments}
+
+# static rules (fixed TTLs without using ttl definition in labels/annotations)
+rules:
+  - id: default
+    resources:
+      - group: ""
+        version: v1
+        kind: configmaps
+        selector:
+          matchLabels:
+            foo: bar
+    namespaceSelector:
+      matchLabels:
+        kubernetes.io/metadata.name: default
+    ttl: 1d

go.mod

@@ -9,6 +9,7 @@ require (
 	github.com/jessevdk/go-flags v1.6.1
 	github.com/prometheus/client_golang v1.23.2
 	github.com/webdevops/go-common v0.0.0-20251205143010-9409efa47a03
+	k8s.io/api v0.34.3
 	k8s.io/apimachinery v0.34.3
 	k8s.io/client-go v0.34.3
 	sigs.k8s.io/controller-runtime v0.22.4
@@ -20,8 +21,25 @@ require (
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/emicklei/go-restful/v3 v3.13.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
+	github.com/go-openapi/jsonpointer v0.22.4 // indirect
+	github.com/go-openapi/jsonreference v0.21.4 // indirect
+	github.com/go-openapi/swag v0.25.4 // indirect
+	github.com/go-openapi/swag/cmdutils v0.25.4 // indirect
+	github.com/go-openapi/swag/conv v0.25.4 // indirect
+	github.com/go-openapi/swag/fileutils v0.25.4 // indirect
+	github.com/go-openapi/swag/jsonname v0.25.4 // indirect
+	github.com/go-openapi/swag/jsonutils v0.25.4 // indirect
+	github.com/go-openapi/swag/loading v0.25.4 // indirect
+	github.com/go-openapi/swag/mangling v0.25.4 // indirect
+	github.com/go-openapi/swag/netutils v0.25.4 // indirect
+	github.com/go-openapi/swag/stringutils v0.25.4 // indirect
+	github.com/go-openapi/swag/typeutils v0.25.4 // indirect
+	github.com/go-openapi/swag/yamlutils v0.25.4 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/google/gnostic-models v0.7.1 // indirect
+	github.com/google/uuid v1.6.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/lmittmann/tint v1.1.2 // indirect
@@ -38,15 +56,18 @@ require (
 	github.com/x448/float16 v0.8.4 // indirect
 	go.uber.org/automaxprocs v1.6.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
+	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/net v0.48.0 // indirect
 	golang.org/x/oauth2 v0.34.0 // indirect
 	golang.org/x/sys v0.39.0 // indirect
 	golang.org/x/term v0.38.0 // indirect
 	golang.org/x/text v0.32.0 // indirect
 	golang.org/x/time v0.14.0 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.13.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20251125145642-4e65d59e963e // indirect
 	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect
 	sigs.k8s.io/randfill v1.0.0 // indirect

go.sum

@@ -18,10 +18,10 @@ github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sa
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
 github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
 github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
-github.com/go-openapi/jsonpointer v0.22.3 h1:dKMwfV4fmt6Ah90zloTbUKWMD+0he+12XYAsPotrkn8=
-github.com/go-openapi/jsonpointer v0.22.3/go.mod h1:0lBbqeRsQ5lIanv3LHZBrmRGHLHcQoOXQnf88fHlGWo=
-github.com/go-openapi/jsonreference v0.21.3 h1:96Dn+MRPa0nYAR8DR1E03SblB5FJvh7W6krPI0Z7qMc=
-github.com/go-openapi/jsonreference v0.21.3/go.mod h1:RqkUP0MrLf37HqxZxrIAtTWW4ZJIK1VzduhXYBEeGc4=
+github.com/go-openapi/jsonpointer v0.22.4 h1:dZtK82WlNpVLDW2jlA1YCiVJFVqkED1MegOUy9kR5T4=
+github.com/go-openapi/jsonpointer v0.22.4/go.mod h1:elX9+UgznpFhgBuaMQ7iu4lvvX1nvNsesQ3oxmYTw80=
+github.com/go-openapi/jsonreference v0.21.4 h1:24qaE2y9bx/q3uRK/qN+TDwbok1NhbSmGjjySRCHtC8=
+github.com/go-openapi/jsonreference v0.21.4/go.mod h1:rIENPTjDbLpzQmQWCj5kKj3ZlmEh+EFVbz3RTUh30/4=
 github.com/go-openapi/swag v0.25.4 h1:OyUPUFYDPDBMkqyxOTkqDYFnrhuhi9NR6QVUvIochMU=
 github.com/go-openapi/swag v0.25.4/go.mod h1:zNfJ9WZABGHCFg2RnY0S4IOkAcVTzJ6z2Bi+Q4i6qFQ=
 github.com/go-openapi/swag/cmdutils v0.25.4 h1:8rYhB5n6WawR192/BfUu2iVlxqVR9aRgGJP6WaBoW+4=
@@ -34,6 +34,8 @@ github.com/go-openapi/swag/jsonname v0.25.4 h1:bZH0+MsS03MbnwBXYhuTttMOqk+5KcQ98
 github.com/go-openapi/swag/jsonname v0.25.4/go.mod h1:GPVEk9CWVhNvWhZgrnvRA6utbAltopbKwDu8mXNUMag=
 github.com/go-openapi/swag/jsonutils v0.25.4 h1:VSchfbGhD4UTf4vCdR2F4TLBdLwHyUDTd1/q4i+jGZA=
 github.com/go-openapi/swag/jsonutils v0.25.4/go.mod h1:7OYGXpvVFPn4PpaSdPHJBtF0iGnbEaTk8AvBkoWnaAY=
+github.com/go-openapi/swag/jsonutils/fixtures_test v0.25.4 h1:IACsSvBhiNJwlDix7wq39SS2Fh7lUOCJRmx/4SN4sVo=
+github.com/go-openapi/swag/jsonutils/fixtures_test v0.25.4/go.mod h1:Mt0Ost9l3cUzVv4OEZG+WSeoHwjWLnarzMePNDAOBiM=
 github.com/go-openapi/swag/loading v0.25.4 h1:jN4MvLj0X6yhCDduRsxDDw1aHe+ZWoLjW+9ZQWIKn2s=
 github.com/go-openapi/swag/loading v0.25.4/go.mod h1:rpUM1ZiyEP9+mNLIQUdMiD7dCETXvkkC30z53i+ftTE=
 github.com/go-openapi/swag/mangling v0.25.4 h1:2b9kBJk9JvPgxr36V23FxJLdwBrpijI26Bx5JH4Hp48=
@@ -46,6 +48,10 @@ github.com/go-openapi/swag/typeutils v0.25.4 h1:1/fbZOUN472NTc39zpa+YGHn3jzHWhv4
 github.com/go-openapi/swag/typeutils v0.25.4/go.mod h1:Ou7g//Wx8tTLS9vG0UmzfCsjZjKhpjxayRKTHXf2pTE=
 github.com/go-openapi/swag/yamlutils v0.25.4 h1:6jdaeSItEUb7ioS9lFoCZ65Cne1/RZtPBZ9A56h92Sw=
 github.com/go-openapi/swag/yamlutils v0.25.4/go.mod h1:MNzq1ulQu+yd8Kl7wPOut/YHAAU/H6hL91fF+E2RFwc=
+github.com/go-openapi/testify/enable/yaml/v2 v2.0.2 h1:0+Y41Pz1NkbTHz8NngxTuAXxEodtNSI1WG1c/m5Akw4=
+github.com/go-openapi/testify/enable/yaml/v2 v2.0.2/go.mod h1:kme83333GCtJQHXQ8UKX3IBZu6z8T5Dvy5+CW3NLUUg=
+github.com/go-openapi/testify/v2 v2.0.2 h1:X999g3jeLcoY8qctY/c/Z8iBHTbwLz7R2WXd6Ub6wls=
+github.com/go-openapi/testify/v2 v2.0.2/go.mod h1:HCPmvFFnheKK2BuwSA0TbbdxJ3I16pjwMkYkP4Ywn54=
 github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
 github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
 github.com/goccy/go-yaml v1.19.0 h1:EmkZ9RIsX+Uq4DYFowegAuJo8+xdX3T/2dwNPXbxEYE=

kube_janitor/config.go

@@ -4,12 +4,14 @@ import (
 	"errors"
 	"strings"
 
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 )
 
 type (
 	Config struct {
-		Ttl *ConfigTtl `json:"ttl"`
+		Ttl   *ConfigTtl    `json:"ttl"`
+		Rules []*ConfigRule `json:"rules"`
 	}
 
 	ConfigTtl struct {
@@ -19,9 +21,17 @@ type (
 	}
 
 	ConfigResources struct {
-		Group   string `json:"group"`
-		Version string `json:"version"`
-		Kind    string `json:"kind"`
+		Group    string                `json:"group"`
+		Version  string                `json:"version"`
+		Kind     string                `json:"kind"`
+		Selector *metav1.LabelSelector `json:"selector"`
+	}
+
+	ConfigRule struct {
+		Id                string                `json:"id"`
+		Resources         []*ConfigResources    `json:"resources"`
+		NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector"`
+		Ttl               string                `json:"ttl"`
 	}
 )
 
@@ -30,6 +40,7 @@ func NewConfig() *Config {
 		Ttl: &ConfigTtl{
 			Resources: []*ConfigResources{},
 		},
+		Rules: []*ConfigRule{},
 	}
 }
 
@@ -38,14 +49,16 @@ func (c *Config) Validate() error {
 		return err
 	}
 
+	for _, rule := range c.Rules {
+		if err := rule.Validate(); err != nil {
+			return err
+		}
+	}
+
 	return nil
 }
 
 func (c *ConfigTtl) Validate() error {
-	if c.Label == "" && c.Annotation == "" {
-		return errors.New("label or annotation is required")
-	}
-
 	if c.Label != "" {
 		if strings.Contains(c.Label, " ") {
 			return errors.New("label must not contain spaces")
@@ -55,6 +68,18 @@ func (c *ConfigTtl) Validate() error {
 	return nil
 }
 
+func (c *ConfigRule) Validate() error {
+	if c.Id == "" {
+		return errors.New("rules requires an id")
+	}
+
+	if len(c.Resources) == 0 {
+		return errors.New("rules requires at least one resource")
+	}
+
+	return nil
+}
+
 func (c *ConfigResources) String() string {
 	return c.AsGVR().String()
 }
@@ -66,3 +91,7 @@ func (c *ConfigResources) AsGVR() schema.GroupVersionResource {
 		Resource: c.Kind,
 	}
 }
+
+func (c *ConfigRule) String() string {
+	return c.Id
+}

kube_janitor/kube.go

@@ -2,23 +2,100 @@ package kube_janitor
 
 import (
 	"context"
+	"fmt"
+	"strings"
 
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 )
 
 const (
 	KubeListLimit = 100
+
+	KubeNoNamespace = ""
+
+	KubeSelectorError = "<error>"
+	KubeSelectorNone  = "<none>"
 )
 
-func (j *Janitor) kubeEachResource(ctx context.Context, gvr schema.GroupVersionResource, labelSelector string, callback func(unstructured unstructured.Unstructured) error) error {
+func (j *Janitor) kubeBuildLabelSelector(selector *metav1.LabelSelector) (string, error) {
+	// no selector
+	if selector == nil {
+		return "", nil
+	}
+
+	compiledSelector := metav1.FormatLabelSelector(selector)
+	if strings.EqualFold(compiledSelector, KubeSelectorError) {
+		return "", fmt.Errorf(`unable to compile Kubernetes selector for resource: %v`, selector)
+	}
+
+	if !strings.EqualFold(compiledSelector, KubeSelectorNone) {
+		return compiledSelector, nil
+	}
+
+	return "", nil
+}
+
+func (j *Janitor) kubeEachNamespace(ctx context.Context, selector *metav1.LabelSelector, callback func(namespace corev1.Namespace) error) error {
+	labelSelector, err := j.kubeBuildLabelSelector(selector)
+	if err != nil {
+		return err
+	}
+
+	listOpts := metav1.ListOptions{
+		Limit:         KubeListLimit,
+		LabelSelector: labelSelector,
+	}
+	for {
+		result, err := j.kubeClient.CoreV1().Namespaces().List(ctx, listOpts)
+		if err != nil {
+			return err
+		}
+
+		for _, item := range result.Items {
+			err := callback(item)
+			if err != nil {
+				return err
+			}
+		}
+
+		if result.GetContinue() != "" {
+			listOpts.Continue = result.GetContinue()
+			continue
+		}
+
+		break
+	}
+
+	return nil
+}
+
+func (j *Janitor) kubeEachResource(ctx context.Context, gvr schema.GroupVersionResource, namespace string, selector *metav1.LabelSelector, callback func(unstructured unstructured.Unstructured) error) error {
+	labelSelector, err := j.kubeBuildLabelSelector(selector)
+	if err != nil {
+		return err
+	}
+
 	listOpts := metav1.ListOptions{
 		Limit:         KubeListLimit,
 		LabelSelector: labelSelector,
 	}
 	for {
-		result, err := j.dynClient.Resource(gvr).List(ctx, listOpts)
+		var (
+			result *unstructured.UnstructuredList
+			err    error
+		)
+
+		if namespace != KubeNoNamespace {
+			// get by namespace
+			result, err = j.dynClient.Resource(gvr).Namespace(namespace).List(ctx, listOpts)
+		} else {
+			// get all
+			result, err = j.dynClient.Resource(gvr).List(ctx, listOpts)
+		}
+
 		if err != nil {
 			return err
 		}

kube_janitor/manager.go

@@ -11,6 +11,7 @@ import (
 	yaml "github.com/goccy/go-yaml"
 	"github.com/webdevops/go-common/log/slogger"
 	"k8s.io/client-go/dynamic"
+	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/clientcmd"
 	kubelog "sigs.k8s.io/controller-runtime/pkg/log"
@@ -22,7 +23,8 @@ type (
 
 		config *Config
 
-		dynClient *dynamic.DynamicClient
+		kubeClient *kubernetes.Clientset
+		dynClient  *dynamic.DynamicClient
 
 		logger *slogger.Logger
 
@@ -64,6 +66,11 @@ func (j *Janitor) connect() {
 		}
 	}
 
+	j.kubeClient, err = kubernetes.NewForConfig(config)
+	if err != nil {
+		panic(err.Error())
+	}
+
 	j.dynClient, err = dynamic.NewForConfig(config)
 	if err != nil {
 		panic(err)
@@ -140,9 +147,22 @@ func (j *Janitor) Start(interval time.Duration) {
 
 func (j *Janitor) Run() error {
 	j.connect()
+	ctx := context.Background()
+
+	if j.config.Ttl.Label != "" || j.config.Ttl.Annotation != "" {
+		if err := j.runTtlResources(ctx); err != nil {
+			return err
+		}
+	} else {
+		j.logger.Debug("skipping TTL run, no label or annotation defined")
+	}
 
-	if err := j.runTtlResources(); err != nil {
-		return err
+	if len(j.config.Rules) > 0 {
+		if err := j.runRules(ctx); err != nil {
+			return err
+		}
+	} else {
+		j.logger.Debug("skipping rules run, no rules defined")
 	}
 
 	return nil