Janitor Cleanup Based on VPC ID

[sudharshanibm]

Enhances the IBM Cloud Janitor functionality to support resource cleanup based on a specific VPC ID.

Changes Introduced:

• Added conditional logic to clean up resources (subnets, floating IPs, load balancers) based on the VPC they are associated with.
• When vpc-id is passed in the API call, the janitor filters and deletes:
  • Subnets within the specified VPC
  • Unbound floating IPs (with conditional checks if VPC is specified)
  • Load balancers attached to subnets belonging to the specified VPC
• If vpc-id is not provided, the cleanup falls back to using the resource group as the default filter.

Why:
This allows more granular and targeted cleanup, especially useful when multiple VPCs exist under the same resource group.

[k8s-ci-robot]

Hi @sudharshanibm. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[Amulyam24]

/ok-to-test

[Amulyam24]

/cc @Prajyot-Parab

[Prajyot-Parab]

what will happen incase of multiple subnets?

[sudharshanibm]

Thanks @Prajyot-Parab ,
For pointing out.
I have updated the code now such that it iterates through all subnets attached to each load balancer and:

• Checks if at least one subnet belongs to the target VPC (client.VPCID)
• If any one subnet is in the correct VPC, the load balancer is marked for deletion
• If none of the subnets belong to the target VPC, the load balancer is skipped

Built an ibmcloud-janitor-boskos image with updated code and validated the changes

[Amulyam24]

is this function used anywhere?

[Amulyam24]

won't returning true skip the LB for deletion when subnets are 0?

[sudharshanibm]

yes returning true here intentionally skips deletion of the load balancer when len(fullLB.Subnets) == 0 because without subnets, we cannot verify if the load balancer belongs to the specified VPC
this is a safe check to avoid accidentally deleting unrelated resources.

[Amulyam24]

in that case, do you think its better to delete the LBs in that resource group as there is chance that it could be stale?

[sudharshanibm]

yes load balancers with no subnets are likely to be stale. Initially, I skipped deleting them to avoid any risk of removing unrelated resources, especially since we couldn't verify their VPC association without subnet info

now I've updated the logic to safely allow deletion of such LBs if they belong to the specified resource group.

[Amulyam24]

when subnets for the LB exist in the desired VPC, will it delete LB directly if it has subnets attached to it?

[sudharshanibm]

yes it will attempt to delete the LB even if it has subnets attached, as long as those subnets belong to the desired VPC

[Amulyam24]

one question here, shouldn't this be true? If subnet is attached to the VPC passed in user-data, we want to skip deletion. Returning false would proceed to LB deletion right?

[Amulyam24]

Suggested change

	fullLB, _, err := client.GetLoadBalancer(&vpcv1.GetLoadBalancerOptions{ID: lb.ID})
	lbDetails, _, err := client.GetLoadBalancer(&vpcv1.GetLoadBalancerOptions{ID: lb.ID})

[Amulyam24]

minor nits, can be enhanced in future if user-data would be removed.

[Amulyam24]

this condition would already be satisfied in L107 right? I think we can directly go ahead with deletion.

[sudharshanibm]

yes actually the check for the resource group is already being done earlier, so once we detect that len(lbDetails.Subnets) == 0 we can directly proceed with deletion.
However, we're using lbDetails here, which contains more complete information than what we get from the list call.
I’ve updated the code to eliminate the redundant check.

[Amulyam24]

and reason for adding GetLoadbalancer call? will the ListLoadbalancers output not have the details of subnets in the LB output?

[sudharshanibm]

yes the GetLoadBalancer call is required because the output from ListLoadBalancers does not include detailed information about attached subnets
It only returns high-level metadata for each LB and in order to access the subnets field with actual values, we need to call GetLoadBalancer which contains the full details of the resource

[Amulyam24]

can you please cross check? I see that LB list returned in ListLoadbalancers and LB inGetLoadbalancer are pointing to the same type - https://pkg.go.dev/github.com/IBM/[email protected]/vpcv1#LoadBalancer which has subnet details.

[sudharshanibm]

I’ve manually verified the behavior with the updated code and checked the outputs, found that the ListLoadBalancers response already includes the subnet details.
so I’ve modified the code to remove the redundant check and directly proceed with deletion when no subnets are attached.

=== Output from GetLoadBalancer ===
Name: k8s-test-lb
  Subnet #1:
    ID: xxxx-xxxx-xxxx-xxxx-xxxx
    Name: k8s-test-subnet

=== Output from ListLoadBalancers ===
Name: k8s-test-lb
  Subnet #1:
    ID: xxxx-xxxx-xxxx-xxxx-xxxx
    Name: k8s-test-subnet

here both outputs return the subnet details. so, the GetLoadBalancer call to fetch detailed subnet information is not required as you mentioned and we can proceed with deletion if len(lbDetails.Subnets) == 0 without additional checks

[Amulyam24]

Thanks for verifying.

[Amulyam24]

Suggested change

	resourceLogger.Info("Skipping VPC deletion as specific VPC ID was provided")
	resourceLogger.Info("Skipping VPC deletion as VPC ID is passed in user-data")

Better to log VPC name as well.

[Amulyam24]

Suggested change

	// No VPCID provided, just check resource group
	// No VPC ID is provided, check if LB's resource group matches the ID passed in user-data

[Amulyam24]

Suggested change

	// Skip bound FIPs if VPCID is specified
	// Skip bound FIPs if VPC ID is specified

[Amulyam24]

Suggested change

	// List subnets with optional VPC filter
	listSubnetOpts := &vpcv1.ListSubnetsOptions{
	listSubnetOpts := &vpcv1.ListSubnetsOptions{

[Amulyam24]

Suggested change

	if client.VPCID != "" {
	// List subnets with optional VPC filter
	if client.VPCID != "" {

[Amulyam24]

Suggested change

	// No subnets: assume stale, delete if in the correct resource group
	// LB does not have attached subnets, can procced with deletion
	can

[Amulyam24]

Suggested change

	resourceLogger.WithField("name", *lb.Name).Warn("load balancer has no subnets, assuming stale and eligible for deletion")
	resourceLogger.WithField("name", *lb.Name).Warn("load balancer has no attached subnets, assuming stale and proceed with deletion")

[Amulyam24]

missed removing the unused function?

[Amulyam24]

Suggested change

	return lb.ResourceGroup == nil || *lb.ResourceGroup.ID != client.ResourceGroupID
	}
	lbDetails, _, err := client.GetLoadBalancer(&vpcv1.GetLoadBalancerOptions{ID: lb.ID})
	if err != nil {
	resourceLogger.WithField("name", *lb.Name).Error("failed to get load balancer details")
	*errs = append(*errs, err)
	return true
	}
	if len(lbDetails.Subnets) == 0 {
	// LB does not have attached subnets, can procced with deletion
	if lbDetails.ResourceGroup != nil && *lbDetails.ResourceGroup.ID == client.ResourceGroupID {
	resourceLogger.WithField("name", *lb.Name).Warn("load balancer has no attached subnets, assuming stale and proceed with deletion")
	return false
	}
	return true
	}
	return lb.ResourceGroup == nil || *lb.ResourceGroup.ID != client.ResourceGroupID
	}
	if len(lb.Subnets) == 0 {
	// LB does not have attached subnets, can procced with deletion
	resourceLogger.WithField("name", *lb.Name).Warn("load balancer has no attached subnets, assuming stale and proceed with deletion")
	return false
	}

will this work?

[Amulyam24]

minor nit, LGTM!

[Amulyam24]

Suggested change

	// Check subnets for validity
	// Check if subnets belong to the VPC using ID passed in user-data. If yes, skip deletion of LB

[Amulyam24]

Suggested change

	if len(lb.Subnets) == 0 {
	// LB does not have attached subnets, can proceed with deletion
	resourceLogger.WithField("name", *lb.Name).Warn("load balancer has no attached subnets, assuming stale and proceed with deletion")
	return false
	}
	// Check if subnets belong to the VPC using ID passed in user-data. If yes, skip deletion of LB
	for _, subnetRef := range lb.Subnets {
	subnet, _, err := client.GetSubnet(&vpcv1.GetSubnetOptions{ID: subnetRef.ID})
	if err != nil {
	resourceLogger.WithFields(logrus.Fields{
	"name": *lb.Name,
	"subnet_id": subnetRef.ID,
	}).Error("failed to get subnet details")
	*errs = append(*errs, err)
	continue
	}
	if subnet.VPC != nil && *subnet.VPC.ID == client.VPCID {
	return false
	}
	}
	return true
	}
	// Check if subnets belong to the VPC using ID passed in user-data. If yes, skip deletion of LB
	for _, subnetRef := range lb.Subnets {
	subnet, _, err := client.GetSubnet(&vpcv1.GetSubnetOptions{ID: subnetRef.ID})
	if err != nil {
	resourceLogger.WithFields(logrus.Fields{
	"name": *lb.Name,
	"subnet_id": subnetRef.ID,
	}).Error("failed to get subnet details")
	*errs = append(*errs, err)
	continue
	}
	if subnet.VPC != nil && *subnet.VPC.ID == client.VPCID {
	return true
	}
	}
	resourceLogger.WithField("name", *lb.Name).Warn("load balancer has no attached subnets, assuming stale and proceeding with deletion")
	return false
	}

Can this be simlified as above?

[Amulyam24]

@sudharshanibm ^^^

[Amulyam24]

This might be a breaking change for VPC resource types which are using janitor and don't have zone in user-data. I see you are only loading zone but not using it anywhere, Is this change needed?

Wouldn't adding it in user-data alone be sufficient?

[sudharshanibm]

Yes, adding it to the user-data itself is sufficient.
Can we make it optional, so that it doesn’t break existing resources?

[Amulyam24]

VPC zone is not used anywhere in the janitor, any reason for making it optional?

[Amulyam24]

/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Amulyam24, sudharshanibm

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• common/ibmcloud/OWNERS [Amulyam24]
• internal/ibmcloud-janitor/OWNERS [Amulyam24]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment