🚀 Add deletionPolicy to Agent Pool controller (#584)

Author: arybolovlev

.changes/unreleased/BREAKING CHANGES-584-20250415-124806.yaml

@@ -0,0 +1,5 @@
+kind: BREAKING CHANGES
+body: '`AgentPool`: The new field, `spec.deletionPolicy`, is set to `retain` by default, which changes the previous default controller behavior when resources are deleted. The previous behavior corresponded to the `destroy` deletion policy value. This change is considered safer in cases of accidental resource deletion, planned migration, or other scenarios involving the deletion of a custom resource.'
+time: 2025-04-15T12:48:06.601466+02:00
+custom:
+    PR: "584"

.changes/unreleased/ENHANCEMENTS-584-20250415-124914.yaml

@@ -0,0 +1,5 @@
+kind: ENHANCEMENTS
+body: '`AgentPool`: Add a new field, `spec.deletionPolicy`, that specifies the behavior of the custom resource and its associated agent pool when the custom resource is deleted.'
+time: 2025-04-15T12:49:14.665714+02:00
+custom:
+    PR: "584"

.changes/unreleased/NOTES-494-20250415-125014.yaml

@@ -0,0 +1,5 @@
+kind: NOTES
+body: The `AgentPool` CRD has been changed. Please follow the Helm chart instructions on how to upgrade it.
+time: 2025-04-15T12:50:14.615385+02:00
+custom:
+    PR: "494"

api/v1alpha2/agentpool_types.go

@@ -8,6 +8,17 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
+// DeletionPolicy defines the strategy the Kubernetes operator uses when you delete a resource, either manually or by a system event.
+// You must use one of the following values:
+// - `retain`: When you delete the custom resource, the operator does not delete the agent pool.
+// - `destroy`: The operator will attempt to remove the managed HCP Terraform agent pool.
+type AgentPoolDeletionPolicy string
+
+const (
+	AgentPoolDeletionPolicyRetain  AgentPoolDeletionPolicy = "retain"
+	AgentPoolDeletionPolicyDestroy AgentPoolDeletionPolicy = "destroy"
+)
+
 // Agent Token is a secret token that a HCP Terraform Agent is used to connect to the HCP Terraform Agent Pool.
 // In `spec` only the field `Name` is allowed, the rest are used in `status`.
 // More infromation:
@@ -133,6 +144,19 @@ type AgentPoolSpec struct {
 	// Agent deployment settings
 	//+optional
 	AgentDeploymentAutoscaling *AgentDeploymentAutoscaling `json:"autoscaling,omitempty"`
+
+	// The Deletion Policy specifies the behavior of the custom resource and its associated agent pool when the custom resource is deleted.
+	// - `retain`: When you delete the custom resource, the operator will remove only the custom resource.
+	//   The HCP Terraform agent pool will be retained. The managed tokens will remain active on the HCP Terraform side; however, the corresponding secrets and managed agents will be removed.
+	// - `destroy`: The operator will attempt to remove the managed HCP Terraform agent pool.
+	//   On success, the managed agents and the corresponding secret with tokens will be removed along with the custom resource.
+	//   On failure, the managed agents will be scaled down to 0, and the managed tokens, along with the corresponding secret, will be removed. The operator will continue attempting to remove the agent pool until it succeeds.
+	// Default: `retain`.
+	//
+	//+kubebuilder:validation:Enum:=retain;destroy
+	//+kubebuilder:default=retain
+	//+optional
+	DeletionPolicy AgentPoolDeletionPolicy `json:"deletionPolicy,omitempty"`
 }
 
 // AgentDeploymentAutoscalingStatus

charts/hcp-terraform-operator/crds/app.terraform.io_agentpools.yaml

@@ -8170,6 +8170,20 @@ spec:
                 - maxReplicas
                 - minReplicas
                 type: object
+              deletionPolicy:
+                default: retain
+                description: |-
+                  The Deletion Policy specifies the behavior of the custom resource and its associated agent pool when the custom resource is deleted.
+                  - `retain`: When you delete the custom resource, the operator will remove only the custom resource.
+                    The HCP Terraform agent pool will be retained. The managed tokens will remain active on the HCP Terraform side; however, the corresponding secrets and managed agents will be removed.
+                  - `destroy`: The operator will attempt to remove the managed HCP Terraform agent pool.
+                    On success, the managed agents and the corresponding secret with tokens will be removed along with the custom resource.
+                    On failure, the managed agents will be scaled down to 0, and the managed tokens, along with the corresponding secret, will be removed. The operator will continue attempting to remove the agent pool until it succeeds.
+                  Default: `retain`.
+                enum:
+                - retain
+                - destroy
+                type: string
               name:
                 description: |-
                   Agent Pool name.

config/crd/bases/app.terraform.io_agentpools.yaml

@@ -8167,6 +8167,20 @@ spec:
                 - maxReplicas
                 - minReplicas
                 type: object
+              deletionPolicy:
+                default: retain
+                description: |-
+                  The Deletion Policy specifies the behavior of the custom resource and its associated agent pool when the custom resource is deleted.
+                  - `retain`: When you delete the custom resource, the operator will remove only the custom resource.
+                    The HCP Terraform agent pool will be retained. The managed tokens will remain active on the HCP Terraform side; however, the corresponding secrets and managed agents will be removed.
+                  - `destroy`: The operator will attempt to remove the managed HCP Terraform agent pool.
+                    On success, the managed agents and the corresponding secret with tokens will be removed along with the custom resource.
+                    On failure, the managed agents will be scaled down to 0, and the managed tokens, along with the corresponding secret, will be removed. The operator will continue attempting to remove the agent pool until it succeeds.
+                  Default: `retain`.
+                enum:
+                - retain
+                - destroy
+                type: string
               name:
                 description: |-
                   Agent Pool name.

docs/api-reference.md

@@ -104,6 +104,20 @@ More infromation:
 | `spec` _[AgentPoolSpec](#agentpoolspec)_ |  |
 
 
+#### AgentPoolDeletionPolicy
+
+_Underlying type:_ _string_
+
+DeletionPolicy defines the strategy the Kubernetes operator uses when you delete a resource, either manually or by a system event.
+You must use one of the following values:
+- `retain`: When you delete the custom resource, the operator does not delete the agent pool.
+- `destroy`: The operator will attempt to remove the managed HCP Terraform agent pool.
+
+_Appears in:_
+- [AgentPoolSpec](#agentpoolspec)
+
+
+
 #### AgentPoolSpec
 
 
@@ -121,6 +135,7 @@ _Appears in:_
 | `agentTokens` _[AgentToken](#agenttoken) array_ | List of the agent tokens to generate. |
 | `agentDeployment` _[AgentDeployment](#agentdeployment)_ | Agent deployment settings |
 | `autoscaling` _[AgentDeploymentAutoscaling](#agentdeploymentautoscaling)_ | Agent deployment settings |
+| `deletionPolicy` _[AgentPoolDeletionPolicy](#agentpooldeletionpolicy)_ | The Deletion Policy specifies the behavior of the custom resource and its associated agent pool when the custom resource is deleted.<br />- `retain`: When you delete the custom resource, the operator will remove only the custom resource.<br />  The HCP Terraform agent pool will be retained. The managed tokens will remain active on the HCP Terraform side; however, the corresponding secrets and managed agents will be removed.<br />- `destroy`: The operator will attempt to remove the managed HCP Terraform agent pool.<br />  On success, the managed agents and the corresponding secret with tokens will be removed along with the custom resource.<br />  On failure, the managed agents will be scaled down to 0, and the managed tokens, along with the corresponding secret, will be removed. The operator will continue attempting to remove the agent pool until it succeeds.<br />Default: `retain`. |
 
 
 

internal/controller/agentpool_controller.go

@@ -212,28 +212,6 @@ func (r *AgentPoolReconciler) updateAgentPool(ctx context.Context, ap *agentPool
 	return ap.tfClient.Client.AgentPools.Update(ctx, ap.instance.Status.AgentPoolID, options)
 }
 
-func (r *AgentPoolReconciler) deleteAgentPool(ctx context.Context, ap *agentPoolInstance) error {
-	if ap.instance.Status.AgentPoolID == "" {
-		ap.log.Info("Reconcile Agent Pool", "msg", fmt.Sprintf("status.agentPoolID is empty, remove finalizer %s", agentPoolFinalizer))
-		return r.removeFinalizer(ctx, ap)
-	}
-	err := ap.tfClient.Client.AgentPools.Delete(ctx, ap.instance.Status.AgentPoolID)
-	if err != nil {
-		// if agent pool wasn't found, it means it was deleted from the TF Cloud bypass the operator
-		// in this case, remove the finalizer and let Kubernetes remove the object permanently
-		if err == tfc.ErrResourceNotFound {
-			ap.log.Info("Reconcile Agent Pool", "msg", fmt.Sprintf("Agent Pool ID %s not found, remove finalizer", agentPoolFinalizer))
-			return r.removeFinalizer(ctx, ap)
-		}
-		ap.log.Error(err, "Reconcile Agent Pool", "msg", fmt.Sprintf("failed to delete Agent Pool ID %s, retry later", agentPoolFinalizer))
-		r.Recorder.Eventf(&ap.instance, corev1.EventTypeWarning, "ReconcileAgentPool", "Failed to delete Agent Pool ID %s, retry later", ap.instance.Status.AgentPoolID)
-		return err
-	}
-
-	ap.log.Info("Reconcile Agent Pool", "msg", fmt.Sprintf("agent pool ID %s has been deleted, remove finalizer", ap.instance.Status.AgentPoolID))
-	return r.removeFinalizer(ctx, ap)
-}
-
 func (r *AgentPoolReconciler) readAgentPool(ctx context.Context, ap *agentPoolInstance) (*tfc.AgentPool, error) {
 	return ap.tfClient.Client.AgentPools.ReadWithOptions(ctx, ap.instance.Status.AgentPoolID, &tfc.AgentPoolReadOptions{
 		Include: []tfc.AgentPoolIncludeOpt{

internal/controller/agentpool_controller_autoscaling_test.go

@@ -13,6 +13,7 @@ import (
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -72,7 +73,12 @@ var _ = Describe("Agent Pool controller", Ordered, func() {
 
 	AfterEach(func() {
 		Expect(tfClient.Workspaces.Delete(ctx, organization, workspace)).To(Succeed())
+		// Delete Agent Pool CR
 		Expect(k8sClient.Delete(ctx, instance)).To(Succeed())
+		Eventually(func() bool {
+			err := k8sClient.Get(ctx, namespacedName, instance)
+			return errors.IsNotFound(err)
+		}).Should(BeTrue())
 	})
 
 	Context("Autoscaling", func() {
@@ -100,6 +106,7 @@ var _ = Describe("Agent Pool controller", Ordered, func() {
 					return run.Status == tfc.RunApplied
 				}).Should(BeTrue())
 				// Create a new Agent Pool
+				instance.Spec.DeletionPolicy = appv1alpha2.AgentPoolDeletionPolicyDestroy
 				Expect(k8sClient.Create(ctx, instance)).Should(Succeed())
 				Eventually(func() bool {
 					Expect(k8sClient.Get(ctx, namespacedName, instance)).Should(Succeed())
@@ -154,6 +161,7 @@ var _ = Describe("Agent Pool controller", Ordered, func() {
 				return run.Status == tfc.RunApplied
 			}).Should(BeTrue())
 			// New Agent Pool
+			instance.Spec.DeletionPolicy = appv1alpha2.AgentPoolDeletionPolicyDestroy
 			Expect(k8sClient.Create(ctx, instance)).Should(Succeed())
 			Eventually(func() bool {
 				Expect(k8sClient.Get(ctx, namespacedName, instance)).Should(Succeed())

internal/controller/agentpool_controller_deletion_policy.go

@@ -0,0 +1,85 @@
+// Copyright (c) HashiCorp, Inc.
+// SPDX-License-Identifier: MPL-2.0
+
+package controller
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	tfc "github.com/hashicorp/go-tfe"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	appv1alpha2 "github.com/hashicorp/hcp-terraform-operator/api/v1alpha2"
+)
+
+func (r *AgentPoolReconciler) deleteAgentPool(ctx context.Context, ap *agentPoolInstance) error {
+	ap.log.Info("Reconcile Agent Pool", "msg", fmt.Sprintf("deletion policy is %s", ap.instance.Spec.DeletionPolicy))
+
+	if ap.instance.Status.AgentPoolID == "" {
+		ap.log.Info("Reconcile Agent Pool", "msg", fmt.Sprintf("status.agentPoolID is empty, remove finalizer %s", agentPoolFinalizer))
+		return r.removeFinalizer(ctx, ap)
+	}
+
+	switch ap.instance.Spec.DeletionPolicy {
+	case appv1alpha2.AgentPoolDeletionPolicyRetain:
+		ap.log.Info("Reconcile Agent Pool", "msg", fmt.Sprintf("remove finalizer %s", agentPoolFinalizer))
+		return r.removeFinalizer(ctx, ap)
+	case appv1alpha2.AgentPoolDeletionPolicy(appv1alpha2.DeletionPolicyDestroy):
+		// Attempt to delete the agent pool first. If successful, no other actions are required.
+		// Otherwise, scale down the agents to 0 and delete all tokens.
+		err := ap.tfClient.Client.AgentPools.Delete(ctx, ap.instance.Status.AgentPoolID)
+		if err != nil {
+			// If agent pool wasn't found, it means it was deleted from the HCP Terraform bypass the operator.
+			// In this case, remove the finalizer and let Kubernetes remove the object permanently
+			if err == tfc.ErrResourceNotFound {
+				ap.log.Info("Reconcile Agent Pool", "msg", fmt.Sprintf("agent pool ID %s not found, remove finalizer", agentPoolFinalizer))
+				return r.removeFinalizer(ctx, ap)
+			}
+			ap.log.Error(err, "Reconcile Agent Pool", "msg", fmt.Sprintf("failed to delete Agent Pool ID %s, retry later", agentPoolFinalizer))
+			r.Recorder.Eventf(&ap.instance, corev1.EventTypeWarning, "ReconcileAgentPool", "Failed to delete Agent Pool ID %s, retry later", ap.instance.Status.AgentPoolID)
+			// Do not return the error here; proceed further to cale down the agents to 0 and delete all tokens.
+		} else {
+			ap.log.Info("Reconcile Agent Pool", "msg", fmt.Sprintf("agent pool ID %s has been deleted, remove finalizer", ap.instance.Status.AgentPoolID))
+			return r.removeFinalizer(ctx, ap)
+		}
+		// Downscale agents
+		if ap.instance.Status.AgentDeploymentAutoscalingStatus != nil && ap.instance.Status.AgentDeploymentAutoscalingStatus.DesiredReplicas != nil {
+			if *ap.instance.Status.AgentDeploymentAutoscalingStatus.DesiredReplicas > 0 {
+				ap.log.Info("Reconcile Agent Pool", "msg", fmt.Sprintf("scale agents from %d to 0", *ap.instance.Status.AgentDeploymentAutoscalingStatus.DesiredReplicas))
+				var n int32 = 0
+				if err := r.scaleAgentDeployment(ctx, ap, &n); err != nil {
+					ap.log.Error(err, "Reconcile Agent Pool", "msg", "failed to scale agents")
+					return err
+				}
+				ap.instance.Status.AgentDeploymentAutoscalingStatus = &appv1alpha2.AgentDeploymentAutoscalingStatus{
+					DesiredReplicas: &n,
+					LastScalingEvent: &metav1.Time{
+						Time: time.Now(),
+					},
+				}
+				ap.log.Info("Reconcile Agent Pool", "msg", "successfully scaled agents to 0")
+			}
+		}
+		// Remove tokens
+		if len(ap.instance.Status.AgentTokens) > 0 {
+			ap.log.Info("Reconcile Agent Pool", "msg", "remove tokens")
+			for _, t := range ap.instance.Status.AgentTokens {
+				err := ap.tfClient.Client.AgentTokens.Delete(ctx, t.ID)
+				if err != nil && err != tfc.ErrResourceNotFound {
+					ap.log.Error(err, "Reconcile Agent Pool", "msg", fmt.Sprintf("failed to remove token %s", t.ID))
+					return err
+				}
+				err = r.removeToken(ctx, ap, t.ID)
+				if err != nil {
+					return err
+				}
+			}
+			ap.log.Info("Reconcile Agent Pool", "msg", "successfully deleted tokens")
+		}
+	}
+
+	return nil
+}