From 9398254432c3479f777b960a63bfd87075aa4d05 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?= <cjeanner@redhat.com>
Date: Mon, 9 Mar 2026 14:54:23 +0100
Subject: [PATCH] Add ArgoCD postDelete hooks and README documentation

- Add postDelete hook components for controlplane, dataplane, and deploy-operators
- Document hooks in README with usage examples and component table
- Add PostDelete hooks section to ArgoCD orchestration principles

README edition involved AI assistance.

--
AI-Tool: Cursor
AI-Agent: Composer
AI-Mode: Agent

Made-with: Cursor
---
 README.md                                     | 50 +++++++++++++++++++
 .../controlplane/controlplaneCleaning.yaml    | 44 ++++++++++++++++
 .../controlplane/kustomization.yaml           |  6 +++
 .../OpenStackDataPlaneService-deletion.yaml   | 22 ++++++++
 .../postDelete/dataplane/kustomization.yaml   |  6 +++
 .../deploy-operators/kustomization.yaml       |  6 +++
 .../deploy-operators/observability-csv.yaml   | 21 ++++++++
 7 files changed, 155 insertions(+)
 create mode 100644 components/argocd/hooks/postDelete/controlplane/controlplaneCleaning.yaml
 create mode 100644 components/argocd/hooks/postDelete/controlplane/kustomization.yaml
 create mode 100644 components/argocd/hooks/postDelete/dataplane/OpenStackDataPlaneService-deletion.yaml
 create mode 100644 components/argocd/hooks/postDelete/dataplane/kustomization.yaml
 create mode 100644 components/argocd/hooks/postDelete/deploy-operators/kustomization.yaml
 create mode 100644 components/argocd/hooks/postDelete/deploy-operators/observability-csv.yaml

diff --git a/README.md b/README.md
index 9a38e78..f7633e9 100644
--- a/README.md
+++ b/README.md
@@ -62,6 +62,12 @@ We’re using sync-waves annotations for specific jobs and actions.
 
 The range -20;20 is reserved.
 
+### PostDelete hooks
+
+PostDelete hooks run cleanup Jobs when ArgoCD Applications are deleted (e.g., orphaned
+PVCs, Vault resources). See [ArgoCD postDelete hooks](#argocd-postdelete-hooks)
+in Consume proposed components for available components and usage.
+
 ### Healthchecks
 
 TBD
@@ -182,6 +188,50 @@ These annotations enable ArgoCD to determine the order that resources are create
     # [...]
     ```
 
+### ArgoCD postDelete hooks
+
+PostDelete hooks run Jobs after an ArgoCD Application is deleted. They perform
+cleanup that would otherwise not happen automatically when resources are removed,
+such as orphaned PersistentVolumeClaims, Vault-related resources, or
+operator-specific CRs. [Learn more about ArgoCD resource hooks](https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks/).
+
+**Available components**
+
+| Component | Purpose |
+|-----------|---------|
+| `components/argocd/hooks/postDelete/controlplane` | Waits for pods to terminate in `openstack` namespace, then deletes PVCs, VaultStaticSecrets, VaultAuth, VaultConnection, and Secrets |
+| `components/argocd/hooks/postDelete/dataplane` | Deletes all `OpenStackDataPlaneService` resources before namespace cleanup |
+| `components/argocd/hooks/postDelete/deploy-operators` | Deletes `cluster-observability-operator` ClusterServiceVersion (CSV) resources |
+
+**Example usage**
+
+Include the relevant postDelete component(s) in your Application or overlay, alongside
+the annotations component:
+
+```yaml
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+# [...]
+spec:
+  source:
+    # [...]
+    kustomize:
+      components:
+        - https://github.com/openstack-gitops/rhoso-gitops/components/argocd/annotations?ref=TAG
+        - https://github.com/openstack-gitops/rhoso-gitops/components/argocd/hooks/postDelete/controlplane?ref=TAG
+```
+
+From within an overlay or base kustomization:
+
+```yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+components:
+  - https://github.com/openstack-gitops/rhoso-gitops/components/argocd/annotations?ref=TAG
+  - https://github.com/openstack-gitops/rhoso-gitops/components/argocd/hooks/postDelete/controlplane?ref=TAG
+  # [...]
+```
+
 ## External resources
 
 1. [Official RHOSO documentation](https://docs.redhat.com/en/documentation/red_hat_openstack_services_on_openshift/18.0)
diff --git a/components/argocd/hooks/postDelete/controlplane/controlplaneCleaning.yaml b/components/argocd/hooks/postDelete/controlplane/controlplaneCleaning.yaml
new file mode 100644
index 0000000..4769ea4
--- /dev/null
+++ b/components/argocd/hooks/postDelete/controlplane/controlplaneCleaning.yaml
@@ -0,0 +1,44 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: ctlplane
+  namespace: openshift-gitops
+  annotations:
+    argocd.argoproj.io/hook: PostDelete
+    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+
+spec:
+  template:
+    spec:
+      serviceAccountName: openshift-gitops-argocd-application-controller
+      restartPolicy: Never
+      containers:
+        - name: wait-and-clean
+          image: registry.redhat.io/openshift4/ose-cli:latest
+          command: ['sh', '-c']
+          args:
+            - |
+              NAMESPACE="openstack"
+              MAX_ATTEMPTS=70   # Number of retries
+              SLEEP_SECONDS=10  # Interval (seconds) between checks
+              attempt=1
+
+              while [ $attempt -le $MAX_ATTEMPTS ]; do
+                # Count pods in the namespace
+                pod_count=$(oc get pods -n "$NAMESPACE" --no-headers | wc -l)
+                if [ "$pod_count" -eq 0 ]; then
+                  echo "All pods have been removed from namespace $NAMESPACE."
+                  break
+                else
+                  echo "Attempt $attempt: $pod_count pods still present in $NAMESPACE."
+                  ((attempt++))
+                  sleep "$SLEEP_SECONDS"
+                fi
+              done
+              [ "$(oc get pods -n "$NAMESPACE" --no-headers | wc -l)" -eq 0 ] || exit 1
+              oc -n openstack delete PersistentVolumeClaim --all
+              oc -n openstack delete VaultStaticSecret --all
+              oc -n openstack delete VaultAuth --all
+              oc -n openstack delete VaultConnection --all
+              oc -n openstack delete Secrets --all
diff --git a/components/argocd/hooks/postDelete/controlplane/kustomization.yaml b/components/argocd/hooks/postDelete/controlplane/kustomization.yaml
new file mode 100644
index 0000000..3d811c7
--- /dev/null
+++ b/components/argocd/hooks/postDelete/controlplane/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+resources:
+  - ./controlplaneCleaning.yaml
diff --git a/components/argocd/hooks/postDelete/dataplane/OpenStackDataPlaneService-deletion.yaml b/components/argocd/hooks/postDelete/dataplane/OpenStackDataPlaneService-deletion.yaml
new file mode 100644
index 0000000..354965d
--- /dev/null
+++ b/components/argocd/hooks/postDelete/dataplane/OpenStackDataPlaneService-deletion.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: delete-services
+  namespace: openshift-gitops
+  annotations:
+    argocd.argoproj.io/hook: PostDelete
+    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+
+spec:
+  template:
+    spec:
+      serviceAccountName: openshift-gitops-argocd-application-controller
+      restartPolicy: Never
+      containers:
+        - name: dataplane-services
+          image: registry.redhat.io/openshift4/ose-cli:latest
+          command: ['sh', '-c']
+          args:
+            - |
+              oc -n openstack delete OpenStackDataPlaneService --all
diff --git a/components/argocd/hooks/postDelete/dataplane/kustomization.yaml b/components/argocd/hooks/postDelete/dataplane/kustomization.yaml
new file mode 100644
index 0000000..31f69fb
--- /dev/null
+++ b/components/argocd/hooks/postDelete/dataplane/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+resources:
+  - ./OpenStackDataPlaneService-deletion.yaml
diff --git a/components/argocd/hooks/postDelete/deploy-operators/kustomization.yaml b/components/argocd/hooks/postDelete/deploy-operators/kustomization.yaml
new file mode 100644
index 0000000..9d530fa
--- /dev/null
+++ b/components/argocd/hooks/postDelete/deploy-operators/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+resources:
+  - ./observability-csv.yaml
diff --git a/components/argocd/hooks/postDelete/deploy-operators/observability-csv.yaml b/components/argocd/hooks/postDelete/deploy-operators/observability-csv.yaml
new file mode 100644
index 0000000..8198fa1
--- /dev/null
+++ b/components/argocd/hooks/postDelete/deploy-operators/observability-csv.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: clean-observability
+  namespace: openshift-gitops
+  annotations:
+    argocd.argoproj.io/hook: PostDelete
+    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+
+spec:
+  template:
+    spec:
+      serviceAccountName: openshift-gitops-argocd-application-controller
+      restartPolicy: Never
+      containers:
+        - name: clean-observability-csv
+          image: registry.redhat.io/openshift4/ose-cli:latest
+          command: ['sh', '-c']
+          args:
+            - oc get csv -A | awk '/cluster-observability-operator/ {print $1, $2}' | sort -u | xargs -n2 sh -c 'oc -n $0 delete csv $1'