Inactive workloads optimization

Co-authored-by: Riccardo Marco Miracapillo s324163 <s324163@studenti.polito.it>
Co-authored-by: Andrea Buonaurio <65712954+andreabuon@users.noreply.github.com>

Author: 3 people

.github/workflows/build-matrix.json

@@ -6,6 +6,13 @@
         "build-args": "COMPONENT=instance-operator",
         "harbor-project": "crownlabs-core"
     },
+    {
+        "component": "instance-automation",
+        "context": "./operators",
+        "dockerfile": "./operators/build/golang-common/Dockerfile",
+        "build-args": "COMPONENT=instance-automation",
+        "harbor-project": "crownlabs-core"
+    },
     {
         "component": "operator",
         "context": "./operators",
@@ -54,12 +61,6 @@
         "dockerfile": "./operators/build/crownlabs-image-list/Dockerfile",
         "harbor-project": "crownlabs-core"
     },
-    {
-        "component": "delete-stale-instances",
-        "context": "./operators",
-        "dockerfile": "./operators/build/delete-stale-instances/Dockerfile",
-        "harbor-project": "crownlabs-core"
-    },
     {
         "component": "frontend-app",
         "context": "./frontend",

.github/workflows/test.yml

@@ -91,7 +91,6 @@ jobs:
         working-directory: operators/
         run: |
           make test
-          make test-python
 
       - name: Send coverage
         if: steps.pathFilter.outputs.operators == 'true'

deploy/crownlabs/Chart.lock

@@ -5,9 +5,12 @@ dependencies:
 - name: qlkube
   repository: file://../../qlkube/deploy/qlkube
   version: 0.1.0
+- name: crownmail
+  repository: file://../../operators/deploy/crownmail
+  version: 0.1.0
 - name: instance-operator
   repository: file://../../operators/deploy/instance-operator
-  version: 0.1.1
+  version: 0.1.2
 - name: tenant-operator
   repository: file://../../operators/deploy/tenant-operator
   version: 0.1.0
@@ -17,9 +20,6 @@ dependencies:
 - name: image-list
   repository: file://../../operators/deploy/image-list
   version: 0.1.0
-- name: delete-stale-instances
-  repository: file://../../operators/deploy/delete-stale-instances
-  version: 0.1.0
 - name: exam-agent
   repository: file://../../operators/deploy/exam-agent
   version: 0.1.0
@@ -29,5 +29,5 @@ dependencies:
 - name: policies
   repository: file://../../policies
   version: 0.1.0
-digest: sha256:94f282fd3eb152d3693b5d98117d3cd48ca6570be13a48552de2b3b036696f46
-generated: "2022-07-08T12:10:33.942195264+02:00"
+digest: sha256:3ef8ee147fe7efb16c335870531e1a71deecbbe87d85671734d71c101560e235
+generated: "2025-08-22T12:30:28.50327485+02:00"

deploy/crownlabs/Chart.yaml

@@ -35,8 +35,13 @@ dependencies:
   repository: file://../../operators/deploy/operator
   condition: operator.enabled
 
+- name: crownmail
+  version: "0.1.0"
+  repository: file://../../operators/deploy/crownmail
+  condition: crownmail.enabled
+
 - name: instance-operator
-  version: "0.1.1"
+  version: "0.1.2"
   repository: file://../../operators/deploy/instance-operator
   condition: instance-operator.enabled
 
@@ -50,11 +55,6 @@ dependencies:
   repository: file://../../operators/deploy/image-list
   condition: image-list.enabled
 
-- name: delete-stale-instances
-  version: "0.1.0"
-  repository: file://../../operators/deploy/delete-stale-instances
-  condition: delete-stale-instances.enabled
-
 - name: exam-agent
   version: "0.1.0"
   repository: file://../../operators/deploy/exam-agent

deploy/crownlabs/values.yaml

@@ -77,6 +77,21 @@ operator:
       baseWorkspaces: utilities
     enableMutating: true
 
+crownmail:
+  templates:
+    name: crownmail-templates
+    sourceFolder: mail-templates
+  configs:
+    name: crownmail-configs
+    sourceFolder: mail-configs
+    smtp:
+      server: override.smtp.example.com
+      port: "123"
+      identity: override-debug
+      username: override-debug@example.com
+      password: override-debugpassword
+      from: override-crownlabs@example.com
+
 instance-operator:
   replicaCount: 1
   image:
@@ -89,8 +104,10 @@ instance-operator:
       instancesAuthUrl: https://crownlabs.example.com/auth
     containerEnvironmentOptions:
       tag: ""
-      vncImage: crownlabs/tigervnc
       websockifyImage: crownlabs/websockify
+      vncImage: crownlabs/tigervnc
+      contentDownloaderImage: crownlabs/content-downloader
+      contentUploaderImage: crownlabs/content-uploader
       instmetricsServerEndpoint: crownlabs-instmetrics.crownlabs-production:9090
     containerVmSnapshots:
       kanikoImage: gcr.io/kaniko-project/executor
@@ -100,6 +117,35 @@ instance-operator:
       url: registry.crownlabs.example.com
       secretName: registry-credentials
     maxConcurrentReconciles: 1
+    maxAutomationConcurrentReconciles: 1
+    monitoring:
+      prometheusURL: http://kube-prometheus-stack-prometheus.monitoring:9090
+      queryNginxAvailable: count(up{service="ingress-nginx-external-controller-metrics"})
+      queryBastionSSHAvailable: count(up{container="bastion-operator-tracker-sidecar"})
+      queryWebSSHAvailable: count(up{container="webssh"})
+      queryNginxData: nginx_ingress_controller_requests{exported_namespace="%s", exported_service="%s"}
+      queryBastionSSHData: bastion_ssh_connections{destination_ip="%s"}
+      queryWebSSHData: bastion_web_ssh_connections{destination_ip="%s"}
+      queryStep: 5m
+    mailTemplateDir: /etc/crownmail/templates
+    mailConfigDir: /etc/crownmail/configs
+    automation:
+      enableInstanceSubmission: true
+      enableInstanceTermination: true
+      enableInstanceInactiveTermination: true
+      enableInstanceExpiration: true
+      maxConcurrentTerminationReconciles: 1
+      maxConcurrentInactiveTerminationReconciles: 1
+      maxConcurrentExpirationReconciles: 1
+      maxConcurrentSubmissionReconciles: 1
+      terminationStatusCheckTimeout: "3s"
+      terminationStatusCheckInterval: "2m"
+      inactiveTerminationStatusCheckTimeout: "3s"
+      inactiveTerminationMaxNumberOfAlerts: 3
+      enableInactivityNotifications: true
+      enableExpirationNotifications: true
+      inactiveTerminationNotificationInterval: "24h"
+      expirationNotificationInterval: "24h"
 
 bastion-operator:
   replicaCount: 1
@@ -139,14 +185,6 @@ image-list:
     imageListName: crownlabs-virtual-machine-images
     updateInterval: 60
 
-delete-stale-instances:
-  image:
-    repository: crownlabs/delete-stale-instances
-  rbacResourcesName: crownlabs-delete-stale-instances
-  configurations:
-    dryRun: true
-    schedule: "*/15 * * * *"
-
 exam-agent:
   replicaCount: 1
   configurations:

operators/Makefile

@@ -20,9 +20,6 @@ gen: generate fmt vet manifests
 test:
 	go test ./... -coverprofile coverage.out -covermode=count
 
-test-python: python-dependencies
-	python3 ./cmd/delete-stale-instances/test_delete_stale_instances.py
-
 # Install CRDs into a cluster
 install: manifests
 	kubectl apply -f deploy/crds
@@ -79,10 +76,25 @@ run-instance: generate
 				--instances-auth-url=crownlabs.polito.it/app/instances/auth\
 				--container-env-sidecars-tag=v0.14.5
 
+run-instance-automation: generate
+	go run cmd/instance-automation/main.go\
+				--namespace-whitelist=crownlabs.polito.it/operator-selector=local\
+				--container-env-sidecars-tag=v0.14.5\
+				--enable-instance-submission=false\
+				--enable-instance-termination=false\
+				--enable-instance-inactive-termination=true\
+				--enable-instance-expiration=false\
+				--mail-template-dir=deploy/crownmail/mail-templates\
+				--mail-config-dir=deploy/crownmail/mail-configs\
+				--enable-inactivity-notifications=false\
+				--enable-expiration-notifications=false
+
 #the double target below is used to set DOMAIN for local targets
 #reference: https://www.gnu.org/software/make/manual/html_node/Target_002dspecific.html
 run-instance-local: DOMAIN="crownlabsfake.polito.it"
-run-instance-local: samples-local install-local run-instance
+run-instance-local: install-local samples-res-local run-instance
+
+run-instance-automation-local: install-local samples-res-local run-instance-automation
 
 run-operator: generate
 	go run cmd/operator/main.go\
@@ -98,14 +110,27 @@ run-operator: generate
 run-tenant: run-operator
 
 install-local: manifests
-	kubectl apply -f deploy/crds
-	kubectl apply -f tests/crds
+	kubectl apply -f deploy/crds --wait
+	kubectl apply -f tests/crds --wait
 
-python-dependencies:
-	pip3 install -r ./build/delete-stale-instances/requirements.txt
+uninstall-local: manifests
+	kubectl delete -f deploy/crds
+	kubectl delete -f tests/crds
 
-samples-local:
+samples-res-local:
 	kubectl apply -f ./samples/
 
-clean-local:
+clean-res-local:
 	kubectl delete -f ./samples/
+
+clean-local: clean-res-local uninstall-local
+
+force-clean-local:
+	-for resource in $$(kubectl get tenants.crownlabs.polito.it -o name 2>/dev/null); do kubectl patch $$resource --type='merge' -p='{"metadata":{"finalizers":[]}}' 2>/dev/null || true; done
+	-for resource in $$(kubectl get workspaces.crownlabs.polito.it -o name 2>/dev/null); do kubectl patch $$resource --type='merge' -p='{"metadata":{"finalizers":[]}}' 2>/dev/null || true; done
+	-for resource in $$(kubectl get instances.crownlabs.polito.it -o name 2>/dev/null); do kubectl patch $$resource --type='merge' -p='{"metadata":{"finalizers":[]}}' 2>/dev/null || true; done
+	-for resource in $$(kubectl get templates.crownlabs.polito.it -o name 2>/dev/null); do kubectl patch $$resource --type='merge' -p='{"metadata":{"finalizers":[]}}' 2>/dev/null || true; done
+	-kubectl delete tenants.crownlabs.polito.it,workspaces.crownlabs.polito.it,instances.crownlabs.polito.it,templates.crownlabs.polito.it --all --force --grace-period=0 2>/dev/null || true
+	-kubectl delete configmap crownlabs-mail-config --namespace=default --ignore-not-found
+	-kubectl delete -f deploy/crds --ignore-not-found
+	-kubectl delete -f tests/crds --ignore-not-found

operators/README.md

@@ -134,6 +134,46 @@ The Instance Operator requires Golang 1.16 and `make`. To build the operator:
 go build ./cmd/instance-operator/main.go
 ```
 
+### Instance Automation Operator
+
+The **Instance Automation Controller** (`instautoctrl` package) is responsible for all the automation tasks with regard to Instances, focusing on four main actions:
+
+- instance inactivity
+- instance expiration
+- instance termination
+- instance submission
+
+The first two actions ensure that unused or expired resources are efficiently managed, improving resource utilization and reducing unnecessary costs, while still providing tenants with proper notifications as well as flexibility to the administrator through configuration options and annotations.
+
+The last two actions are instead related to exam automation, allowing to automatically terminate Instances and submit exam files.
+
+You can find the full documentation [here](/operators/pkg/instautoctrl/README.md).
+
+#### Instance Inactive Termination controller
+
+This controller periodically checks running Instances to determine if they are still in use or can be terminated because of inactivity.
+Each **Template** resource associated with an Instance defines an `InactivityTimeout` field, which represents the period of inactivity after which the Instance is considered unused.
+If omitted, this field is automatically added in the Template resource with a `never` value set by default, meaning that Instances created from that template will be ignored by this controller.
+
+To evaluate whether an Instance is active, the controller relies on **Prometheus** metrics.
+It verifies whether the tenant has accessed the Instance recently, either through the frontend (by analyzing Ingress metrics) or via SSH (using a specific SSH bastion tracker metric).
+If activity is detected, the controller postpones the check.
+If no activity is recorded for a time longer than the `InactivityTimeout`, the process of inactivity handling begins.
+When an Instance has been marked as inactive, the controller starts sending email notifications to tenants, warning them that the Instance will be paused or deleted if they do not access it.
+The number of notifications sent is defined by the `inactiveTerminationMaxNumberOfAlerts` parameter in the Helm chart.
+Once this limit is reached, the controller takes action: **persistent Instances are paused**, while **non-persistent Instances are deleted**.
+After the final action, an additional email is sent to inform the tenant.
+Both the controller and the email notifications can be enabled or disabled through the Helm chart using the `enableInstanceInactiveTermination` and `enableInactivityNotifications` parameters.
+In addition, the behavior can be customized using annotations. For example, the `CustomNumberOfAlertsAnnotation` on a Template allows overriding the default number of notifications for a specific Instance type, while the `InstanceInactivityIgnoreNamespace` annotation, set to `True` on a Namespace completely excludes its Instances from the inactivity termination logic.
+
+#### Instance Expiration controller
+While the Instance Inactive Termination Controller deletes Instances when these are not used for an extended period of time, this controller (_Instance Expiration Controller_) introduces an orthogonal feature, i.e., the capability to delete an Instance when its maximum lifespan has expired, no matter if the instance has been used or not.
+Each Template defines a `DeleteAfter` field that specifies how long an Instance can exist before it must be removed. When an Instance reaches this limit, the controller automatically deletes it.
+Analogously to the Instance Inactive Termination Controller, omitting the `DeleteAfter` field means it is automatically set to `never` by default, meaning that Instances created from that template will be ignored by this controller.
+As with inactivity termination, this feature can be managed through Helm chart parameters: `enableInstanceExpiration` controls whether the controller is active, while `enableExpirationNotifications` enables or disables email alerts to inform tenants before deletion.
+This feature can be used when we know already that an Instance will not be needed after a given period; a possible example is the instance used to carry out an exam, which can be safely deleted when the exam has finished.
+The `ExpirationIgnoreNamespace` annotation, when set to `True`, allows to ignore all Instances in a Namespace, preventing them from being deleted due to expiration.
+
 ## SSH bastion
 
 The SSH bastion is composed of three basic blocks:

operators/api/v1alpha2/template_types.go

@@ -71,6 +71,13 @@ type TemplateSpec struct {
 	// or stopped to save resources. If set to "never", the instance will not be
 	// automatically terminated.
 	DeleteAfter string `json:"deleteAfter,omitempty"`
+
+	// +kubebuilder:validation:Pattern="^(never|[0-9]+[mhd])$"
+	// +kubebuilder:default="never"
+	// The maximum period of inactivity after which an Instance referencing
+	// the current Template will be automatically stopped or deleted to
+	// save resources.
+	InactivityTimeout string `json:"inactivityTimeout,omitempty"`
 }
 
 // TemplateStatus reflects the most recently observed status of the Template.