ngrok · jonstacks · May 16, 2025 · May 15, 2025
@@ -79,6 +79,8 @@
 	// agent(tunnel driver) flags
 	region  string
 	rootCAs string
+
+	defaultDomainReclaimPolicy string
 }
 
 func agentCmd() *cobra.Command {
@@ -107,6 +109,8 @@
 	c.Flags().BoolVar(&opts.disableGatewayReferenceGrants, "disable-reference-grants", false, "Opts-out of requiring ReferenceGrants for cross namespace references in Gateway API config")
 	c.Flags().BoolVar(&opts.enableFeatureBindings, "enable-feature-bindings", false, "Enables the Endpoint Bindings controller")
 
+	c.Flags().StringVar(&opts.defaultDomainReclaimPolicy, "default-domain-reclaim-policy", string(ingressv1alpha1.DomainReclaimPolicyDelete), "The default domain reclaim policy to apply to created domains")
+
 	opts.zapOpts = &zap.Options{}
 	goFlagSet := flag.NewFlagSet("manager", flag.ContinueOnError)
 	opts.zapOpts.BindFlags(goFlagSet)
@@ -118,6 +122,11 @@
 func runAgentController(ctx context.Context, opts agentManagerOpts) error {
 	ctrl.SetLogger(zap.New(zap.UseFlagOptions(opts.zapOpts)))
 
+	defaultDomainReclaimPolicy, err := validateDomainReclaimPolicy(opts.defaultDomainReclaimPolicy)
+	if err != nil {
+		return err
+	}
+
 	buildInfo := version.Get()
 	setupLog.Info("starting agent-manager", "version", buildInfo.Version, "commit", buildInfo.GitCommit)
 
@@ -180,11 +189,12 @@
 	}
 
 	if err = (&agentcontroller.AgentEndpointReconciler{
-		Client:       mgr.GetClient(),
-		Log:          ctrl.Log.WithName("controllers").WithName("agentendpoint"),
-		Scheme:       mgr.GetScheme(),
-		Recorder:     mgr.GetEventRecorderFor("agentendpoint-controller"),
-		TunnelDriver: td,
+		Client:                     mgr.GetClient(),
+		Log:                        ctrl.Log.WithName("controllers").WithName("agentendpoint"),
+		Scheme:                     mgr.GetScheme(),
+		Recorder:                   mgr.GetEventRecorderFor("agentendpoint-controller"),
+		TunnelDriver:               td,
+		DefaultDomainReclaimPolicy: defaultDomainReclaimPolicy,
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "AgentEndpoint")
 		os.Exit(1)

@@ -130,6 +130,8 @@
 	ngrokAPIKey string
 
 	region string
+
+	defaultDomainReclaimPolicy string
 }
 
 func apiCmd() *cobra.Command {
@@ -167,6 +169,7 @@
 	c.Flags().StringVar(&opts.bindings.serviceAnnotations, "bindings-service-annotations", "", "Service Annotations to propagate to the target service")
 	c.Flags().StringVar(&opts.bindings.serviceLabels, "bindings-service-labels", "", "Service Labels to propagate to the target service")
 	c.Flags().StringVar(&opts.bindings.ingressEndpoint, "bindings-ingress-endpoint", "", "The endpoint the bindings forwarder connects to")
+	c.Flags().StringVar(&opts.defaultDomainReclaimPolicy, "default-domain-reclaim-policy", string(ingressv1alpha1.DomainReclaimPolicyDelete), "The default domain reclaim policy to apply to created domains")
 
 	opts.zapOpts = &zap.Options{}
 	goFlagSet := flag.NewFlagSet("manager", flag.ContinueOnError)
@@ -309,6 +312,11 @@
 
 // runNormalMode runs the operator in normal operation mode
 func runNormalMode(ctx context.Context, opts apiManagerOpts, k8sClient client.Client, mgr ctrl.Manager, tcpRouteCRDInstalled, tlsRouteCRDInstalled bool) error {
+	defaultDomainReclaimPolicy, err := validateDomainReclaimPolicy(opts.defaultDomainReclaimPolicy)
+	if err != nil {
+		return err
+	}
+
 	ngrokClientset, err := loadNgrokClientset(ctx, opts)
 	if err != nil {
 		return fmt.Errorf("Unable to load ngrokClientSet: %w", err)
@@ -324,7 +332,7 @@
 	var k8sResourceDriver *managerdriver.Driver
 	if opts.enableFeatureIngress || opts.enableFeatureGateway {
 		// we only need a driver if these features are enabled
-		k8sResourceDriver, err = getK8sResourceDriver(ctx, mgr, opts, tcpRouteCRDInstalled, tlsRouteCRDInstalled)
+		k8sResourceDriver, err = getK8sResourceDriver(ctx, mgr, opts, tcpRouteCRDInstalled, tlsRouteCRDInstalled, *defaultDomainReclaimPolicy)
 		if err != nil {
 			return fmt.Errorf("unable to create Driver: %w", err)
 		}
@@ -340,7 +348,7 @@
 
 	if opts.enableFeatureIngress {
 		setupLog.Info("Ingress feature set enabled")
-		if err := enableIngressFeatureSet(ctx, opts, mgr, k8sResourceDriver, ngrokClientset); err != nil {
+		if err := enableIngressFeatureSet(ctx, opts, mgr, k8sResourceDriver, ngrokClientset, *defaultDomainReclaimPolicy); err != nil {
 			return fmt.Errorf("unable to enable Ingress feature set: %w", err)
 		}
 	} else {
@@ -470,13 +478,14 @@
 }
 
 // getK8sResourceDriver returns a new Driver instance that is seeded with the current state of the cluster.
-func getK8sResourceDriver(ctx context.Context, mgr manager.Manager, options apiManagerOpts, tcpRouteCRDInstalled, tlsRouteCRDInstalled bool) (*managerdriver.Driver, error) {
+func getK8sResourceDriver(ctx context.Context, mgr manager.Manager, options apiManagerOpts, tcpRouteCRDInstalled, tlsRouteCRDInstalled bool, defaultDomainReclaimPolicy ingressv1alpha1.DomainReclaimPolicy) (*managerdriver.Driver, error) {
 	logger := mgr.GetLogger().WithName("cache-store-driver")
 
 	driverOpts := []managerdriver.DriverOpt{
 		managerdriver.WithGatewayEnabled(options.enableFeatureGateway),
 		managerdriver.WithClusterDomain(options.clusterDomain),
 		managerdriver.WithDisableGatewayReferenceGrants(options.disableGatewayReferenceGrants),
+		managerdriver.WithDefaultDomainReclaimPolicy(defaultDomainReclaimPolicy),
 	}
 
 	if tcpRouteCRDInstalled {
@@ -515,7 +524,7 @@
 }
 
 // enableIngressFeatureSet enables the Ingress feature set for the operator
-func enableIngressFeatureSet(_ context.Context, opts apiManagerOpts, mgr ctrl.Manager, driver *managerdriver.Driver, ngrokClientset ngrokapi.Clientset) error {
+func enableIngressFeatureSet(_ context.Context, opts apiManagerOpts, mgr ctrl.Manager, driver *managerdriver.Driver, ngrokClientset ngrokapi.Clientset, defaultDomainReclaimPolicy ingressv1alpha1.DomainReclaimPolicy) error {
 	if err := (&ingresscontroller.IngressReconciler{
 		Client:               mgr.GetClient(),
 		Log:                  ctrl.Log.WithName("controllers").WithName("ingress"),
@@ -623,11 +632,12 @@
 	}
 
 	if err := (&ngrokcontroller.CloudEndpointReconciler{
-		Client:         mgr.GetClient(),
-		Log:            ctrl.Log.WithName("controllers").WithName("cloud-endpoint"),
-		Scheme:         mgr.GetScheme(),
-		Recorder:       mgr.GetEventRecorderFor("cloud-endpoint-controller"),
-		NgrokClientset: ngrokClientset,
+		Client:                     mgr.GetClient(),
+		Log:                        ctrl.Log.WithName("controllers").WithName("cloud-endpoint"),
+		Scheme:                     mgr.GetScheme(),
+		Recorder:                   mgr.GetEventRecorderFor("cloud-endpoint-controller"),
+		NgrokClientset:             ngrokClientset,
+		DefaultDomainReclaimPolicy: ptr.To(defaultDomainReclaimPolicy),
 	}).SetupWithManager(mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "CloudEndpoint")
 		os.Exit(1)

@@ -0,0 +1,25 @@
+package cmd
+
+import (
+	"fmt"
+
+	ingressv1alpha1 "github.com/ngrok/ngrok-operator/api/ingress/v1alpha1"
+	"k8s.io/utils/ptr"
+)
+
+func validateDomainReclaimPolicy(policy string) (*ingressv1alpha1.DomainReclaimPolicy, error) {
+	switch policy {
+	case string(ingressv1alpha1.DomainReclaimPolicyDelete):
+		return ptr.To(ingressv1alpha1.DomainReclaimPolicyDelete), nil
+	case string(ingressv1alpha1.DomainReclaimPolicyRetain):
+		return ptr.To(ingressv1alpha1.DomainReclaimPolicyRetain), nil
+	default:
+		return nil, fmt.Errorf("invalid default domain reclaim policy: %s. Allowed Values are: %v",
+			policy,
+			[]ingressv1alpha1.DomainReclaimPolicy{
+				ingressv1alpha1.DomainReclaimPolicyDelete,
+				ingressv1alpha1.DomainReclaimPolicyRetain,
+			},
+		)
+	}
+}
@@ -70,31 +70,32 @@ To uninstall the chart:
 
 ### Operator Manager parameters
 
-| Name                                 | Description                                                                               | Value   |
-| ------------------------------------ | ----------------------------------------------------------------------------------------- | ------- |
-| `replicaCount`                       | The number of controllers to run.                                                         | `1`     |
-| `affinity`                           | Affinity for the controller pod assignment                                                | `{}`    |
-| `podAffinityPreset`                  | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`       | `""`    |
-| `podAntiAffinityPreset`              | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`  | `soft`  |
-| `nodeAffinityPreset.type`            | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard` | `""`    |
-| `nodeAffinityPreset.key`             | Node label key to match. Ignored if `affinity` is set.                                    | `""`    |
-| `nodeAffinityPreset.values`          | Node label values to match. Ignored if `affinity` is set.                                 | `[]`    |
-| `nodeSelector`                       | Node labels for manager pod(s)                                                            | `{}`    |
-| `tolerations`                        | Tolerations for manager pod(s)                                                            | `[]`    |
-| `topologySpreadConstraints`          | Topology Spread Constraints for manager pod(s)                                            | `[]`    |
-| `priorityClassName`                  | Priority class for pod scheduling                                                         | `""`    |
-| `lifecycle`                          | an object containing lifecycle configuration                                              | `{}`    |
-| `podDisruptionBudget.create`         | Enable a Pod Disruption Budget creation                                                   | `false` |
-| `podDisruptionBudget.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable                            | `""`    |
-| `podDisruptionBudget.minAvailable`   | Minimum number/percentage of pods that should remain scheduled                            | `""`    |
-| `resources.limits`                   | The resources limits for the container                                                    | `{}`    |
-| `resources.requests`                 | The requested resources for the container                                                 | `{}`    |
-| `extraVolumes`                       | An array of extra volumes to add to the controller.                                       | `[]`    |
-| `extraVolumeMounts`                  | An array of extra volume mounts to add to the controller.                                 | `[]`    |
-| `extraEnv`                           | an object of extra environment variables to add to the controller.                        | `{}`    |
-| `serviceAccount.create`              | Specifies whether a ServiceAccount should be created                                      | `true`  |
-| `serviceAccount.name`                | The name of the ServiceAccount to use.                                                    | `""`    |
-| `serviceAccount.annotations`         | Additional annotations to add to the ServiceAccount                                       | `{}`    |
+| Name                                 | Description                                                                                                                                    | Value    |
+| ------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------- | -------- |
+| `replicaCount`                       | The number of controllers to run.                                                                                                              | `1`      |
+| `affinity`                           | Affinity for the controller pod assignment                                                                                                     | `{}`     |
+| `podAffinityPreset`                  | Pod affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`                                                            | `""`     |
+| `podAntiAffinityPreset`              | Pod anti-affinity preset. Ignored if `affinity` is set. Allowed values: `soft` or `hard`                                                       | `soft`   |
+| `nodeAffinityPreset.type`            | Node affinity preset type. Ignored if `affinity` is set. Allowed values: `soft` or `hard`                                                      | `""`     |
+| `nodeAffinityPreset.key`             | Node label key to match. Ignored if `affinity` is set.                                                                                         | `""`     |
+| `nodeAffinityPreset.values`          | Node label values to match. Ignored if `affinity` is set.                                                                                      | `[]`     |
+| `nodeSelector`                       | Node labels for manager pod(s)                                                                                                                 | `{}`     |
+| `tolerations`                        | Tolerations for manager pod(s)                                                                                                                 | `[]`     |
+| `topologySpreadConstraints`          | Topology Spread Constraints for manager pod(s)                                                                                                 | `[]`     |
+| `priorityClassName`                  | Priority class for pod scheduling                                                                                                              | `""`     |
+| `lifecycle`                          | an object containing lifecycle configuration                                                                                                   | `{}`     |
+| `podDisruptionBudget.create`         | Enable a Pod Disruption Budget creation                                                                                                        | `false`  |
+| `podDisruptionBudget.maxUnavailable` | Maximum number/percentage of pods that may be made unavailable                                                                                 | `""`     |
+| `podDisruptionBudget.minAvailable`   | Minimum number/percentage of pods that should remain scheduled                                                                                 | `""`     |
+| `resources.limits`                   | The resources limits for the container                                                                                                         | `{}`     |
+| `resources.requests`                 | The requested resources for the container                                                                                                      | `{}`     |
+| `extraVolumes`                       | An array of extra volumes to add to the controller.                                                                                            | `[]`     |
+| `extraVolumeMounts`                  | An array of extra volume mounts to add to the controller.                                                                                      | `[]`     |
+| `extraEnv`                           | an object of extra environment variables to add to the controller.                                                                             | `{}`     |
+| `serviceAccount.create`              | Specifies whether a ServiceAccount should be created                                                                                           | `true`   |
+| `serviceAccount.name`                | The name of the ServiceAccount to use.                                                                                                         | `""`     |
+| `serviceAccount.annotations`         | Additional annotations to add to the ServiceAccount                                                                                            | `{}`     |
+| `defaultDomainReclaimPolicy`         | The default domain reclaim policy to use for domains created by the operator. Valid values are "Delete" and "Retain". The default is "Delete". | `Delete` |
 
 ### Logging configuration
 

@@ -91,6 +91,7 @@ spec:
         - --health-probe-bind-address=:8081
         - --metrics-bind-address=:8080
         - --manager-name={{ include "ngrok-operator.fullname" . }}-agent-manager
+        - --default-domain-reclaim-policy={{ .Values.defaultDomainReclaimPolicy }}
         securityContext:
           allowPrivilegeEscalation: false
         env:

@@ -72,6 +72,7 @@ spec:
         args:
         - api-manager
         - --release-name={{ .Release.Name }}
+        - --default-domain-reclaim-policy={{ .Values.defaultDomainReclaimPolicy }}
         {{- include "ngrok-operator.manager.cliFeatureFlags" . | nindent 8 }}
         {{- if .Values.oneClickDemoMode }}
         - --one-click-demo-mode

@@ -90,3 +90,11 @@ tests:
   - equal:
       path: spec.template.spec.containers[0].resources
       value: *resources
+- it: Should set the default domain reclaim policy arg
+  set:
+    defaultDomainReclaimPolicy: "Retain"
+  template: agent/deployment.yaml
+  asserts:
+  - contains:
+      path: spec.template.spec.containers[0].args
+      content: --default-domain-reclaim-policy=Retain
@@ -277,6 +277,15 @@ tests:
   - contains:
       path: spec.template.spec.containers[0].args
       content: --zap-stacktrace-level=error
+- it: Should set the default domain reclaim policy arg
+  set:
+    defaultDomainReclaimPolicy: "Retain"
+  template: controller-deployment.yaml
+  documentIndex: 0 # Document 0 is the deployment since its the first template
+  asserts:
+  - contains:
+      path: spec.template.spec.containers[0].args
+      content: --default-domain-reclaim-policy=Retain
 - it: Defaults to having "soft" pod anti-affinity
   template: controller-deployment.yaml
   documentIndex: 0 # Document 0 is the deployment since its the first template