Use a job to create the helm hooks pod

Author: cognifloyd

templates/hooks/job_packs-volumes.yaml

@@ -484,6 +484,116 @@ spec:
     {{- end }}
 
 {{- end }}
+{{- if $.Values.st2.packs.volumes.enabled }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ $.Release.Name }}-job-st2canary-for-writable-packs-volumes
+  labels: {{- include "stackstorm-ha.labels" (list $ "st2canary") | nindent 4 }}
+  annotations:
+    helm.sh/hook: pre-install, pre-upgrade, pre-rollback
+    helm.sh/hook-weight: "-5" # fairly high priority
+    helm.sh/hook-delete-policy: hook-succeeded
+  {{- if $.Values.st2canary.annotations }}
+    {{- toYaml $.Values.st2canary.annotations | nindent 4 }}
+  {{- end }}
+spec:
+  template:
+    metadata:
+      name: job-st2canary-for-writable-packs-volumes
+      labels: {{- include "stackstorm-ha.labels" (list $ "st2canary") | nindent 8 }}
+      annotations:
+      {{- if $.Values.st2canary.annotations }}
+        {{- toYaml $.Values.st2canary.annotations | nindent 8 }}
+      {{- end }}
+    spec:
+      imagePullSecrets:
+      {{- if $.Values.image.pullSecret }}
+      - name: {{ $.Values.image.pullSecret }}
+      {{- end }}
+      initContainers: []
+      containers:
+      - name: st2canary-for-writable-packs-volumes
+        image: '{{ template "stackstorm-ha.imageRepository" $ }}/st2actionrunner:{{ tpl $.Values.image.tag $ }}'
+        #image: busybox:1.28
+        imagePullPolicy: {{ $.Values.image.pullPolicy }}
+        {{- with $.Values.securityContext }}
+        securityContext: {{- toYaml . | nindent 10 }}
+        {{- end }}
+        # TODO: maybe use kubectl to assert the volumes have RWX mode
+        # If volume is a persistentVolumeClaim, then:
+        #   the PVC must only have ReadWriteMany in spec.accessModes
+        # If volume is something else, then validating through metadata is iffy.
+        #   azureFile, cephfs, csi, glusterfs, nfs, pvc, quobyte, need at least:
+        #     readOnly: false
+        #   ephemeral volumes could also work, ... but that config is even deeper.
+        command:
+          - 'sh'
+          - '-ec'
+          - |
+            echo Testing write permissions for packs volumes.
+            echo If this passes, the pod will automatically be deleted.
+            echo If this fails, inspect the pod for errors in kubernetes,
+            echo and then delete this st2canary pod manually.
+            echo
+            echo Testing write permissions on packs volume...
+            touch /opt/stackstorm/packs/.write-test
+            rm /opt/stackstorm/packs/.write-test
+            echo
+            echo Testing write permissions on virtualenvs volume...
+            touch /opt/stackstorm/virtualenvs/.write-test
+            rm /opt/stackstorm/virtualenvs/.write-test
+            echo
+            {{- if $.Values.st2.packs.volumes.configs }}
+            echo Testing write permissions on configs volume...
+            touch /opt/stackstorm/configs/.write-test
+            rm /opt/stackstorm/configs/.write-test
+            echo
+            {{- end }}
+            echo DONE
+        volumeMounts:
+        {{- include "stackstorm-ha.packs-volume-mounts" $ | nindent 8 }}
+        {{/* do not include the pack-configs-volume-mount helper here */}}
+        - name: st2-pack-configs-vol
+          mountPath: /opt/stackstorm/configs/
+          readOnly: false
+        {{- range $.Values.st2canary.extra_volumes }}
+        - name: {{ required "Each volume must have a 'name' in st2canary.extra_volumes" .name }}
+          {{- tpl (required "Each volume must have a 'mount' definition in st2canary.extra_volumes" .mount | toYaml) $ | nindent 10 }}
+        {{- end }}
+        resources:
+          {{- toYaml $.Values.st2canary.resources | nindent 10 }}
+      volumes:
+        {{- include "stackstorm-ha.packs-volumes" $ | nindent 8 }}
+        {{- if $.Values.st2.packs.volumes.configs }}
+          {{/* do not include the pack-configs-volume helper here */}}
+        - name: st2-pack-configs-vol
+          {{- toYaml $.Values.st2.packs.volumes.configs | nindent 10 }}
+        {{- end }}
+        {{- range $.Values.st2canary.extra_volumes }}
+        - name: {{ required "Each volume must have a 'name' in st2canary.extra_volumes" .name }}
+          {{- tpl (required "Each volume must have a 'volume' definition in st2canary.extra_volumes" .volume | toYaml) $ | nindent 10 }}
+        {{- end }}
+    {{- if $.Values.dnsPolicy }}
+      dnsPolicy: {{ $.Values.dnsPolicy }}
+    {{- end }}
+    {{- with $.Values.dnsConfig }}
+      dnsConfig: {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with $.Values.podSecurityContext }}
+      securityContext: {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with $.Values.st2canary.nodeSelector }}
+      nodeSelector: {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with $.Values.st2canary.affinity }}
+      affinity: {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with $.Values.st2canary.tolerations }}
+      tolerations: {{- toYaml . | nindent 8 }}
+    {{- end }}
+{{- end }}
 {{- range .Values.jobs.extra_hooks -}}
   {{- $name := print "extra-helm-hook" (include "stackstorm-ha.hyphenPrefix" (required "You must name each entry in jobs.extra_hooks." .name)) }}
   {{- if not ($.Values.jobs.skip | has $name) }}