Use a job to create the helm hooks pod

Author: cognifloyd

templates/hooks/job_packs-volumes.yaml

@@ -1,97 +1,106 @@
 {{- if $.Values.st2.packs.volumes.enabled }}
 ---
-apiVersion: v1
-kind: Pod
+apiVersion: batch/v1
+kind: Job
 metadata:
   name: {{ $.Release.Name }}-st2canary-packs-volumes-validation
   labels: {{- include "stackstorm-ha.labels" (list $ "st2canary") | nindent 4 }}
   annotations:
-    "helm.sh/hook": pre-install,pre-upgrade,pre-rollback
-    "helm.sh/hook-weight": -5 # fairly high priority
-    "helm.sh/hook-delete-policy": hook-succeeded
+    helm.sh/hook: pre-install, pre-upgrade, pre-rollback
+    helm.sh/hook-weight: "-5" # fairly high priority
+    helm.sh/hook-delete-policy: hook-succeeded
     {{- if $.Values.st2canary.annotations }}
       {{- toYaml $.Values.st2canary.annotations | nindent 4 }}
     {{- end }}
 spec:
-  imagePullSecrets:
-    {{- if $.Values.image.pullSecret }}
-    - name: {{ $.Values.image.pullSecret }}
-    {{- end }}
-  initContainers: []
-  containers:
-    - name: st2canary-packs-volumes-validation
-      image: '{{ template "stackstorm-ha.imageRepository" $ }}/st2actionrunner:{{ tpl $.Values.image.tag $ }}'
-      #image: busybox:1.28
-      imagePullPolicy: {{ $.Values.image.pullPolicy }}
-      {{- with $.Values.securityContext }}
-      securityContext: {{- toYaml . | nindent 8 }}
+  template:
+    metadata:
+      name: {{ $.Release.Name }}-st2canary-packs-volumes-validation
+      labels: {{- include "stackstorm-ha.labels" (list $ "st2canary") | nindent 8 }}
+      annotations:
+      {{- if $.Values.st2canary.annotations }}
+        {{- toYaml $.Values.st2canary.annotations | nindent 8 }}
       {{- end }}
-      # TODO: maybe use kubectl to assert the volumes have RWX mode
-      # If volume is a persistentVolumeClaim, then:
-      #   the PVC must only have ReadWriteMany in spec.accessModes
-      # If volume is something else, then validating through metadata is iffy.
-      #   azureFile, cephfs, csi, glusterfs, nfs, pvc, quobyte, need at least:
-      #     readOnly: false
-      #   ephemeral volumes could also work, ... but that config is even deeper.
-      command:
-        - 'sh'
-        - '-ec'
-        - |
-          echo Testing write permissions for packs volumes.
-          echo If this passes, the pod will automatically be deleted.
-          echo If this fails, inspect the pod for errors in kubernetes,
-          echo and then delete this st2canary pod manually.
-          echo
-          echo Testing write permissions on packs volume...
-          touch /opt/stackstorm/packs/.write-test
-          rm /opt/stackstorm/packs/.write-test
-          echo
-          echo Testing write permissions on virtualenvs volume...
-          touch /opt/stackstorm/virtualenvs/.write-test
-          rm /opt/stackstorm/virtualenvs/.write-test
-          echo
-          {{- if $.Values.st2.packs.volumes.configs }}
-          echo Testing write permissions on configs volume...
-          touch /opt/stackstorm/configs/.write-test
-          rm /opt/stackstorm/configs/.write-test
-          echo
-          {{- end }}
-          echo DONE
-      volumeMounts:
+    spec:
+      imagePullSecrets:
+        {{- if $.Values.image.pullSecret }}
+        - name: {{ $.Values.image.pullSecret }}
+        {{- end }}
+      initContainers: []
+      containers:
+      - name: st2canary-packs-volumes-validation
+        image: '{{ template "stackstorm-ha.imageRepository" $ }}/st2actionrunner:{{ tpl $.Values.image.tag $ }}'
+        #image: busybox:1.28
+        imagePullPolicy: {{ $.Values.image.pullPolicy }}
+        {{- with $.Values.securityContext }}
+        securityContext: {{- toYaml . | nindent 10 }}
+        {{- end }}
+        # TODO: maybe use kubectl to assert the volumes have RWX mode
+        # If volume is a persistentVolumeClaim, then:
+        #   the PVC must only have ReadWriteMany in spec.accessModes
+        # If volume is something else, then validating through metadata is iffy.
+        #   azureFile, cephfs, csi, glusterfs, nfs, pvc, quobyte, need at least:
+        #     readOnly: false
+        #   ephemeral volumes could also work, ... but that config is even deeper.
+        command:
+          - 'sh'
+          - '-ec'
+          - |
+            echo Testing write permissions for packs volumes.
+            echo If this passes, the pod will automatically be deleted.
+            echo If this fails, inspect the pod for errors in kubernetes,
+            echo and then delete this st2canary pod manually.
+            echo
+            echo Testing write permissions on packs volume...
+            touch /opt/stackstorm/packs/.write-test
+            rm /opt/stackstorm/packs/.write-test
+            echo
+            echo Testing write permissions on virtualenvs volume...
+            touch /opt/stackstorm/virtualenvs/.write-test
+            rm /opt/stackstorm/virtualenvs/.write-test
+            echo
+            {{- if $.Values.st2.packs.volumes.configs }}
+            echo Testing write permissions on configs volume...
+            touch /opt/stackstorm/configs/.write-test
+            rm /opt/stackstorm/configs/.write-test
+            echo
+            {{- end }}
+            echo DONE
+        volumeMounts:
         {{- include "stackstorm-ha.packs-volume-mounts" $ | nindent 8 }}
         {{/* do not include the pack-configs-volume-mount helper here */}}
         - name: st2-pack-configs-vol
           mountPath: /opt/stackstorm/configs/
           readOnly: false
-      resources:
-        {{- toYaml $.Values.st2canary.resources | nindent 8 }}
-  volumes:
-    {{- include "stackstorm-ha.packs-volumes" $ | nindent 4 }}
-    {{- if $.Values.st2.packs.volumes.configs }}
-      {{/* do not include the pack-configs-volume helper here */}}
-    - name: st2-pack-configs-vol
-      {{- toYaml $.Values.st2.packs.volumes.configs | nindent 6 }}
+        resources:
+          {{- toYaml $.Values.st2canary.resources | nindent 10 }}
+      volumes:
+        {{- include "stackstorm-ha.packs-volumes" $ | nindent 8 }}
+        {{- if $.Values.st2.packs.volumes.configs }}
+          {{/* do not include the pack-configs-volume helper here */}}
+        - name: st2-pack-configs-vol
+          {{- toYaml $.Values.st2.packs.volumes.configs | nindent 10 }}
+        {{- end }}
+        {{- range $.Values.st2canary.extra_volumes }}
+        - name: {{ required "Each volume must have a 'name' in st2canary.extra_volumes" .name }}
+          {{- tpl (required "Each volume must have a 'volume' definition in st2canary.extra_volumes" .volume | toYaml) $ | nindent 10 }}
+        {{- end }}
+    {{- if $.Values.dnsPolicy }}
+      dnsPolicy: {{ $.Values.dnsPolicy }}
+    {{- end }}
+    {{- with $.Values.dnsConfig }}
+      dnsConfig: {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with $.Values.podSecurityContext }}
+      securityContext: {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with $.Values.st2canary.nodeSelector }}
+      nodeSelector: {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with $.Values.st2canary.affinity }}
+      affinity: {{- toYaml . | nindent 8 }}
     {{- end }}
-    {{- range $.Values.st2canary.extra_volumes }}
-    - name: {{ required "Each volume must have a 'name' in st2canary.extra_volumes" .name }}
-      {{- tpl (required "Each volume must have a 'volume' definition in st2canary.extra_volumes" .volume | toYaml) $ | nindent 6 }}
+    {{- with $.Values.st2canary.tolerations }}
+      tolerations: {{- toYaml . | nindent 8 }}
     {{- end }}
-  {{- if $.Values.dnsPolicy }}
-  dnsPolicy: {{ $.Values.dnsPolicy }}
-  {{- end }}
-  {{- with $.Values.dnsConfig }}
-  dnsConfig: {{- toYaml . | nindent 4 }}
-  {{- end }}
-  {{- with $.Values.podSecurityContext }}
-  securityContext: {{- toYaml . | nindent 4 }}
-  {{- end }}
-  {{- with $.Values.st2canary.nodeSelector }}
-  nodeSelector: {{- toYaml . | nindent 4 }}
-  {{- end }}
-  {{- with $.Values.st2canary.affinity }}
-  affinity: {{- toYaml . | nindent 4 }}
-  {{- end }}
-  {{- with $.Values.st2canary.tolerations }}
-  tolerations: {{- toYaml . | nindent 4 }}
-  {{- end }}
 {{- end }}