MLE-14605: Changes to set permissions to mount paths for root to rootless upgrade (#257)

Co-authored-by: sumanthravipati <[email protected]>

Author: sumanthravipati

README.md

@@ -124,8 +124,8 @@ Following table lists all the parameters supported by the latest MarkLogic Helm
 | `image.pullPolicy`                                  | Image pull policy for MarkLogic image                                                                                                                                                  | `IfNotPresent`             |
 | `initContainers.configureGroup.image`               | Image for configureGroup InitContainer                                                                                                                                                 | `curlimages/curl:8.6.0`    |
 | `initContainers.configureGroup.pullPolicy`          | Pull policy for configureGroup InitContainer                                                                                                                                           | `IfNotPresent`             |
-| `initContainers.copyCerts.image`                    | Image for copyCerts InitContainer                                                                                                                                                      | `redhat/ubi9:9.3`          |
-| `initContainers.copyCerts.pullPolicy`               | Pull policy for copyCerts InitContainer                                                                                                                                                | `IfNotPresent`             |
+| `initContainers.utilContainer.image`                | Image for copyCerts and volume permission change for root to rootless upgrade InitContainer                                                                                                                                                      | `redhat/ubi9:9.3`          |
+| `initContainers.utilContainer.pullPolicy`           | Pull policy for copyCerts and volume permission change for root to rootless upgrade InitContainer                                                                                                                                                | `IfNotPresent`             |
 | `imagePullSecrets`                                  | Registry secret names as an array                                                                                                                                                      | `[]`                       |
 | `hugepages.enabled`                                 | Parameter to enable Hugepage on MarkLogic                                                                                                                                              | `false`                    |
 | `hugepages.mountPath`                               | Mountpath for Hugepages                                                                                                                                                                | `/dev/hugepages`           |

charts/templates/_helpers.tpl

@@ -210,6 +210,18 @@ Validate values file
 {{- end }}
 {{- end }}
 
+{{/*
+Validate root to rootless upgrade
+*/}}
+{{- define "marklogic.rootToRootlessUpgrade" -}}
+{{- if .Values.rootToRootlessUpgrade }}
+{{- if not (.Values.image.tag | contains "rootless") }}
+{{- $errorMessage := printf "%s" "Root to Rootless Upgrade is supported only if rootToRootlessUpgrade flag is true and image type is rootless."  }}
+{{- fail $errorMessage }}
+{{- end }}
+{{- end }}
+{{- end }}
+
 {{/*
 Name to distinguish marklogic image whether root or rootless
 */}}

charts/templates/configmap-scripts.yaml

@@ -828,5 +828,29 @@ data:
     fi
 
     info "helm script completed"
+
+root-rootless-upgrade.sh: |
+    #!/bin/bash
+    log () {
+      local TIMESTAMP=$(date +"%Y-%m-%d %T.%3N")
+      # Check to make sure pod doesn't terminate if PID value is empty for any reason
+      if [ -n "$pid" ]; then
+          echo "${TIMESTAMP} $@" > /proc/$pid/fd/1
+      fi
+    }
+    
+    pid=$(pgrep start.marklogic)
+
+    log "Info: [root-rootless-upgrade] Execution Start"
+
+    # Change the permission on default data directory
+    chown -R 1000:100 /var/opt/MarkLogic
+    log "Info: [root-rootless-upgrade] Data Directory Permission Update Completed"
+
+    # Logic to set permission for additional volume mounts
+    {{ range $_, $v := .Values.additionalVolumeMounts }}
+        chown -R 1000:100 {{ $v.mountPath }}
+        log "Info: [root-rootless-upgrade] Additional Mount Path Permission Update Completed: {{ $v.mountPath }}"
+    {{ end }}
       
 

charts/templates/statefulset.yaml

@@ -32,6 +32,7 @@
 
 {{- include "marklogic.checkUpgradeError" . -}}
 {{- include "marklogic.checkInputError" . }}
+{{- include "marklogic.rootToRootlessUpgrade" . }}
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
@@ -69,11 +70,11 @@ spec:
       topologySpreadConstraints: {{- toYaml . | nindent 6}}
       {{- end }}
       terminationGracePeriodSeconds: {{ .Values.terminationGracePeriod }}
-      {{- if eq .Values.tls.enableOnDefaultAppServers true }}
       initContainers: 
+      {{- if eq .Values.tls.enableOnDefaultAppServers true }}
       - name: copy-certs
-        image: {{ .Values.initContainers.copyCerts.image | quote }}
-        imagePullPolicy: {{ .Values.initContainers.copyCerts.pullPolicy | quote }}
+        image: {{ .Values.initContainers.utilContainer.image | quote }}
+        imagePullPolicy: {{ .Values.initContainers.utilContainer.pullPolicy | quote }}
         command: ["/bin/sh", "/tmp/helm-scripts/copy-certs.sh"]
         volumeMounts:
         {{- if .Values.tls.certSecretNames }}
@@ -102,6 +103,20 @@ spec:
         - configMapRef:
             name: {{ include "marklogic.fullname" . }}
       {{- end }}
+      {{- if eq .Values.rootToRootlessUpgrade true }}
+      - name: root-rootless-upgrade
+        image: {{ .Values.initContainers.utilContainer.image | quote }}
+        imagePullPolicy: {{ .Values.initContainers.utilContainer.pullPolicy | quote }}
+        command: ["/bin/sh", "/tmp/helm-scripts/root-rootless-upgrade.sh"]
+        volumeMounts:
+          - name: datadir
+            mountPath: /var/opt/MarkLogic
+          {{- if .Values.additionalVolumeMounts }}
+          {{- toYaml .Values.additionalVolumeMounts | nindent 10 }}
+          {{- end }}
+          - name: helm-scripts
+            mountPath: /tmp/helm-scripts
+      {{- end }}
       containers:
         - name: marklogic-server
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"

charts/values.yaml

@@ -39,6 +39,9 @@ group:
 ## The name of the host to join. If not provided, the deployment is a bootstrap host.
 bootstrapHostName: ""
 
+## Flag to enable to migrate from MarkLogic root to rootless image
+rootToRootlessUpgrade: false
+
 ## Marklogic image parameters
 image:
   repository: marklogicdb/marklogic-db
@@ -50,7 +53,7 @@ initContainers:
   configureGroup:
     image: "curlimages/curl:8.6.0"
     pullPolicy: IfNotPresent
-  copyCerts:
+  utilContainer:
     image: "redhat/ubi9:9.3"
     pullPolicy: IfNotPresent