diff --git a/CHANGELOG.md b/CHANGELOG.md index 934f12ac8bf3953bbc6fe90f56e57c58f38e883b..0b12c28bccdc75bafccaa11918cdaf31fc7788aa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,9 +3,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). --- -## [5.5.1-bb.6] - 2025-02-20 +## [5.5.1-bb.6] 2025-02-26 ### Changed +- Added pre-upgrade job to remove MinIO Tenant Pool prior to upgrade - Set `.Values.nginx.enabled` to `false` as this is deprecated in favor of `gateway` ## [5.5.1-bb.5] - 2025-02-14 diff --git a/README.md b/README.md index b855641232101a1c8249c16b2c57e81d9195d70a..bcc2bd43a8e3aebd99afee2fb2dc90e75ba30cc4 100644 --- a/README.md +++ b/README.md 
@@ -56,6 +56,15 @@ helm install mimir chart/
 | istio.enabled | bool | `false` | Toggle istio configuration |
 | istio.hardened | object | `{"alloy":{"enabled":true,"namespaces":["monitoring"],"principals":["cluster.local/ns/monitoring/sa/monitoring-alloy"]},"customAuthorizationPolicies":[],"customServiceEntries":[],"enabled":false,"grafana":{"enabled":true,"namespaces":["monitoring"],"principals":["cluster.local/ns/monitoring/sa/monitoring-grafana"]},"minio":{"enabled":true},"minioOperator":{"enabled":true,"namespaces":["minio-operator"],"principals":["cluster.local/ns/minio-operator/sa/minio-operator"]},"outboundTrafficPolicyMode":"REGISTRY_ONLY","prometheus":{"enabled":true,"namespaces":["monitoring"],"principals":["cluster.local/ns/monitoring/sa/monitoring-monitoring-kube-prometheus"]}}` | Default peer authentication values |
 | istio.mtls.mode | string | `"STRICT"` | STRICT = Allow only mutual TLS traffic, PERMISSIVE = Allow both plain text and mutual TLS traffic |
+| upgradeJob.enabled | bool | `true` | |
+| upgradeJob.name | string | `"mimir-upgrade-job"` | |
+| upgradeJob.image.repository | string | `"registry1.dso.mil/ironbank/big-bang/base"` | image repository for upgradeJob |
+| upgradeJob.image.tag | string | `"2.1.0"` | image tag for upgradeJob |
+| upgradeJob.image.imagePullPolicy | string | `"IfNotPresent"` | |
+| upgradeJob.image.pullSecrets | string | `"private-registry"` | |
+| upgradeJob.serviceAccount | string | `"upgrade-job-svc-account"` | |
+| upgradeJob.role | string | `"upgrade-role"` | |
+| upgradeJob.roleBinding | string | `"upgrade-rolebinding"` | |
 | bbtests.enabled | bool | `false` | |
 | bbtests.cypress.enabled | bool | `true` | |
 | bbtests.cypress.artifacts | bool | `true` | |
diff --git a/chart/templates/bigbang/upgrade/_helpers.tpl b/chart/templates/bigbang/upgrade/_helpers.tpl
new file mode 100644
index 0000000000000000000000000000000000000000..c97114d5270acf29e3bef2d33f303ae0c27afcc1
--- /dev/null
+++ b/chart/templates/bigbang/upgrade/_helpers.tpl
@@ -0,0 +1,13 @@
+{{- define "mimir.shouldDeployUpgradeResources" -}}
+{{/* Define upgradeVersion inside the template so it's available when the template is used */}}
+{{- $upgradeVersion := "5.5.1-bb.5" -}}
+{{- if and .Release.IsUpgrade (index .Values "minio-tenant" "enabled") .Values.upgradeJob.enabled -}}
+ {{- $helmRelease := lookup "helm.toolkit.fluxcd.io/v2" "HelmRelease" "bigbang" "mimir" -}}
+ {{- if $helmRelease -}}
+ {{- $currentVersion := index $helmRelease.status.history 0 "chartVersion" -}}
+ {{- if semverCompare (print "<" $upgradeVersion) $currentVersion -}}
+true
+ {{- end -}}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
\ No newline at end of file
diff --git a/chart/templates/bigbang/upgrade/job.yaml b/chart/templates/bigbang/upgrade/job.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..9392fa512d5204ad452758a9a452810931a62207
--- /dev/null
+++ b/chart/templates/bigbang/upgrade/job.yaml
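Review bot: `index $helmRelease.status.history 0 "chartVersion"` has no guard for an empty or absent `.status.history`, so a HelmRelease that exists but has no recorded history yet makes the whole chart render fail instead of merely skipping the job. I would fetch the history defensively and only compare when there is an entry: `{{- $history := dig "status" "history" (list) $helmRelease -}}`, `{{- if $history -}}`, `{{- $currentVersion := index $history 0 "chartVersion" -}}`, with a matching extra `{{- end -}}`. The `lookup` is also pinned to the HelmRelease `mimir` in namespace `bigbang`, so a release deployed under any other name or namespace silently never runs the cleanup, and `lookup` returns nothing under `helm template` or dry-run; a one-line comment stating both assumptions would help the next maintainer.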
@@ -0,0 +1,98 @@
+{{- if eq (include "mimir.shouldDeployUpgradeResources" .) "true" }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: {{ .Values.upgradeJob.name }}
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": pre-upgrade
+ "helm.sh/hook-weight": "0"
+ "helm.sh/hook-delete-policy": hook-succeeded,hook-failed,before-hook-creation
+spec:
+ template:
+ metadata:
+ spec:
+ automountServiceAccountToken: true
+ imagePullSecrets:
+ - name: {{ .Values.upgradeJob.image.pullSecrets }}
+ serviceAccountName: {{ .Values.upgradeJob.serviceAccount }}
+ containers:
+ - name: {{ .Values.upgradeJob.name }}
+ image: {{ .Values.upgradeJob.image.repository }}:{{ .Values.upgradeJob.image.tag }}
+ imagePullPolicy: {{ .Values.upgradeJob.image.imagePullPolicy }}
+ command:
+ - "/bin/bash"
+ - "-c"
+ - |
+ set -e # Exit on first error
+ trap 'echo "Error occurred at line $LINENO"; exit 1' ERR
+
+ # Step 1: Delete the tenant
+ echo "Deleting tenant 'mimir-mimir-minio-tenant' in namespace 'mimir'..."
+ kubectl delete tenant mimir-mimir-minio-tenant -n mimir || {
+ echo "Tenant deletion failed or was already deleted.";
+ exit 1;
+ }
+
+ # Step 2: Remove finalizers from all matching PVs
+ echo "Removing finalizers from Persistent Volumes..."
+
+ # Create an array to hold PV names that will be patched
+ pv_list=()
+
+ kubectl get pv -o json | jq -r '
+ .items[] |
+ select(.spec.claimRef.namespace=="mimir" and (.spec.claimRef.name | test("^data[0-9]-mimir-mimir-minio-tenant-pool-.*"))) |
+ .metadata.name' | while read -r pv; do
+ echo "Patching PV: $pv"
+ kubectl patch pv "$pv" --type=json -p '[{"op": "remove", "path": "/metadata/finalizers"}]' || {
+ echo "Failed to remove finalizer from PV: $pv";
+ exit 1;
+ }
+
+ # If patching is successful, add PV to the list for deletion later
+ pv_list+=("$pv")
+ done
+
+ # Step 3: Delete all matching PVs
+ echo "Deleting Persistent Volumes..."
+ for pv in "${pv_list[@]}"; do
+ echo "Deleting PV: $pv"
+ kubectl delete pv "$pv" || {
+ echo "Failed to delete PV: $pv";
+ exit 1;
+ }
+ done
+
+ # Step 4: Delete all PVCs that contain 'data*-mimir*' in their name
+ echo "Deleting Persistent Volume Claims (PVCs) that match 'data*-mimir*'..."
+
+ kubectl get pvc -n mimir -o json | jq -r '
+ .items[] |
+ select(.metadata.name | test("data.*-mimir.*")) |
+ .metadata.name' | while read -r pvc; do
+ echo "Deleting PVC: $pvc"
+ kubectl delete pvc "$pvc" -n mimir || {
+ echo "Failed to delete PVC: $pvc";
+ exit 1;
+ }
+ done
+
+ echo "MinIO Tenant Cleanup completed!"
+
+ resources:
+ requests:
+ cpu: 100m
+ memory: 256Mi
+ limits:
+ cpu: 100m
+ memory: 256Mi
+ securityContext:
+ capabilities:
+ drop: ["ALL"]
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ restartPolicy: Never
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/bigbang/upgrade/networkPolicy.yaml b/chart/templates/bigbang/upgrade/networkPolicy.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..30824449a7f2d2d213a44f9b372059c5bad2893a
--- /dev/null
+++ b/chart/templates/bigbang/upgrade/networkPolicy.yaml
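Review bot: In Step 2 the `while read -r pv` loop sits on the right-hand side of a pipeline and therefore runs in a subshell, so `pv_list+=("$pv")` never reaches the parent shell and Step 3 iterates over an empty array: finalizers are stripped but no PV is deleted, leaving Retain-policy volumes behind (the `exit 1` inside that loop likewise ends only the subshell, and without `set -o pipefail` a failing `kubectl get pv` is masked by `jq` succeeding on empty input). Collect the names with `mapfile` through process substitution and patch in a plain `for` loop, as below. Two further points: the namespace `mimir` and the tenant name are hard-coded while every other resource in this commit uses `{{ .Release.Namespace }}`, and the Step 1 `|| exit 1` makes the hook non-rerunnable — after a partial failure the tenant is already gone and the recreated job fails before it reaches the PV/PVC cleanup, which `kubectl delete tenant … -n mimir --ignore-not-found` would avoid. The PV verbs also require cluster-scoped RBAC, which the namespaced Role in this commit cannot grant.
```bash
set -e -o pipefail  # Exit on first error; a failed kubectl must not be hidden by jq
# … unchanged: trap, Step 1 …
# Step 2: collect matching PV names in the parent shell, then patch them
mapfile -t pv_list < <(kubectl get pv -o json | jq -r '
  .items[] |
  select(.spec.claimRef.namespace=="mimir" and (.spec.claimRef.name | test("^data[0-9]-mimir-mimir-minio-tenant-pool-.*"))) |
  .metadata.name')
for pv in "${pv_list[@]}"; do
  echo "Patching PV: $pv"
  kubectl patch pv "$pv" --type=json -p '[{"op": "remove", "path": "/metadata/finalizers"}]' || {
    echo "Failed to remove finalizer from PV: $pv";
    exit 1;
  }
done
# … unchanged: Step 3 (delete loop over pv_list), Step 4 …
```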
@@ -0,0 +1,28 @@
+{{- if eq (include "mimir.shouldDeployUpgradeResources" .) "true" }}
+ {{- if .Values.networkPolicies.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: api-egress-upgrade-job
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": pre-upgrade
+ "helm.sh/hook-weight": "-10"
+ "helm.sh/hook-delete-policy": hook-succeeded,hook-failed,before-hook-creation
+spec:
+ egress:
+ - to:
+ - ipBlock:
+ cidr: {{ .Values.networkPolicies.controlPlaneCidr }}
+ {{- if eq .Values.networkPolicies.controlPlaneCidr "0.0.0.0/0" }}
+ # ONLY Block requests to AWS metadata IP
+ except:
+ - 169.254.169.254/32
+ {{- end }}
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: {{ .Values.upgradeJob.name }}
+ policyTypes:
+ - Egress
+ {{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/bigbang/upgrade/role.yaml b/chart/templates/bigbang/upgrade/role.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..5c69cfb626c9de2aa628d500c60023844337609d
--- /dev/null
+++ b/chart/templates/bigbang/upgrade/role.yaml
@@ -0,0 +1,15 @@
+{{- if include "mimir.shouldDeployUpgradeResources" . }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ .Values.upgradeJob.role }}
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": pre-upgrade
+ "helm.sh/hook-weight": "-10"
+ "helm.sh/hook-delete-policy": hook-succeeded,hook-failed,before-hook-creation
+rules:
+- apiGroups: ["minio.min.io",""]
+ resources: ["tenants","persistentvolumeclaims","persistentvolumes"]
+ verbs: ["get", "list", "delete"]
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/bigbang/upgrade/roleBinding.yaml b/chart/templates/bigbang/upgrade/roleBinding.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..6b28782bf594553d59c2d73f34474723edf97119
--- /dev/null
+++ b/chart/templates/bigbang/upgrade/roleBinding.yaml
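Review bot: The `podSelector` matches `app.kubernetes.io/name: {{ .Values.upgradeJob.name }}`, but the Job's pod template in job.yaml in this same commit has an empty `metadata:` with no labels, so this NetworkPolicy selects no pod. Under a default-deny egress policy the upgrade job then cannot reach the API server and the cleanup fails; without one, the egress restriction this file intends simply never applies. Add the label to the pod template in job.yaml: `metadata:` / `  labels:` / `    app.kubernetes.io/name: {{ .Values.upgradeJob.name }}`.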
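Review bot: This Role is namespaced but PersistentVolumes are cluster-scoped, so the `kubectl get pv`, `kubectl patch pv` and `kubectl delete pv` calls in job.yaml are refused regardless of the `persistentvolumes` entry here, and the verb list also lacks `patch`, which the finalizer-removal step needs. Keep `tenants` and `persistentvolumeclaims` in this Role and move PV access to a ClusterRole plus a ClusterRoleBinding for the same ServiceAccount, as sketched below (the binding is not shown). The guard `{{- if include "mimir.shouldDeployUpgradeResources" . }}` works only because the helper emits an empty string otherwise, whereas job.yaml and networkPolicy.yaml test `eq (include …) "true"`; roleBinding.yaml and serviceAccount.yaml use the same bare form, and one form should be used in all five templates. Note also that the script passes `-n mimir` explicitly, so when `{{ .Release.Namespace }}` differs the namespaced rule will not cover it either.
```yaml
rules:
- apiGroups: ["minio.min.io"]
  resources: ["tenants"]
  verbs: ["get", "list", "delete"]
- apiGroups: [""]
  resources: ["persistentvolumeclaims"]
  verbs: ["get", "list", "delete"]
---
# PersistentVolumes are cluster-scoped; a namespaced Role cannot grant them
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: {{ .Values.upgradeJob.role }}-pv   # constructed name, adjust as needed
  # … same helm.sh/hook annotations as above …
rules:
- apiGroups: [""]
  resources: ["persistentvolumes"]
  verbs: ["get", "list", "patch", "delete"]
```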
@@ -0,0 +1,19 @@
+{{- if include "mimir.shouldDeployUpgradeResources" . }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ .Values.upgradeJob.roleBinding }}
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": pre-upgrade
+ "helm.sh/hook-weight": "-10"
+ "helm.sh/hook-delete-policy": hook-succeeded,hook-failed,before-hook-creation
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ .Values.upgradeJob.role }}
+subjects:
+- kind: ServiceAccount
+ name: {{ .Values.upgradeJob.serviceAccount }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
\ No newline at end of file
diff --git a/chart/templates/bigbang/upgrade/serviceAccount.yaml b/chart/templates/bigbang/upgrade/serviceAccount.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..e8b59370946eb22e8983688413c4b2c82a37491a
--- /dev/null
+++ b/chart/templates/bigbang/upgrade/serviceAccount.yaml
@@ -0,0 +1,11 @@
+{{- if include "mimir.shouldDeployUpgradeResources" . }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ .Values.upgradeJob.serviceAccount }}
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ "helm.sh/hook": pre-upgrade
+ "helm.sh/hook-weight": "-10"
+ "helm.sh/hook-delete-policy": hook-succeeded,hook-failed,before-hook-creation
+{{- end }}
\ No newline at end of file
diff --git a/chart/values.yaml b/chart/values.yaml
index 748ae099003838c370630e7bdb779a155553c157..2f61edab3407eeda516df37a1bb081ba501216f0 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -219,6 +219,20 @@ istio:
 # PERMISSIVE = Allow both plain text and mutual TLS traffic
 mode: STRICT
 
+upgradeJob:
+ enabled: true
+ name: mimir-upgrade-job
+ image:
+ # -- image repository for upgradeJob
+ repository: registry1.dso.mil/ironbank/big-bang/base
+ # -- image tag for upgradeJob
+ tag: 2.1.0
+ imagePullPolicy: IfNotPresent
+ pullSecrets: private-registry
+ serviceAccount: upgrade-job-svc-account
+ role: upgrade-role
+ roleBinding: upgrade-rolebinding
+
 bbtests:
 enabled: false
 cypress:
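Review bot: Only `repository` and `tag` carry `# --` helm-docs comments, which is why the README rows for `upgradeJob.enabled`, `name`, `pullSecrets`, `serviceAccount`, `role` and `roleBinding` are blank; since `enabled: true` by default switches on a job that deletes the MinIO Tenant together with its PVCs and PVs, `enabled` in particular deserves one, e.g. `# -- Run the pre-upgrade Job that deletes the MinIO Tenant and its data*-mimir* PVCs/PVs when upgrading from a chart version older than 5.5.1-bb.5`. `pullSecrets` is a single string although job.yaml renders it as the one entry of the `imagePullSecrets` list; either name it in the singular or accept a list and range over it in the template. `tag: 2.1.0` happens to parse as a string, but quoting it avoids surprises if a future tag looks numeric.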