Micah Nagel · 06751255 · 7b46e323 · b94854c0 · 67e75c36 · b4503b5f
--- a/chart/templates/init/volume-upgrade-job.yaml

+ 36

− 7
+++ b/chart/templates/init/volume-upgrade-job.yaml

+ 36

− 7
-{{- if and .Values.console.localVolumeUpgrade .Release.IsUpgrade }}
+{{- if and .Values.console.volumeUpgrade .Release.IsUpgrade }}
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
 @@ -7,7 +7,7 @@ metadata:
  annotations:
    "helm.sh/hook": pre-upgrade
    "helm.sh/hook-weight": "-2"
-    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
 spec:
  egress:
    - to:
 @@ -33,13 +33,13 @@ metadata:
  annotations:
    "helm.sh/hook": pre-upgrade
    "helm.sh/hook-weight": "-1"
-    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
 spec:
  template:
    metadata:
      name: {{ template "twistlock-console.name" . }}
      namespace: {{ .Release.Namespace }}
-      labels: {{- include "twistlock-console.selector" . | nindent 8 }}
+      labels:
        app.kubernetes.io/name: twistlock-volume-upgrade-job
      {{- if .Values.annotations }}
      annotations:
 @@ -50,6 +50,16 @@ spec:
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
+      affinity:
+        podAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchExpressions:
+              - key: name
+                operator: In
+                values:
+                - {{ template "twistlock-console.name" . }}
+            topologyKey: "kubernetes.io/hostname"
      restartPolicy: OnFailure
      serviceAccountName: volume-upgrade-svc-acct
      securityContext:
 @@ -67,9 +77,21 @@ spec:
          runAsGroup: 0
        command:
          - /bin/bash
-          - -xc
+          - -c
          - |
-            if ! id -u "twistlock" &>/dev/null; then kubectl scale --replicas=0 deployment/twistlock-console -n twistlock && while [[ $(kubectl get deployment twistlock-console -n twistlock -o jsonpath='{.status.readyReplicas}') -gt 0 ]]; do sleep 10; done && useradd -u 2674 twistlock && chown -R 2674:2674 /var/lib/twistlock /var/lib/twistlock-backup; fi
+            useradd -u 2674 twistlock
+            if [[ ! "$(stat --format '%U' /var/lib/twistlock)" == "twistlock" ]]; then
+              echo "Scaling down console deployment to prepare for permissions changes..."
+              kubectl scale --replicas=0 deployment/twistlock-console -n twistlock
+              while [[ $(kubectl get pod -l name="{{ template "twistlock-console.name" . }}" -n twistlock --output name | wc -l) -gt 0 ]]; do
+                sleep 10
+              done
+              echo "Updating PVC permissions to twistlock user ownership..."
+              chown -R 2674:2674 /var/lib/twistlock /var/lib/twistlock-backup
+              echo "Permissions update complete!"
+            else
+              echo "No permissions changes required."
+            fi
            {{- if .Values.istio.enabled }}
            until curl -fsI http://localhost:15021/healthz/ready; do
              echo "Waiting for Istio sidecar proxy..."
 @@ -79,6 +101,13 @@ spec:
            echo "Stopping the istio proxy..."
            curl -X POST http://localhost:15020/quitquitquit
            {{- end }}
+        resources:
+          requests:
+            cpu: 100m
+            memory: 256Mi
+          limits:
+            cpu: 100m
+            memory: 256Mi
        volumeMounts:
        - name: console-persistent-volume
          mountPath: "/var/lib/twistlock"
 @@ -90,4 +119,4 @@ spec:
      - name: console-persistent-volume
        persistentVolumeClaim:
          claimName: {{ template "twistlock-console.name" . }}
-{{- end }}
 \ No newline at end of file
+{{- end }}