first commit

templates/pre-upgrade-hook.yaml

@@ -0,0 +1,229 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: pre-upgrade-check-sa
+  annotations:
+    # hook will be executed before helm upgrade
+    "helm.sh/hook": pre-upgrade,pre-rollback
+    # don't cleanup the job on hook failure
+    "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded
+    # hook with lower weight value will run firstly
+    "helm.sh/hook-weight": "0"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: pre-upgrade-check-cluster-role
+  annotations:
+    # hook will be executed before helm upgrade
+    "helm.sh/hook": pre-upgrade,pre-rollback
+    # don't cleanup the job on hook failure
+    "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded
+    # hook with lower weight value will run firstly
+    "helm.sh/hook-weight": "0"
+rules:
+  - apiGroups:
+      - amd.com
+    resources:
+      - deviceconfigs
+    verbs:
+      - list
+      - get
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: pre-upgrade-check-cluster-role-binding
+  annotations:
+    # hook will be executed before helm upgrade
+    "helm.sh/hook": pre-upgrade,pre-rollback
+    # don't cleanup the job on hook failure
+    "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded
+    # hook with lower weight value will run firstly
+    "helm.sh/hook-weight": "1"
+subjects:
+  - kind: ServiceAccount
+    name: pre-upgrade-check-sa
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: pre-upgrade-check-cluster-role
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: pre-upgrade-check
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "helm-charts-k8s.labels" . | nindent 4 }}
+  annotations:
+    # hook will be executed before helm upgrade
+    "helm.sh/hook": pre-upgrade,pre-rollback
+    # don't cleanup the job on hook failure
+    "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded
+    # hook with lower weight value will run firstly
+    "helm.sh/hook-weight": "2"
+spec:
+  backoffLimit: 0 # once the job finished first run, don't retry to create another pod
+  ttlSecondsAfterFinished: 60 # job info will be kept for 1 min then deleted
+  template:
+    spec:
+      serviceAccountName: pre-upgrade-check-sa
+      containers:
+        - name: pre-upgrade-check
+          image: {{ .Values.controllerManager.manager.image.repository }}:{{ .Values.controllerManager.manager.image.tag }}
+          command:
+            - /bin/sh
+            - -c
+            - |
+              # Ignore the lack of CRDs, probably haven't actually been installed yet
+              # this provides idempotentcy when "things" don't understand the difference between
+              # install and upgrade. E.g. Argo turns pre-upgrade hook into its PreSync hook
+              installed=$(kubectl api-resources -owide | grep -i amd.com | grep -i deviceconfig)
+              if [ -z ${installed} ] ; then
+                exit 0
+              fi
+
+              # List all DeviceConfig CRs
+              deviceconfigs=$(kubectl get deviceconfigs -n {{ .Release.Namespace }} -o json)
+
+              echo "DeviceConfigs JSON:"
+              echo "$deviceconfigs" | jq .
+
+              # Check if any UpgradeState is in the blocked states
+              blocked_states='["Upgrade-Not-Started", "Upgrade-Started", "Install-In-Progress", "Upgrade-In-Progress"]'
+              if echo "$deviceconfigs" | jq --argjson blocked_states "$blocked_states" -e '
+                  .items[] |
+                  .status.nodeModuleStatus // {} |
+                  to_entries |
+                  any(.value.status as $state | ($blocked_states | index($state)))' > /dev/null; then
+                echo "Upgrade blocked: Some DeviceConfigs are in a disallowed UpgradeState."
+                exit 1
+              else
+                echo "All DeviceConfigs are in an allowed state. Proceeding with upgrade."
+                exit 0
+              fi
+      {{- if .Values.controllerManager.manager.imagePullSecrets }}
+      imagePullSecrets:
+      - name: {{ .Values.controllerManager.manager.imagePullSecrets }}
+      {{- end }}
+      {{- with .Values.controllerManager.manager.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.controllerManager.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      restartPolicy: Never
+{{- if .Values.upgradeCRD }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: upgrade-crd-hook-sa
+  annotations:
+    # hook will be executed before helm upgrade
+    "helm.sh/hook": pre-upgrade,pre-rollback
+    # don't cleanup the job on hook failure
+    "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded
+    # hook with lower weight value will run firstly
+    "helm.sh/hook-weight": "1"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: upgrade-crd-hook-cluster-role
+  annotations:
+    # hook will be executed before helm upgrade
+    "helm.sh/hook": pre-upgrade,pre-rollback
+    # don't cleanup the job on hook failure
+    "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded
+    # hook with lower weight value will run firstly
+    "helm.sh/hook-weight": "1"
+rules:
+  - apiGroups:
+      - apiextensions.k8s.io
+    resources:
+      - customresourcedefinitions
+    verbs:
+      - create
+      - get
+      - list
+      - watch
+      - patch
+      - update
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: upgrade-crd-hook-cluster-role-binding
+  annotations:
+    # hook will be executed before helm upgrade
+    "helm.sh/hook": pre-upgrade,pre-rollback
+    # don't cleanup the job on hook failure
+    "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded
+    # hook with lower weight value will run firstly
+    "helm.sh/hook-weight": "2"
+subjects:
+  - kind: ServiceAccount
+    name: upgrade-crd-hook-sa
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: upgrade-crd-hook-cluster-role
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: upgrade-crd
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "helm-charts-k8s.labels" . | nindent 4 }}
+  annotations:
+    # hook will be executed before helm upgrade
+    "helm.sh/hook": pre-upgrade,pre-rollback
+    # don't cleanup the job on hook failure
+    "helm.sh/hook-delete-policy": before-hook-creation, hook-succeeded
+    # hook with lower weight value will run firstly
+    "helm.sh/hook-weight": "3"
+spec:
+  template:
+    metadata:
+      name: upgrade-crd
+    spec:
+      serviceAccountName: upgrade-crd-hook-sa
+      {{- if .Values.controllerManager.manager.imagePullSecrets }}
+      imagePullSecrets:
+      - name: {{ .Values.controllerManager.manager.imagePullSecrets }}
+      {{- end }}
+      {{- with .Values.controllerManager.manager.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.controllerManager.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: upgrade-crd
+          image: {{ .Values.controllerManager.manager.image.repository }}:{{ .Values.controllerManager.manager.image.tag }}
+          imagePullPolicy: {{ .Values.controllerManager.manager.imagePullPolicy }}
+          command:
+          - /bin/sh
+          - -c
+          - |
+            kubectl apply -f /opt/helm-charts-crds-k8s/deviceconfig-crd.yaml
+            {{- if index .Values "node-feature-discovery" "enabled" }}
+            kubectl apply -f /opt/helm-charts-crds-k8s/nfd-api-crds.yaml
+            {{- end }}
+            {{- if .Values.kmm.enabled }}
+            kubectl apply -f /opt/helm-charts-crds-k8s/module-crd.yaml
+            kubectl apply -f /opt/helm-charts-crds-k8s/nodemodulesconfig-crd.yaml
+            {{- end }}
+      restartPolicy: OnFailure
+{{- end }}
+# Run helm upgrade with --no-hooks to bypass the pre-upgrade hook