cloudfoundry-incubator · manno · Feb 15, 2021 · Feb 12, 2021 · Feb 11, 2021 · Feb 15, 2021
diff --git a/deploy/helm/quarks/hooks/pre-upgrade/change-qsts-labels-v7.1.sh b/deploy/helm/quarks/hooks/pre-upgrade/change-qsts-labels-v7.1.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# # Changed Labels in quarks-operator v7.1.3
+#
+# The content of the `quarks.cloudfoundry.org/quarks-statefulset-name` label changed. It now containts the name of the quarks statefulset owning the statefulset and pod. The label is used to create `startup-ordinal` labels that are stable across pod restarts.
+#
+# A new label `quarks.cloudfoundry.org/statefulset-name` was added. It contains the name of the statefulset, which might include an optional zone suffix (e.g. `-z0`).
+# The label is used by the active passive controller to find all the pods of a statefulset.
+#
+# Code change: https://github.com/cloudfoundry-incubator/quarks-statefulset/blob/master/pkg/kube/controllers/quarksstatefulset/quarksstatefulset_reconciler.go#L247-L268
+
+
+# Update labels so active-passive works again, this needs to be done for all workload namespaces, but we only support single namespace mode here:
+if [ -n "$SINGLE_NAMESPACE" ]; then
+  for pod in $(kubectl get pods -n "$SINGLE_NAMESPACE" -o name -l quarks.cloudfoundry.org/deployment-name --ignore-not-found)
+  do
+      echo 1>&2 "POD $pod ..."
+
+      qsts_name=$(kubectl get -n "$SINGLE_NAMESPACE" "$pod" -o jsonpath="{.metadata.labels.quarks\.cloudfoundry\.org/quarks-statefulset-name}")
+      sts_name="$qsts_name"
+      qsts_name=$(echo "$qsts_name" | sed -e 's/-z[0-9]\+$//')
+
+      if test -z "${qsts_name}" ; then
+        echo 1>&2 "SKIP $pod: empty"
+        continue
+      fi
+
+      echo 1>&2 "PATCH names=$sts_name/$qsts_name"
+
+      kubectl label --overwrite -n "$SINGLE_NAMESPACE" "$pod" "quarks.cloudfoundry.org/statefulset-name=$sts_name"
+      kubectl label --overwrite -n "$SINGLE_NAMESPACE" "$pod" "quarks.cloudfoundry.org/quarks-statefulset-name=$qsts_name"
+  done
+fi
diff --git a/deploy/helm/quarks/hooks/pre-upgrade/removedm.sh b/deploy/helm/quarks/hooks/pre-upgrade/removedm.sh
diff --git a/deploy/helm/quarks/templates/hooks.yaml b/deploy/helm/quarks/templates/hooks.yaml
@@ -1,101 +1,6 @@
 # generate helm hooks from contents in the `hooks` folder
 {{ range $_, $hook := tuple "pre-delete" "pre-upgrade" }}
 ---
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: {{$hook}}-helm-hook
-  namespace: {{ $.Release.Namespace | quote }}
-  labels:
-    app.kubernetes.io/instance: {{ $.Release.Name | quote }}
-    app.kubernetes.io/managed-by: {{ $.Release.Service | quote }}
-  annotations:
-    "helm.sh/hook": {{$hook}}
-    "helm.sh/hook-weight": "-2"
-    "helm.sh/hook-delete-policy": before-hook-creation
----
-{{- if $.Values.global.rbac.create }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  annotations:
-    "helm.sh/hook": {{$hook}}
-    "helm.sh/hook-weight": "-2"
-    "helm.sh/hook-delete-policy": before-hook-creation
-  name: cf-operator-{{$hook}}-helm-hook
-rules:
-- apiGroups:
-  - admissionregistration.k8s.io
-  resources:
-  - mutatingwebhookconfigurations
-  verbs:
-  - delete
----
-{{- if $.Values.global.singleNamespace.create }}
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: {{$hook}}-helm-hook
-  namespace: {{ $.Values.global.singleNamespace.name | quote }}
-  annotations:
-    "helm.sh/hook": {{$hook}}
-    "helm.sh/hook-weight": "-2"
-    "helm.sh/hook-delete-policy": before-hook-creation
-rules:
-- apiGroups: [quarks.cloudfoundry.org]
-  resources: [quarksjobs]
-  resourceNames: [dm]
-  verbs: [delete]
----
-{{- end }}
-apiVersion: v1
-kind: List
-metadata:
-  annotations:
-    rbac.authorization.kubernetes.io/autoupdate: "true"
-    "helm.sh/hook": {{$hook}}
-    "helm.sh/hook-weight": "-2"
-    "helm.sh/hook-delete-policy": before-hook-creation
-items:
-  - apiVersion: rbac.authorization.k8s.io/v1
-    kind: ClusterRoleBinding
-    metadata:
-      name: {{$hook}}-helm-hook
-      annotations:
-        rbac.authorization.kubernetes.io/autoupdate: "true"
-        "helm.sh/hook": {{$hook}}
-        "helm.sh/hook-weight": "-2"
-        "helm.sh/hook-delete-policy": before-hook-creation
-    subjects:
-    - kind: ServiceAccount
-      name: {{$hook}}-helm-hook
-      namespace: {{ $.Release.Namespace }}
-    roleRef:
-      kind: ClusterRole
-      name: cf-operator-{{$hook}}-helm-hook
-      apiGroup: rbac.authorization.k8s.io
-  {{- if $.Values.global.singleNamespace.create }}
-  - apiVersion: rbac.authorization.k8s.io/v1
-    kind: RoleBinding
-    metadata:
-      name: {{$hook}}-helm-hook
-      namespace: {{ $.Values.global.singleNamespace.name | quote }}
-      annotations:
-        rbac.authorization.kubernetes.io/autoupdate: "true"
-        "helm.sh/hook": {{$hook}}
-        "helm.sh/hook-weight": "-2"
-        "helm.sh/hook-delete-policy": before-hook-creation
-    subjects:
-    - kind: ServiceAccount
-      name: {{$hook}}-helm-hook
-      namespace: {{ $.Release.Namespace }}
-    roleRef:
-      kind: Role
-      name: {{$hook}}-helm-hook
-      apiGroup: rbac.authorization.k8s.io
-  {{- end }}
-{{- end }}
----
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -130,11 +35,11 @@ spec:
         - name: SINGLE_NAMESPACE
           value: {{ $.Values.global.singleNamespace.name | quote }}
         {{- end }}
-        command: ["/bin/bash","-cex"]
-        args: 
+        command: ["/bin/bash","-cx"]
+        args:
         - |
-           for f in /hooks/*.sh; do 
-            bash "$f" -H || break
+           for f in /hooks/*.sh; do
+             bash "$f"
            done
         volumeMounts:
         - name: hooks
@@ -144,6 +49,7 @@ spec:
       - name: hooks
         configMap:
           name: {{$hook}}-hook-scripts
+
 ---
 {{- $path := printf "hooks/%s/*" $hook }}
 apiVersion: "v1"

diff --git a/deploy/helm/quarks/templates/role-hooks.yml b/deploy/helm/quarks/templates/role-hooks.yml
@@ -0,0 +1,99 @@
+{{- if $.Values.global.rbac.create }}
+# generate helm hooks from contents in the `hooks` folder
+{{ range $_, $hook := tuple "pre-delete" "pre-upgrade" }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    "helm.sh/hook": {{$hook}}
+    "helm.sh/hook-weight": "-2"
+    "helm.sh/hook-delete-policy": before-hook-creation
+  name: cf-operator-{{$hook}}-helm-hook
+rules:
+- apiGroups:
+  - admissionregistration.k8s.io
+  resources:
+  - mutatingwebhookconfigurations
+  verbs:
+  - delete
+
+# hooks only work in singleNamespace mode, this lists all required permissions
+# for running the scripts
+{{- if $.Values.global.singleNamespace.create }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{$hook}}-helm-hook
+  namespace: {{ $.Values.global.singleNamespace.name | quote }}
+  annotations:
+    "helm.sh/hook": {{$hook}}
+    "helm.sh/hook-weight": "-2"
+    "helm.sh/hook-delete-policy": before-hook-creation
+rules:
+- apiGroups: [quarks.cloudfoundry.org]
+  resources: [quarksjobs]
+  resourceNames: [dm]
+  verbs: [delete]
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - patch
+  - list
+{{- end }}
+
+---
+apiVersion: v1
+kind: List
+metadata:
+  annotations:
+    rbac.authorization.kubernetes.io/autoupdate: "true"
+    "helm.sh/hook": {{$hook}}
+    "helm.sh/hook-weight": "-2"
+    "helm.sh/hook-delete-policy": before-hook-creation
+items:
+  - apiVersion: rbac.authorization.k8s.io/v1
+    kind: ClusterRoleBinding
+    metadata:
+      name: {{$hook}}-helm-hook
+      annotations:
+        rbac.authorization.kubernetes.io/autoupdate: "true"
+        "helm.sh/hook": {{$hook}}
+        "helm.sh/hook-weight": "-2"
+        "helm.sh/hook-delete-policy": before-hook-creation
+    subjects:
+    - kind: ServiceAccount
+      name: {{$hook}}-helm-hook
+      namespace: {{ $.Release.Namespace }}
+    roleRef:
+      kind: ClusterRole
+      name: cf-operator-{{$hook}}-helm-hook
+      apiGroup: rbac.authorization.k8s.io
+
+  {{- if $.Values.global.singleNamespace.create }}
+  - apiVersion: rbac.authorization.k8s.io/v1
+    kind: RoleBinding
+    metadata:
+      name: {{$hook}}-helm-hook
+      namespace: {{ $.Values.global.singleNamespace.name | quote }}
+      annotations:
+        rbac.authorization.kubernetes.io/autoupdate: "true"
+        "helm.sh/hook": {{$hook}}
+        "helm.sh/hook-weight": "-2"
+        "helm.sh/hook-delete-policy": before-hook-creation
+    subjects:
+    - kind: ServiceAccount
+      name: {{$hook}}-helm-hook
+      namespace: {{ $.Release.Namespace }}
+    roleRef:
+      kind: Role
+      name: {{$hook}}-helm-hook
+      apiGroup: rbac.authorization.k8s.io
+  {{- end }}
+
+{{- end }}
+{{- end }}
diff --git a/deploy/helm/quarks/templates/service-account-hooks.yml b/deploy/helm/quarks/templates/service-account-hooks.yml
@@ -0,0 +1,16 @@
+# generate helm hooks from contents in the `hooks` folder
+{{ range $_, $hook := tuple "pre-delete" "pre-upgrade" }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{$hook}}-helm-hook
+  namespace: {{ $.Release.Namespace | quote }}
+  labels:
+    app.kubernetes.io/instance: {{ $.Release.Name | quote }}
+    app.kubernetes.io/managed-by: {{ $.Release.Service | quote }}
+  annotations:
+    "helm.sh/hook": {{$hook}}
+    "helm.sh/hook-weight": "-2"
+    "helm.sh/hook-delete-policy": before-hook-creation
+{{- end }}