From cdacbc6c0c1309e3b5a34a2c50c3b4b86e37bdfd Mon Sep 17 00:00:00 2001
From: Roland Schlaefli
Date: Mon, 29 Jun 2026 22:03:36 +0200
Subject: [PATCH] fix(codeapi-chart): make package PVC argo-safe
---
 helm/codeapi/templates/package-init-job.yaml | 10 +++++-----
 helm/codeapi/templates/pvc.yaml | 12 +++++-------
 helm/codeapi/values.yaml | 3 +--
 3 files changed, 11 insertions(+), 14 deletions(-)
diff --git a/helm/codeapi/templates/package-init-job.yaml b/helm/codeapi/templates/package-init-job.yaml
index ad7d2a6..e0574b8 100644
--- a/helm/codeapi/templates/package-init-job.yaml
+++ b/helm/codeapi/templates/package-init-job.yaml
@@ -1,7 +1,7 @@
 {{/*
 Package Init Job
-Runs as a Helm pre-install/pre-upgrade hook to populate the packages PVC
-with Python, Node, Bun, and Bash runtimes for the NsJail sandbox.
+Runs before deployments in Argo CD syncs to populate the packages PVC with
+Python, Node, Bun, and Bash runtimes for the NsJail sandbox.
 */}}
 {{- if and .Values.workerSandbox.enabled .Values.workerSandbox.packages.initJob.enabled }}
 {{- $packageInitNodeSelector := .Values.workerSandbox.sandboxRunner.nodeSelector }}
@@ -21,9 +21,9 @@ metadata:
 {{- include "codeapi.labels" . | nindent 4 }}
 app.kubernetes.io/component: package-init
 annotations:
- "helm.sh/hook": pre-install,pre-upgrade
- "helm.sh/hook-weight": "-5"
- "helm.sh/hook-delete-policy": before-hook-creation
+ "argocd.argoproj.io/hook": Sync
+ "argocd.argoproj.io/sync-wave": "-5"
+ "argocd.argoproj.io/hook-delete-policy": BeforeHookCreation,HookSucceeded
 spec:
 backoffLimit: {{ .Values.workerSandbox.packages.initJob.backoffLimit }}
 {{- if .Values.workerSandbox.packages.initJob.ttlSecondsAfterFinished }}
diff --git a/helm/codeapi/templates/pvc.yaml b/helm/codeapi/templates/pvc.yaml
index 1ef46b4..570c924 100644
--- a/helm/codeapi/templates/pvc.yaml
+++ b/helm/codeapi/templates/pvc.yaml
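Review bot: In package-init-job.yaml's annotations hunk, replacing the three `helm.sh/hook*` annotations outright leaves the Job with no ordering under a plain `helm install` or `helm upgrade`: it becomes an ordinary release resource created alongside the worker Deployments, so unless the workers wait on it in some way not shown here, they can mount the packages volume while the runtimes NsJail executes are still being written. A Job's pod template is also immutable, so a later `helm upgrade` that changes it is likely to be rejected unless the previous Job has already been removed by its TTL. If the chart is still meant to be installable without Argo CD, gate the two annotation sets on a chart value and keep `"helm.sh/hook": pre-install,pre-upgrade` in the non-Argo branch; if it is Argo-only from now on, say so in the template's header comment. The Job spec continues outside the hunk, so how the init script and the workers behave on a partially populated volume is not visible here.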
@@ -8,7 +8,8 @@ NOTE on access modes: Requires storage class that supports RWX (NFS, EFS, Azure Files, GlusterFS, etc.) If using the initJob to populate packages: -- The PVC is created as a Helm hook (pre-install) so it exists before the init job runs +- The PVC is created as a normal retained resource so Argo CD never deletes it + as a hook during upgrades - The init job writes packages to the PVC - Worker pods then mount the PVC (read-only at container level) */}} @@ -22,14 +23,11 @@ metadata: name: {{ include "codeapi.fullname" . }}-packages labels: {{- include "codeapi.labels" . | nindent 4 }} - {{- if .Values.workerSandbox.packages.initJob.enabled }} annotations: - # Create PVC before the init job runs (lower weight = runs first) - "helm.sh/hook": pre-install,pre-upgrade - "helm.sh/hook-weight": "-10" - # Keep the PVC across upgrades (don't delete) + # Create PVC before the init job runs in Argo CD syncs. + "argocd.argoproj.io/sync-wave": "-10" + # Keep the PVC across app deletion/prune events. "helm.sh/resource-policy": keep - {{- end }} spec: accessModes: - {{ .Values.workerSandbox.packages.persistence.accessMode | default "ReadWriteOnce" }} diff --git a/helm/codeapi/values.yaml b/helm/codeapi/values.yaml index 2007a0f..1e01594 100644 --- a/helm/codeapi/values.yaml +++ b/helm/codeapi/values.yaml @@ -293,8 +293,7 @@ workerSandbox: # If you have pre-built packages, specify the existing claim existingClaim: "" - # Init job to populate packages on first install - # Runs as a Helm pre-install/pre-upgrade hook + # Init job to populate packages before sandbox deployments in Argo CD syncs # Compiles Python from source and downloads Node/Bun binaries initJob: enabled: true
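Review bot: In pvc.yaml's annotations hunk, the new comment says `"helm.sh/resource-policy": keep` holds the PVC across app deletion and prune events, but that annotation is acted on by Helm during uninstall and upgrade; Argo CD renders the chart and applies the manifests itself, and as far as I know it does not honor it. If the goal is that Argo CD never deletes the packages volume, add `"argocd.argoproj.io/sync-options": Prune=false,Delete=false` next to the sync-wave annotation and reword the comment to say which tool each annotation is for. Removing the `initJob.enabled` guard also means these annotations now apply whenever this PVC is rendered, which looks intended but is worth one line in the comment. The condition that wraps the whole PVC template starts outside the hunk.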