feat: Add post-upgrade hook to clean up deprecated node conditions

rupalis-nv · rupalis-nv · commit 5a35edeabf0a · 2025-11-11T15:33:10.000+05:30
diff --git a/distros/kubernetes/nvsentinel/files/node-condition-cleanup.sh b/distros/kubernetes/nvsentinel/files/node-condition-cleanup.sh
@@ -0,0 +1,91 @@
+#!/bin/bash
+# Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+if [ -z "$DEPRECATED_CONDITIONS" ]; then
+  echo "No deprecated conditions configured"
+  exit 0
+fi
+
+IFS=',' read -ra conditions <<< "$DEPRECATED_CONDITIONS"
+echo "Node Condition Cleanup: Removing ${conditions[*]}"
+
+nodes=$(kubectl get nodes -o jsonpath='{.items[*].metadata.name}')
+node_count=$(echo "$nodes" | wc -w | tr -d ' ')
+echo "Processing $node_count nodes (up to 6 in parallel)..."
+
+process_node() {
+  local node=$1
+  local removed=0
+  
+  # Fetch current conditions once
+  local current_conditions
+  current_conditions=$(kubectl get node "$node" -o json 2>/dev/null | jq -c '.status.conditions // []' 2>/dev/null || echo "[]")
+  
+  if [ "$current_conditions" = "[]" ]; then
+    echo "- $node: no conditions found"
+    return
+  fi
+  
+  # Check if any deprecated conditions exist and filter them out
+  local filtered_conditions="$current_conditions"
+  local found_conditions=()
+  
+  for condition in "${conditions[@]}"; do
+    # Check if this condition exists
+    local exists
+    exists=$(echo "$current_conditions" | jq --arg type "$condition" 'any(.[]; .type == $type)' 2>/dev/null || echo "false")
+    
+    if [ "$exists" = "true" ]; then
+      found_conditions+=("$condition")
+      filtered_conditions=$(echo "$filtered_conditions" | jq --arg type "$condition" '[.[] | select(.type != $type)]' 2>/dev/null || echo "$filtered_conditions")
+    fi
+  done
+  
+  if [ ${#found_conditions[@]} -eq 0 ]; then
+    return
+  fi
+  
+  # Apply the filtered conditions atomically
+  local patch_output
+  if patch_output=$(kubectl patch node "$node" --type=json -p="[{\"op\":\"replace\",\"path\":\"/status/conditions\",\"value\":$filtered_conditions}]" --subresource=status 2>&1); then
+    echo "✓ $node: removed ${#found_conditions[@]} condition(s): ${found_conditions[*]}"
+  else
+    echo "⚠ $node: failed to remove conditions - $patch_output"
+  fi
+}
+
+active_jobs=0
+max_parallel=6
+processed=0
+
+for node in $nodes; do
+  process_node "$node" &
+  active_jobs=$((active_jobs + 1))
+  processed=$((processed + 1))
+  
+  if [ $active_jobs -ge $max_parallel ]; then
+    wait -n 2>/dev/null || true
+    active_jobs=$((active_jobs - 1))
+  fi
+  
+  if [ $((processed % 10)) -eq 0 ]; then
+    echo "[$processed/$node_count nodes started]"
+  fi
+done
+
+wait
+echo "Cleanup completed for $node_count nodes"
diff --git a/distros/kubernetes/nvsentinel/templates/node-condition-cleanup-hook.yaml b/distros/kubernetes/nvsentinel/templates/node-condition-cleanup-hook.yaml
@@ -0,0 +1,142 @@
+# Copyright (c) 2025, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+{{- if .Values.nodeConditionCleanup.enabled }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "nvsentinel.fullname" . }}-node-condition-cleanup
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "nvsentinel.labels" . | nindent 4 }}
+  annotations:
+    helm.sh/hook: post-upgrade
+    helm.sh/hook-weight: "-5"
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
+    argocd.argoproj.io/hook: PostSync
+    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "nvsentinel.fullname" . }}-node-condition-cleanup
+  labels:
+    {{- include "nvsentinel.labels" . | nindent 4 }}
+  annotations:
+    helm.sh/hook: post-upgrade
+    helm.sh/hook-weight: "-5"
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
+    argocd.argoproj.io/hook: PostSync
+    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - get
+      - list
+      - patch
+  - apiGroups:
+      - ""
+    resources:
+      - nodes/status
+    verbs:
+      - get
+      - patch
+      - update
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "nvsentinel.fullname" . }}-node-condition-cleanup
+  labels:
+    {{- include "nvsentinel.labels" . | nindent 4 }}
+  annotations:
+    helm.sh/hook: post-upgrade
+    helm.sh/hook-weight: "-5"
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
+    argocd.argoproj.io/hook: PostSync
+    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "nvsentinel.fullname" . }}-node-condition-cleanup
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "nvsentinel.fullname" . }}-node-condition-cleanup
+    namespace: {{ .Release.Namespace }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "nvsentinel.fullname" . }}-node-condition-cleanup
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "nvsentinel.labels" . | nindent 4 }}
+  annotations:
+    helm.sh/hook: post-upgrade
+    helm.sh/hook-weight: "-5"
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
+    argocd.argoproj.io/hook: PostSync
+    argocd.argoproj.io/hook-delete-policy: BeforeHookCreation
+spec:
+  backoffLimit: 3
+  activeDeadlineSeconds: 300
+  template:
+    metadata:
+      labels:
+        {{- include "nvsentinel.selectorLabels" . | nindent 8 }}
+        app.kubernetes.io/component: node-condition-cleanup
+    spec:
+      serviceAccountName: {{ include "nvsentinel.fullname" . }}-node-condition-cleanup
+      restartPolicy: OnFailure
+      {{- with .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.nodeConditionCleanup.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.nodeConditionCleanup.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+      - name: cleanup
+        image: {{ .Values.nodeConditionCleanup.image.repository }}:{{ .Values.nodeConditionCleanup.image.tag }}
+        imagePullPolicy: {{ .Values.nodeConditionCleanup.image.pullPolicy }}
+        env:
+        - name: DEPRECATED_CONDITIONS
+          value: {{ .Values.nodeConditionCleanup.deprecatedConditions | join "," | quote }}
+        command:
+        - /bin/bash
+        - -c
+        - |
+{{ .Files.Get "files/node-condition-cleanup.sh" | indent 10 }}
+        resources:
+          {{- toYaml .Values.nodeConditionCleanup.resources | nindent 10 }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsNonRoot: true
+          runAsUser: 65534
+          readOnlyRootFilesystem: true
+          capabilities:
+            drop:
+            - ALL
+          seccompProfile:
+            type: RuntimeDefault
+{{- end }}
diff --git a/distros/kubernetes/nvsentinel/values.yaml b/distros/kubernetes/nvsentinel/values.yaml
@@ -105,3 +105,21 @@ platformConnector:
       - "cloud.google.com/gce-topology-subblock"
 
 socketPath: "/var/run/nvsentinel.sock"
+
+# Node condition cleanup hook configuration
+nodeConditionCleanup:
+  enabled: false
+  deprecatedConditions: []
+  # - "OldConditionType1"
+  # - "OldConditionType2"
+  image:
+    repository: docker.io/bitnamilegacy/kubectl
+    tag: "1.30.6"
+    pullPolicy: IfNotPresent
+  resources:
+    limits:
+      cpu: 100m
+      memory: 128Mi
+    requests:
+      cpu: 50m
+      memory: 64Mi
