✨ Add Helm hook to roll out osu-web pods by age

Author: ThePooN

osu/osu-web/Chart.yaml

@@ -15,13 +15,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 2025.1013.0
+version: 2025.1025.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "2025.1013.0"
+appVersion: "2025.1025.0"
 
 dependencies:
   - name: osu-beatmap-difficulty-lookup-cache

osu/osu-web/templates/upgrade-order.yaml

@@ -0,0 +1,108 @@
+# This hook sets the `controller.kubernetes.io/pod-deletion-cost` on every pod to the creation timestamp.
+# The Kubernetes rollout will then terminate pods by order of creation, allowing topologySpreadConstraints to succeed in environments with not much nodes headroom.
+{{- if .Values.upgradeOrderJob.enabled }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "osu-web-chart.fullname" . }}-upgrade-order
+  labels:
+    {{- include "osu-web-chart.labels" (dict "root" . "options" (dict "component" "upgrade-order")) | nindent 4 }}
+    tier: wait-for-deploy
+  annotations:
+    "helm.sh/hook": pre-upgrade
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "osu-web-chart.fullname" . }}-upgrade-order
+  labels:
+    {{- include "osu-web-chart.labels" (dict "root" . "options" (dict "component" "upgrade-order")) | nindent 4 }}
+    tier: wait-for-deploy
+  annotations:
+    "helm.sh/hook": pre-upgrade
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+    verbs:
+      - get
+      - list
+      - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "osu-web-chart.fullname" . }}-upgrade-order
+  labels:
+    {{- include "osu-web-chart.labels" (dict "root" . "options" (dict "component" "upgrade-order")) | nindent 4 }}
+    tier: wait-for-deploy
+  annotations:
+    "helm.sh/hook": pre-upgrade
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "osu-web-chart.fullname" . }}-upgrade-order
+    apiGroup: ""
+roleRef:
+  kind: Role
+  name: {{ include "osu-web-chart.fullname" . }}-upgrade-order
+  apiGroup: ""
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "osu-web-chart.fullname" . }}-upgrade-order
+  labels:
+    {{- include "osu-web-chart.labels" (dict "root" . "options" (dict "component" "upgrade-order")) | nindent 4 }}
+    tier: wait-for-deploy
+  annotations:
+    "helm.sh/hook": pre-upgrade
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": before-hook-creation
+spec:
+  template:
+    spec:
+      restartPolicy: Never
+      serviceAccountName: {{ include "osu-web-chart.fullname" . }}-upgrade-order
+      securityContext:
+        {{- toYaml .Values.upgradeOrderJob.podSecurityContext | nindent 8 }}
+      containers:
+        - name: kubectl
+          securityContext:
+            {{- toYaml .Values.upgradeOrderJob.securityContext | nindent 12 }}
+          image: {{ .Values.upgradeOrderJob.image }}
+          {{- with .Values.upgradeOrderJob.imagePullPolicy }}
+          imagePullPolicy: {{ . }}
+          {{- end }}
+          command:
+            - /bin/bash
+            - -c
+            - |
+              set -e
+
+              POD_TIMESTAMPS=$(
+                kubectl get pods --selector=app.kubernetes.io/instance={{ .Release.Name }} -o json \
+                | jq -r '.items[] | "\(.metadata.name) \(.metadata.creationTimestamp | fromdateiso8601)"'
+              )
+
+              echo "$POD_TIMESTAMPS" | while read -r pod timestamp; do
+                kubectl annotate --overwrite pod/"$pod" controller.kubernetes.io/pod-deletion-cost="$timestamp"
+              done
+          resources:
+            {{- toYaml (.Values.upgradeOrderJob.resources | default .Values.resources) | nindent 12 }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 12 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 12 }}
+      {{- end }}
+{{- end -}}

osu/osu-web/values.yaml

@@ -538,3 +538,14 @@ assets:
     securityContext:
       runAsUser: 1001
       runAsGroup: 1001
+
+upgradeOrderJob:
+  enabled: false
+  image: bitnamisecure/kubectl:latest
+  imagePullPolicy: IfNotPresent
+  resources:
+    requests:
+      cpu: 10m
+      memory: 64Mi
+    limits:
+      memory: 128Mi