GDB-10462: Updated cluster jobs to always use the temp folder

- Updated all cluster jobs to explicitly use `/tmp` as a working directory to avoid
  permission errors due to the default security context's `readOnlyRootFilesystem`
  when the container has a starting folder different from `/tmp`.
- Updated all utility scripts to use temporary files under `/tmp` for the same reason.
- Prepared for version 11.0.1

CHANGELOG.md

@@ -1,5 +1,15 @@
 # GraphDB Helm chart release notes
 
+## Version 11.0.1
+
+GraphDB Helm 11.0.1 is a patch release that includes bug fixes.
+
+### Fixed
+
+- Updated all cluster jobs to explicitly use `/tmp` as a working directory to avoid permission errors due to the default security
+  context's `readOnlyRootFilesystem` when the container has a starting folder different from `/tmp`.
+- Updated all utility scripts to use temporary files under `/tmp` for the same reason.
+
 ## Version 11.0.0
 
 Version 11 of the chart addresses a bunch of legacy issues and aims to provide much better user experience and reliability.

Chart.yaml

@@ -5,7 +5,7 @@ apiVersion: v2
 name: graphdb
 description: GraphDB is a highly efficient, scalable and robust graph database with RDF and SPARQL support.
 type: application
-version: 11.0.0
+version: 11.0.1
 appVersion: 10.6.4
 kubeVersion: ^1.26.0-0
 home: https://graphdb.ontotext.com/

files/scripts/graphdb.sh

@@ -5,25 +5,29 @@ set -o nounset
 set -o pipefail
 
 function createCluster {
-  waitAllNodes $1
+  local node_count=$1
   local configLocation=$2
   local timeout=$3
+  local response
+
+  waitAllNodes "$node_count"
 
   echo "Creating cluster"
-  curl -o response.json -isSL -m "${timeout}" -X POST \
+  response=$(mktemp)
+  curl -o "$response" -isSL -m "${timeout}" -X POST \
        -d @"$configLocation" \
        --header "Authorization: Basic ${GRAPHDB_AUTH_TOKEN}" \
        --header 'Content-Type: application/json' \
        --header 'Accept: */*' \
        "http://${GRAPHDB_POD_NAME}-0.${GRAPHDB_SERVICE_NAME}:${GRAPHDB_SERVICE_PORT}/rest/cluster/config"
 
-  if grep -q 'HTTP/1.1 201' "response.json"; then
+  if grep -q 'HTTP/1.1 201' "$response"; then
     echo "Cluster creation successful!"
-  elif grep -q 'Cluster already exists.\|HTTP/1.1 409' "response.json" ; then
+  elif grep -q 'Cluster already exists.\|HTTP/1.1 409' "$response" ; then
     echo "Cluster already exists"
   else
     echo "Cluster creation failed, received response:"
-    cat response.json
+    cat "$response"
     echo
     exit 1
   fi
@@ -59,11 +63,13 @@ function waitAllNodes {
 }
 
 function createRepositoryFromFile {
-  waitAllNodes $1
+  local node_count=$1
   local repositoriesConfigsLocation=$2
   local timeout=60
   local success=true
 
+  waitAllNodes "$node_count"
+
   echo "Creating repositories"
   for filename in ${repositoriesConfigsLocation}/*.ttl; do
     repositoryName=$(grep "rep:repositoryID" "${filename}" | sed -ne 's/rep:repositoryID "//p' | sed -ne 's/" ;//p' | sed -ne 's/^[[:space:]]*//p')

files/scripts/update-cluster.sh

@@ -7,23 +7,26 @@ set -o pipefail
 function patchCluster {
   local configLocation=$1
   local timeout=$2
+  local response
 
-  echo "Patching cluster"
   waitService "http://${GRAPHDB_PROXY_SERVICE_NAME}:${GRAPHDB_PROXY_SERVICE_PORT}/proxy/ready"
-  curl -o patchResponse.json -isSL -m "$timeout" -X PATCH \
+
+  echo "Patching cluster"
+  response=$(mktemp)
+  curl -o "$response" -isSL -m "$timeout" -X PATCH \
        --header "Authorization: Basic ${GRAPHDB_AUTH_TOKEN}" \
        --header 'Content-Type: application/json' \
        --header 'Accept: application/json' \
        -d @"$configLocation" \
        "http://${GRAPHDB_PROXY_SERVICE_NAME}:${GRAPHDB_PROXY_SERVICE_PORT}/rest/cluster/config"
 
-  if grep -q 'HTTP/1.1 200' "patchResponse.json"; then
+  if grep -q 'HTTP/1.1 200' "$response"; then
     echo "Patch successful"
-  elif grep -q 'Cluster does not exist.\|HTTP/1.1 412' "patchResponse.json" ; then
+  elif grep -q 'Cluster does not exist.\|HTTP/1.1 412' "$response" ; then
     echo "Cluster does not exist"
   else
     echo "Cluster patch failed, received response:"
-    cat patchResponse.json
+    cat "$response"
     echo
     exit 1
   fi
@@ -36,6 +39,7 @@ function removeNodes {
   # DNS suffix in the form of namespace.svc.cluster.local
   local dns_suffix
   dns_suffix=$(awk '/search/{print $2}' /etc/resolv.conf)
+  local response
 
   echo "Cluster reported: $currentNodes current nodes"
   echo "Cluster is expected to have: $expectedNodes nodes"
@@ -53,28 +57,30 @@ function removeNodes {
     exit 0
   fi
 
-  echo "Scaling the cluster down"
   for ((i = expectedNodes; i < currentNodes; i++)) do
     nodes=${nodes}\"${GRAPHDB_POD_NAME}-$i.${GRAPHDB_SERVICE_NAME}.${dns_suffix}:${GRAPHDB_SERVICE_RPC_PORT}\"
     if [ $i -lt $(expr $currentNodes - 1) ]; then
       nodes=${nodes}\,
     fi
   done
-
   nodes=\{\"nodes\":\[${nodes}\]\}
+
   waitService "http://${GRAPHDB_PROXY_SERVICE_NAME}:${GRAPHDB_PROXY_SERVICE_PORT}/proxy/ready"
-  curl -o clusterRemove.json -isSL -m 15 -X DELETE \
+
+  echo "Scaling the cluster down"
+  response=$(mktemp)
+  curl -o "$response" -isSL -m 15 -X DELETE \
        --header 'Content-Type: application/json' \
        --header 'Accept: application/json' \
        --header "Authorization: Basic ${GRAPHDB_AUTH_TOKEN}" \
        -d "${nodes}" \
        "http://${GRAPHDB_PROXY_SERVICE_NAME}:${GRAPHDB_PROXY_SERVICE_PORT}/rest/cluster/config/node"
 
-  if grep -q 'HTTP/1.1 200' "clusterRemove.json"; then
+  if grep -q 'HTTP/1.1 200' "$response"; then
     echo "Scaling down successful."
   else
     echo "Issue scaling down:"
-    cat clusterRemove.json
+    cat "$response"
     echo
     exit 1
   fi
@@ -88,6 +94,7 @@ function addNodes {
   # DNS suffix in the form of namespace.svc.cluster.local
   local dns_suffix
   dns_suffix=$(awk '/search/{print $2}' /etc/resolv.conf)
+  local response
 
   echo "Cluster reported: $currentNodes current nodes"
   echo "Cluster is expected to have: $expectedNodes nodes"
@@ -98,34 +105,36 @@ function addNodes {
     exit 0
   fi
 
-  echo "Scaling the cluster up"
   for ((i = currentNodes; i < expectedNodes; i++)) do
     nodes=${nodes}\"${GRAPHDB_POD_NAME}-$i.${GRAPHDB_SERVICE_NAME}.${dns_suffix}:${GRAPHDB_SERVICE_RPC_PORT}\"
     if [ $i -lt $(expr $expectedNodes - 1) ]; then
       nodes=${nodes}\,
     fi
   done
-
   nodes=\{\"nodes\":\[${nodes}\]\}
+
   waitService "http://${GRAPHDB_PROXY_SERVICE_NAME}:${GRAPHDB_PROXY_SERVICE_PORT}/proxy/ready"
-  curl -o clusterAdd.json -isSL -m "${timeout}" -X POST \
+
+  echo "Scaling the cluster up"
+  response=$(mktemp)
+  curl -o "$response" -isSL -m "${timeout}" -X POST \
        --header 'Content-Type: application/json' \
        --header 'Accept: application/json' \
        --header "Authorization: Basic ${GRAPHDB_AUTH_TOKEN}" \
        -d "${nodes}" \
        "http://${GRAPHDB_PROXY_SERVICE_NAME}:${GRAPHDB_PROXY_SERVICE_PORT}/rest/cluster/config/node"
 
-  if grep -q 'HTTP/1.1 200' "clusterAdd.json"; then
+  if grep -q 'HTTP/1.1 200' "$response"; then
     echo "Scaling successful."
-  elif grep -q 'Mismatching fingerprints\|HTTP/1.1 412' "clusterAdd.json"; then
+  elif grep -q 'Mismatching fingerprints\|HTTP/1.1 412' "$response"; then
     echo "Issue scaling:"
-    cat clusterAdd.json
+    cat "$response"
     echo
     echo "Manual clear of the mismatched repositories will be required to add the node"
     exit 1
   else
     echo "Issue scaling:"
-    cat clusterAdd.json
+    cat "$response"
     echo
     exit 1
   fi
@@ -134,32 +143,38 @@ function addNodes {
 function deleteCluster {
   waitService "http://${GRAPHDB_POD_NAME}-0.${GRAPHDB_SERVICE_NAME}:${GRAPHDB_SERVICE_PORT}/rest/repositories"
 
-  curl -o response.json -isSL -m 15 -X DELETE \
+  local response
+  response=$(mktemp)
+  curl -o "$response" -isSL -m 15 -X DELETE \
        --header "Authorization: Basic ${GRAPHDB_AUTH_TOKEN}" \
        --header 'Accept: */*' \
        "http://${GRAPHDB_POD_NAME}-0.${GRAPHDB_SERVICE_NAME}:${GRAPHDB_SERVICE_PORT}/rest/cluster/config?force=false"
 
-  if grep -q 'HTTP/1.1 200' "response.json"; then
+  if grep -q 'HTTP/1.1 200' "$response"; then
     echo "Cluster deletion successful!"
-  elif grep -q 'Node is not part of the cluster.\|HTTP/1.1 412' "response.json" ; then
+  elif grep -q 'Node is not part of the cluster.\|HTTP/1.1 412' "$response" ; then
     echo "No cluster present."
   else
     echo "Cluster deletion failed, received response:"
-    cat response.json
+    cat "$response"
     echo
     exit 1
   fi
 }
 
 function getNodeCountInCurrentCluster {
   local node_address="http://${GRAPHDB_POD_NAME}-0.${GRAPHDB_SERVICE_NAME}:${GRAPHDB_SERVICE_PORT}"
+
   waitService "${node_address}/rest/repositories"
-  curl -o clusterResponse.json -isSL -m 15 -X GET \
+
+  local response
+  response=$(mktemp)
+  curl -o "$response" -isSL -m 15 -X GET \
        --header 'Content-Type: application/json' \
        --header "Authorization: Basic ${GRAPHDB_AUTH_TOKEN}" \
        --header 'Accept: */*' \
        "${node_address}/rest/cluster/config"
-  grep -o "${GRAPHDB_SERVICE_NAME}" "clusterResponse.json" | grep -c ""
+  grep -o "${GRAPHDB_SERVICE_NAME}" "$response" | grep -c ""
 }
 
 function waitService {
@@ -169,7 +184,7 @@ function waitService {
   local max_attempts=100
 
   until curl --output /dev/null -fsSL -m 5 -H "Authorization: Basic ${GRAPHDB_AUTH_TOKEN}" --silent --fail "${address}"; do
-    if [[ ${attempt_counter} -eq ${max_attempts} ]];then
+    if [[ ${attempt_counter} -eq ${max_attempts} ]]; then
       echo "Max attempts reached"
       exit 1
     fi

templates/graphdb/statefulset.yaml

@@ -225,6 +225,7 @@ spec:
           {{- with .Values.initContainerResources }}
           resources: {{ toYaml . | nindent 12 }}
           {{- end }}
+          workingDir: /tmp
           command: [ "bash", "-c" ]
           args:
             - |

templates/jobs/job-create-cluster.yaml

@@ -66,6 +66,7 @@ spec:
             - name: cluster-config
               mountPath: /tmp/cluster-config/cluster-config.json
               subPath: {{ .Values.cluster.config.configmapKey }}
+          workingDir: /tmp
           command: ["bash"]
           args:
             - "/tmp/utils/graphdb.sh"

templates/jobs/job-patch-cluster.yaml

@@ -70,6 +70,7 @@ spec:
             - name: cluster-config
               mountPath: /tmp/cluster-config/cluster-config.json
               subPath: {{ .Values.cluster.config.configmapKey }}
+          workingDir: /tmp
           command: ["bash"]
           args:
             - "/tmp/utils/update-cluster.sh"

templates/jobs/job-provision-repositories.yaml

@@ -65,6 +65,7 @@ spec:
               mountPath: /tmp/utils
             - name: repositories-config
               mountPath: /tmp/repositories-config
+          workingDir: /tmp
           command: ["bash"]
           args:
             - "/tmp/utils/graphdb.sh"

templates/jobs/job-scale-down-cluster.yaml

@@ -65,6 +65,7 @@ spec:
               mountPath: /tmp
             - name: graphdb-utils
               mountPath: /tmp/utils
+          workingDir: /tmp
           command: ["bash"]
           args:
             - "/tmp/utils/update-cluster.sh"

templates/jobs/job-scale-up-cluster.yaml

@@ -66,6 +66,7 @@ spec:
               mountPath: /tmp
             - name: graphdb-utils
               mountPath: /tmp/utils
+          workingDir: /tmp
           command: ["bash"]
           args:
             - "/tmp/utils/update-cluster.sh"

templates/proxy/statefulset.yaml

@@ -183,6 +183,7 @@ spec:
               mountPath: /tmp/graphdb/graphdb-extra-secret.properties
               subPath: {{ .Values.proxy.configuration.extraProperties.secretKey }}
             {{- end }}
+          workingDir: /tmp
           command: [ "bash", "-c" ]
           args:
             - |