Detach loop devices post shutdown

Add sidecar container teardown

Monitor Concourse processes post shutdown
and detach main container loop devices left alone.
Disk space is released on the node from the dead pod.

Signed-off-by: David Rozé <droze@baylibre.com>

Author: david-baylibre

templates/worker-configmap.yaml

@@ -24,3 +24,30 @@ data:
         fi
       done
     done
+  teardown-entrypoint.sh: |
+    #!/usr/bin/sh
+    apk add --no-cache losetup
+    while true; do
+      pid=$(pgrep -o -f "entrypoint.sh worker")
+      # Get loop devices from the main container and store them
+      nsenter --mount=/proc/${pid}/ns/mnt mount | grep loop | cut -d\  -f1 > /tmp/loopdev.txt
+      sleep 60
+    done
+  teardown-pre-stop-hook.sh: |
+    #!/usr/bin/sh
+    while true; do
+      if ! pgrep concourse >/dev/null 2>&1; then
+
+        # Wait until filesystem is no longer busy
+        while (lsof | grep "${CONCOURSE_WORK_DIR}/volumes") >/dev/null 2>&1; do
+          sleep 1
+        done
+
+        # Detach main container loop devices
+        cat /tmp/loopdev.txt | xargs -r -n1 losetup -d
+
+        exit 0
+      fi
+
+      sleep 1
+    done

templates/worker-deployment.yaml

@@ -108,6 +108,7 @@ spec:
 {{- end }}
           securityContext:
             privileged: true
+          shareProcessNamespace: true
           volumeMounts:
             - name: concourse-keys
               mountPath: {{ .Values.worker.keySecretsPath | quote }}
@@ -128,6 +129,34 @@ spec:
             - name: concourse-work-dir
               mountPath: {{ .Values.concourse.worker.workDir | quote }}
             {{- end }}
+        - name: teardown
+          image: cgr.dev/chainguard/wolfi-base
+          command: ["/usr/bin/sh", "-c", "sh /entrypoint.sh"]
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - "/usr/bin/sh"
+                  - "-c"
+                  - "sh /pre-stop-hook.sh 2>&1"
+          env:
+            {{- if .Values.concourse.worker.workDir }}
+            - name: CONCOURSE_WORK_DIR
+              value: {{ .Values.concourse.worker.workDir | quote }}
+            {{- end }}
+          securityContext:
+            privileged: true
+          volumeMounts:
+            - name: concourse-worker
+              mountPath: /entrypoint.sh
+              subPath: teardown-entrypoint.sh
+            - name: concourse-worker
+              mountPath: /pre-stop-hook.sh
+              subPath: teardown-pre-stop-hook.sh
+            {{- if include "concourse.are-there-additional-volumes.with-the-name.concourse-work-dir" . | not }}
+            - name: concourse-work-dir
+              mountPath: {{ .Values.concourse.worker.workDir | quote }}
+            {{- end }}
 
 {{- if .Values.worker.additionalVolumeMounts }}
 {{ toYaml .Values.worker.additionalVolumeMounts | indent 12 }}