feat(helm): use fsGroupChangePolicy=OnRootMismatch to speed up pod starts (#13942)

Signed-off-by: Mathieu Parent <[email protected]>

Author: sathieu

docs/sources/setup/install/helm/reference.md

@@ -7087,6 +7087,7 @@ null
 			<td><pre lang="json">
 {
   "fsGroup": 10001,
+  "fsGroupChangePolicy": "OnRootMismatch",
   "runAsGroup": 10001,
   "runAsNonRoot": true,
   "runAsUser": 10001

production/helm/loki/CHANGELOG.md

@@ -13,6 +13,7 @@ Entries should include a reference to the pull request that introduced the chang
 
 ## Unreleased
 
+- [ENHANCEMENT] Use fsGroupChangePolicy=OnRootMismatch on loki to speed up pod starts [#13942](https://github.com/grafana/loki/pull/13942)
 
 ## 6.46.0
 

production/helm/loki/templates/_helpers.tpl

@@ -1267,3 +1267,14 @@ azure:
 storage_prefix: {{ .storage_prefix }}
 {{- end }}
 {{- end }}
+
+{{/*
+Pod security context
+*/}}
+{{- define "loki.podSecurityContext" -}}
+{{- if semverCompare ">=1.23-0" $.Capabilities.KubeVersion.GitVersion }}
+{{- toYaml .Values.loki.podSecurityContext }}
+{{- else }}
+{{- toYaml (omit .Values.loki.podSecurityContext "fsGroupChangePolicy")  }}
+{{- end }}
+{{- end -}}

production/helm/loki/templates/backend/statefulset-backend.yaml

@@ -67,7 +67,7 @@ spec:
       {{- end }}
       {{- include "loki.backendPriorityClassName" . | nindent 6 }}
       securityContext:
-        {{- toYaml .Values.loki.podSecurityContext | nindent 8 }}
+        {{- include "loki.podSecurityContext" . | nindent 8 }}
       terminationGracePeriodSeconds: {{ .Values.backend.terminationGracePeriodSeconds }}
       {{- if and (semverCompare ">=1.33-0" (include "loki.kubeVersion" .)) (kindIs "bool" .Values.backend.hostUsers) }}
       hostUsers: {{ .Values.backend.hostUsers }}

production/helm/loki/templates/bloom-builder/deployment-bloom-builder.yaml

@@ -58,7 +58,7 @@ spec:
       {{- end }}
       {{- include "loki.bloomBuilderPriorityClassName" . | nindent 6 }}
       securityContext:
-        {{- toYaml .Values.loki.podSecurityContext | nindent 8 }}
+        {{- include "loki.podSecurityContext" . | nindent 8 }}
       terminationGracePeriodSeconds: {{ .Values.bloomBuilder.terminationGracePeriodSeconds }}
       {{- with .Values.bloomBuilder.initContainers }}
       initContainers:

production/helm/loki/templates/bloom-gateway/statefulset-bloom-gateway.yaml

@@ -62,7 +62,7 @@ spec:
       {{- end }}
       {{- include "loki.bloomGatewayPriorityClassName" . | nindent 6 }}
       securityContext:
-        {{- toYaml .Values.loki.podSecurityContext | nindent 8 }}
+        {{- include "loki.podSecurityContext" . | nindent 8 }}
       terminationGracePeriodSeconds: {{ .Values.bloomGateway.terminationGracePeriodSeconds }}
       {{- with .Values.bloomGateway.initContainers }}
       initContainers:

production/helm/loki/templates/bloom-planner/statefulset-bloom-planner.yaml

@@ -62,7 +62,7 @@ spec:
       {{- end }}
       {{- include "loki.bloomPlannerPriorityClassName" . | nindent 6 }}
       securityContext:
-        {{- toYaml .Values.loki.podSecurityContext | nindent 8 }}
+        {{- include "loki.podSecurityContext" . | nindent 8 }}
       terminationGracePeriodSeconds: {{ .Values.bloomPlanner.terminationGracePeriodSeconds }}
       {{- with .Values.bloomPlanner.initContainers }}
       initContainers:

production/helm/loki/templates/compactor/statefulset-compactor.yaml

@@ -69,7 +69,7 @@ spec:
       {{- end }}
       {{- include "loki.compactorPriorityClassName" . | nindent 6 }}
       securityContext:
-        {{- toYaml .Values.loki.podSecurityContext | nindent 8 }}
+        {{- include "loki.podSecurityContext" . | nindent 8 }}
       terminationGracePeriodSeconds: {{ .Values.compactor.terminationGracePeriodSeconds }}
       {{- with .Values.compactor.initContainers }}
       initContainers:

production/helm/loki/templates/distributor/deployment-distributor.yaml

@@ -65,7 +65,7 @@ spec:
       {{- end }}
       {{- include "loki.distributorPriorityClassName" . | nindent 6 }}
       securityContext:
-        {{- toYaml .Values.loki.podSecurityContext | nindent 8 }}
+        {{- include "loki.podSecurityContext" . | nindent 8 }}
       terminationGracePeriodSeconds: {{ .Values.distributor.terminationGracePeriodSeconds }}
       {{- with .Values.distributor.initContainers }}
       initContainers:

production/helm/loki/templates/index-gateway/statefulset-index-gateway.yaml

@@ -68,7 +68,7 @@ spec:
       {{- end }}
       {{- include "loki.indexGatewayPriorityClassName" . | nindent 6 }}
       securityContext:
-        {{- toYaml .Values.loki.podSecurityContext | nindent 8 }}
+        {{- include "loki.podSecurityContext" . | nindent 8 }}
       terminationGracePeriodSeconds: {{ .Values.indexGateway.terminationGracePeriodSeconds }}
       {{- with .Values.indexGateway.initContainers }}
       initContainers: