concourse · david-baylibre · Dec 8, 2025 · Dec 8, 2025 · Dec 15, 2025 · Dec 15, 2025
diff --git a/templates/worker-configmap.yaml b/templates/worker-configmap.yaml
@@ -0,0 +1,53 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "concourse.worker.fullname" . }}
+  labels:
+    app: {{ template "concourse.worker.fullname" . }}
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+data:
+  post-start-hook.sh: |
+    #!/bin/bash
+    losetup -d $(losetup -a | grep "volumes\.img (deleted)" | cut -d: -f1)
+    exit 0
+  pre-stop-hook.sh: |
+    #!/bin/bash
+    pid=$(pgrep -o -f "entrypoint.sh worker")
+    while true; do
+      kill -s {{ .Values.concourse.worker.shutdownSignal }} $pid
+      for i in {0..60}; do
+        sleep 1
+        if ! [ -e /proc/$pid ]; then
+          exit 0
+        fi
+      done
+    done
+  teardown-entrypoint.sh: |
+    #!/usr/bin/sh
+    apk add --no-cache losetup
+    while true; do
+      pid=$(pgrep -o -f "entrypoint.sh worker")
+      # Get loop devices from the main container and store them
+      nsenter --mount=/proc/${pid}/ns/mnt mount | grep loop | cut -d\  -f1 > /tmp/loopdev.txt
+      sleep 60
+    done
+  teardown-pre-stop-hook.sh: |
+    #!/usr/bin/sh
+    while true; do
+      if ! pgrep concourse >/dev/null 2>&1; then
+
+        # Wait until filesystem is no longer busy
+        while (lsof | grep "${CONCOURSE_WORK_DIR}/volumes") >/dev/null 2>&1; do
+          sleep 1
+        done
+
+        # Detach main container loop devices
+        cat /tmp/loopdev.txt | xargs -r -n1 losetup -d
+
+        exit 0
+      fi
+
+      sleep 1
+    done
diff --git a/templates/worker-deployment.yaml b/templates/worker-deployment.yaml
@@ -81,6 +81,11 @@ spec:
 {{ toYaml .Values.worker.readinessProbe | indent 12 }}
 {{- end }}
           lifecycle:
+            postStart:
+              exec:
+                command:
+                  - "/bin/bash"
+                  - "/post-start-hook.sh"
             preStop:
               exec:
                 command:
@@ -103,11 +108,15 @@ spec:
 {{- end }}
           securityContext:
             privileged: true
+          shareProcessNamespace: true
           volumeMounts:
             - name: concourse-keys
               mountPath: {{ .Values.worker.keySecretsPath | quote }}
               readOnly: true
-            - name: pre-stop-hook
+            - name: concourse-worker
+              mountPath: /post-start-hook.sh
+              subPath: post-start-hook.sh
+            - name: concourse-worker
               mountPath: /pre-stop-hook.sh
               subPath: pre-stop-hook.sh
             {{- if and (not (kindIs "invalid" .Values.secrets.workerAdditionalCerts)) (.Values.secrets.workerAdditionalCerts | toString) }}
@@ -120,6 +129,34 @@ spec:
             - name: concourse-work-dir
               mountPath: {{ .Values.concourse.worker.workDir | quote }}
             {{- end }}
+        - name: teardown
+          image: cgr.dev/chainguard/wolfi-base
+          command: ["/usr/bin/sh", "-c", "sh /entrypoint.sh"]
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - "/usr/bin/sh"
+                  - "-c"
+                  - "sh /pre-stop-hook.sh 2>&1"
+          env:
+            {{- if .Values.concourse.worker.workDir }}
+            - name: CONCOURSE_WORK_DIR
+              value: {{ .Values.concourse.worker.workDir | quote }}
+            {{- end }}
+          securityContext:
+            privileged: true
+          volumeMounts:
+            - name: concourse-worker
+              mountPath: /entrypoint.sh
+              subPath: teardown-entrypoint.sh
+            - name: concourse-worker
+              mountPath: /pre-stop-hook.sh
+              subPath: teardown-pre-stop-hook.sh
+            {{- if include "concourse.are-there-additional-volumes.with-the-name.concourse-work-dir" . | not }}
+            - name: concourse-work-dir
+              mountPath: {{ .Values.concourse.worker.workDir | quote }}
+            {{- end }}
 
 {{- if .Values.worker.additionalVolumeMounts }}
 {{ toYaml .Values.worker.additionalVolumeMounts | indent 12 }}
@@ -161,7 +198,7 @@ spec:
 {{- if .Values.worker.additionalVolumes }}
 {{ toYaml .Values.worker.additionalVolumes | indent 8 }}
 {{- end }}
-        - name: pre-stop-hook
+        - name: concourse-worker
           configMap:
             name: {{ template "concourse.worker.fullname" . }}
         - name: concourse-keys

diff --git a/templates/worker-prestop-configmap.yaml b/templates/worker-prestop-configmap.yaml