add system-upgrade

2025-10-01 16:05:55 +02:00 · 2021-04-04 15:33:28 +02:00
parent c81bc35a2c
commit 0d074c37b5
3 changed files with 188 additions and 0 deletions
--- a/cluster/system-upgrade/k3s-plan.yaml
+++ b/cluster/system-upgrade/k3s-plan.yaml
@@ -0,0 +1,83 @@
+---
+#
+# Server plan
+#
+apiVersion: upgrade.cattle.io/v1
+kind: Plan
+metadata:
+  name: k3s-server
+  namespace: system-upgrade
+spec:
+  concurrency: 1
+  cordon: true
+  nodeSelector:
+    matchExpressions:
+      - key: node-role.kubernetes.io/master
+        operator: In
+        values:
+          - "true"
+      - key: k3os.io/mode
+        operator: DoesNotExist
+      - key: kubernetes.io/arch
+        operator: In
+        values:
+          - "amd64"
+  serviceAccountName: system-upgrade
+  tolerations:
+    - key: "node-role.kubernetes.io/master"
+      operator: "Exists"
+  upgrade:
+    image: rancher/k3s-upgrade
+  channel: https://update.k3s.io/v1-release/channels/v1.20
+---
+#
+# Agent plan
+#
+apiVersion: upgrade.cattle.io/v1
+kind: Plan
+metadata:
+  name: k3s-agent
+  namespace: system-upgrade
+  labels:
+    k3s-upgrade: agent
+spec:
+  concurrency: 1
+  channel: https://update.k3s.io/v1-release/channels/v1.20
+  nodeSelector:
+    matchExpressions:
+      - key: k3s-upgrade
+        operator: Exists
+      - key: k3s-upgrade
+        operator: NotIn
+        values:
+          - "disabled"
+          - "false"
+      - key: k3s.io/hostname
+        operator: Exists
+      - key: k3os.io/mode
+        operator: DoesNotExist
+      - key: node-role.kubernetes.io/master
+        operator: NotIn
+        values:
+          - "true"
+  serviceAccountName: system-upgrade
+  tolerations:
+    - key: kubernetes.io/arch
+      effect: NoSchedule
+      operator: Equal
+      value: amd64
+    - key: kubernetes.io/arch
+      effect: NoSchedule
+      operator: Equal
+      value: arm64
+    - key: kubernetes.io/arch
+      effect: NoSchedule
+      operator: Equal
+      value: arm
+  prepare:
+    image: rancher/k3s-upgrade
+    args:
+      - "prepare"
+      - "k3s-server"
+  upgrade:
+    image: rancher/k3s-upgrade
--- a/cluster/system-upgrade/namespace.yaml
+++ b/cluster/system-upgrade/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: system-upgrade
+  labels:
+    goldilocks.fairwinds.com/enabled: "true"
--- a/cluster/system-upgrade/system-upgrade-controller.yaml
+++ b/cluster/system-upgrade/system-upgrade-controller.yaml
@@ -0,0 +1,98 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: system-upgrade
+  namespace: system-upgrade
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system-upgrade
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+  - kind: ServiceAccount
+    name: system-upgrade
+    namespace: system-upgrade
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: default-controller-env
+  namespace: system-upgrade
+data:
+  SYSTEM_UPGRADE_CONTROLLER_DEBUG: "false"
+  SYSTEM_UPGRADE_CONTROLLER_THREADS: "2"
+  SYSTEM_UPGRADE_JOB_ACTIVE_DEADLINE_SECONDS: "900"
+  SYSTEM_UPGRADE_JOB_BACKOFF_LIMIT: "99"
+  SYSTEM_UPGRADE_JOB_IMAGE_PULL_POLICY: "Always"
+  SYSTEM_UPGRADE_JOB_KUBECTL_IMAGE: "rancher/kubectl:v1.19.7"
+  SYSTEM_UPGRADE_JOB_PRIVILEGED: "true"
+  SYSTEM_UPGRADE_JOB_TTL_SECONDS_AFTER_FINISH: "900"
+  SYSTEM_UPGRADE_PLAN_POLLING_INTERVAL: "15m"
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: system-upgrade-controller
+  namespace: system-upgrade
+spec:
+  selector:
+    matchLabels:
+      upgrade.cattle.io/controller: system-upgrade-controller
+  template:
+    metadata:
+      labels:
+        upgrade.cattle.io/controller: system-upgrade-controller
+    spec:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: "node-role.kubernetes.io/master"
+                    operator: In
+                    values:
+                      - "true"
+      serviceAccountName: system-upgrade
+      tolerations:
+        - key: "CriticalAddonsOnly"
+          operator: "Exists"
+        - key: "node-role.kubernetes.io/master"
+          operator: "Exists"
+          effect: "NoSchedule"
+        - effect: NoExecute
+          operator: Exists
+        - effect: NoSchedule
+          operator: Exists
+      containers:
+        - name: system-upgrade-controller
+          image: rancher/system-upgrade-controller:v0.6.2
+          imagePullPolicy: IfNotPresent
+          envFrom:
+            - configMapRef:
+                name: default-controller-env
+          env:
+            - name: SYSTEM_UPGRADE_CONTROLLER_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.labels['upgrade.cattle.io/controller']
+            - name: SYSTEM_UPGRADE_CONTROLLER_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+          volumeMounts:
+            - name: etc-ssl
+              mountPath: /etc/ssl
+            - name: tmp
+              mountPath: /tmp
+      volumes:
+        - name: etc-ssl
+          hostPath:
+            path: /etc/ssl
+            type: Directory
+        - name: tmp
+          emptyDir: {}