From 359d0a761fdcc7c8f2420d2928390452249401de Mon Sep 17 00:00:00 2001 From: David Landry Date: Sun, 22 Sep 2024 19:35:27 -0400 Subject: [PATCH] chore(in-cluster): update rke2 system upgrade controller; add crd --- .../rke2-system-upgrade-controller.yaml | 150 +++- .../in-cluster/rke2-system-upgrade-crd.yaml | 642 ++++++++++++++++++ 2 files changed, 783 insertions(+), 9 deletions(-) create mode 100644 bootstrap/cluster-resources/in-cluster/rke2-system-upgrade-crd.yaml diff --git a/bootstrap/cluster-resources/in-cluster/rke2-system-upgrade-controller.yaml b/bootstrap/cluster-resources/in-cluster/rke2-system-upgrade-controller.yaml index d951e17..0b0f9ee 100644 --- a/bootstrap/cluster-resources/in-cluster/rke2-system-upgrade-controller.yaml +++ b/bootstrap/cluster-resources/in-cluster/rke2-system-upgrade-controller.yaml 
@@ -1,13 +1,118 @@ -apiVersion: v1 -kind: Namespace +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole metadata: - labels: - pod-security.kubernetes.io/enforce: privileged - name: system-upgrade + name: system-upgrade-controller +rules: +- apiGroups: + - batch + resources: + - jobs + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + - nodes + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - update +- apiGroups: + - upgrade.cattle.io + resources: + - plans + - plans/status + verbs: + - get + - list + - watch + - create + - patch + - update + - delete --- -apiVersion: v1 -kind: ServiceAccount +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role metadata: + name: system-upgrade-controller + namespace: system-upgrade +rules: +- apiGroups: + - batch + resources: + - jobs + verbs: + - create + - delete + - deletecollection + - patch + - update + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: system-upgrade-controller-drainer +rules: +- apiGroups: + - "" + resources: + - pods/eviction + verbs: + - create +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list +- apiGroups: + - "" + resources: + - nodes + verbs: + - get + - patch +- apiGroups: + - apps + resources: + - statefulsets + - daemonsets + - replicasets + verbs: + - get + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: system-upgrade-drainer +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: system-upgrade-controller-drainer +subjects: +- kind: ServiceAccount name: system-upgrade namespace: system-upgrade --- 
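Review bot: The namespaced Role `system-upgrade-controller` (`namespace: system-upgrade`) now comes before the Namespace document, which this hunk deletes from the top of the file and the next hunk (`@@ -18,12 +123,39 @@`) re-adds after the RoleBinding. If the file is applied in document order by a plain `kubectl apply -f`, the Role and that RoleBinding are created before their namespace exists and a cold bootstrap fails; tooling that orders by kind (Helm, and likely Flux or Argo CD) would mask this, and which applier is used is not visible here. Moving the Namespace and ServiceAccount documents back to the head of the file, or splitting them into a file applied first, keeps bootstrap deterministic regardless of applier. The replacement of the `cluster-admin` binding with the scoped ClusterRole/Role pair is a real least-privilege gain and deserves a mention in the commit message beyond "update".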
@@ -18,12 +123,39 @@ metadata: roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole - name: cluster-admin + name: system-upgrade-controller subjects: - kind: ServiceAccount name: system-upgrade namespace: system-upgrade --- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: system-upgrade + namespace: system-upgrade +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: system-upgrade-controller +subjects: +- kind: ServiceAccount + name: system-upgrade + namespace: system-upgrade +--- +apiVersion: v1 +kind: Namespace +metadata: + labels: + pod-security.kubernetes.io/enforce: privileged + name: system-upgrade +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: system-upgrade + namespace: system-upgrade +--- apiVersion: v1 data: SYSTEM_UPGRADE_CONTROLLER_DEBUG: "false" @@ -74,7 +206,7 @@ spec: envFrom: - configMapRef: name: default-controller-env - image: rancher/system-upgrade-controller:v0.13.2 + image: rancher/system-upgrade-controller:v0.13.4 imagePullPolicy: IfNotPresent name: system-upgrade-controller securityContext: diff --git a/bootstrap/cluster-resources/in-cluster/rke2-system-upgrade-crd.yaml b/bootstrap/cluster-resources/in-cluster/rke2-system-upgrade-crd.yaml new file mode 100644 index 0000000..6fb5343 --- /dev/null +++ b/bootstrap/cluster-resources/in-cluster/rke2-system-upgrade-crd.yaml 
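Review bot: The re-added Namespace carries `pod-security.kubernetes.io/enforce: privileged` with no comment explaining why the whole namespace is exempt from the baseline/restricted Pod Security profiles, so a later hardening pass could drop the label and break the upgrade Jobs. A comment above the label such as `# Plan-spawned upgrade Jobs may run privileged (see securityContext/volumes in the Plan CRD); PSA enforce must stay privileged` records the reason; that the Jobs need privilege is presumed from the CRD schema, not shown in this file. Adding `pod-security.kubernetes.io/audit: baseline` and `pod-security.kubernetes.io/warn: baseline` alongside would still admit the Jobs while surfacing any pod in this namespace that exceeds baseline in audit logs.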
@@ -0,0 +1,642 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: plans.upgrade.cattle.io +spec: + group: upgrade.cattle.io + names: + categories: + - upgrade + kind: Plan + plural: plans + singular: plan + preserveUnknownFields: false + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.upgrade.image + name: Image + type: string + - jsonPath: .spec.channel + name: Channel + type: string + - jsonPath: .spec.version + name: Version + type: string + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + channel: + nullable: true + type: string + concurrency: + type: integer + cordon: + type: boolean + drain: + nullable: true + properties: + deleteEmptydirData: + nullable: true + type: boolean + deleteLocalData: + nullable: true + type: boolean + disableEviction: + type: boolean + force: + type: boolean + gracePeriod: + nullable: true + type: integer + ignoreDaemonSets: + nullable: true + type: boolean + podSelector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + skipWaitForDeleteTimeout: + type: integer + timeout: + nullable: true + type: integer + type: object + exclusive: + type: boolean + imagePullSecrets: + items: + properties: + name: + nullable: true + type: string + type: object + nullable: true + type: array + jobActiveDeadlineSecs: + type: integer + nodeSelector: + nullable: true + properties: + matchExpressions: + items: + properties: + key: + nullable: true + type: string + operator: + nullable: true + type: string + values: + items: + nullable: true + type: string + nullable: true + type: array + type: object + 
nullable: true + type: array + matchLabels: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + type: object + prepare: + nullable: true + properties: + args: + items: + nullable: true + type: string + nullable: true + type: array + command: + items: + nullable: true + type: string + nullable: true + type: array + envFrom: + items: + properties: + configMapRef: + nullable: true + properties: + name: + nullable: true + type: string + optional: + nullable: true + type: boolean + type: object + prefix: + nullable: true + type: string + secretRef: + nullable: true + properties: + name: + nullable: true + type: string + optional: + nullable: true + type: boolean + type: object + type: object + nullable: true + type: array + envs: + items: + properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + valueFrom: + nullable: true + properties: + configMapKeyRef: + nullable: true + properties: + key: + nullable: true + type: string + name: + nullable: true + type: string + optional: + nullable: true + type: boolean + type: object + fieldRef: + nullable: true + properties: + apiVersion: + nullable: true + type: string + fieldPath: + nullable: true + type: string + type: object + resourceFieldRef: + nullable: true + properties: + containerName: + nullable: true + type: string + divisor: + nullable: true + type: string + resource: + nullable: true + type: string + type: object + secretKeyRef: + nullable: true + properties: + key: + nullable: true + type: string + name: + nullable: true + type: string + optional: + nullable: true + type: boolean + type: object + type: object + type: object + nullable: true + type: array + image: + nullable: true + type: string + securityContext: + nullable: true + properties: + allowPrivilegeEscalation: + nullable: true + type: boolean + capabilities: + nullable: true + properties: + add: + items: + nullable: true + type: string + nullable: true + type: array + drop: + 
items: + nullable: true + type: string + nullable: true + type: array + type: object + privileged: + nullable: true + type: boolean + procMount: + nullable: true + type: string + readOnlyRootFilesystem: + nullable: true + type: boolean + runAsGroup: + nullable: true + type: integer + runAsNonRoot: + nullable: true + type: boolean + runAsUser: + nullable: true + type: integer + seLinuxOptions: + nullable: true + properties: + level: + nullable: true + type: string + role: + nullable: true + type: string + type: + nullable: true + type: string + user: + nullable: true + type: string + type: object + seccompProfile: + nullable: true + properties: + localhostProfile: + nullable: true + type: string + type: + nullable: true + type: string + type: object + windowsOptions: + nullable: true + properties: + gmsaCredentialSpec: + nullable: true + type: string + gmsaCredentialSpecName: + nullable: true + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + nullable: true + type: string + type: object + type: object + volumes: + items: + properties: + destination: + nullable: true + type: string + name: + nullable: true + type: string + source: + nullable: true + type: string + type: object + nullable: true + type: array + type: object + secrets: + items: + properties: + ignoreUpdates: + type: boolean + name: + nullable: true + type: string + path: + nullable: true + type: string + type: object + nullable: true + type: array + serviceAccountName: + nullable: true + type: string + tolerations: + items: + properties: + effect: + nullable: true + type: string + key: + nullable: true + type: string + operator: + nullable: true + type: string + tolerationSeconds: + nullable: true + type: integer + value: + nullable: true + type: string + type: object + nullable: true + type: array + upgrade: + nullable: true + properties: + args: + items: + nullable: true + type: string + nullable: true + type: array + command: + items: + nullable: true + type: string + 
nullable: true + type: array + envFrom: + items: + properties: + configMapRef: + nullable: true + properties: + name: + nullable: true + type: string + optional: + nullable: true + type: boolean + type: object + prefix: + nullable: true + type: string + secretRef: + nullable: true + properties: + name: + nullable: true + type: string + optional: + nullable: true + type: boolean + type: object + type: object + nullable: true + type: array + envs: + items: + properties: + name: + nullable: true + type: string + value: + nullable: true + type: string + valueFrom: + nullable: true + properties: + configMapKeyRef: + nullable: true + properties: + key: + nullable: true + type: string + name: + nullable: true + type: string + optional: + nullable: true + type: boolean + type: object + fieldRef: + nullable: true + properties: + apiVersion: + nullable: true + type: string + fieldPath: + nullable: true + type: string + type: object + resourceFieldRef: + nullable: true + properties: + containerName: + nullable: true + type: string + divisor: + nullable: true + type: string + resource: + nullable: true + type: string + type: object + secretKeyRef: + nullable: true + properties: + key: + nullable: true + type: string + name: + nullable: true + type: string + optional: + nullable: true + type: boolean + type: object + type: object + type: object + nullable: true + type: array + image: + nullable: true + type: string + securityContext: + nullable: true + properties: + allowPrivilegeEscalation: + nullable: true + type: boolean + capabilities: + nullable: true + properties: + add: + items: + nullable: true + type: string + nullable: true + type: array + drop: + items: + nullable: true + type: string + nullable: true + type: array + type: object + privileged: + nullable: true + type: boolean + procMount: + nullable: true + type: string + readOnlyRootFilesystem: + nullable: true + type: boolean + runAsGroup: + nullable: true + type: integer + runAsNonRoot: + nullable: true + type: 
boolean + runAsUser: + nullable: true + type: integer + seLinuxOptions: + nullable: true + properties: + level: + nullable: true + type: string + role: + nullable: true + type: string + type: + nullable: true + type: string + user: + nullable: true + type: string + type: object + seccompProfile: + nullable: true + properties: + localhostProfile: + nullable: true + type: string + type: + nullable: true + type: string + type: object + windowsOptions: + nullable: true + properties: + gmsaCredentialSpec: + nullable: true + type: string + gmsaCredentialSpecName: + nullable: true + type: string + hostProcess: + nullable: true + type: boolean + runAsUserName: + nullable: true + type: string + type: object + type: object + volumes: + items: + properties: + destination: + nullable: true + type: string + name: + nullable: true + type: string + source: + nullable: true + type: string + type: object + nullable: true + type: array + type: object + version: + nullable: true + type: string + required: + - upgrade + type: object + status: + properties: + applying: + items: + nullable: true + type: string + nullable: true + type: array + conditions: + items: + properties: + lastTransitionTime: + nullable: true + type: string + lastUpdateTime: + nullable: true + type: string + message: + nullable: true + type: string + reason: + nullable: true + type: string + status: + nullable: true + type: string + type: + nullable: true + type: string + type: object + nullable: true + type: array + latestHash: + nullable: true + type: string + latestVersion: + nullable: true + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {}
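Review bot: The new CRD file has no header tying it to the controller release it was taken from, although the schema must track the image in rke2-system-upgrade-controller.yaml (`rancher/system-upgrade-controller:v0.13.4` in this commit) and the new ClusterRole's `plans`/`plans/status` rules do nothing until this CRD is installed. A comment such as `# Plan CRD for rancher/system-upgrade-controller; keep in step with the image tag in rke2-system-upgrade-controller.yaml and apply before the controller` records both constraints; whether the bootstrap tooling orders this file ahead of the controller manifest is not visible here. The schema also deserves a line stating its security weight: `spec.upgrade.securityContext` and `spec.prepare.securityContext` admit `privileged`, `capabilities.add` and `windowsOptions.hostProcess`, and `spec.secrets` mounts Secrets from the namespace, so create/patch on `plans` in `system-upgrade` is effectively node-level privilege and should be granted as narrowly as the controller's own RBAC. The Plan `metadata` and the CRD's remaining documents are not present in this hunk, so nothing beyond the schema is assessed.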