From 5215484f9c93f40885467842642713b7f227b80d Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Sun, 28 Jun 2020 20:25:43 +0200
Subject: [PATCH] install and configure system upgrade controller this brings (semi) automated k3s upgrades. YAY!
---
_apps/system-upgrade-controller.yaml | 23 +++++
.../k3s-upgrade-plan.yaml | 54 +++++++++++
.../system-upgrade-controller.yaml | 93 +++++++++++++++++++
3 files changed, 170 insertions(+)
create mode 100644 _apps/system-upgrade-controller.yaml
create mode 100644 system-upgrade-controller/k3s-upgrade-plan.yaml
create mode 100644 system-upgrade-controller/system-upgrade-controller.yaml
diff --git a/_apps/system-upgrade-controller.yaml b/_apps/system-upgrade-controller.yaml
new file mode 100644
index 0000000..61d0315
--- /dev/null
+++ b/_apps/system-upgrade-controller.yaml
@@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: system-upgrade-controller
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: system-upgrade
+ server: https://kubernetes.default.svc
+ project: default
+ source:
+ path: system-upgrade-controller
+ repoURL: https://git.tbrnt.ch/tobru/gitops-tbrnt.git
+ targetRevision: HEAD
+ directory:
+ recurse: true
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: system-upgrade
diff --git a/system-upgrade-controller/k3s-upgrade-plan.yaml b/system-upgrade-controller/k3s-upgrade-plan.yaml
new file mode 100644
index 0000000..0ae0a3e
--- /dev/null
+++ b/system-upgrade-controller/k3s-upgrade-plan.yaml
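Review bot: `targetRevision: HEAD` together with `directory.recurse: true` means every commit that lands on the repository's default branch is applied unreviewed, and this directory carries Plans that run under the `system-upgrade` service account, which the third file in this commit binds to `cluster-admin` — so write access to that branch is effectively cluster-admin on the control plane. Pinning `targetRevision` to an explicit, protected branch name or a tag keeps that path behind review; at minimum add a comment above it such as `# HEAD = default branch; any merge there changes the upgrade Plans — keep the branch protected`. The Namespace is declared here next to the Argo Application rather than under `system-upgrade-controller/`, presumably so it exists before the app syncs; a one-line comment stating that would save the next reader from moving it.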
@@ -0,0 +1,54 @@
+# These plans are adapted from work by Dax McDonald (https://github.com/daxmc99) and Hussein Galal (https://github.com/galal-hussein)
+# in support of Rancher v2 managed k3s upgrades. See Also: https://rancher.com/docs/k3s/latest/en/upgrades/automated/
+---
+apiVersion: upgrade.cattle.io/v1
+kind: Plan
+metadata:
+ name: k3s-server
+ namespace: system-upgrade
+ labels:
+ k3s-upgrade: server
+spec:
+ concurrency: 1
+ version: v1.18.4+k3s1
+ nodeSelector:
+ matchExpressions:
+ - {key: k3s-upgrade, operator: Exists}
+ - {key: k3s-upgrade, operator: NotIn, values: ["disabled", "false"]}
+ - {key: k3s.io/hostname, operator: Exists}
+ - {key: k3os.io/mode, operator: DoesNotExist}
+ - {key: node-role.kubernetes.io/master, operator: In, values: ["true"]}
+ serviceAccountName: system-upgrade
+ cordon: false
+# drain:
+# force: true
+ upgrade:
+ image: tobru/k3s-upgrade-alpine
+---
+apiVersion: upgrade.cattle.io/v1
+kind: Plan
+metadata:
+ name: k3s-agent
+ namespace: system-upgrade
+ labels:
+ k3s-upgrade: agent
+spec:
+ concurrency: 2
+ version: v1.18.4+k3s1
+ nodeSelector:
+ matchExpressions:
+ - {key: k3s-upgrade, operator: Exists}
+ - {key: k3s-upgrade, operator: NotIn, values: ["disabled", "false"]}
+ - {key: k3s.io/hostname, operator: Exists}
+ - {key: k3os.io/mode, operator: DoesNotExist}
+ - {key: node-role.kubernetes.io/master, operator: NotIn, values: ["true"]}
+ serviceAccountName: system-upgrade
+ prepare:
+ # Since v0.5.0-m1 SUC will use the resolved version of the plan for the tag on the prepare container.
+ # image: rancher/k3s-upgrade:v1.17.4-k3s1
+ image: tobru/k3s-upgrade-alpine
+ args: ["prepare", "k3s-server"]
+ drain:
+ force: true
+ upgrade:
+ image: rancher/k3s-upgrade
diff --git a/system-upgrade-controller/system-upgrade-controller.yaml b/system-upgrade-controller/system-upgrade-controller.yaml
new file mode 100644
index 0000000..1109332
--- /dev/null
+++ b/system-upgrade-controller/system-upgrade-controller.yaml
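Review bot: The two Plans trust different image sources without saying why: `k3s-server` upgrades with `tobru/k3s-upgrade-alpine` (and `k3s-agent` uses the same image for `prepare`), while the agent upgrade itself uses the upstream `rancher/k3s-upgrade`, and the jobs these images run are privileged (`SYSTEM_UPGRADE_JOB_PRIVILEGED: "true"` in the controller ConfigMap) under the `cluster-admin`-bound `system-upgrade` service account, on the nodes the server plan selects with `node-role.kubernetes.io/master`. Add a comment above the server plan's `upgrade.image` recording the image's origin and build, e.g. `# custom alpine build of rancher/k3s-upgrade — source: <repo placeholder>`, and consider pinning it by digest if the controller's version-as-tag convention (mentioned in the `prepare` comment) allows it. `cordon: false` with `drain` commented out on the server plan also means control-plane nodes stay schedulable during the upgrade, unlike the agent plan which drains with `force: true`; if that is deliberate for a single-server cluster, a comment such as `# no cordon/drain: single server, nothing to move` would make it clear.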
@@ -0,0 +1,93 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: system-upgrade
+ namespace: system-upgrade
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: system-upgrade
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+- kind: ServiceAccount
+ name: system-upgrade
+ namespace: system-upgrade
+---
+apiVersion: v1
+data:
+ SYSTEM_UPGRADE_CONTROLLER_DEBUG: "false"
+ SYSTEM_UPGRADE_CONTROLLER_THREADS: "2"
+ SYSTEM_UPGRADE_JOB_ACTIVE_DEADLINE_SECONDS: "900"
+ SYSTEM_UPGRADE_JOB_BACKOFF_LIMIT: "99"
+ SYSTEM_UPGRADE_JOB_IMAGE_PULL_POLICY: Always
+ SYSTEM_UPGRADE_JOB_KUBECTL_IMAGE: rancher/kubectl:v1.18.3
+ SYSTEM_UPGRADE_JOB_PRIVILEGED: "true"
+ SYSTEM_UPGRADE_JOB_TTL_SECONDS_AFTER_FINISH: "900"
+ SYSTEM_UPGRADE_PLAN_POLLING_INTERVAL: 15m
+kind: ConfigMap
+metadata:
+ name: default-controller-env
+ namespace: system-upgrade
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: system-upgrade-controller
+ namespace: system-upgrade
+spec:
+ selector:
+ matchLabels:
+ upgrade.cattle.io/controller: system-upgrade-controller
+ template:
+ metadata:
+ labels:
+ upgrade.cattle.io/controller: system-upgrade-controller
+ spec:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: node-role.kubernetes.io/master
+ operator: In
+ values:
+ - "true"
+ containers:
+ - env:
+ - name: SYSTEM_UPGRADE_CONTROLLER_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.labels['upgrade.cattle.io/controller']
+ - name: SYSTEM_UPGRADE_CONTROLLER_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ envFrom:
+ - configMapRef:
+ name: default-controller-env
+ image: rancher/system-upgrade-controller:v0.6.1
+ imagePullPolicy: IfNotPresent
+ name: system-upgrade-controller
+ volumeMounts:
+ - mountPath: /etc/ssl
+ name: etc-ssl
+ - mountPath: /tmp
+ name: tmp
+ serviceAccountName: system-upgrade
+ tolerations:
+ - key: CriticalAddonsOnly
+ operator: Exists
+ - effect: NoSchedule
+ key: node-role.kubernetes.io/master
+ operator: Exists
+ volumes:
+ - hostPath:
+ path: /etc/ssl
+ type: Directory
+ name: etc-ssl
+ - emptyDir: {}
+ name: tmp
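Review bot: The `etc-ssl` hostPath is mounted read-write: the `volumeMounts` entry for `/etc/ssl` carries no `readOnly`, so the controller container — pinned to master nodes by the node affinity — can alter the host's CA trust store. Reading the host bundle is all a TLS client needs, so add `readOnly: true` beneath `- mountPath: /etc/ssl`. The ClusterRoleBinding grants `cluster-admin` to the `system-upgrade` service account with no explanation; a comment on the binding such as `# cluster-admin: Plans run privileged Jobs on every node via this account (see SYSTEM_UPGRADE_JOB_PRIVILEGED) — TODO confirm a narrower ClusterRole is not sufficient` would make the grant reviewable. The ConfigMap sets `SYSTEM_UPGRADE_JOB_IMAGE_PULL_POLICY: Always` for the upgrade Jobs while the controller itself uses `imagePullPolicy: IfNotPresent`; if the difference is intentional (untagged upgrade images resolved at run time versus a pinned controller tag), a one-line comment next to the ConfigMap key would record it.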