diff --git a/bootstrap/templates/kubernetes/apps/kube-system/kubelet-csr-approver/.mjfilter.py b/bootstrap/templates/kubernetes/apps/kube-system/kubelet-csr-approver/.mjfilter.py
deleted file mode 100644
index 3ace63dfa..000000000
--- a/bootstrap/templates/kubernetes/apps/kube-system/kubelet-csr-approver/.mjfilter.py
+++ /dev/null
@@ -1 +0,0 @@
-main = lambda data: data.get("bootstrap_distribution", "k3s") in ["talos"]
diff --git a/bootstrap/templates/kubernetes/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml.j2 b/bootstrap/templates/kubernetes/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml.j2
deleted file mode 100644
index 2d9030e79..000000000
--- a/bootstrap/templates/kubernetes/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml.j2
+++ /dev/null
@@ -1,32 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- name: kubelet-csr-approver
-spec:
- interval: 30m
- chart:
- spec:
- chart: kubelet-csr-approver
- version: 1.2.2
- sourceRef:
- kind: HelmRepository
- name: postfinance
- namespace: flux-system
- install:
- remediation:
- retries: 3
- upgrade:
- cleanupOnFail: true
- remediation:
- retries: 3
- uninstall:
- keepHistory: false
- values:
- #% filter indent(width=4, first=True) %#
- #% include 'partials/kubelet-csr-approver-values.partial.yaml.j2' %#
- #% endfilter %#
- metrics:
- enable: true
- serviceMonitor:
- enabled: true
diff --git a/bootstrap/templates/kubernetes/apps/kube-system/kubelet-csr-approver/ks.yaml.j2 b/bootstrap/templates/kubernetes/apps/kube-system/kubelet-csr-approver/ks.yaml.j2
deleted file mode 100644
index adfb4940a..000000000
--- a/bootstrap/templates/kubernetes/apps/kube-system/kubelet-csr-approver/ks.yaml.j2
+++ /dev/null
@@ -1,20 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app kubelet-csr-approver
- namespace: flux-system
-spec:
- targetNamespace: kube-system
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- path: ./kubernetes/apps/kube-system/kubelet-csr-approver/app
- prune: false # never should be deleted
- sourceRef:
- kind: GitRepository
- name: home-kubernetes
- wait: false
- interval: 30m
- retryInterval: 1m
- timeout: 5m
diff --git a/bootstrap/templates/kubernetes/apps/kube-system/kubelet-csr-approver/app/kustomization.yaml.j2 b/kubernetes/raspberry/system-upgrade/k3s/app/kustomization.yaml
similarity index 77%
rename from bootstrap/templates/kubernetes/apps/kube-system/kubelet-csr-approver/app/kustomization.yaml.j2
rename to kubernetes/raspberry/system-upgrade/k3s/app/kustomization.yaml
index 5dd7baca7..adbf0d4af 100644
--- a/bootstrap/templates/kubernetes/apps/kube-system/kubelet-csr-approver/app/kustomization.yaml.j2
+++ b/kubernetes/raspberry/system-upgrade/k3s/app/kustomization.yaml
@@ -2,4 +2,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - ./helmrelease.yaml
+ - plan.yaml
diff --git a/kubernetes/raspberry/system-upgrade/k3s/app/plan.yaml b/kubernetes/raspberry/system-upgrade/k3s/app/plan.yaml
new file mode 100644
index 000000000..3f5d561bc
--- /dev/null
+++ b/kubernetes/raspberry/system-upgrade/k3s/app/plan.yaml
@@ -0,0 +1,55 @@
+---
+apiVersion: upgrade.cattle.io/v1
+kind: Plan
+metadata:
+ name: controllers
+ namespace: system-upgrade
+spec:
+ version: "${KUBE_VERSION}"
+ upgrade:
+ image: rancher/k3s-upgrade
+ serviceAccountName: system-upgrade
+ concurrency: 1
+ cordon: true
+ nodeSelector:
+ matchExpressions:
+ - key: node-role.kubernetes.io/control-plane
+ operator: Exists
+ tolerations:
+ - effect: NoSchedule
+ operator: Exists
+ - effect: NoExecute
+ operator: Exists
+ - key: node-role.kubernetes.io/control-plane
+ effect: NoSchedule
+ operator: Exists
+ - key: node-role.kubernetes.io/master
+ effect: NoSchedule
+ operator: Exists
+ - key: node-role.kubernetes.io/etcd
+ effect: NoExecute
+ operator: Exists
+ - key: CriticalAddonsOnly
+ operator: Exists
+---
+apiVersion: upgrade.cattle.io/v1
+kind: Plan
+metadata:
+ name: workers
+ namespace: system-upgrade
+spec:
+ version: "${KUBE_VERSION}"
+ serviceAccountName: system-upgrade
+ concurrency: 1
+ nodeSelector:
+ matchExpressions:
+ - key: node-role.kubernetes.io/control-plane
+ operator: DoesNotExist
+ prepare:
+ image: rancher/k3s-upgrade
+ args: ["prepare", "controllers"]
+ drain:
+ force: true
+ skipWaitForDeleteTimeout: 60
+ upgrade:
+ image: rancher/k3s-upgrade
diff --git a/kubernetes/raspberry/system-upgrade/k3s/ks.yaml b/kubernetes/raspberry/system-upgrade/k3s/ks.yaml
new file mode 100644
index 000000000..6c564da2f
--- /dev/null
+++ b/kubernetes/raspberry/system-upgrade/k3s/ks.yaml
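Review bot: In the controllers plan the first two tolerations (`- effect: NoSchedule operator: Exists` and `- effect: NoExecute operator: Exists`) have no key, so they already tolerate every taint with those effects; the four key-specific entries that follow (control-plane, master, etcd, CriticalAddonsOnly) add nothing beyond that and either they or the two blanket ones should go, depending on whether the plan is meant to tolerate any taint or only the named ones. The workers plan sets `drain.force: true`, which also removes pods on the node that are not managed by a controller; a comment such as `# force: bare (uncontrolled) pods are deleted on drain` would make that deliberate. `version: "${KUBE_VERSION}"` is only filled in by the Flux Kustomization's `postBuild.substitute`, so the file is not applyable on its own, which is worth stating in a header comment; `args: ["prepare", "controllers"]` also ties the workers plan to the controllers plan by name and deserves a note at that line.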
@@ -0,0 +1,27 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app system-upgrade-k3s
+ namespace: flux-system
+spec:
+ targetNamespace: system-upgrade
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ dependsOn:
+ - name: system-upgrade-controller
+ path: ./kubernetes/raspberry/system-upgrade/k3s/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ wait: false
+ interval: 1h
+ retryInterval: 1m
+ timeout: 5m
+ postBuild:
+ substitute:
+ # renovate: datasource=github-releases depName=k3s-io/k3s
+ KUBE_VERSION: v1.31.1+k3s1
diff --git a/kubernetes/raspberry/system-upgrade/kustomization.yaml b/kubernetes/raspberry/system-upgrade/kustomization.yaml
new file mode 100644
index 000000000..75dd20ee9
--- /dev/null
+++ b/kubernetes/raspberry/system-upgrade/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - k3s/ks.yaml
+ - namespace.yaml
+ - system-upgrade-controller/ks.yaml
diff --git a/kubernetes/raspberry/system-upgrade/namespace.yaml b/kubernetes/raspberry/system-upgrade/namespace.yaml
new file mode 100644
index 000000000..a9df5e5f8
--- /dev/null
+++ b/kubernetes/raspberry/system-upgrade/namespace.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: system-upgrade
+ labels:
+ kustomize.toolkit.fluxcd.io/prune: disabled
+ pod-security.kubernetes.io/enforce: privileged
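Review bot: `pod-security.kubernetes.io/enforce: privileged` in namespace.yaml lifts Pod Security Admission for every workload in the namespace, not only for the upgrade Jobs that need it; the controller Deployment in this same commit runs non-root with all capabilities dropped, so the label exists for the Jobs created with `SYSTEM_UPGRADE_JOB_PRIVILEGED: true` and should say so, e.g. `# privileged: required by the upgrade Jobs the controller spawns (SYSTEM_UPGRADE_JOB_PRIVILEGED: true in the HelmRelease)`. The `kustomize.toolkit.fluxcd.io/prune: disabled` label likewise deserves a one-line comment, since it is what keeps Flux from deleting the namespace and everything in it when the Kustomization is removed. Both labels are the kind of thing a later "tidy-up" commit drops without realising why they were there.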
diff --git a/bootstrap/templates/kubernetes/apps/system-upgrade/system-upgrade-controller/app/helmrelease.yaml.j2 b/kubernetes/raspberry/system-upgrade/system-upgrade-controller/app/helmrelease.yaml
similarity index 80%
rename from bootstrap/templates/kubernetes/apps/system-upgrade/system-upgrade-controller/app/helmrelease.yaml.j2
rename to kubernetes/raspberry/system-upgrade/system-upgrade-controller/app/helmrelease.yaml
index d35a6c4c2..e5d79bbf5 100644
--- a/bootstrap/templates/kubernetes/apps/system-upgrade/system-upgrade-controller/app/helmrelease.yaml.j2
+++ b/kubernetes/raspberry/system-upgrade/system-upgrade-controller/app/helmrelease.yaml
@@ -1,14 +1,16 @@
 ---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
 name: &app system-upgrade-controller
+ namespace: system-upgrade
 spec:
- interval: 30m
+ interval: 1h
 chart:
 spec:
 chart: app-template
- version: 3.5.0
+ version: 3.5.1
 sourceRef:
 kind: HelmRepository
 name: bjw-s
@@ -24,21 +26,28 @@ spec:
 controllers:
 system-upgrade-controller:
 strategy: RollingUpdate
+ pod:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65534
+ runAsGroup: 65534
+ seccompProfile:
+ type: RuntimeDefault
 containers:
 app:
 image:
 repository: docker.io/rancher/system-upgrade-controller
- tag: v0.14.1
+ tag: v0.14.2
 env:
 SYSTEM_UPGRADE_CONTROLLER_DEBUG: false
 SYSTEM_UPGRADE_CONTROLLER_THREADS: 2
 SYSTEM_UPGRADE_JOB_ACTIVE_DEADLINE_SECONDS: 900
 SYSTEM_UPGRADE_JOB_BACKOFF_LIMIT: 99
 SYSTEM_UPGRADE_JOB_IMAGE_PULL_POLICY: IfNotPresent
- SYSTEM_UPGRADE_JOB_KUBECTL_IMAGE: registry.k8s.io/kubectl:v1.31.1
+ SYSTEM_UPGRADE_JOB_KUBECTL_IMAGE: registry.k8s.io/kubectl:v1.31.2
 SYSTEM_UPGRADE_JOB_PRIVILEGED: true
 SYSTEM_UPGRADE_JOB_TTL_SECONDS_AFTER_FINISH: 900
- SYSTEM_UPGRADE_PLAN_POLLING_INTERVAL: 15m
+ SYSTEM_UPGRADE_PLAN_POLLING_INTERVAL: 1h
 SYSTEM_UPGRADE_CONTROLLER_NAME: *app
 SYSTEM_UPGRADE_CONTROLLER_NAMESPACE:
 valueFrom:
@@ -47,13 +56,11 @@ spec:
 securityContext:
 allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
- capabilities: { drop: ["ALL"] }
- defaultPodOptions:
- securityContext:
- runAsNonRoot: true
- runAsUser: 65534
- runAsGroup: 65534
- seccompProfile: { type: RuntimeDefault }
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
 affinity:
 nodeAffinity:
 requiredDuringSchedulingIgnoredDuringExecution:
diff --git a/bootstrap/templates/kubernetes/apps/system-upgrade/system-upgrade-controller/app/kustomization.yaml.j2 b/kubernetes/raspberry/system-upgrade/system-upgrade-controller/app/kustomization.yaml
similarity index 90%
rename from bootstrap/templates/kubernetes/apps/system-upgrade/system-upgrade-controller/app/kustomization.yaml.j2
rename to kubernetes/raspberry/system-upgrade/system-upgrade-controller/app/kustomization.yaml
index 9026c1a6b..6526cbf60 100644
--- a/bootstrap/templates/kubernetes/apps/system-upgrade/system-upgrade-controller/app/kustomization.yaml.j2
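Review bot: The container-level `seccompProfile: type: RuntimeDefault` added in the second hunk (`@@ -47,13 +56,11 @@`) duplicates the pod-level one added in the first hunk under `pod.securityContext`; a container profile overrides the pod profile, so one of the two is enough, and keeping only the pod-level entry matches where `runAsNonRoot`/`runAsUser` now live. `SYSTEM_UPGRADE_JOB_KUBECTL_IMAGE: registry.k8s.io/kubectl:v1.31.2` is bumped by hand in this commit while the CRD URL and KUBE_VERSION carry `# renovate:` annotations; a matching annotation on that line (`# renovate: datasource=docker depName=registry.k8s.io/kubectl`, if the repo's regex manager accepts that form) would keep it in step with the k3s version. `SYSTEM_UPGRADE_JOB_PRIVILEGED: true` is unchanged and is the reason the new namespace enforces the `privileged` Pod Security level; a comment on that line pointing at namespace.yaml would connect the two. The HelmRelease `values` block continues outside both hunks.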
+++ b/kubernetes/raspberry/system-upgrade/system-upgrade-controller/app/kustomization.yaml
@@ -3,6 +3,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 # renovate: datasource=github-releases depName=rancher/system-upgrade-controller
- - https://github.com/rancher/system-upgrade-controller/releases/download/v0.14.1/crd.yaml
+ - https://github.com/rancher/system-upgrade-controller/releases/download/v0.14.2/crd.yaml
 - helmrelease.yaml
 - rbac.yaml
diff --git a/bootstrap/templates/kubernetes/apps/system-upgrade/system-upgrade-controller/app/rbac.yaml.j2 b/kubernetes/raspberry/system-upgrade/system-upgrade-controller/app/rbac.yaml
similarity index 100%
rename from bootstrap/templates/kubernetes/apps/system-upgrade/system-upgrade-controller/app/rbac.yaml.j2
rename to kubernetes/raspberry/system-upgrade/system-upgrade-controller/app/rbac.yaml
diff --git a/bootstrap/templates/kubernetes/apps/system-upgrade/system-upgrade-controller/ks.yaml.j2 b/kubernetes/raspberry/system-upgrade/system-upgrade-controller/ks.yaml
similarity index 58%
rename from bootstrap/templates/kubernetes/apps/system-upgrade/system-upgrade-controller/ks.yaml.j2
rename to kubernetes/raspberry/system-upgrade/system-upgrade-controller/ks.yaml
index 7fe74b4af..96375821f 100644
--- a/bootstrap/templates/kubernetes/apps/system-upgrade/system-upgrade-controller/ks.yaml.j2
+++ b/kubernetes/raspberry/system-upgrade/system-upgrade-controller/ks.yaml
@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
@@ -9,12 +10,12 @@ spec:
 commonMetadata:
 labels:
 app.kubernetes.io/name: *app
- path: ./kubernetes/apps/system-upgrade/system-upgrade-controller/app
+ path: ./kubernetes/raspberry/system-upgrade/system-upgrade-controller/app
 prune: true
 sourceRef:
 kind: GitRepository
- name: home-kubernetes
+ name: flux-system
 wait: true
- interval: 30m
+ interval: 1h
 retryInterval: 1m
 timeout: 5m