Update unattended-upgrades

addons/unattended-upgrades/README.md

@@ -17,25 +17,28 @@ This addon provides bunch of DaemonSets and operators:
   DaemonSet that will install `unattended-upgrades`
 * **RHEL/CentOS/Rocky Linux/Amazon Linux 2**
   DaemonSet that will install and configure `yum-cron`/`dnf-automatic`
-* **Debian/Ubuntu/RHEL/CentOS/Rocky Linux/Amazon Linux 2**
-  [Kured](https://github.com/weaveworks/kured) (DaemonSet and operator) that
-  will orchestrate node rebootes in case when it's required (kernel upgrades)
 * **Flatcar Linux**
   [Flatcar Linux Update Operator](https://github.com/kinvolk/flatcar-linux-update-operator)
 
 ## Deployment instructions
 
-Copy files from this directory to your configured addons directory.
-
-In `kubeone.yaml` config:
+In `kubeone.yaml` config add:
 ```yaml
 addons:
   enable: true
-  path: "./addons"
+  addons:
+    - name: "unattended-upgrades"
 ```
 
 ## Information about permissions
 
 Since daemonSets provided by this addon are making changes on the nodes
 themselves they require elevated permissions like full root access to the host
 machine.
+
+## Development
+
+### Generate Flatcar Linux Update Operator YAML
+```shell
+kubectl kustomize ./fluo > fluo.yaml
+```

addons/unattended-upgrades/apt.yaml

@@ -19,43 +19,44 @@ spec:
         nodeAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:
             nodeSelectorTerms:
-            - matchExpressions:
-              - key: v1.machine-controller.kubermatic.io/operating-system
-                operator: In
-                values:
-                - ubuntu
-            - matchExpressions:
-              - key: v1.kubeone.io/operating-system
-                operator: In
-                values:
-                - ubuntu
-                - debian
+              - matchExpressions:
+                  - key: v1.machine-controller.kubermatic.io/operating-system
+                    operator: In
+                    values:
+                      - ubuntu
+              - matchExpressions:
+                  - key: v1.kubeone.io/operating-system
+                    operator: In
+                    values:
+                      - ubuntu
+                      - debian
       tolerations:
-      - key: node-role.kubernetes.io/control-plane
-        effect: NoSchedule
-      - key: node-role.kubernetes.io/master
-        effect: NoSchedule
+        - key: node-role.kubernetes.io/control-plane
+          effect: NoSchedule
+        - key: node-role.kubernetes.io/master
+          effect: NoSchedule
       hostPID: true
       containers:
-      - name: "unattended-upgrades-install"
-        image: "alpine:3.12.4"
-        securityContext:
-          privileged: true
-        command:
-        - /bin/sh
-        - -c
-        - |
-          set -xeuo pipefail
-          apk add --no-cache bash util-linux
-          nsenter -t 1 -m -u -i -n -p -- bash -c "${STARTUP_SCRIPT}"
-          sleep inf
-        env:
-        - name: STARTUP_SCRIPT
-          value: |
-            set -xeuo pipefail
-            export DEBIAN_FRONTEND=noninteractive
-            apt-get install -y --no-install-recommends \
-              apt-utils \
-              unattended-upgrades
-            echo unattended-upgrades unattended-upgrades/enable_auto_updates boolean true | debconf-set-selections
-            dpkg-reconfigure -f noninteractive unattended-upgrades
+        - name: "unattended-upgrades-install"
+          image: "alpine:3"
+          imagePullPolicy: Always
+          securityContext:
+            privileged: true
+          command:
+            - /bin/sh
+            - -c
+            - |
+              set -xeuo pipefail
+              apk add --no-cache bash util-linux
+              nsenter -t 1 -m -u -i -n -p -- bash -c "${STARTUP_SCRIPT}"
+              sleep inf
+          env:
+            - name: STARTUP_SCRIPT
+              value: |
+                set -xeuo pipefail
+                export DEBIAN_FRONTEND=noninteractive
+                apt-get install -y --no-install-recommends \
+                  apt-utils \
+                  unattended-upgrades
+                echo unattended-upgrades unattended-upgrades/enable_auto_updates boolean true | debconf-set-selections
+                dpkg-reconfigure -f noninteractive unattended-upgrades

addons/unattended-upgrades/fluo.yaml

@@ -121,6 +121,7 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: flatcar-linux-update-agent
+  namespace: reboot-coordinator
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
@@ -134,6 +135,7 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: flatcar-linux-update-operator-sa
+  namespace: reboot-coordinator
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -198,7 +200,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: {{ Registry "ghcr.io" }}/flatcar/flatcar-linux-update-operator:v0.9.0
+        image: '{{ Registry "ghcr.io" }}/flatcar/flatcar-linux-update-operator:v0.10.0-rc1'
         name: update-operator
       serviceAccountName: flatcar-linux-update-operator-sa
       tolerations:
@@ -249,7 +251,7 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
-        image: {{ Registry "ghcr.io" }}/flatcar/flatcar-linux-update-operator:v0.9.0
+        image: '{{ Registry "ghcr.io" }}/flatcar/flatcar-linux-update-operator:v0.10.0-rc1'
         name: update-agent
         securityContext:
           runAsUser: 0

addons/unattended-upgrades/fluo/Kustomization

@@ -0,0 +1,61 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: reboot-coordinator
+
+resources:
+  - https://github.com/flatcar/flatcar-linux-update-operator/examples/deploy?ref=v0.10.0-rc1
+
+patches:
+  - target:
+      group: apps
+      version: v1
+      kind: Deployment
+      name: flatcar-linux-update-operator
+    patch: |-
+      - op: add
+        path: /spec/template/spec/affinity
+        value:
+          nodeAffinity:
+            requiredDuringSchedulingIgnoredDuringExecution:
+              nodeSelectorTerms:
+                - matchExpressions:
+                  - key: v1.machine-controller.kubermatic.io/operating-system
+                    operator: In
+                    values:
+                    - flatcar
+                - matchExpressions:
+                  - key: v1.kubeone.io/operating-system
+                    operator: In
+                    values:
+                    - flatcar
+      - op: replace
+        path: /spec/template/spec/containers/0/image
+        value: |-
+          {{ Registry "ghcr.io" }}/flatcar/flatcar-linux-update-operator:v0.10.0-rc1
+
+  - target:
+      group: apps
+      version: v1
+      kind: DaemonSet
+      name: flatcar-linux-update-agent
+    patch: |-
+      - op: add
+        path: /spec/template/spec/affinity
+        value:
+          nodeAffinity:
+            requiredDuringSchedulingIgnoredDuringExecution:
+              nodeSelectorTerms:
+                - matchExpressions:
+                  - key: v1.machine-controller.kubermatic.io/operating-system
+                    operator: In
+                    values:
+                    - flatcar
+                - matchExpressions:
+                  - key: v1.kubeone.io/operating-system
+                    operator: In
+                    values:
+                    - flatcar
+      - op: replace
+        path: /spec/template/spec/containers/0/image
+        value: |-
+          {{ Registry "ghcr.io" }}/flatcar/flatcar-linux-update-operator:v0.10.0-rc1

addons/unattended-upgrades/kured.yaml

@@ -1,170 +1,9 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: kured
-rules:
-# Allow kured to read spec.unschedulable
-# Allow kubectl to drain/uncordon
+# This manifest was dropped in favour of the upstream helm chart
+# see more at https://github.com/kubereboot/charts/tree/main/charts/kured
 #
-# NB: These permissions are tightly coupled to the bundled version of kubectl; the ones below
-# match https://github.com/kubernetes/kubernetes/blob/v1.19.4/staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go
-#
-- apiGroups: [""]
-  resources: ["nodes"]
-  verbs:     ["get", "patch"]
-- apiGroups: [""]
-  resources: ["pods"]
-  verbs:     ["list","delete","get"]
-- apiGroups: ["apps"]
-  resources: ["daemonsets"]
-  verbs:     ["get"]
-- apiGroups: [""]
-  resources: ["pods/eviction"]
-  verbs:     ["create"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: kured
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: kured
-subjects:
-- kind: ServiceAccount
-  name: kured
-  namespace: kube-system
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  namespace: kube-system
-  name: kured
-rules:
-# Allow kured to lock/unlock itself
-- apiGroups:     ["apps"]
-  resources:     ["daemonsets"]
-  resourceNames: ["kured"]
-  verbs:         ["update"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  namespace: kube-system
-  name: kured
-subjects:
-- kind: ServiceAccount
-  namespace: kube-system
-  name: kured
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: kured
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: kured
-  namespace: kube-system
----
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  name: kured # Must match `--ds-name`
-  namespace: kube-system # Must match `--ds-namespace`
-spec:
-  selector:
-    matchLabels:
-      name: kured
-  updateStrategy:
-    type: RollingUpdate
-  template:
-    metadata:
-      labels:
-        name: kured
-    spec:
-      affinity:
-        nodeAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-            nodeSelectorTerms:
-            - matchExpressions:
-              - key: v1.machine-controller.kubermatic.io/operating-system
-                operator: In
-                values:
-                - amzn
-                - centos
-                - rhel
-                - rockylinux
-                - ubuntu
-            - matchExpressions:
-              - key: v1.kubeone.io/operating-system
-                operator: In
-                values:
-                - amzn
-                - centos
-                - debian
-                - rhel
-                - rockylinux
-                - ubuntu
-      serviceAccountName: kured
-      tolerations:
-        - key: node-role.kubernetes.io/control-plane
-          effect: NoSchedule
-        - key: node-role.kubernetes.io/master
-          effect: NoSchedule
-      hostPID: true # Facilitate entering the host mount namespace via init
-      restartPolicy: Always
-      containers:
-        - name: kured
-          # If you find yourself here wondering why there is no
-          # :latest tag on Docker Hub,see the FAQ in the README
-          image: {{ Registry "ghcr.io" }}/kubereboot/kured:1.13.2
-          imagePullPolicy: IfNotPresent
-          securityContext:
-            privileged: true # Give permission to nsenter /proc/1/ns/mnt
-          ports:
-            - containerPort: 8080
-              name: metrics
-          env:
-            # Pass in the name of the node on which this pod is scheduled
-            # for use with drain/uncordon operations and lock acquisition
-            - name: KURED_NODE_ID
-              valueFrom:
-                fieldRef:
-                  fieldPath: spec.nodeName
-          command:
-            - /usr/bin/kured
-#            - --force-reboot=false
-#            - --drain-grace-period=-1
-#            - --skip-wait-for-delete-timeout=0
-#            - --drain-timeout=0
-#            - --period=1h
-#            - --ds-namespace=kube-system
-#            - --ds-name=kured
-#            - --lock-annotation=weave.works/kured-node-lock
-#            - --lock-ttl=0
-#            - --prometheus-url=http://prometheus.monitoring.svc.cluster.local
-#            - --alert-filter-regexp=^RebootRequired$
-#            - --alert-firing-only=false
-#            - --reboot-sentinel=/var/run/reboot-required
-#            - --prefer-no-schedule-taint=""
-#            - --reboot-sentinel-command=""
-#            - --slack-hook-url=https://hooks.slack.com/...
-#            - --slack-username=prod
-#            - --slack-channel=alerting
-#            - --notify-url="" # See also shoutrrr url format
-#            - --message-template-drain=Draining node %s
-#            - --message-template-reboot=Rebooting node %s
-#            - --message-template-uncordon=Node %s rebooted & uncordoned successfully!
-#            - --blocking-pod-selector=runtime=long,cost=expensive
-#            - --blocking-pod-selector=name=temperamental
-#            - --blocking-pod-selector=...
-#            - --reboot-days=sun,mon,tue,wed,thu,fri,sat
-#            - --reboot-delay=90s
-#            - --start-time=0:00
-#            - --end-time=23:59:59
-#            - --time-zone=UTC
-#            - --annotate-nodes=false
-#            - --lock-release-delay=30m
-#            - --log-format=text
+# Manual replacement in KubeOne API could be:
+# helmReleases:
+#   - chart: kured
+#     repoURL: https://kubereboot.github.io/charts
+#     namespace: kube-system
+#     version: 5.4.2