From 49f9aecbb6eb0e2bde1558a990098c60285f6e27 Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Sat, 17 Feb 2024 23:47:37 +0100
Subject: [PATCH] feat(system-upgrade): Split controller service account and
 executer service account

---
 bootstrap/system-upgrades/clusterrolebinding.yaml      |  2 +-
 bootstrap/system-upgrades/serviceaccount.yaml          |  7 ++++++-
 clusters/k8s01/system-upgrades/dns.yaml                | 10 +++++-----
 clusters/k8s01/system-upgrades/iscsid_hotfix.yaml      |  2 +-
 clusters/k8s01/system-upgrades/registry.yaml           | 10 +++++-----
 infrastructure/system-upgrades/disable-syslog.yaml     |  2 +-
 .../system-upgrades/fedora-system-upgrade.yaml         |  2 +-
 .../system-upgrades/fedora-temperature-management.yaml |  3 ++-
 infrastructure/system-upgrades/fedora.yaml             |  2 +-
 infrastructure/system-upgrades/kubelet.yaml            |  2 +-
 infrastructure/system-upgrades/kubernetes.yaml         |  2 +-
 infrastructure/system-upgrades/logrotate.yaml          |  7 +++----
 infrastructure/system-upgrades/longhorn-lvm.yaml       |  2 +-
 infrastructure/system-upgrades/longhorn-setup.yaml     |  2 +-
 14 files changed, 30 insertions(+), 25 deletions(-)

diff --git a/bootstrap/system-upgrades/clusterrolebinding.yaml b/bootstrap/system-upgrades/clusterrolebinding.yaml
index 1c30e7f06..e8da22cd2 100644
--- a/bootstrap/system-upgrades/clusterrolebinding.yaml
+++ b/bootstrap/system-upgrades/clusterrolebinding.yaml
@@ -9,7 +9,7 @@ roleRef:
   name: system-upgrade-controller-drainer
 subjects:
 - kind: ServiceAccount
-  name: system-upgrade
+  name: system-upgrade-executer
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
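Review bot: The ServiceAccount subject renamed here carries only `kind` and `name`, and the document ends right after it, so no `namespace:` is visible for `system-upgrade-executer`. If this document is a ClusterRoleBinding, the API requires a namespace on ServiceAccount subjects, so unless an overlay outside this patch (for example a Kustomize namespace setting) fills it in, add `  namespace: <system-upgrade-namespace>` under the name. The second binding begins at the end of the hunk and continues outside it; it is worth confirming that it still names `system-upgrade` and grants the controller account nothing the job account now covers.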
diff --git a/bootstrap/system-upgrades/serviceaccount.yaml b/bootstrap/system-upgrades/serviceaccount.yaml
index fbc97293c..6b126f3e6 100644
--- a/bootstrap/system-upgrades/serviceaccount.yaml
+++ b/bootstrap/system-upgrades/serviceaccount.yaml
@@ -2,4 +2,9 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: system-upgrade
\ No newline at end of file
+  name: system-upgrade
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: system-upgrade-executer
\ No newline at end of file
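Review bot: Nothing in this file tells a reader which of the two ServiceAccounts belongs to the controller and which to the Plan jobs, and that distinction is the whole point of the split. A comment above each document would record it, for example `# Referenced by Plans via serviceAccountName; bound to system-upgrade-controller-drainer` above `system-upgrade-executer`. The new side also still ends without a final newline, so the next document appended here will again rewrite the last line.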
diff --git a/clusters/k8s01/system-upgrades/dns.yaml b/clusters/k8s01/system-upgrades/dns.yaml
index 4f25a0bcf..cf9d2404a 100644
--- a/clusters/k8s01/system-upgrades/dns.yaml
+++ b/clusters/k8s01/system-upgrades/dns.yaml
@@ -14,8 +14,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2023-03-18T18:27:42Z"
-    mac: ENC[AES256_GCM,data:5MqduGX/jfJFIJl3xEQZdXJl7/qDcigDEe5tWglV6s5oJNYBp++eO8+6dQkI5VB/iL67LQzKYDG8tWTPKwgkBzlBJNpketA/A23/bNLmhZpIORY+ppaqOpJvh+GNgNJDMVHahfptk0WxSuVwg02j70h+UcvQ6rD/EeCcJjfbJ3I=,iv:Aryc/Irz/VC+SgSjwQnAxw9hLFUad1siYJVB28zsnI8=,tag:sMtNEIj5tIHzqXKKK+I2mg==,type:str]
+    lastmodified: "2024-02-17T22:50:28Z"
+    mac: ENC[AES256_GCM,data:zS3YEPWCK6rHy9tb7lj9SBdb9mSQr57FCT0Ok01mNYeQLG5nZF6AQtmUos854nnmMLF1cjSDw8QXb09nij49+iCa/wMVuSiN7+OM+PoIAt9zTWIBsf4+xJtHz7d1/yjuuhdS8UaINRHvINBhfVh3FAbPLIv877yHxffe0D1EOEM=,iv:BvAhmaU35hPM66V+oP7dBvwpwXDLB+/Ti7LRWoI2w+g=,tag:XZHBjI+98lMVAwNGYuiSMg==,type:str]
     pgp:
         - created_at: "2022-04-28T22:36:58Z"
           enc: |-
@@ -74,7 +74,7 @@ spec:
               operator: In
               values:
                 - fedora
-    serviceAccountName: system-upgrade
+    serviceAccountName: system-upgrade-executer
     secrets:
         - name: fedora-configure-dns
           path: /host/run/system-upgrade/secrets/fedora
@@ -97,8 +97,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2023-03-18T18:27:42Z"
-    mac: ENC[AES256_GCM,data:5MqduGX/jfJFIJl3xEQZdXJl7/qDcigDEe5tWglV6s5oJNYBp++eO8+6dQkI5VB/iL67LQzKYDG8tWTPKwgkBzlBJNpketA/A23/bNLmhZpIORY+ppaqOpJvh+GNgNJDMVHahfptk0WxSuVwg02j70h+UcvQ6rD/EeCcJjfbJ3I=,iv:Aryc/Irz/VC+SgSjwQnAxw9hLFUad1siYJVB28zsnI8=,tag:sMtNEIj5tIHzqXKKK+I2mg==,type:str]
+    lastmodified: "2024-02-17T22:50:28Z"
+    mac: ENC[AES256_GCM,data:zS3YEPWCK6rHy9tb7lj9SBdb9mSQr57FCT0Ok01mNYeQLG5nZF6AQtmUos854nnmMLF1cjSDw8QXb09nij49+iCa/wMVuSiN7+OM+PoIAt9zTWIBsf4+xJtHz7d1/yjuuhdS8UaINRHvINBhfVh3FAbPLIv877yHxffe0D1EOEM=,iv:BvAhmaU35hPM66V+oP7dBvwpwXDLB+/Ti7LRWoI2w+g=,tag:XZHBjI+98lMVAwNGYuiSMg==,type:str]
     pgp:
         - created_at: "2022-04-28T22:36:58Z"
           enc: |-
diff --git a/clusters/k8s01/system-upgrades/iscsid_hotfix.yaml b/clusters/k8s01/system-upgrades/iscsid_hotfix.yaml
index f8795328c..6d87269e8 100644
--- a/clusters/k8s01/system-upgrades/iscsid_hotfix.yaml
+++ b/clusters/k8s01/system-upgrades/iscsid_hotfix.yaml
@@ -51,7 +51,7 @@ spec:
           - "35"
           - "36"
           - "37"
-  serviceAccountName: system-upgrade
+  serviceAccountName: system-upgrade-executer
   secrets:
     - name: fedora-install-iscsi-hotfix
       path: /host/run/system-upgrade/secrets/fedora
diff --git a/clusters/k8s01/system-upgrades/registry.yaml b/clusters/k8s01/system-upgrades/registry.yaml
index 92f2b3ad9..0bd78d4a8 100644
--- a/clusters/k8s01/system-upgrades/registry.yaml
+++ b/clusters/k8s01/system-upgrades/registry.yaml
@@ -13,8 +13,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2023-03-18T18:28:08Z"
-    mac: ENC[AES256_GCM,data:SVU3XUNB5dGrhMBfeMXchdMAUK3JiG4UppcPjHKYJCLdplbOCkxauwe2WdPzMcHx1CSNho2tFL+tbMqIdzZRp7pw0HMfL/m+5cSrnLEwdlhOubevf6h3zyiA/WaO9LpvsZp+OBcFUNHqlbGi74GDJwhna3aizr5qbvCX4KybTac=,iv:qRFVg/0IAgO3eMXCKo57pVdq28DRlQkjkkn3Acn5lKM=,tag:gcrkIVLhhL+Jag5g3pUlEg==,type:str]
+    lastmodified: "2024-02-17T22:49:46Z"
+    mac: ENC[AES256_GCM,data:hUZLz2wH5Nq3TmnZp+tiHzkQ5/LBQ0RGJgb0ShGc4BNqWPr1GihMpx9ZxgIra8vPuMZOePFtoMZmwY4cko0csXGdHOAEVPjGJSEEoR7kQ9Gq+QQkklIA/4cZ7PFGSnwnNe18EfbQqM/SAVd08L0N0SBmAu222gUnj32jaeHdANU=,iv:bXOhebWxFvvQgRfWQB/SOWr8ZOiNeIS/mKs9Kl8NBQs=,tag:uK/QOkZwBWuNFcRJXLoAig==,type:str]
     pgp:
         - created_at: "2022-01-21T21:30:49Z"
           enc: |-
@@ -73,7 +73,7 @@ spec:
               operator: In
               values:
                 - fedora
-    serviceAccountName: system-upgrade
+    serviceAccountName: system-upgrade-executer
     secrets:
         - name: crio-registry-config
           path: /host/run/system-upgrade/secrets/crio-registry-config
@@ -92,8 +92,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2023-03-18T18:28:08Z"
-    mac: ENC[AES256_GCM,data:SVU3XUNB5dGrhMBfeMXchdMAUK3JiG4UppcPjHKYJCLdplbOCkxauwe2WdPzMcHx1CSNho2tFL+tbMqIdzZRp7pw0HMfL/m+5cSrnLEwdlhOubevf6h3zyiA/WaO9LpvsZp+OBcFUNHqlbGi74GDJwhna3aizr5qbvCX4KybTac=,iv:qRFVg/0IAgO3eMXCKo57pVdq28DRlQkjkkn3Acn5lKM=,tag:gcrkIVLhhL+Jag5g3pUlEg==,type:str]
+    lastmodified: "2024-02-17T22:49:46Z"
+    mac: ENC[AES256_GCM,data:hUZLz2wH5Nq3TmnZp+tiHzkQ5/LBQ0RGJgb0ShGc4BNqWPr1GihMpx9ZxgIra8vPuMZOePFtoMZmwY4cko0csXGdHOAEVPjGJSEEoR7kQ9Gq+QQkklIA/4cZ7PFGSnwnNe18EfbQqM/SAVd08L0N0SBmAu222gUnj32jaeHdANU=,iv:bXOhebWxFvvQgRfWQB/SOWr8ZOiNeIS/mKs9Kl8NBQs=,tag:uK/QOkZwBWuNFcRJXLoAig==,type:str]
     pgp:
         - created_at: "2022-01-21T21:30:49Z"
           enc: |-
diff --git a/infrastructure/system-upgrades/disable-syslog.yaml b/infrastructure/system-upgrades/disable-syslog.yaml
index 1b3b8a464..1abfcae8f 100644
--- a/infrastructure/system-upgrades/disable-syslog.yaml
+++ b/infrastructure/system-upgrades/disable-syslog.yaml
@@ -32,7 +32,7 @@ spec:
         values:
           - "36"
           - "37"
-  serviceAccountName: system-upgrade
+  serviceAccountName: system-upgrade-executer
   secrets:
     - name: disable-syslog
       path: /host/run/system-upgrade/secrets/disable-syslog
diff --git a/infrastructure/system-upgrades/fedora-system-upgrade.yaml b/infrastructure/system-upgrades/fedora-system-upgrade.yaml
index 3353a6ec6..594b09f71 100644
--- a/infrastructure/system-upgrades/fedora-system-upgrade.yaml
+++ b/infrastructure/system-upgrades/fedora-system-upgrade.yaml
@@ -39,7 +39,7 @@ spec:
         operator: In
         values:
           - "true"
-  serviceAccountName: system-upgrade
+  serviceAccountName: system-upgrade-executer
   secrets:
     - name: fedora-38-to-39-system-upgrade
       path: /host/run/system-upgrade/secrets/fedora
diff --git a/infrastructure/system-upgrades/fedora-temperature-management.yaml b/infrastructure/system-upgrades/fedora-temperature-management.yaml
index 241b23a9e..b34f15785 100644
--- a/infrastructure/system-upgrades/fedora-temperature-management.yaml
+++ b/infrastructure/system-upgrades/fedora-temperature-management.yaml
@@ -57,7 +57,8 @@ spec:
         values:
           - "37"
           - "38"
-  serviceAccountName: system-upgrade
+          - "39"
+  serviceAccountName: system-upgrade-executer
   secrets:
     - name: fedora-install-temperature-management
       path: /host/run/system-upgrade/secrets/fedora
diff --git a/infrastructure/system-upgrades/fedora.yaml b/infrastructure/system-upgrades/fedora.yaml
index 4e63b44c0..a608a9eae 100644
--- a/infrastructure/system-upgrades/fedora.yaml
+++ b/infrastructure/system-upgrades/fedora.yaml
@@ -41,7 +41,7 @@ spec:
           - "37"
           - "38"
           - "39"
-  serviceAccountName: system-upgrade
+  serviceAccountName: system-upgrade-executer
   secrets:
     - name: fedora-dnf-upgrade
       path: /host/run/system-upgrade/secrets/fedora
diff --git a/infrastructure/system-upgrades/kubelet.yaml b/infrastructure/system-upgrades/kubelet.yaml
index daed3ec61..ed43a1a2f 100644
--- a/infrastructure/system-upgrades/kubelet.yaml
+++ b/infrastructure/system-upgrades/kubelet.yaml
@@ -42,7 +42,7 @@ spec:
           - "37"
           - "38"
           - "39"
-  serviceAccountName: system-upgrade
+  serviceAccountName: serviceAccountName: system-upgrade-executer
   drain:
     deleteLocalData: true
     ignoreDaemonSets: true
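Review bot: The added line repeats the key, `serviceAccountName: serviceAccountName: system-upgrade-executer`, which is not valid YAML because a plain scalar cannot contain `: `. The kubelet Plan will most likely fail to parse and never be applied; depending on how the directory is reconciled, that could block the sibling manifests too. It should read `serviceAccountName: system-upgrade-executer`. This is also the one Plan in the patch with a visible `drain:` section, so it is the one that actually depends on the drainer binding moved to the new account.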
diff --git a/infrastructure/system-upgrades/kubernetes.yaml b/infrastructure/system-upgrades/kubernetes.yaml
index 886fe197e..f073d4566 100644
--- a/infrastructure/system-upgrades/kubernetes.yaml
+++ b/infrastructure/system-upgrades/kubernetes.yaml
@@ -85,7 +85,7 @@ spec:
           - "39"
       - key: node-role.kubernetes.io/control-plane
         operator: Exists
-  serviceAccountName: system-upgrade
+  serviceAccountName: system-upgrade-executer
   secrets:
     - name: kubernetes-upgrade
       path: /host/run/system-upgrade/secrets/kubernetes-upgrade
diff --git a/infrastructure/system-upgrades/logrotate.yaml b/infrastructure/system-upgrades/logrotate.yaml
index dacff3253..538296c58 100644
--- a/infrastructure/system-upgrades/logrotate.yaml
+++ b/infrastructure/system-upgrades/logrotate.yaml
@@ -45,10 +45,9 @@ spec:
       - key: feature.node.kubernetes.io/system-os_release.VERSION_ID.major
         operator: In
         values:
-          - "35"
-          - "36"
-          - "37"
-  serviceAccountName: system-upgrade
+          - "38"
+          - "39"
+  serviceAccountName: system-upgrade-executer
   secrets:
     - name: logrotate-setup
       path: /host/run/system-upgrade/secrets/logrotate-setup
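Review bot: The node selector change from `"35"`, `"36"`, `"37"` to `"38"`, `"39"` is unrelated to the service-account split named in the subject, and it drops `"37"` while other Plans in this patch (fedora.yaml, kubelet.yaml) still list it. Any node still on release 37 would stop matching the logrotate Plan; if that is intended, it belongs in its own commit or at least in the commit message. The same applies to the `"39"` entry added in fedora-temperature-management.yaml. The Plan spec continues outside this hunk.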
diff --git a/infrastructure/system-upgrades/longhorn-lvm.yaml b/infrastructure/system-upgrades/longhorn-lvm.yaml
index bb561190b..ece200ebd 100644
--- a/infrastructure/system-upgrades/longhorn-lvm.yaml
+++ b/infrastructure/system-upgrades/longhorn-lvm.yaml
@@ -75,7 +75,7 @@ spec:
     matchExpressions:
       - key: plan.upgrade.cattle.io/longhorn-setup
         operator: Exists
-  serviceAccountName: system-upgrade
+  serviceAccountName: system-upgrade-executer
   secrets:
     - name: longhorn-lvm
       path: /host/run/system-upgrade/secrets/longhorn-lvm
diff --git a/infrastructure/system-upgrades/longhorn-setup.yaml b/infrastructure/system-upgrades/longhorn-setup.yaml
index ccfcb91db..51cc97920 100644
--- a/infrastructure/system-upgrades/longhorn-setup.yaml
+++ b/infrastructure/system-upgrades/longhorn-setup.yaml
@@ -34,7 +34,7 @@ spec:
         values:
           - "37"
           - "38"
-  serviceAccountName: system-upgrade
+  serviceAccountName: system-upgrade-executer
   secrets:
     - name: longhorn-setup
       path: /host/run/system-upgrade/secrets/longhorn-setup
-- 
GitLab