diff --git a/bootstrap/system-upgrades/clusterrole.yaml b/bootstrap/system-upgrades/clusterrole.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..ef2f99b3a26e780a4414739cec3640aee888dd96
--- /dev/null
+++ b/bootstrap/system-upgrades/clusterrole.yaml
@@ -0,0 +1,61 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system-upgrade-controller
+rules:
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  verbs:
+  - create
+  - delete
+  - deletecollection
+  - patch
+  - update
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - upgrade.cattle.io
+  resources:
+  - plans
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - patch
+  - delete
+---
+# Borrowed from https://stackoverflow.com/a/63553032
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system-upgrade-controller-drainer
+rules:
+  # Needed to evict pods
+  - apiGroups: [""]
+    resources: ["pods/eviction"]
+    verbs: ["create"]
+  # Needed to list pods by Node
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list"]
+  # Needed to cordon Nodes
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "patch"]
+  # Needed to determine Pod owners
+  - apiGroups: ["apps"]
+    resources: ["statefulsets"]
+    verbs: ["get", "list"]
+  # Needed to determine Pod owners
+  - apiGroups: ["extensions"]
+    resources: ["daemonsets", "replicasets"]
+    verbs: ["get", "list"]
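Review bot: The `secrets` rule in `system-upgrade-controller` gives the `system-upgrade` service account get/list/watch on every Secret in the cluster, because clusterrolebinding.yaml binds this ClusterRole cluster-wide. If the controller only reads Secrets that Plans reference from its own namespace (an assumption to confirm before merging), that rule belongs in a namespaced Role and RoleBinding, as sketched below, with the new objects added to the kustomization `resources`. In the drainer role, the last rule names the `extensions` group for `daemonsets` and `replicasets`; the v1.28 level pinned in namespace.yaml suggests a cluster where those are served only from `apps`, so `apiGroups: ["apps"]` is likely what the owner lookup needs.

```yaml
# … unchanged: jobs and plans rules of system-upgrade-controller; its secrets rule is dropped …
---
# Namespace is set to system-upgrade by the kustomization's `namespace:` field.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: system-upgrade-controller-secrets
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: system-upgrade-controller-secrets
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: system-upgrade-controller-secrets
subjects:
- kind: ServiceAccount
  name: system-upgrade
  namespace: system-upgrade
```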
diff --git a/bootstrap/system-upgrades/clusterrolebinding.yaml b/bootstrap/system-upgrades/clusterrolebinding.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..4a1ae37fecc4a954385fec49c8210be134cea972
--- /dev/null
+++ b/bootstrap/system-upgrades/clusterrolebinding.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system-upgrade-drainer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system-upgrade-controller-drainer
+subjects:
+- kind: ServiceAccount
+  name: system-upgrade
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system-upgrade
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system-upgrade-controller
+subjects:
+- kind: ServiceAccount
+  name: system-upgrade
\ No newline at end of file
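Review bot: Both `subjects` entries (in `system-upgrade-drainer` and in `system-upgrade`) name a ServiceAccount without a `namespace`, which the API server requires for ServiceAccount subjects of a ClusterRoleBinding. As far as I know, the kustomize `namespace:` transformer fills this field by default only for subjects named `default`, so the rendered bindings may be rejected or may not match the account; check the output of `kustomize build`. Adding `namespace: system-upgrade` under each `name: system-upgrade` makes the binding explicit and independent of transformer behaviour.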
diff --git a/bootstrap/system-upgrades/crd.yaml b/bootstrap/system-upgrades/crd.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..6fb5343a16a251f296c929102d69a32a67c84be7
--- /dev/null
+++ b/bootstrap/system-upgrades/crd.yaml
@@ -0,0 +1,642 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: plans.upgrade.cattle.io
+spec:
+  group: upgrade.cattle.io
+  names:
+    categories:
+    - upgrade
+    kind: Plan
+    plural: plans
+    singular: plan
+  preserveUnknownFields: false
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.upgrade.image
+      name: Image
+      type: string
+    - jsonPath: .spec.channel
+      name: Channel
+      type: string
+    - jsonPath: .spec.version
+      name: Version
+      type: string
+    name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            properties:
+              channel:
+                nullable: true
+                type: string
+              concurrency:
+                type: integer
+              cordon:
+                type: boolean
+              drain:
+                nullable: true
+                properties:
+                  deleteEmptydirData:
+                    nullable: true
+                    type: boolean
+                  deleteLocalData:
+                    nullable: true
+                    type: boolean
+                  disableEviction:
+                    type: boolean
+                  force:
+                    type: boolean
+                  gracePeriod:
+                    nullable: true
+                    type: integer
+                  ignoreDaemonSets:
+                    nullable: true
+                    type: boolean
+                  podSelector:
+                    nullable: true
+                    properties:
+                      matchExpressions:
+                        items:
+                          properties:
+                            key:
+                              nullable: true
+                              type: string
+                            operator:
+                              nullable: true
+                              type: string
+                            values:
+                              items:
+                                nullable: true
+                                type: string
+                              nullable: true
+                              type: array
+                          type: object
+                        nullable: true
+                        type: array
+                      matchLabels:
+                        additionalProperties:
+                          nullable: true
+                          type: string
+                        nullable: true
+                        type: object
+                    type: object
+                  skipWaitForDeleteTimeout:
+                    type: integer
+                  timeout:
+                    nullable: true
+                    type: integer
+                type: object
+              exclusive:
+                type: boolean
+              imagePullSecrets:
+                items:
+                  properties:
+                    name:
+                      nullable: true
+                      type: string
+                  type: object
+                nullable: true
+                type: array
+              jobActiveDeadlineSecs:
+                type: integer
+              nodeSelector:
+                nullable: true
+                properties:
+                  matchExpressions:
+                    items:
+                      properties:
+                        key:
+                          nullable: true
+                          type: string
+                        operator:
+                          nullable: true
+                          type: string
+                        values:
+                          items:
+                            nullable: true
+                            type: string
+                          nullable: true
+                          type: array
+                      type: object
+                    nullable: true
+                    type: array
+                  matchLabels:
+                    additionalProperties:
+                      nullable: true
+                      type: string
+                    nullable: true
+                    type: object
+                type: object
+              prepare:
+                nullable: true
+                properties:
+                  args:
+                    items:
+                      nullable: true
+                      type: string
+                    nullable: true
+                    type: array
+                  command:
+                    items:
+                      nullable: true
+                      type: string
+                    nullable: true
+                    type: array
+                  envFrom:
+                    items:
+                      properties:
+                        configMapRef:
+                          nullable: true
+                          properties:
+                            name:
+                              nullable: true
+                              type: string
+                            optional:
+                              nullable: true
+                              type: boolean
+                          type: object
+                        prefix:
+                          nullable: true
+                          type: string
+                        secretRef:
+                          nullable: true
+                          properties:
+                            name:
+                              nullable: true
+                              type: string
+                            optional:
+                              nullable: true
+                              type: boolean
+                          type: object
+                      type: object
+                    nullable: true
+                    type: array
+                  envs:
+                    items:
+                      properties:
+                        name:
+                          nullable: true
+                          type: string
+                        value:
+                          nullable: true
+                          type: string
+                        valueFrom:
+                          nullable: true
+                          properties:
+                            configMapKeyRef:
+                              nullable: true
+                              properties:
+                                key:
+                                  nullable: true
+                                  type: string
+                                name:
+                                  nullable: true
+                                  type: string
+                                optional:
+                                  nullable: true
+                                  type: boolean
+                              type: object
+                            fieldRef:
+                              nullable: true
+                              properties:
+                                apiVersion:
+                                  nullable: true
+                                  type: string
+                                fieldPath:
+                                  nullable: true
+                                  type: string
+                              type: object
+                            resourceFieldRef:
+                              nullable: true
+                              properties:
+                                containerName:
+                                  nullable: true
+                                  type: string
+                                divisor:
+                                  nullable: true
+                                  type: string
+                                resource:
+                                  nullable: true
+                                  type: string
+                              type: object
+                            secretKeyRef:
+                              nullable: true
+                              properties:
+                                key:
+                                  nullable: true
+                                  type: string
+                                name:
+                                  nullable: true
+                                  type: string
+                                optional:
+                                  nullable: true
+                                  type: boolean
+                              type: object
+                          type: object
+                      type: object
+                    nullable: true
+                    type: array
+                  image:
+                    nullable: true
+                    type: string
+                  securityContext:
+                    nullable: true
+                    properties:
+                      allowPrivilegeEscalation:
+                        nullable: true
+                        type: boolean
+                      capabilities:
+                        nullable: true
+                        properties:
+                          add:
+                            items:
+                              nullable: true
+                              type: string
+                            nullable: true
+                            type: array
+                          drop:
+                            items:
+                              nullable: true
+                              type: string
+                            nullable: true
+                            type: array
+                        type: object
+                      privileged:
+                        nullable: true
+                        type: boolean
+                      procMount:
+                        nullable: true
+                        type: string
+                      readOnlyRootFilesystem:
+                        nullable: true
+                        type: boolean
+                      runAsGroup:
+                        nullable: true
+                        type: integer
+                      runAsNonRoot:
+                        nullable: true
+                        type: boolean
+                      runAsUser:
+                        nullable: true
+                        type: integer
+                      seLinuxOptions:
+                        nullable: true
+                        properties:
+                          level:
+                            nullable: true
+                            type: string
+                          role:
+                            nullable: true
+                            type: string
+                          type:
+                            nullable: true
+                            type: string
+                          user:
+                            nullable: true
+                            type: string
+                        type: object
+                      seccompProfile:
+                        nullable: true
+                        properties:
+                          localhostProfile:
+                            nullable: true
+                            type: string
+                          type:
+                            nullable: true
+                            type: string
+                        type: object
+                      windowsOptions:
+                        nullable: true
+                        properties:
+                          gmsaCredentialSpec:
+                            nullable: true
+                            type: string
+                          gmsaCredentialSpecName:
+                            nullable: true
+                            type: string
+                          hostProcess:
+                            nullable: true
+                            type: boolean
+                          runAsUserName:
+                            nullable: true
+                            type: string
+                        type: object
+                    type: object
+                  volumes:
+                    items:
+                      properties:
+                        destination:
+                          nullable: true
+                          type: string
+                        name:
+                          nullable: true
+                          type: string
+                        source:
+                          nullable: true
+                          type: string
+                      type: object
+                    nullable: true
+                    type: array
+                type: object
+              secrets:
+                items:
+                  properties:
+                    ignoreUpdates:
+                      type: boolean
+                    name:
+                      nullable: true
+                      type: string
+                    path:
+                      nullable: true
+                      type: string
+                  type: object
+                nullable: true
+                type: array
+              serviceAccountName:
+                nullable: true
+                type: string
+              tolerations:
+                items:
+                  properties:
+                    effect:
+                      nullable: true
+                      type: string
+                    key:
+                      nullable: true
+                      type: string
+                    operator:
+                      nullable: true
+                      type: string
+                    tolerationSeconds:
+                      nullable: true
+                      type: integer
+                    value:
+                      nullable: true
+                      type: string
+                  type: object
+                nullable: true
+                type: array
+              upgrade:
+                nullable: true
+                properties:
+                  args:
+                    items:
+                      nullable: true
+                      type: string
+                    nullable: true
+                    type: array
+                  command:
+                    items:
+                      nullable: true
+                      type: string
+                    nullable: true
+                    type: array
+                  envFrom:
+                    items:
+                      properties:
+                        configMapRef:
+                          nullable: true
+                          properties:
+                            name:
+                              nullable: true
+                              type: string
+                            optional:
+                              nullable: true
+                              type: boolean
+                          type: object
+                        prefix:
+                          nullable: true
+                          type: string
+                        secretRef:
+                          nullable: true
+                          properties:
+                            name:
+                              nullable: true
+                              type: string
+                            optional:
+                              nullable: true
+                              type: boolean
+                          type: object
+                      type: object
+                    nullable: true
+                    type: array
+                  envs:
+                    items:
+                      properties:
+                        name:
+                          nullable: true
+                          type: string
+                        value:
+                          nullable: true
+                          type: string
+                        valueFrom:
+                          nullable: true
+                          properties:
+                            configMapKeyRef:
+                              nullable: true
+                              properties:
+                                key:
+                                  nullable: true
+                                  type: string
+                                name:
+                                  nullable: true
+                                  type: string
+                                optional:
+                                  nullable: true
+                                  type: boolean
+                              type: object
+                            fieldRef:
+                              nullable: true
+                              properties:
+                                apiVersion:
+                                  nullable: true
+                                  type: string
+                                fieldPath:
+                                  nullable: true
+                                  type: string
+                              type: object
+                            resourceFieldRef:
+                              nullable: true
+                              properties:
+                                containerName:
+                                  nullable: true
+                                  type: string
+                                divisor:
+                                  nullable: true
+                                  type: string
+                                resource:
+                                  nullable: true
+                                  type: string
+                              type: object
+                            secretKeyRef:
+                              nullable: true
+                              properties:
+                                key:
+                                  nullable: true
+                                  type: string
+                                name:
+                                  nullable: true
+                                  type: string
+                                optional:
+                                  nullable: true
+                                  type: boolean
+                              type: object
+                          type: object
+                      type: object
+                    nullable: true
+                    type: array
+                  image:
+                    nullable: true
+                    type: string
+                  securityContext:
+                    nullable: true
+                    properties:
+                      allowPrivilegeEscalation:
+                        nullable: true
+                        type: boolean
+                      capabilities:
+                        nullable: true
+                        properties:
+                          add:
+                            items:
+                              nullable: true
+                              type: string
+                            nullable: true
+                            type: array
+                          drop:
+                            items:
+                              nullable: true
+                              type: string
+                            nullable: true
+                            type: array
+                        type: object
+                      privileged:
+                        nullable: true
+                        type: boolean
+                      procMount:
+                        nullable: true
+                        type: string
+                      readOnlyRootFilesystem:
+                        nullable: true
+                        type: boolean
+                      runAsGroup:
+                        nullable: true
+                        type: integer
+                      runAsNonRoot:
+                        nullable: true
+                        type: boolean
+                      runAsUser:
+                        nullable: true
+                        type: integer
+                      seLinuxOptions:
+                        nullable: true
+                        properties:
+                          level:
+                            nullable: true
+                            type: string
+                          role:
+                            nullable: true
+                            type: string
+                          type:
+                            nullable: true
+                            type: string
+                          user:
+                            nullable: true
+                            type: string
+                        type: object
+                      seccompProfile:
+                        nullable: true
+                        properties:
+                          localhostProfile:
+                            nullable: true
+                            type: string
+                          type:
+                            nullable: true
+                            type: string
+                        type: object
+                      windowsOptions:
+                        nullable: true
+                        properties:
+                          gmsaCredentialSpec:
+                            nullable: true
+                            type: string
+                          gmsaCredentialSpecName:
+                            nullable: true
+                            type: string
+                          hostProcess:
+                            nullable: true
+                            type: boolean
+                          runAsUserName:
+                            nullable: true
+                            type: string
+                        type: object
+                    type: object
+                  volumes:
+                    items:
+                      properties:
+                        destination:
+                          nullable: true
+                          type: string
+                        name:
+                          nullable: true
+                          type: string
+                        source:
+                          nullable: true
+                          type: string
+                      type: object
+                    nullable: true
+                    type: array
+                type: object
+              version:
+                nullable: true
+                type: string
+            required:
+            - upgrade
+            type: object
+          status:
+            properties:
+              applying:
+                items:
+                  nullable: true
+                  type: string
+                nullable: true
+                type: array
+              conditions:
+                items:
+                  properties:
+                    lastTransitionTime:
+                      nullable: true
+                      type: string
+                    lastUpdateTime:
+                      nullable: true
+                      type: string
+                    message:
+                      nullable: true
+                      type: string
+                    reason:
+                      nullable: true
+                      type: string
+                    status:
+                      nullable: true
+                      type: string
+                    type:
+                      nullable: true
+                      type: string
+                  type: object
+                nullable: true
+                type: array
+              latestHash:
+                nullable: true
+                type: string
+              latestVersion:
+                nullable: true
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
diff --git a/bootstrap/system-upgrades/deployment.yaml b/bootstrap/system-upgrades/deployment.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..b98168734ccece0796260df97022ba5fd59bde16
--- /dev/null
+++ b/bootstrap/system-upgrades/deployment.yaml
@@ -0,0 +1,69 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: system-upgrade-controller
+spec:
+  selector:
+    matchLabels:
+      upgrade.cattle.io/controller: system-upgrade-controller
+  template:
+    metadata:
+      labels:
+        upgrade.cattle.io/controller: system-upgrade-controller
+    spec:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: node-role.kubernetes.io/control-plane
+                operator: Exists
+      containers:
+      - env:
+        - name: SYSTEM_UPGRADE_CONTROLLER_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.labels['upgrade.cattle.io/controller']
+        - name: SYSTEM_UPGRADE_CONTROLLER_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        envFrom:
+        - configMapRef:
+            name: default-controller-env
+        image: docker.io/rancher/system-upgrade-controller:v0.13.2
+        imagePullPolicy: IfNotPresent
+        name: system-upgrade-controller
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsGroup: 65534
+          runAsNonRoot: true
+          runAsUser: 65534
+          seccompProfile:
+            type: RuntimeDefault
+        volumeMounts:
+        - mountPath: /tmp
+          name: tmp
+      serviceAccountName: system-upgrade
+      tolerations:
+      - key: CriticalAddonsOnly
+        operator: Exists
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/master
+        operator: Exists
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/controlplane
+        operator: Exists
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/control-plane
+        operator: Exists
+      - effect: NoExecute
+        key: node-role.kubernetes.io/etcd
+        operator: Exists
+      volumes:
+      - emptyDir: {}
+        name: tmp
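Review bot: The controller image is referenced by mutable tag (`docker.io/rancher/system-upgrade-controller:v0.13.2`) with `imagePullPolicy: IfNotPresent`, so what runs depends on whatever the tag resolves to when a node first pulls it. This controller launches Jobs configured with `SYSTEM_UPGRADE_JOB_PRIVILEGED=true` in kustomization.yaml, so pinning by digest is worth the extra line: `image: docker.io/rancher/system-upgrade-controller:v0.13.2@sha256:<digest-placeholder>`. The same applies to `SYSTEM_UPGRADE_JOB_KUBECTL_IMAGE`. The container `securityContext` could also set `readOnlyRootFilesystem: true`, since a writable `/tmp` emptyDir is already mounted, assuming the controller writes nowhere else.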
diff --git a/bootstrap/system-upgrades/kustomization.yaml b/bootstrap/system-upgrades/kustomization.yaml
index b47809282b4ffa29d72ce071b892e4224c4f26a2..a2e71ed1c57e0cdc66f33b6322625074d438329f 100644
--- a/bootstrap/system-upgrades/kustomization.yaml
+++ b/bootstrap/system-upgrades/kustomization.yaml
@@ -2,14 +2,26 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: system-upgrade
 resources:
-  - https://git.shivering-isles.com/github-mirror/rancher/system-upgrade-controller/-/raw/v0.10.0/manifests/system-upgrade-controller.yaml
-  - ../../shared/networkpolicies/allow-from-same-namespace.yaml
-patches:
-  - patch: |
-        - op: replace
-          path: /spec/template/spec/affinity/nodeAffinity/requiredDuringSchedulingIgnoredDuringExecution/nodeSelectorTerms/0/matchExpressions/0/key
-          value: node-role.kubernetes.io/control-plane
-    target:
-      kind: Deployment
-      name: system-upgrade-controller
-      namespace: system-upgrade
+  - crd.yaml
+  - namespace.yaml
+  - serviceaccount.yaml
+  - clusterrole.yaml
+  - clusterrolebinding.yaml
+  - deployment.yaml
+
+commonLabels:
+  app.kubernetes.io/name: system-upgrade-controller
+  app.kubernetes.io/instance: system-upgrade-controller
+
+configMapGenerator:
+- name: default-controller-env
+  literals:
+  - SYSTEM_UPGRADE_CONTROLLER_DEBUG=false
+  - SYSTEM_UPGRADE_CONTROLLER_THREADS=2
+  - SYSTEM_UPGRADE_JOB_ACTIVE_DEADLINE_SECONDS=900
+  - SYSTEM_UPGRADE_JOB_BACKOFF_LIMIT=99
+  - SYSTEM_UPGRADE_JOB_IMAGE_PULL_POLICY=IfNotPresent
+  - SYSTEM_UPGRADE_JOB_KUBECTL_IMAGE=docker.io/rancher/kubectl:v1.25.4
+  - SYSTEM_UPGRADE_JOB_PRIVILEGED=true
+  - SYSTEM_UPGRADE_JOB_TTL_SECONDS_AFTER_FINISH=900
+  - SYSTEM_UPGRADE_PLAN_POLLING_INTERVAL=15m
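Review bot: The new `resources` list no longer includes `../../shared/networkpolicies/allow-from-same-namespace.yaml` and nothing replaces it, so the `system-upgrade` namespace, which runs privileged upgrade Jobs, appears to get no NetworkPolicy from this kustomization. If that was not intended, keep `- ../../shared/networkpolicies/allow-from-same-namespace.yaml` in the list. Separately, `commonLabels` is also injected into `spec.selector.matchLabels`, which is immutable on a Deployment. If `system-upgrade-controller` already exists from the previous upstream manifest, the apply would be rejected until the Deployment is recreated; a `labels` entry with `includeSelectors: false` avoids that.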
diff --git a/bootstrap/system-upgrades/namespace.yaml b/bootstrap/system-upgrades/namespace.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..423c189323c6bb91d67447d6a61e0c07d5818ed9
--- /dev/null
+++ b/bootstrap/system-upgrades/namespace.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/warn: privileged
+    pod-security.kubernetes.io/audit-version: v1.28
+    pod-security.kubernetes.io/enforce-version: v1.28
+    pod-security.kubernetes.io/warn-version: v1.28
+  name: system-upgrade
\ No newline at end of file
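Review bot: The `pod-security.kubernetes.io/enforce: privileged` label has no comment explaining why this namespace opts out of Pod Security restrictions. A line above the labels would record the reason, for example `# privileged level is required because upgrade Jobs run with SYSTEM_UPGRADE_JOB_PRIVILEGED=true (see kustomization.yaml)`. The controller Deployment's own securityContext appears to meet the restricted profile, so the exemption exists only for the Jobs. Anything scheduled in this namespace may run privileged, so write access to it should stay tightly limited.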
diff --git a/bootstrap/system-upgrades/serviceaccount.yaml b/bootstrap/system-upgrades/serviceaccount.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..fbc97293c378ca15f0f0b3af792e309e5771981a
--- /dev/null
+++ b/bootstrap/system-upgrades/serviceaccount.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: system-upgrade
\ No newline at end of file