feat: implement SUC for talos (#1246)

* feat: implement SUC for talos

Signed-off-by: Devin Buhl <[email protected]>

* fix: double ---

Signed-off-by: Devin Buhl <[email protected]>

* fix: update formatting

Signed-off-by: Devin Buhl <[email protected]>

* fix: address PR comments

Signed-off-by: Devin Buhl <[email protected]>

---------

Signed-off-by: Devin Buhl <[email protected]>

bootstrap/templates/kubernetes/apps/tools/kustomization.yaml.j2

@@ -5,6 +5,6 @@ resources:
   - ./namespace.yaml
   - ./descheduler/ks.yaml
   - ./reloader/ks.yaml
-  #% if bootstrap_distribution in ['k3s'] and addon_system_upgrade_controller.enabled %#
+  #% if bootstrap_distribution in ['k3s', 'talos'] and addon_system_upgrade_controller.enabled %#
   - ./system-upgrade-controller/ks.yaml
   #% endif %#

bootstrap/templates/kubernetes/apps/tools/system-upgrade-controller/.mjfilter.py

@@ -1 +1 @@
-main = lambda data: data.get("bootstrap_distribution") in ['k3s'] and data.get("addon_system_upgrade_controller", {}).get("enabled", False) == True
+main = lambda data: data.get("bootstrap_distribution") in ['k3s', 'talos'] and data.get("addon_system_upgrade_controller", {}).get("enabled", False) == True

bootstrap/templates/kubernetes/apps/tools/system-upgrade-controller/app/rbac.yaml.j2

@@ -11,3 +11,13 @@ subjects:
   - kind: ServiceAccount
     name: system-upgrade
     namespace: tools
+#% if bootstrap_distribution in ['talos'] %#
+---
+apiVersion: talos.dev/v1alpha1
+kind: ServiceAccount
+metadata:
+  name: talos
+spec:
+  roles:
+    - os:admin
+#% endif %#

bootstrap/templates/kubernetes/apps/tools/system-upgrade-controller/plans/k3s.yaml.j2

@@ -0,0 +1,54 @@
+#% if bootstrap_distribution in ['k3s'] %#
+---
+apiVersion: upgrade.cattle.io/v1
+kind: Plan
+metadata:
+  name: controllers
+spec:
+  # renovate: datasource=github-releases depName=k3s-io/k3s
+  version: "v1.29.0+k3s1"
+  upgrade:
+    image: rancher/k3s-upgrade
+  serviceAccountName: system-upgrade
+  concurrency: 1
+  cordon: true
+  nodeSelector:
+    matchExpressions:
+      - key: node-role.kubernetes.io/control-plane
+        operator: Exists
+  tolerations:
+    - effect: NoSchedule
+      operator: Exists
+    - effect: NoExecute
+      operator: Exists
+    - key: node-role.kubernetes.io/control-plane
+      effect: NoSchedule
+      operator: Exists
+    - key: node-role.kubernetes.io/master
+      effect: NoSchedule
+      operator: Exists
+    - key: node-role.kubernetes.io/etcd
+      effect: NoExecute
+      operator: Exists
+    - key: CriticalAddonsOnly
+      operator: Exists
+---
+apiVersion: upgrade.cattle.io/v1
+kind: Plan
+metadata:
+  name: workers
+spec:
+  # renovate: datasource=github-releases depName=k3s-io/k3s
+  version: "v1.29.0+k3s1"
+  serviceAccountName: system-upgrade
+  concurrency: 1
+  nodeSelector:
+    matchExpressions:
+      - key: node-role.kubernetes.io/control-plane
+        operator: DoesNotExist
+  prepare:
+    image: rancher/k3s-upgrade
+    args: ["prepare", "server"]
+  upgrade:
+    image: rancher/k3s-upgrade
+#% endif %#

bootstrap/templates/kubernetes/apps/tools/system-upgrade-controller/plans/kustomization.yaml.j2

@@ -2,5 +2,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ./server.yaml
-  - ./agent.yaml
+  #% if bootstrap_distribution in ['k3s'] %#
+  - ./k3s.yaml
+  #% elif bootstrap_distribution in ['talos'] %#
+  - ./talos.yaml
+  #% endif %#

bootstrap/templates/kubernetes/apps/tools/system-upgrade-controller/plans/talos.yaml.j2

@@ -0,0 +1,93 @@
+#% if bootstrap_distribution in ['talos'] %#
+---
+apiVersion: upgrade.cattle.io/v1
+kind: Plan
+metadata:
+  name: kubernetes
+spec:
+  # renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet
+  version: v1.29.1
+  serviceAccountName: system-upgrade
+  secrets:
+    - name: talos
+      path: /var/run/secrets/talos.dev
+      ignoreUpdates: true
+  concurrency: 1
+  exclusive: true
+  nodeSelector:
+    matchExpressions:
+      - key: node-role.kubernetes.io/control-plane
+        operator: Exists
+  prepare: &prepare
+    image: ghcr.io/siderolabs/talosctl:v1.6.3
+    envs:
+      - name: NODE_IP
+        valueFrom:
+          fieldRef:
+            fieldPath: status.hostIP
+    args:
+      - --nodes=$(NODE_IP)
+      - health
+      - --server=false
+  upgrade:
+    <<: *prepare
+    args:
+      - --nodes=$(NODE_IP)
+      - upgrade-k8s
+      - --to=$(SYSTEM_UPGRADE_PLAN_LATEST_VERSION)
+---
+apiVersion: upgrade.cattle.io/v1
+kind: Plan
+metadata:
+  name: talos
+spec:
+  # renovate: datasource=docker depName=ghcr.io/siderolabs/installer
+  version: v1.6.3
+  serviceAccountName: system-upgrade
+  secrets:
+    - name: talos
+      path: /var/run/secrets/talos.dev
+      ignoreUpdates: true
+  concurrency: 1
+  exclusive: true
+  nodeSelector:
+    matchExpressions:
+      - key: kubernetes.io/os
+        operator: In
+        values:
+          - linux
+  tolerations:
+    - key: CriticalAddonsOnly
+      operator: Exists
+    - key: node-role.kubernetes.io/master
+      operator: Exists
+      effect: NoSchedule
+    - key: node-role.kubernetes.io/controlplane
+      operator: Exists
+      effect: NoSchedule
+    - key: node-role.kubernetes.io/control-plane
+      operator: Exists
+      effect: NoSchedule
+    - key: node-role.kubernetes.io/etcd
+      operator: Exists
+      effect: NoSchedule
+  prepare: &prepare
+    image: ghcr.io/siderolabs/talosctl
+    envs:
+      - name: NODE_IP
+        valueFrom:
+          fieldRef:
+            fieldPath: status.hostIP
+    args:
+      - --nodes=$(NODE_IP)
+      - health
+      - --server=false
+  upgrade:
+    <<: *prepare
+    args:
+      - --nodes=$(NODE_IP)
+      - upgrade
+      - --image=factory.talos.dev/installer/#{ addon_system_upgrade_controller.talos_schematic_id|default('df491c50a5acc05b977ef00c32050e1ceb0df746e40b33c643ac8a9bfb7c7263', true) }#:$(SYSTEM_UPGRADE_PLAN_LATEST_VERSION)
+      - --preserve=true
+      - --wait=false
+#% endif %#

bootstrap/vars/addons.sample.yaml

@@ -29,16 +29,16 @@ addon_weave_gitops:
 
 # https://github.com/rancher/system-upgrade-controller
 addon_system_upgrade_controller:
-  # IMPORTANT: Only enable this if you also track the version of k3s in the
-  #   ansible configuration files. Running ansible against an already provisioned
-  #   cluster with this enabled might cause your cluster to be downgraded.
-  # NOTE: If bootstrap_distribution is set to k0s or talos this will be ignored.
+  # NOTE: If bootstrap_distribution is set to k0s this will be ignored.
   enabled: false
+  # IMPORTANT: For talos, head over to https://factory.talos.dev/ and
+  #   generate a schematic ID based on your System Extension requirements
+  # talos_schematic_id: df491c50a5acc05b977ef00c32050e1ceb0df746e40b33c643ac8a9bfb7c7263
 
 # https://github.com/morphy2k/rss-forwarder
 addon_discord_template_notifier:
   # Will post commits from the template repository to the specified discord channel
-  # so it's easier to keep track of changes.
+  #   so it's easier to keep track of changes.
   enabled: false
   # webhook_url: # Required: Discord webhook url