Unattended upgrades addon

.golangci.yml

@@ -42,7 +42,7 @@ linters-settings:
   govet:
     check-shadowing: true
   goimports:
-    local-prefixes: github.com/kubermatic
+    local-prefixes: k8c.io/kubeone
 
 issues:
   exclude-rules:

addons/unattended-upgrades/README.md

@@ -0,0 +1,41 @@
+# Unattended Upgrades
+
+This addon will automate upgrading system packages of the distro of your choice.
+
+## Requirements
+
+Since KubeOne 1.3+ we automatically label control-plane nodes with
+`v1.kubeone.io/operating-system` and worker nodes with
+`v1.machine-controller.kubermatic.io/operating-system` and use those labels as
+nodeAffinity in this addon manifests.
+
+## What's included
+
+This addon provides bunch of DaemonSets and operators:
+
+* **Debian/Ubuntu**
+  DaemonSet that will install `unattended-upgrades`
+* **RHEL/CentOS**
+  DaemonSet that will install and configure `yum-cron`/`dnf-automatic`
+* **Debian/Ubuntu/RHEL/CentOS**
+  [Kured](https://github.com/weaveworks/kured) (DaemonSet and operator) that
+  will orchestrate node rebootes in case when it's required (kernel upgrades)
+* **Flatcar Linux**
+  [Flatcar Linux Update Operator](https://github.com/kinvolk/flatcar-linux-update-operator)
+
+## Deployment instructions
+
+Copy files from this directory to your configured addons directory.
+
+In `kubeone.yaml` config:
+```yaml
+addons:
+  enable: true
+  path: "./addons"
+```
+
+## Information about permissions
+
+Since daemonSets provided by this addon are making changes on the nodes
+themselves they require elevated permissions like full root access to the host
+machine.

addons/unattended-upgrades/apt.yaml

@@ -0,0 +1,57 @@
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: unattended-upgrades-install
+  namespace: kube-system
+spec:
+  selector:
+    matchLabels:
+      name: unattended-upgrades-install
+  updateStrategy:
+    type: RollingUpdate
+  template:
+    metadata:
+      labels:
+        name: unattended-upgrades-install
+    spec:
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+            - matchExpressions:
+              - key: v1.machine-controller.kubermatic.io/operating-system
+                operator: In
+                values:
+                - ubuntu
+            - matchExpressions:
+              - key: v1.kubeone.io/operating-system
+                operator: In
+                values:
+                - ubuntu
+                - debian
+      tolerations:
+      - key: node-role.kubernetes.io/master
+        effect: NoSchedule
+      hostPID: true
+      containers:
+      - name: "unattended-upgrades-install"
+        image: "alpine:3.12.4"
+        securityContext:
+          privileged: true
+        command:
+        - /bin/sh
+        - -c
+        - |
+          set -xeuo pipefail
+          apk add --no-cache bash util-linux
+          nsenter -t 1 -m -u -i -n -p -- bash -c "${STARTUP_SCRIPT}"
+          sleep inf
+        env:
+        - name: STARTUP_SCRIPT
+          value: |
+            set -xeuo pipefail
+            export DEBIAN_FRONTEND=noninteractive
+            apt-get install -y --no-install-recommends \
+              apt-utils \
+              unattended-upgrades