From 626aa76a72eddaa13ef6dd56481e77d30dcbf9bd Mon Sep 17 00:00:00 2001 From: nicholasSSUSE Date: Sun, 27 Oct 2024 22:49:53 -0300 Subject: [PATCH] forward-port system-upgrade-controller 103.0.2+up0.6.1 --- ...tem-upgrade-controller-103.0.2+up0.6.1.tgz | Bin 0 -> 2137 bytes .../103.0.2+up0.6.1/Chart.yaml | 18 +++++ .../103.0.2+up0.6.1/templates/_helpers.tpl | 9 +++ .../templates/clusterrolebinding.yaml | 12 +++ .../103.0.2+up0.6.1/templates/configmap.yaml | 16 ++++ .../103.0.2+up0.6.1/templates/deployment.yaml | 69 ++++++++++++++++++ .../103.0.2+up0.6.1/templates/psp.yaml | 51 +++++++++++++ .../templates/serviceaccount.yaml | 5 ++ .../103.0.2+up0.6.1/values.yaml | 15 ++++ index.yaml | 22 ++++++ release.yaml | 2 + 11 files changed, 219 insertions(+) create mode 100644 assets/system-upgrade-controller/system-upgrade-controller-103.0.2+up0.6.1.tgz create mode 100644 charts/system-upgrade-controller/103.0.2+up0.6.1/Chart.yaml create mode 100644 charts/system-upgrade-controller/103.0.2+up0.6.1/templates/_helpers.tpl create mode 100644 charts/system-upgrade-controller/103.0.2+up0.6.1/templates/clusterrolebinding.yaml create mode 100644 charts/system-upgrade-controller/103.0.2+up0.6.1/templates/configmap.yaml create mode 100644 charts/system-upgrade-controller/103.0.2+up0.6.1/templates/deployment.yaml create mode 100644 charts/system-upgrade-controller/103.0.2+up0.6.1/templates/psp.yaml create mode 100644 charts/system-upgrade-controller/103.0.2+up0.6.1/templates/serviceaccount.yaml create mode 100644 charts/system-upgrade-controller/103.0.2+up0.6.1/values.yaml 
diff --git a/assets/system-upgrade-controller/system-upgrade-controller-103.0.2+up0.6.1.tgz b/assets/system-upgrade-controller/system-upgrade-controller-103.0.2+up0.6.1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..7d41e76d26a5eca5f8558b127e0b9095d75d2a0a GIT binary patch literal 2137 zcmV-f2&VTRiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PI?AZ{j-kpV#>m7JvOU((ERLhqg1(-jyiOUhbt70j)Gzt&m9$ z;H_i(+72^pZ@>F0Pe5o0l$mMw-sQXjl4Jjl?epk^S}F~`8Hkz09+)m?T5?K3mYZ`d zwY9`PefN!I+qQjPuScJ@ZEt^8>bCu^Qa?XGyQrL3>u2xm%6YAJ{tnsS3Va9!N@MxX z{${N0#r;7DGsZR6gfrzB2)S5e%4e2~wWeSZUUorhG9}zo=a9WXV~vtJcRv>Z(;Bv;+!Rff)+#pq++hU_tKF=@%6P z3$gxbTa}tsH#|_TBtl0IuYrNY6p26zt^lp4LYgBVKR^P8C@g@YKzLY#3STnrfwGJ_ z4<(vwEtFF(&xoD}6U*g(y4-RitQ)!jRi02jDSNOm7gg(HIeD1w%tKA3i;_lo#P@k8 z{NC8N3yKHQ1?3p#j}UBieigfB*;e&0fv~M}t75#h{k=8q_Wuh^15n>10POMqcJ2IP z+y9^27bpM!8Z@JPf@$LVHHGjSO3btcQyfq|fEiI*E*(@VMQ?=?F&jd_@Pvl3A$0qO z5s$lzm8rSXrI4HWc$UmAL2yMh52xHR>>S4sj?j3vc7~CcaWy?))`W9oj>sX^{^!kp zMZ4`^gD+?pILhNWPytd|S{&sH_S*l&R{mGDFHZU2>(Jw4`2$)I-$4pAni2|nDc~nR z+!l8Z4*F1jdNPd1M-zE4B@9q0R++IEdxx=1+(QYOPfrmenIh{xjvldlNt2>nx3U^0 zBw>1rO8>9QrK2VQs$lh_w3Y{$_w4&y@B4oX9b*434U`5cIfV&f9$~YWWd-}}zkXKV zvj1AuuAJ=uHE6T=kQ3}$IM8!0$-kqT(0cf&!ct~YF&+r>9Mp_eVZbR|#;RcWps|NF z4x@0K9k9HqBAg`_M>!e8rSV{|E}8|_iwwM=I27BPFSY(14{dx5_h=?)|vLW z?n_X>^nTc1?=IWTQ8$K1ji_q$sqa+R<8UJ*vr z{6+fI?>2hj`F1v5+yY7g!k-QAddirIiuO4zK!G{^;}n{bsgKLhut45)uFIwbyk zAShq@z>aJO?TP>OTJ>4{ubC)H>B~txo+VSwK-SAbpj69hOAVHn+bD2}-5izHKtm11ud>3PYb{ph3m`v{DW)LR^5v;W45f*BzG2 z6E_j^uwuM*?=2-EVG8o7eK3>3z+Bjd+`s%}@!?jQVVP=WcOf}`Q&7wxXFcoP$lZ#f zjWE|;(=~koGMj4$Rc!mUmgwWKpnj9JX--3ktk~uTaQiD!I@J@EDeQX()buFol48O@ zW&jSk4~Qx5G#r<4?x-yGWuV2wRvBqV!gZ4Epv}~JgAdr^N^(DYUM6zWqA$6h$5NZ(})fEb2M@oU3?z zW@52h7QGbUpcau)R9ilS$jS)5(90H)4thLY?!SNz$^V5q_U139efNKMef$33uGrO6 z{{I?O*slu@KI!m>p=PsI5K)XNFDetzI4v3a+#7-$NTQc<40=)JkfzO;QvPLiS<+T6 zra1oRQ}ic;gaN!J7I;D^(IoXiCTceNbF>3)2trJfHl;ef}~=R0R;yQ!iNpEj0&1AVZqm3Zv!DHgoPBQQO85=V4SMBA(H<# 
z<7-V+`cN`V(=?86;JoN^S14hGA|(x$w0W~~{br&O$zL(ze{+SI*#<{(nw1X9OzEja zpQ70b#2MfM_Q1FdgaZE2O-jeUv&ngDW>u*JH(JmZ@okenzEE>mIv~se=dfF^M z^~(R$bV&TqD$2`Kfqnh|%2{nI{#R?2)BWG8P;UQkt8xCFuK(V8sV6$oiB5E)4f;<2 P00960H2ZIR05$*s%l0J@ literal 0 HcmV?d00001 diff --git a/charts/system-upgrade-controller/103.0.2+up0.6.1/Chart.yaml b/charts/system-upgrade-controller/103.0.2+up0.6.1/Chart.yaml new file mode 100644 index 0000000000..ff09d5fd56 --- /dev/null +++ b/charts/system-upgrade-controller/103.0.2+up0.6.1/Chart.yaml @@ -0,0 +1,18 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/kube-version: '>= 1.23.0-0 < 1.29.0-0' + catalog.cattle.io/namespace: cattle-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0' + catalog.cattle.io/release-name: system-upgrade-controller +apiVersion: v1 +appVersion: v0.13.4 +description: General purpose controller to make system level updates to nodes. +home: https://github.com/rancher/system-charts/blob/dev-v2.8/charts/rancher-k3s-upgrader +kubeVersion: '>= 1.23.0-0' +name: system-upgrade-controller +sources: +- https://github.com/rancher/system-charts/blob/dev-v2.8/charts/rancher-k3s-upgrader +version: 103.0.2+up0.6.1 diff --git a/charts/system-upgrade-controller/103.0.2+up0.6.1/templates/_helpers.tpl b/charts/system-upgrade-controller/103.0.2+up0.6.1/templates/_helpers.tpl new file mode 100644 index 0000000000..67a534eb7b --- /dev/null +++ b/charts/system-upgrade-controller/103.0.2+up0.6.1/templates/_helpers.tpl @@ -0,0 +1,9 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} 
diff --git a/charts/system-upgrade-controller/103.0.2+up0.6.1/templates/clusterrolebinding.yaml b/charts/system-upgrade-controller/103.0.2+up0.6.1/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000000..f2a09949d5
--- /dev/null
+++ b/charts/system-upgrade-controller/103.0.2+up0.6.1/templates/clusterrolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: system-upgrade-controller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+ - kind: ServiceAccount
+ name: system-upgrade-controller
+ namespace: cattle-system
diff --git a/charts/system-upgrade-controller/103.0.2+up0.6.1/templates/configmap.yaml b/charts/system-upgrade-controller/103.0.2+up0.6.1/templates/configmap.yaml
new file mode 100644
index 0000000000..7619c39744
--- /dev/null
+++ b/charts/system-upgrade-controller/103.0.2+up0.6.1/templates/configmap.yaml
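Review bot: The `roleRef` in templates/clusterrolebinding.yaml binds the `system-upgrade-controller` ServiceAccount to `cluster-admin`, so the controller pod's token carries unrestricted rights over the whole cluster, and nothing in the manifest records why. If the controller cannot run with a narrower role, say so next to the binding, e.g. `# cluster-admin is intentional: the controller creates upgrade Jobs that default to privileged (see configmap.yaml); treat this token as cluster root`. Otherwise a dedicated ClusterRole listing only the resources the controller manages would limit what a compromised pod can do; which resources those are is not visible from this patch. Rights to create pods or read secrets in `cattle-system` should be reviewed with this binding in mind, since either gives access to the token.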
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: system-upgrade-controller-config
+ namespace: cattle-system
+data:
+ SYSTEM_UPGRADE_CONTROLLER_DEBUG: {{ .Values.systemUpgradeControllerDebug | default "false" | quote }}
+ SYSTEM_UPGRADE_CONTROLLER_THREADS: {{ .Values.systemUpgradeControllerThreads | default "2" | quote }}
+ SYSTEM_UPGRADE_JOB_ACTIVE_DEADLINE_SECONDS: {{ .Values.systemUpgradeJobActiveDeadlineSeconds | default "900" | quote }}
+ SYSTEM_UPGRADE_JOB_BACKOFF_LIMIT: {{ .Values.systemUpgradeJobBackoffLimit | default "99" | quote }}
+ SYSTEM_UPGRADE_JOB_IMAGE_PULL_POLICY: {{ .Values.systemUpgradeJobImagePullPolicy | default "IfNotPresent" | quote }}
+ SYSTEM_UPGRADE_JOB_KUBECTL_IMAGE: {{ template "system_default_registry" . }}{{ .Values.kubectl.image.repository }}:{{ .Values.kubectl.image.tag }}
+ SYSTEM_UPGRADE_JOB_PRIVILEGED: {{ .Values.systemUpgradeJobPrivileged | default "true" | quote }}
+ SYSTEM_UPGRADE_JOB_TTL_SECONDS_AFTER_FINISH: {{ .Values.systemUpgradeJobTTLSecondsAfterFinish | default "900" | quote }}
+ SYSTEM_UPGRADE_PLAN_POLLING_INTERVAL: {{ .Values.systemUpgradePlanRollingInterval | default "15m" | quote }}
+
diff --git a/charts/system-upgrade-controller/103.0.2+up0.6.1/templates/deployment.yaml b/charts/system-upgrade-controller/103.0.2+up0.6.1/templates/deployment.yaml
new file mode 100644
index 0000000000..cfc27992eb
--- /dev/null
+++ b/charts/system-upgrade-controller/103.0.2+up0.6.1/templates/deployment.yaml
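Review bot: `SYSTEM_UPGRADE_JOB_PRIVILEGED` is rendered with `default "true"`, and Sprig's `default` treats a boolean `false` as empty, so setting `systemUpgradeJobPrivileged: false` in values still yields `"true"` and upgrade Jobs stay privileged. Decide by key presence instead: `SYSTEM_UPGRADE_JOB_PRIVILEGED: {{ hasKey .Values "systemUpgradeJobPrivileged" | ternary .Values.systemUpgradeJobPrivileged true | quote }}`. Separately, `SYSTEM_UPGRADE_PLAN_POLLING_INTERVAL` reads `.Values.systemUpgradePlanRollingInterval` (Rolling, not Polling), which looks like a typo that would silently ignore a value set under the expected name. `SYSTEM_UPGRADE_JOB_KUBECTL_IMAGE` is also the only entry not passed through `quote`.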
@@ -0,0 +1,69 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: system-upgrade-controller
+ namespace: cattle-system
+spec:
+ selector:
+ matchLabels:
+ upgrade.cattle.io/controller: system-upgrade-controller
+ template:
+ metadata:
+ labels:
+ upgrade.cattle.io/controller: system-upgrade-controller # necessary to avoid drain
+ spec:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: "kubernetes.io/os"
+ operator: NotIn
+ values:
+ - windows
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - preference:
+ matchExpressions:
+ - key: node-role.kubernetes.io/control-plane
+ operator: In
+ values:
+ - "true"
+ weight: 100
+ - preference:
+ matchExpressions:
+ - key: node-role.kubernetes.io/master
+ operator: In
+ values:
+ - "true"
+ weight: 100
+ tolerations:
+ - operator: Exists
+ serviceAccountName: system-upgrade-controller
+ containers:
+ - name: system-upgrade-controller
+ image: {{ template "system_default_registry" . }}{{ .Values.systemUpgradeController.image.repository }}:{{ .Values.systemUpgradeController.image.tag }}
+ imagePullPolicy: IfNotPresent
+ envFrom:
+ - configMapRef:
+ name: system-upgrade-controller-config
+ env:
+ - name: SYSTEM_UPGRADE_CONTROLLER_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.labels['upgrade.cattle.io/controller']
+ - name: SYSTEM_UPGRADE_CONTROLLER_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ volumeMounts:
+ - name: etc-ssl
+ mountPath: /etc/ssl
+ - name: tmp
+ mountPath: /tmp
+ volumes:
+ - name: etc-ssl
+ hostPath:
+ path: /etc/ssl
+ type: Directory
+ - name: tmp
+ emptyDir: {}
diff --git a/charts/system-upgrade-controller/103.0.2+up0.6.1/templates/psp.yaml b/charts/system-upgrade-controller/103.0.2+up0.6.1/templates/psp.yaml
new file mode 100644
index 0000000000..ca87b996cb
--- /dev/null
+++ b/charts/system-upgrade-controller/103.0.2+up0.6.1/templates/psp.yaml
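Review bot: The `etc-ssl` volumeMount exposes the node's `/etc/ssl` through a hostPath without `readOnly: true`, and the container declares no `securityContext`, so a process in this pod, if it runs as root, could modify the host's certificate store while also holding the cluster-admin ServiceAccount token. Add `readOnly: true` under the `etc-ssl` mount, and give the container a `securityContext` with `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true`. The `/tmp` emptyDir suggests the controller only needs that path writable, but confirm against the image before enforcing it. `tolerations: - operator: Exists` also lets the pod schedule onto any tainted node; a comment stating that this is deliberate would help the next reviewer.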
@@ -0,0 +1,51 @@
+{{- if .Values.global.cattle.psp.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: system-upgrade-controller
+spec:
+ allowPrivilegeEscalation: true
+ allowedCapabilities:
+ - CAP_SYS_BOOT
+ hostNetwork: true
+ hostPID: true
+ hostIPC: true
+ privileged: true
+ runAsUser:
+ rule: RunAsAny
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: RunAsAny
+ fsGroup:
+ rule: RunAsAny
+ volumes:
+ - "*"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: system-upgrade-controller-psp
+rules:
+ - apiGroups:
+ - policy
+ resourceNames:
+ - system-upgrade-controller
+ resources:
+ - podsecuritypolicies
+ verbs:
+ - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: system-upgrade-controller-psp
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system-upgrade-controller-psp
+subjects:
+ - kind: Group
+ apiGroup: rbac.authorization.k8s.io
+ name: system:serviceaccounts:cattle-system
+{{- end }}
diff --git a/charts/system-upgrade-controller/103.0.2+up0.6.1/templates/serviceaccount.yaml b/charts/system-upgrade-controller/103.0.2+up0.6.1/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..b6cdcf48b3
--- /dev/null
+++ b/charts/system-upgrade-controller/103.0.2+up0.6.1/templates/serviceaccount.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: system-upgrade-controller
+ namespace: cattle-system
diff --git a/charts/system-upgrade-controller/103.0.2+up0.6.1/values.yaml b/charts/system-upgrade-controller/103.0.2+up0.6.1/values.yaml
new file mode 100644
index 0000000000..9ac4c2ef62
--- /dev/null
+++ b/charts/system-upgrade-controller/103.0.2+up0.6.1/values.yaml
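Review bot: The `system-upgrade-controller-psp` ClusterRoleBinding in templates/psp.yaml grants `use` of this PodSecurityPolicy to the group `system:serviceaccounts:cattle-system`, i.e. every ServiceAccount in the namespace. The policy itself allows `privileged: true`, `hostNetwork`, `hostPID`, `hostIPC` and all volume types, so any workload in `cattle-system` can be admitted with full host access. Bind it to the one account that needs it: `- kind: ServiceAccount`, `name: system-upgrade-controller`, `namespace: cattle-system`. If upgrade plans run their Jobs under other service accounts, list those explicitly rather than the whole group.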
@@ -0,0 +1,15 @@ +global: + cattle: + systemDefaultRegistry: "" + psp: + enabled: true + +systemUpgradeController: + image: + repository: rancher/system-upgrade-controller + tag: v0.13.4 + +kubectl: + image: + repository: rancher/kubectl + tag: v1.23.3 diff --git a/index.yaml b/index.yaml index 1091c5c781..2da786b5e9 100755 --- a/index.yaml +++ b/index.yaml @@ -17888,6 +17888,28 @@ entries: urls: - assets/system-upgrade-controller/system-upgrade-controller-104.0.0+up0.7.0.tgz version: 104.0.0+up0.7.0 + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/kube-version: '>= 1.23.0-0 < 1.29.0-0' + catalog.cattle.io/namespace: cattle-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0' + catalog.cattle.io/release-name: system-upgrade-controller + apiVersion: v1 + appVersion: v0.13.4 + created: "2024-10-27T22:49:52.017623489-03:00" + description: General purpose controller to make system level updates to nodes. + digest: c0450afb46c0f28e17a41f7ca6f31b1798f6333c6116f866758ed78893552b70 + home: https://github.com/rancher/system-charts/blob/dev-v2.8/charts/rancher-k3s-upgrader + kubeVersion: '>= 1.23.0-0' + name: system-upgrade-controller + sources: + - https://github.com/rancher/system-charts/blob/dev-v2.8/charts/rancher-k3s-upgrader + urls: + - assets/system-upgrade-controller/system-upgrade-controller-103.0.2+up0.6.1.tgz + version: 103.0.2+up0.6.1 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true" diff --git a/release.yaml b/release.yaml index f4be464d5d..4b2ba6ea7c 100644 --- a/release.yaml +++ b/release.yaml @@ -153,3 +153,5 @@ sriov-crd: - 104.3.0+up1.3.0 sriov: - 104.3.0+up1.3.0 +system-upgrade-controller: + - 103.0.2+up0.6.1
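Review bot: `global.cattle.psp.enabled` defaults to `true` in values.yaml, but templates/psp.yaml renders a `policy/v1beta1` PodSecurityPolicy, an API removed in Kubernetes 1.25, while Chart.yaml advertises `catalog.cattle.io/kube-version: '>= 1.23.0-0 < 1.29.0-0'`. Unless the installer overrides the flag, rendering that object on a 1.25+ cluster would presumably make the install fail. Default the flag to `false`, or guard the template with `{{- if and .Values.global.cattle.psp.enabled (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}`. The two image tags (`v0.13.4`, `v1.23.3`) are also mutable references; pinning by digest would require the templates to accept one, since they currently build `repository:tag`.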