[release/v1.8] Add an option to disable Flatcar auto-upgrades (#3393)

* Add an option to disable Flatcar auto-upgrades

Signed-off-by: Marko Mudrinić <[email protected]>

* Add an option to disable Flatcar auto-upgrades on Equinix

Signed-off-by: Marko Mudrinić <[email protected]>

---------

Signed-off-by: Marko Mudrinić <[email protected]>

Author: xmudrii

examples/terraform/aws/README.md

@@ -71,6 +71,7 @@ No modules.
 | <a name="input_control_plane_type"></a> [control\_plane\_type](#input\_control\_plane\_type) | AWS instance type | `string` | `"t3.medium"` | no |
 | <a name="input_control_plane_vm_count"></a> [control\_plane\_vm\_count](#input\_control\_plane\_vm\_count) | number of control plane instances | `number` | `3` | no |
 | <a name="input_control_plane_volume_size"></a> [control\_plane\_volume\_size](#input\_control\_plane\_volume\_size) | Size of the EBS volume, in Gb | `number` | `100` | no |
+| <a name="input_disable_auto_update"></a> [disable\_auto\_update](#input\_disable\_auto\_update) | Disable automatic flatcar updates (and reboot) | `bool` | `false` | no |
 | <a name="input_disable_kubeapi_loadbalancer"></a> [disable\_kubeapi\_loadbalancer](#input\_disable\_kubeapi\_loadbalancer) | E2E tests specific variable to disable usage of any loadbalancer in front of kubeapi-server | `bool` | `false` | no |
 | <a name="input_initial_machinedeployment_operating_system_profile"></a> [initial\_machinedeployment\_operating\_system\_profile](#input\_initial\_machinedeployment\_operating\_system\_profile) | Name of operating system profile for MachineDeployments, only applicable if operating-system-manager addon is enabled.<br>If not specified default is used based on the OS specified for workers. | `string` | `""` | no |
 | <a name="input_initial_machinedeployment_replicas"></a> [initial\_machinedeployment\_replicas](#input\_initial\_machinedeployment\_replicas) | number of replicas per MachineDeployment | `number` | `1` | no |

examples/terraform/aws/main.tf

@@ -307,6 +307,8 @@ resource "aws_instance" "control_plane" {
     http_put_response_hop_limit = var.control_plane_http_put_max_hops
   }
 
+  user_data = var.disable_auto_update ? file("./userdata_flatcar_upgrades.json") : null
+
   tags = tomap({
     "Name"                   = "${var.cluster_name}-cp-${count.index + 1}",
     (local.kube_cluster_tag) = "shared",
@@ -334,6 +336,8 @@ resource "aws_instance" "static_workers1" {
     http_put_response_hop_limit = var.static_workers_http_put_max_hops
   }
 
+  user_data = var.disable_auto_update ? file("./userdata_flatcar_upgrades.json") : null
+
   tags = tomap({
     "Name"                   = "${var.cluster_name}-workers1-${count.index + 1}",
     (local.kube_cluster_tag) = "shared",
@@ -356,6 +360,8 @@ resource "aws_instance" "bastion" {
     volume_size = 100
   }
 
+  user_data = var.disable_auto_update ? file("./userdata_flatcar_upgrades.json") : null
+
   tags = tomap({
     "Cluster"                = var.cluster_name,
     "Name"                   = "${var.cluster_name}-bastion",

examples/terraform/aws/output.tf

@@ -96,6 +96,8 @@ output "kubeone_workers" {
         operatingSystem = local.worker_os
         operatingSystemSpec = {
           distUpgradeOnBoot   = false
+          disableAutoUpdate   = var.disable_auto_update
+          disableLocksmithD   = var.disable_auto_update
           provisioningUtility = var.provisioning_utility
         }
         labels = {
@@ -156,6 +158,8 @@ output "kubeone_workers" {
         operatingSystem = local.worker_os
         operatingSystemSpec = {
           distUpgradeOnBoot   = false
+          disableAutoUpdate   = var.disable_auto_update
+          disableLocksmithD   = var.disable_auto_update
           provisioningUtility = var.provisioning_utility
         }
         labels = {
@@ -216,6 +220,8 @@ output "kubeone_workers" {
         operatingSystem = local.worker_os
         operatingSystemSpec = {
           distUpgradeOnBoot   = false
+          disableAutoUpdate   = var.disable_auto_update
+          disableLocksmithD   = var.disable_auto_update
           provisioningUtility = var.provisioning_utility
         }
         labels = {

examples/terraform/aws/userdata_flatcar_upgrades.json

@@ -0,0 +1 @@
+{"ignition":{"version":"3.3.0"},"storage":{"files":[{"overwrite":true,"path":"/etc/flatcar/update.conf","contents":{"compression":"","source":"data:,SERVER%3Ddisabled%0A"},"mode":420}]}}

examples/terraform/aws/variables.tf

@@ -313,3 +313,9 @@ Name of operating system profile for MachineDeployments, only applicable if oper
 If not specified default is used based on the OS specified for workers.
 EOF
 }
+
+variable "disable_auto_update" {
+  description = "Disable automatic flatcar updates (and reboot)"
+  type        = bool
+  default     = false
+}

examples/terraform/azure/cloud-config.tftpl

@@ -1,7 +1,10 @@
-#cloud-config
 %{ if os == "rhel" }
+#cloud-config
 rh_subscription:
   username: ${rhsm_username}
   password: '${rhsm_password}'
   auto-attach: false
 %{ endif }
+%{ if disable_auto_update }
+{"ignition":{"version":"3.3.0"},"storage":{"files":[{"overwrite":true,"path":"/etc/flatcar/update.conf","contents":{"compression":"","source":"data:,SERVER%3Ddisabled%0A"},"mode":420}]}}
+%{ endif }

examples/terraform/azure/main.tf

@@ -288,11 +288,12 @@ resource "azurerm_virtual_machine" "control_plane" {
   os_profile {
     computer_name  = "${var.cluster_name}-cp-${count.index}"
     admin_username = local.ssh_username
-    custom_data = templatefile("./cloud-config.tftpl", {
-      os            = var.os
-      rhsm_username = var.rhsm_username
-      rhsm_password = var.rhsm_password
-    })
+    custom_data = base64encode(trimspace(templatefile("./cloud-config.tftpl", {
+      os                  = var.os
+      rhsm_username       = var.rhsm_username
+      rhsm_password       = var.rhsm_password
+      disable_auto_update = var.disable_auto_update
+    })))
   }
 
   os_profile_linux_config {

examples/terraform/azure/output.tf

@@ -63,6 +63,7 @@ output "kubeone_workers" {
         operatingSystemSpec = {
           distUpgradeOnBoot               = false
           disableAutoUpdate               = var.disable_auto_update
+          disableLocksmithD               = var.disable_auto_update
           rhelSubscriptionManagerUser     = var.rhsm_username
           rhelSubscriptionManagerPassword = var.rhsm_password
           rhsmOfflineToken                = var.rhsm_offline_token

examples/terraform/equinixmetal/README.md

@@ -51,6 +51,7 @@ No modules.
 | <a name="input_control_plane_operating_system"></a> [control\_plane\_operating\_system](#input\_control\_plane\_operating\_system) | Image to use for control plane provisioning | `string` | `""` | no |
 | <a name="input_control_plane_vm_count"></a> [control\_plane\_vm\_count](#input\_control\_plane\_vm\_count) | number of control plane instances | `number` | `3` | no |
 | <a name="input_device_type"></a> [device\_type](#input\_device\_type) | type (size) of the device | `string` | `"m3.small.x86"` | no |
+| <a name="input_disable_auto_update"></a> [disable\_auto\_update](#input\_disable\_auto\_update) | Disable automatic flatcar updates (and reboot) | `bool` | `false` | no |
 | <a name="input_image_references"></a> [image\_references](#input\_image\_references) | map with images | <pre>map(object({<br>    image_name   = string<br>    ssh_username = string<br>    worker_os    = string<br>  }))</pre> | <pre>{<br>  "centos": {<br>    "image_name": "centos_7",<br>    "ssh_username": "root",<br>    "worker_os": "centos"<br>  },<br>  "flatcar": {<br>    "image_name": "flatcar_stable",<br>    "ssh_username": "core",<br>    "worker_os": "flatcar"<br>  },<br>  "rockylinux": {<br>    "image_name": "rocky_8",<br>    "ssh_username": "root",<br>    "worker_os": "rockylinux"<br>  },<br>  "ubuntu": {<br>    "image_name": "ubuntu_22_04",<br>    "ssh_username": "root",<br>    "worker_os": "ubuntu"<br>  }<br>}</pre> | no |
 | <a name="input_initial_machinedeployment_operating_system_profile"></a> [initial\_machinedeployment\_operating\_system\_profile](#input\_initial\_machinedeployment\_operating\_system\_profile) | Name of operating system profile for MachineDeployments, only applicable if operating-system-manager addon is enabled.<br>If not specified, the default value will be added by machine-controller addon. | `string` | `""` | no |
 | <a name="input_initial_machinedeployment_replicas"></a> [initial\_machinedeployment\_replicas](#input\_initial\_machinedeployment\_replicas) | Number of replicas per MachineDeployment | `number` | `2` | no |

examples/terraform/equinixmetal/main.tf

@@ -43,6 +43,8 @@ resource "metal_device" "control_plane" {
   billing_cycle    = "hourly"
   project_id       = var.project_id
   tags             = [local.kube_cluster_tag]
+
+  user_data = var.disable_auto_update ? file("./userdata_flatcar_upgrades.json") : null
 }
 
 resource "metal_device" "lb" {
@@ -56,6 +58,8 @@ resource "metal_device" "lb" {
   project_id       = var.project_id
   tags             = [local.kube_cluster_tag]
 
+  user_data = var.disable_auto_update ? file("./userdata_flatcar_upgrades.json") : null
+
   connection {
     type = "ssh"
     host = self.access_public_ipv4

examples/terraform/equinixmetal/output.tf

@@ -60,6 +60,8 @@ output "kubeone_workers" {
         operatingSystem = local.worker_os
         operatingSystemSpec = {
           distUpgradeOnBoot = false
+          disableAutoUpdate = var.disable_auto_update
+          disableLocksmithD = var.disable_auto_update
         }
         # nodeAnnotations are applied on resulting Node objects
         # nodeAnnotations = {

examples/terraform/equinixmetal/userdata_flatcar_upgrades.json

@@ -0,0 +1 @@
+{"ignition":{"version":"3.3.0"},"storage":{"files":[{"overwrite":true,"path":"/etc/flatcar/update.conf","contents":{"compression":"","source":"data:,SERVER%3Ddisabled%0A"},"mode":420}]}}

examples/terraform/equinixmetal/variables.tf

@@ -199,3 +199,9 @@ Name of operating system profile for MachineDeployments, only applicable if oper
 If not specified, the default value will be added by machine-controller addon.
 EOF
 }
+
+variable "disable_auto_update" {
+  description = "Disable automatic flatcar updates (and reboot)"
+  type        = bool
+  default     = false
+}

examples/terraform/openstack/README.md

@@ -73,6 +73,7 @@ No modules.
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of the cluster | `string` | n/a | yes |
 | <a name="input_control_plane_flavor"></a> [control\_plane\_flavor](#input\_control\_plane\_flavor) | OpenStack instance flavor for the control plane nodes | `string` | `"m1.small"` | no |
 | <a name="input_control_plane_vm_count"></a> [control\_plane\_vm\_count](#input\_control\_plane\_vm\_count) | number of control plane instances | `number` | `3` | no |
+| <a name="input_disable_auto_update"></a> [disable\_auto\_update](#input\_disable\_auto\_update) | Disable automatic flatcar updates (and reboot) | `bool` | `false` | no |
 | <a name="input_external_network_name"></a> [external\_network\_name](#input\_external\_network\_name) | OpenStack external network name | `string` | n/a | yes |
 | <a name="input_image"></a> [image](#input\_image) | image name to use | `string` | `""` | no |
 | <a name="input_image_properties_query"></a> [image\_properties\_query](#input\_image\_properties\_query) | in absence of var.image, this will be used to query API for the image | `map(any)` | <pre>{<br>  "os_distro": "ubuntu",<br>  "os_version": "22.04"<br>}</pre> | no |

examples/terraform/openstack/bastion.tf

@@ -32,6 +32,10 @@ resource "openstack_compute_instance_v2" "bastion" {
   key_pair        = openstack_compute_keypair_v2.deployer.name
   security_groups = [openstack_networking_secgroup_v2.securitygroup.name]
 
+  user_data = var.disable_auto_update ? templatefile("./userdata_flatcar_upgrades.json", {
+    ssh_key = trimspace(file(pathexpand(var.ssh_public_key_file)))
+  }) : null
+
   network {
     port = openstack_networking_port_v2.bastion.id
   }

examples/terraform/openstack/control_plane.tf

@@ -36,6 +36,10 @@ resource "openstack_compute_instance_v2" "control_plane" {
   key_pair        = openstack_compute_keypair_v2.deployer.name
   security_groups = [openstack_networking_secgroup_v2.securitygroup.name]
 
+  user_data = var.disable_auto_update ? templatefile("./userdata_flatcar_upgrades.json", {
+    ssh_key = trimspace(file(pathexpand(var.ssh_public_key_file)))
+  }) : null
+
   network {
     port = element(openstack_networking_port_v2.control_plane[*].id, count.index)
   }

examples/terraform/openstack/output.tf

@@ -72,6 +72,8 @@ output "kubeone_workers" {
         operatingSystem = var.worker_os
         operatingSystemSpec = {
           distUpgradeOnBoot = false
+          disableAutoUpdate = var.disable_auto_update
+          disableLocksmithD = var.disable_auto_update
         }
         # nodeAnnotations are applied on resulting Node objects
         # nodeAnnotations = {

examples/terraform/openstack/userdata_flatcar_upgrades.json

@@ -0,0 +1 @@
+{"ignition":{"version":"3.3.0"},"passwd":{"users":[{"name":"core","sshAuthorizedKeys":["${ssh_key}"]}]},"storage":{"files":[{"overwrite":true,"path":"/etc/flatcar/update.conf","contents":{"compression":"","source":"data:,SERVER%3Ddisabled%0A"},"mode":420}]}}

examples/terraform/openstack/variables.tf

@@ -190,3 +190,9 @@ Name of operating system profile for MachineDeployments, only applicable if oper
 If not specified, the default value will be added by machine-controller addon.
 EOF
 }
+
+variable "disable_auto_update" {
+  description = "Disable automatic flatcar updates (and reboot)"
+  type        = bool
+  default     = false
+}

examples/terraform/vsphere_flatcar/README.md

@@ -79,6 +79,7 @@ No modules.
 | <a name="input_datastore_cluster_name"></a> [datastore\_cluster\_name](#input\_datastore\_cluster\_name) | datastore cluster name | `string` | `""` | no |
 | <a name="input_datastore_name"></a> [datastore\_name](#input\_datastore\_name) | datastore name | `string` | `"datastore1"` | no |
 | <a name="input_dc_name"></a> [dc\_name](#input\_dc\_name) | datacenter name | `string` | `"dc-1"` | no |
+| <a name="input_disable_auto_update"></a> [disable\_auto\_update](#input\_disable\_auto\_update) | Disable automatic flatcar updates (and reboot) | `bool` | `false` | no |
 | <a name="input_disk_size"></a> [disk\_size](#input\_disk\_size) | disk size | `number` | `50` | no |
 | <a name="input_folder_name"></a> [folder\_name](#input\_folder\_name) | folder name | `string` | `"kubeone"` | no |
 | <a name="input_initial_machinedeployment_operating_system_profile"></a> [initial\_machinedeployment\_operating\_system\_profile](#input\_initial\_machinedeployment\_operating\_system\_profile) | Name of operating system profile for MachineDeployments, only applicable if operating-system-manager addon is enabled.<br>If not specified, the default value will be added by machine-controller addon. | `string` | `""` | no |

examples/terraform/vsphere_flatcar/main.tf

@@ -116,16 +116,27 @@ resource "vsphere_virtual_machine" "control_plane" {
           ]
         },
         storage = {
-          files = [
-            {
-              filesystem = "root"
-              path       = "/etc/hostname"
-              mode       = 420
-              contents = {
-                source = "data:,${local.hostnames[count.index]}"
+          files = concat(
+            [
+              {
+                filesystem = "root"
+                path       = "/etc/hostname"
+                mode       = 420
+                contents = {
+                  source = "data:,${local.hostnames[count.index]}"
+                }
               }
-            }
-          ]
+            ], var.disable_auto_update ?
+            [
+              {
+                filesystem = "root"
+                path       = "/etc/flatcar/update.conf"
+                mode       = 420
+                contents = {
+                  source = "data:,SERVER%3Ddisabled%0A"
+                }
+              }
+          ] : [])
         },
         passwd = {
           users = [

examples/terraform/vsphere_flatcar/outputs.tf

@@ -64,6 +64,8 @@ output "kubeone_workers" {
         operatingSystem = var.worker_os
         operatingSystemSpec = {
           distUpgradeOnBoot = false
+          disableAutoUpdate = var.disable_auto_update
+          disableLocksmithD = var.disable_auto_update
         }
         # nodeAnnotations are applied on resulting Node objects
         # nodeAnnotations = {

examples/terraform/vsphere_flatcar/variables.tf

@@ -233,3 +233,9 @@ variable "is_vsphere_enterprise_plus_license" {
   type        = bool
   default     = true
 }
+
+variable "disable_auto_update" {
+  description = "Disable automatic flatcar updates (and reboot)"
+  type        = bool
+  default     = false
+}

test/e2e/testdata/openstack_flatcar.tfvars

@@ -5,3 +5,4 @@ image                 = "kubeone-e2e-flatcar"
 worker_os             = "flatcar"
 ssh_username          = "core"
 bastion_user          = "core"
+disable_auto_update   = true

test/e2e/tests_definitions.go

@@ -157,6 +157,7 @@ var (
 				path:    "../../examples/terraform/aws",
 				varFile: "testdata/aws_medium.tfvars",
 				vars: []string{
+					"disable_auto_update=true",
 					"os=flatcar",
 				},
 			},
@@ -199,6 +200,7 @@ var (
 				path:    "../../examples/terraform/aws",
 				varFile: "testdata/aws_medium.tfvars",
 				vars: []string{
+					"disable_auto_update=true",
 					"os=flatcar",
 					"worker_deploy_ssh_key=false",
 				},
@@ -632,6 +634,7 @@ var (
 			terraform: terraformBin{
 				path: "../../examples/terraform/equinixmetal",
 				vars: []string{
+					"disable_auto_update=true",
 					"os=flatcar",
 				},
 			},
@@ -652,9 +655,8 @@ var (
 			terraform: terraformBin{
 				path: "../../../kubeone-stable/examples/terraform/equinixmetal",
 				vars: []string{
-					"control_plane_operating_system=flatcar_stable",
-					"worker_os=flatcar",
-					"ssh_username=core",
+					"disable_auto_update=true",
+					"os=flatcar",
 				},
 			},
 			protokol: protokolBin{
@@ -1015,6 +1017,7 @@ var (
 				path:    "../../examples/terraform/vsphere_flatcar",
 				varFile: "testdata/vsphere.tfvars",
 				vars: []string{
+					"disable_auto_update=true",
 					"template_name=kkp-flatcar-stable",
 				},
 			},