This message was deleted.
# rke2a
adamant-kite-43734
05/04/2022, 2:39 PMThis message was deleted.
f
faint-airport-83518
05/04/2022, 2:39 PMfaint-airport-83518
05/04/2022, 2:57 PMoh, I think I understand
we just need to grab this container and add it to a plan every time we want to update
g
gray-lawyer-73831
05/04/2022, 3:10 PMYep exactly! Or you can upgrade based on channel, but doing that you’d want to have an automated solution to pull the rke2-upgrade containers into your private registry as well, otherwise the upgrade will of course fail with the image not being able to pull
f
faint-airport-83518
05/04/2022, 3:35 PMgot it, thanks.
Do you know if nodes need to reboot after being "upgraded"? We're running in an azure vmscaleset - essentially an aws autoscaling group equiv.
Just trying to weigh our options on what's least painful to maintain
some kind of ansible/bash script to drain + kill vms or to implement this
g
gray-lawyer-73831
05/04/2022, 3:36 PMNope, just the rke2 process needs to be restarted (which, if you are using automated upgrade, it will handle all that for you).
f
faint-airport-83518
05/04/2022, 3:37 PMHow about any complications with SELinux? Or we should be good to go with the rke2-selinux package?
g
gray-lawyer-73831
05/04/2022, 3:38 PMshould be good to go with the rke2-selinux package
f
faint-airport-83518
05/04/2022, 3:38 PMalright, I'll give it a shot. appreciate it.
👍 1
faint-airport-83518
05/04/2022, 5:38 PMg
gray-lawyer-73831
05/04/2022, 5:39 PMf
faint-airport-83518
05/04/2022, 5:43 PMKind of a stupid side question.. what's the difference between v1.21,1.22,1.23?
faint-airport-83518
05/04/2022, 5:44 PMcorrelation to k8s version, I'm guessing?
faint-airport-83518
05/04/2022, 5:46 PMyeah, that was a dumb question heh
g
gray-lawyer-73831
05/04/2022, 5:46 PMcorrelation to k8s version, I’m guessing?Yep! 😄
f
faint-airport-83518
05/05/2022, 5:19 PMHey - so I got this thing deployed in my airgap and all my images mirrored... plans deployed etc. but it doesn't look like it's doing anything?
faint-airport-83518
05/05/2022, 5:20 PMI see this env var that I kustomized in -
SYSTEM_UPGRADE_JOB_KUBECTL_IMAGEg
gray-lawyer-73831
05/05/2022, 5:20 PMwhat’s your current rke2 version, and what version or channel do you have in your plan?
f
faint-airport-83518
05/05/2022, 5:22 PM Copy code
apiVersion: <http://kustomize.toolkit.fluxcd.io/v1beta1|kustomize.toolkit.fluxcd.io/v1beta1>
kind: Kustomization
metadata:
name: rke2-system-upgrade-controller
namespace: bigbang
spec:
interval: 1m
sourceRef:
kind: GitRepository
name: rke2-system-upgrade-controller-repo
path: .
prune: true
images:
- name: rancher/system-upgrade-controller
newName: private.registry.internal/rancher/system-upgrade-controller
newTag: v0.9.1
patches:
- patch: |-
apiVersion: v1
kind: ConfigMap
metadata:
name: default-controller-env
data:
SYSTEM_UPGRADE_JOB_KUBECTL_IMAGE: private.registry.internal/rancher/kubectl:v1.23.6
target:
kind: ConfigMap
- patch: |-
apiVersion: apps/v1
kind: Deployment
metadata:
name: system-upgrade-controller
namespace: system-upgrade
spec:
template:
spec:
imagePullSecrets:
- name: private-registry
target:
kind: Deploymentfaint-airport-83518
05/05/2022, 5:23 PMI have the images airgapped with those tags.. and it's mirroed correctly, etc, the deployment is deployed
faint-airport-83518
05/05/2022, 5:23 PMmy plan:
faint-airport-83518
05/05/2022, 5:23 PMmy plan is also kustomized in -
Copy code
patches:
- target:
kind: Plan
patch: |-
apiVersion: <http://upgrade.cattle.io/v1|upgrade.cattle.io/v1>
kind: Plan
metadata:
name: whatever
spec:
version: v1.22.9-rke2r1faint-airport-83518
05/05/2022, 5:23 PMI'm just using the default and patching in the versions
g
gray-lawyer-73831
05/05/2022, 5:24 PMso, from the initial thing you posted, do you have a namespace
system-upgradesystem-upgrade-controllerf
faint-airport-83518
05/05/2022, 5:24 PMyeah
g
gray-lawyer-73831
05/05/2022, 5:24 PMand what’s the current rke2 version running in the cluster?
f
faint-airport-83518
05/05/2022, 5:25 PMv1.22.6+rke2r1
faint-airport-83518
05/05/2022, 5:25 PMI may need to update the image paths in my plans now that I'm looking at it..
👍 1
faint-airport-83518
05/05/2022, 5:26 PMI'm guessing I'll need image pull secrets too?
g
gray-lawyer-73831
05/05/2022, 5:26 PMYeah so you have the prereqs, next is just making sure the Plan is up to snuff
f
faint-airport-83518
05/05/2022, 5:26 PM Copy code
# Server plan
apiVersion: <http://upgrade.cattle.io/v1|upgrade.cattle.io/v1>
kind: Plan
metadata:
name: server-plan
namespace: system-upgrade
labels:
rke2-upgrade: server
spec:
concurrency: 1
nodeSelector:
matchExpressions:
- {key: rke2-upgrade, operator: Exists}
- {key: rke2-upgrade, operator: NotIn, values: ["disabled", "false"]}
# When using k8s version 1.19 or older, swap control-plane with master
- {key: <http://node-role.kubernetes.io/control-plane|node-role.kubernetes.io/control-plane>, operator: In, values: ["true"]}
serviceAccountName: system-upgrade
cordon: true
# drain:
# force: true
upgrade:
image: rancher/rke2-upgrade
version: v1.23.1+rke2r2
---
# Agent plan
apiVersion: <http://upgrade.cattle.io/v1|upgrade.cattle.io/v1>
kind: Plan
metadata:
name: agent-plan
namespace: system-upgrade
labels:
rke2-upgrade: agent
spec:
concurrency: 1
nodeSelector:
matchExpressions:
- {key: rke2-upgrade, operator: Exists}
- {key: rke2-upgrade, operator: NotIn, values: ["disabled", "false"]}
# When using k8s version 1.19 or older, swap control-plane with master
- {key: <http://node-role.kubernetes.io/control-plane|node-role.kubernetes.io/control-plane>, operator: NotIn, values: ["true"]}
prepare:
args:
- prepare
- server-plan
image: rancher/rke2-upgrade
serviceAccountName: system-upgrade
cordon: true
drain:
force: true
upgrade:
image: rancher/rke2-upgrade
version: v1.23.1+rke2r2faint-airport-83518
05/05/2022, 5:26 PMI have this I'm just kustomizing over it
g
gray-lawyer-73831
05/05/2022, 5:26 PMYou might yeah, but if all the images necessary for v1.22.9 are present in your private registry then you might not
f
faint-airport-83518
05/05/2022, 5:27 PMwell, uhh
faint-airport-83518
05/05/2022, 5:27 PMis there anywhere in here I can fit in some secrets?
faint-airport-83518
05/05/2022, 5:27 PM( if needed)
faint-airport-83518
05/05/2022, 5:27 PMnot totally sure what a plan does tbh
g
gray-lawyer-73831
05/05/2022, 5:30 PMI don’t think there’s anywhere to put in secrets actually
f
faint-airport-83518
05/05/2022, 5:30 PMfudge
g
gray-lawyer-73831
05/05/2022, 5:30 PMbut that shouldn’t block anything
gray-lawyer-73831
05/05/2022, 5:30 PMthe Plans tell system-upgrade-controller what to do
f
faint-airport-83518
05/05/2022, 5:31 PMalright, cool I wasn't sure if it was trying to do some other pod standup or something
faint-airport-83518
05/05/2022, 5:31 PMhow about this other rancher/kubectl container?
g
gray-lawyer-73831
05/05/2022, 5:31 PMWhen it works, it will create Jobs (which will create pods) to upgrade
gray-lawyer-73831
05/05/2022, 5:32 PMin my plans, I don’t mess with the kubectl version at all, but you should be able to adjust it as you’ve done. I think that is used in the jobs that get deployed
gray-lawyer-73831
05/05/2022, 5:32 PMbut my knowledge in this area is a little bit fuzzy
gray-lawyer-73831
05/05/2022, 5:32 PMhere are known working plans though (not necessarily for airgap, but should be the same):
Copy code
apiVersion: <http://upgrade.cattle.io/v1|upgrade.cattle.io/v1>
kind: Plan
metadata:
name: rke2-server
namespace: system-upgrade
labels:
rke2-upgrade: server
spec:
concurrency: 1
version: v1.22.8-rke2r1
nodeSelector:
matchExpressions:
- {key: <http://node-role.kubernetes.io/master|node-role.kubernetes.io/master>, operator: In, values: ["true"]}
serviceAccountName: system-upgrade
cordon: true
#drain:
# force: true
upgrade:
image: rancher/rke2-upgrade
---
apiVersion: <http://upgrade.cattle.io/v1|upgrade.cattle.io/v1>
kind: Plan
metadata:
name: rke2-agent
namespace: system-upgrade
labels:
rke2-upgrade: agent
spec:
concurrency: 2
version: v1.22.8-rke2r1
nodeSelector:
matchExpressions:
- {key: <http://node-role.kubernetes.io/master|node-role.kubernetes.io/master>, operator: NotIn, values: ["true"]}
serviceAccountName: system-upgrade
prepare:
image: rancher/rke2-upgrade
args: ["prepare", "rke2-server"]
drain:
force: true
upgrade:
image: rancher/rke2-upgradef
faint-airport-83518
05/05/2022, 5:32 PMso I kustoized our image path over this ->
Copy code
---
apiVersion: v1
kind: ConfigMap
metadata:
name: default-controller-env
namespace: system-upgrade
data:
SYSTEM_UPGRADE_CONTROLLER_DEBUG: "false"
SYSTEM_UPGRADE_CONTROLLER_THREADS: "2"
SYSTEM_UPGRADE_JOB_ACTIVE_DEADLINE_SECONDS: "900"
SYSTEM_UPGRADE_JOB_BACKOFF_LIMIT: "99"
SYSTEM_UPGRADE_JOB_IMAGE_PULL_POLICY: "Always"
SYSTEM_UPGRADE_JOB_KUBECTL_IMAGE: "rancher/kubectl:v1.21.9"
SYSTEM_UPGRADE_JOB_PRIVILEGED: "true"
SYSTEM_UPGRADE_JOB_TTL_SECONDS_AFTER_FINISH: "900"
SYSTEM_UPGRADE_PLAN_POLLING_INTERVAL: "15m"faint-airport-83518
05/05/2022, 5:32 PMjust all of our images usually need a secret to be pulled
g
gray-lawyer-73831
05/05/2022, 5:33 PMYour best bet is checking throughout https://github.com/rancher/system-upgrade-controller to see if there is some imagepullsecret support
gray-lawyer-73831
05/05/2022, 5:34 PMhttps://github.com/rancher/system-upgrade-controller/blob/aa0f2bb8dd88d45716c3215d590aec8f8777e5c8/examples/suse/sles.yaml which it looks like there might be!
f
faint-airport-83518
05/05/2022, 5:36 PMahh so that's like a uh, host volume secret mount or something
g
gray-lawyer-73831
05/05/2022, 5:37 PMf
faint-airport-83518
05/05/2022, 5:37 PMI was more so looking at this configmap
https://github.com/rancher/system-upgrade-controller/blob/master/manifests/system-upgrade-controller.yaml#L25-L39
g
gray-lawyer-73831
05/05/2022, 5:37 PMairgap of course always makes things more complicated, and to be honest, it’s probably safer in airgap to do what I call a “manual upgrade”
gray-lawyer-73831
05/05/2022, 5:38 PMbecause there could be cases where you don’t have the images necessary for an upgrade, and then these automated upgrades try to pull anyway, and end up breaking your cluster
f
faint-airport-83518
05/05/2022, 5:38 PMhaven't had time to learn go yet heh
g
gray-lawyer-73831
05/05/2022, 5:39 PMyeah that configmap controls the system-upgrade-controller deployment, which is the brains (the controller) behind how it applies the plans to upgrade your cluster
f
faint-airport-83518
05/05/2022, 5:40 PMfaint-airport-83518
05/05/2022, 5:40 PMI THINK.. i need a secret in here somewhere so something can spin up a pod with this container?
faint-airport-83518
05/05/2022, 5:45 PMKubectlImageimagePullSecretsg
gray-lawyer-73831
05/05/2022, 5:48 PMIt’s possible that doesn’t exist and would need an enhancement to system-upgrade-controller in general. It wouldn’t hurt if you want to create an issue in that repo with the details of what you think you’d need, and if it does exist, someone with more knowledge of this than me can respond and hopefully point you in the right direction. Or if it doesn’t, it can get added and supported eventually 🙂
f
faint-airport-83518
05/05/2022, 5:50 PMcool - thanks for poking around for me. I'll try to put one in. Just didn't know what I was looking at/for tbh :^)
g
gray-lawyer-73831
05/05/2022, 5:50 PMSorry I’m not much help here! It’s fun debugging this stuff though. Thank you!
f
faint-airport-83518
05/05/2022, 5:56 PMit's weird, I think everything is deployed.. it's just not doing anything lol
faint-airport-83518
05/05/2022, 5:57 PMfrom the rancher/system-upgrade-controller:v0.9.1 pod:
Copy code
│
│ system-upgrade-controller-5bd59b74fc-hnqn6 W0505 17:56:39.022311 1 client_config.go:552] Neither --kubeconfig nor --master was specified. Using the inClusterConfig. This might not work. │
│ system-upgrade-controller-5bd59b74fc-hnqn6 time="2022-05-05T17:56:39Z" level=info msg="Applying CRD <http://plans.upgrade.cattle.io|plans.upgrade.cattle.io>" │
│ system-upgrade-controller-5bd59b74fc-hnqn6 time="2022-05-05T17:56:40Z" level=info msg="Starting /v1, Kind=Node controller" │
│ system-upgrade-controller-5bd59b74fc-hnqn6 time="2022-05-05T17:56:40Z" level=info msg="Starting /v1, Kind=Secret controller" │
│ system-upgrade-controller-5bd59b74fc-hnqn6 time="2022-05-05T17:56:40Z" level=info msg="Starting batch/v1, Kind=Job controller" │
│ system-upgrade-controller-5bd59b74fc-hnqn6 time="2022-05-05T17:56:40Z" level=info msg="Starting <http://upgrade.cattle.io/v1|upgrade.cattle.io/v1>, Kind=Plan controller" │
│g
gray-lawyer-73831
05/05/2022, 5:57 PMI’d try to minimize your plans, maybe only give it a server plan for now. When those are applied and it is a new version and working, you should see jobs/pods created
gray-lawyer-73831
05/05/2022, 5:57 PMspecifically minimize the nodeSelector in there
f
faint-airport-83518
05/05/2022, 6:01 PMokay - i'll try to pull off. those two rke2-upgrade labels? what should put them there though (normally)?
Copy code
# Server plan
apiVersion: <http://upgrade.cattle.io/v1|upgrade.cattle.io/v1>
kind: Plan
metadata:
name: server-plan
namespace: system-upgrade
labels:
rke2-upgrade: server
spec:
concurrency: 1
nodeSelector:
matchExpressions:
- {key: rke2-upgrade, operator: Exists}
- {key: rke2-upgrade, operator: NotIn, values: ["disabled", "false"]}
# When using k8s version 1.19 or older, swap control-plane with master
- {key: <http://node-role.kubernetes.io/control-plane|node-role.kubernetes.io/control-plane>, operator: In, values: ["true"]}
serviceAccountName: system-upgrade
cordon: true
# drain:
# force: true
upgrade:
image: rancher/rke2-upgrade
version: v1.23.1+rke2r2g
gray-lawyer-73831
05/05/2022, 6:02 PM Copy code
# Server plan
apiVersion: <http://upgrade.cattle.io/v1|upgrade.cattle.io/v1>
kind: Plan
metadata:
name: server-plan
namespace: system-upgrade
labels:
rke2-upgrade: server
spec:
concurrency: 1
nodeSelector:
matchExpressions:
- {key: <http://node-role.kubernetes.io/control-plane|node-role.kubernetes.io/control-plane>, operator: In, values: ["true"]}
serviceAccountName: system-upgrade
cordon: true
# drain:
# force: true
upgrade:
image: rancher/rke2-upgrade
version: v1.23.1-rke2r2gray-lawyer-73831
05/05/2022, 6:02 PMTry that
gray-lawyer-73831
05/05/2022, 6:02 PMI think I see the issue
gray-lawyer-73831
05/05/2022, 6:02 PMthe
versiongray-lawyer-73831
05/05/2022, 6:02 PMit should be a dash instead of a plus
f
faint-airport-83518
05/05/2022, 6:03 PMI pulled that from here btw
https://docs.rke2.io/upgrade/automated_upgrade/#configure-plans
faint-airport-83518
05/05/2022, 6:03 PM🤪
faint-airport-83518
05/05/2022, 6:04 PMhey I'm getting some errors from OPA gatekeeper blocking some stuff, that's progress
🎉 1
faint-airport-83518
05/05/2022, 6:04 PMtime to go create some new exceptions..weee
g
gray-lawyer-73831
05/05/2022, 6:06 PMgray-lawyer-73831
05/05/2022, 6:06 PM😄
f
faint-airport-83518
05/05/2022, 6:12 PMI see a job
🦜 1
faint-airport-83518
05/05/2022, 6:15 PMyeah in the job container spec it's referencing my airgapped
Copy code
- name: SYSTEM_UPGRADE_PLAN_LATEST_VERSION
value: v1.22.9-rke2r1
image: private.registry/rancher/rke2-upgrade:v1.22.9-rke2r1
imagePullPolicy: Always
name: upgradeg
gray-lawyer-73831
05/05/2022, 6:48 PMyou don’t see any pods created? yeah probably stuck from something.. maybe those secrets here too 🤔
f
faint-airport-83518
05/05/2022, 6:56 PMyeah I look at the job and there's no pods in there
faint-airport-83518
05/05/2022, 7:00 PMhold on... OPA gatekeeper was blocking privileged containers even through my wildcard exceptions...
faint-airport-83518
05/05/2022, 7:01 PM Copy code
│ Events: │
│ Type Reason Age From Message │
│ ---- ------ ---- ---- ------- │
│ Warning FailedScheduling 113s default-scheduler 0/7 nodes are available: 3 node(s) had taint {CriticalAddonsOnly: true}, that the pod didn't tolerate, 4 node(s) didn't match Pod's node affinity/selector. │
│ Warning FailedScheduling 52s default-scheduler 0/7 nodes are available: 3 node(s) had taint {CriticalAddonsOnly: true}, that the pod didn't tolerate, 4 node(s) didn't match Pod's node affinity/selector.faint-airport-83518
05/05/2022, 7:01 PMahhh super close
🙏 1
faint-airport-83518
05/05/2022, 7:03 PMI think those taints are part of our RKE2 deployment... I don't remember why..
faint-airport-83518
05/05/2022, 7:08 PMalright, hopefully I can add a toleration to this thing
faint-airport-83518
05/05/2022, 7:25 PMahhh!!!!
faint-airport-83518
05/05/2022, 7:27 PMI got past gatekeeper + taints and tolerations
Copy code
Events: │
│ Type Reason Age From Message │
│ ---- ------ ---- ---- ------- │
│ Normal Scheduled 66s default-scheduler Successfully assigned system-upgrade/apply-server-plan-on-vm-gvzonecil2zackrke2server000002--1-6qvnr to vm-gvzonecil2zackrke2server000002 │
│ Normal Pulling 25s (x3 over 67s) kubelet Pulling image "private.registry/rancher/kubectl:v1.23.6" │
│ Warning Failed 24s (x3 over 66s) kubelet Failed to pull image "private.registry/rancher/kubectl:v1.23.6": rpc error: code = Unknown desc = failed to pull and unpack image "private.registry/rancher/kubectl:v1.23.6": failed to resolve reference "private.registry/rancher/kub │
│ ectl:v1.23.6": pulling from host zarf.c1.internal failed with status code [manifests v1.23.6]: 401 Unauthorized │
│ Warning Failed 24s (x3 over 66s) kubelet Error: ErrImagePull │
│ Normal BackOff 13s (x3 over 66s) kubelet Back-off pulling image "private.registry/rancher/kubectl:v1.23.6" │
│ Warning Failed 13s (x3 over 66s) kubelet Error: ImagePullBackOff │
│faint-airport-83518
05/05/2022, 7:28 PMI'm mirroring -> private.registry to zarf.c1.internal
faint-airport-83518
05/05/2022, 7:28 PMjust need those imagePullSecrets
g
gray-lawyer-73831
05/05/2022, 7:29 PMYou might be able to edit the job directly and add those! Also, maybe putting the credentials in registries.yaml to avoid messing around with imagepullsecrets entirely
f
faint-airport-83518
05/05/2022, 8:23 PMI added the credentials to registries.yaml on one of nodes and it upgrades
faint-airport-83518
05/05/2022, 8:24 PMonly problem is it's a pain because the registry creds are randomly generated after the rke2 cluster is up and running heh
faint-airport-83518
05/05/2022, 8:24 PMwe need to figure out a way to generate the secrets and have our private registry use them..
g
gray-lawyer-73831
05/05/2022, 8:26 PMAhh interesting setup! So you bring the cluster up using the tarball then I assume, and then run a private registry within the cluster itself?
f
faint-airport-83518
05/05/2022, 8:27 PMusing a tool called zarf which packages up all of our artifacts and hosts them in a docker registry and gitea server
faint-airport-83518
05/05/2022, 8:27 PMso it's a fat tarball with everything that we can bring into an airgap
g
gray-lawyer-73831
05/05/2022, 8:28 PMmakes sense. So it’s much easier to just use imagepullsecrets for everything then and ensure to include that in the manifests
gray-lawyer-73831
05/05/2022, 8:29 PMokay for one of the nodes that hasn’t upgraded yet, are you able to edit the job directly and add the imagepullsecrets?
gray-lawyer-73831
05/05/2022, 8:30 PMor maybe just the pod
f
faint-airport-83518
05/05/2022, 8:30 PMon the job? let me try
faint-airport-83518
05/05/2022, 8:42 PMI can't change it on the pod because you can't change a pod spec for imagePullSecrets
Copy code
# pods "apply-server-plan-on-vm-gvzonecil2zackrke2server000000--1-h4pnm" was not valid:
# * spec: Forbidden: pod updates may not change fields other than `spec.containers[*].image`, `spec.initContainers[*].image`, `spec.activeDeadlineSeconds`, `spec.tolerations` (only additions to existing tolerations) or `spec.terminationGracePeriodSeconds` (allow it to be set to 1 if it was previously negative)
# core.PodSpec{
# ... // 11 identical fields
# NodeName: "vm-gvzonecil2zackrke2server000000",
# SecurityContext: &{HostNetwork: true, HostPID: true, HostIPC: true},
# - ImagePullSecrets: []core.LocalObjectReference{{Name: "private-registry"}},
# + ImagePullSecrets: nil,
# Hostname: "",
# Subdomain: "",
# ... // 14 identical fields
# }
#rke2🤦 1
g
gray-lawyer-73831
05/05/2022, 8:43 PMright
f
faint-airport-83518
05/05/2022, 8:43 PMand I can't change the job
faint-airport-83518
05/05/2022, 8:43 PMand I can't have the plan put it in the job
g
gray-lawyer-73831
05/05/2022, 8:44 PMdarn, okay. I’m going to do some internal snooping around to see if there’s a way. Would you create an issue in system-upgrade-controller repo as well? I think this is something that we don’t currently have but clearly it could be nice to include
f
faint-airport-83518
05/05/2022, 8:45 PMyeah I don't think it should be a heavy lift to add it to the job templating for the pod spec
💯 1
faint-airport-83518
05/05/2022, 8:45 PMnot that I'm a go developer
g
gray-lawyer-73831
05/05/2022, 8:46 PMIt shouldn’t be, but I can’t guarantee that it’ll get completed at all or at least anytime soon since there are always a lot of other priorities going on, but let’s see what we can do! 💪 Thank you for debugging on this too, and I’m glad we found something that works even if it’s a pain right now
gray-lawyer-73831
05/05/2022, 8:52 PMhey
gray-lawyer-73831
05/05/2022, 8:52 PMhttps://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#add-imagepullsecrets-to-a-service-account this might be a better approach
f
faint-airport-83518
05/05/2022, 9:05 PMhuh
faint-airport-83518
05/05/2022, 9:05 PMinteresting
faint-airport-83518
05/05/2022, 9:05 PMcan I kustomize that in?
faint-airport-83518
05/05/2022, 9:08 PMI'm afk a bit - will try later for surs
g
gray-lawyer-73831
05/05/2022, 9:19 PMI think you probably can, but I’ve never done that before so I’m not sure! I asked someone a lot smarter than me and he pointed me there 🙂
f
faint-airport-83518
05/05/2022, 9:42 PMdamn, that worked
faint-airport-83518
05/05/2022, 9:42 PMnice
g
gray-lawyer-73831
05/05/2022, 9:42 PMbeautiful
f
faint-airport-83518
05/05/2022, 9:42 PM Copy code
apiVersion: <http://kustomize.toolkit.fluxcd.io/v1beta1|kustomize.toolkit.fluxcd.io/v1beta1>
kind: Kustomization
metadata:
name: rke2-system-upgrade-controller
namespace: bigbang
spec:
interval: 1m
sourceRef:
kind: GitRepository
name: rke2-system-upgrade-controller-repo
path: .
prune: true
images:
- name: rancher/system-upgrade-controller
newName: private.registry/rancher/system-upgrade-controller
newTag: v0.9.1
patches:
- patch: |-
apiVersion: v1
kind: ConfigMap
metadata:
name: default-controller-env
data:
SYSTEM_UPGRADE_JOB_KUBECTL_IMAGE: private.registry/rancher/kubectl:v1.22.6
target:
kind: ConfigMap
- patch: |-
apiVersion: apps/v1
kind: Deployment
metadata:
name: system-upgrade-controller
namespace: system-upgrade
spec:
template:
spec:
imagePullSecrets:
- name: private-registry
target:
kind: Deployment
- patch: |-
apiVersion: v1
kind: ServiceAccount
metadata:
name: system-upgrade
namespace: system-upgrade
imagePullSecrets:
- name: private-registry
target:
kind: ServiceAccountfaint-airport-83518
05/05/2022, 9:43 PMthanks for helping me out man
faint-airport-83518
05/05/2022, 9:43 PMstill going to keep the issue up, but this is totally workable compared to shoving it into registries.yaml for us
g
gray-lawyer-73831
05/05/2022, 9:47 PMYeah I’m glad we got something going! I’ll comment on the issue that doing this works too 🙂
f
faint-airport-83518
05/06/2022, 2:29 PMso now that I got this thing working.. I'm getting a lot of errors on my worker nodes upgrading regarding not being able to evict pods.. so looking into that now
Copy code
│ drain evicting pod logging/logging-ek-es-master-0 │
│ drain evicting pod istio-system/passthrough-ingressgateway-7879ff64db-kh86m │
│ drain evicting pod gatekeeper-system/gatekeeper-controller-manager-5bd878c895-4sbrp │
│ drain error when evicting pods/"passthrough-ingressgateway-7879ff64db-kh86m" -n "istio-system" (will retry after 5s): Cannot evict pod as it would violate the pod's disruption budget. │
│ drain error when evicting pods/"gatekeeper-controller-manager-5bd878c895-4sbrp" -n "gatekeeper-system" (will retry after 5s): Cannot evict pod as it would violate the pod's disruption budget. │
│ drain error when evicting pods/"logging-ek-es-master-0" -n "logging" (will retry after 5s): Cannot evict pod as it would violate the pod's disruption budget.faint-airport-83518
05/06/2022, 4:35 PMa bunch of my operators/helm charts had pod disruption budgets - so we are scaling up 🙂
💪 1
2 Views