bottlerocket host update api integration

Adds support for updating via the Bottlerocket Update API.
The new platform is used if the node is labeled
bottlerocket.aws/updater-interface-version=2.0.0

deploy/update-operator-api.yaml

@@ -0,0 +1,193 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: bottlerocket
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: bottlerocket-update-operator-controller
+rules:
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+  # Allow the controller to remove Pods running on the Nodes that are updating.
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: bottlerocket-update-operator-controller
+subjects:
+  - kind: ServiceAccount
+    name: update-operator-controller
+    namespace: bottlerocket
+roleRef:
+  kind: ClusterRole
+  name: bottlerocket-update-operator-controller
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: bottlerocket-update-operator-agent
+rules:
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: bottlerocket-update-operator-agent
+subjects:
+  - kind: ServiceAccount
+    name: update-operator-agent
+    namespace: bottlerocket
+roleRef:
+  kind: ClusterRole
+  name: bottlerocket-update-operator-agent
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: update-operator-controller
+  namespace: bottlerocket
+  annotations:
+    kubernetes.io/service-account.name: update-operator-controller
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: update-operator-agent
+  namespace: bottlerocket
+  annotations:
+    kubernetes.io/service-account.name: update-operator-agent
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: update-operator-controller
+  namespace: bottlerocket
+  labels:
+    update-operator: controller
+spec:
+  replicas: 1
+  strategy:
+    rollingUpdate:
+      maxUnavailable: 100%
+  selector:
+    matchLabels:
+      update-operator: controller
+  template:
+    metadata:
+      namespace: bottlerocket
+      labels:
+        update-operator: controller
+    spec:
+      serviceAccountName: update-operator-controller
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: bottlerocket.aws/updater-interface-version
+                    operator: Exists
+                  - key: "kubernetes.io/os"
+                    operator: In
+                    values:
+                      - linux
+                  - key: "kubernetes.io/arch"
+                    operator: In
+                    values:
+                      - amd64
+        # Avoid update-operator's Agent Pods if possible.
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 10
+              podAffinityTerm:
+                topologyKey: bottlerocket.aws/updater-interface-version
+                labelSelector:
+                  matchExpressions:
+                    - key: update-operator
+                      operator: In
+                      values: ["agent"]
+      containers:
+      - name: controller
+        image: "328549459982.dkr.ecr.us-west-2.amazonaws.com/bottlerocket-update-operator:v0.1.4"
+        imagePullPolicy: Always
+        args:
+          - -controller
+          - -debug
+          - -nodeName
+          - $(NODE_NAME)
+        env:
+          - name: NODE_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: spec.nodeName
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: update-operator-agent
+  namespace: bottlerocket
+  labels:
+    update-operator: agent
+spec:
+  selector:
+    matchLabels:
+      update-operator: agent
+  template:
+    metadata:
+      labels:
+        update-operator: agent
+    spec:
+      serviceAccountName: update-operator-agent
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: bottlerocket.aws/updater-interface-version
+                    operator: Exists
+                  - key: "kubernetes.io/os"
+                    operator: In
+                    values:
+                      - linux
+                  - key: "kubernetes.io/arch"
+                    operator: In
+                    values:
+                      - amd64
+      hostPID: true
+      containers:
+        - name: agent
+          image: "328549459982.dkr.ecr.us-west-2.amazonaws.com/bottlerocket-update-operator:v0.1.4"
+          imagePullPolicy: Always
+          args:
+            - -agent
+            - -debug
+            - -nodeName
+            - $(NODE_NAME)
+          env:
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+          resources:
+            limits:
+              memory: 600Mi
+            requests:
+              cpu: 100m
+              memory: 600Mi
+          volumeMounts:
+            - name: bottlerocket-api-socket
+              mountPath: /run/api.sock
+      volumes:
+        - name: bottlerocket-api-socket
+          hostPath:
+            path: /run/api.sock
+            type: Socket

deploy/update-operator-updog.yaml

@@ -0,0 +1,198 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: bottlerocket
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: bottlerocket-update-operator-controller
+rules:
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+  # Allow the controller to remove Pods running on the Nodes that are updating.
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: bottlerocket-update-operator-controller
+subjects:
+  - kind: ServiceAccount
+    name: update-operator-controller
+    namespace: bottlerocket
+roleRef:
+  kind: ClusterRole
+  name: bottlerocket-update-operator-controller
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: bottlerocket-update-operator-agent
+rules:
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list", "watch", "update", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: bottlerocket-update-operator-agent
+subjects:
+  - kind: ServiceAccount
+    name: update-operator-agent
+    namespace: bottlerocket
+roleRef:
+  kind: ClusterRole
+  name: bottlerocket-update-operator-agent
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: update-operator-controller
+  namespace: bottlerocket
+  annotations:
+    kubernetes.io/service-account.name: update-operator-controller
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: update-operator-agent
+  namespace: bottlerocket
+  annotations:
+    kubernetes.io/service-account.name: update-operator-agent
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: update-operator-controller
+  namespace: bottlerocket
+  labels:
+    update-operator: controller
+spec:
+  replicas: 1
+  strategy:
+    rollingUpdate:
+      maxUnavailable: 100%
+  selector:
+    matchLabels:
+      update-operator: controller
+  template:
+    metadata:
+      namespace: bottlerocket
+      labels:
+        update-operator: controller
+    spec:
+      serviceAccountName: update-operator-controller
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: bottlerocket.aws/updater-interface-version
+                    operator: Exists
+                  - key: "kubernetes.io/os"
+                    operator: In
+                    values:
+                      - linux
+                  - key: "kubernetes.io/arch"
+                    operator: In
+                    values:
+                      - amd64
+        # Avoid update-operator's Agent Pods if possible.
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 10
+              podAffinityTerm:
+                topologyKey: bottlerocket.aws/updater-interface-version
+                labelSelector:
+                  matchExpressions:
+                    - key: update-operator
+                      operator: In
+                      values: ["agent"]
+      containers:
+      - name: controller
+        image: "328549459982.dkr.ecr.us-west-2.amazonaws.com/bottlerocket-update-operator:v0.1.3"
+        imagePullPolicy: Always
+        args:
+          - -controller
+          - -debug
+          - -nodeName
+          - $(NODE_NAME)
+        env:
+          - name: NODE_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: spec.nodeName
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: update-operator-agent
+  namespace: bottlerocket
+  labels:
+    update-operator: agent
+spec:
+  selector:
+    matchLabels:
+      update-operator: agent
+  template:
+    metadata:
+      labels:
+        update-operator: agent
+    spec:
+      serviceAccountName: update-operator-agent
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: bottlerocket.aws/updater-interface-version
+                    operator: Exists
+                  - key: "kubernetes.io/os"
+                    operator: In
+                    values:
+                      - linux
+                  - key: "kubernetes.io/arch"
+                    operator: In
+                    values:
+                      - amd64
+      hostPID: true
+      containers:
+        - name: agent
+          image: "328549459982.dkr.ecr.us-west-2.amazonaws.com/bottlerocket-update-operator:v0.1.3"
+          imagePullPolicy: Always
+          # XXX: tty required to exec binaries that use `simplelog` until https://github.com/bottlerocket-os/bottlerocket/issues/576 is resolved.
+          tty: true
+          args:
+            - -agent
+            - -debug
+            - -nodeName
+            - $(NODE_NAME)
+          env:
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+          securityContext:
+            # Required for executing OS update operations.
+            privileged: true
+          resources:
+            limits:
+              memory: 600Mi
+            requests:
+              cpu: 100m
+              memory: 600Mi
+          volumeMounts:
+            - name: rootfs
+              mountPath: /.bottlerocket/rootfs
+      volumes:
+        - name: rootfs
+          hostPath:
+            path: /
+            type: Directory