From 22f6741a8d4c102009014207cbcfbf3f6c5083fd Mon Sep 17 00:00:00 2001
From: Kai Lueke
Date: Mon, 29 Apr 2024 20:05:48 +0900
Subject: [PATCH] brightbox: Align K8s systemd-sysext usage with CAPO

When the condition fails we don't want to propagate this to the unit in the post update action. Sync this with the files from CAPO which also prevents major updates.
---
 brightbox/compute.tf | 2 ++
 brightbox/server-configs/control-plane.yaml.tmpl | 9 ++++++---
 brightbox/server-configs/worker.yaml.tmpl | 9 ++++++---
 3 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/brightbox/compute.tf b/brightbox/compute.tf
index 86238d7..4f594be 100644
--- a/brightbox/compute.tf
+++ b/brightbox/compute.tf
@@ -28,6 +28,7 @@ data "ct_config" "config-control-plane" {
 strict = true
 content = templatefile("${path.module}/server-configs/control-plane.yaml.tmpl", {
 kubernetes_version = var.kubernetes_version
+ kubernetes_minor = join(" ", [split(".", var.kubernetes_version)[0], split(".", var.kubernetes_version)[1]])
 })
 snippets = [
 data.template_file.core_user.rendered
@@ -38,6 +39,7 @@ data "ct_config" "config-worker" {
 strict = true
 content = templatefile("${path.module}/server-configs/worker.yaml.tmpl", {
 kubernetes_version = var.kubernetes_version
+ kubernetes_minor = join(" ", [split(".", var.kubernetes_version)[0], split(".", var.kubernetes_version)[1]])
 control_plane_ip = brightbox_cloudip.control-plane.public_ipv4
 })
 }
diff --git a/brightbox/server-configs/control-plane.yaml.tmpl b/brightbox/server-configs/control-plane.yaml.tmpl
index 69cf900..496f6f6 100644
--- a/brightbox/server-configs/control-plane.yaml.tmpl
+++ b/brightbox/server-configs/control-plane.yaml.tmpl
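Review bot: In brightbox/compute.tf the added `kubernetes_minor` line is shown joining the two version components with a space, `join(" ", [...])`, which would produce a value like `1 29` instead of `1.29` (constructed example) and put a space into both the sysupdate file name and the download URL used by the templates. If that is what the file really contains rather than a rendering artefact, it should read `kubernetes_minor = join(".", slice(split(".", var.kubernetes_version), 0, 2))`. The identical line in the `config-worker` hunk needs the same change. Because the value is interpolated into a URL and a path under /etc, a `validation` block on `var.kubernetes_version` that accepts only the expected version pattern would also be worth adding; the variable declaration is outside this diff.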
@@ -7,9 +7,9 @@ storage:
 path: /etc/extensions/kubernetes.raw
 hard: false
 files:
- - path: /etc/sysupdate.kubernetes.d/kubernetes.conf
+ - path: /etc/sysupdate.kubernetes.d/kubernetes-${kubernetes_minor}.conf
 contents:
- source: https://github.com/flatcar/sysext-bakery/releases/download/latest/kubernetes.conf
+ source: https://github.com/flatcar/sysext-bakery/releases/download/latest/kubernetes-${kubernetes_minor}.conf
 - path: /etc/sysupdate.d/noop.conf
 contents:
 source: https://github.com/flatcar/sysext-bakery/releases/download/latest/noop.conf
@@ -28,7 +28,10 @@ systemd:
 ExecStartPre=/usr/bin/sh -c "readlink --canonicalize /etc/extensions/kubernetes.raw > /tmp/kubernetes"
 ExecStartPre=/usr/lib/systemd/systemd-sysupdate -C kubernetes update
 ExecStartPost=/usr/bin/sh -c "readlink --canonicalize /etc/extensions/kubernetes.raw > /tmp/kubernetes-new"
- ExecStartPost=/usr/bin/sh -c "[[ $(cat /tmp/kubernetes) != $(cat /tmp/kubernetes-new) ]] && touch /run/reboot-required"
+ ExecStartPost=/usr/bin/sh -c "if ! cmp --silent /tmp/kubernetes /tmp/kubernetes-new; then touch /run/reboot-required; fi"
+ - name: locksmithd.service
+ # NOTE: To coordinate the node reboot in this context, we recommend to use Kured.
+ mask: true
 - name: kubeadm.service
 enabled: true
 contents: |
diff --git a/brightbox/server-configs/worker.yaml.tmpl b/brightbox/server-configs/worker.yaml.tmpl
index dea71e7..9f864ad 100644
--- a/brightbox/server-configs/worker.yaml.tmpl
+++ b/brightbox/server-configs/worker.yaml.tmpl
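Review bot: The new `source:` for `kubernetes-${kubernetes_minor}.conf` in control-plane.yaml.tmpl is still fetched from the mutable `releases/download/latest/` URL with no `verification:` entry, so the sysupdate transfer definition is trusted on TLS alone at provisioning time. That file presumably decides where the extension image is pulled from and whether it is verified, so anyone able to change the release asset can steer what nodes install. Pinning a fixed release tag and adding `verification:` with `hash: sha256-<DIGEST_OF_PINNED_CONF>` under `contents:` would make the provisioned file reproducible and tamper-evident. The same applies to the identical hunk in worker.yaml.tmpl and to the unchanged `noop.conf` entry; the `files:` list continues outside the hunk.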
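Review bot: The comment on the masked `locksmithd.service` in control-plane.yaml.tmpl only recommends Kured, while nothing in this hunk acts on `/run/reboot-required`; with locksmithd masked, a node appears to stay on the old extension image (and presumably on any staged OS update) until something reboots it. I would state that in the comment, e.g. `# NOTE: locksmithd is masked, so nothing reboots the node automatically. Deploy Kured (or an equivalent) to act on /run/reboot-required, otherwise updates are staged but never applied.` Separately, the new `cmp` reads the fixed paths `/tmp/kubernetes` and `/tmp/kubernetes-new`, which the unit writes through shell redirects; keeping that state under `/run` would avoid predictable names in a world-writable directory. The unit definition starts above the hunk, and worker.yaml.tmpl carries the same change.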
@@ -7,9 +7,9 @@ storage:
 path: /etc/extensions/kubernetes.raw
 hard: false
 files:
- - path: /etc/sysupdate.kubernetes.d/kubernetes.conf
+ - path: /etc/sysupdate.kubernetes.d/kubernetes-${kubernetes_minor}.conf
 contents:
- source: https://github.com/flatcar/sysext-bakery/releases/download/latest/kubernetes.conf
+ source: https://github.com/flatcar/sysext-bakery/releases/download/latest/kubernetes-${kubernetes_minor}.conf
 - path: /etc/sysupdate.d/noop.conf
 contents:
 source: https://github.com/flatcar/sysext-bakery/releases/download/latest/noop.conf
@@ -28,7 +28,10 @@ systemd:
 ExecStartPre=/usr/bin/sh -c "readlink --canonicalize /etc/extensions/kubernetes.raw > /tmp/kubernetes"
 ExecStartPre=/usr/lib/systemd/systemd-sysupdate -C kubernetes update
 ExecStartPost=/usr/bin/sh -c "readlink --canonicalize /etc/extensions/kubernetes.raw > /tmp/kubernetes-new"
- ExecStartPost=/usr/bin/sh -c "[[ $(cat /tmp/kubernetes) != $(cat /tmp/kubernetes-new) ]] && touch /run/reboot-required"
+ ExecStartPost=/usr/bin/sh -c "if ! cmp --silent /tmp/kubernetes /tmp/kubernetes-new; then touch /run/reboot-required; fi"
+ - name: locksmithd.service
+ # NOTE: To coordinate the node reboot in this context, we recommend to use Kured.
+ mask: true
 - name: kubeadm.service
 enabled: true
 contents: |