From 3fded98d28841465e3a0f6cb79fb531b77b2652d Mon Sep 17 00:00:00 2001
From: Kai Lueke
Date: Mon, 29 Apr 2024 20:05:48 +0900
Subject: [PATCH 1/2] brightbox: Align K8s systemd-sysext usage with CAPO
When the condition fails we don't want to propagate this to the unit in the post update action. Sync this with the files from CAPO which also prevents major updates.
---
 brightbox/compute.tf | 2 ++
 brightbox/server-configs/control-plane.yaml.tmpl | 9 ++++++---
 brightbox/server-configs/worker.yaml.tmpl | 9 ++++++---
 3 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/brightbox/compute.tf b/brightbox/compute.tf
index 86238d7..eb88ae9 100644
--- a/brightbox/compute.tf
+++ b/brightbox/compute.tf
@@ -28,6 +28,7 @@ data "ct_config" "config-control-plane" {
 strict = true
 content = templatefile("${path.module}/server-configs/control-plane.yaml.tmpl", {
 kubernetes_version = var.kubernetes_version
+ kubernetes_minor = join(".", [split(".", var.kubernetes_version)[0], split(".", var.kubernetes_version)[1]])
 })
 snippets = [
 data.template_file.core_user.rendered
@@ -38,6 +39,7 @@ data "ct_config" "config-worker" {
 strict = true
 content = templatefile("${path.module}/server-configs/worker.yaml.tmpl", {
 kubernetes_version = var.kubernetes_version
+ kubernetes_minor = join(".", [split(".", var.kubernetes_version)[0], split(".", var.kubernetes_version)[1]])
 control_plane_ip = brightbox_cloudip.control-plane.public_ipv4
 })
 }
diff --git a/brightbox/server-configs/control-plane.yaml.tmpl b/brightbox/server-configs/control-plane.yaml.tmpl
index 69cf900..496f6f6 100644
--- a/brightbox/server-configs/control-plane.yaml.tmpl
+++ b/brightbox/server-configs/control-plane.yaml.tmpl
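Review bot: `kubernetes_minor` is computed from `var.kubernetes_version` with no format check, and both server templates then place it in a file path and a download URL. If the variable has no `validation` block (its declaration is not part of this patch), a value without a dot fails on the `[1]` index with a generic error and any other string is passed through as is; something like `condition = can(regex("^v?[0-9]+\\.[0-9]+\\.[0-9]+$", var.kubernetes_version))` would reject it at plan time, with the exact pattern to be confirmed against the bakery's file names. The identical expression appears again in the `config-worker` hunk, so a single `locals { kubernetes_minor = ... }` would keep the two from drifting. Both `data` blocks begin above their hunks.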
@@ -7,9 +7,9 @@ storage:
 path: /etc/extensions/kubernetes.raw
 hard: false
 files:
- - path: /etc/sysupdate.kubernetes.d/kubernetes.conf
+ - path: /etc/sysupdate.kubernetes.d/kubernetes-${kubernetes_minor}.conf
 contents:
- source: https://github.com/flatcar/sysext-bakery/releases/download/latest/kubernetes.conf
+ source: https://github.com/flatcar/sysext-bakery/releases/download/latest/kubernetes-${kubernetes_minor}.conf
 - path: /etc/sysupdate.d/noop.conf
 contents:
 source: https://github.com/flatcar/sysext-bakery/releases/download/latest/noop.conf
@@ -28,7 +28,10 @@ systemd:
 ExecStartPre=/usr/bin/sh -c "readlink --canonicalize /etc/extensions/kubernetes.raw > /tmp/kubernetes"
 ExecStartPre=/usr/lib/systemd/systemd-sysupdate -C kubernetes update
 ExecStartPost=/usr/bin/sh -c "readlink --canonicalize /etc/extensions/kubernetes.raw > /tmp/kubernetes-new"
- ExecStartPost=/usr/bin/sh -c "[[ $(cat /tmp/kubernetes) != $(cat /tmp/kubernetes-new) ]] && touch /run/reboot-required"
+ ExecStartPost=/usr/bin/sh -c "if ! cmp --silent /tmp/kubernetes /tmp/kubernetes-new; then touch /run/reboot-required; fi"
+ - name: locksmithd.service
+ # NOTE: To coordinate the node reboot in this context, we recommend to use Kured.
+ mask: true
 - name: kubeadm.service
 enabled: true
 contents: |
diff --git a/brightbox/server-configs/worker.yaml.tmpl b/brightbox/server-configs/worker.yaml.tmpl
index dea71e7..9f864ad 100644
--- a/brightbox/server-configs/worker.yaml.tmpl
+++ b/brightbox/server-configs/worker.yaml.tmpl
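Review bot: The new `source:` in the first hunk still points at the mutable `releases/download/latest/` path and the file entry carries no `verification:` field, so each node trusts whatever that URL serves at first boot. The file is the sysupdate transfer definition for the Kubernetes sysext, so it decides what is later fetched and merged into the system and deserves integrity pinning of its own. If the bakery publishes immutable release tags, point `source:` at one and add `verification:` with `hash: sha512-<digest of the pinned file>`; if only `latest` exists, a comment such as `# fetched unpinned from the 'latest' release, no hash verification` would at least make the trust decision visible. The first hunk of `worker.yaml.tmpl` has the same entry. The `files:` list continues outside the hunk.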
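Review bot: The rewritten `ExecStartPost` in the second hunk compares `/tmp/kubernetes` with `/tmp/kubernetes-new`, fixed names in a world-writable directory that the neighbouring `ExecStartPre`/`ExecStartPost` lines fill through a root shell redirect. Unless the unit sets `PrivateTmp=yes` (the rest of the unit is outside the hunk), another local account can create or replace those names first, so keeping the two state files under `/run` would remove that dependency. Separately, masking `locksmithd.service` leaves nothing in this template that acts on `/run/reboot-required`; the comment could say so directly, e.g. `# NOTE: locksmithd is masked; deploy Kured (or another reboot coordinator), otherwise a staged update may never be activated.` The second hunk of `worker.yaml.tmpl` has the same two points.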
@@ -7,9 +7,9 @@ storage:
 path: /etc/extensions/kubernetes.raw
 hard: false
 files:
- - path: /etc/sysupdate.kubernetes.d/kubernetes.conf
+ - path: /etc/sysupdate.kubernetes.d/kubernetes-${kubernetes_minor}.conf
 contents:
- source: https://github.com/flatcar/sysext-bakery/releases/download/latest/kubernetes.conf
+ source: https://github.com/flatcar/sysext-bakery/releases/download/latest/kubernetes-${kubernetes_minor}.conf
 - path: /etc/sysupdate.d/noop.conf
 contents:
 source: https://github.com/flatcar/sysext-bakery/releases/download/latest/noop.conf
@@ -28,7 +28,10 @@ systemd:
 ExecStartPre=/usr/bin/sh -c "readlink --canonicalize /etc/extensions/kubernetes.raw > /tmp/kubernetes"
 ExecStartPre=/usr/lib/systemd/systemd-sysupdate -C kubernetes update
 ExecStartPost=/usr/bin/sh -c "readlink --canonicalize /etc/extensions/kubernetes.raw > /tmp/kubernetes-new"
- ExecStartPost=/usr/bin/sh -c "[[ $(cat /tmp/kubernetes) != $(cat /tmp/kubernetes-new) ]] && touch /run/reboot-required"
+ ExecStartPost=/usr/bin/sh -c "if ! cmp --silent /tmp/kubernetes /tmp/kubernetes-new; then touch /run/reboot-required; fi"
+ - name: locksmithd.service
+ # NOTE: To coordinate the node reboot in this context, we recommend to use Kured.
+ mask: true
 - name: kubeadm.service
 enabled: true
 contents: |
From bb5fe5908de800642be62944470b4ee774708354 Mon Sep 17 00:00:00 2001
From: Kai Lueke
Date: Mon, 29 Apr 2024 22:08:03 +0900
Subject: [PATCH 2/2] brightbox: Fix Terraform 14 incompatibility
---
 brightbox/variables.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/brightbox/variables.tf b/brightbox/variables.tf
index ae565a0..4af3b7a 100644
--- a/brightbox/variables.tf
+++ b/brightbox/variables.tf
@@ -11,7 +11,7 @@ variable "release_channel" {
 validation {
 condition = contains(["lts", "stable", "beta", "alpha"], var.release_channel)
- error_message = "release_channel must be lts, stable, beta, or alpha."
+ error_message = "The variable 'release_channel' must be lts, stable, beta, or alpha."
 }
 }