os-upgrade-fetch.yaml

# SUC Plan related to upgrading/migrating the operating system of control-plane nodes
apiVersion: upgrade.cattle.io/v1
kind: Plan
metadata:
  name: os-upgrade-demo
  namespace: cattle-system
spec:
  concurrency: 1
  # Override the default SUC set value of 900 with something that will
  # give the enough time to the control-plane plan to finish 
  jobActiveDeadlineSecs: 43200
  nodeSelector:
    matchExpressions:
      # will trigger upgrade for any node containing the 'node-role.kubernetes.io/control-plane' label
      - {key: node-role.kubernetes.io/control-plane, operator: In, values: ["true"]}
  tolerations:
  - key: "CriticalAddonsOnly"
    operator: "Equal"
    value: "true"
    effect: "NoExecute"
  - key: "node-role.kubernetes.io/control-plane"
    operator: "Equal"
    effect: "NoSchedule"
  - key: "node-role.kubernetes.io/etcd"
    operator: "Equal"
    effect: "NoExecute"
  serviceAccountName: system-upgrade-controller
  secrets:
    - name: os-upgrade-script
      path: /host/run/system-upgrade/secrets/os-upgrade-script
  cordon: false
  version: "3.2.3"
  upgrade:
    image: registry.opensuse.org/opensuse/bci/bci-minimal:20250505.0
    command: ["chroot", "/host"]
    args: ["sh", "/run/system-upgrade/secrets/os-upgrade-script/upgrade.sh"]

---
# Secret containing the script that is used by the 
# SUC Plans for operating system migration/upgrade
apiVersion: v1
kind: Secret
metadata:
  name: os-upgrade-script
  namespace: cattle-system
type: Opaque
stringData:
  upgrade.sh: |
    #!/bin/sh
    
    OS_UPGRADED_PLACEHOLDER_PATH="/etc/os-upgrade-successful"

    if [ -f ${OS_UPGRADED_PLACEHOLDER_PATH} ]; then
        # Due to the nature of how SUC handles OS upgrades,
        # the OS upgrade pod will be restarted after an OS reboot.
        # Within the new Pod we only need to check whether the upgrade
        # has been done. This is done by checking for the '/run/os-upgrade-successful'
        # file which will only be present on the system if a successful upgrade
        # of the OS has taken place.
        echo "Upgrade has already been done. Exiting.."
        touch /etc/os-upgrade-demo-marker-2
        rm ${OS_UPGRADED_PLACEHOLDER_PATH}
        exit 0
    fi

    cleanupService(){
        rm ${1}
        systemctl daemon-reload
    }

    executeUpgrade(){
        EXEC_START="ExecStart=/usr/sbin/transactional-update pull"
        SERVICE_NAME="os-pkg-update.service"

        UPDATE_SERVICE_PATH=/etc/systemd/system/${SERVICE_NAME}

        # Make sure that even after a non-zero exit of the script
        # we will do a cleanup of the service
        trap "cleanupService ${UPDATE_SERVICE_PATH}" EXIT
        
        touch /etc/os-upgrade-demo-marker-1
        echo "Creating ${SERVICE_NAME}..."
        cat <<EOF > ${UPDATE_SERVICE_PATH}
    [Unit]
    Description=SUSE Edge Fetch Upgrade Service
    ConditionACPower=true
    Wants=network.target
    After=network.target

    [Service]
    Type=oneshot
    IOSchedulingClass=best-effort
    IOSchedulingPriority=7
    ${EXEC_START}
    EOF

        echo "Starting ${SERVICE_NAME}..."
        systemctl start ${SERVICE_NAME} &

        BACKGROUND_PROC_PID=$!
        tail --pid ${BACKGROUND_PROC_PID} -f /var/log/transactional-update.log

        # Waits for the background process with pid to finish and propagates its exit code to '$?'
        wait ${BACKGROUND_PROC_PID}

        # Get exit code of backgroup process 
        BACKGROUND_PROC_EXIT=$?
        if [ ${BACKGROUND_PROC_EXIT} -ne 0 ]; then
            exit ${BACKGROUND_PROC_EXIT}
        fi
    }

    executeUpgradeFetch