kubesolo-os/cloud-init/examples/full-config.yaml
Adolfo Delorenzo dfed6ddba8
feat(update): channels, maintenance windows, min-version gate
Phase 6 of v0.3. The update agent now refuses to apply artifacts whose
channel doesn't match local policy, whose architecture differs from the
running host, or whose min_compatible_version is above the current
version. It also refuses to apply outside a configured maintenance window
unless --force is given.

New package update/pkg/config:
- config.Load parses /etc/kubesolo/update.conf (key=value, # comments,
  unknown keys ignored). Missing file is fine — fresh systems before
  cloud-init has run.
- ParseWindow handles "HH:MM-HH:MM" plus the wrapping midnight case
  (e.g. "23:00-01:00"). Empty input -> AlwaysOpen (no constraint).
  Degenerate zero-length windows never match.
- CompareVersions does a simple 3-component semver compare with the 'v'
  prefix optional and pre-release suffix ignored.
- 14 unit tests total.

update/pkg/image/image.UpdateMetadata gains three optional fields:
- channel ("stable", "beta", ...)
- min_compatible_version (refuse upgrade if current < this)
- architecture ("amd64", "arm64", ...)

update/cmd/opts.go reads update.conf and merges it into opts; explicit
--server / --channel / --pubkey / --maintenance-window CLI flags override
the file. New --force, --conf, --channel, --maintenance-window flags.
Precedence: CLI > config file > package defaults.

update/cmd/apply.go gains four gates in order:
1. Maintenance window — checked locally before any HTTP work; skipped
   with --force.
2. Channel — refused if metadata.channel doesn't match opts.Channel.
3. Architecture — refused if metadata.architecture != runtime.GOARCH.
4. Min compatible version — refused if FromVersion < min_compatible.
All gate failures transition state to Failed with a clear LastError.

cloud-init gains a top-level updates: block (Server, Channel,
MaintenanceWindow, PubKey). cloud-init.ApplyUpdates writes
/etc/kubesolo/update.conf from those fields on first boot. Empty block
leaves any existing file alone (so hand-edited update.conf survives a
reboot without cloud-init re-applying). 4 new tests cover empty / all /
partial / parent-dir-creation cases. full-config.yaml example updated.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 18:21:46 -06:00


# KubeSolo OS Cloud-Init — Full Configuration Reference
# Shows ALL supported KubeSolo parameters.
# Place at: /mnt/data/etc-kubesolo/cloud-init.yaml (on data partition)
# Or pass via boot param: kubesolo.cloudinit=/path/to/this.yaml

hostname: kubesolo-edge-01

network:
  mode: dhcp
  # interface: eth0 # Optional: specify interface (auto-detected if omitted)
  # dns: # Optional: override DHCP-provided DNS
  #   - 8.8.8.8

kubesolo:
  # Enable local-path-provisioner for persistent volumes (default: true)
  local-storage: true
  # Shared path for local-path-provisioner storage
  local-storage-shared-path: "/mnt/shared"
  # Extra SANs for API server TLS certificate
  apiserver-extra-sans:
    - kubesolo-edge-01.local
    - 192.168.1.100
  # Enable verbose debug logging
  debug: false
  # Enable Go pprof profiling server
  pprof-server: false
  # Portainer Edge Agent connection (alternative to portainer.edge-agent section)
  # These generate --portainer-edge-id, --portainer-edge-key, --portainer-edge-async
  # CLI flags for KubeSolo's built-in Edge Agent support.
  portainer-edge-id: "your-edge-id"
  portainer-edge-key: "your-edge-key"
  portainer-edge-async: true
  # KubeSolo v1.1.4+: skip the edge-optimised overrides and use upstream
  # Kubernetes defaults. Useful for CI and high-spec machines. Default off.
  full: false
  # KubeSolo v1.1.5+: disable IPv6 throughout the cluster. Default off.
  disable-ipv6: false
  # KubeSolo v1.1.5+: detect SQLite WAL corruption at startup and recover
  # from unclean shutdowns (e.g. power loss). Recommended ON for edge
  # appliances that may lose power.
  db-wal-repair: true
  # Arbitrary extra flags passed directly to the KubeSolo binary
  # extra-flags: "--disable traefik --disable servicelb"

# Update agent settings (written to /etc/kubesolo/update.conf on first boot).
# Omit any subfield to leave the corresponding default in place.
updates:
  # Update server URL — HTTPS for the JSON+blob protocol, or an OCI registry
  # reference (e.g. ghcr.io/portainer/kubesolo-os) when OCI distribution
  # lands in v0.3.
  server: "https://updates.kubesolo.example.com"
  # Channel to track. "stable" is the default; "beta"/"edge" expose
  # pre-release artifacts. The agent refuses to apply metadata whose
  # channel doesn't match.
  channel: "stable"
  # Maintenance window (local time, HH:MM-HH:MM, wrapping midnight OK).
  # `apply` refuses to run outside this window unless --force is passed.
  # Leave empty (or omit) to allow updates at any time.
  maintenance_window: "03:00-05:00"
  # Path to Ed25519 public key for signature verification. Omit to disable
  # signature verification (NOT recommended for production fleets).
  # pubkey: "/etc/kubesolo/update-pubkey.hex"
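
The maintenance-window rules stated in the commit message and in the `maintenance_window` comment (same-day and midnight-wrapping ranges, empty input always open, zero-length windows never matching), written out as an added Go example. This is not the project's `update/pkg/config` code: `Window`, `ParseWindowExample` and `Contains` are hypothetical names, and the half-open `[start, end)` boundary is an assumption.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Window is a daily window in minutes since local midnight (hypothetical type).
type Window struct {
	Start, End int
	AlwaysOpen bool
}

// ParseWindowExample parses "HH:MM-HH:MM"; empty input means no constraint.
func ParseWindowExample(s string) (Window, error) {
	if s = strings.TrimSpace(s); s == "" {
		return Window{AlwaysOpen: true}, nil
	}
	parts := strings.Split(s, "-")
	if len(parts) != 2 {
		return Window{}, fmt.Errorf("window %q: want HH:MM-HH:MM", s)
	}
	var mins [2]int
	for i, p := range parts {
		t, err := time.Parse("15:04", strings.TrimSpace(p)) // rejects 24:00, 03:60
		if err != nil {
			return Window{}, fmt.Errorf("window %q: %w", s, err)
		}
		mins[i] = t.Hour()*60 + t.Minute()
	}
	return Window{Start: mins[0], End: mins[1]}, nil
}

// Contains reports whether t's time of day falls in [Start, End) (assumed bounds).
func (w Window) Contains(t time.Time) bool {
	m := t.Hour()*60 + t.Minute()
	if w.AlwaysOpen {
		return true
	}
	if w.Start <= w.End { // same-day; Start == End is zero-length, never matches
		return m >= w.Start && m < w.End
	}
	return m >= w.Start || m < w.End // wraps midnight, e.g. 23:00-01:00
}

func main() {
	w, err := ParseWindowExample("23:00-01:00") // constructed sample input
	fmt.Println(w.Contains(time.Date(2026, 5, 14, 0, 30, 0, 0, time.Local)), err)
}
```

A malformed window returns an error rather than an open window, so a caller that treats any parse error as "refuse to apply" keeps the gate closed on a typo in `update.conf`.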