From ef6c0de9ac454d254276ff095b4dda3f4c92b4a3 Mon Sep 17 00:00:00 2001
From: Chris Werner Rau
Date: Wed, 23 Aug 2023 10:57:22 +0200
Subject: [PATCH] feat(t8s-cluster/management-cluster): validate new k8s version before upgrade
---
 .../management-cluster/check-k8s-version.yaml | 49 +++++++++++++++++++
 charts/t8s-cluster/values.schema.json | 10 ++++
 charts/t8s-cluster/values.yaml | 5 ++
 3 files changed, 64 insertions(+)
 create mode 100644 charts/t8s-cluster/templates/management-cluster/check-k8s-version.yaml
diff --git a/charts/t8s-cluster/templates/management-cluster/check-k8s-version.yaml b/charts/t8s-cluster/templates/management-cluster/check-k8s-version.yaml
new file mode 100644
index 000000000..b43952eff
--- /dev/null
+++ b/charts/t8s-cluster/templates/management-cluster/check-k8s-version.yaml
@@ -0,0 +1,49 @@
+{{- $cluster := include (print $.Template.BasePath "/management-cluster/cluster.yaml") . | fromYaml }}
+{{- $existingCluster := lookup $cluster.apiVersion $cluster.kind $cluster.metadata.namespace $cluster.metadata.name }}
+{{/* Should always pass, just doesn't work for local diffs 😥 */}}
+{{- if $existingCluster }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: check-k8s-version
+ namespace: {{ .Release.Namespace }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+ annotations:
+ helm.sh/hook: pre-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+spec:
+ backoffLimit: 0
+ template:
+ spec:
+ restartPolicy: Never
+ automountServiceAccountToken: false
+ securityContext:
+ runAsNonRoot: true
+ runAsGroup: 1000
+ runAsUser: 1000
+ fsGroup: 1000
+ containers:
+ - name: check-k8s-version
+ image: {{ include "common.images.image" (dict "imageRoot" .Values.global.semver.image "global" .Values.global) }}
+ {{- if .Values.global.semver.image.digest }}
+ imagePullPolicy: IfNotPresent
+ {{- else }}
+ imagePullPolicy: Always
+ {{- end }}
+ securityContext:
+ readOnlyRootFilesystem: true
+ privileged: false
+ capabilities:
+ drop:
+ - ALL
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ command:
+ - semver
+ - --range
+ - '>={{ $existingCluster.spec.version }}'
+ {{- with .Values.version }}
+ - {{ printf "v%d.%d.%d" (.major | int) (.minor | int) (.patch | int) }}
+ {{- end }}
+{{- end }}
diff --git a/charts/t8s-cluster/values.schema.json b/charts/t8s-cluster/values.schema.json
index ecbd7d577..4aa21b293 100644
--- a/charts/t8s-cluster/values.schema.json
+++ b/charts/t8s-cluster/values.schema.json
@@ -46,6 +46,16 @@
 },
 "additionalProperties": false
 },
+ "semver": {
+ "type": "object",
+ "description": "Image with `semver` binary",
+ "properties": {
+ "image": {
+ "$ref": "#/$defs/image"
+ }
+ },
+ "additionalProperties": false
+ },
 "injectedCertificateAuthorities": {
 "type": "string"
 },
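Review bot: The `--range` argument under `command:` is built from `$existingCluster.spec.version` with no check that the field is set; the surrounding `{{- if $existingCluster }}` only proves that the looked-up object exists. If that object has a `spec` without `version`, the argument would presumably render as a bare `>=`, which node-semver appears to treat as matching any version, so the gate would pass silently instead of blocking the upgrade. Failing the render is the safer default: `- {{ printf ">=%s" (required "existing cluster has no spec.version" $existingCluster.spec.version) | quote }}`. The `{{- with .Values.version }}` block right below has the same shape: when the value is unset no version argument is emitted at all, and the outcome is left to how the `semver` binary handles an empty version list.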
diff --git a/charts/t8s-cluster/values.yaml b/charts/t8s-cluster/values.yaml
index 8ca215609..b594f9406 100644
--- a/charts/t8s-cluster/values.yaml
+++ b/charts/t8s-cluster/values.yaml
@@ -15,6 +15,11 @@ global:
 registry: docker.io
 repository: bitnami/kubectl
 tag: 1.27.4
+ semver:
+ image:
+ registry: docker.io
+ repository: alpine/semver
+ tag: 7.5.4
 injectedCertificateAuthorities: ""
 kubeletExtraConfig:
 # This is only used when using 1.27 or later
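Review bot: The new `semver` default pins `alpine/semver` by tag only (`tag: 7.5.4`), so the pre-upgrade Job in `check-k8s-version.yaml` takes its `imagePullPolicy: Always` branch and runs whatever that mutable tag resolves to on docker.io at upgrade time. Because this image's exit code decides whether a cluster upgrade proceeds, a re-pushed or replaced tag could turn the version check into a no-op without any change to the chart. The template already reads `.Values.global.semver.image.digest`, so I would add a pinned digest next to the tag, e.g. `digest: sha256:<digest of the reviewed alpine/semver:7.5.4 image>` (placeholder, to be filled in from the verified image), assuming the `#/$defs/image` schema accepts that key. The `global:` mapping this entry belongs to starts above the hunk.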