From c58b8d5df1e737d712084f2511c31c8311307edf Mon Sep 17 00:00:00 2001
From: Ciprian Hacman <ciprian.hacman@sematext.com>
Date: Thu, 27 Feb 2020 06:47:04 +0200
Subject: [PATCH] Install packages updates during bootstrap

---
 docs/getting_started/arguments.md       | 2 ++
 upup/pkg/fi/nodeup/nodetasks/package.go | 8 ++++++--
 upup/pkg/fi/nodeup/tags/tags.go         | 6 ++++++
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/docs/getting_started/arguments.md b/docs/getting_started/arguments.md
index ab8163d608..4c6826df02 100644
--- a/docs/getting_started/arguments.md
+++ b/docs/getting_started/arguments.md
@@ -62,6 +62,8 @@ Values:
 
 * unset means to use the default policy, which is currently to apply OS security updates unless they require a reboot
 
+Required packages are also updated during bootstrapping if the value is not set. 
+
 ## out
 
 `out` determines the directory into which Kops will write the target output for Terraform and CloudFormation.  It defaults to `out/terraform` and `out/cloudformation` respectively.
diff --git a/upup/pkg/fi/nodeup/nodetasks/package.go b/upup/pkg/fi/nodeup/nodetasks/package.go
index 8e5badf6cc..e87c5f0554 100644
--- a/upup/pkg/fi/nodeup/nodetasks/package.go
+++ b/upup/pkg/fi/nodeup/nodetasks/package.go
@@ -216,7 +216,9 @@ func (e *Package) findDpkg(c *fi.Context) (*Package, error) {
 		}
 	}
 
-	if !installed {
+	target := c.Target.(*local.LocalTarget)
+	updates := target.HasTag(tags.TagUpdatePolicyAuto)
+	if !updates && !installed {
 		return nil, nil
 	}
 
@@ -264,7 +266,9 @@ func (e *Package) findYum(c *fi.Context) (*Package, error) {
 		healthy = fi.Bool(true)
 	}
 
-	if !installed {
+	target := c.Target.(*local.LocalTarget)
+	updates := target.HasTag(tags.TagUpdatePolicyAuto)
+	if !updates && !installed {
 		return nil, nil
 	}
 
diff --git a/upup/pkg/fi/nodeup/tags/tags.go b/upup/pkg/fi/nodeup/tags/tags.go
index fb59e7f995..59f1cd5247 100644
--- a/upup/pkg/fi/nodeup/tags/tags.go
+++ b/upup/pkg/fi/nodeup/tags/tags.go
@@ -25,6 +25,12 @@ const (
 	TagOSRHEL8        = "_rhel8"
 
 	TagSystemd = "_systemd"
+
+	// Nodes with the "_automatic_upgrade" tag automatically update installed packages
+	// during bootstrapping and daily for security updates (unless this update would require
+	// a node reboot). To disable automatic node package updates, set:
+	// `Cluster.Spec.UpdatePolicy = external`
+	TagUpdatePolicyAuto = "_automatic_upgrades"
 )
 
 type HasTags interface {