package server
import (
"context"
"fmt"
"net"
"os"
"path/filepath"
"strings"
"time"
systemd "github.com/coreos/go-systemd/daemon"
"github.com/erikdubbelboer/gspt"
"github.com/gorilla/mux"
"github.com/k3s-io/k3s/pkg/agent"
"github.com/k3s-io/k3s/pkg/agent/loadbalancer"
"github.com/k3s-io/k3s/pkg/cli/cmds"
"github.com/k3s-io/k3s/pkg/clientaccess"
"github.com/k3s-io/k3s/pkg/daemons/config"
"github.com/k3s-io/k3s/pkg/datadir"
"github.com/k3s-io/k3s/pkg/etcd"
"github.com/k3s-io/k3s/pkg/rootless"
"github.com/k3s-io/k3s/pkg/server"
"github.com/k3s-io/k3s/pkg/spegel"
"github.com/k3s-io/k3s/pkg/util"
"github.com/k3s-io/k3s/pkg/version"
"github.com/k3s-io/k3s/pkg/vpn"
"github.com/pkg/errors"
"github.com/rancher/wrangler/pkg/signals"
"github.com/sirupsen/logrus"
"github.com/urfave/cli"
utilnet "k8s.io/apimachinery/pkg/util/net"
"k8s.io/apiserver/pkg/authentication/authenticator"
kubeapiserverflag "k8s.io/component-base/cli/flag"
"k8s.io/kubernetes/pkg/controlplane/apiserver/options"
utilsnet "k8s.io/utils/net"
_ "github.com/go-sql-driver/mysql" // ensure we have mysql
_ "github.com/lib/pq" // ensure we have postgres
_ "github.com/mattn/go-sqlite3" // ensure we have sqlite
)
// Run is the entry point for the `server` subcommand. It starts the server
// with the package-level cmds.ServerConfig and no custom controllers.
func Run(app *cli.Context) error {
	cfg := &cmds.ServerConfig
	return run(app, cfg, server.CustomControllers{}, server.CustomControllers{})
}
// RunWithControllers starts the server with the package-level
// cmds.ServerConfig, passing the caller-supplied leaderControllers and
// controllers through to run unchanged.
func RunWithControllers(app *cli.Context, leaderControllers server.CustomControllers, controllers server.CustomControllers) error {
	cfg := &cmds.ServerConfig
	return run(app, cfg, leaderControllers, controllers)
}
func run(app *cli.Context, cfg *cmds.Server, leaderControllers server.CustomControllers, controllers server.CustomControllers) error {
var (
err error
)
// Validate build env
cmds.MustValidateGolang()
// hide process arguments from ps output, since they may contain
// database credentials or other secrets.
gspt.SetProcTitle(os.Args[0] + " server")
// If the agent is enabled, evacuate cgroup v2 before doing anything else that may fork.
// If the agent is disabled, we don't need to bother doing this as it is only the kubelet
// that cares about cgroups.
if !cfg.DisableAgent {
if err := cmds.EvacuateCgroup2(); err != nil {
return err
}
}
// Initialize logging, and subprocess reaping if necessary.
// Log output redirection and subprocess reaping both require forking.
if err := cmds.InitLogging(); err != nil {
return err
}
if !cfg.DisableAgent && os.Getuid() != 0 && !cfg.Rootless {
return fmt.Errorf("server must run as root, or with --rootless and/or --disable-agent")
}
if cfg.Rootless {
dataDir, err := datadir.LocalHome(cfg.DataDir, true)
if err != nil {
return err
}
cfg.DataDir = dataDir
if !cfg.DisableAgent {
dualNode, err := utilsnet.IsDualStackIPStrings(cmds.AgentConfig.NodeIP)
if err != nil {
return err
}
if err := rootless.Rootless(dataDir, dualNode); err != nil {
return err
}
}
}
if cmds.AgentConfig.VPNAuthFile != "" {
cmds.AgentConfig.VPNAuth, err = util.ReadFile(cmds.AgentConfig.VPNAuthFile)
if err != nil {
return err
}
}
// Starts the VPN in the server if config was set up
if cmds.AgentConfig.VPNAuth != "" {
err := vpn.StartVPN(cmds.AgentConfig.VPNAuth)
if err != nil {
return err
}
}
containerRuntimeReady := make(chan struct{})
serverConfig := server.Config{}
serverConfig.DisableAgent = cfg.DisableAgent
serverConfig.ControlConfig.Runtime = config.NewRuntime(containerRuntimeReady)
serverConfig.ControlConfig.Token = cfg.Token
serverConfig.ControlConfig.AgentToken = cfg.AgentToken
serverConfig.ControlConfig.JoinURL = cfg.ServerURL
if cfg.AgentTokenFile != "" {
serverConfig.ControlConfig.AgentToken, err = util.ReadFile(cfg.AgentTokenFile)
if err != nil {
return err
}
}
if cfg.TokenFile != "" {
serverConfig.ControlConfig.Token, err = util.ReadFile(cfg.TokenFile)
if err != nil {
return err
}
}
serverConfig.ControlConfig.DataDir = cfg.DataDir
serverConfig.ControlConfig.KubeConfigOutput = cfg.KubeConfigOutput
serverConfig.ControlConfig.KubeConfigMode = cfg.KubeConfigMode
serverConfig.ControlConfig.HelmJobImage = cfg.HelmJobImage
serverConfig.ControlConfig.Rootless = cfg.Rootless
serverConfig.ControlConfig.ServiceLBNamespace = cfg.ServiceLBNamespace
serverConfig.ControlConfig.SANs = util.SplitStringSlice(cfg.TLSSan)
serverConfig.ControlConfig.SANSecurity = cfg.TLSSanSecurity
serverConfig.ControlConfig.BindAddress = cfg.BindAddress
serverConfig.ControlConfig.SupervisorPort = cfg.SupervisorPort
serverConfig.ControlConfig.HTTPSPort = cfg.HTTPSPort
serverConfig.ControlConfig.APIServerPort = cfg.APIServerPort
serverConfig.ControlConfig.APIServerBindAddress = cfg.APIServerBindAddress
serverConfig.ControlConfig.EnablePProf = cfg.EnablePProf
serverConfig.ControlConfig.ExtraAPIArgs = cfg.ExtraAPIArgs
serverConfig.ControlConfig.ExtraControllerArgs = cfg.ExtraControllerArgs
serverConfig.ControlConfig.ExtraEtcdArgs = cfg.ExtraEtcdArgs
serverConfig.ControlConfig.ExtraSchedulerAPIArgs = cfg.ExtraSchedulerArgs
serverConfig.ControlConfig.ClusterDomain = cfg.ClusterDomain
serverConfig.ControlConfig.Datastore.NotifyInterval = 5 * time.Second
serverConfig.ControlConfig.Datastore.Endpoint = cfg.DatastoreEndpoint
serverConfig.ControlConfig.Datastore.BackendTLSConfig.CAFile = cfg.DatastoreCAFile
serverConfig.ControlConfig.Datastore.BackendTLSConfig.CertFile = cfg.DatastoreCertFile
serverConfig.ControlConfig.Datastore.BackendTLSConfig.KeyFile = cfg.DatastoreKeyFile
serverConfig.ControlConfig.AdvertiseIP = cfg.AdvertiseIP
serverConfig.ControlConfig.AdvertisePort = cfg.AdvertisePort
serverConfig.ControlConfig.FlannelBackend = cfg.FlannelBackend
serverConfig.ControlConfig.FlannelIPv6Masq = cfg.FlannelIPv6Masq
serverConfig.ControlConfig.FlannelExternalIP = cfg.FlannelExternalIP
serverConfig.ControlConfig.EgressSelectorMode = cfg.EgressSelectorMode
serverConfig.ControlConfig.ExtraCloudControllerArgs = cfg.ExtraCloudControllerArgs
serverConfig.ControlConfig.DisableCCM = cfg.DisableCCM
serverConfig.ControlConfig.DisableNPC = cfg.DisableNPC
serverConfig.ControlConfig.DisableHelmController = cfg.DisableHelmController
serverConfig.ControlConfig.DisableKubeProxy = cfg.DisableKubeProxy
serverConfig.ControlConfig.DisableETCD = cfg.DisableETCD
serverConfig.ControlConfig.DisableAPIServer = cfg.DisableAPIServer
serverConfig.ControlConfig.DisableScheduler = cfg.DisableScheduler
serverConfig.ControlConfig.DisableControllerManager = cfg.DisableControllerManager
serverConfig.ControlConfig.EmbeddedRegistry = cfg.EmbeddedRegistry
serverConfig.ControlConfig.ClusterInit = cfg.ClusterInit
serverConfig.ControlConfig.EncryptSecrets = cfg.EncryptSecrets
serverConfig.ControlConfig.EtcdExposeMetrics = cfg.EtcdExposeMetrics
serverConfig.ControlConfig.EtcdDisableSnapshots = cfg.EtcdDisableSnapshots
serverConfig.ControlConfig.VLevel = cmds.LogConfig.VLevel
serverConfig.ControlConfig.VModule = cmds.LogConfig.VModule
if !cfg.EtcdDisableSnapshots || cfg.ClusterReset {
serverConfig.ControlConfig.EtcdSnapshotCompress = cfg.EtcdSnapshotCompress
serverConfig.ControlConfig.EtcdSnapshotName = cfg.EtcdSnapshotName
serverConfig.ControlConfig.EtcdSnapshotCron = cfg.EtcdSnapshotCron
serverConfig.ControlConfig.EtcdSnapshotDir = cfg.EtcdSnapshotDir
serverConfig.ControlConfig.EtcdSnapshotRetention = cfg.EtcdSnapshotRetention
serverConfig.ControlConfig.EtcdS3 = cfg.EtcdS3
serverConfig.ControlConfig.EtcdS3Endpoint = cfg.EtcdS3Endpoint
serverConfig.ControlConfig.EtcdS3EndpointCA = cfg.EtcdS3EndpointCA
serverConfig.ControlConfig.EtcdS3SkipSSLVerify = cfg.EtcdS3SkipSSLVerify
serverConfig.ControlConfig.EtcdS3AccessKey = cfg.EtcdS3AccessKey
serverConfig.ControlConfig.EtcdS3SecretKey = cfg.EtcdS3SecretKey
serverConfig.ControlConfig.EtcdS3BucketName = cfg.EtcdS3BucketName
serverConfig.ControlConfig.EtcdS3Region = cfg.EtcdS3Region
serverConfig.ControlConfig.EtcdS3Folder = cfg.EtcdS3Folder
serverConfig.ControlConfig.EtcdS3Insecure = cfg.EtcdS3Insecure
serverConfig.ControlConfig.EtcdS3Timeout = cfg.EtcdS3Timeout
} else {
logrus.Info("ETCD snapshots are disabled")
}
if cfg.ClusterResetRestorePath != "" && !cfg.ClusterReset {
return errors.New("invalid flag use; --cluster-reset required with --cluster-reset-restore-path")
}
serverConfig.ControlConfig.ClusterReset = cfg.ClusterReset
serverConfig.ControlConfig.ClusterResetRestorePath = cfg.ClusterResetRestorePath
serverConfig.ControlConfig.SystemDefaultRegistry = cfg.SystemDefaultRegistry
if serverConfig.ControlConfig.SupervisorPort == 0 {
serverConfig.ControlConfig.SupervisorPort = serverConfig.ControlConfig.HTTPSPort
}
if serverConfig.ControlConfig.DisableETCD && serverConfig.ControlConfig.JoinURL == "" {
return errors.New("invalid flag use; --server is required with --disable-etcd")
}
if serverConfig.ControlConfig.DisableAPIServer {
// Servers without a local apiserver need to connect to the apiserver via the proxy load-balancer.
serverConfig.ControlConfig.APIServerPort = cmds.AgentConfig.LBServerPort
// If the supervisor and externally-facing apiserver are not on the same port, the proxy will
// have a separate load-balancer for the apiserver that we need to use instead.
if serverConfig.ControlConfig.SupervisorPort != serverConfig.ControlConfig.HTTPSPort {
serverConfig.ControlConfig.APIServerPort = cmds.AgentConfig.LBServerPort - 1
}
}
if cmds.AgentConfig.FlannelIface != "" && len(cmds.AgentConfig.NodeIP) == 0 {
ip, err := util.GetIPFromInterface(cmds.AgentConfig.FlannelIface)
if err != nil {
return err
}
cmds.AgentConfig.NodeIP.Set(ip)
}
if serverConfig.ControlConfig.PrivateIP == "" && len(cmds.AgentConfig.NodeIP) != 0 {
serverConfig.ControlConfig.PrivateIP = util.GetFirstValidIPString(cmds.AgentConfig.NodeIP)
}
// Ensure that we add the localhost name/ip and node name/ip to the SAN list. This list is shared by the
// certs for the supervisor, kube-apiserver cert, and etcd. DNS entries for the in-cluster kubernetes
// service endpoint are added later when the certificates are created.
nodeName, nodeIPs, err := util.GetHostnameAndIPs(cmds.AgentConfig.NodeName, cmds.AgentConfig.NodeIP)
if err != nil {
return err
}
serverConfig.ControlConfig.ServerNodeName = nodeName
serverConfig.ControlConfig.SANs = append(serverConfig.ControlConfig.SANs, "127.0.0.1", "::1", "localhost", nodeName)
for _, ip := range nodeIPs {
serverConfig.ControlConfig.SANs = append(serverConfig.ControlConfig.SANs, ip.String())
}
// if not set, try setting advertise-ip from agent VPN
if cmds.AgentConfig.VPNAuth != "" {
vpnInfo, err := vpn.GetVPNInfo(cmds.AgentConfig.VPNAuth)
if err != nil {
return err
}
// If we are in ipv6-only mode, we should pass the ipv6 address. Otherwise, ipv4
if utilsnet.IsIPv6(nodeIPs[0]) {
if vpnInfo.IPv6Address != nil {
logrus.Infof("Changed advertise-address to %v due to VPN", vpnInfo.IPv6Address)
if serverConfig.ControlConfig.AdvertiseIP != "" {
logrus.Warn("Conflict in the config detected. VPN integration overwrites advertise-address but the config is setting the advertise-address parameter")
}
serverConfig.ControlConfig.AdvertiseIP = vpnInfo.IPv6Address.String()
} else {
return errors.New("tailscale does not provide an ipv6 address")
}
} else {
// We are in dual-stack or ipv4-only mode
if vpnInfo.IPv4Address != nil {
logrus.Infof("Changed advertise-address to %v due to VPN", vpnInfo.IPv4Address)
if serverConfig.ControlConfig.AdvertiseIP != "" {
logrus.Warn("Conflict in the config detected. VPN integration overwrites advertise-address but the config is setting the advertise-address parameter")
}
serverConfig.ControlConfig.AdvertiseIP = vpnInfo.IPv4Address.String()
} else {
return errors.New("tailscale does not provide an ipv4 address")
}
}
logrus.Warn("Etcd IP (PrivateIP) remains the local IP. Running etcd traffic over VPN is not recommended due to performance issues")
} else {
// if not set, try setting advertise-ip from agent node-external-ip
if serverConfig.ControlConfig.AdvertiseIP == "" && len(cmds.AgentConfig.NodeExternalIP) != 0 {
serverConfig.ControlConfig.AdvertiseIP = util.GetFirstValidIPString(cmds.AgentConfig.NodeExternalIP)
}
// if not set, try setting advertise-ip from agent node-ip
if serverConfig.ControlConfig.AdvertiseIP == "" && len(cmds.AgentConfig.NodeIP) != 0 {
serverConfig.ControlConfig.AdvertiseIP = util.GetFirstValidIPString(cmds.AgentConfig.NodeIP)
}
}
// if we ended up with any advertise-ips, ensure they're added to the SAN list;
// note that kube-apiserver does not support dual-stack advertise-ip as of 1.21.0:
/// https://github.com/kubernetes/kubeadm/issues/1612#issuecomment-772583989
if serverConfig.ControlConfig.AdvertiseIP != "" {
serverConfig.ControlConfig.SANs = append(serverConfig.ControlConfig.SANs, serverConfig.ControlConfig.AdvertiseIP)
}
// configure ClusterIPRanges. Use default 10.42.0.0/16 or fd00:42::/56 if user did not set it
_, defaultClusterCIDR, defaultServiceCIDR, _ := util.GetDefaultAddresses(nodeIPs[0])
if len(cmds.ServerConfig.ClusterCIDR) == 0 {
cmds.ServerConfig.ClusterCIDR.Set(defaultClusterCIDR)
}
for _, cidr := range util.SplitStringSlice(cmds.ServerConfig.ClusterCIDR) {
_, parsed, err := net.ParseCIDR(cidr)
if err != nil {
return errors.Wrapf(err, "invalid cluster-cidr %s", cidr)
}
serverConfig.ControlConfig.ClusterIPRanges = append(serverConfig.ControlConfig.ClusterIPRanges, parsed)
}
// set ClusterIPRange to the first address (first defined IPFamily is preferred)
serverConfig.ControlConfig.ClusterIPRange = serverConfig.ControlConfig.ClusterIPRanges[0]
// configure ServiceIPRanges. Use default 10.43.0.0/16 or fd00:43::/112 if user did not set it
if len(cmds.ServerConfig.ServiceCIDR) == 0 {
cmds.ServerConfig.ServiceCIDR.Set(defaultServiceCIDR)
}
for _, cidr := range util.SplitStringSlice(cmds.ServerConfig.ServiceCIDR) {
_, parsed, err := net.ParseCIDR(cidr)
if err != nil {
return errors.Wrapf(err, "invalid service-cidr %s", cidr)
}
serverConfig.ControlConfig.ServiceIPRanges = append(serverConfig.ControlConfig.ServiceIPRanges, parsed)
}
// set ServiceIPRange to the first address (first defined IPFamily is preferred)
serverConfig.ControlConfig.ServiceIPRange = serverConfig.ControlConfig.ServiceIPRanges[0]
serverConfig.ControlConfig.ServiceNodePortRange, err = utilnet.ParsePortRange(cfg.ServiceNodePortRange)
if err != nil {
return errors.Wrapf(err, "invalid port range %s", cfg.ServiceNodePortRange)
}
// the apiserver service does not yet support dual-stack operation
_, apiServerServiceIP, err := options.ServiceIPRange(*serverConfig.ControlConfig.ServiceIPRanges[0])
if err != nil {
return err
}
serverConfig.ControlConfig.SANs = append(serverConfig.ControlConfig.SANs, apiServerServiceIP.String())
// If cluster-dns CLI arg is not set, we set ClusterDNS address to be the first IPv4 ServiceCIDR network + 10,
// i.e. when you set service-cidr to 192.168.0.0/16 and don't provide cluster-dns, it will be set to 192.168.0.10
// If there are no IPv4 ServiceCIDRs, an IPv6 ServiceCIDRs will be used.
// If neither of IPv4 or IPv6 are found an error is raised.
|
2021-04-21 22:56:20 +00:00
|
|
|
if len(cmds.ServerConfig.ClusterDNS) == 0 {
|
2023-09-20 10:00:31 +00:00
|
|
|
for _, svcCIDR := range serverConfig.ControlConfig.ServiceIPRanges {
|
|
|
|
clusterDNS, err := utilsnet.GetIndexedIP(svcCIDR, 10)
|
|
|
|
if err != nil {
|
|
|
|
return errors.Wrap(err, "cannot configure default cluster-dns address")
|
|
|
|
}
|
|
|
|
serverConfig.ControlConfig.ClusterDNSs = append(serverConfig.ControlConfig.ClusterDNSs, clusterDNS)
|
2021-04-21 22:56:20 +00:00
|
|
|
}
|
2019-03-06 18:41:07 +00:00
|
|
|
} else {
|
2023-05-02 16:55:48 +00:00
|
|
|
for _, ip := range util.SplitStringSlice(cmds.ServerConfig.ClusterDNS) {
|
|
|
|
parsed := net.ParseIP(ip)
|
|
|
|
if parsed == nil {
|
|
|
|
return fmt.Errorf("invalid cluster-dns address %s", ip)
|
2021-04-21 22:56:20 +00:00
|
|
|
}
|
2023-05-02 16:55:48 +00:00
|
|
|
serverConfig.ControlConfig.ClusterDNSs = append(serverConfig.ControlConfig.ClusterDNSs, parsed)
|
2021-04-21 22:56:20 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-09-21 13:39:05 +00:00
|
|
|
serverConfig.ControlConfig.ClusterDNS = serverConfig.ControlConfig.ClusterDNSs[0]
|
2023-09-20 10:00:31 +00:00
|
|
|
|
2021-04-21 22:56:20 +00:00
|
|
|
if err := validateNetworkConfiguration(serverConfig); err != nil {
|
|
|
|
return err
|
2019-03-06 18:41:07 +00:00
|
|
|
}
|
|
|
|
|
2019-09-27 00:18:37 +00:00
|
|
|
if cfg.DefaultLocalStoragePath == "" {
|
|
|
|
dataDir, err := datadir.LocalHome(cfg.DataDir, false)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
serverConfig.ControlConfig.DefaultLocalStoragePath = filepath.Join(dataDir, "/storage")
|
|
|
|
} else {
|
|
|
|
serverConfig.ControlConfig.DefaultLocalStoragePath = cfg.DefaultLocalStoragePath
|
|
|
|
}
|
|
|
|
|
2020-01-29 23:40:49 +00:00
|
|
|
serverConfig.ControlConfig.Skips = map[string]bool{}
|
|
|
|
serverConfig.ControlConfig.Disables = map[string]bool{}
|
2023-05-02 16:55:48 +00:00
|
|
|
for _, disable := range util.SplitStringSlice(app.StringSlice("disable")) {
|
|
|
|
disable = strings.TrimSpace(disable)
|
|
|
|
serverConfig.ControlConfig.Skips[disable] = true
|
|
|
|
serverConfig.ControlConfig.Disables[disable] = true
|
2020-01-29 23:40:49 +00:00
|
|
|
}
|
|
|
|
if serverConfig.ControlConfig.Skips["servicelb"] {
|
2022-09-29 20:16:33 +00:00
|
|
|
serverConfig.ControlConfig.DisableServiceLB = true
|
2019-01-22 21:14:58 +00:00
|
|
|
}
|
|
|
|
|
2022-09-29 20:50:05 +00:00
|
|
|
if serverConfig.ControlConfig.DisableCCM && serverConfig.ControlConfig.DisableServiceLB {
|
2020-04-29 06:08:22 +00:00
|
|
|
serverConfig.ControlConfig.Skips["ccm"] = true
|
|
|
|
serverConfig.ControlConfig.Disables["ccm"] = true
|
|
|
|
}
|
|
|
|
|
2023-01-12 01:40:22 +00:00
|
|
|
tlsMinVersionArg := getArgValueFromList("tls-min-version", serverConfig.ControlConfig.ExtraAPIArgs)
|
2020-08-18 23:44:10 +00:00
|
|
|
serverConfig.ControlConfig.TLSMinVersion, err = kubeapiserverflag.TLSVersion(tlsMinVersionArg)
|
2020-05-06 17:43:15 +00:00
|
|
|
if err != nil {
|
2021-04-21 22:56:20 +00:00
|
|
|
return errors.Wrap(err, "invalid tls-min-version")
|
2020-05-06 17:43:15 +00:00
|
|
|
}
|
|
|
|
|
2020-08-19 21:30:53 +00:00
|
|
|
serverConfig.StartupHooks = append(serverConfig.StartupHooks, cfg.StartupHooks...)
|
2020-08-19 20:30:51 +00:00
|
|
|
|
2021-03-11 18:39:00 +00:00
|
|
|
serverConfig.LeaderControllers = append(serverConfig.LeaderControllers, leaderControllers...)
|
|
|
|
serverConfig.Controllers = append(serverConfig.Controllers, controllers...)
|
|
|
|
|
2020-05-13 13:34:45 +00:00
|
|
|
// TLS config based on mozilla ssl-config generator
|
|
|
|
// https://ssl-config.mozilla.org/#server=golang&version=1.13.6&config=intermediate&guideline=5.4
|
|
|
|
// Need to disable the TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 Cipher for TLS1.2
|
2023-01-12 01:40:22 +00:00
|
|
|
tlsCipherSuitesArg := getArgValueFromList("tls-cipher-suites", serverConfig.ControlConfig.ExtraAPIArgs)
|
2020-08-18 23:44:10 +00:00
|
|
|
tlsCipherSuites := strings.Split(tlsCipherSuitesArg, ",")
|
|
|
|
for i := range tlsCipherSuites {
|
|
|
|
tlsCipherSuites[i] = strings.TrimSpace(tlsCipherSuites[i])
|
|
|
|
}
|
|
|
|
if len(tlsCipherSuites) == 0 || tlsCipherSuites[0] == "" {
|
|
|
|
tlsCipherSuites = []string{
|
2020-05-13 13:34:45 +00:00
|
|
|
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
|
|
|
|
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
|
|
|
|
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
|
|
|
|
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
|
|
|
|
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
|
|
|
|
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
|
2020-05-06 17:43:15 +00:00
|
|
|
}
|
2023-01-12 01:40:22 +00:00
|
|
|
serverConfig.ControlConfig.ExtraAPIArgs = append(serverConfig.ControlConfig.ExtraAPIArgs, "tls-cipher-suites="+strings.Join(tlsCipherSuites, ","))
|
2020-05-06 17:43:15 +00:00
|
|
|
}
|
2020-08-18 23:44:10 +00:00
|
|
|
serverConfig.ControlConfig.TLSCipherSuites, err = kubeapiserverflag.TLSCipherSuites(tlsCipherSuites)
|
2020-05-13 13:34:45 +00:00
|
|
|
if err != nil {
|
2021-04-21 22:56:20 +00:00
|
|
|
return errors.Wrap(err, "invalid tls-cipher-suites")
|
2020-05-13 13:34:45 +00:00
|
|
|
}
|
2020-05-06 17:43:15 +00:00
|
|
|
|
2022-04-27 20:44:15 +00:00
|
|
|
// If performing a cluster reset, make sure control-plane components are
|
|
|
|
// disabled so we only perform a reset or restore and bail out.
|
|
|
|
if cfg.ClusterReset {
|
2022-01-12 00:59:41 +00:00
|
|
|
serverConfig.ControlConfig.ClusterInit = true
|
|
|
|
serverConfig.ControlConfig.DisableAPIServer = true
|
|
|
|
serverConfig.ControlConfig.DisableControllerManager = true
|
|
|
|
serverConfig.ControlConfig.DisableScheduler = true
|
|
|
|
serverConfig.ControlConfig.DisableCCM = true
|
2024-01-16 22:43:08 +00:00
|
|
|
serverConfig.ControlConfig.DisableServiceLB = true
|
2022-01-12 00:59:41 +00:00
|
|
|
|
2022-04-27 20:44:15 +00:00
|
|
|
// If the supervisor and apiserver are on the same port, everything is running embedded
|
|
|
|
// and we don't need the kubelet or containerd up to perform a cluster reset.
|
|
|
|
if serverConfig.ControlConfig.SupervisorPort == serverConfig.ControlConfig.HTTPSPort {
|
|
|
|
cfg.DisableAgent = true
|
|
|
|
}
|
|
|
|
|
2023-09-26 14:00:37 +00:00
|
|
|
// If the user uses the cluster-reset argument in a cluster that has a ServerURL, we must return an error
|
|
|
|
// to remove the server flag on the configuration or in the cli
|
|
|
|
if serverConfig.ControlConfig.JoinURL != "" {
|
|
|
|
return errors.New("cannot perform cluster-reset while server URL is set - remove server from configuration before resetting")
|
|
|
|
}
|
|
|
|
|
2022-01-12 00:59:41 +00:00
|
|
|
dataDir, err := datadir.LocalHome(cfg.DataDir, false)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
// delete local loadbalancers state for apiserver and supervisor servers
|
|
|
|
loadbalancer.ResetLoadBalancer(filepath.Join(dataDir, "agent"), loadbalancer.SupervisorServiceName)
|
|
|
|
loadbalancer.ResetLoadBalancer(filepath.Join(dataDir, "agent"), loadbalancer.APIServerServiceName)
|
|
|
|
|
2022-04-27 20:44:15 +00:00
|
|
|
if cfg.ClusterResetRestorePath != "" {
|
|
|
|
// at this point we're doing a restore. Check to see if we've
|
|
|
|
// passed in a token and if not, check if the token file exists.
|
|
|
|
// If it doesn't, return an error indicating the token is necessary.
|
|
|
|
if cfg.Token == "" {
|
|
|
|
tokenFile := filepath.Join(dataDir, "server", "token")
|
|
|
|
if _, err := os.Stat(tokenFile); err != nil {
|
|
|
|
if os.IsNotExist(err) {
|
|
|
|
return errors.New(tokenFile + " does not exist, please pass --token to complete the restoration")
|
|
|
|
}
|
2022-01-12 00:59:41 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-09-21 16:56:03 +00:00
|
|
|
logrus.Info("Starting " + version.Program + " " + app.App.Version)
|
2019-03-07 03:49:17 +00:00
|
|
|
|
2021-08-03 17:53:21 +00:00
|
|
|
notifySocket := os.Getenv("NOTIFY_SOCKET")
|
2022-06-15 16:00:52 +00:00
|
|
|
os.Unsetenv("NOTIFY_SOCKET")
|
2021-08-03 17:53:21 +00:00
|
|
|
|
2021-11-08 15:32:43 +00:00
|
|
|
ctx := signals.SetupSignalContext()
|
2021-02-12 15:35:57 +00:00
|
|
|
|
2021-07-28 20:56:59 +00:00
|
|
|
if err := server.StartServer(ctx, &serverConfig, cfg); err != nil {
|
2019-01-09 16:54:15 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
2023-06-05 21:15:17 +00:00
|
|
|
go cmds.WriteCoverage(ctx)
|
|
|
|
|
2020-04-28 22:44:05 +00:00
|
|
|
go func() {
|
2021-03-01 21:50:50 +00:00
|
|
|
if !serverConfig.ControlConfig.DisableAPIServer {
|
|
|
|
<-serverConfig.ControlConfig.Runtime.APIServerReady
|
|
|
|
logrus.Info("Kube API server is now running")
|
2022-06-15 16:00:52 +00:00
|
|
|
serverConfig.ControlConfig.Runtime.StartupHooksWg.Wait()
|
|
|
|
}
|
|
|
|
if !serverConfig.ControlConfig.DisableETCD {
|
2021-03-01 21:50:50 +00:00
|
|
|
<-serverConfig.ControlConfig.Runtime.ETCDReady
|
|
|
|
logrus.Info("ETCD server is now running")
|
|
|
|
}
|
2021-06-15 11:20:26 +00:00
|
|
|
|
2020-09-21 16:56:03 +00:00
|
|
|
logrus.Info(version.Program + " is up and running")
|
2022-06-15 16:00:52 +00:00
|
|
|
os.Setenv("NOTIFY_SOCKET", notifySocket)
|
|
|
|
systemd.SdNotify(true, "READY=1\n")
|
2020-04-28 22:44:05 +00:00
|
|
|
}()
|
2019-02-08 04:12:49 +00:00
|
|
|
|
2022-07-21 21:40:09 +00:00
|
|
|
url := fmt.Sprintf("https://%s:%d", serverConfig.ControlConfig.BindAddressOrLoopback(false, true), serverConfig.ControlConfig.SupervisorPort)
|
2021-06-22 20:42:34 +00:00
|
|
|
token, err := clientaccess.FormatToken(serverConfig.ControlConfig.Runtime.AgentToken, serverConfig.ControlConfig.Runtime.ServerCA)
|
2019-10-27 05:53:25 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2019-01-09 16:54:15 +00:00
|
|
|
|
|
|
|
agentConfig := cmds.AgentConfig
|
2024-02-21 18:26:13 +00:00
|
|
|
agentConfig.ContainerRuntimeReady = containerRuntimeReady
|
2020-09-01 17:43:19 +00:00
|
|
|
agentConfig.Debug = app.GlobalBool("debug")
|
2019-01-22 21:14:58 +00:00
|
|
|
agentConfig.DataDir = filepath.Dir(serverConfig.ControlConfig.DataDir)
|
2019-01-09 16:54:15 +00:00
|
|
|
agentConfig.ServerURL = url
|
|
|
|
agentConfig.Token = token
|
2021-02-12 15:35:57 +00:00
|
|
|
agentConfig.DisableLoadBalancer = !serverConfig.ControlConfig.DisableAPIServer
|
2022-09-29 20:16:33 +00:00
|
|
|
agentConfig.DisableServiceLB = serverConfig.ControlConfig.DisableServiceLB
|
2021-02-12 15:35:57 +00:00
|
|
|
agentConfig.ETCDAgent = serverConfig.ControlConfig.DisableAPIServer
|
2021-05-05 15:40:04 +00:00
|
|
|
agentConfig.ClusterReset = serverConfig.ControlConfig.ClusterReset
|
2019-10-19 10:18:51 +00:00
|
|
|
agentConfig.Rootless = cfg.Rootless
|
2021-02-12 15:35:57 +00:00
|
|
|
|
2019-10-19 10:18:51 +00:00
|
|
|
if agentConfig.Rootless {
|
|
|
|
// let agent specify Rootless kubelet flags, but not unshare twice
|
|
|
|
agentConfig.RootlessAlreadyUnshared = true
|
|
|
|
}
|
2019-01-09 16:54:15 +00:00
|
|
|
|
2021-02-12 15:35:57 +00:00
|
|
|
if serverConfig.ControlConfig.DisableAPIServer {
|
2022-03-24 19:23:59 +00:00
|
|
|
if cfg.ServerURL == "" {
|
|
|
|
// If this node is the initial member of the cluster and is not hosting an apiserver,
|
|
|
|
// always bootstrap the agent off local supervisor, and go through the process of reading
|
|
|
|
// apiserver endpoints from etcd and blocking further startup until one is available.
|
|
|
|
// This ensures that we don't end up in a chicken-and-egg situation on cluster restarts,
|
|
|
|
// where the loadbalancer is routing traffic to existing apiservers, but the apiservers
|
|
|
|
// are non-functional because they're waiting for us to start etcd.
|
|
|
|
loadbalancer.ResetLoadBalancer(filepath.Join(agentConfig.DataDir, "agent"), loadbalancer.SupervisorServiceName)
|
|
|
|
} else {
|
|
|
|
// If this is a secondary member of the cluster and is not hosting an apiserver,
|
|
|
|
// bootstrap the agent off the existing supervisor, instead of bootstrapping locally.
|
2022-02-16 22:19:58 +00:00
|
|
|
agentConfig.ServerURL = cfg.ServerURL
|
|
|
|
}
|
2021-02-12 15:35:57 +00:00
|
|
|
// initialize the apiAddress Channel for receiving the api address from etcd
|
2022-02-16 22:19:58 +00:00
|
|
|
agentConfig.APIAddressCh = make(chan []string)
|
|
|
|
go getAPIAddressFromEtcd(ctx, serverConfig, agentConfig)
|
2021-02-12 15:35:57 +00:00
|
|
|
}
|
2022-02-15 00:34:49 +00:00
|
|
|
|
|
|
|
if cfg.DisableAgent {
|
|
|
|
agentConfig.ContainerRuntimeEndpoint = "/dev/null"
|
|
|
|
return agent.RunStandalone(ctx, agentConfig)
|
|
|
|
}
|
|
|
|
|
2023-12-06 00:25:49 +00:00
|
|
|
if cfg.EmbeddedRegistry {
|
|
|
|
conf := spegel.DefaultRegistry
|
|
|
|
conf.Bootstrapper = spegel.NewChainingBootstrapper(
|
|
|
|
spegel.NewServerBootstrapper(&serverConfig.ControlConfig),
|
|
|
|
spegel.NewAgentBootstrapper(cfg.ServerURL, token, agentConfig.DataDir),
|
|
|
|
spegel.NewSelfBootstrapper(),
|
|
|
|
)
|
|
|
|
conf.HandlerFunc = func(_ *spegel.Config, router *mux.Router) error {
|
|
|
|
router.NotFoundHandler = serverConfig.ControlConfig.Runtime.Handler
|
|
|
|
serverConfig.ControlConfig.Runtime.Handler = router
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
conf.AuthFunc = func() authenticator.Request {
|
|
|
|
return serverConfig.ControlConfig.Runtime.Authenticator
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-01-09 16:54:15 +00:00
|
|
|
return agent.Run(ctx, agentConfig)
|
|
|
|
}
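// validateNetworkConfiguration ensures that the network configuration values make sense.
//
// The only check at present is on egress-selector-mode:
//   - "cluster" and "pod" are accepted as-is;
//   - "agent" and "disabled" are accepted, but a warning is logged when the
//     local agent is disabled, since (per the warning text) webhooks and
//     apiserver aggregation may not work in that combination;
//   - any other value is rejected with an error that quotes the offending
//     mode, so an empty or whitespace-only value is still visible in the message.
//
// serverConfig is passed by value to match the existing call site; the
// function only reads from it and returns nil on success.
func validateNetworkConfiguration(serverConfig server.Config) error {
	mode := serverConfig.ControlConfig.EgressSelectorMode

	switch mode {
	case config.EgressSelectorModeCluster, config.EgressSelectorModePod:
		return nil
	case config.EgressSelectorModeAgent, config.EgressSelectorModeDisabled:
		if serverConfig.DisableAgent {
			logrus.Warn("Webhooks and apiserver aggregation may not function properly without an agent; please set egress-selector-mode to 'cluster' or 'pod'")
		}
		return nil
	default:
		// %q rather than %s: the value comes from the CLI/config file, and an
		// empty or odd value must be legible in the error.
		return fmt.Errorf("invalid egress-selector-mode %q", mode)
	}
}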
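// getArgValueFromList returns the value of the first "name=value" entry in
// argList whose name equals searchArg. Only the first '=' separates the name
// from the value, so values that themselves contain '=' are returned intact.
//
// An entry with no '=' at all (a bare flag such as "anonymous-auth") is
// treated as having an empty value instead of panicking with an index out of
// range, which the previous implementation did for any operator-supplied
// --kube-apiserver-arg without a value. An empty string is also returned when
// searchArg is not present, so callers cannot distinguish "absent" from
// "explicitly empty"; both fall through to the caller's default.
//
// First match wins; later duplicates are ignored.
func getArgValueFromList(searchArg string, argList []string) string {
	for _, arg := range argList {
		name, value := arg, ""
		if sep := strings.Index(arg, "="); sep >= 0 {
			name, value = arg[:sep], arg[sep+1:]
		}
		if name == searchArg {
			return value
		}
	}
	return ""
}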
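// getAPIAddressFromEtcd polls etcd for the apiserver URLs published there and,
// once at least one is available, delivers them on agentConfig.APIAddressCh
// and closes the channel. It is started as a goroutine for servers that run
// etcd but no apiserver (DisableAPIServer), so the local agent can be pointed
// at a remote apiserver instead of a non-existent local one.
//
// Each lookup is bounded by a 5-second timeout, and the remainder of that
// timeout is waited out before the next attempt, so a fast failure does not
// turn into a hot loop. etcd.ErrAddressNotSet is treated as the expected
// "nothing published yet" case and is not logged; any other error is logged
// at WARN and retried.
//
// Unlike the previous implementation, the loop exits when ctx is cancelled
// instead of spinning and logging a warning every iteration, and the per-attempt
// cancel func is called each iteration rather than deferred (a deferred cancel
// inside the loop accumulated a timer per attempt until the function returned).
// On cancellation the channel is closed without a value having been sent.
// NOTE(review): the receiver lives outside this file; it should treat a receive
// with ok == false as "no address available".
func getAPIAddressFromEtcd(ctx context.Context, serverConfig server.Config, agentConfig cmds.Agent) {
	defer close(agentConfig.APIAddressCh)

	const lookupTimeout = 5 * time.Second

	for ctx.Err() == nil {
		toCtx, cancel := context.WithTimeout(ctx, lookupTimeout)
		serverAddresses, err := etcd.GetAPIServerURLsFromETCD(toCtx, &serverConfig.ControlConfig)
		if err == nil && len(serverAddresses) > 0 {
			cancel()
			// The channel is unbuffered; do not block forever if the receiver
			// has already shut down with the parent context.
			select {
			case agentConfig.APIAddressCh <- serverAddresses:
			case <-ctx.Done():
			}
			return
		}
		// Suppress the warning for the expected not-yet-published case, for an
		// empty-but-successful result (previously logged as "<nil>"), and for
		// the error produced by our own shutdown.
		if err != nil && ctx.Err() == nil && !errors.Is(err, etcd.ErrAddressNotSet) {
			logrus.Warnf("Failed to get apiserver address from etcd: %v", err)
		}
		// Wait out the rest of the timeout before retrying; parent cancellation
		// also unblocks this because toCtx derives from ctx.
		<-toCtx.Done()
		cancel()
	}
}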