Commit Graph

3268 Commits (118acabec28c3f290b324f56ac8170dd2de60997)

Author SHA1 Message Date
Brad Davidson 612473755d Add ADR
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-05-30 18:15:11 -07:00
Brad Davidson 7b61aacb56 Fix test file list
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-05-30 18:15:11 -07:00
Brad Davidson 64a5f58f1e Create new kubeconfig for supervisor use
Only actual admin actions should use the admin kubeconfig; everything done by the supervisor/deploy/helm controllers will now use a distinct account for audit purposes.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-05-30 18:15:11 -07:00
Brad Davidson 8748813a61 Use distinct clients for supervisor, deploy, and helm controllers
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-05-30 18:15:11 -07:00
Brad Davidson e9958cf070 Bump metrics-server to v0.6.3 and update tls-cipher-suites
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-05-30 17:44:06 -07:00
Brad Davidson 93279d2f59 Bump klipper-lb to v0.4.4
Fixes issue with localhost access to ServiceLB when
ExternalTrafficPolicy=Local

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-05-30 17:38:59 -07:00
Andrew Roffey 0485a56f33 allow coredns override extensions
Signed-off-by: Andrew Roffey <andrew@roffey.au>
2023-05-30 17:24:00 -07:00
Brian Downs 85e10cf9d2
update channels (#7634) 2023-05-30 16:05:46 -07:00
Hussein Galal 9543470eb7
Add el9 selinux rpm (#7635)
* Add el9 to the install script

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Add rocky-9 install test to test el9 selinux

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Add rocky-9 install test to test el9 selinux to workflow

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Use el8 for fedora 37

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Add a warning to reboot in coreos systems

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* remove k3s-selinux module in case of upgrade in el9

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Check for available container-selinux and k3s-selinux

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* extend selinux upgrade to sle distros

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* create /var/lib/rpm-state in sle systems

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* nit fix

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* extend selinux upgrade to sle distros

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

---------

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2023-05-31 01:51:23 +03:00
Manuel Buil d1b0254b91 Update flannel version
Signed-off-by: Manuel Buil <mbuil@suse.com>
2023-05-30 10:41:15 +02:00
Hussein Galal 213d7ad499
Revert "Add el9 selinux rpm (#7443)" (#7608)
This reverts commit d55ec08675.

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2023-05-25 16:41:05 +03:00
Hussein Galal d55ec08675
Add el9 selinux rpm (#7443)
* Add el9 to the install script

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Add rocky-9 install test to test el9 selinux

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Add rocky-9 install test to test el9 selinux to workflow

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Use el8 for fedora 37

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Add a warning to reboot in coreos systems

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* remove k3s-selinux module in case of upgrade in el9

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Check for available container-selinux and k3s-selinux

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* extend selinux upgrade to sle distros

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* create /var/lib/rpm-state in sle systems

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* nit fix

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

---------

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2023-05-25 02:52:07 +03:00
Brad Davidson fe554fe703 Pin emicklei/go-restful to v3.9.0
Fix regression in legacy API prefix, until upstream pulls in support for MergePathStrategy from https://github.com/emicklei/go-restful/pull/523

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-05-23 18:01:19 -07:00
Roberto Bonafiglia 91c5e0d75a Fix iptables rules clean during upgrade
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2023-05-22 20:17:59 +02:00
Brian Downs d069a85fcc
Update to v1.27.2-k3s1 (#7575) 2023-05-18 10:24:04 -07:00
Manuel Buil cdcd4a9000
Merge pull request #7567 from manuelbuil/master
Add '-all' flag to apply to inactive systemd units
2023-05-17 18:48:54 +02:00
Manuel Buil 290f67c939 Add '-all' flag to apply to inactive units
Signed-off-by: Manuel Buil <mbuil@suse.com>
2023-05-17 12:24:23 +02:00
dependabot[bot] 2b24c9917c
Bump alpine from 3.17 to 3.18 in /conformance (#7551)
Bumps alpine from 3.17 to 3.18.

---
updated-dependencies:
- dependency-name: alpine
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-05-15 15:14:29 -04:00
dependabot[bot] 266926693a
Bump alpine from 3.17 to 3.18 in /package (#7550)
Bumps alpine from 3.17 to 3.18.

---
updated-dependencies:
- dependency-name: alpine
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-05-15 15:14:08 -04:00
Manuel Buil 10fb39ae60
Merge pull request #7539 from manuelbuil/addLogsKubeRouter
Wrap error stating that it is coming from netpol
2023-05-15 09:40:49 +02:00
Esteban Esquivel Alvarado 9bcfac8b88
Add Rotation certification Check (#7097)
* Add Certification Test to Validate Cluster

Signed-off-by: est-suse <esteban.esquivel@suse.com>

* Fix to stop/start for k3s certificate rotation

Signed-off-by: Derek Nola <derek.nola@suse.com>

---------

Signed-off-by: est-suse <esteban.esquivel@suse.com>
Signed-off-by: Derek Nola <derek.nola@suse.com>
Co-authored-by: est-suse <esteban.esquivel@suse.com>
Co-authored-by: Derek Nola <derek.nola@suse.com>
2023-05-12 10:36:41 -07:00
Manuel Buil 4aafff0219 Wrap error stating that it is coming from netpol
Signed-off-by: Manuel Buil <mbuil@suse.com>
2023-05-12 19:33:25 +02:00
Brad Davidson cbe8d33c93 Bump containerd/runc to v1.7.1-k3s1/v1.1.7
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-05-11 13:32:38 -07:00
Brad Davidson 8f450bafe1 Bump helm-controller version for repo auth/ca support
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-05-10 14:57:37 -07:00
Chris Wayne 06296815e6
Adding PITS and Getdeck Beiboot as adopters thanks to Schille and Miworfi for the additions (#7524)
Signed-off-by: Chris Wayne <cwayne18@gmail.com>
2023-05-10 11:54:01 -07:00
Brad Davidson 607cbf0ad6 Bump containerd to v1.7.0 and move back into multicall binary
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-05-10 08:34:03 -07:00
thomasferrandiz b4bc57d049
Merge pull request #7303 from thomasferrandiz/netpol-log-level
ensure that klog verbosity is set to the same level as logrus
2023-05-10 15:01:06 +02:00
Brad Davidson 239021e759 Consistently use constant-time comparison of password hashes
As per https://github.com/golang/go/issues/47001 even subtle.ConstantTimeCompare should never be used with variable-length inputs, as it will return 0 if the lengths do not match. Switch to consistently using constant-time comparisons of hashes for password checks to avoid any possible side-channel leaks that could be combined with other vectors to discover password lengths.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-05-09 13:54:50 -07:00
Roberto Bonafiglia 9ec1789c21 Bump kube-router version to fix a bug when a port name is used
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2023-05-09 18:21:29 +02:00
Derek Nola c6dc789e25
Add support for `-cover` + integration test code coverage (#7415)
* Add support for -cover in k3s server
* Update codecov reporting
* Sigterm in StopK3sServer
Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-05-08 12:46:51 -07:00
Ian Cardoso 3982213f06
add kube-* server flags integration tests (#7416)
This commit adds SearchK3sLog function to find specific strings in integration tests log file and also removes FindStringInCmdAsync function since it was not being used.

Signed-off-by: Ian Cardoso <osodracnai@gmail.com>
2023-05-08 05:25:47 -03:00
Brad Davidson b32bf49541 Bump kine to v0.10.1
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-05-05 15:54:19 -07:00
Brad Davidson c98137ddca Fix token startup test
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-05-05 15:52:12 -07:00
Brad Davidson cf9ebb3259 Fail to validate server tokens that use bootstrap id/secret format
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-05-05 12:24:35 -07:00
Derek Nola 7175ebe2be
E2E: Startup test cleanup + RunCommand Enhancement (#7388)
* Add beforesuite to startup
* Reduce timeouts for startup
* Fix cleanup + set kubeconfig

Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-05-05 11:00:47 -07:00
Matt Trachier bbb8ee0b2d
Add dependabot label and reviewer (#7423)
Signed-off-by: Matt Trachier <matttrach@gmail.com>
2023-05-05 09:30:51 -05:00
Manuel Buil eb83af0de4
Merge pull request #7422 from manuelbuil/modify-utils
Migrate netutil methods into /util/net.go
2023-05-05 07:17:41 +02:00
Brad Davidson cedefeff24 Bump cni plugins to v1.2.0-k3s1
Also add bandwidth and firewall plugins. The bandwidth plugin is
automatically registered with the appropriate capability, but the
firewall plugin must be configured by the user if they want to use it.

Ref: https://www.cni.dev/plugins/current/meta/firewall/

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-05-04 13:58:42 -07:00
Boleyn Su a736b4b1b9
local-storage: Fix permission (#7217)
* local-storage: Fix permission

/var/lib/rancher/k3s/storage/ should be 700
/var/lib/rancher/k3s/storage/* should be 777

Fixes #2348

Signed-off-by: Boleyn Su <boleyn.su@gmail.com>

* Fix pod command field type

* Fix to int test

Signed-off-by: Derek Nola <derek.nola@suse.com>

---------

Signed-off-by: Boleyn Su <boleyn.su@gmail.com>
Signed-off-by: Derek Nola <derek.nola@suse.com>
Co-authored-by: Brad Davidson <brad@oatmail.org>
Co-authored-by: Derek Nola <derek.nola@suse.com>
2023-05-04 10:43:54 -07:00
Manuel Buil 437ad128c7 Migrate netutil methods into /utils/net.go
Signed-off-by: Manuel Buil <mbuil@suse.com>
2023-05-04 16:49:16 +02:00
Derek Nola e1d4cff14c
Enable FindString to search dotD config files (#7323)
* Enable FindString to search dotD config files
* Address multiple arg cases

Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-05-02 11:18:23 -07:00
Derek Nola 132b41c3bf
Add v1.27 channel (#7387)
Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-05-02 09:57:47 -07:00
Derek Nola d5f560360e
Handle multiple arguments with StringSlice flags (#7380)
* Add helper function for multiple arguments in stringslice

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Cleanup server setup with util function

Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-05-02 09:55:48 -07:00
github-actions[bot] a3ddff2f29 chore: Bump Trivy version
Made with ❤️️ by updatecli
2023-05-01 12:34:37 -07:00
Brad Davidson e61fde93c1 Fix MemberList error handling and incorrect etcd-arg passthrough
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-04-28 22:04:30 -07:00
Brad Davidson 91afb38799 Retry cluster join on "too many learners" error
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-04-28 11:28:33 -07:00
Brad Davidson f1b6a3549c Fix stack log on panic
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-04-28 11:24:34 -07:00
Brad Davidson c44d33d29b Fix race condition in tunnel server startup
Several places in the code used a 5-second retry loop to wait on
Runtime.Core to be set. This caused a race condition where OnChange
handlers could be added after the Wrangler shared informers were already
started. When this happened, the handlers were never called because the
shared informers they relied upon were not started.

Fix that by requiring anything that waits on Runtime.Core to run from a
cluster controller startup hook that is guaranteed to be called before
the shared informers are started, instead of just firing it off in a
goroutine that retries until it is set.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-04-28 11:24:34 -07:00
Brad Davidson 1ca035accc Add e2e test for --disable-agent
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-04-28 11:24:34 -07:00
Brad Davidson 31a6386994 Improve egress selector handling on agentless servers
Don't set up the agent tunnel authorizer on agentless servers, and warn when agentless servers won't have a way to reach in-cluster endpoints.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-04-28 11:24:34 -07:00