github/k3s - k3s - https://git.xinac.net

Commit Graph

Author	SHA1	Message	Date
Derek Nola	59e0761043	Use higher QPS for secrets reencryption (#10571 ) * Use higher QPS for secrets reencryption Signed-off-by: Derek Nola <derek.nola@suse.com>	4 months ago
Brad Davidson	eb8bd15889	Ensure remotedialer kubelet connections use kubelet bind address Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	5 months ago
Brad Davidson	f8e0648304	Convert remaining http handlers over to use util.SendError Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	6 months ago
Brad Davidson	37f97b33c9	Add support for svclb pod PriorityClassName Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	6 months ago
Hussein Galal	144f5ad333	Kubernetes V1.30.0-k3s1 (#10063 ) * kubernetes 1.30.0-k3s1 Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Update go version to v1.22.2 Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * update dynamiclistener and helm-controller Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * update go in go.mod to 1.22.2 Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * update go in Dockerfiles Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * update cri-dockerd Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Add proctitle package with linux and windows constraints Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * go mod tidy Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Fixing setproctitle function Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * update dynamiclistener to v0.6.0-rc1 Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> --------- Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>	7 months ago
Vitor Savian	5d69d6e782	Add tls for kine Signed-off-by: Vitor Savian <vitor.savian@suse.com> Bump kine Signed-off-by: Vitor Savian <vitor.savian@suse.com> Add integration tests for kine with tls Signed-off-by: Vitor Savian <vitor.savian@suse.com>	8 months ago
Brad Davidson	7a2a2d075c	Move error response generation code into util Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	8 months ago
Derek Nola	fa11850563	Readd `k3s secrets-encrypt rotate-keys` with correct support for KMSv2 GA (#9340 ) * Reorder copy order for caching * Enable longer http timeout requests Signed-off-by: Derek Nola <derek.nola@suse.com> * Setup reencrypt controller to run on all apiserver nodes * Fix reencryption for disabling secrets encryption, reenable drone tests	10 months ago
Hussein Galal	9411196406	Update flannel to v0.24.0 and remove multiclustercidr flag (#9075 ) * update flannel to v0.24.0 Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * remove multiclustercidr flag Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> --------- Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>	11 months ago
Hussein Galal	7101af36bb	Update Kubernetes to v1.29.0+k3s1 (#9052 ) * Update to v1.29.0 Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Update to v1.29.0 Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Update go to 1.21.5 Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * update golangci-lint Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * update flannel to 0.23.0-k3s1 This update uses k3s' fork of flannel to allow the removal of multicluster cidr flag logic from the code Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * fix flannel calls Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * update cri-tools to version v1.29.0-k3s1 Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Remove GOEXPERIMENT=nounified from arm builds Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Skip golangci-lint Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Fix setup logging with newer go version Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Move logging flags to components arguments Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * add sysctl commands to the test script Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Update scripts/test Signed-off-by: Brad Davidson <brad@oatmail.org> * disable secretsencryption tests Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> --------- Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> Signed-off-by: Brad Davidson <brad@oatmail.org> Co-authored-by: Brad Davidson <brad@oatmail.org>	11 months ago
Brad Davidson	231cb6ed20	Remove GA feature-gates (#8970 ) Remove KubeletCredentialProviders and JobTrackingWithFinalizers feature-gates, both of which are GA and cannot be disabled. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	12 months ago
Brad Davidson	7ecd5874d2	Skip initial datastore reconcile during cluster-reset Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Brad Davidson	b8dc95539b	Fix CloudDualStackNodeIPs feature-gate inconsistency Enable the feature-gate for both kubelet and cloud-controller-manager. Enabling it on only one side breaks RKE2, where feature-gates are not shared due to running in different processes. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Derek Nola	dface01de8	Server Token Rotation (#8265 ) * Consolidate NewCertCommands * Add support for user defined new token * Add E2E testlets Signed-off-by: Derek Nola <derek.nola@suse.com> * Ensure agent token also changes Signed-off-by: Derek Nola <derek.nola@suse.com>	1 year ago
Manuel Buil	e82b37640a	Network defaults are duplicated, remove one Signed-off-by: Manuel Buil <mbuil@suse.com>	1 year ago
Johnatas	6330a5b49c	Update to v1.28.2 and go v1.20.8 (#8364 ) * Update to v1.28.2 Signed-off-by: Johnatas <johnatasr@hotmail.com> * Bump containerd and stargz versions Signed-off-by: Brad Davidson <brad.davidson@rancher.com> * Print message on upgrade fail Signed-off-by: Brad Davidson <brad.davidson@rancher.com> * Send Bad Gateway instead of Service Unavailable when tunnel dial fails Works around new handling for Service Unavailable by apiserver aggregation added in kubernetes/kubernetes#119870 Signed-off-by: Brad Davidson <brad.davidson@rancher.com> * Add 60 seconds to server upgrade wait to account for delays in apiserver readiness Also change cleanup helper to ensure upgrade test doesn't pollute the images for the rest of the tests. Signed-off-by: Brad Davidson <brad.davidson@rancher.com> --------- Signed-off-by: Johnatas <johnatasr@hotmail.com> Signed-off-by: Brad Davidson <brad.davidson@rancher.com> Co-authored-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Derek Nola	42c2ac95e2	CLI + Backend for Secrets Encryption v3 Signed-off-by: Derek Nola <derek.nola@suse.com>	1 year ago
Derek Nola	b967f92785	Replace os.Write with AtomicWrite function Signed-off-by: Derek Nola <derek.nola@suse.com>	1 year ago
Hussein Galal	af50e1b096	Update to v1.28.0-k3s1 (#8199 ) * Update to v1.28.0 Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Update golang to v1.20.7 Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * more changes Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * update wrangler Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * update wrangler Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * fix nodepassword test Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * fix nodepassword test Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * disable CGO before running golangci-lint Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * execlude CGO Enabled checks Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Ignore reapply change error with logging Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Update google api client Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> --------- Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>	1 year ago
Brad Davidson	f21ae1d949	Make apiserver egress args conditional on egress-selector-mode Only configure enable-aggregator-routing and egress-selector-config-file if required by egress-selector-mode. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Derek Nola	be44243353	Adjust default kubeconfig file permissions (#7978 ) * Adjust default kubeconfig permissions Signed-off-by: Derek Nola <derek.nola@suse.com>	1 year ago
Bartosz Lenart	34617390d0	Generation of certificates and keys for etcd gated if etcd is disabled. (#6998 ) Problem: When support for etcd was added in `3957142`, generation of certificates and keys for etcd was not gated behind use of managed etcd. Keys are generated and distributed across servers even if managed etcd is not enabled. Solution: Allow generation of certificates and keys only if managed etc is enabled. Check config.DisableETCD flag. Signed-off-by: Bartossh <lenartconsulting@gmail.com>	1 year ago
Manuel Buil	869e030bdd	VPN PoC Signed-off-by: Manuel Buil <mbuil@suse.com>	1 year ago
Brad Davidson	64a5f58f1e	Create new kubeconfig for supervisor use Only actual admin actions should use the admin kubeconfig; everything done by the supervisor/deploy/helm controllers will now use a distinct account for audit purposes. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Derek Nola	d5f560360e	Handle multiple arguments with StringSlice flags (#7380 ) * Add helper function for multiple arguments in stringslice Signed-off-by: Derek Nola <derek.nola@suse.com> * Cleanup server setup with util function Signed-off-by: Derek Nola <derek.nola@suse.com>	2 years ago
Brad Davidson	c44d33d29b	Fix race condition in tunnel server startup Several places in the code used a 5-second retry loop to wait on Runtime.Core to be set. This caused a race condition where OnChange handlers could be added after the Wrangler shared informers were already started. When this happened, the handlers were never called because the shared informers they relied upon were not started. Fix that by requiring anything that waits on Runtime.Core to run from a cluster controller startup hook that is guaranteed to be called before the shared informers are started, instead of just firing it off in a goroutine that retries until it is set. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Roberto Bonafiglia	15ee88964b	Added multiClusterCidr feature Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>	2 years ago
Brad Davidson	977a85559e	Add support for cross-signing new certs during ca rotation We need to send the full chain in order for cross-signing to work properly during switchover to a new root. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	373df1c8b0	Add support for `k3s token` command Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	58d40327b4	Fix CA cert hash for root certs Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	0919ec6755	Ensure cluster-signing CA files contain only a single CA cert Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	369b81b45e	Honor Service ExternalTrafficPolicy Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	e08a662509	Disable CCM metrics port when legacy CCM functionality is disabled Prevents port conflicts on upgrade for users that have deployed other cloud controllers. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Manuel Buil	557fcd28d5	Change the priority of address types depending on flannel-external-ip Signed-off-by: Manuel Buil <mbuil@suse.com>	2 years ago
Brad Davidson	269563e4d2	Check for RBAC before starting tunnel controllers Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Derek Nola	06d81cb936	Replace deprecated ioutil package (#6230 ) * Replace ioutil package * check integration test null pointer * Remove rotate retries Signed-off-by: Derek Nola <derek.nola@suse.com>	2 years ago
Brad Davidson	b411864be5	Handle custom kubelet port in agent tunnel The kubelet port can be overridden by users; we shouldn't assume its always 10250 Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	11072e2516	Fix occasional "TLS handshake error" in apiserver network proxy. We should be reading from the hijacked bufio.ReaderWriter instead of directly from the net.Conn. There is a race condition where the underlying http handler may consume bytes from the hijacked request stream, if it comes in the same packet as the CONNECT header. These bytes are left in the buffered reader, which we were not using. This was causing us to occasionally drop a few bytes from the start of the tunneled connection's client data stream. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	d963cb2f70	Disable cloud-node and cloud-node-lifecycle if CCM is disabled If CCM and ServiceLB are both disabled, don't run the cloud-controller-manager at all; this should provide the same CLI flag behavior as previous releases, and not create problems when users disable the CCM but still want ServiceLB. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	0b96ca92bc	Move servicelb into cloudprovider LoadBalancer interface Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	5eaa0a9422	Replace getLocalhostIP with Loopback helper method Requires tweaking existing method signature to allow specifying whether or not IPv6 addresses should be return URL-safe. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	84fb8787f2	Add service-cluster-ip-range to controller-manager args Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	afee83dda2	Bump remotedialer Includes fix for recently identified memory leak. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	ff6c233e41	Fix egress selector proxy/bind-address support Use same kubelet-preferred-address-types setting as RKE2 to improve reliability of the egress selector when using a HTTP proxy. Also, use BindAddressOrLoopback to ensure that the correct supervisor address is used when --bind-address is set. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	b550e1183a	Remove control-plane egress context and fix agent mode. The control-plane context handles requests outside the cluster and should not be sent to the proxy. In agent mode, we don't watch pods and just direct-dial any request for a non-node address, which is the original behavior. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	d3242bea3c	Refactor egress-selector pods mode to watch pods Watching pods appears to be the most reliable way to ensure that the proxy routes and authorizes connections. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	3 years ago
Brad Davidson	9d7230496d	Add support for configuring the EgressSelector mode Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	3 years ago
Brad Davidson	0710a7198a	Remove deprecated flags from cloud-controller-manager Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	3 years ago
Brad Davidson	703779c32f	Remove deprecated flags from kube-apiserver Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	3 years ago
Brad Davidson	ce5b9347c9	Replace DefaultProxyDialerFn dialer injection with EgressSelector support Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	3 years ago

1 2 3 4

183 Commits (38e8b01b8f9bb6709df90ac5839e4579115664a7)