Brian Downs
3f79b28922
Update to v1.24.13-k3s1 (#7284)
2023-04-13 13:50:59 -07:00
Roberto Bonafiglia
61aef1cc48
Update install script to clean iptables rules before start
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2023-04-12 22:34:10 +02:00
Roberto Bonafiglia
99c61de027
Update kube-router to insert iptables rules right after kubernetes ones
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2023-04-12 22:34:10 +02:00
Hussein Galal
a6bd15fb71
[release-1.24] Update klipper lb and helm-controller (#7241)
* Update klipper lb and helm-controller
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* update klipper helm image
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
---------
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2023-04-06 22:43:30 +02:00
Roberto Bonafiglia
e8ec681cea
Updated kube-router version to move the iptables ACCEPT default rule at the end of the chain
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2023-04-06 11:10:04 +02:00
Brad Davidson
09d13d2962
Lock bootstrap data with empty key to prevent conflicts
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit d95980bba3)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-04-05 16:29:31 -07:00
Brad Davidson
e8408f3af7
Debounce kubernetes service endpoint updates
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 2992477c4b)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-04-05 16:29:31 -07:00
Brad Davidson
ab6c64342c
Fix tests to not hide failure location in dummp assert functions
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit ece4d8e45c)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-04-05 16:29:31 -07:00
Brad Davidson
01253a5b84
Fix issue with stale connections to removed LB server
Track LB connections through each server so that they can be closed when it is removed.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit e54ceaa497)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-04-05 16:29:31 -07:00
Brad Davidson
5f4ab136bf
Update remotedialer to silence errors when disconnecting
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 5dece799df)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-04-05 16:29:31 -07:00
Brad Davidson
447c5aec76
go generate
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit d388b82d25)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-04-05 16:29:31 -07:00
Brad Davidson
b6a11bf2df
Ensure that loopback is used for the advertised address when resetting
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit de80c07053)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-04-05 16:29:31 -07:00
Brad Davidson
4864ecd4aa
Ensure that loopback is used for the advertised address when resetting
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit b010db0cff)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-04-05 16:29:31 -07:00
Brad Davidson
95ea7c74f7
Bump runc to v1.1.5
Addresses GHSA-m8cg-xc2p-r3fc GHSA-vpvm-3wq2-2wvm GHSA-g2j6-57v7-gm8c
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 877247a691)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-04-05 16:29:31 -07:00
Brad Davidson
c313b5b70c
Bump Local Path Provisioner version (#7167)
* chore: Bump Local Path Provisioner version
* go generate
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
(cherry picked from commit cee3ddbc4a)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-04-05 16:29:31 -07:00
Hussein Galal
53e5d566b5
Remove deprecated nodeSelector label beta.kubernetes.io/os (#6970) (#7122)
* Remove deprecated nodeSelector label beta.kubernetes.io/os
Problem:
The nodeSelector label beta.kubernetes.io/os in the CoreDNS deployment was deprecated in 1.14 and will likely be removed soon
Solution:
Change the nodeSelector to remove the beta
Signed-off-by: Dan Mills <evilhamsterman@gmail.com>
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
Co-authored-by: Daniel Mills <evilhamsterman@users.noreply.github.com>
2023-04-04 21:04:08 +02:00
Derek Nola
8995df02b3
[Release-1.24] Enhance `check-config` (#7165)
* Add missing kernel config checks (#6946)
Add additional kernel config checks for NETFILTER_XT_MATCH_COMMENT and
NETFILTER_XT_MATCH_MULTIPORT as they are both required to run k3s.
Signed-off-by: Richard Steinmetz <richard@steinmetz.cloud>
* Enhance `k3s check-config` (#7091)
* Move CONFIG_CGROUP_PIDS to Required
Signed-off-by: Derek Nola <derek.nola@suse.com>
---------
Signed-off-by: Richard Steinmetz <richard@steinmetz.cloud>
Signed-off-by: Derek Nola <derek.nola@suse.com>
Co-authored-by: Richard Steinmetz <richard@steinmetz.cloud>
2023-03-29 12:15:34 -07:00
Brooks Newberry
57e8adb524
Update to v1.24.12-k3s1 (#7105)
2023-03-17 14:21:56 -07:00
Derek Nola
7fee87d976
Adds a warning about editing to the containerd config.toml file (#7076)
* Add a warning to the config.toml file
Signed-off-by: Derek Nola <derek.nola@suse.com>
Co-authored-by: Brad Davidson <brad@oatmail.org>
2023-03-14 09:33:21 -07:00
Brad Davidson
41c24b6a88
Add support for cross-signing new certs during ca rotation
We need to send the full chain in order for cross-signing to work
properly during switchover to a new root.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-03-13 20:08:26 -07:00
Brad Davidson
ca5746785c
Update/rename certs.sh; add default cert rotation script
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-03-13 20:08:26 -07:00
Brad Davidson
9360022bbe
Wait for kubelet to update the Ready status before reading port
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-03-13 20:07:34 -07:00
Daishan Peng
abda53075e
Wait for kubelet port to be ready before setting
Signed-off-by: Daishan Peng <daishan@acorn.io>
2023-03-13 20:07:34 -07:00
Derek Nola
0cf6b03d07
Add dependabot (#7046)
Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-03-13 09:40:16 -07:00
Derek Nola
b2ae48984f
[Release-1.24] Bump various dependencies for CVEs (#7042)
* Match golang.org/x/net with flannel version
* Match golang.org/x/sys with containerd version
* Update wrangler to 1.1.1
* Update gax-go to v2.1.1
* Isolate E2E terraform dependencies
* Bump containerd
Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-03-13 09:36:32 -07:00
Roberto Bonafiglia
cabeae0619
[Release 1.24] Update flannel and kube-router (#7063)
* Update kube-router version to fix iptables rules
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
* Update Flannel to v0.21.3
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
---------
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2023-03-10 20:32:08 -08:00
Matt Trachier
c14436a9ec
Update to v1.24.11-k3s1 (#7009)
* Update to v1.24.11
* the go version will be updated to match upstream in dockerfiles and gh workflows
---------
Signed-off-by: matttrach <matttrach@gmail.com>
2023-03-01 14:41:08 -06:00
Brad Davidson
4c03ae0af9
Bump kine to v0.9.9
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-23 17:19:43 -08:00
Brad Davidson
0f6e4dcee0
Add test for filterByIPFamily
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-21 14:14:15 -08:00
Brad Davidson
3709e8386c
Fix ServiceLB dual-stack ingress IP listing
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-21 14:14:15 -08:00
Brad Davidson
74ed4bef61
Improve default umask for certs.sh
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-14 13:19:22 -08:00
Brad Davidson
ecb5f5a2b5
Fix CACertPath stripping trailing path components
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-14 13:19:22 -08:00
Brad Davidson
8ae390ff82
Fix etcd member deletion
Turns out etcd-only nodes were never running **any** of the controllers,
so allowing multiple controllers didn't really fix things.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-14 13:19:22 -08:00
Brad Davidson
77dbe648ad
Allow for multiple sets of leader-elected controllers
Addresses an issue where etcd controllers did not run on etcd-only nodes
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-10 12:26:09 -08:00
Roberto Bonafiglia
dd71479e67
Update flannel to v0.21.1
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2023-02-10 20:07:50 +01:00
Paul Donohue
c87d62490f
Fix access to hostNetwork port on NodeIP when egress-selector-mode=agent
Signed-off-by: Paul Donohue <git@PaulSD.com>
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-10 09:43:58 -08:00
Brad Davidson
7ab75db48a
Wait for server to become ready before creating token
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-10 09:34:10 -08:00
Brad Davidson
9f4a477c8c
Add CI test
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit b43dd7746d)
2023-02-10 09:34:10 -08:00
Brad Davidson
82a0c4e1f4
Add ADR
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit c900089e88)
2023-02-10 09:34:10 -08:00
Brad Davidson
478dae4d3d
Ensure that node exists when using node auth
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 87f9c4ab11)
2023-02-10 09:34:10 -08:00
Brad Davidson
73460e28bf
Add support for kubeadm token and client certificate auth
Allow bootstrapping with kubeadm bootstrap token strings or existing
Kubelet certs. This allows agents to join the cluster using kubeadm
bootstrap tokens, as created with the `k3s token create` command.
When the token expires or is deleted, agents can successfully restart by
authenticating with their kubelet certificate via node authentication.
If the token is gone and the node is deleted from the cluster, node auth
will fail and they will be prevented from rejoining the cluster until
provided with a valid token.
Servers still must be bootstrapped with the static cluster token, as
they will need to know it to decrypt the bootstrap data.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 992e64993d)
2023-02-10 09:34:10 -08:00
Brad Davidson
f4fc44ec4a
Add support for `k3s token` command
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 373df1c8b0)
2023-02-10 09:34:10 -08:00
Brad Davidson
a2e8484e67
Add e2e tests for CA cert rotation
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit be7f751863)
2023-02-10 09:34:10 -08:00
Brad Davidson
0d9825aaf7
Add basic test for custom CA certs
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 8a6404f97c)
2023-02-10 09:34:10 -08:00
Brad Davidson
f1577befd0
Clarify ADR based on design review feedback
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 9b6b72941f)
2023-02-10 09:34:10 -08:00
Brad Davidson
c169c9cf20
Add ADR
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit f13768c247)
2023-02-10 09:34:10 -08:00
Brad Davidson
6ae3370e28
Add `certificate rotate-ca` to write updated CA certs to datastore
This command must be run on a server while the service is running. After this command completes, all the servers in the cluster should be restarted to load the new CA files.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 215fb157ff)
2023-02-10 09:34:10 -08:00
Brad Davidson
b88c3b8c95
Add utility functions for getting kubernetes client
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 3c324335b2)
2023-02-10 09:34:10 -08:00
Brad Davidson
631847536c
Fix CA cert hash for root certs
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 58d40327b4)
2023-02-10 09:34:10 -08:00
Brad Davidson
e62b921b4f
Ensure cluster-signing CA files contain only a single CA cert
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 0919ec6755)
2023-02-10 09:34:10 -08:00