github/k3s - k3s - https://git.xinac.net

Commit Graph

Author	SHA1	Message	Date
Brad Davidson	ac44d6a5cf	Add nonroot-devices flag to agent CLI Add new flag that is passed through to the device_ownership_from_security_context parameter in the containerd CRI config. This is not possible to change without providing a complete custom containerd.toml template so we should add a flag for it. Signed-off-by: Brad Davidson <brad.davidson@rancher.com> (cherry picked from commit `56fb3b0991`) Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	3 weeks ago
Brad Davidson	e2aca9ccae	Fix rotateca validation failures when not touching default self-signed CAs Also silences warnings about bootstrap fields that are not intended to be handled by CA rotation Signed-off-by: Brad Davidson <brad.davidson@rancher.com> (cherry picked from commit `fe3324cb84`) Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	3 months ago
Brad Davidson	69775ef6cc	Fix IPv6 primary node-ip handling I should have caught `[]string{cfg.NodeIP}[0]` and `[]string{envInfo.NodeIP.String()}[0]` in code review... Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	4 months ago
Brad Davidson	409fec9778	Add etcd s3 config secret implementation * Move snapshot structs and functions into pkg/etcd/snapshot * Move s3 client code and functions into pkg/etcd/s3 * Refactor pkg/etcd to track snapshot and s3 moves * Add support for reading s3 client config from secret * Add minio client cache, since S3 client configuration can now be changed at runtime by modifying the secret, and don't want to have to create a new minio client every time we read config. * Add tests for pkg/etcd/s3 Signed-off-by: Brad Davidson <brad.davidson@rancher.com> (cherry picked from commit `c36db53e54`) Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	4 months ago
Brad Davidson	8c67a3091e	Ensure remotedialer kubelet connections use kubelet bind address Signed-off-by: Brad Davidson <brad.davidson@rancher.com> (cherry picked from commit `eb8bd15889`) Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	4 months ago
Brad Davidson	dd86a0581f	Fix agent supervisor port using apiserver port instead Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	6 months ago
Katherine Door	a29d5552c5	Add write-kubeconfig-group flag to server (#9233 ) * Add write-kubeconfig-group flag to server * update kubectl unable to read config message for kubeconfig mode/group Signed-off-by: Katherine Pata <me@kitty.sh> (cherry picked from commit `7a0ea3c953`) Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	6 months ago
Brad Davidson	0d867fb35a	Convert remaining http handlers over to use util.SendError Signed-off-by: Brad Davidson <brad.davidson@rancher.com> (cherry picked from commit `f8e0648304`) Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	6 months ago
Brad Davidson	7ace0d9142	Refactor supervisor listener startup and add metrics * Refactor agent supervisor listener startup and authn/authz to use upstream auth delegators to perform for SubjectAccessReview for access to metrics. * Convert spegel and pprof handlers over to new structure. * Promote bind-address to agent flag to allow setting supervisor bind address for both agent and server. * Promote enable-pprof to agent flag to allow profiling agents. Access to the pprof endpoint now requires client cert auth, similar to the spegel registry api endpoint. * Add prometheus metrics handler. Signed-off-by: Brad Davidson <brad.davidson@rancher.com> (cherry picked from commit `ff679fb3ab`) Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	6 months ago
Brad Davidson	69fe646818	Add support for svclb pod PriorityClassName Signed-off-by: Brad Davidson <brad.davidson@rancher.com> (cherry picked from commit `37f97b33c9`) Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	6 months ago
Brad Davidson	ba01c47611	Fix etcd snapshot reconcile for agentless nodes Disable cleanup of orphaned snapshots and patching of node annotations if running agentless Signed-off-by: Brad Davidson <brad.davidson@rancher.com> (cherry picked from commit `edb0440017`)	8 months ago
Brad Davidson	2ca497e02a	Move error response generation code into util Signed-off-by: Brad Davidson <brad.davidson@rancher.com> (cherry picked from commit `7a2a2d075c`)	8 months ago
Vitor Savian	70bd37793f	Add tls for kine * Bump kine * Add integration tests for kine with tls Signed-off-by: Vitor Savian <vitor.savian@suse.com>	8 months ago
Derek Nola	9c0e5a5ff8	Rename AgentReady to ContainerRuntimeReady for better clarity Signed-off-by: Derek Nola <derek.nola@suse.com>	9 months ago
Derek Nola	80baec697f	Restore original order of agent startup functions Signed-off-by: Derek Nola <derek.nola@suse.com>	9 months ago
Brad Davidson	3d0674ad1c	Bump kine and set NotifyInterval to what the apiserver expects Signed-off-by: Brad Davidson <brad.davidson@rancher.com> (cherry picked from commit `de825845b2`) Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	10 months ago
Harrison Affel	a922a0e340	allow executors to define containerd and docker behavior Signed-off-by: Harrison Affel <harrisonaffel@gmail.com>	10 months ago
Hussein Galal	034ee89344	Update flannel to v0.24.0 and remove multiclustercidr flag (#9075 ) * update flannel to v0.24.0 Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * remove multiclustercidr flag Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> --------- Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>	10 months ago
Brad Davidson	190864259e	Consistently handle component exit on shutdown Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	10 months ago
Brad Davidson	f3c6250b28	Add embedded registry implementation Signed-off-by: Brad Davidson <brad.davidson@rancher.com> (cherry picked from commit `37e9b87f62`) Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	11 months ago
Brad Davidson	ef4e7ae143	Add server CLI flag and config fields for embedded registry Signed-off-by: Brad Davidson <brad.davidson@rancher.com> (cherry picked from commit `ef90da5c6e`) Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	11 months ago
Brad Davidson	a62ee4fd0d	Move registries.yaml load into agent config Moving it into config.Agent so that we can use or modify it outside the context of containerd setup Signed-off-by: Brad Davidson <brad.davidson@rancher.com> (cherry picked from commit `16d29398ad`) Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	11 months ago
Brad Davidson	fa798ba272	Add support for containerd cri registry config_path Render cri registry mirrors.x.endpoints and configs.x.tls into config_path; keep using mirrors.x.rewrites and configs.x.auth those do not yet have an equivalent in the new format. The new config file format allows disabling containerd's fallback to the default endpoint when using mirror endpoints; a new CLI flag is added to control that behavior. This also re-shares some code that was unnecessarily split into parallel implementations for linux/windows versions. There is probably more work to be done on this front but it's a good start. Signed-off-by: Brad Davidson <brad.davidson@rancher.com> (cherry picked from commit `c45524e662`) Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	11 months ago
Brad Davidson	a503d13591	Remove GA feature-gates (#8970 ) Remove KubeletCredentialProviders and JobTrackingWithFinalizers feature-gates, both of which are GA and cannot be disabled. Signed-off-by: Brad Davidson <brad.davidson@rancher.com> (cherry picked from commit `231cb6ed20`) Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	11 months ago
Vitor Savian	03532f7c0b	Added runtime classes for crun/wasm/nvidia Signed-off-by: Vitor Savian <vitor.savian@suse.com> Added default runtime flag Signed-off-by: Vitor Savian <vitor.savian@suse.com>	12 months ago
Brad Davidson	7ecd5874d2	Skip initial datastore reconcile during cluster-reset Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Oliver Larsson	30c8ad926d	QoS-class resource configuration Problem: Configuring qos-class features in containerd requres a custom containerd configuration template. Solution: Look for configuration files in default locations and configure containerd to use them if they exist. Signed-off-by: Oliver Larsson <larsson.e.oliver@gmail.com>	1 year ago
Brad Davidson	b8dc95539b	Fix CloudDualStackNodeIPs feature-gate inconsistency Enable the feature-gate for both kubelet and cloud-controller-manager. Enabling it on only one side breaks RKE2, where feature-gates are not shared due to running in different processes. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Sean Yen	0c9bf36fe0	[K3s][Windows Port] Build script, multi-call binary, and Flannel (#7259 ) * initial windows port. Signed-off-by: Sean Yen <seanyen@microsoft.com> Signed-off-by: Derek Nola <derek.nola@suse.com> Co-authored-by: Derek Nola <derek.nola@suse.com> Co-authored-by: Wei Ran <weiran@microsoft.com>	1 year ago
Roberto Bonafiglia	1ffb4603cd	Use IPv6 in case is the first configured IP with dualstack Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>	1 year ago
Brad Davidson	7464007037	Store extra metadata and cluster ID for snapshots Write the extra metadata both locally and to S3. These files are placed such that they will not be used by older versions of K3s that do not make use of them. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Derek Nola	dface01de8	Server Token Rotation (#8265 ) * Consolidate NewCertCommands * Add support for user defined new token * Add E2E testlets Signed-off-by: Derek Nola <derek.nola@suse.com> * Ensure agent token also changes Signed-off-by: Derek Nola <derek.nola@suse.com>	1 year ago
Manuel Buil	e82b37640a	Network defaults are duplicated, remove one Signed-off-by: Manuel Buil <mbuil@suse.com>	1 year ago
Manuel Buil	f2c7117374	Take IPFamily precedence based on order Signed-off-by: Manuel Buil <mbuil@suse.com>	1 year ago
Edgar Lee	fe18b1fce9	Add --image-service-endpoint flag (#8279 ) * Add --image-service-endpoint flag Problem: External container runtime can be set but image service endpoint is unchanged and also is not exposed as a flag. This is useful for using containerd snapshotters outside of the ones that have built-in support like stargz-snapshotter. Solution: Add a flag --image-service-endpoint and also default image service endpoint to container runtime endpoint if set. Signed-off-by: Edgar Lee <edgarhinshunlee@gmail.com>	1 year ago
Brad Davidson	8c73fd670b	Disable HTTP on main etcd client port Fixes performance issue under load, ref: https://github.com/etcd-io/etcd/issues/15402 and https://github.com/kubernetes/kubernetes/pull/118460 Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Johnatas	6330a5b49c	Update to v1.28.2 and go v1.20.8 (#8364 ) * Update to v1.28.2 Signed-off-by: Johnatas <johnatasr@hotmail.com> * Bump containerd and stargz versions Signed-off-by: Brad Davidson <brad.davidson@rancher.com> * Print message on upgrade fail Signed-off-by: Brad Davidson <brad.davidson@rancher.com> * Send Bad Gateway instead of Service Unavailable when tunnel dial fails Works around new handling for Service Unavailable by apiserver aggregation added in kubernetes/kubernetes#119870 Signed-off-by: Brad Davidson <brad.davidson@rancher.com> * Add 60 seconds to server upgrade wait to account for delays in apiserver readiness Also change cleanup helper to ensure upgrade test doesn't pollute the images for the rest of the tests. Signed-off-by: Brad Davidson <brad.davidson@rancher.com> --------- Signed-off-by: Johnatas <johnatasr@hotmail.com> Signed-off-by: Brad Davidson <brad.davidson@rancher.com> Co-authored-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Brad Davidson	cba9f0d142	Add new CLI flag to disable TLS SAN CN filtering Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Derek Nola	42c2ac95e2	CLI + Backend for Secrets Encryption v3 Signed-off-by: Derek Nola <derek.nola@suse.com>	1 year ago
Derek Nola	b967f92785	Replace os.Write with AtomicWrite function Signed-off-by: Derek Nola <derek.nola@suse.com>	1 year ago
Derek Nola	ced330c66a	[v1.28] CLI Removal for v1.28.0 (#8203 ) * Remove deprecated flannel ipsec Signed-off-by: Derek Nola <derek.nola@suse.com> * Remove multipart backend Signed-off-by: Derek Nola <derek.nola@suse.com> * Fix secrets-encryption integration test flakiness Signed-off-by: Derek Nola <derek.nola@suse.com> --------- Signed-off-by: Derek Nola <derek.nola@suse.com>	1 year ago
Hussein Galal	af50e1b096	Update to v1.28.0-k3s1 (#8199 ) * Update to v1.28.0 Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Update golang to v1.20.7 Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * more changes Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * update wrangler Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * update wrangler Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * fix nodepassword test Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * fix nodepassword test Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * disable CGO before running golangci-lint Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * execlude CGO Enabled checks Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Ignore reapply change error with logging Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Update google api client Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> --------- Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>	1 year ago
Brad Davidson	f21ae1d949	Make apiserver egress args conditional on egress-selector-mode Only configure enable-aggregator-routing and egress-selector-config-file if required by egress-selector-mode. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Derek Nola	be44243353	Adjust default kubeconfig file permissions (#7978 ) * Adjust default kubeconfig permissions Signed-off-by: Derek Nola <derek.nola@suse.com>	1 year ago
Bartosz Lenart	34617390d0	Generation of certificates and keys for etcd gated if etcd is disabled. (#6998 ) Problem: When support for etcd was added in `3957142`, generation of certificates and keys for etcd was not gated behind use of managed etcd. Keys are generated and distributed across servers even if managed etcd is not enabled. Solution: Allow generation of certificates and keys only if managed etc is enabled. Check config.DisableETCD flag. Signed-off-by: Bartossh <lenartconsulting@gmail.com>	1 year ago
Vitor Savian	0809187cff	Adding cli to custom klipper helm image (#7682 ) Adding cli to custom klipper helm image Signed-off-by: Vitor Savian <vitor.savian@suse.com>	1 year ago
guoguangwu	2215870d5d	chore: pkg imported more than once Signed-off-by: guoguangwu <guoguangwu@magic-shield.com>	1 year ago
Manuel Buil	869e030bdd	VPN PoC Signed-off-by: Manuel Buil <mbuil@suse.com>	1 year ago
Brad Davidson	45d8c1a1a2	Soft-fail on node password verification if the secret cannot be created Allows nodes to join the cluster during a webhook outage. This also enhances auditability by creating Kubernetes events for the deferred verification. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	64a5f58f1e	Create new kubeconfig for supervisor use Only actual admin actions should use the admin kubeconfig; everything done by the supervisor/deploy/helm controllers will now use a distinct account for audit purposes. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago

1 2 3 4 5 ...

360 Commits (46fbfb7ee74f7e1047e75de8d731f20120bf3cc2)