As per https://github.com/golang/go/issues/47001 even subtle.ConstantTimeCompare should never be used with variable-length inputs, as it will return 0 if the lengths do not match. Switch to consistently using constant-time comparisons of hashes for password checks to avoid any possible side-channel leaks that could be combined with other vectors to discover password lengths.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 239021e759)
Also add bandwidth and firewall plugins. The bandwidth plugin is
automatically registered with the appropriate capability, but the
firewall plugin must be configured by the user if they want to use it.
Ref: https://www.cni.dev/plugins/current/meta/firewall/
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit cedefeff24)
Several places in the code used a 5-second retry loop to wait on
Runtime.Core to be set. This caused a race condition where OnChange
handlers could be added after the Wrangler shared informers were already
started. When this happened, the handlers were never called because the
shared informers they relied upon were not started.
Fix that by requiring anything that waits on Runtime.Core to run from a
cluster controller startup hook that is guaranteed to be called before
the shared informers are started, instead of just firing it off in a
goroutine that retries until it is set.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit c44d33d29b)
Don't set up the agent tunnel authorizer on agentless servers, and warn when agentless servers won't have a way to reach in-cluster endpoints.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 31a6386994)
Fixes an issue where CRDs were being created without schema, allowing
resources with invalid content to be created, later stalling the
controller ListWatch event channel when the invalid resources could not
be deserialized.
This also requires moving Addon GVK tracking from a status field to
an annotation, as the GroupVersionKind type has special handling
internal to Kubernetes that prevents it from being serialized to the CRD
when schema validation is enabled.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit ad41fb8c96)
This commit adds SearchK3sLog function to find specific strings in integration tests log file and also removes FindStringInCmdAsync function since it was not being used.
Signed-off-by: Ian Cardoso <osodracnai@gmail.com>
(cherry picked from commit 3982213f06)
Signed-off-by: Ian Cardoso <osodracnai@gmail.com>
* Handle multiple arguments with StringSlice flags (#7380)
* Add helper function for multiple arguments in stringslice
* Cleanup server setup with util function
Signed-off-by: Derek Nola <derek.nola@suse.com>
* Enable FindString to search dotD config files (#7323)
* Enable FindString to search dotD config files
* Address multiple arg cases
Signed-off-by: Derek Nola <derek.nola@suse.com>
This adds integration tests for the following flags: "--etcd-snapshot-name","--etcd-snapshot-dir","--etcd-snapshot-retention","--etcd-snapshot-schedule-cron" and "--etcd-snapshot-compress". It also refactors K3sStartServer to stop applying strings.Fields() into inputArgs, so it can accept arguments that have space in their definition.
Signed-off-by: Ian Cardoso <osodracnai@gmail.com>
(cherry picked from commit 1ac03aad43)
Track LB connections through each server so that they can be closed when it is removed.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit e54ceaa497)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
* Remove deprecated nodeSelector label beta.kubernetes.io/os
Problem:
The nodeSelector label beta.kubernetes.io/os in the CoreDNS deployment was deprecated in 1.14 and will likely be removed soon
Solution:
Change the nodeSelector to remove the beta
Signed-off-by: Dan Mills <evilhamsterman@gmail.com>
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
Co-authored-by: Daniel Mills <evilhamsterman@users.noreply.github.com>
* Add missing kernel config checks (#6946)
Add additional kernel config checks for NETFILTER_XT_MATCH_COMMENT and
NETFILTER_XT_MATCH_MULTIPORT as they are both required to run k3s.
Signed-off-by: Richard Steinmetz <richard@steinmetz.cloud>
* Enhance `k3s check-config` (#7091)
* Move CONFIG_CGROUP_PIDS to Required
Signed-off-by: Derek Nola <derek.nola@suse.com>
---------
Signed-off-by: Richard Steinmetz <richard@steinmetz.cloud>
Signed-off-by: Derek Nola <derek.nola@suse.com>
Co-authored-by: Richard Steinmetz <richard@steinmetz.cloud>
We need to send the full chain in order for cross-signing to work
properly during switchover to a new root.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Brad Davidson