Commit Graph

1770 Commits (5bf4d9f687879b2200a62f71d7c0edb3a67836ef)

Author SHA1 Message Date
Brian Downs 80e4baf525 add hidden attribute to disable flags
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2021-04-13 14:30:47 -07:00
Brian Downs 18cd9886b1
Merge pull request #3180 from briandowns/security-issue-584
add etcd s3 secret and access key flags to secret data
2021-04-12 15:41:09 -07:00
Brian Downs d9381b84ad add etcd s3 secret and access key flags and env vars to secret data
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2021-04-12 14:47:16 -07:00
Brad Davidson 503d6813bb Add gzip and zst airgap artifacts
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-04-09 16:57:59 -07:00
Brian Downs 693c5290b1
Update CoreDNS to version 1.8.3. (#3168)
* update CoreDNS to 1.8.3

Rerun go generate and update the CoreDNS RBAC
2021-04-09 16:47:16 -07:00
Brian Downs ad4f04d2fc
Merge pull request #3155 from briandowns/rke2-issue-856
remove hidden attribute from cluster flags and related code
2021-04-09 12:55:27 -07:00
Erik Wilson a884f78d40
Merge pull request #3008 from erikwilson/update-traefik-v2.4.6
k3s v1.21 - Bump traefik to v2.4.8
2021-04-08 19:01:09 -07:00
Erik Wilson f004d54883 Fix up vagrant provision scripts
Signed-off-by: Erik Wilson <Erik.E.Wilson@gmail.com>
2021-04-08 17:42:58 -07:00
Erik Wilson 9a53fca872 Bump traefik to v2.4.8
Signed-off-by: Erik Wilson <Erik.E.Wilson@gmail.com>
2021-04-08 17:42:58 -07:00
Brad Davidson 58e93feda6
Fix CI failures non-deterministic traefik chart repackaging (#3165)
* Fix CI failures non-deterministic traefik chart repackaging
* Update generated bindata

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-04-08 15:33:15 -07:00
Brian Downs 4a49b9e40b delete nocluster file and remove build tag
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2021-04-07 12:16:28 -07:00
Brian Downs 3ed9b0a997 remove hidden attribute from cluster flags and related code
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2021-04-07 11:36:02 -07:00
David Nuzik a3ec5904ec
Merge pull request #3136 from davidnuzik/make-v1.20.5-stable
Make v1.20.5+k3s1 stable
2021-04-01 17:59:09 -07:00
David Nuzik bc5ecc1a24 Make v1.20.5+k3s1 stable
Signed-off-by: David Nuzik <david.nuzik@rancher.com>
2021-04-01 17:18:41 -07:00
Xiao Deshi cfe7e0c734 remove duplicated func GetAddresses
refactor tunnel.go and controller.go, remove duplicated lines.

Signed-off-by: Xiao Deshi <xiaods@gmail.com>
2021-03-31 14:23:05 -07:00
Jacob Blain Christen 93b18b343a Update to Kubernetes v1.20.5 (#3094)
* Update to Kubernetes v1.20.5
* vendor: bumps for some containerd deps
* go: bump to 1.16.2 for arm

Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
(cherry picked from commit 355fff3017)
2021-03-31 14:18:41 -07:00
Frederic Crozat e856ee0e4e Replace which with command -v (#3125)
Remove dependency on which binary, use shell internal equivalent.

Signed-off-by: Frederic Crozat <fcrozat@suse.com>
2021-03-31 14:16:32 -07:00
Akihiro Suda cb73461a5b AkihiroSuda/containerd-fuse-overlayfs -> containerd/fuse-overlayfs-snapshotter
The repo has been moved.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-03-24 10:34:34 -07:00
Akihiro Suda e672c988e4 rootless: allow kernel.dmesg_restrict=1
When `/dev/kmsg` is unreadable due to sysctl value `kernel.dmesg_restrict=1`,
bind-mount `/dev/null` into `/dev/kmsg`

Fix issue 3011

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-03-24 01:03:14 -07:00
Akihiro Suda 6e8284e3d4 rootless: enable resource limitation (requires cgroup v2, systemd)
Now rootless mode can be used with cgroup v2 resource limitations.
A pod is executed in a cgroup like "/user.slice/user-1001.slice/user@1001.service/k3s-rootless.service/kubepods/podd0eb6921-c81a-4214-b36c-d3b9bb212fac/63b5a253a1fd4627da16bfce9bec58d72144cf30fe833e0ca9a6d60ebf837475".

This is accomplished by running `kubelet` in a cgroup namespace, and enabling `cgroupfs` driver for the cgroup hierarchy delegated by systemd.

To enable cgroup v2 resource limitation, `k3s server --rootless` needs to be launched as `systemctl --user` service.
Please see the comment lines in `k3s-rootless.service` for the usage.

Running `k3s server --rootless` via a terminal is not supported.
When it really needs to be launched via a terminal, `systemd-run --user -p Delegate --tty` needs to be prepended to create a systemd scope.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-03-24 00:37:30 -07:00
Akihiro Suda 11ef43011a bump up RootlessKit
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-03-24 00:37:30 -07:00
Brian Downs 9bae285bfd
Merge pull request #3091 from briandowns/put_etcd_save_in_goroutine
put etcd bootstrap save call in goroutine and update comment
2021-03-17 15:51:17 -07:00
Jacob Blain Christen 59a39e9a3b
containerd: v1.4.4-k3s1 (#3090)
Addresses k3s-io/k3s#3066 and CVE-2021-21334

Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
2021-03-17 14:38:42 -07:00
Brian Downs 400a632666 put etcd bootstrap save call in goroutine and update comment
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2021-03-17 14:33:00 -07:00
Martin Norrsken 989b21a0da Remove unit files after disabling, instead of before
Signed-off-by: Martin Norrsken <martin.norrsken@gmail.com>
2021-03-17 10:08:50 -07:00
Hussein Galal 73df65d93a
remove etcd data dir when etcd is disabled (#3059)
* remove etcd data dir when etcd is disabled

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix comment

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* more fixes

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* use debug instead of info logs

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-03-16 18:14:43 +02:00
Jacob Blain Christen 618b0f98bf
registry mirror repository rewrites (#3064)
Support repository regex rewrite rules when fetching image content.

Example configuration:
```yaml
# /etc/rancher/k3s/registries.yaml
mirrors:
  "docker.io":
    endpoint:
    - "https://registry-1.docker.io/v2"
    rewrite:
      "^library/alpine$": "my-org/alpine"
```

This will instruct k3s containerd to fetch content for `alpine` images
from `docker.io/my-org/alpine` instead of the default
`docker.io/library/alpine` locations.

Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
2021-03-15 16:17:27 -07:00
Brian Downs 7c99f8645d
Have Bootstrap Data Stored in etcd at Completed Start (#3038)
* have state stored in etcd at completed start and remove unneeded code
2021-03-11 13:07:40 -07:00
Chris Kim 69f96d6225
Define a Controllers and LeaderControllers on the server config (#3043)
Signed-off-by: Chris Kim <oats87g@gmail.com>
2021-03-11 10:39:00 -08:00
Brad Davidson 8ace8975d2 Don't start up multiple apiserver load balancers
get() is called in a loop until client configuration is successfully
retrieved. Each iteration will try to configure the apiserver proxy,
which will in turn create a new load balancer. Skip creating a new
load balancer if we already have one.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-03-08 17:05:25 -08:00
Brad Davidson c0d129003b Handle loadbalancer port in TIME_WAIT
If the port wanted by the client load balancer is in TIME_WAIT, startup
will fail. Set SO_REUSEPORT so that it can be listened on again
immediately.

The configurable Listen call wants a context, so plumb that through as
well.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-03-08 17:05:25 -08:00
Brad Davidson 7cdfaad6ce
Always use static ports for client load-balancers (#3026)
* Always use static ports for the load-balancers

This fixes an issue where RKE2 kube-proxy daemonset pods were failing to
communicate with the apiserver when RKE2 was restarted because the
load-balancer used a different port every time it started up.

This also changes the apiserver load-balancer port to be 1 below the
supervisor port instead of 1 above it. This makes the apiserver port
consistent at 6443 across servers and agents on RKE2.

Additional fixes below were required to successfully test and use this change
on etcd-only nodes.

* Actually add lb-server-port flag to CLI
* Fix nil pointer when starting server with --disable-etcd but no --server
* Don't try to use full URI as initial load-balancer endpoint
* Fix etcd load-balancer pool updates
* Update dynamiclistener to fix cert updates on etcd-only nodes
* Handle recursive initial server URL in load balancer
* Don't run the deploy controller on etcd-only nodes
2021-03-06 02:29:57 -08:00
David Nuzik 58a2870e3b
Merge pull request #3002 from davidnuzik/docs-housekeeping
Docs housekeeping
2021-03-05 09:35:53 -07:00
David Nuzik c171d4bb07 Update GITHUB_URL
Signed-off-by: David Nuzik <david.nuzik@rancher.com>
2021-03-05 09:34:18 -07:00
David Nuzik 4816d54caa Update .md files with url and email corrections
* BUILDING.md
* CODE_OF_CONDUCT.md
* CONTRIBUTING.md
* MAINTAINERS
* README.md

Signed-off-by: David Nuzik <david.nuzik@rancher.com>
2021-03-05 09:34:18 -07:00
Hussein Galal c26b737b24
Mark disable components flags as experimental (#3018)
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-03-05 00:05:20 +02:00
Brian Downs 4d1f9eda9d
Etcd Snapshot/Restore to/from S3 Compatible Backends (#2902)
* Add functionality for etcd snapshot/restore to and from S3 compatible backends.
* Update etcd restore functionality to extract and write certificates and configs from snapshot.
2021-03-03 11:14:12 -07:00
Hussein Galal 1bf04b6a50
Merge pull request #3003 from galal-hussein/fix_etcd_only_nodes
Fix etcd only nodes
2021-03-02 02:16:02 +02:00
Brad Davidson 66b9e9c4c8 Suppress test failure due to incompatible server
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-03-01 14:23:59 -08:00
Brad Davidson 4fb073e799 Log clearer error on startup if NPC cannot be started
Servers should always be upgraded before agents, but generally this
isn't required because things are compatible between versions. In this
case we're OK with failing closed if the user upgrades out of order, but
we should give a clearer message about what steps are required to fix
the issue.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-03-01 14:23:59 -08:00
Brad Davidson 7734015db7 Add script to test server/agent version compatibility
We have had a couple issues with newer agents not working with old
servers or vice versa. Add a CI test to test variations on
uplevel/downlevel server/agent against latest, stable, and the previous
branch.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-03-01 14:23:59 -08:00
galal-hussein ef999f0b4f change error to warn when removing self from etcd members
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-03-02 00:19:57 +02:00
Erik Wilson 669d0c0e31
Merge pull request #2910 from erikwilson/traefik-v2
Traefik v2 integration
2021-03-01 15:18:46 -07:00
galal-hussein 885b7391a2 update dynamiclistener
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-03-01 23:51:07 +02:00
galal-hussein d6124981d5 remove etcd member if disable etcd is passed
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-03-01 23:50:50 +02:00
Erik Wilson 4e5218b62c
Apply suggestions from code review
Logging cleanup

Co-authored-by: Brad Davidson <brad@oatmail.org>
2021-03-01 10:44:24 -07:00
Erik Wilson 4aac6b6bd0
Update to Traefik 2.4.2 and combine manifests 2021-03-01 10:44:24 -07:00
Erik Wilson 54a35505f0
Remove Traefik v1 migration 2021-03-01 10:44:24 -07:00
Chin-Ya Huang cc96f8140a
Allow download traefik static file and rename
Allow writing static files regardless of the version.

Signed-off-by: Chin-Ya Huang <chin-ya.huang@suse.com>
2021-03-01 10:44:24 -07:00
Chin-Ya Huang 10e0328977
Traefik v2 integration
K3s upgrade via watch over file change of static file and manifest
and triggers helm-controller for change. It seems reasonable to
only allow upgrade traefik v1->v2 when there is no existing custom
traefik HelmChartConfig in the cluster to avoid any
incompatibility.

Here also separate the CRDs and put them into a different chart
to support CRD upgrade.

Signed-off-by: Chin-Ya Huang <chin-ya.huang@suse.com>
2021-03-01 10:44:23 -07:00