Commit Graph

1366 Commits (8262c02cdda5d394e5967c885a830c29b5f96490)

Author SHA1 Message Date
Derek Nola af8f101bdc
Mark secrets-encryption flag as GA (#6582)
* Mark secrets-encrypt flag as GA

Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-12-01 08:50:51 -08:00
Brad Davidson 915c7719fe go generate
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-11-30 15:09:32 -08:00
Brad Davidson 1eeea5c81f go generate
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-11-30 15:09:32 -08:00
Brad Davidson e08a662509 Disable CCM metrics port when legacy CCM functionality is disabled
Prevents port conflicts on upgrade for users that have deployed other cloud controllers.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-11-30 15:08:31 -08:00
Brad Davidson a07bb555ba Bump klipper-helm and klipper-lb versions
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-11-23 14:55:59 -08:00
Derek Nola 614da78e43
Add `prefer-bundled-bin` as an agent flag (#6545)
* Add prefer-bundled-bin as an agent flag
* Add E2E test for prefer-bundled-bin

Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-11-22 13:43:16 -08:00
Manuel Buil 1beecb2e2d
Merge pull request #6531 from manuelbuil/fixLogs
Fix log for flannelExternalIP use case
2022-11-22 16:54:26 +01:00
Manuel Buil 483e29e783 Remove stuff which belongs in the windows executor implementation
Signed-off-by: Manuel Buil <mbuil@suse.com>
2022-11-22 12:32:13 +01:00
Brad Davidson 9ff0943d56 Address nits from self-review
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-11-21 15:23:30 -08:00
Brad Davidson 56bf7d6ad3 Allow agent to run rootless
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-11-21 15:23:30 -08:00
Brad Davidson 6f2b21c5cd Add rootless IPv6 support
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-11-21 15:23:30 -08:00
Brad Davidson c02dceb7ad Make rootless settings configurable
Add enivironment variables for port-driver, cidr, mtu, and disable-host-loopback settings. Since rootless is still experimental, I don't think they deserve full CLI flag status.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-11-21 15:23:30 -08:00
Brad Davidson 73171ff20a go generate
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-11-21 13:44:54 -08:00
Derek Nola 0f52088cd3
Add new `prefer-bundled-bin` experimental flag (#6420)
* initial prefer-bundled-bin ci change
* Add startup testlet
* Convert parsing to pflag library
* Fix code validation
* go mod tidy

Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-11-21 13:01:36 -08:00
Manuel Buil 5188443988 Fix log for flannelExternalIP use case
Signed-off-by: Manuel Buil <mbuil@suse.com>
2022-11-21 17:10:35 +01:00
Manuel Buil e41e4010e5 Revert "Remove stuff which belongs in the windows executor implementation"
This reverts commit 1bc0684fb7.

Signed-off-by: Manuel Buil <mbuil@suse.com>
2022-11-15 21:40:42 +01:00
Manuel Buil 9419b1a936
Merge pull request #6492 from manuelbuil/removeWinStuff
Remove stuff which belongs in the windows executor implementation
2022-11-15 12:07:17 +01:00
Brad Davidson adb820d859 Bump traefik chart to 19.0.4 to fix kubernetes version check
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-11-14 13:42:24 -08:00
Manuel Buil 1bc0684fb7 Remove stuff which belongs in the windows executor implementation
Signed-off-by: Manuel Buil <mbuil@suse.com>
2022-11-14 15:52:04 +01:00
Derek Nola 13c633da12
Add Secrets Encryption to CriticalArgs (#6409)
* Add EncryptSecrets to Critical Control Args
* use deep comparison to extract differences

Signed-off-by: Derek Nola <derek.nola@suse.com>

Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-11-04 10:35:29 -07:00
Manuel Buil 861f8ed8f8
Merge pull request #6386 from manuelbuil/changeAddrTypesMetricsServer
Change addr types in metrics server
2022-11-04 11:11:21 +01:00
thomasferrandiz b7d217dbf3
Merge pull request #6405 from thomasferrandiz/log-kube-router-version
log kube-router version when starting netpol controller
2022-11-04 11:07:37 +01:00
Manuel Buil 8aff25e192
Merge pull request #6403 from manuelbuil/logsFlannelExternalIP
Avoid wrong config for `flannel-external-ip` and add warning if unencrypted backend
2022-11-04 09:47:30 +01:00
Manuel Buil 557fcd28d5 Change the priority of address types depending on flannel-external-ip
Signed-off-by: Manuel Buil <mbuil@suse.com>
2022-11-04 09:02:39 +01:00
Manuel Buil 1682172ac1 Add some helping logs to avoid wrong configs
Signed-off-by: Manuel Buil <mbuil@suse.com>
2022-11-03 18:09:17 +01:00
Roberto Bonafiglia 87c7ea81f0 Updated flannel version to 0.20.1
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-11-03 17:49:26 +01:00
Thomas Ferrandiz 68ac954489 log kube-router version when starting netpol controller
Signed-off-by: Thomas Ferrandiz <thomas.ferrandiz@suse.com>
2022-11-03 12:26:50 +01:00
Brad Davidson d7dbf69f7f go generate
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-11-02 11:29:05 -07:00
iyear 3aae7b8783 Fix incorrect defer usage
Problem:
Using defer inside a loop can lead to resource leaks

Solution:
Judge newer file in the separate function

Signed-off-by: iyear <ljyngup@gmail.com>
2022-11-01 16:23:25 -07:00
Brad Davidson cb86d2c1f0 Bump traefik to v2.9.4 / chart v18.3.0
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-11-01 16:05:45 -07:00
Petri Kivikangas 6156059136 Convert containerd config.toml.tmpl Linux template to v2 syntax
Signed-off-by: Petri Kivikangas <36138+Kitanotori@users.noreply.github.com>
2022-10-27 16:55:03 -07:00
Brad Davidson 76729d813b Set default kubeletPort
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-10-26 15:08:13 -07:00
Brad Davidson 269563e4d2 Check for RBAC before starting tunnel controllers
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-10-26 15:08:13 -07:00
Brad Davidson 68a56ff8d8 Add GVK lookup to deploy controller
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-10-26 15:08:13 -07:00
Brad Davidson 8d28a38a18 Update helm-controller to pull in refactor
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-10-26 15:03:13 -07:00
Brad Davidson 16a8b6d6f1 Bump Traefik helm chart to v18.0.0
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-10-26 13:38:13 -07:00
Brad Davidson f2585c1671 Add --flannel-external-ip flag
Using the node external IP address for all CNI traffic is a breaking change from previous versions; we should make it an opt-in for distributed clusters instead of default behavior.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-10-24 10:10:49 -07:00
Brad Davidson e8c250b8dc Fix RBAC to allow removal of legacy finalizer
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-10-20 16:12:28 -07:00
Brad Davidson 3c0cd6f2dc Return ProviderID in URI format
The InstancesV1 interface handled this for us by combining the ProviderName and InstanceID values; the new interface requires us to do it manually

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-10-17 11:05:09 -07:00
Brad Davidson f25419ca2c Add ServiceAccount for svclb pods
For 1.24 and earlier, the svclb pods need a ServiceAccount so that we can allow their sysctls in PSPs

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-10-10 17:40:39 -07:00
Derek Nola 06d81cb936
Replace deprecated ioutil package (#6230)
* Replace ioutil package
* check integration test null pointer
* Remove rotate retries

Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-10-07 17:36:57 -07:00
Brad Davidson 25e83cfa4f Bump traefik to 2.9.1 / chart 12.0.0
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-10-06 16:20:21 -07:00
Brad Davidson b411864be5 Handle custom kubelet port in agent tunnel
The kubelet port can be overridden by users; we shouldn't assume its always 10250

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-10-05 21:10:38 -07:00
Brad Davidson 11072e2516 Fix occasional "TLS handshake error" in apiserver network proxy.
We should be reading from the hijacked bufio.ReaderWriter instead of
directly from the net.Conn. There is a race condition where the
underlying http handler may consume bytes from the hijacked request
stream, if it comes in the same packet as the CONNECT header. These
bytes are left in the buffered reader, which we were not using. This was
causing us to occasionally drop a few bytes from the start of the
tunneled connection's client data stream.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-10-05 21:10:38 -07:00
Brad Davidson f633732d80 Use structured logging instead of logrus for event recorders
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-10-04 10:26:17 -07:00
Brad Davidson d963cb2f70 Disable cloud-node and cloud-node-lifecycle if CCM is disabled
If CCM and ServiceLB are both disabled, don't run the cloud-controller-manager at all;
this should provide the same CLI flag behavior as previous releases, and not create
problems when users disable the CCM but still want ServiceLB.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-09-30 08:17:20 -07:00
Brad Davidson 0b96ca92bc Move servicelb into cloudprovider LoadBalancer interface
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-09-30 08:17:20 -07:00
Brad Davidson a15e7e8b68 Move DisableServiceLB/Rootless/ServiceLBNamespace into config.Control
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-09-30 08:17:20 -07:00
Brad Davidson 063039471c Implement InstancesV2 instead of Instances
... and drop legacy ClusterID support.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-09-30 08:17:20 -07:00
Brad Davidson 6e97bddc04 Bump metrics-server to v0.6.1
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-09-29 15:49:29 -07:00
Manuel Buil 5164cf5345 Add flannel-external-ip when there is a k3s node-external-ip
Signed-off-by: Manuel Buil <mbuil@suse.com>
2022-09-26 16:24:00 +02:00
Roberto Bonafiglia 26e9405767 Added warning message for flannel backend additional options deprecation
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-09-09 20:04:04 +02:00
Derek Nola 1d46841d80 Fix deprecation message
Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-09-09 09:07:40 -07:00
Derek Nola cd49101fc8
Convert deprecated flags to fatal errors for v1.25 (#6069)
* Replace warning with fatal errors.
* Group system-default-registry under (agent/runtime)

Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-09-01 09:33:59 -07:00
Hussein Galal ba62c79f9b
Update to v1.25.0-k3s1 (#6040)
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2022-08-27 03:33:13 +02:00
Brad Davidson 7d6982d1fa Export agent.NetworkName for Windows
Was made private in 4aca21a1f1 as there was no comment as to why it was exported.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-08-23 15:10:57 -07:00
Brad Davidson 3e394f8ec5 The Windows kubelet does not accept cadvisor flags
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-08-23 15:10:57 -07:00
Derek Nola 035c03cfaa
Remove codespell from Drone, add to GH Actions (#6004)
Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-08-18 09:21:56 -07:00
Roberto Bonafiglia a30971efaa Updated flannel to v0.19.1
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-08-08 09:57:56 +02:00
Brad Davidson 4aca21a1f1 Add cri-dockerd support as backend for --docker flag
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-08-05 02:39:25 -07:00
Brad Davidson b1fa63dfb7 Revert "Remove --docker/dockershim support"
This reverts commit 4a3d283bc1.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-08-05 02:39:25 -07:00
Brad Davidson cf66559940 Print stack on panic
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-08-05 02:39:25 -07:00
Roberto Bonafiglia abdf0c7319 Fix comments and add check in case of IPv6 only node
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-08-04 09:54:45 +02:00
Roberto Bonafiglia d90ba30353 Added NodeIP autodect in case of dualstack connection
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-08-04 09:54:45 +02:00
Derek Nola 1c17f05b8e
Fix secrets reencryption for 8K+ secrets (#5936)
Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-08-02 14:08:06 -07:00
Derek Nola 118a68c913
Updates to CLI flag grouping + deprecated flag warnings. (#5937)
* Consolidate data dir flag
* Group cluster flags together
* Reorder and group agent flags
* Add additional info around vmodule flag
* Hide deprecated flags, and add warning about their removal

Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-08-02 13:51:16 -07:00
Vladimir Kochnev 13af0b1d88 Save agent token to /var/lib/rancher/k3s/server/agent-token
Having separate tokens for server and agent nodes is a nice feature.

However, passing server's plain `K3S_AGENT_TOKEN` value
to `k3s agent --token` without CA hash is insecure when CA is
self-signed, and k3s warns about it in the logs:

```
Cluster CA certificate is not trusted by the host CA bundle, but the token does not include a CA hash.
Use the full token from the server's node-token file to enable Cluster CA validation.
```

Okay so I need CA hash but where should I get it?

This commit attempts to fix this issue by saving agent token value to
`agent-token` file with CA hash appended.

Signed-off-by: Vladimir Kochnev <hashtable@yandex.ru>
2022-08-01 14:11:50 -07:00
Derek Nola 4c0bc8c046
Update etcd error to match correct url (#5909)
Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-07-29 09:40:53 -07:00
Brad Davidson db2ba7b61d Don't enable unprivileged ports and icmp on old kernels
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-07-28 14:33:20 -07:00
Brad Davidson 5eaa0a9422 Replace getLocalhostIP with Loopback helper method
Requires tweaking existing method signature to allow specifying whether or not IPv6 addresses should be return URL-safe.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-07-21 16:51:57 -07:00
Brad Davidson 84fb8787f2 Add service-cluster-ip-range to controller-manager args
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-07-21 16:51:57 -07:00
Brad Davidson bd5fdfce33 Fix server systemd detection
* Use INVOCATION_ID to detect execution under systemd, since as of a9b5a1933f NOTIFY_SOCKET is now cleared by the server code.
* Set the unit type to notify by default for both server and agent, which is what Rancher-managed installs have done for a while.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-07-21 13:42:20 -07:00
Brad Davidson 1674b9d640 Raise etcd connection test timeout to 30 seconds
Addressess issue where the compact may take more than 10 seconds on slower disks. These disks probably aren't really suitable for etcd, but apparently run fine otherwise.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-07-21 13:23:19 -07:00
Brad Davidson ffe72eecc4 Address issues with etcd snapshots
* Increase the default snapshot timeout. The timeout is not currently
  configurable from Rancher, and larger clusters are frequently seeing
  uploads fail at 30 seconds.
* Enable compression for scheduled snapshots if enabled on the
  command-line. The CLI flag was not being passed into the etcd config.
* Only set the S3 content-type to application/zip if the file is zipped.
* Don't run more than one snapshot at once, to prevent misconfigured
  etcd snapshot cron schedules from stacking up.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-07-12 14:41:38 -07:00
Brad Davidson 167ed19d22 Fix deletion of svclb DaemonSet when Service is deleted
87e1806697 removed the OwnerReferences
field from the DaemonSet, which makes sense since the Service may now be
in a different namespace than the DaemonSet and cross-namespace owner
references are not supported.  Unfortunately, we were relying on
garbage collection to delete the DameonSet, so this started leaving
orphaned DaemonSets when Services were deleted.

We don't want to add an a Service OnRemove handler, since this will add
finalizers to all Services, not just LoadBalancers services, causing
conformance tests to fail. Instead, manage our own finalizers, and
restore the DaemonSet removal Event that was removed by the same commit.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-07-12 12:27:55 -07:00
Brad Davidson fc1c100ffd Remove legacy bidirectional datastore sync code
Since #4438 removed 2-way sync and treats any changed+newer files on disk as an error, we no longer need to determine if files are newer on disk/db or if there is a conflicting mix of both. Any changed+newer file is an error, unless we're doing a cluster reset in which case everything is unconditionally replaced.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-07-12 12:10:30 -07:00
Brad Davidson 83420ef78e Fix fatal error when reconciling bootstrap data
Properly skip restoring bootstrap data for files that don't have a path
set because the feature that would set it isn't enabled.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-07-12 12:10:30 -07:00
Brad Davidson d2089872bb Fix issue with containerd stats missing from cadvisor metrics
cadvisor still doesn't pull stats via CRI yet, so we have to continue to use the deprecated arg.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-07-08 11:03:02 -07:00
Brad Davidson afee83dda2 Bump remotedialer
Includes fix for recently identified memory leak.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-07-07 12:22:37 -07:00
Brad Davidson 961c8274a9 Don't crash when service IPFamiliyPolicy is not set
Service.Spec.IPFamilyPolicy may be a nil pointer on freshly upgraded clusters.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-07-01 00:07:50 -07:00
Brad Davidson ff6c233e41 Fix egress selector proxy/bind-address support
Use same kubelet-preferred-address-types setting as RKE2 to improve reliability of the egress selector when using a HTTP proxy. Also, use BindAddressOrLoopback to ensure that the correct supervisor address is used when --bind-address is set.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-07-01 00:07:35 -07:00
Brad Davidson 96162c07c5 Handle egress-selector-mode change during upgrade
Properly handle unset egress-selector-mode from existing servers during cluster upgrade.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-06-30 11:57:41 -07:00
Olli Janatuinen 2968a83bc0 containerd: Enable enable_unprivileged_ports and enable_unprivileged_icmp by default
Signed-off-by: Olli Janatuinen <olli.janatuinen@gmail.com>
2022-06-15 14:49:51 -07:00
Brad Davidson 6fad63583b Only listen on loopback when resetting
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-06-15 11:25:54 -07:00
Brad Davidson 3399afed83 Ensure that CONTAINERD_ variables are not shadowed by later entries
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-06-15 10:58:12 -07:00
Brad Davidson fb0a342a20 Sanitize filenames for use in configmap keys
If the user points S3 backups at a bucket containing other files, those
file names may not be valid configmap keys.

For example, RKE1 generates backup files with names like
`s3-c-zrjnb-rs-6hxpk_2022-05-05T12:05:15Z.zip`; the semicolons in the
timestamp portion of the name are not allowed for use in configmap keys.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-06-15 10:54:26 -07:00
Derek Nola a9b5a1933f
Delay service readiness until after startuphooks have finished (#5649)
* Move startup hooks wg into a runtime pointer, check before notifying systemd
* Switch default systemd notification to server
* Add 1 sec delay to allow etcd to write to disk
Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-06-15 09:00:52 -07:00
Roberto Bonafiglia a693071c74
Merge pull request #5552 from sjoerdsimons/sjoerd/flannel-wireguard-mode
Add cli flag for flannel wireguard mode
2022-06-15 14:28:21 +02:00
Darren Shepherd e6009b1edf Introduce servicelb-namespace parameter
This parameter controls which namespace the klipper-lb pods will be create.
It defaults to kube-system so that k3s does not by default create a new
namespace. It can be changed if users wish to isolate the pods and apply
some policy to them.

Signed-off-by: Darren Shepherd <darren@acorn.io>
2022-06-14 15:48:58 -07:00
Darren Shepherd f4cc1b8788 Move all klipper-lb daemonset to common namespace for PodSecurity
The baseline PodSecurity profile will reject klipper-lb pods from running.
Since klipper-lb pods are put in the same namespace as the Service this
means users can not use PodSecurity baseline profile in combination with
the k3s servicelb.

The solution is to move all klipper-lb pods to a klipper-lb-system where
the security policy of the klipper-lb pods can be different an uniformly
managed.

Signed-off-by: Darren Shepherd <darren@acorn.io>
2022-06-14 15:48:58 -07:00
Manuel Buil d4522de06a
Merge pull request #5656 from manuelbuil/AddFlannelCniConfFile
Add FlannelCNIConf flag
2022-06-14 10:23:51 +02:00
Igor 2999289e68
add support for pprof server (#5527)
Signed-off-by: igor <igor@igor.io>
2022-06-13 22:06:55 -07:00
Brad Davidson 0581808f5c Set default egress-selector-mode to agent
... until QA flakes can be addressed.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-06-10 10:14:15 -07:00
Brad Davidson b550e1183a Remove control-plane egress context and fix agent mode.
The control-plane context handles requests outside the cluster and
should not be sent to the proxy.

In agent mode, we don't watch pods and just direct-dial any request for
a non-node address, which is the original behavior.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-06-10 10:14:15 -07:00
Brad Davidson d3242bea3c Refactor egress-selector pods mode to watch pods
Watching pods appears to be the most reliable way to ensure that the
proxy routes and authorizes connections.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-06-08 09:34:53 -07:00
Manuel Buil c705d34804 Add FlannelConfCNI flag
Signed-off-by: Manuel Buil <mbuil@suse.com>
2022-06-08 11:03:17 +02:00
Sjoerd Simons 8643576985 Add ability to pass configuration options to flannel backend
Allow the flannel backend to be specified as
backend=option=val,option2=val2 to select a given backend with extra options.

In particular this adds the following options to wireguard-native
backend:
* Mode - flannel wireguard tunnel mode
* PersistentKeepaliveInterval- wireguard persistent keepalive interval

Signed-off-by: Sjoerd Simons <sjoerd@collabora.com>
2022-06-07 20:13:28 +02:00
Brad Davidson 491aa11e10 Revert "Give kubelet the node-ip value (#5579)"
This reverts commit aa9065749c.

Setting dual-stack node-ip does not work when --cloud-provider is set
to anything, including 'external'. Just set node-ip to the first IP, and
let the cloud provider add the other address.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-06-02 17:36:55 -07:00
Brad Davidson 29397b4e68 Re-add --cloud-provider=external kubelet arg
The cloud-provider arg is deprecated and cannot be set to anything other than external, but must still be used or node addresses are not set properly.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-06-01 14:23:53 -07:00
Brad Davidson 9d7230496d Add support for configuring the EgressSelector mode
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-05-18 13:26:10 -07:00
Manuel Buil aa9065749c
Give kubelet the node-ip value (#5579)
* Give kubelet all node-ips

Signed-off-by: Manuel Buil <mbuil@suse.com>
Co-authored-by: Brad Davidson <brad.davidson@rancher.com>
2022-05-18 13:21:15 -07:00
Donnie Adams c38a8c3b43
Remove objects when removed from manifests (#5560)
* Remove objects when removed from manifests

If a user puts a file in /var/lib/rancher/k3s/server/manifests/ then the
objects contained therein are deployed to the cluster. If the objects
are removed from that file, they are not removed from the cluster.

This change tracks the GVKs in the files and will remove objects when
there are removed from the cluster.

Signed-off-by: Donnie Adams <donnie.adams@suse.com>
2022-05-18 11:05:03 -07:00
Brad Davidson 4a3d283bc1 Remove --docker/dockershim support
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-05-11 14:39:07 -07:00
Brad Davidson 360f18d1cf Always set pod-infra-container-image to protect it from image GC
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-05-11 14:39:07 -07:00
Brad Davidson 0710a7198a Remove deprecated flags from cloud-controller-manager
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-05-11 14:39:07 -07:00
Brad Davidson 703779c32f Remove deprecated flags from kube-apiserver
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-05-11 14:39:07 -07:00
Brad Davidson 551f2fa00a Remove deprecated flags from kubelet
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-05-11 14:39:07 -07:00
Brad Davidson c8447dca56 Bump golang to 1.18.1
Also update all use of 'go get' => 'go install', update CI tooling for
1.18 compatibility, and gofmt everything so lint passes.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-05-11 14:39:07 -07:00
Brad Davidson e6385b2341 Update CNI version in config file
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-05-11 14:39:07 -07:00
Manuel Buil a3b35d21e9 Add "ipFamilyPolicy: PreferDualStack" to have dual-stack ingress support
Signed-off-by: Manuel Buil <mbuil@suse.com>
2022-05-04 17:32:34 +02:00
Brad Davidson 1d4f995edd Move auto-generated resolv.conf out of /tmp to prevent accidental cleanup
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-05-03 20:33:32 -07:00
Manuel Buil 314e3f56dc Check if user has a correct cluster-cidr and service-cidr config
Signed-off-by: Manuel Buil <mbuil@suse.com>
2022-05-03 11:01:30 +02:00
Brad Davidson ce5b9347c9 Replace DefaultProxyDialerFn dialer injection with EgressSelector support
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-29 17:54:36 -07:00
Brad Davidson e763fadbba Ensure that WaitForAPIServerReady always re-dials through the loadbalancer
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-29 14:47:30 -07:00
Brad Davidson d93b750326 Don't start embedded kubelet until after apiserver is up
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-29 14:47:30 -07:00
Derek Nola 3e5561daca
Add new `k3s completion` command for shell completion (#5461)
* Add shell completion CLI 
Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-04-29 12:53:34 -07:00
Brad Davidson 13ca10664f Use ListWatch helpers instead of bare List/Watch
Reduces code complexity a bit and ensures we don't  have to handle closed watch channels on our own

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-29 12:24:12 -07:00
Michal Rostecki 5f2a4d4209 server: Allow to enable network policies with IPv6-only
After previous changes, network policies are working on IPv6-only
installations.

Signed-off-by: Michal Rostecki <vadorovsky@gmail.com>
2022-04-29 10:51:38 -07:00
Michal Rostecki c0045f415b agent(netpol): Explicitly enable IPv4 when necessary
Before this change, kube-router was always assuming that IPv4 is
enabled, which is not the case in IPv6-only clusters. To enable network
policies in IPv6-only, we need to explicitly let kube-router know when
to disable IPv4.

Signed-off-by: Michal Rostecki <vadorovsky@gmail.com>
2022-04-29 10:51:38 -07:00
Brad Davidson 3d01ca1309 Make supervisor errors parsable by Kubernetes client libs
This gives nicer errors from Kubernetes components during startup, and
reduces LOC a bit by using the upstream responsewriters module instead
of writing the headers and body by hand.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-29 09:23:37 -07:00
Brad Davidson a69d635c9b Drop unnecessary intermediate variable
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-29 09:22:57 -07:00
Brad Davidson 333311c7ee Add systemd cgroup controller support
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-29 09:22:57 -07:00
Brad Davidson 418c3fa858
Fix issue with datastore corruption on cluster-reset (#5515)
* Bump etcd to v3.5.4-k3s1
* Fix issue with datastore corruption on cluster-reset
* Disable unnecessary components during cluster reset

Disable control-plane components and the tunnel setup during
cluster-reset, even when not doing a restore. This reduces the amount of
log clutter during cluster reset/restore, making any errors encountered
more obvious.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-27 13:44:15 -07:00
Derek Nola 3d425e5d20
Secrets Encryption: Add RetryOnConflict around updating nodes (#5495)
* Add RetryOnConflict around updating nodes

Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-04-22 16:32:10 -07:00
Brad Davidson f2ceeb01d9
Fix issue with long-running apiserver endpoints watch (#5478)
Use ListWatch helpers to retry when the watch channel is closed.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-21 09:24:34 -07:00
Derek Nola 93f9562272
Update Kubernetes to v1.23.6 (#5477)
* Go generate
* Update tags to k3s-io for v1.23.6

Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-04-21 08:53:26 -07:00
Manuel Buil 6a8de31a92
Fix default ipv6 cidr (#5467)
Signed-off-by: Manuel Buil <mbuil@suse.com>
2022-04-20 08:41:41 -07:00
Sakala Venkata Krishna Rohit 3e3549e45c
Add s390x arch support for k3s (#5018)
* Update docs to include s390x arch

Signed-off-by: Venkata Krishna Rohit Sakala <rohitsakala@gmail.com>

* Add s390x drone pipeline

Signed-off-by: Venkata Krishna Rohit Sakala <rohitsakala@gmail.com>

* Install trivy linux arch only for amd64

This is done so that trivy is not installed for s390x arch

Signed-off-by: Venkata Krishna Rohit Sakala <rohitsakala@gmail.com>

* Add s390x arch if condition for Dockerfile.test

Signed-off-by: Venkata Krishna Rohit Sakala <rohitsakala@gmail.com>

* Add s390x arch in install script

Signed-off-by: Venkata Krishna Rohit Sakala <rohitsakala@gmail.com>

* Add s390x GOARCH in build script

Signed-off-by: Venkata Krishna Rohit Sakala <rohitsakala@gmail.com>

* Add SUFFIX s390x in scripts

Signed-off-by: Venkata Krishna Rohit Sakala <rohitsakala@gmail.com>

* Skip image scan for s390x arch

Signed-off-by: Venkata Krishna Rohit Sakala <rohitsakala@gmail.com>

* Update klipper-lb to version v0.3.5

Signed-off-by: Venkata Krishna Rohit Sakala <rohitsakala@gmail.com>

* Update traefik version to v2.6.2

Signed-off-by: Venkata Krishna Rohit Sakala <rohitsakala@gmail.com>

* Update registry to v2.8.1 in tests which supports s390x

Signed-off-by: Venkata Krishna Rohit Sakala <rohitsakala@gmail.com>

* Skip compact tests for s390x arch

This is done because compact test require a previous k3s version which supports s390x and it is not available

Signed-off-by: Venkata Krishna Rohit Sakala <rohitsakala@gmail.com>
2022-04-15 09:41:40 -07:00
Brad Davidson 7760e2177a Bump etcd to 3.5.3-k3s1
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-15 01:53:18 -07:00
Brad Davidson b12cd62935 Move IPv4/v6 selection into helpers
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-15 01:02:42 -07:00
Brad Davidson 7e447692c5 Fix issue with RKE2 servers hanging on listing apiserver addresses
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-15 01:02:42 -07:00
Brad Davidson 5b2c14b123 Print a helpful error when trying to join additional servers but etcd is not in use
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-15 01:02:42 -07:00
Brad Davidson 99851b0f84 Use core constants for cert user/group values
Also update cert gen to ensure leaf certs are regenerated if other key fields change.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-15 01:02:42 -07:00
Terry Cain b6e71ef990 Added support for repeated extra arguments
Problem:
Specifying extra arguments for the API server for example is not supported as
the arguments get stored in a map before being passed to the API server.

Solution:
Updated the GetArgs function to store the arguments in a map that can have
multiple values. Some more logic is added so that repeated extra arguments
retain their order when sorted whilst overall the arguments can still be
sorted for improved readability when logged.

Support has been added for prefixing and suffixing default argument values
by using -= and += when specifying extra arguments.

Signed-off-by: Terry Cain <terry@terrys-home.co.uk>
2022-04-14 13:59:57 -07:00
Roberto Bonafiglia e4d2824fb6
Merge pull request #5420 from rbrtbnfgl/etcd-default-endpoint
Added default endpoint for IPv6
2022-04-14 18:50:12 +02:00
Roberto Bonafiglia 9c9adda61b Added default endpoint for IPv6
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-04-14 09:58:40 +02:00
Roberto Bonafiglia dfb779d09d
Merge pull request #5422 from rbrtbnfgl/fix-flannel-backend-help
Fixed flannel backend helper text
2022-04-14 09:06:40 +02:00
Dirk Müller fa0fa8b1d0 Update golangci-lint to 1.45.2
This requires a further set of gofmt -s improvements to the
code, but nothing major. golangci-lint 1.45.2 brings golang 1.18
support which might be needed in the future.

Signed-off-by: Dirk Müller <dirk@dmllr.de>
2022-04-13 14:48:42 -07:00
Roberto Bonafiglia 8767395d40 Fixed flannel backend helper text
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-04-13 09:38:22 +02:00
Deshi Xiao c1095dd015
fix: non-idiomatic returning of boolean expression (#5343)
should use 'return disables[baseName]' instead of 'if disables[baseName] { return true }; return false'

Signed-off-by: Deshi Xiao <xiaods@gmail.com>
2022-04-11 12:46:29 -07:00
Roberto Bonafiglia 2037e9179a
Merge pull request #5391 from rbrtbnfgl/wireguard-update
Add wireguard native flannel backend
2022-04-08 09:13:04 +02:00
Brad Davidson f37e7565b8 Move the apiserver addresses controller into the etcd package
This controller only needs to run when using managed etcd, so move it in
with the rest of the etcd stuff. This change also modifies the
controller to only watch the Kubernetes service endpoint, instead of
watching all endpoints in the entire cluster.

Fixes an error message revealed by use of a newer grpc client in
Kubernetes 1.24, which logs an error when the Put to etcd failed because
kine doesn't support the etcd Put operation. The controller shouldn't
have been running without etcd in the first place.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-07 11:28:15 -07:00
Roberto Bonafiglia f04c602c07 Updated wireguard-native options and added log message
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-04-07 19:31:21 +02:00
Roberto Bonafiglia 47abaf362e Added new flannel backend to use wireguard from flannel
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-04-07 19:31:13 +02:00
Brad Davidson 2a429aac65 Fix crash on early snapshot
Don't attempt to retrieve snapshot metadata configmap if the apiserver
isn't available. This could be triggered if the cron expression caused a
snapshot to be triggered before the apiserver is up.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-07 09:23:34 -07:00
Michal Rostecki 9350016de8
Merge pull request #5387 from vadorovsky/kube-router-dual-stack
netpol: Add dual-stack support
2022-04-07 11:24:38 +02:00
Brad Davidson 0bf7c09569 Don't print password conversion rate
Avoids divide-by-zero when the password file is empty

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-06 15:55:45 -07:00
Brad Davidson 49544e0d49 Allow agents to query non-apiserver supervisors for apiserver endpoints
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-06 13:03:14 -07:00
Brad Davidson af0b496ef3 Add client certificate authentication support to core Authenticator
This is required to make the websocket tunnel server functional on
etcd-only nodes, and will save some code on the RKE2 side once pulled
through.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-06 13:03:14 -07:00
Brad Davidson e7437d4ad8 Redact datastore and etcd snapshot config from serialization
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-06 13:03:14 -07:00
Michal Rostecki c707948adf netpol: Add dual-stack support
This change allows to define two cluster CIDRs for compatibility with
Kubernetes dual-stuck, with an assumption that two CIDRs are usually
IPv4 and IPv6.

It does that by levearaging changes in out kube-router fork, with the
following downstream release:

https://github.com/k3s-io/kube-router/releases/tag/v1.3.2%2Bk3s

Signed-off-by: Michal Rostecki <vadorovsky@gmail.com>
2022-04-06 14:43:09 +02:00
Euan Kemp c2e846dc16 Allow using flannel wireguard backend in a custom config
Ideally we'd have fully fleshed out support for it (i.e. #5011), but
that's a potentially breaking change and taking a little while to merge.

This is a much simpler change which won't break anything, but will allow
a "Type": "wireguard" reference in the "--flannel-conf" custom config
file to work.

Signed-off-by: Euan Kemp <euank@euank.com>
2022-04-05 09:44:26 -07:00
Roberto Bonafiglia 4afeb9c5c7
Merge pull request #5325 from rbrtbnfgl/fix-etcd-ipv6-url
Fixed etcd URL in case of IPv6 address
2022-04-05 09:55:42 +02:00
Roberto Bonafiglia 0746dde758 Fixed http URL on etcd
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-03-31 14:24:59 +02:00
Roberto Bonafiglia 06c779c57d Fixed loadbalancer in case of IPv6 addresses
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-03-31 11:49:30 +02:00
Roberto Bonafiglia b66974145c Fixed etcd register
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-03-30 18:23:30 +02:00
Luther Monson 313aaca547
Merge pull request #5361 from luthermonson/fix-containerd-npipe
[master] Wrap containerd.New
2022-03-30 07:35:50 -07:00
Roberto Bonafiglia e29771b9ff Fixed client URL
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-03-30 10:59:39 +02:00
Brad Davidson 62cc1ed24f Skip setting up client tls when etcd server does not have tls enabled
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-30 01:03:41 -07:00
Luther Monson 13191da58a add a wrapper around the containerd.New call to fix and pass the proper npipe connector
Signed-off-by: Luther Monson <luther.monson@gmail.com>
2022-03-29 18:06:48 -07:00
Roberto Bonafiglia dda409b041 Updated localhost address on IPv6 only setup
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-03-29 09:35:54 +02:00
Brad Davidson 1339626a5b Defragment etcd datastore before clearing alarms
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-28 09:27:59 -07:00
Brad Davidson e811689df9 Fix etcd-only secrets encryption rotation
Improve feedback when running secrets-encrypt commands on etcd-only nodes, and
allow etcd-only nodes to properly restart when effecting rotation.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-25 10:40:58 -07:00
Brad Davidson d25ae8fbc2 Properly attach secrets-encrypt events to the node resource
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-23 16:01:21 -07:00
Brad Davidson 965d0a08ef Fix log spam due to servicelb event recorder namespace conflict
Don't hardcode the event namespace when creating event recorders; some controllers want to create events in other namespaces.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-23 16:01:21 -07:00
Brad Davidson 714979bf6a Ensure that apiserver ready channel checks re-dial every time
Closing idle connections isn't guaranteed to close out a pooled connection to a
loadbalancer endpoint that has been removed. Instead, ensure that requests used
to wait for the apiserver to become ready aren't reused.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-23 13:21:58 -07:00
Roberto Bonafiglia 2285aa699b Fixed etcd URL in case of IPv6 address
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-03-23 15:35:51 +01:00
Brad Davidson df94b3729f go generate
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-18 14:51:57 -07:00
Brad Davidson 38706eeec0 Defer ensuring node passwords on etcd-only nodes during initial cluster bootstrap
This allows secondary etcd nodes to bootstrap the kubelet before an
apiserver joins the cluster. Rancher waits for all the etcd nodes to
come up before adding the control-plane nodes, so this needs to be
handled properly.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-18 10:58:37 -07:00
Brad Davidson 3cebde924b Handle empty entries in bootstrap path map
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-17 13:42:27 -07:00
Brad Davidson a93b9b6d53 Update helm-controller
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-16 23:49:14 -07:00
Brad Davidson 66e350ea88 Track upstream changes to kubectl command execution
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-16 17:19:18 -07:00
Brad Davidson 078da46532 Close additional leaked GPRC clients
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-15 18:07:55 -07:00
Derek Nola 1f7abe5dbb
Testing directory and documentation rework. (#5256)
* Removed vagrant folder
* Fix comments around E2E ENVs
* Eliminate testutil folder
* Convert flock integration test to unit test
* Point to other READMEs

Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-03-15 10:29:56 -07:00
Roberto Bonafiglia ff85faa7de Changed ipv6 config on flannel setup
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-03-09 12:30:33 +01:00
Roberto Bonafiglia 073f155fc4 Added ipv6 only support with flannel
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-03-09 09:35:01 +01:00
Roberto Bonafiglia 93346904cf
Merge pull request #5215 from rbrtbnfgl/flannel_0.17
Flannel 0.17
2022-03-09 08:51:10 +01:00
Brian Downs 8083ef5824
fix function arg call (#5234) 2022-03-08 17:00:57 -07:00
Brad Davidson 003e094b45
Populate EtcdConfig in runtime from datastore when etcd is disabled (#5222)
Fixes issue with secrets-encrypt rotate not having any etcd endpoints
available on nodes without a local etcd server.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-08 09:04:31 -08:00
Roberto Bonafiglia 3fabc0703b
Merge pull request #4450 from olljanat/support-ipv6-only
Add partial support for IPv6 only mode
2022-03-08 11:38:52 +01:00
Roberto Bonafiglia f3d81544b1 Fixed log in case of ipv6 only config
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-03-08 09:42:25 +01:00
Roberto Bonafiglia 0c83f50c4c Added switch case to check netMode
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-03-08 09:34:25 +01:00
Roberto Bonafiglia 2c39febdd2 Fixed in case of empty address
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-03-07 14:09:29 +01:00
Roberto Bonafiglia d7d4c891e2 Updated flannel to 0.17
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-03-07 14:09:05 +01:00
Brad Davidson 44c53743dd Support MixedProtocolLBService and clean up Daemonsets on type change.
Also add event support to increase visibility of change events.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-03 15:30:04 -08:00
Luther Monson 9a849b1bb7
[master] changing package to k3s-io (#4846)
* changing package to k3s-io

Signed-off-by: Luther Monson <luther.monson@gmail.com>

Co-authored-by: Derek Nola <derek.nola@suse.com>
2022-03-02 15:47:27 -08:00
robertlestak a82ac4fdc7 servicelb pool selector
adds a new optional node label
"svccontroller.k3s.cattle.io/lbpool=<pool>" that can be set on nodes.
ServiceType: LoadBalancer services can then specify a matching label,
which will schedule the DaemonSet only on specified nodes. This allows
operators to specify different pools of nodes that can serve different
LoadBalancer services on the same ports.

Signed-off-by: robertlestak <robert.lestak@umusic.com>
2022-03-02 15:10:41 -08:00
Brad Davidson f090bf2d5e Bootstrap the executor even when the agent is disabled
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-02 02:47:54 -08:00
Brad Davidson a7878db17f Fix etcd-snapshot commands by making setup more consistent.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-01 20:25:20 -08:00
Brad Davidson 9a48086524 Ignore cluster membership errors when reconciling from temp etcd
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-01 20:25:20 -08:00
Brad Davidson e4846c92b4 Move temporary etcd startup into etcd module
Reuse the existing etcd library code to start up the temporary etcd
server for bootstrap reconcile. This allows us to do proper
health-checking of the datastore on startup, including handling of
alarms.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-01 20:25:20 -08:00
Brad Davidson 555087b9b8 Add function to clear local alarms on etcd startup
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-01 11:56:52 -08:00
Kamil Madac 333248466b
Add http/2 support to API server (#5149)
fix issue #5148

Signed-off-by: Kamil Madac <kamil.madac@gmail.com>
2022-03-01 11:27:52 -08:00
Brad Davidson 5014c9e0e8 Fix adding etcd-only node to existing cluster
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-02-28 19:56:08 -08:00
Brad Davidson a1b800f0bf Remove unnecessary copies of etcdconfig struct
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-02-28 12:05:16 -08:00
Brad Davidson 2989b8b2c5 Remove unnecessary copies of runtime struct
Several types contained redundant references to ControlRuntime data. Switch to consistently accessing this via config.Runtime instead.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-02-28 12:05:16 -08:00
Brad Davidson 54bb65064e Fix cluster bootstrap test
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-02-28 12:05:16 -08:00
Derek Nola a698ece9c5
Add `--json` flag for `k3s secrets-encrypt status` (#5127)
* Add json flag for secrets-encrypt status

Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-02-28 09:14:32 -08:00
Brian Downs 40a46e1412
add ability to specify etcd snapshot list output format (#5132) 2022-02-25 14:00:00 -07:00
Derek Nola 142eed1a9f
Create encryption hash file if it doesn't exist (#5140)
Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-02-25 08:43:03 -08:00
Hussein Galal 43b1cb4820
Update to V1.23.4 k3s1 (#5135)
* Update to v1.23.4

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Upgrade treafik to 2.6.1

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Upgrade treafik to 2.6.1

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Upgrade treafik image in image-list

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Update kubernetes

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2022-02-22 18:57:22 +02:00
Manuel Buil 062fe63dd1 Fix annoying netpol log
Signed-off-by: Manuel Buil <mbuil@suse.com>
2022-02-10 20:01:27 +01:00
Olli Janatuinen 966f4d6a01 Add support for IPv6 only mode
Automatically switch to IPv6 only mode if first node-ip is IPv6 address

Signed-off-by: Olli Janatuinen <olli.janatuinen@gmail.com>
2022-02-10 20:34:59 +02:00
Derek Nola e28be2912c
Migrate Ginkgo testing framework to V2, consolidate integration tests (#5097)
* Upgrade and convert ginkgo from v1 to v2
* Move all integration tests into integration folder
* Update TESTING.md

Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-02-09 08:22:53 -08:00
Hussein Galal 13728058a4
Add k3s etcd restoration integration test (#5014)
* Add k3s etcd restoration test

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Fix tests and rebase

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Reorganizing the tests

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Fixing comments

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Fix etcd restore

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* dont check for errors when restoring

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* use eventually to test for restoration

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix tests

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix golint

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2022-02-08 21:24:34 +02:00
Manuel Buil 773c2a4184
Merge pull request #5079 from manuelbuil/michalsPR
netpol: Use kube-router as a library
2022-02-07 19:18:15 +01:00
Michal Rostecki 4fed9f4052 netpol: Use kube-router as a library
Before this change, we were copying a part of kube-router code to
pkg/agent/netpol directory with modifications, from which the biggest
one was consumption of k3s node config instead of kube-router config.

However, that approach made it hard to follow new upstream versions.
It's possible to use kube-router as a library, so it seems like a better
way to do that.

Instead of modifying kube-router network policy controller to comsume
k3s configuration, this change just converts k3s node config into
kube-router config. All the functionality of kube-router except netpol
is still disabled.

Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
Signed-off-by: Manuel Buil <mbuil@suse.com>
2022-02-07 10:54:08 +01:00
Derek Nola 4f36c82ff7
Check for `--kubeconfig` flag with embedded `kubectl` (#5064)
* Check for kubeconfig flag

Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-02-03 09:00:24 -08:00
Ankur Gupta df4147cd57
Update legacy-unknown-cert and legacy-unknown-key (#5057)
Signed-off-by: Ankur Gupta <ankur.gupta130887@gmail.com>
2022-02-02 09:15:41 -08:00
Derek Nola d583a99f62
Add server flag to access nonlocal/nondefault k3s server (#5016)
Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-01-27 10:53:38 -08:00
Brad Davidson bc7635f01f Move containerd wait into exported function
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-01-25 13:09:30 -08:00
Roberto Bonafiglia bb856c67dc
Merge pull request #4952 from rbrtbnfgl/ipv6-nat
Add IPv6 NAT
2022-01-19 08:44:57 +01:00
Brad Davidson a094dee7dd Update packaged components
Update images and manifests/charts for coredns, local-path-provisioner, traefik, and pause

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-01-18 16:40:00 -08:00
Brad Davidson 27fe2c3c1b go generate
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-01-18 11:01:49 -08:00
Roberto Bonafiglia 8eded2749a Added debug log for IPv6 Masquerading rule
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@gmail.com>
2022-01-17 10:20:12 +01:00
Brad Davidson b1e0f4c8fc Skip CGroup v2 evac when agent is disabled
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-01-14 13:24:44 -08:00
Roberto Bonafiglia 111c1669fc Added flannel-ipv6-masq flag to enable IPv6 nat
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@gmail.com>
2022-01-14 18:35:37 +01:00
Roberto Bonafiglia 2253f64b2a Added iptables masquerade rules for ipv6 on flannel
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@gmail.com>
2022-01-14 18:35:37 +01:00
Brian Downs effcb15adb
Adds the ability to compress etcd snapshots (#4866) 2022-01-14 10:31:22 -07:00
Derek Nola 48ffed3852
Enable logging on all subcommands (#4921)
Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-01-12 14:00:40 -08:00
Brad Davidson a0cadcd343 Move ClusterResetRestore handling ControlConfig setup
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-01-12 10:46:10 -08:00
Brad Davidson 5ca206ad3b Fix handling of agent-token fallback to token
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-01-07 09:56:37 -08:00
Brad Davidson e7464a17f7 Fix use of agent creds for secrets-encrypt and config validate
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-01-06 12:55:18 -08:00
Lordran 31f1a00b6f
Fix a typo: advertise-up -> advertise-ip (#4827)
Signed-off-by: 胥朝阳 <xuzhaoyang@91cyt.com>
2022-01-06 08:52:07 -08:00
Derek Nola 2ac8df3602
Integration tests utilities improvements (#4832)
* Remove sudo commands from integration tests

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Added cleanup fucntion

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Implement better int cleanup

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Rename test utils

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Enable K3sCmd to be a single string

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Removed parsePod function

Signed-off-by: Derek Nola <derek.nola@suse.com>

* codespell

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Revert startup timeout

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Reorder sonobuoy tests, drop concurrent tests to 3

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Disable etcd

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Skip parallel testing for etcd

Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-01-06 08:05:56 -08:00
Luther Monson 66eeabbdfc linter doesn't actually run on windows, found these while getting it running on a windows machine
Signed-off-by: Luther Monson <luther.monson@gmail.com>
2021-12-28 20:44:21 -07:00
Derek Nola ff49dcf71e Export default parser
Signed-off-by: Derek Nola <derek.nola@suse.com>
(cherry picked from commit 9cc930e4a3)
2021-12-22 16:06:55 -08:00
Brad Davidson 87395e32d6 Update modules for Kubernetes v1.23
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-12-22 10:47:38 -08:00
Manuel Buil 30c701f5de
Merge pull request #4796 from manuelbuil/flannel-logrus
Move flannel logs to logrus
2021-12-22 10:33:43 +01:00
Brad Davidson a5c6e6a68a Fix panic checking name of uninitialized etcd member
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-12-21 23:38:20 -08:00
Luther Monson 02f862da5f
Merge pull request #4791 from luthermonson/vendor-rm
[master] Remove the Vendor Directory
2021-12-21 15:07:55 -07:00
Brian Downs 3ae550ae51
Update bootstrap logic to output all changed files on disk (#4800) 2021-12-21 14:28:32 -07:00
Luther Monson e6cf8f5982 code changes to drop the vendor dir
Signed-off-by: Luther Monson <luther.monson@gmail.com>
2021-12-21 14:23:38 -07:00
Manuel Buil 4eb282edac Move flannel logs to logrus
Signed-off-by: Manuel Buil <mbuil@suse.com>
2021-12-21 14:34:51 +01:00
Hussein Galal 2e91913f54
Close agentReady channel only in k3s (#4792)
* Close agentReady channel only in k3s

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* codespell check

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-12-21 00:22:49 +02:00
Brad Davidson 8ad7d141e8 Close etcd clients to avoid leaking GRPC connections
If you don't explicitly close the etcd client when you're done with it,
the GRPC connection hangs around in the background. Normally this is
harmelss, but in the case of the temporary etcd we start up on 2399 to
reconcile bootstrap data, the client will start logging errors
afterwards when the server goes away.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-12-17 23:55:17 -08:00
Manuel Buil 588d15db8f Remove Disables, Skips and DisableKubeProxy from the comparing configs
Signed-off-by: Manuel Buil <mbuil@suse.com>
2021-12-17 19:04:38 +01:00
Brad Davidson 6f4217a340 Build standalone containerd
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-12-16 12:00:15 -08:00
Derek Nola 17eebe0563
Fix cold boot and reconcilation on secondary servers (#4747)
* Enable reconcilation on secondary servers

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Remove unused code

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Attempt to reconcile with datastore first

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Added warning on failure

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Update warning

Signed-off-by: Derek Nola <derek.nola@suse.com>

* golangci-lint fix

Signed-off-by: Derek Nola <derek.nola@suse.com>
2021-12-15 15:38:50 -08:00
Hussein Galal d71b335871
Fix snapshot restoration on fresh nodes (#4737)
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-12-14 02:04:39 +02:00
Brian Downs bf4e037fcf
Resolve Bootstrap Migration Edge Case (#4730) 2021-12-13 13:02:30 -07:00
Brian Downs a6fe2c0bc5
Resolve restore bootstrap (#4704) 2021-12-09 14:54:27 -07:00
Brad Davidson a70487d5ae Update wharfie usage in windows code path
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-12-09 13:16:22 -08:00
Hussein Galal 3985fd0e26
[master] Add validation to certificate rotation (#4692)
* Add validation to certificate rotation

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Add validation to certificate rotation

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-12-09 18:57:13 +02:00
Manuel Buil 1e0696628e
Merge pull request #4581 from manuelbuil/checking-HA-parameters
Verify new control plane nodes joining the cluster share the same config as cluster members
2021-12-08 10:49:28 +01:00
Alexey Medvedchikov 8f389ab030
Include node-external-ip in serving-kubelet.crt SANs (#4620)
* Include node-external-ip in serving-kubelet.crt SANs

Signed-off-by: Alexey Medvedchikov <alexeymedvedchikov@improbable.io>
2021-12-07 15:42:40 -08:00
Derek Nola bcb662926d
Secrets-encryption rotation (#4372)
* Regular CLI framework for encrypt commands
* New secrets-encryption feature
* New integration test
* fixes for flaky integration test CI
* Fix to bootstrap on restart of existing nodes
* Consolidate event recorder

Signed-off-by: Derek Nola <derek.nola@suse.com>
2021-12-07 14:31:32 -08:00
Manuel Buil 1b3187ea07 Check HA network parameters
Signed-off-by: Manuel Buil <mbuil@suse.com>
2021-12-07 23:09:05 +01:00
Brad Davidson 7d3447ceff Bump wharfie to v0.5.1 and use shared decompression code
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-12-07 12:50:57 -08:00
Hussein Galal 77fd3e99ec
Add cert rotation command (#4495)
* Add cert rotation command

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* add function to check for dynamic listener file

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* Add dynamiclistener cert rotation support

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fixes to the cert rotation

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix ci tests

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fixes to certificate rotation command

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* more fixes

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

Co-authored-by: Brian Downs <brian.downs@gmail.com>
2021-12-02 23:19:16 +02:00
Manuel Buil 8141a933b0
Merge pull request #4550 from manuelbuil/improve_flannel_logging
Improve flannel code and logging
2021-12-01 18:22:23 +01:00
Derek Nola d05c334a78
Improved cleanup for etcd unit test (#4537)
* Improved cleanup for etcd unit test

Signed-off-by: Derek Nola <derek.nola@suse.com>
2021-11-29 14:46:58 -08:00
Chris Kim ae4a1a144a
etcd snapshot functionality enhancements (#4453)
Signed-off-by: Chris Kim <oats87g@gmail.com>
2021-11-29 10:30:04 -08:00
Brad Davidson 0c1f816f24 go generate
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-11-23 16:38:55 -08:00
Manuel Buil 7685da3e24 Improve flannel logging
Signed-off-by: Manuel Buil <mbuil@suse.com>
2021-11-22 21:51:52 +01:00
Hussein Galal 03485632ea
Fix regression with cluster reset (#4521)
* Fix regression with cluster reset

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* typo

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-11-17 23:22:18 +02:00
Derek Nola ef263bd2b0
Improved regex for double equals arguments (#4505)
Signed-off-by: Derek Nola <derek.nola@suse.com>
2021-11-16 11:16:13 -08:00
Derek Nola 535a919635
Removed value from warning about skipping flags (#4491)
* Enabled skipping of unkown flags from config in parser
* Added new unit test, expanded existing
* Add warning back in, without value

Signed-off-by: Derek Nola <derek.nola@suse.com>
2021-11-15 13:17:10 -07:00
Chris Kim f18b3252c0
[master] Add etcd extra args support for K3s (#4463)
* Add etcd extra args support for K3s

Signed-off-by: Chris Kim <oats87g@gmail.com>

* Add etcd custom argument integration test

Signed-off-by: Chris Kim <oats87g@gmail.com>

* go generate

Signed-off-by: Chris Kim <oats87g@gmail.com>
2021-11-11 21:03:15 -08:00
Thorsten Klein 41ff19de71 Feature: Add CoreDNS Customization Options
Problem:
Before, to customize CoreDNS, one had to edit the default configmap,
which gets re-written on every K3s server restart.

Solution:
Mount an additional coredns-custom configmap into the CoreDNS container
and import overrides and additional server blocks from the included
files.

Signed-off-by: Thorsten Klein <iwilltry42@gmail.com>
2021-11-11 18:41:22 -08:00
Derek Nola 4b57951fb0
Fix to allow etcd-snapshot to use config file with flags that are only used with k3s server. (#4464)
* Enabled skipping of unknown flags from config in parser
* Added new unit test, expanded existing

Signed-off-by: Derek Nola <derek.nola@suse.com>
2021-11-11 16:01:23 -08:00
Brad Davidson 5ab6d21a7d
Increase agent's apiserver ready timeout (#4454)
Since we now start the server's agent sooner and in the background, we
may need to wait longer than 30 seconds for the apiserver to become
ready on downstream projects such as RKE2.

Since this essentially just serves as an analogue for the server's
apiReady channel, there's little danger in setting it to something
relatively high.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-11-11 14:01:49 -07:00
Brad Davidson bc7cdc78ca go generate
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-11-10 17:36:01 -08:00
Manuel Buil 8271d98a76
Merge pull request #4437 from manuelbuil/fix_svclb_ipv6_rh
Allow svclb pod to enable ipv6 forwarding
2021-11-10 19:08:40 +01:00
Manuel Buil 5d168a1d59 Allow svclb pod to enable ipv6 forwarding
Signed-off-by: Manuel Buil <mbuil@suse.com>
2021-11-10 18:20:03 +01:00
Brian Downs adaeae351c
update bootstrap logic (#4438)
* update bootstrap logic resolving a startup bug and account for etcd
2021-11-10 05:33:42 -07:00
Derek Nola 7bd65047c3
Match to last After keyword for parser (#4383)
* Made parser able to skip over subcommands
* Edge case coverage, reworked regex with groups
Signed-off-by: Derek Nola <derek.nola@suse.com>
2021-11-08 10:54:48 -08:00
Luther Monson 36c6634cce
[master] updating to new signals package in wrangler (#4399)
* updating to new signals package in wrangler

Signed-off-by: Luther Monson <luther.monson@gmail.com>
2021-11-08 08:32:43 -07:00
Brad Davidson f7dcc139ff Bump klipper-lb image for arm fix
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-11-02 18:55:09 -07:00
Deshi Xiao f1622129e4 refactor: Use plain channel send or receive
fix issue #4369

should use a simple channel send/receive instead of select with a single
case

Signed-off-by: Deshi Xiao <xiaods@gmail.com>
2021-11-01 15:00:49 -07:00
Brad Davidson f9f1cabe9c Fix log/reap reexec
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-11-01 14:24:14 -07:00
Jacob Blain Christen 702fe24afe
containerd/cri: enable the btrfs snapshotter (#4316)
* vendor: btrfs
* enable the btrfs snapshotter
* testing: snapshotter/btrfs

Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
2021-10-29 23:31:33 -07:00
Brad Davidson 3da1bb3af2 Fix other uses of NewForConfigOrDie in contexts where we could return err
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-10-29 15:18:14 -07:00
Brad Davidson 5acd0b9008 Watch the local Node object instead of get/sleep looping
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-10-29 15:18:14 -07:00
Brad Davidson 3fe460d080 Block scheduler startup on untainted node when using embedded CCM
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-10-29 15:18:14 -07:00
Derek Nola 7c3f21e581
K3s Integration test fixes (#4341)
* Move tests into sub folders
* Updated documentation
* Prevent infinite loop is user has not made k3s

Signed-off-by: dereknola <derek.nola@suse.com>
2021-10-28 12:35:28 -07:00
galal-hussein ab3d25a2c5 Update peer address when running cluster-reset
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-10-25 15:43:27 -07:00
Brian Downs 0a0b915921
reset buffer after use (#4279) 2021-10-22 15:56:01 -07:00
Derek Nola 918945da45
Added configuration input to etcd-snapshot (#4280)
Signed-off-by: dereknola <derek.nola@suse.com>
2021-10-22 12:03:32 -07:00
Brian Downs e11a4bf8bb
set duration to second (#4231) 2021-10-15 16:46:39 -07:00
Brian Downs 0452f017c1
Add etcd s3 timeout (#4207) 2021-10-15 10:24:14 -07:00
Brian Downs 34080b23b1
Copy old bootstrap buffer data for use during migration (#4215) 2021-10-15 10:17:29 -07:00
Manuel Buil dbc14b8990 Fix race condition in cloud provider
Signed-off-by: Manuel Buil <mbuil@suse.com>
2021-10-15 13:28:32 +02:00
Brad Davidson 5a923ab8dc Add containerd ready channel to delay etcd node join
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-10-14 14:03:52 -07:00
Hussein Galal b282528ee2
Display cluster tls error only in debug mode (#4124)
* Display cluster tls error only in debug mode

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-10-13 00:00:28 +02:00
Brad Davidson dc18ef2e51 Refactor log and reaper exec to omit MAINPID
Using MAINPID breaks systemd's exit detection, as it stops watching the
original pid, but is unable to watch the new pid as it is not a child
of systemd itself. The best we can do is just notify when execing the child
process.

We also need to consolidate forking into a sigle place so that we don't
end up with multiple levels of child processes if both redirecting log
output and reaping child processes.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-10-12 13:35:10 -07:00
Derek Nola feec44572d
Improve error message when using a "K10" prefixed token (#4180)
* Add new error message with a K10 prefixed secret token

Signed-off-by: dereknola <derek.nola@suse.com>
2021-10-11 10:00:22 -07:00
Brian Downs ac7a8d89c6
Add ability to reconcile bootstrap data between datastore and disk (#3398) 2021-10-07 12:47:00 -07:00
Derek Nola b6919adf62
Add "etcd-" prefix to etcd-snapshot commands as aliases (#4161)
* Add "etcd-" prefix to etcd-snapshot commands as alias

Signed-off-by: dereknola <derek.nola@suse.com>
2021-10-06 14:20:22 -07:00
Manuel Buil 635f790eb4
Merge pull request #4114 from manuelbuil/lb-controller-dual-stack
Dual-stack support in serviceLB controller
2021-10-06 16:08:10 +02:00
Manuel Buil 00cf4578ec Dual-stack support LB controller
Signed-off-by: Manuel Buil <mbuil@suse.com>
2021-10-06 11:06:20 +02:00
Marc Bachmann 9b35734e1a Add topologySpreadConstraints to support scaling of coredns
Signed-off-by: Marc Bachmann <marc.brookman@gmail.com>
2021-10-05 11:52:44 -07:00
Brad Davidson 12e675e2cc Don't evacuate the root cgroup when rootless
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-10-01 16:18:12 -07:00
Brad Davidson 5d1a37ee32 Send MAINPID to systemd when reexecing for logfile output
This allows the new process to notify systemd when it is ready.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-09-29 11:41:09 -07:00
Brad Davidson a16105b348 Properly handle operation as init process
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-09-28 11:05:34 -07:00
Brian Downs f4cea90cb9
set transport to skip verify if se skip flag passed (#4102) 2021-09-28 10:13:50 -07:00
Manuel Buil 87524a7ac7 Enable the inheritance of settings for ipv6
Signed-off-by: Manuel Buil <mbuil@suse.com>
2021-09-28 09:42:08 +02:00
Michal Rostecki 47676eff78
Merge pull request #4080 from manuelbuil/update_klipperlb2
Use the new klipper-lb image that has newer go and Alpine versions
2021-09-27 10:11:52 +02:00
Brad Davidson 73e21e739f Drop broken SupportNoneCgroupDriver support
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-09-23 16:12:51 -07:00
Manuel Buil b99b943c17 Use the new klipper-lb image that has newer go and Alpine versions
Signed-off-by: Manuel Buil <mbuil@suse.com>
2021-09-22 09:23:38 +02:00
Brad Davidson 28be0de4e8 Revert "Use the newer klipper-lb image"
This reverts commit 1d21491094.
2021-09-20 13:19:38 -07:00
Brad Davidson 64b502e92c Disable automounting service account token in servicelb pods
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-09-17 15:52:44 -07:00
Hussein Galal 7826407a2e
Make sure there are no duplicates in etcd member list (#4025)
* Make sure there are no duplicates in etcd member list

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix node names with hyphens

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* use full server name for etcd node name

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-09-18 00:51:18 +02:00
Manuel Buil 1d21491094 Use the newer klipper-lb image
Signed-off-by: Manuel Buil <mbuil@suse.com>
2021-09-17 15:42:48 -07:00
Brad Davidson 753e11ee3c Enable JobTrackingWithFinalizers FeatureGate
Works around issue with Job controller not tracking job pods that
are in CrashloopBackoff during upgrade from 1.21 to 1.22.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-09-17 11:26:45 -07:00
Derek Nola eda65b19d9
Remove expiremental from cluster commands (#4024)
Signed-off-by: dereknola <derek.nola@suse.com>
2021-09-15 16:41:50 -07:00
Joe Kralicky debb508643
Nvidia container runtime discovery in containerd config template (#3890)
* Update the default containerd config template with support for adding extra container runtimes. Add logic to discover nvidia container runtimes installed via the the gpu operator or package manager.

Signed-off-by: Joe Kralicky <joe.kralicky@suse.com>
2021-09-15 14:31:11 -07:00
Brad Davidson 086ca8ba6a Fix premature etcd shutdown when joining an existing cluster
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-09-15 10:35:07 -07:00
Manuel Buil 60cd86bc42
Merge pull request #3906 from manuelbuil/dual-stack
Add dual-stack support on flannel
2021-09-15 18:48:10 +02:00
Brad Davidson 85e11c47d1 Add StargzSupported stub for Windows
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-09-15 09:45:57 -07:00
Chris Kim acf9036b63
No-op when etcd member was already removed and use existing name for etcd controller (#4014)
Signed-off-by: Chris Kim <oats87g@gmail.com>
2021-09-15 08:41:30 -07:00
Manuel Buil 9fcd79baae Add tests to the dual-stack PR and enable dual-stack with flannel backend
Signed-off-by: Manuel Buil <mbuil@suse.com>
2021-09-15 14:11:54 +02:00
Manuel Buil 681058bb40 Add dual-stack support
Signed-off-by: Manuel Buil <mbuil@suse.com>
2021-09-15 11:44:48 +02:00
Brad Davidson b72306ce3d Return the error since it just gets logged and retried anyways
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-09-14 16:41:27 -07:00
Brad Davidson 5986898419 Use SubjectAccessReview to validate CCM RBAC
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-09-14 16:41:27 -07:00
Brad Davidson dc556cbb72 Set controller authn/authz kubeconfigs
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-09-14 16:41:27 -07:00
Brad Davidson 199424b608 Pass context into all Executor functions
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-09-14 16:41:27 -07:00
Chris Kim 928b8531c3
[master] Add `etcd-member-management` controller to K3s (#4001)
* Initial leader elected etcd member management controller
* Bump etcd to v3.5.0-k3s2

Signed-off-by: Chris Kim <oats87g@gmail.com>
2021-09-14 08:20:38 -07:00
Brad Davidson 57377d2cd4 Minor cleanup on cribbed function
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-09-10 17:04:15 -07:00
Brad Davidson 3449d5b9f9 Wait for apiserver readyz instead of healthz
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-09-10 17:04:15 -07:00
Brad Davidson b4d8c641c6 Add exposed metrics listener instead of replacing loopback listener
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-09-10 09:39:39 -07:00
Brad Davidson 29c8b238e5 Replace klog with non-exiting fork
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-09-10 09:36:16 -07:00
Brad Davidson 90960ebf4e SupportPodPidsLimit is locked to true of 1.20, making pids cgroup support mandatory
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-09-09 11:49:53 -07:00
Darren Shepherd 741ba95b04 Migrate sqlite data to etcd when initializing the cluster
Signed-off-by: Darren Shepherd <darren@rancher.com>
2021-09-09 10:24:02 -07:00
Devin Buhl a1ec43e0b7
feat: add option to disable s3 over https
Signed-off-by: Devin Buhl <devin.kray@gmail.com>
2021-09-05 12:03:49 -04:00
Kohei Tokunaga 8b857eef9c
Ship Stargz Snapshotter (#2936)
* Ship Stargz Snapshotter

Signed-off-by: ktock <ktokunaga.mail@gmail.com>

* Bump github.com/containerd/stargz-snapshotter to v0.8.0

Signed-off-by: Kohei Tokunaga <ktokunaga.mail@gmail.com>
2021-09-01 16:27:42 -07:00
Brad Davidson cf12a13175 Add missing node name entry to apiserver SAN list
Also honor node-ip when adding the node address to the SAN list, instead
of hardcoding the autodetected IP address.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-09-01 13:22:32 -07:00
Brad Davidson b8add39b07 Bump kine for metrics/tls changes
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-09-01 01:51:30 -07:00
Hussein Galal 933052a02c
Fix condition for adding kubernetes endpoints (#3941)
* Fix condition for adding kubernetes endpoints

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Fix condition for adding kubernetes endpoints

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-08-31 00:57:17 +02:00
Derek Nola 60297a1bbe
Creation of K3s integration test Sonobuoy plugin (#3931)
* Added test runner and build files
* Changes to int test to output junit results.
* Updated documentation, removed comments

Signed-off-by: dereknola <derek.nola@suse.com>
2021-08-30 08:27:59 -07:00
Brad Davidson 2a68c7c8a4 Fix issue where addon checksum was never stored
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-08-27 10:26:13 -07:00
Manuel Buil 2e5c9e5cad
Merge pull request #3916 from manuelbuil/net_v6
Add functions to separate ipv4 and ipv6 CIDRs
2021-08-27 18:57:54 +02:00
Manuel Buil 96dcef478a Add functions to separate ipv4 from ipv6 functions
Signed-off-by: Manuel Buil <mbuil@suse.com>
2021-08-27 10:14:39 +02:00
Derek Nola 114b30277f
Redux: Enable K3s integration test to run on existing cluster (#3905)
* Made it possible to run int tests on existing cluster

Signed-off-by: dereknola <derek.nola@suse.com>
2021-08-26 16:26:19 -07:00
Akihiro Suda 331c6fed71 Remove runtime V1 (`containerd-shim`)
Fix issue 3105

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-08-26 11:50:33 -07:00
Akihiro Suda 176451f4ea
Fix rootless regression in 1.22 (Set KubeletInUserNamespace gate) (#3901)
Fix issue 3900

Kubernetes 1.22 requires `KuebletInUserNamespace` feature gate to be set for rootless:
https://kubernetes.io/docs/tasks/administer-cluster/kubelet-in-userns/#userns-the-hard-way

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-08-24 08:27:17 -07:00
Derek Nola 66dacc6ee0
Revert "Enable K3s integration test to run on existing cluster (#3892)" (#3899)
This reverts commit 703b5af950.
2021-08-24 07:26:14 -07:00
Derek Nola 703b5af950
Enable K3s integration test to run on existing cluster (#3892)
* Made it possible to run int tests on existing cluster

Signed-off-by: dereknola <derek.nola@suse.com>
2021-08-23 12:12:03 -07:00
Brad Davidson e95b75409a Fix lint failures
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-08-20 18:47:16 -07:00
Brad Davidson a5355f0827 Replace dropped v1beta1 APIs with v1
Requires updating traefik as well to drop deprecated types.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-08-20 18:47:16 -07:00
Brad Davidson dc14f370c4 Update wrangler to v0.8.5
Required to support apiextensions.v1 as v1beta1 has been deleted. Also
update helm-controller and dynamiclistener to track wrangler versions.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-08-20 18:47:16 -07:00
Brad Davidson c434db7cc6 Wrap errors in runControllers for additional context
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-08-20 18:47:16 -07:00
Brad Davidson 422d266da2 Disable deprecated insecure port
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-08-20 18:47:16 -07:00
Brad Davidson 641ab26fde Update containerd to 1.5
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-08-20 18:47:16 -07:00
Brad Davidson 872855015c Update etcd to v3.5.0
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-08-20 18:47:16 -07:00
Brad Davidson e204d863a5 Update Kubernetes to v1.22.1
* Update Kubernetes to v1.22.1
* Update dependent modules to track with upstream

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-08-20 18:47:16 -07:00
Derek Nola ed5991f13b
K3s Flock Integration Test (#3887)
* Upgraded flock with shared and integration test.

Signed-off-by: dereknola <derek.nola@suse.com>

Co-authored-by: Brian Downs <brian.downs@gmail.com>
2021-08-20 12:34:22 -07:00
Hussein Galal e322924781
Reset load balancer state during restoraion (#3877)
* Reset load balancer state during restoraion

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Reset load balancer state during restoraion

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-08-18 01:02:30 +02:00
Malte Starostik b23955e835
Fix URL pruning when joining an etcd member (#3832)
* Fix URL pruning when joining an etcd member

Problem:
Existing member clientURLs were checked if they contain the joining
node's IP. In some edge cases this would prune valid URLs when the
joining IP is a substring match of the only existing member's IP.
Because of this, it was impossible to e.g. join 10.0.0.2 to an existing
node that has an IP of 10.0.0.2X or 10.0.0.2XX:

level=fatal msg="starting kubernetes: preparing server: start managed database:
joining etcd cluster: etcdclient: no available endpoints"

Solution:
Fixed by properly parsing the URLs and comparing the IPs for equality
instead of substring match.

Signed-off-by: Malte Starostik <info@stellaware.de>
2021-08-12 15:59:04 -07:00
Derek Nola a1e36153f9
Added locking system for integration tests (#3820)
* Added locking system for integration tests
Signed-off-by: dereknola <derek.nola@suse.com>
2021-08-10 16:22:12 -07:00