Commit Graph

426 Commits (984151745723c9aad95161fdd7cd466d8bc219d6)

Author SHA1 Message Date
Brad Davidson 5c99bdd9bd Pin images instead of locking layers with lease
Layer leases never did what we wanted anyways, and this is the new approved interface for ensuring that images do not get GCd

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-01-09 15:23:05 -08:00
Manuel Buil 6330e26bb3 Wait for taint to be gone in the node before starting the netpol controller
Signed-off-by: Manuel Buil <mbuil@suse.com>
2024-01-08 12:04:18 +01:00
Lex Rivera 5fe074b540
Add more paths to crun runtime detection (#9086)
* add usr/local paths for crun detection

Signed-off-by: Lex Rivera <me@lex.io>
2024-01-04 16:51:13 -08:00
Brad Davidson c45524e662 Add support for containerd cri registry config_path
Render cri registry mirrors.x.endpoints and configs.x.tls into config_path; keep
using mirrors.x.rewrites and configs.x.auth those do not yet have an
equivalent in the new format.

The new config file format allows disabling containerd's fallback to the
default endpoint when using mirror endpoints; a new CLI flag is added to
control that behavior.

This also re-shares some code that was unnecessarily split into parallel
implementations for linux/windows versions. There is probably more work
to be done on this front but it's a good start.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-01-04 16:50:26 -08:00
Brad Davidson db7091b3f6 Handle logging flags when parsing kube-proxy args
Also adds a test to ensure this continues to work.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-01-04 16:23:03 -08:00
Pierre bbd68f3a50
Rebase & Squash (#9070)
Signed-off-by: Yodo <pierre@azmed.co>
2024-01-02 12:05:36 -08:00
Hussein Galal 9411196406
Update flannel to v0.24.0 and remove multiclustercidr flag (#9075)
* update flannel to v0.24.0

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* remove multiclustercidr flag

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

---------

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2023-12-20 00:25:38 +02:00
Hussein Galal 7101af36bb
Update Kubernetes to v1.29.0+k3s1 (#9052)
* Update to v1.29.0

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Update to v1.29.0

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Update go to 1.21.5

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* update golangci-lint

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* update flannel to 0.23.0-k3s1

This update uses k3s' fork of flannel to allow the removal of
multicluster cidr flag logic from the code

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix flannel calls

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* update cri-tools to version v1.29.0-k3s1

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Remove GOEXPERIMENT=nounified from arm builds

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Skip golangci-lint

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Fix setup logging with newer go version

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Move logging flags to components arguments

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* add sysctl commands to the test script

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Update scripts/test

Signed-off-by: Brad Davidson <brad@oatmail.org>

* disable secretsencryption tests

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

---------

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
Signed-off-by: Brad Davidson <brad@oatmail.org>
Co-authored-by: Brad Davidson <brad@oatmail.org>
2023-12-19 05:14:02 +02:00
Vitor Savian 03532f7c0b Added runtime classes for crun/wasm/nvidia
Signed-off-by: Vitor Savian <vitor.savian@suse.com>

Added default runtime flag

Signed-off-by: Vitor Savian <vitor.savian@suse.com>
2023-12-08 15:49:28 -03:00
Brad Davidson 6c544a4679 Add jitter to client config retry
Also:
* Replaces labeled for/continue RETRY loops with wait helpers for improved readability
* Pulls secrets and nodes from cache for node password verification
* Migrate nodepassword tests to wrangler mocks for better code reuse

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-11-16 09:53:28 -08:00
Oliver Larsson 30c8ad926d QoS-class resource configuration
Problem:
Configuring qos-class features in containerd requres a custom containerd configuration template.

Solution:
Look for configuration files in default locations and configure containerd to use them if they exist.

Signed-off-by: Oliver Larsson <larsson.e.oliver@gmail.com>
2023-11-14 15:53:14 -08:00
Manuel Buil 8f7a8b23b7 Improve dualStack log
Signed-off-by: Manuel Buil <mbuil@suse.com>
2023-11-14 10:50:37 +01:00
Flavio Castelli ba5fcf13fc
Wasm shims and runtimes detection
Create a generic helper function that finds extra containerd runtimes.
The code was originally inside of the nvidia container discovery file.

Signed-off-by: Flavio Castelli <fcastelli@suse.com>

Discover the containerd shims based on runwasi that are already
available on the node.

The runtimes could have been installed either by a package manager or by
the kwasm operator.

Signed-off-by: Flavio Castelli <fcastelli@suse.com>

The containerd configuration on a Linux system now handles the nvidia
and the WebAssembly runtimes.

Signed-off-by: Flavio Castelli <fcastelli@suse.com>

---------

Signed-off-by: Flavio Castelli <fcastelli@suse.com>
2023-11-13 14:43:41 -08:00
Texot f575a05be2
fix: Access outer scope .SystemdCgroup (#8761)
Signed-off-by: Texot <tete1030@gmail.com>
2023-11-02 10:47:16 -07:00
Sean Yen 0c9bf36fe0
[K3s][Windows Port] Build script, multi-call binary, and Flannel (#7259)
* initial windows port.

Signed-off-by: Sean Yen <seanyen@microsoft.com>
Signed-off-by: Derek Nola <derek.nola@suse.com>
Co-authored-by: Derek Nola <derek.nola@suse.com>
Co-authored-by: Wei Ran <weiran@microsoft.com>
2023-10-16 14:53:09 -04:00
Roberto Bonafiglia 1ffb4603cd Use IPv6 in case is the first configured IP with dualstack
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2023-10-13 10:23:31 +02:00
Roberto Bonafiglia ced25af5b1 Fixed tailscale node IP dualstack mode in case of IPv4 only node
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2023-10-09 15:17:33 +02:00
Manuel Buil f2c7117374 Take IPFamily precedence based on order
Signed-off-by: Manuel Buil <mbuil@suse.com>
2023-09-29 11:04:15 +02:00
Brad Davidson 0e5c760625 Pass SystemdCgroup setting through to nvidia runtime options
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-09-27 13:30:26 -07:00
Edgar Lee fe18b1fce9
Add --image-service-endpoint flag (#8279)
* Add --image-service-endpoint flag

Problem:
External container runtime can be set but image service endpoint is unchanged
and also is not exposed as a flag. This is useful for using containerd
snapshotters outside of the ones that have built-in support like
stargz-snapshotter.

Solution:
Add a flag --image-service-endpoint and also default image service endpoint to
container runtime endpoint if set.

Signed-off-by: Edgar Lee <edgarhinshunlee@gmail.com>
2023-09-27 13:20:50 -07:00
Manuel Buil cae8b2b626
Merge pull request #8346 from manuelbuil/interfaceLogs
Include the interface name in the error message
2023-09-25 16:50:01 +02:00
Manuel Buil 3194dc7367
Merge pull request #8284 from manuelbuil/improveFlannelLogging
Add context to flannel errors
2023-09-25 08:20:33 +02:00
Manuel Buil 8c197bdce4 Include the interface name in the error message
Signed-off-by: Manuel Buil <mbuil@suse.com>
2023-09-25 07:55:49 +02:00
Manuel Buil 66cb1064d1 Add context to flannel errors
Signed-off-by: Manuel Buil <mbuil@suse.com>
2023-09-07 14:09:22 +02:00
Manuel Buil d3f7632463 Fix error reporting
Signed-off-by: Manuel Buil <mbuil@suse.com>
2023-08-31 17:20:14 +02:00
Derek Nola ced330c66a
[v1.28] CLI Removal for v1.28.0 (#8203)
* Remove deprecated flannel ipsec

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Remove multipart backend

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Fix secrets-encryption integration test flakiness

Signed-off-by: Derek Nola <derek.nola@suse.com>

---------

Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-08-24 22:09:13 -07:00
Manuel Buil 8c38d1169d
Merge pull request #8077 from manuelbuil/fixTailscale
Fix tailscale bug with ip modes
2023-08-02 11:42:20 +02:00
Derek Nola 46cbbab263
Consolidate CopyFile functions (#8079)
* Consolidate CopyFile function

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Copy to File, not destination folder

Signed-off-by: Derek Nola <derek.nola@suse.com>

---------

Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-08-01 08:55:34 -07:00
Manuel Buil 59eec78c62 Fix tailscale bug with ip modes
Signed-off-by: Manuel Buil <mbuil@suse.com>
2023-08-01 09:43:25 +02:00
Simon Kirsten 546dc247a0
Add support for `{{ template "base" . }}` in etc/containerd/config.toml.tmpl (#7991)
Signed-off-by: Simon Kirsten <simonkirsten24@gmail.com>
2023-07-31 16:36:23 -04:00
Denys Smirnov b9a2bf11ee Support setting control server URL for Tailscale.
This change enables the use of Headscale - open source implementation of the Tailscale control server.

Signed-off-by: Denys Smirnov <dennwc@pm.me>
2023-07-07 10:49:01 +03:00
Manuel Buil 6c44b06e0a
Merge pull request #7838 from manuelbuil/ipv4ipv6tailscale
Check if we are on ipv4, ipv6 or dualStack when doing tailscale
2023-07-06 11:11:26 +02:00
Manuel Buil bca0adbca8 Fix code spell check
Signed-off-by: Manuel Buil <mbuil@suse.com>
2023-07-04 13:02:06 +02:00
Brad Davidson 7f50b40cfe Fall back to basic/bearer auth when node identity auth is rejected
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-07-03 16:20:50 -07:00
Manuel Buil f21a01474d Check if we are on ipv4, ipv6 or dualStack when doing tailscale
Signed-off-by: Manuel Buil <mbuil@suse.com>
2023-07-03 10:48:59 +02:00
guoguangwu 2215870d5d chore: pkg imported more than once
Signed-off-by: guoguangwu <guoguangwu@magic-shield.com>
2023-06-26 16:58:11 -07:00
Manuel Buil 869e030bdd VPN PoC
Signed-off-by: Manuel Buil <mbuil@suse.com>
2023-06-09 12:39:33 +02:00
Manuel Buil 4aafff0219 Wrap error stating that it is coming from netpol
Signed-off-by: Manuel Buil <mbuil@suse.com>
2023-05-12 19:33:25 +02:00
Brad Davidson cedefeff24 Bump cni plugins to v1.2.0-k3s1
Also add bandwidth and firewall plugins. The bandwidth plugin is
automatically registered with the appropriate capability, but the
firewall plugin must be configured by the user if they want to use it.

Ref: https://www.cni.dev/plugins/current/meta/firewall/

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-05-04 13:58:42 -07:00
Brad Davidson f1b6a3549c Fix stack log on panic
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-04-28 11:24:34 -07:00
Brad Davidson 31a6386994 Improve egress selector handling on agentless servers
Don't set up the agent tunnel authorizer on agentless servers, and warn when agentless servers won't have a way to reach in-cluster endpoints.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-04-28 11:24:34 -07:00
Derek Nola 944f811dc5
v1.27.1 CLI Deprecation (#7311)
* Remove Flannel Wireguard
* Remove etcd-snapshot (implicit save)
* Convert ipsec and multiple backend to fatal

Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-04-19 12:02:05 -07:00
Roberto Bonafiglia 3e3512bdae Updated kube-route version to move the iptables ACCEPT default rule at the end of the chain
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2023-04-06 09:55:34 +02:00
Brad Davidson 2992477c4b Debounce kubernetes service endpoint updates
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-04-04 12:02:22 -07:00
Brad Davidson ece4d8e45c Fix tests to not hide failure location in dummp assert functions
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-04-04 12:02:22 -07:00
Brad Davidson e54ceaa497 Fix issue with stale connections to removed LB server
Track LB connections through each server so that they can be closed when it is removed.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-04-04 12:02:22 -07:00
Roberto Bonafiglia 15ee88964b Added multiClusterCidr feature
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2023-03-14 18:30:52 +01:00
Daishan Peng b7f90f389c
Wait for kubelet port to be ready before setting (#7041)
* Wait for kubelet port to be ready before setting
* Wait for kubelet to update the Ready status before reading port

Signed-off-by: Daishan Peng <daishan@acorn.io>
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Co-authored-by: Brad Davidson <brad.davidson@rancher.com>
2023-03-13 13:48:02 -07:00
Derek Nola d218068f34
Adds a warning about editing to the containerd config.toml file (#7057)
* Add a warning to the config.toml file

Signed-off-by: Derek Nola <derek.nola@suse.com>
Co-authored-by: Brad Davidson <brad@oatmail.org>
2023-03-13 13:42:17 -07:00
Roberto Bonafiglia e098b99bfa
Update flannel and kube-router (#7039)
* Update kube-router version to fix iptables rules

Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>

* Update Flannel to v0.21.3

Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>

---------

Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2023-03-10 19:57:16 -08:00
Roberto Bonafiglia b8e69712a3 Updated flannel version to v0.21.0
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2023-02-10 23:03:10 +01:00
Paul Donohue 290d7e8fd1 Fix access to hostNetwork port on NodeIP when egress-selector-mode=agent
Signed-off-by: Paul Donohue <git@PaulSD.com>
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-10 09:43:34 -08:00
Brad Davidson 992e64993d Add support for kubeadm token and client certificate auth
Allow bootstrapping with kubeadm bootstrap token strings or existing
Kubelet certs. This allows agents to join the cluster using kubeadm
bootstrap tokens, as created with the `k3s token create` command.

When the token expires or is deleted, agents can successfully restart by
authenticating with their kubelet certificate via node authentication.
If the token is gone and the node is deleted from the cluster, node auth
will fail and they will be prevented from rejoining the cluster until
provided with a valid token.

Servers still must be bootstrapped with the static cluster token, as
they will need to know it to decrypt the bootstrap data.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-07 14:55:04 -08:00
Brad Davidson 3c324335b2 Add utility functions for getting kubernetes client
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-06 15:09:31 -08:00
Derek Nola 0d4caf4e24
Wait for cri-dockerd socket (#6812)
* Wait for cri-dockerd socket
* Consolidate cri utility functions

Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-01-27 13:16:59 -08:00
Brad Davidson 3cb6fa5cc7 Set cri-dockerd version at build time
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-01-26 14:32:28 -08:00
Brad Davidson 89f7062431 Add build tag to disable cri-dockerd
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-01-26 14:29:18 -08:00
Brad Davidson f54b5e4fa0 Fix CI tests
* General cleanup of test-helpers functions to address CI failures
* Install awscli in test image
* Log containerd output to file even when running with --debug

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-01-13 17:22:25 -08:00
Brad Davidson 0c9b43746b Preload iptable_filter/ip6table_filter
ServiceLB now requires this module, but it will not get autoloaded by the kubelet if the host is using nftables.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-12-13 12:51:00 -08:00
Hussein Galal f8b661d590
Update to v1.26.0-k3s1 (#6370)
* Update to v1.26.0-alpha.2

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* go generate

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Default CURRENT_VERSION to VERSION_TAG for alpha versions

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* remove containerd package

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Update k8s to v1.26.0-rc.0-k3s1 cri-tools cri-dockerd and cadvisor

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* replace cri-api reference to the new api

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* go mod tidy

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Fix version script to allow rc and alphas

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Fix version script to allow rc and alphas

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Fix version script to allow rc and alphas

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Update to Kubernetes 1.26.0-rc.1

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

* Undo helm-controller pin

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

* Bump containerd to -k3s2 for stargz fix

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

* DevicePlugins featuregate is locked to on

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

* Bump kine for DeleteRange fix

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

* Update to v1.26.0-k3s1

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* go mod tidy

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Bring back snapshotter checks and update golang to 1.19.4

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix windows containerd snapshotter checks

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Co-authored-by: Brad Davidson <brad.davidson@rancher.com>
2022-12-10 01:42:15 +02:00
Derek Nola d723775792
Remove deprecated flags in v1.26 (#6574)
* Remove NoFlannel
* Remove cluster-secret
* Remove no-deploy
* Remove disable-selinux
* Convert wireguard to fatal error
* Remove reference to no-op K3S_CLUSTER_SECRET

Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-12-05 14:01:01 -08:00
Brad Davidson 2835368ecb Bump k3s-root and remove embedded strongswan support
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-12-01 12:40:40 -08:00
Manuel Buil 1beecb2e2d
Merge pull request #6531 from manuelbuil/fixLogs
Fix log for flannelExternalIP use case
2022-11-22 16:54:26 +01:00
Brad Davidson 6f2b21c5cd Add rootless IPv6 support
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-11-21 15:23:30 -08:00
Manuel Buil 5188443988 Fix log for flannelExternalIP use case
Signed-off-by: Manuel Buil <mbuil@suse.com>
2022-11-21 17:10:35 +01:00
thomasferrandiz b7d217dbf3
Merge pull request #6405 from thomasferrandiz/log-kube-router-version
log kube-router version when starting netpol controller
2022-11-04 11:07:37 +01:00
Manuel Buil 8aff25e192
Merge pull request #6403 from manuelbuil/logsFlannelExternalIP
Avoid wrong config for `flannel-external-ip` and add warning if unencrypted backend
2022-11-04 09:47:30 +01:00
Manuel Buil 1682172ac1 Add some helping logs to avoid wrong configs
Signed-off-by: Manuel Buil <mbuil@suse.com>
2022-11-03 18:09:17 +01:00
Roberto Bonafiglia 87c7ea81f0 Updated flannel version to 0.20.1
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-11-03 17:49:26 +01:00
Thomas Ferrandiz 68ac954489 log kube-router version when starting netpol controller
Signed-off-by: Thomas Ferrandiz <thomas.ferrandiz@suse.com>
2022-11-03 12:26:50 +01:00
Petri Kivikangas 6156059136 Convert containerd config.toml.tmpl Linux template to v2 syntax
Signed-off-by: Petri Kivikangas <36138+Kitanotori@users.noreply.github.com>
2022-10-27 16:55:03 -07:00
Brad Davidson 76729d813b Set default kubeletPort
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-10-26 15:08:13 -07:00
Brad Davidson 269563e4d2 Check for RBAC before starting tunnel controllers
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-10-26 15:08:13 -07:00
Brad Davidson f2585c1671 Add --flannel-external-ip flag
Using the node external IP address for all CNI traffic is a breaking change from previous versions; we should make it an opt-in for distributed clusters instead of default behavior.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-10-24 10:10:49 -07:00
Derek Nola 06d81cb936
Replace deprecated ioutil package (#6230)
* Replace ioutil package
* check integration test null pointer
* Remove rotate retries

Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-10-07 17:36:57 -07:00
Brad Davidson b411864be5 Handle custom kubelet port in agent tunnel
The kubelet port can be overridden by users; we shouldn't assume its always 10250

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-10-05 21:10:38 -07:00
Manuel Buil 5164cf5345 Add flannel-external-ip when there is a k3s node-external-ip
Signed-off-by: Manuel Buil <mbuil@suse.com>
2022-09-26 16:24:00 +02:00
Roberto Bonafiglia 26e9405767 Added warning message for flannel backend additional options deprecation
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-09-09 20:04:04 +02:00
Derek Nola cd49101fc8
Convert deprecated flags to fatal errors for v1.25 (#6069)
* Replace warning with fatal errors.
* Group system-default-registry under (agent/runtime)

Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-09-01 09:33:59 -07:00
Roberto Bonafiglia a30971efaa Updated flannel to v0.19.1
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-08-08 09:57:56 +02:00
Brad Davidson 4aca21a1f1 Add cri-dockerd support as backend for --docker flag
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-08-05 02:39:25 -07:00
Brad Davidson b1fa63dfb7 Revert "Remove --docker/dockershim support"
This reverts commit 4a3d283bc1.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-08-05 02:39:25 -07:00
Roberto Bonafiglia d90ba30353 Added NodeIP autodect in case of dualstack connection
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-08-04 09:54:45 +02:00
Derek Nola 118a68c913
Updates to CLI flag grouping + deprecated flag warnings. (#5937)
* Consolidate data dir flag
* Group cluster flags together
* Reorder and group agent flags
* Add additional info around vmodule flag
* Hide deprecated flags, and add warning about their removal

Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-08-02 13:51:16 -07:00
Brad Davidson db2ba7b61d Don't enable unprivileged ports and icmp on old kernels
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-07-28 14:33:20 -07:00
Brad Davidson bd5fdfce33 Fix server systemd detection
* Use INVOCATION_ID to detect execution under systemd, since as of a9b5a1933f NOTIFY_SOCKET is now cleared by the server code.
* Set the unit type to notify by default for both server and agent, which is what Rancher-managed installs have done for a while.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-07-21 13:42:20 -07:00
Brad Davidson afee83dda2 Bump remotedialer
Includes fix for recently identified memory leak.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-07-07 12:22:37 -07:00
Olli Janatuinen 2968a83bc0 containerd: Enable enable_unprivileged_ports and enable_unprivileged_icmp by default
Signed-off-by: Olli Janatuinen <olli.janatuinen@gmail.com>
2022-06-15 14:49:51 -07:00
Brad Davidson 3399afed83 Ensure that CONTAINERD_ variables are not shadowed by later entries
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-06-15 10:58:12 -07:00
Derek Nola a9b5a1933f
Delay service readiness until after startuphooks have finished (#5649)
* Move startup hooks wg into a runtime pointer, check before notifying systemd
* Switch default systemd notification to server
* Add 1 sec delay to allow etcd to write to disk
Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-06-15 09:00:52 -07:00
Roberto Bonafiglia a693071c74
Merge pull request #5552 from sjoerdsimons/sjoerd/flannel-wireguard-mode
Add cli flag for flannel wireguard mode
2022-06-15 14:28:21 +02:00
Manuel Buil d4522de06a
Merge pull request #5656 from manuelbuil/AddFlannelCniConfFile
Add FlannelCNIConf flag
2022-06-14 10:23:51 +02:00
Brad Davidson b550e1183a Remove control-plane egress context and fix agent mode.
The control-plane context handles requests outside the cluster and
should not be sent to the proxy.

In agent mode, we don't watch pods and just direct-dial any request for
a non-node address, which is the original behavior.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-06-10 10:14:15 -07:00
Brad Davidson d3242bea3c Refactor egress-selector pods mode to watch pods
Watching pods appears to be the most reliable way to ensure that the
proxy routes and authorizes connections.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-06-08 09:34:53 -07:00
Manuel Buil c705d34804 Add FlannelConfCNI flag
Signed-off-by: Manuel Buil <mbuil@suse.com>
2022-06-08 11:03:17 +02:00
Sjoerd Simons 8643576985 Add ability to pass configuration options to flannel backend
Allow the flannel backend to be specified as
backend=option=val,option2=val2 to select a given backend with extra options.

In particular this adds the following options to wireguard-native
backend:
* Mode - flannel wireguard tunnel mode
* PersistentKeepaliveInterval- wireguard persistent keepalive interval

Signed-off-by: Sjoerd Simons <sjoerd@collabora.com>
2022-06-07 20:13:28 +02:00
Brad Davidson 9d7230496d Add support for configuring the EgressSelector mode
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-05-18 13:26:10 -07:00
Brad Davidson 4a3d283bc1 Remove --docker/dockershim support
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-05-11 14:39:07 -07:00
Brad Davidson c8447dca56 Bump golang to 1.18.1
Also update all use of 'go get' => 'go install', update CI tooling for
1.18 compatibility, and gofmt everything so lint passes.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-05-11 14:39:07 -07:00
Brad Davidson e6385b2341 Update CNI version in config file
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-05-11 14:39:07 -07:00