Commit Graph

3267 Commits (984151745723c9aad95161fdd7cd466d8bc219d6)

Author SHA1 Message Date
Manuel Buil 6a8de31a92
Fix default ipv6 cidr (#5467)
Signed-off-by: Manuel Buil <mbuil@suse.com>
2022-04-20 08:41:41 -07:00
Derek Nola 3307d53f8f
E2E Validation Improvements (#5444)
* Add basic none option EXTERNAL_DB, uses internal sqlite

* Move to Leap as default

Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-04-18 09:41:43 -07:00
Sakala Venkata Krishna Rohit 3e3549e45c
Add s390x arch support for k3s (#5018)
* Update docs to include s390x arch

Signed-off-by: Venkata Krishna Rohit Sakala <rohitsakala@gmail.com>

* Add s390x drone pipeline

Signed-off-by: Venkata Krishna Rohit Sakala <rohitsakala@gmail.com>

* Install trivy linux arch only for amd64

This is done so that trivy is not installed for s390x arch

Signed-off-by: Venkata Krishna Rohit Sakala <rohitsakala@gmail.com>

* Add s390x arch if condition for Dockerfile.test

Signed-off-by: Venkata Krishna Rohit Sakala <rohitsakala@gmail.com>

* Add s390x arch in install script

Signed-off-by: Venkata Krishna Rohit Sakala <rohitsakala@gmail.com>

* Add s390x GOARCH in build script

Signed-off-by: Venkata Krishna Rohit Sakala <rohitsakala@gmail.com>

* Add SUFFIX s390x in scripts

Signed-off-by: Venkata Krishna Rohit Sakala <rohitsakala@gmail.com>

* Skip image scan for s390x arch

Signed-off-by: Venkata Krishna Rohit Sakala <rohitsakala@gmail.com>

* Update klipper-lb to version v0.3.5

Signed-off-by: Venkata Krishna Rohit Sakala <rohitsakala@gmail.com>

* Update traefik version to v2.6.2

Signed-off-by: Venkata Krishna Rohit Sakala <rohitsakala@gmail.com>

* Update registry to v2.8.1 in tests which supports s390x

Signed-off-by: Venkata Krishna Rohit Sakala <rohitsakala@gmail.com>

* Skip compact tests for s390x arch

This is done because compact test require a previous k3s version which supports s390x and it is not available

Signed-off-by: Venkata Krishna Rohit Sakala <rohitsakala@gmail.com>
2022-04-15 09:41:40 -07:00
Brad Davidson 7760e2177a Bump etcd to 3.5.3-k3s1
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-15 01:53:18 -07:00
Brad Davidson b12cd62935 Move IPv4/v6 selection into helpers
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-15 01:02:42 -07:00
Brad Davidson 7e447692c5 Fix issue with RKE2 servers hanging on listing apiserver addresses
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-15 01:02:42 -07:00
Brad Davidson 5b2c14b123 Print a helpful error when trying to join additional servers but etcd is not in use
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-15 01:02:42 -07:00
Brad Davidson 99851b0f84 Use core constants for cert user/group values
Also update cert gen to ensure leaf certs are regenerated if other key fields change.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-15 01:02:42 -07:00
Brad Davidson f4336186f3 Bump containerd to v1.5.11-k3s1
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-14 15:13:31 -07:00
Derek Nola 809f0cf05b
Added option to deploy hardened k3s (#5415)
Added option to deploy hardened k3s

Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-04-14 15:00:48 -07:00
Terry Cain b6e71ef990 Added support for repeated extra arguments
Problem:
Specifying extra arguments for the API server for example is not supported as
the arguments get stored in a map before being passed to the API server.

Solution:
Updated the GetArgs function to store the arguments in a map that can have
multiple values. Some more logic is added so that repeated extra arguments
retain their order when sorted whilst overall the arguments can still be
sorted for improved readability when logged.

Support has been added for prefixing and suffixing default argument values
by using -= and += when specifying extra arguments.

Signed-off-by: Terry Cain <terry@terrys-home.co.uk>
2022-04-14 13:59:57 -07:00
Dirk Mueller 9d2281a8db
update sonobuoy to 0.56.4 (#5419)
This appears to be fixing the CI testing in local testing.

Signed-off-by: Dirk Müller <dirk@dmllr.de>
2022-04-14 13:29:47 -07:00
Derek Nola 3bd7cdfa1b
Bump Reencryption Test timeout, improve comments (#5431)
* Bump timeout, improve comments

Signed-off-by: Derek Nola <derek.nola@suse.com>

* codespell

Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-04-14 11:46:37 -07:00
Roberto Bonafiglia e4d2824fb6
Merge pull request #5420 from rbrtbnfgl/etcd-default-endpoint
Added default endpoint for IPv6
2022-04-14 18:50:12 +02:00
Roberto Bonafiglia 9c9adda61b Added default endpoint for IPv6
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-04-14 09:58:40 +02:00
Roberto Bonafiglia dfb779d09d
Merge pull request #5422 from rbrtbnfgl/fix-flannel-backend-help
Fixed flannel backend helper text
2022-04-14 09:06:40 +02:00
Dirk Müller fa0fa8b1d0 Update golangci-lint to 1.45.2
This requires a further set of gofmt -s improvements to the
code, but nothing major. golangci-lint 1.45.2 brings golang 1.18
support which might be needed in the future.

Signed-off-by: Dirk Müller <dirk@dmllr.de>
2022-04-13 14:48:42 -07:00
ShylajaDevadiga 5cb4894a50
fixes and updates to jenkinsfile (#5370)
Signed-off-by: Shylaja Devadiga <shylaja.devadiga@suse.com>
Signed-off-by: Shylaja Devadiga <shylaja@rancher.com>
2022-04-13 08:55:05 -07:00
Roberto Bonafiglia 8767395d40 Fixed flannel backend helper text
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-04-13 09:38:22 +02:00
Dirk Müller 6f8f6bb200 update trivy to 0.25.3
Signed-off-by: Dirk Müller <dirk@dmllr.de>
2022-04-12 14:21:53 -07:00
Deshi Xiao c1095dd015
fix: non-idiomatic returning of boolean expression (#5343)
should use 'return disables[baseName]' instead of 'if disables[baseName] { return true }; return false'

Signed-off-by: Deshi Xiao <xiaods@gmail.com>
2022-04-11 12:46:29 -07:00
Hussein Galal 483eadb59a
Add certificate rotation integration tests (#5393)
* Add certificate rotation integration tests

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix data dir in cert rotation

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix comments

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix comments

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2022-04-08 20:03:31 +02:00
Manuel Buil dcab6f14a4
Merge pull request #5398 from manuelbuil/update_helm_controller
Update helm-controller version
2022-04-08 15:06:43 +02:00
Manuel Buil 5a024cb91d Update helm-controller version
Signed-off-by: Manuel Buil <mbuil@suse.com>
2022-04-08 12:01:42 +02:00
Roberto Bonafiglia 2037e9179a
Merge pull request #5391 from rbrtbnfgl/wireguard-update
Add wireguard native flannel backend
2022-04-08 09:13:04 +02:00
Brad Davidson f37e7565b8 Move the apiserver addresses controller into the etcd package
This controller only needs to run when using managed etcd, so move it in
with the rest of the etcd stuff. This change also modifies the
controller to only watch the Kubernetes service endpoint, instead of
watching all endpoints in the entire cluster.

Fixes an error message revealed by use of a newer grpc client in
Kubernetes 1.24, which logs an error when the Put to etcd failed because
kine doesn't support the etcd Put operation. The controller shouldn't
have been running without etcd in the first place.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-07 11:28:15 -07:00
Roberto Bonafiglia f04c602c07 Updated wireguard-native options and added log message
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-04-07 19:31:21 +02:00
Roberto Bonafiglia 47abaf362e Added new flannel backend to use wireguard from flannel
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-04-07 19:31:13 +02:00
Brad Davidson 2a429aac65 Fix crash on early snapshot
Don't attempt to retrieve snapshot metadata configmap if the apiserver
isn't available. This could be triggered if the cron expression caused a
snapshot to be triggered before the apiserver is up.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-07 09:23:34 -07:00
Michal Rostecki 9350016de8
Merge pull request #5387 from vadorovsky/kube-router-dual-stack
netpol: Add dual-stack support
2022-04-07 11:24:38 +02:00
Brad Davidson 0bf7c09569 Don't print password conversion rate
Avoids divide-by-zero when the password file is empty

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-06 15:55:45 -07:00
Brad Davidson 49544e0d49 Allow agents to query non-apiserver supervisors for apiserver endpoints
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-06 13:03:14 -07:00
Brad Davidson af0b496ef3 Add client certificate authentication support to core Authenticator
This is required to make the websocket tunnel server functional on
etcd-only nodes, and will save some code on the RKE2 side once pulled
through.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-06 13:03:14 -07:00
Brad Davidson e7437d4ad8 Redact datastore and etcd snapshot config from serialization
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-06 13:03:14 -07:00
Michal Rostecki c707948adf netpol: Add dual-stack support
This change allows to define two cluster CIDRs for compatibility with
Kubernetes dual-stuck, with an assumption that two CIDRs are usually
IPv4 and IPv6.

It does that by levearaging changes in out kube-router fork, with the
following downstream release:

https://github.com/k3s-io/kube-router/releases/tag/v1.3.2%2Bk3s

Signed-off-by: Michal Rostecki <vadorovsky@gmail.com>
2022-04-06 14:43:09 +02:00
Euan Kemp c2e846dc16 Allow using flannel wireguard backend in a custom config
Ideally we'd have fully fleshed out support for it (i.e. #5011), but
that's a potentially breaking change and taking a little while to merge.

This is a much simpler change which won't break anything, but will allow
a "Type": "wireguard" reference in the "--flannel-conf" custom config
file to work.

Signed-off-by: Euan Kemp <euank@euank.com>
2022-04-05 09:44:26 -07:00
Roberto Bonafiglia 4afeb9c5c7
Merge pull request #5325 from rbrtbnfgl/fix-etcd-ipv6-url
Fixed etcd URL in case of IPv6 address
2022-04-05 09:55:42 +02:00
Roberto Bonafiglia 0746dde758 Fixed http URL on etcd
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-03-31 14:24:59 +02:00
Roberto Bonafiglia 06c779c57d Fixed loadbalancer in case of IPv6 addresses
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-03-31 11:49:30 +02:00
Roberto Bonafiglia b66974145c Fixed etcd register
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-03-30 18:23:30 +02:00
Luther Monson 313aaca547
Merge pull request #5361 from luthermonson/fix-containerd-npipe
[master] Wrap containerd.New
2022-03-30 07:35:50 -07:00
Roberto Bonafiglia e29771b9ff Fixed client URL
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-03-30 10:59:39 +02:00
Brad Davidson 62cc1ed24f Skip setting up client tls when etcd server does not have tls enabled
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-30 01:03:41 -07:00
Luther Monson 13191da58a add a wrapper around the containerd.New call to fix and pass the proper npipe connector
Signed-off-by: Luther Monson <luther.monson@gmail.com>
2022-03-29 18:06:48 -07:00
Roberto Bonafiglia dda409b041 Updated localhost address on IPv6 only setup
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-03-29 09:35:54 +02:00
Brad Davidson 1339626a5b Defragment etcd datastore before clearing alarms
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-28 09:27:59 -07:00
Brad Davidson e811689df9 Fix etcd-only secrets encryption rotation
Improve feedback when running secrets-encrypt commands on etcd-only nodes, and
allow etcd-only nodes to properly restart when effecting rotation.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-25 10:40:58 -07:00
Michal Rostecki dd541e8557
Merge pull request #5315 from vadorovsky/vagrant-ipv6
vagrant: Enable IPv6 and IP forwarding, set NFS options
2022-03-25 12:52:53 +01:00
Brad Davidson d25ae8fbc2 Properly attach secrets-encrypt events to the node resource
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-23 16:01:21 -07:00
Brad Davidson 965d0a08ef Fix log spam due to servicelb event recorder namespace conflict
Don't hardcode the event namespace when creating event recorders; some controllers want to create events in other namespaces.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-23 16:01:21 -07:00