Commit Graph

1435 Commits (9bd48b1a3f26eeb20582f4c5bd26aa53ec55939d)

Author SHA1 Message Date
Brad Davidson f2961fb5d2 Add workaround for containerd hosts.toml bug
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-04-03 20:47:54 -07:00
Brad Davidson 7f659759dd Add certificate expiry check and warnings
* Add ADR
* Add `k3s certificate check` command.
* Add periodic check and events when certs are about to expire.
* Add metrics for certificate validity remaining, labeled by cert subject

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-03-28 12:05:21 -07:00
Derek Nola 6a42c6fcfe
Remove old pinned dependencies (#9806)
Signed-off-by: Derek Nola <derek.nola@suse.com>
2024-03-28 10:09:48 -07:00
Derek Nola 14f54d0b26
Transition from deprecated pointer library to ptr (#9801)
Signed-off-by: Derek Nola <derek.nola@suse.com>
2024-03-28 10:07:02 -07:00
Vitor Savian 5d69d6e782 Add tls for kine
Signed-off-by: Vitor Savian <vitor.savian@suse.com>

Bump kine

Signed-off-by: Vitor Savian <vitor.savian@suse.com>

Add integration tests for kine with tls

Signed-off-by: Vitor Savian <vitor.savian@suse.com>
2024-03-28 11:12:07 -03:00
Brad Davidson c51d7bfbd1 Add health-check support to loadbalancer
* Adds support for health-checking loadbalancer servers. If a
  health-check fails when dialing, all existing connections to the
  server will be closed.
* Wires up a remotedialer tunnel connectivity check as the health check
  for supervisor/apiserver connections.
* Wires up a simple ping request to the supervisor port as the health
  check for etcd connections.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-03-27 16:50:27 -07:00
Brad Davidson edb0440017 Fix etcd snapshot reconcile for agentless nodes
Disable cleanup of orphaned snapshots and patching of node annotations if running agentless

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-03-27 16:44:36 -07:00
Vitor Savian 3f649e3bcb Add a new error when kine is with disable apiserver or disable etcd
Signed-off-by: Vitor Savian <vitor.savian@suse.com>
2024-03-27 10:59:34 -03:00
Brad Davidson f099bfa508 Fix error when image has already been pulled
CRI and containerd APIs disagree about the registry names - CRI supports
index.docker.io as an alias for docker.io, while containerd does not.
Use the actual stored RepoTag to determine what image to ask containerd for.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-03-26 16:19:40 -07:00
Brad Davidson 65cd606832 Respect cloud-provider fields set by kubelet
Don't clobber the providerID field and instance-type/region/zone labels if provided by the kubelet. This allows the user to set these to the correct values when using the embedded CCM in a real cloud environment.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-03-26 16:18:34 -07:00
Brad Davidson d7cdbb7d4d Send error response if member list cannot be retrieved
Prevents joining nodes from being stuck with bad initial member list if there is a transient failure, or if they try to join themselves

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-03-26 15:17:15 -07:00
Brad Davidson 7a2a2d075c Move error response generation code into util
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-03-26 15:17:15 -07:00
Brad Davidson bba3e3c66b Fix wildcard entry upstream fallback
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-03-12 23:31:16 -07:00
Brad Davidson fe2ca9ecf1 Warn and suppress duplicate registry mirror endpoints
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-03-07 16:30:06 -08:00
Brad Davidson 2a091a693a Bump metrics-server to v0.7.0
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-03-07 12:45:29 -08:00
Roberto Bonafiglia 88c431aea5 Adjust first node-ip based on configured clusterCIDR
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2024-03-06 11:10:41 +01:00
Vitor Savian 59c724f7a6 Fix wildcard with embbeded registry test
Signed-off-by: Vitor Savian <vitor.savian@suse.com>
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-03-05 14:38:36 -08:00
Flavio Castelli 64e4f0e6e7 fix: use correct wasm shims names
Fix the wasm shim detection and the containerd configuration generation.

Prior to this commit, the binary and the `RuntimeType` values were not
correct.

Signed-off-by: Flavio Castelli <fcastelli@suse.com>
2024-03-05 13:12:08 -08:00
Brad Davidson 091a5c8965 Don't register embedded registry address as an upstream registry
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-03-04 15:11:26 -08:00
Brad Davidson b5a4846e9d Remove filtering of wildcard mirror entry
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-03-04 15:11:26 -08:00
Brad Davidson 84a071a81e Add env var to allow spegel mirroring of `latest` tag
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-03-04 15:11:26 -08:00
Philip Laine 26feb25c40 Bump spegel to v0.0.18-k3s4
Signed-off-by: Philip Laine <philip.laine@gmail.com>
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-03-04 15:11:26 -08:00
Brad Davidson 0b3593205a Move snapshot-retention to EtcdSnapshotFlags in order to support loading from config
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-03-04 12:09:29 -08:00
Brad Davidson 3576ed4327 Clean up snapshotDir create/exists logic
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-03-04 12:09:29 -08:00
Brad Davidson b164d7a270 Fix additional corner cases in registries handling
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-03-04 11:59:33 -08:00
Brad Davidson 82432a2df7 Fix issue with etcd node name missing hostname
* Set ServerNodeName in snapshot CLI setup
* Raise errer if ServerNodeName ends up empty some other way
* Fix status controller to use etcd node name annotation instead of prefix checking

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-03-01 13:52:53 -08:00
Brad Davidson 513c3416e7 Tweak netpol node wait logs
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-03-01 12:01:34 -08:00
Brad Davidson be569f65a9 Fix NodeHosts on dual-stack clusters
* Add both dual-stack addresses to the node hosts file
* Add hostname to hosts file as alias for node name to ensure consistent resolution

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-03-01 11:59:59 -08:00
Edgar Lee 8c83b5e0f3 Rootless mode also bind service nodePort to host for LoadBalancer type
Signed-off-by: Edgar Lee <edgarhinshunlee@gmail.com>
2024-03-01 10:43:19 -08:00
Manuel Buil 3b4f13f28d Update klipper-lb image version
Signed-off-by: Manuel Buil <mbuil@suse.com>
2024-03-01 11:28:12 +01:00
Brad Davidson 86f102134e Fix netpol startup when flannel is disabled
Don't break out of the poll loop if we can't get the node, RBAC might not be ready yet.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-02-26 14:58:48 -08:00
Derek Nola fae41a8b2a Rename AgentReady to ContainerRuntimeReady for better clarity
Signed-off-by: Derek Nola <derek.nola@suse.com>
2024-02-21 12:21:19 -08:00
Derek Nola 91cc2feed2 Restore original order of agent startup functions
Signed-off-by: Derek Nola <derek.nola@suse.com>
2024-02-21 12:21:19 -08:00
Brad Davidson de825845b2 Bump kine and set NotifyInterval to what the apiserver expects
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-02-09 14:22:38 -08:00
Edgar Lee 0ac4c6a056 Expose rootless containerd socket directories for external access
Signed-off-by: Edgar Lee <edgarhinshunlee@gmail.com>
2024-02-09 14:22:03 -08:00
Edgar Lee 14c6c63b30 Expose rootless state dir under ~/.rancher/k3s/rootless
Signed-off-by: Edgar Lee <edgarhinshunlee@gmail.com>
2024-02-09 14:21:52 -08:00
Oleg Matskiv e3b237fc35 Don't verify the node password if the local host is not running an agent
Signed-off-by: Oleg Matskiv <oleg.matskiv@gmail.com>
2024-02-09 14:21:43 -08:00
Derek Nola fa11850563
Readd `k3s secrets-encrypt rotate-keys` with correct support for KMSv2 GA (#9340)
* Reorder copy order for caching
* Enable longer http timeout requests

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Setup reencrypt controller to run on all apiserver nodes
* Fix reencryption for disabling secrets encryption, reenable drone tests
2024-02-09 11:37:37 -08:00
Oliver Larsson cfc3a124ee
[Testing]: Test_UnitApplyContainerdQoSClassConfigFileIfPresent (Created) (#8945)
Problem:
Function not tested.

Solution:
Unit test added.

Signed-off-by: Oliver Larsson <larsson.e.oliver@gmail.com>
2024-02-09 11:28:06 -08:00
Harrison Affel a36cc736bc allow executors to define containerd and docker behavior
Signed-off-by: Harrison Affel <harrisonaffel@gmail.com>
2024-02-09 15:51:35 -03:00
Brad Davidson 753c00f30c Consistently handle component exit on shutdown
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-02-07 10:23:54 -08:00
Vitor Savian e9cec46a23 Runtimes refactor using exec.LookPath
Signed-off-by: Vitor Savian <vitor.savian@suse.com>
2024-02-07 15:06:16 -03:00
Vitor Savian f9ee66f4d8 Changed how lastHeartBeatTime works in the etcd condition
Signed-off-by: Vitor Savian <vitor.savian@suse.com>
2024-02-07 15:05:33 -03:00
Brad Davidson 8224a3a7f6 Fix ipv6 endpoint address selection for on-demand snapshots
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-02-06 18:02:36 -08:00
Brad Davidson 888f866dae Fix issue with coredns node hosts controller
The nodes controller was reading from the configmaps cache, but doesn't add any handlers, so if no other controller added configmap handlers, the cache would remain empty.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-02-06 18:02:06 -08:00
Brad Davidson 6ec1926f88 Add check for etcd-snapshot-dir and fix panic in Walk
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-02-06 17:47:33 -08:00
Brad Davidson 82e3c32c9f Retry startup snapshot reconcile
The reconcile may run before the kubelet has created the node object; retry until it succeeds

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-02-06 17:46:24 -08:00
Brad Davidson 4005600d4e Fix excessive retry on snapshot reconcile
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-02-06 17:46:24 -08:00
github-actions[bot] f249fcc2f1
Bump Local Path Provisioner version (#8953)
* chore: Bump Local Path Provisioner version
---------

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
2024-02-06 16:57:07 -06:00
Brad Davidson c635818956 Bump runc and helm-controller versions
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-02-01 18:51:51 -08:00
Brad Davidson 97a22632b9 gofmt config_test.go
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-02-01 18:51:51 -08:00
Brad Davidson 29848dea3d Fix issues with certs.d template generation
* Fix issue with bare host or IP as endpoint
* Fix issue with localhost registries not defaulting to http.
* Move the registry template prep to a separate function,
  and adds tests of that function so that we can ensure we're
  generating the correct content.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-02-01 12:09:13 -08:00
Vitor Savian 9a70021a9e Error getting node in setEtcdStatusCondition
Signed-off-by: Vitor Savian <vitor.savian@suse.com>

Added retry and changed nodes for

Signed-off-by: Vitor Savian <vitor.savian@suse.com>
2024-01-11 22:06:36 -03:00
Brad Davidson c87e6e5f7e Move proxy dialer out of init() and fix crash
* Fixes issue where proxy support only honored server address via K3S_URL, not CLI or config.
* Fixes crash when agent proxy is enabled, but proxy env vars do not return a proxy URL for the server address (server URL is in NO_PROXY list).
* Adds tests

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-01-11 16:12:15 -08:00
Brad Davidson 76fa022045 Enable network policy controller metrics
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-01-11 10:19:39 -08:00
Brad Davidson 37e9b87f62 Add embedded registry implementation
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-01-09 15:23:05 -08:00
Brad Davidson ef90da5c6e Add server CLI flag and config fields for embedded registry
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-01-09 15:23:05 -08:00
Brad Davidson 77846d63c1 Propagate errors up from config.Get
Fixes crash when killing agent while waiting for config from server

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-01-09 15:23:05 -08:00
Brad Davidson 16d29398ad Move registries.yaml load into agent config
Moving it into config.Agent so that we can use or modify it outside the context of containerd setup

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-01-09 15:23:05 -08:00
Brad Davidson 5c99bdd9bd Pin images instead of locking layers with lease
Layer leases never did what we wanted anyways, and this is the new approved interface for ensuring that images do not get GCd

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-01-09 15:23:05 -08:00
Vitor Savian 4a92ced8ee Handle etcd status condition when cluster reset and disable etcd
Signed-off-by: Vitor Savian <vitor.savian@suse.com>

Set condition if node is unhealthy

Signed-off-by: Vitor Savian <vitor.savian@suse.com>
2024-01-09 11:20:41 -03:00
Aofei Sheng 8d2c40cdac
Use `ipFamilyPolicy: RequireDualStack` for dual-stack kube-dns (#8984)
Signed-off-by: Aofei Sheng <aofei@aofeisheng.com>
2024-01-09 00:44:03 +02:00
Manuel Buil 6330e26bb3 Wait for taint to be gone in the node before starting the netpol controller
Signed-off-by: Manuel Buil <mbuil@suse.com>
2024-01-08 12:04:18 +01:00
Brad Davidson b297996b92 Add runtime checking of golang version
Forces other groups packaging k3s to intentionally choose to build k3s with an unvalidated golang version

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-01-04 17:22:46 -08:00
Lex Rivera 5fe074b540
Add more paths to crun runtime detection (#9086)
* add usr/local paths for crun detection

Signed-off-by: Lex Rivera <me@lex.io>
2024-01-04 16:51:13 -08:00
Brad Davidson c45524e662 Add support for containerd cri registry config_path
Render cri registry mirrors.x.endpoints and configs.x.tls into config_path; keep
using mirrors.x.rewrites and configs.x.auth those do not yet have an
equivalent in the new format.

The new config file format allows disabling containerd's fallback to the
default endpoint when using mirror endpoints; a new CLI flag is added to
control that behavior.

This also re-shares some code that was unnecessarily split into parallel
implementations for linux/windows versions. There is probably more work
to be done on this front but it's a good start.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-01-04 16:50:26 -08:00
Brad Davidson 319dca3e82 Fix nil map in full snapshot configmap reconcile
If a full reconcile wins the race against sync of an individual snapshot resource, or someone intentionally deletes the configmap, the data map could be nil and cause a crash.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-01-04 16:49:58 -08:00
Brad Davidson db7091b3f6 Handle logging flags when parsing kube-proxy args
Also adds a test to ensure this continues to work.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-01-04 16:23:03 -08:00
Brad Davidson 1e663622d2 Fix the OTHER log message that prints the wrong variable
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-01-04 15:23:39 -08:00
Brad Davidson a27d660a24 Add ServiceLB support for PodHostIPs FeatureGate
If the feature-gate is enabled, use status.hostIPs for dual-stack externalTrafficPolicy=Local support

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2024-01-02 16:00:09 -08:00
Derek Nola aca1c2fd11
Add a retry around updating a secrets-encrypt node annotations (#9039)
* Add a retry around updating a se node annotations

Signed-off-by: Derek Nola <derek.nola@suse.com>
2024-01-02 12:21:37 -08:00
Pierre bbd68f3a50
Rebase & Squash (#9070)
Signed-off-by: Yodo <pierre@azmed.co>
2024-01-02 12:05:36 -08:00
Derek Nola 3190a5faa2
Remove rotate-keys subcommand (#9079)
Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-12-20 12:26:41 -08:00
Hussein Galal 9411196406
Update flannel to v0.24.0 and remove multiclustercidr flag (#9075)
* update flannel to v0.24.0

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* remove multiclustercidr flag

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

---------

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2023-12-20 00:25:38 +02:00
Hussein Galal 7101af36bb
Update Kubernetes to v1.29.0+k3s1 (#9052)
* Update to v1.29.0

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Update to v1.29.0

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Update go to 1.21.5

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* update golangci-lint

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* update flannel to 0.23.0-k3s1

This update uses k3s' fork of flannel to allow the removal of
multicluster cidr flag logic from the code

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix flannel calls

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* update cri-tools to version v1.29.0-k3s1

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Remove GOEXPERIMENT=nounified from arm builds

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Skip golangci-lint

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Fix setup logging with newer go version

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Move logging flags to components arguments

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* add sysctl commands to the test script

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Update scripts/test

Signed-off-by: Brad Davidson <brad@oatmail.org>

* disable secretsencryption tests

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

---------

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
Signed-off-by: Brad Davidson <brad@oatmail.org>
Co-authored-by: Brad Davidson <brad@oatmail.org>
2023-12-19 05:14:02 +02:00
Brad Davidson 231cb6ed20
Remove GA feature-gates (#8970)
Remove KubeletCredentialProviders and JobTrackingWithFinalizers feature-gates, both of which are GA and cannot be disabled.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-12-14 22:57:24 +02:00
Brad Davidson 08509a2a90 Allow setting default-runtime on servers
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-12-08 18:18:08 -08:00
Brad Davidson b9c288f702 Bump containerd/runc to v1.7.10-k3s1/v1.1.10
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-12-08 18:17:19 -08:00
Vitor Savian 03532f7c0b Added runtime classes for crun/wasm/nvidia
Signed-off-by: Vitor Savian <vitor.savian@suse.com>

Added default runtime flag

Signed-off-by: Vitor Savian <vitor.savian@suse.com>
2023-12-08 15:49:28 -03:00
Brad Davidson 6d3a92a658 Print key instead of file path in snapshot metadata log message
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-11-21 14:03:27 -08:00
Brad Davidson b23e70d519 Don't apply s3 retention if S3 client failed to initialize
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-11-21 14:03:27 -08:00
Brad Davidson a92c4a0f17 Don't request metadata when listing objects
While some implementations may support it, it appears that most don't,
and some may in fact return an error if it is requested.

We already stat the object to get the metadata anyway, so this was
unnecessary if harmless on most implementations.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-11-21 14:03:27 -08:00
Brad Davidson 1e0a7044cf Reorder snapshot configmap reconcile to reduce log spew during initial startup
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-11-17 10:09:01 -08:00
Vitor Savian e53c189587
Handle nil pointer when runtime core is not ready in etcd
Signed-off-by: Vitor <vitor.savian@suse.com>
2023-11-16 15:58:42 -08:00
Brad Davidson 6c544a4679 Add jitter to client config retry
Also:
* Replaces labeled for/continue RETRY loops with wait helpers for improved readability
* Pulls secrets and nodes from cache for node password verification
* Migrate nodepassword tests to wrangler mocks for better code reuse

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-11-16 09:53:28 -08:00
Harsimran Singh Maan abc2efdd57
Disable helm CRD installation for disable-helm-controller (#8702)
* Disable helm CRD installation for disable-helm-controller
    The NewContext package requires config as input which would
    require all third-party callers to update when the new go module
    is published.
    
    This change only affects the behaviour of installation of helm
    CRDs. Existing helm crds installed in a cluster would not be removed
    when disable-helm-controller flag is set on the server.
    
    Addresses #8701
* address review comments
* remove redundant check

Signed-off-by: Harsimran Singh Maan <maan.harry@gmail.com>
2023-11-15 14:35:31 -08:00
Jason Costello 07ee854914
Tweaked order of ingress IPs in ServiceLB (#8711)
* Tweaked order of ingress IPs in ServiceLB
    Previously, ingress IPs were only string-sorted when returned
    Sorted by IP family and string-sorted in each family as part of
    filterByIPFamily method
* Update pkg/cloudprovider/servicelb.go
* Formatting

Signed-off-by: Jason Costello <jason@hazy.com>
Co-authored-by: Brad Davidson <brad@oatmail.org>
2023-11-15 14:33:31 -08:00
Brad Davidson 7ecd5874d2 Skip initial datastore reconcile during cluster-reset
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-11-15 14:31:44 -08:00
Brad Davidson 2088218c5f Fix issue with snapshot metadata configmap
Omit snapshot list configmap entries for snapshots without extra metadata; reduce log level of warnings about missing s3 metadata files.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-11-15 14:25:28 -08:00
chenk008 b47cbbfd42
add agent flag disable-apiserver-lb (#8717)
* add node flag disable-agent-lb
* add agent flag disable-apiserver-lb

Co-authored-by: Brad Davidson <brad@oatmail.org>
Signed-off-by: chenk008 <kongchen28@gmail.com>
2023-11-14 15:54:32 -08:00
Oliver Larsson 30c8ad926d QoS-class resource configuration
Problem:
Configuring qos-class features in containerd requres a custom containerd configuration template.

Solution:
Look for configuration files in default locations and configure containerd to use them if they exist.

Signed-off-by: Oliver Larsson <larsson.e.oliver@gmail.com>
2023-11-14 15:53:14 -08:00
Manuel Buil 8f7a8b23b7 Improve dualStack log
Signed-off-by: Manuel Buil <mbuil@suse.com>
2023-11-14 10:50:37 +01:00
Hussein Galal f5920d7864
Add warning for multiclustercidr flag (#8758)
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2023-11-14 01:27:52 +02:00
Flavio Castelli ba5fcf13fc
Wasm shims and runtimes detection
Create a generic helper function that finds extra containerd runtimes.
The code was originally inside of the nvidia container discovery file.

Signed-off-by: Flavio Castelli <fcastelli@suse.com>

Discover the containerd shims based on runwasi that are already
available on the node.

The runtimes could have been installed either by a package manager or by
the kwasm operator.

Signed-off-by: Flavio Castelli <fcastelli@suse.com>

The containerd configuration on a Linux system now handles the nvidia
and the WebAssembly runtimes.

Signed-off-by: Flavio Castelli <fcastelli@suse.com>

---------

Signed-off-by: Flavio Castelli <fcastelli@suse.com>
2023-11-13 14:43:41 -08:00
Vitor Savian c5cd7b3d65
Added etcd status condition
Signed-off-by: Vitor <vitor.savian@suse.com>
2023-11-13 06:39:24 -08:00
Hussein Galal 9e13aad4a8
Update traefik to fix registry value (#8792)
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2023-11-06 23:37:21 +02:00
Hussein Galal 1ae053d944
Upgrade traefik chart to v25.0.0 (#8771)
* Upgrade traefik chart to v25.0.0

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* go generate

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

---------

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2023-11-03 01:55:03 +02:00
Texot f575a05be2
fix: Access outer scope .SystemdCgroup (#8761)
Signed-off-by: Texot <tete1030@gmail.com>
2023-11-02 10:47:16 -07:00
Brad Davidson 49411e7084 Don't try to read token hash and cluster id during cluster-reset
These fields are only necessary when saving snapshots to S3, and will block restoration if attempted

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-10-27 15:06:29 -07:00
Brad Davidson 5b6b9685e9 Manually requeue configmap reconcile when no nodes have reconciled snapshots
Silences error message from lasso - this is a normal startup condition
when no snapshots exist so we shouldn't log nasty looking errors.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-10-18 15:09:25 -07:00
Brad Davidson 3db1d33282 Re-enable etcd endpoint auto-sync
Removing this in 002e6c43ee regressed
control-plane-only nodes, as we rely on the etcd client to update its
endpoint list internally so that we can use it to sync the load-balancer
address list.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-10-18 08:33:03 -07:00
Brad Davidson b8dc95539b Fix CloudDualStackNodeIPs feature-gate inconsistency
Enable the feature-gate for both kubelet and cloud-controller-manager. Enabling it on only one side breaks RKE2, where feature-gates are not shared due to running in different processes.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-10-17 10:40:12 -07:00
Sean Yen 0c9bf36fe0
[K3s][Windows Port] Build script, multi-call binary, and Flannel (#7259)
* initial windows port.

Signed-off-by: Sean Yen <seanyen@microsoft.com>
Signed-off-by: Derek Nola <derek.nola@suse.com>
Co-authored-by: Derek Nola <derek.nola@suse.com>
Co-authored-by: Wei Ran <weiran@microsoft.com>
2023-10-16 14:53:09 -04:00
Derek Nola aaf8409096
Use version.Program not K3s in log (#8653)
Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-10-16 11:02:12 -07:00
Brad Davidson 9597ea1183 Start etcd client before ensuring self removal
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-10-13 23:24:16 -07:00
Brad Davidson 3abc8b82ed Bump traefik, golang.org/x/net, google.golang.org/grpc
Fixes exposure to CVE-2023-39325

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-10-13 09:45:54 -07:00
Roberto Bonafiglia 1ffb4603cd Use IPv6 in case is the first configured IP with dualstack
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2023-10-13 10:23:31 +02:00
Brad Davidson d885162967 Add server token hash to CR and S3
This required pulling the token hash stuff out of the cluster package, into util.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-10-12 15:04:45 -07:00
Brad Davidson 550ab36ab7 Switch to managing ETCDSnapshotFile resources
Reconcile snapshot CRs instead of ConfigMap; manage ConfigMap downstream from CR list

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-10-12 15:04:45 -07:00
Brad Davidson 5cd4f69bfa Move snapshot delete into local/s3 functions
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-10-12 15:04:45 -07:00
Brad Davidson a15b804e00 Sort snapshots by time and key in tabwriter output
Fixes snapshot list coming out in non-deterministic order

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-10-12 15:04:45 -07:00
Brad Davidson 7464007037 Store extra metadata and cluster ID for snapshots
Write the extra metadata both locally and to S3. These files are placed such that they will not be used by older versions of K3s that do not make use of them.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-10-12 15:04:45 -07:00
Brad Davidson 80f909d0ca Move s3 snapshot list functionality to s3.go
Also, don't list ONLY s3 snapshots if S3 is enabled.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-10-12 15:04:45 -07:00
Brad Davidson 8d47645312 Consistently set snapshotFile timestamp
Attempt to use timestamp from creation or filename instead of file/object modification times

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-10-12 15:04:45 -07:00
Brad Davidson f1afe153a3 Tidy s3 upload functions
Consistently refer to object keys as such, simplify error handling.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-10-12 15:04:45 -07:00
Brad Davidson 2b0e2e8ada Elide old snapshot data when apiserver rejects configmap with ErrRequestEntityTooLarge
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-10-12 15:04:45 -07:00
Brad Davidson 676b00aa0e Move etcd snapshot code into separate file
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-10-12 15:04:45 -07:00
Brad Davidson 500744bb94 Add new CRD for etcd snapshots
Also adds a hack go script to print the embedded CRDs, for developer use.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-10-12 15:04:45 -07:00
Brad Davidson 9bb1ce1253 Bump busybox to v1.36.1
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-10-12 15:00:45 -07:00
Derek Nola dface01de8
Server Token Rotation (#8265)
* Consolidate NewCertCommands
* Add support for user defined new token
* Add E2E testlets

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Ensure agent token also changes

Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-10-09 10:58:49 -07:00
Roberto Bonafiglia ced25af5b1 Fixed tailscale node IP dualstack mode in case of IPv4 only node
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2023-10-09 15:17:33 +02:00
Manuel Buil e82b37640a Network defaults are duplicated, remove one
Signed-off-by: Manuel Buil <mbuil@suse.com>
2023-10-02 17:21:59 +02:00
Manuel Buil f2c7117374 Take IPFamily precedence based on order
Signed-off-by: Manuel Buil <mbuil@suse.com>
2023-09-29 11:04:15 +02:00
Manuel Buil 0b23a478cf ipFamilyPolicy:PreferDualStack for coredns and metrics-server
Signed-off-by: Manuel Buil <mbuil@suse.com>
2023-09-29 10:10:43 +02:00
Brad Davidson 0e5c760625 Pass SystemdCgroup setting through to nvidia runtime options
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-09-27 13:30:26 -07:00
Edgar Lee fe18b1fce9
Add --image-service-endpoint flag (#8279)
* Add --image-service-endpoint flag

Problem:
External container runtime can be set but image service endpoint is unchanged
and also is not exposed as a flag. This is useful for using containerd
snapshotters outside of the ones that have built-in support like
stargz-snapshotter.

Solution:
Add a flag --image-service-endpoint and also default image service endpoint to
container runtime endpoint if set.

Signed-off-by: Edgar Lee <edgarhinshunlee@gmail.com>
2023-09-27 13:20:50 -07:00
Manuel Buil 2a9e8e68d5
Merge pull request #8354 from manuelbuil/vpnExtraParams
Add extraArgs to vpn provider
2023-09-27 11:34:29 +02:00
Manuel Buil 4dd45b3142
Merge pull request #8439 from manuelbuil/fixGofmt
Fix gofmt error
2023-09-26 19:14:07 +02:00
Vitor Savian b6ab24c4fd
Added error when cluster reset while using server flag
Signed-off-by: Vitor Savian <vitor.savian@suse.com>
2023-09-26 11:00:37 -03:00
Manuel Buil 172a7f1d1a Fix gofmt error
Signed-off-by: Manuel Buil <mbuil@suse.com>
2023-09-26 11:09:03 +02:00
Brad Davidson 8705a88bf4 Clear remove annotations on cluster reset; refuse to delete last member from cluster
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-09-25 11:54:23 -07:00
Brad Davidson 002e6c43ee Reorganize Driver interface and etcd driver to avoid passing context and config into most calls
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-09-25 11:54:23 -07:00
Brad Davidson 890645924f Don't export functions not needed outside the etcd package
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-09-25 11:54:23 -07:00
Brad Davidson a3c52d60a5 Skip creating CRDs and setting up event recorder for CLI controller context
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-09-25 11:54:23 -07:00
Brad Davidson 391e61bd72 Use admin kubeconfig instead of supervisor for etcd snapshot CLI
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-09-25 11:54:23 -07:00
Brad Davidson 8c73fd670b Disable HTTP on main etcd client port
Fixes performance issue under load, ref: https://github.com/etcd-io/etcd/issues/15402 and https://github.com/kubernetes/kubernetes/pull/118460

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-09-25 08:29:57 -07:00
Manuel Buil 12459fca97 Add extraArgs to tailscale
Signed-off-by: Manuel Buil <mbuil@suse.com>
2023-09-25 17:04:50 +02:00
Manuel Buil cae8b2b626
Merge pull request #8346 from manuelbuil/interfaceLogs
Include the interface name in the error message
2023-09-25 16:50:01 +02:00
Manuel Buil 3194dc7367
Merge pull request #8284 from manuelbuil/improveFlannelLogging
Add context to flannel errors
2023-09-25 08:20:33 +02:00
Manuel Buil 8c197bdce4 Include the interface name in the error message
Signed-off-by: Manuel Buil <mbuil@suse.com>
2023-09-25 07:55:49 +02:00
Manuel Buil 8146041185
Merge pull request #8250 from manuelbuil/fixWinError
Fix error reporting
2023-09-22 18:42:54 +02:00
Johnatas 6330a5b49c
Update to v1.28.2 and go v1.20.8 (#8364)
* Update to v1.28.2

Signed-off-by: Johnatas <johnatasr@hotmail.com>

* Bump containerd and stargz versions

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

* Print message on upgrade fail

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

* Send Bad Gateway instead of Service Unavailable when tunnel dial fails

Works around new handling for Service Unavailable by apiserver aggregation added in kubernetes/kubernetes#119870

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

* Add 60 seconds to server upgrade wait to account for delays in apiserver readiness

Also change cleanup helper to ensure upgrade test doesn't pollute the
images for the rest of the tests.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

---------

Signed-off-by: Johnatas <johnatasr@hotmail.com>
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Co-authored-by: Brad Davidson <brad.davidson@rancher.com>
2023-09-19 10:18:47 -03:00
Manuel Buil 66cb1064d1 Add context to flannel errors
Signed-off-by: Manuel Buil <mbuil@suse.com>
2023-09-07 14:09:22 +02:00
Manuel Buil d3f7632463 Fix error reporting
Signed-off-by: Manuel Buil <mbuil@suse.com>
2023-08-31 17:20:14 +02:00
Brad Davidson 0d23cfe038 Add RWMutex to address controller
Fixes race condition when address map is updated by multiple goroutines

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-08-29 20:52:37 -07:00
Brad Davidson cba9f0d142 Add new CLI flag to disable TLS SAN CN filtering
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-08-29 08:33:45 -07:00
Derek Nola 2cb7023660 Use already imported semver, bump kine
Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-08-25 14:17:00 -06:00
Derek Nola f2d0c5409a Add check for support on cp nodes
Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-08-25 14:17:00 -06:00
Derek Nola 51f1a5a0ab Review comments and fixes
Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-08-25 14:17:00 -06:00
Derek Nola 42c2ac95e2 CLI + Backend for Secrets Encryption v3
Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-08-25 14:17:00 -06:00