1183 Commits (ab464cab61e15e2a207e8f59c06a6f0c85fd7063)

Author SHA1 Message Date
Brad Davidson 34d8b325f1 Bump busybox to v1.36.1
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 9bb1ce1253)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-10-13 12:28:56 -07:00
Brad Davidson 11bc2c29f6 Pass SystemdCgroup setting through to nvidia runtime options
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 0e5c760625)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-10-13 12:28:56 -07:00
Brad Davidson babe286e20 Disable HTTP on main etcd client port
Fixes performance issue under load, ref: https://github.com/etcd-io/etcd/issues/15402 and https://github.com/kubernetes/kubernetes/pull/118460

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 8c73fd670b)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-10-13 12:28:56 -07:00
Roberto Bonafiglia 722fca3b82 Use IPv6 in case it is the first configured IP with dualstack
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2023-10-13 10:25:34 +02:00
Derek Nola 0816812c99
[Release-1.25] Clear remove annotations on cluster reset (#8589)
* Use admin kubeconfig instead of supervisor for etcd snapshot CLI

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

* Skip creating CRDs and setting up event recorder for CLI controller context

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

* Don't export functions not needed outside the etcd package

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

* Reorganize Driver interface and etcd driver to avoid passing context and config into most calls

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

* Clear remove annotations on cluster reset; refuse to delete last member from cluster

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

---------

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Co-authored-by: Brad Davidson <brad.davidson@rancher.com>
2023-10-12 08:11:34 -07:00
Derek Nola 6afee00eaf
Server Token Rotation (#8578)
* Consolidate NewCertCommands
* Add support for user defined new token
* Add E2E testlets
* Ensure agent token also changes

Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-10-10 09:45:27 -07:00
Roberto Bonafiglia 07646f6877 Fixed tailscale node IP dualstack mode in case of IPv4 only node
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2023-10-10 10:38:14 +02:00
Manuel Buil 67380ddb01 Network defaults are duplicated, remove one
Signed-off-by: Manuel Buil <mbuil@suse.com>
2023-10-04 08:25:25 +02:00
Manuel Buil 7e1e1867d4 Take IPFamily precedence based on order
Signed-off-by: Manuel Buil <mbuil@suse.com>
2023-10-02 18:40:56 +02:00
Manuel Buil 6f550cd9a1 ipFamilyPolicy:PreferDualStack for coredns and metrics-server
Signed-off-by: Manuel Buil <mbuil@suse.com>
2023-10-02 11:35:15 +02:00
Manuel Buil 00cc29ba27
Merge pull request #8466 from manuelbuil/vpnExtraArgs125
[Release-1.25] Add extraArgs to tailscale
2023-09-28 10:06:03 +02:00
Vitor Savian 940bbd19bb
Added error when cluster reset while using server flag
Signed-off-by: Vitor Savian <vitor.savian@suse.com>
2023-09-27 16:42:23 -03:00
Manuel Buil 221fdd60c4 Add extraArgs to tailscale
Signed-off-by: Manuel Buil <mbuil@suse.com>
2023-09-27 11:39:08 +02:00
Manuel Buil c4e30c6f11 Include the interface name in the error message
Signed-off-by: Manuel Buil <mbuil@suse.com>
2023-09-26 11:08:14 +02:00
Manuel Buil b5dc298552
Merge pull request #8421 from manuelbuil/flannelErrors125
[Release 1.25] Add context to flannel errors
2023-09-25 16:33:21 +02:00
Manuel Buil 51969e6e7c Add context to flannel errors
Signed-off-by: Manuel Buil <mbuil@suse.com>
2023-09-25 08:28:57 +02:00
Manuel Buil c3d9410216 Fix error reporting
Signed-off-by: Manuel Buil <mbuil@suse.com>
2023-09-22 19:05:26 +02:00
Brad Davidson 622f183730 Send Bad Gateway instead of Service Unavailable when tunnel dial fails
Works around new handling for Service Unavailable by apiserver aggregation added in kubernetes/kubernetes#119870

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-09-19 10:56:55 -07:00
Brad Davidson 8fcbc2bc85 Add RWMutex to address controller
Fixes race condition when address map is updated by multiple goroutines

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 0d23cfe038)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-08-30 01:35:07 -07:00
Brad Davidson 8d84d1581e Add new CLI flag to enable TLS SAN CN filtering
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-08-29 08:35:21 -07:00
Brad Davidson 4b4de04f0b Bump dynamiclistener for init deadlock fix
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 66bae3e326)
2023-08-16 14:37:34 -07:00
Vitor ce85b98858 Fixed the etcd retention to delete orphaned snapshots based on the date
Signed-off-by: Vitor <vitor.savian@suse.com>
2023-08-15 12:41:06 -03:00
Vitor Savian 5a2506145e Fix for cluster-reset backup from s3 when etcd snapshots are disabled (#8155)
* Fixed when the user disables the etcd snapshots, but wants to back up from s3

Signed-off-by: Vitor <vitor.savian@suse.com>
2023-08-10 16:10:23 -03:00
Ian Cardoso 8e945c53e7 fix for etcd-snapshot delete with --etcd-s3 flag (#8110)
k3s etcd-snapshot save --etcd-s3 ... is creating a local snapshot and uploading it to s3 while k3s etcd-snapshot delete --etcd-s3 ... was deleting the snapshot only on s3 buckets; this commit changes the behavior of delete to do it locally and on s3

Signed-off-by: Ian Cardoso <osodracnai@gmail.com>
(cherry picked from commit e551308db8)
2023-08-04 19:20:33 -07:00
Brad Davidson ddbe499d9a Add FilterCN function to prevent SAN Stuffing
Wire up a node watch to collect addresses of server nodes, to prevent adding unauthorized SANs to the dynamiclistener cert.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit aa76942d0f)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-08-04 16:08:16 -07:00
Brad Davidson 4c6f7bfb08 Make apiserver egress args conditional on egress-selector-mode
Only configure enable-aggregator-routing and egress-selector-config-file
if required by egress-selector-mode.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit f21ae1d949)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-08-04 16:08:16 -07:00
Simon Kirsten 739141a79b Add support for `{{ template "base" . }}` in etc/containerd/config.toml.tmpl (#7991)
Signed-off-by: Simon Kirsten <simonkirsten24@gmail.com>
(cherry picked from commit 546dc247a0)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-08-04 16:08:16 -07:00
Derek Nola ba8cb071e7
[Release-1.25] August Test Backports (#8127)
* Unit test for MustFindString (#8013)
* Consolidate CopyFile functions (#8079)
* Remove unnecessary E2E envs
* Cleanup unnecessary "sudo" in commands
* Add additional s3 coverage clause

Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-08-04 11:38:23 -07:00
Vitor 00df50ded1 Fixed the etcd retention to delete orphaned snapshots
Signed-off-by: Vitor <vitor.savian@suse.com>
2023-08-04 10:34:08 -03:00
Manuel Buil 5164dc185a Fix tailscale bug with ip modes
Signed-off-by: Manuel Buil <mbuil@suse.com>
2023-08-02 11:43:42 +02:00
Derek Nola f7ab577cfa
Adjust default kubeconfig file permissions (#7984)
* Adjust default kubeconfig permissions

Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-07-15 08:46:08 -07:00
Derek Nola a268ab4058
Generation of certificates and keys for etcd gated if etcd is disabled. (#7945)
Problem:
When support for etcd was added in 3957142, generation of certificates and keys for etcd was not gated behind use of managed etcd.
Keys are generated and distributed across servers even if managed etcd is not enabled.

Solution:
Allow generation of certificates and keys only if managed etcd is enabled. Check config.DisableETCD flag.

Signed-off-by: Bartossh <lenartconsulting@gmail.com>
Signed-off-by: Derek Nola <derek.nola@suse.com>
Co-authored-by: Bartosz Lenart <lenart.consulting@gmail.com>
2023-07-11 14:18:53 -07:00
Vitor Savian e8a4961732 Adding cli to custom klipper helm image (#7682)
Adding cli to custom klipper helm image

Signed-off-by: Vitor Savian <vitor.savian@suse.com>
(cherry picked from commit 0809187cff)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-07-07 16:28:16 -07:00
Brad Davidson 696a642d1d Fall back to basic/bearer auth when node identity auth is rejected
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 7f50b40cfe)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-07-07 14:12:02 -07:00
LeiLei 5e3c63718d Add `--data-dir` to the `k3s certificate rotate-ca` cli (#7791)
Need to add a cli flag for this. Also, should probably have config file loading support for the certificate commands.

Signed-off-by: leilei.zhai <leilei.zhai@qingteng.cn>
(cherry picked from commit 72d50b1f7c)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-07-07 14:12:02 -07:00
Derek Nola c850132b5f
Fix rootless node password (#7900)
Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-07-07 11:03:14 -07:00
Denys Smirnov f1a4b9f6cb Support setting control server URL for Tailscale.
This change enables the use of Headscale - open source implementation of the Tailscale control server.

Signed-off-by: Denys Smirnov <dennwc@pm.me>
2023-07-07 12:31:19 +02:00
Manuel Buil 647539920b Check if we are on ipv4, ipv6 or dualStack when doing tailscale
Signed-off-by: Manuel Buil <mbuil@suse.com>
2023-07-06 11:13:11 +02:00
Derek Nola e1a315189b
Allow k3s to customize apiServerPort on helm-controller (#7873)
Signed-off-by: Daishan Peng <daishan@acorn.io>
Co-authored-by: Daishan Peng <daishan@acorn.io>
2023-07-05 11:56:58 -07:00
Manuel Buil 7d3319908f
Merge pull request #7860 from manuelbuil/fixSpell125
[Release 1.25] Fix code spell check
2023-07-05 10:37:51 +02:00
Manuel Buil 5a7f40dba3 Fix code spell check
Signed-off-by: Manuel Buil <mbuil@suse.com>
2023-07-04 15:53:34 +02:00
Manuel Buil 382fe9599f Remove file_windows.go
Signed-off-by: Manuel Buil <mbuil@suse.com>
2023-07-04 12:47:05 +02:00
Manuel Buil 8626667494 Fix the error report
Signed-off-by: Manuel Buil <mbuil@suse.com>
2023-06-14 19:17:48 +02:00
Brad Davidson 03e3324902 Enable containerd aufs/devmapper/zfs snapshotter plugins
These were unintentionally dropped when moving containerd back into the main multicall binary

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit e5e1a674ce)
2023-06-12 10:53:26 -07:00
Brad Davidson a645d3caf2 Improve error response logging
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 5170bc5a04)
2023-06-12 10:53:26 -07:00
Brad Davidson 3596d1891b Soft-fail on node password verification if the secret cannot be created
Allows nodes to join the cluster during a webhook outage. This also
enhances auditability by creating Kubernetes events for the deferred
verification.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 45d8c1a1a2)
2023-06-12 10:53:26 -07:00
Yuxing Deng b36b0c4c88 Make LB image configurable when compiling k3s
There is no way we can configure the lb image because it is a const value.
It would be better that we make it a variable value and we can override
the value like the `helm-controller` job image when compiling k3s/rke2

Signed-off-by: Yuxing Deng <jxfa0043379@hotmail.com>
(cherry picked from commit b64a226ebd)
2023-06-12 10:53:26 -07:00
Brad Davidson 29bc03305a Create new kubeconfig for supervisor use
Only actual admin actions should use the admin kubeconfig; everything done by the supervisor/deploy/helm controllers will now use a distinct account for audit purposes.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 64a5f58f1e)
2023-06-12 10:53:26 -07:00
Brad Davidson ac6966145c Use distinct clients for supervisor, deploy, and helm controllers
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 8748813a61)
2023-06-12 10:53:26 -07:00
Brad Davidson 17c534022e Bump metrics-server to v0.6.3 and update tls-cipher-suites
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit e9958cf070)
2023-06-12 10:53:26 -07:00