Commit Graph

141 Commits (b8f101fd892b200054f61bd9f92401f92b1389a1)

Author SHA1 Message Date
Brad Davidson dc14f370c4 Update wrangler to v0.8.5
Required to support apiextensions.v1 as v1beta1 has been deleted. Also
update helm-controller and dynamiclistener to track wrangler versions.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-08-20 18:47:16 -07:00
Brad Davidson 422d266da2 Disable deprecated insecure port
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-08-20 18:47:16 -07:00
Jamie Phillips fc19b805d5
Added logic to strip any existing hyphens before processing the args. (#3662)
Updated the logic to handle if extra args are passed with existing hyphens in the arg. The test was updated to add the additional case of having pre-existing hyphens. The method name was also refactored based on previous feedback.
2021-07-28 13:04:19 -07:00
Derek Nola c833183517
Add unit tests for pkg/etcd (#3549)
* Created new etcd unit tests and testing support file

Signed-off-by: dereknola <derek.nola@suse.com>
2021-07-01 16:08:35 -07:00
Chris Kim 04398a2582
Move cloud-controller-manager into an embedded executor (#3525)
* Move cloud-controller-manager into an embedded executor
* Import K3s cloud provider and clean up imports

Signed-off-by: Chris Kim <oats87g@gmail.com>
2021-06-29 07:28:38 -07:00
Derek Nola 4b2ab8b515
Renamed client-cloud-controller crt and key (#3470)
Signed-off-by: dereknola <derek.nola@suse.com>
2021-06-16 13:54:35 -07:00
Derek Nola 664a98919b
Fix RBAC cloud-controller-manager name 3308 (#3388)
* Changed cloud-controller-manager user name in ccm.yaml

Signed-off-by: dereknola <derek.nola@suse.com>

* Changed RBAC name in server.go

Signed-off-by: dereknola <derek.nola@suse.com>

* Changed "k3s" string prefix to version.Program to prevent static hardcoding

Signed-off-by: dereknola <derek.nola@suse.com>

* Changed user in ccm.yaml to k3s-cloud-controller-manager

Signed-off-by: dereknola <derek.nola@suse.com>
2021-06-02 14:50:11 -07:00
Siegfried Weber e77fd18270 Sign CSRs for kubelet-serving with the server CA
Problem:
Only the client CA is passed to the kube-controller-manager and
therefore CSRs with the signer name "kubernetes.io/kubelet-serving" are
signed with the client CA. Serving certificates must be signed with the
server CA otherwise e.g. "kubectl logs" fails with the error message
"x509: certificate signed by unknown authority".

Solution:
Instead of providing only one CA via the kube-controller-manager
parameter "--cluster-signing-cert-file", the corresponding CA for every
signer is set with the parameters
"--cluster-signing-kube-apiserver-client-cert-file",
"--cluster-signing-kubelet-client-cert-file",
"--cluster-signing-kubelet-serving-cert-file", and
"--cluster-signing-legacy-unknown-cert-file".

Signed-off-by: Siegfried Weber <mail@siegfriedweber.net>
2021-05-05 15:59:57 -07:00
Brad Davidson 3cb4ca4b35 Use same SANs on ServingKubeAPICert as dynamiclistener
The kube-apiserver cert should have the same SANs in the same order,
excluding the extra user-configured SANs since this will only be used
in-cluster.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-04-28 09:58:19 -07:00
Brad Davidson 2705431d96
Add support for dual-stack Pod/Service CIDRs and node IP addresses (#3212)
* Add support for dual-stack cluster/service CIDRs and node addresses

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-04-21 15:56:20 -07:00
Brad Davidson 601c4984f5 Fix service-account-issuer
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-04-14 14:51:42 -07:00
Brad Davidson e8381db778 Update Kubernetes to v1.21.0
* Update Kubernetes to v1.21.0
* Update to golang v1.16.2
* Update dependent modules to track with upstream
* Switch to upstream flannel
* Track changes to upstream cloud-controller-manager and FeatureGates

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-04-14 14:51:42 -07:00
Brian Downs 4d1f9eda9d
Etcd Snapshot/Restore to/from S3 Compatible Backends (#2902)
* Add functionality for etcd snapshot/restore to and from S3 compatible backends.
* Update etcd restore functionality to extract and write certificates and configs from snapshot.
2021-03-03 11:14:12 -07:00
Hussein Galal 5749f66aa3
Add disable flags for control components (#2900)
* Add disable flags to control components

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* golint

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* more fixes

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fixes to disable flags

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Add comments to functions

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Fix joining problem

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* more fixes

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* golint

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix ticker

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix role labels

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* more fixes

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-02-12 17:35:57 +02:00
Brad Davidson 07256cf7ab Add ServiceIPRange and ServiceNodePortRange to agent config
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-02-03 10:41:51 -08:00
Brad Davidson c5aad1b5ed Disable the ServiceAccountIssuerDiscovery feature-gate.
We're not setting ``--service-account-issuer` to a https URL, which causes an
error message at startup when the feature gate is enabled. From the
docs on that flag:

> If this option is not a valid URI per the OpenID Discovery 1.0 spec, the
> ServiceAccountIssuerDiscovery feature will remain disabled, even if the
> feature gate is set to true. It is highly recommended that this value
> comply with the OpenID spec:
> https://openid.net/specs/openid-connect-discovery-1_0.html. In practice,
> this means that service-account-issuer must be an https URL. It is also
> highly recommended that this URL be capable of serving OpenID discovery
> documents at {service-account-issuer}/.well-known/openid-configuration.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-12-08 22:51:34 -08:00
Brad Davidson c6950d2cb0 Update Kubernetes to v1.20.0-k3s1
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-12-08 22:51:34 -08:00
Brad Davidson 58b5b21f0d Don't pass cloud-provider flag to controller-manager
As per documentation, the cloud-provider flag should not be passed to
controller-manager when using cloud-controller. However, the legacy
cloud-related controllers still need to be explicitly disabled to
prevent errors from being logged.

Fixing this also prevents controller-manager from creating the
cloud-controller-manager service account that needed extra RBAC.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-11-09 13:55:09 -08:00
Brad Davidson f50e3140f9 Disable configure-cloud-routes and external service/route programming support when using k3s stub cloud controller
Resolves warning 3 from #2471

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-11-05 15:51:10 -08:00
Brad Davidson 31575e407a Add Cluster ID support to k3s stub cloud controller
Resolves warning 2 from #2471.

As per https://github.com/kubernetes/cloud-provider/issues/12 the
ClusterID requirement was never really followed through on, so the
flag is probably going to be removed in the future.

One side-effect of this is that the core k8s cloud-controller-manager
also wants to watch nodes, and needs RBAC to do so.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-11-05 15:51:10 -08:00
Brad Davidson 8c6d3567fe Rename k3s-controller based on the build-time program name
Since we're replacing the k3s rolebindings.yaml in rke2, we should allow
renaming this so that we can use the white-labeled name downstream.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-09-16 10:53:07 -07:00
Erik Wilson c5dc09159f
Move basic authentication to k3s 2020-08-28 17:18:34 -07:00
Brad Davidson b1d017f892 Update dynamiclistener
Second round of fixes for #1621

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-08-18 10:38:47 -07:00
Euan Kemp 4808c4e7d5 Listen insecurely on localhost only
Before this change, k3s configured the scheduler and controller's
insecure ports to listen on 0.0.0.0. Those ports include pprof, which
provides a DoS vector at the very least.

These ports are only enabled for componentstatus checks in the first
place, and componentstatus is hardcoded to only do the check on
localhost anyway (see
https://github.com/kubernetes/kubernetes/blob/v1.18.2/pkg/registry/core/rest/storage_core.go#L341-L344),
so there shouldn't be any downside to switching them to listen only on
localhost.
2020-08-05 10:28:11 -07:00
Brian Downs ebac755da1 add profiling flag with default value of false
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2020-07-10 13:08:04 -07:00
Brandon Davidson 538842ffdc
Merge pull request #1768 from brandond/fix_1764
Configure default signer implementation to use ClientCA instead of ServerCA
2020-07-07 16:52:14 -07:00
Brian Downs 7f4f237575
added profile = false args to api, controllerManager, and scheduler (#1891) 2020-06-12 21:09:41 +02:00
Darren Shepherd 6b5b69378f Add embedded etcd support
This is replaces dqlite with etcd.  The each same UX of dqlite is
followed so there is no change to the CLI args for this.
2020-06-06 16:39:41 -07:00
Darren Shepherd 39571424dd Generate etcd certificates 2020-06-06 16:39:41 -07:00
Darren Shepherd a18d387390 Refactor clustered DB framework 2020-06-06 16:39:41 -07:00
Darren Shepherd 7e59c0801e Make program name a variable to be changed at compile time 2020-06-06 16:39:41 -07:00
Darren Shepherd cb4b34763e
Merge pull request #1759 from ibuildthecloud/background
Start kube-apiserver in the background
2020-05-06 21:50:48 -07:00
Darren Shepherd e5fe184a44
Merge pull request #1757 from ibuildthecloud/separate-port
Add supervisor port
2020-05-06 21:32:45 -07:00
Darren Shepherd 072396f774 Start kube-apiserver in the background
In rke2 everything is a static pod so this causes a chicken and egg situation
in which we need the kubelet running before the kube-apiserver can be
launched.  By starting the apiserver in the background this allows us to
do this odd bootstrapping.
2020-05-06 21:17:23 -07:00
Brad Davidson 71561ecda2 Use ClientCA for the signer controller 2020-05-06 16:51:35 -07:00
Darren Shepherd 2f5ee914f9 Add supervisor port
In k3s today the kubernetes API and the /v1-k3s API are combined into
one http server.  In rke2 we are running unmodified, non-embedded Kubernetes
and as such it is preferred to run k8s and the /v1-k3s API on different
ports.  The /v1-k3s API port is called the SupervisorPort in the code.

To support this separation of ports a new shim was added on the client in
then pkg/agent/proxy package that will launch two load balancers instead
of just one load balancer.  One load balancer for 6443 and the other
for 9345 (which is the supervisor port).
2020-05-05 15:54:51 -07:00
Darren Shepherd afd6f6d7e7 Encapsulate execution logic
This moves all the calls to cobra root commands to one package
so that we can change the behavior of running components as embedded
or external.
2020-05-05 15:34:32 -07:00
Darren Shepherd 3c8e0b4157 No longer use basic auth for default admin account 2020-04-28 16:01:33 -07:00
Knic Knic 44b8af097c fix usage of path instead of filepath 2020-04-25 00:29:18 -07:00
Erik Wilson 1a2690d7be
Merge pull request #1192 from galal-hussein/add_encryption_config
Add secret encryption config
2020-01-27 13:59:09 -07:00
galal-hussein 388cd9c4e8 Add secret encryption configuration 2019-12-23 13:16:27 +02:00
Darren Shepherd 4acaa0740d Small dqlite fixes 2019-12-16 11:45:01 -07:00
Erik Wilson 76281bf731 Update k3s for k8s 1.17.0 2019-12-15 23:28:19 -07:00
galal-hussein 99b8222e8d Change storage to datastore 2019-11-15 21:52:07 -07:00
Darren Shepherd 77703b90ff Don't ever change 10252/10251 ports
Kubernetes componentstatus check is hardcoded to 10252 and 10251
so we should never change these ports.  If you do componentstatus
will return error.
2019-11-13 18:20:57 -07:00
Darren Shepherd 0ae20eb7a3 Support both http and db based bootstrap 2019-11-12 01:12:24 +00:00
Darren Shepherd 29b270dce6 Wait for apiserver to be health, not just running 2019-11-12 01:09:33 +00:00
Darren Shepherd 91cacb3a14 Fix server join issues 2019-11-08 21:35:58 +00:00
Erik Wilson 01f6e0e64e Add context to server daemon functions that wait 2019-11-05 11:06:07 -07:00
larmog 7aa3d08385 Wait for api-server to report version after starting 2019-11-05 11:05:22 -07:00
Darren Shepherd ba240d0611 Refactor tokens, bootstrap, and cli args 2019-10-30 19:06:49 -07:00
galal-hussein d2c1f66496 Add k3s cloud provider 2019-10-16 21:13:15 +02:00
galal-hussein 436ff4ef63 fix cert rotation function 2019-10-10 03:35:32 +02:00
galal-hussein 2dc5ba5bae Add certificate rotation 2019-09-30 18:34:58 +02:00
Erik Wilson 959acf9c92 Add --flannel-backend flag 2019-09-27 18:26:39 -07:00
Darren Shepherd 36ca606073
Merge pull request #793 from yamt/noderestriction
Add back NodeRestriction
2019-09-07 12:07:01 -07:00
YAMAMOTO Takashi 9cf80eacd9 Add back NodeRestriction
It has been removed as a part of #764 for no obvious reasons.

Fix #791
2019-09-05 15:47:46 +09:00
Erik Wilson 197985c673 Add --kubelet-certificate-authority flag 2019-09-02 10:49:23 -07:00
Darren Shepherd f57dd13774 Default kube-apiserver to httpsport + 1 2019-08-28 20:53:38 -07:00
Darren Shepherd 9c8b95be9d Drop unneeded prometheus imports 2019-08-28 20:53:37 -07:00
Darren Shepherd a51a2eaaad Add anonymous-auth=false and remove NodeRestriction 2019-08-28 20:53:37 -07:00
Erik Wilson 5679cfafaf
Merge pull request #707 from ibuildthecloud/pr683
Integrate Kine
2019-08-26 09:25:37 -07:00
Erik Wilson e6067314c9 Localhost -> 127.0.0.1 2019-08-22 11:56:00 -07:00
galal-hussein 1ae0c540d7 Refactor bootstrap, move kine startup code to kine, integrate kine 2019-08-22 09:14:43 -07:00
YAMAMOTO Takashi dc4ebd4c67 Remove agent proxy config which is no longer used 2019-07-17 18:05:16 +09:00
Erik Wilson ad11ba583f Use watch-cache for kvsql 2019-07-07 14:43:43 -07:00
Erik Wilson 11a4c71f28 Use watch-cache for etcd3 backend 2019-07-01 14:09:25 -07:00
Erik Wilson 24b73403c7 Cleanup bootstrap 2019-06-30 12:39:54 -07:00
galal-hussein 28d9d83be2 Add k3s HA bootstrap 2019-06-27 21:00:43 +02:00
Erik Wilson 7090a7d551 Move node password to separate file 2019-06-25 15:04:04 -07:00
Erik Wilson 93f6690f26 Graceful upgrade token to server CA 2019-06-25 15:04:04 -07:00
Erik Wilson 2c9444399b Refactor certs 2019-06-25 15:04:04 -07:00
galal-hussein 17d8708ca5 Add storage backend flags 2019-06-12 00:48:47 +02:00
Erik Wilson 199f673676
Merge pull request #479 from galal-hussein/add_storage_backend_options
Add MySQL and Postgress support
2019-05-28 16:57:38 -07:00
Darren Shepherd c0702b0492 Port to wrangler 2019-05-26 22:28:50 -07:00
galal-hussein e9cd8adbf6 Add Storage endpoint option 2019-05-16 01:05:24 +02:00
Erik Wilson d5ce19caae Force upgrade of token node cert 2019-05-02 16:22:42 -07:00
Erik Wilson c9941895d6 Bind kubelet to all interfaces and use webhook auth 2019-04-26 15:02:30 -07:00
Erik Wilson c48739206a Enable aggregation layer
Configure kube-apiserver, kubelets, and kube-proxy for use with
aggregation layer in order for metrics-server deployment to function
correctly.
2019-04-11 22:43:31 +00:00
galal-hussein 7794528aa1 Add extra flags for server and agent components 2019-04-09 08:20:38 +02:00
Darren Shepherd 3c7e103085 Updates for k8s 1.14 2019-04-08 22:50:59 -07:00
galal-hussein e8c5b2498c Change address to bind-address for scheduler and api 2019-03-31 14:55:56 +02:00
Thorsten Schifferdecker 2c398c5d5f Update server.go
fallback to the old --address part and enable the non-tls port to make healthz happy
2019-03-04 10:07:30 -07:00
Thorsten Schifferdecker 35cfc717d3 fix missing "," 2019-03-04 10:07:30 -07:00
Thorsten Schifferdecker ee2fffb0ca make the controller-manager and scheduler usable for the
componentstatus.
Fixes #126

Signed-off-by: Thorsten Schifferdecker <schifferdecker@b1-systems.de>
2019-03-04 10:07:30 -07:00
Darren Shepherd 828ce5a24a Disable watch caching, not needed for sqlite 2019-02-22 19:58:42 -07:00
Darren Shepherd 5e1ce4aa42 Cache self-signed loopback cert on startup 2019-02-07 21:45:31 -07:00
Darren Shepherd af96c908da Disable proxy hostname checks 2019-02-07 21:45:31 -07:00
Darren Shepherd 287e0f44c9 Prepare for initial release 2019-01-22 14:20:29 -07:00
Darren Shepherd 62c62cc7b4 Continued refactoring 2019-01-11 21:52:30 -07:00
Darren Shepherd 9bb7c27c62 Initial Commit 2019-01-01 01:23:01 -07:00