Commit Graph

1434 Commits (b93fd98a1c733b61ac515e07f4abcaf27d2f6b7f)

Author SHA1 Message Date
Brad Davidson 99851b0f84 Use core constants for cert user/group values
Also update cert gen to ensure leaf certs are regenerated if other key fields change.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-15 01:02:42 -07:00
Terry Cain b6e71ef990 Added support for repeated extra arguments
Problem:
Specifying extra arguments for the API server for example is not supported as
the arguments get stored in a map before being passed to the API server.

Solution:
Updated the GetArgs function to store the arguments in a map that can have
multiple values. Some more logic is added so that repeated extra arguments
retain their order when sorted whilst overall the arguments can still be
sorted for improved readability when logged.

Support has been added for prefixing and suffixing default argument values
by using -= and += when specifying extra arguments.

Signed-off-by: Terry Cain <terry@terrys-home.co.uk>
2022-04-14 13:59:57 -07:00
Roberto Bonafiglia e4d2824fb6
Merge pull request #5420 from rbrtbnfgl/etcd-default-endpoint
Added default endpoint for IPv6
2022-04-14 18:50:12 +02:00
Roberto Bonafiglia 9c9adda61b Added default endpoint for IPv6
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-04-14 09:58:40 +02:00
Roberto Bonafiglia dfb779d09d
Merge pull request #5422 from rbrtbnfgl/fix-flannel-backend-help
Fixed flannel backend helper text
2022-04-14 09:06:40 +02:00
Dirk Müller fa0fa8b1d0 Update golangci-lint to 1.45.2
This requires a further set of gofmt -s improvements to the
code, but nothing major. golangci-lint 1.45.2 brings golang 1.18
support which might be needed in the future.

Signed-off-by: Dirk Müller <dirk@dmllr.de>
2022-04-13 14:48:42 -07:00
Roberto Bonafiglia 8767395d40 Fixed flannel backend helper text
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-04-13 09:38:22 +02:00
Deshi Xiao c1095dd015
fix: non-idiomatic returning of boolean expression (#5343)
should use 'return disables[baseName]' instead of 'if disables[baseName] { return true }; return false'

Signed-off-by: Deshi Xiao <xiaods@gmail.com>
2022-04-11 12:46:29 -07:00
Roberto Bonafiglia 2037e9179a
Merge pull request #5391 from rbrtbnfgl/wireguard-update
Add wireguard native flannel backend
2022-04-08 09:13:04 +02:00
Brad Davidson f37e7565b8 Move the apiserver addresses controller into the etcd package
This controller only needs to run when using managed etcd, so move it in
with the rest of the etcd stuff. This change also modifies the
controller to only watch the Kubernetes service endpoint, instead of
watching all endpoints in the entire cluster.

Fixes an error message revealed by use of a newer grpc client in
Kubernetes 1.24, which logs an error when the Put to etcd failed because
kine doesn't support the etcd Put operation. The controller shouldn't
have been running without etcd in the first place.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-07 11:28:15 -07:00
Roberto Bonafiglia f04c602c07 Updated wireguard-native options and added log message
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-04-07 19:31:21 +02:00
Roberto Bonafiglia 47abaf362e Added new flannel backend to use wireguard from flannel
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-04-07 19:31:13 +02:00
Brad Davidson 2a429aac65 Fix crash on early snapshot
Don't attempt to retrieve snapshot metadata configmap if the apiserver
isn't available. This could be triggered if the cron expression caused a
snapshot to be triggered before the apiserver is up.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-07 09:23:34 -07:00
Michal Rostecki 9350016de8
Merge pull request #5387 from vadorovsky/kube-router-dual-stack
netpol: Add dual-stack support
2022-04-07 11:24:38 +02:00
Brad Davidson 0bf7c09569 Don't print password conversion rate
Avoids divide-by-zero when the password file is empty

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-06 15:55:45 -07:00
Brad Davidson 49544e0d49 Allow agents to query non-apiserver supervisors for apiserver endpoints
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-06 13:03:14 -07:00
Brad Davidson af0b496ef3 Add client certificate authentication support to core Authenticator
This is required to make the websocket tunnel server functional on
etcd-only nodes, and will save some code on the RKE2 side once pulled
through.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-06 13:03:14 -07:00
Brad Davidson e7437d4ad8 Redact datastore and etcd snapshot config from serialization
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-06 13:03:14 -07:00
Michal Rostecki c707948adf netpol: Add dual-stack support
This change allows to define two cluster CIDRs for compatibility with
Kubernetes dual-stuck, with an assumption that two CIDRs are usually
IPv4 and IPv6.

It does that by levearaging changes in out kube-router fork, with the
following downstream release:

https://github.com/k3s-io/kube-router/releases/tag/v1.3.2%2Bk3s

Signed-off-by: Michal Rostecki <vadorovsky@gmail.com>
2022-04-06 14:43:09 +02:00
Euan Kemp c2e846dc16 Allow using flannel wireguard backend in a custom config
Ideally we'd have fully fleshed out support for it (i.e. #5011), but
that's a potentially breaking change and taking a little while to merge.

This is a much simpler change which won't break anything, but will allow
a "Type": "wireguard" reference in the "--flannel-conf" custom config
file to work.

Signed-off-by: Euan Kemp <euank@euank.com>
2022-04-05 09:44:26 -07:00
Roberto Bonafiglia 4afeb9c5c7
Merge pull request #5325 from rbrtbnfgl/fix-etcd-ipv6-url
Fixed etcd URL in case of IPv6 address
2022-04-05 09:55:42 +02:00
Roberto Bonafiglia 0746dde758 Fixed http URL on etcd
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-03-31 14:24:59 +02:00
Roberto Bonafiglia 06c779c57d Fixed loadbalancer in case of IPv6 addresses
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-03-31 11:49:30 +02:00
Roberto Bonafiglia b66974145c Fixed etcd register
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-03-30 18:23:30 +02:00
Luther Monson 313aaca547
Merge pull request #5361 from luthermonson/fix-containerd-npipe
[master] Wrap containerd.New
2022-03-30 07:35:50 -07:00
Roberto Bonafiglia e29771b9ff Fixed client URL
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-03-30 10:59:39 +02:00
Brad Davidson 62cc1ed24f Skip setting up client tls when etcd server does not have tls enabled
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-30 01:03:41 -07:00
Luther Monson 13191da58a add a wrapper around the containerd.New call to fix and pass the proper npipe connector
Signed-off-by: Luther Monson <luther.monson@gmail.com>
2022-03-29 18:06:48 -07:00
Roberto Bonafiglia dda409b041 Updated localhost address on IPv6 only setup
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-03-29 09:35:54 +02:00
Brad Davidson 1339626a5b Defragment etcd datastore before clearing alarms
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-28 09:27:59 -07:00
Brad Davidson e811689df9 Fix etcd-only secrets encryption rotation
Improve feedback when running secrets-encrypt commands on etcd-only nodes, and
allow etcd-only nodes to properly restart when effecting rotation.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-25 10:40:58 -07:00
Brad Davidson d25ae8fbc2 Properly attach secrets-encrypt events to the node resource
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-23 16:01:21 -07:00
Brad Davidson 965d0a08ef Fix log spam due to servicelb event recorder namespace conflict
Don't hardcode the event namespace when creating event recorders; some controllers want to create events in other namespaces.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-23 16:01:21 -07:00
Brad Davidson 714979bf6a Ensure that apiserver ready channel checks re-dial every time
Closing idle connections isn't guaranteed to close out a pooled connection to a
loadbalancer endpoint that has been removed. Instead, ensure that requests used
to wait for the apiserver to become ready aren't reused.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-23 13:21:58 -07:00
Roberto Bonafiglia 2285aa699b Fixed etcd URL in case of IPv6 address
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-03-23 15:35:51 +01:00
Brad Davidson df94b3729f go generate
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-18 14:51:57 -07:00
Brad Davidson 38706eeec0 Defer ensuring node passwords on etcd-only nodes during initial cluster bootstrap
This allows secondary etcd nodes to bootstrap the kubelet before an
apiserver joins the cluster. Rancher waits for all the etcd nodes to
come up before adding the control-plane nodes, so this needs to be
handled properly.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-18 10:58:37 -07:00
Brad Davidson 3cebde924b Handle empty entries in bootstrap path map
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-17 13:42:27 -07:00
Brad Davidson a93b9b6d53 Update helm-controller
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-16 23:49:14 -07:00
Brad Davidson 66e350ea88 Track upstream changes to kubectl command execution
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-16 17:19:18 -07:00
Brad Davidson 078da46532 Close additional leaked GPRC clients
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-15 18:07:55 -07:00
Derek Nola 1f7abe5dbb
Testing directory and documentation rework. (#5256)
* Removed vagrant folder
* Fix comments around E2E ENVs
* Eliminate testutil folder
* Convert flock integration test to unit test
* Point to other READMEs

Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-03-15 10:29:56 -07:00
Roberto Bonafiglia ff85faa7de Changed ipv6 config on flannel setup
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-03-09 12:30:33 +01:00
Roberto Bonafiglia 073f155fc4 Added ipv6 only support with flannel
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-03-09 09:35:01 +01:00
Roberto Bonafiglia 93346904cf
Merge pull request #5215 from rbrtbnfgl/flannel_0.17
Flannel 0.17
2022-03-09 08:51:10 +01:00
Brian Downs 8083ef5824
fix function arg call (#5234) 2022-03-08 17:00:57 -07:00
Brad Davidson 003e094b45
Populate EtcdConfig in runtime from datastore when etcd is disabled (#5222)
Fixes issue with secrets-encrypt rotate not having any etcd endpoints
available on nodes without a local etcd server.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-08 09:04:31 -08:00
Roberto Bonafiglia 3fabc0703b
Merge pull request #4450 from olljanat/support-ipv6-only
Add partial support for IPv6 only mode
2022-03-08 11:38:52 +01:00
Roberto Bonafiglia f3d81544b1 Fixed log in case of ipv6 only config
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-03-08 09:42:25 +01:00
Roberto Bonafiglia 0c83f50c4c Added switch case to check netMode
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-03-08 09:34:25 +01:00
Roberto Bonafiglia 2c39febdd2 Fixed in case of empty address
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-03-07 14:09:29 +01:00
Roberto Bonafiglia d7d4c891e2 Updated flannel to 0.17
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-03-07 14:09:05 +01:00
Brad Davidson 44c53743dd Support MixedProtocolLBService and clean up Daemonsets on type change.
Also add event support to increase visibility of change events.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-03 15:30:04 -08:00
Luther Monson 9a849b1bb7
[master] changing package to k3s-io (#4846)
* changing package to k3s-io

Signed-off-by: Luther Monson <luther.monson@gmail.com>

Co-authored-by: Derek Nola <derek.nola@suse.com>
2022-03-02 15:47:27 -08:00
robertlestak a82ac4fdc7 servicelb pool selector
adds a new optional node label
"svccontroller.k3s.cattle.io/lbpool=<pool>" that can be set on nodes.
ServiceType: LoadBalancer services can then specify a matching label,
which will schedule the DaemonSet only on specified nodes. This allows
operators to specify different pools of nodes that can serve different
LoadBalancer services on the same ports.

Signed-off-by: robertlestak <robert.lestak@umusic.com>
2022-03-02 15:10:41 -08:00
Brad Davidson f090bf2d5e Bootstrap the executor even when the agent is disabled
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-02 02:47:54 -08:00
Brad Davidson a7878db17f Fix etcd-snapshot commands by making setup more consistent.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-01 20:25:20 -08:00
Brad Davidson 9a48086524 Ignore cluster membership errors when reconciling from temp etcd
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-01 20:25:20 -08:00
Brad Davidson e4846c92b4 Move temporary etcd startup into etcd module
Reuse the existing etcd library code to start up the temporary etcd
server for bootstrap reconcile. This allows us to do proper
health-checking of the datastore on startup, including handling of
alarms.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-01 20:25:20 -08:00
Brad Davidson 555087b9b8 Add function to clear local alarms on etcd startup
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-01 11:56:52 -08:00
Kamil Madac 333248466b
Add http/2 support to API server (#5149)
fix issue #5148

Signed-off-by: Kamil Madac <kamil.madac@gmail.com>
2022-03-01 11:27:52 -08:00
Brad Davidson 5014c9e0e8 Fix adding etcd-only node to existing cluster
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-02-28 19:56:08 -08:00
Brad Davidson a1b800f0bf Remove unnecessary copies of etcdconfig struct
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-02-28 12:05:16 -08:00
Brad Davidson 2989b8b2c5 Remove unnecessary copies of runtime struct
Several types contained redundant references to ControlRuntime data. Switch to consistently accessing this via config.Runtime instead.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-02-28 12:05:16 -08:00
Brad Davidson 54bb65064e Fix cluster bootstrap test
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-02-28 12:05:16 -08:00
Derek Nola a698ece9c5
Add `--json` flag for `k3s secrets-encrypt status` (#5127)
* Add json flag for secrets-encrypt status

Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-02-28 09:14:32 -08:00
Brian Downs 40a46e1412
add ability to specify etcd snapshot list output format (#5132) 2022-02-25 14:00:00 -07:00
Derek Nola 142eed1a9f
Create encryption hash file if it doesn't exist (#5140)
Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-02-25 08:43:03 -08:00
Hussein Galal 43b1cb4820
Update to V1.23.4 k3s1 (#5135)
* Update to v1.23.4

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Upgrade treafik to 2.6.1

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Upgrade treafik to 2.6.1

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Upgrade treafik image in image-list

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Update kubernetes

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2022-02-22 18:57:22 +02:00
Manuel Buil 062fe63dd1 Fix annoying netpol log
Signed-off-by: Manuel Buil <mbuil@suse.com>
2022-02-10 20:01:27 +01:00
Olli Janatuinen 966f4d6a01 Add support for IPv6 only mode
Automatically switch to IPv6 only mode if first node-ip is IPv6 address

Signed-off-by: Olli Janatuinen <olli.janatuinen@gmail.com>
2022-02-10 20:34:59 +02:00
Derek Nola e28be2912c
Migrate Ginkgo testing framework to V2, consolidate integration tests (#5097)
* Upgrade and convert ginkgo from v1 to v2
* Move all integration tests into integration folder
* Update TESTING.md

Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-02-09 08:22:53 -08:00
Hussein Galal 13728058a4
Add k3s etcd restoration integration test (#5014)
* Add k3s etcd restoration test

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Fix tests and rebase

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Reorganizing the tests

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Fixing comments

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Fix etcd restore

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* dont check for errors when restoring

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* use eventually to test for restoration

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix tests

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix golint

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2022-02-08 21:24:34 +02:00
Manuel Buil 773c2a4184
Merge pull request #5079 from manuelbuil/michalsPR
netpol: Use kube-router as a library
2022-02-07 19:18:15 +01:00
Michal Rostecki 4fed9f4052 netpol: Use kube-router as a library
Before this change, we were copying a part of kube-router code to
pkg/agent/netpol directory with modifications, from which the biggest
one was consumption of k3s node config instead of kube-router config.

However, that approach made it hard to follow new upstream versions.
It's possible to use kube-router as a library, so it seems like a better
way to do that.

Instead of modifying kube-router network policy controller to comsume
k3s configuration, this change just converts k3s node config into
kube-router config. All the functionality of kube-router except netpol
is still disabled.

Signed-off-by: Michal Rostecki <mrostecki@opensuse.org>
Signed-off-by: Manuel Buil <mbuil@suse.com>
2022-02-07 10:54:08 +01:00
Derek Nola 4f36c82ff7
Check for `--kubeconfig` flag with embedded `kubectl` (#5064)
* Check for kubeconfig flag

Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-02-03 09:00:24 -08:00
Ankur Gupta df4147cd57
Update legacy-unknown-cert and legacy-unknown-key (#5057)
Signed-off-by: Ankur Gupta <ankur.gupta130887@gmail.com>
2022-02-02 09:15:41 -08:00
Derek Nola d583a99f62
Add server flag to access nonlocal/nondefault k3s server (#5016)
Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-01-27 10:53:38 -08:00
Brad Davidson bc7635f01f Move containerd wait into exported function
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-01-25 13:09:30 -08:00
Roberto Bonafiglia bb856c67dc
Merge pull request #4952 from rbrtbnfgl/ipv6-nat
Add IPv6 NAT
2022-01-19 08:44:57 +01:00
Brad Davidson a094dee7dd Update packaged components
Update images and manifests/charts for coredns, local-path-provisioner, traefik, and pause

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-01-18 16:40:00 -08:00
Brad Davidson 27fe2c3c1b go generate
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-01-18 11:01:49 -08:00
Roberto Bonafiglia 8eded2749a Added debug log for IPv6 Masquerading rule
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@gmail.com>
2022-01-17 10:20:12 +01:00
Brad Davidson b1e0f4c8fc Skip CGroup v2 evac when agent is disabled
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-01-14 13:24:44 -08:00
Roberto Bonafiglia 111c1669fc Added flannel-ipv6-masq flag to enable IPv6 nat
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@gmail.com>
2022-01-14 18:35:37 +01:00
Roberto Bonafiglia 2253f64b2a Added iptables masquerade rules for ipv6 on flannel
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@gmail.com>
2022-01-14 18:35:37 +01:00
Brian Downs effcb15adb
Adds the ability to compress etcd snapshots (#4866) 2022-01-14 10:31:22 -07:00
Derek Nola 48ffed3852
Enable logging on all subcommands (#4921)
Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-01-12 14:00:40 -08:00
Brad Davidson a0cadcd343 Move ClusterResetRestore handling ControlConfig setup
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-01-12 10:46:10 -08:00
Brad Davidson 5ca206ad3b Fix handling of agent-token fallback to token
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-01-07 09:56:37 -08:00
Brad Davidson e7464a17f7 Fix use of agent creds for secrets-encrypt and config validate
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-01-06 12:55:18 -08:00
Lordran 31f1a00b6f
Fix a typo: advertise-up -> advertise-ip (#4827)
Signed-off-by: 胥朝阳 <xuzhaoyang@91cyt.com>
2022-01-06 08:52:07 -08:00
Derek Nola 2ac8df3602
Integration tests utilities improvements (#4832)
* Remove sudo commands from integration tests

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Added cleanup fucntion

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Implement better int cleanup

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Rename test utils

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Enable K3sCmd to be a single string

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Removed parsePod function

Signed-off-by: Derek Nola <derek.nola@suse.com>

* codespell

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Revert startup timeout

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Reorder sonobuoy tests, drop concurrent tests to 3

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Disable etcd

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Skip parallel testing for etcd

Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-01-06 08:05:56 -08:00
Luther Monson 66eeabbdfc linter doesn't actually run on windows, found these while getting it running on a windows machine
Signed-off-by: Luther Monson <luther.monson@gmail.com>
2021-12-28 20:44:21 -07:00
Derek Nola ff49dcf71e Export default parser
Signed-off-by: Derek Nola <derek.nola@suse.com>
(cherry picked from commit 9cc930e4a3)
2021-12-22 16:06:55 -08:00
Brad Davidson 87395e32d6 Update modules for Kubernetes v1.23
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-12-22 10:47:38 -08:00
Manuel Buil 30c701f5de
Merge pull request #4796 from manuelbuil/flannel-logrus
Move flannel logs to logrus
2021-12-22 10:33:43 +01:00
Brad Davidson a5c6e6a68a Fix panic checking name of uninitialized etcd member
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-12-21 23:38:20 -08:00
Luther Monson 02f862da5f
Merge pull request #4791 from luthermonson/vendor-rm
[master] Remove the Vendor Directory
2021-12-21 15:07:55 -07:00
Brian Downs 3ae550ae51
Update bootstrap logic to output all changed files on disk (#4800) 2021-12-21 14:28:32 -07:00
Luther Monson e6cf8f5982 code changes to drop the vendor dir
Signed-off-by: Luther Monson <luther.monson@gmail.com>
2021-12-21 14:23:38 -07:00
Manuel Buil 4eb282edac Move flannel logs to logrus
Signed-off-by: Manuel Buil <mbuil@suse.com>
2021-12-21 14:34:51 +01:00
Hussein Galal 2e91913f54
Close agentReady channel only in k3s (#4792)
* Close agentReady channel only in k3s

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* codespell check

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-12-21 00:22:49 +02:00
Brad Davidson 8ad7d141e8 Close etcd clients to avoid leaking GRPC connections
If you don't explicitly close the etcd client when you're done with it,
the GRPC connection hangs around in the background. Normally this is
harmelss, but in the case of the temporary etcd we start up on 2399 to
reconcile bootstrap data, the client will start logging errors
afterwards when the server goes away.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-12-17 23:55:17 -08:00
Manuel Buil 588d15db8f Remove Disables, Skips and DisableKubeProxy from the comparing configs
Signed-off-by: Manuel Buil <mbuil@suse.com>
2021-12-17 19:04:38 +01:00
Brad Davidson 6f4217a340 Build standalone containerd
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-12-16 12:00:15 -08:00
Derek Nola 17eebe0563
Fix cold boot and reconcilation on secondary servers (#4747)
* Enable reconcilation on secondary servers

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Remove unused code

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Attempt to reconcile with datastore first

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Added warning on failure

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Update warning

Signed-off-by: Derek Nola <derek.nola@suse.com>

* golangci-lint fix

Signed-off-by: Derek Nola <derek.nola@suse.com>
2021-12-15 15:38:50 -08:00
Hussein Galal d71b335871
Fix snapshot restoration on fresh nodes (#4737)
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-12-14 02:04:39 +02:00
Brian Downs bf4e037fcf
Resolve Bootstrap Migration Edge Case (#4730) 2021-12-13 13:02:30 -07:00
Brian Downs a6fe2c0bc5
Resolve restore bootstrap (#4704) 2021-12-09 14:54:27 -07:00
Brad Davidson a70487d5ae Update wharfie usage in windows code path
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-12-09 13:16:22 -08:00
Hussein Galal 3985fd0e26
[master] Add validation to certificate rotation (#4692)
* Add validation to certificate rotation

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Add validation to certificate rotation

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-12-09 18:57:13 +02:00
Manuel Buil 1e0696628e
Merge pull request #4581 from manuelbuil/checking-HA-parameters
Verify new control plane nodes joining the cluster share the same config as cluster members
2021-12-08 10:49:28 +01:00
Alexey Medvedchikov 8f389ab030
Include node-external-ip in serving-kubelet.crt SANs (#4620)
* Include node-external-ip in serving-kubelet.crt SANs

Signed-off-by: Alexey Medvedchikov <alexeymedvedchikov@improbable.io>
2021-12-07 15:42:40 -08:00
Derek Nola bcb662926d
Secrets-encryption rotation (#4372)
* Regular CLI framework for encrypt commands
* New secrets-encryption feature
* New integration test
* fixes for flaky integration test CI
* Fix to bootstrap on restart of existing nodes
* Consolidate event recorder

Signed-off-by: Derek Nola <derek.nola@suse.com>
2021-12-07 14:31:32 -08:00
Manuel Buil 1b3187ea07 Check HA network parameters
Signed-off-by: Manuel Buil <mbuil@suse.com>
2021-12-07 23:09:05 +01:00
Brad Davidson 7d3447ceff Bump wharfie to v0.5.1 and use shared decompression code
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-12-07 12:50:57 -08:00
Hussein Galal 77fd3e99ec
Add cert rotation command (#4495)
* Add cert rotation command

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* add function to check for dynamic listener file

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* Add dynamiclistener cert rotation support

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fixes to the cert rotation

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix ci tests

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fixes to certificate rotation command

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* more fixes

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

Co-authored-by: Brian Downs <brian.downs@gmail.com>
2021-12-02 23:19:16 +02:00
Manuel Buil 8141a933b0
Merge pull request #4550 from manuelbuil/improve_flannel_logging
Improve flannel code and logging
2021-12-01 18:22:23 +01:00
Derek Nola d05c334a78
Improved cleanup for etcd unit test (#4537)
* Improved cleanup for etcd unit test

Signed-off-by: Derek Nola <derek.nola@suse.com>
2021-11-29 14:46:58 -08:00
Chris Kim ae4a1a144a
etcd snapshot functionality enhancements (#4453)
Signed-off-by: Chris Kim <oats87g@gmail.com>
2021-11-29 10:30:04 -08:00
Brad Davidson 0c1f816f24 go generate
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-11-23 16:38:55 -08:00
Manuel Buil 7685da3e24 Improve flannel logging
Signed-off-by: Manuel Buil <mbuil@suse.com>
2021-11-22 21:51:52 +01:00
Hussein Galal 03485632ea
Fix regression with cluster reset (#4521)
* Fix regression with cluster reset

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* typo

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-11-17 23:22:18 +02:00
Derek Nola ef263bd2b0
Improved regex for double equals arguments (#4505)
Signed-off-by: Derek Nola <derek.nola@suse.com>
2021-11-16 11:16:13 -08:00
Derek Nola 535a919635
Removed value from warning about skipping flags (#4491)
* Enabled skipping of unkown flags from config in parser
* Added new unit test, expanded existing
* Add warning back in, without value

Signed-off-by: Derek Nola <derek.nola@suse.com>
2021-11-15 13:17:10 -07:00
Chris Kim f18b3252c0
[master] Add etcd extra args support for K3s (#4463)
* Add etcd extra args support for K3s

Signed-off-by: Chris Kim <oats87g@gmail.com>

* Add etcd custom argument integration test

Signed-off-by: Chris Kim <oats87g@gmail.com>

* go generate

Signed-off-by: Chris Kim <oats87g@gmail.com>
2021-11-11 21:03:15 -08:00
Thorsten Klein 41ff19de71 Feature: Add CoreDNS Customization Options
Problem:
Before, to customize CoreDNS, one had to edit the default configmap,
which gets re-written on every K3s server restart.

Solution:
Mount an additional coredns-custom configmap into the CoreDNS container
and import overrides and additional server blocks from the included
files.

Signed-off-by: Thorsten Klein <iwilltry42@gmail.com>
2021-11-11 18:41:22 -08:00
Derek Nola 4b57951fb0
Fix to allow etcd-snapshot to use config file with flags that are only used with k3s server. (#4464)
* Enabled skipping of unknown flags from config in parser
* Added new unit test, expanded existing

Signed-off-by: Derek Nola <derek.nola@suse.com>
2021-11-11 16:01:23 -08:00
Brad Davidson 5ab6d21a7d
Increase agent's apiserver ready timeout (#4454)
Since we now start the server's agent sooner and in the background, we
may need to wait longer than 30 seconds for the apiserver to become
ready on downstream projects such as RKE2.

Since this essentially just serves as an analogue for the server's
apiReady channel, there's little danger in setting it to something
relatively high.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-11-11 14:01:49 -07:00
Brad Davidson bc7cdc78ca go generate
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-11-10 17:36:01 -08:00
Manuel Buil 8271d98a76
Merge pull request #4437 from manuelbuil/fix_svclb_ipv6_rh
Allow svclb pod to enable ipv6 forwarding
2021-11-10 19:08:40 +01:00
Manuel Buil 5d168a1d59 Allow svclb pod to enable ipv6 forwarding
Signed-off-by: Manuel Buil <mbuil@suse.com>
2021-11-10 18:20:03 +01:00
Brian Downs adaeae351c
update bootstrap logic (#4438)
* update bootstrap logic resolving a startup bug and account for etcd
2021-11-10 05:33:42 -07:00
Derek Nola 7bd65047c3
Match to last After keyword for parser (#4383)
* Made parser able to skip over subcommands
* Edge case coverage, reworked regex with groups
Signed-off-by: Derek Nola <derek.nola@suse.com>
2021-11-08 10:54:48 -08:00
Luther Monson 36c6634cce
[master] updating to new signals package in wrangler (#4399)
* updating to new signals package in wrangler

Signed-off-by: Luther Monson <luther.monson@gmail.com>
2021-11-08 08:32:43 -07:00
Brad Davidson f7dcc139ff Bump klipper-lb image for arm fix
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-11-02 18:55:09 -07:00
Deshi Xiao f1622129e4 refactor: Use plain channel send or receive
fix issue #4369

should use a simple channel send/receive instead of select with a single
case

Signed-off-by: Deshi Xiao <xiaods@gmail.com>
2021-11-01 15:00:49 -07:00
Brad Davidson f9f1cabe9c Fix log/reap reexec
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-11-01 14:24:14 -07:00
Jacob Blain Christen 702fe24afe
containerd/cri: enable the btrfs snapshotter (#4316)
* vendor: btrfs
* enable the btrfs snapshotter
* testing: snapshotter/btrfs

Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
2021-10-29 23:31:33 -07:00
Brad Davidson 3da1bb3af2 Fix other uses of NewForConfigOrDie in contexts where we could return err
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-10-29 15:18:14 -07:00
Brad Davidson 5acd0b9008 Watch the local Node object instead of get/sleep looping
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-10-29 15:18:14 -07:00
Brad Davidson 3fe460d080 Block scheduler startup on untainted node when using embedded CCM
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-10-29 15:18:14 -07:00
Derek Nola 7c3f21e581
K3s Integration test fixes (#4341)
* Move tests into sub folders
* Updated documentation
* Prevent infinite loop is user has not made k3s

Signed-off-by: dereknola <derek.nola@suse.com>
2021-10-28 12:35:28 -07:00
galal-hussein ab3d25a2c5 Update peer address when running cluster-reset
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-10-25 15:43:27 -07:00
Brian Downs 0a0b915921
reset buffer after use (#4279) 2021-10-22 15:56:01 -07:00
Derek Nola 918945da45
Added configuration input to etcd-snapshot (#4280)
Signed-off-by: dereknola <derek.nola@suse.com>
2021-10-22 12:03:32 -07:00
Brian Downs e11a4bf8bb
set duration to second (#4231) 2021-10-15 16:46:39 -07:00
Brian Downs 0452f017c1
Add etcd s3 timeout (#4207) 2021-10-15 10:24:14 -07:00
Brian Downs 34080b23b1
Copy old bootstrap buffer data for use during migration (#4215) 2021-10-15 10:17:29 -07:00
Manuel Buil dbc14b8990 Fix race condition in cloud provider
Signed-off-by: Manuel Buil <mbuil@suse.com>
2021-10-15 13:28:32 +02:00
Brad Davidson 5a923ab8dc Add containerd ready channel to delay etcd node join
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-10-14 14:03:52 -07:00
Hussein Galal b282528ee2
Display cluster tls error only in debug mode (#4124)
* Display cluster tls error only in debug mode

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-10-13 00:00:28 +02:00
Brad Davidson dc18ef2e51 Refactor log and reaper exec to omit MAINPID
Using MAINPID breaks systemd's exit detection, as it stops watching the
original pid, but is unable to watch the new pid as it is not a child
of systemd itself. The best we can do is just notify when execing the child
process.

We also need to consolidate forking into a sigle place so that we don't
end up with multiple levels of child processes if both redirecting log
output and reaping child processes.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-10-12 13:35:10 -07:00
Derek Nola feec44572d
Improve error message when using a "K10" prefixed token (#4180)
* Add new error message with a K10 prefixed secret token

Signed-off-by: dereknola <derek.nola@suse.com>
2021-10-11 10:00:22 -07:00
Brian Downs ac7a8d89c6
Add ability to reconcile bootstrap data between datastore and disk (#3398) 2021-10-07 12:47:00 -07:00
Derek Nola b6919adf62
Add "etcd-" prefix to etcd-snapshot commands as aliases (#4161)
* Add "etcd-" prefix to etcd-snapshot commands as alias

Signed-off-by: dereknola <derek.nola@suse.com>
2021-10-06 14:20:22 -07:00
Manuel Buil 635f790eb4
Merge pull request #4114 from manuelbuil/lb-controller-dual-stack
Dual-stack support in serviceLB controller
2021-10-06 16:08:10 +02:00
Manuel Buil 00cf4578ec Dual-stack support LB controller
Signed-off-by: Manuel Buil <mbuil@suse.com>
2021-10-06 11:06:20 +02:00
Marc Bachmann 9b35734e1a Add topologySpreadConstraints to support scaling of coredns
Signed-off-by: Marc Bachmann <marc.brookman@gmail.com>
2021-10-05 11:52:44 -07:00
Brad Davidson 12e675e2cc Don't evacuate the root cgroup when rootless
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-10-01 16:18:12 -07:00
Brad Davidson 5d1a37ee32 Send MAINPID to systemd when reexecing for logfile output
This allows the new process to notify systemd when it is ready.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-09-29 11:41:09 -07:00
Brad Davidson a16105b348 Properly handle operation as init process
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-09-28 11:05:34 -07:00
Brian Downs f4cea90cb9
set transport to skip verify if se skip flag passed (#4102) 2021-09-28 10:13:50 -07:00
Manuel Buil 87524a7ac7 Enable the inheritance of settings for ipv6
Signed-off-by: Manuel Buil <mbuil@suse.com>
2021-09-28 09:42:08 +02:00
Michal Rostecki 47676eff78
Merge pull request #4080 from manuelbuil/update_klipperlb2
Use the new klipper-lb image that has newer go and Alpine versions
2021-09-27 10:11:52 +02:00
Brad Davidson 73e21e739f Drop broken SupportNoneCgroupDriver support
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-09-23 16:12:51 -07:00
Manuel Buil b99b943c17 Use the new klipper-lb image that has newer go and Alpine versions
Signed-off-by: Manuel Buil <mbuil@suse.com>
2021-09-22 09:23:38 +02:00
Brad Davidson 28be0de4e8 Revert "Use the newer klipper-lb image"
This reverts commit 1d21491094.
2021-09-20 13:19:38 -07:00
Brad Davidson 64b502e92c Disable automounting service account token in servicelb pods
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-09-17 15:52:44 -07:00
Hussein Galal 7826407a2e
Make sure there are no duplicates in etcd member list (#4025)
* Make sure there are no duplicates in etcd member list

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix node names with hyphens

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* use full server name for etcd node name

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-09-18 00:51:18 +02:00
Manuel Buil 1d21491094 Use the newer klipper-lb image
Signed-off-by: Manuel Buil <mbuil@suse.com>
2021-09-17 15:42:48 -07:00
Brad Davidson 753e11ee3c Enable JobTrackingWithFinalizers FeatureGate
Works around issue with Job controller not tracking job pods that
are in CrashloopBackoff during upgrade from 1.21 to 1.22.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-09-17 11:26:45 -07:00
Derek Nola eda65b19d9
Remove expiremental from cluster commands (#4024)
Signed-off-by: dereknola <derek.nola@suse.com>
2021-09-15 16:41:50 -07:00
Joe Kralicky debb508643
Nvidia container runtime discovery in containerd config template (#3890)
* Update the default containerd config template with support for adding extra container runtimes. Add logic to discover nvidia container runtimes installed via the the gpu operator or package manager.

Signed-off-by: Joe Kralicky <joe.kralicky@suse.com>
2021-09-15 14:31:11 -07:00
Brad Davidson 086ca8ba6a Fix premature etcd shutdown when joining an existing cluster
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-09-15 10:35:07 -07:00
Manuel Buil 60cd86bc42
Merge pull request #3906 from manuelbuil/dual-stack
Add dual-stack support on flannel
2021-09-15 18:48:10 +02:00
Brad Davidson 85e11c47d1 Add StargzSupported stub for Windows
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-09-15 09:45:57 -07:00
Chris Kim acf9036b63
No-op when etcd member was already removed and use existing name for etcd controller (#4014)
Signed-off-by: Chris Kim <oats87g@gmail.com>
2021-09-15 08:41:30 -07:00
Manuel Buil 9fcd79baae Add tests to the dual-stack PR and enable dual-stack with flannel backend
Signed-off-by: Manuel Buil <mbuil@suse.com>
2021-09-15 14:11:54 +02:00
Manuel Buil 681058bb40 Add dual-stack support
Signed-off-by: Manuel Buil <mbuil@suse.com>
2021-09-15 11:44:48 +02:00
Brad Davidson b72306ce3d Return the error since it just gets logged and retried anyways
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-09-14 16:41:27 -07:00
Brad Davidson 5986898419 Use SubjectAccessReview to validate CCM RBAC
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-09-14 16:41:27 -07:00
Brad Davidson dc556cbb72 Set controller authn/authz kubeconfigs
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-09-14 16:41:27 -07:00
Brad Davidson 199424b608 Pass context into all Executor functions
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-09-14 16:41:27 -07:00
Chris Kim 928b8531c3
[master] Add `etcd-member-management` controller to K3s (#4001)
* Initial leader elected etcd member management controller
* Bump etcd to v3.5.0-k3s2

Signed-off-by: Chris Kim <oats87g@gmail.com>
2021-09-14 08:20:38 -07:00
Brad Davidson 57377d2cd4 Minor cleanup on cribbed function
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-09-10 17:04:15 -07:00
Brad Davidson 3449d5b9f9 Wait for apiserver readyz instead of healthz
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-09-10 17:04:15 -07:00
Brad Davidson b4d8c641c6 Add exposed metrics listener instead of replacing loopback listener
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-09-10 09:39:39 -07:00
Brad Davidson 29c8b238e5 Replace klog with non-exiting fork
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-09-10 09:36:16 -07:00
Brad Davidson 90960ebf4e SupportPodPidsLimit is locked to true of 1.20, making pids cgroup support mandatory
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-09-09 11:49:53 -07:00
Darren Shepherd 741ba95b04 Migrate sqlite data to etcd when initializing the cluster
Signed-off-by: Darren Shepherd <darren@rancher.com>
2021-09-09 10:24:02 -07:00
Devin Buhl a1ec43e0b7
feat: add option to disable s3 over https
Signed-off-by: Devin Buhl <devin.kray@gmail.com>
2021-09-05 12:03:49 -04:00
Kohei Tokunaga 8b857eef9c
Ship Stargz Snapshotter (#2936)
* Ship Stargz Snapshotter

Signed-off-by: ktock <ktokunaga.mail@gmail.com>

* Bump github.com/containerd/stargz-snapshotter to v0.8.0

Signed-off-by: Kohei Tokunaga <ktokunaga.mail@gmail.com>
2021-09-01 16:27:42 -07:00
Brad Davidson cf12a13175 Add missing node name entry to apiserver SAN list
Also honor node-ip when adding the node address to the SAN list, instead
of hardcoding the autodetected IP address.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-09-01 13:22:32 -07:00
Brad Davidson b8add39b07 Bump kine for metrics/tls changes
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-09-01 01:51:30 -07:00
Hussein Galal 933052a02c
Fix condition for adding kubernetes endpoints (#3941)
* Fix condition for adding kubernetes endpoints

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Fix condition for adding kubernetes endpoints

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-08-31 00:57:17 +02:00
Derek Nola 60297a1bbe
Creation of K3s integration test Sonobuoy plugin (#3931)
* Added test runner and build files
* Changes to int test to output junit results.
* Updated documentation, removed comments

Signed-off-by: dereknola <derek.nola@suse.com>
2021-08-30 08:27:59 -07:00
Brad Davidson 2a68c7c8a4 Fix issue where addon checksum was never stored
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-08-27 10:26:13 -07:00
Manuel Buil 2e5c9e5cad
Merge pull request #3916 from manuelbuil/net_v6
Add functions to separate ipv4 and ipv6 CIDRs
2021-08-27 18:57:54 +02:00
Manuel Buil 96dcef478a Add functions to separate ipv4 from ipv6 functions
Signed-off-by: Manuel Buil <mbuil@suse.com>
2021-08-27 10:14:39 +02:00
Derek Nola 114b30277f
Redux: Enable K3s integration test to run on existing cluster (#3905)
* Made it possible to run int tests on existing cluster

Signed-off-by: dereknola <derek.nola@suse.com>
2021-08-26 16:26:19 -07:00
Akihiro Suda 331c6fed71 Remove runtime V1 (`containerd-shim`)
Fix issue 3105

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-08-26 11:50:33 -07:00
Akihiro Suda 176451f4ea
Fix rootless regression in 1.22 (Set KubeletInUserNamespace gate) (#3901)
Fix issue 3900

Kubernetes 1.22 requires `KuebletInUserNamespace` feature gate to be set for rootless:
https://kubernetes.io/docs/tasks/administer-cluster/kubelet-in-userns/#userns-the-hard-way

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-08-24 08:27:17 -07:00
Derek Nola 66dacc6ee0
Revert "Enable K3s integration test to run on existing cluster (#3892)" (#3899)
This reverts commit 703b5af950.
2021-08-24 07:26:14 -07:00
Derek Nola 703b5af950
Enable K3s integration test to run on existing cluster (#3892)
* Made it possible to run int tests on existing cluster

Signed-off-by: dereknola <derek.nola@suse.com>
2021-08-23 12:12:03 -07:00
Brad Davidson e95b75409a Fix lint failures
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-08-20 18:47:16 -07:00
Brad Davidson a5355f0827 Replace dropped v1beta1 APIs with v1
Requires updating traefik as well to drop deprecated types.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-08-20 18:47:16 -07:00
Brad Davidson dc14f370c4 Update wrangler to v0.8.5
Required to support apiextensions.v1 as v1beta1 has been deleted. Also
update helm-controller and dynamiclistener to track wrangler versions.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-08-20 18:47:16 -07:00
Brad Davidson c434db7cc6 Wrap errors in runControllers for additional context
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-08-20 18:47:16 -07:00
Brad Davidson 422d266da2 Disable deprecated insecure port
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-08-20 18:47:16 -07:00
Brad Davidson 641ab26fde Update containerd to 1.5
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-08-20 18:47:16 -07:00
Brad Davidson 872855015c Update etcd to v3.5.0
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-08-20 18:47:16 -07:00
Brad Davidson e204d863a5 Update Kubernetes to v1.22.1
* Update Kubernetes to v1.22.1
* Update dependent modules to track with upstream

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-08-20 18:47:16 -07:00
Derek Nola ed5991f13b
K3s Flock Integration Test (#3887)
* Upgraded flock with shared and integration test.

Signed-off-by: dereknola <derek.nola@suse.com>

Co-authored-by: Brian Downs <brian.downs@gmail.com>
2021-08-20 12:34:22 -07:00
Hussein Galal e322924781
Reset load balancer state during restoraion (#3877)
* Reset load balancer state during restoraion

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Reset load balancer state during restoraion

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-08-18 01:02:30 +02:00
Malte Starostik b23955e835
Fix URL pruning when joining an etcd member (#3832)
* Fix URL pruning when joining an etcd member

Problem:
Existing member clientURLs were checked if they contain the joining
node's IP. In some edge cases this would prune valid URLs when the
joining IP is a substring match of the only existing member's IP.
Because of this, it was impossible to e.g. join 10.0.0.2 to an existing
node that has an IP of 10.0.0.2X or 10.0.0.2XX:

level=fatal msg="starting kubernetes: preparing server: start managed database:
joining etcd cluster: etcdclient: no available endpoints"

Solution:
Fixed by properly parsing the URLs and comparing the IPs for equality
instead of substring match.

Signed-off-by: Malte Starostik <info@stellaware.de>
2021-08-12 15:59:04 -07:00
Derek Nola a1e36153f9
Added locking system for integration tests (#3820)
* Added locking system for integration tests
Signed-off-by: dereknola <derek.nola@suse.com>
2021-08-10 16:22:12 -07:00
Jamie Phillips ae909c73e5 Updated the code to use GetNetworkByName and tweaked logic.
Updated the method being called and tweaked the logic.

Signed-off-by: Jamie Phillips <jamie.phillips@suse.com>
2021-08-10 13:53:08 -07:00
Derek Nola 4cc781b5e3
Moved testing utils into tests directory. Improved gotests template. (#3805)
* Moved testing utils into tests directory. Improved gotests template.
* Updated cgroups2 with util folder rename

Signed-off-by: dereknola <derek.nola@suse.com>
2021-08-10 11:13:26 -07:00
Brian Downs dcf0657b20
account for an s3 folder when listing objects (#3807)
* account for an s3 folder when listing objects
2021-08-09 16:14:41 -07:00
Derek Nola b4eca61aeb
Prevent snapshot commands from creating empty snapshot directory (#3783)
Signed-off-by: dereknola <derek.nola@suse.com>
2021-08-09 09:04:18 -07:00
Jiaqi Luo 3b01157a3a
Use New Image Names (#3749)
* switch image names to the ones with the prefix mirrored
* bump rancher/mirrored-coredns-coredns to 1.8.4

Signed-off-by: Jiaqi Luo <6218999+jiaqiluo@users.noreply.github.com>
2021-08-06 16:14:58 -07:00
Hussein Galal bc96ffb5f3
Fix Node stuck at deletion (#3771)
* fix Node stuck at deletion

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix Node stuck at deletion

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-08-05 22:32:01 +02:00
Brad Davidson dfd4e42e57 Wrap context with lease before importing images
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-08-04 10:22:19 -07:00
Hussein Galal 2069cdf4ee
Fix initial start of etcd only nodes (#3748)
* Fix initial start of etcd only nodes

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* more fixes

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* more fixes

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-08-03 19:53:21 +02:00
Ryan Sanna 429af17e4d update rancher/local-path-provisioner to v0.0.20
Signed-off-by: Ryan Sanna <ryansann@umich.edu>
2021-08-02 12:25:47 -07:00
Brad Davidson 5ab3590d9b Improve config retrieval messages
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-07-30 12:26:50 -07:00
Brad Davidson 869b98bc4c Sync DisableKubeProxy into control struct
Sync DisableKubeProxy from cfg into control before sending control to clients,
as it may have been modified by a startup hook.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-07-30 12:26:50 -07:00
Hussein Galal b1b5f72dc3
Notify systemd for etcd only node (#3732)
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-07-29 23:42:19 +02:00
Jamie Phillips 7704fb6ee5
Exporting the AddFeatureGate function and adding a unit test for it. (#3661) 2021-07-28 13:04:42 -07:00
Jamie Phillips fc19b805d5
Added logic to strip any existing hyphens before processing the args. (#3662)
Updated the logic to handle if extra args are passed with existing hyphens in the arg. The test was updated to add the additional case of having pre-existing hyphens. The method name was also refactored based on previous feedback.
2021-07-28 13:04:19 -07:00
Derek Nola a1d7a62493
Fix to allow non-root users access to storage volumes. (#3714)
* Fix to prevent non-root users from accessing storage directory, while allowing non-root users access to subdirectories.

Signed-off-by: dereknola <derek.nola@suse.com>

* Added integration test

Signed-off-by: dereknola <derek.nola@suse.com>
2021-07-28 10:25:34 -07:00
Brad Davidson 90445bd581
Wait until server is ready before configuring kube-proxy (#3716)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-07-27 14:56:05 -07:00
Derek Nola 21c8a33647
Introduction of Integration Tests (#3695)
* Commit of new etcd snapshot integration tests.
* Updated integration github action to not run on doc changes.
* Update Drone runner to only run unit tests

Signed-off-by: dereknola <derek.nola@suse.com>
2021-07-26 09:59:33 -07:00
galal-hussein 20a48734c2 more fixes
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-07-21 22:42:05 +02:00
galal-hussein 7ebcc4b134 more fixes
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-07-21 22:39:44 +02:00
galal-hussein b4401296ec replace error with warn in delete
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-07-21 22:18:56 +02:00
galal-hussein 2f82bfcf67 fix warning msg
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-07-21 22:05:43 +02:00
galal-hussein b377839148 migrate old token key format
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-07-21 20:59:57 +02:00
galal-hussein 997ed7b9b4 simplifying the code
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-07-21 19:56:19 +02:00
galal-hussein ad17292fa8 migrate empty string key properly
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-07-21 19:21:38 +02:00
galal-hussein a65e5b6466 Fix multiple bootstrap keys found
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-07-21 02:50:42 +02:00
Luther Monson 37fcb61f5e move go routines for api server ready beneath wait group
Signed-off-by: Luther Monson <luther.monson@gmail.com>
2021-07-20 17:36:34 -07:00
Luther Monson 18bc98f60c
adding startup hooks args to access to Disables and Skips (#3674)
Signed-off-by: Luther Monson <luther.monson@gmail.com>
2021-07-20 05:24:52 +02:00
Derek Nola bba49ea447
Fix to allow prune to correctly cleanup custom named snapshots (#3649)
Signed-off-by: dereknola <derek.nola@suse.com>
2021-07-19 14:30:57 -07:00
Jamie Phillips aef8a6aafd
Adding support for waitgroup to the Startuphooks (#3654)
The startup hooks where executing after the deploy controller. We needed the deploy controller to wait until the startup hooks had completed.
2021-07-15 19:28:47 -07:00
Hussein Galal a939decf01
fix a runtime core panic (#3627)
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-07-13 23:33:07 +02:00
Derek Nola 55fe4ff5b0
Convert existing unit tests to standard layout (#3621)
* Converted parser_test.go, scrypt_test.go, types_test.go, nodeconfig_test.go

Signed-off-by: dereknola <derek.nola@suse.com>
2021-07-13 10:44:11 -07:00
Brian Downs 238dc2086e
prevent snapshot save when snapshots are disabled (#3475)
* prevent snapshot save when snapshots are disabled
2021-07-09 10:22:49 -07:00
William Zhang a4c992ce52 🐳 burp to inetaf/tcpproxy
Problem:
    tcpproxy repository has been moved out of the github.com/google org to github.com/inetaf.

    Solution:
    Switch to the new repo.
    FYI: https://godoc.org/inet.af/tcpproxy/

Signed-off-by: William Zhang <warmchang@outlook.com>
2021-07-08 16:58:09 -07:00
Chris Kim ada145641c
Update etcd snapshot error message to be more informative when etcd database is not found (#3568)
Signed-off-by: Chris Kim <oats87g@gmail.com>
2021-07-07 16:01:50 -07:00
Jamie Phillips a62d143936 Fixing various bugs related to windows.
This changes the crictl template for issues with the socket information. It also addresses a typo in the socket address. Last it makes tweaks to configuration that aren't required or had incorrect logic.

Signed-off-by: Jamie Phillips <jamie.phillips@suse.com>


spelling
2021-07-07 15:50:34 -07:00
Derek Nola 73df2d806b
Update embedded kube-router (#3557)
* Update embedded kube-router

Signed-off-by: dereknola <derek.nola@suse.com>
2021-07-07 08:46:10 -07:00
Deshi Xiao 77fcf2dfc5 missing build tag for windows
Signed-off-by: Deshi Xiao <xiaods@gmail.com>
2021-07-05 22:30:54 +08:00
Derek Nola c833183517
Add unit tests for pkg/etcd (#3549)
* Created new etcd unit tests and testing support file

Signed-off-by: dereknola <derek.nola@suse.com>
2021-07-01 16:08:35 -07:00
Brad Davidson cbfe673c43 Fix spelling to satisfy codespell check
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-07-01 13:29:03 -07:00
Brad Davidson cbacd7107e Allow passing targeted environment variables to containerd
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-07-01 13:29:03 -07:00
Hussein Galal f5fbb9a9a8
Export cli server flags and etcd restoration functions (#3527)
* Export cli server flags and etfd restoration functions

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* export S3

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-06-30 22:29:03 +02:00
Brad Davidson 246b378a27 Bump kine to resolve race condition and unrevisioned delete
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-06-30 09:54:46 -07:00
Derek Nola 3e1693bc97
Changes local storage pods to have 700 permissions (#3537)
* Changes local storage pods to have 700 permissions

Signed-off-by: dereknola <derek.nola@suse.com>
2021-06-29 13:58:12 -07:00
Chris Kim 04398a2582
Move cloud-controller-manager into an embedded executor (#3525)
* Move cloud-controller-manager into an embedded executor
* Import K3s cloud provider and clean up imports

Signed-off-by: Chris Kim <oats87g@gmail.com>
2021-06-29 07:28:38 -07:00
Joe Kralicky a84c75af62 Adds a command-line flag '--disable-helm-controller' that will disable
the server's built-in helm controller.

Problem:
Testing installation and uninstallation of the Helm Controller on k3s is
not possible if the Helm Controller is baked into the k3s server.

Solution:
The Helm Controller can optionally be disabled, which will allow users
to manage its installation manually.

Signed-off-by: Joe Kralicky <joe.kralicky@suse.com>
2021-06-25 14:54:36 -04:00
Jamie Phillips 82394d7d36 Basic windows agent that will join a cluster without CNI.
Signed-off-by: Jamie Phillips <jamie.phillips@suse.com>
2021-06-23 09:07:50 -07:00
Hussein Galal 136dddca11
Fix storing bootstrap data with empty token string (#3422)
* Fix storing bootstrap data with empty token string

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* delete node password secret after restoration

fixes to bootstrap key

vendor update

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix comment

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix typo

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* more fixes

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fixes

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fixes

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* typos

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Removing dynamic listener file after restoration

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* go mod tidy

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-06-22 22:42:34 +02:00
Derek Nola 4b2ab8b515
Renamed client-cloud-controller crt and key (#3470)
Signed-off-by: dereknola <derek.nola@suse.com>
2021-06-16 13:54:35 -07:00
Derek Nola ef23c6c548
Redux: Change containerd image leases from context lifespan to permanent (#3464)
* Changed containerd image licenses from context lifespan to permanent. Delete any existing licenses owned by k3s on server startup

Signed-off-by: dereknola <derek.nola@suse.com>
2021-06-16 12:11:10 -07:00
Derek Nola b74c499709
Revert "Change containerd image leases from 24h to permanent (#3452)" (#3461)
This reverts commit 86b3ba8dba.
2021-06-15 14:56:14 -07:00
Derek Nola 86b3ba8dba
Change containerd image leases from 24h to permanent (#3452)
* Changed containerd image licenses from 24h to permanent. Delete any existing licenses on server startup

Signed-off-by: dereknola <derek.nola@suse.com>
2021-06-15 11:42:52 -07:00
Brian Downs 88f95ec409
Send systemd notifications for both server and agent (#3430)
* update agent to sent systemd notify after everything starts
2021-06-15 04:20:26 -07:00
Brad Davidson a7d1159ba6 Emit events for AddOn lifecycle
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-06-11 14:00:27 -07:00
Brad Davidson ea2cd6d727 Add comments, clean up imports and function names
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-06-11 14:00:27 -07:00
Brad Davidson 6e48ca9b53 Tidy up function calls with many args
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-06-11 14:00:27 -07:00
Brad Davidson 6ef000091a Add nodename to UA string for deploy controller
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-06-10 17:05:52 -07:00
Brad Davidson f6cec4e75d Add kubernetes.default.svc to serving certs
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-06-08 12:55:20 -07:00
Manuel Buil 243fd14cf1 Change Replace with ReplaceAll function
strings has a specific function to replace all matches. We should use that one instead of strings.Replace(string, old, new string, -1)

Signed-off-by: Manuel Buil <mbuil@suse.com>
2021-06-07 09:52:26 +02:00
Brian Downs afd506a595 fix possible race where bootstrap data might not save
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2021-06-04 15:05:47 -07:00
Brian Downs 2682183773 add log message indicating etcd snapshots are disabled
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2021-06-04 09:18:16 -07:00
Derek Nola 664a98919b
Fix RBAC cloud-controller-manager name 3308 (#3388)
* Changed cloud-controller-manager user name in ccm.yaml

Signed-off-by: dereknola <derek.nola@suse.com>

* Changed RBAC name in server.go

Signed-off-by: dereknola <derek.nola@suse.com>

* Changed "k3s" string prefix to version.Program to prevent static hardcoding

Signed-off-by: dereknola <derek.nola@suse.com>

* Changed user in ccm.yaml to k3s-cloud-controller-manager

Signed-off-by: dereknola <derek.nola@suse.com>
2021-06-02 14:50:11 -07:00
Manuel Buil 5153088286
Merge pull request #3385 from manuelbuil/wireguard-fix
Move wireguard's privatekey to flannel config directory
2021-06-02 09:44:27 +02:00
Manuel Buil 1576030d6b Add a path for wireguard's privatekey
Signed-off-by: Manuel Buil <mbuil@suse.com>
2021-06-01 21:54:17 +02:00
Jamie Phillips 7345ac35ae
Initial windows support for agent (#3375)
Signed-off-by: Jamie Phillips <jamie.phillips@suse.com>
2021-06-01 12:29:46 -07:00
Brian Downs ecbf17e2ed move object channel defer close to goroutine
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2021-05-18 19:58:30 -07:00
Brian Downs 254b52077e add retention default and wire in s3 prune
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2021-05-18 13:57:40 -07:00
Brad Davidson 7e175e8ad4 Handle conntrack-related sysctls in supervisor agent setup
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-05-18 13:40:44 -07:00
Brian Downs e8ecc00fc8 add etcd snapshot save subcommand
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2021-05-17 10:55:13 -07:00
Brian Downs 6ee28214fa
Add the ability to prune etcd snapshots (#3310)
* add prune subcommand to force rentention policy enforcement
2021-05-13 13:36:33 -07:00
Brad Davidson 079620ded0 Fix passthrough of SystemDefaultRegistry from server config
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-05-13 02:18:09 -07:00
MonzElmasry 24474c5734
change --disable-apiserver flag
Signed-off-by: MonzElmasry <menna.elmasry@rancher.com>
2021-05-13 00:00:11 +02:00
Brad Davidson e10524a6b1 Add executor.Bootstrap hook for pre-execution setup
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-05-11 18:46:15 -07:00
Brian Downs bcd8b67db4
Add the ability to list etcd snapshots (#3303)
* add ability to list local and s3 etcd snapshots
2021-05-11 16:59:33 -07:00
Brad Davidson 02a5bee62f
Add system-default-registry support and remove shared code (#3285)
* Move registries.yaml handling out to rancher/wharfie
* Add system-default-registry support
* Add CLI support for kubelet image credential providers

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-05-10 15:58:41 -07:00
Hussein Galal 948295e8e8
Fix cluster restoration in rke2 (#3295)
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-05-11 00:06:33 +02:00
Brad Davidson fc037e87f8 Use config file values in node-args annotation
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-05-10 14:08:02 -07:00
Brian Downs e998cd110d
Add the ability to delete an etcd snapshot locally or from S3 (#3277)
* Add the ability to delete a given set of etcd snapshots from the CLI for locally stored and S3 store snapshots.
2021-05-07 16:10:04 -07:00
Siegfried Weber e77fd18270 Sign CSRs for kubelet-serving with the server CA
Problem:
Only the client CA is passed to the kube-controller-manager and
therefore CSRs with the signer name "kubernetes.io/kubelet-serving" are
signed with the client CA. Serving certificates must be signed with the
server CA otherwise e.g. "kubectl logs" fails with the error message
"x509: certificate signed by unknown authority".

Solution:
Instead of providing only one CA via the kube-controller-manager
parameter "--cluster-signing-cert-file", the corresponding CA for every
signer is set with the parameters
"--cluster-signing-kube-apiserver-client-cert-file",
"--cluster-signing-kubelet-client-cert-file",
"--cluster-signing-kubelet-serving-cert-file", and
"--cluster-signing-legacy-unknown-cert-file".

Signed-off-by: Siegfried Weber <mail@siegfriedweber.net>
2021-05-05 15:59:57 -07:00
Hussein Galal f410fc7d1e
Invoke cluster reset function when only reset flag is passed (#3276)
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-05-05 17:40:04 +02:00
Brian Downs beb0d8397a reference node name when needed
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2021-05-04 10:03:28 -07:00
Brian Downs c5ad71ce0b
Collect and Store etcd Snapshots and Metadata (#3239)
* Add the ability to store local etcd snapshots and etcd snapshots stored in an S3 compatible object store in a ConfigMap.
2021-04-30 18:26:39 -07:00
Hussein Galal 2db3bf7a89
Export CriConnection function (#3225)
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-04-29 22:11:19 +02:00
Brad Davidson 3cb4ca4b35 Use same SANs on ServingKubeAPICert as dynamiclistener
The kube-apiserver cert should have the same SANs in the same order,
excluding the extra user-configured SANs since this will only be used
in-cluster.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-04-28 09:58:19 -07:00
Darren Shepherd 8f1a20c0d3 Add ability to append to slice during config file merge
If key ends in "+" the value of the key is appended to previous
values found.  If values are string instead of a slice they are
automatically converted to a slice of one string.

Signed-off-by: Darren Shepherd <darren@rancher.com>
2021-04-27 15:59:03 -07:00
Brad Davidson 2705431d96
Add support for dual-stack Pod/Service CIDRs and node IP addresses (#3212)
* Add support for dual-stack cluster/service CIDRs and node addresses

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-04-21 15:56:20 -07:00
Darren Shepherd a0a1071aa5
Support .d directory for k3s config file (#3162)
Configuration will be loaded from config.yaml and then config.yaml.d/*.(yaml|yml) in
alphanumeric order.  The merging is done by just taking the last value of
a key found, so LIFO for keys.  Slices are not merged but replaced.

Signed-off-by: Darren Shepherd <darren@rancher.com>
2021-04-15 11:29:24 -07:00
Brad Davidson 601c4984f5 Fix service-account-issuer
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-04-14 14:51:42 -07:00
Brad Davidson e8381db778 Update Kubernetes to v1.21.0
* Update Kubernetes to v1.21.0
* Update to golang v1.16.2
* Update dependent modules to track with upstream
* Switch to upstream flannel
* Track changes to upstream cloud-controller-manager and FeatureGates

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-04-14 14:51:42 -07:00
Brian Downs 66ed6efd57 Resolve local retention issue when S3 in use.
Remove early return preventing local retention policy to be enforced
resulting in N number of snapshots being stored.

Signed-off-by: Brian Downs <brian.downs@gmail.com>
2021-04-14 10:40:08 -07:00
Brian Downs 80e4baf525 add hidden attribute to disable flags
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2021-04-13 14:30:47 -07:00
Brian Downs d9381b84ad add etcd s3 secret and access key flags and env vars to secret data
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2021-04-12 14:47:16 -07:00
Brian Downs 693c5290b1
Update CoreDNS to version 1.8.3. (#3168)
* update CoreDNS to 1.8.3

Rerun go generate and update the CoreDNS RBAC
2021-04-09 16:47:16 -07:00
Brian Downs ad4f04d2fc
Merge pull request #3155 from briandowns/rke2-issue-856
remove hidden attribute from cluster flags and related code
2021-04-09 12:55:27 -07:00
Erik Wilson 9a53fca872 Bump traefik to v2.4.8
Signed-off-by: Erik Wilson <Erik.E.Wilson@gmail.com>
2021-04-08 17:42:58 -07:00
Brad Davidson 58e93feda6
Fix CI failures non-deterministic traefik chart repackaging (#3165)
* Fix CI failures non-deterministic traefik chart repackaging
* Update generated bindata

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-04-08 15:33:15 -07:00
Brian Downs 4a49b9e40b delete nocluster file and remove build tag
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2021-04-07 12:16:28 -07:00
Brian Downs 3ed9b0a997 remove hidden attribute from cluster flags and related code
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2021-04-07 11:36:02 -07:00
Xiao Deshi cfe7e0c734 remove duplicated func GetAddresses
refactor tunnel.go and controller.go, remove duplicated lines.

Signed-off-by: Xiao Deshi <xiaods@gmail.com>
2021-03-31 14:23:05 -07:00
Akihiro Suda cb73461a5b AkihiroSuda/containerd-fuse-overlayfs -> containerd/fuse-overlayfs-snapshotter
The repo has been moved.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-03-24 10:34:34 -07:00
Akihiro Suda e672c988e4 rootless: allow kernel.dmesg_restrict=1
When `/dev/kmsg` is unreadable due to sysctl value `kernel.dmesg_restrict=1`,
bind-mount `/dev/null` into `/dev/kmsg`

Fix issue 3011

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-03-24 01:03:14 -07:00
Akihiro Suda 6e8284e3d4 rootless: enable resource limitation (requires cgroup v2, systemd)
Now rootless mode can be used with cgroup v2 resource limitations.
A pod is executed in a cgroup like "/user.slice/user-1001.slice/user@1001.service/k3s-rootless.service/kubepods/podd0eb6921-c81a-4214-b36c-d3b9bb212fac/63b5a253a1fd4627da16bfce9bec58d72144cf30fe833e0ca9a6d60ebf837475".

This is accomplished by running `kubelet` in a cgroup namespace, and enabling `cgroupfs` driver for the cgroup hierarchy delegated by systemd.

To enable cgroup v2 resource limitation, `k3s server --rootless` needs to be launched as `systemctl --user` service.
Please see the comment lines in `k3s-rootless.service` for the usage.

Running `k3s server --rootless` via a terminal is not supported.
When it really needs to be launched via a terminal, `systemd-run --user -p Delegate --tty` needs to be prepended to create a systemd scope.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-03-24 00:37:30 -07:00
Akihiro Suda 11ef43011a bump up RootlessKit
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-03-24 00:37:30 -07:00
Brian Downs 400a632666 put etcd bootstrap save call in goroutine and update comment
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2021-03-17 14:33:00 -07:00
Hussein Galal 73df65d93a
remove etcd data dir when etcd is disabled (#3059)
* remove etcd data dir when etcd is disabled

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix comment

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* more fixes

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* use debug instead of info logs

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-03-16 18:14:43 +02:00
Jacob Blain Christen 618b0f98bf
registry mirror repository rewrites (#3064)
Support repository regex rewrite rules when fetching image content.

Example configuration:
```yaml
# /etc/rancher/k3s/registries.yaml
mirrors:
  "docker.io":
    endpoint:
    - "https://registry-1.docker.io/v2"
    rewrite:
      "^library/alpine$": "my-org/alpine"
```

This will instruct k3s containerd to fetch content for `alpine` images
from `docker.io/my-org/alpine` instead of the default
`docker.io/library/alpine` locations.

Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
2021-03-15 16:17:27 -07:00
Brian Downs 7c99f8645d
Have Bootstrap Data Stored in etcd at Completed Start (#3038)
* have state stored in etcd at completed start and remove unneeded code
2021-03-11 13:07:40 -07:00
Chris Kim 69f96d6225
Define a Controllers and LeaderControllers on the server config (#3043)
Signed-off-by: Chris Kim <oats87g@gmail.com>
2021-03-11 10:39:00 -08:00
Brad Davidson 8ace8975d2 Don't start up multiple apiserver load balancers
get() is called in a loop until client configuration is successfully
retrieved. Each iteration will try to configure the apiserver proxy,
which will in turn create a new load balancer. Skip creating a new
load balancer if we already have one.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-03-08 17:05:25 -08:00
Brad Davidson c0d129003b Handle loadbalancer port in TIME_WAIT
If the port wanted by the client load balancer is in TIME_WAIT, startup
will fail. Set SO_REUSEPORT so that it can be listened on again
immediately.

The configurable Listen call wants a context, so plumb that through as
well.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-03-08 17:05:25 -08:00
Brad Davidson 7cdfaad6ce
Always use static ports for client load-balancers (#3026)
* Always use static ports for the load-balancers

This fixes an issue where RKE2 kube-proxy daemonset pods were failing to
communicate with the apiserver when RKE2 was restarted because the
load-balancer used a different port every time it started up.

This also changes the apiserver load-balancer port to be 1 below the
supervisor port instead of 1 above it. This makes the apiserver port
consistent at 6443 across servers and agents on RKE2.

Additional fixes below were required to successfully test and use this change
on etcd-only nodes.

* Actually add lb-server-port flag to CLI
* Fix nil pointer when starting server with --disable-etcd but no --server
* Don't try to use full URI as initial load-balancer endpoint
* Fix etcd load-balancer pool updates
* Update dynamiclistener to fix cert updates on etcd-only nodes
* Handle recursive initial server URL in load balancer
* Don't run the deploy controller on etcd-only nodes
2021-03-06 02:29:57 -08:00
Hussein Galal c26b737b24
Mark disable components flags as experimental (#3018)
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-03-05 00:05:20 +02:00
Brian Downs 4d1f9eda9d
Etcd Snapshot/Restore to/from S3 Compatible Backends (#2902)
* Add functionality for etcd snapshot/restore to and from S3 compatible backends.
* Update etcd restore functionality to extract and write certificates and configs from snapshot.
2021-03-03 11:14:12 -07:00
Hussein Galal 1bf04b6a50
Merge pull request #3003 from galal-hussein/fix_etcd_only_nodes
Fix etcd only nodes
2021-03-02 02:16:02 +02:00
Brad Davidson 4fb073e799 Log clearer error on startup if NPC cannot be started
Servers should always be upgraded before agents, but generally this
isn't required because things are compatible between versions. In this
case we're OK with failing closed if the user upgrades out of order, but
we should give a clearer message about what steps are required to fix
the issue.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-03-01 14:23:59 -08:00
galal-hussein ef999f0b4f change error to warn when removing self from etcd members
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-03-02 00:19:57 +02:00
galal-hussein d6124981d5 remove etcd member if disable etcd is passed
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-03-01 23:50:50 +02:00
Erik Wilson 4e5218b62c
Apply suggestions from code review
Logging cleanup

Co-authored-by: Brad Davidson <brad@oatmail.org>
2021-03-01 10:44:24 -07:00
Erik Wilson 4aac6b6bd0
Update to Traefik 2.4.2 and combine manifests 2021-03-01 10:44:24 -07:00
Erik Wilson 54a35505f0
Remove Traefik v1 migration 2021-03-01 10:44:24 -07:00
Chin-Ya Huang cc96f8140a
Allow download traefik static file and rename
Allow writing static files regardless of the version.

Signed-off-by: Chin-Ya Huang <chin-ya.huang@suse.com>
2021-03-01 10:44:24 -07:00
Chin-Ya Huang 10e0328977
Traefik v2 integration
K3s upgrade via watch over file change of static file and manifest
and triggers helm-controller for change. It seems reasonable to
only allow upgrade traefik v1->v2 when there is no existing custom
traefik HelmChartConfig in the cluster to avoid any
incompatibility.

Here also separate the CRDs and put them into a different chart
to support CRD upgrade.

Signed-off-by: Chin-Ya Huang <chin-ya.huang@suse.com>
2021-03-01 10:44:23 -07:00
Brad Davidson f970e49b7d Wait for apiserver to become healthy before starting agent controllers
It is possible that the apiserver may serve read requests but not allow
writes yet, in which case flannel will crash on startup when trying to
configure the subnet manager.

Fix this by waiting for the apiserver to become fully ready before
starting flannel and the network policy controller.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-02-26 19:28:53 -08:00
Brad Davidson 9b39c1c117 Hide the airgap-extra-registry flag
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-02-26 16:08:49 -08:00
Brad Davidson 88dd601941 Limit zstd decoder memory
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-02-17 11:48:03 -08:00
Brad Davidson ae5b93a264 Use HasSuffixI utility function
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-02-17 11:48:03 -08:00
Brad Davidson ec661c67d7 Add support for retagging images on load from tarball
Adds support for retagging images to appear to have been sourced from
one or more additional registries as they are imported from the tarball.
This is intended to support RKE2 use cases with system-default-registry
where the images need to appear to have been pulled from a registry
other than docker.io.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-02-17 11:48:03 -08:00
Hussein Galal 5749f66aa3
Add disable flags for control components (#2900)
* Add disable flags to control components

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* golint

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* more fixes

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fixes to disable flags

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Add comments to functions

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Fix joining problem

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* more fixes

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* golint

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix ticker

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix role labels

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* more fixes

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-02-12 17:35:57 +02:00
Brian Downs 21d1690d5d
update usage text (#2926)
update to the --cluster-init usage flag to indicate it's for Etcd
2021-02-10 15:54:04 -07:00
Brad Davidson 6e768c301e Use appropriate response codes for authn/authz failures
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-02-09 16:28:20 -08:00
Brad Davidson 374271e9a0
Collect IPs from all pods before deciding to use internal or external addresses (#2909)
* Collect IPs from all pods before deciding to use internal or external addresses

@Taloth correctly noted that the code that iterates over ServiceLB pods
to collect IP addresses was failing to add additional internal IPs once
the map contained ANY entry from a previous node. This may date back to
when ServiceLB used a Deployment instead of a DaemonSet, so there was
only ever a single pod.

The new behavior is to collect all internal and external IPs, and then
construct the address list of a single type - external if there are any,
otherwise internal.

https://github.com/k3s-io/k3s/issues/1652#issuecomment-774497788

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Co-authored-by: Brian Downs <brian.downs@gmail.com>
2021-02-09 16:26:57 -08:00
Brad Davidson e06119729b
Improve handling of comounted cpu,cpuacct controllers (#2911)
* Improve handling of comounted cpu,cpuacct controllers

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-02-09 16:12:58 -08:00
Brad Davidson ad5e504cf0
Allow joining clusters when the server CA is trusted by the OS CA bundle (#2743)
* Add tests to clientaccess/token
* Fix issues in clientaccess/token identified by tests
* Update tests to close coverage gaps
* Remove redundant check turned up by code coverage reports
* Add warnings if CA hash will not be validated

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-02-08 22:28:57 -08:00
Brad Davidson 6c472b5942 Use zstd instead of gzip for embedded tarball
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-02-08 21:08:35 -08:00
Brad Davidson c5e2676d5c
Update local-path-provisioner and helper busybox (#2885)
* Update local-path-provisioner and helper busybox

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-02-04 10:49:25 -08:00
Brad Davidson 65c78cc397 Replace options.KubeRouterConfig with config.Node and remove metrics/waitgroup stuff
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-02-03 10:41:51 -08:00
Brad Davidson 07256cf7ab Add ServiceIPRange and ServiceNodePortRange to agent config
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-02-03 10:41:51 -08:00
Brad Davidson 95a1a86847 Spell check upstream code
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-02-03 10:41:51 -08:00
Brad Davidson 29483d0651 Initial update of netpol and utils from upstream
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-02-03 10:41:51 -08:00
Akihiro Suda f3c41b7650 fix cgroup2 support
Fix issue 900

cgroup2 support was introduced in PR 2584, but got broken in f3de60ff31

It was failing with "F1210 19:13:37.305388    4955 server.go:181] cannot set feature gate SupportPodPidsLimit to false, feature is locked to true"

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-01-25 22:45:07 -08:00
Akihiro Suda 728ebcc027 rootless: remove rootful /run/{netns,containerd} symlinks
Since a recent commit, rootless mode was failing with the following errors:

```
E0122 22:59:47.615567      21 kuberuntime_manager.go:755] createPodSandbox for pod "helm-install-traefik-wf8lc_kube-system(9de0a1b2-e2a2-4ea5-8fb6-22c9272a182f)" failed: rpc error: code = Unknown desc = failed to create network namespace for sandbox "285ab835609387f82d304bac1fefa5fb2a6c49a542a9921995d0c35d33c683d5": failed to setup netns: open /var/run/netns/cni-c628a228-651e-e03e-d27d-bb5e87281846: permission denied
...
E0122 23:31:34.027814      21 pod_workers.go:191] Error syncing pod 1a77d21f-ff3d-4475-9749-224229ddc31a ("coredns-854c77959c-w4d7g_kube-system(1a77d21f-ff3d-4475-9749-224229ddc31a)"), skipping: failed to "CreatePodSandbox" for "coredns-854c77959c-w4d7g_kube-system(1a77d21f-ff3d-4475-9749-224229ddc31a)" with CreatePodSandboxError: "CreatePodSandbox for pod \"coredns-854c77959c-w4d7g_kube-system(1a77d21f-ff3d-4475-9749-224229ddc31a)\" failed: rpc error: code = Unknown desc = failed to create containerd task: io.containerd.runc.v2: create new shim socket: listen unix /run/containerd/s/8f0e40e11a69738407f1ebaf31ced3f08c29bb62022058813314fb004f93c422: bind: permission denied\n: exit status 1: unknown"
```

Remove symlinks to /run/{netns,containerd} so that rootless mode can create their own /run/{netns,containerd}.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-01-22 19:51:43 -08:00
Brad Davidson 071de833ae Fix typo in field tag
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-01-22 19:38:37 -08:00
Brad Davidson 8011697175 Only container-runtime-endpoint wants RuntimeSocket path as URI
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-01-22 18:56:30 -08:00
Yuriy 06fda7accf
Add functionality to bind custom IP address for Etcd metrics endpoint (#2750)
* Add functionality to bind custom IP address for Etcd metrics endpoint

Signed-off-by: yuriydzobak <yurii.dzobak@lotusflare.com>
2021-01-22 17:40:48 -08:00
Brad Davidson f152f656a0
Replace k3s cloud provider wrangler controller with core node informer (#2843)
* Replace k3s cloud provider wrangler controller with core node informer

Upstream k8s has exposed an interface for cloud providers to access the
cloud controller manager's node cache and shared informer since
Kubernetes 1.9. This is used by all the other in-tree cloud providers;
we should use it too instead of running a dedicated wrangler controller.

Doing so also appears to fix an intermittent issue with the uninitialized
taint not getting cleared on nodes in CI.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-01-22 16:59:48 -08:00
Brian Downs 13229019f8
Add ability to perform an etcd on-demand snapshot via cli (#2819)
* add ability to perform an etcd on-demand snapshot via cli
2021-01-21 14:09:15 -07:00
Waqar Ahmed 3ea696815b Do not validate snapshotter argument if docker is enabled
Problem:
While using ZFS on debian and K3s with docker, I am unable to get k3s working as the snapshotter value is being validated and the validation fails.

Solution:
We should not validate snapshotter value if we are using docker as it's a no-op in that case.

Signed-off-by: Waqar Ahmed <waqarahmedjoyia@live.com>
2021-01-20 12:25:28 -08:00
Erik Wilson c71060f288
Merge pull request #2744 from erikwilson/rke2-node-password-bootstrap
Bootstrap node password with local file
2021-01-11 09:51:30 -07:00
MonzElmasry 86f68d5d62
change etcd dir permission if it exists
Signed-off-by: MonzElmasry <menna.elmasry@rancher.com>
2021-01-08 23:47:36 +02:00
Erik Wilson 4245fd7b67 Return http.StatusOK instead of 0
Signed-off-by: Erik Wilson <Erik.E.Wilson@gmail.com>
2020-12-23 16:55:47 -07:00
Erik Wilson 2fb411fc83 Fix spelling mistake
Signed-off-by: Erik Wilson <Erik.E.Wilson@gmail.com>
2020-12-23 15:08:07 -07:00
Erik Wilson 09eb44ba53 Bootstrap node password with local file
Signed-off-by: Erik Wilson <Erik.E.Wilson@gmail.com>
2020-12-23 15:08:06 -07:00
JenTing Hsiao 57041f0239
Add codespell CI test and fix codespell error (#2740)
* Add codespell CI test
* Fix codespell error
2020-12-22 12:35:58 -08:00
Brad Davidson 8936cf577f Bump coredns to 1.8.0
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-12-17 15:20:19 -08:00
Chris Kim 332fd73d46
Add support for both config-file and data-dir at a global level in the self-extracting wrapper for K3s (#2594)
* Add support for both config-file and data-dir at a global level in the self-extracting wrapper for K3s

Signed-off-by: Chris Kim <oats87g@gmail.com>
2020-12-16 09:27:57 -08:00
Erik Wilson 1230d7b7df Fix HA server initialization
Signed-off-by: Erik Wilson <Erik.E.Wilson@gmail.com>
2020-12-15 16:08:28 -08:00
Brad Davidson 8e4d3e645b Restore legacy master role for etcd nodes
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-12-15 15:15:46 -08:00
Chris Kim 61ef2ce95e use version.Program
Signed-off-by: Chris Kim <oats87g@gmail.com>
2020-12-09 12:34:13 -08:00
Chris Kim 48925fcb88
Simplify checkCgroups function call
Co-authored-by: Brian Downs <brian.downs@gmail.com>
2020-12-09 11:59:54 -08:00
Chris Kim a3f87a81bd Independently set kubelet-cgroups and runtime-cgroups, and detect if we are running under a systemd scope
Signed-off-by: Chris Kim <oats87g@gmail.com>
2020-12-09 11:39:33 -08:00
Brad Davidson c5aad1b5ed Disable the ServiceAccountIssuerDiscovery feature-gate.
We're not setting ``--service-account-issuer` to a https URL, which causes an
error message at startup when the feature gate is enabled. From the
docs on that flag:

> If this option is not a valid URI per the OpenID Discovery 1.0 spec, the
> ServiceAccountIssuerDiscovery feature will remain disabled, even if the
> feature gate is set to true. It is highly recommended that this value
> comply with the OpenID spec:
> https://openid.net/specs/openid-connect-discovery-1_0.html. In practice,
> this means that service-account-issuer must be an https URL. It is also
> highly recommended that this URL be capable of serving OpenID discovery
> documents at {service-account-issuer}/.well-known/openid-configuration.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-12-08 22:51:34 -08:00
Brad Davidson 63f2211b31 deprecate the "node-role.kubernetes.io/master" label / taint
Related to https://github.com/kubernetes/kubernetes/pull/95382

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-12-08 22:51:34 -08:00
Brad Davidson c6950d2cb0 Update Kubernetes to v1.20.0-k3s1
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-12-08 22:51:34 -08:00
Brad Davidson cd27c6fcbe Bump coredns to 1.7.1
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-12-08 15:58:17 -08:00
Erik Wilson 0ae7f2d5ae
Merge pull request #2407 from erikwilson/node-passwd-cleanup
Use secrets for node-passwd entries
2020-12-08 16:25:13 -07:00
Chris Kim 3d1e40eaa3 Handle the case when systemd lives under `/init.scope`
Signed-off-by: Chris Kim <oats87g@gmail.com>
2020-12-08 10:26:54 -08:00
Chris Kim e71e11fed0
Merge pull request #2642 from Oats87/issues/k3s/2548-cgroup
Set a cgroup if containerized
2020-12-08 10:05:21 -08:00
Chris Kim f3de60ff31 When there is a defined cgroup for PID 1, assume we are containerized and set a root
Signed-off-by: Chris Kim <oats87g@gmail.com>
2020-12-07 13:15:15 -08:00
Hussein Galal fadc5a8057
Add tombstone file to etcd and catch errc etcd channel (#2592)
* Add tombstone file to embedded etcd

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* go mod update

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fixes

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* more fixes

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* more changes

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* gofmt and goimports

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* go mod update

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* go lint

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* go lint

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* go mod tidy

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2020-12-07 22:30:44 +02:00
Chin-Ya Huang 3f0f2b342e Show go version when executes with --version.
Signed-off-by: Chin-Ya Huang <chin-ya.huang@suse.com>
2020-12-04 12:51:15 -08:00
transhapHigsn 87a43c69e1 Problem: CoreDNS getting preempted by other pods
Solution: Set priorityClassName to system-node-critical of traefik, metrics-server, local storage and coredns deployment
Signed-off-by: transhapHigsn <fet.prashantsingh@gmail.com>
2020-12-04 12:50:12 -08:00
Akihiro Suda eb72d509ce pkg/agent/config: validate containerd snapshotter value
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-12-01 11:00:00 -08:00
Akihiro Suda 05f6255437 add fuse-overlayfs snapshotter (mainly for rootless mode)
Ubuntu and Debian kernels support mounting real overlayfs inside userns,
but the vanilla kernel still does not allow it.

OTOH fuse-overlayfs can be mounted inside userns with the vanilla kernel (>= 4.18).

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-12-01 11:00:00 -08:00
Akihiro Suda 43f7eaedf8 rootless: fix "stat /run/user/1000: no such file or directory" on `kubectl run`
k3s was mounting a tmpfs on `/run` by itself, so it was hiding RootlessKit's `/run`.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-12-01 10:31:21 -08:00
Akihiro Suda 67410d2757 rootless: validate sysctl before starting up
Fix #2420

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-12-01 09:21:39 -08:00
Jacob Blain Christen 3647654fe4
[migration k3s-io] update helm-controller dependency (#2569)
rancher/helm-controller ➡️ k3s-io/helm-controller

Part of https://github.com/rancher/k3s/issues/2189

Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
2020-12-01 08:59:10 -07:00
Akihiro Suda 0b45e32486 Support cgroup v2
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-11-30 22:57:37 -08:00
Jacob Blain Christen 36230daa86
[migration k3s-io] update kine dependency (#2568)
rancher/kine ➡️ k3s-io/kine

Part of https://github.com/rancher/k3s/issues/2189

Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
2020-11-30 16:45:22 -07:00
Brad Davidson b873d3a03b Explicitly set agent paths within --data-dir
Removing the cfg.DataDir mutation in 3e4fd7b did not break anything, but
did change some paths in unwanted ways. Rather than mutating the
user-supplied command-line flags, explicitly specify the agent
subdirectory as needed.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-11-11 09:26:41 -08:00
Brad Davidson 58b5b21f0d Don't pass cloud-provider flag to controller-manager
As per documentation, the cloud-provider flag should not be passed to
controller-manager when using cloud-controller. However, the legacy
cloud-related controllers still need to be explicitly disabled to
prevent errors from being logged.

Fixing this also prevents controller-manager from creating the
cloud-controller-manager service account that needed extra RBAC.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-11-09 13:55:09 -08:00
Brad Davidson 3e4fd7b41f Respect --data-dir path for crictl.yaml
Related to rancher/rke2#474

Note that anyone who customizes the data-dir path will have to set
CRI_CONFIG_FILE to the correct path when using the wrapped binaries
(crictl, etc). This is better than dropping files in the incorrect
location.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-11-05 15:51:10 -08:00
Brad Davidson f50e3140f9 Disable configure-cloud-routes and external service/route programming support when using k3s stub cloud controller
Resolves warning 3 from #2471

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-11-05 15:51:10 -08:00
Brad Davidson 31575e407a Add Cluster ID support to k3s stub cloud controller
Resolves warning 2 from #2471.

As per https://github.com/kubernetes/cloud-provider/issues/12 the
ClusterID requirement was never really followed through on, so the
flag is probably going to be removed in the future.

One side-effect of this is that the core k8s cloud-controller-manager
also wants to watch nodes, and needs RBAC to do so.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-11-05 15:51:10 -08:00
Brad Davidson 5b318d093f Fix containerd sock path warning
Resolves warning 1 from #2471

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-11-05 15:51:10 -08:00
Brad Davidson d1424626ac Disable containerd experimental snapshot labels
Related to #2455 and containerd/containerd#4684

These were not meant to be enabled by default, break images with many
layers, and will be disabled by default on the next containerd release.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-11-05 15:51:10 -08:00
Erik Wilson 992ca52c31
Enable go test in ci 2020-11-05 09:48:53 -07:00
Erik Wilson 92d04355f4
Use secrets for node-passwd entries and cleanup 2020-11-05 09:48:53 -07:00
Brad Davidson 3b8ec74049 Update disables list when building with no_stage
The --disable/--no-deploy flags actually turn off some built-in
controllers, in addition to preventing manifests from getting loaded.
Make it clear which controllers can still be disabled even when the
packaged components are ommited by the no_stage build tag.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-11-04 13:39:45 -08:00
Menna Elmasry 523ccaf3f2
Merge pull request #2448 from MonzElmasry/new_b
Make etcd use node private ip
2020-10-29 00:23:56 +02:00
MonzElmasry e8436cc76b
Make etcd use node private ip
Signed-off-by: MonzElmasry <menna.elmasry@rancher.com>
2020-10-28 23:45:24 +02:00
Chris Kim 7b8a147a1b
Merge pull request #2408 from Oats87/rpm-install-selinux
Add auto-install capability to install.sh for k3s-selinux
2020-10-28 14:24:09 -04:00
Hussein Galal fcd18d1b6e
skip node delete from removed member (#2413)
* skip node delete from removed member

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* use grpc errors

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* go imports

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* exit if node is the etcd that being removed

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2020-10-28 18:32:51 +02:00
Chris Kim 96fc4c4b21 Add iptable_nat to modprobe list
Signed-off-by: Chris Kim <oats87g@gmail.com>
2020-10-27 14:22:14 -04:00
Brad Davidson de18528412
Make etcd voting members responsible for managing learners (#2399)
* Set etcd timeouts using values from k8s instead of etcdctl
  Fix for one of the warnings from #2303
* Use etcd zap logger instead of deprecated capsnlog
  Fix for one of the warnings from #2303
* Remove member self-promotion code paths
* Add learner promotion tracking code
* Fix RaftAppliedIndex progress check
* Remove ErrGRPCKeyNotFound check
  This is not used by v3 API - it just returns a response with 0 KVs.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-10-27 11:06:26 -07:00
Erik Wilson 6b11d86037
Merge pull request #2377 from erikwilson/no-proxy-fix
Use no_proxy env, add .svc and cluster domains
2020-10-12 13:46:22 -07:00
Erik Wilson 56e077eb29
Use no_proxy env, add .svc and cluster domains 2020-10-12 11:02:07 -07:00
Erik Wilson 114b5ccad1
Merge pull request #2363 from erikwilson/netpol-informers
Add event handlers to network policy controller
2020-10-12 08:53:39 -07:00
Erik Wilson e26e333b7e
Add network policy controller CacheSyncOrTimeout 2020-10-07 12:35:44 -07:00
Erik Wilson 045cd49ab5
Add event handlers to network policy controller 2020-10-07 12:10:27 -07:00
Erik Wilson ce0da0a0f4
Add file verification for data directory 2020-10-06 10:29:27 -07:00
Erik Wilson 66d29148f7
Add Release function for flock 2020-10-06 10:29:27 -07:00
Erik Wilson 360d82d20e
Add flock from k8s.io/kubernetes/pkg/util/flock 2020-10-06 10:29:26 -07:00
Brad Davidson c3c983198f Add temporary fix for issue with interrupted etcd promote
This is a minimal fix for https://github.com/rancher/rke2/issues/392

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-09-30 11:45:58 -07:00
Hussein Galal 373449ec0a
Allow for multiple etcd snapshot restoration (#2307)
* add reset tmp file

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* go imports

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix multiple lines string

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix typo

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* use resetFile function

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2020-09-30 02:53:31 +02:00
Brad Davidson 8262e23169
Revert removal of EndpointName hooks (#2319)
* Revert "Remove dead EndpointName code"
    This reverts commit 8025da5a8d.
* Fix docstrings based on proper understanding of use
2020-09-28 18:13:55 -07:00
Brad Davidson 360b0f1ee5 Add timeout to clientaccess http client
The default http client does not have an overall request timeout, so
connections to misbehaving or unavailable servers can stall for an
excessive amount of time. At the moment, just attempting to join
an unavailable cluster takes 2 minutes and 40 seconds to timeout.

Resolve that by setting a reasonable request timeout.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-09-27 03:26:27 -07:00
Brad Davidson cdfc6cfa1a Split clientaccess token/kubeconfig code
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-09-27 03:26:27 -07:00
Brad Davidson 45dd4afe50 Simplify token parsing
Improves readability, reduces round-trips to the join server to validate certs.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-09-27 03:26:24 -07:00
Brad Davidson 9074da7405 Fix misc nits and missing/unused imports
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-09-27 03:10:00 -07:00
Brad Davidson 703ba5cde7 Add a bunch of doc comments
Also change identical error messages to clarify where problems are
occurring.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-09-27 03:10:00 -07:00
Brad Davidson ae916c2dec Use const for kube-system namespace
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-09-27 03:10:00 -07:00
Brad Davidson f59e8fc21b Fix etcd directory permissions
Silences warning on startup about insecure directory permissions

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-09-27 03:10:00 -07:00
Brad Davidson ee99660a96 Rename etcd directory helpers to reduce confusion about which datadir we're talking about
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-09-27 03:10:00 -07:00
Brad Davidson 8025da5a8d Remove dead EndpointName code
According to @galal-hussein this is dead code that was probably brought
over from Kine. I certainly couldn't figure out what it is supposed to
be doing.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-09-27 03:10:00 -07:00
Brad Davidson 97eb28a01a Remove unnecessary listener arg from managed DB setup
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-09-27 03:09:45 -07:00
Brad Davidson a3bbd58f37 Fix managed etcd cold startup deadlock issue #2249
We should ignore --token and --server if the managed database is initialized,
just like we ignore --cluster-init. If the user wants to join a new
cluster, or rejoin a cluster after --cluster-reset, they need to delete
the database. This a cleaner way to prevent deadlocking on quorum loss,
and removes the requirement that the target of the --server argument
must be online before already joined nodes can start.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-09-27 02:44:49 -07:00
Brad Davidson 42bba04651
Skip etcd snapshots if the local endpoint is still a learner (#2295)
* Don't take snapshots if the local endpoint is still a learner
* Configure timeouts for etcd client dialer
2020-09-21 20:23:18 -07:00
Brian Downs ba70c41cce
Initial Logging Output Update (#2246)
This attempts to update logging statements to make them consistent
through out the code base. It also adds additional context to messages
where possible, simplifies messages, and updates level where necessary.
2020-09-21 09:56:03 -07:00
Hussein Galal 46fe57d7e9
reset etcd name on cluster reset (#2284)
* reset etcd name on cluster reset

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* gofmt

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2020-09-19 03:09:36 +02:00
Brad Davidson 8c6d3567fe Rename k3s-controller based on the build-time program name
Since we're replacing the k3s rolebindings.yaml in rke2, we should allow
renaming this so that we can use the white-labeled name downstream.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-09-16 10:53:07 -07:00
Brad Davidson ae5519c047
Use rancher-mirrored busybox for local-path-provisioner (#2257)
Related to #1908

Will be fixed upstream by
https://github.com/rancher/local-path-provisioner/pull/135/ but we're
not going to update the LPP image right now since it's undergoing some
changes that we don't want to pick up at the moment.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-09-15 18:02:51 -07:00
Erik Wilson a08e998bc5 Import containerd images with all platforms
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-09-14 20:44:58 -07:00
Brad Davidson fcaeebaa18 Add support for disabling all staged content
This reduces the binary footprint for downstream users that won't use
these files anyway.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-09-14 14:21:37 -07:00
Menna Elmasry edb3e5b7a7
Add error logger to http server (#2242)
* add error logger to http server

Signed-off-by: MonzElmasry <menna.elmasry@rancher.com>
2020-09-14 23:14:30 +02:00
Brian Downs 15d7b61939 Merge remote-tracking branch 'upstream/master' into issue-112 2020-09-04 14:41:42 -07:00
Brian Downs 4c3ec907ab
remove k8s daemon config from setup hook in favor of specific fields from the config (#2206)
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2020-09-04 09:30:36 -07:00
Brian Downs bb8e5374ea conform to repo conventions
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2020-09-03 18:48:30 -07:00
Brian Downs 898cbeb9b6 Merge remote-tracking branch 'upstream/master' into issue-112 2020-09-03 17:26:48 -07:00
Darren Shepherd 289ba8df6a All arguments should be of the form --k=v so that bool flags will work
Previously a bool flag would be rendered as --flag false for `flag: false`
which is invalid and results in the opposite of what you'd expect.

Signed-off-by: Darren Shepherd <darren@rancher.com>
2020-09-03 16:25:35 -07:00
Darren Shepherd 64ae6affc5 Missing registering debug/config flags on server subcommand
Signed-off-by: Darren Shepherd <darren@rancher.com>
2020-09-03 13:19:25 -07:00
Brian Downs 00831f9bc8 use version.Program
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2020-09-03 08:51:17 -07:00
Brian Downs 301fb73952 add node ip to the request header for cert gen
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2020-09-02 19:15:09 -07:00
Craig Jellick 53b3d0fc56
Merge pull request #2180 from ibuildthecloud/configfile
Go back to urfave v1
2020-09-02 11:05:19 -07:00
Brad Davidson a3e9d31e6c
Merge pull request #2097 from iwilltry42/registry-insecure-skip-verify
Feature: add insecure_skip_verify field to registry config template
2020-09-01 15:58:26 -07:00
Darren Shepherd 551a1842ad
Update pkg/cli/cmds/config.go
Co-authored-by: Jacob Blain Christen <dweomer5@gmail.com>
2020-09-01 10:43:28 -07:00
Darren Shepherd 7657ed2e13
Update pkg/cli/server/server.go
Co-authored-by: Jacob Blain Christen <dweomer5@gmail.com>
2020-09-01 10:43:19 -07:00
Darren Shepherd 21d21ddd4d Add config file support independent of CLI framework
Signed-off-by: Darren Shepherd <darren@rancher.com>
2020-08-29 21:44:13 -07:00
Darren Shepherd ae5c585050 Revert "Add config file support"
This reverts commit e1dc3451bc.

Signed-off-by: Darren Shepherd <darren@rancher.com>
2020-08-29 21:44:07 -07:00
Erik Wilson 447097a597
Merge pull request #2098 from erikwilson/k8s-1.19
Update to k8s 1.19
2020-08-28 18:22:15 -07:00
Erik Wilson c5dc09159f
Move basic authentication to k3s 2020-08-28 17:18:34 -07:00
Erik Wilson 57fc0c9c87
Fix up authenticator 2020-08-28 17:18:34 -07:00
Erik Wilson acc42874d8
Add k8s.io/apiserver/plugins/pkg/authenticator from release-1.18 2020-08-28 17:18:34 -07:00
Erik Wilson 837a943234
Update for k8s 1.19 2020-08-28 17:18:34 -07:00
Erik Wilson daa4beb22c
Update go.mod for k8s 1.19 2020-08-28 17:18:31 -07:00
Erik Wilson 720197b9b1
Fix linting issues 2020-08-28 17:18:29 -07:00
Brian Downs 866dc94cea
Galal hussein etcd backup restore (#2154)
* Add etcd snapshot and restore

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix error logs

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* goimports

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix flag describtion

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Add disable snapshot and retention

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* use creation time for snapshot retention

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* unexport method, update var name

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* adjust snapshot flags

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update var name, string concat

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* revert previous change, create constants

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* updates

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* type assertion error checking

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* pr remediation

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* pr remediation

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* pr remediation

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* pr remediation

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* pr remediation

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* updates

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* updates

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* simplify logic, remove unneeded function

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update flags

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update flags

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* add comment

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* exit on restore completion, update flag names, move retention check

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* exit on restore completion, update flag names, move retention check

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* exit on restore completion, update flag names, move retention check

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update disable snapshots flag and field names

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* move function

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update field names

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update var and field names

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update var and field names

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update defaultSnapshotIntervalMinutes to 12 like rke

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update directory perms

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update etc-snapshot-dir usage

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update interval to 12 hours

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* fix usage typo

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* add cron

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* add cron

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* add cron

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* wire in cron

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* wire in cron

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* wire in cron

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* wire in cron

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* wire in cron

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* wire in cron

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* wire in cron

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update deps target to work, add build/data target for creation, and generate

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* remove dead make targets

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* error handling, cluster reset functionality

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* error handling, cluster reset functionality

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* remove intermediate dapper file

Signed-off-by: Brian Downs <brian.downs@gmail.com>

Co-authored-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2020-08-28 16:57:40 -07:00
Frederick F. Kautz IV cdce2b7e9a
Add support for compressed images when pre-loading images (#2165)
* Add support for compressed images when pre-loading images

Signed-off-by: Frederick F. Kautz IV <fkautz@alumni.cmu.edu>

* attempting to fix vendor source being dirty

Signed-off-by: Frederick F. Kautz IV <fkautz@alumni.cmu.edu>

* fixing file extension for .tar.lz4

Signed-off-by: Frederick F. Kautz IV <fkautz@alumni.cmu.edu>
2020-08-28 12:27:01 -07:00
Brad Davidson c4ac620b8b
Merge pull request #2159 from brandond/config_file_rename
Rename flags.conf to config.yaml
2020-08-25 21:43:48 -07:00
Brad Davidson b4d81a9e33 Remove lingering references to dqlite
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-08-24 17:09:19 -07:00
Brad Davidson 43fcc5ddcb Rename flags.conf => config.yaml
Related to https://github.com/rancher/rke2/issues/150

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-08-24 14:56:30 -07:00
Brad Davidson c980fa68a0
Update helm-controller for HelmChartConfig CRD (#2114)
* Update helm-controller for HelmChartConfig CRD

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-08-20 14:23:50 -07:00
Brian Downs 324bb55986 add ctx to hook, handle hook errors
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2020-08-19 16:54:58 -07:00
Brian Downs fa2c1422b3 change name of variable
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2020-08-19 14:30:53 -07:00
Brian Downs a4b2953017 add setup hook capabilities for rke2
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2020-08-19 13:42:45 -07:00
Brad Davidson 79c499f0e0 Fix handling of TLS configuration args
Also fixes an unrelated error formatting issue turned up while testing.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-08-18 16:44:10 -07:00
Brad Davidson b1d017f892 Update dynamiclistener
Second round of fixes for #1621

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-08-18 10:38:47 -07:00
Jacob Blain Christen e2089bea18
cli: add --selinux flag to agent/server sub-cmds (#2111)
* cli: add --selinux flag to agent/server sub-cmds

Introduces --selinux flag to affirmatively enable SELinux in containerd.
Deprecates --disable-selinux flag which now defaults to true which
auto-detection of SELinux configuration for containerd is no longer
supported.  Specifying both --selinux and --disable-selinux will result
in an error message encouraging you to pick a side.

* Update pkg/agent/containerd/containerd.go

update log warning message about enabled selinux host but disabled runtime

Co-authored-by: Brad Davidson <brad@oatmail.org>
Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
2020-08-11 16:17:32 -07:00
Jacob Blain Christen 97ff5affab
Merge pull request #2065 from dweomer/containerd/v1.3.6-selinux
updated containerd/cri selinux support
2020-08-07 11:09:28 -07:00
Thorsten Klein cf8c101b70
registry template: add insecure_skip_verify field
Signed-off-by: Thorsten Klein <iwilltry42@gmail.com>
2020-08-06 08:02:08 +02:00
Brad Davidson 3f2551ec05
Merge pull request #1848 from euank/insecure-on-lo
Listen insecurely on localhost only
2020-08-05 10:55:09 -07:00
Euan Kemp 4808c4e7d5 Listen insecurely on localhost only
Before this change, k3s configured the scheduler and controller's
insecure ports to listen on 0.0.0.0. Those ports include pprof, which
provides a DoS vector at the very least.

These ports are only enabled for componentstatus checks in the first
place, and componentstatus is hardcoded to only do the check on
localhost anyway (see
https://github.com/kubernetes/kubernetes/blob/v1.18.2/pkg/registry/core/rest/storage_core.go#L341-L344),
so there shouldn't be any downside to switching them to listen only on
localhost.
2020-08-05 10:28:11 -07:00
Akihiro Suda a70cdac356
update rootlesskit to v0.10.0
Fix intermittent "Connection reset by peer" error during port forwarding

https://github.com/rootless-containers/rootlesskit/issues/153

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-08-05 18:22:05 +09:00
Brad Davidson 3e8141dc65 Update dynamiclistener
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-08-04 13:05:37 -07:00
Hussein Galal 169ee63907
Add etcd members as learners (#2066)
* Add etcd members as learners

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Ignore errors in promote member

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2020-07-29 22:52:49 +02:00
Brad Davidson 1eec7348a5 Call setproctitle to conceal node args in ps output
This is related to #2014.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-07-28 15:49:49 -07:00
Jacob Blain Christen 371bee82f9 containerd: bump to v1.3.6
Remove $NOTIFY_SOCKET, if present, from env when invoking containerd to
prevent gratuitous notifications sent to systemd.

Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
2020-07-27 14:41:52 -07:00
Brad Davidson dfd0f9d1a6 Correctly report and propagate kubeconfig write failures
As seen in issues such as #15 #155 #518 #570 there are situations where
k3s will fail to write the kubeconfig file, but reports that it wrote it
anyway as the success message is printed unconditionally. Also, secondary
actions like setting file mode and creating a symlink are also attempted
even if the file was not created.

This change skips attempting additional actions, and propagates the
failure back upwards.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-07-24 12:07:32 -07:00
Brad Davidson 9da8dc4f61 Update coredns version to 1.6.9 for master
Needed for #1844

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-07-21 11:06:44 -07:00
Brian Downs 5a81fdbdc5 update cis flag implementation to propogate the rest of the way through to kubelet
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2020-07-20 16:31:56 -07:00
Jason e3f8789114
Add containerd snapshotter flag (#1991)
* Add containerd snapshotter flag

Signed-off-by: Jason-ZW <zhenyang@rancher.com>

* Fix CamelCase nit and option description

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Signed-off-by: Jason-ZW <zhenyang@rancher.com>

Co-authored-by: Brad Davidson <brad@oatmail.org>
2020-07-18 01:16:23 +02:00
Brian Downs abb2d9aad1 add flag usage
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2020-07-14 15:55:18 -07:00
Brian Downs 57a6319fac add protect-kernel-defaults to kubelet
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2020-07-14 15:46:10 -07:00
Erik Wilson 66a8c2ad7f
Merge pull request #1899 from erikwilson/config-file
Add config file support
2020-07-14 08:41:45 -07:00
Brian Downs ebac755da1 add profiling flag with default value of false
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2020-07-10 13:08:04 -07:00
Erik Wilson e1dc3451bc
Add config file support 2020-07-10 10:34:00 -07:00
Brian Downs 99a8bca522 remove hard coded value
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2020-07-09 11:20:06 -07:00
Brandon Davidson 538842ffdc
Merge pull request #1768 from brandond/fix_1764
Configure default signer implementation to use ClientCA instead of ServerCA
2020-07-07 16:52:14 -07:00
Erik Wilson 0d6a2bfb0b
Merge pull request #1974 from mschneider82/patch-1
fixed panic in network_policy_controller
2020-07-01 09:48:00 -07:00
Erik Wilson 42f0b95ac5
Merge pull request #1800 from niusmallnan/dev
Add retry backoff for starting network-policy controller
2020-07-01 09:47:21 -07:00
niusmallnan d713683614 Add retry backoff for starting network-policy controller
Signed-off-by: niusmallnan <niusmallnan@gmail.com>
2020-06-30 09:25:09 +08:00
Matthias Schneider 56a083c812 fixed panic in network_policy_controller
I have rebooted a newly created k3s etcd cluster and this panic was triggered:

    ```
    k3s[948]: [signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x45f2945]
    k3s[948]: goroutine 1 [running]:
    k3s[948]: github.com/rancher/k3s/pkg/agent/netpol.NewNetworkPolicyController(0xc00159e180, 0x61b4a60, 0xc006294000, 0xdf8475800, 0xc011d9a360, 0xc, 0x0, 0xc00bf545b8, 0x2b2edbc)
    k3s[948]:         /home/x/git/k3s/pkg/agent/netpol/network_policy_controller.go:1698 +0x275
    ```

Signed-off-by: Matthias Schneider <ms@wck.biz>
2020-06-29 20:49:24 +02:00
Jacob Blain Christen 3197d206ce
Merge pull request #1892 from dweomer/servicelb/node-role
servicelb: fix ineffective toleration
2020-06-26 13:55:57 -07:00
Brian Downs 58aae57e12 set environment variable and create config for crictl
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2020-06-24 14:26:44 -07:00
Brian Downs 63dbf806df create symlink from docker sock to where crictl in k3s is looking for the sock to use
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2020-06-23 18:42:45 -07:00
Hussein Galal f5ee757b86
Add cluster dns configmap (#1785) 2020-06-22 23:06:01 +02:00
Brian Downs 7f4f237575
added profile = false args to api, controllerManager, and scheduler (#1891) 2020-06-12 21:09:41 +02:00
Jacob Blain Christen 1ed12cffa0 servicelb: fix ineffective toleration
noderole.kubernetes.io/master -> node-role.kubernetes.io/master
2020-06-11 14:39:12 -07:00
galal-hussein c580a8b528 Add heartbeat interval and election timeout 2020-06-06 16:39:42 -07:00
Darren Shepherd 6b5b69378f Add embedded etcd support
This is replaces dqlite with etcd.  The each same UX of dqlite is
followed so there is no change to the CLI args for this.
2020-06-06 16:39:41 -07:00
Darren Shepherd 39571424dd Generate etcd certificates 2020-06-06 16:39:41 -07:00
Darren Shepherd a18d387390 Refactor clustered DB framework 2020-06-06 16:39:41 -07:00
Darren Shepherd 4317a91b96 Delete dqlite 2020-06-06 16:39:41 -07:00
Darren Shepherd 7e59c0801e Make program name a variable to be changed at compile time 2020-06-06 16:39:41 -07:00
Taeho Kim 3d59a85dae Upgrade local-path-storage to v0.0.14 2020-06-02 13:47:37 +00:00
Erik Wilson 43b9bf2e50
Merge pull request #1795 from StateFarmIns/support_for_setting_default_ssl_ciphers
Feature Request #1741: Update to set default CipherSuites
2020-05-15 09:41:37 -07:00
Erik Wilson d10d6f7fb3
Merge pull request #1762 from consideRatio/coredns-readinessprobe
coredns: readiness- and livenessProbe tweaks (~15s -> ~3s startup)
2020-05-15 09:40:54 -07:00
Chuck Schweizer 19c34bd12d Update to set default CipherSuites
The default CipherSuites need to be set to disable the insecure TLS 1.2 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 Cipher
2020-05-13 08:34:45 -05:00
Chuck Schweizer ca9c9c2e1e Adding support for TLS MinVersion and CipherSuites
This will watch for the following kube-apiserver-arg variables and apply
them to the k3s kube-apiserver https listener.

  --kube-apiserver-arg=tls-cipher-suites=XXXXXXX
  --kube-apiserver-arg=tls-min-version=XXXXXXX
2020-05-07 09:27:09 -05:00
Erik Sundell 27ae2fb9c8 coredns: go generate 2020-05-07 16:21:46 +02:00
Darren Shepherd cb4b34763e
Merge pull request #1759 from ibuildthecloud/background
Start kube-apiserver in the background
2020-05-06 21:50:48 -07:00
Darren Shepherd e5fe184a44
Merge pull request #1757 from ibuildthecloud/separate-port
Add supervisor port
2020-05-06 21:32:45 -07:00
Darren Shepherd 072396f774 Start kube-apiserver in the background
In rke2 everything is a static pod so this causes a chicken and egg situation
in which we need the kubelet running before the kube-apiserver can be
launched.  By starting the apiserver in the background this allows us to
do this odd bootstrapping.
2020-05-06 21:17:23 -07:00
Brad Davidson 71561ecda2 Use ClientCA for the signer controller 2020-05-06 16:51:35 -07:00
Darren Shepherd f38082673d
Merge pull request #1753 from ibuildthecloud/prepull
Support prepulling images on start
2020-05-05 22:11:52 -07:00
Darren Shepherd 74bcf4da0b
Merge pull request #1756 from ibuildthecloud/less-logging
Only echo Waiting for kubelet every 30 seconds
2020-05-05 22:07:50 -07:00
Darren Shepherd 2f5ee914f9 Add supervisor port
In k3s today the kubernetes API and the /v1-k3s API are combined into
one http server.  In rke2 we are running unmodified, non-embedded Kubernetes
and as such it is preferred to run k8s and the /v1-k3s API on different
ports.  The /v1-k3s API port is called the SupervisorPort in the code.

To support this separation of ports a new shim was added on the client in
then pkg/agent/proxy package that will launch two load balancers instead
of just one load balancer.  One load balancer for 6443 and the other
for 9345 (which is the supervisor port).
2020-05-05 15:54:51 -07:00
Darren Shepherd afd6f6d7e7 Encapsulate execution logic
This moves all the calls to cobra root commands to one package
so that we can change the behavior of running components as embedded
or external.
2020-05-05 15:34:32 -07:00
Darren Shepherd 61ba9171ce Only echo Waiting for kubelet every 30 seconds
Don't print a message every second while we are waiting for the
kubelet to report Ready.
2020-05-05 15:23:18 -07:00
Darren Shepherd 1d05e99769
Merge pull request #1752 from ibuildthecloud/disable-ccm
Don't write ccm.yaml if --disable-cloud-controller is set
2020-05-05 15:11:10 -07:00
Darren Shepherd 6932d03bb4 Support prepulling images on start
In the agent/images folder if a .txt file is found it is assumed to
be a line separated list of image names to pull on start.
2020-05-05 14:45:39 -07:00
Darren Shepherd 70ddc799bd
Merge pull request #1691 from ibuildthecloud/staticpod
Suppport static pods at ${datadir}/agent/staticpods
2020-05-05 14:35:45 -07:00
Darren Shepherd 341895c322 Don't write ccm.yaml if --disable-cloud-controller is set 2020-05-05 13:01:52 -07:00
Darren Shepherd 8c7fbe3dde Suppport static pods at ${datadir}/agent/pod-manifests 2020-05-05 12:43:47 -07:00
Erik Wilson 39c3854648
Merge pull request #1720 from ilknarf/master
remove redundant Sprintf
2020-05-04 20:50:58 -07:00
Erik Wilson c71561129e
Merge pull request #1716 from ibuildthecloud/debugpublic
Make debug variable public to be used by wrapper programs
2020-05-04 20:50:36 -07:00
Erik Wilson c941e1d0bb
Merge pull request #1695 from ibuildthecloud/kubeproxy
Add ability to disable kubeproxy
2020-05-04 20:26:22 -07:00
Erik Wilson df1725cb06
Merge pull request #1694 from ibuildthecloud/inittwice
Allow InitLogging to be called twice
2020-05-04 20:22:04 -07:00
Erik Wilson 2fb5bad3e8
Merge pull request #1704 from ibuildthecloud/x509-admin
No longer use basic auth for default admin account
2020-05-04 20:21:12 -07:00
Erik Wilson 21eabd902b
Merge pull request #1693 from ibuildthecloud/disableditem
Move disabled items to a const to keep more consistency
2020-05-04 20:16:42 -07:00
Erik Wilson 21266bab7e
Merge pull request #1692 from ibuildthecloud/err
Check for error on mkdir
2020-05-04 20:16:20 -07:00
Erik Wilson ed8cd9250b
Merge pull request #1690 from ibuildthecloud/flannel
Only need to resolve the path of host-local if Flannel is enabled
2020-05-04 20:15:59 -07:00
Erik Wilson 47bb0939e6
Merge pull request #1611 from Dirbaio/master
Correctly quote auth strings in containerd config. For #1610
2020-05-04 19:27:17 -07:00
Frank a18d94e5f9 remove redundant Sprintf 2020-04-30 10:48:12 -05:00
Darren Shepherd 56770ff2cc Make debug variable public to be used by wrapper programs 2020-04-29 11:37:59 -07:00
Darren Shepherd 3c8e0b4157 No longer use basic auth for default admin account 2020-04-28 16:01:33 -07:00
Darren Shepherd 5715e1ba0d Add ability to disable kubeproxy 2020-04-27 11:24:00 -07:00
Darren Shepherd 7920fa48c9 Only need to resolve the path of host-local if Flannel is enabled 2020-04-27 11:17:41 -07:00
Darren Shepherd 8cc9efdf7c Allow InitLogging to be called twice
This makes it a bit easier to embed k3s into another go program
2020-04-27 11:16:08 -07:00
Darren Shepherd 8b8af94eb2 Move disabled items to a const to keep more consistency
This also help when embedding k3s because we can programmitically know
all the components to disable.
2020-04-27 11:15:35 -07:00
Darren Shepherd c25f1ab1b6 Check for error on mkdir 2020-04-27 11:14:21 -07:00
Darren Shepherd 130e6e31a1
Merge pull request #1664 from KnicKnic/windows-18-build
fix build windows v1.18
2020-04-27 09:23:32 -07:00
Darren Shepherd e4f87f51e2
Merge pull request #1681 from KnicKnic/fix_file_paths
fix usage of path instead of filepath
2020-04-27 09:21:48 -07:00
Darren Shepherd 7d06d2ccc1
Merge pull request #1653 from KnicKnic/enable_agent_windows
enable agent to start on windows
2020-04-27 09:05:12 -07:00