Before this change, kube-router was always assuming that IPv4 is
enabled, which is not the case in IPv6-only clusters. To enable network
policies in IPv6-only, we need to explicitly let kube-router know when
to disable IPv4.
Signed-off-by: Michal Rostecki <vadorovsky@gmail.com>
Having separate tokens for server and agent nodes is a nice feature.
However, passing the server's plain `K3S_AGENT_TOKEN` value
to `k3s agent --token` without a CA hash is insecure when the CA is
self-signed, and k3s warns about it in the logs:
```
Cluster CA certificate is not trusted by the host CA bundle, but the token does not include a CA hash.
Use the full token from the server's node-token file to enable Cluster CA validation.
```
Okay, so I need the CA hash, but where should I get it?
This commit attempts to fix this issue by saving the agent token value to
the `agent-token` file with the CA hash appended.
Signed-off-by: Vladimir Kochnev <hashtable@yandex.ru>
(cherry picked from commit 13af0b1d88)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
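To make the point of the commit above concrete, here is an added example (not k3s's own code) that shows the difference between a bare secret and a token that carries a CA hash, and what an agent can check with each. The `K10<hex-sha256>::<user>:<password>` layout and the use of SHA-256 over the CA bundle bytes served by the supervisor are assumptions taken from k3s's documented token format; the CA bytes below are a constructed stand-in, not a real certificate.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Token is the parsed form of a k3s-style join token. The "K10<hash>::<user>:<pass>"
// layout and SHA-256 over the served CA bundle are assumptions taken from k3s's
// documented token format, not from the commit message above.
type Token struct {
	CAHash   string // lowercase hex SHA-256 of the cluster CA; empty if the token has no hash
	Username string
	Password string
}

// HashCA returns the hex SHA-256 of the CA bundle bytes as served by the supervisor.
func HashCA(caPEM []byte) string {
	sum := sha256.Sum256(caPEM)
	return hex.EncodeToString(sum[:])
}

// WithCAHash builds the full token an agent should be given: the plain secret
// with the CA hash prepended, which is what a CA-pinning agent-token file carries.
func WithCAHash(caPEM []byte, username, secret string) string {
	return "K10" + HashCA(caPEM) + "::" + username + ":" + secret
}

// ParseToken accepts both the full "K10..." form and a bare secret; the bare
// form is the unpinned case that the agent log message warns about.
func ParseToken(raw string) (Token, error) {
	var t Token
	if !strings.HasPrefix(raw, "K10") {
		t.Username, t.Password = splitCreds(raw)
		return t, nil
	}
	parts := strings.SplitN(raw[3:], "::", 2)
	if len(parts) != 2 || len(parts[0]) != sha256.Size*2 {
		return t, errors.New("malformed K10 token: expected K10<64 hex chars>::<creds>")
	}
	if _, err := hex.DecodeString(parts[0]); err != nil {
		return t, fmt.Errorf("malformed CA hash in token: %w", err)
	}
	t.CAHash = strings.ToLower(parts[0])
	t.Username, t.Password = splitCreds(parts[1])
	return t, nil
}

// splitCreds splits "user:pass"; a value without a colon is a bare password.
func splitCreds(s string) (string, string) {
	if i := strings.IndexByte(s, ':'); i >= 0 {
		return s[:i], s[i+1:]
	}
	return "", s
}

// ValidateCA reports whether the token pins the CA and, if it does, whether the
// bundle presented by the server matches the pin. A token with no hash is
// accepted but not pinned: the server's identity is then only as good as the
// host CA bundle, which is the gap the commit closes.
func ValidateCA(t Token, servedCAPEM []byte) (pinned bool, err error) {
	if t.CAHash == "" {
		return false, nil
	}
	got := HashCA(servedCAPEM)
	if got != t.CAHash {
		return true, fmt.Errorf("cluster CA hash mismatch: token pins %s..., server presented %s...", t.CAHash[:12], got[:12])
	}
	return true, nil
}

func main() {
	// Constructed stand-in for the bytes returned by the supervisor's CA endpoint.
	ca := []byte("-----BEGIN CERTIFICATE-----\nCONSTRUCTED-SAMPLE\n-----END CERTIFICATE-----\n")
	full := WithCAHash(ca, "server", "s3cr3t")
	for _, raw := range []string{"s3cr3t", full} {
		tok, err := ParseToken(raw)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		pinned, err := ValidateCA(tok, ca)
		fmt.Printf("has-hash=%v pinned=%v err=%v\n", tok.CAHash != "", pinned, err)
	}
}
```

The design choice worth noting is that `ValidateCA` returns an error only when a pin is present and wrong; an absent pin is reported through the `pinned` flag so the caller can log the same "token does not include a CA hash" condition the commit quotes rather than silently proceeding.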
Requires tweaking the existing method signature to allow specifying whether or not IPv6 addresses should be returned URL-safe.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 5eaa0a9422)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
* Use INVOCATION_ID to detect execution under systemd, since as of a9b5a1933f NOTIFY_SOCKET is now cleared by the server code.
* Set the unit type to notify by default for both server and agent, which is what Rancher-managed installs have done for a while.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit bd5fdfce33)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Addresses an issue where the compact may take more than 10 seconds on slower disks. These disks probably aren't really suitable for etcd, but apparently run fine otherwise.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 1674b9d640)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
This avoids an issue with u-root 7.0.0 which has been retracted by the
author:
```
$ go list -u -m all
$ go list -m: github.com/u-root/u-root@v7.0.0+incompatible: retracted by module author: Published v7 too early (before migrating to go modules)
```
Signed-off-by: Dirk Müller <dirk@dmllr.de>
(cherry picked from commit 93ca992cdb)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
* Increase the default snapshot timeout. The timeout is not currently
configurable from Rancher, and larger clusters are frequently seeing
uploads fail at 30 seconds.
* Enable compression for scheduled snapshots if enabled on the
command-line. The CLI flag was not being passed into the etcd config.
* Only set the S3 content-type to application/zip if the file is zipped.
* Don't run more than one snapshot at once, to prevent misconfigured
etcd snapshot cron schedules from stacking up.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Since #4438 removed 2-way sync and treats any changed+newer files on disk as an error, we no longer need to determine if files are newer on disk/db or if there is a conflicting mix of both. Any changed+newer file is an error, unless we're doing a cluster reset in which case everything is unconditionally replaced.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Properly skip restoring bootstrap data for files that don't have a path
set because the feature that would set it isn't enabled.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Use the same kubelet-preferred-address-types setting as RKE2 to improve reliability of the egress selector when using an HTTP proxy. Also, use BindAddressOrLoopback to ensure that the correct supervisor address is used when --bind-address is set.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
* Testing directory rework
* New cert rotation test
* Remove unnecessary e2e go.mod
* Move cgroup and install tests out of the vagrant directory
* Remove unit test from Drone
Signed-off-by: Derek Nola <derek.nola@suse.com>
Allow the flannel backend to be specified as
`backend=option=val,option2=val2` to select a given backend with extra options.
In particular this adds the following options to wireguard-native
backend:
* Mode - flannel wireguard tunnel mode
* PersistentKeepaliveInterval - wireguard persistent keepalive interval
Signed-off-by: Sjoerd Simons <sjoerd@collabora.com>
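As an added example (not k3s's or flannel's own parser), the following Go code parses the `backend=option=val,option2=val2` form described above and applies a strict check for the `wireguard-native` backend: only the two options the commit names are accepted, and the keepalive interval must be a non-negative integer number of seconds. The validation rules are this example's own assumptions; rejecting unknown or malformed options at startup is what keeps a typo from silently falling back to a default.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// BackendSpec is the result of parsing "backend=option=val,option2=val2".
type BackendSpec struct {
	Backend string
	Options map[string]string
}

// ParseFlannelBackend splits the spec at the first '=' into the backend name
// and a comma-separated list of key=value options. A bare "vxlan" style spec
// yields no options; an empty option list after '=' is treated the same way.
func ParseFlannelBackend(spec string) (BackendSpec, error) {
	bs := BackendSpec{Options: map[string]string{}}
	name, rest, hasOpts := strings.Cut(spec, "=")
	bs.Backend = strings.TrimSpace(name)
	if bs.Backend == "" {
		return bs, fmt.Errorf("empty backend name in %q", spec)
	}
	if !hasOpts || strings.TrimSpace(rest) == "" {
		return bs, nil
	}
	for _, kv := range strings.Split(rest, ",") {
		k, v, ok := strings.Cut(kv, "=")
		k = strings.TrimSpace(k)
		if !ok || k == "" {
			return bs, fmt.Errorf("option %q is not of the form key=value", kv)
		}
		if _, dup := bs.Options[k]; dup {
			return bs, fmt.Errorf("option %q given more than once", k)
		}
		bs.Options[k] = strings.TrimSpace(v)
	}
	return bs, nil
}

// wireguardNativeOptions lists the options the commit above adds for that
// backend; anything else is rejected rather than ignored.
var wireguardNativeOptions = map[string]bool{
	"Mode":                        true,
	"PersistentKeepaliveInterval": true,
}

// ValidateWireguardNative applies this example's own rules (assumed, not
// k3s's): known keys only, and an integer keepalive in seconds.
func ValidateWireguardNative(bs BackendSpec) error {
	if bs.Backend != "wireguard-native" {
		return fmt.Errorf("expected wireguard-native backend, got %q", bs.Backend)
	}
	for k, v := range bs.Options {
		if !wireguardNativeOptions[k] {
			return fmt.Errorf("unknown wireguard-native option %q", k)
		}
		if k == "PersistentKeepaliveInterval" {
			if n, err := strconv.Atoi(v); err != nil || n < 0 {
				return fmt.Errorf("PersistentKeepaliveInterval must be a non-negative integer of seconds, got %q", v)
			}
		}
	}
	return nil
}

func main() {
	for _, spec := range []string{
		"vxlan",
		"wireguard-native=Mode=separate,PersistentKeepaliveInterval=25",
		"wireguard-native=Mode=separate,Keepalive=25",
		"wireguard-native=PersistentKeepaliveInterval=soon",
	} {
		bs, err := ParseFlannelBackend(spec)
		if err != nil {
			fmt.Printf("%-60s parse error: %v\n", spec, err)
			continue
		}
		if bs.Backend == "wireguard-native" {
			err = ValidateWireguardNative(bs)
		}
		fmt.Printf("%-60s backend=%s options=%v err=%v\n", spec, bs.Backend, bs.Options, err)
	}
}
```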
* Move startup hooks wg into a runtime pointer, check before notifying systemd
* Switch default systemd notification to server
* Add 1 sec delay to allow etcd to write to disk
Signed-off-by: Derek Nola <derek.nola@suse.com>
If the user points S3 backups at a bucket containing other files, those
file names may not be valid configmap keys.
For example, RKE1 generates backup files with names like
`s3-c-zrjnb-rs-6hxpk_2022-05-05T12:05:15Z.zip`; the semicolons in the
timestamp portion of the name are not allowed for use in configmap keys.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
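The constraint the commit above runs into is a Kubernetes one: a ConfigMap data key may only contain letters, digits, `-`, `_` and `.`, may be at most 253 characters, and may not be `.` or start with `..`. The added example below (not k3s's code) checks a snapshot file name against that rule, reports the first offending character, and shows one mitigation, mapping the name to a valid key by replacing disallowed characters; the mapping is a choice made here, not what the commit does, and it can collide for names that differ only in replaced characters.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// configMapKeyPattern is the character set Kubernetes allows in a ConfigMap
// data key.
var configMapKeyPattern = regexp.MustCompile(`^[-._a-zA-Z0-9]+$`)

// maxConfigMapKeyLen is the length limit Kubernetes applies to ConfigMap keys.
const maxConfigMapKeyLen = 253

// isKeyRune reports whether r is allowed in a ConfigMap key.
func isKeyRune(r rune) bool {
	return r == '-' || r == '_' || r == '.' ||
		(r >= '0' && r <= '9') || (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z')
}

// ValidateConfigMapKey returns nil if name can be used as a ConfigMap data key,
// otherwise an error naming the rule or the first offending character.
func ValidateConfigMapKey(name string) error {
	switch {
	case name == "":
		return fmt.Errorf("key must not be empty")
	case len(name) > maxConfigMapKeyLen:
		return fmt.Errorf("key is %d bytes, limit is %d", len(name), maxConfigMapKeyLen)
	case name == "." || strings.HasPrefix(name, ".."):
		return fmt.Errorf("key must not be '.' or start with '..'")
	}
	if configMapKeyPattern.MatchString(name) {
		return nil
	}
	for i, r := range name {
		if !isKeyRune(r) {
			return fmt.Errorf("character %q at offset %d is not allowed in a ConfigMap key", r, i)
		}
	}
	return fmt.Errorf("key %q is invalid", name)
}

// SanitizeConfigMapKey replaces every disallowed character with '_' so an
// arbitrary file name can be used as a key. This is one possible mitigation,
// chosen for this example; it is lossy, so callers must expect collisions.
func SanitizeConfigMapKey(name string) string {
	var b strings.Builder
	for _, r := range name {
		if isKeyRune(r) {
			b.WriteRune(r)
		} else {
			b.WriteByte('_')
		}
	}
	out := b.String()
	if out == "." || strings.HasPrefix(out, "..") {
		out = "_" + out
	}
	if len(out) > maxConfigMapKeyLen {
		out = out[:maxConfigMapKeyLen]
	}
	return out
}

func main() {
	// The RKE1 backup name quoted in the commit, plus a constructed valid name.
	for _, name := range []string{
		"s3-c-zrjnb-rs-6hxpk_2022-05-05T12:05:15Z.zip",
		"etcd-snapshot-2022-05-05.zip",
	} {
		fmt.Printf("%-48s valid=%v sanitized=%s\n", name, ValidateConfigMapKey(name) == nil, SanitizeConfigMapKey(name))
	}
}
```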
From https://github.com/urfave/cli/pull/1383 :
> This removes the resulting binary dependency on cpuguy83/md2man and
> russross/blackfriday (and a few more packages imported by those),
> which saves more than 400 KB (more than 300 KB
> once stripped) from the resulting binary.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
* Integration Test: Startup (#5630)
* New startup integration test
* Add testing section to PR template
* Move helper functions to direct k8s client calls
Signed-off-by: Derek Nola <derek.nola@suse.com>
* E2E Improvements and groundwork for test-pad tool (#5593)
* Add rancher install script, taints to cp/etcd roles
* Revert back to generic/ubuntu2004, libvirt networking is unreliable on opensuse
* Added support for alpine
* Rancher deployment script
* Refactor installType into function
* Cleanup splitserver test
Signed-off-by: Derek Nola <derek.nola@suse.com>
* E2E: Dualstack test (#5617)
* E2E dualstack test
* Improve testing documentation
Signed-off-by: Derek Nola <derek.nola@suse.com>
* Fix import
Signed-off-by: Derek Nola <derek.nola@suse.com>
Signed-off-by: igor <igor@igor.io>
Signed-off-by: Derek Nola <derek.nola@suse.com>
Co-authored-by: Igor <igorwwwwwwwwwwwwwwwwwwww@users.noreply.github.com>
The control-plane context handles requests outside the cluster and
should not be sent to the proxy.
In agent mode, we don't watch pods and just direct-dial any request for
a non-node address, which is the original behavior.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Watching pods appears to be the most reliable way to ensure that the
proxy routes and authorizes connections.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>