github/k3s - k3s - https://git.xinac.net

Commit Graph

Author	SHA1	Message	Date
galal-hussein	6635503c7a	kubernetes 1.30.0-k3s1 Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>	7 months ago
Brad Davidson	08f1022663	Don't log 'apiserver disabled' error sent by etcd-only nodes Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	8 months ago
Brad Davidson	fe465cc832	Move etcd snapshot management CLI to request/response Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	8 months ago
Brad Davidson	7a2a2d075c	Move error response generation code into util Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	8 months ago
Oleg Matskiv	e3b237fc35	Don't verify the node password if the local host is not running an agent Signed-off-by: Oleg Matskiv <oleg.matskiv@gmail.com>	10 months ago
Brad Davidson	6c544a4679	Add jitter to client config retry Also: * Replaces labeled for/continue RETRY loops with wait helpers for improved readability * Pulls secrets and nodes from cache for node password verification * Migrate nodepassword tests to wrangler mocks for better code reuse Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Derek Nola	dface01de8	Server Token Rotation (#8265 ) * Consolidate NewCertCommands * Add support for user defined new token * Add E2E testlets Signed-off-by: Derek Nola <derek.nola@suse.com> * Ensure agent token also changes Signed-off-by: Derek Nola <derek.nola@suse.com>	1 year ago
Derek Nola	8405813c12	Fix rootless node password (#7887 ) Signed-off-by: Derek Nola <derek.nola@suse.com>	1 year ago
Brad Davidson	5170bc5a04	Improve error response logging Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	45d8c1a1a2	Soft-fail on node password verification if the secret cannot be created Allows nodes to join the cluster during a webhook outage. This also enhances auditability by creating Kubernetes events for the deferred verification. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	239021e759	Consistently use constant-time comparison of password hashes As per https://github.com/golang/go/issues/47001 even subtle.ConstantTimeCompare should never be used with variable-length inputs, as it will return 0 if the lengths do not match. Switch to consistently using constant-time comparisons of hashes for password checks to avoid any possible side-channel leaks that could be combined with other vectors to discover password lengths. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	977a85559e	Add support for cross-signing new certs during ca rotation We need to send the full chain in order for cross-signing to work properly during switchover to a new root. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	87f9c4ab11	Ensure that node exists when using node auth Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	373df1c8b0	Add support for `k3s token` command Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	215fb157ff	Add `certificate rotate-ca` to write updated CA certs to datastore This command must be run on a server while the service is running. After this command completes, all the servers in the cluster should be restarted to load the new CA files. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Derek Nola	06d81cb936	Replace deprecated ioutil package (#6230 ) * Replace ioutil package * check integration test null pointer * Remove rotate retries Signed-off-by: Derek Nola <derek.nola@suse.com>	2 years ago
Brad Davidson	a15e7e8b68	Move DisableServiceLB/Rootless/ServiceLBNamespace into config.Control Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	ce5b9347c9	Replace DefaultProxyDialerFn dialer injection with EgressSelector support Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	3 years ago
Brad Davidson	3d01ca1309	Make supervisor errors parsable by Kubernetes client libs This gives nicer errors from Kubernetes components during startup, and reduces LOC a bit by using the upstream responsewriters module instead of writing the headers and body by hand. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	3 years ago
Brad Davidson	5b2c14b123	Print a helpful error when trying to join additional servers but etcd is not in use Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	3 years ago
Brad Davidson	99851b0f84	Use core constants for cert user/group values Also update cert gen to ensure leaf certs are regenerated if other key fields change. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	3 years ago
Brad Davidson	49544e0d49	Allow agents to query non-apiserver supervisors for apiserver endpoints Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	3 years ago
Brad Davidson	38706eeec0	Defer ensuring node passwords on etcd-only nodes during initial cluster bootstrap This allows secondary etcd nodes to bootstrap the kubelet before an apiserver joins the cluster. Rancher waits for all the etcd nodes to come up before adding the control-plane nodes, so this needs to be handled properly. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	3 years ago
Luther Monson	9a849b1bb7	[master] changing package to k3s-io (#4846 ) * changing package to k3s-io Signed-off-by: Luther Monson <luther.monson@gmail.com> Co-authored-by: Derek Nola <derek.nola@suse.com>	3 years ago
Brad Davidson	5014c9e0e8	Fix adding etcd-only node to existing cluster Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	3 years ago
Brad Davidson	e7464a17f7	Fix use of agent creds for secrets-encrypt and config validate Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	3 years ago
Derek Nola	bcb662926d	Secrets-encryption rotation (#4372 ) * Regular CLI framework for encrypt commands * New secrets-encryption feature * New integration test * fixes for flaky integration test CI * Fix to bootstrap on restart of existing nodes * Consolidate event recorder Signed-off-by: Derek Nola <derek.nola@suse.com>	3 years ago
Brad Davidson	5a923ab8dc	Add containerd ready channel to delay etcd node join Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	3 years ago
Brad Davidson	dc14f370c4	Update wrangler to v0.8.5 Required to support apiextensions.v1 as v1beta1 has been deleted. Also update helm-controller and dynamiclistener to track wrangler versions. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	3 years ago
Brad Davidson	869b98bc4c	Sync DisableKubeProxy into control struct Sync DisableKubeProxy from cfg into control before sending control to clients, as it may have been modified by a startup hook. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	3 years ago
Brad Davidson	90445bd581	Wait until server is ready before configuring kube-proxy (#3716 ) Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	3 years ago
Brad Davidson	2705431d96	Add support for dual-stack Pod/Service CIDRs and node IP addresses (#3212 ) * Add support for dual-stack cluster/service CIDRs and node addresses Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	4 years ago
Erik Wilson	4245fd7b67	Return http.StatusOK instead of 0 Signed-off-by: Erik Wilson <Erik.E.Wilson@gmail.com>	4 years ago
Erik Wilson	2fb411fc83	Fix spelling mistake Signed-off-by: Erik Wilson <Erik.E.Wilson@gmail.com>	4 years ago
Erik Wilson	09eb44ba53	Bootstrap node password with local file Signed-off-by: Erik Wilson <Erik.E.Wilson@gmail.com>	4 years ago
Erik Wilson	1230d7b7df	Fix HA server initialization Signed-off-by: Erik Wilson <Erik.E.Wilson@gmail.com>	4 years ago
Erik Wilson	92d04355f4	Use secrets for node-passwd entries and cleanup	4 years ago
Brian Downs	bb8e5374ea	conform to repo conventions Signed-off-by: Brian Downs <brian.downs@gmail.com>	4 years ago
Brian Downs	00831f9bc8	use version.Program Signed-off-by: Brian Downs <brian.downs@gmail.com>	4 years ago
Brian Downs	301fb73952	add node ip to the request header for cert gen Signed-off-by: Brian Downs <brian.downs@gmail.com>	4 years ago
Darren Shepherd	7e59c0801e	Make program name a variable to be changed at compile time	5 years ago
Darren Shepherd	ff34c5c5cf	Download cert/key to agent with single HTTP request Since generated cert/keys are stored locally, each server has a different copy. In a HA setup we need to ensure we download the cert and key from the same server so we combined HTTP requests to do that.	5 years ago
Darren Shepherd	0ae20eb7a3	Support both http and db based bootstrap	5 years ago
Darren Shepherd	e2431bdf9d	Add dqlite support	5 years ago
Darren Shepherd	ba240d0611	Refactor tokens, bootstrap, and cli args	5 years ago
Darren Shepherd	f0382329a5	Drop openapi hack	5 years ago
Erik Wilson	fdb997b4ee	Fix missing early returns on routes	5 years ago
Erik Wilson	7090a7d551	Move node password to separate file	6 years ago
Erik Wilson	2c9444399b	Refactor certs	6 years ago
Darren Shepherd	c0702b0492	Port to wrangler	6 years ago

1 2

57 Commits (bf6e8742415b718d78ccc7ebe8eb4525169680dd)