540d19b097
[release-1.25] Update klipper lb and helm-controller ( #7240 )
...
* Update klipper lb and helm-controller
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* update klipper helm image
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
---------
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2023-04-06 22:17:21 +02:00
af81ed062a
Updated kube-route version to move the iptables ACCEPT default rule at the end of the chain
...
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2023-04-06 09:57:18 +02:00
355ddda647
Lock bootstrap data with empty key to prevent conflicts
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit d95980bba3
2023-04-05 16:29:13 -07:00
64709f401d
Debounce kubernetes service endpoint updates
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 2992477c4b
2023-04-05 16:29:13 -07:00
7036323cd7
Fix tests to not hide failure location in dummp assert functions
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit ece4d8e45c
2023-04-05 16:29:13 -07:00
5fc65fcda7
Fix issue with stale connections to removed LB server
...
Track LB connections through each server so that they can be closed when it is removed.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit e54ceaa497
2023-04-05 16:29:13 -07:00
50f46016da
Update remotedialer to silence errors when disconnecting
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 5dece799df
2023-04-05 16:29:13 -07:00
66dd02cbcc
go generate
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit d388b82d25
2023-04-05 16:29:13 -07:00
7686c73624
Ensure that loopback is used for the advertised address when resetting
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit de80c07053
2023-04-05 16:29:13 -07:00
45670c8ae4
Ensure that loopback is used for the advertised address when resetting
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit b010db0cff
2023-04-05 16:29:13 -07:00
e81356a287
Bump runc to v1.1.5
...
Addresses GHSA-m8cg-xc2p-r3fc GHSA-vpvm-3wq2-2wvm GHSA-g2j6-57v7-gm8c
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 877247a691
2023-04-05 16:29:13 -07:00
88d5a723ce
Bump Local Path Provisioner version ( #7167 )
...
* chore: Bump Local Path Provisioner version
* go generate
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
(cherry picked from commit cee3ddbc4a
2023-04-05 16:29:13 -07:00
c25f611eed
Remove deprecated nodeSelector label beta.kubernetes.io/os ( #6970 ) ( #7121 )
...
* Remove deprecated nodeSelector label beta.kubernetes.io/os
Problem:
The nodeSelector label beta.kubernetes.io/os in the CoreDNS deployment was deprecated in 1.14 and will likely be removed soon
Solution:
Change the nodeSelector to remove the beta
Signed-off-by: Dan Mills <evilhamsterman@gmail.com>
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
Co-authored-by: Daniel Mills <evilhamsterman@users.noreply.github.com>
2023-04-04 21:04:18 +02:00
9e22489daf
[Release-1.25] Enhance `check-config` ( #7164 )
...
* Add missing kernel config checks (#6946 )
Add additional kernel config checks for NETFILTER_XT_MATCH_COMMENT and
NETFILTER_XT_MATCH_MULTIPORT as they are both required to run k3s.
Signed-off-by: Richard Steinmetz <richard@steinmetz.cloud>
* Enhance `k3s check-config` (#7091 )
* Move CONFIG_CGROUP_PIDS to Required
Signed-off-by: Derek Nola <derek.nola@suse.com>
---------
Signed-off-by: Richard Steinmetz <richard@steinmetz.cloud>
Signed-off-by: Derek Nola <derek.nola@suse.com>
Co-authored-by: Richard Steinmetz <richard@steinmetz.cloud>
2023-03-29 12:15:38 -07:00
6c5ac02248
Update flannel to fix NAT issue with old iptables version
...
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2023-03-22 18:15:47 +01:00
46fd19b30e
Update to v1.25.8-k3s1 ( #7106 )
2023-03-17 15:28:28 -07:00
37a26379d5
Add support for cross-signing new certs during ca rotation
...
We need to send the full chain in order for cross-signing to work
properly during switchover to a new root.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-03-13 20:04:11 -07:00
27f032ddb9
Update/rename certs.sh; add default cert rotation script
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-03-13 20:04:11 -07:00
a6cac3e9e7
Adds a warning about editing to the containerd config.toml file ( #7075 )
...
* Add a warning to the config.toml file
Signed-off-by: Derek Nola <derek.nola@suse.com>
Co-authored-by: Brad Davidson <brad@oatmail.org>
2023-03-13 15:33:20 -07:00
7a7304e3d3
Wait for kubelet to update the Ready status before reading port
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-03-13 14:30:11 -07:00
0369a5a6a4
Wait for kubelet port to be ready before setting
...
Signed-off-by: Daishan Peng <daishan@acorn.io>
2023-03-13 14:30:11 -07:00
c904d97363
[Release-1.25] Enable dependabot ( #7045 )
...
* Enable dependabot on 1.25
Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-03-13 09:38:26 -07:00
6728824743
[Release-1.25] Bump various dependencies for CVEs ( #7043 )
...
* Match flannel for x/net
* Match containerd for x/sys
* Update replace for go-gax
* Isolate e2e terraform depedencies
* Bump containerd
* Bump wrangler to 1.1.1
Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-03-13 09:36:59 -07:00
f5d1f976d3
[Release 1.25] Update flannel and kube-router ( #7061 )
...
* Update kube-router version to fix iptables rules
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
* Update Flannel to v0.21.3
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
---------
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2023-03-10 20:31:52 -08:00
f7c20e237d
Update to v1.25.7-k3s1 ( #7010 )
...
* Update to v1.25.7
* update gh workflows and docker files to proper go version
---------
Signed-off-by: matttrach <matttrach@gmail.com>
2023-03-01 15:29:10 -06:00
8f6997883d
Bump kine to v0.9.9
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-23 17:19:31 -08:00
27b5441c96
Add test for filterByIPFamily
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-21 14:13:34 -08:00
0a2bdfdd7a
Fix ServiceLB dual-stack ingress IP listing
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-21 14:13:34 -08:00
97100de8d0
Improve default umask for certs.sh
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-14 13:18:12 -08:00
c3fbb30c2e
Fix CACertPath stripping trailing path components
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-14 13:18:12 -08:00
4e03608119
Fix etcd member deletion
...
Turns out etcd-only nodes were never running **any** of the controllers,
so allowing multiple controllers didn't really fix things.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-14 13:18:12 -08:00
14f2226b67
Allow for multiple sets of leader-elected controllers
...
Addresses an issue where etcd controllers did not run on etcd-only nodes
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-10 11:35:29 -08:00
e5e85b1723
Update flannel to v0.21.1
...
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2023-02-10 18:53:15 +01:00
dda9e48dfc
Updated flannel version to v0.21.0
...
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2023-02-10 18:53:15 +01:00
0ba4732c1f
Fix access to hostNetwork port on NodeIP when egress-selector-mode=agent
...
Signed-off-by: Paul Donohue <git@PaulSD.com>
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-10 09:43:53 -08:00
a2521856f5
Wait for server to become ready before creating token
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-10 09:33:55 -08:00
d06052880e
Add CI test
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit b43dd7746d
2023-02-10 09:33:55 -08:00
af26f1816c
Add ADR
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit c900089e88
2023-02-10 09:33:55 -08:00
33c6488bbc
Ensure that node exists when using node auth
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 87f9c4ab11
2023-02-10 09:33:55 -08:00
ade6203aad
Add support for kubeadm token and client certificate auth
...
Allow bootstrapping with kubeadm bootstrap token strings or existing
Kubelet certs. This allows agents to join the cluster using kubeadm
bootstrap tokens, as created with the `k3s token create` command.
When the token expires or is deleted, agents can successfully restart by
authenticating with their kubelet certificate via node authentication.
If the token is gone and the node is deleted from the cluster, node auth
will fail and they will be prevented from rejoining the cluster until
provided with a valid token.
Servers still must be bootstrapped with the static cluster token, as
they will need to know it to decrypt the bootstrap data.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 992e64993d
2023-02-10 09:33:55 -08:00
97c506cc65
Add support for `k3s token` command
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 373df1c8b0
2023-02-10 09:33:55 -08:00
ced164c080
Add e2e tests for CA cert rotation
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit be7f751863
2023-02-10 09:33:55 -08:00
af753a8700
Add basic test for custom CA certs
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 8a6404f97c
2023-02-10 09:33:55 -08:00
9fe00c8ecb
Clarify ADR based on design review feedback
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 9b6b72941f
2023-02-10 09:33:55 -08:00
5eb1e7e1b9
Add ADR
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit f13768c247
2023-02-10 09:33:55 -08:00
5eac6f977c
Add `certificate rotate-ca` to write updated CA certs to datastore
...
This command must be run on a server while the service is running. After this command completes, all the servers in the cluster should be restarted to load the new CA files.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 215fb157ff
2023-02-10 09:33:55 -08:00
03fd2f278a
Add utility functions for getting kubernetes client
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 3c324335b2
2023-02-10 09:33:55 -08:00
4a28be3c57
Fix CA cert hash for root certs
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 58d40327b4
2023-02-10 09:33:55 -08:00
7fce823e82
Ensure cluster-signing CA files contain only a single CA cert
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 0919ec6755
2023-02-10 09:33:55 -08:00
c47f12354c
Add example certificate generation script
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 1ec242d816
2023-02-10 09:33:55 -08:00
Hussein Galal