github/k3s - k3s - https://git.xinac.net

Commit Graph

Author	SHA1	Message	Date
Brad Davidson	3abc8b82ed	Bump traefik, golang.org/x/net, google.golang.org/grpc Fixes exposure to CVE-2023-39325 Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Roberto Bonafiglia	1ffb4603cd	Use IPv6 in case is the first configured IP with dualstack Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>	1 year ago
Brad Davidson	d885162967	Add server token hash to CR and S3 This required pulling the token hash stuff out of the cluster package, into util. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Brad Davidson	550ab36ab7	Switch to managing ETCDSnapshotFile resources Reconcile snapshot CRs instead of ConfigMap; manage ConfigMap downstream from CR list Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Brad Davidson	5cd4f69bfa	Move snapshot delete into local/s3 functions Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Brad Davidson	a15b804e00	Sort snapshots by time and key in tabwriter output Fixes snapshot list coming out in non-deterministic order Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Brad Davidson	7464007037	Store extra metadata and cluster ID for snapshots Write the extra metadata both locally and to S3. These files are placed such that they will not be used by older versions of K3s that do not make use of them. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Brad Davidson	80f909d0ca	Move s3 snapshot list functionality to s3.go Also, don't list ONLY s3 snapshots if S3 is enabled. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Brad Davidson	8d47645312	Consistently set snapshotFile timestamp Attempt to use timestamp from creation or filename instead of file/object modification times Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Brad Davidson	f1afe153a3	Tidy s3 upload functions Consistently refer to object keys as such, simplify error handling. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Brad Davidson	2b0e2e8ada	Elide old snapshot data when apiserver rejects configmap with ErrRequestEntityTooLarge Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Brad Davidson	676b00aa0e	Move etcd snapshot code into separate file Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Brad Davidson	500744bb94	Add new CRD for etcd snapshots Also adds a hack go script to print the embedded CRDs, for developer use. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Brad Davidson	9bb1ce1253	Bump busybox to v1.36.1 Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Derek Nola	dface01de8	Server Token Rotation (#8265 ) * Consolidate NewCertCommands * Add support for user defined new token * Add E2E testlets Signed-off-by: Derek Nola <derek.nola@suse.com> * Ensure agent token also changes Signed-off-by: Derek Nola <derek.nola@suse.com>	1 year ago
Roberto Bonafiglia	ced25af5b1	Fixed tailscale node IP dualstack mode in case of IPv4 only node Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>	1 year ago
Manuel Buil	e82b37640a	Network defaults are duplicated, remove one Signed-off-by: Manuel Buil <mbuil@suse.com>	1 year ago
Manuel Buil	f2c7117374	Take IPFamily precedence based on order Signed-off-by: Manuel Buil <mbuil@suse.com>	1 year ago
Manuel Buil	0b23a478cf	ipFamilyPolicy:PreferDualStack for coredns and metrics-server Signed-off-by: Manuel Buil <mbuil@suse.com>	1 year ago
Brad Davidson	0e5c760625	Pass SystemdCgroup setting through to nvidia runtime options Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Edgar Lee	fe18b1fce9	Add --image-service-endpoint flag (#8279 ) * Add --image-service-endpoint flag Problem: External container runtime can be set but image service endpoint is unchanged and also is not exposed as a flag. This is useful for using containerd snapshotters outside of the ones that have built-in support like stargz-snapshotter. Solution: Add a flag --image-service-endpoint and also default image service endpoint to container runtime endpoint if set. Signed-off-by: Edgar Lee <edgarhinshunlee@gmail.com>	1 year ago
Manuel Buil	2a9e8e68d5	Merge pull request #8354 from manuelbuil/vpnExtraParams Add extraArgs to vpn provider	1 year ago
Manuel Buil	4dd45b3142	Merge pull request #8439 from manuelbuil/fixGofmt Fix gofmt error	1 year ago
Vitor Savian	b6ab24c4fd	Added error when cluster reset while using server flag Signed-off-by: Vitor Savian <vitor.savian@suse.com>	1 year ago
Manuel Buil	172a7f1d1a	Fix gofmt error Signed-off-by: Manuel Buil <mbuil@suse.com>	1 year ago
Brad Davidson	8705a88bf4	Clear remove annotations on cluster reset; refuse to delete last member from cluster Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Brad Davidson	002e6c43ee	Reorganize Driver interface and etcd driver to avoid passing context and config into most calls Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Brad Davidson	890645924f	Don't export functions not needed outside the etcd package Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Brad Davidson	a3c52d60a5	Skip creating CRDs and setting up event recorder for CLI controller context Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Brad Davidson	391e61bd72	Use admin kubeconfig instead of supervisor for etcd snapshot CLI Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Brad Davidson	8c73fd670b	Disable HTTP on main etcd client port Fixes performance issue under load, ref: https://github.com/etcd-io/etcd/issues/15402 and https://github.com/kubernetes/kubernetes/pull/118460 Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Manuel Buil	12459fca97	Add extraArgs to tailscale Signed-off-by: Manuel Buil <mbuil@suse.com>	1 year ago
Manuel Buil	cae8b2b626	Merge pull request #8346 from manuelbuil/interfaceLogs Include the interface name in the error message	1 year ago
Manuel Buil	3194dc7367	Merge pull request #8284 from manuelbuil/improveFlannelLogging Add context to flannel errors	1 year ago
Manuel Buil	8c197bdce4	Include the interface name in the error message Signed-off-by: Manuel Buil <mbuil@suse.com>	1 year ago
Manuel Buil	8146041185	Merge pull request #8250 from manuelbuil/fixWinError Fix error reporting	1 year ago
Johnatas	6330a5b49c	Update to v1.28.2 and go v1.20.8 (#8364 ) * Update to v1.28.2 Signed-off-by: Johnatas <johnatasr@hotmail.com> * Bump containerd and stargz versions Signed-off-by: Brad Davidson <brad.davidson@rancher.com> * Print message on upgrade fail Signed-off-by: Brad Davidson <brad.davidson@rancher.com> * Send Bad Gateway instead of Service Unavailable when tunnel dial fails Works around new handling for Service Unavailable by apiserver aggregation added in kubernetes/kubernetes#119870 Signed-off-by: Brad Davidson <brad.davidson@rancher.com> * Add 60 seconds to server upgrade wait to account for delays in apiserver readiness Also change cleanup helper to ensure upgrade test doesn't pollute the images for the rest of the tests. Signed-off-by: Brad Davidson <brad.davidson@rancher.com> --------- Signed-off-by: Johnatas <johnatasr@hotmail.com> Signed-off-by: Brad Davidson <brad.davidson@rancher.com> Co-authored-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Manuel Buil	66cb1064d1	Add context to flannel errors Signed-off-by: Manuel Buil <mbuil@suse.com>	1 year ago
Manuel Buil	d3f7632463	Fix error reporting Signed-off-by: Manuel Buil <mbuil@suse.com>	1 year ago
Brad Davidson	0d23cfe038	Add RWMutex to address controller Fixes race condition when address map is updated by multiple goroutines Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Brad Davidson	cba9f0d142	Add new CLI flag to disable TLS SAN CN filtering Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Derek Nola	2cb7023660	Use already imported semver, bump kine Signed-off-by: Derek Nola <derek.nola@suse.com>	1 year ago
Derek Nola	f2d0c5409a	Add check for support on cp nodes Signed-off-by: Derek Nola <derek.nola@suse.com>	1 year ago
Derek Nola	51f1a5a0ab	Review comments and fixes Signed-off-by: Derek Nola <derek.nola@suse.com>	1 year ago
Derek Nola	42c2ac95e2	CLI + Backend for Secrets Encryption v3 Signed-off-by: Derek Nola <derek.nola@suse.com>	1 year ago
Derek Nola	b967f92785	Replace os.Write with AtomicWrite function Signed-off-by: Derek Nola <derek.nola@suse.com>	1 year ago
Derek Nola	ced330c66a	[v1.28] CLI Removal for v1.28.0 (#8203 ) * Remove deprecated flannel ipsec Signed-off-by: Derek Nola <derek.nola@suse.com> * Remove multipart backend Signed-off-by: Derek Nola <derek.nola@suse.com> * Fix secrets-encryption integration test flakiness Signed-off-by: Derek Nola <derek.nola@suse.com> --------- Signed-off-by: Derek Nola <derek.nola@suse.com>	1 year ago
Hussein Galal	af50e1b096	Update to v1.28.0-k3s1 (#8199 ) * Update to v1.28.0 Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Update golang to v1.20.7 Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * more changes Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * update wrangler Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * update wrangler Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * fix nodepassword test Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * fix nodepassword test Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * disable CGO before running golangci-lint Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * execlude CGO Enabled checks Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Ignore reapply change error with logging Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Update google api client Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> --------- Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>	1 year ago
Brad Davidson	66bae3e326	Bump dynamiclistener for init deadlock fix Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Vitor Savian	e83b1ba4aa	Fixed the etcd retention to delete orphaned snapshots based on the date (#8177 ) * Fix retention using name instead of date Signed-off-by: Vitor <vitor.savian@suse.com>	1 year ago
Vitor Savian	c97211866a	Fix for cluster-reset backup from s3 when etcd snapshots are disabled (#8155 ) * Fixed when the user disable the etcd snapshots, but want to backup from s3 Signed-off-by: Vitor <vitor.savian@suse.com>	1 year ago
Ian Cardoso	e551308db8	fix for etcd-snapshot delete with --etcd-s3 flag (#8110 ) k3s etcd-snapshot save --etcd-s3 ... is creating a local snapshot and uploading it to s3 while k3s etcd-snapshot delete --etcd-s3 ... was deleting the snapshot only on s3 buckets, this commit change the behavior of delete to do it locally and on s3 Signed-off-by: Ian Cardoso <osodracnai@gmail.com>	1 year ago
Vitor Savian	ca7aeed090	Etcd snapshots retention when node name changes (#8099 ) Fixed the etcd retention to delete orphaned snapshots Signed-off-by: Vitor <vitor.savian@suse.com>	1 year ago
Brad Davidson	aa76942d0f	Add FilterCN function to prevent SAN Stuffing Wire up a node watch to collect addresses of server nodes, to prevent adding unauthorized SANs to the dynamiclistener cert. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Manuel Buil	8c38d1169d	Merge pull request #8077 from manuelbuil/fixTailscale Fix tailscale bug with ip modes	1 year ago
Derek Nola	46cbbab263	Consolidate CopyFile functions (#8079 ) * Consolidate CopyFile function Signed-off-by: Derek Nola <derek.nola@suse.com> * Copy to File, not destination folder Signed-off-by: Derek Nola <derek.nola@suse.com> --------- Signed-off-by: Derek Nola <derek.nola@suse.com>	1 year ago
Manuel Buil	59eec78c62	Fix tailscale bug with ip modes Signed-off-by: Manuel Buil <mbuil@suse.com>	1 year ago
Brad Davidson	f21ae1d949	Make apiserver egress args conditional on egress-selector-mode Only configure enable-aggregator-routing and egress-selector-config-file if required by egress-selector-mode. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Simon Kirsten	546dc247a0	Add support for `{{ template "base" . }}` in etc/containerd/config.toml.tmpl (#7991 ) Signed-off-by: Simon Kirsten <simonkirsten24@gmail.com>	1 year ago
Derek Nola	6d360e6473	Unit test for MustFindString (#8013 ) Signed-off-by: Derek Nola <derek.nola@suse.com>	1 year ago
Derek Nola	be44243353	Adjust default kubeconfig file permissions (#7978 ) * Adjust default kubeconfig permissions Signed-off-by: Derek Nola <derek.nola@suse.com>	1 year ago
Derek Nola	0b18a65d4f	Revert "Warn that v1.28 will deprecate reencrypt/prepare (#7848 )" This reverts commit `4ab01f3941`. Signed-off-by: Derek Nola <derek.nola@suse.com>	1 year ago
Bartosz Lenart	34617390d0	Generation of certificates and keys for etcd gated if etcd is disabled. (#6998 ) Problem: When support for etcd was added in `3957142`, generation of certificates and keys for etcd was not gated behind use of managed etcd. Keys are generated and distributed across servers even if managed etcd is not enabled. Solution: Allow generation of certificates and keys only if managed etc is enabled. Check config.DisableETCD flag. Signed-off-by: Bartossh <lenartconsulting@gmail.com>	1 year ago
Derek Nola	8405813c12	Fix rootless node password (#7887 ) Signed-off-by: Derek Nola <derek.nola@suse.com>	1 year ago
Denys Smirnov	b9a2bf11ee	Support setting control server URL for Tailscale. This change enables the use of Headscale - open source implementation of the Tailscale control server. Signed-off-by: Denys Smirnov <dennwc@pm.me>	1 year ago
Derek Nola	4ab01f3941	Warn that v1.28 will deprecate reencrypt/prepare (#7848 ) * Warn that v1.28 will deprecate reencrypt/prepare Signed-off-by: Derek Nola <derek.nola@suse.com>	1 year ago
Manuel Buil	6c44b06e0a	Merge pull request #7838 from manuelbuil/ipv4ipv6tailscale Check if we are on ipv4, ipv6 or dualStack when doing tailscale	1 year ago
Manuel Buil	bca0adbca8	Fix code spell check Signed-off-by: Manuel Buil <mbuil@suse.com>	1 year ago
Manuel Buil	9c48d10eba	Merge pull request #7845 from manuelbuil/removeWinFile Remove file_windows.go	1 year ago
Brad Davidson	7f50b40cfe	Fall back to basic/bearer auth when node identity auth is rejected Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Daishan Peng	ce3443ddf6	Allow k3s to customize apiServerPort on helm-controller Signed-off-by: Daishan Peng <daishan@acorn.io>	1 year ago
LeiLei	72d50b1f7c	Add `--data-dir` to the `k3s certificate rotate-ca` cli (#7791 ) Need to add a cli flag for this. Also, should probably have config file loading support for the certificate commands. Signed-off-by: leilei.zhai <leilei.zhai@qingteng.cn>	1 year ago
Manuel Buil	d593c83603	Remove file_windows.go Signed-off-by: Manuel Buil <mbuil@suse.com>	1 year ago
Manuel Buil	f21a01474d	Check if we are on ipv4, ipv6 or dualStack when doing tailscale Signed-off-by: Manuel Buil <mbuil@suse.com>	1 year ago
Vitor Savian	0809187cff	Adding cli to custom klipper helm image (#7682 ) Adding cli to custom klipper helm image Signed-off-by: Vitor Savian <vitor.savian@suse.com>	1 year ago
guoguangwu	2215870d5d	chore: pkg imported more than once Signed-off-by: guoguangwu <guoguangwu@magic-shield.com>	1 year ago
Manuel Buil	43611bb5ad	Fix the error report Signed-off-by: Manuel Buil <mbuil@suse.com>	1 year ago
Manuel Buil	268c9a7684	Merge pull request #7352 from manuelbuil/vpnintegrations-afterparental Integrate tailscale into k3s	1 year ago
Manuel Buil	869e030bdd	VPN PoC Signed-off-by: Manuel Buil <mbuil@suse.com>	1 year ago
Derek Nola	dc6c569b98	Shortcircuit commands with version or help flags (#7683 ) * Shortcircuit search with help and version flag Signed-off-by: Derek Nola <derek.nola@suse.com> * Keep functions seperate Signed-off-by: Derek Nola <derek.nola@suse.com> --------- Signed-off-by: Derek Nola <derek.nola@suse.com>	1 year ago
Brad Davidson	e5e1a674ce	Enable containerd aufs/devmapper/zfs snapshotter plugins These were unintentionally dropped when moving containerd back into the main multicall binary Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Brad Davidson	5170bc5a04	Improve error response logging Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Brad Davidson	45d8c1a1a2	Soft-fail on node password verification if the secret cannot be created Allows nodes to join the cluster during a webhook outage. This also enhances auditability by creating Kubernetes events for the deferred verification. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	1 year ago
Derek Nola	b0188f5a13	Test Coverage Reports for E2E tests (#7526 ) * Move coverage writer into agent and server * Add coverage report to E2E PR tests * Add codecov upload to drone Signed-off-by: Derek Nola <derek.nola@suse.com>	1 year ago
Yuxing Deng	b64a226ebd	Make LB image configurable when compiling k3s It is no way we can configure the lb image because it is a const value. It would be better that we make it variable value and we can override the value like the `helm-controller` job image when compiling k3s/rke2 Signed-off-by: Yuxing Deng <jxfa0043379@hotmail.com>	2 years ago
Brad Davidson	64a5f58f1e	Create new kubeconfig for supervisor use Only actual admin actions should use the admin kubeconfig; everything done by the supervisor/deploy/helm controllers will now use a distinct account for audit purposes. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	8748813a61	Use distinct clients for supervisor, deploy, and helm controllers Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	e9958cf070	Bump metrics-server to v0.6.3 and update tls-cipher-suites Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	93279d2f59	Bump klipper-lb to v0.4.4 Fixes issue with localhost access to ServiceLB when ExternalTrafficPolicy=Local Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Andrew Roffey	0485a56f33	allow coredns override extensions Signed-off-by: Andrew Roffey <andrew@roffey.au>	2 years ago
Manuel Buil	4aafff0219	Wrap error stating that it is coming from netpol Signed-off-by: Manuel Buil <mbuil@suse.com>	2 years ago
Brad Davidson	8f450bafe1	Bump helm-controller version for repo auth/ca support Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	607cbf0ad6	Bump containerd to v1.7.0 and move back into multicall binary Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
thomasferrandiz	b4bc57d049	Merge pull request #7303 from thomasferrandiz/netpol-log-level ensure that klog verbosity is set to the same level as logrus	2 years ago
Brad Davidson	239021e759	Consistently use constant-time comparison of password hashes As per https://github.com/golang/go/issues/47001 even subtle.ConstantTimeCompare should never be used with variable-length inputs, as it will return 0 if the lengths do not match. Switch to consistently using constant-time comparisons of hashes for password checks to avoid any possible side-channel leaks that could be combined with other vectors to discover password lengths. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Derek Nola	c6dc789e25	Add support for `-cover` + integration test code coverage (#7415 ) * Add support for -cover in k3s server * Update codecov reporting * Sigterm in StopK3sServer Signed-off-by: Derek Nola <derek.nola@suse.com>	2 years ago
Brad Davidson	cf9ebb3259	Fail to validate server tokens that use bootstrap id/secret format Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Manuel Buil	eb83af0de4	Merge pull request #7422 from manuelbuil/modify-utils Migrate netutil methods into /util/net.go	2 years ago
Brad Davidson	cedefeff24	Bump cni plugins to v1.2.0-k3s1 Also add bandwidth and firewall plugins. The bandwidth plugin is automatically registered with the appropriate capability, but the firewall plugin must be configured by the user if they want to use it. Ref: https://www.cni.dev/plugins/current/meta/firewall/ Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Boleyn Su	a736b4b1b9	local-storage: Fix permission (#7217 ) * local-storage: Fix permission /var/lib/rancher/k3s/storage/ should be 700 /var/lib/rancher/k3s/storage/* should be 777 Fixes #2348 Signed-off-by: Boleyn Su <boleyn.su@gmail.com> * Fix pod command field type * Fix to int test Signed-off-by: Derek Nola <derek.nola@suse.com> --------- Signed-off-by: Boleyn Su <boleyn.su@gmail.com> Signed-off-by: Derek Nola <derek.nola@suse.com> Co-authored-by: Brad Davidson <brad@oatmail.org> Co-authored-by: Derek Nola <derek.nola@suse.com>	2 years ago
Manuel Buil	437ad128c7	Migrate netutil methods into /utils/net.go Signed-off-by: Manuel Buil <mbuil@suse.com>	2 years ago
Derek Nola	e1d4cff14c	Enable FindString to search dotD config files (#7323 ) * Enable FindString to search dotD config files * Address multiple arg cases Signed-off-by: Derek Nola <derek.nola@suse.com>	2 years ago
Derek Nola	d5f560360e	Handle multiple arguments with StringSlice flags (#7380 ) * Add helper function for multiple arguments in stringslice Signed-off-by: Derek Nola <derek.nola@suse.com> * Cleanup server setup with util function Signed-off-by: Derek Nola <derek.nola@suse.com>	2 years ago
Brad Davidson	e61fde93c1	Fix MemberList error handling and incorrect etcd-arg passthrough Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	91afb38799	Retry cluster join on "too many learners" error Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	f1b6a3549c	Fix stack log on panic Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	c44d33d29b	Fix race condition in tunnel server startup Several places in the code used a 5-second retry loop to wait on Runtime.Core to be set. This caused a race condition where OnChange handlers could be added after the Wrangler shared informers were already started. When this happened, the handlers were never called because the shared informers they relied upon were not started. Fix that by requiring anything that waits on Runtime.Core to run from a cluster controller startup hook that is guaranteed to be called before the shared informers are started, instead of just firing it off in a goroutine that retries until it is set. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	31a6386994	Improve egress selector handling on agentless servers Don't set up the agent tunnel authorizer on agentless servers, and warn when agentless servers won't have a way to reach in-cluster endpoints. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	0247794aa9	go generate Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	ad41fb8c96	Create CRDs with schema Fixes an issue where CRDs were being created without schema, allowing resources with invalid content to be created, later stalling the controller ListWatch event channel when the invalid resources could not be deserialized. This also requires moving Addon GVK tracking from a status field to an annotation, as the GroupVersionKind type has special handling internal to Kubernetes that prevents it from being serialized to the CRD when schema validation is enabled. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Derek Nola	bc5b42c279	Cleanup help messages (#7369 ) Signed-off-by: Derek Nola <derek.nola@suse.com>	2 years ago
Thomas Ferrandiz	66fcca66cb	ensure that klog verbosity is set to the same level as logrus by repeatedly settting it every second during k3s startup Signed-off-by: Thomas Ferrandiz <thomas.ferrandiz@suse.com>	2 years ago
Derek Nola	944f811dc5	v1.27.1 CLI Deprecation (#7311 ) * Remove Flannel Wireguard * Remove etcd-snapshot (implicit save) * Convert ipsec and multiple backend to fatal Signed-off-by: Derek Nola <derek.nola@suse.com>	2 years ago
Derek Nola	f2bde63eea	Kubernetes v1.27.1 (#7271 ) * Bump go version to 1.20.3 to match upstream * Bump cri-dockerd * Bump golanci-lint * go generate * Bump selinux in cgroup test * Bump to v1.27.1 tags * Release documentation improvements * Only run upgrade e2e test on PR Signed-off-by: Derek Nola <derek.nola@suse.com> Signed-off-by: Brad Davidson <brad.davidson@rancher.com> Co-authored-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Hussein Galal	30638072c9	Update klipper lb to v0.4.2 (#7210 ) * Update klipper lb to v0.4.2 Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Update klipper lb to v0.4.3 Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Update klipper lb to v0.4.3 in airgap list Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> --------- Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>	2 years ago
Roberto Bonafiglia	3e3512bdae	Updated kube-route version to move the iptables ACCEPT default rule at the end of the chain Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>	2 years ago
Brad Davidson	d95980bba3	Lock bootstrap data with empty key to prevent conflicts Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	2992477c4b	Debounce kubernetes service endpoint updates Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	ece4d8e45c	Fix tests to not hide failure location in dummp assert functions Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	e54ceaa497	Fix issue with stale connections to removed LB server Track LB connections through each server so that they can be closed when it is removed. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	d388b82d25	go generate Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	b010db0cff	Ensure that loopback is used for the advertised address when resetting Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	cee3ddbc4a	Bump Local Path Provisioner version (#7167 ) * chore: Bump Local Path Provisioner version * go generate Signed-off-by: Brad Davidson <brad.davidson@rancher.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>	2 years ago
Roberto Bonafiglia	15ee88964b	Added multiClusterCidr feature Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>	2 years ago
Daniel Mills	822ee79eb8	Remove deprecated nodeSelector label beta.kubernetes.io/os (#6970 ) * Remove deprecated nodeSelector label beta.kubernetes.io/os Problem: The nodeSelector label beta.kubernetes.io/os in the CoreDNS deployment was deprecated in 1.14 and will likely be removed soon Solution: Change the nodeSelector to remove the beta Signed-off-by: Dan Mills <evilhamsterman@gmail.com>	2 years ago
Brad Davidson	977a85559e	Add support for cross-signing new certs during ca rotation We need to send the full chain in order for cross-signing to work properly during switchover to a new root. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Daishan Peng	b7f90f389c	Wait for kubelet port to be ready before setting (#7041 ) * Wait for kubelet port to be ready before setting * Wait for kubelet to update the Ready status before reading port Signed-off-by: Daishan Peng <daishan@acorn.io> Signed-off-by: Brad Davidson <brad.davidson@rancher.com> Co-authored-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Derek Nola	d218068f34	Adds a warning about editing to the containerd config.toml file (#7057 ) * Add a warning to the config.toml file Signed-off-by: Derek Nola <derek.nola@suse.com> Co-authored-by: Brad Davidson <brad@oatmail.org>	2 years ago
Roberto Bonafiglia	e098b99bfa	Update flannel and kube-router (#7039 ) * Update kube-router version to fix iptables rules Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com> * Update Flannel to v0.21.3 Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com> --------- Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>	2 years ago
Brad Davidson	cbe4bcfeee	Add test for filterByIPFamily Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	cc333d8d0c	Fix ServiceLB dual-stack ingress IP listing Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	23d98cec22	Fix CACertPath stripping trailing path components Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	0c302f4341	Fix etcd member deletion Turns out etcd-only nodes were never running any of the controllers, so allowing multiple controllers didn't really fix things. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Roberto Bonafiglia	b8e69712a3	Updated flannel version to v0.21.0 Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>	2 years ago
Brad Davidson	3d146d2f1b	Allow for multiple sets of leader-elected controllers Addresses an issue where etcd controllers did not run on etcd-only nodes Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Paul Donohue	290d7e8fd1	Fix access to hostNetwork port on NodeIP when egress-selector-mode=agent Signed-off-by: Paul Donohue <git@PaulSD.com> Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	ddcc4d4034	go generate Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	c6d0afd0cb	Check for existing resources before creating them Prevents errors when starting with fail-closed webhooks Also, use panic instead of Fatalf so that the CloudControllerManager rescue can handle the error Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	32d62c5786	Use default address family when adding kubernetes service address to SAN list Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Byron Ruth	a92f163c9d	Add NATS to the list of supported data stores (#6876 ) Signed-off-by: Byron Ruth <byron@nats.io>	2 years ago
Brad Davidson	87f9c4ab11	Ensure that node exists when using node auth Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	992e64993d	Add support for kubeadm token and client certificate auth Allow bootstrapping with kubeadm bootstrap token strings or existing Kubelet certs. This allows agents to join the cluster using kubeadm bootstrap tokens, as created with the `k3s token create` command. When the token expires or is deleted, agents can successfully restart by authenticating with their kubelet certificate via node authentication. If the token is gone and the node is deleted from the cluster, node auth will fail and they will be prevented from rejoining the cluster until provided with a valid token. Servers still must be bootstrapped with the static cluster token, as they will need to know it to decrypt the bootstrap data. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	373df1c8b0	Add support for `k3s token` command Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Derek Nola	7d49202721	Ignore value conflicts when reencrypting secrets (#6850 ) * Ignore conflict secrets Signed-off-by: Derek Nola <derek.nola@suse.com>	2 years ago
Brad Davidson	215fb157ff	Add `certificate rotate-ca` to write updated CA certs to datastore This command must be run on a server while the service is running. After this command completes, all the servers in the cluster should be restarted to load the new CA files. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	3c324335b2	Add utility functions for getting kubernetes client Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	58d40327b4	Fix CA cert hash for root certs Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	0919ec6755	Ensure cluster-signing CA files contain only a single CA cert Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Derek Nola	32086717fc	Ensure flag type consistency (#6852 ) * Convert all flags to pointers for consistency Signed-off-by: Derek Nola <derek.nola@suse.com>	2 years ago
Akos Elek	9fcc7c0db8	Fix cronjob example (#6707 ) Related PR: https://github.com/rancher/rke2-docs/pull/38 Signed-off-by: Akos Elek <akose73@tazerve.hu>	2 years ago
Derek Nola	0d4caf4e24	Wait for cri-dockerd socket (#6812 ) * Wait for cri-dockerd socket * Consolidate cri utility functions Signed-off-by: Derek Nola <derek.nola@suse.com>	2 years ago
Brad Davidson	1c6fde9a52	go generate Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	369b81b45e	Honor Service ExternalTrafficPolicy Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	3cb6fa5cc7	Set cri-dockerd version at build time Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	89f7062431	Add build tag to disable cri-dockerd Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	f54b5e4fa0	Fix CI tests * General cleanup of test-helpers functions to address CI failures * Install awscli in test image * Log containerd output to file even when running with --debug Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Silvio Moioli	23c1040adb	Bugfix: do not break cert-manager when pprof is enabled (#6635 ) Signed-off-by: Silvio Moioli <silvio@moioli.net>	2 years ago
Brad Davidson	8340b54309	Pass through default tls-cipher-suites Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	a298bfdb18	Add jitter to scheduled snapshots and retry harder on conflicts Also ensure that the snapshot job does not attempt to trigger multiple concurrent runs, as this is not supported. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	0c9b43746b	Preload iptable_filter/ip6table_filter ServiceLB now requires this module, but it will not get autoloaded by the kubelet if the host is using nftables. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Hussein Galal	f8b661d590	Update to v1.26.0-k3s1 (#6370 ) * Update to v1.26.0-alpha.2 Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * go generate Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Default CURRENT_VERSION to VERSION_TAG for alpha versions Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * remove containerd package Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Update k8s to v1.26.0-rc.0-k3s1 cri-tools cri-dockerd and cadvisor Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * replace cri-api reference to the new api Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * go mod tidy Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Fix version script to allow rc and alphas Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Fix version script to allow rc and alphas Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Fix version script to allow rc and alphas Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Update to Kubernetes 1.26.0-rc.1 Signed-off-by: Brad Davidson <brad.davidson@rancher.com> * Undo helm-controller pin Signed-off-by: Brad Davidson <brad.davidson@rancher.com> * Bump containerd to -k3s2 for stargz fix Signed-off-by: Brad Davidson <brad.davidson@rancher.com> * DevicePlugins featuregate is locked to on Signed-off-by: Brad Davidson <brad.davidson@rancher.com> * Bump kine for DeleteRange fix Signed-off-by: Brad Davidson <brad.davidson@rancher.com> * Update to v1.26.0-k3s1 Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * go mod tidy Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Bring back snapshotter checks and update golang to 1.19.4 Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * fix windows containerd snapshotter checks Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> Signed-off-by: Brad Davidson <brad.davidson@rancher.com> Co-authored-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Derek Nola	b5d39df929	Deprecation of `etcd-snapshot` command in v1.26 (#6575 ) * Consolidate etcd snapshot commands * Consolidate secrets encryption commands * Move etcd-snapshot to fatal error stage. Signed-off-by: Derek Nola <derek.nola@suse.com>	2 years ago
Derek Nola	d723775792	Remove deprecated flags in v1.26 (#6574 ) * Remove NoFlannel * Remove cluster-secret * Remove no-deploy * Remove disable-selinux * Convert wireguard to fatal error * Remove reference to no-op K3S_CLUSTER_SECRET Signed-off-by: Derek Nola <derek.nola@suse.com>	2 years ago
Brad Davidson	2835368ecb	Bump k3s-root and remove embedded strongswan support Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Derek Nola	af8f101bdc	Mark secrets-encryption flag as GA (#6582 ) * Mark secrets-encrypt flag as GA Signed-off-by: Derek Nola <derek.nola@suse.com>	2 years ago
Brad Davidson	915c7719fe	go generate Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	1eeea5c81f	go generate Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	e08a662509	Disable CCM metrics port when legacy CCM functionality is disabled Prevents port conflicts on upgrade for users that have deployed other cloud controllers. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	a07bb555ba	Bump klipper-helm and klipper-lb versions Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Derek Nola	614da78e43	Add `prefer-bundled-bin` as an agent flag (#6545 ) * Add prefer-bundled-bin as an agent flag * Add E2E test for prefer-bundled-bin Signed-off-by: Derek Nola <derek.nola@suse.com>	2 years ago
Manuel Buil	1beecb2e2d	Merge pull request #6531 from manuelbuil/fixLogs Fix log for flannelExternalIP use case	2 years ago
Manuel Buil	483e29e783	Remove stuff which belongs in the windows executor implementation Signed-off-by: Manuel Buil <mbuil@suse.com>	2 years ago
Brad Davidson	9ff0943d56	Address nits from self-review Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	56bf7d6ad3	Allow agent to run rootless Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	6f2b21c5cd	Add rootless IPv6 support Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	c02dceb7ad	Make rootless settings configurable Add enivironment variables for port-driver, cidr, mtu, and disable-host-loopback settings. Since rootless is still experimental, I don't think they deserve full CLI flag status. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	73171ff20a	go generate Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Derek Nola	0f52088cd3	Add new `prefer-bundled-bin` experimental flag (#6420 ) * initial prefer-bundled-bin ci change * Add startup testlet * Convert parsing to pflag library * Fix code validation * go mod tidy Signed-off-by: Derek Nola <derek.nola@suse.com>	2 years ago
Manuel Buil	5188443988	Fix log for flannelExternalIP use case Signed-off-by: Manuel Buil <mbuil@suse.com>	2 years ago
Manuel Buil	e41e4010e5	Revert "Remove stuff which belongs in the windows executor implementation" This reverts commit `1bc0684fb7`. Signed-off-by: Manuel Buil <mbuil@suse.com>	2 years ago
Manuel Buil	9419b1a936	Merge pull request #6492 from manuelbuil/removeWinStuff Remove stuff which belongs in the windows executor implementation	2 years ago
Brad Davidson	adb820d859	Bump traefik chart to 19.0.4 to fix kubernetes version check Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Manuel Buil	1bc0684fb7	Remove stuff which belongs in the windows executor implementation Signed-off-by: Manuel Buil <mbuil@suse.com>	2 years ago
Derek Nola	13c633da12	Add Secrets Encryption to CriticalArgs (#6409 ) * Add EncryptSecrets to Critical Control Args * use deep comparison to extract differences Signed-off-by: Derek Nola <derek.nola@suse.com> Signed-off-by: Derek Nola <derek.nola@suse.com>	2 years ago
Manuel Buil	861f8ed8f8	Merge pull request #6386 from manuelbuil/changeAddrTypesMetricsServer Change addr types in metrics server	2 years ago
thomasferrandiz	b7d217dbf3	Merge pull request #6405 from thomasferrandiz/log-kube-router-version log kube-router version when starting netpol controller	2 years ago
Manuel Buil	8aff25e192	Merge pull request #6403 from manuelbuil/logsFlannelExternalIP Avoid wrong config for `flannel-external-ip` and add warning if unencrypted backend	2 years ago
Manuel Buil	557fcd28d5	Change the priority of address types depending on flannel-external-ip Signed-off-by: Manuel Buil <mbuil@suse.com>	2 years ago
Manuel Buil	1682172ac1	Add some helping logs to avoid wrong configs Signed-off-by: Manuel Buil <mbuil@suse.com>	2 years ago
Roberto Bonafiglia	87c7ea81f0	Updated flannel version to 0.20.1 Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>	2 years ago
Thomas Ferrandiz	68ac954489	log kube-router version when starting netpol controller Signed-off-by: Thomas Ferrandiz <thomas.ferrandiz@suse.com>	2 years ago
Brad Davidson	d7dbf69f7f	go generate Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
iyear	3aae7b8783	Fix incorrect defer usage Problem: Using defer inside a loop can lead to resource leaks Solution: Judge newer file in the separate function Signed-off-by: iyear <ljyngup@gmail.com>	2 years ago
Brad Davidson	cb86d2c1f0	Bump traefik to v2.9.4 / chart v18.3.0 Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Petri Kivikangas	6156059136	Convert containerd config.toml.tmpl Linux template to v2 syntax Signed-off-by: Petri Kivikangas <36138+Kitanotori@users.noreply.github.com>	2 years ago
Brad Davidson	76729d813b	Set default kubeletPort Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	269563e4d2	Check for RBAC before starting tunnel controllers Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	68a56ff8d8	Add GVK lookup to deploy controller Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	8d28a38a18	Update helm-controller to pull in refactor Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago
Brad Davidson	16a8b6d6f1	Bump Traefik helm chart to v18.0.0 Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	2 years ago

... 2 3 4 5 6 ...

1380 Commits (d1709d60ce98da6e15d8427bc984cd87dfec20c6)