Restricting deferred node password validation to only requests from the local node is not possible without breaking split-role cluster cold start. There are too many cases where node password secrets may not yet be available due to the apiserver not being up.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
* Add "k3s certificate check" clause for better test coverage
Signed-off-by: Derek Nola <derek.nola@suse.com>
* Add table support to cert check
Signed-off-by: Derek Nola <derek.nola@suse.com>
---------
Signed-off-by: Derek Nola <derek.nola@suse.com>
Make this field an interface instead of pointer to allow mocking. Not sure why wrangler has a type that returns an interface instead of just making it an interface itself. Wrangler in general is hard to mock for testing.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit e6327652f0)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Clients now generate keys client-side and send CSRs. If the server is down-level and sends a cert+key instead of just responding with a cert signed with the client's public key, we use the key from the server instead.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit caeebc52b7)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
The servers package, and router.go in particular, had become quite
large. Address this by moving some things out to separate packages:
* http request handlers all move to pkg/server/handlers.
* node password bootstrap auth handler goes into pkg/nodepassword with
the other nodepassword code.
While we're at it, also be more consistent about calling variables that
hold a config.Control struct or reference `control` instead of `config` or `server`.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 2e4e7cf2c1)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Add flags supervisor and apiserver ports and bind address so that we can add an e2e to cover supervisor and apiserver on separate ports, as used by rke2
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit e143e0fa12)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Fix issue where rke2 tunnel was trying to connect to apiserver port instead of supervisor
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 5a5b136151)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
None of these fields or functions are used in k3s or rke2
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit f2f57b4a4b)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
* Add missing default OS for split server test
* Launch go routine and return for k3s secrets-encrypt reencrypt
---------
Signed-off-by: Derek Nola <derek.nola@suse.com>
The loadbalancer should only fail over to the default server if all other server have failed, and it should force fail-back to a preferred server as soon as one passes health checks.
The loadbalancer tests have been improved to ensure that this occurs.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
This fixes: 'error: no Auth Provider found for name "oidc"' when trying to run any subcommands in kubectl that require a valid server login.
Signed-off-by: Ludo Stellingwerff <ludo.stellingwerff@gmail.com>
(cherry picked from commit 2441e46950)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
External CLI actions cannot short-circuit on --help or --version, so we
cannot skip loading the config file if these flags are present when
running these wrapped commands. The behavior of just returning the
override flag name instead of the requested flag value was breaking
data-dir lookup when running wrapped commands.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit ff5c633fe7)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Add new flag that is passed through to the device_ownership_from_security_context parameter in the containerd CRI config. This is not possible to change without providing a complete custom containerd.toml template so we should add a flag for it.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 56fb3b0991)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
* Use clientv3.NewCtxClient instead of New to avoid automatic retry of all RPCs
* Only timeout status requests; allow defrag and alarm clear requests to run to completion.
* Only clear alarms on the local cluster member, not ALL cluster members
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 095e34d816)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
* Fix Github Actions for Ubuntu-24.04 (#11112)
* Fix vagrant/libvirt composite action for ubuntu-24.04
* Don't ignore changes to internal actions
* Fix unit tests for ubuntu 24.04, new lsof version
* Pin os version for unit and E2E workflows
Signed-off-by: Derek Nola <derek.nola@suse.com>
* Pin vagrant to older version to avoid known issue 13527
Signed-off-by: Derek Nola <derek.nola@suse.com>
---------
Signed-off-by: Derek Nola <derek.nola@suse.com>
Made with ❤️️ by updatecli
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit c00af8e95e)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Brad Davidson