Commit Graph

34 Commits (f9ee66f4d85007701c2bb2ac0163f0dbab88aa32)

Author SHA1 Message Date
Derek Nola dface01de8
Server Token Rotation (#8265)
* Consolidate NewCertCommands
* Add support for user defined new token
* Add E2E testlets

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Ensure agent token also changes

Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-10-09 10:58:49 -07:00
Derek Nola b967f92785 Replace os.Write with AtomicWrite function
Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-08-25 14:17:00 -06:00
Derek Nola be44243353
Adjust default kubeconfig file permissions (#7978)
* Adjust default kubeconfig permissions

Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-07-14 15:00:27 -07:00
Bartosz Lenart 34617390d0
Generation of certificates and keys for etcd gated if etcd is disabled. (#6998)
Problem:
When support for etcd was added in 3957142, generation of certificates and keys for etcd was not gated behind use of managed etcd.
Keys are generated and distributed across servers even if managed etcd is not enabled.

Solution:
Allow generation of certificates and keys only if managed etc is enabled. Check config.DisableETCD flag.

Signed-off-by: Bartossh <lenartconsulting@gmail.com>
2023-07-11 10:24:35 -07:00
Manuel Buil 869e030bdd VPN PoC
Signed-off-by: Manuel Buil <mbuil@suse.com>
2023-06-09 12:39:33 +02:00
Brad Davidson 64a5f58f1e Create new kubeconfig for supervisor use
Only actual admin actions should use the admin kubeconfig; everything done by the supervisor/deploy/helm controllers will now use a distinct account for audit purposes.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-05-30 18:15:11 -07:00
Derek Nola d5f560360e
Handle multiple arguments with StringSlice flags (#7380)
* Add helper function for multiple arguments in stringslice

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Cleanup server setup with util function

Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-05-02 09:55:48 -07:00
Brad Davidson 977a85559e Add support for cross-signing new certs during ca rotation
We need to send the full chain in order for cross-signing to work
properly during switchover to a new root.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-03-13 16:56:28 -07:00
Brad Davidson 58d40327b4 Fix CA cert hash for root certs
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-06 15:09:31 -08:00
Brad Davidson 0919ec6755 Ensure cluster-signing CA files contain only a single CA cert
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-06 15:09:31 -08:00
Derek Nola 06d81cb936
Replace deprecated ioutil package (#6230)
* Replace ioutil package
* check integration test null pointer
* Remove rotate retries

Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-10-07 17:36:57 -07:00
Brad Davidson d963cb2f70 Disable cloud-node and cloud-node-lifecycle if CCM is disabled
If CCM and ServiceLB are both disabled, don't run the cloud-controller-manager at all;
this should provide the same CLI flag behavior as previous releases, and not create
problems when users disable the CCM but still want ServiceLB.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-09-30 08:17:20 -07:00
Brad Davidson 0b96ca92bc Move servicelb into cloudprovider LoadBalancer interface
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-09-30 08:17:20 -07:00
Brad Davidson 5eaa0a9422 Replace getLocalhostIP with Loopback helper method
Requires tweaking existing method signature to allow specifying whether or not IPv6 addresses should be return URL-safe.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-07-21 16:51:57 -07:00
Brad Davidson ff6c233e41 Fix egress selector proxy/bind-address support
Use same kubelet-preferred-address-types setting as RKE2 to improve reliability of the egress selector when using a HTTP proxy. Also, use BindAddressOrLoopback to ensure that the correct supervisor address is used when --bind-address is set.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-07-01 00:07:35 -07:00
Brad Davidson b550e1183a Remove control-plane egress context and fix agent mode.
The control-plane context handles requests outside the cluster and
should not be sent to the proxy.

In agent mode, we don't watch pods and just direct-dial any request for
a non-node address, which is the original behavior.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-06-10 10:14:15 -07:00
Brad Davidson 9d7230496d Add support for configuring the EgressSelector mode
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-05-18 13:26:10 -07:00
Brad Davidson ce5b9347c9 Replace DefaultProxyDialerFn dialer injection with EgressSelector support
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-29 17:54:36 -07:00
Brad Davidson b12cd62935 Move IPv4/v6 selection into helpers
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-15 01:02:42 -07:00
Brad Davidson 99851b0f84 Use core constants for cert user/group values
Also update cert gen to ensure leaf certs are regenerated if other key fields change.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-15 01:02:42 -07:00
Roberto Bonafiglia e29771b9ff Fixed client URL
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-03-30 10:59:39 +02:00
Roberto Bonafiglia dda409b041 Updated localhost address on IPv6 only setup
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-03-29 09:35:54 +02:00
Luther Monson 9a849b1bb7
[master] changing package to k3s-io (#4846)
* changing package to k3s-io

Signed-off-by: Luther Monson <luther.monson@gmail.com>

Co-authored-by: Derek Nola <derek.nola@suse.com>
2022-03-02 15:47:27 -08:00
Brad Davidson 2989b8b2c5 Remove unnecessary copies of runtime struct
Several types contained redundant references to ControlRuntime data. Switch to consistently accessing this via config.Runtime instead.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-02-28 12:05:16 -08:00
Derek Nola 142eed1a9f
Create encryption hash file if it doesn't exist (#5140)
Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-02-25 08:43:03 -08:00
Derek Nola bcb662926d
Secrets-encryption rotation (#4372)
* Regular CLI framework for encrypt commands
* New secrets-encryption feature
* New integration test
* fixes for flaky integration test CI
* Fix to bootstrap on restart of existing nodes
* Consolidate event recorder

Signed-off-by: Derek Nola <derek.nola@suse.com>
2021-12-07 14:31:32 -08:00
Brian Downs ac7a8d89c6
Add ability to reconcile bootstrap data between datastore and disk (#3398) 2021-10-07 12:47:00 -07:00
Brad Davidson cf12a13175 Add missing node name entry to apiserver SAN list
Also honor node-ip when adding the node address to the SAN list, instead
of hardcoding the autodetected IP address.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-09-01 13:22:32 -07:00
Brad Davidson e95b75409a Fix lint failures
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-08-20 18:47:16 -07:00
Derek Nola c833183517
Add unit tests for pkg/etcd (#3549)
* Created new etcd unit tests and testing support file

Signed-off-by: dereknola <derek.nola@suse.com>
2021-07-01 16:08:35 -07:00
Brad Davidson f6cec4e75d Add kubernetes.default.svc to serving certs
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-06-08 12:55:20 -07:00
Derek Nola 664a98919b
Fix RBAC cloud-controller-manager name 3308 (#3388)
* Changed cloud-controller-manager user name in ccm.yaml

Signed-off-by: dereknola <derek.nola@suse.com>

* Changed RBAC name in server.go

Signed-off-by: dereknola <derek.nola@suse.com>

* Changed "k3s" string prefix to version.Program to prevent static hardcoding

Signed-off-by: dereknola <derek.nola@suse.com>

* Changed user in ccm.yaml to k3s-cloud-controller-manager

Signed-off-by: dereknola <derek.nola@suse.com>
2021-06-02 14:50:11 -07:00
Brad Davidson 3cb4ca4b35 Use same SANs on ServingKubeAPICert as dynamiclistener
The kube-apiserver cert should have the same SANs in the same order,
excluding the extra user-configured SANs since this will only be used
in-cluster.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-04-28 09:58:19 -07:00
Brian Downs 4d1f9eda9d
Etcd Snapshot/Restore to/from S3 Compatible Backends (#2902)
* Add functionality for etcd snapshot/restore to and from S3 compatible backends.
* Update etcd restore functionality to extract and write certificates and configs from snapshot.
2021-03-03 11:14:12 -07:00