github/k3s - k3s - https://git.xinac.net

Commit Graph

Author	SHA1	Message	Date
Roberto Bonafiglia	e29771b9ff	Fixed client URL Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>	3 years ago
Roberto Bonafiglia	dda409b041	Updated localhost address on IPv6 only setup Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>	3 years ago
Brad Davidson	714979bf6a	Ensure that apiserver ready channel checks re-dial every time Closing idle connections isn't guaranteed to close out a pooled connection to a loadbalancer endpoint that has been removed. Instead, ensure that requests used to wait for the apiserver to become ready aren't reused. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	3 years ago
Luther Monson	9a849b1bb7	[master] changing package to k3s-io (#4846 ) * changing package to k3s-io Signed-off-by: Luther Monson <luther.monson@gmail.com> Co-authored-by: Derek Nola <derek.nola@suse.com>	3 years ago
Brad Davidson	5014c9e0e8	Fix adding etcd-only node to existing cluster Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	3 years ago
Brad Davidson	a1b800f0bf	Remove unnecessary copies of etcdconfig struct Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	3 years ago
Brad Davidson	2989b8b2c5	Remove unnecessary copies of runtime struct Several types contained redundant references to ControlRuntime data. Switch to consistently accessing this via config.Runtime instead. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	3 years ago
Derek Nola	142eed1a9f	Create encryption hash file if it doesn't exist (#5140 ) Signed-off-by: Derek Nola <derek.nola@suse.com>	3 years ago
Ankur Gupta	df4147cd57	Update legacy-unknown-cert and legacy-unknown-key (#5057 ) Signed-off-by: Ankur Gupta <ankur.gupta130887@gmail.com>	3 years ago
Derek Nola	bcb662926d	Secrets-encryption rotation (#4372 ) * Regular CLI framework for encrypt commands * New secrets-encryption feature * New integration test * fixes for flaky integration test CI * Fix to bootstrap on restart of existing nodes * Consolidate event recorder Signed-off-by: Derek Nola <derek.nola@suse.com>	3 years ago
Brad Davidson	5ab6d21a7d	Increase agent's apiserver ready timeout (#4454 ) Since we now start the server's agent sooner and in the background, we may need to wait longer than 30 seconds for the apiserver to become ready on downstream projects such as RKE2. Since this essentially just serves as an analogue for the server's apiReady channel, there's little danger in setting it to something relatively high. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	3 years ago
Brian Downs	adaeae351c	update bootstrap logic (#4438 ) * update bootstrap logic resolving a startup bug and account for etcd	3 years ago
Brad Davidson	3da1bb3af2	Fix other uses of NewForConfigOrDie in contexts where we could return err Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	3 years ago
Brad Davidson	5a923ab8dc	Add containerd ready channel to delay etcd node join Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	3 years ago
Brian Downs	ac7a8d89c6	Add ability to reconcile bootstrap data between datastore and disk (#3398 )	3 years ago
Brad Davidson	753e11ee3c	Enable JobTrackingWithFinalizers FeatureGate Works around issue with Job controller not tracking job pods that are in CrashloopBackoff during upgrade from 1.21 to 1.22. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	3 years ago
Brad Davidson	b72306ce3d	Return the error since it just gets logged and retried anyways Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	3 years ago
Brad Davidson	5986898419	Use SubjectAccessReview to validate CCM RBAC Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	3 years ago
Brad Davidson	dc556cbb72	Set controller authn/authz kubeconfigs Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	3 years ago
Brad Davidson	199424b608	Pass context into all Executor functions Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	3 years ago
Brad Davidson	3449d5b9f9	Wait for apiserver readyz instead of healthz Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	3 years ago
Brad Davidson	cf12a13175	Add missing node name entry to apiserver SAN list Also honor node-ip when adding the node address to the SAN list, instead of hardcoding the autodetected IP address. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	3 years ago
Brad Davidson	b8add39b07	Bump kine for metrics/tls changes Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	3 years ago
Brad Davidson	e95b75409a	Fix lint failures Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	3 years ago
Brad Davidson	dc14f370c4	Update wrangler to v0.8.5 Required to support apiextensions.v1 as v1beta1 has been deleted. Also update helm-controller and dynamiclistener to track wrangler versions. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	3 years ago
Brad Davidson	422d266da2	Disable deprecated insecure port Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	3 years ago
Jamie Phillips	fc19b805d5	Added logic to strip any existing hyphens before processing the args. (#3662 ) Updated the logic to handle if extra args are passed with existing hyphens in the arg. The test was updated to add the additional case of having pre-existing hyphens. The method name was also refactored based on previous feedback.	3 years ago
Derek Nola	c833183517	Add unit tests for pkg/etcd (#3549 ) * Created new etcd unit tests and testing support file Signed-off-by: dereknola <derek.nola@suse.com>	3 years ago
Chris Kim	04398a2582	Move cloud-controller-manager into an embedded executor (#3525 ) * Move cloud-controller-manager into an embedded executor * Import K3s cloud provider and clean up imports Signed-off-by: Chris Kim <oats87g@gmail.com>	3 years ago
Derek Nola	4b2ab8b515	Renamed client-cloud-controller crt and key (#3470 ) Signed-off-by: dereknola <derek.nola@suse.com>	3 years ago
Brad Davidson	f6cec4e75d	Add kubernetes.default.svc to serving certs Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	4 years ago
Derek Nola	664a98919b	Fix RBAC cloud-controller-manager name 3308 (#3388 ) * Changed cloud-controller-manager user name in ccm.yaml Signed-off-by: dereknola <derek.nola@suse.com> * Changed RBAC name in server.go Signed-off-by: dereknola <derek.nola@suse.com> * Changed "k3s" string prefix to version.Program to prevent static hardcoding Signed-off-by: dereknola <derek.nola@suse.com> * Changed user in ccm.yaml to k3s-cloud-controller-manager Signed-off-by: dereknola <derek.nola@suse.com>	4 years ago
Siegfried Weber	e77fd18270	Sign CSRs for kubelet-serving with the server CA Problem: Only the client CA is passed to the kube-controller-manager and therefore CSRs with the signer name "kubernetes.io/kubelet-serving" are signed with the client CA. Serving certificates must be signed with the server CA otherwise e.g. "kubectl logs" fails with the error message "x509: certificate signed by unknown authority". Solution: Instead of providing only one CA via the kube-controller-manager parameter "--cluster-signing-cert-file", the corresponding CA for every signer is set with the parameters "--cluster-signing-kube-apiserver-client-cert-file", "--cluster-signing-kubelet-client-cert-file", "--cluster-signing-kubelet-serving-cert-file", and "--cluster-signing-legacy-unknown-cert-file". Signed-off-by: Siegfried Weber <mail@siegfriedweber.net>	4 years ago
Brad Davidson	3cb4ca4b35	Use same SANs on ServingKubeAPICert as dynamiclistener The kube-apiserver cert should have the same SANs in the same order, excluding the extra user-configured SANs since this will only be used in-cluster. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	4 years ago
Brad Davidson	2705431d96	Add support for dual-stack Pod/Service CIDRs and node IP addresses (#3212 ) * Add support for dual-stack cluster/service CIDRs and node addresses Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	4 years ago
Brad Davidson	601c4984f5	Fix service-account-issuer Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	4 years ago
Brad Davidson	e8381db778	Update Kubernetes to v1.21.0 * Update Kubernetes to v1.21.0 * Update to golang v1.16.2 * Update dependent modules to track with upstream * Switch to upstream flannel * Track changes to upstream cloud-controller-manager and FeatureGates Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	4 years ago
Brian Downs	4d1f9eda9d	Etcd Snapshot/Restore to/from S3 Compatible Backends (#2902 ) * Add functionality for etcd snapshot/restore to and from S3 compatible backends. * Update etcd restore functionality to extract and write certificates and configs from snapshot.	4 years ago
Hussein Galal	5749f66aa3	Add disable flags for control components (#2900 ) * Add disable flags to control components Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * golint Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * more fixes Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * fixes to disable flags Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Add comments to functions Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * Fix joining problem Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * more fixes Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * golint Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * fix ticker Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * fix role labels Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com> * more fixes Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>	4 years ago
Brad Davidson	07256cf7ab	Add ServiceIPRange and ServiceNodePortRange to agent config Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	4 years ago
Brad Davidson	c5aad1b5ed	Disable the ServiceAccountIssuerDiscovery feature-gate. We're not setting ``--service-account-issuer` to a https URL, which causes an error message at startup when the feature gate is enabled. From the docs on that flag: > If this option is not a valid URI per the OpenID Discovery 1.0 spec, the > ServiceAccountIssuerDiscovery feature will remain disabled, even if the > feature gate is set to true. It is highly recommended that this value > comply with the OpenID spec: > https://openid.net/specs/openid-connect-discovery-1_0.html. In practice, > this means that service-account-issuer must be an https URL. It is also > highly recommended that this URL be capable of serving OpenID discovery > documents at {service-account-issuer}/.well-known/openid-configuration. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	4 years ago
Brad Davidson	c6950d2cb0	Update Kubernetes to v1.20.0-k3s1 Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	4 years ago
Brad Davidson	58b5b21f0d	Don't pass cloud-provider flag to controller-manager As per documentation, the cloud-provider flag should not be passed to controller-manager when using cloud-controller. However, the legacy cloud-related controllers still need to be explicitly disabled to prevent errors from being logged. Fixing this also prevents controller-manager from creating the cloud-controller-manager service account that needed extra RBAC. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	4 years ago
Brad Davidson	f50e3140f9	Disable configure-cloud-routes and external service/route programming support when using k3s stub cloud controller Resolves warning 3 from #2471 Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	4 years ago
Brad Davidson	31575e407a	Add Cluster ID support to k3s stub cloud controller Resolves warning 2 from #2471. As per https://github.com/kubernetes/cloud-provider/issues/12 the ClusterID requirement was never really followed through on, so the flag is probably going to be removed in the future. One side-effect of this is that the core k8s cloud-controller-manager also wants to watch nodes, and needs RBAC to do so. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	4 years ago
Brad Davidson	8c6d3567fe	Rename k3s-controller based on the build-time program name Since we're replacing the k3s rolebindings.yaml in rke2, we should allow renaming this so that we can use the white-labeled name downstream. Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	4 years ago
Erik Wilson	c5dc09159f	Move basic authentication to k3s	4 years ago
Brad Davidson	b1d017f892	Update dynamiclistener Second round of fixes for #1621 Signed-off-by: Brad Davidson <brad.davidson@rancher.com>	4 years ago
Euan Kemp	4808c4e7d5	Listen insecurely on localhost only Before this change, k3s configured the scheduler and controller's insecure ports to listen on 0.0.0.0. Those ports include pprof, which provides a DoS vector at the very least. These ports are only enabled for componentstatus checks in the first place, and componentstatus is hardcoded to only do the check on localhost anyway (see https://github.com/kubernetes/kubernetes/blob/v1.18.2/pkg/registry/core/rest/storage_core.go#L341-L344), so there shouldn't be any downside to switching them to listen only on localhost.	4 years ago
Brian Downs	ebac755da1	add profiling flag with default value of false Signed-off-by: Brian Downs <brian.downs@gmail.com>	4 years ago
Brandon Davidson	538842ffdc	Merge pull request #1768 from brandond/fix_1764 Configure default signer implementation to use ClientCA instead of ServerCA	4 years ago
Brian Downs	7f4f237575	added profile = false args to api, controllerManager, and scheduler (#1891 )	5 years ago
Darren Shepherd	6b5b69378f	Add embedded etcd support This is replaces dqlite with etcd. The each same UX of dqlite is followed so there is no change to the CLI args for this.	5 years ago
Darren Shepherd	39571424dd	Generate etcd certificates	5 years ago
Darren Shepherd	a18d387390	Refactor clustered DB framework	5 years ago
Darren Shepherd	7e59c0801e	Make program name a variable to be changed at compile time	5 years ago
Darren Shepherd	cb4b34763e	Merge pull request #1759 from ibuildthecloud/background Start kube-apiserver in the background	5 years ago
Darren Shepherd	e5fe184a44	Merge pull request #1757 from ibuildthecloud/separate-port Add supervisor port	5 years ago
Darren Shepherd	072396f774	Start kube-apiserver in the background In rke2 everything is a static pod so this causes a chicken and egg situation in which we need the kubelet running before the kube-apiserver can be launched. By starting the apiserver in the background this allows us to do this odd bootstrapping.	5 years ago
Brad Davidson	71561ecda2	Use ClientCA for the signer controller	5 years ago
Darren Shepherd	2f5ee914f9	Add supervisor port In k3s today the kubernetes API and the /v1-k3s API are combined into one http server. In rke2 we are running unmodified, non-embedded Kubernetes and as such it is preferred to run k8s and the /v1-k3s API on different ports. The /v1-k3s API port is called the SupervisorPort in the code. To support this separation of ports a new shim was added on the client in then pkg/agent/proxy package that will launch two load balancers instead of just one load balancer. One load balancer for 6443 and the other for 9345 (which is the supervisor port).	5 years ago
Darren Shepherd	afd6f6d7e7	Encapsulate execution logic This moves all the calls to cobra root commands to one package so that we can change the behavior of running components as embedded or external.	5 years ago
Darren Shepherd	3c8e0b4157	No longer use basic auth for default admin account	5 years ago
Knic Knic	44b8af097c	fix usage of path instead of filepath	5 years ago
Erik Wilson	3592d0bdd9	Merge pull request #1344 from ibuildthecloud/dialer-fallback If tunnel session does not exist fallback to default dialer	5 years ago
Erik Wilson	1a2690d7be	Merge pull request #1192 from galal-hussein/add_encryption_config Add secret encryption config	5 years ago
Darren Shepherd	3396a7b099	If tunnel session does not exist fallback to default dialer	5 years ago
galal-hussein	388cd9c4e8	Add secret encryption configuration	5 years ago
Darren Shepherd	4acaa0740d	Small dqlite fixes	5 years ago
Erik Wilson	76281bf731	Update k3s for k8s 1.17.0	5 years ago
galal-hussein	99b8222e8d	Change storage to datastore	5 years ago
Darren Shepherd	77703b90ff	Don't ever change 10252/10251 ports Kubernetes componentstatus check is hardcoded to 10252 and 10251 so we should never change these ports. If you do componentstatus will return error.	5 years ago
Darren Shepherd	0ae20eb7a3	Support both http and db based bootstrap	5 years ago
Darren Shepherd	29b270dce6	Wait for apiserver to be health, not just running	5 years ago
Darren Shepherd	91cacb3a14	Fix server join issues	5 years ago
Erik Wilson	01f6e0e64e	Add context to server daemon functions that wait	5 years ago
larmog	7aa3d08385	Wait for api-server to report version after starting	5 years ago
Darren Shepherd	ba240d0611	Refactor tokens, bootstrap, and cli args	5 years ago
galal-hussein	d2c1f66496	Add k3s cloud provider	5 years ago
galal-hussein	436ff4ef63	fix cert rotation function	5 years ago
galal-hussein	2dc5ba5bae	Add certificate rotation	5 years ago
Erik Wilson	959acf9c92	Add --flannel-backend flag	5 years ago
Darren Shepherd	36ca606073	Merge pull request #793 from yamt/noderestriction Add back NodeRestriction	5 years ago
YAMAMOTO Takashi	9cf80eacd9	Add back NodeRestriction It has been removed as a part of #764 for no obvious reasons. Fix #791	5 years ago
Erik Wilson	197985c673	Add --kubelet-certificate-authority flag	5 years ago
Darren Shepherd	f57dd13774	Default kube-apiserver to httpsport + 1	5 years ago
Darren Shepherd	9c8b95be9d	Drop unneeded prometheus imports	5 years ago
Darren Shepherd	a51a2eaaad	Add anonymous-auth=false and remove NodeRestriction	5 years ago
Erik Wilson	5679cfafaf	Merge pull request #707 from ibuildthecloud/pr683 Integrate Kine	5 years ago
Darren Shepherd	2cb6f52339	Disable storing bootstrap information by default	5 years ago
Erik Wilson	e6067314c9	Localhost -> 127.0.0.1	5 years ago
galal-hussein	1ae0c540d7	Refactor bootstrap, move kine startup code to kine, integrate kine	5 years ago
YAMAMOTO Takashi	d78701acb1	Fix bootstrap with non-tls etcd	5 years ago
Erik Wilson	1833b65fcd	Merge pull request #647 from yamt/remove-proxy-port Remove agent proxy config which is no longer used	5 years ago
Erik Wilson	2d32337334	Merge pull request #650 from erikwilson/update-bootstrap Bootstrap node key files & fix permissions	5 years ago
Erik Wilson	2f4d2838ea	Bootstrap node key files & fix permissions	5 years ago
YAMAMOTO Takashi	dc4ebd4c67	Remove agent proxy config which is no longer used	5 years ago
YAMAMOTO Takashi	f6a04ea995	Add a few comments in bootstrap.go	5 years ago
Erik Wilson	fdc1427317	Add more logs for bootstrap	5 years ago
Erik Wilson	e79fda96d2	Enforce explicit read or write for bootstrap	5 years ago

1 2 3 4

178 Commits (fe465cc83253fbc9139418f8a2a6254d24af1888)