Merge branch 'master' into joakimr-axis_markdown

2024-06-07 19:41:36 +00:00 · 2020-03-13 10:28:38 +01:00 · 2020-03-13 10:28:38 +01:00 · 9a3ba3383a
commit 9a3ba3383a
parent f50773df4d 65f7fbe5c3
24 changed files with 388 additions and 140 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -1,12 +1,7 @@
 ./bin
 ./etc
-./build/data
-./build/data.tar.gz
 ./pkg/data/zz_generated_bindata.go
-./package/data.tar.gz
 ./.vagrant
 ./.cache
 ./.dapper
-./data-dir
-./dist
 ./.trash-cache
--- a/.drone.yml
+++ b/.drone.yml
@ -59,6 +59,31 @@ steps:
    event:
    - tag

+- name: rpm-publish
+  image: centos:7
+  environment:
+    PRIVATE_KEY:
+      from_secret: private_key
+    PRIVATE_KEY_PASS_PHRASE:
+      from_secret: private_key_pass_phrase
+    AWS_S3_BUCKET:
+      from_secret: aws_s3_bucket
+    AWS_ACCESS_KEY_ID:
+      from_secret: aws_access_key_id
+    AWS_SECRET_ACCESS_KEY:
+      from_secret: aws_secret_access_key
+  commands:
+  - scripts/provision/generic/centos7/yum-install-rpm-tools
+  - scripts/package-rpm
+  when:
+    instance:
+    - drone-publish.rancher.io
+    ref:
+    - refs/head/master
+    - refs/tags/*
+    event:
+    - tag
+
 - name: test
  image: rancher/dapper:v0.4.2
  secrets: [ gcloud_auth ]
@ -154,6 +179,31 @@ steps:
    event:
    - tag

+- name: rpm-publish
+  image: centos:7
+  environment:
+    PRIVATE_KEY:
+      from_secret: private_key
+    PRIVATE_KEY_PASS_PHRASE:
+      from_secret: private_key_pass_phrase
+    AWS_S3_BUCKET:
+      from_secret: aws_s3_bucket
+    AWS_ACCESS_KEY_ID:
+      from_secret: aws_access_key_id
+    AWS_SECRET_ACCESS_KEY:
+      from_secret: aws_secret_access_key
+  commands:
+  - scripts/provision/generic/centos7/yum-install-rpm-tools
+  - scripts/package-rpm
+  when:
+    instance:
+    - drone-publish.rancher.io
+    ref:
+    - refs/head/master
+    - refs/tags/*
+    event:
+    - tag
+
 - name: test
  image: rancher/dapper:v0.4.2
  secrets: [ gcloud_auth ]
@ -323,6 +373,6 @@ volumes:
  - name: docker
    host:
      path: /var/run/docker.sock
-      
+
 depends_on:
 - manifest
--- a/.gitignore
+++ b/.gitignore
@ -28,3 +28,4 @@ __pycache__
 /tests/.tox/
 /tests/.vscode
 /sonobuoy-output
+*.tmp
--- a/install.sh
+++ b/install.sh
@ -26,6 +26,9 @@ set -e
 #     If set to 'skip' will not create symlinks, 'force' will overwrite,
 #     default will symlink if command does not exist in path.
 #
+#   - INSTALL_K3S_SKIP_ENABLE
+#     If set to true will not enable or start k3s service.
+#
 #   - INSTALL_K3S_SKIP_START
 #     If set to true will not start k3s service.
 #
@ -166,11 +169,6 @@ setup_env() {
            ${invalid_chars}"
    fi

-    # --- set related files from system name ---
-    SERVICE_K3S=${SYSTEM_NAME}.service
-    UNINSTALL_K3S_SH=${SYSTEM_NAME}-uninstall.sh
-    KILLALL_K3S_SH=k3s-killall.sh
-
    # --- use sudo if we are not already root ---
    SUDO=sudo
    if [ $(id -u) -eq 0 ]; then
@ -202,6 +200,11 @@ setup_env() {
        SYSTEMD_DIR=/etc/systemd/system
    fi

+    # --- set related files from system name ---
+    SERVICE_K3S=${SYSTEM_NAME}.service
+    UNINSTALL_K3S_SH=${UNINSTALL_K3S_SH:-${BIN_DIR}/${SYSTEM_NAME}-uninstall.sh}
+    KILLALL_K3S_SH=${KILLALL_K3S_SH:-${BIN_DIR}/k3s-killall.sh}
+
    # --- use service or environment location depending on systemd/openrc ---
    if [ "${HAS_SYSTEMD}" = true ]; then
        FILE_K3S_SERVICE=${SYSTEMD_DIR}/${SERVICE_K3S}
@ -396,7 +399,7 @@ setup_binary() {
    $SUDO chown root:root ${TMP_BIN}
    $SUDO mv -f ${TMP_BIN} ${BIN_DIR}/k3s

-    if command -v getenforce > /dev/null 2>&1; then
+    if command -v getenforce >/dev/null 2>&1; then
        if [ "Disabled" != $(getenforce) ]; then
 	    info 'SELinux is enabled, setting permissions'
 	    if ! $SUDO semanage fcontext -l | grep "${BIN_DIR}/k3s" > /dev/null 2>&1; then
@ -439,7 +442,7 @@ create_symlinks() {

    for cmd in kubectl crictl ctr; do
        if [ ! -e ${BIN_DIR}/${cmd} ] || [ "${INSTALL_K3S_SYMLINK}" = force ]; then
-            which_cmd=$(which ${cmd} || true)
+            which_cmd=$(which ${cmd} 2>/dev/null || true)
            if [ -z "${which_cmd}" ] || [ "${INSTALL_K3S_SYMLINK}" = force ]; then
                info "Creating ${BIN_DIR}/${cmd} symlink to k3s"
                $SUDO ln -sf k3s ${BIN_DIR}/${cmd}
@ -455,13 +458,13 @@ create_symlinks() {
 # --- create killall script ---
 create_killall() {
    [ "${INSTALL_K3S_BIN_DIR_READ_ONLY}" = true ] && return
-    info "Creating killall script ${BIN_DIR}/${KILLALL_K3S_SH}"
-    $SUDO tee ${BIN_DIR}/${KILLALL_K3S_SH} >/dev/null << \EOF
+    info "Creating killall script ${KILLALL_K3S_SH}"
+    $SUDO tee ${KILLALL_K3S_SH} >/dev/null << \EOF
 #!/bin/sh
 [ $(id -u) -eq 0 ] || exec sudo $0 $@

 for bin in /var/lib/rancher/k3s/data/**/bin/; do
-    [ -d $bin ] && export PATH=$bin:$PATH
+    [ -d $bin ] && export PATH=$PATH:$bin:$bin/aux
 done

 set -x
@ -499,7 +502,7 @@ killtree() {
 }

 getshims() {
-    lsof | sed -e 's/^[^0-9]*//g; s/  */\t/g' | grep -w 'k3s/data/[^/]*/bin/containerd-shim' | cut -f1 | sort -n -u
+    ps -e -o pid= -o args= | sed -e 's/^ *//; s/\s\s*/\t/;' | grep -w 'k3s/data/[^/]*/bin/containerd-shim' | cut -f1
 }

 killtree $({ set +x; } 2>/dev/null; getshims; set -x)
@ -534,20 +537,20 @@ ip link delete flannel.1
 rm -rf /var/lib/cni/
 iptables-save | grep -v KUBE- | grep -v CNI- | iptables-restore
 EOF
-    $SUDO chmod 755 ${BIN_DIR}/${KILLALL_K3S_SH}
-    $SUDO chown root:root ${BIN_DIR}/${KILLALL_K3S_SH}
+    $SUDO chmod 755 ${KILLALL_K3S_SH}
+    $SUDO chown root:root ${KILLALL_K3S_SH}
 }

 # --- create uninstall script ---
 create_uninstall() {
    [ "${INSTALL_K3S_BIN_DIR_READ_ONLY}" = true ] && return
-    info "Creating uninstall script ${BIN_DIR}/${UNINSTALL_K3S_SH}"
-    $SUDO tee ${BIN_DIR}/${UNINSTALL_K3S_SH} >/dev/null << EOF
+    info "Creating uninstall script ${UNINSTALL_K3S_SH}"
+    $SUDO tee ${UNINSTALL_K3S_SH} >/dev/null << EOF
 #!/bin/sh
 set -x
 [ \$(id -u) -eq 0 ] || exec sudo \$0 \$@

-${BIN_DIR}/${KILLALL_K3S_SH}
+${KILLALL_K3S_SH}

 if which systemctl; then
    systemctl disable ${SYSTEM_NAME}
@ -562,7 +565,7 @@ rm -f ${FILE_K3S_SERVICE}
 rm -f ${FILE_K3S_ENV}

 remove_uninstall() {
-    rm -f ${BIN_DIR}/${UNINSTALL_K3S_SH}
+    rm -f ${UNINSTALL_K3S_SH}
 }
 trap remove_uninstall EXIT

@ -581,10 +584,10 @@ rm -rf /etc/rancher/k3s
 rm -rf /var/lib/rancher/k3s
 rm -rf /var/lib/kubelet
 rm -f ${BIN_DIR}/k3s
-rm -f ${BIN_DIR}/${KILLALL_K3S_SH}
+rm -f ${KILLALL_K3S_SH}
 EOF
-    $SUDO chmod 755 ${BIN_DIR}/${UNINSTALL_K3S_SH}
-    $SUDO chown root:root ${BIN_DIR}/${UNINSTALL_K3S_SH}
+    $SUDO chmod 755 ${UNINSTALL_K3S_SH}
+    $SUDO chown root:root ${UNINSTALL_K3S_SH}
 }

 # --- disable current service if loaded --
@ -718,6 +721,8 @@ openrc_start() {

 # --- startup systemd or openrc service ---
 service_enable_and_start() {
+    [ "${INSTALL_K3S_SKIP_ENABLE}" = true ] && return
+
    [ "${HAS_SYSTEMD}" = true ] && systemd_enable
    [ "${HAS_OPENRC}" = true ] && openrc_enable

--- a/manifests/nginx.yaml
+++ b/manifests/nginx.yaml
@ -1,14 +0,0 @@
-apiVersion: helm.cattle.io/v1
-kind: HelmChart
-metadata:
-  name: nginx-ingress
-  namespace: kube-system
-spec:
-  chart: https://%{KUBERNETES_API}%/static/charts/nginx-ingress-1.33.0.tgz
-  set:
-    rbac.create: "true"
-    controller.service.enableHttps: "true"
-    controller.metrics.enabled: "true"
-    controller.publishService.enabled: "true"
-    controller.image.repository: "k3sio/nginx-ingress-controller"
-
--- a/manifests/traefik.yaml
+++ b/manifests/traefik.yaml
@ -0,0 +1,12 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+  name: traefik
+  namespace: kube-system
+spec:
+  chart: https://%{KUBERNETES_API}%/static/charts/traefik-1.81.0.tgz
+  set:
+    rbac.enabled: "true"
+    ssl.enabled: "true"
+    metrics.prometheus.enabled: "true"
+    kubernetes.ingressEndpoint.useDefaultPublishedService: "true"
--- a/package/k3s.spec
+++ b/package/k3s.spec
@ -0,0 +1,57 @@
+# vim: sw=4:ts=4:et
+
+%define install_path  /usr/bin
+%define util_path     %{_datadir}/k3s
+%define install_sh    %{util_path}/.install.sh
+%define uninstall_sh  %{util_path}/.uninstall.sh
+
+Name:    k3s
+Version: %{k3s_version}
+Release: %{k3s_release}%{?dist}
+Summary: Lightweight Kubernetes
+
+Group:   System Environment/Base		
+License: ASL 2.0
+URL:     http://k3s.io
+
+BuildRequires: systemd
+Requires(post): k3s-selinux >= %{k3s_policyver}
+
+%description
+The certified Kubernetes distribution built for IoT & Edge computing.
+
+%install
+install -d %{buildroot}%{install_path}
+install dist/artifacts/%{k3s_binary} %{buildroot}%{install_path}/k3s
+install -d %{buildroot}%{util_path}
+install install.sh %{buildroot}%{install_sh}
+
+%post
+# do not run install script on upgrade
+echo post-install args: $@
+if [ $1 == 1 ]; then
+    INSTALL_K3S_BIN_DIR=%{install_path} \
+    INSTALL_K3S_SKIP_DOWNLOAD=true \
+    INSTALL_K3S_SKIP_ENABLE=true \
+    UNINSTALL_K3S_SH=%{uninstall_sh} \
+        %{install_sh}
+fi
+%systemd_post k3s.service
+exit 0
+
+%postun
+echo post-uninstall args: $@
+# do not run uninstall script on upgrade
+if [ $1 == 0 ]; then
+    %{uninstall_sh}
+    rm -rf %{util_path}
+fi
+exit 0
+
+%files
+%{install_path}/k3s
+%{install_sh}
+
+%changelog
+* Mon Mar 2 2020 Erik Wilson <erik@rancher.com> 0.1-1
+- Initial version
--- a/pkg/cli/cmds/server.go
+++ b/pkg/cli/cmds/server.go
@ -194,7 +194,7 @@ func NewServerCommand(action func(*cli.Context) error) cli.Command {
 			},
 			cli.StringSliceFlag{
 				Name:  "disable",
-				Usage: "(components) Do not deploy packaged components and delete any deployed components (valid items: coredns, servicelb, nginx, local-storage, metrics-server)",
+				Usage: "(components) Do not deploy packaged components and delete any deployed components (valid items: coredns, servicelb, traefik, local-storage, metrics-server)",
 			},
 			cli.BoolFlag{
 				Name:        "disable-scheduler",
--- a/pkg/deploy/controller.go
+++ b/pkg/deploy/controller.go
@ -115,9 +115,6 @@ func (w *watcher) listFilesIn(base string, force bool) error {

 	var errs []error
 	for _, path := range keys {
-		if w.skipNginx(path) {
-			continue
-		}
 		if shouldDisableService(base, path, w.disables) {
 			if err := w.delete(path); err != nil {
 				errs = append(errs, errors2.Wrapf(err, "failed to delete %s", path))
@ -340,14 +337,3 @@ func shouldDisableService(base, fileName string, disables map[string]bool) bool
 	}
 	return false
 }
-
-func (w *watcher) skipNginx(path string) bool {
-	name := name(path)
-	if name == "nginx" {
-		addon, err := w.addonCache.Get(ns, "traefik")
-		if err == nil && addon != nil {
-			return true
-		}
-	}
-	return false
-}
--- a/pkg/deploy/zz_generated_bindata.go
+++ b/pkg/deploy/zz_generated_bindata.go
@ -10,8 +10,8 @@
 // manifests/metrics-server/metrics-server-deployment.yaml
 // manifests/metrics-server/metrics-server-service.yaml
 // manifests/metrics-server/resource-reader.yaml
-// manifests/nginx.yaml
 // manifests/rolebindings.yaml
+// manifests/traefik.yaml
 package deploy

 import (
@ -288,26 +288,6 @@ func metricsServerResourceReaderYaml() (*asset, error) {
 	return a, nil
 }

-var _nginxYaml = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x74\x8f\x4f\x4b\x03\x41\x0c\x47\xef\xf3\x29\xc2\x42\x8f\x9d\xb5\xf4\x36\x37\x95\x42\x45\x10\xb1\xea\x55\xb2\xd3\xb0\x1b\x3a\x7f\x96\x24\x2d\x56\xf1\xbb\x4b\x4b\x41\x2a\xec\xf5\xc7\x7b\x2f\x04\x47\x7e\x27\x51\xae\x25\xc0\x40\x29\xfb\x88\x66\x89\x3c\xd7\xf6\xb0\x70\x3b\x2e\xdb\x00\x6b\x4a\xf9\x7e\x40\x31\x97\xc9\x70\x8b\x86\xc1\x01\x14\xcc\x14\xa0\xf4\x5c\x3e\xe7\x5c\x7a\x21\xd5\xcb\xaa\x23\x46\x0a\xb0\xdb\x77\x34\xd7\xa3\x1a\x65\xa7\x23\xc5\x93\x14\x4f\x99\x00\x83\xd9\xa8\xa1\x6d\x67\xdf\x8f\x6f\x77\xab\x97\xa7\xd5\xeb\x6a\xf3\x71\xfb\xfc\xf0\x33\x6b\xd5\xd0\x38\xb6\x67\x50\xdb\xab\xfc\x7c\xe1\x97\x4b\x7f\xe3\xad\xff\x72\x00\x4a\x76\x2a\x02\x48\x87\xd1\x47\x21\x34\x0a\xd0\x98\xec\xa9\x39\xef\xb1\x16\x93\x9a\x12\x89\x57\x92\x03\x47\xf2\x54\xb0\x4b\xb4\x3e\x5f\x9f\x40\x33\x99\x70\xd4\x0b\xba\x9d\xc2\xc6\x7d\x97\x58\x87\xcd\x55\x78\x92\xe6\x8c\x3d\x79\xa1\xb1\x2a\x5b\x95\x63\x80\x66\xb7\x54\xae\xff\xfe\xfb\x33\x1a\xe7\x7e\x03\x00\x00\xff\xff\xa9\xbf\x32\x74\x9a\x01\x00\x00")
-
-func nginxYamlBytes() ([]byte, error) {
-	return bindataRead(
-		_nginxYaml,
-		"nginx.yaml",
-	)
-}
-
-func nginxYaml() (*asset, error) {
-	bytes, err := nginxYamlBytes()
-	if err != nil {
-		return nil, err
-	}
-
-	info := bindataFileInfo{name: "nginx.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)}
-	a := &asset{bytes: bytes, info: info}
-	return a, nil
-}
-
 var _rolebindingsYaml = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\xac\x92\x31\x6f\xe3\x30\x0c\x85\x77\xfd\x0a\x21\xbb\x72\x38\xdc\x72\xf0\xd8\x0e\xdd\x03\xb4\x3b\x6d\xb3\x09\x6b\x59\x14\x48\x2a\x41\xfb\xeb\x0b\xa7\x6e\x82\xa4\x76\x90\xb4\xdd\x24\x41\x7c\x1f\x1f\xf9\x20\xd3\x13\x8a\x12\xa7\xca\x4b\x0d\xcd\x12\x8a\x6d\x58\xe8\x0d\x8c\x38\x2d\xbb\xff\xba\x24\xfe\xb3\xfd\xeb\x3a\x4a\x6d\xe5\xef\x63\x51\x43\x59\x71\xc4\x3b\x4a\x2d\xa5\xb5\xeb\xd1\xa0\x05\x83\xca\x79\x9f\xa0\xc7\xca\x77\xa5\xc6\x00\x99\x14\x65\x8b\x12\x86\x6b\x44\x0b\xd0\xf6\x94\x9c\x70\xc4\x15\x3e\x0f\xbf\x21\xd3\x83\x70\xc9\x17\xc8\xce\xfb\x2f\xe0\x03\x47\x5f\xd5\xb0\xaf\x0e\xfa\x99\x46\x86\x96\xfa\x05\x1b\xd3\xca\x85\x9b\x20\x8f\x8a\x32\xe3\xc2\xb9\x10\x82\xfb\xfe\xb4\x26\xc6\xf4\xd9\xfe\x3f\x0d\x0d\x27\x13\x8e\x11\xc5\x49\x89\x78\xd2\xb8\x0e\x15\xc1\x2f\x16\xce\x7b\x41\xe5\x22\x0d\x8e\x6f\x89\x5b\x54\xe7\xfd\x16\xa5\x1e\x9f\xd6\x68\x57\xd6\x42\x8f\x9a\xa1\x39\x17\x88\xa4\xb6\x3f\xec\xc0\x9a\xcd\x84\x56\x42\xdb\xb1\x74\x94\xd6\xa3\xdf\x29\xf1\x8f\x3f\x99\x23\x35\x74\x33\x61\x42\x10\x53\x9b\x99\x92\xe9\xfe\x96\xb9\x9d\xd3\x1c\xfc\x1f\xb5\x7f\xb8\xb4\xf9\x88\xcf\xec\xee\xf7\xb3\x7d\x0a\x38\x06\x7b\xf0\x78\x1d\xe3\x2c\xdc\x97\x01\xef\x01\x00\x00\xff\xff\x46\xd3\x6d\x9d\x0f\x04\x00\x00")

 func rolebindingsYamlBytes() ([]byte, error) {
@ -328,6 +308,26 @@ func rolebindingsYaml() (*asset, error) {
 	return a, nil
 }

+var _traefikYaml = []byte("\x1f\x8b\x08\x00\x00\x00\x00\x00\x00\xff\x6c\x8f\xcd\x6a\xc3\x30\x10\x84\xef\x7e\x8a\x25\x90\x63\xe4\xe6\x56\x74\xeb\x8f\xa1\xa5\x50\x42\xd3\xf6\x5a\xd6\xf2\x24\x16\x91\x64\xa1\x5d\x05\xda\xd2\x77\x2f\x0e\x3e\xe6\xb8\x3b\x1f\x1f\x33\x9c\xfd\x27\x8a\xf8\x29\x59\x1a\x11\xa2\x71\xac\x1a\x60\xfc\xd4\x9e\xb7\xcd\xc9\xa7\xc1\xd2\x13\x42\x7c\x18\xb9\x68\x13\xa1\x3c\xb0\xb2\x6d\x88\x12\x47\x58\xd2\xc2\x38\xf8\xd3\x72\x4b\x66\x07\x4b\xa7\xda\x63\x23\xdf\xa2\x88\x8d\x64\xb8\x19\x77\xb3\xc0\xd2\xa8\x9a\xc5\xb6\xed\xfa\xf7\xe5\xe3\xbe\x7b\x7b\xed\xde\xbb\xfd\xd7\xdd\xee\xf9\x6f\xdd\x8a\xb2\x7a\xd7\x5e\x40\x69\x17\xf1\x66\x6b\x6e\xb7\xe6\xc6\xe8\xf1\xa7\x21\x12\xe8\xec\x22\x2a\x3d\x3b\x83\xc4\x7d\xc0\x60\x69\xa5\xa5\x62\x75\x09\x44\xc2\xd5\x7f\x84\x16\xef\xc4\xe4\x32\x45\xe8\x88\x2a\x57\xb1\xb9\x79\x49\x50\x88\xf1\xe9\x58\x20\xd2\xa5\x21\x4f\x3e\xa9\xa9\x82\x47\x1c\xb8\x06\xdd\xd5\x3e\x78\x19\x31\xec\x51\xce\x7e\x1e\xbc\x18\xfe\x03\x00\x00\xff\xff\xb5\x07\xd7\x40\x4d\x01\x00\x00")
+
+func traefikYamlBytes() ([]byte, error) {
+	return bindataRead(
+		_traefikYaml,
+		"traefik.yaml",
+	)
+}
+
+func traefikYaml() (*asset, error) {
+	bytes, err := traefikYamlBytes()
+	if err != nil {
+		return nil, err
+	}
+
+	info := bindataFileInfo{name: "traefik.yaml", size: 0, mode: os.FileMode(0), modTime: time.Unix(0, 0)}
+	a := &asset{bytes: bytes, info: info}
+	return a, nil
+}
+
 // Asset loads and returns the asset for the given name.
 // It returns an error if the asset could not be found or
 // could not be loaded.
@ -390,8 +390,8 @@ var _bindata = map[string]func() (*asset, error){
 	"metrics-server/metrics-server-deployment.yaml": metricsServerMetricsServerDeploymentYaml,
 	"metrics-server/metrics-server-service.yaml":    metricsServerMetricsServerServiceYaml,
 	"metrics-server/resource-reader.yaml":           metricsServerResourceReaderYaml,
-	"nginx.yaml":                                    nginxYaml,
 	"rolebindings.yaml":                             rolebindingsYaml,
+	"traefik.yaml":                                  traefikYaml,
 }

 // AssetDir returns the file names below a certain
@ -447,8 +447,8 @@ var _bintree = &bintree{nil, map[string]*bintree{
 		"metrics-server-service.yaml":    &bintree{metricsServerMetricsServerServiceYaml, map[string]*bintree{}},
 		"resource-reader.yaml":           &bintree{metricsServerResourceReaderYaml, map[string]*bintree{}},
 	}},
-	"nginx.yaml":        &bintree{nginxYaml, map[string]*bintree{}},
 	"rolebindings.yaml": &bintree{rolebindingsYaml, map[string]*bintree{}},
+	"traefik.yaml":      &bintree{traefikYaml, map[string]*bintree{}},
 }}

 // RestoreAsset restores an asset under the given directory
--- a/pkg/nodeconfig/nodeconfig.go
+++ b/pkg/nodeconfig/nodeconfig.go
@ -16,6 +16,7 @@ const (
 	NodeArgsAnnotation       = "k3s.io/node-args"
 	NodeEnvAnnotation        = "k3s.io/node-env"
 	NodeConfigHashAnnotation = "k3s.io/node-config-hash"
+	OmittedValue             = "********"
 )

 func getNodeArgs() (string, error) {
@ -31,7 +32,7 @@ func getNodeArgs() (string, error) {
 	for i, arg := range nodeArgsList {
 		if isSecret(arg) {
 			if i+1 < len(nodeArgsList) {
-				nodeArgsList[i+1] = ""
+				nodeArgsList[i+1] = OmittedValue
 			}
 		}
 	}
@ -52,7 +53,7 @@ func getNodeEnv() (string, error) {
 	}
 	for key := range k3sEnv {
 		if isSecret(key) {
-			k3sEnv[key] = ""
+			k3sEnv[key] = OmittedValue
 		}
 	}
 	k3sEnvJSON, err := json.Marshal(k3sEnv)
--- a/pkg/server/server.go
+++ b/pkg/server/server.go
@ -33,9 +33,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/net"
 )

-const (
-	MasterRoleLabelKey = "node-role.kubernetes.io/master"
-)
+const MasterRoleLabelKey = "node-role.kubernetes.io/master"

 func resolveDataDir(dataDir string) (string, error) {
 	dataDir, err := datadir.Resolve(dataDir)
--- a/pkg/static/zz_generated_bindata.go
+++ b/pkg/static/zz_generated_bindata.go
--- a/scripts/airgap/image-list.txt
+++ b/scripts/airgap/image-list.txt
@ -1,7 +1,7 @@
 docker.io/coredns/coredns:1.6.3
+docker.io/library/traefik:1.7.19
 docker.io/rancher/klipper-helm:v0.2.3
 docker.io/rancher/klipper-lb:v0.1.2
 docker.io/rancher/local-path-provisioner:v0.0.11
 docker.io/rancher/metrics-server:v0.3.6
 docker.io/rancher/pause:3.1
-docker.io/k3sio/nginx-ingress-controller:0.30.0
--- a/scripts/download
+++ b/scripts/download
@ -5,7 +5,7 @@ cd $(dirname $0)/..
 . ./scripts/version.sh

 ROOT_VERSION=v0.3.0
-NGINX_VERSION=1.33.0
+TRAEFIK_VERSION=1.81.0
 CHARTS_DIR=build/static/charts

 mkdir -p ${CHARTS_DIR}
@ -17,7 +17,7 @@ for target in iptables iptables-save iptables-restore ip6tables ip6tables-save i
 done
 mkdir -p bin/aux && rm bin/mount && ln -sf ../busybox bin/aux/mount

-NGINX_FILE=nginx-ingress-${NGINX_VERSION}.tgz
-curl -sfL https://kubernetes-charts.storage.googleapis.com/${NGINX_FILE} -o ${CHARTS_DIR}/${NGINX_FILE}
+TRAEFIK_FILE=traefik-${TRAEFIK_VERSION}.tgz
+curl -sfL https://kubernetes-charts.storage.googleapis.com/${TRAEFIK_FILE} -o ${CHARTS_DIR}/${TRAEFIK_FILE}

 cp scripts/wg-add.sh bin/aux/
--- a/scripts/package-airgap
+++ b/scripts/package-airgap
@ -7,4 +7,4 @@ cd $(dirname $0)/..

 images=$(cat scripts/airgap/image-list.txt)
 xargs -n1 docker pull <<< "${images}"
-docker save ${images} -o dist/artifacts/k3s-airgap-images-${ARCH}.tar
+docker save ${images} -o dist/artifacts/k3s-airgap-images-${ARCH}.tar 
--- a/scripts/package-rpm
+++ b/scripts/package-rpm
@ -0,0 +1,78 @@
+#!/bin/bash
+set -e -x
+
+cd $(dirname $0)/..
+
+ARCH=${DRONE_STAGE_ARCH:-$(arch)}
+. ./scripts/version.sh
+
+if [[ ! "$VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(\-[^\+]*)?\+k3s.+$ ]]; then
+  echo "k3s version $VERSION does not match regex for rpm upload"
+  exit 0
+fi
+
+TMPDIR=$(mktemp -d)
+cleanup() {
+  exit_code=$?
+  trap - EXIT INT
+  rm -rf ${TMPDIR}
+  exit ${exit_code}
+}
+trap cleanup EXIT INT
+
+export HOME=${TMPDIR}
+
+BIN_SUFFIX=""
+if [ ${ARCH} = aarch64 ] || [ ${ARCH} = arm64 ]; then
+    BIN_SUFFIX="-arm64"
+elif [ ${ARCH} = armv7l ] || [ ${ARCH} = arm ]; then
+    BIN_SUFFIX="-armhf"
+fi
+
+# capture version of k3s
+k3s_version=$(sed -E -e 's/^v([^-+]*).*$/\1/' <<< $VERSION)
+# capture pre-release and metadata information of k3s
+k3s_release=$(sed -E -e 's/\+k3s/+/; s/\+/-/g; s/^[^-]*//; s/^--/dev-/; s/-+/./g; s/^\.+//; s/\.+$//;' <<< $VERSION)
+# k3s-selinux policy version needed for functionality
+k3s_policyver=0.1-1
+
+rpmbuild \
+  --define "k3s_version ${k3s_version}" \
+  --define "k3s_release ${k3s_release}" \
+  --define "k3s_policyver ${k3s_policyver}" \
+  --define "k3s_binary k3s${BIN_SUFFIX}" \
+  --define "_sourcedir ${PWD}" \
+  --define "_specdir ${PWD}" \
+  --define "_builddir ${PWD}" \
+  --define "_srcrpmdir ${PWD}" \
+  --define "_rpmdir ${PWD}/dist/rpm" \
+  --define "_buildrootdir ${PWD}/.rpm-build" \
+  -bb package/k3s.spec
+
+if ! grep "BEGIN PGP PRIVATE KEY BLOCK" <<<"$PRIVATE_KEY"; then
+  echo "PRIVATE_KEY not defined, skipping rpm sign and upload"
+  exit 0
+fi
+
+cat <<\EOF >~/.rpmmacros 
+%_signature gpg
+%_gpg_name ci@rancher.com
+EOF
+gpg --import - <<<"$PRIVATE_KEY"
+
+expect <<EOF
+set timeout 60
+spawn sh -c "rpmsign --addsign dist/rpm/**/k3s-*.rpm"
+expect "Enter pass phrase:"
+send -- "$PRIVATE_KEY_PASS_PHRASE\r"
+expect eof
+lassign [wait] _ _ _ code
+exit \$code
+EOF
+
+if [ -z "$AWS_S3_BUCKET" ]; then
+  echo "AWS_S3_BUCKET skipping rpm upload"
+  exit 0
+fi
+
+rpm-s3 --bucket $AWS_S3_BUCKET dist/rpm/**/k3s-*.rpm
--- a/scripts/provision/generic/centos7/gen-gpg-keys
+++ b/scripts/provision/generic/centos7/gen-gpg-keys
@ -0,0 +1,37 @@
+#!/bin/bash
+
+set -e -x
+
+TMPDIR=$(mktemp -d)
+cleanup() {
+  exit_code=$?
+  trap - EXIT INT
+  rm -rf ${TMPDIR}
+  exit ${exit_code}
+}
+trap cleanup EXIT INT
+
+export HOME=${TMPDIR}
+
+gpg --batch --gen-key - <<EOF
+%echo Generating a default key
+Key-Type: default
+Subkey-Type: default
+Name-Real: Rancher
+Name-Comment: CI
+Name-Email: ci@rancher.com
+Expire-Date: 0
+
+# Key-Length: 4096
+# Subkey-Length: 4096
+Passphrase: $PRIVATE_KEY_PASS_PHRASE
+# %no-protection
+# %no-ask-passphrase
+
+# Do a commit here, so that we can later print "done" :-)
+%commit
+%echo done
+EOF
+
+gpg --armor --export ci@rancher.com >public.key
+gpg --armor --export-secret-key ci@rancher.com >private.key
--- a/scripts/provision/generic/centos7/yum-install-rpm-tools
+++ b/scripts/provision/generic/centos7/yum-install-rpm-tools
@ -0,0 +1,7 @@
+#!/bin/bash
+
+set -e -x
+
+yum install -y git expect yum-utils rpm-build rpm-sign python-deltarpm epel-release
+yum install -y python2-pip
+pip install git+git://github.com/Voronenko/rpm-s3.git@5695c6ad9a08548141d3713328e1bd3f533d137e
--- a/scripts/provision/vagrant
+++ b/scripts/provision/vagrant
@ -42,9 +42,9 @@ rm -rf .cache/go-build || true

 # --- Set color prompt
 sed -i 's|:/bin/ash$|:/bin/bash|g' /etc/passwd
-cat <<EOF >/etc/profile.d/color.sh
+cat <<\EOF >/etc/profile.d/color.sh
 alias ls='ls --color=auto'
-export PS1='\033[31m[ \033[90m\D{%F %T}\033[31m ]\n\[\033[36m\]\u\[\033[m\]🐮\[\033[32m\]\h:\[\033[33;1m\]\w\[\033[m\]\$ '
+export PS1='\033[31m[ \033[90m\D{%F 🐮 %T}\033[31m ]\n\[\033[36m\]\u\[\033[m\]@\[\033[32m\]\h\[\033[35m\]:\[\033[33;1m\]\w\[\033[m\]\$ '
 EOF

 # --- Setup install script from docker run commands
@ -79,7 +79,6 @@ download_go() {
    curl -sL https://storage.googleapis.com/golang/go${goversion}.linux-${ARCH}.tar.gz | tar -xzf - -C /usr/local
 }

-
 # --- Utility function to download dqlite
 download_dqlite() {
    dqliteURL="https://github.com/$(grep dqlite-build Dockerfile.dapper | sed -e 's/^.*--from=\([^ ]*\).*$/\1/' -e 's|:|/releases/download/|')/dqlite-$ARCH.tgz"
@ -89,7 +88,7 @@ download_dqlite() {
    fi
    mkdir -p /usr/src/
    echo "Downloading DQLITE from $dqliteURL"
-    curl -sfL $dqliteURL -o /usr/src/dqlite.tgz
+    curl -sL $dqliteURL -o /usr/src/dqlite.tgz
 }

 # --- Run vagrant provision script if available
--- a/scripts/test
+++ b/scripts/test
@ -13,19 +13,18 @@ mkdir -p $artifacts

 # ---

+[ "$ARCH" = 'arm' ] && \
+  early-exit "Skipping sonobuoy, images not available for $ARCH."
+
 E2E_OUTPUT=$artifacts test-run-sonobuoy

 # ---

-if [ "$DRONE_BUILD_EVENT" = 'tag' ]; then
-  printf "\033[33mSkipping remaining tests on tag.\033[m\n"
-  exit 0
-fi
+[ "$DRONE_BUILD_EVENT" = 'tag' ] && \
+  early-exit 'Skipping remaining tests on tag.'

-if [ "$ARCH" != 'amd64' ]; then
-  printf "\033[33mSkipping remaining tests, images not available for $ARCH.\033[m\n"
-  exit 0
-fi
+[ "$ARCH" != 'amd64' ] && \
+  early-exit "Skipping remaining tests, images not available for $ARCH."

 # ---

--- a/scripts/test-helpers
+++ b/scripts/test-helpers
@ -437,6 +437,14 @@ export -f provision-cluster

 # ---

+early-exit() {
+    printf "\033[33m$1\033[m\n"
+    exit $2
+}
+export -f early-exit
+
+# ---
+
 run-test() {
    export PROVISION_LOCK=$(mktemp)
    ./scripts/test-runner $@ &
@ -454,27 +462,27 @@ export -f run-test
 # ---

 e2e-test() {
-  local label=$label
-  if [ -n "$LABEL_SUFFIX" ]; then
-    label="$label-$LABEL_SUFFIX"
-  fi
-  local logOutput=
-  if [ -n "$E2E_OUTPUT" ]; then
-    logOutput=$E2E_OUTPUT/$logName
-  fi
-  LABEL=$label LOG_OUTPUT=$logOutput run-test $@
+    local label=$label
+    if [ -n "$LABEL_SUFFIX" ]; then
+        label="$label-$LABEL_SUFFIX"
+    fi
+    local logOutput=
+    if [ -n "$E2E_OUTPUT" ]; then
+        logOutput=$E2E_OUTPUT/$logName
+    fi
+    LABEL=$label LOG_OUTPUT=$logOutput run-test $@
 }

 # ---

 run-e2e-tests() {
-  label=PARALLEL \
-      logName=e2e-STATUS-${ARCH}-parallel.log \
-      e2e-test ${sonobuoyParallelArgs[@]}
+    label=PARALLEL \
+        logName=e2e-STATUS-${ARCH}-parallel.log \
+        e2e-test ${sonobuoyParallelArgs[@]}

-  label=SERIAL \
-      logName=e2e-STATUS-${ARCH}-serial.log \
-      e2e-test ${sonobuoySerialArgs[@]}
+    label=SERIAL \
+        logName=e2e-STATUS-${ARCH}-serial.log \
+        e2e-test ${sonobuoySerialArgs[@]}
 }
 export -f run-e2e-tests

--- a/scripts/test-run-basics
+++ b/scripts/test-run-basics
@ -1,14 +1,38 @@
 #!/bin/bash

+all_services=(
+    coredns
+    local-path-provisioner
+    metrics-server
+    traefik
+)
+
 export NUM_SERVERS=1
 export NUM_AGENTS=1
-export SERVER_ARGS='--no-deploy=traefik,coredns,local-storage,metrics-server'
+export WAIT_SERVICES="${all_services[@]}"

 start-test() {
    docker exec $(cat $TEST_DIR/servers/1/metadata/name) check-config || true
    verify-valid-versions $(cat $TEST_DIR/servers/1/metadata/name)
+    verify-airgap-images $(cat $TEST_DIR/{servers,agents}/*/metadata/name)
 }
 export -f start-test

+# -- check for changes to the airgap image list
+verify-airgap-images() {
+    local airgap_image_list='scripts/airgap/image-list.txt'
+
+    for name in $@; do
+        docker exec $name crictl images -o json \
+            | jq -r '.images[].repoTags[0] | select(. != null)'
+    done | sort -u >$airgap_image_list.tmp
+
+    if ! diff $airgap_image_list{,.tmp}; then
+        echo '[ERROR] Failed airgap image check'
+        return 1
+    fi
+}
+export -f verify-airgap-images
+
 # --- create a basic cluster and check for valid versions
 LABEL=BASICS run-test
--- a/scripts/version.sh
+++ b/scripts/version.sh
@ -1,20 +1,25 @@
 #!/bin/bash

-TREE_STATE=clean
-if [ -n "$(git status --porcelain --untracked-files=no)" ]; then
-    DIRTY="-dirty"
-    TREE_STATE=dirty
-fi
-
-COMMIT=$(git log -n3 --pretty=format:"%H %ae" | grep -v ' drone@localhost$' | cut -f1 -d\  | head -1)
-if [ -z "${COMMIT}" ]; then
-  COMMIT=$(git rev-parse HEAD)
-fi
-
-GIT_TAG=${DRONE_TAG:-$(git tag -l --contains HEAD | head -n 1)}
-
-ARCH=$(go env GOARCH)
+ARCH=${ARCH:-$(go env GOARCH)}
 SUFFIX="-${ARCH}"
+GIT_TAG=$DRONE_TAG
+TREE_STATE=clean
+COMMIT=$DRONE_COMMIT
+
+if [ -d .git ]; then
+    if [ -z "$GIT_TAG" ]; then
+        GIT_TAG=$(git tag -l --contains HEAD | head -n 1)
+    fi
+    if [ -n "$(git status --porcelain --untracked-files=no)" ]; then
+        DIRTY="-dirty"
+        TREE_STATE=dirty
+    fi
+
+    COMMIT=$(git log -n3 --pretty=format:"%H %ae" | grep -v ' drone@localhost$' | cut -f1 -d\  | head -1)
+    if [ -z "${COMMIT}" ]; then
+    COMMIT=$(git rev-parse HEAD || true)
+    fi
+fi

 VERSION_CONTAINERD=$(grep github.com/containerd/containerd go.mod | head -n1 | awk '{print $4}')
 if [ -z "$VERSION_CONTAINERD" ]; then