Commit Graph

310 Commits

Author SHA1 Message Date
thomasferrandiz
b4bc57d049
Merge pull request #7303 from thomasferrandiz/netpol-log-level
ensure that klog verbosity is set to the same level as logrus
2023-05-10 15:01:06 +02:00
Derek Nola
d5f560360e
Handle multiple arguments with StringSlice flags (#7380)
* Add helper function for multiple arguments in stringslice

Signed-off-by: Derek Nola <derek.nola@suse.com>

* Cleanup server setup with util function

Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-05-02 09:55:48 -07:00
Brad Davidson
f1b6a3549c Fix stack log on panic
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-04-28 11:24:34 -07:00
Brad Davidson
c44d33d29b Fix race condition in tunnel server startup
Several places in the code used a 5-second retry loop to wait on
Runtime.Core to be set. This caused a race condition where OnChange
handlers could be added after the Wrangler shared informers were already
started. When this happened, the handlers were never called because the
shared informers they relied upon were not started.

Fix that by requiring anything that waits on Runtime.Core to run from a
cluster controller startup hook that is guaranteed to be called before
the shared informers are started, instead of just firing it off in a
goroutine that retries until it is set.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-04-28 11:24:34 -07:00
Thomas Ferrandiz
66fcca66cb ensure that klog verbosity is set to the same level as logrus
by repeatedly settting it every second during k3s startup

Signed-off-by: Thomas Ferrandiz <thomas.ferrandiz@suse.com>
2023-04-24 18:08:55 +00:00
Derek Nola
944f811dc5
v1.27.1 CLI Deprecation (#7311)
* Remove Flannel Wireguard
* Remove etcd-snapshot (implicit save)
* Convert ipsec and multiple backend to fatal

Signed-off-by: Derek Nola <derek.nola@suse.com>
2023-04-19 12:02:05 -07:00
Roberto Bonafiglia
15ee88964b Added multiClusterCidr feature
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2023-03-14 18:30:52 +01:00
Brad Davidson
977a85559e Add support for cross-signing new certs during ca rotation
We need to send the full chain in order for cross-signing to work
properly during switchover to a new root.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-03-13 16:56:28 -07:00
Brad Davidson
0c302f4341 Fix etcd member deletion
Turns out etcd-only nodes were never running **any** of the controllers,
so allowing multiple controllers didn't really fix things.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-14 09:39:41 -08:00
Brad Davidson
3d146d2f1b Allow for multiple sets of leader-elected controllers
Addresses an issue where etcd controllers did not run on etcd-only nodes

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-10 10:46:48 -08:00
Brad Davidson
c6d0afd0cb Check for existing resources before creating them
Prevents errors when starting with fail-closed webhooks

Also, use panic instead of Fatalf so that the CloudControllerManager rescue can handle the error

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-09 15:20:49 -08:00
Brad Davidson
992e64993d Add support for kubeadm token and client certificate auth
Allow bootstrapping with kubeadm bootstrap token strings or existing
Kubelet certs. This allows agents to join the cluster using kubeadm
bootstrap tokens, as created with the `k3s token create` command.

When the token expires or is deleted, agents can successfully restart by
authenticating with their kubelet certificate via node authentication.
If the token is gone and the node is deleted from the cluster, node auth
will fail and they will be prevented from rejoining the cluster until
provided with a valid token.

Servers still must be bootstrapped with the static cluster token, as
they will need to know it to decrypt the bootstrap data.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-07 14:55:04 -08:00
Brad Davidson
373df1c8b0 Add support for k3s token command
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-07 14:55:04 -08:00
Brad Davidson
58d40327b4 Fix CA cert hash for root certs
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-06 15:09:31 -08:00
Brad Davidson
0919ec6755 Ensure cluster-signing CA files contain only a single CA cert
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-06 15:09:31 -08:00
Brad Davidson
369b81b45e Honor Service ExternalTrafficPolicy
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-01-27 12:09:18 -08:00
Brad Davidson
f54b5e4fa0 Fix CI tests
* General cleanup of test-helpers functions to address CI failures
* Install awscli in test image
* Log containerd output to file even when running with --debug

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-01-13 17:22:25 -08:00
Hussein Galal
f8b661d590
Update to v1.26.0-k3s1 (#6370)
* Update to v1.26.0-alpha.2

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* go generate

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Default CURRENT_VERSION to VERSION_TAG for alpha versions

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* remove containerd package

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Update k8s to v1.26.0-rc.0-k3s1 cri-tools cri-dockerd and cadvisor

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* replace cri-api reference to the new api

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* go mod tidy

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Fix version script to allow rc and alphas

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Fix version script to allow rc and alphas

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Fix version script to allow rc and alphas

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Update to Kubernetes 1.26.0-rc.1

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

* Undo helm-controller pin

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

* Bump containerd to -k3s2 for stargz fix

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

* DevicePlugins featuregate is locked to on

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

* Bump kine for DeleteRange fix

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

* Update to v1.26.0-k3s1

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* go mod tidy

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Bring back snapshotter checks and update golang to 1.19.4

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix windows containerd snapshotter checks

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Co-authored-by: Brad Davidson <brad.davidson@rancher.com>
2022-12-10 01:42:15 +02:00
Brad Davidson
2835368ecb Bump k3s-root and remove embedded strongswan support
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-12-01 12:40:40 -08:00
Brad Davidson
e08a662509 Disable CCM metrics port when legacy CCM functionality is disabled
Prevents port conflicts on upgrade for users that have deployed other cloud controllers.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-11-30 15:08:31 -08:00
Manuel Buil
483e29e783 Remove stuff which belongs in the windows executor implementation
Signed-off-by: Manuel Buil <mbuil@suse.com>
2022-11-22 12:32:13 +01:00
Manuel Buil
e41e4010e5 Revert "Remove stuff which belongs in the windows executor implementation"
This reverts commit 1bc0684fb7.

Signed-off-by: Manuel Buil <mbuil@suse.com>
2022-11-15 21:40:42 +01:00
Manuel Buil
1bc0684fb7 Remove stuff which belongs in the windows executor implementation
Signed-off-by: Manuel Buil <mbuil@suse.com>
2022-11-14 15:52:04 +01:00
Derek Nola
13c633da12
Add Secrets Encryption to CriticalArgs (#6409)
* Add EncryptSecrets to Critical Control Args
* use deep comparison to extract differences

Signed-off-by: Derek Nola <derek.nola@suse.com>

Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-11-04 10:35:29 -07:00
Manuel Buil
557fcd28d5 Change the priority of address types depending on flannel-external-ip
Signed-off-by: Manuel Buil <mbuil@suse.com>
2022-11-04 09:02:39 +01:00
Brad Davidson
269563e4d2 Check for RBAC before starting tunnel controllers
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-10-26 15:08:13 -07:00
Brad Davidson
f2585c1671 Add --flannel-external-ip flag
Using the node external IP address for all CNI traffic is a breaking change from previous versions; we should make it an opt-in for distributed clusters instead of default behavior.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-10-24 10:10:49 -07:00
Derek Nola
06d81cb936
Replace deprecated ioutil package (#6230)
* Replace ioutil package
* check integration test null pointer
* Remove rotate retries

Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-10-07 17:36:57 -07:00
Brad Davidson
b411864be5 Handle custom kubelet port in agent tunnel
The kubelet port can be overridden by users; we shouldn't assume its always 10250

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-10-05 21:10:38 -07:00
Brad Davidson
11072e2516 Fix occasional "TLS handshake error" in apiserver network proxy.
We should be reading from the hijacked bufio.ReaderWriter instead of
directly from the net.Conn. There is a race condition where the
underlying http handler may consume bytes from the hijacked request
stream, if it comes in the same packet as the CONNECT header. These
bytes are left in the buffered reader, which we were not using. This was
causing us to occasionally drop a few bytes from the start of the
tunneled connection's client data stream.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-10-05 21:10:38 -07:00
Brad Davidson
d963cb2f70 Disable cloud-node and cloud-node-lifecycle if CCM is disabled
If CCM and ServiceLB are both disabled, don't run the cloud-controller-manager at all;
this should provide the same CLI flag behavior as previous releases, and not create
problems when users disable the CCM but still want ServiceLB.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-09-30 08:17:20 -07:00
Brad Davidson
0b96ca92bc Move servicelb into cloudprovider LoadBalancer interface
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-09-30 08:17:20 -07:00
Brad Davidson
a15e7e8b68 Move DisableServiceLB/Rootless/ServiceLBNamespace into config.Control
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-09-30 08:17:20 -07:00
Brad Davidson
7d6982d1fa Export agent.NetworkName for Windows
Was made private in 4aca21a1f1 as there was no comment as to why it was exported.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-08-23 15:10:57 -07:00
Brad Davidson
3e394f8ec5 The Windows kubelet does not accept cadvisor flags
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-08-23 15:10:57 -07:00
Brad Davidson
4aca21a1f1 Add cri-dockerd support as backend for --docker flag
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-08-05 02:39:25 -07:00
Brad Davidson
b1fa63dfb7 Revert "Remove --docker/dockershim support"
This reverts commit 4a3d283bc1.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-08-05 02:39:25 -07:00
Brad Davidson
cf66559940 Print stack on panic
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-08-05 02:39:25 -07:00
Brad Davidson
5eaa0a9422 Replace getLocalhostIP with Loopback helper method
Requires tweaking existing method signature to allow specifying whether or not IPv6 addresses should be return URL-safe.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-07-21 16:51:57 -07:00
Brad Davidson
84fb8787f2 Add service-cluster-ip-range to controller-manager args
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-07-21 16:51:57 -07:00
Brad Davidson
d2089872bb Fix issue with containerd stats missing from cadvisor metrics
cadvisor still doesn't pull stats via CRI yet, so we have to continue to use the deprecated arg.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-07-08 11:03:02 -07:00
Brad Davidson
afee83dda2 Bump remotedialer
Includes fix for recently identified memory leak.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-07-07 12:22:37 -07:00
Brad Davidson
ff6c233e41 Fix egress selector proxy/bind-address support
Use same kubelet-preferred-address-types setting as RKE2 to improve reliability of the egress selector when using a HTTP proxy. Also, use BindAddressOrLoopback to ensure that the correct supervisor address is used when --bind-address is set.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-07-01 00:07:35 -07:00
Derek Nola
a9b5a1933f
Delay service readiness until after startuphooks have finished (#5649)
* Move startup hooks wg into a runtime pointer, check before notifying systemd
* Switch default systemd notification to server
* Add 1 sec delay to allow etcd to write to disk
Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-06-15 09:00:52 -07:00
Manuel Buil
d4522de06a
Merge pull request #5656 from manuelbuil/AddFlannelCniConfFile
Add FlannelCNIConf flag
2022-06-14 10:23:51 +02:00
Igor
2999289e68
add support for pprof server (#5527)
Signed-off-by: igor <igor@igor.io>
2022-06-13 22:06:55 -07:00
Brad Davidson
b550e1183a Remove control-plane egress context and fix agent mode.
The control-plane context handles requests outside the cluster and
should not be sent to the proxy.

In agent mode, we don't watch pods and just direct-dial any request for
a non-node address, which is the original behavior.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-06-10 10:14:15 -07:00
Brad Davidson
d3242bea3c Refactor egress-selector pods mode to watch pods
Watching pods appears to be the most reliable way to ensure that the
proxy routes and authorizes connections.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-06-08 09:34:53 -07:00
Manuel Buil
c705d34804 Add FlannelConfCNI flag
Signed-off-by: Manuel Buil <mbuil@suse.com>
2022-06-08 11:03:17 +02:00
Brad Davidson
491aa11e10 Revert "Give kubelet the node-ip value (#5579)"
This reverts commit aa9065749c.

Setting dual-stack node-ip does not work when --cloud-provider is set
to anything, including 'external'. Just set node-ip to the first IP, and
let the cloud provider add the other address.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-06-02 17:36:55 -07:00