Commit Graph

27 Commits

Author SHA1 Message Date
Brad Davidson
977a85559e Add support for cross-signing new certs during ca rotation
We need to send the full chain in order for cross-signing to work
properly during switchover to a new root.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-03-13 16:56:28 -07:00
Brad Davidson
58d40327b4 Fix CA cert hash for root certs
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-06 15:09:31 -08:00
Brad Davidson
0919ec6755 Ensure cluster-signing CA files contain only a single CA cert
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-06 15:09:31 -08:00
Derek Nola
06d81cb936
Replace deprecated ioutil package (#6230)
* Replace ioutil package
* check integration test null pointer
* Remove rotate retries

Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-10-07 17:36:57 -07:00
Brad Davidson
d963cb2f70 Disable cloud-node and cloud-node-lifecycle if CCM is disabled
If CCM and ServiceLB are both disabled, don't run the cloud-controller-manager at all;
this should provide the same CLI flag behavior as previous releases, and not create
problems when users disable the CCM but still want ServiceLB.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-09-30 08:17:20 -07:00
Brad Davidson
0b96ca92bc Move servicelb into cloudprovider LoadBalancer interface
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-09-30 08:17:20 -07:00
Brad Davidson
5eaa0a9422 Replace getLocalhostIP with Loopback helper method
Requires tweaking existing method signature to allow specifying whether or not IPv6 addresses should be return URL-safe.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-07-21 16:51:57 -07:00
Brad Davidson
ff6c233e41 Fix egress selector proxy/bind-address support
Use same kubelet-preferred-address-types setting as RKE2 to improve reliability of the egress selector when using a HTTP proxy. Also, use BindAddressOrLoopback to ensure that the correct supervisor address is used when --bind-address is set.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-07-01 00:07:35 -07:00
Brad Davidson
b550e1183a Remove control-plane egress context and fix agent mode.
The control-plane context handles requests outside the cluster and
should not be sent to the proxy.

In agent mode, we don't watch pods and just direct-dial any request for
a non-node address, which is the original behavior.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-06-10 10:14:15 -07:00
Brad Davidson
9d7230496d Add support for configuring the EgressSelector mode
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-05-18 13:26:10 -07:00
Brad Davidson
ce5b9347c9 Replace DefaultProxyDialerFn dialer injection with EgressSelector support
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-29 17:54:36 -07:00
Brad Davidson
b12cd62935 Move IPv4/v6 selection into helpers
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-15 01:02:42 -07:00
Brad Davidson
99851b0f84 Use core constants for cert user/group values
Also update cert gen to ensure leaf certs are regenerated if other key fields change.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-15 01:02:42 -07:00
Roberto Bonafiglia
e29771b9ff Fixed client URL
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-03-30 10:59:39 +02:00
Roberto Bonafiglia
dda409b041 Updated localhost address on IPv6 only setup
Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>
2022-03-29 09:35:54 +02:00
Luther Monson
9a849b1bb7
[master] changing package to k3s-io (#4846)
* changing package to k3s-io

Signed-off-by: Luther Monson <luther.monson@gmail.com>

Co-authored-by: Derek Nola <derek.nola@suse.com>
2022-03-02 15:47:27 -08:00
Brad Davidson
2989b8b2c5 Remove unnecessary copies of runtime struct
Several types contained redundant references to ControlRuntime data. Switch to consistently accessing this via config.Runtime instead.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-02-28 12:05:16 -08:00
Derek Nola
142eed1a9f
Create encryption hash file if it doesn't exist (#5140)
Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-02-25 08:43:03 -08:00
Derek Nola
bcb662926d
Secrets-encryption rotation (#4372)
* Regular CLI framework for encrypt commands
* New secrets-encryption feature
* New integration test
* fixes for flaky integration test CI
* Fix to bootstrap on restart of existing nodes
* Consolidate event recorder

Signed-off-by: Derek Nola <derek.nola@suse.com>
2021-12-07 14:31:32 -08:00
Brian Downs
ac7a8d89c6
Add ability to reconcile bootstrap data between datastore and disk (#3398) 2021-10-07 12:47:00 -07:00
Brad Davidson
cf12a13175 Add missing node name entry to apiserver SAN list
Also honor node-ip when adding the node address to the SAN list, instead
of hardcoding the autodetected IP address.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-09-01 13:22:32 -07:00
Brad Davidson
e95b75409a Fix lint failures
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-08-20 18:47:16 -07:00
Derek Nola
c833183517
Add unit tests for pkg/etcd (#3549)
* Created new etcd unit tests and testing support file

Signed-off-by: dereknola <derek.nola@suse.com>
2021-07-01 16:08:35 -07:00
Brad Davidson
f6cec4e75d Add kubernetes.default.svc to serving certs
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-06-08 12:55:20 -07:00
Derek Nola
664a98919b
Fix RBAC cloud-controller-manager name 3308 (#3388)
* Changed cloud-controller-manager user name in ccm.yaml

Signed-off-by: dereknola <derek.nola@suse.com>

* Changed RBAC name in server.go

Signed-off-by: dereknola <derek.nola@suse.com>

* Changed "k3s" string prefix to version.Program to prevent static hardcoding

Signed-off-by: dereknola <derek.nola@suse.com>

* Changed user in ccm.yaml to k3s-cloud-controller-manager

Signed-off-by: dereknola <derek.nola@suse.com>
2021-06-02 14:50:11 -07:00
Brad Davidson
3cb4ca4b35 Use same SANs on ServingKubeAPICert as dynamiclistener
The kube-apiserver cert should have the same SANs in the same order,
excluding the extra user-configured SANs since this will only be used
in-cluster.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-04-28 09:58:19 -07:00
Brian Downs
4d1f9eda9d
Etcd Snapshot/Restore to/from S3 Compatible Backends (#2902)
* Add functionality for etcd snapshot/restore to and from S3 compatible backends.
* Update etcd restore functionality to extract and write certificates and configs from snapshot.
2021-03-03 11:14:12 -07:00