Commit Graph

46 Commits

Author SHA1 Message Date
Brad Davidson
977a85559e Add support for cross-signing new certs during ca rotation
We need to send the full chain in order for cross-signing to work
properly during switchover to a new root.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-03-13 16:56:28 -07:00
Brad Davidson
87f9c4ab11 Ensure that node exists when using node auth
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-07 14:55:04 -08:00
Brad Davidson
373df1c8b0 Add support for k3s token command
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-07 14:55:04 -08:00
Brad Davidson
215fb157ff Add certificate rotate-ca to write updated CA certs to datastore
This command must be run on a server while the service is running. After this command completes, all the servers in the cluster should be restarted to load the new CA files.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-06 15:09:31 -08:00
Derek Nola
06d81cb936
Replace deprecated ioutil package (#6230)
* Replace ioutil package
* check integration test null pointer
* Remove rotate retries

Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-10-07 17:36:57 -07:00
Brad Davidson
a15e7e8b68 Move DisableServiceLB/Rootless/ServiceLBNamespace into config.Control
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-09-30 08:17:20 -07:00
Brad Davidson
ce5b9347c9 Replace DefaultProxyDialerFn dialer injection with EgressSelector support
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-29 17:54:36 -07:00
Brad Davidson
3d01ca1309 Make supervisor errors parsable by Kubernetes client libs
This gives nicer errors from Kubernetes components during startup, and
reduces LOC a bit by using the upstream responsewriters module instead
of writing the headers and body by hand.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-29 09:23:37 -07:00
Brad Davidson
5b2c14b123 Print a helpful error when trying to join additional servers but etcd is not in use
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-15 01:02:42 -07:00
Brad Davidson
99851b0f84 Use core constants for cert user/group values
Also update cert gen to ensure leaf certs are regenerated if other key fields change.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-15 01:02:42 -07:00
Brad Davidson
49544e0d49 Allow agents to query non-apiserver supervisors for apiserver endpoints
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-06 13:03:14 -07:00
Brad Davidson
38706eeec0 Defer ensuring node passwords on etcd-only nodes during initial cluster bootstrap
This allows secondary etcd nodes to bootstrap the kubelet before an
apiserver joins the cluster. Rancher waits for all the etcd nodes to
come up before adding the control-plane nodes, so this needs to be
handled properly.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-18 10:58:37 -07:00
Luther Monson
9a849b1bb7
[master] changing package to k3s-io (#4846)
* changing package to k3s-io

Signed-off-by: Luther Monson <luther.monson@gmail.com>

Co-authored-by: Derek Nola <derek.nola@suse.com>
2022-03-02 15:47:27 -08:00
Brad Davidson
5014c9e0e8 Fix adding etcd-only node to existing cluster
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-02-28 19:56:08 -08:00
Brad Davidson
e7464a17f7 Fix use of agent creds for secrets-encrypt and config validate
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-01-06 12:55:18 -08:00
Derek Nola
bcb662926d
Secrets-encryption rotation (#4372)
* Regular CLI framework for encrypt commands
* New secrets-encryption feature
* New integration test
* fixes for flaky integration test CI
* Fix to bootstrap on restart of existing nodes
* Consolidate event recorder

Signed-off-by: Derek Nola <derek.nola@suse.com>
2021-12-07 14:31:32 -08:00
Brad Davidson
5a923ab8dc Add containerd ready channel to delay etcd node join
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-10-14 14:03:52 -07:00
Brad Davidson
dc14f370c4 Update wrangler to v0.8.5
Required to support apiextensions.v1 as v1beta1 has been deleted. Also
update helm-controller and dynamiclistener to track wrangler versions.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-08-20 18:47:16 -07:00
Brad Davidson
869b98bc4c Sync DisableKubeProxy into control struct
Sync DisableKubeProxy from cfg into control before sending control to clients,
as it may have been modified by a startup hook.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-07-30 12:26:50 -07:00
Brad Davidson
90445bd581
Wait until server is ready before configuring kube-proxy (#3716)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-07-27 14:56:05 -07:00
Brad Davidson
2705431d96
Add support for dual-stack Pod/Service CIDRs and node IP addresses (#3212)
* Add support for dual-stack cluster/service CIDRs and node addresses

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-04-21 15:56:20 -07:00
Erik Wilson
4245fd7b67 Return http.StatusOK instead of 0
Signed-off-by: Erik Wilson <Erik.E.Wilson@gmail.com>
2020-12-23 16:55:47 -07:00
Erik Wilson
2fb411fc83 Fix spelling mistake
Signed-off-by: Erik Wilson <Erik.E.Wilson@gmail.com>
2020-12-23 15:08:07 -07:00
Erik Wilson
09eb44ba53 Bootstrap node password with local file
Signed-off-by: Erik Wilson <Erik.E.Wilson@gmail.com>
2020-12-23 15:08:06 -07:00
Erik Wilson
1230d7b7df Fix HA server initialization
Signed-off-by: Erik Wilson <Erik.E.Wilson@gmail.com>
2020-12-15 16:08:28 -08:00
Erik Wilson
92d04355f4
Use secrets for node-passwd entries and cleanup 2020-11-05 09:48:53 -07:00
Brian Downs
bb8e5374ea conform to repo conventions
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2020-09-03 18:48:30 -07:00
Brian Downs
00831f9bc8 use version.Program
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2020-09-03 08:51:17 -07:00
Brian Downs
301fb73952 add node ip to the request header for cert gen
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2020-09-02 19:15:09 -07:00
Darren Shepherd
7e59c0801e Make program name a variable to be changed at compile time 2020-06-06 16:39:41 -07:00
Darren Shepherd
ff34c5c5cf Download cert/key to agent with single HTTP request
Since generated cert/keys are stored locally, each server has a different
copy.  In a HA setup we need to ensure we download the cert and key from
the same server so we combined HTTP requests to do that.
2019-11-15 21:51:51 -07:00
Darren Shepherd
0ae20eb7a3 Support both http and db based bootstrap 2019-11-12 01:12:24 +00:00
Darren Shepherd
e2431bdf9d Add dqlite support 2019-11-10 03:49:56 +00:00
Darren Shepherd
ba240d0611 Refactor tokens, bootstrap, and cli args 2019-10-30 19:06:49 -07:00
Darren Shepherd
f0382329a5 Drop openapi hack 2019-08-28 20:53:39 -07:00
Erik Wilson
fdb997b4ee Fix missing early returns on routes 2019-07-30 15:44:34 -07:00
Erik Wilson
7090a7d551 Move node password to separate file 2019-06-25 15:04:04 -07:00
Erik Wilson
2c9444399b Refactor certs 2019-06-25 15:04:04 -07:00
Darren Shepherd
c0702b0492 Port to wrangler 2019-05-26 22:28:50 -07:00
Erik Wilson
e64c0298f2 Add cert per-node password authentication 2019-04-23 11:02:35 -07:00
Erik Wilson
1b2db423de Add node name to node cert generation 2019-04-19 18:20:34 +00:00
Erik Wilson
608f3a4e80 Serve static assets
Provide a static assets route for use with helm or other air-gap needs.
2019-03-20 00:24:27 +00:00
Darren Shepherd
1826084b24 Add ping handler 2019-02-04 16:47:53 -07:00
Darren Shepherd
1502ad2530 Package serialized version of openapi 2019-01-25 22:09:46 -07:00
Darren Shepherd
62c62cc7b4 Continued refactoring 2019-01-11 21:52:30 -07:00
Darren Shepherd
9bb7c27c62 Initial Commit 2019-01-01 01:23:01 -07:00