Brad Davidson
977a85559e
Add support for cross-signing new certs during ca rotation
...
We need to send the full chain in order for cross-signing to work
properly during switchover to a new root.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-03-13 16:56:28 -07:00
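The commit message above states the mechanism that makes a CA switchover work: a leaf issued by the new root only verifies for a client that still trusts the old root if the server presents the cross-signed copy of the new root alongside the leaf. The following is an added example, not k3s code, that builds that situation with the standard library: an old root, a new root, a cross-signed copy of the new root signed by the old root, and a server leaf issued by the new root. The CA names, the hostname and the serial-number counter are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// serial is a constructed counter so the example is deterministic; a real CA
// uses random 128-bit serial numbers.
var serial int64 = 1000

func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign fills in serial and validity, then signs tmpl with parentKey.
// A nil parent produces a self-signed certificate.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	serial++
	tmpl.SerialNumber = big.NewInt(serial)
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	tmpl.NotAfter = time.Now().Add(24 * time.Hour)
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func caTemplate(cn string) *x509.Certificate {
	return &x509.Certificate{
		Subject:               pkix.Name{CommonName: cn},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// CrossSign issues a CA certificate that carries newRoot's subject and public
// key but is signed by oldRoot. Anything issued by newRoot then chains to the
// old trust anchor through this certificate (same subject, same key id).
func CrossSign(newRoot, oldRoot *x509.Certificate, oldKey *ecdsa.PrivateKey) *x509.Certificate {
	return sign(caTemplate(newRoot.Subject.CommonName), oldRoot, newRoot.PublicKey.(*ecdsa.PublicKey), oldKey)
}

// Verifies reports whether leaf chains to trusted, given the intermediates the
// server presented alongside it.
func Verifies(leaf *x509.Certificate, presented []*x509.Certificate, trusted *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	inter := x509.NewCertPool()
	for _, c := range presented {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err == nil
}

// Rotation holds the artefacts of one CA switchover.
type Rotation struct {
	OldRoot, NewRoot, Leaf *x509.Certificate
	// Chain is what the server must send with Leaf during the switchover:
	// the cross-signed copy of NewRoot. Without it, clients that still trust
	// only OldRoot cannot build a path to the leaf.
	Chain []*x509.Certificate
}

func BuildRotation() Rotation {
	oldKey, newKey, leafKey := genKey(), genKey(), genKey()
	oldRoot := sign(caTemplate("k3s-server-ca@old"), nil, &oldKey.PublicKey, oldKey) // constructed names
	newRoot := sign(caTemplate("k3s-server-ca@new"), nil, &newKey.PublicKey, newKey)
	cross := CrossSign(newRoot, oldRoot, oldKey)
	leaf := sign(&x509.Certificate{
		Subject:     pkix.Name{CommonName: "k3s-supervisor"},
		DNSNames:    []string{"server-1.example.invalid"},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, newRoot, &leafKey.PublicKey, newKey)
	return Rotation{OldRoot: oldRoot, NewRoot: newRoot, Leaf: leaf, Chain: []*x509.Certificate{cross}}
}

func main() {
	r := BuildRotation()
	fmt.Println("old trust, leaf only:   ", Verifies(r.Leaf, nil, r.OldRoot))     // false
	fmt.Println("old trust, leaf + chain:", Verifies(r.Leaf, r.Chain, r.OldRoot)) // true
	fmt.Println("new trust, leaf only:   ", Verifies(r.Leaf, nil, r.NewRoot))     // true
	fmt.Println("new trust, leaf + chain:", Verifies(r.Leaf, r.Chain, r.NewRoot)) // true
}
```

The chain builder matches the leaf's issuer name and authority key identifier against the cross-signed certificate, which carries the new root's subject and key, and then matches the cross-signed certificate's issuer against the old root in the trust store. Clients that have already picked up the new root ignore the extra certificate, so sending the full chain is safe for both populations during the rollout.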
Brad Davidson
87f9c4ab11
Ensure that node exists when using node auth
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-07 14:55:04 -08:00
Brad Davidson
373df1c8b0
Add support for k3s token command
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-07 14:55:04 -08:00
Brad Davidson
215fb157ff
Add certificate rotate-ca to write updated CA certs to datastore
...
This command must be run on a server while the service is running. After this command completes, all the servers in the cluster should be restarted to load the new CA files.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2023-02-06 15:09:31 -08:00
Derek Nola
06d81cb936
Replace deprecated ioutil package (#6230)
...
* Replace ioutil package
* check integration test null pointer
* Remove rotate retries
Signed-off-by: Derek Nola <derek.nola@suse.com>
2022-10-07 17:36:57 -07:00
Brad Davidson
a15e7e8b68
Move DisableServiceLB/Rootless/ServiceLBNamespace into config.Control
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-09-30 08:17:20 -07:00
Brad Davidson
ce5b9347c9
Replace DefaultProxyDialerFn dialer injection with EgressSelector support
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-29 17:54:36 -07:00
Brad Davidson
3d01ca1309
Make supervisor errors parsable by Kubernetes client libs
...
This gives nicer errors from Kubernetes components during startup, and
reduces LOC a bit by using the upstream responsewriters module instead
of writing the headers and body by hand.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-29 09:23:37 -07:00
Brad Davidson
5b2c14b123
Print a helpful error when trying to join additional servers but etcd is not in use
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-15 01:02:42 -07:00
Brad Davidson
99851b0f84
Use core constants for cert user/group values
...
Also update cert gen to ensure leaf certs are regenerated if other key fields change.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-15 01:02:42 -07:00
Brad Davidson
49544e0d49
Allow agents to query non-apiserver supervisors for apiserver endpoints
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-04-06 13:03:14 -07:00
Brad Davidson
38706eeec0
Defer ensuring node passwords on etcd-only nodes during initial cluster bootstrap
...
This allows secondary etcd nodes to bootstrap the kubelet before an
apiserver joins the cluster. Rancher waits for all the etcd nodes to
come up before adding the control-plane nodes, so this needs to be
handled properly.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-03-18 10:58:37 -07:00
Luther Monson
9a849b1bb7
[master] changing package to k3s-io (#4846)
...
* changing package to k3s-io
Signed-off-by: Luther Monson <luther.monson@gmail.com>
Co-authored-by: Derek Nola <derek.nola@suse.com>
2022-03-02 15:47:27 -08:00
Brad Davidson
5014c9e0e8
Fix adding etcd-only node to existing cluster
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-02-28 19:56:08 -08:00
Brad Davidson
e7464a17f7
Fix use of agent creds for secrets-encrypt and config validate
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2022-01-06 12:55:18 -08:00
Derek Nola
bcb662926d
Secrets-encryption rotation (#4372)
...
* Regular CLI framework for encrypt commands
* New secrets-encryption feature
* New integration test
* fixes for flaky integration test CI
* Fix to bootstrap on restart of existing nodes
* Consolidate event recorder
Signed-off-by: Derek Nola <derek.nola@suse.com>
2021-12-07 14:31:32 -08:00
Brad Davidson
5a923ab8dc
Add containerd ready channel to delay etcd node join
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-10-14 14:03:52 -07:00
Brad Davidson
dc14f370c4
Update wrangler to v0.8.5
...
Required to support apiextensions.v1 as v1beta1 has been deleted. Also
update helm-controller and dynamiclistener to track wrangler versions.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-08-20 18:47:16 -07:00
Brad Davidson
869b98bc4c
Sync DisableKubeProxy into control struct
...
Sync DisableKubeProxy from cfg into control before sending control to clients,
as it may have been modified by a startup hook.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-07-30 12:26:50 -07:00
Brad Davidson
90445bd581
Wait until server is ready before configuring kube-proxy (#3716)
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-07-27 14:56:05 -07:00
Brad Davidson
2705431d96
Add support for dual-stack Pod/Service CIDRs and node IP addresses (#3212)
...
* Add support for dual-stack cluster/service CIDRs and node addresses
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-04-21 15:56:20 -07:00
Erik Wilson
4245fd7b67
Return http.StatusOK instead of 0
...
Signed-off-by: Erik Wilson <Erik.E.Wilson@gmail.com>
2020-12-23 16:55:47 -07:00
Erik Wilson
2fb411fc83
Fix spelling mistake
...
Signed-off-by: Erik Wilson <Erik.E.Wilson@gmail.com>
2020-12-23 15:08:07 -07:00
Erik Wilson
09eb44ba53
Bootstrap node password with local file
...
Signed-off-by: Erik Wilson <Erik.E.Wilson@gmail.com>
2020-12-23 15:08:06 -07:00
Erik Wilson
1230d7b7df
Fix HA server initialization
...
Signed-off-by: Erik Wilson <Erik.E.Wilson@gmail.com>
2020-12-15 16:08:28 -08:00
Erik Wilson
92d04355f4
Use secrets for node-passwd entries and cleanup
2020-11-05 09:48:53 -07:00
Brian Downs
bb8e5374ea
conform to repo conventions
...
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2020-09-03 18:48:30 -07:00
Brian Downs
00831f9bc8
use version.Program
...
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2020-09-03 08:51:17 -07:00
Brian Downs
301fb73952
add node ip to the request header for cert gen
...
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2020-09-02 19:15:09 -07:00
Darren Shepherd
7e59c0801e
Make program name a variable to be changed at compile time
2020-06-06 16:39:41 -07:00
Darren Shepherd
ff34c5c5cf
Download cert/key to agent with single HTTP request
...
Since generated cert/keys are stored locally, each server has a different
copy. In an HA setup we need to ensure we download the cert and key from
the same server, so we combined HTTP requests to do that.
2019-11-15 21:51:51 -07:00
Darren Shepherd
0ae20eb7a3
Support both http and db based bootstrap
2019-11-12 01:12:24 +00:00
Darren Shepherd
e2431bdf9d
Add dqlite support
2019-11-10 03:49:56 +00:00
Darren Shepherd
ba240d0611
Refactor tokens, bootstrap, and cli args
2019-10-30 19:06:49 -07:00
Darren Shepherd
f0382329a5
Drop openapi hack
2019-08-28 20:53:39 -07:00
Erik Wilson
fdb997b4ee
Fix missing early returns on routes
2019-07-30 15:44:34 -07:00
Erik Wilson
7090a7d551
Move node password to separate file
2019-06-25 15:04:04 -07:00
Erik Wilson
2c9444399b
Refactor certs
2019-06-25 15:04:04 -07:00
Darren Shepherd
c0702b0492
Port to wrangler
2019-05-26 22:28:50 -07:00
Erik Wilson
e64c0298f2
Add cert per-node password authentication
2019-04-23 11:02:35 -07:00
Erik Wilson
1b2db423de
Add node name to node cert generation
2019-04-19 18:20:34 +00:00
Erik Wilson
608f3a4e80
Serve static assets
...
Provide a static assets route for use with helm or other air-gap needs.
2019-03-20 00:24:27 +00:00
Darren Shepherd
1826084b24
Add ping handler
2019-02-04 16:47:53 -07:00
Darren Shepherd
1502ad2530
Package serialized version of openapi
2019-01-25 22:09:46 -07:00
Darren Shepherd
62c62cc7b4
Continued refactoring
2019-01-11 21:52:30 -07:00
Darren Shepherd
9bb7c27c62
Initial Commit
2019-01-01 01:23:01 -07:00