The `continue` was incorrectly changed to `return` when converting the
loop to an inline function in 4974fc7c24.
Also addresses unnecessary creation of a new kubernetes client every
time the promotion check runs.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Currently only waits on etcd and kine, as other components
are stateless and do not need to shut down cleanly.
Terminal but non-fatal errors now request shutdown via context
cancellation, instead of just logging a fatal error.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
When running K3s as a subprocess for reaping or logging purposes, properly wire up signals to send it SIGINT instead of just exiting immediately.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Fixes issue where member removal would be requeued until the node was deleted, or rejoined with a new name.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Wait for updated ready condition before starting netpol controller, to ensure that node IPs have been updated following a restart. The current checks only ensure that the taint is removed, which works for the initial join - but does not handle changing node IPs on restarts.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
* Raft is now an independent dependency, with a separate release version
* errors moved into their own subpackage
* set a default WarningUnaryRequestDuration
Signed-off-by: Derek Nola <derek.nola@suse.com>
Co-authored-by: Michael Fritch <mfritch@suse.com>
Also cleans up some of the server.Context factory creation stuff to eliminate unused code paths and avoid registering the Helm controller when helm is disabled.
As of fe465cc832 we no longer call NewContext outside pkg/server, so the isServer bool flag to use the supervisor kubeconfig and create an event recorder is unnecessary.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Changes to how we bootstrap the agent and apiserver address list have
made this unnecessary since 5014c9e was merged, and it is creating
problems due to etcd-only nodes not using their own config.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
The container runtime endpoint value is passed into cri-dockerd as the docker socket address, so we need to check for --docker BEFORE checking for non-nil --container-runtime-endpoint.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Move the `ipv4` and `ipv6` constants to their own constant
declaration. This ensures that the `iota` expression for the `ipv4`
constant evaluates to 0, not some arbitrary value. (`iota` evaluates
to N for the Nth constant in the constant declaration; see
<https://go.dev/ref/spec#Iota>.) This is also more idiomatic, which
improves readability.
Also switch from incremental integers to bit flags, and use bitwise
operators for checking. This is more idiomatic (the integer is
treated like a set of booleans), it avoids some code duplication, and
it is necessary to avoid ambiguity. Consider the following:
const (
ipv4 = iota
ipv6
)
In the above, `ipv4` would have the value 0 and `ipv6` would have the
value 1. This would make it impossible to distinguish an IPv6-only
stack from a dual-stack configuration because `ipv6` would equal
`ipv4 + ipv6`. With bit flags this problem doesn't exist.
And put the integer holding the bit flags in a custom type with
convenience methods to improve readability.
Signed-off-by: Richard Hansen <rhansen@rhansen.org>
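Added example, not code from this commit or from K3s: the bit-flag layout the message describes, written out as a small Go type with the convenience methods, next to the incremental scheme it replaces so the ambiguity is visible. The ipv4 and ipv6 constants are the ones named above; the IPFamilies type, the FamiliesFromAddrs helper and the legacy* constants are assumptions made here.

```go
package main

import (
	"fmt"
	"net"
)

// IPFamilies is a set of enabled IP stacks kept as bit flags. The type name and
// helper names are assumptions for this example, not K3s identifiers.
type IPFamilies uint8

// Each constant is its own bit, so ipv4|ipv6 is distinct from either alone.
// This declaration holds nothing else, so iota starts at 0 for ipv4.
const (
	ipv4 IPFamilies = 1 << iota // 0b01
	ipv6                        // 0b10
)

func (f IPFamilies) HasIPv4() bool     { return f&ipv4 != 0 }
func (f IPFamilies) HasIPv6() bool     { return f&ipv6 != 0 }
func (f IPFamilies) IsDualStack() bool { return f&(ipv4|ipv6) == ipv4|ipv6 }
func (f IPFamilies) IsIPv6Only() bool  { return f == ipv6 }

func (f IPFamilies) String() string {
	switch {
	case f.IsDualStack():
		return "dual-stack"
	case f.HasIPv4():
		return "ipv4"
	case f.HasIPv6():
		return "ipv6"
	}
	return "none"
}

// FamiliesFromAddrs derives the set from node IP strings; entries that do not
// parse are ignored rather than guessed at.
func FamiliesFromAddrs(addrs []string) IPFamilies {
	var f IPFamilies
	for _, a := range addrs {
		ip := net.ParseIP(a)
		switch {
		case ip == nil:
			continue
		case ip.To4() != nil:
			f |= ipv4
		default:
			f |= ipv6
		}
	}
	return f
}

// The incremental scheme the message warns against: with plain iota ipv4 is 0
// and ipv6 is 1, so a value built by adding them collapses into "ipv6".
const (
	legacyIPv4 = iota
	legacyIPv6
)

// LegacyAmbiguous reports whether the summed legacy value for a dual-stack
// node is indistinguishable from IPv6-only; it returns true.
func LegacyAmbiguous() bool { return legacyIPv4+legacyIPv6 == legacyIPv6 }

func main() {
	for _, addrs := range [][]string{{"10.0.0.1"}, {"fd00::1"}, {"10.0.0.1", "fd00::1"}, {"bogus"}} {
		fmt.Printf("%v -> %s\n", addrs, FamiliesFromAddrs(addrs))
	}
	fmt.Println("legacy scheme ambiguous:", LegacyAmbiguous())
}
```

With the flags, the combined value 3 is distinct from both members, and the checks become single bitwise tests instead of a chain of equality comparisons.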
Normally K3s will import all tarballs in the image dir on startup, and
re-import any tarballs that change while it is running.
This change allows users to opt into only importing tarballs that have
changed since they were last imported, even across restarts.
This behavior is opted into by touching a `.cache.json` file in the
images dir. This file is used to track the size and mtime of the image
files when they are imported.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
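Added example, not code from this commit or from K3s, of the opt-in tracking the message describes: the presence of `.cache.json` in the image dir turns the behaviour on, and each tarball's size and mtime are recorded at import so unchanged files are skipped on later runs, including after a restart. The file name is taken from the message; the JSON field names, the helper names, the suffix test in isTarball and the writeImage/bumpMtime demo helpers are assumptions made here.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// cacheFile is both the opt-in marker and the store: touching it turns the
// behaviour on, and after each import it records what was imported.
const cacheFile = ".cache.json"

// imported is what the cache remembers about a tarball: size and mtime at import.
type imported struct {
	Size    int64     `json:"size"`
	ModTime time.Time `json:"modTime"`
}

type importCache map[string]imported

// isTarball is this example's assumption about which names are image archives.
func isTarball(name string) bool { return strings.Contains(name, ".tar") || strings.HasSuffix(name, ".tgz") }

// loadCache returns the recorded entries and whether the opt-in file exists;
// a file that was merely touched (empty) yields an empty cache.
func loadCache(dir string) (importCache, bool, error) {
	data, err := os.ReadFile(filepath.Join(dir, cacheFile))
	if errors.Is(err, os.ErrNotExist) {
		return nil, false, nil
	}
	if err != nil {
		return nil, false, err
	}
	c := importCache{}
	if strings.TrimSpace(string(data)) != "" {
		if err := json.Unmarshal(data, &c); err != nil {
			return nil, false, err
		}
	}
	return c, true, nil
}

// save writes the cache back; call it once the listed tarballs have been imported.
func (c importCache) save(dir string) error {
	data, err := json.MarshalIndent(c, "", "  ")
	if err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(dir, cacheFile), data, 0o600)
}

// tarballsToImport lists the tarballs in dir that should be imported now. Without
// the opt-in file that is every tarball (the default); with it, only those whose
// size or mtime differs from the recorded entry, and the cache is updated to match.
func tarballsToImport(dir string) ([]string, importCache, bool, error) {
	cache, enabled, err := loadCache(dir)
	if err != nil {
		return nil, nil, false, err
	}
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, nil, false, err
	}
	var todo []string
	for _, e := range entries {
		name := e.Name()
		if e.IsDir() || !isTarball(name) {
			continue
		}
		info, err := e.Info()
		if err != nil {
			return nil, nil, false, err
		}
		cur := imported{Size: info.Size(), ModTime: info.ModTime()}
		if enabled {
			if prev, ok := cache[name]; ok && prev.Size == cur.Size && prev.ModTime.Equal(cur.ModTime) {
				continue // unchanged since its last import, even across restarts
			}
			cache[name] = cur
		}
		todo = append(todo, name)
	}
	return todo, cache, enabled, nil
}

// writeImage and bumpMtime drive the example; bumpMtime simulates a tarball
// rewritten with identical size but a newer mtime, which must trigger a re-import.
func writeImage(dir, name string, data []byte) error {
	return os.WriteFile(filepath.Join(dir, name), data, 0o644)
}

func bumpMtime(dir, name string) error {
	t := time.Now().Add(time.Hour)
	return os.Chtimes(filepath.Join(dir, name), t, t)
}

func main() {
	dir, _ := os.MkdirTemp("", "images")
	defer os.RemoveAll(dir)
	_ = writeImage(dir, "app.tar", []byte("constructed sample tarball"))
	_ = writeImage(dir, cacheFile, nil) // opt in by touching the file
	first, cache, _, _ := tarballsToImport(dir)
	_ = cache.save(dir)
	second, _, _, _ := tarballsToImport(dir)
	fmt.Println("first run:", first, "after restart:", second)
}
```

Size and mtime are cheap to compare and catch the common cases (a replaced or re-pulled tarball); they are not a content hash, so a tarball rewritten with identical size and mtime would be missed, which is the trade-off of this scheme.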
Panic gets rescued by the http server, and was only visible when running in debug mode, but should be handled properly.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Avoids infinite recursion when the chain includes an agentBootstrapper with a server address that points back at this node (via join address loop or external LB)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Adds maximum in-flight request limits to agent join and p2p peer info
request handlers.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
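Added example, not the project's handler code, of the cap the message describes: a middleware that admits at most a fixed number of concurrent requests and rejects the rest immediately, plus a driver that shows the cap holding under a burst. The MaxInFlight and Burst names, the 503 response with Retry-After, and the /agent-join path are assumptions made here.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// MaxInFlight wraps h so that at most limit requests execute concurrently. A
// request arriving while every slot is held is rejected at once with 503 and
// Retry-After rather than queued, so a burst of joining agents bounds goroutines
// and memory on the server instead of piling up behind a slow handler.
func MaxInFlight(limit int, h http.Handler) http.Handler {
	slots := make(chan struct{}, limit)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		select {
		case slots <- struct{}{}:
			defer func() { <-slots }()
			h.ServeHTTP(w, r)
		default:
			w.Header().Set("Retry-After", "1")
			http.Error(w, "too many in-flight requests", http.StatusServiceUnavailable)
		}
	})
}

// Burst sends requests concurrent calls through a handler limited to limit. The
// admitted handlers are held open until every other call has been answered, so
// the outcome is deterministic: min(limit, requests) served, the rest rejected.
func Burst(limit, requests int) (served, rejected int) {
	entered := make(chan struct{}, requests)
	release := make(chan struct{})
	slow := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		entered <- struct{}{}
		<-release // keep the slot occupied until Burst lets go
		w.WriteHeader(http.StatusOK)
	})
	h := MaxInFlight(limit, slow)

	codes := make(chan int, requests)
	var wg sync.WaitGroup
	for i := 0; i < requests; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			rec := httptest.NewRecorder()
			h.ServeHTTP(rec, httptest.NewRequest(http.MethodPost, "/agent-join", nil)) // path is illustrative
			codes <- rec.Code
		}()
	}

	held := limit
	if held > requests {
		held = requests
	}
	for i := 0; i < held; i++ {
		<-entered // every slot is now occupied
	}
	count := func(code int) {
		if code == http.StatusOK {
			served++
		} else {
			rejected++
		}
	}
	for i := 0; i < requests-held; i++ {
		count(<-codes) // the remaining calls can only have been rejected
	}
	close(release)
	wg.Wait()
	close(codes)
	for code := range codes {
		count(code)
	}
	return served, rejected
}

func main() {
	served, rejected := Burst(2, 10)
	fmt.Printf("limit=2 requests=10: served=%d rejected=%d\n", served, rejected)
}
```

Rejecting rather than queueing is the point: a queue would still let an unbounded burst hold memory and connections open, while an immediate 503 with Retry-After lets well-behaved agents back off and leaves the server's resources bounded by the limit.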
libp2p may make a large number of bootstrap calls during startup; serve nodes from cache to avoid excessive CPU usage.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
I assume this was a mistake when copying and the kubelet key should have been used here.
This bug was introduced in #11471.
Signed-off-by: Aaron Dewes <aaron@nirvati.org>
* chore: Bump Klipper Helm and Helm Controller version
Made with ❤️️ by updatecli
* chore: Bump Klipper Helm and Helm Controller version
Made with ❤️️ by updatecli
* Fix build
Signed-off-by: Derek Nola <derek.nola@suse.com>
---------
Signed-off-by: Derek Nola <derek.nola@suse.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Derek Nola <derek.nola@suse.com>
Addresses flakes in etcd CI due to the port still being in TIME_WAIT after the server is shut down between tests
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
- Add testlet for new provider switch
- Handle migration between providers
- Add exception for criticalcontrolargs
Signed-off-by: Derek Nola <derek.nola@suse.com>
Increase etcd shutdown delay to avoid "bind: address already in use" errors seen in CI. Also uses test TmpDir to ensure dir is cleaned up between tests.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Move arg-parsing helper functions into util, and use them to see if the user has set an authorization-config flag - and do not set authorization-mode if so.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Generate the mock executor with mockgen and convert existing uses of the mock executor to set it up properly.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
This eliminates the final channel that was being passed around in an internal struct. The ETCD management code passes in a func that can be polled until etcd is ready; the executor is responsible for polling this after etcd is started and closing the etcd ready channel at the correct time.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Move the container runtime ready channel into the executor interface, instead of passing it awkwardly between server and agent config structs
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Splits server startup into prepare/start phases. Server's agent is now
started after server is prepared, but before it is started. This allows
us to properly bootstrap the executor before starting server components,
and use the executor to provide a shared channel to wait on apiserver
readiness.
This allows us to replace four separate callers of WaitForAPIServerReady
with reads from a common ready channel.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Increases log verbosity but decreases polling frequency to avoid
spamming the console. It usually takes a couple seconds for the
apiserver to come up anyway.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Remove the AddOn last, after any resources it created in the cluster
have been deleted and the AddOn file is removed.
Signed-off-by: Robert Rose <robert.rose@mailbox.org>
* Bump rootlesskit to v1.1.1, last of the v1 line
* Migrate to urfavecli v2
* Disable StringSlice separation
Signed-off-by: Derek Nola <derek.nola@suse.com>
We are not making use of the stack traces that these functions capture, so we should avoid using them as unnecessary overhead.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Fixes issue where CA rotation would fail on servers with join URL set due to using old data from disk on other server
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
RKE2 on Windows sets CNI bin dirs in node config even though embedded flannel is disabled (NoFlannel=true). We need to gate rendering this config on the vars being set, NOT on NoFlannel being false.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Ref: https://github.com/containerd/containerd/blob/release/2.0/docs/cri/config.md
Since this is a breaking change, add support for a new v3 template file. If no v3 template is present, fall back to checking for the legacy v2 template and render the old structure.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Netpol startup is skipped with a warning on linux if ipset support is missing, we should do the same on windows
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Also adds a CLI flag and fields for session token, which must be passed
alongside the access key and secret when using temporary credentials.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
* chore: Bump Local Path Provisioner version
Made with ❤️️ by updatecli
* chore: Bump Local Path Provisioner version
Made with ❤️️ by updatecli
---------
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Restricting deferred node password validation to only requests from the local node is not possible without breaking split-role cluster cold start. There are too many cases where node password secrets may not yet be available due to the apiserver not being up.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
* Bump klipper-lb to v0.4.10
Bump klipper-helm to v0.9.4
Signed-off-by: Derek Nola <derek.nola@suse.com>
* Bump helm-controller
Signed-off-by: Derek Nola <derek.nola@suse.com>
---------
Signed-off-by: Derek Nola <derek.nola@suse.com>
The effective snapshot dir is "${data-dir}/server/db/snapshots". The
server segment is missing in the CLI-reported default path, potentially
misleading the user about the actual default snapshot destination.
Signed-off-by: Maja Bojarska <majabojarska98@gmail.com>
Only wait for k3s-controller RBAC when AuthorizeNodeWithSelectors blocks kubelet from listing nodes
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Make this field an interface instead of pointer to allow mocking. Not sure why wrangler has a type that returns an interface instead of just making it an interface itself. Wrangler in general is hard to mock for testing.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Clients now generate keys client-side and send CSRs. If the server is down-level and sends a cert+key instead of just responding with a cert signed with the client's public key, we use the key from the server instead.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
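Added example, not the K3s client or server code, of the exchange the message describes: the client generates its key locally and sends only a CSR; a current server answers with a certificate over the CSR's public key, while a down-level server ignores the CSR and returns a certificate plus a key of its own, which the client must then use instead. The function names, the EC PRIVATE KEY PEM block type, and the issue/newCA stand-ins for the server side are assumptions made here; the server stand-in also checks the CSR's self-signature, which is what a signer should do to confirm the requester holds the key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// NewClientKeyAndCSR generates the key on the client; only the CSR, carrying the
// public key and a self-signature proving possession, leaves the node.
func NewClientKeyAndCSR(cn string, orgs []string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn, Organization: orgs}}
	der, err := x509.CreateCertificateRequest(rand.Reader, req, key)
	if err != nil {
		return nil, nil, err
	}
	return key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// ParseCertResponse returns the leaf certificate and the key to use with it. A
// current server answers with CERTIFICATE blocks only, so the local key is kept; a
// down-level server ignores the CSR and adds its own EC PRIVATE KEY block, which
// then replaces the local key. Either way the cert is checked against the key used.
func ParseCertResponse(body []byte, local *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	var cert *x509.Certificate
	key := local
	for blk, rest := pem.Decode(body); blk != nil; blk, rest = pem.Decode(rest) {
		switch blk.Type {
		case "CERTIFICATE":
			c, err := x509.ParseCertificate(blk.Bytes)
			if err != nil {
				return nil, nil, err
			}
			if cert == nil { // first certificate in the bundle is the leaf
				cert = c
			}
		case "EC PRIVATE KEY":
			k, err := x509.ParseECPrivateKey(blk.Bytes)
			if err != nil {
				return nil, nil, err
			}
			key = k
		}
	}
	if cert == nil {
		return nil, nil, errors.New("no certificate in response")
	}
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !pub.Equal(&key.PublicKey) {
		return nil, nil, errors.New("certificate does not match the key in use")
	}
	return cert, key, nil
}

// issue stands in for the server signer (constructed here, not K3s code). With
// legacyKey nil it certifies the CSR's own key like a current server; otherwise it
// mimics a down-level server, certifying legacyKey and returning it alongside.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csrPEM []byte, legacyKey *ecdsa.PrivateKey) ([]byte, error) {
	blk, _ := pem.Decode(csrPEM)
	if blk == nil {
		return nil, errors.New("no CSR block")
	}
	csr, err := x509.ParseCertificateRequest(blk.Bytes)
	if err == nil {
		err = csr.CheckSignature() // proof of possession of the private key
	}
	if err != nil {
		return nil, err
	}
	pub := csr.PublicKey
	if legacyKey != nil {
		pub = &legacyKey.PublicKey
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		return nil, err
	}
	out := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	if legacyKey != nil {
		kder, _ := x509.MarshalECPrivateKey(legacyKey)
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: kder})...)
	}
	return out, nil
}

// newCA returns a minimal issuer (subject and key only) standing in for the server CA.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &x509.Certificate{Subject: pkix.Name{CommonName: "example-ca"}, PublicKey: &key.PublicKey}, key
}

func main() {
	ca, caKey := newCA()
	key, csr, _ := NewClientKeyAndCSR("system:node:agent-1", []string{"system:nodes"})
	resp, _ := issue(ca, caKey, csr, nil)
	_, used, err := ParseCertResponse(resp, key)
	fmt.Println("local key kept:", used == key, "err:", err)
}
```

The final public-key comparison is what makes the fallback safe: whichever key ends up in use, the client refuses a certificate that was not issued for it, so a response that mixes a cert for one key with another key (or none) fails closed instead of producing a TLS identity that cannot handshake.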
The servers package, and router.go in particular, had become quite
large. Address this by moving some things out to separate packages:
* http request handlers all move to pkg/server/handlers.
* node password bootstrap auth handler goes into pkg/nodepassword with
the other nodepassword code.
While we're at it, also be more consistent about calling variables that
hold a config.Control struct or reference `control` instead of `config` or `server`.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
* Add "k3s certificate check" clause for better test coverage
Signed-off-by: Derek Nola <derek.nola@suse.com>
* Add table support to cert check
Signed-off-by: Derek Nola <derek.nola@suse.com>
---------
Signed-off-by: Derek Nola <derek.nola@suse.com>
* Update libraries and codegen for k8s 1.32
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
* Fixes for 1.32
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
* Disable tests with down-rev agents
These are broken by AuthorizeNodeWithSelectors being on by default. All
agents must be upgraded to v1.32 or newer to work properly, until we
backport RBAC changes to older branches.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
---------
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Co-authored-by: Brad Davidson <brad.davidson@rancher.com>
Add flags for supervisor and apiserver ports and bind address so that we can add an e2e to cover supervisor and apiserver on separate ports, as used by rke2
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>