[release-1.23] Backport fixes/bumps from master #5951

Merged

Conversation

brandond
Member

@brandond brandond commented Aug 3, 2022

Proposed Changes

Backport bugfixes from master for the August release cycle:

Types of Changes

backports

Verification

See linked issues

Testing

Linked Issues

  • TBD

User-Facing Change

Bumped minio-go to v7.0.33. This adds support for IMDSv2 credentials.
When set, the agent-token value is now written to `$datadir/server/agent-token`, in the same manner as the default (server) token is written to `$datadir/server/token`.
Updated dynamiclistener to fix a regression that prevented certificate renewal from working properly.
The configured service CIDR is now passed to the Kubernetes controller-manager via the `--service-cluster-ip-range` flag. Previously this value was only passed to the apiserver.
Fixed a regression that caused systemd cgroup driver autoconfiguration to fail on server nodes.
The initial health-check time for the etcd datastore has been raised from 10 to 30 seconds.
Bumped rootlesskit to v1.0.1

Further Comments

@brandond brandond requested a review from a team as a code owner August 3, 2022 21:36
@brandond brandond force-pushed the 2022-08-backports_release-1.23 branch from f697802 to ad8dafb Compare August 4, 2022 07:01
dirkmueller and others added 8 commits August 4, 2022 00:01
This avoids an issue with u-root 7.0.0 which has been retracted by the
author:

  $ go list -u -m all
  $ go list -m: github.com/u-root/u-root@v7.0.0+incompatible: retracted by module author: Published v7 too early (before migrating to go modules)

Signed-off-by: Dirk Müller <dirk@dmllr.de>
(cherry picked from commit 93ca992)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Addresses issue where the compact may take more than 10 seconds on slower disks. These disks probably aren't really suitable for etcd, but apparently run fine otherwise.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 1674b9d)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
* Use INVOCATION_ID to detect execution under systemd, since as of a9b5a19 NOTIFY_SOCKET is now cleared by the server code.
* Set the unit type to notify by default for both server and agent, which is what Rancher-managed installs have done for a while.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit bd5fdfc)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 84fb878)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Requires tweaking existing method signature to allow specifying whether or not IPv6 addresses should be returned URL-safe.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 5eaa0a9)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 0490044)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Having separate tokens for server and agent nodes is a nice feature.

However, passing server's plain `K3S_AGENT_TOKEN` value
to `k3s agent --token` without CA hash is insecure when CA is
self-signed, and k3s warns about it in the logs:

```
Cluster CA certificate is not trusted by the host CA bundle, but the token does not include a CA hash.
Use the full token from the server's node-token file to enable Cluster CA validation.
```

Okay so I need CA hash but where should I get it?

This commit attempts to fix this issue by saving agent token value to
`agent-token` file with CA hash appended.

Signed-off-by: Vladimir Kochnev <hashtable@yandex.ru>
(cherry picked from commit 13af0b1)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 4350834)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
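The agent-token commit above turns on why a token needs a CA hash: it lets a joining node pin the cluster CA instead of trusting whatever self-signed CA it is shown. The Go sketch below is an added example, not code from this PR or from k3s; the token layout (`K10` + hex SHA-256 of the CA bundle + `::` + `user:password`) is an assumption not stated on this page, and `FullToken` and `VerifyCA` are hypothetical names.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Assumed layout: "K10" + hex(SHA-256 of CA bundle) + "::" + user:password.
const tokenPrefix = "K10"

var (
	ErrNoCAHash   = errors.New("token carries no CA hash; cluster CA cannot be pinned")
	ErrCAMismatch = errors.New("CA bundle does not match the hash pinned in the token")
)

// FullToken builds the full form from the CA bundle bytes and a bare secret.
func FullToken(caPEM []byte, user, secret string) string {
	sum := sha256.Sum256(caPEM)
	return tokenPrefix + hex.EncodeToString(sum[:]) + "::" + user + ":" + secret
}

// VerifyCA checks a presented CA bundle against the hash pinned in the token.
func VerifyCA(token string, presentedCA []byte) error {
	i := strings.Index(token, "::")
	if !strings.HasPrefix(token, tokenPrefix) || i < 0 {
		return ErrNoCAHash // bare secret, e.g. a plain K3S_AGENT_TOKEN value
	}
	want, err := hex.DecodeString(token[len(tokenPrefix):i])
	if err != nil || len(want) != sha256.Size {
		return errors.New("malformed CA hash in token")
	}
	got := sha256.Sum256(presentedCA)
	if subtle.ConstantTimeCompare(got[:], want) != 1 {
		return ErrCAMismatch
	}
	return nil
}

func main() {
	clusterCA := []byte("constructed stand-in for the cluster CA PEM bundle")
	otherCA := []byte("constructed stand-in for a different CA bundle")
	full := FullToken(clusterCA, "node", "s3cret") // constructed sample values
	fmt.Println(VerifyCA(full, clusterCA))         // pinned CA matches
	fmt.Println(VerifyCA(full, otherCA))           // mismatch is rejected
	fmt.Println(VerifyCA("s3cret", clusterCA))     // bare token: nothing to pin
}
```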
@brandond
Member Author

brandond commented Aug 4, 2022

s390x builder is out of disk space; merging

@brandond brandond merged commit a079a65 into k3s-io:release-1.23 Aug 4, 2022
@brandond brandond deleted the 2022-08-backports_release-1.23 branch June 6, 2024 21:06