[release-1.24] Backport version bumps and bugfixes

[brandond]

Proposed Changes

Backport version bumps and bugfixes for the 2023-05 release:

• Bump helm-controller version for repo auth/ca support #7525
• Consistently use constant-time comparison of password hashes instead of bare password strings #7455
• Bump cni plugins to v1.2.0-k3s1 #7425
• Bump kine to v0.10.1 #7414
• Fix MemberList error handling and incorrect etcd-arg passthrough #7371
• Fix issues with --disable-agent and --egress-selector-mode=pod|cluster #7331
• Create CRDs with schema #7308
• Fail to validate server tokens that use bootstrap id/secret format #7389
• Improve error message when CLI wrapper Exec fails #7373
• Bump traefik to v2.9.10 / chart 21.2.0 #7324
• Bump k3s-root for aarch64 page size fix #7364
• Retry cluster join on "too many learners" error #7351

Types of Changes

Backports

Verification

See linked issues

Testing

Linked Issues

• [release-1.24] Bump helm-controller and klipper-helm for repo auth and CA improvements #7520
• [release-1.24] Potential misuse of linear-time or constant-time password comparisons #7479
• [release-1.24] Update CNI plugins version and add additional plugins from upstream #7482
• [release-1.24] Bump kine to v0.10.1 #7485
• [release-1.24] Multiple issues with temporary bootstrap etcd config #7488
• [release-1.24] --egress-selector-mode=cluster|pod are broken #7491
• [release-1.24] Servers run with --disable-agent still attempt to run agent tunnel authorizer #7494
• [release-1.24] Register K3s CRDs with schema #7497
• [release-1.24] Bootstrap of HA cluster fails with when agent bootstrap token used as server token  #7500
• [release-1.24] "FATA [0000] permission denied" when /var is mounted noexec #7503
• [release-1.24] Packaged Traefik 2.9.4 has incorrect access logs #7506
• [release-1.24] 16k kernel page builds to support Apple Silicon (ARM64)  #7509
• [release-1.24] k3s server exits instead of retrying when receiving "too many learners" error from etcd join #7512

User-Facing Change

* K3s now retries the cluster join operation when receiving a "too many learners" error from etcd. This most frequently occurred when attempting to add multiple servers at the same time.
* K3s once again supports aarch64 nodes with page size > 4k
* The packaged Traefik version has been bumped to v2.9.10 / chart 21.2.0
* K3s now prints a more meaningful error when attempting to run from a filesystem mounted `noexec`.
* K3s now exits with a proper error message when the server token uses a bootstrap token `id.secret` format.
* Fixed an issue where Addon, HelmChart, and HelmChartConfig CRDs were created without structural schema, allowing the creation of custom resources of these types with invalid content.
* Servers started with the (experimental) --disable-agent flag no longer attempt to run the tunnel authorizer agent component.
* Fixed an regression that prevented the pod and cluster egress-selector modes from working properly.
* K3s now correctly passes through etcd-args to the temporary etcd that is used to extract cluster bootstrap data when restarting managed etcd nodes.
* K3s now properly handles errors obtaining the current etcd cluster member list when a new server is joining the managed etcd cluster.
* The embedded kine version has been bumped to v0.10.1. This replaces the legacy `lib/pq` postgres driver with `pgx`.
* The bundled CNI plugins have been upgraded to v1.2.0-k3s1. The bandwidth and firewall plugins are now included in the bundle.
* The embedded Helm controller now supports authenticating to chart repositories via credentials stored in a Secret, as well as passing repo CAs via ConfigMap.

Further Comments

[codecov]

Codecov Report

Patch coverage: 7.54% and project coverage change: +0.16 🎉

Comparison is base (2cb4eef) 9.92% compared to head (f165612) 10.09%.

Additional details and impacted files

@@               Coverage Diff                @@
##           release-1.24    #7516      +/-   ##
================================================
+ Coverage          9.92%   10.09%   +0.16%     
================================================
  Files               148      149       +1     
  Lines             10887    10742     -145     
================================================
+ Hits               1081     1084       +3     
+ Misses             9584     9435     -149     
- Partials            222      223       +1     

Flag	Coverage Δ
unittests	10.09% <7.54%> (+0.16%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
pkg/agent/cridockerd/cridockerd.go	0.00% <0.00%> (ø)
pkg/agent/flannel/setup.go	0.00% <ø> (ø)
pkg/agent/tunnel/tunnel.go	0.00% <0.00%> (ø)
pkg/apis/k3s.cattle.io/v1/zz_generated_deepcopy.go	0.00% <ø> (ø)
pkg/cli/server/server.go	0.00% <0.00%> (ø)
pkg/cluster/managed.go	0.00% <0.00%> (ø)
pkg/cluster/storage.go	0.00% <0.00%> (ø)
pkg/crd/crds.go	0.00% <0.00%> (ø)
pkg/daemons/control/tunnel.go	0.00% <0.00%> (ø)
pkg/daemons/executor/embed.go	2.08% <0.00%> (ø)
... and 15 more

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.