[release-1.27] Backports for 2024-04 release cycle #9912

Merged: 16 commits merged on Apr 11, 2024

@brandond brandond commented Apr 10, 2024

Proposed Changes

Backports:

Types of Changes

Verification

See linked issues

Testing

Linked Issues

User-Facing Change

Send error response if member list cannot be retrieved
The k3s stub cloud provider now respects the kubelet's requested provider-id, instance type, and topology labels
Fix error when image has already been pulled
Add /etc/passwd and /etc/group to k3s docker image
Fix etcd snapshot reconcile for agentless servers 
Add health-check support to loadbalancer
Add certificate expiry check, events, and metrics
Add workaround for containerd hosts.toml bug when passing config for default registry endpoint
Add supervisor cert/key to rotate list
The embedded containerd has been bumped to v1.7.15
The embedded cri-dockerd has been bumped to v0.3.12
The `k3s etcd-snapshot` command has been reworked for improved consistency. All snapshots operations are now performed by the server process, with the CLI acting as a client to initiate and report results. As a side effect, the CLI is now less noisy when managing snapshots.
Improve etcd load-balancer startup behavior
Actually fix agent certificate rotation
Traefik has been bumped to v2.10.7.
Traefik pod annotations are now set properly in the default chart values.
The system-default-registry value now supports RFC2732 IPv6 literals.
The local-path provisioner now defaults to creating `local` volumes, instead of `hostPath`.

Further Comments

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 7a2a2d0)
Prevents joining nodes from being stuck with bad initial member list if there is a transient failure, or if they try to join themselves

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit d7cdbb7)
Don't clobber the providerID field and instance-type/region/zone labels if provided by the kubelet. This allows the user to set these to the correct values when using the embedded CCM in a real cloud environment.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 65cd606)
CRI and containerd APIs disagree about the registry names - CRI supports
index.docker.io as an alias for docker.io, while containerd does not.
Use the actual stored RepoTag to determine what image to ask containerd for.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit f099bfa)
Fixes `cannot find name for user ID 0: No such file or directory` errors when checking user info in docker image

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 7474a6f)
Disable cleanup of orphaned snapshots and patching of node annotations if running agentless

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit edb0440)
* Adds support for health-checking loadbalancer servers. If a
  health-check fails when dialing, all existing connections to the
  server will be closed.
* Wires up a remotedialer tunnel connectivity check as the health check
  for supervisor/apiserver connections.
* Wires up a simple ping request to the supervisor port as the health
  check for etcd connections.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit c51d7bf)
* Add ADR
* Add `k3s certificate check` command.
* Add periodic check and events when certs are about to expire.
* Add metrics for certificate validity remaining, labeled by cert subject

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 7f65975)
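
A sketch of the kind of check the commit above describes, classifying a certificate by validity remaining and labelling the result by subject. This is an added example, not code from k3s or from this pull request; the function names, the 90-day warning window and the sample certificates are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CheckCert returns subject, state (ok/expiring/expired/not-yet-valid) and validity left at now.
func CheckCert(cert *x509.Certificate, now time.Time, warn time.Duration) (string, string, time.Duration) {
	state, left := "ok", cert.NotAfter.Sub(now)
	switch {
	case now.Before(cert.NotBefore):
		state = "not-yet-valid"
	case now.After(cert.NotAfter):
		state = "expired"
	case left <= warn: // warn is an assumed warning window, not a value from the page
		state = "expiring"
	}
	return cert.Subject.String(), state, left
}

// SampleCert builds a constructed self-signed certificate and parses it back from DER.
func SampleCert(cn string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Now()
	for _, days := range []int{300, 20, -5} { // constructed lifetimes, in days from now
		cert, err := SampleCert(fmt.Sprintf("sample%+dd", days), now.AddDate(-1, 0, 0), now.AddDate(0, 0, days))
		if err != nil {
			panic(err)
		}
		fmt.Println(CheckCert(cert, now, 90*24*time.Hour))
	}
}
```

The remaining-validity duration is the value a metric labelled by subject would export; the state string is what a periodic check would turn into an event.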
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit f2961fb)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 60248c4)
@brandond brandond requested a review from a team as a code owner April 10, 2024 21:28
@brandond brandond force-pushed the 2024-04-backport_release-1.27 branch from aceda9e to 4cd9741 Compare April 10, 2024 22:06

codecov bot commented Apr 10, 2024

Codecov Report

Attention: Patch coverage is 23.37376% with 695 lines in your changes are missing coverage. Please review.

Project coverage is 35.56%. Comparing base (01461af) to head (2f2ccc9).

| Files | Patch % | Lines |
|---|---|---|
| pkg/etcd/snapshot_handler.go | 0.00% | 127 Missing ⚠️ |
| pkg/cli/etcdsnapshot/etcd_snapshot.go | 0.00% | 106 Missing ⚠️ |
| pkg/etcd/snapshot.go | 0.00% | 81 Missing ⚠️ |
| pkg/cli/cert/cert.go | 0.00% | 79 Missing ⚠️ |
| pkg/etcd/etcd.go | 2.17% | 45 Missing ⚠️ |
| pkg/util/apierrors.go | 0.00% | 45 Missing ⚠️ |
| pkg/etcd/etcdproxy.go | 0.00% | 39 Missing ⚠️ |
| pkg/clientaccess/token.go | 20.51% | 28 Missing and 3 partials ⚠️ |
| pkg/certmonitor/certmonitor.go | 70.49% | 10 Missing and 8 partials ⚠️ |
| pkg/agent/loadbalancer/servers.go | 66.66% | 9 Missing and 4 partials ⚠️ |

... and 17 more
Additional details and impacted files
@@               Coverage Diff                @@
##           release-1.27    #9912      +/-   ##
================================================
- Coverage         38.58%   35.56%   -3.02%     
================================================
  Files               154      155       +1     
  Lines             15775    13769    -2006     
================================================
- Hits               6086     4897    -1189     
+ Misses             8614     7918     -696     
+ Partials           1075      954     -121     
Flag Coverage Δ
e2etests 35.56% <23.37%> (-3.79%) ⬇️
unittests ?


Bump containerd to v1.7.15
Bump cri-dockerd to v0.3.12

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 0792461)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit fe465cc)
Prefer the address of the etcd member being joined, and seed the full address list immediately on startup.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 7d9abc9)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 08f1022)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 4cc73b1)
@brandond brandond force-pushed the 2024-04-backport_release-1.27 branch from 4cd9741 to 4d81a72 Compare April 10, 2024 23:30
* Update traefik chart to bump image tag and fix quoting
* Fix image quoting in flat manifests
* Update local-path-provisioner config to stop using deprecated hostpath volume type

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
@brandond brandond merged commit a302dae into k3s-io:release-1.27 Apr 11, 2024
27 checks passed
@brandond brandond deleted the 2024-04-backport_release-1.27 branch June 6, 2024 21:07