Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[release-1.24] Backport version bumps and bugfixes #7516

Merged
merged 17 commits into from
May 10, 2023

Conversation

brandond
Copy link
Member

@brandond brandond commented May 10, 2023

Proposed Changes

Backport version bumps and bugfixes for the 2023-05 release:

Types of Changes

Backports

Verification

See linked issues

Testing

Linked Issues

User-Facing Change

* K3s now retries the cluster join operation when receiving a "too many learners" error from etcd. This most frequently occurred when attempting to add multiple servers at the same time.
* K3s once again supports aarch64 nodes with page size > 4k
* The packaged Traefik version has been bumped to v2.9.10 / chart 21.2.0
* K3s now prints a more meaningful error when attempting to run from a filesystem mounted `noexec`.
* K3s now exits with a proper error message when the server token uses a bootstrap token `id.secret` format.
* Fixed an issue where Addon, HelmChart, and HelmChartConfig CRDs were created without structural schema, allowing the creation of custom resources of these types with invalid content.
* Servers started with the (experimental) --disable-agent flag no longer attempt to run the tunnel authorizer agent component.
* Fixed an regression that prevented the pod and cluster egress-selector modes from working properly.
* K3s now correctly passes through etcd-args to the temporary etcd that is used to extract cluster bootstrap data when restarting managed etcd nodes.
* K3s now properly handles errors obtaining the current etcd cluster member list when a new server is joining the managed etcd cluster.
* The embedded kine version has been bumped to v0.10.1. This replaces the legacy `lib/pq` postgres driver with `pgx`.
* The bundled CNI plugins have been upgraded to v1.2.0-k3s1. The bandwidth and firewall plugins are now included in the bundle.
* The embedded Helm controller now supports authenticating to chart repositories via credentials stored in a Secret, as well as passing repo CAs via ConfigMap.

Further Comments

brandond added 16 commits May 10, 2023 00:12
Fixes an issue where CRDs were being created without schema, allowing
resources with invalid content to be created, later stalling the
controller ListWatch event channel when the invalid resources could not
be deserialized.

This also requires moving Addon GVK tracking from a status field to
an annotation, as the GroupVersionKind type has special handling
internal to Kubernetes that prevents it from being serialized to the CRD
when schema validation is enabled.

Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit ad41fb8)
Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit 9539147)
Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit 0bbc6ad)
Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit 0247794)
Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit 5348b5e)
Don't set up the agent tunnel authorizer on agentless servers, and warn when agentless servers won't have a way to reach in-cluster endpoints.

Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit 31a6386)
Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit 1ca035a)
Several places in the code used a 5-second retry loop to wait on
Runtime.Core to be set. This caused a race condition where OnChange
handlers could be added after the Wrangler shared informers were already
started. When this happened, the handlers were never called because the
shared informers they relied upon were not started.

Fix that by requiring anything that waits on Runtime.Core to run from a
cluster controller startup hook that is guaranteed to be called before
the shared informers are started, instead of just firing it off in a
goroutine that retries until it is set.

Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit c44d33d)
Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit f1b6a35)
Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit 91afb38)
Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit e61fde9)
Also add bandwidth and firewall plugins. The bandwidth plugin is
automatically registered with the appropriate capability, but the
firewall plugin must be configured by the user if they want to use it.

Ref: https://www.cni.dev/plugins/current/meta/firewall/

Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit cedefef)
Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit cf9ebb3)
Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit c98137d)
Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit b32bf49)
As per golang/go#47001 even subtle.ConstantTimeCompare should never be used with variable-length inputs, as it will return 0 if the lengths do not match. Switch to consistently using constant-time comparisons of hashes for password checks to avoid any possible side-channel leaks that could be combined with other vectors to discover password lengths.

Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit 239021e)
@brandond brandond requested a review from a team as a code owner May 10, 2023 00:14
@codecov
Copy link

codecov bot commented May 10, 2023

Codecov Report

Patch coverage: 7.54% and project coverage change: +0.16 🎉

Comparison is base (2cb4eef) 9.92% compared to head (f165612) 10.09%.

Additional details and impacted files
@@               Coverage Diff                @@
##           release-1.24    #7516      +/-   ##
================================================
+ Coverage          9.92%   10.09%   +0.16%     
================================================
  Files               148      149       +1     
  Lines             10887    10742     -145     
================================================
+ Hits               1081     1084       +3     
+ Misses             9584     9435     -149     
- Partials            222      223       +1     
Flag Coverage Δ
unittests 10.09% <7.54%> (+0.16%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
pkg/agent/cridockerd/cridockerd.go 0.00% <0.00%> (ø)
pkg/agent/flannel/setup.go 0.00% <ø> (ø)
pkg/agent/tunnel/tunnel.go 0.00% <0.00%> (ø)
pkg/apis/k3s.cattle.io/v1/zz_generated_deepcopy.go 0.00% <ø> (ø)
pkg/cli/server/server.go 0.00% <0.00%> (ø)
pkg/cluster/managed.go 0.00% <0.00%> (ø)
pkg/cluster/storage.go 0.00% <0.00%> (ø)
pkg/crd/crds.go 0.00% <0.00%> (ø)
pkg/daemons/control/tunnel.go 0.00% <0.00%> (ø)
pkg/daemons/executor/embed.go 2.08% <0.00%> (ø)
... and 15 more

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

@brandond brandond merged commit 8a2a111 into k3s-io:release-1.24 May 10, 2023
@brandond brandond deleted the 2023-05-backports_release-1.24 branch June 6, 2024 21:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants