backports: for Talos v1.7.0-beta.1 #8588
Merged
talos-bot
merged 16 commits into
siderolabs:release-1.7
from
smira:backports/v1.7.0-beta.1
Apr 12, 2024
Also add a note about how to enable DNS caching for k8s pods. Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com> (cherry picked from commit 5622f0e)
In Talos, kubelet (and kube-proxy) images use the `iptables-wrapper` script to detect which version of `iptables` (legacy or NFT) to use. The script assumes that `kubelet` runs on the host, and uses whatever version of `iptables` is being used by the host. In Talos, `kubelet` runs in a container which has the same `iptables-wrapper` script, and it defaults to `legacy` mode in our case.

We can't check the `kubelet` image, as it would affect all Talos versions, so instead pre-create the chains/tables in `nftables` so that kubelet will pick up the `nft` version of `iptables`, and `kube-proxy` will do the same.

Without this fix, the problem arises from the mix of `nft` used by Talos for the firewall and the Kubernetes world relying on `legacy` (`xtables`).

Fixes siderolabs/kubelet#77
See https://github.com/kubernetes-sigs/iptables-wrappers/blob/e139a115350974aac8a82ec4b815d2845f86997e/iptables-wrapper-installer.sh#L102-L130
Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com> (cherry picked from commit ff2c427)
Fixes siderolabs#8552 When `apid` notices update in the PKI, it flushes its client connections to other machines (used for proxying), as it might need to use new client certificate. While flushing, just calling `Close` might abort already running connections. So instead, try to close gracefully with a timeout when the connection is idle. Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com> (cherry picked from commit 336e611)
Sort the pod names, so the check output doesn't re-print itself on no change to the list of pods. Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com> (cherry picked from commit b0fdc3c)
Only the cert should be present on worker nodes, enforce this via validation. Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com> (cherry picked from commit c6ad0fc)
This fixes an issue with a single controlplane cluster. Properly present all accepted CAs to the apiserver, in the test let the cluster fully recover between two CA rotations performed. Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com> (cherry picked from commit 9aa1e1b)
The log stream displayed in the dashboard stopped working when a node was rebooted. Rework the log data source to establish a per-node connection and use a retry loop to always reconnect until the dashboard is terminated. Print the connection errors in the log stream in red color. Closes siderolabs#8388. Signed-off-by: Utku Ozdemir <utku.ozdemir@siderolabs.com> (cherry picked from commit 3735add)
Previous approach relied on a field which is _only_ present if file-based PKI is passed in, and fails for e.g. Azure KMS. See siderolabs/image-factory#104 Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com> (cherry picked from commit 909a580)
Fixes siderolabs#8572 This allows using 1.7 machinery with future 1.8 (e.g. alpha) versions. Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com> (cherry picked from commit 6fe91ad)
See siderolabs/extensions#355 Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com> (cherry picked from commit c8f674b)
This shows up in image-factory tests, where multiple images are generated at once, and the global map write access panics. This was a bad idea in general to mutate global state on image generation. Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com> (cherry picked from commit 145f240)
Optimize `DNSResolveCacheController` type, including `dns.Server` optimization for easy start/stop. This PR ensures that we delete server from runners on stop (even unexpected) and restart it properly. Also fixes incorrect assumption on unit-tests.

Fixes siderolabs#8563

This PR also does those things:
- Removes `utils.Runner`
- Removes `ctxutil.MonitorFn`
- Removes `dns.Runner`
- Removes `network.dnsRunner`

Signed-off-by: Dmitriy Matrenichev <dmitry.matrenichev@siderolabs.com> (cherry picked from commit ba7cdc8)
Fixes siderolabs#8558 Similar fix is done for other platforms, but not OpenStack. Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com> (cherry picked from commit bfbd02a)
Updates to match 1.7.0-beta.1 release. Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com> (cherry picked from commit 54dac5e)
See https://github.com/kubernetes/kubernetes/releases/tag/v1.30.0-rc.2 Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com> (cherry picked from commit ea5b3ff)
This is a backports branch. Signed-off-by: Andrey Smirnov <andrey.smirnov@siderolabs.com>
utkuozdemir
approved these changes
Apr 12, 2024
/promote integration-provision
/promote integration-misc
/promote integration-images
/promote integration-cilium
/promote integration-extensions
/promote e2e-aws
/promote e2e-gcp
/promote integration-qemu
/promote integration-qemu-encrypted-vip
/m
PRs backported: