* Move startup hooks wg into a runtime pointer, check before notifying systemd
* Switch default systemd notification to server
* Add 1 sec delay to allow etcd to write to disk
Signed-off-by: Derek Nola <derek.nola@suse.com>

* Update to v1.21.12
Signed-off-by: Derek Nola <derek.nola@suse.com>

* Update tags to k3s-io for v1.21.12
Signed-off-by: Derek Nola <derek.nola@suse.com>

* Add RetryOnConflict around updating nodes
Signed-off-by: Derek Nola <derek.nola@suse.com>

Use ListWatch helpers to retry when the watch channel is closed.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 7e447692)

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 5b2c14b1)

Also update cert gen to ensure leaf certs are regenerated if other key fields change.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 99851b0f)

Avoids divide-by-zero when the password file is empty
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 0bf7c095)

This controller only needs to run when using managed etcd, so move it in
with the rest of the etcd stuff. This change also modifies the
controller to only watch the Kubernetes service endpoint, instead of
watching all endpoints in the entire cluster.

Fixes an error message revealed by use of a newer grpc client in
Kubernetes 1.24, which logs an error when the Put to etcd failed because
kine doesn't support the etcd Put operation. The controller shouldn't
have been running without etcd in the first place.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit f37e7565)

Don't attempt to retrieve snapshot metadata configmap if the apiserver
isn't available. This could be triggered if the cron expression caused a
snapshot to be triggered before the apiserver is up.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 2a429aac)

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 49544e0d)

This is required to make the websocket tunnel server functional on
etcd-only nodes, and will save some code on the RKE2 side once pulled
through.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit af0b496e)

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit e7437d4a)

(cherry picked from commit 0a5e0b6c)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

[engine-1.21] Wrap containerd.New

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

Signed-off-by: Luther Monson <luther.monson@gmail.com>

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

Improve feedback when running secrets-encrypt commands on etcd-only nodes, and
allow etcd-only nodes to properly restart when effecting rotation.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit e811689d)

Closing idle connections isn't guaranteed to close out a pooled connection to a
loadbalancer endpoint that has been removed. Instead, ensure that requests used
to wait for the apiserver to become ready aren't reused.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

This allows secondary etcd nodes to bootstrap the kubelet before an
apiserver joins the cluster. Rancher waits for all the etcd nodes to
come up before adding the control-plane nodes, so this needs to be
handled properly.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 38706eee)

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit a93b9b6d)

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit f090bf2d)

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit a7878db1)

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 9a480865)

Reuse the existing etcd library code to start up the temporary etcd
server for bootstrap reconcile. This allows us to do proper
health-checking of the datastore on startup, including handling of
alarms.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit e4846c92)

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 3531df3f)

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 555087b9)

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 5014c9e0)

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit a1b800f0)

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 54bb6506)

Several types contained redundant references to ControlRuntime data. Switch to consistently accessing this via config.Runtime instead.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 2989b8b2)

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

* Populate EtcdConfig in runtime from datastore when etcd is disabled (#5222)

Fixes issue with secrets-encrypt rotate not having any etcd endpoints
available on nodes without a local etcd server.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

* Revert naming to old Kine
Signed-off-by: Derek Nola <derek.nola@suse.com>
Co-authored-by: Brad Davidson <brad.davidson@rancher.com>

* Add json flag for secrets-encrypt status
Signed-off-by: Derek Nola <derek.nola@suse.com>