Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

Some of the new node compat tests take a while before failing as
expected. We don't seem to need the additional time any longer to avoid
flakes, so turn it down a bit.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

* Update Kubernetes to v1.21.0
* Update to golang v1.16.2
* Update dependent modules to track with upstream
* Switch to upstream flannel
* Track changes to upstream cloud-controller-manager and FeatureGates
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

Resolve local retention issue when S3 in use.

Remove early return preventing local retention policy to be enforced
resulting in N number of snapshots being stored.
Signed-off-by: Brian Downs <brian.downs@gmail.com>

Add hidden attribute to disable flags

Signed-off-by: Brian Downs <brian.downs@gmail.com>

add etcd s3 secret and access key flags to secret data

Signed-off-by: Brian Downs <brian.downs@gmail.com>

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

* update CoreDNS to 1.8.3

Rerun go generate and update the CoreDNS RBAC

remove hidden attribute from cluster flags and related code

k3s v1.21 - Bump traefik to v2.4.8

Signed-off-by: Erik Wilson <Erik.E.Wilson@gmail.com>

Signed-off-by: Erik Wilson <Erik.E.Wilson@gmail.com>

* Fix CI failures non-deterministic traefik chart repackaging
* Update generated bindata
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

Signed-off-by: Brian Downs <brian.downs@gmail.com>

Signed-off-by: Brian Downs <brian.downs@gmail.com>

Make v1.20.5+k3s1 stable

Signed-off-by: David Nuzik <david.nuzik@rancher.com>

refactor tunnel.go and controller.go, remove duplicated lines.
Signed-off-by: Xiao Deshi <xiaods@gmail.com>

* Update to Kubernetes v1.20.5
* vendor: bumps for some containerd deps
* go: bump to 1.16.2 for arm
Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
(cherry picked from commit 355fff30)

Remove dependency on which binary, use shell internal equivalent.
Signed-off-by: Frederic Crozat <fcrozat@suse.com>

The repo has been moved.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

When `/dev/kmsg` is unreadable due to sysctl value `kernel.dmesg_restrict=1`,
bind-mount `/dev/null` into `/dev/kmsg`

Fix issue 3011
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Now rootless mode can be used with cgroup v2 resource limitations.
A pod is executed in a cgroup like "/user.slice/user-1001.slice/user@1001.service/k3s-rootless.service/kubepods/podd0eb6921-c81a-4214-b36c-d3b9bb212fac/63b5a253a1fd4627da16bfce9bec58d72144cf30fe833e0ca9a6d60ebf837475".

This is accomplished by running `kubelet` in a cgroup namespace, and enabling `cgroupfs` driver for the cgroup hierarchy delegated by systemd.

To enable cgroup v2 resource limitation, `k3s server --rootless` needs to be launched as `systemctl --user` service.
Please see the comment lines in `k3s-rootless.service` for the usage.

Running `k3s server --rootless` via a terminal is not supported.
When it really needs to be launched via a terminal, `systemd-run --user -p Delegate --tty` needs to be prepended to create a systemd scope.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

put etcd bootstrap save call in goroutine and update comment

Addresses k3s-io/k3s#3066 and CVE-2021-21334
Signed-off-by: Jacob Blain Christen <jacob@rancher.com>

Signed-off-by: Brian Downs <brian.downs@gmail.com>

Signed-off-by: Martin Norrsken <martin.norrsken@gmail.com>

* remove etcd data dir when etcd is disabled
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix comment
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* more fixes
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* use debug instead of info logs
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

Support repository regex rewrite rules when fetching image content.

Example configuration:
```yaml
# /etc/rancher/k3s/registries.yaml
mirrors:
  "docker.io":
    endpoint:
    - "https://registry-1.docker.io/v2"
    rewrite:
      "^library/alpine$": "my-org/alpine"
```

This will instruct k3s containerd to fetch content for `alpine` images
from `docker.io/my-org/alpine` instead of the default
`docker.io/library/alpine` locations.
Signed-off-by: Jacob Blain Christen <jacob@rancher.com>

* have state stored in etcd at completed start and remove unneeded code

Signed-off-by: Chris Kim <oats87g@gmail.com>

get() is called in a loop until client configuration is successfully
retrieved. Each iteration will try to configure the apiserver proxy,
which will in turn create a new load balancer. Skip creating a new
load balancer if we already have one.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

If the port wanted by the client load balancer is in TIME_WAIT, startup
will fail. Set SO_REUSEPORT so that it can be listened on again
immediately.

The configurable Listen call wants a context, so plumb that through as
well.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

* Always use static ports for the load-balancers

This fixes an issue where RKE2 kube-proxy daemonset pods were failing to
communicate with the apiserver when RKE2 was restarted because the
load-balancer used a different port every time it started up.

This also changes the apiserver load-balancer port to be 1 below the
supervisor port instead of 1 above it. This makes the apiserver port
consistent at 6443 across servers and agents on RKE2.

Additional fixes below were required to successfully test and use this change
on etcd-only nodes.

* Actually add lb-server-port flag to CLI
* Fix nil pointer when starting server with --disable-etcd but no --server
* Don't try to use full URI as initial load-balancer endpoint
* Fix etcd load-balancer pool updates
* Update dynamiclistener to fix cert updates on etcd-only nodes
* Handle recursive initial server URL in load balancer
* Don't run the deploy controller on etcd-only nodes

Docs housekeeping