Signed-off-by: Nikolai Shields <nikolai@nikolaishields.com>

* Increase the default snapshot timeout. The timeout is not currently
  configurable from Rancher, and larger clusters are frequently seeing
  uploads fail at 30 seconds.
* Enable compression for scheduled snapshots if enabled on the
  command-line. The CLI flag was not being passed into the etcd config.
* Only set the S3 content-type to application/zip if the file is zipped.
* Don't run more than one snapshot at once, to prevent misconfigured
  etcd snapshot cron schedules from stacking up.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

Includes fix for ENOSYS/EPERM issue on s390x.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

Includes fix for recently identified memory leak.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

87e1806697cd7dfffb7cb0de73c85e889365780d removed the OwnerReferences
field from the DaemonSet, which makes sense since the Service may now be
in a different namespace than the DaemonSet and cross-namespace owner
references are not supported.  Unfortunately, we were relying on
garbage collection to delete the DameonSet, so this started leaving
orphaned DaemonSets when Services were deleted.

We don't want to add an a Service OnRemove handler, since this will add
finalizers to all Services, not just LoadBalancers services, causing
conformance tests to fail. Instead, manage our own finalizers, and
restore the DaemonSet removal Event that was removed by the same commit.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

Since #4438 removed 2-way sync and treats any changed+newer files on disk as an error, we no longer need to determine if files are newer on disk/db or if there is a conflicting mix of both. Any changed+newer file is an error, unless we're doing a cluster reset in which case everything is unconditionally replaced.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

Properly skip restoring bootstrap data for files that don't have a path
set because the feature that would set it isn't enabled.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

Service.Spec.IPFamilyPolicy may be a nil pointer on freshly upgraded clusters.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

Use same kubelet-preferred-address-types setting as RKE2 to improve reliability of the egress selector when using a HTTP proxy. Also, use BindAddressOrLoopback to ensure that the correct supervisor address is used when --bind-address is set.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

Properly handle unset egress-selector-mode from existing servers during cluster upgrade.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

Signed-off-by: Derek Nola <derek.nola@suse.com>

Update to v1.23.8-k3s1

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

This parameter controls which namespace the klipper-lb pods will be create.
It defaults to kube-system so that k3s does not by default create a new
namespace. It can be changed if users wish to isolate the pods and apply
some policy to them.
Signed-off-by: Darren Shepherd <darren@acorn.io>
(cherry picked from commit e6009b1e)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

The baseline PodSecurity profile will reject klipper-lb pods from running.
Since klipper-lb pods are put in the same namespace as the Service this
means users can not use PodSecurity baseline profile in combination with
the k3s servicelb.

The solution is to move all klipper-lb pods to a klipper-lb-system where
the security policy of the klipper-lb pods can be different an uniformly
managed.
Signed-off-by: Darren Shepherd <darren@acorn.io>
(cherry picked from commit f4cc1b87)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

[Release 1.23] Flannel version update to 0.18.1 and added the ability to configure additional options for wireguard backend

Signed-off-by: Roberto Bonafiglia <roberto.bonafiglia@suse.com>

Allow the flannel backend to be specified as
backend=option=val,option2=val2 to select a given backend with extra options.

In particular this adds the following options to wireguard-native
backend:
* Mode - flannel wireguard tunnel mode
* PersistentKeepaliveInterval- wireguard persistent keepalive interval
Signed-off-by: Sjoerd Simons <sjoerd@collabora.com>

* Move startup hooks wg into a runtime pointer, check before notifying systemd
* Switch default systemd notification to server
* Add 1 sec delay to allow etcd to write to disk
Signed-off-by: Derek Nola <derek.nola@suse.com>

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

If the user points S3 backups at a bucket containing other files, those
file names may not be valid configmap keys.

For example, RKE1 generates backup files with names like
`s3-c-zrjnb-rs-6hxpk_2022-05-05T12:05:15Z.zip`; the semicolons in the
timestamp portion of the name are not allowed for use in configmap keys.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

From https://github.com/urfave/cli/pull/1383 :
> This removes the resulting binary dependency on cpuguy83/md2man and
> russross/blackfriday (and a few more packages imported by those),
> which saves more than 400 KB (more than 300 KB
> once stripped) from the resulting binary.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

[Release 1.23] Add FlannelConfCNI flag

[Release 1.23] Remove kube-ipvs0 interface when cleaning up

Signed-off-by: igor <igor@igor.io>
Signed-off-by: Derek Nola <derek.nola@suse.com>
Co-authored-by: Igor <igorwwwwwwwwwwwwwwwwwwww@users.noreply.github.com>

* Integration Test: Startup (#5630)

* New startup integration test
* Add testing section to PR template
* Move helper functions to direct k8s client calls
Signed-off-by: Derek Nola <derek.nola@suse.com>

* E2E Improvements and groundwork for test-pad tool (#5593)

* Add rancher install sript, taints to cp/etcd roles
* Revert back to generic/ubuntu2004, libvirt networking is unreliable on opensuse
* Added support for alpine
* Rancher deployment script
* Refactor installType into function
* Cleanup splitserver test
Signed-off-by: Derek Nola <derek.nola@suse.com>

* E2E: Dualstack test (#5617)

* E2E dualstack test
* Improve testing documentation
Signed-off-by: Derek Nola <derek.nola@suse.com>

Signed-off-by: Manuel Buil <mbuil@suse.com>

Signed-off-by: Manuel Buil <mbuil@suse.com>

... until QA flakes can be addressed.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

The control-plane context handles requests outside the cluster and
should not be sent to the proxy.

In agent mode, we don't watch pods and just direct-dial any request for
a non-node address, which is the original behavior.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

Watching pods appears to be the most reliable way to ensure that the
proxy routes and authorizes connections.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 9d723049)

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
(cherry picked from commit 1ef34728)

* Remove objects when removed from manifests

If a user puts a file in /var/lib/rancher/k3s/server/manifests/ then the
objects contained therein are deployed to the cluster. If the objects
are removed from that file, they are not removed from the cluster.

This change tracks the GVKs in the files and will remove objects when
there are removed from the cluster.
Signed-off-by: Donnie Adams <donnie.adams@suse.com>
(cherry picked from commit c38a8c3b)
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>