Previously, we declared the Env slice with the size of the `c.Services.KubeAPI.ExtraEnv` field, which leads to empty strings at the beginning of the Env slice because we use Golang's append function to add new elements, and Docker is not happy with that.
We fix this issue by declaring the Env variable as an empty slice. We also enhance the `getUniqStringList` function to properly trim leading and trailing spaces in each element and to ignore empty strings. We add unit tests for the `getUniqStringList` function and update the integration tests.
A new environment variable RKE_ADMISSION_CONFIG_CHECKSUM whose value is the checksum of the content of the admission configuration file is added to the env list that is set in the `kube-apiserver` container configuration, so any changes in the admission configuration file will result in a change in the container's configuration. RKE will detect the changes during reconciliation and therefore restart the kube-apiserver container on all CP nodes. The upgrade cadence is thresholded by the upgrade strategy in the cluster.
This PR also drops the unnecessary appending of env var to the cluster object which shows in the cluster.rkestate file.
Signed-off-by: Jiaqi Luo <6218999+jiaqiluo@users.noreply.github.com>
A new environment variable RKE_ADMISSION_CONFIG_CHECKSUM whose value is the checksum of the content of the admission configuration file is added to the env list that is set in the `kube-apiserver` container configuration, so any changes in the admission configuration file will result in a change in the container's configuration. RKE will detect the changes during reconciliation and therefore restart the kube-apiserver container on all CP nodes. The upgrade cadence is thresholded by the upgrade strategy in the cluster.
This PR also drops the unnecessary appending of env var to the cluster object which shows in the cluster.rkestate file.
Signed-off-by: Jiaqi Luo <6218999+jiaqiluo@users.noreply.github.com>
rke stores auth info in /var/lib/kubelet/config.json but cri-dockerd
relies on k8.io credential provider which uses only default config
provider, this allows cri-dockerd to pull sandbox pause image using
private registry
controller manager must start with proper authorization and
authentication kubeconfig in args starting 1.22. k8s 1.22 has
disabled insecure serving for kube controller manager.
As this logic went, it would relabel /lib/modules, except on enterprise
linux and when SELinux is enabled (even just permisive).
Flatcar Container Linux defaults to SELinux on, but permisive, and
`/lib/modules/` is a symlink to the read-only `/usr`.
So `./rke up` would fail on attempting to relabel /usr.
The prior work around is to set `SELINUX=disable` in
/etc/selinux/config.
Signed-off-by: Vincent Batts <vbatts@kinvolk.io>
Problem: When building a hybrid cluster with windows nodes there is only
a single set of overrides you can use per service. This limits
configuring the node as service args and prefix_path sometimes need to
be specific for the different OS.
Solution: Add support for `win_` prefixed parameters for cluster level
`path_prefix` and service level `extra_args`, `extra_env` and
`extra_binds`. Params will work as before, passing in the non `win_`
prefixed params, IF you set the `win_` prefixed params it willy only use
those meaning you will need to duplicate the params in both config
sections of your rke cluster yaml.
