add etcd s3 secret and access key flags to secret data

Signed-off-by: Brian Downs <brian.downs@gmail.com>

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

* update CoreDNS to 1.8.3

Rerun go generate and update the CoreDNS RBAC

remove hidden attribute from cluster flags and related code

k3s v1.21 - Bump traefik to v2.4.8

Signed-off-by: Erik Wilson <Erik.E.Wilson@gmail.com>

Signed-off-by: Erik Wilson <Erik.E.Wilson@gmail.com>

* Fix CI failures non-deterministic traefik chart repackaging
* Update generated bindata
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

Signed-off-by: Brian Downs <brian.downs@gmail.com>

Signed-off-by: Brian Downs <brian.downs@gmail.com>

Make v1.20.5+k3s1 stable

Signed-off-by: David Nuzik <david.nuzik@rancher.com>

refactor tunnel.go and controller.go, remove duplicated lines.
Signed-off-by: Xiao Deshi <xiaods@gmail.com>

* Update to Kubernetes v1.20.5
* vendor: bumps for some containerd deps
* go: bump to 1.16.2 for arm
Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
(cherry picked from commit 355fff3017b06cde44dbd879408a3a6826fa7125)

Remove dependency on which binary, use shell internal equivalent.
Signed-off-by: Frederic Crozat <fcrozat@suse.com>

The repo has been moved.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

When `/dev/kmsg` is unreadable due to sysctl value `kernel.dmesg_restrict=1`,
bind-mount `/dev/null` into `/dev/kmsg`

Fix issue 3011
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Now rootless mode can be used with cgroup v2 resource limitations.
A pod is executed in a cgroup like "/user.slice/user-1001.slice/user@1001.service/k3s-rootless.service/kubepods/podd0eb6921-c81a-4214-b36c-d3b9bb212fac/63b5a253a1fd4627da16bfce9bec58d72144cf30fe833e0ca9a6d60ebf837475".

This is accomplished by running `kubelet` in a cgroup namespace, and enabling `cgroupfs` driver for the cgroup hierarchy delegated by systemd.

To enable cgroup v2 resource limitation, `k3s server --rootless` needs to be launched as `systemctl --user` service.
Please see the comment lines in `k3s-rootless.service` for the usage.

Running `k3s server --rootless` via a terminal is not supported.
When it really needs to be launched via a terminal, `systemd-run --user -p Delegate --tty` needs to be prepended to create a systemd scope.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

put etcd bootstrap save call in goroutine and update comment

Addresses k3s-io/k3s#3066 and CVE-2021-21334
Signed-off-by: Jacob Blain Christen <jacob@rancher.com>

Signed-off-by: Brian Downs <brian.downs@gmail.com>

Signed-off-by: Martin Norrsken <martin.norrsken@gmail.com>

* remove etcd data dir when etcd is disabled
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix comment
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* more fixes
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* use debug instead of info logs
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

Support repository regex rewrite rules when fetching image content.

Example configuration:
```yaml
# /etc/rancher/k3s/registries.yaml
mirrors:
  "docker.io":
    endpoint:
    - "https://registry-1.docker.io/v2

"
    rewrite:
      "^library/alpine$": "my-org/alpine"
```

This will instruct k3s containerd to fetch content for `alpine` images
from `docker.io/my-org/alpine` instead of the default
`docker.io/library/alpine` locations.
Signed-off-by: Jacob Blain Christen <jacob@rancher.com>

* have state stored in etcd at completed start and remove unneeded code

Signed-off-by: Chris Kim <oats87g@gmail.com>

get() is called in a loop until client configuration is successfully
retrieved. Each iteration will try to configure the apiserver proxy,
which will in turn create a new load balancer. Skip creating a new
load balancer if we already have one.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

If the port wanted by the client load balancer is in TIME_WAIT, startup
will fail. Set SO_REUSEPORT so that it can be listened on again
immediately.

The configurable Listen call wants a context, so plumb that through as
well.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

* Always use static ports for the load-balancers

This fixes an issue where RKE2 kube-proxy daemonset pods were failing to
communicate with the apiserver when RKE2 was restarted because the
load-balancer used a different port every time it started up.

This also changes the apiserver load-balancer port to be 1 below the
supervisor port instead of 1 above it. This makes the apiserver port
consistent at 6443 across servers and agents on RKE2.

Additional fixes below were required to successfully test and use this change
on etcd-only nodes.

* Actually add lb-server-port flag to CLI
* Fix nil pointer when starting server with --disable-etcd but no --server
* Don't try to use full URI as initial load-balancer endpoint
* Fix etcd load-balancer pool updates
* Update dynamiclistener to fix cert updates on etcd-only nodes
* Handle recursive initial server URL in load balancer
* Don't run the deploy controller on etcd-only nodes

Docs housekeeping

Signed-off-by: David Nuzik <david.nuzik@rancher.com>

* BUILDING.md
* CODE_OF_CONDUCT.md
* CONTRIBUTING.md
* MAINTAINERS
* README.md
Signed-off-by: David Nuzik <david.nuzik@rancher.com>

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Add functionality for etcd snapshot/restore to and from S3 compatible backends.
* Update etcd restore functionality to extract and write certificates and configs from snapshot.

Fix etcd only nodes

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

Servers should always be upgraded before agents, but generally this
isn't required because things are compatible between versions. In this
case we're OK with failing closed if the user upgrades out of order, but
we should give a clearer message about what steps are required to fix
the issue.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

We have had a couple issues with newer agents not working with old
servers or vice versa. Add a CI test to test variations on
uplevel/downlevel server/agent against latest, stable, and the previous
branch.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>