)]}'
{
  "log": [
    {
      "commit": "cb76c842664d261934fbb03c3fd8c57699183a60",
      "tree": "6c7d8dbfed842a5e56a11226a1c3999256f7450d",
      "parents": [
        "c607bf67ae20b17e8f254a7e3817e2d1a93114be"
      ],
      "author": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Mon Aug 11 12:54:28 2025 +0200"
      },
      "committer": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Thu Aug 14 16:38:23 2025 +0000"
      },
      "message": "m/node: move clusternet under network\n\nMove the clusternet network side under the core/network umbrella and\nrename it to overlay. Also split out types.go into the ipam package\nto get the overlay package out of a lot of dependents which only import\nit for the Prefixes type which should be part of the ipam package.\n\nThis is a clean move with no functional changes intended yet, these\nwill be stacked on top.\n\nChange-Id: I6a6a6964af9d608f9ec3bf75b386c010cfff1df4\nReviewed-on: https://review.monogon.dev/c/monogon/+/4500\nTested-by: Jenkins CI\nReviewed-by: Jan Schär \u003cjan@monogon.tech\u003e\n"
    },
    {
      "commit": "c607bf67ae20b17e8f254a7e3817e2d1a93114be",
      "tree": "23cbb4bb40570be41cca51699c288f193b2b7029",
      "parents": [
        "4bde9313d653c7a3714d824f9904aa4081796560"
      ],
      "author": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Tue Jul 22 20:25:26 2025 +0200"
      },
      "committer": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Mon Aug 11 21:44:47 2025 +0000"
      },
      "message": "m/node: implement container networking ourselves\n\nThis change gets rid of the CNI mechanism for configuring container\nnetworking in favour of a split approach where the network service is\nextended by a gRPC workload network service which handles all of the\nwork as well as a library which exposes just enough of go-cni\u0027s\ninterface to be a drop-in replacement in containerd, which then talks\nto the workload network service.\n\nThis is a rather unconventional approach do doing things as CNI itself\nis a pluggable interface. The reason for doing it this way is that the\nbinary executing interface of CNI has a huge spec which is also horrible\nto convert into decent Go types and being a binary-calling interface has\ninherent lifecycle, complexity and image size disadvantages. The part of\nCNI that is actually used by containerd is tiny and its arguments are\nwell-specified and have decent Go types. It also avoids the whole CNI\ncaching mechanic which adds further unnecessary complexity.\n\nThe reason for the split service model instead of implementing\neverything in cniproxy is to allow for more complex logic and Monogon\ncontrol plane interfacing from the workload network service. Also this\nwill allow offloading the actual service to things like DPUs.\n\nRight now there is some uglyness left to make this self-contained. Two\nobvious examples are the piping through of the pod network event value\nand the exclusion of the first (non-network) IP from the IP allocator.\nThese will eventually go away but are necessary to get this to work as a\nstandalone change.\n\nChange-Id: I46c604b7dfd58da9e6ddd0a29241680d25a2a745\nReviewed-on: https://review.monogon.dev/c/monogon/+/4496\nReviewed-by: Jan Schär \u003cjan@monogon.tech\u003e\nTested-by: Jenkins CI\n"
    },
    {
      "commit": "4bde9313d653c7a3714d824f9904aa4081796560",
      "tree": "4aaf98feae5297653bc791fec367619beff2ab38",
      "parents": [
        "bafa7bd7f5f1db44ed169d447ce56e6a196ed01d"
      ],
      "author": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Wed Aug 06 05:04:11 2025 +0200"
      },
      "committer": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Mon Aug 11 09:34:37 2025 +0000"
      },
      "message": "m/node: extract network.Status to node.NetStatus\n\nThis is done to avoid nasty dependency loops involving clusternet and\nthe network service. The clusternet service can currently not be\nincluded by anything also talking to the network service which will be\nneeded by future network work.\n\nTo make this work we pull out the critical network.Status into\nnode.NetStatus which itself imports nothing and is thus safe to import\neverywhere.\n\nChange-Id: I8935de02926b6e06b5211f90c0c7f9abd8699c6d\nReviewed-on: https://review.monogon.dev/c/monogon/+/4495\nTested-by: Jenkins CI\nReviewed-by: Jan Schär \u003cjan@monogon.tech\u003e\n"
    },
    {
      "commit": "cfbc903146d77408567646708f4c9c3ae782145a",
      "tree": "494bf768df9bea2743345c10fa0a6335ac04bbbd",
      "parents": [
        "a16e6f917f70054bbe50fdc100ae1a7be2e40d91"
      ],
      "author": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Tue Jul 15 14:18:45 2025 +0200"
      },
      "committer": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Thu Jul 17 14:53:07 2025 +0000"
      },
      "message": "treewide: bump to k8s v1.33.2\n\nUpdate Kubernetes to 1.33 which is already at patch version 2. As part\nof K8s gomod dependencies containerd was bumped a minor release to 2.1.3.\nThe UserNamespacesSupport feature gate is now default-on and was thus\ndropped. The netlink patches were upstreamed and can now be dropped as\npart of the depenency update. A new klog sink adapter for our logging\ninterface was introduced as the client-go MutationCache now requires a\nlogger.\n\ncontainerd abuses gRPC interfaces for mocking, thus they are not\nforward-compatible and need a new patch to be compatible with the\nCRI version now being used.\n\nChange-Id: I4feb2ab3bcfca5b83c7ea38ed444b14ade1e9bf0\nReviewed-on: https://review.monogon.dev/c/monogon/+/4433\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n"
    },
    {
      "commit": "62229cf857f1f205b4190bd3d6069928984e36fe",
      "tree": "050834d60ca831733825a83aceab78736a5a4404",
      "parents": [
        "59b49c9b57d37673ef4ecf0c2855280910fc4462"
      ],
      "author": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Mon Jul 07 12:47:31 2025 +0200"
      },
      "committer": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Wed Jul 09 18:03:12 2025 +0000"
      },
      "message": "treewide: update etcd to 3.6\n\nThis is a fairly large update, containing 4 years of upstream\ndevelopment. A lot of code has been moved around, requiring a rebase of\nall patches and ajustments in code using it.\n\nUpstream requires that upgrades first go through etcd 3.5.20, which is\ndone in a CL below this one. Other than that upgrades are possible\nthrough normal Monogon node updates, but downgrades (while implemented\nfor 3.6.0) are still not supported in Monogon until further work is\ndone.\n\nThere are significant issues in etcd synchronization between the\n\"outside\" manager (embed or standalone) and the core (EtcdServer), one\nof which affects removal of the ConsensusMember role, causing a panic\ndue to the client listener not being closed when the server shuts down\non its own. This is triggered by the autopromoter hitting an endpoint on\na shut-down etcd, which accesses a nil backend. This issue existed\nbefore, a full fix will likely involve either significantly rewriting or\ngetting rid of the embed package, so this just fixes the panic-causing\ncode path.\n\nChange-Id: If5932a7428a262fde406a5bb652a40d211301734\nReviewed-on: https://review.monogon.dev/c/monogon/+/4394\nTested-by: Jenkins CI\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\n"
    },
    {
      "commit": "06341a6b1afd7e6c7c395bd6731c7df978c8c4e5",
      "tree": "afef720aecd0149092f252413db89d1b5ceba4da",
      "parents": [
        "2b9a0a0fcf0aeece55ba8792a22cfa42733823c0"
      ],
      "author": {
        "name": "Jan Schär",
        "email": "jan@monogon.tech",
        "time": "Wed Jul 09 08:02:35 2025 +0000"
      },
      "committer": {
        "name": "Jan Schär",
        "email": "jan@monogon.tech",
        "time": "Wed Jul 09 14:53:49 2025 +0000"
      },
      "message": "build/binary_tarball: rename from static_binary_tarball\n\nThe static_binary_tarball rule no longer has a transition to build\nstatically, so the \"static\" part of the name is not meaningful anymore.\n\nChange-Id: Ifaecf2f7846a963d957d4bfcc89a3d9e7e911f5c\nReviewed-on: https://review.monogon.dev/c/monogon/+/4415\nTested-by: Jenkins CI\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\n"
    },
    {
      "commit": "5d3f553965576381e6ae227b44358460e232c584",
      "tree": "ef0c2081810fc54baeca60ad5419bb02aadfffa0",
      "parents": [
        "c36d28d4790c540139b37e4c13c466514c1ac89f"
      ],
      "author": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Sun Jun 29 02:38:26 2025 +0200"
      },
      "committer": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Mon Jun 30 00:02:45 2025 +0000"
      },
      "message": "metropolis/node/kubernetes: remove old todo\n\nCloses #436\n\nChange-Id: Ia5e8392e4046a7282171130410454b66ac211799\nReviewed-on: https://review.monogon.dev/c/monogon/+/4355\nTested-by: Jenkins CI\nReviewed-by: Leopold Schabel \u003cleo@monogon.tech\u003e\n"
    },
    {
      "commit": "b86917b2bdb755de8106aea08841c914d52d3347",
      "tree": "18727705322dc5b26584b7fe019812447f737224",
      "parents": [
        "07e6905d472157754a536564046a23654960de45"
      ],
      "author": {
        "name": "Jan Schär",
        "email": "jan@monogon.tech",
        "time": "Wed May 14 16:31:08 2025 +0000"
      },
      "committer": {
        "name": "Jan Schär",
        "email": "jan@monogon.tech",
        "time": "Mon Jun 16 15:41:59 2025 +0000"
      },
      "message": "metropolis: replace version stamp with product info\n\nThis removes the stamped metropolis version library and the associated\nstampgo infrastructure, and replaces it with the product info file.\n\nThe info is now stored in a separate file in the rootfs, instead of\nembedded in the core binary. This has the benefit that the core binary\nno longer needs to be relinked when stamping info changes.\n\nThe version logging in core/main, and the tconsole are updated to show\nsome of the additional info from the product info.\n\nChange-Id: Ic5ed0e3598e8da71b96748e8d7abfedff41acd3f\nReviewed-on: https://review.monogon.dev/c/monogon/+/4207\nTested-by: Jenkins CI\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\n"
    },
    {
      "commit": "d0d5d9dd04574305cf86bf1eb3e787549100ea28",
      "tree": "e685757c85066ce4671e125374725093577ea986",
      "parents": [
        "b554dd389e51718d5acf084cd706d32e16f3994d"
      ],
      "author": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Wed Mar 26 22:07:11 2025 +0100"
      },
      "committer": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Mon Jun 02 18:57:29 2025 +0000"
      },
      "message": "treewide: use Fatal in tests instead of Error\n\nError doesn\u0027t return the goroutine, but these cases are final and should end the test case.\n\nChange-Id: I9d87e268b56acd7d1ff5883bb82bf3d74c309176\nReviewed-on: https://review.monogon.dev/c/monogon/+/4044\nReviewed-by: Jan Schär \u003cjan@monogon.tech\u003e\nTested-by: Jenkins CI\n"
    },
    {
      "commit": "36f3b6dcbcfd359b744a29cf9245c9dd6879435f",
      "tree": "ee0dcb43cd1a7c22a1fcbaa379d949bd4362b758",
      "parents": [
        "afb922cfba991a2af1473da5850b75e8db03dd56"
      ],
      "author": {
        "name": "Jan Schär",
        "email": "jan@monogon.tech",
        "time": "Tue May 20 09:05:12 2025 +0000"
      },
      "committer": {
        "name": "Jan Schär",
        "email": "jan@monogon.tech",
        "time": "Tue May 27 07:32:21 2025 +0000"
      },
      "message": "treewide: replace stampsrcs with embed\n\nA rules_go maintainer suggested using embed instead of stampsrcs:\nhttps://github.com/bazel-contrib/rules_go/issues/3507\n\nFor Kubernetes, this means we need to patch the version libraries.\nInstead of creating a separate file for each variable, I put them all in\none file, which is parsed in an init function. This init function needs\nto run before all other init functions, which access the variables.\n\nAnother benefit of this change is that versions are stamped in all\nbinaries which include Kubernetes client libraries, not just hyperkube.\n\nChange-Id: Ib1157d3686fc35e0c4191d2fc8e165862a1973c7\nReviewed-on: https://review.monogon.dev/c/monogon/+/4208\nTested-by: Jenkins CI\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\n"
    },
    {
      "commit": "51c6748c2158d7dbc1ec79ada63a5e68a27f8533",
      "tree": "0e14029e3c73d4130b388904aba3237a7224f157",
      "parents": [
        "230a31aec7de7270e5a89a81443f69f9525ad4db"
      ],
      "author": {
        "name": "Jan Schär",
        "email": "jan@monogon.tech",
        "time": "Mon May 05 13:11:55 2025 +0000"
      },
      "committer": {
        "name": "Jan Schär",
        "email": "jan@monogon.tech",
        "time": "Thu May 08 18:26:46 2025 +0000"
      },
      "message": "treewide: implement basic aarch64 support\n\nThis adds aarch64 platforms, and some fixes for aarch64 support. This is\nnot yet complete; e.g. toolchains for aarch64 targets are still missing.\n\nI renamed the amd64 platforms to x86_64 and efi to uefi for consistency\nwith @platforms.\n\nsyscall.Dup2 does not exist on arm64, but unix.Dup2 does.\n\nChange-Id: I3ab081b2b852945b723ec83768f79000b8c4def4\nReviewed-on: https://review.monogon.dev/c/monogon/+/4173\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n"
    },
    {
      "commit": "0cbf51a530ff05eaacadb12c4cc977c24a0f0fb0",
      "tree": "fd14354e8ba64d68489f1f4b0116696baf5ee57f",
      "parents": [
        "4cfff958acf023e190191a2842103897201c4dad"
      ],
      "author": {
        "name": "Jan Schär",
        "email": "jan@monogon.tech",
        "time": "Wed Apr 23 10:21:17 2025 +0000"
      },
      "committer": {
        "name": "Jan Schär",
        "email": "jan@monogon.tech",
        "time": "Thu May 01 06:49:22 2025 +0000"
      },
      "message": "m/n/k/hyperkube: avoid unnecessary rebuilds\n\nPreviously, hyperkube was rebuilt each time a commit was made in the\nmonorepo. This change stops this by reading the variables from a\nfiltered stamp file instead. Now, only this filtered file is rebuilt\neach time, which is very fast compared to linking hyperkube.\n\nPreviously, volatile status variables were used for gitTreeState and\nbuildDate. But the volatile status is bad for reproducibility, as it\nmakes Bazel intentionally use stale caches.  Instead, these variables\nare now only defined in release builds, and left unstamped during\ndevelopment. These variables are available at the /version endpoint of\nthe apiserver, so there may be some utility in defining them for release\nbuilds, but they are not needed during development.\n\nThe buildDate is now taken from the commit date instead of\nSOURCE_DATE_EPOCH, which simplifies the build process as we don\u0027t need\nto define that variable anymore.\n\nPreviously, KUBERNETES_gitCommit was referenced but not defined by the\nstatus script. It is now defined as the monorepo commit, which is more\nuseful than leaving it blank.\n\nChange-Id: I6228888507e400ca1f53167ee9d4f132f5711a45\nReviewed-on: https://review.monogon.dev/c/monogon/+/4167\nTested-by: Jenkins CI\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\n"
    },
    {
      "commit": "b00f7f9a97eae55ae6df80bbdea46815498898fa",
      "tree": "46517933cf9c0d9fc18ccf085dcf335d664e2b94",
      "parents": [
        "1947e9b1480d9a3e90fe8b12bc897fd5cd2abce7"
      ],
      "author": {
        "name": "Jan Schär",
        "email": "jan@monogon.tech",
        "time": "Thu Mar 06 17:27:22 2025 +0100"
      },
      "committer": {
        "name": "Jan Schär",
        "email": "jan@monogon.tech",
        "time": "Tue Mar 18 14:02:05 2025 +0000"
      },
      "message": "m/node/kubernetes: implement storage resizing\n\nThis implements persistent volume resizing in the storage provisioner.\nThe logic is based on https://github.com/kubernetes-csi/external-resizer\n\nThe mutation caches are an optimization to prevent unnecessary repeated\nprocessing, because they make the controller remember changes that it\nhas made itself, when the watch events for those changes have not\narrived yet.\n\nThe controller supports the RecoverVolumeExpansionFailure feature, which\nallows reducing the requested size when the previous resize fails due to\ninsufficient space. When resize fails, it is retried with backoff.\n\nChange-Id: I0f3d40c1a592b30d25739f5d20b529dfe25dfbe1\nReviewed-on: https://review.monogon.dev/c/monogon/+/4008\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n"
    },
    {
      "commit": "1947e9b1480d9a3e90fe8b12bc897fd5cd2abce7",
      "tree": "9c3586cc1e87b87b48d489ac77082b91199c699e",
      "parents": [
        "551a7373e295b30eb7453d51d71b21a5f8bac108"
      ],
      "author": {
        "name": "Jan Schär",
        "email": "jan@monogon.tech",
        "time": "Thu Jan 16 16:45:03 2025 +0100"
      },
      "committer": {
        "name": "Jan Schär",
        "email": "jan@monogon.tech",
        "time": "Tue Mar 18 14:02:05 2025 +0000"
      },
      "message": "m/n/kubernetes: fix storage provisioner rate limiting\n\nForget() resets the rate limiter, so it should only be called when\nprocessing has suceeded.\n\nFor example, provisioning can fail for a block volume if there is not\nenough disk space for the requested size. Previously, this caused the\nlog to be quickly  spammed with \"Failed processing item\" messages, all\nwith \"numrequeues: 0\". With the fix, the retries are properly backed\noff, with the requeue counter incrementing.\n\nChange-Id: I8a31fa03fadb202205967e045d4e30f04567d9d1\nReviewed-on: https://review.monogon.dev/c/monogon/+/4007\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n"
    },
    {
      "commit": "17ad63fa0b09d3dfe461ac237cd5db5eaeefc2ed",
      "tree": "aa133f4b89c91044047c902dad5b752696098b14",
      "parents": [
        "12e4b549f88c91e5eccb2abe1631793c879a66c6"
      ],
      "author": {
        "name": "Jan Schär",
        "email": "jan@monogon.tech",
        "time": "Thu Feb 27 14:43:56 2025 +0100"
      },
      "committer": {
        "name": "Jan Schär",
        "email": "jan@monogon.tech",
        "time": "Thu Feb 27 17:33:51 2025 +0000"
      },
      "message": "m/n/kubernetes/networkpolicy: add Cyclonus test suite\n\nThis adds a test for the network policy controller, based on the\nCyclonus test suite. Running Cyclonus on a real cluster takes multiple\nhours, as there are over 200 test cases, each of which takes around 1\nminute. The test implemented here uses a fake Kubernetes API and pods,\nwhich allows running all tests in around 15 seconds.\n\nIPv6 is partially implemented but disabled. The tests pass, but each\ntest takes around 2 seconds, because some ICMPv6 replies for blocked TCP\nconnections seem to get lost somewhere and are only processed when the\nTCP SYN is resent one second later.\n\nChange-Id: Id77f2dd4d884b6d156e238e07e88c222e3bbe9a2\nReviewed-on: https://review.monogon.dev/c/monogon/+/3905\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n"
    },
    {
      "commit": "12e4b549f88c91e5eccb2abe1631793c879a66c6",
      "tree": "9bf724f8068149af2711a1132d569c006d507ecd",
      "parents": [
        "ec03df42d643603d0a8d92b0db1cc4a4a865651e"
      ],
      "author": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Wed Feb 19 16:29:30 2025 +0100"
      },
      "committer": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Thu Feb 27 17:23:16 2025 +0000"
      },
      "message": "gomod: update k8s-nft-npc\n\nThis includes all of Jan\u0027s fixes to get the test suite to pass.\n\nChange-Id: Ie172325b87e7e4f4859c3576ce8577d48497027f\nReviewed-on: https://review.monogon.dev/c/monogon/+/3924\nReviewed-by: Jan Schär \u003cjan@monogon.tech\u003e\nTested-by: Jenkins CI\n"
    },
    {
      "commit": "16cb15ab5aa2fc0193a1534e65ba2e527e3e8f56",
      "tree": "0d04d148f5127884b12f73b9bc6f83804c65d4cd",
      "parents": [
        "7b1e4c1e89ba5507dd029984a29739b3d43f6846"
      ],
      "author": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Mon Feb 24 18:47:48 2025 +0100"
      },
      "committer": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Tue Feb 25 14:23:22 2025 +0000"
      },
      "message": "treewide: explicity load built-in rules\n\nIn Bazel 9 all autoloaded rules will be disabled. This prepares us for\nthat.\n\nChange-Id: Ibaa4fa2e6b7095922a5699d2d5f3ae6c2cba3552\nReviewed-on: https://review.monogon.dev/c/monogon/+/3939\nTested-by: Jenkins CI\nReviewed-by: Leopold Schabel \u003cleo@monogon.tech\u003e\n"
    },
    {
      "commit": "52700ae56c5d541e711fbd5f27373b3dc200f8dc",
      "tree": "ed5e75883fc44d14f7824b0a5ed40a6ab650923e",
      "parents": [
        "e8beaed8dcde2c198e91addb0baa884079363581"
      ],
      "author": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Tue Jan 28 15:07:08 2025 +0100"
      },
      "committer": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Tue Feb 11 15:05:46 2025 +0000"
      },
      "message": "m/n/k8s: add nftables network policy controller\n\nThis integrates my K8s network policy controller. In its current form it\ndoes not have many guarantees as the custom CNI plugin is not yet in\nthere but it mostly works. Also there is still a DNS hole as host-local\nservices are not properly policed yet.\n\nIt has a basic smoke test using the connectivity testing helper as well\nas some metrics to make sure it is integrated properly and to be able to\nmonitor its performance.\n\nChange-Id: Ia2f54b9975361270678ce742ae5e32df25e515c5\nReviewed-on: https://review.monogon.dev/c/monogon/+/3740\nTested-by: Jenkins CI\nReviewed-by: Jan Schär \u003cjan@monogon.tech\u003e\n"
    },
    {
      "commit": "e8beaed8dcde2c198e91addb0baa884079363581",
      "tree": "8470b2dfe6a8017729083a4bb119c1d8f0b514d9",
      "parents": [
        "08fd1cb799ef2629a2da846584cd42fe2d6ecb35"
      ],
      "author": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Wed Feb 05 22:03:50 2025 +0100"
      },
      "committer": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Tue Feb 11 13:39:37 2025 +0000"
      },
      "message": "m/n/kubernetes: add metricsprovider\n\nKubernetes has a metrics provider interface, add an adapter to be able\nto get these into our Prometheus registry. This code exists in a similar\nform inside K8s but against their custom metrics architecture, not plain\nPrometheus.\n\nAs these metrics are shared across all workqueues we follow K8s in\nimplementing this with a singleton/global. It\u0027s not the prettiest, but\notherwise we may get issues with Prometheus and duplicate metrics.\n\nChange-Id: I0b6d608d14793e44859166a5a59d446c8f662a25\nReviewed-on: https://review.monogon.dev/c/monogon/+/3829\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\nTested-by: Jenkins CI\n"
    },
    {
      "commit": "6d33a4342a16200d628f30ff91b169927fc2867a",
      "tree": "e65ad23cb6d0b795420b5ec625a757784d4c3e3b",
      "parents": [
        "7887f758de8f9106a484ca59d9734304aa919e36"
      ],
      "author": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Tue Feb 04 14:34:25 2025 +0100"
      },
      "committer": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Thu Feb 06 17:03:43 2025 +0000"
      },
      "message": "treewide: add license header and enable haslicense linter\n\nChange-Id: I873a8d4082d75e8f813d8a726a41187eea7a065e\nReviewed-on: https://review.monogon.dev/c/monogon/+/3825\nTested-by: Jenkins CI\nReviewed-by: Leopold Schabel \u003cleo@monogon.tech\u003e\n"
    },
    {
      "commit": "7887f758de8f9106a484ca59d9734304aa919e36",
      "tree": "f3e85143bc4b4a064e44534327a1f656c83b6340",
      "parents": [
        "e6cc22700801d284386fdf7345dd85f7e522a6cb"
      ],
      "author": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Tue Feb 04 03:06:56 2025 +0100"
      },
      "committer": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Thu Feb 06 16:46:49 2025 +0000"
      },
      "message": "third_party: move go patches into their own folder\n\nChange-Id: I7e2f2790e233aaf13cfd6ed2ffcf5544461a4f39\nReviewed-on: https://review.monogon.dev/c/monogon/+/3822\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n"
    },
    {
      "commit": "0dca6c91ea9b8a14278aeb3a1a8ba6b512479862",
      "tree": "d3a4605fa9cefa9dccc79fe3df71d1e4335381a8",
      "parents": [
        "b6ed72eabf092066a837fea4b68846376bd70e8a"
      ],
      "author": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Tue Jan 28 15:04:13 2025 +0100"
      },
      "committer": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Wed Feb 05 14:55:23 2025 +0000"
      },
      "message": "metropolis: use interface groups\n\nThis adds interface groups to all K8s pod interfaces via a CNI plugin\npatch and corresponding configuration. It also adds an interface group\nto the clusternet interface. Using these new interface groups the\nnftables rules for NAT can be simplified.\n\nThese will also be used by the network policy plugin later.\n\nChange-Id: I4638a4349ccb12b8724ad28ae34bb61cac4b4ece\nReviewed-on: https://review.monogon.dev/c/monogon/+/3814\nTested-by: Jenkins CI\nReviewed-by: Jan Schär \u003cjan@monogon.tech\u003e\n"
    },
    {
      "commit": "896b1388fb26096ccaf60ff99ac8da2a9b07dab3",
      "tree": "1f70faa162e8af73f4d08d75dceee15010f849c5",
      "parents": [
        "25e0d8f5bdcae3b03b1bc43cad49b4ed0b4e567e"
      ],
      "author": {
        "name": "Jan Schär",
        "email": "jan@monogon.tech",
        "time": "Wed Jan 15 13:54:26 2025 +0100"
      },
      "committer": {
        "name": "Jan Schär",
        "email": "jan@monogon.tech",
        "time": "Thu Jan 16 08:56:10 2025 +0000"
      },
      "message": "m/n/kubernetes: switch to typed workqueue\n\nThe functions and types without \"Typed\" are deprecated, and should be\nreplaced by the corresponding ones with \"Typed\".\n\nChange-Id: I41c378df953ae4964d1247e470ccf38f13ea1f47\nReviewed-on: https://review.monogon.dev/c/monogon/+/3784\nTested-by: Jenkins CI\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\n"
    },
    {
      "commit": "3a171d123fff540c8c9d646152a5d5ed9ef873de",
      "tree": "62fe245a0182c3ba931d8c33278f2dd89c35e77b",
      "parents": [
        "0996ea85ca6200e1729941d316f7891835871938"
      ],
      "author": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Mon Dec 09 23:51:23 2024 +0100"
      },
      "committer": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Thu Jan 09 21:19:31 2025 +0000"
      },
      "message": "treewide: add race-detector config\n\nThis also disables all `pure \u003d \"on\"` attributes as they propagate too\nfar and break the race detector because rules_go contradicts itself by\nforcing pure go even when CGO is required by the race detector. We build\neverything for our node images static and pure via a transition anyway,\nso this is actually fine.\n\nChange-Id: I5cd3879fba4258caa94df4dbea5c6472867b7e34\nReviewed-on: https://review.monogon.dev/c/monogon/+/3725\nTested-by: Jenkins CI\nReviewed-by: Hendrik Hofstadt \u003chendrik@monogon.tech\u003e\n"
    },
    {
      "commit": "681d5157b955f6b942c620837d1a9e90bdefc983",
      "tree": "254905b461e1545d960fafbdad1ec2c250fc383f",
      "parents": [
        "2edb96aeded0f67904ac9630088454fb12a62317"
      ],
      "author": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Wed Jan 08 00:19:33 2025 +0100"
      },
      "committer": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Wed Jan 08 20:54:21 2025 +0000"
      },
      "message": "treewide: clean up test static binary targets\n\nThis removes some intermediate targets only used for transitions by\nconsolidating them into a single one.\n\nChange-Id: I46dcbcb731038edd2b67259de1811018f5ba43da\nReviewed-on: https://review.monogon.dev/c/monogon/+/3753\nReviewed-by: Leopold Schabel \u003cleo@monogon.tech\u003e\nTested-by: Jenkins CI\nVouch-Run-CI: Tim Windelschmidt \u003ctim@monogon.tech\u003e\n"
    },
    {
      "commit": "837cb8e459b9eefabe89ab17df0b7dafb5e3d631",
      "tree": "32337d84d4f32b0c2c523e2c5bd177f4acfe4808",
      "parents": [
        "b6afed68fd1d2ee9b32d395b388d2db1338d0fa0"
      ],
      "author": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Mon Dec 23 13:52:56 2024 +0100"
      },
      "committer": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Mon Dec 23 21:59:59 2024 +0000"
      },
      "message": "treewide: update Kubernetes to 1.32\n\nRelatively easy change, one cadvisor fix is temporarily needed. The\nlegacy log dir patch needed to be rebased, that\u0027s about it.\n\nI enabled single-process OOM killing again as that was the default for\ncgroupv1 and IMO the more sane behavior.\n\nUpstrem changelog at:\nhttps://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.32.md\n\nChange-Id: I537a6e37137d05efb6eec8635915e36fd8b37cbc\nReviewed-on: https://review.monogon.dev/c/monogon/+/3721\nReviewed-by: Jan Schär \u003cjan@monogon.tech\u003e\nTested-by: Jenkins CI\n"
    },
    {
      "commit": "b62b8e04eb6f2f6ebc54ecc397ded788a924f279",
      "tree": "9934baf66b686eee0609ec2ceb402450de0afee3",
      "parents": [
        "b9701c362d602b9b51961bcff849b2eb28b65883"
      ],
      "author": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Mon Dec 16 20:18:47 2024 +0100"
      },
      "committer": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Mon Dec 16 20:24:07 2024 +0000"
      },
      "message": "m/n/kubernetes: fix flake in TestAsFlags\n\nThis test was flaky due to Go\u0027s map iteration not being deterministic.\nSort the output to make sure we do not introduce unnecessary\nnon-determinism.\n\nFixes: #363\nChange-Id: If70486306a809b7d33bc17206600b0f750429b7d\nReviewed-on: https://review.monogon.dev/c/monogon/+/3708\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\nTested-by: Jenkins CI\n"
    },
    {
      "commit": "d1a8b64d305c57f45416fc40b39211541113a373",
      "tree": "17fcd0e77576b200e75a940fb26ce2334a7a8553",
      "parents": [
        "d77e26ee216738393a9808c95266bbcb91ca0e68"
      ],
      "author": {
        "name": "Jan Schär",
        "email": "jan@monogon.tech",
        "time": "Tue Dec 03 17:40:41 2024 +0100"
      },
      "committer": {
        "name": "Jan Schär",
        "email": "jan@monogon.tech",
        "time": "Wed Dec 04 08:28:03 2024 +0000"
      },
      "message": "treewide: add more ptr.To usages\n\nChange-Id: Ibf511bc012a17e39d6b7b4f3a7d9abc1304d755f\nReviewed-on: https://review.monogon.dev/c/monogon/+/3677\nTested-by: Jenkins CI\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\n"
    },
    {
      "commit": "d77e26ee216738393a9808c95266bbcb91ca0e68",
      "tree": "8dd5dfa48c9b388684b697687be4198094ac66e3",
      "parents": [
        "affe8fa229e3a701e060cb6bc35b9362814b5daf"
      ],
      "author": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Mon Dec 02 18:23:10 2024 +0100"
      },
      "committer": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Tue Dec 03 14:31:57 2024 +0000"
      },
      "message": "treewide: replace bool-to-boolptr helpers with k8s.io/utils/ptr.To\n\nChange-Id: I90419ddfe087291f41f7f2f3589263e56c15470a\nReviewed-on: https://review.monogon.dev/c/monogon/+/3675\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n"
    },
    {
      "commit": "2ecccae4ff62b687ec5e218349fcf8a42069dfc9",
      "tree": "c5a5914c9d3bd8fb37a5650a6b3e4881f9fc2610",
      "parents": [
        "d58edf4e2f745427d69ecc72bfe9a9ead69d697d"
      ],
      "author": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Wed Nov 27 22:03:35 2024 +0100"
      },
      "committer": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Mon Dec 02 16:50:54 2024 +0000"
      },
      "message": "m/node: enable user namespaces in K8s\n\nThis enables the two feature gates for user namespace support in K8s.\nWe did not previously have a passwd file which caused Go\u0027s UserLookup\nto fail with an unexpected error. Add a mostly-empty placeholder file\nto placate it.\n\nChange-Id: I71a7a6dc889a289512075a25b7e551f2cd65ffb6\nReviewed-on: https://review.monogon.dev/c/monogon/+/3665\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\nTested-by: Jenkins CI\n"
    },
    {
      "commit": "d58edf4e2f745427d69ecc72bfe9a9ead69d697d",
      "tree": "bd9424fdb0a58cb7c78ab99d8a3b1d4ebc07c5db",
      "parents": [
        "ff7452b586134e18af9f1362d7b96dcb64aa8d71"
      ],
      "author": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Wed Nov 27 20:38:14 2024 +0000"
      },
      "committer": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Mon Dec 02 16:50:54 2024 +0000"
      },
      "message": "m/n/kubernetes: introduce feature gate infra\n\nThis introduces centralized infrastructure to control feature gates in K8s.\n\nIt includes a test to make sure that we do not keep outdated flags in there.\n\nChange-Id: Ife251cbd5210bc8b3757bb3829e91bcdb2e6fdfb\nReviewed-on: https://review.monogon.dev/c/monogon/+/3664\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\nTested-by: Jenkins CI\n"
    },
    {
      "commit": "ff7452b586134e18af9f1362d7b96dcb64aa8d71",
      "tree": "7e3b9fe5c161cedf1073a086d0b6e5511b20bd98",
      "parents": [
        "231ee041b652ab2aea6a64e0c4929fa4beb5851b"
      ],
      "author": {
        "name": "Jan Schär",
        "email": "jan@monogon.tech",
        "time": "Thu Nov 28 13:08:55 2024 +0100"
      },
      "committer": {
        "name": "Jan Schär",
        "email": "jan@monogon.tech",
        "time": "Thu Nov 28 14:45:57 2024 +0000"
      },
      "message": "m/node/kubernetes: mount PVs with noexec on the host\n\nNow that runc always replaces per-mount-point flags when bind-mounting\nvolumes inside the container, we can mount them with noexec on the host\nwithout affecting workloads. This has some security advantages, as any\nexecutables in volumes are no longer executable from the host.\n\nChange-Id: Id5a8ea8caf702fca58d300fc9e17c21e94ebaf13\nReviewed-on: https://review.monogon.dev/c/monogon/+/3660\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n"
    },
    {
      "commit": "73beb693ce8aed1c1caffaec2f01b2b9c65516b3",
      "tree": "378d3b779febf33b1666438b1dd003053d9fd21c",
      "parents": [
        "be70c9247b7c8f7ab0eef4b0c7b1faaf934b8f97"
      ],
      "author": {
        "name": "Jan Schär",
        "email": "jan@monogon.tech",
        "time": "Wed Nov 27 17:47:09 2024 +0100"
      },
      "committer": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Wed Nov 27 19:34:17 2024 +0000"
      },
      "message": "m/node/kubernetes: remove local-strict storage class\n\nIt turns out that the local-strict storage class did not have an effect\non readonly volumes, or on gVisor. And after updating runc to 1.2.0, it\nno longer has an effect anywhere. It appears that setting noexec and\nsimilar flags in the CSI server, using a storage class, is the wrong\napproach and just happened to work by accident. Instead, this should\nprobably be implemented as a Kubernetes feature to set per-mount-point\nflags on the VolumeMount.\n\nThis commit thus removes the local-strict storage class and the mount\noptions processing in the provisioner and CSI server. This will allow\nupdating runc.\n\nAdditionally, the StatefulSet end-to-end test is extended to also run\ntests with gVisor. gVisor apparently does not support block volumes.\n\nSee: https://github.com/monogon-dev/monogon/issues/361\nChange-Id: Ic2f50aa3bc9442ca1dbb9e8742d5b8fecbfc3614\nReviewed-on: https://review.monogon.dev/c/monogon/+/3658\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n"
    },
    {
      "commit": "be70c9247b7c8f7ab0eef4b0c7b1faaf934b8f97",
      "tree": "b1126b8ddaf845314329bd33249e2ec0db6940dd",
      "parents": [
        "0ec0c53061acd57cf545440a723c1fd9817ed080"
      ],
      "author": {
        "name": "Jan Schär",
        "email": "jan@monogon.tech",
        "time": "Thu Nov 21 11:16:03 2024 +0100"
      },
      "committer": {
        "name": "Jan Schär",
        "email": "jan@monogon.tech",
        "time": "Thu Nov 21 12:57:42 2024 +0000"
      },
      "message": "m/node/kubernetes: fix attaching block PVs\n\nAttaching a block PV to a container failed with the error:\n\"failed to create device node at target path: file exists\".\nThis happened because there was already a directory at the path.\nThe directory should only be created for mounts, not for block devices.\n\nI also extended the PV end-to-end test to add a block volume, and check\nthat it can be opened as a block device and has the expected size.\n\nChange-Id: I40ca82cfcbfee1cb3196a900423f967b45790a64\nReviewed-on: https://review.monogon.dev/c/monogon/+/3623\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n"
    },
    {
      "commit": "0ec0c53061acd57cf545440a723c1fd9817ed080",
      "tree": "ac07fa1b10948234fe1add7300508a427c058325",
      "parents": [
        "652c2ad2e499ca709523978e04b3a3dbb6df642c"
      ],
      "author": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Thu Aug 29 12:39:47 2024 +0000"
      },
      "committer": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Wed Nov 20 18:40:12 2024 +0000"
      },
      "message": "m/n/k/containerd: upgrade to v2\n\nUpgrade containerd to 2.0, migrate config and adjust all paths.\nNo new K8s features are enabled yet, this will come separately.\n\nAlso bumps gVisor to the latest version and essentially reimplements the\nshim as the API has changed a lot.\n\nA drive-by fix in clitable was necessary as the x/tools upgrade\nintroduced a new analysis pass.\n\nChange-Id: I9d25af203b94667aaac69a71eeccad2d42aa5f99\nReviewed-on: https://review.monogon.dev/c/monogon/+/3622\nTested-by: Jenkins CI\nReviewed-by: Jan Schär \u003cjan@monogon.tech\u003e\n"
    },
    {
      "commit": "652c2ad2e499ca709523978e04b3a3dbb6df642c",
      "tree": "4a31c1797694ed53331d1a998922c3587d940d5b",
      "parents": [
        "36f0375c9834d82016cb077142d2eaaea981d7a5"
      ],
      "author": {
        "name": "Jan Schär",
        "email": "jan@monogon.tech",
        "time": "Tue Nov 19 17:40:50 2024 +0100"
      },
      "committer": {
        "name": "Jan Schär",
        "email": "jan@monogon.tech",
        "time": "Wed Nov 20 13:55:19 2024 +0000"
      },
      "message": "m/node/kubernetes: fix PV mount flags and add e2e test\n\nMount flags did not work because of two problems:\n- The provisioner did not copy them from the StorageClass to the\n  PersistentVolume.\n- The CSI server used \u003d instead of |\u003d when adding flags, so only one of\n  the flags was added or removed.\n\nThere was an existing e2e test for PVs, however this only created the\nPVC/PV without even attaching it to a container. I extended this test to\nattach the PV and check from inside the container that it has the\nexpected mount flags and quota.\n\nThe existing e2e test also created a block PV, however attaching a block\nPV to a container was not tested and is apparently broken, so I removed\nthis test for now.\n\nChange-Id: Ie14adfafd333eab38d2b5f1b4ce8a2aa8795eae0\nReviewed-on: https://review.monogon.dev/c/monogon/+/3613\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n"
    },
    {
      "commit": "a8938da203b9ecc42a61b4aa9e92b802bf0e4902",
      "tree": "52c8f2971cc6ce50b9bf17a490a7defbf66e69d2",
      "parents": [
        "9eab31ccbba4a2db416e4c5c387d22ec672ea92f"
      ],
      "author": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Fri Sep 13 22:34:01 2024 +0200"
      },
      "committer": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Mon Nov 11 16:03:55 2024 +0000"
      },
      "message": "metropolis/node/kubernetes: add mountOptions support for PVs\n\nWe have very strict defaults on our data mount which prevents exec\u0027s and\nsuid binaries. By adding support for mountOptions on PVs we enable\nthe user to allow specific behaviour e.g. exec\u0027s on the given PV.\n\nChange-Id: I902cf3b9dafb14598cddc18c327ef3f5bcd6450b\nReviewed-on: https://review.monogon.dev/c/monogon/+/3421\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n"
    },
    {
      "commit": "78567601398f4db5a8080fd30038ff7ac6affe0f",
      "tree": "757ee7c8d374317366a2535dbfb48ceaa66700f0",
      "parents": [
        "beec27c6bdc2da730ffa2a2be6a68e1610148913"
      ],
      "author": {
        "name": "Serge Bazanski",
        "email": "serge@monogon.tech",
        "time": "Thu Oct 31 13:42:04 2024 +0000"
      },
      "committer": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Tue Nov 05 13:11:03 2024 +0000"
      },
      "message": "metropolis: remove stutter in ClusterConfiguration.KubernetesConfig\n\nWe already know this is a config (it lives in ClusterConfiguration), no\nneed to call that a config again.\n\nThis doesn\u0027t break any compatibility yet as field names are not (yet)\nunder a stability guarantee.\n\nChange-Id: Ib6492d1c8303cbd0620b979b8047ec9757e301c0\nReviewed-on: https://review.monogon.dev/c/monogon/+/3594\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n"
    },
    {
      "commit": "e99638e3c7a2f1a604d49c47cc7a2685bfff8c5e",
      "tree": "636c243a58100c971cc3e224abf2c54324aad00a",
      "parents": [
        "9579be5e09b6293edc78d3142b0c67a24afda93c"
      ],
      "author": {
        "name": "Serge Bazanski",
        "email": "serge@monogon.tech",
        "time": "Mon Sep 30 17:06:44 2024 +0000"
      },
      "committer": {
        "name": "Serge Bazanski",
        "email": "serge@monogon.tech",
        "time": "Mon Oct 28 14:22:49 2024 +0000"
      },
      "message": "metropolis/node/kubernetes: synchronize metropolis node labels to kubernetes\n\nThis extends the labelmaker to manage Kubernetes node labels mirrored\nfrom Metropolis node labels.\n\nNote that currently there is no way to edit a ClusterConfiguration at\ncluster runtime, but this will come in a future CL.\n\nChange-Id: If7dbc3796085a8b85c1b5b2a181bcb1cee3d1db4\nReviewed-on: https://review.monogon.dev/c/monogon/+/3469\nReviewed-by: Jan Schär \u003cjan@monogon.tech\u003e\nTested-by: Jenkins CI\n"
    },
    {
      "commit": "6d1ff36763f1d48cf8620afd17321a06d2fbe228",
      "tree": "e0f48b5b138f51579de1ce2662e1b3a39acec6d3",
      "parents": [
        "677de978403a58cd219e77b312b647927bd560ac"
      ],
      "author": {
        "name": "Serge Bazanski",
        "email": "serge@monogon.tech",
        "time": "Mon Sep 30 15:15:31 2024 +0000"
      },
      "committer": {
        "name": "Serge Bazanski",
        "email": "serge@monogon.tech",
        "time": "Mon Oct 28 14:22:49 2024 +0000"
      },
      "message": "metropolis/node/kubernetes: update labels based on node roles\n\nThis implements the labelmaker, a reconciling loop running on Kubernetes\ncontroller nodes which updates Kubernetes node labels based on cluster\ndata.\n\nCurrently it only updates role labels based on cluster roles, but this\ncan be extended in the future to also replicate Metropolis node labels\ninto Kubernetes node labels.\n\nChange-Id: I9c5ba92bb46f064aa03836720d4a80adc6061ab9\nReviewed-on: https://review.monogon.dev/c/monogon/+/3464\nTested-by: Jenkins CI\nReviewed-by: Jan Schär \u003cjan@monogon.tech\u003e\n"
    },
    {
      "commit": "0bc92a087ee0eb279ab29c3aba5d127b4202a2ea",
      "tree": "9c481ad86d6324cdd6bdfff4a55af4d4b4689f3c",
      "parents": [
        "61b97a375aee98f58c13c13be672b442aecc8440"
      ],
      "author": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Tue Oct 01 22:53:08 2024 +0200"
      },
      "committer": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Thu Oct 10 15:55:35 2024 +0000"
      },
      "message": "treewide: bump rules_oci to v2.0.0\n\nChange-Id: Idbeb3a3b7645c5b6f774eb43d218ca0bc79dccc1\nReviewed-on: https://review.monogon.dev/c/monogon/+/3474\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n"
    },
    {
      "commit": "5f1a7de2dfb5db1884fcb677a0bd38daf6dd3c97",
      "tree": "fd52bf35b4b2e6b5c51f56d62424c9d0820ef537",
      "parents": [
        "e337e938ae8e08dffa3a01045571188413ce70ff"
      ],
      "author": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Thu Sep 19 02:00:14 2024 +0200"
      },
      "committer": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Thu Sep 19 12:06:50 2024 +0000"
      },
      "message": "treewide: fix %v in cases where we should use %w\n\nWe should always use %w when using fmt.Errorf as you can use error.Is to\ncompare the underlying error. When printing an error the use of %w is\nwrong and should be replaced with %v.\n\nChange-Id: I741111bd91dcee4099144d2ecaffa879fdbb34a2\nReviewed-on: https://review.monogon.dev/c/monogon/+/2993\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n"
    },
    {
      "commit": "e337e938ae8e08dffa3a01045571188413ce70ff",
      "tree": "f82fa1f5722c3eae99506510056fb6a5ce736309",
      "parents": [
        "7a1b27df41a9729dd9669cdaabd6864afc5e85b7"
      ],
      "author": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Sun Sep 15 20:14:39 2024 +0200"
      },
      "committer": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Wed Sep 18 22:27:59 2024 +0000"
      },
      "message": "m/n/k/containerd: set device ownership based on security context\n\nWhen a user deploys a pod with a kvm device it is owned by root. By\nsetting device_ownership_from_security_context to true, containerd\nwill chown these devices to the uid/gid set in the securityContext.\nFor more information see\nhttps://kubernetes.io/blog/2021/11/09/non-root-containers-and-devices/\n\nChange-Id: I1a0285dfc560c3c662d5e2eb8e37e68d87408b83\nReviewed-on: https://review.monogon.dev/c/monogon/+/3428\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n"
    },
    {
      "commit": "3c5d0635f855f16780792a6be311f71b4d59f20b",
      "tree": "4a48292bf17a874f2d627901ee4f7e9145c5b040",
      "parents": [
        "a036c4e792e4b497c512991291b0cc18bc12b5e3"
      ],
      "author": {
        "name": "Serge Bazanski",
        "email": "serge@monogon.tech",
        "time": "Thu Sep 12 10:49:12 2024 +0000"
      },
      "committer": {
        "name": "Serge Bazanski",
        "email": "serge@monogon.tech",
        "time": "Mon Sep 16 14:03:22 2024 +0000"
      },
      "message": "osbase/logtree.LeveledLogger -\u003e go/logging.Leveled\n\nThis factors out the common leveled logger interface out of the logtree.\nWe want to use the same interface outside of logtree/supervisor usage\nwithin the resolver code, which will be exposed to clients.\n\nChange-Id: I299e76d91e8cefddf8f36f1e58432418c4694df2\nReviewed-on: https://review.monogon.dev/c/monogon/+/3411\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\nTested-by: Jenkins CI\n"
    },
    {
      "commit": "732a88411de08ac44d1f2bdb6b948c39c9ddc727",
      "tree": "6c7b78cf514254594d3ccadbb41f6364dd2cc286",
      "parents": [
        "688ee2b59301e5a0494890003a85583f8da07ec5"
      ],
      "author": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Mon Aug 26 23:25:37 2024 +0200"
      },
      "committer": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Tue Aug 27 21:40:54 2024 +0000"
      },
      "message": "treewide: update to Kubernetes 1.31\n\nOverall not that bad, we got rid of some workarounds and added some new\nones. Biggest change is a significant refactor of the hyperkube package\nas Kubernetes really doesn\u0027t like multiple of their top-level Cobra\ncommands to be instantiated. One new patch for gVisor as new fields got\nadded to a Linux struct which caused codegen to rename an existing one.\nThat patch will go away once [1] is released as this has been changed\nback again.\nOtherwise mostly standard rebases of patches. We currently have a\nwarning in kubelet as our containerd CRI does not support the\nRuntimeConfig RPC, but no released version of containerd has that and\nthe fallback works fine for now.\n\n[1] https://go-review.googlesource.com/c/sys/+/607876\n\nChange-Id: I275e5fb78bc1d09c4ca0e8b5705edbaa80f30d96\nReviewed-on: https://review.monogon.dev/c/monogon/+/3355\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\nTested-by: Jenkins CI\n"
    },
    {
      "commit": "397f7eaa1e98554f8b9fed2c748e492bf739027b",
      "tree": "e0184b594e51a432b41f7ada43efdb1342e67061",
      "parents": [
        "53964c1343dd37e29c8a61a44f47202b3f3726cc"
      ],
      "author": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Tue Aug 20 21:26:06 2024 +0200"
      },
      "committer": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Wed Aug 21 12:33:07 2024 +0000"
      },
      "message": "m/n/kubernetes: set PV inode quota relative to capacity\n\nThis removes the hardcoded 100k inode limit which is very low for large\nPVs in favor of a scaled value dependent on its capacity. This\ntechnically allows overcommit as the inode space is not accounted for on\nthe capacity side, but this was already the case before, just with a\nstatic limit.\n\nChange-Id: I48816cd904127397907c1372e7cbb4b9b5ea60f2\nReviewed-on: https://review.monogon.dev/c/monogon/+/3339\nTested-by: Jenkins CI\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\n"
    },
    {
      "commit": "91bf1c89cbb61cf9f8183306196bfda97dd852a5",
      "tree": "6c2c49d69e6db68917f2170055ddae5496664093",
      "parents": [
        "a48bd3c3220063ed6beecf0b36ef6959f79f3790"
      ],
      "author": {
        "name": "Jan Schär",
        "email": "jan@monogon.tech",
        "time": "Mon Jul 29 17:31:33 2024 +0200"
      },
      "committer": {
        "name": "Jan Schär",
        "email": "jan@monogon.tech",
        "time": "Wed Aug 21 11:10:01 2024 +0000"
      },
      "message": "treewide: integrate new DNS server\n\nThis integrates the new DNS server into the network service, replacing \nCoreDNS.\n\nChange-Id: I1d2e0fd3315dc2c602a8f805ed701633799e9986\nReviewed-on: https://review.monogon.dev/c/monogon/+/3260\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n"
    },
    {
      "commit": "4cfcc0b0b25fba463225feae64232d40e02b570c",
      "tree": "69a7d9ce2d531c763d482e340afe5ceced40c068",
      "parents": [
        "c5e0dbd3437d5c739d42d7724a619b126eabdbf5"
      ],
      "author": {
        "name": "Leopold Schabel",
        "email": "leo@monogon.tech",
        "time": "Wed Jul 24 13:23:26 2024 +0000"
      },
      "committer": {
        "name": "Leopold Schabel",
        "email": "leo@monogon.tech",
        "time": "Thu Jul 25 12:02:52 2024 +0000"
      },
      "message": "metropolis/node/kubernetes: allow privileged pods\n\nThere are valid use cases for privileged pods in low-assurance clusters.\nIn particular, \"kubectl debug node/... --profile\u003dsysadmin\" is very\nuseful for debugging and requires privileged pods.\n\nIn a production cluster, we\u0027d want to restrict privileged pods\nand other dangerous capabilities (which are already allowed)\nusing pod security or more sophisticated admission controllers,\nincluding enforcing future cluster integrity policy levels.\n\nChange-Id: I8f6470f636cdd13b7c980f04f08f95aaff833b20\nReviewed-on: https://review.monogon.dev/c/monogon/+/3246\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n"
    },
    {
      "commit": "3325b4b940370ad4282fdaa6027a5672ff8fdc2a",
      "tree": "7308d80e86a0d0ea34a5d2d5c8dac8cb2dd8efeb",
      "parents": [
        "41b244857ee793cbf74552ec39f2ff614a686a56"
      ],
      "author": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Mon Jul 15 19:19:49 2024 +0200"
      },
      "committer": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Mon Jul 22 21:25:58 2024 +0000"
      },
      "message": "workspace: bump bazel_gazelle to v0.37.0\n\nChange-Id: I45a7769d80781075fdfb1c438240a75629dd572a\nReviewed-on: https://review.monogon.dev/c/monogon/+/3220\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n"
    },
    {
      "commit": "fe6b506b6124b39b0b36c483d03de3b4efc5bdc4",
      "tree": "b3a4cbd0f4890dc5ee9a30eb643b2d3e9aa79fa5",
      "parents": [
        "9f21f5396aa18bc9f2f83c867ff883f49bbf02ae"
      ],
      "author": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Tue Jul 02 16:32:35 2024 +0000"
      },
      "committer": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Thu Jul 04 14:50:22 2024 +0000"
      },
      "message": "m/node: switch to cgroupv2\n\nThis switches us from legacy cgroup (v1) to cgroup v2 aka unified\ncgroup. Our versions of Kubernetes, containerd and runc/gVisor all\nsupport this by now.\n\ncgroup_bpf needs to be enabled in the kernel for containerd with cgroup\nv2. Also enable swap as this now works with cgroup v2, this gets rid of\na warning for every pod being started.\n\nWe are not really using cgroups ourselves, but as the root cgroup in v2\nis special, move our own process into a subgroup at startup.\n\nChange-Id: I8d63b2ad672568c052c3fe1a2306182f033667fa\nReviewed-on: https://review.monogon.dev/c/monogon/+/3207\nTested-by: Jenkins CI\nReviewed-by: Jan Schär \u003cjan@monogon.tech\u003e\n"
    },
    {
      "commit": "9f21f5396aa18bc9f2f83c867ff883f49bbf02ae",
      "tree": "c232f42c84bd6b7ace576261a188134cb0c69771",
      "parents": [
        "f430fbfe35b70283090b6174cf5a920163c0148c"
      ],
      "author": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Tue May 07 15:14:20 2024 +0200"
      },
      "committer": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Thu Jul 04 12:19:37 2024 +0000"
      },
      "message": "treewide: introduce osbase package and move things around\n\nAll except localregistry moved from metropolis/pkg to osbase,\nlocalregistry moved to metropolis/test as it\u0027s only used there anyway.\n\nChange-Id: If1a4bf377364bef0ac23169e1b90379c71b06d72\nReviewed-on: https://review.monogon.dev/c/monogon/+/3079\nTested-by: Jenkins CI\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\n"
    },
    {
      "commit": "3b5a917c5a1ac49acad50eeacb5cf275efc3631e",
      "tree": "1da59c672acf3b68aab81fae38c6b6e5929b82a2",
      "parents": [
        "988403453448d27f6df6eea0a232e97c2a2e739b"
      ],
      "author": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Thu May 23 13:33:52 2024 +0200"
      },
      "committer": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Thu May 23 12:44:02 2024 +0000"
      },
      "message": "treewide: initialize empty structs with var\n\nChange-Id: I72d3993eaf5fe57c77b1dda8218e36a8cc11813d\nReviewed-on: https://review.monogon.dev/c/monogon/+/3108\nTested-by: Jenkins CI\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\n"
    },
    {
      "commit": "d5d33ba1e0798b48f56e6a1bc9178af9fc778179",
      "tree": "76f4f0b0a1175a77b64d5dd7469b3ec6a3d57c2d",
      "parents": [
        "69f5f4e5ffac12c1d8e45e4cc9dc72868aa3af41"
      ],
      "author": {
        "name": "Jan Schär",
        "email": "jan@monogon.tech",
        "time": "Wed May 15 11:45:35 2024 +0200"
      },
      "committer": {
        "name": "Jan Schär",
        "email": "jan@monogon.tech",
        "time": "Wed May 15 16:15:25 2024 +0000"
      },
      "message": "m/n/k/reconciler: remove PSP role and rolebinding\n\nPod Security Policies have been removed from Kubernetes. The default PSP \nwas removed in commit 6211e4dc40, but the role and rolebinding were still \nleft. They do not have a function anymore. Now that reconciler updates \nare implemented, these will be removed from existing clusters after \nupgrading.\n\nChange-Id: Ia953a5ae03c581b15efc4e3b3711aaa008dc145d\nReviewed-on: https://review.monogon.dev/c/monogon/+/3091\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n"
    },
    {
      "commit": "69f5f4e5ffac12c1d8e45e4cc9dc72868aa3af41",
      "tree": "a28c2166fc40b1a2bee20070b4ae6788477ccf1f",
      "parents": [
        "6bc958326f8bd4f3a1606e8a767d21f12f584e88"
      ],
      "author": {
        "name": "Jan Schär",
        "email": "jan@monogon.tech",
        "time": "Wed May 15 10:32:07 2024 +0200"
      },
      "committer": {
        "name": "Jan Schär",
        "email": "jan@monogon.tech",
        "time": "Wed May 15 16:15:25 2024 +0000"
      },
      "message": "m/n/k/reconciler: implement updates\n\nThe reconciler now checks if already present objects are equal to the \nexpected object, and else updates them. If the update fails due to \nimmutable fields, the object is instead deleted and recreated.\n\nAlso, the reconciler now logs create/update/delete operations.\n\nFor the CSI driver, the StorageCapacity and RequiresRepublish were added \nand set to their default value. If we don\u0027t do this, the API server will \nadd these defaults, and then our update comparison fails. There is also \na new test which ensures that expected objects have all defaults already \napplied. This test will fail if a Kubernetes upgrade adds new fields \nwith default values.\n\nCloses #288.\n\nChange-Id: Ibfb37d07b4613ae1a883ad47715feeda87135820\nReviewed-on: https://review.monogon.dev/c/monogon/+/2893\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n"
    },
    {
      "commit": "d20ddccddf601c2a34cc5238bd82b6a4a1744502",
      "tree": "52eeeb7917b79220ad0f0cb34447525f7c21341b",
      "parents": [
        "8bc82868fd289220078ff317235db084349d9f70"
      ],
      "author": {
        "name": "Jan Schär",
        "email": "jan@monogon.tech",
        "time": "Wed May 08 14:18:29 2024 +0200"
      },
      "committer": {
        "name": "Jan Schär",
        "email": "jan@monogon.tech",
        "time": "Tue May 14 12:11:45 2024 +0000"
      },
      "message": "m/n/k/reconciler: implement leader election\n\nBefore this change, the reconciler runs on all Kubernetes controllers. \nWhen we are in a rolling upgrade of the cluster where a reconciled \nobject changes, this will cause the old and new versions of the \nreconciler to fight each other, constantly updating the object back and \nforth.\n\nNow, the reconciler is elected among nodes of the latest release. The \nstatus of the reconciliation is communicated to all Kubernetes \ncontrollers through a new key-value in etcd.\n\nAdditionally, compatibility constraints can be expressed by changing the \nconstants minReconcilerRelease and minApiserverRelease, allowing \nreconciliation to happen in a controlled way that ensures compatibility \neven during rolling upgrades.\n\nChange-Id: Iaf7c27702bd9809a13d47bcf041b71438353bef2\nReviewed-on: https://review.monogon.dev/c/monogon/+/3062\nTested-by: Jenkins CI\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\n"
    },
    {
      "commit": "ddc5e6a098c24c1e69b5c692f534b05dbc763367",
      "tree": "962bc2b07f054b9c2552018a305fca2d9ee277f9",
      "parents": [
        "2d83a128f6096b8133af9edec00e1cd0cd8215b0"
      ],
      "author": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Tue Apr 23 23:44:34 2024 +0200"
      },
      "committer": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Mon May 06 13:34:32 2024 +0000"
      },
      "message": "treewide: update to UwUbernetes (Kubernetes 1.30)\n\nCo-authored-by: Serge Bazanski \u003cserge@monogon.tech\u003e\nCo-authored-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nChange-Id: Id923f503938314ef8fb4243f36604752edbb4605\nReviewed-on: https://review.monogon.dev/c/monogon/+/3047\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n"
    },
    {
      "commit": "2d83a128f6096b8133af9edec00e1cd0cd8215b0",
      "tree": "5fffaa49de3a25ffb8f2588b4050e2da7879ce4a",
      "parents": [
        "6ea5762b371bd7a6b35538b37b2781f8386dd323"
      ],
      "author": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Mon May 06 14:38:32 2024 +0200"
      },
      "committer": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Mon May 06 13:33:59 2024 +0000"
      },
      "message": "m/n/k/p/kvmdevice: fix device inode error handling\n\nThis was broken in d5f851bb47, where the inverted logic was not kept\nwhen migrating to errors.Is.\n\nChange-Id: Id1bbc96f80b33df539a3a5051d56e126bb453390\nReviewed-on: https://review.monogon.dev/c/monogon/+/3077\nTested-by: Jenkins CI\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\n"
    },
    {
      "commit": "51daf25d90adca76375e0d141c93d692ab2cd2eb",
      "tree": "6784b8f4a4c5facdc345ef1d47e0946a6267e74a",
      "parents": [
        "b41b548058101e663a9591beaf2c491a44638d56"
      ],
      "author": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Thu Apr 18 23:18:43 2024 +0200"
      },
      "committer": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Wed Apr 24 22:29:11 2024 +0000"
      },
      "message": "treewide: documentation on exported functions should start with their name\n\nChange-Id: Iea3e929bed743d7edfbf5b54bbaa31796aeaaadd\nReviewed-on: https://review.monogon.dev/c/monogon/+/3027\nVouch-Run-CI: Tim Windelschmidt \u003ctim@monogon.tech\u003e\nTested-by: Jenkins CI\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\n"
    },
    {
      "commit": "096654adb312a1bc858a0f886b8fba755eab52b4",
      "tree": "bb753ba3a24eab6a63b7f7c1757f35f0540b880a",
      "parents": [
        "a355821fa06a7f68ff8ddca6050f71e92e4939a5"
      ],
      "author": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Thu Apr 18 23:10:19 2024 +0200"
      },
      "committer": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Wed Apr 24 22:29:11 2024 +0000"
      },
      "message": "treewide: add missing error handling\n\nChange-Id: I55ccf3ff490b58f6af93e665c668428acddc8d65\nReviewed-on: https://review.monogon.dev/c/monogon/+/3019\nVouch-Run-CI: Tim Windelschmidt \u003ctim@monogon.tech\u003e\nTested-by: Jenkins CI\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\n"
    },
    {
      "commit": "92316fdcb21e4cba0494793f5b90924accfd3fc3",
      "tree": "3e58fea500fec60fc0df8542f1737173de8677d5",
      "parents": [
        "24ce66f0f5f5dac457d5e65beb2980db6780a72a"
      ],
      "author": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Thu Apr 18 23:06:40 2024 +0200"
      },
      "committer": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Wed Apr 24 22:29:11 2024 +0000"
      },
      "message": "treewide: remove unnecessary use of fmt.Sprint\n\nChange-Id: I619dcf56665365e09be27e7c58b8b3596715b8b4\nReviewed-on: https://review.monogon.dev/c/monogon/+/3016\nTested-by: Jenkins CI\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\nVouch-Run-CI: Tim Windelschmidt \u003ctim@monogon.tech\u003e\n"
    },
    {
      "commit": "24ce66f0f5f5dac457d5e65beb2980db6780a72a",
      "tree": "ca5e78ebae92122ec6f9cbe5cf34e64984ebcc05",
      "parents": [
        "2d0230524e96bdca53354fe191554342674c5fc4"
      ],
      "author": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Thu Apr 18 23:59:24 2024 +0200"
      },
      "committer": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Wed Apr 24 22:29:11 2024 +0000"
      },
      "message": "metropolis/node/kubernetes/reconciler: remove redundant nil check\n\nChange-Id: I0ebd2d8d815a964fa854e86868a4870b754ea548\nReviewed-on: https://review.monogon.dev/c/monogon/+/3015\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\nVouch-Run-CI: Tim Windelschmidt \u003ctim@monogon.tech\u003e\nTested-by: Jenkins CI\n"
    },
    {
      "commit": "6e5b8a5b7ad46cc519ba3ca6166cee160b536185",
      "tree": "89460ff19e0b4f63abe13e5e2c3bd68acfd33f30",
      "parents": [
        "62a02ea54a45152baea559172b95c94822b8fa1c"
      ],
      "author": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Wed Apr 17 02:34:07 2024 +0200"
      },
      "committer": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Wed Apr 24 14:22:13 2024 +0000"
      },
      "message": "treewide: add nolint exceptions for returnerrcheck\n\nChange-Id: Ife7e28de0317627994cb55d6bd5b10fa6016332b\nReviewed-on: https://review.monogon.dev/c/monogon/+/2997\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n"
    },
    {
      "commit": "d5f851bb477638436826adec756fe562db526865",
      "tree": "d981b1c62d613b45fb55023da289098d7e377705",
      "parents": [
        "69fec522d5db79d07bb1f227c2ab39c57fdf2831"
      ],
      "author": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Tue Apr 23 14:59:37 2024 +0200"
      },
      "committer": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Wed Apr 24 13:15:14 2024 +0000"
      },
      "message": "treewide: replace error comparisons and assertions with errors.Is\n\nChange-Id: Id2424eb155f2c6842c72c5fafd124d428ef901f2\nReviewed-on: https://review.monogon.dev/c/monogon/+/2994\nTested-by: Jenkins CI\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\n"
    },
    {
      "commit": "49c9ab02d7ce200db6defbc82d95646ac4d64804",
      "tree": "da4d21a21fe25fa6a9e6211e26d8c0ef4ebece1f",
      "parents": [
        "0c57d34190434556847345072371a42a9e1c3154"
      ],
      "author": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Thu Apr 11 01:39:06 2024 +0200"
      },
      "committer": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Mon Apr 15 21:31:42 2024 +0000"
      },
      "message": "treewide: dont seed random\n\nAs of Go 1.20 there is no reason to call Seed with a random value.\nPrograms that call Seed with a known value to get a specific sequence\nof results should use New(NewSource(seed)) to obtain a local random generator.\n\nChange-Id: Ice1bbfefd900e6e9241428ec345f51f780eed91f\nReviewed-on: https://review.monogon.dev/c/monogon/+/2960\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n"
    },
    {
      "commit": "3810567012959d2871400ce2ecd39f53b9072bc3",
      "tree": "d1821ba3db669deec3a240dceb9bbf544b68c611",
      "parents": [
        "2a74e58ac02d0bf6ae25ae1ec4d8f187dd7db5ba"
      ],
      "author": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Thu Apr 11 01:37:29 2024 +0200"
      },
      "committer": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Mon Apr 15 21:31:42 2024 +0000"
      },
      "message": "treewide: remove shadowing of stdlib functions\n\nChange-Id: Iaccb22769d53568f6a4004924c218b9929090d89\nReviewed-on: https://review.monogon.dev/c/monogon/+/2957\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n"
    },
    {
      "commit": "6b6428da110db384cad1f1d65c81f1874c8cecae",
      "tree": "f44e7d1ffcc410893a9851e76e81939b178853df",
      "parents": [
        "5e460a92353ec619f4f12fffbe3281d40c85cf61"
      ],
      "author": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Thu Apr 11 01:35:41 2024 +0200"
      },
      "committer": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Mon Apr 15 21:31:42 2024 +0000"
      },
      "message": "treewide: remove redundant loop vars\n\nChange-Id: I61bada9e3df38e6a94cd6c8fe2d0d8f3ba41c1af\nReviewed-on: https://review.monogon.dev/c/monogon/+/2955\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n"
    },
    {
      "commit": "6211e4dc404a285d858e1ecc69ac488c9cabb96b",
      "tree": "ff3b84efffb58982e0e55e61ed7fceb5df9609dc",
      "parents": [
        "2ac249bf8e571ae7fd134b586ff9c87dce520956"
      ],
      "author": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Tue Nov 14 19:09:40 2023 +0100"
      },
      "committer": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Mon Apr 15 14:45:53 2024 +0000"
      },
      "message": "treewide: k8s 1.28 and lots related updates\n\nFirst, this contains a bunch of dependency updates. Important ones in no\nparticular order:\nKubernetes 1.24.2 -\u003e 1.28.8\netcd 3.5.4 -\u003e 3.5.13\nProtobuf 1.32.0 -\u003e 1.33.0\nOpenTelemetry 0.20.0 -\u003e 1.20.0\ncontainerd 1.6.6 -\u003e 1.7.15\nCoreDNS 1.9.2 -\u003e 1.11.1\n\nWith Kubernetes 1.25 PodSecurityPolicies are removed, this replaces them\nwith a static PodSecurity admission configuration which behaves the same\nor is slightly more permissive in most ways. Only known exceptions are\nthat NET_RAW is no longer an allowed permission and non-standard SELinux\nlabels are no longer permitted (but these never did anything anyways).\nThe RBAC policies are intentionally not removed yet as we do not yet\nhave the capability to actually update these, so they will be removed\nwhen that is available (#288), until then they will stay in-place but\ndo nothing.\n\nWith the containerd upgrade the deprecated option for ignoring\npreseeded/pinned images for garbage collection in Kubelet can be\nremoved.\n\nThis change also contains some drive-by fixes to the controller-manager,\nlike passing the Service IP net and disabling cloud-related control\nloops which generate spurious warnings if enabled.\n\nThe containerd tracing patch is removed as we can now use OTel v1, thus\nthat patch is no longer necessary.\n\nAn actual upgrade test will be part of a future CL as this one is\nalready quite large and it works stand-alone.\n\nCo-authored-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\nChange-Id: I8e5f51e6e6240a1b67590458b2f1c24d58c8e91e\nReviewed-on: https://review.monogon.dev/c/monogon/+/2315\nTested-by: Jenkins CI\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\n"
    },
    {
      "commit": "20b9812e5138784e4e451911f85136e790a759fd",
      "tree": "d66d8ad643cc9c5f9ea77520856aa092fcab75f2",
      "parents": [
        "db3866a782c443baf4eac4e1cf2b7d03b1bf6c5e"
      ],
      "author": {
        "name": "Jan Schär",
        "email": "jan@jschaer.ch",
        "time": "Tue Apr 09 10:44:49 2024 +0200"
      },
      "committer": {
        "name": "Jan Schär",
        "email": "jan@jschaer.ch",
        "time": "Tue Apr 09 10:17:51 2024 +0000"
      },
      "message": "m/n/k/clusternet: delete unused file\n\nThe mentioned pull request was merged, this file is no longer used.\n\nChange-Id: Ibc573e054e53e6ef23684707ec4178afdc301878\nReviewed-on: https://review.monogon.dev/c/monogon/+/2934\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\nVouch-Run-CI: Serge Bazanski \u003cserge@monogon.tech\u003e\nTested-by: Jenkins CI\n"
    },
    {
      "commit": "3bdb5fcf023968526dfe7fadb89b0911bc6d7074",
      "tree": "37a8c1abdee1cf54b25ca0adf868ed879e4db7b3",
      "parents": [
        "22a71c147af31d02a0db298e2ca8356078471b93"
      ],
      "author": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Thu Mar 14 18:47:35 2024 +0100"
      },
      "committer": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Wed Apr 03 15:49:26 2024 +0000"
      },
      "message": "metropolis/core/metrics: expose containerd metrics endpoint\n\nThis adds containerd as another metrics endpoint. It is only available\non nodes with the KubernetesWorker role.\n\nChange-Id: I5f6269165a81d9a4c4cff48d3ed6b6a55d7f4f46\nReviewed-on: https://review.monogon.dev/c/monogon/+/2861\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n"
    },
    {
      "commit": "22a71c147af31d02a0db298e2ca8356078471b93",
      "tree": "7f532c633bb06664a105a28e5aa770e00724d977",
      "parents": [
        "ec2906a6874e223813593128b6e72594a1ecfb0f"
      ],
      "author": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Wed Apr 03 04:06:08 2024 +0200"
      },
      "committer": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Wed Apr 03 14:55:50 2024 +0000"
      },
      "message": "metropolis/node/kubernetes/metricsproxy: clarify error message\n\nIf the metricsproxy fails to reach its target, we should not return the\nsame error message as the metrics service as that would be confusing.\n\nChange-Id: Ia158686d5a7db3e8e62e149a1c7dc8773702a233\nReviewed-on: https://review.monogon.dev/c/monogon/+/2912\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n"
    },
    {
      "commit": "7f72748c67df593b110176422d27be878a7a37f4",
      "tree": "75a621c3ae4ec5daf0d90dffcf298583ef3240c9",
      "parents": [
        "23e5230930b482807be2f7fd29c6f14badf3ad0f"
      ],
      "author": {
        "name": "Jan Schär",
        "email": "jan@jschaer.ch",
        "time": "Mon Mar 25 13:03:51 2024 +0100"
      },
      "committer": {
        "name": "Jan Schär",
        "email": "jan@jschaer.ch",
        "time": "Mon Mar 25 19:41:38 2024 +0000"
      },
      "message": "m/n/k/reconciler: refactor resource interface\n\nReplace interface{} with meta.Object, an interface which provides \naccessors for and is implemented by meta.ObjectMeta. List now returns \nthe objects themselves instead of their names. This makes the reconciler \nslightly less generic, as it now only supports kubernetes objects.\n\nThis is a refactoring in preparation for implementing updates in the \nreconciler. There should be no change in behavior.\n\nChange-Id: I97a4b1c0166a1e6fd0f247ee04e7c44cff570fd7\nReviewed-on: https://review.monogon.dev/c/monogon/+/2891\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\nVouch-Run-CI: Lorenz Brun \u003clorenz@monogon.tech\u003e\n"
    },
    {
      "commit": "b63ed8a6d7eaaf0fa58b127d90001dc805d72c45",
      "tree": "4c1cec25146e8936f7d3f9a09c1e031453e1c5d4",
      "parents": [
        "1ac503c7ddd16c796fb163bcbace7a1db24d5201"
      ],
      "author": {
        "name": "Serge Bazanski",
        "email": "serge@monogon.tech",
        "time": "Tue Mar 05 14:24:38 2024 +0000"
      },
      "committer": {
        "name": "Serge Bazanski",
        "email": "serge@monogon.tech",
        "time": "Thu Mar 21 11:03:54 2024 +0000"
      },
      "message": "m/n/core/network: drop Watch/Value methods, expose Status\n\nThe Watch/Value methods were a leftover from before we had a unified\nevent value API.\n\nChange-Id: Id61732e0570e5fe3d9420857728b1f8a9769e697\nReviewed-on: https://review.monogon.dev/c/monogon/+/2876\nTested-by: Jenkins CI\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\n"
    },
    {
      "commit": "1dd0c6591533bf63389e81a2104bca3c8326e871",
      "tree": "e33a710087b67dfe7f34e8434cff8885dc38420c",
      "parents": [
        "456961d6589c1afec75954ca94ed631e1f380566"
      ],
      "author": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Tue Feb 20 18:45:06 2024 +0100"
      },
      "committer": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Tue Feb 20 18:12:12 2024 +0000"
      },
      "message": "m/n/kubernetes: improve CSI registration reliability\n\nKubelet\u0027s plugin registration mechanism is quite awful, it\nrelies on being notified by inotify that a new registration socket has\nbeen placed into a specific path, which it then interrogates and\nreports back if the registration succeeded.\n\nThat registration sometimes involves network operations which are prone\nto failure. It reports that failure back to the registration server\nasynchronously but does not attempt to retry the process.\n\nTo actually get Kubelet to retry, one needs to remove and recreate the\nregistration socket.\n\nThis change implements such a mechanism, recreating the socket and\nregistration server on every reported registration failure.\n\nSupervisor backoff is used to prevent busy-looping on non-transient\nerrors.\n\nChange-Id: I79eaf0efdf55ccdede15d8cee42cda7c276e4b50\nReviewed-on: https://review.monogon.dev/c/monogon/+/2785\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\nTested-by: Jenkins CI\n"
    },
    {
      "commit": "456961d6589c1afec75954ca94ed631e1f380566",
      "tree": "ac99bfa39deefe0f4aca7478077a66ef8b7c9d74",
      "parents": [
        "1e90c6d29a4af63fa01b472b7a49bdba256797b2"
      ],
      "author": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Tue Feb 20 13:18:26 2024 +0100"
      },
      "committer": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Tue Feb 20 18:12:12 2024 +0000"
      },
      "message": "m/n/k/reconciler: set fsGroupPolicy for CSI driver\n\nThis fixes an issue where kubelet did not apply fsGroupChangePolicy due\nto questionable capability detection code with the default\nfsGroupPolicy. Setting this to the File policy asserts that this driver\nalways supports ownership changes and thus bypasses that Kubernetes\ncapability detection code.\n\nChange-Id: I4799a01561af4f3d9c0de7a6040fd5f9db784d3e\nReviewed-on: https://review.monogon.dev/c/monogon/+/2784\nTested-by: Jenkins CI\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\n"
    },
    {
      "commit": "9c4bece001c15d6ae4793016b2e3854627b2164c",
      "tree": "3381a01d7f7d3e9fd9f6c6e2e037a3a76e5ce8ce",
      "parents": [
        "93020d77a383e68fd4b1adfafaf136c405648172"
      ],
      "author": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Tue Feb 13 18:32:44 2024 +0100"
      },
      "committer": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Tue Feb 13 19:53:58 2024 +0000"
      },
      "message": "m/n/k/containerd: clarify preseed log message\n\nChanging this log message makes it easier to understand what happens.\n\nBefore:\n```\nSuccessfully imported preseeded bundle\nk8s.io/docker.io/bazel/metropolis/test/e2e/preseedtest:preseedtest_image\ninto containerd\n```\n\nAfter:\n```\nSuccessfully imported preseeded bundle\n\"docker.io/bazel/metropolis/test/e2e/preseedtest:preseedtest_image\" into\ncontainerd namespace k8s.io\n```\n\nCloses monogon-dev/monogon#287\n\nChange-Id: I932d36b0cc1926d7248028c8a412f921562a9858\nReviewed-on: https://review.monogon.dev/c/monogon/+/2768\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n"
    },
    {
      "commit": "93020d77a383e68fd4b1adfafaf136c405648172",
      "tree": "f35720a2f35a6efdb63b8044ece9d71121929bd9",
      "parents": [
        "502f9973502fec41d358e0c3939f61c5cf58e0de"
      ],
      "author": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Tue Feb 13 18:13:07 2024 +0100"
      },
      "committer": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Tue Feb 13 19:53:34 2024 +0000"
      },
      "message": "m/n/k/containerd: use preseeded pause container\n\nTo allow no-network tests we need to bundle the pause container.\n\nChange-Id: I1fa6bb70c10a16097d35d919941f501ddc5f784d\nReviewed-on: https://review.monogon.dev/c/monogon/+/2767\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n"
    },
    {
      "commit": "ad86a55c9c507478e2c4989f50912d7869164066",
      "tree": "214d48bcad4ede5909af88ce7deaadedd2d9fbe0",
      "parents": [
        "7dbf18c1932b5c7945a2ba53d7580a6857cda5d3"
      ],
      "author": {
        "name": "Serge Bazanski",
        "email": "serge@monogon.tech",
        "time": "Wed Jan 31 17:46:47 2024 +0100"
      },
      "committer": {
        "name": "Serge Bazanski",
        "email": "serge@monogon.tech",
        "time": "Thu Feb 08 11:10:07 2024 +0000"
      },
      "message": "m/n/kubernetes: serve authproxy with node certificate\n\nWe are currently serving authproxy with the Kubernetes node certificate,\nwhich is somewhat useless, considering that this certificate isn\u0027t even\nissued by the same CA that the client certificates (which are Metropolis\ncertificates) presented.\n\nThis changes the authproxy to serve with Metropolis node certificates\ninstead.\n\nChange-Id: I03ff19c919c6a9fa72c98997432cc06a59e9958e\nReviewed-on: https://review.monogon.dev/c/monogon/+/2740\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n"
    },
    {
      "commit": "e6e570ae3c26c5fda4855522e8cf04644627295f",
      "tree": "1678ee01ccfc5277f2e6f79858466a2847d291fd",
      "parents": [
        "6fa92ac53f2cbeb3b2e63dea9f87b1b19a680434"
      ],
      "author": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Tue Nov 28 19:23:19 2023 +0100"
      },
      "committer": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Wed Nov 29 12:23:41 2023 +0000"
      },
      "message": "m/n/k/nfproxy: use discovery/v1 API\n\nThe old discovery/v1beta1 is deprecated and removed in 1.25. We need to\nget nfproxy to use the new API (available since 1.21) before we jump\nto a K8s control plane version above 1.25.\n\nChange-Id: I6336e168e9efbfc4a7b41f6fe15efebf95624df2\nReviewed-on: https://review.monogon.dev/c/monogon/+/2407\nTested-by: Jenkins CI\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\n"
    },
    {
      "commit": "4b42c8a429b1d061faa9823c1ac26adaac3dc012",
      "tree": "e5bf8412d8fceb0178cbf93b7623934299b475e3",
      "parents": [
        "a6a039209495ee74c2e830a55f496e901b6a3b5b"
      ],
      "author": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Sun Nov 19 07:02:51 2023 +0100"
      },
      "committer": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Mon Nov 20 22:13:16 2023 +0000"
      },
      "message": "m/n/c/metrics: add kube-apiserver\n\nThis adds the Kubernetes API Server metrics to the list of exported\nmetrics.\n\nChange-Id: Ie5827441362787a3bff03ec6cff1f07332b0ae34\nReviewed-on: https://review.monogon.dev/c/monogon/+/2335\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\nTested-by: Jenkins CI\n"
    },
    {
      "commit": "60461b2b23eb57319525a3e00d7ae57e51598ebc",
      "tree": "17f4eb857a29b08a6e2be059279b9d88691aff09",
      "parents": [
        "3fd0977e92c3e86cdfde736debdda66af05d1015"
      ],
      "author": {
        "name": "Serge Bazanski",
        "email": "serge@monogon.tech",
        "time": "Thu Oct 26 19:16:59 2023 +0200"
      },
      "committer": {
        "name": "Serge Bazanski",
        "email": "serge@monogon.tech",
        "time": "Mon Nov 13 21:05:16 2023 +0000"
      },
      "message": "metropolis: move curator client watches to curator/watcher\n\nThis replaces all the ad-hoc code to watch Curator node(s) with calls\nthrough the new curator/watcher library.\n\nChange-Id: Ie2a82b330e4108b9b725515cb10595916c38b323\nReviewed-on: https://review.monogon.dev/c/monogon/+/2263\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n"
    },
    {
      "commit": "f64f197c8039a72d82efaae6a21f725d3cd3ac7a",
      "tree": "302a5d9c6ee1d5cdf2b2c8e4abe7b0609c9a2ffa",
      "parents": [
        "54a5a053f2250c03d8476293ecb98fdb458ee5fd"
      ],
      "author": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Fri Jul 28 00:00:50 2023 +0000"
      },
      "committer": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Wed Oct 11 10:53:00 2023 +0000"
      },
      "message": "metropolis/node/core/metrics: fixup metrics authentication\n\nChange-Id: I67643855ab61bfdea980211ffe01e50c2409882b\nReviewed-on: https://review.monogon.dev/c/monogon/+/1979\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\nTested-by: Jenkins CI\n"
    },
    {
      "commit": "65702194ea264a0fd01fb470bacaf39264b4f637",
      "tree": "3469201097b30e638f1e446655e1d23b33d90f8d",
      "parents": [
        "f551a7696824a9ddbac63191c489db8280aee0a4"
      ],
      "author": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Thu Aug 31 16:27:38 2023 +0200"
      },
      "committer": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Thu Sep 14 13:43:45 2023 +0000"
      },
      "message": "workspace: rules_go, gazelle, go, gVisor update\n\nThis commit not only updates rules_go and friends, but also updates\ngVisor, removes legacy protobuf usage and switches from using\nbuild_configuration to a config flag for bazel\n\nChange-Id: Idb383f35ca0fec4cb7329e9d991f08f28cf9b1fb\nReviewed-on: https://review.monogon.dev/c/monogon/+/2129\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n"
    },
    {
      "commit": "90613afdf11f7831fc0a673f2fe502c28ab93729",
      "tree": "1f524cdd0e25a3dd28ff350803d2bc296c3d6fda",
      "parents": [
        "88a76b7a89b3fc81b9135b1197e1ea6fd3698121"
      ],
      "author": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Thu Jul 20 14:26:18 2023 +0200"
      },
      "committer": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Wed Jul 26 12:04:58 2023 +0000"
      },
      "message": "metropolis/node/kubernetes: fix mtls authentication to (controller-manager|scheduler)\n\nPreviously it wasn\u0027t possible to authenticate against the services\nas they had no CA they trusted for the sent client certificate.\n\nChange-Id: Ic7cd2419a9e3496680a9393424c7ca1780c4d38c\nReviewed-on: https://review.monogon.dev/c/monogon/+/1951\nTested-by: Jenkins CI\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\n"
    },
    {
      "commit": "150f24a5421dc1449d79a801524a7c98754f7bca",
      "tree": "c4f69b7e6260a241f3d946b36eda309e2539ccba",
      "parents": [
        "901c7326fe067707812757e4e9409f756edf0e37"
      ],
      "author": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Thu Jul 13 20:11:06 2023 +0200"
      },
      "committer": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Wed Jul 19 12:17:34 2023 +0000"
      },
      "message": "metropolis/test: use localregistry\n\nThis removes everything but the preseed test image from the preseed\nimage pool, instead opting to serve all test image via localregistry.\n\nThe registry API is served from a dedicated IP inside the virtual\nnetwork and forwarded to an ephemeral listener on the host. The relevant\ninfrastructure is added to the launch package.\n\nAs it is required to add configuration to containerd for this registry\nanyways as it does not and should not have TLS we take that opportunity\nto give it a descriptive name (test.monogon.internal).\n\nVisibilities of images are also adjusted as they are now referenced much\ncloser to their point of use.\n\nAgainst main this saves 51MiB in bundle size (289MiB -\u003e 238MiB).\n\nChange-Id: I31f732eb8c4ccec486204f35e3635b588fd9c85b\nReviewed-on: https://review.monogon.dev/c/monogon/+/1927\nTested-by: Jenkins CI\nReviewed-by: Leopold Schabel \u003cleo@monogon.tech\u003e\n"
    },
    {
      "commit": "d1c392a788043f2bd82d936a334bd01e1be97421",
      "tree": "1bdf2d7a4d7a54b2d8bda0c3c729eb2c9eef90a4",
      "parents": [
        "0553f885b84ca97384ffdb942b30c67d23166a16"
      ],
      "author": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Thu Jul 06 19:10:56 2023 +0200"
      },
      "committer": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Tue Jul 11 10:48:05 2023 +0000"
      },
      "message": "m/n/kubernetes: fix CSI local PV publishing\n\nExperimentally confirmed to fix pods stuck in creating because the\nmount syscall failed with ENOENT because the target directory did not\nexist. The current CSI spec now explicitly says that creation of\ntarget_path is the responsibility of the storage plugin, so let\u0027s\nactually create that directory.\n\nChange-Id: I57d8086f2e70040095206c36e4302b352d06bb84\nReviewed-on: https://review.monogon.dev/c/monogon/+/1914\nTested-by: Jenkins CI\nReviewed-by: Leopold Schabel \u003cleo@monogon.tech\u003e\n"
    },
    {
      "commit": "0300077941db0edfdcac0ae42e4a5dad3e8d3fd7",
      "tree": "979cfc5f4269d3428b725acd79b9a216db8a6f82",
      "parents": [
        "a2ee88d585b9b8603f47544c95f09b380b92b5e2"
      ],
      "author": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Mon Jul 03 02:19:28 2023 +0200"
      },
      "committer": {
        "name": "Tim Windelschmidt",
        "email": "tim@monogon.tech",
        "time": "Tue Jul 04 18:58:49 2023 +0000"
      },
      "message": "metropolis/node: allow all ports as NodePorts except special ones\n\nAs we dont have hostPort implemented we can only  provide NodePorts to\napplications. To allow apps to use all ports we have to increase the range\nbut have to prevent them from using reserved metropolis ones. This is\ncurrently prevented by patching the allocator and hardcode all of them.\n\nChange-Id: I7c0e8b17643d1ec03e1a1b678bc6276881b1c5e5\nReviewed-on: https://review.monogon.dev/c/monogon/+/1884\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n"
    },
    {
      "commit": "4599aa2dfa42a7b694ad295bc700db03de96d7f5",
      "tree": "411035d2b647dcb1adc68db8f22c4384befa8294",
      "parents": [
        "6f5995153827f2b191cc2faebe21ca58764af33b"
      ],
      "author": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Wed Jun 28 13:09:32 2023 +0200"
      },
      "committer": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Wed Jun 28 12:20:57 2023 +0000"
      },
      "message": "m/n/k8s: fix start after unclean shutdown\n\nBoth the kvmdevice as well as the CSI runnables listen on Unix sockets.\nThese are normally removed on close (this is actually the default for\nsockets opened wiht ListenUnix, thus drop setting this), but when an\nunclean shutdown occurs they persist. Since one cannot listen on an\nalready-existing socket, opportunistically remove them before listening.\n\nChange-Id: I11d986a2816fde3d7ffef0817ae3bbf39bba4faf\nReviewed-on: https://review.monogon.dev/c/monogon/+/1867\nTested-by: Jenkins CI\nReviewed-by: Leopold Schabel \u003cleo@monogon.tech\u003e\n"
    },
    {
      "commit": "2f7e0a281e72ae45fff6c4d79934442367475b81",
      "tree": "4dcd2233a274bef4645c4bfbbbd62f072d11481a",
      "parents": [
        "c49b207a66a994ccda382d685022d08cbd9ee582"
      ],
      "author": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Thu Jun 22 16:56:13 2023 +0200"
      },
      "committer": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Thu Jun 22 16:36:33 2023 +0000"
      },
      "message": "m/node: enlarge K8s networks\n\nFor bigger clusters, the current 10.0.0.0/16 subnet is far too small.\nSwitch to 10.192.0.0/11 which should be out of the way of most of our\ntest infra and is large enough for 8192 nodes with 253 pods which is\nbig enough for the time being. Also migrate the service network\nto 10.224.0.0/16 and make it much bigger. It does not need to be in the\npod CIDR, so move it out of there.\nBut for large clusters this will continue to be a problem until we have\na better allocation algorithm or switch to IPv6 with 464xlat (which\nis not supported on Linux currently however).\n\nChange-Id: Ib3a019fffacec2172721f04c01133b44bffba73b\nReviewed-on: https://review.monogon.dev/c/monogon/+/1848\nReviewed-by: Leopold Schabel \u003cleo@monogon.tech\u003e\nTested-by: Jenkins CI\n"
    },
    {
      "commit": "51a3ed59a1408fe5d8103dca5b6a04dbaa4e5b6a",
      "tree": "b17dd748b088b4c7899c4aee0a1ab862a59509b4",
      "parents": [
        "186109c55db3121749311fc2e954be0eaccdf249"
      ],
      "author": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Wed Jun 21 16:45:15 2023 +0200"
      },
      "committer": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Thu Jun 22 12:33:31 2023 +0000"
      },
      "message": "m/n/k/containerd: change default runtime to runc\n\nFor high-security usecases it might still make sense to force gVisor,\nbut generally people expect runc as the default runtime. gVisor can\nstill be used by specifying a runtimeclass in the pod.\n\nChange-Id: Idc02275fd00c2a7dff3ce6949268294afa5644eb\nReviewed-on: https://review.monogon.dev/c/monogon/+/1839\nTested-by: Jenkins CI\nReviewed-by: Leopold Schabel \u003cleo@monogon.tech\u003e\n"
    },
    {
      "commit": "0e291a193cbfd0b169e749e7f28adc954a58f560",
      "tree": "01b7ad51279b9060c3c967a0061826d37dbfaf01",
      "parents": [
        "4264b8c641109c05c4828b40cd2e01e686890903"
      ],
      "author": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Thu Jun 01 12:22:45 2023 +0200"
      },
      "committer": {
        "name": "Lorenz Brun",
        "email": "lorenz@monogon.tech",
        "time": "Tue Jun 13 13:03:53 2023 +0000"
      },
      "message": "m/node: clean up DNS service\n\nThe primary change in here is that CoreDNS now only listens on the\nloopback interface by default.\nThis fixes #217 as it cannot be accessed from the outside anymore.\nSince the containers do not share the host network namespace, they can\nnow no longer access the DNS service. This is solved by introducing a\nnew Network Service API to add listener IPs and using a link-local IP,\n169.254.77.53 for the container DNS.\nWhile at it, I cleaned up various parts of the DNS code.\n\nChange-Id: Id7b618f62690032db335e8478b9de84410c210a1\nReviewed-on: https://review.monogon.dev/c/monogon/+/1759\nTested-by: Jenkins CI\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\n"
    },
    {
      "commit": "2cfafc9a4c34152dd93b58aa82df1720fb4dd6d6",
      "tree": "7a944999ab576f4b421651c2c4d513b0b572a1be",
      "parents": [
        "d0be371ea905c3729f98d91d255d775b7c5193d3"
      ],
      "author": {
        "name": "Serge Bazanski",
        "email": "serge@monogon.tech",
        "time": "Tue Mar 21 16:42:47 2023 +0100"
      },
      "committer": {
        "name": "Serge Bazanski",
        "email": "serge@monogon.tech",
        "time": "Thu Apr 13 14:03:02 2023 +0000"
      },
      "message": "metropolis/node/kubernetes: move worker services to KubernetesWorker nodes\n\nThis finalizes the Big Split. After this change, nodes will only run a\nkubelet (and related services) if they have a KubernetesWorker role\nattached.\n\nThe first node in a new cluster now starts out with KubernetesController\nand ConsensusMember. All joined nodes start with no roles attached.\n\nChange-Id: I25a059318450b7d2dd3c19f3653fc15367867693\nReviewed-on: https://review.monogon.dev/c/monogon/+/1380\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n"
    },
    {
      "commit": "b565cc679cd5af598dc863890a3e1cce98eb1c57",
      "tree": "eddf2b4b5636b0c5086cf8fb874927cdc73659c1",
      "parents": [
        "9104e381ab7a2c90087843de00204eed9ed7cf99"
      ],
      "author": {
        "name": "Serge Bazanski",
        "email": "serge@monogon.tech",
        "time": "Thu Mar 30 18:43:51 2023 +0200"
      },
      "committer": {
        "name": "Serge Bazanski",
        "email": "serge@monogon.tech",
        "time": "Thu Apr 06 14:19:17 2023 +0000"
      },
      "message": "m/n/core/clusternet: grab external IP address prefix from network service\n\nThis moves the logic for merging the node IP and node prefixes from the\nsubmitter of the prefixes into the clusternet logic itself.\n\nThis means clusternet now has two independent sources of prefix data:\nthe network service\u0027s external IP address, and the kubelet\u0027s node\nprefixes.\n\nThis simplifies use in a worker/controller split, where a controller\nnode normally doesn\u0027t submit any prefixes as it\u0027s not running a kubelet\nor kubelet-adjacent prefixes - but we still want it to submit its\nexternal IP address.\n\nChange-Id: I46c9430228ce966426d3a8d33a765ecfdfca0d29\nReviewed-on: https://review.monogon.dev/c/monogon/+/1479\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n"
    },
    {
      "commit": "7920852953a4b0846ddb16cb82a038b064ba473a",
      "tree": "afa919bc332a93bd0666714843632cffa1095170",
      "parents": [
        "4e6eae2bec769a565eece47438fcb594e7da2765"
      ],
      "author": {
        "name": "Serge Bazanski",
        "email": "serge@monogon.tech",
        "time": "Tue Mar 28 20:14:58 2023 +0200"
      },
      "committer": {
        "name": "Serge Bazanski",
        "email": "serge@monogon.tech",
        "time": "Wed Apr 05 14:14:44 2023 +0000"
      },
      "message": "m/n/kubernetes: use node clusternet to submit cluster networking routes\n\nThis completes the work on using the new cluster networking service from\nKubernetes, thereby allowing non-worker nodes to participate in cluster\nnetworking.\n\nChange-Id: I7f3759186d7c8cc49833be29963f82a1714d293e\nReviewed-on: https://review.monogon.dev/c/monogon/+/1418\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n"
    },
    {
      "commit": "6d6ed31da287a055b18dedaa1fd70420994c66ae",
      "tree": "59de543dc0ad9bed120c29c62fdf19508b1ce341",
      "parents": [
        "1fdab13a2ea1411b332f67cfa9b1216753b9eb11"
      ],
      "author": {
        "name": "Serge Bazanski",
        "email": "serge@monogon.tech",
        "time": "Mon Mar 27 11:04:14 2023 +0200"
      },
      "committer": {
        "name": "Serge Bazanski",
        "email": "serge@monogon.tech",
        "time": "Mon Apr 03 14:02:00 2023 +0000"
      },
      "message": "m/n/kubernetes/{clusternet,nfproxy}: log informer errors\n\nChange-Id: I9ea1444c7042dd25c25cecc6b6da054554010a85\nReviewed-on: https://review.monogon.dev/c/monogon/+/1447\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n"
    },
    {
      "commit": "fe39cc21b69bb9fd9f641dfc6b3514386cbb0d4c",
      "tree": "2c4ff1bc567bb6b5e276bef2028fc196cbc37f2b",
      "parents": [
        "e88ffe9af09b2740bfe0c47ec1efae0380d4f706"
      ],
      "author": {
        "name": "Serge Bazanski",
        "email": "serge@monogon.tech",
        "time": "Tue Mar 21 14:21:54 2023 +0100"
      },
      "committer": {
        "name": "Serge Bazanski",
        "email": "serge@monogon.tech",
        "time": "Thu Mar 23 12:21:21 2023 +0000"
      },
      "message": "m/n/c/curator: implement IssueCertificate for Kubernetes Workers\n\nThis is not yet used in this change, but will be very soon.\n\nChange-Id: I0283941f15211515537d2b23e0c8cd72dc2d77c5\nReviewed-on: https://review.monogon.dev/c/monogon/+/1378\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n"
    },
    {
      "commit": "e88ffe9af09b2740bfe0c47ec1efae0380d4f706",
      "tree": "da2fac1e9bd4343250bc01c1bff81062d7ee60a7",
      "parents": [
        "e6719b379b19ad4439b5fd38da035a3043008d97"
      ],
      "author": {
        "name": "Serge Bazanski",
        "email": "serge@monogon.tech",
        "time": "Tue Mar 21 13:38:46 2023 +0100"
      },
      "committer": {
        "name": "Serge Bazanski",
        "email": "serge@monogon.tech",
        "time": "Thu Mar 23 12:04:17 2023 +0000"
      },
      "message": "m/n/kubernetes: factor out generating KPKI, support multiple endpoints in Kubeconfig\n\nChange-Id: I0e648c24ffa134314a03715575d1af1b925fd450\nReviewed-on: https://review.monogon.dev/c/monogon/+/1377\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n"
    },
    {
      "commit": "d85a40ab6fa79efca11b02522b89855952226f33",
      "tree": "408907867ea99dbc07a5d61ec70b2c8478a57414",
      "parents": [
        "d6fee31d519a22720ae0342e02ccdba405b62ded"
      ],
      "author": {
        "name": "Serge Bazanski",
        "email": "serge@monogon.tech",
        "time": "Wed Mar 22 11:14:08 2023 +0100"
      },
      "committer": {
        "name": "Serge Bazanski",
        "email": "serge@monogon.tech",
        "time": "Wed Mar 22 11:57:36 2023 +0000"
      },
      "message": "m/n/kubernetes/service: only note lack of reconciliation every 10 seconds\n\nChange-Id: I6e070325daa265e2e0a65bc5f5e69cc5c9869a04\nReviewed-on: https://review.monogon.dev/c/monogon/+/1384\nTested-by: Jenkins CI\nReviewed-by: Leopold Schabel \u003cleo@monogon.tech\u003e\n"
    },
    {
      "commit": "6fdca3f2e8b60f53f69c8cd39a02109cc47059ac",
      "tree": "f875b3e103037078ece4842fcdd77cbb87d7a6cf",
      "parents": [
        "f71fe9278055d5a892448554aa7c59862256db7d"
      ],
      "author": {
        "name": "Serge Bazanski",
        "email": "serge@monogon.tech",
        "time": "Mon Mar 20 17:47:07 2023 +0100"
      },
      "committer": {
        "name": "Serge Bazanski",
        "email": "serge@monogon.tech",
        "time": "Wed Mar 22 11:33:51 2023 +0000"
      },
      "message": "m/n/kubernetes: start splitting, run apiproxy\n\nThis begins the process to split the Kubernetes service into a\ncontroller and a worker service.\n\nFirst, we rename the existing service to a Controller, create a Worker\nservice, and make the Worker service run our new tinylb-based apiserver\nloadbalancer.\n\nWe also make the roleserver aware of this change by making it spawn both\nthe controller and worker services according to roles.\n\nWe will move services to the Worker in follow up change requests.\n\nChange-Id: I76e98baa0603ad5df30b5892dd69154b895b35fa\nReviewed-on: https://review.monogon.dev/c/monogon/+/1374\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n"
    },
    {
      "commit": "ce19acc9d66055d912287d9f1f26c08d3df55aa8",
      "tree": "6aedbe2ab0aef40955f3d416013ff59e1aec0139",
      "parents": [
        "1f8cad7568ad2e8e539fe44f1b2d51e1f2a19fd5"
      ],
      "author": {
        "name": "Serge Bazanski",
        "email": "serge@monogon.tech",
        "time": "Tue Mar 21 16:28:07 2023 +0100"
      },
      "committer": {
        "name": "Serge Bazanski",
        "email": "serge@monogon.tech",
        "time": "Tue Mar 21 17:56:08 2023 +0000"
      },
      "message": "m/n/kubernetes: make CSI provisioner more debuggable\n\nChange-Id: I22292e627ceac0d41a7711964517a53e63636c3e\nReviewed-on: https://review.monogon.dev/c/monogon/+/1379\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n"
    },
    {
      "commit": "356cbf3e49af75d9cccf92fd8d0a3236727f6761",
      "tree": "a8865bc1422fdde0d8f5a63f8e7e100156dccfeb",
      "parents": [
        "f9bdf3126488a2728e265a2b28cba564c8072e04"
      ],
      "author": {
        "name": "Serge Bazanski",
        "email": "serge@monogon.tech",
        "time": "Thu Mar 16 17:52:20 2023 +0100"
      },
      "committer": {
        "name": "Serge Bazanski",
        "email": "serge@monogon.tech",
        "time": "Thu Mar 16 21:22:24 2023 +0000"
      },
      "message": "m/n/kubernetes: run reconciler before starting more services\n\nThis makes sure we successfully ran the reconciler at least once before\nattempting to run more than the apiserver. It saves us from a whole\nbunch of services complaining about not having the right permissions to\n(yet) access the cluster.\n\nChange-Id: I605eae9d6bbcc16a9dcb971caa26ee56a06e5d5b\nReviewed-on: https://review.monogon.dev/c/monogon/+/1358\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n"
    }
  ],
  "next": "b033b380387a999b7ad19f9d001c42ec570c8945"
}
