)]}' { "log": [ { "commit": "896b1388fb26096ccaf60ff99ac8da2a9b07dab3", "tree": "1f70faa162e8af73f4d08d75dceee15010f849c5", "parents": [ "25e0d8f5bdcae3b03b1bc43cad49b4ed0b4e567e" ], "author": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Wed Jan 15 13:54:26 2025 +0100" }, "committer": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Thu Jan 16 08:56:10 2025 +0000" }, "message": "m/n/kubernetes: switch to typed workqueue\n\nThe functions and types without \"Typed\" are deprecated, and should be\nreplaced by the corresponding ones with \"Typed\".\n\nChange-Id: I41c378df953ae4964d1247e470ccf38f13ea1f47\nReviewed-on: https://review.monogon.dev/c/monogon/+/3784\nTested-by: Jenkins CI\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\n" }, { "commit": "3a171d123fff540c8c9d646152a5d5ed9ef873de", "tree": "62fe245a0182c3ba931d8c33278f2dd89c35e77b", "parents": [ "0996ea85ca6200e1729941d316f7891835871938" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Mon Dec 09 23:51:23 2024 +0100" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Jan 09 21:19:31 2025 +0000" }, "message": "treewide: add race-detector config\n\nThis also disables all `pure \u003d \"on\"` attributes as they propagate too\nfar and break the race detector because rules_go contradicts itself by\nforcing pure go even when CGO is required by the race detector. We build\neverything for our node images static and pure via a transition anyway,\nso this is actually fine.\n\nChange-Id: I5cd3879fba4258caa94df4dbea5c6472867b7e34\nReviewed-on: https://review.monogon.dev/c/monogon/+/3725\nTested-by: Jenkins CI\nReviewed-by: Hendrik Hofstadt \u003chendrik@monogon.tech\u003e\n" }, { "commit": "681d5157b955f6b942c620837d1a9e90bdefc983", "tree": "254905b461e1545d960fafbdad1ec2c250fc383f", "parents": [ "2edb96aeded0f67904ac9630088454fb12a62317" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Wed Jan 08 00:19:33 2025 +0100" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Wed Jan 08 20:54:21 2025 +0000" }, "message": "treewide: clean up test static binary targets\n\nThis removes some intermediate targets only used for transitions by\nconsolidating them into a single one.\n\nChange-Id: I46dcbcb731038edd2b67259de1811018f5ba43da\nReviewed-on: https://review.monogon.dev/c/monogon/+/3753\nReviewed-by: Leopold Schabel \u003cleo@monogon.tech\u003e\nTested-by: Jenkins CI\nVouch-Run-CI: Tim Windelschmidt \u003ctim@monogon.tech\u003e\n" }, { "commit": "837cb8e459b9eefabe89ab17df0b7dafb5e3d631", "tree": "32337d84d4f32b0c2c523e2c5bd177f4acfe4808", "parents": [ "b6afed68fd1d2ee9b32d395b388d2db1338d0fa0" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Mon Dec 23 13:52:56 2024 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Mon Dec 23 21:59:59 2024 +0000" }, "message": "treewide: update Kubernetes to 1.32\n\nRelatively easy change, one cadvisor fix is temporarily needed. The\nlegacy log dir patch needed to be rebased, that\u0027s about it.\n\nI enabled single-process OOM killing again as that was the default for\ncgroupv1 and IMO the more sane behavior.\n\nUpstrem changelog at:\nhttps://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.32.md\n\nChange-Id: I537a6e37137d05efb6eec8635915e36fd8b37cbc\nReviewed-on: https://review.monogon.dev/c/monogon/+/3721\nReviewed-by: Jan Schär \u003cjan@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "b62b8e04eb6f2f6ebc54ecc397ded788a924f279", "tree": "9934baf66b686eee0609ec2ceb402450de0afee3", "parents": [ "b9701c362d602b9b51961bcff849b2eb28b65883" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Mon Dec 16 20:18:47 2024 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Mon Dec 16 20:24:07 2024 +0000" }, "message": "m/n/kubernetes: fix flake in TestAsFlags\n\nThis test was flaky due to Go\u0027s map iteration not being deterministic.\nSort the output to make sure we do not introduce unnecessary\nnon-determinism.\n\nFixes: #363\nChange-Id: If70486306a809b7d33bc17206600b0f750429b7d\nReviewed-on: https://review.monogon.dev/c/monogon/+/3708\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "d1a8b64d305c57f45416fc40b39211541113a373", "tree": "17fcd0e77576b200e75a940fb26ce2334a7a8553", "parents": [ "d77e26ee216738393a9808c95266bbcb91ca0e68" ], "author": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Tue Dec 03 17:40:41 2024 +0100" }, "committer": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Wed Dec 04 08:28:03 2024 +0000" }, "message": "treewide: add more ptr.To usages\n\nChange-Id: Ibf511bc012a17e39d6b7b4f3a7d9abc1304d755f\nReviewed-on: https://review.monogon.dev/c/monogon/+/3677\nTested-by: Jenkins CI\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\n" }, { "commit": "d77e26ee216738393a9808c95266bbcb91ca0e68", "tree": "8dd5dfa48c9b388684b697687be4198094ac66e3", "parents": [ "affe8fa229e3a701e060cb6bc35b9362814b5daf" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Mon Dec 02 18:23:10 2024 +0100" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Tue Dec 03 14:31:57 2024 +0000" }, "message": "treewide: replace bool-to-boolptr helpers with k8s.io/utils/ptr.To\n\nChange-Id: I90419ddfe087291f41f7f2f3589263e56c15470a\nReviewed-on: https://review.monogon.dev/c/monogon/+/3675\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "2ecccae4ff62b687ec5e218349fcf8a42069dfc9", "tree": "c5a5914c9d3bd8fb37a5650a6b3e4881f9fc2610", "parents": [ "d58edf4e2f745427d69ecc72bfe9a9ead69d697d" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Nov 27 22:03:35 2024 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Mon Dec 02 16:50:54 2024 +0000" }, "message": "m/node: enable user namespaces in K8s\n\nThis enables the two feature gates for user namespace support in K8s.\nWe did not previously have a passwd file which caused Go\u0027s UserLookup\nto fail with an unexpected error. Add an mostly-empty placeholder file\nto placate it.\n\nChange-Id: I71a7a6dc889a289512075a25b7e551f2cd65ffb6\nReviewed-on: https://review.monogon.dev/c/monogon/+/3665\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "d58edf4e2f745427d69ecc72bfe9a9ead69d697d", "tree": "bd9424fdb0a58cb7c78ab99d8a3b1d4ebc07c5db", "parents": [ "ff7452b586134e18af9f1362d7b96dcb64aa8d71" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Nov 27 20:38:14 2024 +0000" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Mon Dec 02 16:50:54 2024 +0000" }, "message": "m/n/kubernetes: introduce feature gate infra\n\nThis introduces centralized infrastructure to control feature gates in K8s.\n\nIt includes a test to make sure that we do not keep outdated flags in there.\n\nChange-Id: Ife251cbd5210bc8b3757bb3829e91bcdb2e6fdfb\nReviewed-on: https://review.monogon.dev/c/monogon/+/3664\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "ff7452b586134e18af9f1362d7b96dcb64aa8d71", "tree": "7e3b9fe5c161cedf1073a086d0b6e5511b20bd98", "parents": [ "231ee041b652ab2aea6a64e0c4929fa4beb5851b" ], "author": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Thu Nov 28 13:08:55 2024 +0100" }, "committer": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Thu Nov 28 14:45:57 2024 +0000" }, "message": "m/node/kubernetes: mount PVs with noexec on the host\n\nNow that runc always replaces per-mount-point flags when bind-mounting\nvolumes inside the container, we can mount them with noexec on the host\nwithout affecting workloads. This has some security advantages, as any\nexecutables in volumes are no longer executable from the host.\n\nChange-Id: Id5a8ea8caf702fca58d300fc9e17c21e94ebaf13\nReviewed-on: https://review.monogon.dev/c/monogon/+/3660\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "73beb693ce8aed1c1caffaec2f01b2b9c65516b3", "tree": "378d3b779febf33b1666438b1dd003053d9fd21c", "parents": [ "be70c9247b7c8f7ab0eef4b0c7b1faaf934b8f97" ], "author": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Wed Nov 27 17:47:09 2024 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Nov 27 19:34:17 2024 +0000" }, "message": "m/node/kubernetes: remove local-strict storage class\n\nIt turns out that the local-strict storage class did not have an effect\non readonly volumes, or on gVisor. And after updating runc to 1.2.0, it\nno longer has an effect anywhere. It appears that setting noexec and\nsimilar flags in the CSI server, using a storage class, is the wrong\napproach and just happened to work by accident. Instead, this should\nprobably be implemented as a Kubernetes feature to set per-mount-point\nflags on the VolumeMount.\n\nThis commit thus removes the local-strict storage class and the mount\noptions processing in the provisioner and CSI server. This will allow\nupdating runc.\n\nAdditionally, the StatefulSet end-to-end test is extended to also run\ntests with gVisor. gVisor apparently does not support block volumes.\n\nSee: https://github.com/monogon-dev/monogon/issues/361\nChange-Id: Ic2f50aa3bc9442ca1dbb9e8742d5b8fecbfc3614\nReviewed-on: https://review.monogon.dev/c/monogon/+/3658\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "be70c9247b7c8f7ab0eef4b0c7b1faaf934b8f97", "tree": "b1126b8ddaf845314329bd33249e2ec0db6940dd", "parents": [ "0ec0c53061acd57cf545440a723c1fd9817ed080" ], "author": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Thu Nov 21 11:16:03 2024 +0100" }, "committer": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Thu Nov 21 12:57:42 2024 +0000" }, "message": "m/node/kubernetes: fix attaching block PVs\n\nAttaching a block PV to a container failed with the error:\n\"failed to create device node at target path: file exists\".\nThis happened because there was already a directory at the path.\nThe directory should only be created for mounts, not for block devices.\n\nI also extended the PV end-to-end test to add a block volume, and check\nthat it can be opened as a block device and has the expected size.\n\nChange-Id: I40ca82cfcbfee1cb3196a900423f967b45790a64\nReviewed-on: https://review.monogon.dev/c/monogon/+/3623\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "0ec0c53061acd57cf545440a723c1fd9817ed080", "tree": "ac07fa1b10948234fe1add7300508a427c058325", "parents": [ "652c2ad2e499ca709523978e04b3a3dbb6df642c" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Thu Aug 29 12:39:47 2024 +0000" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Nov 20 18:40:12 2024 +0000" }, "message": "m/n/k/containerd: upgrade to v2\n\nUpgrade containerd to 2.0, migrate config and adjust all paths.\nNo new K8s features are enabled yet, this will come separately.\n\nAlso bumps gVisor to the latest version and essentially reimplements the\nshim as the API has changed a lot.\n\nA drive-by fix in clitable was necessary as the x/tools upgrade\nintroduced a new analysis pass.\n\nChange-Id: I9d25af203b94667aaac69a71eeccad2d42aa5f99\nReviewed-on: https://review.monogon.dev/c/monogon/+/3622\nTested-by: Jenkins CI\nReviewed-by: Jan Schär \u003cjan@monogon.tech\u003e\n" }, { "commit": "652c2ad2e499ca709523978e04b3a3dbb6df642c", "tree": "4a31c1797694ed53331d1a998922c3587d940d5b", "parents": [ "36f0375c9834d82016cb077142d2eaaea981d7a5" ], "author": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Tue Nov 19 17:40:50 2024 +0100" }, "committer": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Wed Nov 20 13:55:19 2024 +0000" }, "message": "m/node/kubernetes: fix PV mount flags and add e2e test\n\nMount flags did not work because of two problems:\n- The provisioner did not copy them from the StorageClass to the\n PersistentVolume.\n- The CSI server used \u003d instead of |\u003d when adding flags, so only one of\n the flags was added or removed.\n\nThere was an existing e2e test for PVs, however this only created the\nPVC/PV without even attaching it to a container. I extended this test to\nattach the PV and check from inside the container that it has the\nexpected mount flags and quota.\n\nThe existing e2e test also created a block PV, however attaching a block\nPV to a container was not tested and is apparently broken, so I removed\nthis test for now.\n\nChange-Id: Ie14adfafd333eab38d2b5f1b4ce8a2aa8795eae0\nReviewed-on: https://review.monogon.dev/c/monogon/+/3613\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "a8938da203b9ecc42a61b4aa9e92b802bf0e4902", "tree": "52c8f2971cc6ce50b9bf17a490a7defbf66e69d2", "parents": [ "9eab31ccbba4a2db416e4c5c387d22ec672ea92f" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Fri Sep 13 22:34:01 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Mon Nov 11 16:03:55 2024 +0000" }, "message": "metropolis/node/kubernetes: add mountOptions support for PVs\n\nWe have very strict defaults on our data mount which prevents exec\u0027s and\nsuid binaries. By adding support for mountOptions on PVs we enable\nthe user to allow specific behaviour e.g. exec\u0027s on the given PV.\n\nChange-Id: I902cf3b9dafb14598cddc18c327ef3f5bcd6450b\nReviewed-on: https://review.monogon.dev/c/monogon/+/3421\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "78567601398f4db5a8080fd30038ff7ac6affe0f", "tree": "757ee7c8d374317366a2535dbfb48ceaa66700f0", "parents": [ "beec27c6bdc2da730ffa2a2be6a68e1610148913" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Oct 31 13:42:04 2024 +0000" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Nov 05 13:11:03 2024 +0000" }, "message": "metropolis: remove stutter in ClusterConfiguration.KubernetesConfig\n\nWe already know this is a config (it lives in ClusterConfiguration), no\nneed to call that a config again.\n\nThis doesn\u0027t break any compatibility yet as field names are not (yet)\nunder a stability guarantee.\n\nChange-Id: Ib6492d1c8303cbd0620b979b8047ec9757e301c0\nReviewed-on: https://review.monogon.dev/c/monogon/+/3594\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "e99638e3c7a2f1a604d49c47cc7a2685bfff8c5e", "tree": "636c243a58100c971cc3e224abf2c54324aad00a", "parents": [ "9579be5e09b6293edc78d3142b0c67a24afda93c" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Mon Sep 30 17:06:44 2024 +0000" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Mon Oct 28 14:22:49 2024 +0000" }, "message": "metropolis/node/kubernetes: synchronize metropolis node labels to kubernetes\n\nThis extends the labelmaker to manage Kubernetes node labels mirrored\nfrom Metropolis node labels.\n\nNote that currently there is no way to edit a ClusterConfiguration at\ncluster runtime, but this will come in a future CL.\n\nChange-Id: If7dbc3796085a8b85c1b5b2a181bcb1cee3d1db4\nReviewed-on: https://review.monogon.dev/c/monogon/+/3469\nReviewed-by: Jan Schär \u003cjan@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "6d1ff36763f1d48cf8620afd17321a06d2fbe228", "tree": "e0f48b5b138f51579de1ce2662e1b3a39acec6d3", "parents": [ "677de978403a58cd219e77b312b647927bd560ac" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Mon Sep 30 15:15:31 2024 +0000" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Mon Oct 28 14:22:49 2024 +0000" }, "message": "metropolis/node/kubernetes: update labels based on node roles\n\nThis implements the labelmaker, a reconciling loop running on Kubernetes\ncontroller nodes which updates Kubernetes node labels based on cluster\ndata.\n\nCurrently it only updates role labels based on cluster roles, but this\ncan be extended in the future to also replicate Metropolis node labels\ninto Kubernetes node labels.\n\nChange-Id: I9c5ba92bb46f064aa03836720d4a80adc6061ab9\nReviewed-on: https://review.monogon.dev/c/monogon/+/3464\nTested-by: Jenkins CI\nReviewed-by: Jan Schär \u003cjan@monogon.tech\u003e\n" }, { "commit": "0bc92a087ee0eb279ab29c3aba5d127b4202a2ea", "tree": "9c481ad86d6324cdd6bdfff4a55af4d4b4689f3c", "parents": [ "61b97a375aee98f58c13c13be672b442aecc8440" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Tue Oct 01 22:53:08 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Oct 10 15:55:35 2024 +0000" }, "message": "treewide: bump rules_oci to v2.0.0\n\nChange-Id: Idbeb3a3b7645c5b6f774eb43d218ca0bc79dccc1\nReviewed-on: https://review.monogon.dev/c/monogon/+/3474\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "5f1a7de2dfb5db1884fcb677a0bd38daf6dd3c97", "tree": "fd52bf35b4b2e6b5c51f56d62424c9d0820ef537", "parents": [ "e337e938ae8e08dffa3a01045571188413ce70ff" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Sep 19 02:00:14 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Sep 19 12:06:50 2024 +0000" }, "message": "treewide: fix %v in cases where we should use %w\n\nWe should always use %w when using fmt.Errorf as you can use error.Is to\ncompare the underlying error. When printing an error the use of %w is\nwrong and should be replaced with %v.\n\nChange-Id: I741111bd91dcee4099144d2ecaffa879fdbb34a2\nReviewed-on: https://review.monogon.dev/c/monogon/+/2993\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "e337e938ae8e08dffa3a01045571188413ce70ff", "tree": "f82fa1f5722c3eae99506510056fb6a5ce736309", "parents": [ "7a1b27df41a9729dd9669cdaabd6864afc5e85b7" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Sun Sep 15 20:14:39 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Wed Sep 18 22:27:59 2024 +0000" }, "message": "m/n/k/containerd: set device ownership based on security context\n\nWhen a user deploys a pod with a kvm device it is owned by root. By\nsetting device_ownership_from_security_context to true, containerd\nwill chown these devices to the uid/gid set in the securityContext.\nFor more informations see\nhttps://kubernetes.io/blog/2021/11/09/non-root-containers-and-devices/\n\nChange-Id: I1a0285dfc560c3c662d5e2eb8e37e68d87408b83\nReviewed-on: https://review.monogon.dev/c/monogon/+/3428\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "3c5d0635f855f16780792a6be311f71b4d59f20b", "tree": "4a48292bf17a874f2d627901ee4f7e9145c5b040", "parents": [ "a036c4e792e4b497c512991291b0cc18bc12b5e3" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Sep 12 10:49:12 2024 +0000" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Mon Sep 16 14:03:22 2024 +0000" }, "message": "osbase/logtree.LeveledLogger -\u003e go/logging.Leveled\n\nThis factors out the common leveled logger interface out of the logtree.\nWe want to use the same interface outside of logtree/supervisor usage\nwithin the resolver code, which will be exposed to clients.\n\nChange-Id: I299e76d91e8cefddf8f36f1e58432418c4694df2\nReviewed-on: https://review.monogon.dev/c/monogon/+/3411\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "732a88411de08ac44d1f2bdb6b948c39c9ddc727", "tree": "6c7b78cf514254594d3ccadbb41f6364dd2cc286", "parents": [ "688ee2b59301e5a0494890003a85583f8da07ec5" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Mon Aug 26 23:25:37 2024 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Aug 27 21:40:54 2024 +0000" }, "message": "treewide: update to Kubernetes 1.31\n\nOverall not that bad, we got rid of some workarounds and added some new\nones. Biggest change is a significant refactor of the hyperkube package\nas Kubernetes really doesn\u0027t like multiple of their top-level Cobra\ncommands to be instantiated. One new patch for gVisor as new fields got\nadded to a Linux struct which caused codegen to rename an existing one.\nThat patch will go away once [1] is released as this has been changed\nback again.\nOtherwise mostly standard rebases of patches. We currently have a\nwarning in kubelet as our containerd CRI does not support the\nRuntimeConfig RPC, but no released version of containerd has that and\nthe fallback works fine for now.\n\n[1] https://go-review.googlesource.com/c/sys/+/607876\n\nChange-Id: I275e5fb78bc1d09c4ca0e8b5705edbaa80f30d96\nReviewed-on: https://review.monogon.dev/c/monogon/+/3355\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "397f7eaa1e98554f8b9fed2c748e492bf739027b", "tree": "e0184b594e51a432b41f7ada43efdb1342e67061", "parents": [ "53964c1343dd37e29c8a61a44f47202b3f3726cc" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Aug 20 21:26:06 2024 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Aug 21 12:33:07 2024 +0000" }, "message": "m/n/kubernetes: set PV inode quota relative to capacity\n\nThis removes the hardcoded 100k inode limit which is very low for large\nPVs in favor of a scaled value dependent on its capacity. This\ntechnically allows overcommit as the inode space is not accounted for on\nthe capacity side, but this was already the case before, just with a\nstatic limit.\n\nChange-Id: I48816cd904127397907c1372e7cbb4b9b5ea60f2\nReviewed-on: https://review.monogon.dev/c/monogon/+/3339\nTested-by: Jenkins CI\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "91bf1c89cbb61cf9f8183306196bfda97dd852a5", "tree": "6c2c49d69e6db68917f2170055ddae5496664093", "parents": [ "a48bd3c3220063ed6beecf0b36ef6959f79f3790" ], "author": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Mon Jul 29 17:31:33 2024 +0200" }, "committer": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Wed Aug 21 11:10:01 2024 +0000" }, "message": "treewide: integrate new DNS server\n\nThis integrates the new DNS server into the network service, replacing \nCoreDNS.\n\nChange-Id: I1d2e0fd3315dc2c602a8f805ed701633799e9986\nReviewed-on: https://review.monogon.dev/c/monogon/+/3260\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "4cfcc0b0b25fba463225feae64232d40e02b570c", "tree": "69a7d9ce2d531c763d482e340afe5ceced40c068", "parents": [ "c5e0dbd3437d5c739d42d7724a619b126eabdbf5" ], "author": { "name": "Leopold Schabel", "email": "leo@monogon.tech", "time": "Wed Jul 24 13:23:26 2024 +0000" }, "committer": { "name": "Leopold Schabel", "email": "leo@monogon.tech", "time": "Thu Jul 25 12:02:52 2024 +0000" }, "message": "metropolis/node/kubernetes: allow privileged pods\n\nThere are valid use cases for privileged pods in low-assurance clusters.\nIn particular, \"kubectl debug node/... --profile\u003dsysadmin\" is very\nuseful for debugging and requires privileged pods.\n\nIn a production cluster, we\u0027d want to restrict privileged pods\nand other dangerous capabilities (which are already allowed)\nusing pod security or more sophisticated admission controllers,\nincluding enforcing future cluster integrity policy levels.\n\nChange-Id: I8f6470f636cdd13b7c980f04f08f95aaff833b20\nReviewed-on: https://review.monogon.dev/c/monogon/+/3246\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "3325b4b940370ad4282fdaa6027a5672ff8fdc2a", "tree": "7308d80e86a0d0ea34a5d2d5c8dac8cb2dd8efeb", "parents": [ "41b244857ee793cbf74552ec39f2ff614a686a56" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Mon Jul 15 19:19:49 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Mon Jul 22 21:25:58 2024 +0000" }, "message": "workspace: bump bazel_gazelle to v0.37.0\n\nChange-Id: I45a7769d80781075fdfb1c438240a75629dd572a\nReviewed-on: https://review.monogon.dev/c/monogon/+/3220\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "fe6b506b6124b39b0b36c483d03de3b4efc5bdc4", "tree": "b3a4cbd0f4890dc5ee9a30eb643b2d3e9aa79fa5", "parents": [ "9f21f5396aa18bc9f2f83c867ff883f49bbf02ae" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Jul 02 16:32:35 2024 +0000" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Thu Jul 04 14:50:22 2024 +0000" }, "message": "m/node: switch to cgroupv2\n\nThis switches us from legacy cgroup (v1) to cgroup v2 aka unified\ncgroup. Our versions of Kubernetes, containerd and runc/gVisor all\nsupport this by now.\n\ncgroup_bpf needs to be enabled in the kernel for containerd with cgroup\nv2. Also enable swap as this now works with cgroup v2, this gets rid of\na warning for every pod being started.\n\nWe are not really using cgroups ourselves, but as the root cgroup in v2\nis special, move our own process into a subgroup at startup.\n\nChange-Id: I8d63b2ad672568c052c3fe1a2306182f033667fa\nReviewed-on: https://review.monogon.dev/c/monogon/+/3207\nTested-by: Jenkins CI\nReviewed-by: Jan Schär \u003cjan@monogon.tech\u003e\n" }, { "commit": "9f21f5396aa18bc9f2f83c867ff883f49bbf02ae", "tree": "c232f42c84bd6b7ace576261a188134cb0c69771", "parents": [ "f430fbfe35b70283090b6174cf5a920163c0148c" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Tue May 07 15:14:20 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Jul 04 12:19:37 2024 +0000" }, "message": "treewide: introduce osbase package and move things around\n\nAll except localregistry moved from metropolis/pkg to osbase,\nlocalregistry moved to metropolis/test as its only used there anyway.\n\nChange-Id: If1a4bf377364bef0ac23169e1b90379c71b06d72\nReviewed-on: https://review.monogon.dev/c/monogon/+/3079\nTested-by: Jenkins CI\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "3b5a917c5a1ac49acad50eeacb5cf275efc3631e", "tree": "1da59c672acf3b68aab81fae38c6b6e5929b82a2", "parents": [ "988403453448d27f6df6eea0a232e97c2a2e739b" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu May 23 13:33:52 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu May 23 12:44:02 2024 +0000" }, "message": "treewide: initialize empty structs with var\n\nChange-Id: I72d3993eaf5fe57c77b1dda8218e36a8cc11813d\nReviewed-on: https://review.monogon.dev/c/monogon/+/3108\nTested-by: Jenkins CI\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "d5d33ba1e0798b48f56e6a1bc9178af9fc778179", "tree": "76f4f0b0a1175a77b64d5dd7469b3ec6a3d57c2d", "parents": [ "69f5f4e5ffac12c1d8e45e4cc9dc72868aa3af41" ], "author": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Wed May 15 11:45:35 2024 +0200" }, "committer": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Wed May 15 16:15:25 2024 +0000" }, "message": "m/n/k/reconciler: remove PSP role and rolebinding\n\nPod Security Policies have been removed from Kubernetes. The default PSP \nwas removed in commit 6211e4dc40, but the role and rolebinding was still \nleft. They do not have a function anymore. Now that reconciler updates \nare implemented, these will be removed from existing clusters after \nupgrading.\n\nChange-Id: Ia953a5ae03c581b15efc4e3b3711aaa008dc145d\nReviewed-on: https://review.monogon.dev/c/monogon/+/3091\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "69f5f4e5ffac12c1d8e45e4cc9dc72868aa3af41", "tree": "a28c2166fc40b1a2bee20070b4ae6788477ccf1f", "parents": [ "6bc958326f8bd4f3a1606e8a767d21f12f584e88" ], "author": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Wed May 15 10:32:07 2024 +0200" }, "committer": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Wed May 15 16:15:25 2024 +0000" }, "message": "m/n/k/reconciler: implement updates\n\nThe reconciler now checks if already present object are equal to the \nexpected object, and else updates them. If the update fails due to \nimmutable fields, the object is instead deleted and recreated.\n\nAlso, the reconciler now logs create/update/delete operations.\n\nFor the CSI driver, the StorageCapacity and RequiresRepublish were added \nand set to their default value. If we don\u0027t do this, the API server will \nadd these defaults, and then our update comparison fails. There is also \na new test which ensures that expected objects have all defaults already \napplied. This test will fail if a Kubernetes upgrade adds new fields \nwith default values.\n\nCloses #288.\n\nChange-Id: Ibfb37d07b4613ae1a883ad47715feeda87135820\nReviewed-on: https://review.monogon.dev/c/monogon/+/2893\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "d20ddccddf601c2a34cc5238bd82b6a4a1744502", "tree": "52eeeb7917b79220ad0f0cb34447525f7c21341b", "parents": [ "8bc82868fd289220078ff317235db084349d9f70" ], "author": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Wed May 08 14:18:29 2024 +0200" }, "committer": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Tue May 14 12:11:45 2024 +0000" }, "message": "m/n/k/reconciler: implement leader election\n\nBefore this change, the reconciler runs on all Kubernetes controllers. \nWhen we are in a rolling upgrade of the cluster where a reconciled \nobject changes, this will cause the old and new versions of the \nreconciler to fight each other, constantly updating the object back and \nforth.\n\nNow, the reconciler is elected among nodes of the latest release. The \nstatus of the reconciliation is communicated to all Kubernetes \ncontrollers through a new key-value in etcd.\n\nAdditionally, compatibility constraints can be expressed by changing the \nconstants minReconcilerRelease and minApiserverRelease, allowing \nreconciliation to happen in a controlled way that ensures compatibility \neven during rolling upgrades.\n\nChange-Id: Iaf7c27702bd9809a13d47bcf041b71438353bef2\nReviewed-on: https://review.monogon.dev/c/monogon/+/3062\nTested-by: Jenkins CI\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "ddc5e6a098c24c1e69b5c692f534b05dbc763367", "tree": "962bc2b07f054b9c2552018a305fca2d9ee277f9", "parents": [ "2d83a128f6096b8133af9edec00e1cd0cd8215b0" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Tue Apr 23 23:44:34 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Mon May 06 13:34:32 2024 +0000" }, "message": "treewide: update to UwUbernetes (Kubernetes 1.30)\n\nCo-authored-by: Serge Bazanski \u003cserge@monogon.tech\u003e\nCo-authored-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nChange-Id: Id923f503938314ef8fb4243f36604752edbb4605\nReviewed-on: https://review.monogon.dev/c/monogon/+/3047\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "2d83a128f6096b8133af9edec00e1cd0cd8215b0", "tree": "5fffaa49de3a25ffb8f2588b4050e2da7879ce4a", "parents": [ "6ea5762b371bd7a6b35538b37b2781f8386dd323" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Mon May 06 14:38:32 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Mon May 06 13:33:59 2024 +0000" }, "message": "m/n/k/p/kvmdevice: fix device inode error handling\n\nThis was broken in d5f851bb47, where the inverted logic was not kept\nwhen migrating to errors.Is.\n\nChange-Id: Id1bbc96f80b33df539a3a5051d56e126bb453390\nReviewed-on: https://review.monogon.dev/c/monogon/+/3077\nTested-by: Jenkins CI\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\n" }, { "commit": "51daf25d90adca76375e0d141c93d692ab2cd2eb", "tree": "6784b8f4a4c5facdc345ef1d47e0946a6267e74a", "parents": [ "b41b548058101e663a9591beaf2c491a44638d56" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Apr 18 23:18:43 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Wed Apr 24 22:29:11 2024 +0000" }, "message": "treewide: documentation on exported functions should start with their name\n\nChange-Id: Iea3e929bed743d7edfbf5b54bbaa31796aeaaadd\nReviewed-on: https://review.monogon.dev/c/monogon/+/3027\nVouch-Run-CI: Tim Windelschmidt \u003ctim@monogon.tech\u003e\nTested-by: Jenkins CI\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "096654adb312a1bc858a0f886b8fba755eab52b4", "tree": "bb753ba3a24eab6a63b7f7c1757f35f0540b880a", "parents": [ "a355821fa06a7f68ff8ddca6050f71e92e4939a5" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Apr 18 23:10:19 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Wed Apr 24 22:29:11 2024 +0000" }, "message": "treewide: add missing error handling\n\nChange-Id: I55ccf3ff490b58f6af93e665c668428acddc8d65\nReviewed-on: https://review.monogon.dev/c/monogon/+/3019\nVouch-Run-CI: Tim Windelschmidt \u003ctim@monogon.tech\u003e\nTested-by: Jenkins CI\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "92316fdcb21e4cba0494793f5b90924accfd3fc3", "tree": "3e58fea500fec60fc0df8542f1737173de8677d5", "parents": [ "24ce66f0f5f5dac457d5e65beb2980db6780a72a" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Apr 18 23:06:40 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Wed Apr 24 22:29:11 2024 +0000" }, "message": "treewide: remove unnecessary use of fmt.Sprint\n\nChange-Id: I619dcf56665365e09be27e7c58b8b3596715b8b4\nReviewed-on: https://review.monogon.dev/c/monogon/+/3016\nTested-by: Jenkins CI\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\nVouch-Run-CI: Tim Windelschmidt \u003ctim@monogon.tech\u003e\n" }, { "commit": "24ce66f0f5f5dac457d5e65beb2980db6780a72a", "tree": "ca5e78ebae92122ec6f9cbe5cf34e64984ebcc05", "parents": [ "2d0230524e96bdca53354fe191554342674c5fc4" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Apr 18 23:59:24 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Wed Apr 24 22:29:11 2024 +0000" }, "message": "metropolis/node/kubernetes/reconciler: remove redundant nil check\n\nChange-Id: I0ebd2d8d815a964fa854e86868a4870b754ea548\nReviewed-on: https://review.monogon.dev/c/monogon/+/3015\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\nVouch-Run-CI: Tim Windelschmidt \u003ctim@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "6e5b8a5b7ad46cc519ba3ca6166cee160b536185", "tree": "89460ff19e0b4f63abe13e5e2c3bd68acfd33f30", "parents": [ "62a02ea54a45152baea559172b95c94822b8fa1c" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Wed Apr 17 02:34:07 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Wed Apr 24 14:22:13 2024 +0000" }, "message": "treewide: add nolint exceptions for returnerrcheck\n\nChange-Id: Ife7e28de0317627994cb55d6bd5b10fa6016332b\nReviewed-on: https://review.monogon.dev/c/monogon/+/2997\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "d5f851bb477638436826adec756fe562db526865", "tree": "d981b1c62d613b45fb55023da289098d7e377705", "parents": [ "69fec522d5db79d07bb1f227c2ab39c57fdf2831" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Tue Apr 23 14:59:37 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Wed Apr 24 13:15:14 2024 +0000" }, "message": "treewide: replace error comparisons and assertions with errors.Is\n\nChange-Id: Id2424eb155f2c6842c72c5fafd124d428ef901f2\nReviewed-on: https://review.monogon.dev/c/monogon/+/2994\nTested-by: Jenkins CI\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "49c9ab02d7ce200db6defbc82d95646ac4d64804", "tree": "da4d21a21fe25fa6a9e6211e26d8c0ef4ebece1f", "parents": [ "0c57d34190434556847345072371a42a9e1c3154" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Apr 11 01:39:06 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Mon Apr 15 21:31:42 2024 +0000" }, "message": "treewide: dont seed random\n\nAs of Go 1.20 there is no reason to call Seed with a random value.\nPrograms that call Seed with a known value to get a specific sequence\nof results should use New(NewSource(seed)) to obtain a local random generator.\n\nChange-Id: Ice1bbfefd900e6e9241428ec345f51f780eed91f\nReviewed-on: https://review.monogon.dev/c/monogon/+/2960\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "3810567012959d2871400ce2ecd39f53b9072bc3", "tree": "d1821ba3db669deec3a240dceb9bbf544b68c611", "parents": [ "2a74e58ac02d0bf6ae25ae1ec4d8f187dd7db5ba" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Apr 11 01:37:29 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Mon Apr 15 21:31:42 2024 +0000" }, "message": "treewide: remove shadowing of stdlib functions\n\nChange-Id: Iaccb22769d53568f6a4004924c218b9929090d89\nReviewed-on: https://review.monogon.dev/c/monogon/+/2957\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "6b6428da110db384cad1f1d65c81f1874c8cecae", "tree": "f44e7d1ffcc410893a9851e76e81939b178853df", "parents": [ "5e460a92353ec619f4f12fffbe3281d40c85cf61" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Apr 11 01:35:41 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Mon Apr 15 21:31:42 2024 +0000" }, "message": "treewide: remove redundant loop vars\n\nChange-Id: I61bada9e3df38e6a94cd6c8fe2d0d8f3ba41c1af\nReviewed-on: https://review.monogon.dev/c/monogon/+/2955\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "6211e4dc404a285d858e1ecc69ac488c9cabb96b", "tree": "ff3b84efffb58982e0e55e61ed7fceb5df9609dc", "parents": [ "2ac249bf8e571ae7fd134b586ff9c87dce520956" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Nov 14 19:09:40 2023 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Mon Apr 15 14:45:53 2024 +0000" }, "message": "treewide: k8s 1.28 and lots related updates\n\nFirst, this contains a bunch of dependency updates. Important ones in no\nparticular order:\nKubernetes 1.24.2 -\u003e 1.28.8\netcd 3.5.4 -\u003e 3.5.13\nProtobuf 1.32.0 -\u003e 1.33.0\nOpenTelemetry 0.20.0 -\u003e 1.20.0\ncontainerd 1.6.6 -\u003e 1.7.15\nCoreDNS 1.9.2 -\u003e 1.11.1\n\nWith Kubernetes 1.25 PodSecurityPolicies are removed, this replaces them\nwith a static PodSecurity admission configuration which behaves the same\nor is slightly more permissive in most ways. Only known exceptions are\nthat NET_RAW is no longer an allowed permission and non-standard SELinux\nlabels are no longer permitted (but these never did anything anyways).\nThe RBAC policies are intentionally not removed yet as we do not yet\nhave the capability to actually update these, so they will be removed\nwhen that is available (#288), until then they will stay in-place but\ndo nothing.\n\nWith the containerd upgrade the deprecated option for ignoring\npreseeded/pinned images for garbage collection in Kubelet can be\nremoved.\n\nThis change also contains some drive-by fixes to the controller-manager,\nlike passing the Service IP net and disabling cloud-related control\nloops which generate spurious warnings if enabled.\n\nThe containerd tracing patch is removed as we can now use OTel v1, thus\nthat patch is no longer necessary.\n\nAn actual upgrade test will be part of a future CL as this one is\nalready quite large and it works stand-alone.\n\nCo-authored-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\nChange-Id: I8e5f51e6e6240a1b67590458b2f1c24d58c8e91e\nReviewed-on: https://review.monogon.dev/c/monogon/+/2315\nTested-by: Jenkins CI\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\n" }, { "commit": "20b9812e5138784e4e451911f85136e790a759fd", "tree": "d66d8ad643cc9c5f9ea77520856aa092fcab75f2", "parents": [ "db3866a782c443baf4eac4e1cf2b7d03b1bf6c5e" ], "author": { "name": "Jan Schär", "email": "jan@jschaer.ch", "time": "Tue Apr 09 10:44:49 2024 +0200" }, "committer": { "name": "Jan Schär", "email": "jan@jschaer.ch", "time": "Tue Apr 09 10:17:51 2024 +0000" }, "message": "m/n/k/clusternet: delete unused file\n\nThe mentioned pull request was merged, this file is no longer used.\n\nChange-Id: Ibc573e054e53e6ef23684707ec4178afdc301878\nReviewed-on: https://review.monogon.dev/c/monogon/+/2934\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\nVouch-Run-CI: Serge Bazanski \u003cserge@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "3bdb5fcf023968526dfe7fadb89b0911bc6d7074", "tree": "37a8c1abdee1cf54b25ca0adf868ed879e4db7b3", "parents": [ "22a71c147af31d02a0db298e2ca8356078471b93" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Mar 14 18:47:35 2024 +0100" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Wed Apr 03 15:49:26 2024 +0000" }, "message": "metropolis/core/metrics: expose containerd metrics endpoint\n\nThis adds containerd as another metrics endpoint. It is only available\non nodes with the KubernetesWorker role.\n\nChange-Id: I5f6269165a81d9a4c4cff48d3ed6b6a55d7f4f46\nReviewed-on: https://review.monogon.dev/c/monogon/+/2861\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "22a71c147af31d02a0db298e2ca8356078471b93", "tree": "7f532c633bb06664a105a28e5aa770e00724d977", "parents": [ "ec2906a6874e223813593128b6e72594a1ecfb0f" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Wed Apr 03 04:06:08 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Wed Apr 03 14:55:50 2024 +0000" }, "message": "metropolis/node/kubernetes/metricsproxy: clarify error message\n\nIf the metricsproxy fails to reach its target, we should not return the\nsame error message as the metrics service as that would be confusing.\n\nChange-Id: Ia158686d5a7db3e8e62e149a1c7dc8773702a233\nReviewed-on: https://review.monogon.dev/c/monogon/+/2912\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "7f72748c67df593b110176422d27be878a7a37f4", "tree": "75a621c3ae4ec5daf0d90dffcf298583ef3240c9", "parents": [ "23e5230930b482807be2f7fd29c6f14badf3ad0f" ], "author": { "name": "Jan Schär", "email": "jan@jschaer.ch", "time": "Mon Mar 25 13:03:51 2024 +0100" }, "committer": { "name": "Jan Schär", "email": "jan@jschaer.ch", "time": "Mon Mar 25 19:41:38 2024 +0000" }, "message": "m/n/k/reconciler: refactor resource interface\n\nReplace interface{} with meta.Object, an interface which provides \naccessors for and is implemented by meta.ObjectMeta. List now returns \nthe objects themselves instead of their names. This makes the reconciler \nslightly less generic, as it now only supports kubernetes objects.\n\nThis is a refactoring in preparation for implementing updates in the \nreconciler. There should be no change in behavior.\n\nChange-Id: I97a4b1c0166a1e6fd0f247ee04e7c44cff570fd7\nReviewed-on: https://review.monogon.dev/c/monogon/+/2891\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\nVouch-Run-CI: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "b63ed8a6d7eaaf0fa58b127d90001dc805d72c45", "tree": "4c1cec25146e8936f7d3f9a09c1e031453e1c5d4", "parents": [ "1ac503c7ddd16c796fb163bcbace7a1db24d5201" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Mar 05 14:24:38 2024 +0000" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Mar 21 11:03:54 2024 +0000" }, "message": "m/n/core/network: drop Watch/Value methods, expose Status\n\nThe Watch/Value methods were a leftover from before we had a unified\nevent value API.\n\nChange-Id: Id61732e0570e5fe3d9420857728b1f8a9769e697\nReviewed-on: https://review.monogon.dev/c/monogon/+/2876\nTested-by: Jenkins CI\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\n" }, { "commit": "1dd0c6591533bf63389e81a2104bca3c8326e871", "tree": "e33a710087b67dfe7f34e8434cff8885dc38420c", "parents": [ "456961d6589c1afec75954ca94ed631e1f380566" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Feb 20 18:45:06 2024 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Feb 20 18:12:12 2024 +0000" }, "message": "m/n/kubernetes: improve CSI registration reliability\n\nKubelet\u0027s plugin registration mechanism is quite awful, it\nrelies on being notified by inotify that a new registration socket has\nbeen placed into a specific path, which it then interrogates and\nreports back if the registration succeeded.\n\nThat registration sometimes involves network operations which are prone\nto failure. It reports that failure back to the registration server\nasynchronously but does not attempt to retry the process.\n\nTo actually get Kubelet to retry, one needs to remove and recreate the\nregistration socket.\n\nThis change implements such a mechanism, recreating the socket and\nregistration server on every reported registration failure.\n\nSupervisor backoff is used to prevent busy-looping on non-transient\nerrors.\n\nChange-Id: I79eaf0efdf55ccdede15d8cee42cda7c276e4b50\nReviewed-on: https://review.monogon.dev/c/monogon/+/2785\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "456961d6589c1afec75954ca94ed631e1f380566", "tree": "ac99bfa39deefe0f4aca7478077a66ef8b7c9d74", "parents": [ "1e90c6d29a4af63fa01b472b7a49bdba256797b2" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Feb 20 13:18:26 2024 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Feb 20 18:12:12 2024 +0000" }, "message": "m/n/k/reconciler: set fsGroupPolicy for CSI driver\n\nThis fixes an issue where kubelet did not apply fsGroupChangePolicy due\nto questionable capability detection code with the default\nfsGroupPolicy. Setting this to the File policy asserts that this driver\nalways supports ownership changes and thus bypasses that Kubernetes\ncapability detection code.\n\nChange-Id: I4799a01561af4f3d9c0de7a6040fd5f9db784d3e\nReviewed-on: https://review.monogon.dev/c/monogon/+/2784\nTested-by: Jenkins CI\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\n" }, { "commit": "9c4bece001c15d6ae4793016b2e3854627b2164c", "tree": "3381a01d7f7d3e9fd9f6c6e2e037a3a76e5ce8ce", "parents": [ "93020d77a383e68fd4b1adfafaf136c405648172" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Tue Feb 13 18:32:44 2024 +0100" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Tue Feb 13 19:53:58 2024 +0000" }, "message": "m/n/k/containerd: clarify preseed log message\n\nChanging this log message makes it easier to understand what happens.\n\nBefore:\n```\nSuccessfully imported preseeded bundle\nk8s.io/docker.io/bazel/metropolis/test/e2e/preseedtest:preseedtest_image\ninto containerd\n```\n\nAfter:\n```\nSuccessfully imported preseeded bundle\n\"docker.io/bazel/metropolis/test/e2e/preseedtest:preseedtest_image\" into\ncontainerd namespace k8s.io\n```\n\nCloses monogon-dev/monogon#287\n\nChange-Id: I932d36b0cc1926d7248028c8a412f921562a9858\nReviewed-on: https://review.monogon.dev/c/monogon/+/2768\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "93020d77a383e68fd4b1adfafaf136c405648172", "tree": "f35720a2f35a6efdb63b8044ece9d71121929bd9", "parents": [ "502f9973502fec41d358e0c3939f61c5cf58e0de" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Tue Feb 13 18:13:07 2024 +0100" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Tue Feb 13 19:53:34 2024 +0000" }, "message": "m/n/k/containerd: use preseeded pause container\n\nTo allow no-network tests we need to bundle the pause container.\n\nChange-Id: I1fa6bb70c10a16097d35d919941f501ddc5f784d\nReviewed-on: https://review.monogon.dev/c/monogon/+/2767\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "ad86a55c9c507478e2c4989f50912d7869164066", "tree": "214d48bcad4ede5909af88ce7deaadedd2d9fbe0", "parents": [ "7dbf18c1932b5c7945a2ba53d7580a6857cda5d3" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Wed Jan 31 17:46:47 2024 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Feb 08 11:10:07 2024 +0000" }, "message": "m/n/kubernetes: serve authproxy with node certificate\n\nWe are currently serving authproxy with the Kubernetes node certificate,\nwhich is somewhat useless, considering that this certificate isn\u0027t even\nissued by the same CA that the client certificates (which are Metropolis\ncertificates) presented.\n\nThis changes the authproxy to serve with Metropolis node certificates\ninstead.\n\nChange-Id: I03ff19c919c6a9fa72c98997432cc06a59e9958e\nReviewed-on: https://review.monogon.dev/c/monogon/+/2740\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "e6e570ae3c26c5fda4855522e8cf04644627295f", "tree": "1678ee01ccfc5277f2e6f79858466a2847d291fd", "parents": [ "6fa92ac53f2cbeb3b2e63dea9f87b1b19a680434" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Nov 28 19:23:19 2023 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Nov 29 12:23:41 2023 +0000" }, "message": "m/n/k/nfproxy: use discovery/v1 API\n\nThe old discovery/v1beta1 is deprecated and removed in 1.25. We need to\nget nfproxy to use the new API (available since 1.21) before we jump\nto a K8s control plane version above 1.25.\n\nChange-Id: I6336e168e9efbfc4a7b41f6fe15efebf95624df2\nReviewed-on: https://review.monogon.dev/c/monogon/+/2407\nTested-by: Jenkins CI\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\n" }, { "commit": "4b42c8a429b1d061faa9823c1ac26adaac3dc012", "tree": "e5bf8412d8fceb0178cbf93b7623934299b475e3", "parents": [ "a6a039209495ee74c2e830a55f496e901b6a3b5b" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Sun Nov 19 07:02:51 2023 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Mon Nov 20 22:13:16 2023 +0000" }, "message": "m/n/c/metrics: add kube-apiserver\n\nThis adds the Kubernetes API Server metrics to the list of exported\nmetrics.\n\nChange-Id: Ie5827441362787a3bff03ec6cff1f07332b0ae34\nReviewed-on: https://review.monogon.dev/c/monogon/+/2335\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "60461b2b23eb57319525a3e00d7ae57e51598ebc", "tree": "17f4eb857a29b08a6e2be059279b9d88691aff09", "parents": [ "3fd0977e92c3e86cdfde736debdda66af05d1015" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Oct 26 19:16:59 2023 +0200" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Mon Nov 13 21:05:16 2023 +0000" }, "message": "metropolis: move curator client watches to curator/watcher\n\nThis replaces all the ad-hoc code to watch Curator node(s) with calls\nthrough the new curator/watcher library.\n\nChange-Id: Ie2a82b330e4108b9b725515cb10595916c38b323\nReviewed-on: https://review.monogon.dev/c/monogon/+/2263\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "f64f197c8039a72d82efaae6a21f725d3cd3ac7a", "tree": "302a5d9c6ee1d5cdf2b2c8e4abe7b0609c9a2ffa", "parents": [ "54a5a053f2250c03d8476293ecb98fdb458ee5fd" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Fri Jul 28 00:00:50 2023 +0000" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Wed Oct 11 10:53:00 2023 +0000" }, "message": "metropolis/node/core/metrics: fixup metrics authentication\n\nChange-Id: I67643855ab61bfdea980211ffe01e50c2409882b\nReviewed-on: https://review.monogon.dev/c/monogon/+/1979\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "65702194ea264a0fd01fb470bacaf39264b4f637", "tree": "3469201097b30e638f1e446655e1d23b33d90f8d", "parents": [ "f551a7696824a9ddbac63191c489db8280aee0a4" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Thu Aug 31 16:27:38 2023 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Sep 14 13:43:45 2023 +0000" }, "message": "workspace: rules_go, gazelle, go, gVisor update\n\nThis commit not only updates rules_go and friends, but also updates\ngVisor, removes legacy protobuf usage and switches from using\nbuild_configuration to a config flag for bazel\n\nChange-Id: Idb383f35ca0fec4cb7329e9d991f08f28cf9b1fb\nReviewed-on: https://review.monogon.dev/c/monogon/+/2129\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "90613afdf11f7831fc0a673f2fe502c28ab93729", "tree": "1f524cdd0e25a3dd28ff350803d2bc296c3d6fda", "parents": [ "88a76b7a89b3fc81b9135b1197e1ea6fd3698121" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Jul 20 14:26:18 2023 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Wed Jul 26 12:04:58 2023 +0000" }, "message": "metropolis/node/kubernetes: fix mtls authentication to (controller-manager|scheduler)\n\nPreviously it wasn\u0027t possible to authenticate against the services\nas they had no CA they trusted for the sent client certificate.\n\nChange-Id: Ic7cd2419a9e3496680a9393424c7ca1780c4d38c\nReviewed-on: https://review.monogon.dev/c/monogon/+/1951\nTested-by: Jenkins CI\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "150f24a5421dc1449d79a801524a7c98754f7bca", "tree": "c4f69b7e6260a241f3d946b36eda309e2539ccba", "parents": [ "901c7326fe067707812757e4e9409f756edf0e37" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Thu Jul 13 20:11:06 2023 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Jul 19 12:17:34 2023 +0000" }, "message": "metropolis/test: use localregistry\n\nThis removes everything but the preseed test image from the preseed\nimage pool, instead opting to serve all test image via localregistry.\n\nThe registry API is served from a dedicated IP inside the virtual\nnetwork and forwarded to an ephemeral listener on the host. The relevant\ninfrastructure is added to the launch package.\n\nAs it is required to add configuration to containerd for this registry\nanyways as it does not and should not have TLS we take that opportunity\nto give it a descriptive name (test.monogon.internal).\n\nVisibilities of images are also adjusted as they are now referenced much\ncloser to their point of use.\n\nAgainst main this saves 51MiB in bundle size (289MiB -\u003e 238MiB).\n\nChange-Id: I31f732eb8c4ccec486204f35e3635b588fd9c85b\nReviewed-on: https://review.monogon.dev/c/monogon/+/1927\nTested-by: Jenkins CI\nReviewed-by: Leopold Schabel \u003cleo@monogon.tech\u003e\n" }, { "commit": "d1c392a788043f2bd82d936a334bd01e1be97421", "tree": "1bdf2d7a4d7a54b2d8bda0c3c729eb2c9eef90a4", "parents": [ "0553f885b84ca97384ffdb942b30c67d23166a16" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Thu Jul 06 19:10:56 2023 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Jul 11 10:48:05 2023 +0000" }, "message": "m/n/kubernetes: fix CSI local PV publishing\n\nExperimentally confirmed to fix pods stuck in creating because the\nmount syscall failed with ENOENT because the target directory did not\nexist. The current CSI spec now explicitly says that creation of\ntarget_path is the responsibility of the storage plugin, so let\u0027s\nactually create that directory.\n\nChange-Id: I57d8086f2e70040095206c36e4302b352d06bb84\nReviewed-on: https://review.monogon.dev/c/monogon/+/1914\nTested-by: Jenkins CI\nReviewed-by: Leopold Schabel \u003cleo@monogon.tech\u003e\n" }, { "commit": "0300077941db0edfdcac0ae42e4a5dad3e8d3fd7", "tree": "979cfc5f4269d3428b725acd79b9a216db8a6f82", "parents": [ "a2ee88d585b9b8603f47544c95f09b380b92b5e2" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Mon Jul 03 02:19:28 2023 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Tue Jul 04 18:58:49 2023 +0000" }, "message": "metropolis/node: allow all ports as NodePorts except special ones\n\nAs we dont have hostPort implemented we can only provide NodePorts to\napplications. To allow apps to use all ports we have to increase the range\nbut have to prevent them from using reserved metropolis ones. This is\ncurrently prevented by patching the allocator and hardcode all of them.\n\nChange-Id: I7c0e8b17643d1ec03e1a1b678bc6276881b1c5e5\nReviewed-on: https://review.monogon.dev/c/monogon/+/1884\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "4599aa2dfa42a7b694ad295bc700db03de96d7f5", "tree": "411035d2b647dcb1adc68db8f22c4384befa8294", "parents": [ "6f5995153827f2b191cc2faebe21ca58764af33b" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Jun 28 13:09:32 2023 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Jun 28 12:20:57 2023 +0000" }, "message": "m/n/k8s: fix start after unclean shutdown\n\nBoth the kvmdevice as well as the CSI runnables listen on Unix sockets.\nThese are normally removed on close (this is actually the default for\nsockets opened wiht ListenUnix, thus drop setting this), but when an\nunclean shutdown occurs they persist. Since one cannot listen on an\nalready-existing socket, opportunistically remove them before listening.\n\nChange-Id: I11d986a2816fde3d7ffef0817ae3bbf39bba4faf\nReviewed-on: https://review.monogon.dev/c/monogon/+/1867\nTested-by: Jenkins CI\nReviewed-by: Leopold Schabel \u003cleo@monogon.tech\u003e\n" }, { "commit": "2f7e0a281e72ae45fff6c4d79934442367475b81", "tree": "4dcd2233a274bef4645c4bfbbbd62f072d11481a", "parents": [ "c49b207a66a994ccda382d685022d08cbd9ee582" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Thu Jun 22 16:56:13 2023 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Thu Jun 22 16:36:33 2023 +0000" }, "message": "m/node: enlarge K8s networks\n\nFor bigger clusters, the current 10.0.0.0/16 subnet is far too small.\nSwitch to 10.192.0.0/11 which should be out of the way of most of our\ntest infra and is large enough for 8192 nodes with 253 pods which is\nbig enough for the time being. Also migrate the service network\nto 10.224.0.0/16 and make it much bigger. It does not need to be in the\npod CIDR, so move it out of there.\nBut for large clusters this will continue to be a problem until we have\na better allocation algorithm or switch to IPv6 with 464xlat (which\nis not supported on Linux currently however).\n\nChange-Id: Ib3a019fffacec2172721f04c01133b44bffba73b\nReviewed-on: https://review.monogon.dev/c/monogon/+/1848\nReviewed-by: Leopold Schabel \u003cleo@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "51a3ed59a1408fe5d8103dca5b6a04dbaa4e5b6a", "tree": "b17dd748b088b4c7899c4aee0a1ab862a59509b4", "parents": [ "186109c55db3121749311fc2e954be0eaccdf249" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Jun 21 16:45:15 2023 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Thu Jun 22 12:33:31 2023 +0000" }, "message": "m/n/k/containerd: change default runtime to runc\n\nFor high-security usecases it might still make sense to force gVisor,\nbut generally people expect runc as the default runtime. gVisor can\nstill be used by specifying a runtimeclass in the pod.\n\nChange-Id: Idc02275fd00c2a7dff3ce6949268294afa5644eb\nReviewed-on: https://review.monogon.dev/c/monogon/+/1839\nTested-by: Jenkins CI\nReviewed-by: Leopold Schabel \u003cleo@monogon.tech\u003e\n" }, { "commit": "0e291a193cbfd0b169e749e7f28adc954a58f560", "tree": "01b7ad51279b9060c3c967a0061826d37dbfaf01", "parents": [ "4264b8c641109c05c4828b40cd2e01e686890903" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Thu Jun 01 12:22:45 2023 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Jun 13 13:03:53 2023 +0000" }, "message": "m/node: clean up DNS service\n\nThe primary change in here is that CoreDNS now only listens on the\nloopback interface by default.\nThis fixes #217 as it cannot be accessed from the outside anymore.\nSince the containers do not share the host network namespace, they can\nnow no longer access the DNS service. This is solved by introducing a\nnew Network Service API to add listener IPs and using a link-local IP,\n169.254.77.53 for the container DNS.\nWhile at it, I cleaned up various parts of the DNS code.\n\nChange-Id: Id7b618f62690032db335e8478b9de84410c210a1\nReviewed-on: https://review.monogon.dev/c/monogon/+/1759\nTested-by: Jenkins CI\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "2cfafc9a4c34152dd93b58aa82df1720fb4dd6d6", "tree": "7a944999ab576f4b421651c2c4d513b0b572a1be", "parents": [ "d0be371ea905c3729f98d91d255d775b7c5193d3" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Mar 21 16:42:47 2023 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Apr 13 14:03:02 2023 +0000" }, "message": "metropolis/node/kubernetes: move worker services to KubernetesWorker nodes\n\nThis finalizes the Big Split. After this change, nodes will only run a\nkubelet (and related services) if they have a KubernetesWorker role\nattached.\n\nThe first node in a new cluster now starts out with KubernetesController\nand ConsensusMember. All joined nodes start with no roles attached.\n\nChange-Id: I25a059318450b7d2dd3c19f3653fc15367867693\nReviewed-on: https://review.monogon.dev/c/monogon/+/1380\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "b565cc679cd5af598dc863890a3e1cce98eb1c57", "tree": "eddf2b4b5636b0c5086cf8fb874927cdc73659c1", "parents": [ "9104e381ab7a2c90087843de00204eed9ed7cf99" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Mar 30 18:43:51 2023 +0200" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Apr 06 14:19:17 2023 +0000" }, "message": "m/n/core/clusternet: grab external IP address prefix from network service\n\nThis moves the logic for merging the node IP and node prefixes from the\nsubmitter of the prefixes into the clusternet logic itself.\n\nThis means clusternet now has two independent sources of prefix data:\nthe network service\u0027s external IP address, and the kubelet\u0027s node\nprefixes.\n\nThis simplifies use in a worker/controller split, where a controller\nnode normally doesn\u0027t submit any prefixes as it\u0027s not running a kubelet\nor kubelet-adjacent prefixes - but we still want it to submit its\nexternal IP address.\n\nChange-Id: I46c9430228ce966426d3a8d33a765ecfdfca0d29\nReviewed-on: https://review.monogon.dev/c/monogon/+/1479\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "7920852953a4b0846ddb16cb82a038b064ba473a", "tree": "afa919bc332a93bd0666714843632cffa1095170", "parents": [ "4e6eae2bec769a565eece47438fcb594e7da2765" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Mar 28 20:14:58 2023 +0200" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Wed Apr 05 14:14:44 2023 +0000" }, "message": "m/n/kubernetes: use node clusternet to submit cluster networking routes\n\nThis completes the work on using the new cluster networking service from\nKubernetes, thereby allowing non-worker nodes to participate in cluster\nnetworking.\n\nChange-Id: I7f3759186d7c8cc49833be29963f82a1714d293e\nReviewed-on: https://review.monogon.dev/c/monogon/+/1418\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "6d6ed31da287a055b18dedaa1fd70420994c66ae", "tree": "59de543dc0ad9bed120c29c62fdf19508b1ce341", "parents": [ "1fdab13a2ea1411b332f67cfa9b1216753b9eb11" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Mon Mar 27 11:04:14 2023 +0200" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Mon Apr 03 14:02:00 2023 +0000" }, "message": "m/n/kubernetes/{clusternet,nfproxy}: log informer errors\n\nChange-Id: I9ea1444c7042dd25c25cecc6b6da054554010a85\nReviewed-on: https://review.monogon.dev/c/monogon/+/1447\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "fe39cc21b69bb9fd9f641dfc6b3514386cbb0d4c", "tree": "2c4ff1bc567bb6b5e276bef2028fc196cbc37f2b", "parents": [ "e88ffe9af09b2740bfe0c47ec1efae0380d4f706" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Mar 21 14:21:54 2023 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Mar 23 12:21:21 2023 +0000" }, "message": "m/n/c/curator: implement IssueCertificate for Kubernetes Workers\n\nThis is not yet used in this change, but will be very soon.\n\nChange-Id: I0283941f15211515537d2b23e0c8cd72dc2d77c5\nReviewed-on: https://review.monogon.dev/c/monogon/+/1378\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "e88ffe9af09b2740bfe0c47ec1efae0380d4f706", "tree": "da2fac1e9bd4343250bc01c1bff81062d7ee60a7", "parents": [ "e6719b379b19ad4439b5fd38da035a3043008d97" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Mar 21 13:38:46 2023 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Mar 23 12:04:17 2023 +0000" }, "message": "m/n/kubernetes: factor out generating KPKI, support multiple endpoints in Kubeconfig\n\nChange-Id: I0e648c24ffa134314a03715575d1af1b925fd450\nReviewed-on: https://review.monogon.dev/c/monogon/+/1377\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "d85a40ab6fa79efca11b02522b89855952226f33", "tree": "408907867ea99dbc07a5d61ec70b2c8478a57414", "parents": [ "d6fee31d519a22720ae0342e02ccdba405b62ded" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Wed Mar 22 11:14:08 2023 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Wed Mar 22 11:57:36 2023 +0000" }, "message": "m/n/kubernetes/service: only note lack of reconciliation every 10 seconds\n\nChange-Id: I6e070325daa265e2e0a65bc5f5e69cc5c9869a04\nReviewed-on: https://review.monogon.dev/c/monogon/+/1384\nTested-by: Jenkins CI\nReviewed-by: Leopold Schabel \u003cleo@monogon.tech\u003e\n" }, { "commit": "6fdca3f2e8b60f53f69c8cd39a02109cc47059ac", "tree": "f875b3e103037078ece4842fcdd77cbb87d7a6cf", "parents": [ "f71fe9278055d5a892448554aa7c59862256db7d" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Mon Mar 20 17:47:07 2023 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Wed Mar 22 11:33:51 2023 +0000" }, "message": "m/n/kubernetes: start splitting, run apiproxy\n\nThis begins the process to split the Kubernetes service into a\ncontroller and a worker service.\n\nFirst, we rename the existing service to a Controller, create a Worker\nservice, and make the Worker service run our new tinylb-based apiserver\nloadbalancer.\n\nWe also make the roleserver aware of this change by making it spawn both\nthe controller and worker services according to roles.\n\nWe will move services to the Worker in follow up change requests.\n\nChange-Id: I76e98baa0603ad5df30b5892dd69154b895b35fa\nReviewed-on: https://review.monogon.dev/c/monogon/+/1374\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "ce19acc9d66055d912287d9f1f26c08d3df55aa8", "tree": "6aedbe2ab0aef40955f3d416013ff59e1aec0139", "parents": [ "1f8cad7568ad2e8e539fe44f1b2d51e1f2a19fd5" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Mar 21 16:28:07 2023 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Mar 21 17:56:08 2023 +0000" }, "message": "m/n/kubernetes: make CSI provisioner more debuggable\n\nChange-Id: I22292e627ceac0d41a7711964517a53e63636c3e\nReviewed-on: https://review.monogon.dev/c/monogon/+/1379\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "356cbf3e49af75d9cccf92fd8d0a3236727f6761", "tree": "a8865bc1422fdde0d8f5a63f8e7e100156dccfeb", "parents": [ "f9bdf3126488a2728e265a2b28cba564c8072e04" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Mar 16 17:52:20 2023 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Mar 16 21:22:24 2023 +0000" }, "message": "m/n/kubernetes: run reconciler before starting more services\n\nThis makes sure we successfully ran the reconciler at least once before\nattempting to running more than the apiserver. It saves us from a whole\nbunch of services complaining about not having the right permissions to\n(yet) access the cluster.\n\nChange-Id: I605eae9d6bbcc16a9dcb971caa26ee56a06e5d5b\nReviewed-on: https://review.monogon.dev/c/monogon/+/1358\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "b033b380387a999b7ad19f9d001c42ec570c8945", "tree": "6093a955f5c08f29e6590fb71781849d100a3e0e", "parents": [ "d8290c8082f752f52d0ba1c765f668e2992bc5d4" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Mar 07 20:06:36 2023 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Mar 07 22:29:46 2023 +0000" }, "message": "*: fix gomodproxy compatibility\n\nThis is necessary for the source to be fetchable from third-party Go\nprojects (currently via a replace directive, as source.monogon.dev isn\u0027t\ngo-getable). Otherwise, `go mod tidy` complains:\n\nreading https://sum.golang.org/lookup/github.com/monogon-dev/monogon@v0.0.0-20230223122556-665b10937eb8: 404 Not Found\n\tserver response:\n\tnot found: create zip: build/analysis/BUILD.bazel: case-insensitive file name collision: \"BUILD\" and \"build\"\n\tbuild/analysis/importsort/BUILD.bazel: case-insensitive file name collision: \"BUILD\" and \"build\"\n\tbuild/analysis/importsort/classify.go: case-insensitive file name collision: \"BUILD\" and \"build\"\n\tbuild/analysis/importsort/importsort.go: case-insensitive file name collision: \"BUILD\" and \"build\"\n\tbuild/analysis/importsort/importsort_test.go: case-insensitive file name collision: \"BUILD\" and \"build\"\n\tbuild/analysis/importsort/testdata/README.md: case-insensitive file name collision: \"BUILD\" and \"build\"\n\t[Truncated: too long.]\n\nChange-Id: If5947be74f7dfcf4ba4bd79c4dc37589f324b891\nReviewed-on: https://review.monogon.dev/c/monogon/+/1223\nTested-by: Leopold Schabel \u003cleo@monogon.tech\u003e\nReviewed-by: Leopold Schabel \u003cleo@monogon.tech\u003e\n" }, { "commit": "98206b93355539404dccd04bd0882aa59ec8cd8b", "tree": "b48ea9471e0451dd88e4606ba77eef5164fb3694", "parents": [ "aaa4d45a0a88e69137f4b946f26f3ce5f8ad0642" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Jun 22 16:21:50 2022 +0000" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Thu Jun 23 15:31:12 2022 +0000" }, "message": "mn/n/kubernetes: fix warnings\n\nThis fixes a warning that we do not explicitly set the root cgroup and\none that we specify the container runtime type explicitly; in 1.24\neverything other than \"remote\" has been dropped.\n\nChange-Id: I7beb0fbbbd5e38715b8b1e76dac99d2d7c4275d5\nReviewed-on: https://review.monogon.dev/c/monogon/+/785\nTested-by: Jenkins CI\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "78cefcafa315af20d9f603fefd1423fe7bab7483", "tree": "b5d8ab0ce4652e30ace81c0cedf64b847260612d", "parents": [ "4025c9bf83aa038c8858c82bc80bd65acecd7210" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Mon Jun 20 12:59:55 2022 +0000" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Jun 21 11:44:25 2022 +0000" }, "message": "m/n/kubernetes: factor out cluster domain\n\nThis removes the hardcoded Kubernetes cluster domain and pushes it out\nto a single place at the root of the Kubernetes supervisor tree.\nThis will later be aligned with the cluster domain specified in the\nidentity design document, currently this does not change any behavior.\n\nIt also removes a bogous SAN from the Kubernetes API server certificate\n(kubernetes.default.svc.cluster) for which there is no corresponding\nsearch path.\n\nChange-Id: I30b8907a7b846415f5002c09a24d2d37930a9cd1\nReviewed-on: https://review.monogon.dev/c/monogon/+/773\nTested-by: Jenkins CI\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "83d793ddcd4f75b3653255df5dac154ac3de4e87", "tree": "d79840465c92dddb048f6483c2e1d824784ee8d7", "parents": [ "83a28c93a0e48f500db619492f24f96938cb9b00" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Mon Apr 25 11:17:47 2022 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Mon Apr 25 19:26:50 2022 +0000" }, "message": "m/n/kubernetes: remove --port flag from services\n\nFrom logs:\n\n Flag --port has been deprecated, This flag has no effect now and will be removed in v1.24.\n\nSo that\u0027s what we do. We had this flag only set to disable insecure\nserving, and insecure serving has been removed in upstream, thereby\nrendering the use of this flag a no-op.\n\nController-manager PR: https://github.com/kubernetes/kubernetes/pull/96216\nScheduler PR: https://github.com/kubernetes/kubernetes/pull/96345\n\nChange-Id: If9009aa6f7c72a5ec8b7baf2326964167059c0a1\nReviewed-on: https://review.monogon.dev/c/monogon/+/665\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "d13c1c64387ca9a83bb832a3faa5c4b07268d265", "tree": "0c0f534db4726e4400486aad25235e8c573d455e", "parents": [ "79a1a8f9dd49afe8e0a2364c4586b8f39525b204" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Mar 30 19:58:58 2022 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Apr 05 10:35:29 2022 +0000" }, "message": "treewide: switch to gomod and bump everything\n\nThis switches version resolution from fietsje to gomod and updates\nall Go dependencies. It also bumps rules_go (required by gVisor) and\nswitches the Gazelle naming convention from go_default_xxx to the\nstandard Bazel convention of the default target having the package\nname.\n\nSince Kubernetes dropped upstream Bazel support and doesn\u0027t check in\nall generated files I manually pregenerated the OpenAPI spec. This\nshould be fixed, but because of the already-huge scope of this CL\nand the rebase complexity this is not in here.\n\nChange-Id: Iec8ea613d06946882426c2f9fad5bda7e8aaf833\nReviewed-on: https://review.monogon.dev/c/monogon/+/639\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\nReviewed-by: Leopold Schabel \u003cleo@nexantic.com\u003e\n" }, { "commit": "79a1a8f9dd49afe8e0a2364c4586b8f39525b204", "tree": "2bf599ded06a18c5850cbf513e94fd0cf7ba3776", "parents": [ "a8e23543e792505ea8a40bf544d857163696a25b" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Thu Mar 31 17:19:07 2022 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Mon Apr 04 19:45:00 2022 +0000" }, "message": "m/n/k/authproxy: make use of SPDY through proxy work\n\nKubernetes still uses SPDY for interactive/streaming-type calls (like\nexec or port-forward). Our proxy uses a HTTP/2 backend connection to\nKubernetes\u0027s API server. A HTTP/2 stream cannot be upgraded to SPDY\nmeaning these API requests all fail. This implements a slightly ugly\nworkaround by using two HTTP transports, a regular transport which\nsupports HTTP/2 and a fallback transport which does not. The proxy\nselects the fallback transport if it detects that the request is trying\nto upgrade to SPDY.\n\nChange-Id: Idd44f58d07ec5570ddf8941ae7595225f47f254d\nReviewed-on: https://review.monogon.dev/c/monogon/+/645\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "cc078df2124306799c66786833746999259ea792", "tree": "43807fcfec2196430b4bd4def124dad2231451db", "parents": [ "8c2c771a750f30b3edf240fc8352e777795e989b" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Thu Dec 23 11:51:55 2021 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Feb 02 14:07:37 2022 +0000" }, "message": "m/n/kubernetes: implement Metropolis authenticating proxy\n\nThis implements an authenticating proxy for K8s which can authenticate\nMetropolis credentials and passes the extracted identity information\nback to the Kubernetes API server. It currently only handles user\nauthentication, machine-to-machine authentication is still done by the\nAPI server itself. It also adds a role binding to allow full access\nto the owner as we do not have an identity system yet.\n\nChange-Id: I02043924bb7ce7a1acdb826dad2d27a4c2008136\nReviewed-on: https://review.monogon.dev/c/monogon/+/509\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "1de8b1845e75dc1e020df21b997b2d6fc66fb65e", "tree": "4a41005b1931aa13c3ed4a1b0732de31482a6eb8", "parents": [ "367f759f54e59b24b55024c8070513f9f7e6f4c1" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Dec 21 17:15:18 2021 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Dec 22 15:57:16 2021 +0000" }, "message": "m/node: pass node identity into k8s\n\nThis plumbs through the node identity to K8s as an identity.Node\nobject and gets rid of the os.Hostname invocation that passed around\nthis data out-of-band. It also changes everything in its path to use\nthe newer identity.Node object instead of a plain string so that the\nMetropolis Identity CA is more accessible.\n\nChange-Id: I6db8e1db7e333c0ea364aefd61c27bf50acc25f3\nReviewed-on: https://review.monogon.dev/c/monogon/+/505\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "764a2de7911a42d57720911332a12895f0aad707", "tree": "dd0e31cee8fb5c753a762462e9eb16f776c3ec73", "parents": [ "e65731049afb6fd49da80f064fa40a28c9d5741d" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Mon Nov 22 16:26:36 2021 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Mon Nov 22 20:39:51 2021 +0000" }, "message": "tree-wide: rewrite ioutil functions to their replacements\n\nThe ioutil package has been deprecated in Go 1.16 [1]. This CL removes\nall our own users of that package and rewrites them to use their\nreplacements in the os package. I initially wanted to do this with a\ngofix but because all replacements were signature-compatible I just\ndid it with a few string replaces and then ran goimports to fix up the\nimports.\n\nI intentionally didn\u0027t rewrite the patches as that would require a\ndifferent process and is IMO of less value.\n\n[1] https://github.com/golang/go/issues/42026\n\nChange-Id: Iac6663a1f1ee49f9b1c6e4b3d97e73f2c3b54a13\nReviewed-on: https://review.monogon.dev/c/monogon/+/449\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "52304a8aa84604846e316e28c955b67e68c52f34", "tree": "df8518bb50b9665af7f4897665d8aa16f4a43e7f", "parents": [ "ba7bf7dc83c15cbd94a1f71b7992df7d7fc7d752" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Fri Oct 29 16:56:18 2021 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Wed Nov 03 11:36:20 2021 +0000" }, "message": "m/node: implement Port type for node ports\n\nThis allows us to use %v/%s to get a pretty port name where needed.\n\nWe also drive-by remove MasterServicePort which is a leftover from\na pre-curator cluster service implementation.\n\nChange-Id: Id8feddf87269b13dd1dad2460a015c1a7ecbc6d7\nReviewed-on: https://review.monogon.dev/c/monogon/+/418\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "96043bc1cb55b1271b21309b2011d64d2361a0fd", "tree": "b4db59595d8635154de74b0a244a6bb28bc52d2d", "parents": [ "3379a5d0ffcd652031c135f2ffe7600272fa0093" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Oct 05 12:10:13 2021 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Tue Oct 05 17:29:16 2021 +0000" }, "message": "*: import reformats\n\nAs caused by my IntelliJ/gofmt locally. We really need to do gofmt\nchecks in CI, especially now that we nearly have the tooling ready for\nit.\n\nChange-Id: Id105ba9ad8a34b8b8e883d52d621d47b0ea888d7\nReviewed-on: https://review.monogon.dev/c/monogon/+/338\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "c72aa433ff68b76317233ba8805d55845e9efd1a", "tree": "ecdcb336a19c6cca8bbd426870b2ca023ec55207", "parents": [ "080f7ff710e359f2dab0d8ace98f0aa8e443d98d" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Wed Sep 22 09:35:16 2021 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Mon Sep 27 18:54:36 2021 +0000" }, "message": "m/n/k/containerd: less verbose runsc logging\n\nThis disables debug logging on non -c dbg builds of Metropolis, making\nthe console output less verbose.\n\nThis should maybe just be \u0027fixed\u0027 by making logtree -\u003e console smarter,\nie. implement log output filters, but this will do for now - and I think\nin general we don\u0027t want to have super verbose per-syscall logging\nenabled unless necessary.\n\nThe implementation picks between two runsc .tomls to build the node\nimage with, which works for now but we might have to move to a\nfull-blown config generator (build-time or runtime) when we also start\nhaving differences between containerd.toml.\n\nChange-Id: I5539ca6f4763a769e879f7d50637aa36f3ffd29b\nReviewed-on: https://review.monogon.dev/c/monogon/+/327\nReviewed-by: Mateusz Zalega \u003cmateusz@monogon.tech\u003e\n" }, { "commit": "5253884d51cb64c1d1afcb2d7b969f7c2b50b302", "tree": "10a6bf03472e9c14da2515ea7755d74bb3f660e6", "parents": [ "99f477412a2e701f89f7698be1dd432adcfff17c" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Wed Aug 11 16:22:41 2021 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Thu Aug 19 10:20:55 2021 +0000" }, "message": "m/pkg/pki: refactor, allow for external certificates\n\nThe pki library supported managing certificates in two modes:\n\n - default, when name !\u003d \"\"\n - volatile/ephemeral, when name \u003d\u003d \"\"\n\nThe difference between the two being that default certificates were\nfully stored in etcd (key and x509 certificate), while volatile\ncertificates weren\u0027t stored at all. However, both kinds needed private\nkeys passed to the pki library.\n\nWe want to be able to emit certificates without having private keys for\nthat certificate, so we end up a third mode of operation: \u0027external\ncertificates\u0027. These are still stored in etcd, but without any\ncorresponding private key.\n\nIn the future we might actually get rid of ephemeral certificates by\nexpanding the logic of external certificates to provide a full audit log\nand revocation system, instead of matching by Certificate Name. But this\nwill do for now.\n\nWe also use this opportunity to write some simple tests for this\npackage.\n\nChange-Id: I193f4b147273b0a3981c38d749b43362d3c1b69a\nReviewed-on: https://review.monogon.dev/c/monogon/+/263\nReviewed-by: Mateusz Zalega \u003cmateusz@monogon.tech\u003e\n" }, { "commit": "d98ad45e64b542f9945939d35cba9ebd352ff913", "tree": "cd8fa82c4ccd2bf0616986615f3eb2d7c4798f30", "parents": [ "7f17d9b41f248f4b009f5d702622616f62d0a2fa" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Thu Jun 17 15:55:17 2021 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@nexantic.com", "time": "Tue Jun 22 12:05:20 2021 +0000" }, "message": "metropolis/n/kubernetes/pki: remove verbose \u0027ensure\u0027 cert logging\n\nChange-Id: Ie12f12a2966282d364730a1c7a148fae78ab236d\nReviewed-on: https://review.monogon.dev/c/monogon/+/190\nReviewed-by: Lorenz Brun \u003clorenz@nexantic.com\u003e\n" }, { "commit": "216fe7b3ae949376467f626f339423a31ea7da97", "tree": "b0fe587b671a76bf6229339825d2a61df7fc847b", "parents": [ "6ebdc418f3c4799c12368e34ea78dc9c9757fb54" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Fri May 21 18:36:16 2021 +0200" }, "committer": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Fri May 28 17:54:03 2021 +0200" }, "message": "*: reflow comments to 80 characters\n\nThis reformats the entire Metropolis codebase to have comments no longer\nthan 80 characters, implementing CR/66.\n\nThis has been done half manually, as we don\u0027t have a good integration\nbetween commentwrap/Bazel, but that can be implemented if we decide to\ngo for this tool/limit.\n\nChange-Id: If1fff0b093ef806f5dc00551c11506e8290379d0\n" }, { "commit": "99d210d48afc2207ffb4064c58068faa9449a981", "tree": "781a73c0e5bf7e9ff586653eef0cce594b90def0", "parents": [ "4e0dba61375bcb989d86cacf18cf00ebfe6303b4" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Mon May 17 15:29:18 2021 +0200" }, "committer": { "name": "Leopold Schabel", "email": "leo@nexantic.com", "time": "Tue May 18 14:06:11 2021 +0200" }, "message": "m/n/k/plugins/kvmdevice: export resource name variable for easier consumption\n\nTrivial change to consume the resource name of this device plugin as\na variable.\n\nTest Plan: Trivial change\n\nX-Origin-Diff: phab/D791\nGitOrigin-RevId: d71d878f87be1da5a547e17b9965f92e737b644c\n" }, { "commit": "37050126ef89ec30cc677c272471debe55ec0d69", "tree": "c64a64a622ec1c3e1e72fc12a6d4252c0e803cc1", "parents": [ "2999427c182463840a339cf0e82885d8a3b6e79f" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Tue Mar 30 14:00:27 2021 +0200" }, "committer": { "name": "Leopold Schabel", "email": "leo@nexantic.com", "time": "Tue Apr 13 11:04:01 2021 +0200" }, "message": "Implement Block PVCs in our storage backend\n\nThis implements full support for Block PVCs in our Kubernetes storage backend.\nThe block PVCs are backed by files made available to the pods using loop devices and\nhave read-only and online expansion support.\n\nThis also requires a Kubernetes patch because they call losetup if block PVCs are used\nwith CSI to establish a form of lock on the backing block device. This lock is not\nexclusive and does absolutely nothing for our use case and could get very expensive\non dense machines so I removed it.\n\nTest Plan: Comes with E2E tests\n\nX-Origin-Diff: phab/D746\nGitOrigin-RevId: 430d3f445286c0d3498b2153df333a19f3fcab89\n" }, { "commit": "d8af5bf4c14a5c53d1736695a1210b6eea4d246e", "tree": "83e4c35e105d8fb0e5bf71ac8c93bbd3e7f964b4", "parents": [ "4e090357c4f1f3bae53a5f2feaf20ea5e1bbbe61" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Tue Mar 16 13:38:29 2021 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Tue Mar 16 13:38:29 2021 +0100" }, "message": "metropolis/node: use Event Value for network status\n\nThis moves over the GetIP API to use our fancy new event/value library.\nThe consumers of this data are currently the cluster manager and the\nkubernetes root service. Both are migrated over.\n\nTest Plan: Refactor, covered by E2E tests.\n\nX-Origin-Diff: phab/D711\nGitOrigin-RevId: 8a1e0dd35236d55492722f4439323cb2ee9574fc\n" }, { "commit": "4e090357c4f1f3bae53a5f2feaf20ea5e1bbbe61", "tree": "335ec273335722befdeca623b8f3f787a2cd6571", "parents": [ "0ed2f96a3a86aff2c9ce36289aa5d58a75f4d59b" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Wed Mar 17 17:44:41 2021 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Wed Mar 17 17:44:41 2021 +0100" }, "message": "Add KVM device plugin\n\nThis adds a KVM device plugin for Kubernetes. This plugin allows for unprivileged access and granular\ncontrol of KVM access.\n\nTest Plan: Tested in subsequent revision\n\nX-Origin-Diff: phab/D739\nGitOrigin-RevId: 5cd738a47d24e7bfdc29bbd1a31537209e1ebf46\n" }, { "commit": "056042962060369bd7607ecfea51c515fc3a8140", "tree": "86a6dbf7b1781ed2f5baf332938d4e8211353112", "parents": [ "0ab4edafde3eb22e111e75d6aa5e29faa92c30ca" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Fri Mar 12 17:47:21 2021 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Fri Mar 12 17:47:21 2021 +0100" }, "message": "m/node/kubernetes: parse klog output from services\n\nThis translates Kubernetes\u0027 logging ingo logging that we can\nquery/filter more easily.\n\nTest Plan: We don\u0027t test resulting logs from the system, and I\u0027m not sure we should?\n\nX-Origin-Diff: phab/D716\nGitOrigin-RevId: ba3f42b9a4e3172bf058bd7dce4283f50dc8e69d\n" }, { "commit": "9411f7c2ed0afbbf617075ab37901addc76fadfb", "tree": "f1f62aa538ba3c2265815d2dbe942377264850a5", "parents": [ "0de189355c6afad6f677029d90fa40dee824141b" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Wed Mar 10 13:12:53 2021 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Wed Mar 10 13:12:53 2021 +0100" }, "message": "m/node/kubernetes/pki: refactor out CA functionality\n\nThis factors out all non-k8s-specific CA functionality from\nmetropolis/node/kubernetes/pki into metropolis/pkg/pki.\n\nThis will allow us to re-use the same PKI-in-CA system to issue\ncertificates for the Metropolis cluster and nodes.\n\nWe also drive-by change some Kubernetes/PKI interactions to make things\ncleaner. Notably, this implements Certificate.Mount to return a\nfileargs.FileArgs containing all the files neede to use this\nCertificate.\n\nTest Plan: covered by current e2e tests. An etcd harness to test this independently would be nice, though.\n\nX-Origin-Diff: phab/D709\nGitOrigin-RevId: bdc9ff215b94c9192f65c6da8935fe2818fd14ad\n" }, { "commit": "74e8e5c35fea1ec9ce13c8a2d16100bab45d42d9", "tree": "3ec734c4b86fed54a5039623c789dd4b805b3b6e", "parents": [ "19eb0006edc79edc53fb53ea0eed67e93f4c8eba" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Tue Jan 26 14:00:50 2021 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Tue Jan 26 14:00:50 2021 +0100" }, "message": "Make containerd work with read-only root\n\nThis makes containerd work with a read-only root. There were a few config mistakes on our side which\ncaused it to write to the rootfs (mostly leftovers from the switch to /ephemeral) and a semi-hardcoded path\nin /var/lib/cni from containernetworking/cni. This is technically configurable, but it would require patching\nthree different repos (see diff message) and getting all of them to agree to take the change and wait for\nit to propagate to all repos (containerd is known to be slow to release stuff). So let\u0027s just hack in\nthis one-line diff for the time being.\n\nTest Plan: Should be covered by existing tests\n\nX-Origin-Diff: phab/D694\nGitOrigin-RevId: 0e8f5dbfb216539c16e64130af9fe1023722ae1b\n" } ], "next": "31370b07f0df2dc2765d812d4ce00a6b35185b16" }