)]}' { "log": [ { "commit": "0cbf51a530ff05eaacadb12c4cc977c24a0f0fb0", "tree": "fd14354e8ba64d68489f1f4b0116696baf5ee57f", "parents": [ "4cfff958acf023e190191a2842103897201c4dad" ], "author": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Wed Apr 23 10:21:17 2025 +0000" }, "committer": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Thu May 01 06:49:22 2025 +0000" }, "message": "m/n/k/hyperkube: avoid unnecessary rebuilds\n\nPreviously, hyperkube was rebuilt each time a commit was made in the\nmonorepo. This change stops this by reading the variables from a\nfiltered stamp file instead. Now, only this filtered file is rebuilt\neach time, which is very fast compared to linking hyperkube.\n\nPreviously, volatile status variables were used for gitTreeState and\nbuildDate. But the volatile status is bad for reproducibility, as it\nmakes Bazel intentionally use stale caches. Instead, these variables\nare now only defined in release builds, and left unstamped during\ndevelopment. These variables are available at the /version endpoint of\nthe apiserver, so there may be some utility in defining them for release\nbuilds, but they are not needed during development.\n\nThe buildDate is now taken from the commit date instead of\nSOURCE_DATE_EPOCH, which simplifies the build process as we don\u0027t need\nto define that variable anymore.\n\nPreviously, KUBERNETES_gitCommit was referenced but not defined by the\nstatus script. It is now defined as the monorepo commit, which is more\nuseful than leaving it blank.\n\nChange-Id: I6228888507e400ca1f53167ee9d4f132f5711a45\nReviewed-on: https://review.monogon.dev/c/monogon/+/4167\nTested-by: Jenkins CI\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\n" }, { "commit": "b00f7f9a97eae55ae6df80bbdea46815498898fa", "tree": "46517933cf9c0d9fc18ccf085dcf335d664e2b94", "parents": [ "1947e9b1480d9a3e90fe8b12bc897fd5cd2abce7" ], "author": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Thu Mar 06 17:27:22 2025 +0100" }, "committer": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Tue Mar 18 14:02:05 2025 +0000" }, "message": "m/node/kubernetes: implement storage resizing\n\nThis implements persistent volume resizing in the storage provisioner.\nThe logic is based on https://github.com/kubernetes-csi/external-resizer\n\nThe mutation caches are an optimization to prevent unnecessary repeated\nprocessing, because they make the controller remember changes that it\nhas made itself, when the watch events for those changes have not\narrived yet.\n\nThe controller supports the RecoverVolumeExpansionFailure feature, which\nallows reducing the requested size when the previous resize fails due to\ninsufficient space. When resize fails, it is retried with backoff.\n\nChange-Id: I0f3d40c1a592b30d25739f5d20b529dfe25dfbe1\nReviewed-on: https://review.monogon.dev/c/monogon/+/4008\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "1947e9b1480d9a3e90fe8b12bc897fd5cd2abce7", "tree": "9c3586cc1e87b87b48d489ac77082b91199c699e", "parents": [ "551a7373e295b30eb7453d51d71b21a5f8bac108" ], "author": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Thu Jan 16 16:45:03 2025 +0100" }, "committer": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Tue Mar 18 14:02:05 2025 +0000" }, "message": "m/n/kubernetes: fix storage provisioner rate limiting\n\nForget() resets the rate limiter, so it should only be called when\nprocessing has suceeded.\n\nFor example, provisioning can fail for a block volume if there is not\nenough disk space for the requested size. Previously, this caused the\nlog to be quickly spammed with \"Failed processing item\" messages, all\nwith \"numrequeues: 0\". With the fix, the retries are properly backed\noff, with the requeue counter incrementing.\n\nChange-Id: I8a31fa03fadb202205967e045d4e30f04567d9d1\nReviewed-on: https://review.monogon.dev/c/monogon/+/4007\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "17ad63fa0b09d3dfe461ac237cd5db5eaeefc2ed", "tree": "aa133f4b89c91044047c902dad5b752696098b14", "parents": [ "12e4b549f88c91e5eccb2abe1631793c879a66c6" ], "author": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Thu Feb 27 14:43:56 2025 +0100" }, "committer": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Thu Feb 27 17:33:51 2025 +0000" }, "message": "m/n/kubernetes/networkpolicy: add Cyclonus test suite\n\nThis adds a test for the network policy controller, based on the\nCyclonus test suite. Running Cyclonus on a real cluster takes multiple\nhours, as there are over 200 test cases, each of which takes around 1\nminute. The test implemented here uses a fake Kubernetes API and pods,\nwhich allows running all tests in around 15 seconds.\n\nIPv6 is partially implemented but disabled. The tests pass, but each\ntest takes around 2 seconds, because some ICMPv6 replies for blocked TCP\nconnections seem to get lost somewhere and are only processed when the\nTCP SYN is resent one second later.\n\nChange-Id: Id77f2dd4d884b6d156e238e07e88c222e3bbe9a2\nReviewed-on: https://review.monogon.dev/c/monogon/+/3905\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "12e4b549f88c91e5eccb2abe1631793c879a66c6", "tree": "9bf724f8068149af2711a1132d569c006d507ecd", "parents": [ "ec03df42d643603d0a8d92b0db1cc4a4a865651e" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Feb 19 16:29:30 2025 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Thu Feb 27 17:23:16 2025 +0000" }, "message": "gomod: update k8s-nft-npc\n\nThis includes all of Jan\u0027s fixes to get the test suite to pass.\n\nChange-Id: Ie172325b87e7e4f4859c3576ce8577d48497027f\nReviewed-on: https://review.monogon.dev/c/monogon/+/3924\nReviewed-by: Jan Schär \u003cjan@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "16cb15ab5aa2fc0193a1534e65ba2e527e3e8f56", "tree": "0d04d148f5127884b12f73b9bc6f83804c65d4cd", "parents": [ "7b1e4c1e89ba5507dd029984a29739b3d43f6846" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Mon Feb 24 18:47:48 2025 +0100" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Tue Feb 25 14:23:22 2025 +0000" }, "message": "treewide: explicity load built-in rules\n\nIn Bazel 9 all autoloaded rules will be disabled. This prepares us for\nthat.\n\nChange-Id: Ibaa4fa2e6b7095922a5699d2d5f3ae6c2cba3552\nReviewed-on: https://review.monogon.dev/c/monogon/+/3939\nTested-by: Jenkins CI\nReviewed-by: Leopold Schabel \u003cleo@monogon.tech\u003e\n" }, { "commit": "52700ae56c5d541e711fbd5f27373b3dc200f8dc", "tree": "ed5e75883fc44d14f7824b0a5ed40a6ab650923e", "parents": [ "e8beaed8dcde2c198e91addb0baa884079363581" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Jan 28 15:07:08 2025 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Feb 11 15:05:46 2025 +0000" }, "message": "m/n/k8s: add nftables network policy controller\n\nThis integrates my K8s network policy controller. In its current form it\ndoes not have many guarantees as the custom CNI plugin is not yet in\nthere but it mostly works. Also there is still a DNS hole as host-local\nservices are not properly policed yet.\n\nIt has a basic smoke test using the connectivity testing helper as well\nas some metrics to make sure it is integrated properly and to be able to\nmonitor its performance.\n\nChange-Id: Ia2f54b9975361270678ce742ae5e32df25e515c5\nReviewed-on: https://review.monogon.dev/c/monogon/+/3740\nTested-by: Jenkins CI\nReviewed-by: Jan Schär \u003cjan@monogon.tech\u003e\n" }, { "commit": "e8beaed8dcde2c198e91addb0baa884079363581", "tree": "8470b2dfe6a8017729083a4bb119c1d8f0b514d9", "parents": [ "08fd1cb799ef2629a2da846584cd42fe2d6ecb35" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Feb 05 22:03:50 2025 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Feb 11 13:39:37 2025 +0000" }, "message": "m/n/kubernetes: add metricsprovider\n\nKubernetes has a metrics provider interface, add an adapter to be able\nto get these into our Prometheus registry. This code exists in a similar\nform inside K8s but against their custom metrics architecture, not plain\nPrometheus.\n\nAs these metrics are shared across all workqueues we follow K8s in\nimplementing this with a singleton/global. It\u0027s not the prettiest, but\notherwise we may get issues with Prometheus and duplicate metrics.\n\nChange-Id: I0b6d608d14793e44859166a5a59d446c8f662a25\nReviewed-on: https://review.monogon.dev/c/monogon/+/3829\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "6d33a4342a16200d628f30ff91b169927fc2867a", "tree": "e65ad23cb6d0b795420b5ec625a757784d4c3e3b", "parents": [ "7887f758de8f9106a484ca59d9734304aa919e36" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Tue Feb 04 14:34:25 2025 +0100" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Feb 06 17:03:43 2025 +0000" }, "message": "treewide: add license header and enable haslicense linter\n\nChange-Id: I873a8d4082d75e8f813d8a726a41187eea7a065e\nReviewed-on: https://review.monogon.dev/c/monogon/+/3825\nTested-by: Jenkins CI\nReviewed-by: Leopold Schabel \u003cleo@monogon.tech\u003e\n" }, { "commit": "7887f758de8f9106a484ca59d9734304aa919e36", "tree": "f3e85143bc4b4a064e44534327a1f656c83b6340", "parents": [ "e6cc22700801d284386fdf7345dd85f7e522a6cb" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Tue Feb 04 03:06:56 2025 +0100" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Feb 06 16:46:49 2025 +0000" }, "message": "third_party: move go patches into their own folder\n\nChange-Id: I7e2f2790e233aaf13cfd6ed2ffcf5544461a4f39\nReviewed-on: https://review.monogon.dev/c/monogon/+/3822\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "0dca6c91ea9b8a14278aeb3a1a8ba6b512479862", "tree": "d3a4605fa9cefa9dccc79fe3df71d1e4335381a8", "parents": [ "b6ed72eabf092066a837fea4b68846376bd70e8a" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Jan 28 15:04:13 2025 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Feb 05 14:55:23 2025 +0000" }, "message": "metropolis: use interface groups\n\nThis adds interface groups to all K8s pod interfaces via a CNI plugin\npatch and corresponding configuration. It also adds an interface group\nto the clusternet interface. Using these new interface groups the\nnftables rules for NAT can be simplified.\n\nThese will also be used by the network policy plugin later.\n\nChange-Id: I4638a4349ccb12b8724ad28ae34bb61cac4b4ece\nReviewed-on: https://review.monogon.dev/c/monogon/+/3814\nTested-by: Jenkins CI\nReviewed-by: Jan Schär \u003cjan@monogon.tech\u003e\n" }, { "commit": "896b1388fb26096ccaf60ff99ac8da2a9b07dab3", "tree": "1f70faa162e8af73f4d08d75dceee15010f849c5", "parents": [ "25e0d8f5bdcae3b03b1bc43cad49b4ed0b4e567e" ], "author": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Wed Jan 15 13:54:26 2025 +0100" }, "committer": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Thu Jan 16 08:56:10 2025 +0000" }, "message": "m/n/kubernetes: switch to typed workqueue\n\nThe functions and types without \"Typed\" are deprecated, and should be\nreplaced by the corresponding ones with \"Typed\".\n\nChange-Id: I41c378df953ae4964d1247e470ccf38f13ea1f47\nReviewed-on: https://review.monogon.dev/c/monogon/+/3784\nTested-by: Jenkins CI\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\n" }, { "commit": "3a171d123fff540c8c9d646152a5d5ed9ef873de", "tree": "62fe245a0182c3ba931d8c33278f2dd89c35e77b", "parents": [ "0996ea85ca6200e1729941d316f7891835871938" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Mon Dec 09 23:51:23 2024 +0100" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Jan 09 21:19:31 2025 +0000" }, "message": "treewide: add race-detector config\n\nThis also disables all `pure \u003d \"on\"` attributes as they propagate too\nfar and break the race detector because rules_go contradicts itself by\nforcing pure go even when CGO is required by the race detector. We build\neverything for our node images static and pure via a transition anyway,\nso this is actually fine.\n\nChange-Id: I5cd3879fba4258caa94df4dbea5c6472867b7e34\nReviewed-on: https://review.monogon.dev/c/monogon/+/3725\nTested-by: Jenkins CI\nReviewed-by: Hendrik Hofstadt \u003chendrik@monogon.tech\u003e\n" }, { "commit": "681d5157b955f6b942c620837d1a9e90bdefc983", "tree": "254905b461e1545d960fafbdad1ec2c250fc383f", "parents": [ "2edb96aeded0f67904ac9630088454fb12a62317" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Wed Jan 08 00:19:33 2025 +0100" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Wed Jan 08 20:54:21 2025 +0000" }, "message": "treewide: clean up test static binary targets\n\nThis removes some intermediate targets only used for transitions by\nconsolidating them into a single one.\n\nChange-Id: I46dcbcb731038edd2b67259de1811018f5ba43da\nReviewed-on: https://review.monogon.dev/c/monogon/+/3753\nReviewed-by: Leopold Schabel \u003cleo@monogon.tech\u003e\nTested-by: Jenkins CI\nVouch-Run-CI: Tim Windelschmidt \u003ctim@monogon.tech\u003e\n" }, { "commit": "837cb8e459b9eefabe89ab17df0b7dafb5e3d631", "tree": "32337d84d4f32b0c2c523e2c5bd177f4acfe4808", "parents": [ "b6afed68fd1d2ee9b32d395b388d2db1338d0fa0" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Mon Dec 23 13:52:56 2024 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Mon Dec 23 21:59:59 2024 +0000" }, "message": "treewide: update Kubernetes to 1.32\n\nRelatively easy change, one cadvisor fix is temporarily needed. The\nlegacy log dir patch needed to be rebased, that\u0027s about it.\n\nI enabled single-process OOM killing again as that was the default for\ncgroupv1 and IMO the more sane behavior.\n\nUpstrem changelog at:\nhttps://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.32.md\n\nChange-Id: I537a6e37137d05efb6eec8635915e36fd8b37cbc\nReviewed-on: https://review.monogon.dev/c/monogon/+/3721\nReviewed-by: Jan Schär \u003cjan@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "b62b8e04eb6f2f6ebc54ecc397ded788a924f279", "tree": "9934baf66b686eee0609ec2ceb402450de0afee3", "parents": [ "b9701c362d602b9b51961bcff849b2eb28b65883" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Mon Dec 16 20:18:47 2024 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Mon Dec 16 20:24:07 2024 +0000" }, "message": "m/n/kubernetes: fix flake in TestAsFlags\n\nThis test was flaky due to Go\u0027s map iteration not being deterministic.\nSort the output to make sure we do not introduce unnecessary\nnon-determinism.\n\nFixes: #363\nChange-Id: If70486306a809b7d33bc17206600b0f750429b7d\nReviewed-on: https://review.monogon.dev/c/monogon/+/3708\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "d1a8b64d305c57f45416fc40b39211541113a373", "tree": "17fcd0e77576b200e75a940fb26ce2334a7a8553", "parents": [ "d77e26ee216738393a9808c95266bbcb91ca0e68" ], "author": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Tue Dec 03 17:40:41 2024 +0100" }, "committer": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Wed Dec 04 08:28:03 2024 +0000" }, "message": "treewide: add more ptr.To usages\n\nChange-Id: Ibf511bc012a17e39d6b7b4f3a7d9abc1304d755f\nReviewed-on: https://review.monogon.dev/c/monogon/+/3677\nTested-by: Jenkins CI\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\n" }, { "commit": "d77e26ee216738393a9808c95266bbcb91ca0e68", "tree": "8dd5dfa48c9b388684b697687be4198094ac66e3", "parents": [ "affe8fa229e3a701e060cb6bc35b9362814b5daf" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Mon Dec 02 18:23:10 2024 +0100" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Tue Dec 03 14:31:57 2024 +0000" }, "message": "treewide: replace bool-to-boolptr helpers with k8s.io/utils/ptr.To\n\nChange-Id: I90419ddfe087291f41f7f2f3589263e56c15470a\nReviewed-on: https://review.monogon.dev/c/monogon/+/3675\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "2ecccae4ff62b687ec5e218349fcf8a42069dfc9", "tree": "c5a5914c9d3bd8fb37a5650a6b3e4881f9fc2610", "parents": [ "d58edf4e2f745427d69ecc72bfe9a9ead69d697d" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Nov 27 22:03:35 2024 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Mon Dec 02 16:50:54 2024 +0000" }, "message": "m/node: enable user namespaces in K8s\n\nThis enables the two feature gates for user namespace support in K8s.\nWe did not previously have a passwd file which caused Go\u0027s UserLookup\nto fail with an unexpected error. Add an mostly-empty placeholder file\nto placate it.\n\nChange-Id: I71a7a6dc889a289512075a25b7e551f2cd65ffb6\nReviewed-on: https://review.monogon.dev/c/monogon/+/3665\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "d58edf4e2f745427d69ecc72bfe9a9ead69d697d", "tree": "bd9424fdb0a58cb7c78ab99d8a3b1d4ebc07c5db", "parents": [ "ff7452b586134e18af9f1362d7b96dcb64aa8d71" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Nov 27 20:38:14 2024 +0000" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Mon Dec 02 16:50:54 2024 +0000" }, "message": "m/n/kubernetes: introduce feature gate infra\n\nThis introduces centralized infrastructure to control feature gates in K8s.\n\nIt includes a test to make sure that we do not keep outdated flags in there.\n\nChange-Id: Ife251cbd5210bc8b3757bb3829e91bcdb2e6fdfb\nReviewed-on: https://review.monogon.dev/c/monogon/+/3664\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "ff7452b586134e18af9f1362d7b96dcb64aa8d71", "tree": "7e3b9fe5c161cedf1073a086d0b6e5511b20bd98", "parents": [ "231ee041b652ab2aea6a64e0c4929fa4beb5851b" ], "author": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Thu Nov 28 13:08:55 2024 +0100" }, "committer": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Thu Nov 28 14:45:57 2024 +0000" }, "message": "m/node/kubernetes: mount PVs with noexec on the host\n\nNow that runc always replaces per-mount-point flags when bind-mounting\nvolumes inside the container, we can mount them with noexec on the host\nwithout affecting workloads. This has some security advantages, as any\nexecutables in volumes are no longer executable from the host.\n\nChange-Id: Id5a8ea8caf702fca58d300fc9e17c21e94ebaf13\nReviewed-on: https://review.monogon.dev/c/monogon/+/3660\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "73beb693ce8aed1c1caffaec2f01b2b9c65516b3", "tree": "378d3b779febf33b1666438b1dd003053d9fd21c", "parents": [ "be70c9247b7c8f7ab0eef4b0c7b1faaf934b8f97" ], "author": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Wed Nov 27 17:47:09 2024 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Nov 27 19:34:17 2024 +0000" }, "message": "m/node/kubernetes: remove local-strict storage class\n\nIt turns out that the local-strict storage class did not have an effect\non readonly volumes, or on gVisor. And after updating runc to 1.2.0, it\nno longer has an effect anywhere. It appears that setting noexec and\nsimilar flags in the CSI server, using a storage class, is the wrong\napproach and just happened to work by accident. Instead, this should\nprobably be implemented as a Kubernetes feature to set per-mount-point\nflags on the VolumeMount.\n\nThis commit thus removes the local-strict storage class and the mount\noptions processing in the provisioner and CSI server. This will allow\nupdating runc.\n\nAdditionally, the StatefulSet end-to-end test is extended to also run\ntests with gVisor. gVisor apparently does not support block volumes.\n\nSee: https://github.com/monogon-dev/monogon/issues/361\nChange-Id: Ic2f50aa3bc9442ca1dbb9e8742d5b8fecbfc3614\nReviewed-on: https://review.monogon.dev/c/monogon/+/3658\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "be70c9247b7c8f7ab0eef4b0c7b1faaf934b8f97", "tree": "b1126b8ddaf845314329bd33249e2ec0db6940dd", "parents": [ "0ec0c53061acd57cf545440a723c1fd9817ed080" ], "author": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Thu Nov 21 11:16:03 2024 +0100" }, "committer": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Thu Nov 21 12:57:42 2024 +0000" }, "message": "m/node/kubernetes: fix attaching block PVs\n\nAttaching a block PV to a container failed with the error:\n\"failed to create device node at target path: file exists\".\nThis happened because there was already a directory at the path.\nThe directory should only be created for mounts, not for block devices.\n\nI also extended the PV end-to-end test to add a block volume, and check\nthat it can be opened as a block device and has the expected size.\n\nChange-Id: I40ca82cfcbfee1cb3196a900423f967b45790a64\nReviewed-on: https://review.monogon.dev/c/monogon/+/3623\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "0ec0c53061acd57cf545440a723c1fd9817ed080", "tree": "ac07fa1b10948234fe1add7300508a427c058325", "parents": [ "652c2ad2e499ca709523978e04b3a3dbb6df642c" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Thu Aug 29 12:39:47 2024 +0000" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Nov 20 18:40:12 2024 +0000" }, "message": "m/n/k/containerd: upgrade to v2\n\nUpgrade containerd to 2.0, migrate config and adjust all paths.\nNo new K8s features are enabled yet, this will come separately.\n\nAlso bumps gVisor to the latest version and essentially reimplements the\nshim as the API has changed a lot.\n\nA drive-by fix in clitable was necessary as the x/tools upgrade\nintroduced a new analysis pass.\n\nChange-Id: I9d25af203b94667aaac69a71eeccad2d42aa5f99\nReviewed-on: https://review.monogon.dev/c/monogon/+/3622\nTested-by: Jenkins CI\nReviewed-by: Jan Schär \u003cjan@monogon.tech\u003e\n" }, { "commit": "652c2ad2e499ca709523978e04b3a3dbb6df642c", "tree": "4a31c1797694ed53331d1a998922c3587d940d5b", "parents": [ "36f0375c9834d82016cb077142d2eaaea981d7a5" ], "author": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Tue Nov 19 17:40:50 2024 +0100" }, "committer": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Wed Nov 20 13:55:19 2024 +0000" }, "message": "m/node/kubernetes: fix PV mount flags and add e2e test\n\nMount flags did not work because of two problems:\n- The provisioner did not copy them from the StorageClass to the\n PersistentVolume.\n- The CSI server used \u003d instead of |\u003d when adding flags, so only one of\n the flags was added or removed.\n\nThere was an existing e2e test for PVs, however this only created the\nPVC/PV without even attaching it to a container. I extended this test to\nattach the PV and check from inside the container that it has the\nexpected mount flags and quota.\n\nThe existing e2e test also created a block PV, however attaching a block\nPV to a container was not tested and is apparently broken, so I removed\nthis test for now.\n\nChange-Id: Ie14adfafd333eab38d2b5f1b4ce8a2aa8795eae0\nReviewed-on: https://review.monogon.dev/c/monogon/+/3613\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "a8938da203b9ecc42a61b4aa9e92b802bf0e4902", "tree": "52c8f2971cc6ce50b9bf17a490a7defbf66e69d2", "parents": [ "9eab31ccbba4a2db416e4c5c387d22ec672ea92f" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Fri Sep 13 22:34:01 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Mon Nov 11 16:03:55 2024 +0000" }, "message": "metropolis/node/kubernetes: add mountOptions support for PVs\n\nWe have very strict defaults on our data mount which prevents exec\u0027s and\nsuid binaries. By adding support for mountOptions on PVs we enable\nthe user to allow specific behaviour e.g. exec\u0027s on the given PV.\n\nChange-Id: I902cf3b9dafb14598cddc18c327ef3f5bcd6450b\nReviewed-on: https://review.monogon.dev/c/monogon/+/3421\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "78567601398f4db5a8080fd30038ff7ac6affe0f", "tree": "757ee7c8d374317366a2535dbfb48ceaa66700f0", "parents": [ "beec27c6bdc2da730ffa2a2be6a68e1610148913" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Oct 31 13:42:04 2024 +0000" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Nov 05 13:11:03 2024 +0000" }, "message": "metropolis: remove stutter in ClusterConfiguration.KubernetesConfig\n\nWe already know this is a config (it lives in ClusterConfiguration), no\nneed to call that a config again.\n\nThis doesn\u0027t break any compatibility yet as field names are not (yet)\nunder a stability guarantee.\n\nChange-Id: Ib6492d1c8303cbd0620b979b8047ec9757e301c0\nReviewed-on: https://review.monogon.dev/c/monogon/+/3594\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "e99638e3c7a2f1a604d49c47cc7a2685bfff8c5e", "tree": "636c243a58100c971cc3e224abf2c54324aad00a", "parents": [ "9579be5e09b6293edc78d3142b0c67a24afda93c" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Mon Sep 30 17:06:44 2024 +0000" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Mon Oct 28 14:22:49 2024 +0000" }, "message": "metropolis/node/kubernetes: synchronize metropolis node labels to kubernetes\n\nThis extends the labelmaker to manage Kubernetes node labels mirrored\nfrom Metropolis node labels.\n\nNote that currently there is no way to edit a ClusterConfiguration at\ncluster runtime, but this will come in a future CL.\n\nChange-Id: If7dbc3796085a8b85c1b5b2a181bcb1cee3d1db4\nReviewed-on: https://review.monogon.dev/c/monogon/+/3469\nReviewed-by: Jan Schär \u003cjan@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "6d1ff36763f1d48cf8620afd17321a06d2fbe228", "tree": "e0f48b5b138f51579de1ce2662e1b3a39acec6d3", "parents": [ "677de978403a58cd219e77b312b647927bd560ac" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Mon Sep 30 15:15:31 2024 +0000" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Mon Oct 28 14:22:49 2024 +0000" }, "message": "metropolis/node/kubernetes: update labels based on node roles\n\nThis implements the labelmaker, a reconciling loop running on Kubernetes\ncontroller nodes which updates Kubernetes node labels based on cluster\ndata.\n\nCurrently it only updates role labels based on cluster roles, but this\ncan be extended in the future to also replicate Metropolis node labels\ninto Kubernetes node labels.\n\nChange-Id: I9c5ba92bb46f064aa03836720d4a80adc6061ab9\nReviewed-on: https://review.monogon.dev/c/monogon/+/3464\nTested-by: Jenkins CI\nReviewed-by: Jan Schär \u003cjan@monogon.tech\u003e\n" }, { "commit": "0bc92a087ee0eb279ab29c3aba5d127b4202a2ea", "tree": "9c481ad86d6324cdd6bdfff4a55af4d4b4689f3c", "parents": [ "61b97a375aee98f58c13c13be672b442aecc8440" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Tue Oct 01 22:53:08 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Oct 10 15:55:35 2024 +0000" }, "message": "treewide: bump rules_oci to v2.0.0\n\nChange-Id: Idbeb3a3b7645c5b6f774eb43d218ca0bc79dccc1\nReviewed-on: https://review.monogon.dev/c/monogon/+/3474\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "5f1a7de2dfb5db1884fcb677a0bd38daf6dd3c97", "tree": "fd52bf35b4b2e6b5c51f56d62424c9d0820ef537", "parents": [ "e337e938ae8e08dffa3a01045571188413ce70ff" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Sep 19 02:00:14 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Sep 19 12:06:50 2024 +0000" }, "message": "treewide: fix %v in cases where we should use %w\n\nWe should always use %w when using fmt.Errorf as you can use error.Is to\ncompare the underlying error. When printing an error the use of %w is\nwrong and should be replaced with %v.\n\nChange-Id: I741111bd91dcee4099144d2ecaffa879fdbb34a2\nReviewed-on: https://review.monogon.dev/c/monogon/+/2993\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "e337e938ae8e08dffa3a01045571188413ce70ff", "tree": "f82fa1f5722c3eae99506510056fb6a5ce736309", "parents": [ "7a1b27df41a9729dd9669cdaabd6864afc5e85b7" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Sun Sep 15 20:14:39 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Wed Sep 18 22:27:59 2024 +0000" }, "message": "m/n/k/containerd: set device ownership based on security context\n\nWhen a user deploys a pod with a kvm device it is owned by root. By\nsetting device_ownership_from_security_context to true, containerd\nwill chown these devices to the uid/gid set in the securityContext.\nFor more informations see\nhttps://kubernetes.io/blog/2021/11/09/non-root-containers-and-devices/\n\nChange-Id: I1a0285dfc560c3c662d5e2eb8e37e68d87408b83\nReviewed-on: https://review.monogon.dev/c/monogon/+/3428\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "3c5d0635f855f16780792a6be311f71b4d59f20b", "tree": "4a48292bf17a874f2d627901ee4f7e9145c5b040", "parents": [ "a036c4e792e4b497c512991291b0cc18bc12b5e3" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Sep 12 10:49:12 2024 +0000" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Mon Sep 16 14:03:22 2024 +0000" }, "message": "osbase/logtree.LeveledLogger -\u003e go/logging.Leveled\n\nThis factors out the common leveled logger interface out of the logtree.\nWe want to use the same interface outside of logtree/supervisor usage\nwithin the resolver code, which will be exposed to clients.\n\nChange-Id: I299e76d91e8cefddf8f36f1e58432418c4694df2\nReviewed-on: https://review.monogon.dev/c/monogon/+/3411\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "732a88411de08ac44d1f2bdb6b948c39c9ddc727", "tree": "6c7b78cf514254594d3ccadbb41f6364dd2cc286", "parents": [ "688ee2b59301e5a0494890003a85583f8da07ec5" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Mon Aug 26 23:25:37 2024 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Aug 27 21:40:54 2024 +0000" }, "message": "treewide: update to Kubernetes 1.31\n\nOverall not that bad, we got rid of some workarounds and added some new\nones. Biggest change is a significant refactor of the hyperkube package\nas Kubernetes really doesn\u0027t like multiple of their top-level Cobra\ncommands to be instantiated. One new patch for gVisor as new fields got\nadded to a Linux struct which caused codegen to rename an existing one.\nThat patch will go away once [1] is released as this has been changed\nback again.\nOtherwise mostly standard rebases of patches. We currently have a\nwarning in kubelet as our containerd CRI does not support the\nRuntimeConfig RPC, but no released version of containerd has that and\nthe fallback works fine for now.\n\n[1] https://go-review.googlesource.com/c/sys/+/607876\n\nChange-Id: I275e5fb78bc1d09c4ca0e8b5705edbaa80f30d96\nReviewed-on: https://review.monogon.dev/c/monogon/+/3355\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "397f7eaa1e98554f8b9fed2c748e492bf739027b", "tree": "e0184b594e51a432b41f7ada43efdb1342e67061", "parents": [ "53964c1343dd37e29c8a61a44f47202b3f3726cc" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Aug 20 21:26:06 2024 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Aug 21 12:33:07 2024 +0000" }, "message": "m/n/kubernetes: set PV inode quota relative to capacity\n\nThis removes the hardcoded 100k inode limit which is very low for large\nPVs in favor of a scaled value dependent on its capacity. This\ntechnically allows overcommit as the inode space is not accounted for on\nthe capacity side, but this was already the case before, just with a\nstatic limit.\n\nChange-Id: I48816cd904127397907c1372e7cbb4b9b5ea60f2\nReviewed-on: https://review.monogon.dev/c/monogon/+/3339\nTested-by: Jenkins CI\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "91bf1c89cbb61cf9f8183306196bfda97dd852a5", "tree": "6c2c49d69e6db68917f2170055ddae5496664093", "parents": [ "a48bd3c3220063ed6beecf0b36ef6959f79f3790" ], "author": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Mon Jul 29 17:31:33 2024 +0200" }, "committer": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Wed Aug 21 11:10:01 2024 +0000" }, "message": "treewide: integrate new DNS server\n\nThis integrates the new DNS server into the network service, replacing \nCoreDNS.\n\nChange-Id: I1d2e0fd3315dc2c602a8f805ed701633799e9986\nReviewed-on: https://review.monogon.dev/c/monogon/+/3260\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "4cfcc0b0b25fba463225feae64232d40e02b570c", "tree": "69a7d9ce2d531c763d482e340afe5ceced40c068", "parents": [ "c5e0dbd3437d5c739d42d7724a619b126eabdbf5" ], "author": { "name": "Leopold Schabel", "email": "leo@monogon.tech", "time": "Wed Jul 24 13:23:26 2024 +0000" }, "committer": { "name": "Leopold Schabel", "email": "leo@monogon.tech", "time": "Thu Jul 25 12:02:52 2024 +0000" }, "message": "metropolis/node/kubernetes: allow privileged pods\n\nThere are valid use cases for privileged pods in low-assurance clusters.\nIn particular, \"kubectl debug node/... --profile\u003dsysadmin\" is very\nuseful for debugging and requires privileged pods.\n\nIn a production cluster, we\u0027d want to restrict privileged pods\nand other dangerous capabilities (which are already allowed)\nusing pod security or more sophisticated admission controllers,\nincluding enforcing future cluster integrity policy levels.\n\nChange-Id: I8f6470f636cdd13b7c980f04f08f95aaff833b20\nReviewed-on: https://review.monogon.dev/c/monogon/+/3246\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "3325b4b940370ad4282fdaa6027a5672ff8fdc2a", "tree": "7308d80e86a0d0ea34a5d2d5c8dac8cb2dd8efeb", "parents": [ "41b244857ee793cbf74552ec39f2ff614a686a56" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Mon Jul 15 19:19:49 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Mon Jul 22 21:25:58 2024 +0000" }, "message": "workspace: bump bazel_gazelle to v0.37.0\n\nChange-Id: I45a7769d80781075fdfb1c438240a75629dd572a\nReviewed-on: https://review.monogon.dev/c/monogon/+/3220\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "fe6b506b6124b39b0b36c483d03de3b4efc5bdc4", "tree": "b3a4cbd0f4890dc5ee9a30eb643b2d3e9aa79fa5", "parents": [ "9f21f5396aa18bc9f2f83c867ff883f49bbf02ae" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Jul 02 16:32:35 2024 +0000" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Thu Jul 04 14:50:22 2024 +0000" }, "message": "m/node: switch to cgroupv2\n\nThis switches us from legacy cgroup (v1) to cgroup v2 aka unified\ncgroup. Our versions of Kubernetes, containerd and runc/gVisor all\nsupport this by now.\n\ncgroup_bpf needs to be enabled in the kernel for containerd with cgroup\nv2. Also enable swap as this now works with cgroup v2, this gets rid of\na warning for every pod being started.\n\nWe are not really using cgroups ourselves, but as the root cgroup in v2\nis special, move our own process into a subgroup at startup.\n\nChange-Id: I8d63b2ad672568c052c3fe1a2306182f033667fa\nReviewed-on: https://review.monogon.dev/c/monogon/+/3207\nTested-by: Jenkins CI\nReviewed-by: Jan Schär \u003cjan@monogon.tech\u003e\n" }, { "commit": "9f21f5396aa18bc9f2f83c867ff883f49bbf02ae", "tree": "c232f42c84bd6b7ace576261a188134cb0c69771", "parents": [ "f430fbfe35b70283090b6174cf5a920163c0148c" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Tue May 07 15:14:20 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Jul 04 12:19:37 2024 +0000" }, "message": "treewide: introduce osbase package and move things around\n\nAll except localregistry moved from metropolis/pkg to osbase,\nlocalregistry moved to metropolis/test as its only used there anyway.\n\nChange-Id: If1a4bf377364bef0ac23169e1b90379c71b06d72\nReviewed-on: https://review.monogon.dev/c/monogon/+/3079\nTested-by: Jenkins CI\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "3b5a917c5a1ac49acad50eeacb5cf275efc3631e", "tree": "1da59c672acf3b68aab81fae38c6b6e5929b82a2", "parents": [ "988403453448d27f6df6eea0a232e97c2a2e739b" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu May 23 13:33:52 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu May 23 12:44:02 2024 +0000" }, "message": "treewide: initialize empty structs with var\n\nChange-Id: I72d3993eaf5fe57c77b1dda8218e36a8cc11813d\nReviewed-on: https://review.monogon.dev/c/monogon/+/3108\nTested-by: Jenkins CI\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "d5d33ba1e0798b48f56e6a1bc9178af9fc778179", "tree": "76f4f0b0a1175a77b64d5dd7469b3ec6a3d57c2d", "parents": [ "69f5f4e5ffac12c1d8e45e4cc9dc72868aa3af41" ], "author": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Wed May 15 11:45:35 2024 +0200" }, "committer": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Wed May 15 16:15:25 2024 +0000" }, "message": "m/n/k/reconciler: remove PSP role and rolebinding\n\nPod Security Policies have been removed from Kubernetes. The default PSP \nwas removed in commit 6211e4dc40, but the role and rolebinding was still \nleft. They do not have a function anymore. Now that reconciler updates \nare implemented, these will be removed from existing clusters after \nupgrading.\n\nChange-Id: Ia953a5ae03c581b15efc4e3b3711aaa008dc145d\nReviewed-on: https://review.monogon.dev/c/monogon/+/3091\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "69f5f4e5ffac12c1d8e45e4cc9dc72868aa3af41", "tree": "a28c2166fc40b1a2bee20070b4ae6788477ccf1f", "parents": [ "6bc958326f8bd4f3a1606e8a767d21f12f584e88" ], "author": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Wed May 15 10:32:07 2024 +0200" }, "committer": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Wed May 15 16:15:25 2024 +0000" }, "message": "m/n/k/reconciler: implement updates\n\nThe reconciler now checks if already present object are equal to the \nexpected object, and else updates them. If the update fails due to \nimmutable fields, the object is instead deleted and recreated.\n\nAlso, the reconciler now logs create/update/delete operations.\n\nFor the CSI driver, the StorageCapacity and RequiresRepublish were added \nand set to their default value. If we don\u0027t do this, the API server will \nadd these defaults, and then our update comparison fails. There is also \na new test which ensures that expected objects have all defaults already \napplied. This test will fail if a Kubernetes upgrade adds new fields \nwith default values.\n\nCloses #288.\n\nChange-Id: Ibfb37d07b4613ae1a883ad47715feeda87135820\nReviewed-on: https://review.monogon.dev/c/monogon/+/2893\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "d20ddccddf601c2a34cc5238bd82b6a4a1744502", "tree": "52eeeb7917b79220ad0f0cb34447525f7c21341b", "parents": [ "8bc82868fd289220078ff317235db084349d9f70" ], "author": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Wed May 08 14:18:29 2024 +0200" }, "committer": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Tue May 14 12:11:45 2024 +0000" }, "message": "m/n/k/reconciler: implement leader election\n\nBefore this change, the reconciler runs on all Kubernetes controllers. \nWhen we are in a rolling upgrade of the cluster where a reconciled \nobject changes, this will cause the old and new versions of the \nreconciler to fight each other, constantly updating the object back and \nforth.\n\nNow, the reconciler is elected among nodes of the latest release. The \nstatus of the reconciliation is communicated to all Kubernetes \ncontrollers through a new key-value in etcd.\n\nAdditionally, compatibility constraints can be expressed by changing the \nconstants minReconcilerRelease and minApiserverRelease, allowing \nreconciliation to happen in a controlled way that ensures compatibility \neven during rolling upgrades.\n\nChange-Id: Iaf7c27702bd9809a13d47bcf041b71438353bef2\nReviewed-on: https://review.monogon.dev/c/monogon/+/3062\nTested-by: Jenkins CI\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "ddc5e6a098c24c1e69b5c692f534b05dbc763367", "tree": "962bc2b07f054b9c2552018a305fca2d9ee277f9", "parents": [ "2d83a128f6096b8133af9edec00e1cd0cd8215b0" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Tue Apr 23 23:44:34 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Mon May 06 13:34:32 2024 +0000" }, "message": "treewide: update to UwUbernetes (Kubernetes 1.30)\n\nCo-authored-by: Serge Bazanski \u003cserge@monogon.tech\u003e\nCo-authored-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nChange-Id: Id923f503938314ef8fb4243f36604752edbb4605\nReviewed-on: https://review.monogon.dev/c/monogon/+/3047\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "2d83a128f6096b8133af9edec00e1cd0cd8215b0", "tree": "5fffaa49de3a25ffb8f2588b4050e2da7879ce4a", "parents": [ "6ea5762b371bd7a6b35538b37b2781f8386dd323" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Mon May 06 14:38:32 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Mon May 06 13:33:59 2024 +0000" }, "message": "m/n/k/p/kvmdevice: fix device inode error handling\n\nThis was broken in d5f851bb47, where the inverted logic was not kept\nwhen migrating to errors.Is.\n\nChange-Id: Id1bbc96f80b33df539a3a5051d56e126bb453390\nReviewed-on: https://review.monogon.dev/c/monogon/+/3077\nTested-by: Jenkins CI\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\n" }, { "commit": "51daf25d90adca76375e0d141c93d692ab2cd2eb", "tree": "6784b8f4a4c5facdc345ef1d47e0946a6267e74a", "parents": [ "b41b548058101e663a9591beaf2c491a44638d56" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Apr 18 23:18:43 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Wed Apr 24 22:29:11 2024 +0000" }, "message": "treewide: documentation on exported functions should start with their name\n\nChange-Id: Iea3e929bed743d7edfbf5b54bbaa31796aeaaadd\nReviewed-on: https://review.monogon.dev/c/monogon/+/3027\nVouch-Run-CI: Tim Windelschmidt \u003ctim@monogon.tech\u003e\nTested-by: Jenkins CI\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "096654adb312a1bc858a0f886b8fba755eab52b4", "tree": "bb753ba3a24eab6a63b7f7c1757f35f0540b880a", "parents": [ "a355821fa06a7f68ff8ddca6050f71e92e4939a5" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Apr 18 23:10:19 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Wed Apr 24 22:29:11 2024 +0000" }, "message": "treewide: add missing error handling\n\nChange-Id: I55ccf3ff490b58f6af93e665c668428acddc8d65\nReviewed-on: https://review.monogon.dev/c/monogon/+/3019\nVouch-Run-CI: Tim Windelschmidt \u003ctim@monogon.tech\u003e\nTested-by: Jenkins CI\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "92316fdcb21e4cba0494793f5b90924accfd3fc3", "tree": "3e58fea500fec60fc0df8542f1737173de8677d5", "parents": [ "24ce66f0f5f5dac457d5e65beb2980db6780a72a" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Apr 18 23:06:40 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Wed Apr 24 22:29:11 2024 +0000" }, "message": "treewide: remove unnecessary use of fmt.Sprint\n\nChange-Id: I619dcf56665365e09be27e7c58b8b3596715b8b4\nReviewed-on: https://review.monogon.dev/c/monogon/+/3016\nTested-by: Jenkins CI\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\nVouch-Run-CI: Tim Windelschmidt \u003ctim@monogon.tech\u003e\n" }, { "commit": "24ce66f0f5f5dac457d5e65beb2980db6780a72a", "tree": "ca5e78ebae92122ec6f9cbe5cf34e64984ebcc05", "parents": [ "2d0230524e96bdca53354fe191554342674c5fc4" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Apr 18 23:59:24 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Wed Apr 24 22:29:11 2024 +0000" }, "message": "metropolis/node/kubernetes/reconciler: remove redundant nil check\n\nChange-Id: I0ebd2d8d815a964fa854e86868a4870b754ea548\nReviewed-on: https://review.monogon.dev/c/monogon/+/3015\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\nVouch-Run-CI: Tim Windelschmidt \u003ctim@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "6e5b8a5b7ad46cc519ba3ca6166cee160b536185", "tree": "89460ff19e0b4f63abe13e5e2c3bd68acfd33f30", "parents": [ "62a02ea54a45152baea559172b95c94822b8fa1c" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Wed Apr 17 02:34:07 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Wed Apr 24 14:22:13 2024 +0000" }, "message": "treewide: add nolint exceptions for returnerrcheck\n\nChange-Id: Ife7e28de0317627994cb55d6bd5b10fa6016332b\nReviewed-on: https://review.monogon.dev/c/monogon/+/2997\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "d5f851bb477638436826adec756fe562db526865", "tree": "d981b1c62d613b45fb55023da289098d7e377705", "parents": [ "69fec522d5db79d07bb1f227c2ab39c57fdf2831" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Tue Apr 23 14:59:37 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Wed Apr 24 13:15:14 2024 +0000" }, "message": "treewide: replace error comparisons and assertions with errors.Is\n\nChange-Id: Id2424eb155f2c6842c72c5fafd124d428ef901f2\nReviewed-on: https://review.monogon.dev/c/monogon/+/2994\nTested-by: Jenkins CI\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "49c9ab02d7ce200db6defbc82d95646ac4d64804", "tree": "da4d21a21fe25fa6a9e6211e26d8c0ef4ebece1f", "parents": [ "0c57d34190434556847345072371a42a9e1c3154" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Apr 11 01:39:06 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Mon Apr 15 21:31:42 2024 +0000" }, "message": "treewide: dont seed random\n\nAs of Go 1.20 there is no reason to call Seed with a random value.\nPrograms that call Seed with a known value to get a specific sequence\nof results should use New(NewSource(seed)) to obtain a local random generator.\n\nChange-Id: Ice1bbfefd900e6e9241428ec345f51f780eed91f\nReviewed-on: https://review.monogon.dev/c/monogon/+/2960\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "3810567012959d2871400ce2ecd39f53b9072bc3", "tree": "d1821ba3db669deec3a240dceb9bbf544b68c611", "parents": [ "2a74e58ac02d0bf6ae25ae1ec4d8f187dd7db5ba" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Apr 11 01:37:29 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Mon Apr 15 21:31:42 2024 +0000" }, "message": "treewide: remove shadowing of stdlib functions\n\nChange-Id: Iaccb22769d53568f6a4004924c218b9929090d89\nReviewed-on: https://review.monogon.dev/c/monogon/+/2957\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "6b6428da110db384cad1f1d65c81f1874c8cecae", "tree": "f44e7d1ffcc410893a9851e76e81939b178853df", "parents": [ "5e460a92353ec619f4f12fffbe3281d40c85cf61" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Apr 11 01:35:41 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Mon Apr 15 21:31:42 2024 +0000" }, "message": "treewide: remove redundant loop vars\n\nChange-Id: I61bada9e3df38e6a94cd6c8fe2d0d8f3ba41c1af\nReviewed-on: https://review.monogon.dev/c/monogon/+/2955\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "6211e4dc404a285d858e1ecc69ac488c9cabb96b", "tree": "ff3b84efffb58982e0e55e61ed7fceb5df9609dc", "parents": [ "2ac249bf8e571ae7fd134b586ff9c87dce520956" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Nov 14 19:09:40 2023 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Mon Apr 15 14:45:53 2024 +0000" }, "message": "treewide: k8s 1.28 and lots related updates\n\nFirst, this contains a bunch of dependency updates. Important ones in no\nparticular order:\nKubernetes 1.24.2 -\u003e 1.28.8\netcd 3.5.4 -\u003e 3.5.13\nProtobuf 1.32.0 -\u003e 1.33.0\nOpenTelemetry 0.20.0 -\u003e 1.20.0\ncontainerd 1.6.6 -\u003e 1.7.15\nCoreDNS 1.9.2 -\u003e 1.11.1\n\nWith Kubernetes 1.25 PodSecurityPolicies are removed, this replaces them\nwith a static PodSecurity admission configuration which behaves the same\nor is slightly more permissive in most ways. Only known exceptions are\nthat NET_RAW is no longer an allowed permission and non-standard SELinux\nlabels are no longer permitted (but these never did anything anyways).\nThe RBAC policies are intentionally not removed yet as we do not yet\nhave the capability to actually update these, so they will be removed\nwhen that is available (#288), until then they will stay in-place but\ndo nothing.\n\nWith the containerd upgrade the deprecated option for ignoring\npreseeded/pinned images for garbage collection in Kubelet can be\nremoved.\n\nThis change also contains some drive-by fixes to the controller-manager,\nlike passing the Service IP net and disabling cloud-related control\nloops which generate spurious warnings if enabled.\n\nThe containerd tracing patch is removed as we can now use OTel v1, thus\nthat patch is no longer necessary.\n\nAn actual upgrade test will be part of a future CL as this one is\nalready quite large and it works stand-alone.\n\nCo-authored-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\nChange-Id: I8e5f51e6e6240a1b67590458b2f1c24d58c8e91e\nReviewed-on: https://review.monogon.dev/c/monogon/+/2315\nTested-by: Jenkins CI\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\n" }, { "commit": "20b9812e5138784e4e451911f85136e790a759fd", "tree": "d66d8ad643cc9c5f9ea77520856aa092fcab75f2", "parents": [ "db3866a782c443baf4eac4e1cf2b7d03b1bf6c5e" ], "author": { "name": "Jan Schär", "email": "jan@jschaer.ch", "time": "Tue Apr 09 10:44:49 2024 +0200" }, "committer": { "name": "Jan Schär", "email": "jan@jschaer.ch", "time": "Tue Apr 09 10:17:51 2024 +0000" }, "message": "m/n/k/clusternet: delete unused file\n\nThe mentioned pull request was merged, this file is no longer used.\n\nChange-Id: Ibc573e054e53e6ef23684707ec4178afdc301878\nReviewed-on: https://review.monogon.dev/c/monogon/+/2934\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\nVouch-Run-CI: Serge Bazanski \u003cserge@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "3bdb5fcf023968526dfe7fadb89b0911bc6d7074", "tree": "37a8c1abdee1cf54b25ca0adf868ed879e4db7b3", "parents": [ "22a71c147af31d02a0db298e2ca8356078471b93" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Mar 14 18:47:35 2024 +0100" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Wed Apr 03 15:49:26 2024 +0000" }, "message": "metropolis/core/metrics: expose containerd metrics endpoint\n\nThis adds containerd as another metrics endpoint. It is only available\non nodes with the KubernetesWorker role.\n\nChange-Id: I5f6269165a81d9a4c4cff48d3ed6b6a55d7f4f46\nReviewed-on: https://review.monogon.dev/c/monogon/+/2861\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "22a71c147af31d02a0db298e2ca8356078471b93", "tree": "7f532c633bb06664a105a28e5aa770e00724d977", "parents": [ "ec2906a6874e223813593128b6e72594a1ecfb0f" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Wed Apr 03 04:06:08 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Wed Apr 03 14:55:50 2024 +0000" }, "message": "metropolis/node/kubernetes/metricsproxy: clarify error message\n\nIf the metricsproxy fails to reach its target, we should not return the\nsame error message as the metrics service as that would be confusing.\n\nChange-Id: Ia158686d5a7db3e8e62e149a1c7dc8773702a233\nReviewed-on: https://review.monogon.dev/c/monogon/+/2912\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "7f72748c67df593b110176422d27be878a7a37f4", "tree": "75a621c3ae4ec5daf0d90dffcf298583ef3240c9", "parents": [ "23e5230930b482807be2f7fd29c6f14badf3ad0f" ], "author": { "name": "Jan Schär", "email": "jan@jschaer.ch", "time": "Mon Mar 25 13:03:51 2024 +0100" }, "committer": { "name": "Jan Schär", "email": "jan@jschaer.ch", "time": "Mon Mar 25 19:41:38 2024 +0000" }, "message": "m/n/k/reconciler: refactor resource interface\n\nReplace interface{} with meta.Object, an interface which provides \naccessors for and is implemented by meta.ObjectMeta. List now returns \nthe objects themselves instead of their names. This makes the reconciler \nslightly less generic, as it now only supports kubernetes objects.\n\nThis is a refactoring in preparation for implementing updates in the \nreconciler. There should be no change in behavior.\n\nChange-Id: I97a4b1c0166a1e6fd0f247ee04e7c44cff570fd7\nReviewed-on: https://review.monogon.dev/c/monogon/+/2891\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\nVouch-Run-CI: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "b63ed8a6d7eaaf0fa58b127d90001dc805d72c45", "tree": "4c1cec25146e8936f7d3f9a09c1e031453e1c5d4", "parents": [ "1ac503c7ddd16c796fb163bcbace7a1db24d5201" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Mar 05 14:24:38 2024 +0000" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Mar 21 11:03:54 2024 +0000" }, "message": "m/n/core/network: drop Watch/Value methods, expose Status\n\nThe Watch/Value methods were a leftover from before we had a unified\nevent value API.\n\nChange-Id: Id61732e0570e5fe3d9420857728b1f8a9769e697\nReviewed-on: https://review.monogon.dev/c/monogon/+/2876\nTested-by: Jenkins CI\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\n" }, { "commit": "1dd0c6591533bf63389e81a2104bca3c8326e871", "tree": "e33a710087b67dfe7f34e8434cff8885dc38420c", "parents": [ "456961d6589c1afec75954ca94ed631e1f380566" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Feb 20 18:45:06 2024 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Feb 20 18:12:12 2024 +0000" }, "message": "m/n/kubernetes: improve CSI registration reliability\n\nKubelet\u0027s plugin registration mechanism is quite awful, it\nrelies on being notified by inotify that a new registration socket has\nbeen placed into a specific path, which it then interrogates and\nreports back if the registration succeeded.\n\nThat registration sometimes involves network operations which are prone\nto failure. It reports that failure back to the registration server\nasynchronously but does not attempt to retry the process.\n\nTo actually get Kubelet to retry, one needs to remove and recreate the\nregistration socket.\n\nThis change implements such a mechanism, recreating the socket and\nregistration server on every reported registration failure.\n\nSupervisor backoff is used to prevent busy-looping on non-transient\nerrors.\n\nChange-Id: I79eaf0efdf55ccdede15d8cee42cda7c276e4b50\nReviewed-on: https://review.monogon.dev/c/monogon/+/2785\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "456961d6589c1afec75954ca94ed631e1f380566", "tree": "ac99bfa39deefe0f4aca7478077a66ef8b7c9d74", "parents": [ "1e90c6d29a4af63fa01b472b7a49bdba256797b2" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Feb 20 13:18:26 2024 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Feb 20 18:12:12 2024 +0000" }, "message": "m/n/k/reconciler: set fsGroupPolicy for CSI driver\n\nThis fixes an issue where kubelet did not apply fsGroupChangePolicy due\nto questionable capability detection code with the default\nfsGroupPolicy. Setting this to the File policy asserts that this driver\nalways supports ownership changes and thus bypasses that Kubernetes\ncapability detection code.\n\nChange-Id: I4799a01561af4f3d9c0de7a6040fd5f9db784d3e\nReviewed-on: https://review.monogon.dev/c/monogon/+/2784\nTested-by: Jenkins CI\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\n" }, { "commit": "9c4bece001c15d6ae4793016b2e3854627b2164c", "tree": "3381a01d7f7d3e9fd9f6c6e2e037a3a76e5ce8ce", "parents": [ "93020d77a383e68fd4b1adfafaf136c405648172" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Tue Feb 13 18:32:44 2024 +0100" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Tue Feb 13 19:53:58 2024 +0000" }, "message": "m/n/k/containerd: clarify preseed log message\n\nChanging this log message makes it easier to understand what happens.\n\nBefore:\n```\nSuccessfully imported preseeded bundle\nk8s.io/docker.io/bazel/metropolis/test/e2e/preseedtest:preseedtest_image\ninto containerd\n```\n\nAfter:\n```\nSuccessfully imported preseeded bundle\n\"docker.io/bazel/metropolis/test/e2e/preseedtest:preseedtest_image\" into\ncontainerd namespace k8s.io\n```\n\nCloses monogon-dev/monogon#287\n\nChange-Id: I932d36b0cc1926d7248028c8a412f921562a9858\nReviewed-on: https://review.monogon.dev/c/monogon/+/2768\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "93020d77a383e68fd4b1adfafaf136c405648172", "tree": "f35720a2f35a6efdb63b8044ece9d71121929bd9", "parents": [ "502f9973502fec41d358e0c3939f61c5cf58e0de" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Tue Feb 13 18:13:07 2024 +0100" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Tue Feb 13 19:53:34 2024 +0000" }, "message": "m/n/k/containerd: use preseeded pause container\n\nTo allow no-network tests we need to bundle the pause container.\n\nChange-Id: I1fa6bb70c10a16097d35d919941f501ddc5f784d\nReviewed-on: https://review.monogon.dev/c/monogon/+/2767\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "ad86a55c9c507478e2c4989f50912d7869164066", "tree": "214d48bcad4ede5909af88ce7deaadedd2d9fbe0", "parents": [ "7dbf18c1932b5c7945a2ba53d7580a6857cda5d3" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Wed Jan 31 17:46:47 2024 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Feb 08 11:10:07 2024 +0000" }, "message": "m/n/kubernetes: serve authproxy with node certificate\n\nWe are currently serving authproxy with the Kubernetes node certificate,\nwhich is somewhat useless, considering that this certificate isn\u0027t even\nissued by the same CA that the client certificates (which are Metropolis\ncertificates) presented.\n\nThis changes the authproxy to serve with Metropolis node certificates\ninstead.\n\nChange-Id: I03ff19c919c6a9fa72c98997432cc06a59e9958e\nReviewed-on: https://review.monogon.dev/c/monogon/+/2740\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "e6e570ae3c26c5fda4855522e8cf04644627295f", "tree": "1678ee01ccfc5277f2e6f79858466a2847d291fd", "parents": [ "6fa92ac53f2cbeb3b2e63dea9f87b1b19a680434" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Nov 28 19:23:19 2023 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Nov 29 12:23:41 2023 +0000" }, "message": "m/n/k/nfproxy: use discovery/v1 API\n\nThe old discovery/v1beta1 is deprecated and removed in 1.25. We need to\nget nfproxy to use the new API (available since 1.21) before we jump\nto a K8s control plane version above 1.25.\n\nChange-Id: I6336e168e9efbfc4a7b41f6fe15efebf95624df2\nReviewed-on: https://review.monogon.dev/c/monogon/+/2407\nTested-by: Jenkins CI\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\n" }, { "commit": "4b42c8a429b1d061faa9823c1ac26adaac3dc012", "tree": "e5bf8412d8fceb0178cbf93b7623934299b475e3", "parents": [ "a6a039209495ee74c2e830a55f496e901b6a3b5b" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Sun Nov 19 07:02:51 2023 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Mon Nov 20 22:13:16 2023 +0000" }, "message": "m/n/c/metrics: add kube-apiserver\n\nThis adds the Kubernetes API Server metrics to the list of exported\nmetrics.\n\nChange-Id: Ie5827441362787a3bff03ec6cff1f07332b0ae34\nReviewed-on: https://review.monogon.dev/c/monogon/+/2335\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "60461b2b23eb57319525a3e00d7ae57e51598ebc", "tree": "17f4eb857a29b08a6e2be059279b9d88691aff09", "parents": [ "3fd0977e92c3e86cdfde736debdda66af05d1015" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Oct 26 19:16:59 2023 +0200" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Mon Nov 13 21:05:16 2023 +0000" }, "message": "metropolis: move curator client watches to curator/watcher\n\nThis replaces all the ad-hoc code to watch Curator node(s) with calls\nthrough the new curator/watcher library.\n\nChange-Id: Ie2a82b330e4108b9b725515cb10595916c38b323\nReviewed-on: https://review.monogon.dev/c/monogon/+/2263\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "f64f197c8039a72d82efaae6a21f725d3cd3ac7a", "tree": "302a5d9c6ee1d5cdf2b2c8e4abe7b0609c9a2ffa", "parents": [ "54a5a053f2250c03d8476293ecb98fdb458ee5fd" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Fri Jul 28 00:00:50 2023 +0000" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Wed Oct 11 10:53:00 2023 +0000" }, "message": "metropolis/node/core/metrics: fixup metrics authentication\n\nChange-Id: I67643855ab61bfdea980211ffe01e50c2409882b\nReviewed-on: https://review.monogon.dev/c/monogon/+/1979\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "65702194ea264a0fd01fb470bacaf39264b4f637", "tree": "3469201097b30e638f1e446655e1d23b33d90f8d", "parents": [ "f551a7696824a9ddbac63191c489db8280aee0a4" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Thu Aug 31 16:27:38 2023 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Sep 14 13:43:45 2023 +0000" }, "message": "workspace: rules_go, gazelle, go, gVisor update\n\nThis commit not only updates rules_go and friends, but also updates\ngVisor, removes legacy protobuf usage and switches from using\nbuild_configuration to a config flag for bazel\n\nChange-Id: Idb383f35ca0fec4cb7329e9d991f08f28cf9b1fb\nReviewed-on: https://review.monogon.dev/c/monogon/+/2129\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "90613afdf11f7831fc0a673f2fe502c28ab93729", "tree": "1f524cdd0e25a3dd28ff350803d2bc296c3d6fda", "parents": [ "88a76b7a89b3fc81b9135b1197e1ea6fd3698121" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Jul 20 14:26:18 2023 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Wed Jul 26 12:04:58 2023 +0000" }, "message": "metropolis/node/kubernetes: fix mtls authentication to (controller-manager|scheduler)\n\nPreviously it wasn\u0027t possible to authenticate against the services\nas they had no CA they trusted for the sent client certificate.\n\nChange-Id: Ic7cd2419a9e3496680a9393424c7ca1780c4d38c\nReviewed-on: https://review.monogon.dev/c/monogon/+/1951\nTested-by: Jenkins CI\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "150f24a5421dc1449d79a801524a7c98754f7bca", "tree": "c4f69b7e6260a241f3d946b36eda309e2539ccba", "parents": [ "901c7326fe067707812757e4e9409f756edf0e37" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Thu Jul 13 20:11:06 2023 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Jul 19 12:17:34 2023 +0000" }, "message": "metropolis/test: use localregistry\n\nThis removes everything but the preseed test image from the preseed\nimage pool, instead opting to serve all test image via localregistry.\n\nThe registry API is served from a dedicated IP inside the virtual\nnetwork and forwarded to an ephemeral listener on the host. The relevant\ninfrastructure is added to the launch package.\n\nAs it is required to add configuration to containerd for this registry\nanyways as it does not and should not have TLS we take that opportunity\nto give it a descriptive name (test.monogon.internal).\n\nVisibilities of images are also adjusted as they are now referenced much\ncloser to their point of use.\n\nAgainst main this saves 51MiB in bundle size (289MiB -\u003e 238MiB).\n\nChange-Id: I31f732eb8c4ccec486204f35e3635b588fd9c85b\nReviewed-on: https://review.monogon.dev/c/monogon/+/1927\nTested-by: Jenkins CI\nReviewed-by: Leopold Schabel \u003cleo@monogon.tech\u003e\n" }, { "commit": "d1c392a788043f2bd82d936a334bd01e1be97421", "tree": "1bdf2d7a4d7a54b2d8bda0c3c729eb2c9eef90a4", "parents": [ "0553f885b84ca97384ffdb942b30c67d23166a16" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Thu Jul 06 19:10:56 2023 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Jul 11 10:48:05 2023 +0000" }, "message": "m/n/kubernetes: fix CSI local PV publishing\n\nExperimentally confirmed to fix pods stuck in creating because the\nmount syscall failed with ENOENT because the target directory did not\nexist. The current CSI spec now explicitly says that creation of\ntarget_path is the responsibility of the storage plugin, so let\u0027s\nactually create that directory.\n\nChange-Id: I57d8086f2e70040095206c36e4302b352d06bb84\nReviewed-on: https://review.monogon.dev/c/monogon/+/1914\nTested-by: Jenkins CI\nReviewed-by: Leopold Schabel \u003cleo@monogon.tech\u003e\n" }, { "commit": "0300077941db0edfdcac0ae42e4a5dad3e8d3fd7", "tree": "979cfc5f4269d3428b725acd79b9a216db8a6f82", "parents": [ "a2ee88d585b9b8603f47544c95f09b380b92b5e2" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Mon Jul 03 02:19:28 2023 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Tue Jul 04 18:58:49 2023 +0000" }, "message": "metropolis/node: allow all ports as NodePorts except special ones\n\nAs we dont have hostPort implemented we can only provide NodePorts to\napplications. To allow apps to use all ports we have to increase the range\nbut have to prevent them from using reserved metropolis ones. This is\ncurrently prevented by patching the allocator and hardcode all of them.\n\nChange-Id: I7c0e8b17643d1ec03e1a1b678bc6276881b1c5e5\nReviewed-on: https://review.monogon.dev/c/monogon/+/1884\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "4599aa2dfa42a7b694ad295bc700db03de96d7f5", "tree": "411035d2b647dcb1adc68db8f22c4384befa8294", "parents": [ "6f5995153827f2b191cc2faebe21ca58764af33b" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Jun 28 13:09:32 2023 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Jun 28 12:20:57 2023 +0000" }, "message": "m/n/k8s: fix start after unclean shutdown\n\nBoth the kvmdevice as well as the CSI runnables listen on Unix sockets.\nThese are normally removed on close (this is actually the default for\nsockets opened wiht ListenUnix, thus drop setting this), but when an\nunclean shutdown occurs they persist. Since one cannot listen on an\nalready-existing socket, opportunistically remove them before listening.\n\nChange-Id: I11d986a2816fde3d7ffef0817ae3bbf39bba4faf\nReviewed-on: https://review.monogon.dev/c/monogon/+/1867\nTested-by: Jenkins CI\nReviewed-by: Leopold Schabel \u003cleo@monogon.tech\u003e\n" }, { "commit": "2f7e0a281e72ae45fff6c4d79934442367475b81", "tree": "4dcd2233a274bef4645c4bfbbbd62f072d11481a", "parents": [ "c49b207a66a994ccda382d685022d08cbd9ee582" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Thu Jun 22 16:56:13 2023 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Thu Jun 22 16:36:33 2023 +0000" }, "message": "m/node: enlarge K8s networks\n\nFor bigger clusters, the current 10.0.0.0/16 subnet is far too small.\nSwitch to 10.192.0.0/11 which should be out of the way of most of our\ntest infra and is large enough for 8192 nodes with 253 pods which is\nbig enough for the time being. Also migrate the service network\nto 10.224.0.0/16 and make it much bigger. It does not need to be in the\npod CIDR, so move it out of there.\nBut for large clusters this will continue to be a problem until we have\na better allocation algorithm or switch to IPv6 with 464xlat (which\nis not supported on Linux currently however).\n\nChange-Id: Ib3a019fffacec2172721f04c01133b44bffba73b\nReviewed-on: https://review.monogon.dev/c/monogon/+/1848\nReviewed-by: Leopold Schabel \u003cleo@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "51a3ed59a1408fe5d8103dca5b6a04dbaa4e5b6a", "tree": "b17dd748b088b4c7899c4aee0a1ab862a59509b4", "parents": [ "186109c55db3121749311fc2e954be0eaccdf249" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Jun 21 16:45:15 2023 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Thu Jun 22 12:33:31 2023 +0000" }, "message": "m/n/k/containerd: change default runtime to runc\n\nFor high-security usecases it might still make sense to force gVisor,\nbut generally people expect runc as the default runtime. gVisor can\nstill be used by specifying a runtimeclass in the pod.\n\nChange-Id: Idc02275fd00c2a7dff3ce6949268294afa5644eb\nReviewed-on: https://review.monogon.dev/c/monogon/+/1839\nTested-by: Jenkins CI\nReviewed-by: Leopold Schabel \u003cleo@monogon.tech\u003e\n" }, { "commit": "0e291a193cbfd0b169e749e7f28adc954a58f560", "tree": "01b7ad51279b9060c3c967a0061826d37dbfaf01", "parents": [ "4264b8c641109c05c4828b40cd2e01e686890903" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Thu Jun 01 12:22:45 2023 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Jun 13 13:03:53 2023 +0000" }, "message": "m/node: clean up DNS service\n\nThe primary change in here is that CoreDNS now only listens on the\nloopback interface by default.\nThis fixes #217 as it cannot be accessed from the outside anymore.\nSince the containers do not share the host network namespace, they can\nnow no longer access the DNS service. This is solved by introducing a\nnew Network Service API to add listener IPs and using a link-local IP,\n169.254.77.53 for the container DNS.\nWhile at it, I cleaned up various parts of the DNS code.\n\nChange-Id: Id7b618f62690032db335e8478b9de84410c210a1\nReviewed-on: https://review.monogon.dev/c/monogon/+/1759\nTested-by: Jenkins CI\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "2cfafc9a4c34152dd93b58aa82df1720fb4dd6d6", "tree": "7a944999ab576f4b421651c2c4d513b0b572a1be", "parents": [ "d0be371ea905c3729f98d91d255d775b7c5193d3" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Mar 21 16:42:47 2023 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Apr 13 14:03:02 2023 +0000" }, "message": "metropolis/node/kubernetes: move worker services to KubernetesWorker nodes\n\nThis finalizes the Big Split. After this change, nodes will only run a\nkubelet (and related services) if they have a KubernetesWorker role\nattached.\n\nThe first node in a new cluster now starts out with KubernetesController\nand ConsensusMember. All joined nodes start with no roles attached.\n\nChange-Id: I25a059318450b7d2dd3c19f3653fc15367867693\nReviewed-on: https://review.monogon.dev/c/monogon/+/1380\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "b565cc679cd5af598dc863890a3e1cce98eb1c57", "tree": "eddf2b4b5636b0c5086cf8fb874927cdc73659c1", "parents": [ "9104e381ab7a2c90087843de00204eed9ed7cf99" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Mar 30 18:43:51 2023 +0200" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Apr 06 14:19:17 2023 +0000" }, "message": "m/n/core/clusternet: grab external IP address prefix from network service\n\nThis moves the logic for merging the node IP and node prefixes from the\nsubmitter of the prefixes into the clusternet logic itself.\n\nThis means clusternet now has two independent sources of prefix data:\nthe network service\u0027s external IP address, and the kubelet\u0027s node\nprefixes.\n\nThis simplifies use in a worker/controller split, where a controller\nnode normally doesn\u0027t submit any prefixes as it\u0027s not running a kubelet\nor kubelet-adjacent prefixes - but we still want it to submit its\nexternal IP address.\n\nChange-Id: I46c9430228ce966426d3a8d33a765ecfdfca0d29\nReviewed-on: https://review.monogon.dev/c/monogon/+/1479\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "7920852953a4b0846ddb16cb82a038b064ba473a", "tree": "afa919bc332a93bd0666714843632cffa1095170", "parents": [ "4e6eae2bec769a565eece47438fcb594e7da2765" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Mar 28 20:14:58 2023 +0200" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Wed Apr 05 14:14:44 2023 +0000" }, "message": "m/n/kubernetes: use node clusternet to submit cluster networking routes\n\nThis completes the work on using the new cluster networking service from\nKubernetes, thereby allowing non-worker nodes to participate in cluster\nnetworking.\n\nChange-Id: I7f3759186d7c8cc49833be29963f82a1714d293e\nReviewed-on: https://review.monogon.dev/c/monogon/+/1418\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "6d6ed31da287a055b18dedaa1fd70420994c66ae", "tree": "59de543dc0ad9bed120c29c62fdf19508b1ce341", "parents": [ "1fdab13a2ea1411b332f67cfa9b1216753b9eb11" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Mon Mar 27 11:04:14 2023 +0200" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Mon Apr 03 14:02:00 2023 +0000" }, "message": "m/n/kubernetes/{clusternet,nfproxy}: log informer errors\n\nChange-Id: I9ea1444c7042dd25c25cecc6b6da054554010a85\nReviewed-on: https://review.monogon.dev/c/monogon/+/1447\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "fe39cc21b69bb9fd9f641dfc6b3514386cbb0d4c", "tree": "2c4ff1bc567bb6b5e276bef2028fc196cbc37f2b", "parents": [ "e88ffe9af09b2740bfe0c47ec1efae0380d4f706" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Mar 21 14:21:54 2023 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Mar 23 12:21:21 2023 +0000" }, "message": "m/n/c/curator: implement IssueCertificate for Kubernetes Workers\n\nThis is not yet used in this change, but will be very soon.\n\nChange-Id: I0283941f15211515537d2b23e0c8cd72dc2d77c5\nReviewed-on: https://review.monogon.dev/c/monogon/+/1378\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "e88ffe9af09b2740bfe0c47ec1efae0380d4f706", "tree": "da2fac1e9bd4343250bc01c1bff81062d7ee60a7", "parents": [ "e6719b379b19ad4439b5fd38da035a3043008d97" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Mar 21 13:38:46 2023 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Mar 23 12:04:17 2023 +0000" }, "message": "m/n/kubernetes: factor out generating KPKI, support multiple endpoints in Kubeconfig\n\nChange-Id: I0e648c24ffa134314a03715575d1af1b925fd450\nReviewed-on: https://review.monogon.dev/c/monogon/+/1377\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "d85a40ab6fa79efca11b02522b89855952226f33", "tree": "408907867ea99dbc07a5d61ec70b2c8478a57414", "parents": [ "d6fee31d519a22720ae0342e02ccdba405b62ded" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Wed Mar 22 11:14:08 2023 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Wed Mar 22 11:57:36 2023 +0000" }, "message": "m/n/kubernetes/service: only note lack of reconciliation every 10 seconds\n\nChange-Id: I6e070325daa265e2e0a65bc5f5e69cc5c9869a04\nReviewed-on: https://review.monogon.dev/c/monogon/+/1384\nTested-by: Jenkins CI\nReviewed-by: Leopold Schabel \u003cleo@monogon.tech\u003e\n" }, { "commit": "6fdca3f2e8b60f53f69c8cd39a02109cc47059ac", "tree": "f875b3e103037078ece4842fcdd77cbb87d7a6cf", "parents": [ "f71fe9278055d5a892448554aa7c59862256db7d" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Mon Mar 20 17:47:07 2023 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Wed Mar 22 11:33:51 2023 +0000" }, "message": "m/n/kubernetes: start splitting, run apiproxy\n\nThis begins the process to split the Kubernetes service into a\ncontroller and a worker service.\n\nFirst, we rename the existing service to a Controller, create a Worker\nservice, and make the Worker service run our new tinylb-based apiserver\nloadbalancer.\n\nWe also make the roleserver aware of this change by making it spawn both\nthe controller and worker services according to roles.\n\nWe will move services to the Worker in follow up change requests.\n\nChange-Id: I76e98baa0603ad5df30b5892dd69154b895b35fa\nReviewed-on: https://review.monogon.dev/c/monogon/+/1374\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "ce19acc9d66055d912287d9f1f26c08d3df55aa8", "tree": "6aedbe2ab0aef40955f3d416013ff59e1aec0139", "parents": [ "1f8cad7568ad2e8e539fe44f1b2d51e1f2a19fd5" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Mar 21 16:28:07 2023 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Mar 21 17:56:08 2023 +0000" }, "message": "m/n/kubernetes: make CSI provisioner more debuggable\n\nChange-Id: I22292e627ceac0d41a7711964517a53e63636c3e\nReviewed-on: https://review.monogon.dev/c/monogon/+/1379\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "356cbf3e49af75d9cccf92fd8d0a3236727f6761", "tree": "a8865bc1422fdde0d8f5a63f8e7e100156dccfeb", "parents": [ "f9bdf3126488a2728e265a2b28cba564c8072e04" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Mar 16 17:52:20 2023 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Mar 16 21:22:24 2023 +0000" }, "message": "m/n/kubernetes: run reconciler before starting more services\n\nThis makes sure we successfully ran the reconciler at least once before\nattempting to running more than the apiserver. It saves us from a whole\nbunch of services complaining about not having the right permissions to\n(yet) access the cluster.\n\nChange-Id: I605eae9d6bbcc16a9dcb971caa26ee56a06e5d5b\nReviewed-on: https://review.monogon.dev/c/monogon/+/1358\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "b033b380387a999b7ad19f9d001c42ec570c8945", "tree": "6093a955f5c08f29e6590fb71781849d100a3e0e", "parents": [ "d8290c8082f752f52d0ba1c765f668e2992bc5d4" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Mar 07 20:06:36 2023 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Mar 07 22:29:46 2023 +0000" }, "message": "*: fix gomodproxy compatibility\n\nThis is necessary for the source to be fetchable from third-party Go\nprojects (currently via a replace directive, as source.monogon.dev isn\u0027t\ngo-getable). Otherwise, `go mod tidy` complains:\n\nreading https://sum.golang.org/lookup/github.com/monogon-dev/monogon@v0.0.0-20230223122556-665b10937eb8: 404 Not Found\n\tserver response:\n\tnot found: create zip: build/analysis/BUILD.bazel: case-insensitive file name collision: \"BUILD\" and \"build\"\n\tbuild/analysis/importsort/BUILD.bazel: case-insensitive file name collision: \"BUILD\" and \"build\"\n\tbuild/analysis/importsort/classify.go: case-insensitive file name collision: \"BUILD\" and \"build\"\n\tbuild/analysis/importsort/importsort.go: case-insensitive file name collision: \"BUILD\" and \"build\"\n\tbuild/analysis/importsort/importsort_test.go: case-insensitive file name collision: \"BUILD\" and \"build\"\n\tbuild/analysis/importsort/testdata/README.md: case-insensitive file name collision: \"BUILD\" and \"build\"\n\t[Truncated: too long.]\n\nChange-Id: If5947be74f7dfcf4ba4bd79c4dc37589f324b891\nReviewed-on: https://review.monogon.dev/c/monogon/+/1223\nTested-by: Leopold Schabel \u003cleo@monogon.tech\u003e\nReviewed-by: Leopold Schabel \u003cleo@monogon.tech\u003e\n" }, { "commit": "98206b93355539404dccd04bd0882aa59ec8cd8b", "tree": "b48ea9471e0451dd88e4606ba77eef5164fb3694", "parents": [ "aaa4d45a0a88e69137f4b946f26f3ce5f8ad0642" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Jun 22 16:21:50 2022 +0000" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Thu Jun 23 15:31:12 2022 +0000" }, "message": "mn/n/kubernetes: fix warnings\n\nThis fixes a warning that we do not explicitly set the root cgroup and\none that we specify the container runtime type explicitly; in 1.24\neverything other than \"remote\" has been dropped.\n\nChange-Id: I7beb0fbbbd5e38715b8b1e76dac99d2d7c4275d5\nReviewed-on: https://review.monogon.dev/c/monogon/+/785\nTested-by: Jenkins CI\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "78cefcafa315af20d9f603fefd1423fe7bab7483", "tree": "b5d8ab0ce4652e30ace81c0cedf64b847260612d", "parents": [ "4025c9bf83aa038c8858c82bc80bd65acecd7210" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Mon Jun 20 12:59:55 2022 +0000" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Jun 21 11:44:25 2022 +0000" }, "message": "m/n/kubernetes: factor out cluster domain\n\nThis removes the hardcoded Kubernetes cluster domain and pushes it out\nto a single place at the root of the Kubernetes supervisor tree.\nThis will later be aligned with the cluster domain specified in the\nidentity design document, currently this does not change any behavior.\n\nIt also removes a bogous SAN from the Kubernetes API server certificate\n(kubernetes.default.svc.cluster) for which there is no corresponding\nsearch path.\n\nChange-Id: I30b8907a7b846415f5002c09a24d2d37930a9cd1\nReviewed-on: https://review.monogon.dev/c/monogon/+/773\nTested-by: Jenkins CI\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "83d793ddcd4f75b3653255df5dac154ac3de4e87", "tree": "d79840465c92dddb048f6483c2e1d824784ee8d7", "parents": [ "83a28c93a0e48f500db619492f24f96938cb9b00" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Mon Apr 25 11:17:47 2022 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Mon Apr 25 19:26:50 2022 +0000" }, "message": "m/n/kubernetes: remove --port flag from services\n\nFrom logs:\n\n Flag --port has been deprecated, This flag has no effect now and will be removed in v1.24.\n\nSo that\u0027s what we do. We had this flag only set to disable insecure\nserving, and insecure serving has been removed in upstream, thereby\nrendering the use of this flag a no-op.\n\nController-manager PR: https://github.com/kubernetes/kubernetes/pull/96216\nScheduler PR: https://github.com/kubernetes/kubernetes/pull/96345\n\nChange-Id: If9009aa6f7c72a5ec8b7baf2326964167059c0a1\nReviewed-on: https://review.monogon.dev/c/monogon/+/665\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "d13c1c64387ca9a83bb832a3faa5c4b07268d265", "tree": "0c0f534db4726e4400486aad25235e8c573d455e", "parents": [ "79a1a8f9dd49afe8e0a2364c4586b8f39525b204" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Mar 30 19:58:58 2022 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Apr 05 10:35:29 2022 +0000" }, "message": "treewide: switch to gomod and bump everything\n\nThis switches version resolution from fietsje to gomod and updates\nall Go dependencies. It also bumps rules_go (required by gVisor) and\nswitches the Gazelle naming convention from go_default_xxx to the\nstandard Bazel convention of the default target having the package\nname.\n\nSince Kubernetes dropped upstream Bazel support and doesn\u0027t check in\nall generated files I manually pregenerated the OpenAPI spec. This\nshould be fixed, but because of the already-huge scope of this CL\nand the rebase complexity this is not in here.\n\nChange-Id: Iec8ea613d06946882426c2f9fad5bda7e8aaf833\nReviewed-on: https://review.monogon.dev/c/monogon/+/639\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\nReviewed-by: Leopold Schabel \u003cleo@nexantic.com\u003e\n" }, { "commit": "79a1a8f9dd49afe8e0a2364c4586b8f39525b204", "tree": "2bf599ded06a18c5850cbf513e94fd0cf7ba3776", "parents": [ "a8e23543e792505ea8a40bf544d857163696a25b" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Thu Mar 31 17:19:07 2022 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Mon Apr 04 19:45:00 2022 +0000" }, "message": "m/n/k/authproxy: make use of SPDY through proxy work\n\nKubernetes still uses SPDY for interactive/streaming-type calls (like\nexec or port-forward). Our proxy uses a HTTP/2 backend connection to\nKubernetes\u0027s API server. A HTTP/2 stream cannot be upgraded to SPDY\nmeaning these API requests all fail. This implements a slightly ugly\nworkaround by using two HTTP transports, a regular transport which\nsupports HTTP/2 and a fallback transport which does not. The proxy\nselects the fallback transport if it detects that the request is trying\nto upgrade to SPDY.\n\nChange-Id: Idd44f58d07ec5570ddf8941ae7595225f47f254d\nReviewed-on: https://review.monogon.dev/c/monogon/+/645\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "cc078df2124306799c66786833746999259ea792", "tree": "43807fcfec2196430b4bd4def124dad2231451db", "parents": [ "8c2c771a750f30b3edf240fc8352e777795e989b" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Thu Dec 23 11:51:55 2021 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Feb 02 14:07:37 2022 +0000" }, "message": "m/n/kubernetes: implement Metropolis authenticating proxy\n\nThis implements an authenticating proxy for K8s which can authenticate\nMetropolis credentials and passes the extracted identity information\nback to the Kubernetes API server. It currently only handles user\nauthentication, machine-to-machine authentication is still done by the\nAPI server itself. It also adds a role binding to allow full access\nto the owner as we do not have an identity system yet.\n\nChange-Id: I02043924bb7ce7a1acdb826dad2d27a4c2008136\nReviewed-on: https://review.monogon.dev/c/monogon/+/509\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "1de8b1845e75dc1e020df21b997b2d6fc66fb65e", "tree": "4a41005b1931aa13c3ed4a1b0732de31482a6eb8", "parents": [ "367f759f54e59b24b55024c8070513f9f7e6f4c1" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Dec 21 17:15:18 2021 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Dec 22 15:57:16 2021 +0000" }, "message": "m/node: pass node identity into k8s\n\nThis plumbs through the node identity to K8s as an identity.Node\nobject and gets rid of the os.Hostname invocation that passed around\nthis data out-of-band. It also changes everything in its path to use\nthe newer identity.Node object instead of a plain string so that the\nMetropolis Identity CA is more accessible.\n\nChange-Id: I6db8e1db7e333c0ea364aefd61c27bf50acc25f3\nReviewed-on: https://review.monogon.dev/c/monogon/+/505\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "764a2de7911a42d57720911332a12895f0aad707", "tree": "dd0e31cee8fb5c753a762462e9eb16f776c3ec73", "parents": [ "e65731049afb6fd49da80f064fa40a28c9d5741d" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Mon Nov 22 16:26:36 2021 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Mon Nov 22 20:39:51 2021 +0000" }, "message": "tree-wide: rewrite ioutil functions to their replacements\n\nThe ioutil package has been deprecated in Go 1.16 [1]. This CL removes\nall our own users of that package and rewrites them to use their\nreplacements in the os package. I initially wanted to do this with a\ngofix but because all replacements were signature-compatible I just\ndid it with a few string replaces and then ran goimports to fix up the\nimports.\n\nI intentionally didn\u0027t rewrite the patches as that would require a\ndifferent process and is IMO of less value.\n\n[1] https://github.com/golang/go/issues/42026\n\nChange-Id: Iac6663a1f1ee49f9b1c6e4b3d97e73f2c3b54a13\nReviewed-on: https://review.monogon.dev/c/monogon/+/449\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "52304a8aa84604846e316e28c955b67e68c52f34", "tree": "df8518bb50b9665af7f4897665d8aa16f4a43e7f", "parents": [ "ba7bf7dc83c15cbd94a1f71b7992df7d7fc7d752" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Fri Oct 29 16:56:18 2021 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Wed Nov 03 11:36:20 2021 +0000" }, "message": "m/node: implement Port type for node ports\n\nThis allows us to use %v/%s to get a pretty port name where needed.\n\nWe also drive-by remove MasterServicePort which is a leftover from\na pre-curator cluster service implementation.\n\nChange-Id: Id8feddf87269b13dd1dad2460a015c1a7ecbc6d7\nReviewed-on: https://review.monogon.dev/c/monogon/+/418\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "96043bc1cb55b1271b21309b2011d64d2361a0fd", "tree": "b4db59595d8635154de74b0a244a6bb28bc52d2d", "parents": [ "3379a5d0ffcd652031c135f2ffe7600272fa0093" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Oct 05 12:10:13 2021 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Tue Oct 05 17:29:16 2021 +0000" }, "message": "*: import reformats\n\nAs caused by my IntelliJ/gofmt locally. We really need to do gofmt\nchecks in CI, especially now that we nearly have the tooling ready for\nit.\n\nChange-Id: Id105ba9ad8a34b8b8e883d52d621d47b0ea888d7\nReviewed-on: https://review.monogon.dev/c/monogon/+/338\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" } ], "next": "c72aa433ff68b76317233ba8805d55845e9efd1a" }