)]}' { "log": [ { "commit": "1b6cd6feb2ea0ee9940e59ec787803dae0071b22", "tree": "8fd33a9dd8da12a7524bb24fceef24350663d603", "parents": [ "8ffa54e80544005e0f779c681a8c9dfc6afecfa7" ], "author": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Tue Apr 29 15:30:22 2025 +0000" }, "committer": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Wed Apr 30 10:17:21 2025 +0000" }, "message": "treewide: replace platform_transition_binary\n\nplatform_transition_binary changes the platform, but does not set\n@io_bazel_rules_go//go/config:static. Instead, build_static_transition\nis now used, which sets both.\n\nA second benefit of this change is that we have fewer places where the\namd64 architecture is mentioned, which should make it easier to enable\nmulti-platform builds.\n\nChange-Id: Id01e0d942a12770b8b34b0e6825f314128149b40\nReviewed-on: https://review.monogon.dev/c/monogon/+/4162\nTested-by: Jenkins CI\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\n" }, { "commit": "9d2f3c681fee76b54dc202da6ca140151f588be8", "tree": "9f673387eea27eac06fbd16e9c2f3cfc689cc7fb", "parents": [ "82900a743f1eebcb80c0a310563be149691b89a7" ], "author": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Mon Apr 14 11:17:22 2025 +0000" }, "committer": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Tue Apr 29 06:55:58 2025 +0000" }, "message": "m/test/localregistry: use osbase/oci/registry\n\nThis replaces the localregistry implementation with a small wrapper\naround the new registry package.\n\nThe images attribute of the Bazel rule was changed from a list to a\ndict, which makes the repository and tag independent from the file path.\n\nChange-Id: I1f6213dd67f7bdcf2373fe136958caa68b9f4d10\nReviewed-on: https://review.monogon.dev/c/monogon/+/4089\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "47eb65bd29d4576593c134915088fe8bf144b047", "tree": "613483a5514ef15b9698f0b0097feee54bed7325", "parents": [ "90d4051ae6119dc08dfa17f3a9e95e5b98fba2a5" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Mar 27 16:49:27 2025 +0100" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Mon Mar 31 11:30:21 2025 +0000" }, "message": "treewide: remove usage of osbase/test/launch for logging\n\nChange-Id: Ib0279f1f1cbbefeb5064e78cfb36b0bf7a59f5cb\nReviewed-on: https://review.monogon.dev/c/monogon/+/4045\nTested-by: Jenkins CI\nReviewed-by: Jan Schär \u003cjan@monogon.tech\u003e\n" }, { "commit": "b00f7f9a97eae55ae6df80bbdea46815498898fa", "tree": "46517933cf9c0d9fc18ccf085dcf335d664e2b94", "parents": [ "1947e9b1480d9a3e90fe8b12bc897fd5cd2abce7" ], "author": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Thu Mar 06 17:27:22 2025 +0100" }, "committer": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Tue Mar 18 14:02:05 2025 +0000" }, "message": "m/node/kubernetes: implement storage resizing\n\nThis implements persistent volume resizing in the storage provisioner.\nThe logic is based on https://github.com/kubernetes-csi/external-resizer\n\nThe mutation caches are an optimization to prevent unnecessary repeated\nprocessing, because they make the controller remember changes that it\nhas made itself, when the watch events for those changes have not\narrived yet.\n\nThe controller supports the RecoverVolumeExpansionFailure feature, which\nallows reducing the requested size when the previous resize fails due to\ninsufficient space. When resize fails, it is retried with backoff.\n\nChange-Id: I0f3d40c1a592b30d25739f5d20b529dfe25dfbe1\nReviewed-on: https://review.monogon.dev/c/monogon/+/4008\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "9bd9bd45d58fd615c0c240226e6fb74e406b0d17", "tree": "18961f688d41f4098e34231c201f2e96ac35d864", "parents": [ "ffd8c7bb37da9b72eb66a0555e319ca2290ea761" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Fri Feb 14 17:08:52 2025 +0100" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Feb 27 07:43:17 2025 +0000" }, "message": "treewide: replace deprecated grpc.Dial with grpc.NewClient\n\nChange-Id: I925912ca1ee01d547fd9c1813eb083a2cd9a590a\nReviewed-on: https://review.monogon.dev/c/monogon/+/3858\nReviewed-by: Jan Schär \u003cjan@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "52700ae56c5d541e711fbd5f27373b3dc200f8dc", "tree": "ed5e75883fc44d14f7824b0a5ed40a6ab650923e", "parents": [ "e8beaed8dcde2c198e91addb0baa884079363581" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Jan 28 15:07:08 2025 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Feb 11 15:05:46 2025 +0000" }, "message": "m/n/k8s: add nftables network policy controller\n\nThis integrates my K8s network policy controller. In its current form it\ndoes not have many guarantees as the custom CNI plugin is not yet in\nthere but it mostly works. Also there is still a DNS hole as host-local\nservices are not properly policed yet.\n\nIt has a basic smoke test using the connectivity testing helper as well\nas some metrics to make sure it is integrated properly and to be able to\nmonitor its performance.\n\nChange-Id: Ia2f54b9975361270678ce742ae5e32df25e515c5\nReviewed-on: https://review.monogon.dev/c/monogon/+/3740\nTested-by: Jenkins CI\nReviewed-by: Jan Schär \u003cjan@monogon.tech\u003e\n" }, { "commit": "de57e6f273b05ebf9f58bf4a4ca9734038bcad9f", "tree": "8bc29c1edb49cdb69870f13794add9a3fc1b5762", "parents": [ "c359d550ca8bf59acc77dd9aefc5b09572a7e399" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Jan 08 16:34:08 2025 +0000" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Mon Feb 10 16:00:22 2025 +0000" }, "message": "m/test/e2e/connectivity: add connectivity tester\n\nThis adds a connectivity testing framework. It uses pod agents and\ncommunicates with them over stdio. This is used to implement a simple\nsmoke test and will later be used to test network policy controllers.\n\nChange-Id: If40673a91336dbe3a7a383bf2e9d17736fad3bdc\nReviewed-on: https://review.monogon.dev/c/monogon/+/3756\nReviewed-by: Jan Schär \u003cjan@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "6d33a4342a16200d628f30ff91b169927fc2867a", "tree": "e65ad23cb6d0b795420b5ec625a757784d4c3e3b", "parents": [ "7887f758de8f9106a484ca59d9734304aa919e36" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Tue Feb 04 14:34:25 2025 +0100" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Feb 06 17:03:43 2025 +0000" }, "message": "treewide: add license header and enable haslicense linter\n\nChange-Id: I873a8d4082d75e8f813d8a726a41187eea7a065e\nReviewed-on: https://review.monogon.dev/c/monogon/+/3825\nTested-by: Jenkins CI\nReviewed-by: Leopold Schabel \u003cleo@monogon.tech\u003e\n" }, { "commit": "8f1254d1919c7cda42c611c9e1d83cf9a2ef8034", "tree": "5be283b1ba93876be9c5c53f256ef55793b35bd3", "parents": [ "32e74305db44feaa564da55b3108ff3cc3f1fd32" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Jan 28 14:10:05 2025 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Mon Feb 03 11:13:25 2025 +0000" }, "message": "m/test/launch: extend GetKubeClientSet with rest.Config\n\nK8s streaming transports need a separate rest.Config, expose that from\nthe GetKubeClientSet.\n\nChange-Id: I7c4ee5dae0349bd6742afcbaf23aa7536b1bdf88\nReviewed-on: https://review.monogon.dev/c/monogon/+/3811\nReviewed-by: Jan Schär \u003cjan@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "156248b949f3da7c8d0f4f46cb97ac7606464952", "tree": "ff52faf242a29f1916edad64bca6282f8030ee66", "parents": [ "227c5cbbdd8f682b6e4d4cc661fa0d6e734206f2" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Fri Jan 10 00:27:45 2025 +0100" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Fri Jan 10 20:13:30 2025 +0000" }, "message": "treewide: format repo with buildifier\n\nChange-Id: Ia7aebeb7bba5b119c9157d1ad805cc477bcbb68a\nReviewed-on: https://review.monogon.dev/c/monogon/+/3774\nTested-by: Jenkins CI\nReviewed-by: Leopold Schabel \u003cleo@monogon.tech\u003e\n" }, { "commit": "3a171d123fff540c8c9d646152a5d5ed9ef873de", "tree": "62fe245a0182c3ba931d8c33278f2dd89c35e77b", "parents": [ "0996ea85ca6200e1729941d316f7891835871938" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Mon Dec 09 23:51:23 2024 +0100" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Jan 09 21:19:31 2025 +0000" }, "message": "treewide: add race-detector config\n\nThis also disables all `pure \u003d \"on\"` attributes as they propagate too\nfar and break the race detector because rules_go contradicts itself by\nforcing pure go even when CGO is required by the race detector. We build\neverything for our node images static and pure via a transition anyway,\nso this is actually fine.\n\nChange-Id: I5cd3879fba4258caa94df4dbea5c6472867b7e34\nReviewed-on: https://review.monogon.dev/c/monogon/+/3725\nTested-by: Jenkins CI\nReviewed-by: Hendrik Hofstadt \u003chendrik@monogon.tech\u003e\n" }, { "commit": "5c717dd5a7dfecc7a0c629abf5b0b9af7583fe95", "tree": "d698cacb7a91551f73fd909c330cb41c660e86d8", "parents": [ "deaf0c044579516df1fb510c106e8e7881028701" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Jan 08 19:35:29 2025 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Thu Jan 09 13:04:14 2025 +0000" }, "message": "m/t/e2e/suites/kubernetes: remove orphaned tests\n\nThese were never automatically exercised as they relied on a\nmanually-set environment variable. The infrastructure that they were\ntesting was long removed, remove them as well.\n\nChange-Id: Ifdf89cfc21fd9069db2577d3ffc7c7ad674da703\nReviewed-on: https://review.monogon.dev/c/monogon/+/3757\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "681d5157b955f6b942c620837d1a9e90bdefc983", "tree": "254905b461e1545d960fafbdad1ec2c250fc383f", "parents": [ "2edb96aeded0f67904ac9630088454fb12a62317" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Wed Jan 08 00:19:33 2025 +0100" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Wed Jan 08 20:54:21 2025 +0000" }, "message": "treewide: clean up test static binary targets\n\nThis removes some intermediate targets only used for transitions by\nconsolidating them into a single one.\n\nChange-Id: I46dcbcb731038edd2b67259de1811018f5ba43da\nReviewed-on: https://review.monogon.dev/c/monogon/+/3753\nReviewed-by: Leopold Schabel \u003cleo@monogon.tech\u003e\nTested-by: Jenkins CI\nVouch-Run-CI: Tim Windelschmidt \u003ctim@monogon.tech\u003e\n" }, { "commit": "d1a8b64d305c57f45416fc40b39211541113a373", "tree": "17fcd0e77576b200e75a940fb26ce2334a7a8553", "parents": [ "d77e26ee216738393a9808c95266bbcb91ca0e68" ], "author": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Tue Dec 03 17:40:41 2024 +0100" }, "committer": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Wed Dec 04 08:28:03 2024 +0000" }, "message": "treewide: add more ptr.To usages\n\nChange-Id: Ibf511bc012a17e39d6b7b4f3a7d9abc1304d755f\nReviewed-on: https://review.monogon.dev/c/monogon/+/3677\nTested-by: Jenkins CI\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\n" }, { "commit": "2ecccae4ff62b687ec5e218349fcf8a42069dfc9", "tree": "c5a5914c9d3bd8fb37a5650a6b3e4881f9fc2610", "parents": [ "d58edf4e2f745427d69ecc72bfe9a9ead69d697d" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Nov 27 22:03:35 2024 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Mon Dec 02 16:50:54 2024 +0000" }, "message": "m/node: enable user namespaces in K8s\n\nThis enables the two feature gates for user namespace support in K8s.\nWe did not previously have a passwd file which caused Go\u0027s UserLookup\nto fail with an unexpected error. Add an mostly-empty placeholder file\nto placate it.\n\nChange-Id: I71a7a6dc889a289512075a25b7e551f2cd65ffb6\nReviewed-on: https://review.monogon.dev/c/monogon/+/3665\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "73beb693ce8aed1c1caffaec2f01b2b9c65516b3", "tree": "378d3b779febf33b1666438b1dd003053d9fd21c", "parents": [ "be70c9247b7c8f7ab0eef4b0c7b1faaf934b8f97" ], "author": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Wed Nov 27 17:47:09 2024 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Nov 27 19:34:17 2024 +0000" }, "message": "m/node/kubernetes: remove local-strict storage class\n\nIt turns out that the local-strict storage class did not have an effect\non readonly volumes, or on gVisor. And after updating runc to 1.2.0, it\nno longer has an effect anywhere. It appears that setting noexec and\nsimilar flags in the CSI server, using a storage class, is the wrong\napproach and just happened to work by accident. Instead, this should\nprobably be implemented as a Kubernetes feature to set per-mount-point\nflags on the VolumeMount.\n\nThis commit thus removes the local-strict storage class and the mount\noptions processing in the provisioner and CSI server. This will allow\nupdating runc.\n\nAdditionally, the StatefulSet end-to-end test is extended to also run\ntests with gVisor. gVisor apparently does not support block volumes.\n\nSee: https://github.com/monogon-dev/monogon/issues/361\nChange-Id: Ic2f50aa3bc9442ca1dbb9e8742d5b8fecbfc3614\nReviewed-on: https://review.monogon.dev/c/monogon/+/3658\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "be70c9247b7c8f7ab0eef4b0c7b1faaf934b8f97", "tree": "b1126b8ddaf845314329bd33249e2ec0db6940dd", "parents": [ "0ec0c53061acd57cf545440a723c1fd9817ed080" ], "author": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Thu Nov 21 11:16:03 2024 +0100" }, "committer": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Thu Nov 21 12:57:42 2024 +0000" }, "message": "m/node/kubernetes: fix attaching block PVs\n\nAttaching a block PV to a container failed with the error:\n\"failed to create device node at target path: file exists\".\nThis happened because there was already a directory at the path.\nThe directory should only be created for mounts, not for block devices.\n\nI also extended the PV end-to-end test to add a block volume, and check\nthat it can be opened as a block device and has the expected size.\n\nChange-Id: I40ca82cfcbfee1cb3196a900423f967b45790a64\nReviewed-on: https://review.monogon.dev/c/monogon/+/3623\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "652c2ad2e499ca709523978e04b3a3dbb6df642c", "tree": "4a31c1797694ed53331d1a998922c3587d940d5b", "parents": [ "36f0375c9834d82016cb077142d2eaaea981d7a5" ], "author": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Tue Nov 19 17:40:50 2024 +0100" }, "committer": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Wed Nov 20 13:55:19 2024 +0000" }, "message": "m/node/kubernetes: fix PV mount flags and add e2e test\n\nMount flags did not work because of two problems:\n- The provisioner did not copy them from the StorageClass to the\n PersistentVolume.\n- The CSI server used \u003d instead of |\u003d when adding flags, so only one of\n the flags was added or removed.\n\nThere was an existing e2e test for PVs, however this only created the\nPVC/PV without even attaching it to a container. I extended this test to\nattach the PV and check from inside the container that it has the\nexpected mount flags and quota.\n\nThe existing e2e test also created a block PV, however attaching a block\nPV to a container was not tested and is apparently broken, so I removed\nthis test for now.\n\nChange-Id: Ie14adfafd333eab38d2b5f1b4ce8a2aa8795eae0\nReviewed-on: https://review.monogon.dev/c/monogon/+/3613\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "36f0375c9834d82016cb077142d2eaaea981d7a5", "tree": "301dacf15758e619d2c7fc0901e90ce6a5229f81", "parents": [ "1fc5eb01ef91a4c6fc936a177329b845f0bb45d7" ], "author": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Tue Nov 19 17:41:05 2024 +0100" }, "committer": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Wed Nov 20 13:55:19 2024 +0000" }, "message": "m/test/e2e/suites/kubernetes: increase test timeouts\n\nThese timeouts are too short and cause spurious test failures.\n\nChange-Id: I21252337a150bb5774ef031eea53ec1a366f7fbd\nReviewed-on: https://review.monogon.dev/c/monogon/+/3614\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "78567601398f4db5a8080fd30038ff7ac6affe0f", "tree": "757ee7c8d374317366a2535dbfb48ceaa66700f0", "parents": [ "beec27c6bdc2da730ffa2a2be6a68e1610148913" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Oct 31 13:42:04 2024 +0000" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Nov 05 13:11:03 2024 +0000" }, "message": "metropolis: remove stutter in ClusterConfiguration.KubernetesConfig\n\nWe already know this is a config (it lives in ClusterConfiguration), no\nneed to call that a config again.\n\nThis doesn\u0027t break any compatibility yet as field names are not (yet)\nunder a stability guarantee.\n\nChange-Id: Ib6492d1c8303cbd0620b979b8047ec9757e301c0\nReviewed-on: https://review.monogon.dev/c/monogon/+/3594\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "39f4f5c360e7a286bff4adaeabc52393dc28dc22", "tree": "c81382f2408a83ab7391414738713633b8fc9608", "parents": [ "1e39914fbcecda7ec236e67f143bbefc31eee9da" ], "author": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Tue Oct 29 09:41:50 2024 +0100" }, "committer": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Wed Oct 30 13:10:29 2024 +0000" }, "message": "metropolis: add cluster domain config and metroctl param\n\nThis adds a --cluster parameter to metroctl and a cluster domain field\nto the bootstrap configuration. It is not yet used anywhere, but later\nthe cluster domain will be used to identify the cluster.\n\nThe length of the cluster domain is limited to 80, to allow for\nconstructing subdomains. This limit could be increased later if needed,\nbut it cannot easily be decreased, so I chose a conservative value that\nshould be enough in most cases.\n\nChange-Id: I627cca8eb1d92c4b06e4dfd6b6926a013e8f33ae\nReviewed-on: https://review.monogon.dev/c/monogon/+/3508\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "1e39914fbcecda7ec236e67f143bbefc31eee9da", "tree": "806a09d23eec324d7ff131f42ddfab13cc0f98e0", "parents": [ "20498ddc40079451c83ba3708afc57d820866cb3" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Oct 22 10:58:15 2024 +0000" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Wed Oct 30 11:42:51 2024 +0000" }, "message": "metropolis: first pass API for reconfiguring cluster\n\nThis implements management.ConfigureCluster. This API is based around\nProtobuf FieldMasks, which is a new thing in the Metropolis codebase\n(node config mutation is performed via optional fields).\n\nWhether this is the right way to do this is to be discussed.\nAlternatives considered are:\n\n1. Always insert a full new config, providing the old one as a base. The\n downside of that is the potential conflicts that will spring up the\n moment we have systems regularly mutate independent parts of the\n config. Additionally, this might lead to some odd behaviour when\n dealing with clients that don\u0027t have support for newer versions of\n the config proto.\n2. Use optional fields, like in Node role code. However, this has the\n downside of duplicating protos (one for the config state, one for the\n mutation request). Plus, protobuf optionals are still somewhat\n unusual.\n3. Provide individual requests for mutating fields (like with Node\n labels). This also results in a lot of boilerplate code.\n4. Something akin to JSON Patch, but for protobufs, which doesn\u0027t seem\n to exist.\n\nChange-Id: I42e5eabd42076e947f4bc8399b843e0e1fd48548\nReviewed-on: https://review.monogon.dev/c/monogon/+/3591\nTested-by: Jenkins CI\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\n" }, { "commit": "e99638e3c7a2f1a604d49c47cc7a2685bfff8c5e", "tree": "636c243a58100c971cc3e224abf2c54324aad00a", "parents": [ "9579be5e09b6293edc78d3142b0c67a24afda93c" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Mon Sep 30 17:06:44 2024 +0000" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Mon Oct 28 14:22:49 2024 +0000" }, "message": "metropolis/node/kubernetes: synchronize metropolis node labels to kubernetes\n\nThis extends the labelmaker to manage Kubernetes node labels mirrored\nfrom Metropolis node labels.\n\nNote that currently there is no way to edit a ClusterConfiguration at\ncluster runtime, but this will come in a future CL.\n\nChange-Id: If7dbc3796085a8b85c1b5b2a181bcb1cee3d1db4\nReviewed-on: https://review.monogon.dev/c/monogon/+/3469\nReviewed-by: Jan Schär \u003cjan@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "6d1ff36763f1d48cf8620afd17321a06d2fbe228", "tree": "e0f48b5b138f51579de1ce2662e1b3a39acec6d3", "parents": [ "677de978403a58cd219e77b312b647927bd560ac" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Mon Sep 30 15:15:31 2024 +0000" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Mon Oct 28 14:22:49 2024 +0000" }, "message": "metropolis/node/kubernetes: update labels based on node roles\n\nThis implements the labelmaker, a reconciling loop running on Kubernetes\ncontroller nodes which updates Kubernetes node labels based on cluster\ndata.\n\nCurrently it only updates role labels based on cluster roles, but this\ncan be extended in the future to also replicate Metropolis node labels\ninto Kubernetes node labels.\n\nChange-Id: I9c5ba92bb46f064aa03836720d4a80adc6061ab9\nReviewed-on: https://review.monogon.dev/c/monogon/+/3464\nTested-by: Jenkins CI\nReviewed-by: Jan Schär \u003cjan@monogon.tech\u003e\n" }, { "commit": "0bc92a087ee0eb279ab29c3aba5d127b4202a2ea", "tree": "9c481ad86d6324cdd6bdfff4a55af4d4b4689f3c", "parents": [ "61b97a375aee98f58c13c13be672b442aecc8440" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Tue Oct 01 22:53:08 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Oct 10 15:55:35 2024 +0000" }, "message": "treewide: bump rules_oci to v2.0.0\n\nChange-Id: Idbeb3a3b7645c5b6f774eb43d218ca0bc79dccc1\nReviewed-on: https://review.monogon.dev/c/monogon/+/3474\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "a512b0e03b370ea86b383212863d81b6d9677f3a", "tree": "373bb9ff7fd8e63928205c28d8480c33bfd8f2aa", "parents": [ "5fb8a3fc41a1c59636adaf55c6495c1a671ef7ad" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Sat Sep 28 03:57:43 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Tue Oct 08 13:55:15 2024 +0000" }, "message": "metropolis/vm: delete vm package\n\nThis only contains the CRD right now and is not used/implemented\nanywhere. This is also the only usage of kube-code-gen which breaks with\nthe newest version of rules_go. Since we don\u0027t plan to use this\nin the near future this also gets deleted, because even if we need it\nagain, we can just revert this change.\n\nChange-Id: I29ab75541957fce6a7dd8414c0df3cfdf90f8ec3\nReviewed-on: https://review.monogon.dev/c/monogon/+/3465\nTested-by: Jenkins CI\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "d5538b52d7a8739f7123458c10973be36b27b9ff", "tree": "fd718931af36798650ddbf1a8978a94220994e82", "parents": [ "1dcede9600e4c1584da4fbe89128970ea9532860" ], "author": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Wed Sep 25 13:16:49 2024 +0200" }, "committer": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Thu Sep 26 11:44:09 2024 +0000" }, "message": "m/n/c/consensus: fix startup after removing a cluster node\n\nThe consensus service was waiting for all initial peers to be DNS\nresolvable before starting etcd. However, the list of initial peers is\nnever updated. If an etcd member is removed from the cluster, it is no\nlonger resolvable, but may still be contained in initial peer lists. The\nconsensus service then fails to start, as it is blocked forever waiting\nfor the removed peer to become resolvable.\n\nThe wait for resolvability was added in c1cb37ce9c43 with this\nexplanation:\n\n\u003e It also makes the consensus service wait for DNS resolvability before\n\u003e attempting to join an existing cluster, which makes etcd startup much\n\u003e cleaner (as etcd will itself crash if it cannot immediately resolve\n\u003e its ExistingPeers in startup).\n\nThis does not appear to be needed anymore. I did not observe etcd\ncrashes after removing the wait for resolvability.\n\nI extended the e2e test to test this scenario. After removing the\nconsensus role, it also deletes the node and reboots the remaining\nnodes. I moved these tests to the ha_cold suite, because with encryption\nenabled, we currently cannot reboot a node in a 2-node cluster.\n\nChange-Id: If811c79ea127550fa9ca750014272fa885767c77\nReviewed-on: https://review.monogon.dev/c/monogon/+/3454\nTested-by: Jenkins CI\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "ad8982fcd78a3408c024d9031fa611b48dd86304", "tree": "b6a7f84b0d7d8e1d4531883eac22dab990c6f1c7", "parents": [ "fc6e1cf11d0d96fac1e8d52b5787b207f8b1fd9f" ], "author": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Tue Sep 17 13:56:34 2024 +0200" }, "committer": { "name": "Jan Schär", "email": "jan@monogon.tech", "time": "Thu Sep 26 11:44:09 2024 +0000" }, "message": "m/node/core: remove etcd membership before removing consensus role\n\nWhen removing the consensus role, we also need to remove etcd\nmembership. It is safer to remove membership first, and then the role,\nbecause otherwise, the etcd cluster is in a degraded state during the\ntime where etcd on the node has been stopped, but the node is still\ncounted as a voting member by etcd.\n\nIf the membership is removed, but then removing the role fails, the\ncluster ends up in an inconsistent state. If the affected node was the\ncurator or etcd leader, that will almost certainly happen. In this case,\nthe request can just be retried until it succeeds, and then the cluster\nstate is consistent again between etcd membership and roles.\n\nChange-Id: I1ab526470a4201e76817e8ca0a597996fb903d1f\nReviewed-on: https://review.monogon.dev/c/monogon/+/3437\nTested-by: Jenkins CI\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "5f1a7de2dfb5db1884fcb677a0bd38daf6dd3c97", "tree": "fd52bf35b4b2e6b5c51f56d62424c9d0820ef537", "parents": [ "e337e938ae8e08dffa3a01045571188413ce70ff" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Sep 19 02:00:14 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Sep 19 12:06:50 2024 +0000" }, "message": "treewide: fix %v in cases where we should use %w\n\nWe should always use %w when using fmt.Errorf as you can use error.Is to\ncompare the underlying error. When printing an error the use of %w is\nwrong and should be replaced with %v.\n\nChange-Id: I741111bd91dcee4099144d2ecaffa879fdbb34a2\nReviewed-on: https://review.monogon.dev/c/monogon/+/2993\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "732a88411de08ac44d1f2bdb6b948c39c9ddc727", "tree": "6c7b78cf514254594d3ccadbb41f6364dd2cc286", "parents": [ "688ee2b59301e5a0494890003a85583f8da07ec5" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Mon Aug 26 23:25:37 2024 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Aug 27 21:40:54 2024 +0000" }, "message": "treewide: update to Kubernetes 1.31\n\nOverall not that bad, we got rid of some workarounds and added some new\nones. Biggest change is a significant refactor of the hyperkube package\nas Kubernetes really doesn\u0027t like multiple of their top-level Cobra\ncommands to be instantiated. One new patch for gVisor as new fields got\nadded to a Linux struct which caused codegen to rename an existing one.\nThat patch will go away once [1] is released as this has been changed\nback again.\nOtherwise mostly standard rebases of patches. We currently have a\nwarning in kubelet as our containerd CRI does not support the\nRuntimeConfig RPC, but no released version of containerd has that and\nthe fallback works fine for now.\n\n[1] https://go-review.googlesource.com/c/sys/+/607876\n\nChange-Id: I275e5fb78bc1d09c4ca0e8b5705edbaa80f30d96\nReviewed-on: https://review.monogon.dev/c/monogon/+/3355\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "82e6af71ad2b7927de8d754799271ee9f39506f9", "tree": "4da4ec95a6e4c5f58957c555d8646e46dbb25c6d", "parents": [ "bceb1604c4d6ce1396c63083d2fd8aae98346cf3" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Tue Jul 23 00:05:42 2024 +0000" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Tue Aug 13 12:43:45 2024 +0000" }, "message": "treewide: replace hardcoded runfiles paths\n\nWe hardcoded some of the runfiles paths to find specific files. This replaces the hardcoded paths by a call to rlocationpath. This prevents running a target without the correct dependencies at build time instead of at runtime\n\nChange-Id: I7ce56935ac80be6b28b824ccb0781ab401bd6521\nReviewed-on: https://review.monogon.dev/c/monogon/+/3301\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "3325b4b940370ad4282fdaa6027a5672ff8fdc2a", "tree": "7308d80e86a0d0ea34a5d2d5c8dac8cb2dd8efeb", "parents": [ "41b244857ee793cbf74552ec39f2ff614a686a56" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Mon Jul 15 19:19:49 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Mon Jul 22 21:25:58 2024 +0000" }, "message": "workspace: bump bazel_gazelle to v0.37.0\n\nChange-Id: I45a7769d80781075fdfb1c438240a75629dd572a\nReviewed-on: https://review.monogon.dev/c/monogon/+/3220\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "9f21f5396aa18bc9f2f83c867ff883f49bbf02ae", "tree": "c232f42c84bd6b7ace576261a188134cb0c69771", "parents": [ "f430fbfe35b70283090b6174cf5a920163c0148c" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Tue May 07 15:14:20 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Jul 04 12:19:37 2024 +0000" }, "message": "treewide: introduce osbase package and move things around\n\nAll except localregistry moved from metropolis/pkg to osbase,\nlocalregistry moved to metropolis/test as its only used there anyway.\n\nChange-Id: If1a4bf377364bef0ac23169e1b90379c71b06d72\nReviewed-on: https://review.monogon.dev/c/monogon/+/3079\nTested-by: Jenkins CI\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "2b6dc312656035aedade6f368af1994bdb8b6021", "tree": "488e63bfdf22b6b389e160a01d4f731c3956e2f3", "parents": [ "8111b901b88c8ef9ca5e113584c928de4bfdd24d" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Jun 04 17:44:55 2024 +0200" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Jun 11 17:01:21 2024 +0000" }, "message": "metropolis/test: create swtpm TPMs at runtime instead of compile time\n\nThe generated TPM data is random (it contains generated cryptographic\nkeys) so we really shouldn\u0027t be building it with Bazel.\n\nInstead, let\u0027s create it at runtime for e2e tests, and also actually\ngenerate separate TPM data per node with a common issuer for all.\n\nMoving the logic out of //metropolis/node also feels deserved, as this\nis all squarely in test territory.\n\nChange-Id: I257ee54c88ede685ba3faf573282b0f9228b10e8\nReviewed-on: https://review.monogon.dev/c/monogon/+/3132\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "99b021469b209bf184cd8d18749a7c1e74852a50", "tree": "9b916b10f5048cd40e9b0c929926d6d70abb36fa", "parents": [ "d5d33ba1e0798b48f56e6a1bc9178af9fc778179" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Wed Apr 17 16:33:28 2024 +0200" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu May 16 08:35:09 2024 +0000" }, "message": "m/test/e2e: split out tests into subpackages\n\nThe end-to-end tests have grown large enough that they merit their own\ntest targets. To make this more Go-idiomatic, we split away the tests\nnot just int separate Bazel targets, but also Go packages.\n\nWe also add per-test resource requests for Bazel, including a new\nresource kind (iops). This makes the tests more deterministic and allows\nuse to eg. use --runs_per_test\u003d10 to deflake test logic without hitting\nresource contention issues.\n\n//metropolis/test/e2e/suites/core:core_test PASSED in 35.1s\n Stats over 10 runs: max \u003d 35.1s, min \u003d 26.6s, avg \u003d 31.9s, dev \u003d 2.6s\n//metropolis/test/e2e/suites/ha:ha_test PASSED in 114.6s\n Stats over 10 runs: max \u003d 114.6s, min \u003d 90.1s, avg \u003d 100.9s, dev \u003d 7.6s\n//metropolis/test/e2e/suites/ha_cold:ha_cold_test PASSED in 67.8s\n Stats over 10 runs: max \u003d 67.8s, min \u003d 55.5s, avg \u003d 62.0s, dev \u003d 4.1s\n//metropolis/test/e2e/suites/kubernetes:kubernetes_test PASSED in 80.9s\n Stats over 10 runs: max \u003d 80.9s, min \u003d 58.8s, avg \u003d 68.6s, dev \u003d 6.0s\n\nChange-Id: I8f31e09f599fd90c9941e2b69f36789817fa90ce\nReviewed-on: https://review.monogon.dev/c/monogon/+/3086\nReviewed-by: Jan Schär \u003cjan@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "ddc5e6a098c24c1e69b5c692f534b05dbc763367", "tree": "962bc2b07f054b9c2552018a305fca2d9ee277f9", "parents": [ "2d83a128f6096b8133af9edec00e1cd0cd8215b0" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Tue Apr 23 23:44:34 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Mon May 06 13:34:32 2024 +0000" }, "message": "treewide: update to UwUbernetes (Kubernetes 1.30)\n\nCo-authored-by: Serge Bazanski \u003cserge@monogon.tech\u003e\nCo-authored-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nChange-Id: Id923f503938314ef8fb4243f36604752edbb4605\nReviewed-on: https://review.monogon.dev/c/monogon/+/3047\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "7be54aa2e0614d174d664c67f8dfccd5a2f1e856", "tree": "0af35e56eadcb6449676a0c6eb51ce90e815ed02", "parents": [ "500f6e08356b1cf358e619247582be784616964e" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Apr 09 12:07:10 2024 +0200" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Apr 25 12:01:18 2024 +0000" }, "message": "m/test/e2e: add TestE2EColdStartHA\n\nThis exercises full cluster shutdown and restart.\n\nChange-Id: I546a46c7c8d34da23466b8b959076135c503b077\nReviewed-on: https://review.monogon.dev/c/monogon/+/2943\nTested-by: Jenkins CI\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\n" }, { "commit": "b41b548058101e663a9591beaf2c491a44638d56", "tree": "4e977981d188d2e1d8cc37ba717c9a1787a04324", "parents": [ "513df18bf6ae7ad0cc17807674ee561c518d0654" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Apr 18 23:24:01 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Wed Apr 24 22:29:11 2024 +0000" }, "message": "treewide: remove duplicate imports\n\nChange-Id: I3708f9b6fb95d9463e3b9da12757a4b19416124f\nReviewed-on: https://review.monogon.dev/c/monogon/+/3026\nVouch-Run-CI: Tim Windelschmidt \u003ctim@monogon.tech\u003e\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "d5f851bb477638436826adec756fe562db526865", "tree": "d981b1c62d613b45fb55023da289098d7e377705", "parents": [ "69fec522d5db79d07bb1f227c2ab39c57fdf2831" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Tue Apr 23 14:59:37 2024 +0200" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Wed Apr 24 13:15:14 2024 +0000" }, "message": "treewide: replace error comparisons and assertions with errors.Is\n\nChange-Id: Id2424eb155f2c6842c72c5fafd124d428ef901f2\nReviewed-on: https://review.monogon.dev/c/monogon/+/2994\nTested-by: Jenkins CI\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "538292d66196e8ba1a63454c4a9e2aa547684ef3", "tree": "d590a37f8d29c49e041411b07d83eec84c6931f5", "parents": [ "5ad3144690965827669ce29f71c534caae42b901" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Wed Apr 17 14:50:02 2024 +0200" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Wed Apr 17 15:12:25 2024 +0000" }, "message": "metropolis: replace node pubkey with id in cluster directory\n\nThe pubkey in the cluster directory was never used in the first place,\nand its presence complicates things (exposes the notion of nodes having\na public key and potentially causes reliance on the public key in\nuntrusted scenarios, eg. when the cluster directory is persisted to\nuntrusted storage).\n\nLet\u0027s just replace that field with a string node ID instead, as that\u0027s\nalso immediately useful in future code (persisting host name mapping\nbetween reboots).\n\nChange-Id: I9b29ee36974ef6edce6076b5df1b8b330fef8bd8\nReviewed-on: https://review.monogon.dev/c/monogon/+/2981\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "37cfcc109508d5370900228d5f20f2183ed2d65b", "tree": "8f6ed3609c784eab89d28b8e7b8e5b8ab83a1bda", "parents": [ "c16f0488f8466a3e0ea81fb12ae249fe46bba892" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Mar 21 11:59:07 2024 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Apr 11 15:16:05 2024 +0000" }, "message": "m/test/e2e: Implement TestE2ECoreHA\n\nThis is a basic test which exercises a TPM-sealed three-node cluster by\nperforming a rolling restart of control plane nodes.\n\nChange-Id: Ic6f46192d8ccba1ef7a767988cf5a216beb5a4c6\nReviewed-on: https://review.monogon.dev/c/monogon/+/2884\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "3bdb5fcf023968526dfe7fadb89b0911bc6d7074", "tree": "37a8c1abdee1cf54b25ca0adf868ed879e4db7b3", "parents": [ "22a71c147af31d02a0db298e2ca8356078471b93" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Thu Mar 14 18:47:35 2024 +0100" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Wed Apr 03 15:49:26 2024 +0000" }, "message": "metropolis/core/metrics: expose containerd metrics endpoint\n\nThis adds containerd as another metrics endpoint. It is only available\non nodes with the KubernetesWorker role.\n\nChange-Id: I5f6269165a81d9a4c4cff48d3ed6b6a55d7f4f46\nReviewed-on: https://review.monogon.dev/c/monogon/+/2861\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "276a746de8b2b551f7088e88c93da0e0b15c99d6", "tree": "de82f9b1f243151c7a7d8d52bb8136a1d07c4f3f", "parents": [ "87d9c59a3b3dbbd4264f9c8b224e58fc5ff18815" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Jul 12 21:28:54 2023 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Thu Mar 21 10:09:21 2024 +0000" }, "message": "m/test/e2e: test NodePort\n\nThis was originally written as a test for validating fixes for\nthe issue that NodePort was not working if any non-local pods were in\nthe NodePort service, even for externalTrafficPolicy: cluster services.\nAs it turns out CL:2795 fixed this, the changes in previous versions of\nthis CL broke it again. So now it just consists of the test itself,\nwhich passes.\n\nChange-Id: If4cf4ffc46a5456b4defa330776e043593e61b29\nReviewed-on: https://review.monogon.dev/c/monogon/+/1924\nTested-by: Jenkins CI\nReviewed-by: Tim Windelschmidt \u003ctim@monogon.tech\u003e\n" }, { "commit": "2a1d1b2e90a44e140dd95a492de0c857287e071f", "tree": "392015b9ffa5f6f38da494c0a2fc519f16883113", "parents": [ "5d556cae21803212ac72a3713ed449b412f777af" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Tue Feb 06 07:07:42 2024 +0100" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Mon Feb 12 14:11:04 2024 +0000" }, "message": "treewide: replace datafile pkg with rules_go/runfiles pkg\n\nrules_go/runfiles provides the same functionality as our datafile\npackage. This change also contains some specifics for the now active\nbzlmod, which replaces all WORKSPACE related behaviour. As example the\nWORKSPACE name is now always set to _main.\n\n\nChange-Id: I1a69c72b479330a627b402135670f218c297906f\nReviewed-on: https://review.monogon.dev/c/monogon/+/2745\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "0974b2275edc21ce3b76606ba7f8eed84e5cc9f0", "tree": "b9bd73528dc6823168273fb8eb58d02054e90047", "parents": [ "c834b7dd62f20188f3ffd7cbb092e2536403474b" ], "author": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Tue Jan 16 14:04:15 2024 +0100" }, "committer": { "name": "Tim Windelschmidt", "email": "tim@monogon.tech", "time": "Tue Jan 23 15:52:54 2024 +0000" }, "message": "treewide: replace rules_docker with rules_oci\n\nrules_docker is not maintained anymore and recommends migration to\nrules_oci\n\nChange-Id: I089f3cf44888b3c3c0baa2c84a319b04b1a7dec4\nReviewed-on: https://review.monogon.dev/c/monogon/+/2712\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "150f24a5421dc1449d79a801524a7c98754f7bca", "tree": "c4f69b7e6260a241f3d946b36eda309e2539ccba", "parents": [ "901c7326fe067707812757e4e9409f756edf0e37" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Thu Jul 13 20:11:06 2023 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Jul 19 12:17:34 2023 +0000" }, "message": "metropolis/test: use localregistry\n\nThis removes everything but the preseed test image from the preseed\nimage pool, instead opting to serve all test image via localregistry.\n\nThe registry API is served from a dedicated IP inside the virtual\nnetwork and forwarded to an ephemeral listener on the host. The relevant\ninfrastructure is added to the launch package.\n\nAs it is required to add configuration to containerd for this registry\nanyways as it does not and should not have TLS we take that opportunity\nto give it a descriptive name (test.monogon.internal).\n\nVisibilities of images are also adjusted as they are now referenced much\ncloser to their point of use.\n\nAgainst main this saves 51MiB in bundle size (289MiB -\u003e 238MiB).\n\nChange-Id: I31f732eb8c4ccec486204f35e3635b588fd9c85b\nReviewed-on: https://review.monogon.dev/c/monogon/+/1927\nTested-by: Jenkins CI\nReviewed-by: Leopold Schabel \u003cleo@monogon.tech\u003e\n" }, { "commit": "a0bc6d3f0ce4f3a73eb0019e4f18f508ee36ce21", "tree": "6f77b3184d1cd558dfd8f29437fb61c2e74df431", "parents": [ "3722025f8ed0b46eb7f48c7c0fbfc53de9e84340" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Wed Jun 28 18:57:40 2023 +0200" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Mon Jul 03 08:03:11 2023 +0000" }, "message": "m/test/e2e: split core/kubernetes tests, clean up\n\nThis splits the large TestE2E function into two separate functions and\ntests: one which exercises the core functionality of Kubernetes, the\nother which exercises just the Kubernetes bits.\n\nThis allows for easier testing during development, and generally trades\noff higher resources usage for faster execution time in CI.\n\nAt the same time we do some small cleanups of the E2E functionality:\n\n 1. Node startup is now parallelized.\n 2. Non-bootstrap nodes can now be left in NEW (this was used in\n diagnosing issue #234, but it currently unused in the main code).\n 3. Kubernetes access now goes over SOCKS.\n 4. Some Cluster helper functions have been added.\n\nAll in all this should allow us writing more E2E tests in the future,\nand at some point also maybe turn Cluster into an interface that is\nimplemented both by the current framework but also some persistent tests\nrunning against long-term VMs/physical machines.\n\nChange-Id: Ia4586b2aaa5fc8c979d35f4b49513638481e4c10\nReviewed-on: https://review.monogon.dev/c/monogon/+/1870\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "a551c58f3ceb3af37e5e596c3b5fc84609d6e429", "tree": "90f380e1401e6da73762c027c5fb4df9dd357774", "parents": [ "8481f7506b4c67de54fa96b5510007dc2c66a348" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Jun 27 01:09:09 2023 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Jun 27 10:07:47 2023 +0000" }, "message": "m/t/e2e: adapt runtime test\n\nSince we\u0027re now defaulting to runc, test gVisor separately instead of\nrunc.\n\nChange-Id: Idbf9c961526ea82e20113286fd801553ad785aa9\nReviewed-on: https://review.monogon.dev/c/monogon/+/1858\nReviewed-by: Leopold Schabel \u003cleo@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "54e212a9914ad8003fc4e353f96651340d287c2d", "tree": "df3b1624d9679e30aefac9b98b2f9b91523eca0b", "parents": [ "d34299ebe13211802739d698e526be78161eac6f" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Wed Jun 14 13:45:11 2023 +0200" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Jun 20 11:37:55 2023 +0000" }, "message": "metropolis: implement Metrics Service\n\nThis is the first pass at a Metrics Service. It currently consists of an\nHTTP reverse proxy which authenticates incoming connections using the\nCluster CA and certificates, and passes these connections over to a\nlocally running node_exporter.\n\nIn the future more exporters will be added, and we will likely also run\nour own exporter for Metropolis-specific metrics.\n\nChange-Id: Ibab52aa303965dd7d975f5035f411d1c56ad73e6\nReviewed-on: https://review.monogon.dev/c/monogon/+/1816\nTested-by: Jenkins CI\nReviewed-by: Leopold Schabel \u003cleo@monogon.tech\u003e\n" }, { "commit": "2cfafc9a4c34152dd93b58aa82df1720fb4dd6d6", "tree": "7a944999ab576f4b421651c2c4d513b0b572a1be", "parents": [ "d0be371ea905c3729f98d91d255d775b7c5193d3" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Mar 21 16:42:47 2023 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Apr 13 14:03:02 2023 +0000" }, "message": "metropolis/node/kubernetes: move worker services to KubernetesWorker nodes\n\nThis finalizes the Big Split. After this change, nodes will only run a\nkubelet (and related services) if they have a KubernetesWorker role\nattached.\n\nThe first node in a new cluster now starts out with KubernetesController\nand ConsensusMember. All joined nodes start with no roles attached.\n\nChange-Id: I25a059318450b7d2dd3c19f3653fc15367867693\nReviewed-on: https://review.monogon.dev/c/monogon/+/1380\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "9104e381ab7a2c90087843de00204eed9ed7cf99", "tree": "73bd733d7615f660d33ee8cae514782b66b53734", "parents": [ "c09cca0e59c56f054a2f47872e54f83cad288c31" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Apr 04 20:08:21 2023 +0200" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Apr 06 14:19:04 2023 +0000" }, "message": "metropolis/test/e2e: add self-test image for networking\n\nWe don\u0027t have any networking tests in our E2E tests. This adds an image\nwhich de-facto implements one. Or at least, will implement one once we\nmove to split workers/controllers and contacting a Kubernetes apiserver\nfrom a pod will mean we\u0027re actually testing cross-node traffic.\n\nChange-Id: I3d7be3824ac041d72e1c19cd468d30dbcb71fa03\nReviewed-on: https://review.monogon.dev/c/monogon/+/1481\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "630fb5c5349b13330b7de6f8300b495b801db061", "tree": "9d946ba0dd34a6ba0567f4f7120174797e29a8fe", "parents": [ "1fb2b10801eb4ea56a1e00f174923ec83f039623" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Apr 06 10:50:24 2023 +0200" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Apr 06 09:55:51 2023 +0000" }, "message": "m/test/e2e: deflake\n\nNow that nodes don\u0027t heartbeat before they have critical ESP data\npersisted, we can simply make sure they heartbeat before any disruptive\nreboot and that will remove our biggest source of flakiness in E2E\ntests.\n\nChange-Id: I9d4483015341157af6b27c8bd98f5df64da229d2\nReviewed-on: https://review.monogon.dev/c/monogon/+/1499\nTested-by: Jenkins CI\nReviewed-by: Leopold Schabel \u003cleo@monogon.tech\u003e\n" }, { "commit": "8535cb5bc5437960430ff94d3ea7280ccf931340", "tree": "57edb5cf064ad8b43aef52c1bbb974dd5cce7c26", "parents": [ "30fd15406e2c9cba7391f6af96c775b313a115fa" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Wed Mar 29 14:15:08 2023 +0200" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Wed Mar 29 17:18:22 2023 +0000" }, "message": "m/n/core/rpc: implement node verification in authenticated connections\n\nThe current API of NewAuthenticatedCredentials is not easily extensible,\nso switch over to such an API now.\n\nThis then adds a WantRemoteNode option which verifies that the remote\nconnection is established to a node with a given ID.\n\nChange-Id: Ie9f6b33d8b032729181bae5591eba9856ea2f523\nReviewed-on: https://review.monogon.dev/c/monogon/+/1427\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "05f813bf2d311f94dbc8021a85b37ff7c2e33242", "tree": "861772847ef842bbdc362224c442a7679b8b10f2", "parents": [ "cc4e96aed59648a3c4ac3faf3755deff4bb7f656" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Mar 16 17:58:39 2023 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Mar 16 20:52:16 2023 +0000" }, "message": "m/test/e2e: use concise-style logging\n\nMaking our test logs look like LogEntry.ConciseString() means we have\nsignificantly more readable test logs.\n\nChange-Id: I0b1eab6a5a837bb2001f3b32779c23df2feaa381\nReviewed-on: https://review.monogon.dev/c/monogon/+/1362\nReviewed-by: Leopold Schabel \u003cleo@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "591d808678b9770bd579509928997dc5494806e8", "tree": "3afd01fdd280f279610160141c6ef1b02debb119", "parents": [ "cf23ebc1afc53f93d56a0fd33209db7b033a991a" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Mar 16 00:26:59 2023 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Mar 16 13:41:02 2023 +0000" }, "message": "m/test/e2e: stop downloading container images\n\nHaving tests rely on The Internet isn\u0027t great, having tests rely on the\nDockercorp registry is even worse. Instead, let\u0027s test everything using\nthe preseed_test image.\n\nChange-Id: Ib82ce266592e9c6d2f0d4597abcc114c12746b1f\nReviewed-on: https://review.monogon.dev/c/monogon/+/1338\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "97f212c1d25424a099b6a2ff52e0464a2755f11e", "tree": "f5da74b0ac98113b684f51c98946d405fbeacb77", "parents": [ "6294854ace5e06e3b731878544eb39f5351de66d" ], "author": { "name": "Leopold", "email": "leo@monogon.tech", "time": "Sat Jan 21 19:06:34 2023 +0100" }, "committer": { "name": "Leopold Schabel", "email": "leo@monogon.tech", "time": "Tue Jan 24 16:16:59 2023 +0000" }, "message": "build/ci: mark supervisor and e2e tests as flaky\n\nChange-Id: I56459eac238d3ecc5c8429226cab1c32ceb2e0c4\nReviewed-on: https://review.monogon.dev/c/monogon/+/1088\nTested-by: Jenkins CI\nReviewed-by: Serge Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "ddf19b4b194936cc310eae9fc5c01bedcedbb900", "tree": "9eb4a4760f926cfa78b227c782ed306961049ab9", "parents": [ "5055d727cdcf6692d0049a8963ec56ac3401721b" ], "author": { "name": "Mateusz Zalega", "email": "mateusz@monogon.tech", "time": "Wed Jun 22 12:27:37 2022 +0200" }, "committer": { "name": "Mateusz Zalega", "email": "mateusz@monogon.tech", "time": "Thu Jun 23 16:23:08 2022 +0000" }, "message": "m/t/e2e: move testEventual to common test util pkg\n\ntestEventual, among other implementation, will be reused in metroctl\ntests.\n\nChange-Id: I24df31a72034b707e3906889e7a569c8e97669ad\nReviewed-on: https://review.monogon.dev/c/monogon/+/788\nTested-by: Jenkins CI\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "78cefcafa315af20d9f603fefd1423fe7bab7483", "tree": "b5d8ab0ce4652e30ace81c0cedf64b847260612d", "parents": [ "4025c9bf83aa038c8858c82bc80bd65acecd7210" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Mon Jun 20 12:59:55 2022 +0000" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Jun 21 11:44:25 2022 +0000" }, "message": "m/n/kubernetes: factor out cluster domain\n\nThis removes the hardcoded Kubernetes cluster domain and pushes it out\nto a single place at the root of the Kubernetes supervisor tree.\nThis will later be aligned with the cluster domain specified in the\nidentity design document, currently this does not change any behavior.\n\nIt also removes a bogous SAN from the Kubernetes API server certificate\n(kubernetes.default.svc.cluster) for which there is no corresponding\nsearch path.\n\nChange-Id: I30b8907a7b846415f5002c09a24d2d37930a9cd1\nReviewed-on: https://review.monogon.dev/c/monogon/+/773\nTested-by: Jenkins CI\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "32b192929c34e408bec6286de471313a4cfce5e2", "tree": "5a05f888581a3749ede7f09340119171422150e2", "parents": [ "08cb464d60f859ad029a52abe161cae02a0bf405" ], "author": { "name": "Mateusz Zalega", "email": "mateusz@monogon.tech", "time": "Tue May 17 13:26:55 2022 +0200" }, "committer": { "name": "Mateusz Zalega", "email": "mateusz@monogon.tech", "time": "Fri May 27 10:24:27 2022 +0000" }, "message": "m/n/core: implement node heartbeats\n\nThis change introduces cluster member node health monitoring by\nimplementing a bidirectional RPC stream the nodes will periodically\nsend their heartbeat updates through. Management.GetNodes call was\nmodified to include the new node health information.\n\nRelevant data available through the management API is non-persistent,\nand stored within current Curator leader\u0027s local state. As such, it\nwill become briefly unavailable in an event of leader re-election. The\ninformation returned, however, is guaranteed to be correct.\n\nChange-Id: I916ac48f496941a7decc09d672ecf72a914b0d88\nReviewed-on: https://review.monogon.dev/c/monogon/+/694\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\nTested-by: Jenkins CI\n" }, { "commit": "0246f5eb3a48f8a521ab20d776b923fcf0af6e1c", "tree": "73ff4458a28566fa580c116958aeceb222d7e4ac", "parents": [ "2930e9966deca2ebcb9b497d4d133ffb6258ed87" ], "author": { "name": "Mateusz Zalega", "email": "mateusz@monogon.tech", "time": "Fri Apr 22 17:29:04 2022 +0200" }, "committer": { "name": "Mateusz Zalega", "email": "mateusz@monogon.tech", "time": "Tue May 03 12:11:19 2022 +0000" }, "message": "m/test: implement non-transient QEMU VMs\n\nThis patch reworks the launch code, enabling rebooting of cluster\nmember VMs, while precluding erasure of their transient state (disk\nimage, OVMF firmware variables, TPM state, MAC address).\n\nRebootNode method included in this patch is cluster-aware in the sense\nthat it blocks until the node has re-joined the cluster.\n\nChange-Id: Ie1236297d214399e927a67295200f8b8879a5b39\nReviewed-on: https://review.monogon.dev/c/monogon/+/664\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "be74284cb84581b7217a934d2a771edb7c948223", "tree": "c943b51d32f0f0c0f81b97faa4660a9099b3caee", "parents": [ "fe7134b0b25b620b6f40b1f41f37ab93fca6d3c0" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Mon Apr 04 13:18:50 2022 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Wed Apr 06 09:52:24 2022 +0000" }, "message": "m/test: implement SOCKS proxy in cluster tests\n\nThis uses the new socksproxy package to run a proxy server in the\nnanoswitch, and uses it within tests to access the test cluster\u0027s nodes.\n\nThe cluster test code (and nanoswitch) still forward traffic to the\nfirst node, but this will be gradually removed as SOCKS support is\nimplemented in metroctl and the debug tool. Forwards from host ports to\ndifferent node can then be implemented as part of the dbg tool (instead\nof the cluster launch code) to maintain a simple interface during debug\nand development.\n\nWe also use the opportunity to make the non-cluster launch code not\nMetropolis specific (by removing an assumption that all ports on all\nnodes are Metropolis ports). In the long term, we will probably remove\nnon-cluster launches entirely (or further turn this code into just being\na \u0027launch qemu\u0027 wrapper).\n\nChange-Id: I9b321bde95ba74fbfaa695eaaad8f9974aba5372\nReviewed-on: https://review.monogon.dev/c/monogon/+/648\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "d13c1c64387ca9a83bb832a3faa5c4b07268d265", "tree": "0c0f534db4726e4400486aad25235e8c573d455e", "parents": [ "79a1a8f9dd49afe8e0a2364c4586b8f39525b204" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Mar 30 19:58:58 2022 +0200" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Tue Apr 05 10:35:29 2022 +0000" }, "message": "treewide: switch to gomod and bump everything\n\nThis switches version resolution from fietsje to gomod and updates\nall Go dependencies. It also bumps rules_go (required by gVisor) and\nswitches the Gazelle naming convention from go_default_xxx to the\nstandard Bazel convention of the default target having the package\nname.\n\nSince Kubernetes dropped upstream Bazel support and doesn\u0027t check in\nall generated files I manually pregenerated the OpenAPI spec. This\nshould be fixed, but because of the already-huge scope of this CL\nand the rebase complexity this is not in here.\n\nChange-Id: Iec8ea613d06946882426c2f9fad5bda7e8aaf833\nReviewed-on: https://review.monogon.dev/c/monogon/+/639\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\nReviewed-by: Leopold Schabel \u003cleo@nexantic.com\u003e\n" }, { "commit": "6dff6d6a57b999eb91f1b9cf956e2ebc18c2defd", "tree": "4db4fa350e81b0fc52db7cf81f4c620114b28d18", "parents": [ "636032e843efcdef0716ed9956f40642d07b8d4c" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Fri Jan 28 18:15:14 2022 +0100" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Wed Feb 23 16:15:54 2022 +0000" }, "message": "m/n/roleserve: reactive service management\n\nBottom line up first: this starts etcd, the curator and Kubernetes on\nnodes that register into the cluster. Effectively, this is multi-node\nsupport.\n\nThis significantly refactors the node roleserver to start both the\ncontrol plane and Kubernetes on demand, based on roles assigned by the\ncluster (or due to bootstrapping a new cluster). Most importantly, we\npretty much remove all cluster-bootstrapping code from the node startup\nprocess, thereby making the first node and any subsequent nodes not go\nthrough different codepaths.\n\nIn addition, access to the cluster Curators is now also mediated via\nthe roleserver, which is the component aware whether the node code\nshould connect to the local curator (if the control plane is running) or\nto remote curators (if the control plane is not [yet] running).\n\nThis implementation is a bit verbose as we make heavy use of untyped\nEvent Values, and we add quite a few lines repeated of code to combine\ndata from different values into something that a goroutine can wait on.\nOnce Go 1.18 lands we should be able to make this code much nicer.\n\nThere\u0027s still a few things that need to be implemented for all flows to\nbe working fully (notably, we can end up with stale curator clients,\ncurator clients are not load balanced across multiple curators, and\ncluster directories for connecting to the curator do not get updated\nafter startup). However, these are all features that we should be able\nto easily implement once this lands.\n\nCurrently this is only covered by the e2e test. The individual workers\nwithin roleserver should be able to be independently tested, and this is\nsomething I plan on doing very soon as another change on top, while this\none is being reviewed.\n\nWith time, the two large startup components (the cluster \"enrolment\"\nmanager and the roleserver) have slightly lost their original purpose\nand their names aren\u0027t exactly fitting anymore. I might rename them in\nan upcoming change, if anyone has any good naming ideas I\u0027m all ears :).\n\nChange-Id: Iaf0fc9f6fdd2122e6aae19607be1648382063e66\nReviewed-on: https://review.monogon.dev/c/monogon/+/532\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "cc078df2124306799c66786833746999259ea792", "tree": "43807fcfec2196430b4bd4def124dad2231451db", "parents": [ "8c2c771a750f30b3edf240fc8352e777795e989b" ], "author": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Thu Dec 23 11:51:55 2021 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@monogon.tech", "time": "Wed Feb 02 14:07:37 2022 +0000" }, "message": "m/n/kubernetes: implement Metropolis authenticating proxy\n\nThis implements an authenticating proxy for K8s which can authenticate\nMetropolis credentials and passes the extracted identity information\nback to the Kubernetes API server. It currently only handles user\nauthentication, machine-to-machine authentication is still done by the\nAPI server itself. It also adds a role binding to allow full access\nto the owner as we do not have an identity system yet.\n\nChange-Id: I02043924bb7ce7a1acdb826dad2d27a4c2008136\nReviewed-on: https://review.monogon.dev/c/monogon/+/509\nReviewed-by: Sergiusz Bazanski \u003cserge@monogon.tech\u003e\n" }, { "commit": "e78a08987e48aa5d9f77954886b7cc544f218638", "tree": "77d91020801cf19d2979db69495e40f3aeb889d5", "parents": [ "957c5b142abf8976c212ae013e6c36c4ff80f6c8" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Thu Oct 07 17:03:49 2021 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Thu Dec 09 17:51:43 2021 +0000" }, "message": "m/n/c/cluster: implement register flow\n\nChange-Id: I197cbfa96d34c9912c7fc19710db25276e7440fc\nReviewed-on: https://review.monogon.dev/c/monogon/+/454\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "66e589595ecbefdc1466ea5e98e9c237e3300f8e", "tree": "c5bf14131ce984dea96ee6825c12b5e3cf7a342a", "parents": [ "a1a96b454eb3c21d03b7f95f1917dd6ce1b84b8a" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Oct 05 17:06:56 2021 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Mon Oct 11 13:27:02 2021 +0000" }, "message": "m/test: refactor cluster launch code, use for e2e tests\n\nThis is a light dust-off pass for the existing cluster launch code.\nNotably, we separate Metropolis-specific code into a subpackage\n(allowing us to make the package itself depend on the required\nnode/kernel images, without introducing dependency loops or unnecessary\ndependencies on the Metropolis node image).\n\nWe also make the LaunchCluster code return an already authenticated\nManagement client, and subsequent changes will use this client to add\nmore nodes to the running cluster.\n\nWe then move the E2E test to use LaunchCluster instead of LaunchNode, in\npreparation for running a multi-node cluster in the E2E test.\n\nWe also add some more log calls and clean up the existing ones to make\nit clear which subsystem (launch, launch/cluster or e2e) is respondible\nfor each message.\n\nChange-Id: I838bdc75073831fe94b9cdcef4fb3ab6bf8cba2c\nReviewed-on: https://review.monogon.dev/c/monogon/+/343\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "bf68fa9d8cbf6d283da8d538c1f28d8f53df0fcd", "tree": "d62cda0e060b4376dec815629f72e1661d77a73f", "parents": [ "bc671d09b9cdeb420260797c22020aa12059eb36" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Oct 05 17:53:58 2021 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Wed Oct 06 14:50:09 2021 +0000" }, "message": "m/n/c/roleserve: implement ClusterAgent\n\nThe ClusterAgent is a runnable that is scheduled to run on all cluster\nnodes. It\u0027s currently used to report the current node status to the\nCluster, and in the future can be used to implement hearbeat detection\nfor nodes.\n\nChange-Id: Iff394e2cc37064d1e42fd27e40884dda83d88418\nReviewed-on: https://review.monogon.dev/c/monogon/+/341\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "d7d6e0284de38cbeeb185ca17c0853b4b2c10ee9", "tree": "37e0b443caf904f0b78d423ba6580c1416f5bc11", "parents": [ "9ffa1f9577003ab70a6b483475874f3552d1ccc3" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Wed Sep 01 15:03:06 2021 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Fri Sep 03 11:15:40 2021 +0000" }, "message": "m/n/core/rpc: create library for common gRPC functions\n\nThis is the beginning of consolidating all gRPC-related code into a\nsingle package.\n\nWe also run the Curator service publicly and place it behind a new\nauthorization permission bit. This is in preparation for Curator\nfollowers needing access to this Service.\n\nSome of the service split and authorization options are likely to be\nchanged in the future (I\u0027m considering renaming Curator to something\nelse, or at least clearly stating that it\u0027s a node-to-node service).\n\nChange-Id: I0a4a57da15b35688aefe7bf669ba6342d46aa3f5\nReviewed-on: https://review.monogon.dev/c/monogon/+/316\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "1f9a03b3f952320824b1ae49e56da3cb814cd5b0", "tree": "315ea3ca5711b2dca9173dcf825c18e031affa84", "parents": [ "b9044c888097757c36933062f27b5f5ee103ee5f" ], "author": { "name": "Serge Bazanski", "email": "serge@monogon.tech", "time": "Tue Aug 17 13:40:53 2021 +0200" }, "committer": { "name": "Sergiusz Bazanski", "email": "serge@monogon.tech", "time": "Tue Aug 24 17:26:20 2021 +0000" }, "message": "m/test/e2e: retrieve owner credentials in e2e test\n\nThis exercises AAA.Escrow for the initial cluster owner within our large\ne2e test suite. The certificate retrieved this way is not yet used, but\nis verified to be emitted for the correct public key.\n\nChange-Id: Id33178cd223e3180d6f834c6fac94d6d657d5349\nReviewed-on: https://review.monogon.dev/c/monogon/+/290\nReviewed-by: Lorenz Brun \u003clorenz@monogon.tech\u003e\n" }, { "commit": "216fe7b3ae949376467f626f339423a31ea7da97", "tree": "b0fe587b671a76bf6229339825d2a61df7fc847b", "parents": [ "6ebdc418f3c4799c12368e34ea78dc9c9757fb54" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Fri May 21 18:36:16 2021 +0200" }, "committer": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Fri May 28 17:54:03 2021 +0200" }, "message": "*: reflow comments to 80 characters\n\nThis reformats the entire Metropolis codebase to have comments no longer\nthan 80 characters, implementing CR/66.\n\nThis has been done half manually, as we don\u0027t have a good integration\nbetween commentwrap/Bazel, but that can be implemented if we decide to\ngo for this tool/limit.\n\nChange-Id: If1fff0b093ef806f5dc00551c11506e8290379d0\n" }, { "commit": "f055a7fce0263a30fd2c853b5ed002a765fc23e8", "tree": "de2dc0daeebfc7ecce2b1987ffb13eb4f2475088", "parents": [ "2666513457e8d7a282560a7090f35439ab9695ce" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Tue Apr 13 16:22:33 2021 +0200" }, "committer": { "name": "Leopold Schabel", "email": "leo@nexantic.com", "time": "Wed Apr 14 14:35:09 2021 +0200" }, "message": "third_party/linux: build using unhermetic rule\n\nThis replaces ad-hoc genrules (for the node Linux image and the ktest\nimage) with a real Bazel rule with an attached transition which ensures\nwe end up with the same-ish configurations for all builds of an image.\n\nThis reduces rebuilds of the ktest Linux kernel, from three down to one.\n\nBefore: https://drive.google.com/file/d/1c6VmY2bqx9Pgs61TOUfgMi8Sn0WQeobu/view\n\nAfter: https://drive.google.com/file/d/13eO1rLhoBCMMRUKrmJz8QnhdAR3ctIGb/view\n\nWe also drive-by fix the Kubernetes CTS test suite to run on a single-node\nCluster (instead of failing early due to that being currently reworked).\n\nTest Plan: Build system refactor, following existing test.\n\nX-Origin-Diff: phab/D761\nGitOrigin-RevId: b5545ac5fd402fbf0340d941a90b9ea6ea0b6d43\n" }, { "commit": "37050126ef89ec30cc677c272471debe55ec0d69", "tree": "c64a64a622ec1c3e1e72fc12a6d4252c0e803cc1", "parents": [ "2999427c182463840a339cf0e82885d8a3b6e79f" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Tue Mar 30 14:00:27 2021 +0200" }, "committer": { "name": "Leopold Schabel", "email": "leo@nexantic.com", "time": "Tue Apr 13 11:04:01 2021 +0200" }, "message": "Implement Block PVCs in our storage backend\n\nThis implements full support for Block PVCs in our Kubernetes storage backend.\nThe block PVCs are backed by files made available to the pods using loop devices and\nhave read-only and online expansion support.\n\nThis also requires a Kubernetes patch because they call losetup if block PVCs are used\nwith CSI to establish a form of lock on the backing block device. This lock is not\nexclusive and does absolutely nothing for our use case and could get very expensive\non dense machines so I removed it.\n\nTest Plan: Comes with E2E tests\n\nX-Origin-Diff: phab/D746\nGitOrigin-RevId: 430d3f445286c0d3498b2153df333a19f3fcab89\n" }, { "commit": "30167f5cf55829d38f9d480466d7b5742c62a5fc", "tree": "fd89a3bb8a1c08b10d870a6b185b2deffa131cac", "parents": [ "9956e72c6c0b4f6436dc9493bc213965ee0cc191" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Wed Mar 17 17:49:01 2021 +0100" }, "committer": { "name": "Leopold Schabel", "email": "leo@nexantic.com", "time": "Tue Apr 13 11:03:56 2021 +0200" }, "message": "Add VM infrastructure smoke test\n\nThis adds an E2E test which exercises the VM infrastructure (Kubernetes, KVM device plugin and QEMU).\nThis test should ensure that nobody breaks the core infrastructure Metropolis VMs rely on.\n\nTest Plan: This is a test\n\nX-Origin-Diff: phab/D740\nGitOrigin-RevId: ddf629725dfb664ace5a50efee9ed9442962d6f7\n" }, { "commit": "0ed2f96a3a86aff2c9ce36289aa5d58a75f4d59b", "tree": "afbe1fb6cd0a1667e981edfe97969338437bdaca", "parents": [ "056042962060369bd7607ecfea51c515fc3a8140" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Mon Mar 15 16:39:30 2021 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Mon Mar 15 16:39:30 2021 +0100" }, "message": "metropolis/proto: EnrolmentConfig -\u003e NodeParameters\n\nThis starts off the move to a node configuration API conforming to\nthe lifecycle management design document.\n\nInstead of an Enrolment Config used only to join an existing cluster, we\nmove to a NodeParameters proto that must always be given to a node if\nit\u0027s supposed to either bootstrap a new cluster or join an existing one.\n\nThis links the existing cluster management code (and its state machine)\nto work with this file. However, that state machine will be removed very\nsoon, anyway.\n\nWe also remove everything related to golden tickets.\n\nThis breaks multi-node tests.\n\nX-Origin-Diff: phab/D710\nGitOrigin-RevId: f22615fbccab975f2d5e6928bdc7387ab3aa5714\n" }, { "commit": "19eb0006edc79edc53fb53ea0eed67e93f4c8eba", "tree": "704a52ab75bde43409d80246cf23bce6b6be3467", "parents": [ "842536b10bd1b11e62317940feef215442a8ecb4" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Thu Jan 21 14:25:25 2021 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Thu Jan 21 14:25:25 2021 +0100" }, "message": "third_party: bump Kubernetes to 1.19.7\n\nThis... didn\u0027t exactly go well. Turns out a change between rc.1 and rc.2\nbroke our runc runtime by enabling seccomp by default for pod sandboxes.\n\nWe work around this by reverting this change, and filing T916 to solve\nthis soon.\n\nThis fixes T910 and T909.\n\nTest Plan: kube bump, CI should run e2e, didn\u0027t run CTS.\n\nBug: T910, T909\n\nX-Origin-Diff: phab/D691\nGitOrigin-RevId: 78afca77c294895859e0af9150128d82677d875b\n" }, { "commit": "f12bedfa4cd144c3abc4deac58405067d55f9c87", "tree": "ddbc408e424a0ea8e446bcf0022ee16278202d63", "parents": [ "c3ad846e0eaf4cf008130a643ff247aa27531e17" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Fri Jan 15 16:58:50 2021 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Fri Jan 15 16:58:50 2021 +0100" }, "message": "*: bump up Go dependencies\n\nThis started off as \u0027let\u0027s bump gVisor\u0027. However, pulling that thread\nresulted in quite a few things that also required bumping for the build\nto actually work. Here I come back from a day in the Bazel mines,\nbearing fruits of my labor.\n\nNotable changes:\n\n - bump up gVisor\n - bump up containerd\n - bump up Bazel\n - bump up rules_go, rules_docker, Gazelle\n - use google.golang.org/protobuf (the \u0027new\u0027 go proto package)\n - bump up gRPC (but not too much, as go-etcd is still straggling)\n\nNotable effects:\n\n - new gVisor supports TTY allocation (kubectl run -it\n --image\u003dubuntu:20.04 ubuntu bash now works!)\n\nNotable notes:\n\n - gVisor shim has new been rolled into the main gVisor package and is\n slightly easier to build (we can get rid of a bunch of patches).\n - Opencontainers\u0027 runtime-specs now follow containerd instead of gVisor\n - gVisor had to be taught to use the slightly newer runtime-specs via a\n new patch.\n - go_rule() in Starlark is now deprecated, and we had to change our\n Starlark rule definitions to use rule() instead. We also had to patch\n gVisor to do that (as there hasn\u0027t yet been a release that rolled\n this up).\n - Gazelle now supports different naming schemes for generated Go\n targets - either the old //foo/bar:go_default_library scheme, or a\n new and nicer //foo/bar:bar scheme. We currently force the usage of\n the old scheme, as switching over is probably not going to be easy\n (we use a lot of external Bazel files, and we have to wait for their\n compatibility with the new scheme first).\n - New Bazel/rules_go sets a TMPDIR long enough to generate paths (via\n ioutil.TempDir) to which sockets cannot be bound (108-byte limit).\n - The new protobuf API is incompatible with gogoproto. containerd/ttrpc\n uses gogoproto, but we are smart enough to pull in the old protobuf\n library as gogoproto\u0027s transitive dep. However, ttrpc also wants to\n use some proto-generated grpc bits, and that doesn\u0027t work. We have to\n pull in a ttrpc fork from a PR that hasn\u0027t yet been merged that fixes\n this issue.\n\nTest Plan: Refactor only, should be covered by tests.\n\nX-Origin-Diff: phab/D689\nGitOrigin-RevId: 1188c0605d25e7f40307fab5fd96e7019f3a9171\n" }, { "commit": "31370b07f0df2dc2765d812d4ce00a6b35185b16", "tree": "15563902eee9591083284441c8505b084b275d0a", "parents": [ "313816f41244d7520eb2b6f8c231328ee5b7a4ef" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Thu Jan 07 16:31:14 2021 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Thu Jan 07 16:31:14 2021 +0100" }, "message": "*: git.monogon.dev -\u003e source.monogon.dev\n\nThis implements T882, setting our (virtual) GOPATH to source.monogon.dev\nfor this repository.\n\nTest Plan: Refactor, CI only.\n\nX-Origin-Diff: phab/D686\nGitOrigin-RevId: c5e2309089948ffc3a98e68e2e0e1cbb157d3a36\n" }, { "commit": "0be9be88224dd87eedb10436b11615fa59862271", "tree": "2cffcd0ca273ada48c0b42a36bd25bb1cc2da35c", "parents": [ "549b72b2d65051403301f53111509f77e88b379b" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Thu Jan 07 15:23:44 2021 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Thu Jan 07 15:23:44 2021 +0100" }, "message": "metropolis: Lock down visibility rules\n\nThis formalizes the package structure introduced by D683.\n\nTest Plan: Pure refactor, CI only.\n\nX-Origin-Diff: phab/D684\nGitOrigin-RevId: 574aa14c71faf94f4a5c02a2110e2e3fef7d36ac\n" }, { "commit": "6df7c4f6b2c9a896357cb6c4e236d588f4e23277", "tree": "1f6690534fa123509708fe197ef3f35e6edf6903", "parents": [ "df952416e693f5b3180f1e69b6021a589cdc80d9" ], "author": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Mon Dec 21 15:02:00 2020 +0100" }, "committer": { "name": "Lorenz Brun", "email": "lorenz@nexantic.com", "time": "Mon Dec 21 15:02:00 2020 +0100" }, "message": "Properly exit CTS on signals\n\nThis kills the loops when the global context is cancelled ensuring reliable termination\nof the CTS with Ctrl+C or a signal.\n\nTest Plan: Manually tested by aborting the CTS with Ctrl+C\n\nX-Origin-Diff: phab/D673\nGitOrigin-RevId: a2f367cd4a7a57bb573bd57656148681add048a2\n" }, { "commit": "662b5b3119b0798980b887d1ef9fa1b5632aa7fb", "tree": "3e1fc4ab033530e6d579112ba500d2c6edb43368", "parents": [ "39f2f691726dc6e0a291aa8609085b835a313dad" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Mon Dec 21 13:49:00 2020 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Mon Dec 21 13:49:00 2020 +0100" }, "message": "smalltown -\u003e metropolis\n\nThis pass removes all mentions of Smalltown, both from code and comments,\nand replaces them with appropriate new terminology.\n\nTest Plan: Refactor, covered by CI.\n\nX-Origin-Diff: phab/D674\nGitOrigin-RevId: 04a94d44ef07d46f7821530da5614daefe16d7ea\n" }, { "commit": "77cb6c5ec3acadf02ad5005dd751cfbf0ec1602f", "tree": "7ddfcdf78c489a5d6fad7a20bd3580d803407450", "parents": [ "26d41999e0c71813648c16ad84bba810c3b9d593" ], "author": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Sat Dec 19 00:09:22 2020 +0100" }, "committer": { "name": "Serge Bazanski", "email": "serge@nexantic.com", "time": "Sat Dec 19 00:09:22 2020 +0100" }, "message": "core -\u003e metropolis\n\nSmalltown is now called Metropolis!\n\nThis is the first commit in a series of cleanup commits that prepare us\nfor an open source release. This one just some Bazel packages around to\nfollow a stricter directory layout.\n\nAll of Metropolis now lives in `//metropolis`.\n\nAll of Metropolis Node code now lives in `//metropolis/node`.\n\nAll of the main /init now lives in `//m/n/core`.\n\nAll of the Kubernetes functionality/glue now lives in `//m/n/kubernetes`.\n\nNext steps:\n - hunt down all references to Smalltown and replace them appropriately\n - narrow down visibility rules\n - document new code organization\n - move `//build/toolchain` to `//monogon/build/toolchain`\n - do another cleanup pass between `//golibs` and\n `//monogon/node/{core,common}`.\n - remove `//delta` and `//anubis`\n\nFixes T799.\n\nTest Plan: Just a very large refactor. CI should help us out here.\n\nBug: T799\n\nX-Origin-Diff: phab/D667\nGitOrigin-RevId: 6029b8d4edc42325d50042596b639e8b122d0ded\n" } ] }