Merge remote-tracking branch 'origin/main' into k0s-1-29

Makefile

@@ -15,7 +15,7 @@ K0S_GO_VERSION = v1.29.9+k0s.0
 PREVIOUS_K0S_VERSION ?= v1.28.14+k0s.0-ec.0
 PREVIOUS_K0S_GO_VERSION ?= v1.28.14+k0s.0
 K0S_BINARY_SOURCE_OVERRIDE =
-TROUBLESHOOT_VERSION = v0.107.4
+TROUBLESHOOT_VERSION = v0.109.0
 
 KOTS_VERSION = v$(shell awk '/^version/{print $$2}' pkg/addons/adminconsole/static/metadata.yaml | sed -E 's/([0-9]+\.[0-9]+\.[0-9]+).*/\1/')
 # When updating KOTS_BINARY_URL_OVERRIDE, also update the KOTS_VERSION above or

go.mod

@@ -31,7 +31,7 @@ require (
 	github.com/replicatedhq/embedded-cluster/kinds v0.0.0
 	github.com/replicatedhq/embedded-cluster/utils v0.0.0
 	github.com/replicatedhq/kotskinds v0.0.0-20240814191029-3f677ee409a0
-	github.com/replicatedhq/troubleshoot v0.108.1
+	github.com/replicatedhq/troubleshoot v0.109.0
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.8.1
 	github.com/spf13/viper v1.19.0

go.sum

@@ -907,8 +907,8 @@ github.com/redis/go-redis/v9 v9.5.2 h1:L0L3fcSNReTRGyZ6AqAEN0K56wYeYAwapBIhkvh0f
 github.com/redis/go-redis/v9 v9.5.2/go.mod h1:hdY0cQFCN4fnSYT6TkisLufl/4W5UIXyv0b/CLO2V2M=
 github.com/replicatedhq/kotskinds v0.0.0-20240814191029-3f677ee409a0 h1:Gi+Fs6583v7GmgQKJyaZuBzcih0z5YXBREDQ8AWY2JM=
 github.com/replicatedhq/kotskinds v0.0.0-20240814191029-3f677ee409a0/go.mod h1:QjhIUu3+OmHZ09u09j3FCoTt8F3BYtQglS+OLmftu9I=
-github.com/replicatedhq/troubleshoot v0.108.1 h1:Yri05zhzIZRrbSYWsvCWjpcp8KzNj2GfrfQRLnZH9UU=
-github.com/replicatedhq/troubleshoot v0.108.1/go.mod h1:mxf8uoKpyFhaYfR3NV1iPwztBf8XWP0B/JpxamZ1UJY=
+github.com/replicatedhq/troubleshoot v0.109.0 h1:lw81hf/lD9/YPj+VOyGdDnw7FSCJkignPQYLVpjnl2k=
+github.com/replicatedhq/troubleshoot v0.109.0/go.mod h1:mxf8uoKpyFhaYfR3NV1iPwztBf8XWP0B/JpxamZ1UJY=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=

pkg/addons/adminconsole/static/metadata.yaml

@@ -5,26 +5,26 @@
 # $ make buildtools
 # $ output/bin/buildtools update addon <addon name>
 #
-version: 1.120.3
+version: 1.121.0
 location: oci://proxy.replicated.com/anonymous/registry.replicated.com/library/admin-console
 images:
     kotsadm:
         repo: proxy.replicated.com/anonymous/kotsadm/kotsadm
         tag:
-            amd64: v1.120.3-amd64@sha256:884cbaf8213c16bfe2ef12f628f5477a4a75252270282b6451081cd841c5723f
-            arm64: v1.120.3-arm64@sha256:3d11d7d14bd4305c3fcf64f5a8a52eb1e27fa0bf461232bd63c275c05666487a
+            amd64: v1.121.0-amd64@sha256:d13e5ee489b067c02d571c49a8ef505a31313ac27bb93c4393e53a3a2c971ba1
+            arm64: v1.121.0-arm64@sha256:f9e33c73b5dc950feccd1253d10450d8a3feec1b0cf01a97ed941025bdee905b
     kotsadm-migrations:
         repo: proxy.replicated.com/anonymous/kotsadm/kotsadm-migrations
         tag:
-            amd64: v1.120.3-amd64@sha256:c56582c4487b829537bfefb40f57addd0da472c5d919066e585879f99b82e377
-            arm64: v1.120.3-arm64@sha256:693354624b06d10c37710bf533543948f78659c2771a0fc75a4b03eb2ee37829
+            amd64: v1.121.0-amd64@sha256:f18ad85c8e35af5ac5668bda45b8c5d3fcb03d5edb9d8adc6ea7431d50d0ce93
+            arm64: v1.121.0-arm64@sha256:3a50f6638ac2686da3714486989d525d9e79b0e9dd2bef31c4065f8aecd17edf
     kurl-proxy:
         repo: proxy.replicated.com/anonymous/kotsadm/kurl-proxy
         tag:
-            amd64: v1.120.3-amd64@sha256:9dae75b4c5ba933d2f8ce7206101b9858e4ab0da0b9534f6f9742458a7dd3f04
-            arm64: v1.120.3-arm64@sha256:13dd2a2e4474f75c56f041ea8366983802407b225e991469a8e91b7d716113de
+            amd64: v1.121.0-amd64@sha256:07103fe556beda8e7a92f188fb3fb4cb865d8637292d3df754b698eec2d3c95c
+            arm64: v1.121.0-arm64@sha256:4c3ab0805f2e8c95d7ff526e80f9a93656461bd7d03ec74f8a757fa3097dd677
     rqlite:
         repo: proxy.replicated.com/anonymous/kotsadm/rqlite
         tag:
-            amd64: 8.32.7-r0-amd64@sha256:2c3e36a6b146311d2cfa6b6d72f3882a8af9ac4b3aaa9f1df3169760db5c02c7
-            arm64: 8.32.7-r0-arm64@sha256:a2df1c987aefdaab8e42797623eb27e2c1e707c55c42a29e60a43e71dfd5bdf3
+            amd64: 8.34.0-r0-amd64@sha256:3bcc7027c0dc12bf1bc15740b1b3b0c9a12c0ba54127130ad18cedd158c2eba9
+            arm64: 8.34.0-r0-arm64@sha256:401f8e82872ce1abe4f1aaa2e655f987a3a5f47504043de798620bc93ef7ed3a

pkg/addons/openebs/static/metadata.yaml

@@ -11,15 +11,15 @@ images:
     kubectl:
         repo: proxy.replicated.com/anonymous/replicated/ec-kubectl
         tag:
-            amd64: 1.31.2-r1-amd64@sha256:a0c7ac02a487c11b7d059da8de2265049449b9e2ebc5feac86532289b7c1fa76
-            arm64: 1.31.2-r1-arm64@sha256:8e30ee747ae996f40114632f65e4d3810eae56f632f72d22a4bf903a3ddd5742
+            amd64: 1.31.2-r1-amd64@sha256:ff86169e548c201461e584486c75736bc537fa67bf69eda6abb61fe07c510feb
+            arm64: 1.31.2-r1-arm64@sha256:11b83dbfde7f9b2d51206bf6616c558889086dc2326c29a306a5d9a8d1032848
     openebs-linux-utils:
         repo: proxy.replicated.com/anonymous/replicated/ec-openebs-linux-utils
         tag:
-            amd64: 4.1.1-amd64@sha256:7d9a5141295411688da70fc226be8f7ead1190c91e214fa5f1e4c0b5c2baaa74
-            arm64: 4.1.1-arm64@sha256:d882aa74433c582650b21cabf361660de6ef11601ed57400aa1ac7fb2f727eee
+            amd64: 4.1.1-amd64@sha256:01fb0149627bbe5af78541ff477542314b6e17e1b82cff79047a062de89d2d16
+            arm64: 4.1.1-arm64@sha256:be1d3a6b9cf3be529ccb8687670311b5db9a312e553d930b034941c85b26e107
     openebs-provisioner-localpv:
         repo: proxy.replicated.com/anonymous/replicated/ec-openebs-provisioner-localpv
         tag:
-            amd64: 4.1.1-r1-amd64@sha256:d9644f94daf42a28216a3b632d4cbf44b7e7e6fbfcea8ff7a0de5c611efe6ba2
-            arm64: 4.1.1-r1-arm64@sha256:31b8cc13e7c0f0bf1131ce34b1c9cdf45e9a4de1ae0eabfde03a9b5e986556d6
+            amd64: 4.1.1-r1-amd64@sha256:1388244c8ae9e1415f6225fbcf6d16ab7bfd862085ea070517af1820316bef13
+            arm64: 4.1.1-r1-arm64@sha256:a682a555b768c425d1ed8ddab70f7ebf43ae87a85b2e87d696e9d71667e65242

pkg/addons/seaweedfs/static/metadata.yaml

@@ -11,5 +11,5 @@ images:
     seaweedfs:
         repo: proxy.replicated.com/anonymous/replicated/ec-seaweedfs
         tag:
-            amd64: 3.79-r0-amd64@sha256:c0d881636d0532601ef40b4721811043ff3b7bda8d1fce3baf2242cbdd404438
-            arm64: 3.79-r0-arm64@sha256:b8ce77bd7df62d100fbb4d46c21fe76f5b1b9fae6c15f9ce80b419ad3d2b6ae1
+            amd64: 3.79-r0-amd64@sha256:35ab43061501726c1f585ddac5c58e648816c3506a2198d07d6f4cf755a99b38
+            arm64: 3.79-r0-arm64@sha256:067a93a25fad6c84ae82fee5e7b300dec728dcb36fe96241084bead2b793eead

pkg/addons/velero/static/metadata.yaml

@@ -11,13 +11,13 @@ images:
     kubectl:
         repo: proxy.replicated.com/anonymous/replicated/ec-kubectl
         tag:
-            amd64: 1.31.2-r1-amd64@sha256:a0c7ac02a487c11b7d059da8de2265049449b9e2ebc5feac86532289b7c1fa76
-            arm64: 1.31.2-r1-arm64@sha256:8e30ee747ae996f40114632f65e4d3810eae56f632f72d22a4bf903a3ddd5742
+            amd64: 1.31.2-r1-amd64@sha256:ff86169e548c201461e584486c75736bc537fa67bf69eda6abb61fe07c510feb
+            arm64: 1.31.2-r1-arm64@sha256:11b83dbfde7f9b2d51206bf6616c558889086dc2326c29a306a5d9a8d1032848
     velero:
         repo: proxy.replicated.com/anonymous/replicated/ec-velero
         tag:
-            amd64: 1.14.1-r1-amd64@sha256:52521e708a61c24fca30bd928cdf0f49e8201aca6cb48ad23f23a725bdafa495
-            arm64: 1.14.1-r1-arm64@sha256:e8e75a4304fa06f43dce3aaa0d34df8fbbaed413eca1d39453859f8fedc876f9
+            amd64: 1.14.1-r1-amd64@sha256:622683d49fef78b93db433d06cf7d9d8ff6ecfe5a463fcc0fed63ff2aabb9b06
+            arm64: 1.14.1-r1-arm64@sha256:2f8e8d968bd9e19d23816b6f4e1a35aa85f920d3f0e8dcdeb971b46b6657ec4e
     velero-plugin-for-aws:
         repo: proxy.replicated.com/anonymous/replicated/ec-velero-plugin-for-aws
         tag:

pkg/cmd/install.go

@@ -773,14 +773,20 @@ func installCommand() *cli.Command {
 			if channelRelease, err := release.GetChannelRelease(); err != nil {
 				return fmt.Errorf("unable to read channel release data: %w", err)
 			} else if channelRelease != nil && channelRelease.Airgap && c.String("airgap-bundle") == "" && !c.Bool("no-prompt") {
-				logrus.Infof("You downloaded an air gap bundle but are performing an online installation.")
+				logrus.Warnf("You downloaded an air gap bundle but are performing an online installation.")
 				logrus.Infof("To do an air gap installation, pass the air gap bundle with --airgap-bundle.")
 				if !prompts.New().Confirm("Do you want to proceed with an online installation?", false) {
 					return ErrNothingElseToAdd
 				}
 			}
 
 			metrics.ReportApplyStarted(c)
+
+			logrus.Debugf("configuring sysctl")
+			if err := configutils.ConfigureSysctl(provider); err != nil {
+				return fmt.Errorf("unable to configure sysctl: %w", err)
+			}
+
 			logrus.Debugf("configuring network manager")
 			if err := configureNetworkManager(c, provider); err != nil {
 				return fmt.Errorf("unable to configure network manager: %w", err)

pkg/cmd/join.go

@@ -224,7 +224,10 @@ var joinCommand = &cli.Command{
 			return fmt.Errorf("failed to check proxy config for local IP: %w", err)
 		}
 		if !proxyOK {
-			return fmt.Errorf("no-proxy config %q does not allow access to local IP %q", jcmd.InstallationSpec.Proxy.NoProxy, localIP)
+			logrus.Errorf("This node's IP address %s is not included in the no-proxy list (%s).", localIP, jcmd.InstallationSpec.Proxy.NoProxy)
+			logrus.Infof(`The no-proxy list cannot easily be modified after initial installation.`)
+			logrus.Infof(`Recreate the first node and pass all node IP addresses to --no-proxy.`)
+			return ErrNothingElseToAdd
 		}
 
 		isAirgap := c.String("airgap-bundle") != ""
@@ -249,6 +252,11 @@ var joinCommand = &cli.Command{
 			return err
 		}
 
+		logrus.Debugf("configuring sysctl")
+		if err := configutils.ConfigureSysctl(provider); err != nil {
+			return fmt.Errorf("unable to configure sysctl: %w", err)
+		}
+
 		// jcmd.InstallationSpec.MetricsBaseURL is the replicated.app endpoint url
 		replicatedAPIURL := jcmd.InstallationSpec.MetricsBaseURL
 		proxyRegistryURL := fmt.Sprintf("https://%s", defaults.ProxyRegistryAddress)

pkg/cmd/preflights.go

@@ -6,6 +6,7 @@ import (
 	"strings"
 
 	ecv1beta1 "github.com/replicatedhq/embedded-cluster/kinds/apis/v1beta1"
+	"github.com/replicatedhq/embedded-cluster/pkg/configutils"
 	"github.com/replicatedhq/embedded-cluster/pkg/defaults"
 	"github.com/replicatedhq/embedded-cluster/pkg/versions"
 	"github.com/sirupsen/logrus"
@@ -79,6 +80,10 @@ func installRunPreflightsCommand() *cli.Command {
 				return err
 			}
 
+			if err := configutils.ConfigureSysctl(provider); err != nil {
+				return err
+			}
+
 			applier, err := getAddonsApplier(c, runtimeConfig, "", proxy)
 			if err != nil {
 				return err
@@ -170,6 +175,10 @@ var joinRunPreflightsCommand = &cli.Command{
 			return err
 		}
 
+		if err := configutils.ConfigureSysctl(provider); err != nil {
+			return err
+		}
+
 		applier, err := getAddonsApplier(c, jcmd.InstallationSpec.RuntimeConfig, "", jcmd.InstallationSpec.Proxy)
 		if err != nil {
 			return err

pkg/cmd/reset.go

@@ -501,6 +501,10 @@ func resetCommand() *cli.Command {
 				return fmt.Errorf("failed to remove embedded cluster data config: %w", err)
 			}
 
+			if err := helpers.RemoveAll("/etc/sysctl.d/99-embedded-cluster.conf"); err != nil {
+				return fmt.Errorf("failed to remove embedded cluster sysctl config: %w", err)
+			}
+
 			if _, err := helpers.RunCommand("reboot"); err != nil {
 				return err
 			}

pkg/cmd/restore.go

@@ -969,6 +969,11 @@ func restoreCommand() *cli.Command {
 				}
 			}
 
+			logrus.Debugf("configuring sysctl")
+			if err := configutils.ConfigureSysctl(provider); err != nil {
+				return fmt.Errorf("unable to configure sysctl: %w", err)
+			}
+
 			proxy, err := getProxySpecFromFlags(c)
 			if err != nil {
 				return fmt.Errorf("unable to get proxy spec from flags: %w", err)

pkg/configutils/runtime.go

@@ -3,14 +3,22 @@ package configutils
 import (
 	"fmt"
 	"os"
+	"os/exec"
 	"path/filepath"
 
 	"github.com/replicatedhq/embedded-cluster/kinds/apis/v1beta1"
 	"github.com/replicatedhq/embedded-cluster/pkg/defaults"
+	"github.com/replicatedhq/embedded-cluster/pkg/goods"
 	"github.com/replicatedhq/embedded-cluster/pkg/helpers"
+	"github.com/sirupsen/logrus"
 	"sigs.k8s.io/yaml"
 )
 
+// sysctlConfigPath is the path to the sysctl config file that is used to configure
+// the embedded cluster. This could have been a constant but we want to be able to
+// override it for testing purposes.
+var sysctlConfigPath = "/etc/sysctl.d/99-embedded-cluster.conf"
+
 func WriteRuntimeConfig(spec *v1beta1.RuntimeConfigSpec) error {
 	if spec == nil {
 		return nil
@@ -57,3 +65,24 @@ func ReadRuntimeConfig() (*v1beta1.RuntimeConfigSpec, error) {
 
 	return &spec, nil
 }
+
+// ConfigureSysctl writes the sysctl config file for the embedded cluster and
+// reloads the sysctl configuration. This function has a distinct behavior: if
+// the sysctl binary does not exist it returns an error but if it fails to lay
+// down the sysctl config on disk it simply returns nil.
+func ConfigureSysctl(provider *defaults.Provider) error {
+	if _, err := exec.LookPath("sysctl"); err != nil {
+		return fmt.Errorf("unable to find sysctl binary: %w", err)
+	}
+
+	materializer := goods.NewMaterializer(provider)
+	if err := materializer.SysctlConfig(sysctlConfigPath); err != nil {
+		logrus.Debugf("unable to materialize sysctl config: %v", err)
+		return nil
+	}
+
+	if _, err := helpers.RunCommand("sysctl", "--system"); err != nil {
+		logrus.Debugf("unable to configure sysctl: %v", err)
+	}
+	return nil
+}

pkg/configutils/runtime_test.go

@@ -0,0 +1,41 @@
+package configutils
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/replicatedhq/embedded-cluster/pkg/defaults"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestConfigureSysctl(t *testing.T) {
+	basedir, err := os.MkdirTemp("", "embedded-cluster-test-base-dir")
+	assert.NoError(t, err)
+	defer os.RemoveAll(basedir)
+
+	orig := sysctlConfigPath
+	defer func() {
+		sysctlConfigPath = orig
+	}()
+
+	provider := defaults.NewProvider(basedir)
+
+	// happy path.
+	dstdir, err := os.MkdirTemp("", "embedded-cluster-test")
+	assert.NoError(t, err)
+	defer os.RemoveAll(dstdir)
+
+	sysctlConfigPath = filepath.Join(dstdir, "sysctl.conf")
+	err = ConfigureSysctl(provider)
+	assert.NoError(t, err)
+
+	// check that the file exists.
+	_, err = os.Stat(sysctlConfigPath)
+	assert.NoError(t, err)
+
+	// now use a non-existing directory.
+	sysctlConfigPath = filepath.Join(dstdir, "non-existing-dir", "sysctl.conf")
+	// we do not expect an error here.
+	assert.NoError(t, err)
+}

pkg/goods/goods.go

@@ -20,6 +20,8 @@ var (
 	systemdfs embed.FS
 	//go:embed internal/bins/*
 	internalBinfs embed.FS
+	//go:embed static/*
+	staticfs embed.FS
 )
 
 // K0sBinarySHA256 returns the SHA256 checksum of the embedded k0s binary.

pkg/goods/materializer.go

@@ -76,6 +76,18 @@ func (m *Materializer) CalicoNetworkManagerConfig() error {
 	return nil
 }
 
+// SysctlConfig writes the embedded sysctl config to the /etc/sysctl.d directory.
+func (m *Materializer) SysctlConfig(dstpath string) error {
+	content, err := staticfs.ReadFile("static/99-embedded-cluster.conf")
+	if err != nil {
+		return fmt.Errorf("unable to open embedded sysctl config file: %w", err)
+	}
+	if err := os.WriteFile(dstpath, content, 0644); err != nil {
+		return fmt.Errorf("unable to write file: %w", err)
+	}
+	return nil
+}
+
 // Materialize writes to disk all embedded assets.
 func (m *Materializer) Materialize() error {
 	if err := m.Binaries(); err != nil {

pkg/goods/materializer_test.go

@@ -0,0 +1,34 @@
+package goods
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestMaterializer_SysctlConfig(t *testing.T) {
+	m := NewMaterializer(nil)
+
+	// happy path.
+	dstdir, err := os.MkdirTemp("", "embedded-cluster-test")
+	assert.NoError(t, err)
+	defer os.RemoveAll(dstdir)
+
+	dstpath := filepath.Join(dstdir, "sysctl.conf")
+	err = m.SysctlConfig(dstpath)
+	assert.NoError(t, err)
+
+	expected, err := os.ReadFile(dstpath)
+	assert.NoError(t, err)
+
+	content, err := staticfs.ReadFile("static/99-embedded-cluster.conf")
+	assert.NoError(t, err)
+	assert.Equal(t, string(expected), string(content))
+
+	// write to a non-existent directory.
+	dstpath = filepath.Join(dstdir, "dir-does-not-exist", "sysctl.conf")
+	err = m.SysctlConfig(dstpath)
+	assert.Contains(t, err.Error(), "no such file or directory")
+}

pkg/goods/static/99-embedded-cluster.conf

@@ -0,0 +1,11 @@
+# this entry enables ip forwarding. this feature is necessary as embedded
+# cluster creates virtual network interfaces and need the traffic among them to
+# be forwarded.
+net.ipv4.ip_forward = 1
+
+# arp filter and ignore need to be disabled otherwise we can't have arp
+# resolving across the calico network interfaces.
+net.ipv4.conf.default.arp_filter = 0
+net.ipv4.conf.default.arp_ignore = 0
+net.ipv4.conf.all.arp_filter = 0
+net.ipv4.conf.all.arp_ignore = 0