[release-1.27] Backports for 2024-07 release cycle

Dockerfile.dapper

@@ -22,7 +22,7 @@ RUN apk -U --no-cache add \
 RUN PIPX_BIN_DIR=/usr/local/bin pipx install awscli
 
 # Install Trivy
-ENV TRIVY_VERSION="0.51.4"
+ENV TRIVY_VERSION="0.53.0"
 RUN case "$(go env GOARCH)" in \
  arm64) TRIVY_ARCH="ARM64" ;; \
  amd64) TRIVY_ARCH="64bit" ;; \

docs/adrs/etcd-s3-secret.md

@@ -0,0 +1,83 @@
+# Support etcd Snapshot Configuration via Kubernetes Secret
+
+Date: 2024-02-06
+Revised: 2024-06-10
+
+## Status
+
+Accepted
+
+## Context
+
+### Current State
+
+K3s currently reads configuration for S3 storage of etcd snapshots from CLI flags and/or configuration files.
+
+Security-conscious users have raised issue with the current state. They want to store snapshots on S3, but do not want
+to have credentials visible in config files or systemd units. Users operating in highly secure environments have also
+asked for the ability to configure a proxy server to be used when creating/restoring snapshots stored on S3, without
+managing complicated `NO_PROXY` settings or affecting the rest of the K3s process environment.
+
+### Security Considerations
+
+Storing credentials on-disk is generally considered a bad idea, and is not allowed by security practices in many
+organizations. Use of static credentials in the config file also makes them difficult to rotate, as K3s only reloads the
+configuration on startup.
+
+### Existing Work
+
+Cloud-providers and other tools that need to auth to external systems frequently can be configured to retrieve secrets
+from an existing credential secret that is provisioned via an external process, such as a secrets management tool. This
+avoids embedding the credentials directly in the system configuration, chart values, and so on.
+
+## Decision
+
+* We will add a `--etcd-s3-proxy` flag that can be used to set the proxy used by the S3 client. This will override the
+ settings that golang's default HTTP client reads from the `HTTP_PROXY/HTTPS_PROXY/NO_PROXY` environment varibles.
+* We will add support for reading etcd snapshot S3 configuration from a Secret. The secret name will be specified via a new
+ `--etcd-s3-config-secret` flag, which accepts the name of the Secret in the `kube-system` namespace.
+* Presence of the `--etcd-s3-config-secret` flag does not imply `--etcd-s3`. If S3 is not enabled by use of the `--etcd-s3` flag,
+ the Secret will not be used.
+* The Secret does not need to exist when K3s starts; it will be checked for every time a snapshot operation is performed.
+* Secret and CLI/config values will NOT be merged. The Secret will provide values to be used in absence of other
+ configuration; if S3 configuration is passed via CLI flags or configuration file, ALL fields set by the Secret
+ will be ignored.
+* The Secret will ONLY be used for on-demand and scheduled snapshot save operations; it will not be used by snapshot restore.
+ Snapshot restore operations that want to retrieve a snapshot from S3 will need to pass the appropriate configuration
+ via environment variables or CLI flags, as the Secret is not available during the restore process.
+
+Fields within the Secret will match `k3s server` CLI flags / config file keys. For the `etcd-s3-endpoint-ca`, which
+normally contains the path of a file on disk, the `etcd-s3-endpoint-ca` field can specify an inline PEM-encoded CA
+bundle, or the `etcd-s3-endpoint-ca-name` can be used to specify the name of a ConfigMap in the `kube-system` namespace
+containing one or more CA bundles. All valid CA bundles found in either field are loaded.
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+ name: k3s-etcd-snapshot-s3-config
+ namespace: kube-system
+stringData:
+ etcd-s3-endpoint: ""
+ etcd-s3-endpoint-ca: ""
+ etcd-s3-endpoint-ca-name: ""
+ etcd-s3-skip-ssl-verify: "false"
+ etcd-s3-access-key: "AWS_ACCESS_KEY_ID"
+ etcd-s3-secret-key: "AWS_SECRET_ACCESS_KEY"
+ etcd-s3-bucket: "bucket"
+ etcd-s3-folder: "folder"
+ etcd-s3-region: "us-east-1"
+ etcd-s3-insecure: "false"
+ etcd-s3-timeout: "5m"
+ etcd-s3-proxy: ""
+```
+
+## Consequences
+
+This will require additional documentation, tests, and QA work to validate use of secrets for s3 snapshot configuration.
+
+## Revisions
+
+#### 2024-06-10:
+* Changed flag to `etcd-s3-config-secret` to avoid confusion with `etcd-s3-secret-key`.
+* Added `etcd-s3-folder` to example Secret.

go.mod

@@ -117,7 +117,7 @@ require (
  github.com/joho/godotenv v1.5.1
  github.com/json-iterator/go v1.1.12
  github.com/k3s-io/helm-controller v0.15.10
- github.com/k3s-io/kine v0.11.9
+ github.com/k3s-io/kine v0.11.11
  github.com/klauspost/compress v1.17.7
  github.com/kubernetes-sigs/cri-tools v0.0.0-00010101000000-000000000000
  github.com/lib/pq v1.10.2
@@ -136,8 +136,8 @@ require (
  github.com/rancher/dynamiclistener v0.3.6
  github.com/rancher/lasso v0.0.0-20230830164424-d684fdeb6f29
  github.com/rancher/permissions v0.0.0-20240523180510-4001d3d637f7
- github.com/rancher/remotedialer v0.3.0
- github.com/rancher/wharfie v0.5.3
+ github.com/rancher/remotedialer v0.4.1
+ github.com/rancher/wharfie v0.6.4
  github.com/rancher/wrangler v1.1.1
  github.com/robfig/cron/v3 v3.0.1
  github.com/rootless-containers/rootlesskit v1.0.1
@@ -149,11 +149,9 @@ require (
  github.com/vishvananda/netlink v1.2.1-beta.2
  github.com/yl2chen/cidranger v1.0.2
  go.etcd.io/etcd/api/v3 v3.5.13
- go.etcd.io/etcd/client/pkg/v3 v3.5.13
  go.etcd.io/etcd/client/v3 v3.5.13
- go.etcd.io/etcd/etcdutl/v3 v3.5.9
+ go.etcd.io/etcd/etcdutl/v3 v3.5.13
  go.etcd.io/etcd/server/v3 v3.5.13
- go.uber.org/zap v1.27.0
  golang.org/x/crypto v0.23.0
  golang.org/x/net v0.25.0
  golang.org/x/sync v0.7.0
@@ -235,9 +233,9 @@ require (
  github.com/containernetworking/cni v1.1.2 // indirect
  github.com/containernetworking/plugins v1.4.1 // indirect
  github.com/containers/ocicrypt v1.1.10 // indirect
- github.com/coreos/go-oidc v2.1.0+incompatible // indirect
- github.com/coreos/go-semver v0.3.0 // indirect
- github.com/cpuguy83/go-md2man/v2 v2.0.3 // indirect
+ github.com/coreos/go-oidc v2.2.1+incompatible // indirect
+ github.com/coreos/go-semver v0.3.1 // indirect
+ github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
  github.com/cyphar/filepath-securejoin v0.2.4 // indirect
  github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
  github.com/daviddengcn/go-colortext v1.0.0 // indirect
@@ -300,7 +298,7 @@ require (
  github.com/hashicorp/errwrap v1.1.0 // indirect
  github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
  github.com/hashicorp/go-multierror v1.1.1 // indirect
- github.com/hashicorp/go-retryablehttp v0.7.4 // indirect
+ github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
  github.com/hashicorp/go-version v1.6.0 // indirect
  github.com/hashicorp/golang-lru v0.5.4 // indirect
  github.com/hashicorp/golang-lru/arc/v2 v2.0.5 // indirect
@@ -434,15 +432,16 @@ require (
  github.com/tchap/go-patricia/v2 v2.3.1 // indirect
  github.com/tidwall/btree v1.6.0 // indirect
  github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 // indirect
- github.com/urfave/cli/v2 v2.23.5 // indirect
+ github.com/urfave/cli/v2 v2.27.2 // indirect
  github.com/vbatts/tar-split v0.11.5 // indirect
  github.com/vishvananda/netns v0.0.4 // indirect
  github.com/vmware/govmomi v0.30.6 // indirect
  github.com/whyrusleeping/go-keyspace v0.0.0-20160322163242-5b898ac5add1 // indirect
  github.com/xiang90/probing v0.0.0-20221125231312-a49e3df8f510 // indirect
  github.com/xlab/treeprint v1.1.0 // indirect
- github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
+ github.com/xrash/smetrics v0.0.0-20240312152122-5f08fbb34913 // indirect
  go.etcd.io/bbolt v1.3.9 // indirect
+ go.etcd.io/etcd/client/pkg/v3 v3.5.13 // indirect
  go.etcd.io/etcd/client/v2 v2.305.13 // indirect
  go.etcd.io/etcd/pkg/v3 v3.5.13 // indirect
  go.etcd.io/etcd/raft/v3 v3.5.13 // indirect
@@ -464,6 +463,7 @@ require (
  go.uber.org/fx v1.20.1 // indirect
  go.uber.org/mock v0.4.0 // indirect
  go.uber.org/multierr v1.11.0 // indirect
+ go.uber.org/zap v1.27.0 // indirect
  golang.org/x/exp v0.0.0-20240222234643-814bf88cf225 // indirect
  golang.org/x/mod v0.15.0 // indirect
  golang.org/x/oauth2 v0.17.0 // indirect