k3s: fix CNI networking, service PATH, and manifests directory

Several issues prevented k3s from starting and running pods in the
Yocto image:

k3s.service / k3s-agent.service:
- Add /opt/cni/bin and /usr/libexec/cni to PATH so k3s can find
  CNI plugin binaries (host-local, flannel, bridge, etc.)
- Create /run/flannel/subnet.env at startup if not present — k3s's
  embedded flannel controller expects this file for CNI configuration
- Add --disable-cloud-controller to server — the cloud controller
  manager is for cloud provider integration (AWS/GCP) and causes a
  timeout loop in standalone/QEMU environments

k3s_git.bb:
- Create /var/lib/rancher/k3s/server/manifests/ directory — k3s
  expects this at startup for auto-deploying system components
- Switch CNI config from cni-containerd-net.conf (containerd bridge
  with 10.88.0.0/16 subnet) to cni-flannel.conflist which matches
  k3s's flannel networking (10.42.0.0/16 via flannel plugin)

cni-flannel.conflist:
- New flannel CNI config that delegates to the flannel plugin with
  hairpin mode, forceAddress, and portmap capabilities

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>

4 files changed, 39 insertions, 3 deletions

diff --git a/recipes-containers/k3s/k3s/cni-flannel.conflist b/recipes-containers/k3s/k3s/cni-flannel.conflist
new file mode 100644
index 00000000..afa9afb0
--- /dev/null
+++ b/recipes-containers/k3s/k3s/cni-flannel.conflist
@@ -0,0 +1,20 @@
+{
+  "name": "cbr0",
+  "cniVersion": "1.0.0",
+  "plugins": [
+    {
+      "type": "flannel",
+      "delegate": {
+        "hairpinMode": true,
+        "forceAddress": true,
+        "isDefaultGateway": true
+      }
+    },
+    {
+      "type": "portmap",
+      "capabilities": {
+        "portMappings": true
+      }
+    }
+  ]
+}
diff --git a/recipes-containers/k3s/k3s/k3s-agent.service b/recipes-containers/k3s/k3s/k3s-agent.service
index 9f9016da..40d0564b 100644
--- a/recipes-containers/k3s/k3s/k3s-agent.service
+++ b/recipes-containers/k3s/k3s/k3s-agent.service
@@ -10,6 +10,8 @@ WantedBy=multi-user.target
 
 [Service]
 Type=notify
+# Ensure CNI plugin binaries are discoverable
+Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/cni/bin:/usr/libexec/cni
 KillMode=control-group
 Delegate=yes
 LimitNOFILE=infinity
@@ -21,6 +23,10 @@ Restart=always
 RestartSec=5s
 ExecStartPre=-/sbin/modprobe br_netfilter
 ExecStartPre=-/sbin/modprobe overlay
+# Create flannel subnet.env if not present — k3s's embedded flannel
+# controller populates this after joining, but the CNI plugin needs
+# the file to exist at sandbox creation time
+ExecStartPre=/bin/sh -c 'mkdir -p /run/flannel && test -f /run/flannel/subnet.env || echo "FLANNEL_NETWORK=10.42.0.0/16\nFLANNEL_SUBNET=10.42.0.1/24\nFLANNEL_MTU=1450\nFLANNEL_IPMASQ=true" > /run/flannel/subnet.env'
 ExecStart=/usr/local/bin/k3s agent
 ExecStopPost=/usr/local/bin/k3s-clean
 
diff --git a/recipes-containers/k3s/k3s/k3s.service b/recipes-containers/k3s/k3s/k3s.service
index 33d3ee74..42dc1832 100644
--- a/recipes-containers/k3s/k3s/k3s.service
+++ b/recipes-containers/k3s/k3s/k3s.service
@@ -15,6 +15,8 @@ Type=notify
 EnvironmentFile=-/etc/default/%N
 EnvironmentFile=-/etc/sysconfig/%N
 EnvironmentFile=-/etc/systemd/system/k3s.service.env
+# Ensure CNI plugin binaries are discoverable
+Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/cni/bin:/usr/libexec/cni
 KillMode=process
 Delegate=yes
 # Having non-zero Limit*s causes performance problems due to accounting overhead
@@ -29,7 +31,10 @@ RestartSec=5s
 ExecStartPre=/bin/sh -xc '! systemctl is-enabled --quiet nm-cloud-setup.service'
 ExecStartPre=-/sbin/modprobe br_netfilter
 ExecStartPre=-/sbin/modprobe overlay
-ExecStart=/usr/local/bin/k3s server
+# Create flannel subnet.env if not present — k3s's embedded flannel
+# controller expects this file for CNI plugin configuration
+ExecStartPre=/bin/sh -c 'mkdir -p /run/flannel && test -f /run/flannel/subnet.env || echo "FLANNEL_NETWORK=10.42.0.0/16\nFLANNEL_SUBNET=10.42.0.1/24\nFLANNEL_MTU=1450\nFLANNEL_IPMASQ=true" > /run/flannel/subnet.env'
+ExecStart=/usr/local/bin/k3s server --disable-cloud-controller
 # Avoid any delay due to this service when the system is rebooting or shutting
 # down by using the k3s-killall.sh script to kill all of the running k3s
 # services and containers
diff --git a/recipes-containers/k3s/k3s_git.bb b/recipes-containers/k3s/k3s_git.bb
index 4a747752..f478592f 100644
--- a/recipes-containers/k3s/k3s_git.bb
+++ b/recipes-containers/k3s/k3s_git.bb
@@ -9,7 +9,7 @@ SRC_URI = "git://github.com/rancher/k3s.git;branch=release-1.35;name=k3s;protoco
            file://k3s-agent.service \
            file://k3s-agent \
            file://k3s-clean \
-           file://cni-containerd-net.conf \
+           file://cni-flannel.conflist \
            file://k3s-killall.sh \
           "
 
@@ -19,7 +19,8 @@ SRCREV_k3s = "4841276da0cf9f6f3e323b6cc8b10da381331f98"
 SRCREV_FORMAT = "k3s_fuse"
 PV = "v1.35.2+k3s1+git"
 
-CNI_NETWORKING_FILES ?= "${UNPACKDIR}/cni-containerd-net.conf"
+# K3s uses flannel for CNI networking, not the containerd bridge config
+CNI_NETWORKING_FILES ?= "${UNPACKDIR}/cni-flannel.conflist"
 
 # Build tags - used by both do_compile and do_discover_modules
 TAGS = "static_build netcgo osusergo providerless"
@@ -116,6 +117,10 @@ do_install() {
 
         mkdir -p ${D}${datadir}/k3s/
         install -m 0755 ${S}/src/import/contrib/util/check-config.sh ${D}${datadir}/k3s/
+
+        # Create server manifests directory — k3s expects this at startup for
+        # auto-deploying system components (coredns, traefik, etc.)
+        install -d "${D}/var/lib/rancher/k3s/server/manifests"
 }
 
 PACKAGES =+ "${PN}-server ${PN}-agent"