hogweed1/k8s
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

add kfk
Some checks failed
continuous-integration/drone/push Build is failing
Details

Browse Source
This commit is contained in:
Simple_Not
2023-12-06 12:57:14 +10:00
parent 278324f8c7
commit 29ee425ddf
83 changed files with 9 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
check-charts/racnher/.helmignore Normal file
View File

@@ -0,0 +1 @@
tests

16
check-charts/racnher/Chart.yaml Normal file
View File

@@ -0,0 +1,16 @@
apiVersion: v2
appVersion: v2.8.0-rc1
description: Install Rancher Server to manage Kubernetes clusters across providers.
home: https://rancher.com
icon: https://github.com/rancher/ui/blob/master/public/assets/images/logos/welcome-cow.svg
keywords:
- rancher
kubeVersion: < 1.29.0-0
maintainers:
- email: charts@rancher.com
name: Rancher Labs
name: rancher
sources:
- https://github.com/rancher/rancher
- https://github.com/rancher/server-chart
version: 2.8.0-rc1

208
check-charts/racnher/README.md Normal file
View File

@@ -0,0 +1,208 @@
By installing this application, you accept the [End User License Agreement & Terms & Conditions](https://www.suse.com/licensing/eula/).
# Rancher
***Rancher*** is open source software that combines everything an organization needs to adopt and run containers in production. Built on Kubernetes, Rancher makes it easy for DevOps teams to test, deploy and manage their applications.
### Introduction
This chart bootstraps a [Rancher Server](https://ranchermanager.docs.rancher.com/pages-for-subheaders/install-upgrade-on-a-kubernetes-cluster) on a Kubernetes cluster using the [Helm](https://helm.sh/) package manager. For a Rancher Supported Deployment please follow our [HA install instructions](https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/kubernetes-cluster-setup/high-availability-installs).
### Prerequisites Details
*For installations covered under [Rancher Support SLA](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions) the target cluster must be **[RKE1](https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/kubernetes-cluster-setup/rke1-for-rancher)**, **[RKE2](https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/kubernetes-cluster-setup/rke2-for-rancher)**, **[K3s](https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/kubernetes-cluster-setup/k3s-for-rancher)**, **[AKS](https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-on-aks)**, **[EKS](https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-on-amazon-eks)**, or **[GKE](https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-on-gke)**.*
Make sure the node(s) for the Rancher server fulfill the following requirements:
[Operating Systems and Container Runtime Requirements](https://ranchermanager.docs.rancher.com/pages-for-subheaders/installation-requirements#operating-systems-and-container-runtime-requirements)
[Hardware Requirements](https://ranchermanager.docs.rancher.com/pages-for-subheaders/installation-requirements#hardware-requirements)
- [CPU and Memory](https://ranchermanager.docs.rancher.com/pages-for-subheaders/installation-requirements#cpu-and-memory)
- [Ingress](https://ranchermanager.docs.rancher.com/pages-for-subheaders/installation-requirements#ingress)
- [Disks](https://ranchermanager.docs.rancher.com/pages-for-subheaders/installation-requirements#disks)
[Networking Requirements](https://ranchermanager.docs.rancher.com/pages-for-subheaders/installation-requirements#networking-requirements)
- [Node IP Addresses](https://ranchermanager.docs.rancher.com/pages-for-subheaders/installation-requirements#node-ip-addresses)
- [Port Requirements](https://ranchermanager.docs.rancher.com/pages-for-subheaders/installation-requirements#port-requirements)
[Install the Required CLI Tools](https://ranchermanager.docs.rancher.com/pages-for-subheaders/cli-with-rancher)
- [kubectl](https://ranchermanager.docs.rancher.com/reference-guides/cli-with-rancher/kubectl-utility) - Kubernetes command-line tool.
- [helm](https://docs.helm.sh/using_helm/#installing-helm) - Package management for Kubernetes. Refer to the [Helm version requirements](https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/resources/helm-version-requirements) to choose a version of Helm to install Rancher.
For a list of best practices that we recommend for running the Rancher server in production, refer to the [best practices section](https://ranchermanager.docs.rancher.com/pages-for-subheaders/best-practices).
## Installing Rancher
For production environments, we recommend installing Rancher in a [high-availability Kubernetes installation](https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/kubernetes-cluster-setup/high-availability-installs) so that your user base can always access Rancher Server. When installed in a Kubernetes cluster, Rancher will integrate with the clusters etcd database and take advantage of Kubernetes scheduling for high-availability.
Optional: Installing Rancher on a [Single-node](https://ranchermanager.docs.rancher.com/pages-for-subheaders/rancher-on-a-single-node-with-docker) Kubernetes Cluster
#### Add the Helm Chart Repository
Use [helm repo add](https://helm.sh/docs/helm/helm_repo_add/) command to add the Helm chart repository that contains charts to install Rancher. For more information about the repository choices and which is best for your use case, see Choosing a Version of Rancher.
```bash
helm repo add rancher-latest https://releases.rancher.com/server-charts/latest
```
#### Create a Namespace for Rancher
Well need to define a Kubernetes namespace where the resources created by the Chart should be installed. This should always be cattle-system:
```bash
kubectl create namespace cattle-system
```
#### Choose your SSL Configuration
The Rancher management server is designed to be secure by default and requires SSL/TLS configuration.
There are three recommended options for the source of the certificate used for TLS termination at the Rancher server:
- [Rancher-generated TLS certificate](https://ranchermanager.docs.rancher.com/pages-for-subheaders/install-upgrade-on-a-kubernetes-cluster#3-choose-your-ssl-configuration)
- [Lets Encrypt](https://ranchermanager.docs.rancher.com/pages-for-subheaders/install-upgrade-on-a-kubernetes-cluster#3-choose-your-ssl-configuration)
- [Bring your own certificate](https://ranchermanager.docs.rancher.com/pages-for-subheaders/install-upgrade-on-a-kubernetes-cluster#3-choose-your-ssl-configuration)
#### Install cert-manager
This step is only required to use certificates issued by Ranchers generated CA **`(ingress.tls.source=rancher)`** or to request Lets Encrypt issued certificates **`(ingress.tls.source=letsEncrypt)`**.
[These instructions are adapted from the official cert-manager documentation.](https://ranchermanager.docs.rancher.com/pages-for-subheaders/install-upgrade-on-a-kubernetes-cluster#4-install-cert-manager)
#### Install Rancher with Helm and Your Chosen Certificate Option
- [Rancher to generated certificates](https://ranchermanager.docs.rancher.com/pages-for-subheaders/install-upgrade-on-a-kubernetes-cluster#5-install-rancher-with-helm-and-your-chosen-certificate-option)
```bash
helm install rancher rancher-latest/rancher \
--namespace cattle-system \
--set hostname=rancher.my.org
```
- [Lets Encrypt](https://ranchermanager.docs.rancher.com/pages-for-subheaders/install-upgrade-on-a-kubernetes-cluster#5-install-rancher-with-helm-and-your-chosen-certificate-option)
```bash
helm install rancher rancher-latest/rancher \
--namespace cattle-system \
--set hostname=rancher.my.org \
--set ingress.tls.source=letsEncrypt \
--set letsEncrypt.email=me@example.org
```
- [Certificates from Files](https://ranchermanager.docs.rancher.com/pages-for-subheaders/install-upgrade-on-a-kubernetes-cluster#5-install-rancher-with-helm-and-your-chosen-certificate-option)
```bash
helm install rancher rancher-latest/rancher \
--namespace cattle-system \
--set hostname=rancher.my.org \
--set ingress.tls.source=secret
```
*If you are using a Private CA signed certificate , add **--set privateCA=true** to the command:`*
```bash
helm install rancher rancher-latest/rancher \
--namespace cattle-system \
--set hostname=rancher.my.org \
--set ingress.tls.source=secret \
--set privateCA=true
```
#### Verify that the Rancher Server is Successfully Deployed
After adding the secrets, check if Rancher was rolled out successfully:
```bash
kubectl -n cattle-system rollout status deploy/rancher
Waiting for deployment "rancher" rollout to finish: 0 of 3 updated replicas are available...
deployment "rancher" successfully rolled out
```
If you see the following **`error: error: deployment "rancher" exceeded its progress deadline`**, you can check the status of the deployment by running the following command:
```bash
kubectl -n cattle-system get deploy rancher
NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
rancher 3 3 3 3 3m
```
It should show the same count for **`DESIRED`** and **`AVAILABLE`**.
#### Save Your Options
Make sure you save the **`--set`** options you used. You will need to use the same options when you upgrade Rancher to new versions with Helm.
#### Finishing Up
Thats it. You should have a functional Rancher server.
In a web browser, go to the DNS name that forwards traffic to your load balancer. Then you should be greeted by the colorful login page.
Doesnt work? Take a look at the [Troubleshooting Page](https://ranchermanager.docs.rancher.com/troubleshooting/general-troubleshooting)
***All of these instructions are defined in detailed in the [Rancher Documentation](https://ranchermanager.docs.rancher.com/pages-for-subheaders/install-upgrade-on-a-kubernetes-cluster#install-the-rancher-helm-chart).***
### Helm Chart Options for Kubernetes Installations
The full [Helm Chart Options](https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/installation-references/helm-chart-options) can be found here.
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
#### Common Options
| Parameter | Default Value | Description |
| ------------------------- | ------------- | -------------------------------------------------------------------------------------------- |
| `hostname` | " " | ***string*** - the Fully Qualified Domain Name for your Rancher Server |
| `ingress.tls.source` | "rancher" | ***string*** - Where to get the cert for the ingress. - "***rancher, letsEncrypt, secret***" |
| `letsEncrypt.email` | " " | ***string*** - Your email address |
| `letsEncrypt.environment` | "production" | ***string*** - Valid options: "***staging, production***" |
| `privateCA` | false | ***bool*** - Set to true if your cert is signed by a private CA |
#### Advanced Options
| Parameter | Default Value | Description |
| ---------------------------------------- | ------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `additionalTrustedCAs` | false | ***bool*** - [See Additional Trusted CAs Server](https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/installation-references/helm-chart-options#additional-trusted-cas) |
| `addLocal` | "true" | ***string*** - As of Rancher v2.5.0 this flag is deprecated and must be set to "true" |
| `antiAffinity` | "preferred" | ***string*** - AntiAffinity rule for Rancher pods - *"preferred, required"* |
| `replicas` | 3 | ***int*** - Number of replicas of Rancher pods |
| `auditLog.destination` | "sidecar" | ***string*** - Stream to sidecar container console or hostPath volume - *"sidecar, hostPath"* |
| `auditLog.hostPath` | "/var/log/rancher/audit" | ***string*** - log file destination on host (only applies when **auditLog.destination** is set to **hostPath**) |
| `auditLog.level` | 0 | ***int*** - set the [API Audit Log level](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-api-audit-log#audit-log-levels). 0 is off. [0-3] |
| `auditLog.maxAge` | 1 | ***int*** - maximum number of days to retain old audit log files (only applies when **auditLog.destination** is set to **hostPath**) |
| `auditLog.maxBackup` | 1 | int - maximum number of audit log files to retain (only applies when **auditLog.destination** is set to **hostPath**) |
| `auditLog.maxSize` | 100 | ***int*** - maximum size in megabytes of the audit log file before it gets rotated (only applies when **auditLog.destination** is set to **hostPath**) |
| `auditLog.image.repository` | "rancher/mirrored-bci-micro" | ***string*** - Location for the image used to collect audit logs *Note: Available as of v2.7.0* |
| `auditLog.image.tag` | "15.4.14.3" | ***string*** - Tag for the image used to collect audit logs *Note: Available as of v2.7.0* |
| `auditLog.image.pullPolicy` | "IfNotPresent" | ***string*** - Override imagePullPolicy for auditLog images - *"Always", "Never", "IfNotPresent"* *Note: Available as of v2.7.0* |
| `busyboxImage` | "" | ***string*** - *Deprecated `auditlog.image.repository` should be used to control auditing sidecar image.* Image location for busybox image used to collect audit logs *Note: Available as of v2.2.0, and Deprecated as of v2.7.0* |
| `busyboxImagePullPolicy` | "IfNotPresent" | ***string*** - - *Deprecated `auditlog.image.pullPolicy` should be used to control auditing sidecar image.* Override imagePullPolicy for busybox images - *"Always", "Never", "IfNotPresent"* *Deprecated as of v2.7.0* |
| `debug` | false | ***bool*** - set debug flag on rancher server |
| `certmanager.version` | " " | ***string*** - set cert-manager compatibility |
| `extraEnv` | [] | ***list*** - set additional environment variables for Rancher Note: *Available as of v2.2.0* |
| `imagePullSecrets` | [] | ***list*** - list of names of Secret resource containing private registry credentials |
| `ingress.enabled` | true | ***bool*** - install ingress resource |
| `ingress.ingressClassName` | " " | ***string*** - class name of ingress if not set manually or by the ingress controller's defaults |
| `ingress.includeDefaultExtraAnnotations` | true | ***bool*** - Add default nginx annotations |
| `ingress.extraAnnotations` | {} | ***map*** - additional annotations to customize the ingress |
| `ingress.configurationSnippet` | " " | ***string*** - Add additional Nginx configuration. Can be used for proxy configuration. Note: *Available as of v2.0.15, v2.1.10 and v2.2.4* |
| `service.annotations` | {} | ***map*** - annotations to customize the service |
| `service.type` | " " | ***string*** - Override the type used for the service - *"NodePort", "LoadBalancer", "ClusterIP"* |
| `letsEncrypt.ingress.class` | " " | ***string*** - optional ingress class for the cert-manager acmesolver ingress that responds to the Lets *Encrypt ACME challenges* |
| `proxy` | " " | ***string** - HTTP[S] proxy server for Rancher |
| `noProxy` | "127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.svc,.cluster.local" | ***string*** - comma separated list of hostnames or ip address not to use the proxy |
| `resources` | {} | ***map*** - rancher pod resource requests & limits |
| `rancherImage` | "rancher/rancher" | ***string*** - rancher image source |
| `rancherImageTag` | same as chart version | ***string*** - rancher/rancher image tag |
| `rancherImagePullPolicy` | "IfNotPresent" | ***string*** - Override imagePullPolicy for rancher server images - *"Always", "Never", "IfNotPresent"* |
| `tls` | "ingress" | ***string*** - See External TLS Termination for details. - *"ingress, external"* |
| `systemDefaultRegistry` | "" | ***string*** - private registry to be used for all system Docker images, e.g., [http://registry.example.com/] *Available as of v2.3.0* |
| `useBundledSystemChart` | false | ***bool*** - select to use the system-charts packaged with Rancher server. This option is used for air gapped installations. *Available as of v2.3.0* |
| `customLogos.enabled` | false | ***bool*** - Enabled [Ember Rancher UI (cluster manager) custom logos](https://github.com/rancher/ui/tree/master/public/assets/images/logos) and [Vue Rancher UI (cluster explorer) custom logos](https://github.com/rancher/dashboard/tree/master/shell/assets/images/pl) persistence volume |
| `customLogos.volumeSubpaths.emberUi` | "ember" | ***string*** - Volume subpath for [Ember Rancher UI (cluster manager) custom logos](https://github.com/rancher/ui/tree/master/public/assets/images/logos) persistence |
| `customLogos.volumeSubpaths.vueUi` | "vue" | ***string*** - Volume subpath for [Vue Rancher UI (cluster explorer) custom logos](https://github.com/rancher/dashboard/tree/master/shell/assets/images/pl) persistence |
| `customLogos.volumeName` | "" | ***string*** - Use an existing volume. Custom logos should be copied to the proper `volume/subpath` folder by the user. Optional for persistentVolumeClaim, required for configMap |
| `customLogos.storageClass` | "" | ***string*** - Set custom logos persistentVolumeClaim storage class. Required for dynamic pv |
| `customLogos.accessMode` | "ReadWriteOnce" | ***string*** - Set custom persistentVolumeClaim access mode |
| `customLogos.size` | "1Gi" | ***string*** - Set custom persistentVolumeClaim size |

94
check-charts/racnher/scripts/post-delete-hook.sh Normal file
View File

@@ -0,0 +1,94 @@
#!/bin/bash
set -e
namespaces="${NAMESPACES}"
rancher_namespace="${RANCHER_NAMESPACE}"
timeout="${TIMEOUT}"
ignoreTimeoutError="${IGNORETIMEOUTERROR}"
if [[ -z ${namespaces} ]]; then
echo "No namespace is provided."
exit 1
fi
if [[ -z ${rancher_namespace} ]]; then
echo "No rancher namespace is provided."
exit 1
fi
if [[ -z ${timeout} ]]; then
echo "No timeout value is provided."
exit 1
fi
if [[ -z ${ignoreTimeoutError} ]]; then
echo "No ignoreTimeoutError value is provided."
exit 1
fi
succeeded=()
failed=()
get_pod_count() {
kubectl get pods --selector app="${1}" -n "${2}" -o json | jq '.items | length'
}
echo "Uninstalling Rancher resources in the following namespaces: ${namespaces}"
for namespace in ${namespaces}; do
for app in $(helm list -n "${namespace}" -q); do
if [[ ${app} =~ .crd$ ]]; then
echo "--- Skip the app [${app}] in the namespace [${namespace}]"
continue
fi
echo "--- Deleting the app [${app}] in the namespace [${namespace}]"
if [[ ! $(helm uninstall "${app}" -n "${namespace}") ]]; then
failed=("${failed[@]}" "${app}")
continue
fi
t=0
while true; do
if [[ $(get_pod_count "${app}" "${namespace}") -eq 0 ]]; then
echo "successfully uninstalled [${app}] in the namespace [${namespace}]"
succeeded=("${succeeded[@]}" "${app}")
break
fi
if [[ ${t} -ge ${timeout} ]]; then
echo "timeout uninstalling [${app}] in the namespace [${namespace}]"
failed=("${failed[@]}" "${app}")
break
fi
# by default, wait 120 seconds in total for an app to be uninstalled
echo "waiting 5 seconds for pods of [${app}] to be terminated ..."
sleep 5
t=$((t + 5))
done
done
# delete the helm operator pods
for pod in $(kubectl get pods -n "${namespace}" -o name); do
if [[ ${pod} =~ ^pod\/helm-operation-* ]]; then
echo "--- Deleting the pod [${pod}] in the namespace [${namespace}]"
kubectl delete "${pod}" -n "${namespace}"
fi
done
done
echo "Removing Rancher bootstrap secret in the following namespace: ${rancher_namespace}"
kubectl --ignore-not-found=true delete secret bootstrap-secret -n "${rancher_namespace}"
echo "------ Summary ------"
if [[ ${#succeeded[@]} -ne 0 ]]; then
echo "Succeeded to uninstall the following apps:" "${succeeded[@]}"
fi
if [[ ${#failed[@]} -ne 0 ]]; then
echo "Failed to uninstall the following apps:" "${failed[@]}"
if [[ "${ignoreTimeoutError}" == "false" ]]; then
exit 2
fi
else
echo "Cleanup finished successfully."
fi

22
check-charts/racnher/templates/NOTES.txt Normal file
View File

@@ -0,0 +1,22 @@
Rancher Server has been installed.
NOTE: Rancher may take several minutes to fully initialize. Please standby while Certificates are being issued, Containers are started and the Ingress rule comes up.
Check out our docs at https://rancher.com/docs/
If you provided your own bootstrap password during installation, browse to https://{{ .Values.hostname }} to get started.
If this is the first time you installed Rancher, get started by running this command and clicking the URL it generates:
```
echo https://{{ .Values.hostname }}/dashboard/?setup=$(kubectl get secret --namespace cattle-system bootstrap-secret -o go-template='{{ "{{" }}.data.bootstrapPassword|base64decode{{ "}}" }}')
```
To get just the bootstrap password on its own, run:
```
kubectl get secret --namespace cattle-system bootstrap-secret -o go-template='{{ "{{" }}.data.bootstrapPassword|base64decode{{ "}}" }}{{ "{{" }} "\n" {{ "}}" }}'
```
Happy Containering!

101
check-charts/racnher/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,101 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "rancher.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "rancher.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{/*
Create a default fully qualified chart name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "rancher.chartname" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | trunc 63 | trimSuffix "-" -}}
{{- end -}}
# Render Values in configurationSnippet
{{- define "configurationSnippet" -}}
{{- tpl (.Values.ingress.configurationSnippet) . | nindent 6 -}}
{{- end -}}
{{/*
Generate the labels.
*/}}
{{- define "rancher.labels" -}}
app: {{ template "rancher.fullname" . }}
chart: {{ template "rancher.chartname" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
{{- end }}
# Windows Support
{{/*
Windows cluster will add default taint for linux nodes,
add below linux tolerations to workloads could be scheduled to those linux nodes
*/}}
{{- define "linux-node-tolerations" -}}
- key: "cattle.io/os"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
{{- end -}}
{{- define "linux-node-selector-terms" -}}
{{- $key := "kubernetes.io/os" -}}
- matchExpressions:
- key: {{ $key }}
operator: NotIn
values:
- windows
{{- end -}}
{{- define "system_default_registry" -}}
{{- if .Values.systemDefaultRegistry -}}
{{- if hasSuffix "/" .Values.systemDefaultRegistry -}}
{{- printf "%s" .Values.systemDefaultRegistry -}}
{{- else -}}
{{- printf "%s/" .Values.systemDefaultRegistry -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Define the chosen value for PSPs. If this value is "", then the user did not set the value. This will
result in psps on <=1.24 and no psps on >=1.25. If the value is true/false, then the user specifically
chose an option, and that option will be used. If it is set otherwise, then we fail so the user can correct
the invalid value.
*/}}
{{- define "rancher.chart_psp_enabled" -}}
{{- if kindIs "bool" .Values.global.cattle.psp.enabled -}}
{{ .Values.global.cattle.psp.enabled }}
{{- else if empty .Values.global.cattle.psp.enabled -}}
{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
{{- if (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") -}}
true
{{- else -}}
false
{{- end -}}
{{- else -}}
true
{{- end -}}
{{- else -}}
{{- fail "Invalid value for .Values.global.cattle.psp.enabled - must be a bool of true, false, or \"\"" -}}
{{- end -}}
{{- end -}}

14
check-charts/racnher/templates/clusterRoleBinding.yaml Normal file
View File

@@ -0,0 +1,14 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "rancher.fullname" . }}
labels:
{{ include "rancher.labels" . | indent 4 }}
subjects:
- kind: ServiceAccount
name: {{ template "rancher.fullname" . }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io

13
check-charts/racnher/templates/configMap.yaml Normal file
View File

@@ -0,0 +1,13 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: rancher-config
labels: {{ include "rancher.labels" . | nindent 4 }}
app.kubernetes.io/part-of: "rancher"
data:
priorityClassName: {{ .Values.priorityClassName }}
{{- if and .Values.webhook (kindIs "string" .Values.webhook) }}
rancher-webhook: {{ .Values.webhook | quote }}
{{- else if .Values.webhook }}
rancher-webhook: {{ toYaml .Values.webhook | quote }}
{{- end }}

253
check-charts/racnher/templates/deployment.yaml Normal file
View File

@@ -0,0 +1,253 @@
kind: Deployment
apiVersion: apps/v1
metadata:
name: {{ template "rancher.fullname" . }}
annotations:
{{- if (lt (int .Values.replicas) 0) }}
management.cattle.io/scale-available: "{{ sub 0 (int .Values.replicas)}}"
{{- end }}
labels:
{{ include "rancher.labels" . | indent 4 }}
spec:
{{- if (gt (int .Values.replicas) 0) }}
replicas: {{ .Values.replicas }}
{{- end }}
selector:
matchLabels:
app: {{ template "rancher.fullname" . }}
strategy:
rollingUpdate:
maxSurge: 1
{{- if (eq (int .Values.replicas) 1) }}
maxUnavailable: 0
{{- else }}
maxUnavailable: 1
{{- end }}
type: RollingUpdate
template:
metadata:
labels:
app: {{ template "rancher.fullname" . }}
release: {{ .Release.Name }}
spec:
priorityClassName: {{ .Values.priorityClassName }}
serviceAccountName: {{ template "rancher.fullname" . }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.imagePullSecrets | indent 6 }}
{{- end }}
affinity:
podAntiAffinity:
{{- if eq .Values.antiAffinity "required" }}
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- {{ template "rancher.fullname" . }}
topologyKey: {{ .Values.topologyKey | default "kubernetes.io/hostname" }}
{{- else }}
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- {{ template "rancher.fullname" . }}
topologyKey: {{ .Values.topologyKey | default "kubernetes.io/hostname" }}
{{- end }}
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms: {{ include "linux-node-selector-terms" . | nindent 14 }}
tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
containers:
- image: {{ .Values.rancherImage }}:{{ default .Chart.AppVersion .Values.rancherImageTag }}
imagePullPolicy: {{ default "IfNotPresent" .Values.rancherImagePullPolicy }}
name: {{ template "rancher.name" . }}
ports:
- containerPort: 80
protocol: TCP
{{- if (and .Values.hostPort (gt (int .Values.hostPort) 0)) }}
- containerPort: 444
hostPort: {{ int .Values.hostPort }}
protocol: TCP
{{- end}}
args:
{{- if .Values.debug }}
- "--debug"
{{- end }}
{{- if .Values.privateCA }}
# Private CA - don't clear ca certs
{{- else if and (eq .Values.tls "ingress") (eq .Values.ingress.tls.source "rancher") }}
# Rancher self-signed - don't clear ca certs
{{- else }}
# Public trusted CA - clear ca certs
- "--no-cacerts"
{{- end }}
- "--http-listen-port=80"
- "--https-listen-port=443"
- "--add-local={{ .Values.addLocal }}"
env:
- name: CATTLE_NAMESPACE
value: {{ .Release.Namespace }}
- name: CATTLE_PEER_SERVICE
value: {{ template "rancher.fullname" . }}
{{- if .Values.features }}
- name: CATTLE_FEATURES
value: "{{ .Values.features }}"
{{- end}}
{{- if .Values.noDefaultAdmin }}
- name: CATTLE_NO_DEFAULT_ADMIN
value: "{{ .Values.noDefaultAdmin }}"
{{- end}}
{{- if gt (int .Values.auditLog.level) 0 }}
- name: AUDIT_LEVEL
value: {{ .Values.auditLog.level | quote }}
- name: AUDIT_LOG_MAXAGE
value: {{ .Values.auditLog.maxAge | quote }}
- name: AUDIT_LOG_MAXBACKUP
value: {{ .Values.auditLog.maxBackup | quote }}
- name: AUDIT_LOG_MAXSIZE
value: {{ .Values.auditLog.maxSize | quote }}
{{- end }}
{{- if .Values.proxy }}
- name: HTTP_PROXY
value: {{ .Values.proxy }}
- name: HTTPS_PROXY
value: {{ .Values.proxy }}
- name: NO_PROXY
value: {{ .Values.noProxy }}
{{- end }}
{{- if .Values.systemDefaultRegistry }}
- name: CATTLE_SYSTEM_DEFAULT_REGISTRY
value: {{ .Values.systemDefaultRegistry }}
{{- end }}
{{- if .Values.useBundledSystemChart }}
- name: CATTLE_SYSTEM_CATALOG
value: bundled
{{- end }}
{{- if .Values.restrictedAdmin }}
- name: CATTLE_RESTRICTED_DEFAULT_ADMIN
value: "true"
{{- end}}
{{- if .Values.bootstrapPassword }}
- name: CATTLE_BOOTSTRAP_PASSWORD
valueFrom:
secretKeyRef:
name: "bootstrap-secret"
key: "bootstrapPassword"
{{- end }}
{{- if .Values.extraEnv }}
{{ toYaml .Values.extraEnv | indent 8}}
{{- end }}
livenessProbe:
httpGet:
path: /healthz
port: 80
initialDelaySeconds: {{.Values.livenessProbe.initialDelaySeconds | default 60 }}
periodSeconds: {{ .Values.livenessProbe.periodSeconds | default 30 }}
readinessProbe:
httpGet:
path: /healthz
port: 80
initialDelaySeconds: {{.Values.readinessProbe.initialDelaySeconds | default 5}}
periodSeconds: {{ .Values.readinessProbe.periodSeconds | default 30}}
{{- if .Values.startupProbe }}
startupProbe:
httpGet:
path: /healthz
port: 80
failureThreshold: {{.Values.startupProbe.failureThreshold | default 1}}
periodSeconds: {{ .Values.startupProbe.periodSeconds | default 30}}
{{- end }}
resources:
{{ toYaml .Values.resources | indent 10 }}
volumeMounts:
{{- if .Values.additionalTrustedCAs }}
- mountPath: /etc/pki/trust/anchors/ca-additional.pem
name: tls-ca-additional-volume
subPath: ca-additional.pem
readOnly: true
- mountPath: /etc/rancher/ssl/ca-additional.pem
name: tls-ca-additional-volume
subPath: ca-additional.pem
readOnly: true
{{- end }}
{{- if .Values.privateCA }}
# Pass CA cert into rancher for private CA
- mountPath: /etc/rancher/ssl/cacerts.pem
name: tls-ca-volume
subPath: cacerts.pem
readOnly: true
{{- end }}
{{- if and .Values.customLogos.enabled (or (eq .Values.customLogos.volumeKind "persistentVolumeClaim") (and (eq .Values.customLogos.volumeKind "configMap") (.Values.customLogos.volumeName))) }}
# Mount rancher custom-logos volume
- mountPath: /usr/share/rancher/ui/assets/images/logos
name: custom-logos
subPath: {{ .Values.customLogos.volumeSubpaths.emberUi | default "ember" | quote }}
- mountPath: /usr/share/rancher/ui-dashboard/dashboard/_nuxt/assets/images/pl
name: custom-logos
subPath: {{ .Values.customLogos.volumeSubpaths.vueUi | default "vue" | quote }}
{{- end }}
{{- if gt (int .Values.auditLog.level) 0 }}
- mountPath: /var/log/auditlog
name: audit-log
{{- end }}
{{- if eq .Values.auditLog.destination "sidecar" }}
{{- if gt (int .Values.auditLog.level) 0 }}
# Make audit logs available for Rancher log collector tools.
{{- if .Values.busyboxImage }}
- image: {{ .Values.busyboxImage}}
{{- else }}
- image: {{ .Values.auditLog.image.repository }}:{{.Values.auditLog.image.tag}}
{{- end }}
{{- if .Values.busyboxImagePullPolicy }}
imagePullPolicy: {{ .Values.busyboxImagePullPolicy }}
{{- else }}
imagePullPolicy: {{ .Values.auditLog.image.pullPolicy }}
{{- end }}
name: {{ template "rancher.name" . }}-audit-log
command: ["tail"]
args: ["-F", "/var/log/auditlog/rancher-api-audit.log"]
volumeMounts:
- mountPath: /var/log/auditlog
name: audit-log
{{- end }}
{{- end }}
volumes:
{{- if .Values.additionalTrustedCAs }}
- name: tls-ca-additional-volume
secret:
defaultMode: 0400
secretName: tls-ca-additional
{{- end }}
{{- if .Values.privateCA }}
- name: tls-ca-volume
secret:
defaultMode: 0400
secretName: tls-ca
{{- end }}
{{- if gt (int .Values.auditLog.level) 0 }}
{{- if eq .Values.auditLog.destination "hostPath" }}
- name: audit-log
hostPath:
path: {{ .Values.auditLog.hostPath }}
type: DirectoryOrCreate
{{- else }}
- name: audit-log
emptyDir: {}
{{- end }}
{{- end }}
{{- if and .Values.customLogos.enabled (or (eq .Values.customLogos.volumeKind "persistentVolumeClaim") (and (eq .Values.customLogos.volumeKind "configMap") (.Values.customLogos.volumeName))) }}
- name: custom-logos
{{- if (eq .Values.customLogos.volumeKind "persistentVolumeClaim") }}
persistentVolumeClaim:
claimName: {{ .Values.customLogos.volumeName | default (printf "%s-custom-logos" (include "rancher.fullname" .)) }}
{{- else if (eq .Values.customLogos.volumeKind "configMap") }}
configMap:
name: {{ .Values.customLogos.volumeName }}
{{- end }}
{{- end }}

66
check-charts/racnher/templates/ingress.yaml Normal file
View File

@@ -0,0 +1,66 @@
{{- if .Values.ingress.enabled }}
{{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (not (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress")) }}
apiVersion: networking.k8s.io/v1
{{- else }}
apiVersion: networking.k8s.io/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ template "rancher.fullname" . }}
labels:
{{ include "rancher.labels" . | indent 4 }}
annotations:
{{- if .Values.ingress.configurationSnippet }}
nginx.ingress.kubernetes.io/configuration-snippet: |
{{- template "configurationSnippet" . }}
{{- end }}
{{- if eq .Values.tls "external" }}
nginx.ingress.kubernetes.io/ssl-redirect: "false" # turn off ssl redirect for external.
{{- else }}
{{- if ne .Values.ingress.tls.source "secret" }}
{{- $certmanagerVer := split "." .Values.certmanager.version -}}
{{- if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (lt (int $certmanagerVer._1) 11)) }}
certmanager.k8s.io/issuer: {{ template "rancher.fullname" . }}
{{- else }}
cert-manager.io/issuer: {{ template "rancher.fullname" . }}
cert-manager.io/issuer-kind: Issuer
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.ingress.includeDefaultExtraAnnotations }}
nginx.ingress.kubernetes.io/proxy-connect-timeout: "30"
nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
{{- end }}
{{- if .Values.ingress.extraAnnotations }}
{{ toYaml .Values.ingress.extraAnnotations | indent 4 }}
{{- end }}
spec:
{{- if .Values.ingress.ingressClassName }}
ingressClassName: {{ .Values.ingress.ingressClassName }}
{{- end }}
rules:
- host: {{ .Values.hostname }} # hostname to access rancher server
http:
paths:
- backend:
{{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (not (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress")) }}
service:
name: {{ template "rancher.fullname" . }}
port:
number: {{ .Values.ingress.servicePort }}
{{- else }}
serviceName: {{ template "rancher.fullname" . }}
servicePort: {{ .Values.ingress.servicePort }}
{{- end }}
{{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (not (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress")) }}
pathType: ImplementationSpecific
path: "/"
{{- end }}
{{- if eq .Values.tls "ingress" }}
tls:
- hosts:
- {{ .Values.hostname }}
secretName: {{ .Values.ingress.tls.secretName }}
{{- end }}
{{- end }}

37
check-charts/racnher/templates/issuer-letsEncrypt.yaml Normal file
View File

@@ -0,0 +1,37 @@
{{- if eq .Values.tls "ingress" -}}
{{- if eq .Values.ingress.tls.source "letsEncrypt" -}}
{{- $certmanagerVer := split "." .Values.certmanager.version -}}
{{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1beta1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 16)) }}
apiVersion: cert-manager.io/v1beta1
{{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 11)) }}
apiVersion: cert-manager.io/v1alpha2
{{- else if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (lt (int $certmanagerVer._1) 11)) }}
apiVersion: certmanager.k8s.io/v1alpha1
{{- else }}
apiVersion: cert-manager.io/v1
{{- end }}
kind: Issuer
metadata:
name: {{ template "rancher.fullname" . }}
labels:
{{ include "rancher.labels" . | indent 4 }}
spec:
acme:
{{- if eq .Values.letsEncrypt.environment "production" }}
server: https://acme-v02.api.letsencrypt.org/directory
{{- else }}
server: https://acme-staging-v02.api.letsencrypt.org/directory
{{- end }}
email: {{ .Values.letsEncrypt.email }}
privateKeySecretRef:
name: letsencrypt-{{ .Values.letsEncrypt.environment }}
{{- if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (lt (int $certmanagerVer._1) 11)) }}
http01: {}
{{- else }}
solvers:
- http01:
ingress:
class: {{ .Values.letsEncrypt.ingress.class }}
{{- end }}
{{- end -}}
{{- end -}}

22
check-charts/racnher/templates/issuer-rancher.yaml Normal file
View File

@@ -0,0 +1,22 @@
{{- if eq .Values.tls "ingress" -}}
{{- if eq .Values.ingress.tls.source "rancher" -}}
{{- $certmanagerVer := split "." .Values.certmanager.version -}}
{{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1beta1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 16)) }}
apiVersion: cert-manager.io/v1beta1
{{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 11)) }}
apiVersion: cert-manager.io/v1alpha2
{{- else if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (lt (int $certmanagerVer._1) 11)) }}
apiVersion: certmanager.k8s.io/v1alpha1
{{- else }}
apiVersion: cert-manager.io/v1
{{- end }}
kind: Issuer
metadata:
name: {{ template "rancher.fullname" . }}
labels:
{{ include "rancher.labels" . | indent 4 }}
spec:
ca:
secretName: tls-rancher
{{- end -}}
{{- end -}}

19
check-charts/racnher/templates/post-delete-hook-cluster-role-binding.yaml Normal file
View File

@@ -0,0 +1,19 @@
{{- if .Values.postDelete.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "rancher.fullname" . }}-post-delete
labels: {{ include "rancher.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-delete
"helm.sh/hook-weight": "2"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "rancher.fullname" . }}-post-delete
subjects:
- kind: ServiceAccount
name: {{ template "rancher.fullname" . }}-post-delete
namespace: {{ .Release.Namespace }}
{{- end }}

47
check-charts/racnher/templates/post-delete-hook-cluster-role.yaml Normal file
View File

@@ -0,0 +1,47 @@
{{- if .Values.postDelete.enabled }}
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "rancher.fullname" . }}-post-delete
labels: {{ include "rancher.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-delete
"helm.sh/hook-weight": "1"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
rules:
- apiGroups: [ "extensions","apps" ]
resources: [ "deployments" ]
verbs: [ "get", "list", "delete" ]
- apiGroups: [ "batch" ]
resources: [ "jobs" ]
verbs: [ "get", "list", "watch", "delete", "create" ]
- apiGroups: [ "rbac.authorization.k8s.io" ]
resources: [ "clusterroles", "clusterrolebindings", "roles", "rolebindings" ]
verbs: [ "get", "list", "delete", "create" ]
- apiGroups: [ "" ]
resources: [ "pods", "secrets", "services", "configmaps" ]
verbs: [ "get", "list", "delete" ]
- apiGroups: [ "" ]
resources: [ "serviceaccounts" ]
verbs: [ "get", "list", "delete", "create" ]
- apiGroups: [ "networking.k8s.io" ]
resources: [ "networkpolicies" ]
verbs: [ "get", "list", "delete" ]
- apiGroups: [ "admissionregistration.k8s.io" ]
resources: [ "validatingwebhookconfigurations", "mutatingwebhookconfigurations" ]
verbs: [ "get", "list", "delete" ]
- apiGroups: [ "policy" ]
resources: [ "podsecuritypolicies" ]
verbs: ["delete", "create" ]
{{- if eq (include "rancher.chart_psp_enabled" . ) "true" }}
- apiGroups: [ "policy" ]
resources: [ "podsecuritypolicies" ]
verbs: [ "use"]
{{- end }}
- apiGroups: [ "networking.k8s.io" ]
resources: [ "ingresses" ]
verbs: [ "delete" ]
- apiGroups: [ "cert-manager.io" ]
resources: [ "issuers" ]
verbs: [ "delete" ]
{{- end }}

15
check-charts/racnher/templates/post-delete-hook-config-map.yaml Normal file
View File

@@ -0,0 +1,15 @@
{{- if .Values.postDelete.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "rancher.fullname" . }}-post-delete
namespace: {{ .Release.Namespace }}
labels: {{ include "rancher.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-delete
"helm.sh/hook-weight": "1"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
data:
post-delete-hook.sh: |-
{{ $.Files.Get "scripts/post-delete-hook.sh" | indent 4 }}
{{- end }}

46
check-charts/racnher/templates/post-delete-hook-job.yaml Normal file
View File

@@ -0,0 +1,46 @@
{{- if .Values.postDelete.enabled }}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "rancher.fullname" . }}-post-delete
namespace: {{ .Release.Namespace }}
labels: {{ include "rancher.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-delete
"helm.sh/hook-weight": "3"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
backoffLimit: 3
template:
metadata:
name: {{ template "rancher.fullname" . }}-post-delete
labels: {{ include "rancher.labels" . | nindent 8 }}
spec:
serviceAccountName: {{ template "rancher.fullname" . }}-post-delete
restartPolicy: OnFailure
containers:
- name: {{ template "rancher.name" . }}-post-delete
image: "{{ include "system_default_registry" . }}{{ .Values.postDelete.image.repository }}:{{ .Values.postDelete.image.tag }}"
imagePullPolicy: IfNotPresent
securityContext:
runAsUser: 0
command:
- /scripts/post-delete-hook.sh
volumeMounts:
- mountPath: /scripts
name: config-volume
env:
- name: NAMESPACES
value: {{ .Values.postDelete.namespaceList | join " " | quote }}
- name: RANCHER_NAMESPACE
value: {{ .Release.Namespace }}
- name: TIMEOUT
value: {{ .Values.postDelete.timeout | quote }}
- name: IGNORETIMEOUTERROR
value: {{ .Values.postDelete.ignoreTimeoutError | quote }}
volumes:
- name: config-volume
configMap:
name: {{ template "rancher.fullname" . }}-post-delete
defaultMode: 0777
{{- end }}

34
check-charts/racnher/templates/post-delete-hook-psp.yaml Normal file
View File

@@ -0,0 +1,34 @@
{{- if eq (include "rancher.chart_psp_enabled" . ) "true" -}}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ include "rancher.fullname" . }}-post-delete
labels: {{ include "rancher.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-delete
"helm.sh/hook-weight": "1"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
spec:
privileged: false
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: false
volumes:
- 'secret'
- 'configMap'
{{- end }}

12
check-charts/racnher/templates/post-delete-hook-service-account.yaml Normal file
View File

@@ -0,0 +1,12 @@
{{- if .Values.postDelete.enabled }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "rancher.fullname" . }}-post-delete
namespace: {{ .Release.Namespace }}
labels: {{ include "rancher.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-delete
"helm.sh/hook-weight": "1"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
{{- end }}

8
check-charts/racnher/templates/priorityClass.yaml Normal file
View File

@@ -0,0 +1,8 @@
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
name: rancher-critical
labels: {{ include "rancher.labels" . | nindent 4 }}
value: 1000000000
globalDefault: false
description: "Priority class used by pods critical to rancher's functionality."

19
check-charts/racnher/templates/pvc.yaml Normal file
View File

@@ -0,0 +1,19 @@
{{- if and (.Values.customLogos.enabled) (eq .Values.customLogos.volumeKind "persistentVolumeClaim") (not .Values.customLogos.volumeName) }}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ template "rancher.fullname" . }}-custom-logos
spec:
accessModes:
- {{ .Values.customLogos.accessMode | quote }}
resources:
requests:
storage: {{ .Values.customLogos.size | quote }}
storageClassName: {{ if .Values.customLogos.storageClass }}
{{- if (eq "-" .Values.customLogos.storageClass) -}}
""
{{- else }}
{{- .Values.customLogos.storageClass }}
{{- end -}}
{{- end }}
{{- end }}

25
check-charts/racnher/templates/secret.yaml Normal file
View File

@@ -0,0 +1,25 @@
{{/* Use the bootstrap password from values.yaml if an existing secret is not found */}}
{{- $bootstrapPassword := .Values.bootstrapPassword -}}
{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace "bootstrap-secret" -}}
{{- if $existingSecret -}}
{{- if $existingSecret.data -}}
{{- if $existingSecret.data.bootstrapPassword -}}
{{- $bootstrapPassword = $existingSecret.data.bootstrapPassword | b64dec -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/* If a bootstrap password was found in the values or an existing password was found create the secret */}}
{{- if $bootstrapPassword }}
apiVersion: v1
kind: Secret
metadata:
name: "bootstrap-secret"
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "-5"
"helm.sh/resource-policy": keep
type: Opaque
data:
bootstrapPassword: {{ $bootstrapPassword | b64enc | quote }}
{{- end }}

28
check-charts/racnher/templates/service.yaml Normal file
View File

@@ -0,0 +1,28 @@
apiVersion: v1
kind: Service
metadata:
{{- if .Values.service.annotations }}
annotations:
{{ toYaml .Values.service.annotations | indent 4 }}
{{- end }}
name: {{ template "rancher.fullname" . }}
labels:
{{ include "rancher.labels" . | indent 4 }}
spec:
{{- /*
If service.type is not provided this attribute is ommitted and k8s default of ClusterIP is used.
*/}}
{{- if .Values.service.type }}
type: {{ .Values.service.type }}
{{- end }}
ports:
- port: 80
targetPort: 80
protocol: TCP
name: http
- port: 443
targetPort: 444
protocol: TCP
name: https-internal
selector:
app: {{ template "rancher.fullname" . }}

6
check-charts/racnher/templates/serviceAccount.yaml Normal file
View File

@@ -0,0 +1,6 @@
kind: ServiceAccount
apiVersion: v1
metadata:
name: {{ template "rancher.fullname" . }}
labels:
{{ include "rancher.labels" . | indent 4 }}

192
check-charts/racnher/values.yaml Normal file
View File

@@ -0,0 +1,192 @@
# Additional Trusted CAs.
# Enable this flag and add your CA certs as a secret named tls-ca-additional in the namespace.
# See README.md for details.
additionalTrustedCAs: false
antiAffinity: preferred
topologyKey: kubernetes.io/hostname
# Audit Logs https://rancher.com/docs/rancher/v2.x/en/installation/api-auditing/
# The audit log is piped to the console of the rancher-audit-log container in the rancher pod.
# https://rancher.com/docs/rancher/v2.x/en/installation/api-auditing/
# destination stream to sidecar container console or hostPath volume
# level: Verbosity of logs, 0 to 3. 0 is off 3 is a lot.
auditLog:
destination: sidecar
hostPath: /var/log/rancher/audit/
level: 0
maxAge: 1
maxBackup: 1
maxSize: 100
# Image for collecting rancher audit logs.
# Important: update pkg/image/export/resolve.go when this default image is changed, so that it's reflected accordingly in rancher-images.txt generated for air-gapped setups.
image:
repository: "rancher/mirrored-bci-micro"
tag: 15.4.14.3
# Override imagePullPolicy image
# options: Always, Never, IfNotPresent
pullPolicy: "IfNotPresent"
# As of Rancher v2.5.0 this flag is deprecated and must be set to 'true' in order for Rancher to start
addLocal: "true"
# Add debug flag to Rancher server
debug: false
# When starting Rancher for the first time, bootstrap the admin as restricted-admin
restrictedAdmin: false
# Extra environment variables passed to the rancher pods.
# extraEnv:
# - name: CATTLE_TLS_MIN_VERSION
# value: "1.0"
# Fully qualified name to reach your Rancher server
# hostname: rancher.my.org
## Optional array of imagePullSecrets containing private registry credentials
## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
imagePullSecrets: []
# - name: secretName
config:
use-forwarded-headers: "true"
### ingress ###
# Readme for details and instruction on adding tls secrets.
ingress:
# If set to false, ingress will not be created
# Defaults to true
# options: true, false
enabled: false
includeDefaultExtraAnnotations: false
extraAnnotations: {}
ingressClassName: "cilium"
# backend port number
servicePort: 80
# configurationSnippet - Add additional Nginx configuration. This example statically sets a header on the ingress.
# configurationSnippet: |
# more_set_input_headers "X-Forwarded-Host: {{ .Values.hostname }}";
tls:
# options: rancher, letsEncrypt, secret
source: rancher
secretName: tls-rancher-ingress
### service ###
# Override to use NodePort or LoadBalancer service type - default is ClusterIP
service:
type: "LoadBalancer"
annotations: {}
targetPorts:
https: http
### LetsEncrypt config ###
# ProTip: The production environment only allows you to register a name 5 times a week.
# Use staging until you have your config right.
letsEncrypt:
# email: none@example.com
environment: production
ingress:
# options: traefik, nginx
class: ""
# If you are using certs signed by a private CA set to 'true' and set the 'tls-ca'
# in the 'rancher-system' namespace. See the README.md for details
privateCA: false
# http[s] proxy server passed into rancher server.
# proxy: http://<username>@<password>:<url>:<port>
# comma separated list of domains or ip addresses that will not use the proxy
noProxy: 127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.svc,.cluster.local
# Override rancher image location for Air Gap installs
rancherImage: rancher/rancher
# rancher/rancher image tag. https://hub.docker.com/r/rancher/rancher/tags/
# Defaults to .Chart.appVersion
# rancherImageTag: v2.0.7
# Override imagePullPolicy for rancher server images
# options: Always, Never, IfNotPresent
# Defaults to IfNotPresent
# rancherImagePullPolicy: <pullPolicy>
# Number of Rancher server replicas. Setting to negative number will dynamically between 0 and the abs(replicas) based on available nodes.
# of available nodes in the cluster
replicas: 3
# Set priorityClassName to avoid eviction
priorityClassName: rancher-critical
# Set pod resource requests/limits for Rancher.
resources: {}
#
# tls
# Where to offload the TLS/SSL encryption
# - ingress (default)
# - external
tls: external
systemDefaultRegistry: ""
# Set to use the packaged system charts
useBundledSystemChart: false
# Certmanager version compatibility
certmanager:
version: ""
# Rancher custom logos persistence
customLogos:
enabled: false
volumeSubpaths:
emberUi: "ember"
vueUi: "vue"
## Volume kind to use for persistence: persistentVolumeClaim, configMap
volumeKind: persistentVolumeClaim
## Use an existing volume. Custom logos should be copied to the volume by the user
# volumeName: custom-logos
## Just for volumeKind: persistentVolumeClaim
## To disables dynamic provisioning, set storageClass: "" or storageClass: "-"
# storageClass: "-"
accessMode: ReadWriteOnce
size: 1Gi
# Rancher post-delete hook
postDelete:
enabled: true
image:
repository: rancher/shell
tag: v0.1.21-rc1
namespaceList:
- cattle-fleet-system
- cattle-system
- rancher-operator-system
# Number of seconds to wait for an app to be uninstalled
timeout: 120
# by default, the job will fail if it fail to uninstall any of the apps
ignoreTimeoutError: false
# Set a bootstrap password. If leave empty, a random password will be generated.
bootstrapPassword: "admin2ch"
hostname: "rancher.guaranteedstruggle.host"
livenessProbe:
initialDelaySeconds: 60
periodSeconds: 30
readinessProbe:
initialDelaySeconds: 5
periodSeconds: 30
global:
cattle:
psp:
# will default to true on 1.24 and below, and false for 1.25 and above
# can be changed manually to true or false to bypass version checks and force that option
enabled: ""
# helm values to use when installing the rancher-webhook chart.
# helm values set here will override all other global values used when installing the webhook such as priorityClassName and systemRegistry settings.
webhook: ""