add kfk
Some checks failed
continuous-integration/drone/push Build is failing

Simple_Not
2023-12-06 12:57:14 +10:00
parent 278324f8c7
commit 29ee425ddf
83 changed files with 9 additions and 3 deletions


@@ -0,0 +1,22 @@
Rancher Server has been installed.
NOTE: Rancher may take several minutes to fully initialize. Please standby while Certificates are being issued, Containers are started and the Ingress rule comes up.
Check out our docs at https://rancher.com/docs/
If you provided your own bootstrap password during installation, browse to https://{{ .Values.hostname }} to get started.
If this is the first time you installed Rancher, get started by running this command and clicking the URL it generates:
```
echo https://{{ .Values.hostname }}/dashboard/?setup=$(kubectl get secret --namespace cattle-system bootstrap-secret -o go-template='{{ "{{" }}.data.bootstrapPassword|base64decode{{ "}}" }}')
```
To get just the bootstrap password on its own, run:
```
kubectl get secret --namespace cattle-system bootstrap-secret -o go-template='{{ "{{" }}.data.bootstrapPassword|base64decode{{ "}}" }}{{ "{{" }} "\n" {{ "}}" }}'
```
Happy Containering!


@@ -0,0 +1,101 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "rancher.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "rancher.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{/*
Create a default fully qualified chart name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "rancher.chartname" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | trunc 63 | trimSuffix "-" -}}
{{- end -}}
# Render Values in configurationSnippet
{{- define "configurationSnippet" -}}
{{- tpl (.Values.ingress.configurationSnippet) . | nindent 6 -}}
{{- end -}}
{{/*
Generate the labels.
*/}}
{{- define "rancher.labels" -}}
app: {{ template "rancher.fullname" . }}
chart: {{ template "rancher.chartname" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
{{- end }}
# Windows Support
{{/*
Windows cluster will add default taint for linux nodes,
add below linux tolerations to workloads could be scheduled to those linux nodes
*/}}
{{- define "linux-node-tolerations" -}}
- key: "cattle.io/os"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
{{- end -}}
{{- define "linux-node-selector-terms" -}}
{{- $key := "kubernetes.io/os" -}}
- matchExpressions:
- key: {{ $key }}
operator: NotIn
values:
- windows
{{- end -}}
{{- define "system_default_registry" -}}
{{- if .Values.systemDefaultRegistry -}}
{{- if hasSuffix "/" .Values.systemDefaultRegistry -}}
{{- printf "%s" .Values.systemDefaultRegistry -}}
{{- else -}}
{{- printf "%s/" .Values.systemDefaultRegistry -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Define the chosen value for PSPs. If this value is "", then the user did not set the value. This will
result in psps on <=1.24 and no psps on >=1.25. If the value is true/false, then the user specifically
chose an option, and that option will be used. If it is set otherwise, then we fail so the user can correct
the invalid value.
*/}}
{{- define "rancher.chart_psp_enabled" -}}
{{- if kindIs "bool" .Values.global.cattle.psp.enabled -}}
{{ .Values.global.cattle.psp.enabled }}
{{- else if empty .Values.global.cattle.psp.enabled -}}
{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
{{- if (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") -}}
true
{{- else -}}
false
{{- end -}}
{{- else -}}
true
{{- end -}}
{{- else -}}
{{- fail "Invalid value for .Values.global.cattle.psp.enabled - must be a bool of true, false, or \"\"" -}}
{{- end -}}
{{- end -}}
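Review bot: In `rancher.chart_psp_enabled`, the branch taken when `lookup` returns nothing falls through to `true`, so a render without cluster access (`helm template`, `--dry-run`) emits `policy/v1beta1` PodSecurityPolicy objects whatever the target version is, although that API no longer exists from Kubernetes 1.25 on. The header comment describes only the live-cluster behaviour, so I would add a line such as `Without cluster access (lookup returns empty) the result defaults to true; set global.cattle.psp.enabled explicitly for offline renders.` Separately, `rancher.labels` emits `.Release.Name` and `.Release.Service` unquoted, and `| quote` would protect them against values that YAML reads as non-strings.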


@@ -0,0 +1,14 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "rancher.fullname" . }}
labels:
{{ include "rancher.labels" . | indent 4 }}
subjects:
- kind: ServiceAccount
name: {{ template "rancher.fullname" . }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io
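Review bot: The `roleRef` binds the chart's ServiceAccount to the built-in `cluster-admin` ClusterRole with no comment explaining why, so anything that can read that pod's token or exec into the pod holds full control of the cluster. If Rancher needs that scope to manage the cluster, say so above the binding, for example `# Rancher administers the whole cluster; its ServiceAccount is bound to cluster-admin on purpose. Treat access to this pod and its token as cluster-admin access.` The binding is also unconditional, so there is no values switch for installing with a narrower role.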


@@ -0,0 +1,13 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: rancher-config
labels: {{ include "rancher.labels" . | nindent 4 }}
app.kubernetes.io/part-of: "rancher"
data:
priorityClassName: {{ .Values.priorityClassName }}
{{- if and .Values.webhook (kindIs "string" .Values.webhook) }}
rancher-webhook: {{ .Values.webhook | quote }}
{{- else if .Values.webhook }}
rancher-webhook: {{ toYaml .Values.webhook | quote }}
{{- end }}


@@ -0,0 +1,253 @@
kind: Deployment
apiVersion: apps/v1
metadata:
name: {{ template "rancher.fullname" . }}
annotations:
{{- if (lt (int .Values.replicas) 0) }}
management.cattle.io/scale-available: "{{ sub 0 (int .Values.replicas)}}"
{{- end }}
labels:
{{ include "rancher.labels" . | indent 4 }}
spec:
{{- if (gt (int .Values.replicas) 0) }}
replicas: {{ .Values.replicas }}
{{- end }}
selector:
matchLabels:
app: {{ template "rancher.fullname" . }}
strategy:
rollingUpdate:
maxSurge: 1
{{- if (eq (int .Values.replicas) 1) }}
maxUnavailable: 0
{{- else }}
maxUnavailable: 1
{{- end }}
type: RollingUpdate
template:
metadata:
labels:
app: {{ template "rancher.fullname" . }}
release: {{ .Release.Name }}
spec:
priorityClassName: {{ .Values.priorityClassName }}
serviceAccountName: {{ template "rancher.fullname" . }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.imagePullSecrets | indent 6 }}
{{- end }}
affinity:
podAntiAffinity:
{{- if eq .Values.antiAffinity "required" }}
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- {{ template "rancher.fullname" . }}
topologyKey: {{ .Values.topologyKey | default "kubernetes.io/hostname" }}
{{- else }}
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- {{ template "rancher.fullname" . }}
topologyKey: {{ .Values.topologyKey | default "kubernetes.io/hostname" }}
{{- end }}
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms: {{ include "linux-node-selector-terms" . | nindent 14 }}
tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
containers:
- image: {{ .Values.rancherImage }}:{{ default .Chart.AppVersion .Values.rancherImageTag }}
imagePullPolicy: {{ default "IfNotPresent" .Values.rancherImagePullPolicy }}
name: {{ template "rancher.name" . }}
ports:
- containerPort: 80
protocol: TCP
{{- if (and .Values.hostPort (gt (int .Values.hostPort) 0)) }}
- containerPort: 444
hostPort: {{ int .Values.hostPort }}
protocol: TCP
{{- end}}
args:
{{- if .Values.debug }}
- "--debug"
{{- end }}
{{- if .Values.privateCA }}
# Private CA - don't clear ca certs
{{- else if and (eq .Values.tls "ingress") (eq .Values.ingress.tls.source "rancher") }}
# Rancher self-signed - don't clear ca certs
{{- else }}
# Public trusted CA - clear ca certs
- "--no-cacerts"
{{- end }}
- "--http-listen-port=80"
- "--https-listen-port=443"
- "--add-local={{ .Values.addLocal }}"
env:
- name: CATTLE_NAMESPACE
value: {{ .Release.Namespace }}
- name: CATTLE_PEER_SERVICE
value: {{ template "rancher.fullname" . }}
{{- if .Values.features }}
- name: CATTLE_FEATURES
value: "{{ .Values.features }}"
{{- end}}
{{- if .Values.noDefaultAdmin }}
- name: CATTLE_NO_DEFAULT_ADMIN
value: "{{ .Values.noDefaultAdmin }}"
{{- end}}
{{- if gt (int .Values.auditLog.level) 0 }}
- name: AUDIT_LEVEL
value: {{ .Values.auditLog.level | quote }}
- name: AUDIT_LOG_MAXAGE
value: {{ .Values.auditLog.maxAge | quote }}
- name: AUDIT_LOG_MAXBACKUP
value: {{ .Values.auditLog.maxBackup | quote }}
- name: AUDIT_LOG_MAXSIZE
value: {{ .Values.auditLog.maxSize | quote }}
{{- end }}
{{- if .Values.proxy }}
- name: HTTP_PROXY
value: {{ .Values.proxy }}
- name: HTTPS_PROXY
value: {{ .Values.proxy }}
- name: NO_PROXY
value: {{ .Values.noProxy }}
{{- end }}
{{- if .Values.systemDefaultRegistry }}
- name: CATTLE_SYSTEM_DEFAULT_REGISTRY
value: {{ .Values.systemDefaultRegistry }}
{{- end }}
{{- if .Values.useBundledSystemChart }}
- name: CATTLE_SYSTEM_CATALOG
value: bundled
{{- end }}
{{- if .Values.restrictedAdmin }}
- name: CATTLE_RESTRICTED_DEFAULT_ADMIN
value: "true"
{{- end}}
{{- if .Values.bootstrapPassword }}
- name: CATTLE_BOOTSTRAP_PASSWORD
valueFrom:
secretKeyRef:
name: "bootstrap-secret"
key: "bootstrapPassword"
{{- end }}
{{- if .Values.extraEnv }}
{{ toYaml .Values.extraEnv | indent 8}}
{{- end }}
livenessProbe:
httpGet:
path: /healthz
port: 80
initialDelaySeconds: {{.Values.livenessProbe.initialDelaySeconds | default 60 }}
periodSeconds: {{ .Values.livenessProbe.periodSeconds | default 30 }}
readinessProbe:
httpGet:
path: /healthz
port: 80
initialDelaySeconds: {{.Values.readinessProbe.initialDelaySeconds | default 5}}
periodSeconds: {{ .Values.readinessProbe.periodSeconds | default 30}}
{{- if .Values.startupProbe }}
startupProbe:
httpGet:
path: /healthz
port: 80
failureThreshold: {{.Values.startupProbe.failureThreshold | default 1}}
periodSeconds: {{ .Values.startupProbe.periodSeconds | default 30}}
{{- end }}
resources:
{{ toYaml .Values.resources | indent 10 }}
volumeMounts:
{{- if .Values.additionalTrustedCAs }}
- mountPath: /etc/pki/trust/anchors/ca-additional.pem
name: tls-ca-additional-volume
subPath: ca-additional.pem
readOnly: true
- mountPath: /etc/rancher/ssl/ca-additional.pem
name: tls-ca-additional-volume
subPath: ca-additional.pem
readOnly: true
{{- end }}
{{- if .Values.privateCA }}
# Pass CA cert into rancher for private CA
- mountPath: /etc/rancher/ssl/cacerts.pem
name: tls-ca-volume
subPath: cacerts.pem
readOnly: true
{{- end }}
{{- if and .Values.customLogos.enabled (or (eq .Values.customLogos.volumeKind "persistentVolumeClaim") (and (eq .Values.customLogos.volumeKind "configMap") (.Values.customLogos.volumeName))) }}
# Mount rancher custom-logos volume
- mountPath: /usr/share/rancher/ui/assets/images/logos
name: custom-logos
subPath: {{ .Values.customLogos.volumeSubpaths.emberUi | default "ember" | quote }}
- mountPath: /usr/share/rancher/ui-dashboard/dashboard/_nuxt/assets/images/pl
name: custom-logos
subPath: {{ .Values.customLogos.volumeSubpaths.vueUi | default "vue" | quote }}
{{- end }}
{{- if gt (int .Values.auditLog.level) 0 }}
- mountPath: /var/log/auditlog
name: audit-log
{{- end }}
{{- if eq .Values.auditLog.destination "sidecar" }}
{{- if gt (int .Values.auditLog.level) 0 }}
# Make audit logs available for Rancher log collector tools.
{{- if .Values.busyboxImage }}
- image: {{ .Values.busyboxImage}}
{{- else }}
- image: {{ .Values.auditLog.image.repository }}:{{.Values.auditLog.image.tag}}
{{- end }}
{{- if .Values.busyboxImagePullPolicy }}
imagePullPolicy: {{ .Values.busyboxImagePullPolicy }}
{{- else }}
imagePullPolicy: {{ .Values.auditLog.image.pullPolicy }}
{{- end }}
name: {{ template "rancher.name" . }}-audit-log
command: ["tail"]
args: ["-F", "/var/log/auditlog/rancher-api-audit.log"]
volumeMounts:
- mountPath: /var/log/auditlog
name: audit-log
{{- end }}
{{- end }}
volumes:
{{- if .Values.additionalTrustedCAs }}
- name: tls-ca-additional-volume
secret:
defaultMode: 0400
secretName: tls-ca-additional
{{- end }}
{{- if .Values.privateCA }}
- name: tls-ca-volume
secret:
defaultMode: 0400
secretName: tls-ca
{{- end }}
{{- if gt (int .Values.auditLog.level) 0 }}
{{- if eq .Values.auditLog.destination "hostPath" }}
- name: audit-log
hostPath:
path: {{ .Values.auditLog.hostPath }}
type: DirectoryOrCreate
{{- else }}
- name: audit-log
emptyDir: {}
{{- end }}
{{- end }}
{{- if and .Values.customLogos.enabled (or (eq .Values.customLogos.volumeKind "persistentVolumeClaim") (and (eq .Values.customLogos.volumeKind "configMap") (.Values.customLogos.volumeName))) }}
- name: custom-logos
{{- if (eq .Values.customLogos.volumeKind "persistentVolumeClaim") }}
persistentVolumeClaim:
claimName: {{ .Values.customLogos.volumeName | default (printf "%s-custom-logos" (include "rancher.fullname" .)) }}
{{- else if (eq .Values.customLogos.volumeKind "configMap") }}
configMap:
name: {{ .Values.customLogos.volumeName }}
{{- end }}
{{- end }}
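Review bot: The `HTTP_PROXY`, `HTTPS_PROXY`, `NO_PROXY` and `CATTLE_SYSTEM_DEFAULT_REGISTRY` env values are rendered unquoted, while the audit-log values directly above them go through `| quote`; an empty `noProxy` renders as null and a value with YAML-significant characters breaks the manifest. I would write `value: {{ .Values.proxy | quote }}`, and likewise for `noProxy` and `systemDefaultRegistry`. If the proxy URL carries credentials they land in the Deployment spec in clear text, readable by anyone who can get Deployments in the namespace; a `secretKeyRef`, as already used for `CATTLE_BOOTSTRAP_PASSWORD`, would keep them out of the spec. The audit-log `hostPath` volume with `type: DirectoryOrCreate` also takes its path straight from values and deserves a comment that the pod writes to the node filesystem.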


@@ -0,0 +1,66 @@
{{- if .Values.ingress.enabled }}
{{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (not (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress")) }}
apiVersion: networking.k8s.io/v1
{{- else }}
apiVersion: networking.k8s.io/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ template "rancher.fullname" . }}
labels:
{{ include "rancher.labels" . | indent 4 }}
annotations:
{{- if .Values.ingress.configurationSnippet }}
nginx.ingress.kubernetes.io/configuration-snippet: |
{{- template "configurationSnippet" . }}
{{- end }}
{{- if eq .Values.tls "external" }}
nginx.ingress.kubernetes.io/ssl-redirect: "false" # turn off ssl redirect for external.
{{- else }}
{{- if ne .Values.ingress.tls.source "secret" }}
{{- $certmanagerVer := split "." .Values.certmanager.version -}}
{{- if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (lt (int $certmanagerVer._1) 11)) }}
certmanager.k8s.io/issuer: {{ template "rancher.fullname" . }}
{{- else }}
cert-manager.io/issuer: {{ template "rancher.fullname" . }}
cert-manager.io/issuer-kind: Issuer
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.ingress.includeDefaultExtraAnnotations }}
nginx.ingress.kubernetes.io/proxy-connect-timeout: "30"
nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
{{- end }}
{{- if .Values.ingress.extraAnnotations }}
{{ toYaml .Values.ingress.extraAnnotations | indent 4 }}
{{- end }}
spec:
{{- if .Values.ingress.ingressClassName }}
ingressClassName: {{ .Values.ingress.ingressClassName }}
{{- end }}
rules:
- host: {{ .Values.hostname }} # hostname to access rancher server
http:
paths:
- backend:
{{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (not (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress")) }}
service:
name: {{ template "rancher.fullname" . }}
port:
number: {{ .Values.ingress.servicePort }}
{{- else }}
serviceName: {{ template "rancher.fullname" . }}
servicePort: {{ .Values.ingress.servicePort }}
{{- end }}
{{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (not (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress")) }}
pathType: ImplementationSpecific
path: "/"
{{- end }}
{{- if eq .Values.tls "ingress" }}
tls:
- hosts:
- {{ .Values.hostname }}
secretName: {{ .Values.ingress.tls.secretName }}
{{- end }}
{{- end }}
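Review bot: The `nginx.ingress.kubernetes.io/configuration-snippet` annotation is filled from `.Values.ingress.configurationSnippet` (rendered through `tpl` in the helper), which places raw NGINX configuration into the controller; ingress-nginx controllers running with `allow-snippet-annotations` turned off will reject or ignore it. A comment next to the `if` should state that requirement and that the snippet must come from a trusted values source, for example `# Requires snippet annotations to be enabled on the ingress-nginx controller; content is inserted verbatim into the NGINX config.` `host: {{ .Values.hostname }}` and `secretName: {{ .Values.ingress.tls.secretName }}` are also unquoted and would be safer with `| quote`.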


@@ -0,0 +1,37 @@
{{- if eq .Values.tls "ingress" -}}
{{- if eq .Values.ingress.tls.source "letsEncrypt" -}}
{{- $certmanagerVer := split "." .Values.certmanager.version -}}
{{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1beta1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 16)) }}
apiVersion: cert-manager.io/v1beta1
{{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 11)) }}
apiVersion: cert-manager.io/v1alpha2
{{- else if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (lt (int $certmanagerVer._1) 11)) }}
apiVersion: certmanager.k8s.io/v1alpha1
{{- else }}
apiVersion: cert-manager.io/v1
{{- end }}
kind: Issuer
metadata:
name: {{ template "rancher.fullname" . }}
labels:
{{ include "rancher.labels" . | indent 4 }}
spec:
acme:
{{- if eq .Values.letsEncrypt.environment "production" }}
server: https://acme-v02.api.letsencrypt.org/directory
{{- else }}
server: https://acme-staging-v02.api.letsencrypt.org/directory
{{- end }}
email: {{ .Values.letsEncrypt.email }}
privateKeySecretRef:
name: letsencrypt-{{ .Values.letsEncrypt.environment }}
{{- if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (lt (int $certmanagerVer._1) 11)) }}
http01: {}
{{- else }}
solvers:
- http01:
ingress:
class: {{ .Values.letsEncrypt.ingress.class }}
{{- end }}
{{- end -}}
{{- end -}}
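Review bot: The ACME `server` selection treats every value of `.Values.letsEncrypt.environment` other than `production` as staging, so a typo such as `prod` silently yields certificates from the staging CA, which clients do not trust. I would make the second branch explicit, `{{- else if eq .Values.letsEncrypt.environment "staging" }}`, and add `{{- else }}{{ fail "letsEncrypt.environment must be production or staging" }}`. `email: {{ .Values.letsEncrypt.email }}` should also go through `| quote`. The cert-manager version ladder at the top is repeated verbatim in the CA Issuer template further down and would be easier to keep consistent as a named helper.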


@@ -0,0 +1,22 @@
{{- if eq .Values.tls "ingress" -}}
{{- if eq .Values.ingress.tls.source "rancher" -}}
{{- $certmanagerVer := split "." .Values.certmanager.version -}}
{{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1beta1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 16)) }}
apiVersion: cert-manager.io/v1beta1
{{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 11)) }}
apiVersion: cert-manager.io/v1alpha2
{{- else if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (lt (int $certmanagerVer._1) 11)) }}
apiVersion: certmanager.k8s.io/v1alpha1
{{- else }}
apiVersion: cert-manager.io/v1
{{- end }}
kind: Issuer
metadata:
name: {{ template "rancher.fullname" . }}
labels:
{{ include "rancher.labels" . | indent 4 }}
spec:
ca:
secretName: tls-rancher
{{- end -}}
{{- end -}}


@@ -0,0 +1,19 @@
{{- if .Values.postDelete.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "rancher.fullname" . }}-post-delete
labels: {{ include "rancher.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-delete
"helm.sh/hook-weight": "2"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "rancher.fullname" . }}-post-delete
subjects:
- kind: ServiceAccount
name: {{ template "rancher.fullname" . }}-post-delete
namespace: {{ .Release.Namespace }}
{{- end }}


@@ -0,0 +1,47 @@
{{- if .Values.postDelete.enabled }}
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "rancher.fullname" . }}-post-delete
labels: {{ include "rancher.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-delete
"helm.sh/hook-weight": "1"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
rules:
- apiGroups: [ "extensions","apps" ]
resources: [ "deployments" ]
verbs: [ "get", "list", "delete" ]
- apiGroups: [ "batch" ]
resources: [ "jobs" ]
verbs: [ "get", "list", "watch", "delete", "create" ]
- apiGroups: [ "rbac.authorization.k8s.io" ]
resources: [ "clusterroles", "clusterrolebindings", "roles", "rolebindings" ]
verbs: [ "get", "list", "delete", "create" ]
- apiGroups: [ "" ]
resources: [ "pods", "secrets", "services", "configmaps" ]
verbs: [ "get", "list", "delete" ]
- apiGroups: [ "" ]
resources: [ "serviceaccounts" ]
verbs: [ "get", "list", "delete", "create" ]
- apiGroups: [ "networking.k8s.io" ]
resources: [ "networkpolicies" ]
verbs: [ "get", "list", "delete" ]
- apiGroups: [ "admissionregistration.k8s.io" ]
resources: [ "validatingwebhookconfigurations", "mutatingwebhookconfigurations" ]
verbs: [ "get", "list", "delete" ]
- apiGroups: [ "policy" ]
resources: [ "podsecuritypolicies" ]
verbs: ["delete", "create" ]
{{- if eq (include "rancher.chart_psp_enabled" . ) "true" }}
- apiGroups: [ "policy" ]
resources: [ "podsecuritypolicies" ]
verbs: [ "use"]
{{- end }}
- apiGroups: [ "networking.k8s.io" ]
resources: [ "ingresses" ]
verbs: [ "delete" ]
- apiGroups: [ "cert-manager.io" ]
resources: [ "issuers" ]
verbs: [ "delete" ]
{{- end }}
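Review bot: The core-group rule grants `get`, `list` and `delete` on `secrets` (together with pods, services and configmaps) cluster-wide, and the RBAC rule allows `create` and `delete` on `clusterroles` and `clusterrolebindings`, all for a one-shot post-delete hook. Nothing in the file says which of these the cleanup script actually uses; a comment per rule naming the objects it removes would let a reviewer check the scope, and the namespaced resources could move to Roles in the namespaces from `postDelete.namespaceList` if the script allows it. The `delete`/`create` rule on `podsecuritypolicies` is also rendered unconditionally, while the `use` rule below it is gated on `rancher.chart_psp_enabled`.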


@@ -0,0 +1,15 @@
{{- if .Values.postDelete.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "rancher.fullname" . }}-post-delete
namespace: {{ .Release.Namespace }}
labels: {{ include "rancher.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-delete
"helm.sh/hook-weight": "1"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
data:
post-delete-hook.sh: |-
{{ $.Files.Get "scripts/post-delete-hook.sh" | indent 4 }}
{{- end }}


@@ -0,0 +1,46 @@
{{- if .Values.postDelete.enabled }}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "rancher.fullname" . }}-post-delete
namespace: {{ .Release.Namespace }}
labels: {{ include "rancher.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-delete
"helm.sh/hook-weight": "3"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
backoffLimit: 3
template:
metadata:
name: {{ template "rancher.fullname" . }}-post-delete
labels: {{ include "rancher.labels" . | nindent 8 }}
spec:
serviceAccountName: {{ template "rancher.fullname" . }}-post-delete
restartPolicy: OnFailure
containers:
- name: {{ template "rancher.name" . }}-post-delete
image: "{{ include "system_default_registry" . }}{{ .Values.postDelete.image.repository }}:{{ .Values.postDelete.image.tag }}"
imagePullPolicy: IfNotPresent
securityContext:
runAsUser: 0
command:
- /scripts/post-delete-hook.sh
volumeMounts:
- mountPath: /scripts
name: config-volume
env:
- name: NAMESPACES
value: {{ .Values.postDelete.namespaceList | join " " | quote }}
- name: RANCHER_NAMESPACE
value: {{ .Release.Namespace }}
- name: TIMEOUT
value: {{ .Values.postDelete.timeout | quote }}
- name: IGNORETIMEOUTERROR
value: {{ .Values.postDelete.ignoreTimeoutError | quote }}
volumes:
- name: config-volume
configMap:
name: {{ template "rancher.fullname" . }}-post-delete
defaultMode: 0777
{{- end }}
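Review bot: `defaultMode: 0777` on the `config-volume` ConfigMap marks the mounted hook script as world-writable, although the container only needs to read and execute it; `defaultMode: 0555` is enough. The container also sets `runAsUser: 0` without `allowPrivilegeEscalation: false` or dropped capabilities, and if the script (not visible in this section) does not write to the root filesystem, `readOnlyRootFilesystem: true` would fit as well. `RANCHER_NAMESPACE` is the one env value here that is not passed through `| quote`.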


@@ -0,0 +1,34 @@
{{- if eq (include "rancher.chart_psp_enabled" . ) "true" -}}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ include "rancher.fullname" . }}-post-delete
labels: {{ include "rancher.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-delete
"helm.sh/hook-weight": "1"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
spec:
privileged: false
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: false
volumes:
- 'secret'
- 'configMap'
{{- end }}
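Review bot: This PodSecurityPolicy is gated only on `rancher.chart_psp_enabled`, whereas every other `-post-delete` resource in the commit is wrapped in `.Values.postDelete.enabled`, so it is still rendered as a hook when the post-delete job is switched off. I would make the first line `{{- if and .Values.postDelete.enabled (eq (include "rancher.chart_psp_enabled" .) "true") -}}`. The spec also leaves `allowPrivilegeEscalation` unset and `runAsUser` at `RunAsAny`; the job does run as UID 0, but `allowPrivilegeEscalation: false` could still be stated here.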


@@ -0,0 +1,12 @@
{{- if .Values.postDelete.enabled }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "rancher.fullname" . }}-post-delete
namespace: {{ .Release.Namespace }}
labels: {{ include "rancher.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-delete
"helm.sh/hook-weight": "1"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
{{- end }}


@@ -0,0 +1,8 @@
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
name: rancher-critical
labels: {{ include "rancher.labels" . | nindent 4 }}
value: 1000000000
globalDefault: false
description: "Priority class used by pods critical to rancher's functionality."


@@ -0,0 +1,19 @@
{{- if and (.Values.customLogos.enabled) (eq .Values.customLogos.volumeKind "persistentVolumeClaim") (not .Values.customLogos.volumeName) }}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ template "rancher.fullname" . }}-custom-logos
spec:
accessModes:
- {{ .Values.customLogos.accessMode | quote }}
resources:
requests:
storage: {{ .Values.customLogos.size | quote }}
storageClassName: {{ if .Values.customLogos.storageClass }}
{{- if (eq "-" .Values.customLogos.storageClass) -}}
""
{{- else }}
{{- .Values.customLogos.storageClass }}
{{- end -}}
{{- end }}
{{- end }}


@@ -0,0 +1,25 @@
{{/* Use the bootstrap password from values.yaml if an existing secret is not found */}}
{{- $bootstrapPassword := .Values.bootstrapPassword -}}
{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace "bootstrap-secret" -}}
{{- if $existingSecret -}}
{{- if $existingSecret.data -}}
{{- if $existingSecret.data.bootstrapPassword -}}
{{- $bootstrapPassword = $existingSecret.data.bootstrapPassword | b64dec -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/* If a bootstrap password was found in the values or an existing password was found create the secret */}}
{{- if $bootstrapPassword }}
apiVersion: v1
kind: Secret
metadata:
name: "bootstrap-secret"
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "-5"
"helm.sh/resource-policy": keep
type: Opaque
data:
bootstrapPassword: {{ $bootstrapPassword | b64enc | quote }}
{{- end }}
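Review bot: The `lookup` result takes precedence over `.Values.bootstrapPassword`, so a new value supplied on upgrade is silently ignored once `bootstrap-secret` exists, and with `helm.sh/resource-policy: keep` the secret outlives an uninstall. The leading comment should spell that out, for example `Once bootstrap-secret exists its value wins over .Values.bootstrapPassword; the secret is kept on uninstall and must be deleted by hand.` A password passed through values is also recorded in the Helm release data, so the chart documentation should say that it is meant to be changed after first login.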


@@ -0,0 +1,28 @@
apiVersion: v1
kind: Service
metadata:
{{- if .Values.service.annotations }}
annotations:
{{ toYaml .Values.service.annotations | indent 4 }}
{{- end }}
name: {{ template "rancher.fullname" . }}
labels:
{{ include "rancher.labels" . | indent 4 }}
spec:
{{- /*
If service.type is not provided this attribute is ommitted and k8s default of ClusterIP is used.
*/}}
{{- if .Values.service.type }}
type: {{ .Values.service.type }}
{{- end }}
ports:
- port: 80
targetPort: 80
protocol: TCP
name: http
- port: 443
targetPort: 444
protocol: TCP
name: https-internal
selector:
app: {{ template "rancher.fullname" . }}


@@ -0,0 +1,6 @@
kind: ServiceAccount
apiVersion: v1
metadata:
name: {{ template "rancher.fullname" . }}
labels:
{{ include "rancher.labels" . | indent 4 }}