Add Rancher management UI

infrastructure/addons/kustomization-rancher.yaml

@@ -0,0 +1,17 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: addon-rancher
+  namespace: flux-system
+spec:
+  interval: 10m
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: platform
+  path: ./infrastructure/addons/rancher
+  wait: true
+  timeout: 15m
+  suspend: false
+  dependsOn:
+    - name: addon-tailscale-operator

infrastructure/addons/kustomization.yaml

@@ -9,3 +9,4 @@ resources:
   - kustomization-tailscale-proxyclass.yaml
   - kustomization-observability.yaml
   - kustomization-observability-content.yaml
+  - kustomization-rancher.yaml

infrastructure/addons/rancher/helmrelease-rancher.yaml

@@ -0,0 +1,45 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: rancher
+  namespace: flux-system
+spec:
+  interval: 10m
+  targetNamespace: cattle-system
+  chart:
+    spec:
+      chart: rancher
+      version: "2.9.3"
+      sourceRef:
+        kind: HelmRepository
+        name: rancher-stable
+        namespace: flux-system
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+  values:
+    hostname: k8s-cluster-cp-1.silverside-gopher.ts.net
+    tls: external
+    replicas: 1
+    bootstrapPassword: password
+    extraEnv:
+      - name: CATTLE_PROMETHEUS_METRICS
+        value: "true"
+    resources:
+      requests:
+        cpu: 500m
+        memory: 512Mi
+      limits:
+        cpu: 1000m
+        memory: 1Gi
+    affinity:
+      nodeAffinity:
+        requiredDuringSchedulingIgnoredDuringExecution:
+          nodeSelectorTerms:
+            - matchExpressions:
+                - key: node-role.kubernetes.io/control-plane
+                  operator: DoesNotExist

infrastructure/addons/rancher/helmrepository-rancher.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: rancher-stable
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://releases.rancher.com/server-charts/stable

infrastructure/addons/rancher/ingress-rancher.yaml

@@ -0,0 +1,26 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: rancher
+  namespace: cattle-system
+  annotations:
+    traefik.ingress.kubernetes.io/router.entrypoints: rancher
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    cert-manager.io/cluster-issuer: "selfsigned-cluster-issuer"
+spec:
+  ingressClassName: traefik
+  rules:
+    - host: k8s-cluster-cp-1.silverside-gopher.ts.net
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: rancher
+                port:
+                  number: 80
+  tls:
+    - hosts:
+        - k8s-cluster-cp-1.silverside-gopher.ts.net
+      secretName: rancher-tls

infrastructure/addons/rancher/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - helmrepository-rancher.yaml
+  - helmrelease-rancher.yaml
+  - traefik-helmchartconfig-rancher-entrypoint.yaml
+  - ingress-rancher.yaml
+  - rancher-bootstrap-password-externalsecret.yaml

infrastructure/addons/rancher/rancher-bootstrap-password-externalsecret.yaml

@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: rancher-bootstrap-password
+  namespace: cattle-system
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: doppler-hetznerterra
+    kind: ClusterSecretStore
+  target:
+    name: rancher-bootstrap-password
+    creationPolicy: Owner
+    template:
+      type: Opaque
+      data:
+        bootstrapPassword: "{{ .rancherBootstrapPassword }}"
+  data:
+    - secretKey: rancherBootstrapPassword
+      remoteRef:
+        key: RANCHER_BOOTSTRAP_PASSWORD

infrastructure/addons/rancher/traefik-helmchartconfig-rancher-entrypoint.yaml

@@ -0,0 +1,15 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChartConfig
+metadata:
+  name: traefik
+  namespace: kube-system
+spec:
+  valuesContent: |-
+    additionalArguments:
+      - "--entryPoints.rancher.address=:9442/tcp"
+    ports:
+      rancher:
+        port: 9442
+        expose: true
+        exposedPort: 9442
+        protocol: TCP