OpenStaticFish/HetznerTerra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: vendor Rancher chart for bootstrap
Deploy Cluster / Terraform (push) Successful in 31s
Details
Deploy Cluster / Ansible (push) Has been cancelled
Details

Browse Source
This commit is contained in:
MichaelFisher1997
2026-04-25 23:08:26 +00:00
parent f3c96b65d2
commit b1eab6a0fa
33 changed files with 1818 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
infrastructure/addons/rancher/helmrelease-rancher.yaml
+3 -4
View File
@@ -9,11 +9,10 @@ spec:
targetNamespace: cattle-system
chart:
spec:
chart: rancher
version: "2.13.3"
chart: ./infrastructure/charts/rancher
sourceRef:
kind: HelmRepository
name: rancher-stable
kind: GitRepository
name: platform
namespace: flux-system
install:
createNamespace: true
infrastructure/addons/rancher/kustomization.yaml
-1
View File
@@ -2,7 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- helmrepository-rancher.yaml
- helmrelease-rancher.yaml
- rancher-bootstrap-password-flux-externalsecret.yaml
- rancher-bootstrap-password-externalsecret.yaml
infrastructure/charts/rancher/.helmignore
+1
View File
@@ -0,0 +1 @@
tests
infrastructure/charts/rancher/Chart.yaml
+15
View File
@@ -0,0 +1,15 @@
apiVersion: v2
appVersion: v2.13.3
description: Install Rancher Server to manage Kubernetes clusters across providers.
home: https://rancher.com
icon: https://raw.githubusercontent.com/rancher/ui/master/public/assets/images/logos/welcome-cow.svg
keywords:
- rancher
kubeVersion: < 1.35.0-0
maintainers:
- email: charts@rancher.com
name: Rancher Labs
name: rancher
sources:
- https://github.com/rancher/rancher
version: 2.13.3
infrastructure/charts/rancher/README.md
+209
View File
@@ -0,0 +1,209 @@
By installing this application, you accept the [End User License Agreement & Terms & Conditions](https://www.suse.com/licensing/eula/).
# Rancher
***Rancher*** is open source software that combines everything an organization needs to adopt and run containers in production. Built on Kubernetes, Rancher makes it easy for DevOps teams to test, deploy and manage their applications.
### Introduction
This chart bootstraps a [Rancher Server](https://ranchermanager.docs.rancher.com/pages-for-subheaders/install-upgrade-on-a-kubernetes-cluster) on a Kubernetes cluster using the [Helm](https://helm.sh/) package manager. For a Rancher Supported Deployment please follow our [HA install instructions](https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/kubernetes-cluster-setup/high-availability-installs).
### Prerequisites Details
*For installations covered under [Rancher Support SLA](https://www.suse.com/suse-rancher/support-matrix/all-supported-versions) the target cluster must be **[RKE1](https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/kubernetes-cluster-setup/rke1-for-rancher)**, **[RKE2](https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/kubernetes-cluster-setup/rke2-for-rancher)**, **[K3s](https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/kubernetes-cluster-setup/k3s-for-rancher)**, **[AKS](https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-on-aks)**, **[EKS](https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-on-amazon-eks)**, or **[GKE](https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster/rancher-on-gke)**.*
Make sure the node(s) for the Rancher server fulfill the following requirements:
[Operating Systems and Container Runtime Requirements](https://ranchermanager.docs.rancher.com/pages-for-subheaders/installation-requirements#operating-systems-and-container-runtime-requirements)
[Hardware Requirements](https://ranchermanager.docs.rancher.com/pages-for-subheaders/installation-requirements#hardware-requirements)
- [CPU and Memory](https://ranchermanager.docs.rancher.com/pages-for-subheaders/installation-requirements#cpu-and-memory)
- [Ingress](https://ranchermanager.docs.rancher.com/pages-for-subheaders/installation-requirements#ingress)
- [Disks](https://ranchermanager.docs.rancher.com/pages-for-subheaders/installation-requirements#disks)
[Networking Requirements](https://ranchermanager.docs.rancher.com/pages-for-subheaders/installation-requirements#networking-requirements)
- [Node IP Addresses](https://ranchermanager.docs.rancher.com/pages-for-subheaders/installation-requirements#node-ip-addresses)
- [Port Requirements](https://ranchermanager.docs.rancher.com/pages-for-subheaders/installation-requirements#port-requirements)
[Install the Required CLI Tools](https://ranchermanager.docs.rancher.com/pages-for-subheaders/cli-with-rancher)
- [kubectl](https://ranchermanager.docs.rancher.com/reference-guides/cli-with-rancher/kubectl-utility) - Kubernetes command-line tool.
- [helm](https://docs.helm.sh/using_helm/#installing-helm) - Package management for Kubernetes. Refer to the [Helm version requirements](https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/resources/helm-version-requirements) to choose a version of Helm to install Rancher.
For a list of best practices that we recommend for running the Rancher server in production, refer to the [best practices section](https://ranchermanager.docs.rancher.com/pages-for-subheaders/best-practices).
## Installing Rancher
For production environments, we recommend installing Rancher in a [high-availability Kubernetes installation](https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/kubernetes-cluster-setup/high-availability-installs) so that your user base can always access Rancher Server. When installed in a Kubernetes cluster, Rancher will integrate with the clusters etcd database and take advantage of Kubernetes scheduling for high-availability.
Optional: Installing Rancher on a [Single-node](https://ranchermanager.docs.rancher.com/pages-for-subheaders/rancher-on-a-single-node-with-docker) Kubernetes Cluster
#### Add the Helm Chart Repository
Use [helm repo add](https://helm.sh/docs/helm/helm_repo_add/) command to add the Helm chart repository that contains charts to install Rancher. For more information about the repository choices and which is best for your use case, see Choosing a Version of Rancher.
```bash
helm repo add rancher-latest https://releases.rancher.com/server-charts/latest
```
#### Create a Namespace for Rancher
Well need to define a Kubernetes namespace where the resources created by the Chart should be installed. This should always be cattle-system:
```bash
kubectl create namespace cattle-system
```
#### Choose your SSL Configuration
The Rancher management server is designed to be secure by default and requires SSL/TLS configuration.
There are three recommended options for the source of the certificate used for TLS termination at the Rancher server:
- [Rancher-generated TLS certificate](https://ranchermanager.docs.rancher.com/pages-for-subheaders/install-upgrade-on-a-kubernetes-cluster#3-choose-your-ssl-configuration)
- [Lets Encrypt](https://ranchermanager.docs.rancher.com/pages-for-subheaders/install-upgrade-on-a-kubernetes-cluster#3-choose-your-ssl-configuration)
- [Bring your own certificate](https://ranchermanager.docs.rancher.com/pages-for-subheaders/install-upgrade-on-a-kubernetes-cluster#3-choose-your-ssl-configuration)
#### Install cert-manager
This step is only required to use certificates issued by Ranchers generated CA **`(ingress.tls.source=rancher)`** or to request Lets Encrypt issued certificates **`(ingress.tls.source=letsEncrypt)`**.
[These instructions are adapted from the official cert-manager documentation.](https://ranchermanager.docs.rancher.com/pages-for-subheaders/install-upgrade-on-a-kubernetes-cluster#4-install-cert-manager)
#### Install Rancher with Helm and Your Chosen Certificate Option
- [Rancher to generated certificates](https://ranchermanager.docs.rancher.com/pages-for-subheaders/install-upgrade-on-a-kubernetes-cluster#5-install-rancher-with-helm-and-your-chosen-certificate-option)
```bash
helm install rancher rancher-latest/rancher \
--namespace cattle-system \
--set hostname=rancher.my.org
```
- [Lets Encrypt](https://ranchermanager.docs.rancher.com/pages-for-subheaders/install-upgrade-on-a-kubernetes-cluster#5-install-rancher-with-helm-and-your-chosen-certificate-option)
```bash
helm install rancher rancher-latest/rancher \
--namespace cattle-system \
--set hostname=rancher.my.org \
--set ingress.tls.source=letsEncrypt \
--set letsEncrypt.email=me@example.org
```
- [Certificates from Files](https://ranchermanager.docs.rancher.com/pages-for-subheaders/install-upgrade-on-a-kubernetes-cluster#5-install-rancher-with-helm-and-your-chosen-certificate-option)
```bash
helm install rancher rancher-latest/rancher \
--namespace cattle-system \
--set hostname=rancher.my.org \
--set ingress.tls.source=secret
```
*If you are using a Private CA signed certificate , add **--set privateCA=true** to the command:`*
```bash
helm install rancher rancher-latest/rancher \
--namespace cattle-system \
--set hostname=rancher.my.org \
--set ingress.tls.source=secret \
--set privateCA=true
```
#### Verify that the Rancher Server is Successfully Deployed
After adding the secrets, check if Rancher was rolled out successfully:
```bash
kubectl -n cattle-system rollout status deploy/rancher
Waiting for deployment "rancher" rollout to finish: 0 of 3 updated replicas are available...
deployment "rancher" successfully rolled out
```
If you see the following **`error: error: deployment "rancher" exceeded its progress deadline`**, you can check the status of the deployment by running the following command:
```bash
kubectl -n cattle-system get deploy rancher
NAME DESIRED CURRENT UP-TO-DATE AVAILABLE AGE
rancher 3 3 3 3 3m
```
It should show the same count for **`DESIRED`** and **`AVAILABLE`**.
#### Save Your Options
Make sure you save the **`--set`** options you used. You will need to use the same options when you upgrade Rancher to new versions with Helm.
#### Finishing Up
Thats it. You should have a functional Rancher server.
In a web browser, go to the DNS name that forwards traffic to your load balancer. Then you should be greeted by the colorful login page.
Doesnt work? Take a look at the [Troubleshooting Page](https://ranchermanager.docs.rancher.com/troubleshooting/general-troubleshooting)
***All of these instructions are defined in detailed in the [Rancher Documentation](https://ranchermanager.docs.rancher.com/pages-for-subheaders/install-upgrade-on-a-kubernetes-cluster#install-the-rancher-helm-chart).***
### Helm Chart Options for Kubernetes Installations
The full [Helm Chart Options](https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/installation-references/helm-chart-options) can be found here.
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
#### Common Options
| Parameter | Default Value | Description |
| ------------------------- | ------------- | -------------------------------------------------------------------------------------------- |
| `hostname` | " " | ***string*** - the Fully Qualified Domain Name for your Rancher Server |
| `ingress.tls.source` | "rancher" | ***string*** - Where to get the cert for the ingress. - "***rancher, letsEncrypt, secret***" |
| `letsEncrypt.email` | " " | ***string*** - Your email address |
| `letsEncrypt.environment` | "production" | ***string*** - Valid options: "***staging, production***" |
| `privateCA` | false | ***bool*** - Set to true if your cert is signed by a private CA |
#### Advanced Options
| Parameter | Default Value | Description |
| ---------------------------------------- | ------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `additionalTrustedCAs` | false | ***bool*** - [See Additional Trusted CAs Server](https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/installation-references/helm-chart-options#additional-trusted-cas) |
| `addLocal` | "true" | ***string*** - As of Rancher v2.5.0 this flag is deprecated and must be set to "true" |
| `antiAffinity` | "preferred" | ***string*** - AntiAffinity rule for Rancher pods - *"preferred, required"* |
| `replicas` | 3 | ***int*** - Number of replicas of Rancher pods |
| `auditLog.destination` | "sidecar" | ***string*** - Stream to sidecar container console or hostPath volume - *"sidecar, hostPath"* |
| `auditLog.hostPath` | "/var/log/rancher/audit" | ***string*** - log file destination on host (only applies when **auditLog.destination** is set to **hostPath**) |
| `auditLog.level` | 0 | ***int*** - set the API Audit Log level |
| `auditLog.enabled` | false | ***bool*** - enable the rancher audit logging system |
| `auditLog.maxAge` | 1 | ***int*** - maximum number of days to retain old audit log files (only applies when **auditLog.destination** is set to **hostPath**) |
| `auditLog.maxBackup` | 1 | int - maximum number of audit log files to retain (only applies when **auditLog.destination** is set to **hostPath**) |
| `auditLog.maxSize` | 100 | ***int*** - maximum size in megabytes of the audit log file before it gets rotated (only applies when **auditLog.destination** is set to **hostPath**) |
| `auditLog.image.repository` | "rancher/mirrored-bci-micro" | ***string*** - Location for the image used to collect audit logs *Note: Available as of v2.7.0* |
| `auditLog.image.tag` | "15.4.14.3" | ***string*** - Tag for the image used to collect audit logs *Note: Available as of v2.7.0* |
| `auditLog.image.pullPolicy` | "IfNotPresent" | ***string*** - Override imagePullPolicy for auditLog images - *"Always", "Never", "IfNotPresent"* *Note: Available as of v2.7.0* |
| `busyboxImage` | "" | ***string*** - *Deprecated `auditlog.image.repository` should be used to control auditing sidecar image.* Image location for busybox image used to collect audit logs *Note: Available as of v2.2.0, and Deprecated as of v2.7.0* |
| `busyboxImagePullPolicy` | "IfNotPresent" | ***string*** - - *Deprecated `auditlog.image.pullPolicy` should be used to control auditing sidecar image.* Override imagePullPolicy for busybox images - *"Always", "Never", "IfNotPresent"* *Deprecated as of v2.7.0* |
| `debug` | false | ***bool*** - set debug flag on rancher server |
| `certmanager.version` | " " | ***string*** - set cert-manager compatibility |
| `extraEnv` | [] | ***list*** - set additional environment variables for Rancher Note: *Available as of v2.2.0* |
| `imagePullSecrets` | [] | ***list*** - list of names of Secret resource containing private registry credentials |
| `ingress.enabled` | true | ***bool*** - install ingress resource |
| `ingress.ingressClassName` | " " | ***string*** - class name of ingress if not set manually or by the ingress controller's defaults |
| `ingress.includeDefaultExtraAnnotations` | true | ***bool*** - Add default nginx annotations |
| `ingress.extraAnnotations` | {} | ***map*** - additional annotations to customize the ingress |
| `ingress.configurationSnippet` | " " | ***string*** - Add additional Nginx configuration. Can be used for proxy configuration. Note: *Available as of v2.0.15, v2.1.10 and v2.2.4* |
| `service.annotations` | {} | ***map*** - annotations to customize the service |
| `service.type` | " " | ***string*** - Override the type used for the service - *"NodePort", "LoadBalancer", "ClusterIP"* |
| `letsEncrypt.ingress.class` | " " | ***string*** - optional ingress class for the cert-manager acmesolver ingress that responds to the Lets *Encrypt ACME challenges* |
| `proxy` | " " | ***string** - HTTP[S] proxy server for Rancher |
| `noProxy` | "127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.svc,.cluster.local" | ***string*** - comma separated list of hostnames or ip address not to use the proxy |
| `resources` | {} | ***map*** - rancher pod resource requests & limits |
| `rancherImage` | "rancher/rancher" | ***string*** - rancher image source |
| `rancherImageTag` | same as chart version | ***string*** - rancher/rancher image tag |
| `rancherImagePullPolicy` | "IfNotPresent" | ***string*** - Override imagePullPolicy for rancher server images - *"Always", "Never", "IfNotPresent"* |
| `tls` | "ingress" | ***string*** - See External TLS Termination for details. - *"ingress, external"* |
| `systemDefaultRegistry` | "" | ***string*** - private registry to be used for all system Docker images, e.g., [http://registry.example.com/] *Available as of v2.3.0* |
| `useBundledSystemChart` | false | ***bool*** - select to use the system-charts packaged with Rancher server. This option is used for air gapped installations. *Available as of v2.3.0* |
| `customLogos.enabled` | false | ***bool*** - Enabled [Ember Rancher UI (cluster manager) custom logos](https://github.com/rancher/ui/tree/master/public/assets/images/logos) and [Vue Rancher UI (cluster explorer) custom logos](https://github.com/rancher/dashboard/tree/master/shell/assets/images/pl) persistence volume |
| `customLogos.volumeSubpaths.emberUi` | "ember" | ***string*** - Volume subpath for [Ember Rancher UI (cluster manager) custom logos](https://github.com/rancher/ui/tree/master/public/assets/images/logos) persistence |
| `customLogos.volumeSubpaths.vueUi` | "vue" | ***string*** - Volume subpath for [Vue Rancher UI (cluster explorer) custom logos](https://github.com/rancher/dashboard/tree/master/shell/assets/images/pl) persistence |
| `customLogos.volumeName` | "" | ***string*** - Use an existing volume. Custom logos should be copied to the proper `volume/subpath` folder by the user. Optional for persistentVolumeClaim, required for configMap |
| `customLogos.storageClass` | "" | ***string*** - Set custom logos persistentVolumeClaim storage class. Required for dynamic pv |
| `customLogos.accessMode` | "ReadWriteOnce" | ***string*** - Set custom persistentVolumeClaim access mode |
| `customLogos.size` | "1Gi" | ***string*** - Set custom persistentVolumeClaim size |
infrastructure/charts/rancher/scripts/post-delete-hook.sh
+100
View File
@@ -0,0 +1,100 @@
#!/bin/bash
set -e
namespaces="${NAMESPACES}"
rancher_namespace="${RANCHER_NAMESPACE}"
timeout="${TIMEOUT}"
ignoreTimeoutError="${IGNORETIMEOUTERROR}"
if [[ -z ${namespaces} ]]; then
echo "No namespace is provided."
exit 1
fi
if [[ -z ${rancher_namespace} ]]; then
echo "No rancher namespace is provided."
exit 1
fi
if [[ -z ${timeout} ]]; then
echo "No timeout value is provided."
exit 1
fi
if [[ -z ${ignoreTimeoutError} ]]; then
echo "No ignoreTimeoutError value is provided."
exit 1
fi
succeeded=()
failed=()
get_pod_count() {
kubectl get pods --selector app="${1}" -n "${2}" -o json | jq '.items | length'
}
echo "Uninstalling Rancher resources in the following namespaces: ${namespaces}"
for namespace in ${namespaces}; do
for app in $(helm list -n "${namespace}" -q); do
if [[ ${app} =~ .crd$ ]]; then
echo "--- Skip the app [${app}] in the namespace [${namespace}]"
continue
fi
echo "--- Deleting the app [${app}] in the namespace [${namespace}]"
if [[ ! $(helm uninstall "${app}" -n "${namespace}") ]]; then
failed=("${failed[@]}" "${app}")
continue
fi
t=0
while true; do
if [[ $(get_pod_count "${app}" "${namespace}") -eq 0 ]]; then
echo "successfully uninstalled [${app}] in the namespace [${namespace}]"
succeeded=("${succeeded[@]}" "${app}")
break
fi
if [[ ${t} -ge ${timeout} ]]; then
echo "timeout uninstalling [${app}] in the namespace [${namespace}]"
failed=("${failed[@]}" "${app}")
break
fi
# by default, wait 120 seconds in total for an app to be uninstalled
echo "waiting 5 seconds for pods of [${app}] to be terminated ..."
sleep 5
t=$((t + 5))
done
done
# delete the helm operator pods
for pod in $(kubectl get pods -n "${namespace}" -o name); do
if [[ ${pod} =~ ^pod\/helm-operation-* ]]; then
echo "--- Deleting the pod [${pod}] in the namespace [${namespace}]"
kubectl delete "${pod}" -n "${namespace}"
fi
done
done
echo "Removing Rancher bootstrap secret in the following namespace: ${rancher_namespace}"
kubectl --ignore-not-found=true delete secret bootstrap-secret -n "${rancher_namespace}"
echo 'Removing Rancher v1.ext.cattle.io APIService'
kubectl --ignore-not-found=true delete apiservice v1.ext.cattle.io
echo "Removing Rancher imperative-api-extension Service in the following namespace: ${rancher_namespace}"
kubectl --ignore-not-found=true delete service imperative-api-extension -n "${rancher_namespace}"
echo "------ Summary ------"
if [[ ${#succeeded[@]} -ne 0 ]]; then
echo "Succeeded to uninstall the following apps:" "${succeeded[@]}"
fi
if [[ ${#failed[@]} -ne 0 ]]; then
echo "Failed to uninstall the following apps:" "${failed[@]}"
if [[ "${ignoreTimeoutError}" == "false" ]]; then
exit 2
fi
else
echo "Cleanup finished successfully."
fi
infrastructure/charts/rancher/scripts/pre-upgrade-hook.sh
+134
View File
@@ -0,0 +1,134 @@
#!/bin/bash
set -eo pipefail
# Global counters
declare -A COUNTS
RESOURCES_FOUND=false
check_prerequisites() {
if ! command -v kubectl &>/dev/null; then
echo "Missing required tool: kubectl"
exit 1
fi
}
print_resource_table() {
local kind="$1"
local items="$2"
local -a headers=("${@:3}")
local count
count=$(wc -l <<< "$items")
COUNTS["$kind"]=$count
RESOURCES_FOUND=true
echo "Found $count $kind resource(s):"
echo
IFS=$'\n' read -r -d '' -a lines < <(printf '%s\0' "$items")
# Initialize max_lengths array with header lengths
local -a max_lengths
for i in "${!headers[@]}"; do
max_lengths[i]=${#headers[i]}
done
# Calculate max width for each column
for line in "${lines[@]}"; do
IFS=$'\t' read -r -a cols <<< "$line"
for i in "${!cols[@]}"; do
(( ${#cols[i]} > max_lengths[i] )) && max_lengths[i]=${#cols[i]}
done
done
for i in "${!headers[@]}"; do
printf "%-${max_lengths[i]}s " "${headers[i]}"
done
printf "\n"
for i in "${!headers[@]}"; do
printf "%-${max_lengths[i]}s " "$(printf '%*s' "${max_lengths[i]}" '' | tr ' ' '-')"
done
printf "\n"
for line in "${lines[@]}"; do
IFS=$'\t' read -r -a cols <<< "$line"
for i in "${!cols[@]}"; do
printf "%-${max_lengths[i]}s " "${cols[i]}"
done
printf "\n"
done
echo
}
detect_resource() {
local crd="$1"
local kind="$2"
local jsonpath="$3"
local -a headers=("${@:4}")
echo "Checking for $kind resources..."
local output
if ! output=$(kubectl get "$crd" --all-namespaces -o=jsonpath="$jsonpath" 2>&1); then
if grep -q "the server doesn't have a resource type" <<< "$output"; then
echo "Resource type $crd not found. Skipping."
echo
return 0
else
echo "Error retrieving $kind resources: $output"
exit 1
fi
fi
if [ -z "$output" ]; then
echo "No $kind resources found."
echo
else
print_resource_table "$kind" "$output" "${headers[@]}"
fi
}
print_summary() {
echo "===== SUMMARY ====="
local total=0
for kind in "${!COUNTS[@]}"; do
local count=${COUNTS[$kind]}
echo "$kind: $count"
total=$((total + count))
done
echo "Total resources detected: $total"
if [ "$RESOURCES_FOUND" = true ]; then
echo "Error: Rancher v2.12+ does not support RKE1.
Detected RKE1-related resources (listed above).
Please migrate these clusters to RKE2 or K3s, or delete the related resources.
More info: https://www.suse.com/c/rke-end-of-life-by-july-2025-replatform-to-rke2-or-k3s"
exit 1
else
echo "No RKE related resources found."
fi
}
main() {
check_prerequisites
detect_resource "clusters.management.cattle.io" "RKE Management Cluster" \
'{range .items[?(@.spec.rancherKubernetesEngineConfig)]}{.metadata.name}{"\t"}{.spec.displayName}{"\n"}{end}' \
"NAME" "DISPLAY NAME"
detect_resource "nodetemplates.management.cattle.io" "NodeTemplate" \
'{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{.spec.displayName}{"\n"}{end}' \
"NAMESPACE" "NAME" "DISPLAY NAME"
detect_resource "clustertemplates.management.cattle.io" "ClusterTemplate" \
'{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{.spec.displayName}{"\n"}{end}' \
"NAMESPACE" "NAME" "DISPLAY NAME"
print_summary
}
main
infrastructure/charts/rancher/templates/NOTES.txt
+34
View File
@@ -0,0 +1,34 @@
{{- $action := "installed" -}}
{{ if .Release.IsUpgrade -}}
{{ $action = "upgraded" -}}
{{ end -}}
{{- include "tpl.chart.deprecated" (list .Values.busyboxImage ".Values.busyboxImage" "Use `.Values.auditLog.image.repository` & `.Values.auditLog.image.tag` instead.") -}}
{{- include "tpl.chart.replace" (list .Values.busyboxImagePullPolicy ".Values.busyboxImagePullPolicy" ".Values.auditLog.image.pullPolicy") -}}
{{- include "tpl.chart.deprecated" (list .Values.rancherImage ".Values.rancherImage" "Use `.Values.image.repository` & `.Values.image.registry` instead; if you used image name with Registry included you must split them up.") -}}
{{- include "tpl.chart.replace" (list .Values.rancherImageTag ".Values.rancherImageTag" ".Values.image.tag") -}}
{{- include "tpl.chart.replace" (list .Values.rancherImagePullPolicy ".Values.rancherImagePullPolicy" ".Values.image.pullPolicy") -}}
Rancher Server has been {{ $action }}. Rancher may take several minutes to fully initialize.
Please standby while Certificates are being issued, Containers are started and the Ingress rule comes up.
Check out our docs at https://rancher.com/docs/
## First Time Login
If you provided your own bootstrap password during installation, browse to https://{{ .Values.hostname }} to get started.
If this is the first time you installed Rancher, get started by running this command and clicking the URL it generates:
```
echo https://{{ .Values.hostname }}/dashboard/?setup=$(kubectl get secret --namespace cattle-system bootstrap-secret -o go-template='{{ "{{" }}.data.bootstrapPassword|base64decode{{ "}}" }}')
```
To get just the bootstrap password on its own, run:
```
kubectl get secret --namespace cattle-system bootstrap-secret -o go-template='{{ "{{" }}.data.bootstrapPassword|base64decode{{ "}}" }}{{ "{{" }} "\n" {{ "}}" }}'
```
Happy Containering!
infrastructure/charts/rancher/templates/_helpers.tpl
+191
View File
@@ -0,0 +1,191 @@
{{/* vim: set filetype=mustache: */}}
{{ define "tpl.url.ensureTrailingSlash" -}}
{{ $url := . | trimSuffix "/" -}}
{{ printf "%s/" $url }}
{{- end -}}
{{ define "tpl.chart.deprecated" -}}
{{ $val := index . 0 -}}
{{ $name := index . 1 -}}
{{ $msg := "" -}}
{{ if ge (len .) 3 -}}
{{ $msg = index . 2 -}}
{{ end -}}
{{ if $val -}}
{{ printf "[WARNING] Deprecated: %s is deprecated and will be removed in a future release.%s\n" $name $msg | indent 0 }}
{{ end -}}
{{ end -}}
{{ define "tpl.chart.replace" -}}
{{ $val := index . 0 -}}
{{ $old := index . 1 -}}
{{ $new := index . 2 -}}
{{ if $val -}}
{{ printf "[WARNING] Deprecated: %s is deprecated. Please use %s instead.\n" $old $new | indent 0 }}
{{ end -}}
{{ end -}}
{{/*
Expand the name of the chart.
*/}}
{{- define "rancher.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "rancher.fullname" -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{/*
Create a default fully qualified chart name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "rancher.chartname" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Prepare the Rancher Image value w/ new fields as opt-in for now.
*/}}
{{ define "rancher.image" -}}
{{ if .Values.rancherImage -}}
{{ .Values.rancherImage -}}
{{ else -}}
{{ printf "%s%s" (include "defaultOrOverrideRegistry" (list . (default "" .Values.image.registry))) (include "rancher.imageRepo" .) -}}
{{ end -}}
{{ end -}}
{{/*
Prepare the Rancher Image repo value w/ new fields as opt-in for now.
*/}}
{{ define "rancher.imageRepo" -}}
{{ default "rancher/rancher" .Values.image.repository -}}
{{ end -}}
{{/*
Prepare the Rancher Image Tag value w/ new fields as opt-in for now.
*/}}
{{ define "rancher.imageTag" -}}
{{ default .Chart.AppVersion (default .Values.image.tag (default "" .Values.rancherImageTag)) -}}
{{ end -}}
{{/*
Prepare the Rancher Image Pull Policy value w/ new fields as opt-in for now.
*/}}
{{ define "rancher.imagePullPolicy" -}}
{{ default "IfNotPresent" (default .Values.image.pullPolicy (default "" .Values.rancherImagePullPolicy)) -}}
{{ end -}}
{{/*
Render Values in configurationSnippet
*/}}
{{- define "configurationSnippet" -}}
{{- tpl (.Values.ingress.configurationSnippet) . | nindent 6 -}}
{{- end -}}
{{/*
Generate the labels.
*/}}
{{- define "rancher.labels" -}}
app: {{ template "rancher.fullname" . }}
chart: {{ template "rancher.chartname" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
{{- end }}
{{/*
Generate the labels for pre-upgrade-hook.
*/}}
{{- define "rancher.preupgradelabels" -}}
app: {{ template "rancher.fullname" . }}-pre-upgrade
chart: {{ template "rancher.chartname" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
{{- end }}
{{/*
Generate the Kubernetes recommended common labels.
Usage:
include "rancher.commonLabels" (dict "context" . "component" "xyz" "partOf" "abc")
*/}}
{{- define "rancher.commonLabels" -}}
{{- $ctx := .context }}
app.kubernetes.io/name: {{ $ctx.Chart.Name | quote }}
app.kubernetes.io/instance: {{ $ctx.Release.Name | quote }}
app.kubernetes.io/version: {{ $ctx.Chart.AppVersion | quote }}
app.kubernetes.io/managed-by: {{ $ctx.Release.Service | quote }}
{{- with .component }}
app.kubernetes.io/component: {{ . | quote }}
{{- end }}
{{- with .partOf }}
app.kubernetes.io/part-of: {{ . | quote }}
{{- end }}
{{- end }}
# Windows Support
{{/*
Windows cluster will add default taint for linux nodes,
add below linux tolerations to workloads could be scheduled to those linux nodes
*/}}
{{- define "linux-node-tolerations" -}}
- key: "cattle.io/os"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
{{- end -}}
{{- define "linux-node-selector-terms" -}}
{{- $key := "kubernetes.io/os" -}}
- key: {{ $key }}
operator: NotIn
values:
- windows
{{- end -}}
{{ define "system_default_registry" -}}
{{ if .Values.systemDefaultRegistry -}}
{{ include "tpl.url.ensureTrailingSlash" .Values.systemDefaultRegistry }}
{{- end -}}
{{ end -}}
{{ define "defaultOrOverrideRegistry" -}}
{{ $rootContext := index . 0 -}}
{{ $inputRegistry := index . 1 | default "" -}}
{{ if ne $inputRegistry "" -}}
{{ $inputRegistry = (include "tpl.url.ensureTrailingSlash" $inputRegistry) -}}
{{ end -}}
{{ $systemDefault := include "system_default_registry" $rootContext | default "" -}}
{{ coalesce $inputRegistry $systemDefault "" }}
{{- end -}}
{{/*
Select correct auditLog image
*/}}
{{ define "auditLog.image" -}}
{{ if .Values.busyboxImage -}}
{{ .Values.busyboxImage -}}
{{ else -}}
{{- .Values.auditLog.image.repository -}}:{{- .Values.auditLog.image.tag -}}
{{ end -}}
{{ end -}}
{{/*
Determine the registration mode, defaulting to online if not specified
*/}}
{{ define "registration.mode" -}}
{{ default "online" .Values.registration.mode | quote }}
{{- end -}}
infrastructure/charts/rancher/templates/clusterRoleBinding.yaml
+14
View File
@@ -0,0 +1,14 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "rancher.fullname" . }}
labels:
{{ include "rancher.labels" . | indent 4 }}
subjects:
- kind: ServiceAccount
name: {{ template "rancher.fullname" . }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io
infrastructure/charts/rancher/templates/configMap.yaml
+18
View File
@@ -0,0 +1,18 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: rancher-config
labels: {{ include "rancher.labels" . | nindent 4 }}
app.kubernetes.io/part-of: "rancher"
data:
priorityClassName: {{ .Values.priorityClassName }}
{{- if and .Values.webhook (kindIs "string" .Values.webhook) }}
rancher-webhook: {{ .Values.webhook | quote }}
{{- else if .Values.webhook }}
rancher-webhook: {{ toYaml .Values.webhook | quote }}
{{- end }}
{{- if and .Values.fleet (kindIs "string" .Values.fleet) }}
fleet: {{ .Values.fleet | quote }}
{{- else if .Values.fleet }}
fleet: {{ toYaml .Values.fleet | quote }}
{{- end }}
infrastructure/charts/rancher/templates/deployment.yaml
+283
View File
@@ -0,0 +1,283 @@
kind: Deployment
apiVersion: apps/v1
metadata:
name: {{ template "rancher.fullname" . }}
annotations:
{{- if (lt (int .Values.replicas) 0) }}
management.cattle.io/scale-available: "{{ sub 0 (int .Values.replicas)}}"
{{- end }}
labels:
{{ include "rancher.labels" . | indent 4 }}
spec:
{{- if (gt (int .Values.replicas) 0) }}
replicas: {{ .Values.replicas }}
{{- end }}
selector:
matchLabels:
app: {{ template "rancher.fullname" . }}
strategy:
rollingUpdate:
maxSurge: 1
{{- if (eq (int .Values.replicas) 1) }}
maxUnavailable: 0
{{- else }}
maxUnavailable: 1
{{- end }}
type: RollingUpdate
template:
metadata:
labels:
app: {{ template "rancher.fullname" . }}
release: {{ .Release.Name }}
spec:
priorityClassName: {{ .Values.priorityClassName }}
serviceAccountName: {{ template "rancher.fullname" . }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.imagePullSecrets | indent 6 }}
{{- end }}
affinity:
podAntiAffinity:
{{- if eq .Values.antiAffinity "required" }}
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- {{ template "rancher.fullname" . }}
topologyKey: {{ .Values.topologyKey | default "kubernetes.io/hostname" }}
{{- else }}
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- {{ template "rancher.fullname" . }}
topologyKey: {{ .Values.topologyKey | default "kubernetes.io/hostname" }}
{{- end }}
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions: {{ include "linux-node-selector-terms" . | nindent 16 }}
{{- if .Values.extraNodeSelectorTerms }}
{{- toYaml .Values.extraNodeSelectorTerms | nindent 16 }}
{{- end }}
tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
{{- if .Values.extraTolerations }}
{{- toYaml .Values.extraTolerations | nindent 8 }}
{{- end }}
{{- if .Values.hostNetwork }}
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
{{- end }}
containers:
- image: "{{ template "rancher.image" . }}:{{ template "rancher.imageTag" . }}"
imagePullPolicy: {{ include "rancher.imagePullPolicy" . }}
name: {{ template "rancher.name" . }}
ports:
- containerPort: 80
protocol: TCP
{{- if (and .Values.hostPort (gt (int .Values.hostPort) 0)) }}
- containerPort: 444
hostPort: {{ int .Values.hostPort }}
protocol: TCP
{{- end}}
- containerPort: 6666
protocol: TCP
args:
{{- if .Values.debug }}
- "--debug"
{{- end }}
{{- if .Values.privateCA }}
# Private CA - don't clear ca certs
{{- else if and (eq .Values.tls "ingress") (eq .Values.ingress.tls.source "rancher") }}
# Rancher self-signed - don't clear ca certs
{{- else }}
# Public trusted CA - clear ca certs
- "--no-cacerts"
{{- end }}
- "--http-listen-port=80"
- "--https-listen-port=443"
- "--add-local={{ .Values.addLocal }}"
env:
- name: CATTLE_NAMESPACE
value: {{ .Release.Namespace }}
- name: CATTLE_PEER_SERVICE
value: {{ template "rancher.fullname" . }}
{{- if .Values.features }}
- name: CATTLE_FEATURES
value: "{{ .Values.features }}"
{{- end}}
{{- if .Values.noDefaultAdmin }}
- name: CATTLE_NO_DEFAULT_ADMIN
value: "{{ .Values.noDefaultAdmin }}"
{{- end}}
{{- if .Values.auditLog.enabled }}
- name: AUDIT_LOG_ENABLED
value: "true"
- name: AUDIT_LEVEL
value: {{ .Values.auditLog.level | quote }}
- name: AUDIT_LOG_MAXAGE
value: {{ .Values.auditLog.maxAge | quote }}
- name: AUDIT_LOG_MAXBACKUP
value: {{ .Values.auditLog.maxBackup | quote }}
- name: AUDIT_LOG_MAXSIZE
value: {{ .Values.auditLog.maxSize | quote }}
{{- end }}
{{- if .Values.proxy }}
- name: HTTP_PROXY
value: {{ .Values.proxy }}
- name: HTTPS_PROXY
value: {{ .Values.proxy }}
- name: NO_PROXY
value: {{ .Values.noProxy }}
{{- end }}
{{- if .Values.systemDefaultRegistry }}
- name: CATTLE_SYSTEM_DEFAULT_REGISTRY
value: {{ .Values.systemDefaultRegistry }}
{{- end }}
{{- if .Values.useBundledSystemChart }}
- name: CATTLE_SYSTEM_CATALOG
value: bundled
{{- end }}
{{- if .Values.bootstrapPassword }}
- name: CATTLE_BOOTSTRAP_PASSWORD
valueFrom:
secretKeyRef:
name: "bootstrap-secret"
key: "bootstrapPassword"
{{- end }}
{{- if .Values.agentTLSMode }}
- name: CATTLE_AGENT_TLS_MODE
value: "{{ .Values.agentTLSMode }}"
{{- end }}
- name: IMPERATIVE_API_DIRECT
value: "true"
- name: IMPERATIVE_API_APP_SELECTOR
value: {{ template "rancher.fullname" . }}
{{- if .Values.aggregationRegistrationTimeout }}
- name: AGGREGATION_REGISTRATION_TIMEOUT
value: {{ .Values.aggregationRegistrationTimeout }}
{{- end }}
{{- if .Values.cacheSyncTimeout }}
- name: CACHE_SYNC_TIMEOUT
value: {{ .Values.cacheSyncTimeout }}
{{- end }}
{{- if .Values.extraEnv }}
{{ toYaml .Values.extraEnv | indent 8}}
{{- end }}
startupProbe:
httpGet:
path: /healthz
port: 80
timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }}
failureThreshold: {{ .Values.startupProbe.failureThreshold }}
periodSeconds: {{ .Values.startupProbe.periodSeconds }}
livenessProbe:
httpGet:
path: /healthz
port: 80
{{- with .Values.livenessProbe.initialDelaySeconds}}
initialDelaySeconds: {{ . }}
{{- end }}
timeoutSeconds: {{.Values.livenessProbe.timeoutSeconds }}
periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
failureThreshold: {{.Values.livenessProbe.failureThreshold }}
readinessProbe:
httpGet:
path: /healthz
port: 80
{{- with .Values.readinessProbe.initialDelaySeconds}}
initialDelaySeconds: {{ . }}
{{- end }}
timeoutSeconds: {{.Values.readinessProbe.timeoutSeconds }}
periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
failureThreshold: {{.Values.readinessProbe.failureThreshold }}
{{- if .Values.resources }}
resources: {{- toYaml .Values.resources | nindent 10 }}
{{- end }}
volumeMounts:
{{- if .Values.additionalTrustedCAs }}
- mountPath: /etc/pki/trust/anchors/ca-additional.pem
name: tls-ca-additional-volume
subPath: ca-additional.pem
readOnly: true
- mountPath: /etc/rancher/ssl/ca-additional.pem
name: tls-ca-additional-volume
subPath: ca-additional.pem
readOnly: true
{{- end }}
{{- if .Values.privateCA }}
# Pass CA cert into rancher for private CA
- mountPath: /etc/rancher/ssl/cacerts.pem
name: tls-ca-volume
subPath: cacerts.pem
readOnly: true
{{- end }}
{{- if and .Values.customLogos.enabled (or (eq .Values.customLogos.volumeKind "persistentVolumeClaim") (and (eq .Values.customLogos.volumeKind "configMap") (.Values.customLogos.volumeName))) }}
# Mount rancher custom-logos volume
- mountPath: /usr/share/rancher/ui/assets/images/logos
name: custom-logos
subPath: {{ .Values.customLogos.volumeSubpaths.emberUi | default "ember" | quote }}
- mountPath: /usr/share/rancher/ui-dashboard/dashboard/_nuxt/assets/images/pl
name: custom-logos
subPath: {{ .Values.customLogos.volumeSubpaths.vueUi | default "vue" | quote }}
{{- end }}
{{- if .Values.auditLog.enabled }}
- mountPath: /var/log/auditlog
name: audit-log
{{- end }}
{{- if eq .Values.auditLog.destination "sidecar" }}
{{- if .Values.auditLog.enabled }}
# Make audit logs available for Rancher log collector tools.
- image: "{{ printf "%s%s" (include "defaultOrOverrideRegistry" (list . (default "" .Values.auditLog.image.registry))) (include "auditLog.image" .) }}"
imagePullPolicy: {{ default .Values.auditLog.image.pullPolicy .Values.busyboxImagePullPolicy }}
name: {{ template "rancher.name" . }}-audit-log
command: ["tail"]
args: ["-F", "/var/log/auditlog/rancher-api-audit.log"]
volumeMounts:
- mountPath: /var/log/auditlog
name: audit-log
{{- if .Values.auditLog.resources }}
resources: {{- toYaml .Values.auditLog.resources | nindent 10 }}
{{- end }}
{{- end }}
{{- end }}
volumes:
{{- if .Values.additionalTrustedCAs }}
- name: tls-ca-additional-volume
secret:
defaultMode: 0400
secretName: tls-ca-additional
{{- end }}
{{- if .Values.privateCA }}
- name: tls-ca-volume
secret:
defaultMode: 0400
secretName: tls-ca
{{- end }}
{{- if .Values.auditLog.enabled }}
{{- if eq .Values.auditLog.destination "hostPath" }}
- name: audit-log
hostPath:
path: {{ .Values.auditLog.hostPath }}
type: DirectoryOrCreate
{{- else }}
- name: audit-log
emptyDir: {}
{{- end }}
{{- end }}
{{- if and .Values.customLogos.enabled (or (eq .Values.customLogos.volumeKind "persistentVolumeClaim") (and (eq .Values.customLogos.volumeKind "configMap") (.Values.customLogos.volumeName))) }}
- name: custom-logos
{{- if (eq .Values.customLogos.volumeKind "persistentVolumeClaim") }}
persistentVolumeClaim:
claimName: {{ .Values.customLogos.volumeName | default (printf "%s-custom-logos" (include "rancher.fullname" .)) }}
{{- else if (eq .Values.customLogos.volumeKind "configMap") }}
configMap:
name: {{ .Values.customLogos.volumeName }}
{{- end }}
{{- end }}
infrastructure/charts/rancher/templates/extra-manifests.yaml
+4
View File
@@ -0,0 +1,4 @@
{{ range .Values.extraObjects }}
---
{{ tpl (toYaml .) $ }}
{{ end }}
infrastructure/charts/rancher/templates/ingress.yaml
+69
View File
@@ -0,0 +1,69 @@
{{- if .Values.ingress.enabled }}
{{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (not (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress")) }}
apiVersion: networking.k8s.io/v1
{{- else }}
apiVersion: networking.k8s.io/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ template "rancher.fullname" . }}
labels:
{{ include "rancher.labels" . | indent 4 }}
annotations:
{{- if .Values.ingress.configurationSnippet }}
nginx.ingress.kubernetes.io/configuration-snippet: |
{{- template "configurationSnippet" . }}
{{- end }}
{{- if eq .Values.tls "external" }}
nginx.ingress.kubernetes.io/ssl-redirect: "false" # turn off ssl redirect for external.
{{- else }}
{{- if ne .Values.ingress.tls.source "secret" }}
{{- $certmanagerVer := split "." .Values.certmanager.version -}}
{{- if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (lt (int $certmanagerVer._1) 11)) }}
certmanager.k8s.io/issuer: {{ template "rancher.fullname" . }}
{{- else }}
cert-manager.io/issuer: {{ template "rancher.fullname" . }}
cert-manager.io/issuer-kind: Issuer
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.ingress.includeDefaultExtraAnnotations }}
nginx.ingress.kubernetes.io/proxy-connect-timeout: "30"
nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
{{- end }}
{{- if eq (int .Values.ingress.servicePort) 443 }}
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
{{- end }}
{{- if .Values.ingress.extraAnnotations }}
{{ toYaml .Values.ingress.extraAnnotations | indent 4 }}
{{- end }}
spec:
{{- if .Values.ingress.ingressClassName }}
ingressClassName: {{ .Values.ingress.ingressClassName }}
{{- end }}
rules:
- host: {{ .Values.hostname }} # hostname to access rancher server
http:
paths:
- backend:
{{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (not (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress")) }}
service:
name: {{ template "rancher.fullname" . }}
port:
number: {{ .Values.ingress.servicePort }}
{{- else }}
serviceName: {{ template "rancher.fullname" . }}
servicePort: {{ .Values.ingress.servicePort }}
{{- end }}
{{- if or (.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress") (not (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress")) }}
pathType: {{ .Values.ingress.pathType }}
path: {{ .Values.ingress.path }}
{{- end }}
{{- if eq .Values.tls "ingress" }}
tls:
- hosts:
- {{ .Values.hostname }}
secretName: {{ .Values.ingress.tls.secretName }}
{{- end }}
{{- end }}
infrastructure/charts/rancher/templates/issuer-letsEncrypt.yaml
+37
View File
@@ -0,0 +1,37 @@
{{- if eq .Values.tls "ingress" -}}
{{- if eq .Values.ingress.tls.source "letsEncrypt" -}}
{{- $certmanagerVer := split "." .Values.certmanager.version -}}
{{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1beta1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 16)) }}
apiVersion: cert-manager.io/v1beta1
{{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 11)) }}
apiVersion: cert-manager.io/v1alpha2
{{- else if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (lt (int $certmanagerVer._1) 11)) }}
apiVersion: certmanager.k8s.io/v1alpha1
{{- else }}
apiVersion: cert-manager.io/v1
{{- end }}
kind: Issuer
metadata:
name: {{ template "rancher.fullname" . }}
labels:
{{ include "rancher.labels" . | indent 4 }}
spec:
acme:
{{- if eq .Values.letsEncrypt.environment "production" }}
server: https://acme-v02.api.letsencrypt.org/directory
{{- else }}
server: https://acme-staging-v02.api.letsencrypt.org/directory
{{- end }}
email: {{ .Values.letsEncrypt.email }}
privateKeySecretRef:
name: letsencrypt-{{ .Values.letsEncrypt.environment }}
{{- if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (lt (int $certmanagerVer._1) 11)) }}
http01: {}
{{- else }}
solvers:
- http01:
ingress:
class: {{ .Values.letsEncrypt.ingress.class }}
{{- end }}
{{- end -}}
{{- end -}}
infrastructure/charts/rancher/templates/issuer-rancher.yaml
+22
View File
@@ -0,0 +1,22 @@
{{- if eq .Values.tls "ingress" -}}
{{- if eq .Values.ingress.tls.source "rancher" -}}
{{- $certmanagerVer := split "." .Values.certmanager.version -}}
{{- if or (.Capabilities.APIVersions.Has "cert-manager.io/v1beta1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 16)) }}
apiVersion: cert-manager.io/v1beta1
{{- else if or (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (ge (int $certmanagerVer._1) 11)) }}
apiVersion: cert-manager.io/v1alpha2
{{- else if or (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1") (and (gt (len $certmanagerVer._0) 0) (eq (int $certmanagerVer._0) 0) (lt (int $certmanagerVer._1) 11)) }}
apiVersion: certmanager.k8s.io/v1alpha1
{{- else }}
apiVersion: cert-manager.io/v1
{{- end }}
kind: Issuer
metadata:
name: {{ template "rancher.fullname" . }}
labels:
{{ include "rancher.labels" . | indent 4 }}
spec:
ca:
secretName: tls-rancher
{{- end -}}
{{- end -}}
infrastructure/charts/rancher/templates/post-delete-hook-cluster-role-binding.yaml
+19
View File
@@ -0,0 +1,19 @@
{{- if .Values.postDelete.enabled }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "rancher.fullname" . }}-post-delete
labels: {{ include "rancher.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-delete
"helm.sh/hook-weight": "2"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "rancher.fullname" . }}-post-delete
subjects:
- kind: ServiceAccount
name: {{ template "rancher.fullname" . }}-post-delete
namespace: {{ .Release.Namespace }}
{{- end }}
infrastructure/charts/rancher/templates/post-delete-hook-cluster-role.yaml
+42
View File
@@ -0,0 +1,42 @@
{{- if .Values.postDelete.enabled }}
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "rancher.fullname" . }}-post-delete
labels: {{ include "rancher.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-delete
"helm.sh/hook-weight": "1"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
rules:
- apiGroups: [ "extensions","apps" ]
resources: [ "deployments" ]
verbs: [ "get", "list", "delete" ]
- apiGroups: [ "batch" ]
resources: [ "jobs", "cronjobs" ]
verbs: [ "get", "list", "watch", "delete", "create" ]
- apiGroups: [ "rbac.authorization.k8s.io" ]
resources: [ "clusterroles", "clusterrolebindings", "roles", "rolebindings" ]
verbs: [ "get", "list", "delete", "create" ]
- apiGroups: [ "" ]
resources: [ "pods", "secrets", "services", "configmaps" ]
verbs: [ "get", "list", "delete" ]
- apiGroups: [ "" ]
resources: [ "serviceaccounts" ]
verbs: [ "get", "list", "delete", "create" ]
- apiGroups: [ "networking.k8s.io" ]
resources: [ "networkpolicies" ]
verbs: [ "get", "list", "delete" ]
- apiGroups: [ "admissionregistration.k8s.io" ]
resources: [ "validatingwebhookconfigurations", "mutatingwebhookconfigurations" ]
verbs: [ "get", "list", "delete" ]
- apiGroups: [ "networking.k8s.io" ]
resources: [ "ingresses" ]
verbs: [ "delete" ]
- apiGroups: [ "cert-manager.io" ]
resources: [ "issuers" ]
verbs: [ "delete" ]
- apiGroups: [ "apiregistration.k8s.io" ]
resources: [ "apiservices" ]
verbs: [ "delete" ]
{{- end }}
infrastructure/charts/rancher/templates/post-delete-hook-config-map.yaml
+15
View File
@@ -0,0 +1,15 @@
{{- if .Values.postDelete.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "rancher.fullname" . }}-post-delete
namespace: {{ .Release.Namespace }}
labels: {{ include "rancher.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-delete
"helm.sh/hook-weight": "1"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
data:
post-delete-hook.sh: |-
{{ $.Files.Get "scripts/post-delete-hook.sh" | indent 4 }}
{{- end }}
infrastructure/charts/rancher/templates/post-delete-hook-job.yaml
+46
View File
@@ -0,0 +1,46 @@
{{- if .Values.postDelete.enabled }}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "rancher.fullname" . }}-post-delete
namespace: {{ .Release.Namespace }}
labels: {{ include "rancher.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-delete
"helm.sh/hook-weight": "3"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
backoffLimit: 3
template:
metadata:
name: {{ template "rancher.fullname" . }}-post-delete
labels: {{ include "rancher.labels" . | nindent 8 }}
spec:
serviceAccountName: {{ template "rancher.fullname" . }}-post-delete
restartPolicy: OnFailure
containers:
- name: {{ template "rancher.name" . }}-post-delete
image: "{{ printf "%s%s" (include "defaultOrOverrideRegistry" (list . .Values.postDelete.image.registry)) .Values.postDelete.image.repository }}:{{ .Values.postDelete.image.tag }}"
imagePullPolicy: {{ default "IfNotPresent" .Values.postDelete.pullPolicy }}
securityContext:
runAsUser: 0
command:
- /scripts/post-delete-hook.sh
volumeMounts:
- mountPath: /scripts
name: config-volume
env:
- name: NAMESPACES
value: {{ .Values.postDelete.namespaceList | join " " | quote }}
- name: RANCHER_NAMESPACE
value: {{ .Release.Namespace }}
- name: TIMEOUT
value: {{ .Values.postDelete.timeout | quote }}
- name: IGNORETIMEOUTERROR
value: {{ .Values.postDelete.ignoreTimeoutError | quote }}
volumes:
- name: config-volume
configMap:
name: {{ template "rancher.fullname" . }}-post-delete
defaultMode: 0777
{{- end }}
infrastructure/charts/rancher/templates/post-delete-hook-service-account.yaml
+12
View File
@@ -0,0 +1,12 @@
{{- if .Values.postDelete.enabled }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "rancher.fullname" . }}-post-delete
namespace: {{ .Release.Namespace }}
labels: {{ include "rancher.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-delete
"helm.sh/hook-weight": "1"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
{{- end }}
infrastructure/charts/rancher/templates/pre-upgrade-hook-cluster-role-binding.yaml
+17
View File
@@ -0,0 +1,17 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ template "rancher.fullname" . }}-pre-upgrade
labels: {{ include "rancher.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": pre-upgrade
"helm.sh/hook-weight": "-1"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "rancher.fullname" . }}-pre-upgrade
subjects:
- kind: ServiceAccount
name: {{ template "rancher.fullname" . }}-pre-upgrade
namespace: {{ .Release.Namespace }}
infrastructure/charts/rancher/templates/pre-upgrade-hook-cluster-role.yaml
+16
View File
@@ -0,0 +1,16 @@
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "rancher.fullname" . }}-pre-upgrade
labels: {{ include "rancher.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": pre-upgrade
"helm.sh/hook-weight": "-1"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
rules:
- apiGroups: ["management.cattle.io"]
resources:
- "clusters"
- "nodetemplates"
- "clustertemplates"
verbs: ["get", "list"]
infrastructure/charts/rancher/templates/pre-upgrade-hook-config-map.yaml
+13
View File
@@ -0,0 +1,13 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "rancher.fullname" . }}-pre-upgrade
namespace: {{ .Release.Namespace }}
labels: {{ include "rancher.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": pre-upgrade
"helm.sh/hook-weight": "-1"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
data:
pre-upgrade-hook.sh: |-
{{ $.Files.Get "scripts/pre-upgrade-hook.sh" | indent 4 }}
infrastructure/charts/rancher/templates/pre-upgrade-hook-job.yaml
+35
View File
@@ -0,0 +1,35 @@
apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "rancher.fullname" . }}-pre-upgrade
namespace: {{ .Release.Namespace }}
labels: {{ include "rancher.preupgradelabels" . | nindent 4 }}
annotations:
"helm.sh/hook": pre-upgrade
"helm.sh/hook-weight": "-1"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
spec:
backoffLimit: 3
template:
metadata:
name: {{ template "rancher.fullname" . }}-pre-upgrade
labels: {{ include "rancher.preupgradelabels" . | nindent 8 }}
spec:
serviceAccountName: {{ template "rancher.fullname" . }}-pre-upgrade
restartPolicy: Never
containers:
- name: {{ template "rancher.name" . }}-pre-upgrade
image: "{{ printf "%s%s" (include "defaultOrOverrideRegistry" (list . .Values.preUpgrade.image.registry)) .Values.preUpgrade.image.repository }}:{{ .Values.preUpgrade.image.tag }}"
imagePullPolicy: {{ default "IfNotPresent" .Values.preUpgrade.pullPolicy }}
securityContext:
runAsUser: 0
command:
- /scripts/pre-upgrade-hook.sh
volumeMounts:
- mountPath: /scripts
name: config-volume
volumes:
- name: config-volume
configMap:
name: {{ template "rancher.fullname" . }}-pre-upgrade
defaultMode: 0777
infrastructure/charts/rancher/templates/pre-upgrade-hook-service-account.yaml
+10
View File
@@ -0,0 +1,10 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "rancher.fullname" . }}-pre-upgrade
namespace: {{ .Release.Namespace }}
labels: {{ include "rancher.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": pre-upgrade
"helm.sh/hook-weight": "-1"
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
infrastructure/charts/rancher/templates/priorityClass.yaml
+8
View File
@@ -0,0 +1,8 @@
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
name: rancher-critical
labels: {{ include "rancher.labels" . | nindent 4 }}
value: 1000000000
globalDefault: false
description: "Priority class used by pods critical to rancher's functionality."
infrastructure/charts/rancher/templates/pvc.yaml
+19
View File
@@ -0,0 +1,19 @@
{{- if and (.Values.customLogos.enabled) (eq .Values.customLogos.volumeKind "persistentVolumeClaim") (not .Values.customLogos.volumeName) }}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: {{ template "rancher.fullname" . }}-custom-logos
spec:
accessModes:
- {{ .Values.customLogos.accessMode | quote }}
resources:
requests:
storage: {{ .Values.customLogos.size | quote }}
storageClassName: {{ if .Values.customLogos.storageClass }}
{{- if (eq "-" .Values.customLogos.storageClass) -}}
""
{{- else }}
{{- .Values.customLogos.storageClass }}
{{- end -}}
{{- end }}
{{- end }}
infrastructure/charts/rancher/templates/secret.yaml
+25
View File
@@ -0,0 +1,25 @@
{{/* Use the bootstrap password from values.yaml if an existing secret is not found */}}
{{- $bootstrapPassword := .Values.bootstrapPassword -}}
{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace "bootstrap-secret" -}}
{{- if $existingSecret -}}
{{- if $existingSecret.data -}}
{{- if $existingSecret.data.bootstrapPassword -}}
{{- $bootstrapPassword = $existingSecret.data.bootstrapPassword | b64dec -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/* If a bootstrap password was found in the values or an existing password was found create the secret */}}
{{- if $bootstrapPassword }}
apiVersion: v1
kind: Secret
metadata:
name: "bootstrap-secret"
namespace: {{ .Release.Namespace }}
annotations:
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "-5"
"helm.sh/resource-policy": keep
type: Opaque
data:
bootstrapPassword: {{ $bootstrapPassword | b64enc | quote }}
{{- end }}
infrastructure/charts/rancher/templates/service.yaml
+30
View File
@@ -0,0 +1,30 @@
apiVersion: v1
kind: Service
metadata:
{{- if .Values.service.annotations }}
annotations:
{{ toYaml .Values.service.annotations | indent 4 }}
{{- end }}
name: {{ template "rancher.fullname" . }}
labels:
{{ include "rancher.labels" . | indent 4 }}
spec:
{{- /*
If service.type is not provided this attribute is ommitted and k8s default of ClusterIP is used.
*/}}
{{- if .Values.service.type }}
type: {{ .Values.service.type }}
{{- end }}
ports:
{{- if not (default .Values.service.disableHTTP false) }}
- port: 80
targetPort: 80
protocol: TCP
name: http
{{- end }}
- port: 443
targetPort: 444
protocol: TCP
name: https-internal
selector:
app: {{ template "rancher.fullname" . }}
infrastructure/charts/rancher/templates/serviceAccount.yaml
+6
View File
@@ -0,0 +1,6 @@
kind: ServiceAccount
apiVersion: v1
metadata:
name: {{ template "rancher.fullname" . }}
labels:
{{ include "rancher.labels" . | indent 4 }}
infrastructure/charts/rancher/values.schema.json
+78
View File
@@ -0,0 +1,78 @@
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "urn:rancher:schema:rancher-chart:v1",
"title": "Rancher Chart Values",
"type": "object",
"properties": {
"agentTLSMode": {
"type": ["string", "null"],
"enum": ["strict", "system-store", "", null],
"description": "agentTLSMode must be 'strict' or 'system-store' or null (defaults to system-store)"
},
"auditLog": {
"type": "object",
"properties": {
"destination": {
"type": "string",
"enum": ["sidecar", "hostPath"],
"description": "auditLog.destination must be either 'sidecar' or 'hostPath'"
},
"level": {
"type": "integer",
"enum": [0, 1, 2, 3],
"description": "auditLog.level must be a number 0-3; 0 to disable, 3 for most verbose"
},
"enabled": {
"type": "boolean",
"description": "auditLog.enabled must be a boolean"
}
}
},
"service": {
"type": "object",
"description": "The default rancher service configuration",
"properties": {
"type": {
"type": ["string", "null"],
"enum": ["ClusterIP", "LoadBalancer", "NodePort", "", null]
},
"disableHTTP": {
"type": "boolean"
}
}
},
"ingress": {
"type": "object",
"description": "The default rancher ingress configuration",
"properties": {
"servicePort": {
"type": "integer",
"enum": [443, 80]
}
}
}
},
"required": [],
"if": {
"properties": {
"service": {
"properties": {
"disableHTTP": { "const": true }
},
"required": ["disableHTTP"]
}
}
},
"then": {
"properties": {
"ingress": {
"properties": {
"servicePort": {
"enum": [443]
}
},
"required": ["servicePort"]
}
}
}
}
infrastructure/charts/rancher/values.yaml
+293
View File
@@ -0,0 +1,293 @@
# Additional Trusted CAs.
# Enable this flag and add your CA certs as a secret named tls-ca-additional in the namespace.
# See README.md for details.
additionalTrustedCAs: false
antiAffinity: preferred
topologyKey: kubernetes.io/hostname
# Source: https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-api-audit-log
auditLog:
enabled: false
# level can be one of 0, 1, 2, or 3 with 3 being the most verbose. This value is a system level default and may
# impact the verbosity on any AuditPolicies you define. See below for a description of each log level:
# 0: Only log metadata such as URI, method, user, etc
# 1: Log metadata, request headers, and response headers
# 2: Log metadata, request header, response headers, and request body
# 3: Log metadata, request header, response heaeders, request body, and response body
level: 0
# destination may be one of "sidecar" or "hostpath". When set to "sidecar" logs will be sent and output to a sidecar
# container called "rancher-audit-log". When "hostpath" logs are written to a hostpath volume called "audit-log" to
# a directory configured by auditLog.hostPath.
destination: sidecar
hostPath: /var/log/rancher/audit/
maxAge: 1
maxBackup: 1
maxSize: 100
# Set pod resource requests/limits for Audit log sidecar (ONLY used if destination=sidecar).
resources: {}
# Image for collecting rancher audit logs.
# Important: update pkg/image/export/resolve.go when this default image is changed, so that it's reflected accordingly in rancher-images.txt generated for air-gapped setups.
image:
# Optional: Image-specific registry override
# registry: ""
repository: "rancher/mirrored-bci-micro"
tag: 15.6.24.2
# Optional: Image-specific pullPolicy Override
# options: Always, Never, IfNotPresent
pullPolicy: "IfNotPresent"
# Timeout for rancher controllers to complete a cache sync. Larger clusters may need to increase this value.
# cacheSyncTimeout: 5m
# As of Rancher v2.5.0 this flag is deprecated and must be set to 'true' in order for Rancher to start
addLocal: "true"
# Add debug flag to Rancher server
debug: false
# Control how the Rancher agents validate TLS connections
# Valid options: strict, or system-store
# Note, for new installations empty will default to strict on 2.9+, or system-store on 2.8 or older
agentTLSMode: ""
# Extra environment variables passed to the rancher pods.
# extraEnv:
# - name: CATTLE_TLS_MIN_VERSION
# value: "1.0"
# Fully qualified name to reach your Rancher server
# hostname: rancher.my.org
## Optional array of imagePullSecrets containing private registry credentials
## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
imagePullSecrets: []
# - name: secretName
### ingress ###
# Readme for details and instruction on adding tls secrets.
ingress:
# If set to false, ingress will not be created
# Defaults to true
# options: true, false
enabled: true
includeDefaultExtraAnnotations: true
extraAnnotations: {}
ingressClassName: ""
# Certain ingress controllers will require the pathType or path to be set to a different value.
pathType: ImplementationSpecific
path: "/"
# Backend port number; should use either: 80, or 443.
# Must use 443 when `service.disableHTTP` is set to true.
servicePort: 80
# configurationSnippet - Add additional Nginx configuration. This example statically sets a header on the ingress.
# configurationSnippet: |
# more_set_input_headers "X-Forwarded-Host: {{ .Values.hostname }}";
tls:
# options: rancher, letsEncrypt, secret
source: rancher
secretName: tls-rancher-ingress
### service ###
# Override to use NodePort or LoadBalancer service type - default is ClusterIP
service:
type: ""
annotations: {}
# An optional security setting to disables the HTTP port of the rancher service
# When set true, you must also set `ingress.servicePort` to 443 and the appropriate ingress annotation to use HTTPS
disableHTTP: false
### LetsEncrypt config ###
# ProTip: The production environment only allows you to register a name 5 times a week.
# Use staging until you have your config right.
letsEncrypt:
# email: none@example.com
environment: production
ingress:
# options: traefik, nginx
class: ""
# If you are using certs signed by a private CA set to 'true' and set the 'tls-ca'
# in the 'cattle-system' namespace. See the README.md for details
privateCA: false
# http[s] proxy server passed into rancher server.
# proxy: http://<username>@<password>:<url>:<port>
# comma separated list of domains or ip addresses that will not use the proxy
noProxy: 127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.svc,.cluster.local
# Rancher image configuration
image:
# Optional: Image-specific registry override
# registry: ""
repository: rancher/rancher
# Defaults to .Chart.appVersion
# rancher/rancher image tag. https://hub.docker.com/r/rancher/rancher/tags/
tag: ""
pullPolicy: IfNotPresent
## Deprecation Notice: `rancherImage`, `rancherImageTag`, and `rancherImagePullPolicy` are deprecated - use `image.*` fields instead.
# Override the name of the Rancher image to pull.
# To override the registry location use systemDefaultRegistry instead.
# rancherImage: ""
# rancher/rancher image tag. https://hub.docker.com/r/rancher/rancher/tags/
# Defaults to .Chart.appVersion
# rancherImageTag: v2.0.7
# Override imagePullPolicy for rancher server images
# options: Always, Never, IfNotPresent
# Defaults to IfNotPresent
# rancherImagePullPolicy: <pullPolicy>
# aggregationRegistrationTimeout: 5m
# Number of Rancher server replicas. Setting to negative number will dynamically between 0 and the abs(replicas) based on available nodes.
# of available nodes in the cluster
replicas: 3
# Set priorityClassName to avoid eviction
priorityClassName: rancher-critical
# Set pod resource requests/limits for Rancher.
resources: {}
#
# tls
# Where to offload the TLS/SSL encryption
# - ingress (default)
# - external
tls: ingress
# Set a custom image registry mirror to pull Rancher images from; useful in air-gapped environments.
systemDefaultRegistry: ""
# Set to use the packaged system charts
useBundledSystemChart: false
# Certmanager version compatibility
certmanager:
version: ""
# Rancher custom logos persistence
customLogos:
enabled: false
volumeSubpaths:
emberUi: "ember"
vueUi: "vue"
## Volume kind to use for persistence: persistentVolumeClaim, configMap
volumeKind: persistentVolumeClaim
## Use an existing volume. Custom logos should be copied to the volume by the user
# volumeName: custom-logos
## Just for volumeKind: persistentVolumeClaim
## To disables dynamic provisioning, set storageClass: "" or storageClass: "-"
# storageClass: "-"
accessMode: ReadWriteOnce
size: 1Gi
# Rancher post-delete hook
postDelete:
enabled: true
image:
# Optional: Image-specific registry override
# registry: ""
repository: rancher/shell
tag: v0.6.2
# Optional: Image-specific pullPolicy Override
# options: Always, Never, IfNotPresent
# pullPolicy: "Always"
namespaceList:
- cattle-fleet-system
- cattle-system
- rancher-operator-system
# Number of seconds to wait for an app to be uninstalled
timeout: 120
# by default, the job will fail if it fail to uninstall any of the apps
ignoreTimeoutError: false
preUpgrade:
image:
# Optional: Image-specific registry override
# registry: ""
repository: rancher/shell
tag: v0.6.2
# Optional: Image-specific pull policy override
# pullPolicy: "Always"
# Set a bootstrap password. If leave empty, a random password will be generated.
bootstrapPassword: ""
startupProbe:
## should be ready within 2 minutes
timeoutSeconds: 5
periodSeconds: 10
failureThreshold: 12
# Additional taints to tolerate
extraTolerations: {}
# Additional node selector terms for the rancher deployment
# Ex:
# - key: topology.kubernetes.io/zone
# operator: In
# values:
# - us-north-42
extraNodeSelectorTerms: {}
livenessProbe:
timeoutSeconds: 5
periodSeconds: 30
failureThreshold: 5
readinessProbe:
timeoutSeconds: 5
periodSeconds: 30
failureThreshold: 5
# Enable host networking for Rancher pods.
# Required for EKS clusters using non-VPC CNIs (e.g. Calico).
hostNetwork: false
# helm values to use when installing the rancher-webhook chart.
# helm values set here will override all other global values used when installing the webhook such as priorityClassName and systemRegistry settings.
webhook: ""
# helm values to use when installing the fleet chart.
# helm values set here will override all other global values used when installing the fleet chart.
fleet: ""
# Create a dynamic manifests via values:
# Beware: There will be no validation on these resource manifests in `extraObjects` - they must be valid k8s resources.
# If you encounter issues installing/upgrading rancher while using these, please investigate these first.
extraObjects: []
# - apiVersion: "networking.k8s.io/v1"
# kind: NetworkPolicy
# metadata:
# name: allow-https-444-to-rancher
# namespace: your-namespace # Change to the appropriate namespace
# spec:
# podSelector:
# matchLabels:
# app: rancher # Selects pods labeled with "app: rancher"
# policyTypes:
# - Ingress # Controls inbound traffic to the selected pods
# ingress:
# - ports:
# - protocol: TCP
# port: 444 # Allows only TCP traffic on port 444 (custom HTTPS port)
# # Since no other ingress rules are defined, all other traffic is denied by default.
# - apiVersion: "networking.k8s.io/v1"
# kind: NetworkPolicy
# metadata:
# name: rancher-deny-ingress
# namespace: cattle-system
# spec:
# podSelector:
# matchLabels:
# app: rancher
# policyTypes:
# - Ingress