OpenStaticFish/HetznerTerra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: vendor Rancher chart for bootstrap
Deploy Cluster / Terraform (push) Successful in 31s
Details
Deploy Cluster / Ansible (push) Has been cancelled
Details

Browse Source
This commit is contained in:
MichaelFisher1997
2026-04-25 23:08:26 +00:00
parent f3c96b65d2
commit b1eab6a0fa
33 changed files with 1818 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
infrastructure/charts/rancher/templates/deployment.yaml
+283
View File
@@ -0,0 +1,283 @@
kind: Deployment
apiVersion: apps/v1
metadata:
name: {{ template "rancher.fullname" . }}
annotations:
{{- if (lt (int .Values.replicas) 0) }}
management.cattle.io/scale-available: "{{ sub 0 (int .Values.replicas)}}"
{{- end }}
labels:
{{ include "rancher.labels" . | indent 4 }}
spec:
{{- if (gt (int .Values.replicas) 0) }}
replicas: {{ .Values.replicas }}
{{- end }}
selector:
matchLabels:
app: {{ template "rancher.fullname" . }}
strategy:
rollingUpdate:
maxSurge: 1
{{- if (eq (int .Values.replicas) 1) }}
maxUnavailable: 0
{{- else }}
maxUnavailable: 1
{{- end }}
type: RollingUpdate
template:
metadata:
labels:
app: {{ template "rancher.fullname" . }}
release: {{ .Release.Name }}
spec:
priorityClassName: {{ .Values.priorityClassName }}
serviceAccountName: {{ template "rancher.fullname" . }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
{{ toYaml .Values.imagePullSecrets | indent 6 }}
{{- end }}
affinity:
podAntiAffinity:
{{- if eq .Values.antiAffinity "required" }}
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- {{ template "rancher.fullname" . }}
topologyKey: {{ .Values.topologyKey | default "kubernetes.io/hostname" }}
{{- else }}
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- {{ template "rancher.fullname" . }}
topologyKey: {{ .Values.topologyKey | default "kubernetes.io/hostname" }}
{{- end }}
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions: {{ include "linux-node-selector-terms" . | nindent 16 }}
{{- if .Values.extraNodeSelectorTerms }}
{{- toYaml .Values.extraNodeSelectorTerms | nindent 16 }}
{{- end }}
tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
{{- if .Values.extraTolerations }}
{{- toYaml .Values.extraTolerations | nindent 8 }}
{{- end }}
{{- if .Values.hostNetwork }}
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
{{- end }}
containers:
- image: "{{ template "rancher.image" . }}:{{ template "rancher.imageTag" . }}"
imagePullPolicy: {{ include "rancher.imagePullPolicy" . }}
name: {{ template "rancher.name" . }}
ports:
- containerPort: 80
protocol: TCP
{{- if (and .Values.hostPort (gt (int .Values.hostPort) 0)) }}
- containerPort: 444
hostPort: {{ int .Values.hostPort }}
protocol: TCP
{{- end}}
- containerPort: 6666
protocol: TCP
args:
{{- if .Values.debug }}
- "--debug"
{{- end }}
{{- if .Values.privateCA }}
# Private CA - don't clear ca certs
{{- else if and (eq .Values.tls "ingress") (eq .Values.ingress.tls.source "rancher") }}
# Rancher self-signed - don't clear ca certs
{{- else }}
# Public trusted CA - clear ca certs
- "--no-cacerts"
{{- end }}
- "--http-listen-port=80"
- "--https-listen-port=443"
- "--add-local={{ .Values.addLocal }}"
env:
- name: CATTLE_NAMESPACE
value: {{ .Release.Namespace }}
- name: CATTLE_PEER_SERVICE
value: {{ template "rancher.fullname" . }}
{{- if .Values.features }}
- name: CATTLE_FEATURES
value: "{{ .Values.features }}"
{{- end}}
{{- if .Values.noDefaultAdmin }}
- name: CATTLE_NO_DEFAULT_ADMIN
value: "{{ .Values.noDefaultAdmin }}"
{{- end}}
{{- if .Values.auditLog.enabled }}
- name: AUDIT_LOG_ENABLED
value: "true"
- name: AUDIT_LEVEL
value: {{ .Values.auditLog.level | quote }}
- name: AUDIT_LOG_MAXAGE
value: {{ .Values.auditLog.maxAge | quote }}
- name: AUDIT_LOG_MAXBACKUP
value: {{ .Values.auditLog.maxBackup | quote }}
- name: AUDIT_LOG_MAXSIZE
value: {{ .Values.auditLog.maxSize | quote }}
{{- end }}
{{- if .Values.proxy }}
- name: HTTP_PROXY
value: {{ .Values.proxy }}
- name: HTTPS_PROXY
value: {{ .Values.proxy }}
- name: NO_PROXY
value: {{ .Values.noProxy }}
{{- end }}
{{- if .Values.systemDefaultRegistry }}
- name: CATTLE_SYSTEM_DEFAULT_REGISTRY
value: {{ .Values.systemDefaultRegistry }}
{{- end }}
{{- if .Values.useBundledSystemChart }}
- name: CATTLE_SYSTEM_CATALOG
value: bundled
{{- end }}
{{- if .Values.bootstrapPassword }}
- name: CATTLE_BOOTSTRAP_PASSWORD
valueFrom:
secretKeyRef:
name: "bootstrap-secret"
key: "bootstrapPassword"
{{- end }}
{{- if .Values.agentTLSMode }}
- name: CATTLE_AGENT_TLS_MODE
value: "{{ .Values.agentTLSMode }}"
{{- end }}
- name: IMPERATIVE_API_DIRECT
value: "true"
- name: IMPERATIVE_API_APP_SELECTOR
value: {{ template "rancher.fullname" . }}
{{- if .Values.aggregationRegistrationTimeout }}
- name: AGGREGATION_REGISTRATION_TIMEOUT
value: {{ .Values.aggregationRegistrationTimeout }}
{{- end }}
{{- if .Values.cacheSyncTimeout }}
- name: CACHE_SYNC_TIMEOUT
value: {{ .Values.cacheSyncTimeout }}
{{- end }}
{{- if .Values.extraEnv }}
{{ toYaml .Values.extraEnv | indent 8}}
{{- end }}
startupProbe:
httpGet:
path: /healthz
port: 80
timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }}
failureThreshold: {{ .Values.startupProbe.failureThreshold }}
periodSeconds: {{ .Values.startupProbe.periodSeconds }}
livenessProbe:
httpGet:
path: /healthz
port: 80
{{- with .Values.livenessProbe.initialDelaySeconds}}
initialDelaySeconds: {{ . }}
{{- end }}
timeoutSeconds: {{.Values.livenessProbe.timeoutSeconds }}
periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
failureThreshold: {{.Values.livenessProbe.failureThreshold }}
readinessProbe:
httpGet:
path: /healthz
port: 80
{{- with .Values.readinessProbe.initialDelaySeconds}}
initialDelaySeconds: {{ . }}
{{- end }}
timeoutSeconds: {{.Values.readinessProbe.timeoutSeconds }}
periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
failureThreshold: {{.Values.readinessProbe.failureThreshold }}
{{- if .Values.resources }}
resources: {{- toYaml .Values.resources | nindent 10 }}
{{- end }}
volumeMounts:
{{- if .Values.additionalTrustedCAs }}
- mountPath: /etc/pki/trust/anchors/ca-additional.pem
name: tls-ca-additional-volume
subPath: ca-additional.pem
readOnly: true
- mountPath: /etc/rancher/ssl/ca-additional.pem
name: tls-ca-additional-volume
subPath: ca-additional.pem
readOnly: true
{{- end }}
{{- if .Values.privateCA }}
# Pass CA cert into rancher for private CA
- mountPath: /etc/rancher/ssl/cacerts.pem
name: tls-ca-volume
subPath: cacerts.pem
readOnly: true
{{- end }}
{{- if and .Values.customLogos.enabled (or (eq .Values.customLogos.volumeKind "persistentVolumeClaim") (and (eq .Values.customLogos.volumeKind "configMap") (.Values.customLogos.volumeName))) }}
# Mount rancher custom-logos volume
- mountPath: /usr/share/rancher/ui/assets/images/logos
name: custom-logos
subPath: {{ .Values.customLogos.volumeSubpaths.emberUi | default "ember" | quote }}
- mountPath: /usr/share/rancher/ui-dashboard/dashboard/_nuxt/assets/images/pl
name: custom-logos
subPath: {{ .Values.customLogos.volumeSubpaths.vueUi | default "vue" | quote }}
{{- end }}
{{- if .Values.auditLog.enabled }}
- mountPath: /var/log/auditlog
name: audit-log
{{- end }}
{{- if eq .Values.auditLog.destination "sidecar" }}
{{- if .Values.auditLog.enabled }}
# Make audit logs available for Rancher log collector tools.
- image: "{{ printf "%s%s" (include "defaultOrOverrideRegistry" (list . (default "" .Values.auditLog.image.registry))) (include "auditLog.image" .) }}"
imagePullPolicy: {{ default .Values.auditLog.image.pullPolicy .Values.busyboxImagePullPolicy }}
name: {{ template "rancher.name" . }}-audit-log
command: ["tail"]
args: ["-F", "/var/log/auditlog/rancher-api-audit.log"]
volumeMounts:
- mountPath: /var/log/auditlog
name: audit-log
{{- if .Values.auditLog.resources }}
resources: {{- toYaml .Values.auditLog.resources | nindent 10 }}
{{- end }}
{{- end }}
{{- end }}
volumes:
{{- if .Values.additionalTrustedCAs }}
- name: tls-ca-additional-volume
secret:
defaultMode: 0400
secretName: tls-ca-additional
{{- end }}
{{- if .Values.privateCA }}
- name: tls-ca-volume
secret:
defaultMode: 0400
secretName: tls-ca
{{- end }}
{{- if .Values.auditLog.enabled }}
{{- if eq .Values.auditLog.destination "hostPath" }}
- name: audit-log
hostPath:
path: {{ .Values.auditLog.hostPath }}
type: DirectoryOrCreate
{{- else }}
- name: audit-log
emptyDir: {}
{{- end }}
{{- end }}
{{- if and .Values.customLogos.enabled (or (eq .Values.customLogos.volumeKind "persistentVolumeClaim") (and (eq .Values.customLogos.volumeKind "configMap") (.Values.customLogos.volumeName))) }}
- name: custom-logos
{{- if (eq .Values.customLogos.volumeKind "persistentVolumeClaim") }}
persistentVolumeClaim:
claimName: {{ .Values.customLogos.volumeName | default (printf "%s-custom-logos" (include "rancher.fullname" .)) }}
{{- else if (eq .Values.customLogos.volumeKind "configMap") }}
configMap:
name: {{ .Values.customLogos.volumeName }}
{{- end }}
{{- end }}