adding/updating chart and values

rancherfederal · Nov 28, 2023 · 8b5419d · 8b5419d
1 parent 293ccc3
commit 8b5419d
Show file tree

Hide file tree

Showing 8 changed files with 457 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -1,5 +1,7 @@
 # Rancher Cluster Templates
 
+> ⚠️ This project is still in active development. As we continued to develop it, there will be breaking changes.
+
 This project contains the Helm Chart for Rancher Cluster Templates, which provide declaritive manifests to deploy clusters with the [Rancher Multi-Cluster Manager](https://ranchergovernment.com/products/mcm). Please start with the Helm Chart [README](/charts/cluster-templates/README.md)!
 
 ## Configuration

diff --git a/...r-templates/templates/registry-creds.yaml → ...lates/templates/registry-credentials.yaml b/...r-templates/templates/registry-creds.yaml → ...lates/templates/registry-credentials.yaml
diff --git a/charts/cluster-templates/values-custom.yaml b/charts/cluster-templates/values-custom.yaml
diff --git a/examples/aws/README.md b/examples/aws/README.md
@@ -1,3 +1,7 @@
+## Notice
+
+> ⚠️ This project is still in active development. As we continued to develop it, there will be breaking changes.
+
 ### Required Variable Updates:
 
 - Provider Cloud Credentials (`cloudCredentialSecretName`)

diff --git a/examples/aws/values-aws-sts.yaml b/examples/aws/values-aws-sts.yaml
@@ -0,0 +1,329 @@
+cloudprovider: amazonec2
+
+rancher:
+  cattle:
+    url: rancher.ranchers.io
+
+cluster:
+  annotations: {}
+  labels: {}
+  name: aws-rke2-cluster
+  config:
+    systemDefaultRegistry: rgcrprod.azurecr.us
+    kubernetesVersion: v1.25.15+rke2r2
+    localClusterAuthEndpoint:
+      enabled: false
+    cni: canal
+    docker: false
+    disable_kube_proxy: false
+    etcd_expose_metrics: false
+    profile: cis-1.23
+    selinux: true
+    secrets_encryption: true
+    write_kubeconfig_mode: 0640
+    use_service_account_credentials: true
+    protect_kernel_defaults: true
+    kube_controller_manager_arg:
+      - bind-address=127.0.0.1
+      - use-service-account-credentials=true
+      - tls-min-version=VersionTLS12
+      - tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+    kube_scheduler_arg:
+      - tls-min-version=VersionTLS12
+      - tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+    kube_apiserver_arg:
+      - tls-min-version=VersionTLS12
+      - tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+      - authorization-mode=RBAC,Node
+      - anonymous-auth=false
+      - audit-policy-file=/etc/rancher/rke2/audit-policy.yaml
+      - audit-log-mode=blocking-strict
+      - audit-log-maxage=30
+      - admission-control-config-file=/etc/rancher/rke2/rancher-pss.yaml
+    kubelet_arg:
+      - protect-kernel-defaults=true
+      - read-only-port=0
+      - authorization-mode=Webhook
+      - streaming-connection-idle-timeout=5m
+    registries:
+      enabled: true
+      configs:
+        - name: rgcrprod.azurecr.us
+          authConfigSecretName: registryconfig-auth-97gjm
+          caBundle: ''
+          insecureSkipVerify: false
+          tlsSecretName: ''
+      mirrors:
+        - name: docker.io
+          endpoints:
+            - rgcrprod.azurecr.us
+    upgradeStrategy:
+      controlPlaneConcurrency: 10%
+      controlPlaneDrainOptions:
+        enabled: false
+      workerConcurrency: 10%
+      workerDrainOptions:
+        enabled: false
+
+nodepools:
+  - etcd: true
+    controlplane: true
+    worker: false
+    labels: {}
+    taints: {}
+    quantity: 3
+    paused: false
+    name: control-plane-nodes
+    ami: ami-05a5f6298acdb05b6
+    accessKey: # accessKey
+    secretKey: # secretKey
+    sessionToken: # sessionToken
+    deviceName: /dev/sda1
+    encryptEbsVolume: false
+    endpoint: ''
+    iamInstanceProfile: 'aws-rgs-rke2-iam-profile-control' # required: replace with your iam instance profile name
+    insecureTransport: false
+    instanceType: m5.large
+    region: us-east-1
+    createSecurityGroup: true
+    securityGroups: ['']
+    keypairName: ''
+    securityGroupReadonly: false
+    sshKeyContents: ''
+    subnetId: subnet-0212fa8bf49d2f821 # required: replace with your subnet id
+    zone: a
+    monitoring: false
+    privateAddressOnly: true
+    requestSpotInstance: false
+    tags: provisioner,rancher,KeepRunning,true
+    retries: 5
+    rootSize: 64
+    sshUser: ec2-user
+    volumeType: gp3
+    vpcId: vpc-0e8fe916279b4bf8a # required: replace with your vpc id
+    useEbsOptimizedInstance: false
+    usePrivateAddress: true
+    userdata: |
+      #cloud-config
+      write_files:
+      - path: /etc/sysctl.conf
+        owner: root
+        content: |
+          vm.swappiness=0
+          vm.panic_on_oom=0
+          vm.overcommit_memory=1
+          kernel.panic=10
+          kernel.panic_on_oops=1
+          vm.max_map_count = 262144
+          net.ipv4.ip_local_port_range=1024 65000
+          net.core.somaxconn=10000
+          net.ipv4.tcp_tw_reuse=1
+          net.ipv4.tcp_fin_timeout=15
+          net.core.somaxconn=4096
+          net.core.netdev_max_backlog=4096
+          net.core.rmem_max=16777216
+          net.core.wmem_max=16777216
+          net.ipv4.tcp_max_syn_backlog=20480
+          net.ipv4.tcp_max_tw_buckets=400000
+          net.ipv4.tcp_no_metrics_save=1
+          net.ipv4.tcp_rmem=4096 87380 16777216
+          net.ipv4.tcp_syn_retries=2
+          net.ipv4.tcp_synack_retries=2
+          net.ipv4.tcp_wmem=4096 65536 16777216
+          net.ipv4.neigh.default.gc_thresh1=8096
+          net.ipv4.neigh.default.gc_thresh2=12288
+          net.ipv4.neigh.default.gc_thresh3=16384
+          net.ipv4.tcp_keepalive_time=600
+          net.ipv4.ip_forward=1
+          net.ipv6.conf.all.disable_ipv6 = 1
+          net.ipv6.conf.default.disable_ipv6 = 1
+          fs.inotify.max_user_instances=8192
+          fs.inotify.max_user_watches=1048576
+      - path: /etc/rancher/rke2/audit-policy.yaml
+        owner: root
+        content: |
+          apiVersion: audit.k8s.io/v1
+          kind: Policy
+          rules:
+          - level: RequestResponse
+      - path: /etc/rancher/rke2/rancher-pss.yaml
+        owner: root
+        content: |
+          apiVersion: apiserver.config.k8s.io/v1
+          kind: AdmissionConfiguration
+          plugins:
+            - name: PodSecurity
+              configuration:
+                apiVersion: pod-security.admission.config.k8s.io/v1
+                kind: PodSecurityConfiguration
+                defaults:
+                  enforce: "restricted"
+                  enforce-version: "latest"
+                  audit: "restricted"
+                  audit-version: "latest"
+                  warn: "restricted"
+                  warn-version: "latest"
+                exemptions:
+                  usernames: []
+                  runtimeClasses: []
+                  namespaces: [calico-apiserver,
+                              calico-system,
+                              carbide-docs-system,
+                              carbide-stigatron-system,
+                              cattle-alerting,
+                              cattle-csp-adapter-system,
+                              cattle-elemental-system,
+                              cattle-epinio-system,
+                              cattle-externalip-system,
+                              cattle-fleet-local-system,
+                              cattle-fleet-system,
+                              cattle-gatekeeper-system,
+                              cattle-global-data,
+                              cattle-global-nt,
+                              cattle-impersonation-system,
+                              cattle-istio,
+                              cattle-istio-system,
+                              cattle-logging,
+                              cattle-logging-system,
+                              cattle-monitoring-system,
+                              cattle-neuvector-system,
+                              cattle-prometheus,
+                              cattle-provisioning-capi-system,
+                              cattle-resources-system,
+                              cattle-sriov-system,
+                              cattle-system,
+                              cattle-ui-plugin-system,
+                              cattle-windows-gmsa-system,
+                              cert-manager,
+                              cis-operator-system,
+                              fleet-default,
+                              fleet-local,
+                              ingress-nginx,
+                              istio-system,
+                              kube-node-lease,
+                              kube-public,
+                              kube-system,
+                              longhorn-system,
+                              rancher-alerting-drivers,
+                              security-scan,
+                              tigera-operator]
+      runcmd:
+      - sudo sysctl -p > /dev/null 2>&1
+      - sudo yum install -y iptables container-selinux iptables libnetfilter_conntrack libnfnetlink libnftnl policycoreutils-python-utils cryptsetup nfs-utils iscsi-initiator-utils zip zstd tree jq
+      - sudo curl -#OL https://github.com/rancher/rke2-selinux/releases/download/v0.16.stable.1/rke2-selinux-0.16-1.el9.noarch.rpm && sudo rpm -i rke2-selinux-0.16-1.el9.noarch.rpm
+      - sudo echo "InitiatorName=$(/sbin/iscsi-iname)" > /etc/iscsi/initiatorname.iscsi && systemctl enable --now iscsid
+      - sudo systemctl stop firewalld; systemctl disable firewalld; systemctl stop nm-cloud-setup; systemctl disable nm-cloud-setup; systemctl stop nm-cloud-setup.timer; systemctl disable nm-cloud-setup.timer
+      - sudo echo -e "[keyfile]\nunmanaged-devices=interface-name:cali*;interface-name:flannel*" > /etc/NetworkManager/conf.d/rke2-canal.conf
+      - sudo mkdir -p /opt/rke2-artifacts/ /etc/rancher/rke2/ /var/lib/rancher/rke2/server/manifests/
+      - sudo useradd -r -c "etcd user" -s /sbin/nologin -M etcd -U
+  - etcd: false
+    controlplane: false
+    worker: true
+    labels: {}
+    taints: {}
+    quantity: 3
+    paused: false
+    name: worker-nodes
+    ami: ami-05a5f6298acdb05b6
+    accessKey: # accessKey
+    secretKey: # secretKey
+    sessionToken: # sessionToken
+    deviceName: /dev/sda1
+    encryptEbsVolume: false
+    endpoint: ''
+    iamInstanceProfile: 'aws-rgs-rke2-iam-profile-worker' # required: replace with your iam instance profile name
+    insecureTransport: false
+    instanceType: m5.xlarge
+    region: us-east-1
+    createSecurityGroup: true
+    securityGroups: ['']
+    keypairName: ''
+    securityGroupReadonly: false
+    sshKeyContents: ''
+    subnetId: subnet-0212fa8bf49d2f821 # required: replace with your subnet id
+    zone: a
+    monitoring: false
+    privateAddressOnly: true
+    requestSpotInstance: false
+    tags: provisioner,rancher,KeepRunning,true
+    retries: 5
+    rootSize: 128
+    sshUser: ec2-user
+    volumeType: gp3
+    vpcId: vpc-0e8fe916279b4bf8a # required: replace with your vpc id
+    useEbsOptimizedInstance: false
+    usePrivateAddress: true
+    userdata: |
+      #cloud-config
+      write_files:
+      - path: /etc/sysctl.conf
+        owner: root
+        content: |
+          vm.swappiness=0
+          vm.panic_on_oom=0
+          vm.overcommit_memory=1
+          kernel.panic=10
+          kernel.panic_on_oops=1
+          vm.max_map_count = 262144
+          net.ipv4.ip_local_port_range=1024 65000
+          net.core.somaxconn=10000
+          net.ipv4.tcp_tw_reuse=1
+          net.ipv4.tcp_fin_timeout=15
+          net.core.somaxconn=4096
+          net.core.netdev_max_backlog=4096
+          net.core.rmem_max=16777216
+          net.core.wmem_max=16777216
+          net.ipv4.tcp_max_syn_backlog=20480
+          net.ipv4.tcp_max_tw_buckets=400000
+          net.ipv4.tcp_no_metrics_save=1
+          net.ipv4.tcp_rmem=4096 87380 16777216
+          net.ipv4.tcp_syn_retries=2
+          net.ipv4.tcp_synack_retries=2
+          net.ipv4.tcp_wmem=4096 65536 16777216
+          net.ipv4.neigh.default.gc_thresh1=8096
+          net.ipv4.neigh.default.gc_thresh2=12288
+          net.ipv4.neigh.default.gc_thresh3=16384
+          net.ipv4.tcp_keepalive_time=600
+          net.ipv4.ip_forward=1
+          net.ipv6.conf.all.disable_ipv6 = 1
+          net.ipv6.conf.default.disable_ipv6 = 1
+          fs.inotify.max_user_instances=8192
+          fs.inotify.max_user_watches=1048576
+      runcmd:
+      - sudo sysctl -p > /dev/null 2>&1
+      - sudo yum install -y iptables container-selinux iptables libnetfilter_conntrack libnfnetlink libnftnl policycoreutils-python-utils cryptsetup nfs-utils iscsi-initiator-utils zip zstd tree jq
+      - sudo curl -#OL https://github.com/rancher/rke2-selinux/releases/download/v0.16.stable.1/rke2-selinux-0.16-1.el9.noarch.rpm && sudo rpm -i rke2-selinux-0.16-1.el9.noarch.rpm
+      - sudo echo "InitiatorName=$(/sbin/iscsi-iname)" > /etc/iscsi/initiatorname.iscsi && systemctl enable --now iscsid
+      - sudo systemctl stop firewalld; systemctl disable firewalld; systemctl stop nm-cloud-setup; systemctl disable nm-cloud-setup; systemctl stop nm-cloud-setup.timer; systemctl disable nm-cloud-setup.timer
+      - sudo echo -e "[keyfile]\nunmanaged-devices=interface-name:cali*;interface-name:flannel*" > /etc/NetworkManager/conf.d/rke2-canal.conf
+      - sudo mkdir -p /etc/rancher/rke2/
+
+addons:
+  monitoring:
+    enabled: true
+    values:
+      global:
+        cattle:
+          systemDefaultRegistry: rgcrprod.azurecr.us
+  longhorn:
+    enabled: true
+    values:
+      global:
+        cattle:
+          systemDefaultRegistry: rgcrprod.azurecr.us
+  neuvector:
+    enabled: true
+    values:
+      global:
+        cattle:
+          url: https://rancher.ranchers.io
+          systemDefaultRegistry: rgcrprod.azurecr.us
+      controller:
+        ranchersso:
+          enabled: true
+      k3s:
+        enabled: true
+      manager:
+        svc:
+          type: ClusterIP
+      rbac: true
diff --git a/examples/aws/values-aws.yaml b/examples/aws/values-aws.yaml
@@ -11,7 +11,7 @@ cluster:
   labels: {}
   name: aws-rke2-cluster
   config:
-    systemDefaultRegistry: docker.io
+    systemDefaultRegistry: rgcrprod.azurecr.us
     kubernetesVersion: v1.25.15+rke2r2
     localClusterAuthEndpoint:
       enabled: false

diff --git a/examples/custom/README.md b/examples/custom/README.md
@@ -0,0 +1,30 @@
+## Notice
+
+> ⚠️ This project is still in active development. As we continued to develop it, there will be breaking changes.
+
+## Installing the Chart
+
+```bash
+# fetch the values file (make sure to update variables)
+curl -#OL https://raw.githubusercontent.com/rancherfederal/rancher-cluster-templates/main/examples/custom/values-custom.yaml
+```
+
+```bash
+# add the helm chart
+helm repo add cluster-templates https://rancherfederal.github.io/rancher-cluster-templates
+
+# install the helm chart
+helm upgrade -i cluster cluster-templates/rancher-cluster-templates -n fleet-default -f values-custom.yaml
+```
+
+```bash
+# check the status of the helm chart
+helm status cluster -n fleet-default
+```
+
+## Uninstalling the Chart
+
+```bash
+# uninstall the helm chart
+helm delete cluster -n fleet-default
+```