From 8b5419d2a547ac90d59169040c76809c93374ed8 Mon Sep 17 00:00:00 2001
From: Zack Hodgson Brady
Date: Tue, 28 Nov 2023 11:46:11 -0500
Subject: [PATCH] adding/updating chart and values
---
 README.md | 2 +
 ...y-creds.yaml => registry-credentials.yaml} | 0
 charts/cluster-templates/values-custom.yaml | 0
 examples/aws/README.md | 4 +
 examples/aws/values-aws-sts.yaml | 329 ++++++++++++++++++
 examples/aws/values-aws.yaml | 2 +-
 examples/custom/README.md | 30 ++
 examples/custom/values-custom.yaml | 91 +++++
 8 files changed, 457 insertions(+), 1 deletion(-)
 rename charts/cluster-templates/templates/{registry-creds.yaml => registry-credentials.yaml} (100%)
 create mode 100644 charts/cluster-templates/values-custom.yaml
 create mode 100644 examples/aws/values-aws-sts.yaml
 create mode 100644 examples/custom/README.md
 create mode 100644 examples/custom/values-custom.yaml
diff --git a/README.md b/README.md
index 87753b7..71606e7 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,7 @@
 # Rancher Cluster Templates
+> ⚠️ This project is still in active development. As we continued to develop it, there will be breaking changes.
+
 This project contains the Helm Chart for Rancher Cluster Templates, which provide declaritive manifests to deploy clusters with the [Rancher Multi-Cluster Manager](https://ranchergovernment.com/products/mcm). Please start with the Helm Chart [README](/charts/cluster-templates/README.md)!
 ## Configuration
diff --git a/charts/cluster-templates/templates/registry-creds.yaml b/charts/cluster-templates/templates/registry-credentials.yaml
similarity index 100%
rename from charts/cluster-templates/templates/registry-creds.yaml
rename to charts/cluster-templates/templates/registry-credentials.yaml
diff --git a/charts/cluster-templates/values-custom.yaml b/charts/cluster-templates/values-custom.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/examples/aws/README.md b/examples/aws/README.md
index 2283147..f1f03ff 100644
--- a/examples/aws/README.md
+++ b/examples/aws/README.md
@@ -1,3 +1,7 @@
+## Notice
+
+> ⚠️ This project is still in active development. As we continued to develop it, there will be breaking changes.
+
 ### Required Variable Updates:
 - Provider Cloud Credentials (`cloudCredentialSecretName`)
diff --git a/examples/aws/values-aws-sts.yaml b/examples/aws/values-aws-sts.yaml
new file mode 100644
index 0000000..6521bb2
--- /dev/null
+++ b/examples/aws/values-aws-sts.yaml
@@ -0,0 +1,329 @@
+cloudprovider: amazonec2
+
+rancher:
+ cattle:
+ url: rancher.ranchers.io
+
+cluster:
+ annotations: {}
+ labels: {}
+ name: aws-rke2-cluster
+ config:
+ systemDefaultRegistry: rgcrprod.azurecr.us
+ kubernetesVersion: v1.25.15+rke2r2
+ localClusterAuthEndpoint:
+ enabled: false
+ cni: canal
+ docker: false
+ disable_kube_proxy: false
+ etcd_expose_metrics: false
+ profile: cis-1.23
+ selinux: true
+ secrets_encryption: true
+ write_kubeconfig_mode: 0640
+ use_service_account_credentials: true
+ protect_kernel_defaults: true
+ kube_controller_manager_arg:
+ - bind-address=127.0.0.1
+ - use-service-account-credentials=true
+ - tls-min-version=VersionTLS12
+ - tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ kube_scheduler_arg:
+ - tls-min-version=VersionTLS12
+ - tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ kube_apiserver_arg:
+ - tls-min-version=VersionTLS12
+ - tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ - authorization-mode=RBAC,Node
+ - anonymous-auth=false
+ - audit-policy-file=/etc/rancher/rke2/audit-policy.yaml
+ - audit-log-mode=blocking-strict
+ - audit-log-maxage=30
+ - admission-control-config-file=/etc/rancher/rke2/rancher-pss.yaml
+ kubelet_arg:
+ - protect-kernel-defaults=true
+ - read-only-port=0
+ - authorization-mode=Webhook
+ - streaming-connection-idle-timeout=5m
+ registries:
+ enabled: true
+ configs:
+ - name: rgcrprod.azurecr.us
+ authConfigSecretName: registryconfig-auth-97gjm
+ caBundle: ''
+ insecureSkipVerify: false
+ tlsSecretName: ''
+ mirrors:
+ - name: docker.io
+ endpoints:
+ - rgcrprod.azurecr.us
+ upgradeStrategy:
+ controlPlaneConcurrency: 10%
+ controlPlaneDrainOptions:
+ enabled: false
+ workerConcurrency: 10%
+ workerDrainOptions:
+ enabled: false
+
+nodepools:
+ - etcd: true
+ controlplane: true
+ worker: false
+ labels: {}
+ taints: {}
+ quantity: 3
+ paused: false
+ name: control-plane-nodes
+ ami: ami-05a5f6298acdb05b6
+ accessKey: # accessKey
+ secretKey: # secretKey
+ sessionToken: # sessionToken
+ deviceName: /dev/sda1
+ encryptEbsVolume: false
+ endpoint: ''
+ iamInstanceProfile: 'aws-rgs-rke2-iam-profile-control' # required: replace with your iam instance profile name
+ insecureTransport: false
+ instanceType: m5.large
+ region: us-east-1
+ createSecurityGroup: true
+ securityGroups: ['']
+ keypairName: ''
+ securityGroupReadonly: false
+ sshKeyContents: ''
+ subnetId: subnet-0212fa8bf49d2f821 # required: replace with your subnet id
+ zone: a
+ monitoring: false
+ privateAddressOnly: true
+ requestSpotInstance: false
+ tags: provisioner,rancher,KeepRunning,true
+ retries: 5
+ rootSize: 64
+ sshUser: ec2-user
+ volumeType: gp3
+ vpcId: vpc-0e8fe916279b4bf8a # required: replace with your vpc id
+ useEbsOptimizedInstance: false
+ usePrivateAddress: true
+ userdata: |
+ #cloud-config
+ write_files:
+ - path: /etc/sysctl.conf
+ owner: root
+ content: |
+ vm.swappiness=0
+ vm.panic_on_oom=0
+ vm.overcommit_memory=1
+ kernel.panic=10
+ kernel.panic_on_oops=1
+ vm.max_map_count = 262144
+ net.ipv4.ip_local_port_range=1024 65000
+ net.core.somaxconn=10000
+ net.ipv4.tcp_tw_reuse=1
+ net.ipv4.tcp_fin_timeout=15
+ net.core.somaxconn=4096
+ net.core.netdev_max_backlog=4096
+ net.core.rmem_max=16777216
+ net.core.wmem_max=16777216
+ net.ipv4.tcp_max_syn_backlog=20480
+ net.ipv4.tcp_max_tw_buckets=400000
+ net.ipv4.tcp_no_metrics_save=1
+ net.ipv4.tcp_rmem=4096 87380 16777216
+ net.ipv4.tcp_syn_retries=2
+ net.ipv4.tcp_synack_retries=2
+ net.ipv4.tcp_wmem=4096 65536 16777216
+ net.ipv4.neigh.default.gc_thresh1=8096
+ net.ipv4.neigh.default.gc_thresh2=12288
+ net.ipv4.neigh.default.gc_thresh3=16384
+ net.ipv4.tcp_keepalive_time=600
+ net.ipv4.ip_forward=1
+ net.ipv6.conf.all.disable_ipv6 = 1
+ net.ipv6.conf.default.disable_ipv6 = 1
+ fs.inotify.max_user_instances=8192
+ fs.inotify.max_user_watches=1048576
+ - path: /etc/rancher/rke2/audit-policy.yaml
+ owner: root
+ content: |
+ apiVersion: audit.k8s.io/v1
+ kind: Policy
+ rules:
+ - level: RequestResponse
+ - path: /etc/rancher/rke2/rancher-pss.yaml
+ owner: root
+ content: |
+ apiVersion: apiserver.config.k8s.io/v1
+ kind: AdmissionConfiguration
+ plugins:
+ - name: PodSecurity
+ configuration:
+ apiVersion: pod-security.admission.config.k8s.io/v1
+ kind: PodSecurityConfiguration
+ defaults:
+ enforce: "restricted"
+ enforce-version: "latest"
+ audit: "restricted"
+ audit-version: "latest"
+ warn: "restricted"
+ warn-version: "latest"
+ exemptions:
+ usernames: []
+ runtimeClasses: []
+ namespaces: [calico-apiserver,
+ calico-system,
+ carbide-docs-system,
+ carbide-stigatron-system,
+ cattle-alerting,
+ cattle-csp-adapter-system,
+ cattle-elemental-system,
+ cattle-epinio-system,
+ cattle-externalip-system,
+ cattle-fleet-local-system,
+ cattle-fleet-system,
+ cattle-gatekeeper-system,
+ cattle-global-data,
+ cattle-global-nt,
+ cattle-impersonation-system,
+ cattle-istio,
+ cattle-istio-system,
+ cattle-logging,
+ cattle-logging-system,
+ cattle-monitoring-system,
+ cattle-neuvector-system,
+ cattle-prometheus,
+ cattle-provisioning-capi-system,
+ cattle-resources-system,
+ cattle-sriov-system,
+ cattle-system,
+ cattle-ui-plugin-system,
+ cattle-windows-gmsa-system,
+ cert-manager,
+ cis-operator-system,
+ fleet-default,
+ fleet-local,
+ ingress-nginx,
+ istio-system,
+ kube-node-lease,
+ kube-public,
+ kube-system,
+ longhorn-system,
+ rancher-alerting-drivers,
+ security-scan,
+ tigera-operator]
+ runcmd:
+ - sudo sysctl -p > /dev/null 2>&1
+ - sudo yum install -y iptables container-selinux iptables libnetfilter_conntrack libnfnetlink libnftnl policycoreutils-python-utils cryptsetup nfs-utils iscsi-initiator-utils zip zstd tree jq
+ - sudo curl -#OL https://github.com/rancher/rke2-selinux/releases/download/v0.16.stable.1/rke2-selinux-0.16-1.el9.noarch.rpm && sudo rpm -i rke2-selinux-0.16-1.el9.noarch.rpm
+ - sudo echo "InitiatorName=$(/sbin/iscsi-iname)" > /etc/iscsi/initiatorname.iscsi && systemctl enable --now iscsid
+ - sudo systemctl stop firewalld; systemctl disable firewalld; systemctl stop nm-cloud-setup; systemctl disable nm-cloud-setup; systemctl stop nm-cloud-setup.timer; systemctl disable nm-cloud-setup.timer
+ - sudo echo -e "[keyfile]\nunmanaged-devices=interface-name:cali*;interface-name:flannel*" > /etc/NetworkManager/conf.d/rke2-canal.conf
+ - sudo mkdir -p /opt/rke2-artifacts/ /etc/rancher/rke2/ /var/lib/rancher/rke2/server/manifests/
+ - sudo useradd -r -c "etcd user" -s /sbin/nologin -M etcd -U
+ - etcd: false
+ controlplane: false
+ worker: true
+ labels: {}
+ taints: {}
+ quantity: 3
+ paused: false
+ name: worker-nodes
+ ami: ami-05a5f6298acdb05b6
+ accessKey: # accessKey
+ secretKey: # secretKey
+ sessionToken: # sessionToken
+ deviceName: /dev/sda1
+ encryptEbsVolume: false
+ endpoint: ''
+ iamInstanceProfile: 'aws-rgs-rke2-iam-profile-worker' # required: replace with your iam instance profile name
+ insecureTransport: false
+ instanceType: m5.xlarge
+ region: us-east-1
+ createSecurityGroup: true
+ securityGroups: ['']
+ keypairName: ''
+ securityGroupReadonly: false
+ sshKeyContents: ''
+ subnetId: subnet-0212fa8bf49d2f821 # required: replace with your subnet id
+ zone: a
+ monitoring: false
+ privateAddressOnly: true
+ requestSpotInstance: false
+ tags: provisioner,rancher,KeepRunning,true
+ retries: 5
+ rootSize: 128
+ sshUser: ec2-user
+ volumeType: gp3
+ vpcId: vpc-0e8fe916279b4bf8a # required: replace with your vpc id
+ useEbsOptimizedInstance: false
+ usePrivateAddress: true
+ userdata: |
+ #cloud-config
+ write_files:
+ - path: /etc/sysctl.conf
+ owner: root
+ content: |
+ vm.swappiness=0
+ vm.panic_on_oom=0
+ vm.overcommit_memory=1
+ kernel.panic=10
+ kernel.panic_on_oops=1
+ vm.max_map_count = 262144
+ net.ipv4.ip_local_port_range=1024 65000
+ net.core.somaxconn=10000
+ net.ipv4.tcp_tw_reuse=1
+ net.ipv4.tcp_fin_timeout=15
+ net.core.somaxconn=4096
+ net.core.netdev_max_backlog=4096
+ net.core.rmem_max=16777216
+ net.core.wmem_max=16777216
+ net.ipv4.tcp_max_syn_backlog=20480
+ net.ipv4.tcp_max_tw_buckets=400000
+ net.ipv4.tcp_no_metrics_save=1
+ net.ipv4.tcp_rmem=4096 87380 16777216
+ net.ipv4.tcp_syn_retries=2
+ net.ipv4.tcp_synack_retries=2
+ net.ipv4.tcp_wmem=4096 65536 16777216
+ net.ipv4.neigh.default.gc_thresh1=8096
+ net.ipv4.neigh.default.gc_thresh2=12288
+ net.ipv4.neigh.default.gc_thresh3=16384
+ net.ipv4.tcp_keepalive_time=600
+ net.ipv4.ip_forward=1
+ net.ipv6.conf.all.disable_ipv6 = 1
+ net.ipv6.conf.default.disable_ipv6 = 1
+ fs.inotify.max_user_instances=8192
+ fs.inotify.max_user_watches=1048576
+ runcmd:
+ - sudo sysctl -p > /dev/null 2>&1
+ - sudo yum install -y iptables container-selinux iptables libnetfilter_conntrack libnfnetlink libnftnl policycoreutils-python-utils cryptsetup nfs-utils iscsi-initiator-utils zip zstd tree jq
+ - sudo curl -#OL https://github.com/rancher/rke2-selinux/releases/download/v0.16.stable.1/rke2-selinux-0.16-1.el9.noarch.rpm && sudo rpm -i rke2-selinux-0.16-1.el9.noarch.rpm
+ - sudo echo "InitiatorName=$(/sbin/iscsi-iname)" > /etc/iscsi/initiatorname.iscsi && systemctl enable --now iscsid
+ - sudo systemctl stop firewalld; systemctl disable firewalld; systemctl stop nm-cloud-setup; systemctl disable nm-cloud-setup; systemctl stop nm-cloud-setup.timer; systemctl disable nm-cloud-setup.timer
+ - sudo echo -e "[keyfile]\nunmanaged-devices=interface-name:cali*;interface-name:flannel*" > /etc/NetworkManager/conf.d/rke2-canal.conf
+ - sudo mkdir -p /etc/rancher/rke2/
+
+addons:
+ monitoring:
+ enabled: true
+ values:
+ global:
+ cattle:
+ systemDefaultRegistry: rgcrprod.azurecr.us
+ longhorn:
+ enabled: true
+ values:
+ global:
+ cattle:
+ systemDefaultRegistry: rgcrprod.azurecr.us
+ neuvector:
+ enabled: true
+ values:
+ global:
+ cattle:
+ url: https://rancher.ranchers.io
+ systemDefaultRegistry: rgcrprod.azurecr.us
+ controller:
+ ranchersso:
+ enabled: true
+ k3s:
+ enabled: true
+ manager:
+ svc:
+ type: ClusterIP
+ rbac: true
diff --git a/examples/aws/values-aws.yaml b/examples/aws/values-aws.yaml
index 85dc3f6..392bc45 100644
--- a/examples/aws/values-aws.yaml
+++ b/examples/aws/values-aws.yaml
@@ -11,7 +11,7 @@ cluster:
 labels: {}
 name: aws-rke2-cluster
 config:
- systemDefaultRegistry: docker.io
+ systemDefaultRegistry: rgcrprod.azurecr.us
 kubernetesVersion: v1.25.15+rke2r2
 localClusterAuthEndpoint:
 enabled: false
diff --git a/examples/custom/README.md b/examples/custom/README.md
new file mode 100644
index 0000000..a885855
--- /dev/null
+++ b/examples/custom/README.md
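Review bot: `net.core.somaxconn` is written twice into the generated /etc/sysctl.conf of both node pools (`net.core.somaxconn=10000` and, a few lines later, `net.core.somaxconn=4096`); sysctl keeps the last value, so the 10000 line is dead and one of the two should be removed. The `runcmd` step that fetches rke2-selinux from GitHub and installs it with `sudo rpm -i` neither imports the rke2 signing key nor pins a checksum, and rpm only warns (NOKEY) when the key is absent, so the download should be preceded by `rpm --import` of the key or a `sha256sum -c` against a pinned digest. `write_kubeconfig_mode: 0640` is an unquoted YAML 1.1 octal that parsers read as the integer 416; quote it as `write_kubeconfig_mode: "0640"` here and in examples/custom/values-custom.yaml unless the chart template is known to re-format it. `registries.configs` is a list of `name:` entries here but a mapping keyed by registry host in values-custom.yaml, and `authConfigSecretName: registryconfig-auth-97gjm` in both files is a generated, environment-specific name with no `# required: replace` comment like the subnet and VPC ids carry; only one of the two shapes can match the chart's template, which is outside this diff. `encryptEbsVolume: false` on the etcd/control-plane pool leaves etcd's data at rest unencrypted even though `secrets_encryption: true` is set, which is worth flipping to `true` in a `cis-1.23` profiled example.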
@@ -0,0 +1,30 @@
+## Notice
+
+> ⚠️ This project is still in active development. As we continued to develop it, there will be breaking changes.
+
+## Installing the Chart
+
+```bash
+# fetch the values file (make sure to update variables)
+curl -#OL https://raw.githubusercontent.com/rancherfederal/rancher-cluster-templates/main/examples/custom/values-custom.yaml
+```
+
+```bash
+# add the helm chart
+helm repo add cluster-templates https://rancherfederal.github.io/rancher-cluster-templates
+
+# install the helm chart
+helm upgrade -i cluster cluster-templates/rancher-cluster-templates -n fleet-default -f values-custom.yaml
+```
+
+```bash
+# check the status of the helm chart
+helm status cluster -n fleet-default
+```
+
+## Uninstalling the Chart
+
+```bash
+# uninstall the helm chart
+helm delete cluster -n fleet-default
+```
diff --git a/examples/custom/values-custom.yaml b/examples/custom/values-custom.yaml
new file mode 100644
index 0000000..7aaf66f
--- /dev/null
+++ b/examples/custom/values-custom.yaml
@@ -0,0 +1,91 @@
+cloudprovider: custom
+
+rancher:
+ cattle:
+ url: rancher.ranchers.io
+
+cluster:
+ annotations: {}
+ labels: {}
+ name: custom-rke2-cluster
+ config:
+ systemDefaultRegistry: docker.io
+ kubernetesVersion: v1.25.15+rke2r2
+ localClusterAuthEndpoint:
+ enabled: false
+ cni: canal
+ docker: false
+ disable_kube_proxy: false
+ etcd_expose_metrics: false
+ profile: cis-1.23
+ selinux: true
+ secrets_encryption: true
+ write_kubeconfig_mode: 0640
+ use_service_account_credentials: true
+ protect_kernel_defaults: true
+ kube_controller_manager_arg:
+ - bind-address=127.0.0.1
+ - use-service-account-credentials=true
+ - tls-min-version=VersionTLS12
+ - tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ kube_scheduler_arg:
+ - tls-min-version=VersionTLS12
+ - tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ kube_apiserver_arg:
+ - tls-min-version=VersionTLS12
+ - tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ - authorization-mode=RBAC,Node
+ - anonymous-auth=false
+ - audit-policy-file=/etc/rancher/rke2/audit-policy.yaml
+ - audit-log-mode=blocking-strict
+ - audit-log-maxage=30
+ - admission-control-config-file=/etc/rancher/rke2/rancher-pss.yaml
+ kubelet_arg:
+ - protect-kernel-defaults=true
+ - read-only-port=0
+ - authorization-mode=Webhook
+ - streaming-connection-idle-timeout=5m
+ registries:
+ configs:
+ rgcrprod.azurecr.us:
+ authConfigSecretName: registryconfig-auth-97gjm
+ caBundle: ''
+ insecureSkipVerify: false
+ tlsSecretName: ''
+ upgradeStrategy:
+ controlPlaneConcurrency: 10%
+ controlPlaneDrainOptions:
+ enabled: false
+ workerConcurrency: 10%
+ workerDrainOptions:
+ enabled: false
+
+addons:
+ monitoring:
+ enabled: true
+ values:
+ global:
+ cattle:
+ systemDefaultRegistry: rgcrprod.azurecr.us
+ longhorn:
+ enabled: true
+ values:
+ global:
+ cattle:
+ systemDefaultRegistry: rgcrprod.azurecr.us
+ neuvector:
+ enabled: true
+ values:
+ global:
+ cattle:
+ url: https://rancher.ranchers.io
+ systemDefaultRegistry: rgcrprod.azurecr.us
+ controller:
+ ranchersso:
+ enabled: true
+ k3s:
+ enabled: true
+ manager:
+ svc:
+ type: ClusterIP
+ rbac: true
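Review bot: `systemDefaultRegistry: docker.io` under `cluster.config` disagrees with the `rgcrprod.azurecr.us` every addon uses and with the only registry for which credentials are configured, so system images would be pulled from Docker Hub unauthenticated while addon images come from the private registry; the same commit switches examples/aws/values-aws.yaml from `docker.io` to `rgcrprod.azurecr.us`, which suggests this example is meant to match. There is also no `mirrors` entry here (the STS example redirects `docker.io` to `rgcrprod.azurecr.us`), so nothing steers docker.io pulls through the private registry. `rancher.cattle.url: rancher.ranchers.io` carries no scheme while `addons.neuvector.values.global.cattle.url` uses `https://rancher.ranchers.io`; whether the chart prepends a scheme is not visible in this diff, so either document that in a comment or use one form in both places.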