updates for rancher v2.8.6 (#206)

* AUTOMATION: SSF Prod Chart Update for stigatron * AUTOMATION: SSF Prod Chart Update for stigatron * Add support for RKE2 v1.27 and v.28, update XCCDF for other versions (#195) * Add support for RKE2 v1.27 and v.28, update XCCDF for other versions * Enabled 1.29 * Update img/app/chart versions for stigatron --------- Signed-off-by: Adam Martin <adam.martin@ranchergovernment.com> Co-authored-by: Adam Martin <adam.martin@ranchergovernment.com> * update airgapped-docs to 0.1.6 (#198) Signed-off-by: Adam Martin <adam.martin@ranchergovernment.com> * updates for rancher v2.7.15 (#200) Signed-off-by: Adam Martin <adam.martin@ranchergovernment.com> * Rancher 2.8.6 (#202) * updates for rancher v2.8.6 Signed-off-by: Adam Martin <adam.martin@ranchergovernment.com> * readme update Signed-off-by: Adam Martin <adam.martin@ranchergovernment.com> --------- Signed-off-by: Adam Martin <adam.martin@ranchergovernment.com> * Fix merge issues (#205) * Add support for RKE2 v1.27 and v.28, update XCCDF for other versions (#197) * AUTOMATION: SSF Prod Chart Update for stigatron * AUTOMATION: SSF Prod Chart Update for stigatron * Add support for RKE2 v1.27 and v.28, update XCCDF for other versions (#195) * Add support for RKE2 v1.27 and v.28, update XCCDF for other versions * Enabled 1.29 * Update img/app/chart versions for stigatron --------- Signed-off-by: Adam Martin <adam.martin@ranchergovernment.com> Co-authored-by: Adam Martin <adam.martin@ranchergovernment.com> --------- Signed-off-by: Adam Martin <adam.martin@ranchergovernment.com> Co-authored-by: Carbide SSF <carbide@rancherfederal.com> Co-authored-by: Adam Toy <atoy3731@gmail.com> * update airgapped-docs to 0.1.6 (#199) * AUTOMATION: SSF Prod Chart Update for stigatron * AUTOMATION: SSF Prod Chart Update for stigatron * Add support for RKE2 v1.27 and v.28, update XCCDF for other versions (#195) * Add support for RKE2 v1.27 and v.28, update XCCDF for other versions * Enabled 1.29 * Update img/app/chart versions for stigatron --------- Signed-off-by: Adam Martin <adam.martin@ranchergovernment.com> Co-authored-by: Adam Martin <adam.martin@ranchergovernment.com> * update airgapped-docs to 0.1.6 (#198) Signed-off-by: Adam Martin <adam.martin@ranchergovernment.com> --------- Signed-off-by: Adam Martin <adam.martin@ranchergovernment.com> Co-authored-by: Carbide SSF <carbide@rancherfederal.com> Co-authored-by: Adam Toy <atoy3731@gmail.com> * updates for rancher v2.7.15 (#201) * AUTOMATION: SSF Prod Chart Update for stigatron * AUTOMATION: SSF Prod Chart Update for stigatron * Add support for RKE2 v1.27 and v.28, update XCCDF for other versions (#195) * Add support for RKE2 v1.27 and v.28, update XCCDF for other versions * Enabled 1.29 * Update img/app/chart versions for stigatron --------- Signed-off-by: Adam Martin <adam.martin@ranchergovernment.com> Co-authored-by: Adam Martin <adam.martin@ranchergovernment.com> * update airgapped-docs to 0.1.6 (#198) Signed-off-by: Adam Martin <adam.martin@ranchergovernment.com> * updates for rancher v2.7.15 (#200) Signed-off-by: Adam Martin <adam.martin@ranchergovernment.com> --------- Signed-off-by: Adam Martin <adam.martin@ranchergovernment.com> Co-authored-by: Carbide SSF <carbide@rancherfederal.com> Co-authored-by: Adam Toy <atoy3731@gmail.com> --------- Signed-off-by: Adam Martin <adam.martin@ranchergovernment.com> Co-authored-by: Carbide SSF <carbide@rancherfederal.com> Co-authored-by: Adam Toy <atoy3731@gmail.com> --------- Signed-off-by: Adam Martin <adam.martin@ranchergovernment.com> Co-authored-by: Carbide SSF <carbide@rancherfederal.com> Co-authored-by: Adam Toy <atoy3731@gmail.com> Co-authored-by: Jacob Blain Christen <dweomer5@gmail.com>
rancherfederal · Aug 1, 2024 · 1f9c552 · 1f9c552
1 parent f6d20ca
commit 1f9c552
Show file tree

Hide file tree

Showing 6 changed files with 195 additions and 47 deletions.
diff --git a/README.md b/README.md
@@ -6,7 +6,7 @@
 NAME                            CHART VERSION   APP VERSION     DESCRIPTION
 carbide-charts/airgapped-docs   0.1.51          0.1.6           Rancher Government Airgapped Docs
 carbide-charts/heimdall2        0.1.45          0.1.1           Rancher Government Heimdall2 Tool
-carbide-charts/rancher          2.8.5           v2.8.5          Install Rancher Server to manage Kubernetes...
+carbide-charts/rancher          2.8.6           v2.8.6          Install Rancher Server to manage Kubernetes...
 carbide-charts/stigatron        0.2.5           0.2.2           Rancher Government Stigatron Extension
 carbide-charts/stigatron-ui     0.2.3           0.2.0           Rancher Government Stigatron UI Extension
 ```

diff --git a/charts/rancher/Chart.yaml b/charts/rancher/Chart.yaml
@@ -1,9 +1,9 @@
 apiVersion: v2
 name: rancher
 description: Install Rancher Server to manage Kubernetes clusters across providers
-version: 2.7.15
-appVersion: v2.7.15
-kubeVersion: < 1.28.0-0
+version: 2.8.6
+appVersion: v2.8.6
+kubeVersion: < 1.29.0-0
 home: https://rancher.com
 icon: https://github.com/rancher/ui/blob/master/public/assets/images/logos/welcome-cow.svg
 keywords:

diff --git a/charts/rancher/templates/deployment.yaml b/charts/rancher/templates/deployment.yaml
@@ -154,29 +154,40 @@ spec:
               name: "bootstrap-secret"
               key: "bootstrapPassword"
 {{- end }}
+{{- if .Values.agentTLSMode }}
+        - name: CATTLE_AGENT_TLS_MODE
+          value: "{{ .Values.agentTLSMode }}"
+{{- end }}
 {{- if .Values.extraEnv }}
 {{ toYaml .Values.extraEnv | indent 8}}
 {{- end }}
-        livenessProbe:
+        startupProbe:
           httpGet:
             path: /healthz
             port: 80
-          initialDelaySeconds: {{.Values.livenessProbe.initialDelaySeconds | default 60 }}
-          periodSeconds: {{ .Values.livenessProbe.periodSeconds | default 30 }}
-        readinessProbe:
+          timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }}
+          failureThreshold: {{ .Values.startupProbe.failureThreshold }}
+          periodSeconds: {{ .Values.startupProbe.periodSeconds }}
+        livenessProbe:
           httpGet:
             path: /healthz
             port: 80
-          initialDelaySeconds: {{.Values.readinessProbe.initialDelaySeconds | default  5}}
-          periodSeconds: {{ .Values.readinessProbe.periodSeconds | default 30}}
-{{- if .Values.startupProbe }}
-        startupProbe:
+          {{- with .Values.livenessProbe.initialDelaySeconds}}
+          initialDelaySeconds: {{ . }}
+          {{- end }}
+          timeoutSeconds: {{.Values.livenessProbe.timeoutSeconds }}
+          periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
+          failureThreshold: {{.Values.livenessProbe.failureThreshold }}
+        readinessProbe:
           httpGet:
             path: /healthz
             port: 80
-          failureThreshold: {{.Values.startupProbe.failureThreshold | default 1}}
-          periodSeconds: {{ .Values.startupProbe.periodSeconds | default 30}}
-{{- end }}
+          {{- with .Values.readinessProbe.initialDelaySeconds}}
+          initialDelaySeconds: {{ . }}
+          {{- end }}
+          timeoutSeconds: {{.Values.readinessProbe.timeoutSeconds }}
+          periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+          failureThreshold: {{.Values.readinessProbe.failureThreshold }}
         resources:
 {{ toYaml .Values.resources | indent 10 }}
         volumeMounts:

diff --git a/charts/rancher/tests/deployment_test.yaml b/charts/rancher/tests/deployment_test.yaml
@@ -349,26 +349,36 @@ tests:
     - equal:
         path: spec.template.spec.priorityClassName
         value: "rancher-critical"
-- it: should default livenessProbe initialDelaySeconds to 60
+- it: should not set a livenessProbe initialDelaySeconds by default
   asserts:
-    - equal:
+    - notExists:
         path: spec.template.spec.containers[0].livenessProbe.initialDelaySeconds
-        value: 60
-- it: should default livenessProbe periodSeconds to 30
+- it: should set livenessProbe periodSeconds defaults
   asserts:
     - equal:
         path: spec.template.spec.containers[0].livenessProbe.periodSeconds
         value: 30
-- it: should default readinessProbe initialDelaySeconds to 5
-  asserts:
     - equal:
-        path: spec.template.spec.containers[0].readinessProbe.initialDelaySeconds
+        path: spec.template.spec.containers[0].livenessProbe.timeoutSeconds
         value: 5
-- it: should default readinessProbe periodSeconds to 30
+    - equal:
+        path: spec.template.spec.containers[0].livenessProbe.failureThreshold
+        value: 5
+- it: should not set readinessProbe initialDelaySeconds by default
+  asserts:
+    - notExists:
+        path: spec.template.spec.containers[0].readinessProbe.initialDelaySeconds
+- it: should set readinessProbe periodSeconds defaults
   asserts:
     - equal:
         path: spec.template.spec.containers[0].readinessProbe.periodSeconds
         value: 30
+    - equal:
+        path: spec.template.spec.containers[0].readinessProbe.timeoutSeconds
+        value: 5
+    - equal:
+        path: spec.template.spec.containers[0].readinessProbe.failureThreshold
+        value: 5
 - it: should set livenessProbe initialDelaySeconds to 90
   set:
     livenessProbe.initialDelaySeconds: 90
@@ -397,39 +407,141 @@ tests:
     - equal:
         path: spec.template.spec.containers[0].readinessProbe.periodSeconds
         value: 60
-- it: should set startupProbe periodSeconds to 60
-  set:
-    startupProbe.periodSeconds: 60
+- it: should always have a startupProbe
   asserts:
-    - equal:
-        path: spec.template.spec.containers[0].startupProbe.periodSeconds
-        value: 60
-    - equal:
-        path: spec.template.spec.containers[0].startupProbe.failureThreshold
-        value: 1
     - equal:
         path: spec.template.spec.containers[0].startupProbe.httpGet.port
         value: 80
     - equal:
         path: spec.template.spec.containers[0].startupProbe.httpGet.path
         value: /healthz
-- it: should set startupProbe failureThreshold to 10
+    - equal:
+        path: spec.template.spec.containers[0].startupProbe.timeoutSeconds
+        value: 5
+    - equal:
+        path: spec.template.spec.containers[0].startupProbe.failureThreshold
+        value: 12
+    - equal:
+        path: spec.template.spec.containers[0].startupProbe.periodSeconds
+        value: 10
+- it: allows configuring startupProbe values
   set:
+    startupProbe.timeoutSeconds: 2
     startupProbe.failureThreshold: 10
+    startupProbe.periodSeconds: 15
   asserts:
     - equal:
-        path: spec.template.spec.containers[0].startupProbe.periodSeconds
-        value: 30
+        path: spec.template.spec.containers[0].startupProbe.timeoutSeconds
+        value: 2
     - equal:
         path: spec.template.spec.containers[0].startupProbe.failureThreshold
         value: 10
     - equal:
-        path: spec.template.spec.containers[0].startupProbe.httpGet.port
-        value: 80
-    - equal:
-        path: spec.template.spec.containers[0].startupProbe.httpGet.path
-        value: /healthz
-- it: should not have startupProbe if no startupProbe fields set
-  asserts:
-    - isNull:
-        path: spec.template.spec.containers[0].startupProbe
+        path: spec.template.spec.containers[0].startupProbe.periodSeconds
+        value: 15
+- it: should add CATTLE_AGENT_TLS_MODE=strict to env and maintain default vars
+  set:
+    agentTLSMode: "strict"
+  asserts:
+    - contains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: CATTLE_AGENT_TLS_MODE
+          value: "strict"
+    - contains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: CATTLE_PEER_SERVICE
+          value: RELEASE-NAME-rancher
+    - contains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: CATTLE_NAMESPACE
+          value: NAMESPACE
+- it: should add CATTLE_AGENT_TLS_MODE=system-store to env and maintain default vars
+  set:
+    agentTLSMode: "system-store"
+  asserts:
+    - contains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: CATTLE_AGENT_TLS_MODE
+          value: "system-store"
+    - contains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: CATTLE_PEER_SERVICE
+          value: RELEASE-NAME-rancher
+    - contains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: CATTLE_NAMESPACE
+          value: NAMESPACE
+- it: should not add (null) CATTLE_AGENT_TLS_MODE to env and maintain default vars
+  set:
+    agentTLSMode: null
+  asserts:
+    - notContains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: CATTLE_AGENT_TLS_MODE
+          value: "strict"
+    - notContains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: CATTLE_AGENT_TLS_MODE
+          value: "system-store"
+    - notContains:
+            path: spec.template.spec.containers[0].env
+            content:
+              name: CATTLE_AGENT_TLS_MODE
+              value: ""
+    - notContains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: CATTLE_AGENT_TLS_MODE
+          value: null
+    - contains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: CATTLE_PEER_SERVICE
+          value: RELEASE-NAME-rancher
+    - contains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: CATTLE_NAMESPACE
+          value: NAMESPACE
+- it: should not add ("") CATTLE_AGENT_TLS_MODE to env and maintain default vars
+  set:
+    agentTLSMode: ""
+  asserts:
+    - notContains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: CATTLE_AGENT_TLS_MODE
+          value: "strict"
+    - notContains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: CATTLE_AGENT_TLS_MODE
+          value: "system-store"
+    - notContains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: CATTLE_AGENT_TLS_MODE
+          value: ""
+    - notContains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: CATTLE_AGENT_TLS_MODE
+          value: null
+    - contains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: CATTLE_PEER_SERVICE
+          value: RELEASE-NAME-rancher
+    - contains:
+        path: spec.template.spec.containers[0].env
+        content:
+          name: CATTLE_NAMESPACE
+          value: NAMESPACE
diff --git a/charts/rancher/values.schema.json b/charts/rancher/values.schema.json
@@ -0,0 +1,13 @@
+{
+    "$schema": "https://json-schema.org/draft-07/schema#",
+    "properties": {
+      "agentTLSMode": {
+        "type": ["string", "null"],
+        "enum": ["strict", "system-store", "", null],
+        "description": "agentTLSMode must be 'strict' or 'system-store' or null (defaults to system-store)"
+      }
+    },
+    "required": [],
+    "title": "Rancher Chart Values",
+    "type": "object"
+  }
diff --git a/charts/rancher/values.yaml b/charts/rancher/values.yaml
@@ -37,6 +37,11 @@ debug: false
 # When starting Rancher for the first time, bootstrap the admin as restricted-admin
 restrictedAdmin: false
 
+# Control how the Rancher agents validate TLS connections
+# Valid options: strict, or system-store
+# Note, for new installations empty will default to strict on 2.9+, or system-store on 2.8 or older
+agentTLSMode: ""
+
 # Extra environment variables passed to the rancher pods.
 # extraEnv:
 # - name: CATTLE_TLS_MIN_VERSION
@@ -158,7 +163,7 @@ postDelete:
   enabled: true
   image:
     repository: rancher/shell
-    tag: v0.1.24
+    tag: v0.1.26
   namespaceList:
     - cattle-fleet-system
     - cattle-system
@@ -171,12 +176,19 @@ postDelete:
 # Set a bootstrap password. If leave empty, a random password will be generated.
 bootstrapPassword: ""
 
+startupProbe:
+  ## should be ready within 2 minutes
+  timeoutSeconds: 5
+  periodSeconds: 10
+  failureThreshold: 12
 livenessProbe:
-  initialDelaySeconds: 60
+  timeoutSeconds: 5
   periodSeconds: 30
+  failureThreshold: 5
 readinessProbe:
-  initialDelaySeconds: 5
+  timeoutSeconds: 5
   periodSeconds: 30
+  failureThreshold: 5
 
 global:
   cattle: