diff --git a/README.md b/README.md
index d0f87c4..334bf26 100644
--- a/README.md
+++ b/README.md
@@ -6,7 +6,7 @@ NAME CHART VERSION APP VERSION DESCRIPTION
carbide-charts/airgapped-docs 0.1.51 0.1.6 Rancher Government Airgapped Docs
carbide-charts/heimdall2 0.1.45 0.1.1 Rancher Government Heimdall2 Tool
-carbide-charts/rancher 2.8.5 v2.8.5 Install Rancher Server to manage Kubernetes...
+carbide-charts/rancher 2.8.6 v2.8.6 Install Rancher Server to manage Kubernetes...
carbide-charts/stigatron 0.2.5 0.2.2 Rancher Government Stigatron Extension
carbide-charts/stigatron-ui 0.2.3 0.2.0 Rancher Government Stigatron UI Extension
```
diff --git a/charts/rancher/Chart.yaml b/charts/rancher/Chart.yaml
index 408bdca..90b3213 100644
--- a/charts/rancher/Chart.yaml
+++ b/charts/rancher/Chart.yaml
@@ -1,9 +1,9 @@
apiVersion: v2
name: rancher
description: Install Rancher Server to manage Kubernetes clusters across providers
-version: 2.7.15
-appVersion: v2.7.15
-kubeVersion: < 1.28.0-0
+version: 2.8.6
+appVersion: v2.8.6
+kubeVersion: < 1.29.0-0
home: https://rancher.com
icon: https://github.com/rancher/ui/blob/master/public/assets/images/logos/welcome-cow.svg
keywords:
diff --git a/charts/rancher/templates/deployment.yaml b/charts/rancher/templates/deployment.yaml
index 0246eae..05e20db 100644
--- a/charts/rancher/templates/deployment.yaml
+++ b/charts/rancher/templates/deployment.yaml
@@ -154,29 +154,40 @@ spec:
name: "bootstrap-secret"
key: "bootstrapPassword"
{{- end }}
+{{- if .Values.agentTLSMode }}
+ - name: CATTLE_AGENT_TLS_MODE
+ value: "{{ .Values.agentTLSMode }}"
+{{- end }}
{{- if .Values.extraEnv }}
{{ toYaml .Values.extraEnv | indent 8}}
{{- end }}
- livenessProbe:
+ startupProbe:
httpGet:
path: /healthz
port: 80
- initialDelaySeconds: {{.Values.livenessProbe.initialDelaySeconds | default 60 }}
- periodSeconds: {{ .Values.livenessProbe.periodSeconds | default 30 }}
- readinessProbe:
+ timeoutSeconds: {{ .Values.startupProbe.timeoutSeconds }}
+ failureThreshold: {{ .Values.startupProbe.failureThreshold }}
+ periodSeconds: {{ .Values.startupProbe.periodSeconds }}
+ livenessProbe:
httpGet:
path: /healthz
port: 80
- initialDelaySeconds: {{.Values.readinessProbe.initialDelaySeconds | default 5}}
- periodSeconds: {{ .Values.readinessProbe.periodSeconds | default 30}}
-{{- if .Values.startupProbe }}
- startupProbe:
+ {{- with .Values.livenessProbe.initialDelaySeconds}}
+ initialDelaySeconds: {{ . }}
+ {{- end }}
+ timeoutSeconds: {{.Values.livenessProbe.timeoutSeconds }}
+ periodSeconds: {{ .Values.livenessProbe.periodSeconds }}
+ failureThreshold: {{.Values.livenessProbe.failureThreshold }}
+ readinessProbe:
httpGet:
path: /healthz
port: 80
- failureThreshold: {{.Values.startupProbe.failureThreshold | default 1}}
- periodSeconds: {{ .Values.startupProbe.periodSeconds | default 30}}
-{{- end }}
+ {{- with .Values.readinessProbe.initialDelaySeconds}}
+ initialDelaySeconds: {{ . }}
+ {{- end }}
+ timeoutSeconds: {{.Values.readinessProbe.timeoutSeconds }}
+ periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+ failureThreshold: {{.Values.readinessProbe.failureThreshold }}
resources:
{{ toYaml .Values.resources | indent 10 }}
volumeMounts:
diff --git a/charts/rancher/tests/deployment_test.yaml b/charts/rancher/tests/deployment_test.yaml
index 9831ad0..3b363cc 100644
--- a/charts/rancher/tests/deployment_test.yaml
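Review bot: The new `CATTLE_AGENT_TLS_MODE` entry is rendered immediately before `{{ toYaml .Values.extraEnv }}`, so an `extraEnv` item with the same name lands as a later duplicate in the container env that values.schema.json never validates; as far as I know the kubelet lets the later duplicate win, which would silently bypass the `strict`/`system-store` enum this commit adds. Suggest failing the render when both are present (below), or at least a values.yaml note `# Set agentTLSMode rather than an extraEnv CATTLE_AGENT_TLS_MODE entry; only the former is schema-validated`. Separately, the probe fields no longer carry `| default` fallbacks, so nulling a key (`--set livenessProbe.timeoutSeconds=null`) now renders an empty scalar that the API server treats as unset instead of failing loudly; a comment on the three probe maps saying they must stay fully populated would help. The container spec this hunk edits begins and ends outside the hunk.
```yaml
{{- range .Values.extraEnv }}
{{- if eq (.name | default "") "CATTLE_AGENT_TLS_MODE" }}
{{- fail "set agentTLSMode instead of an extraEnv CATTLE_AGENT_TLS_MODE entry" }}
{{- end }}
{{- end }}
{{- if .Values.agentTLSMode }}
# … unchanged: CATTLE_AGENT_TLS_MODE env entry, extraEnv, probes …
```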
+++ b/charts/rancher/tests/deployment_test.yaml
@@ -349,26 +349,36 @@ tests:
- equal:
path: spec.template.spec.priorityClassName
value: "rancher-critical"
-- it: should default livenessProbe initialDelaySeconds to 60
+- it: should not set a livenessProbe initialDelaySeconds by default
asserts:
- - equal:
+ - notExists:
path: spec.template.spec.containers[0].livenessProbe.initialDelaySeconds
- value: 60
-- it: should default livenessProbe periodSeconds to 30
+- it: should set livenessProbe periodSeconds defaults
asserts:
- equal:
path: spec.template.spec.containers[0].livenessProbe.periodSeconds
value: 30
-- it: should default readinessProbe initialDelaySeconds to 5
- asserts:
- equal:
- path: spec.template.spec.containers[0].readinessProbe.initialDelaySeconds
+ path: spec.template.spec.containers[0].livenessProbe.timeoutSeconds
value: 5
-- it: should default readinessProbe periodSeconds to 30
+ - equal:
+ path: spec.template.spec.containers[0].livenessProbe.failureThreshold
+ value: 5
+- it: should not set readinessProbe initialDelaySeconds by default
+ asserts:
+ - notExists:
+ path: spec.template.spec.containers[0].readinessProbe.initialDelaySeconds
+- it: should set readinessProbe periodSeconds defaults
asserts:
- equal:
path: spec.template.spec.containers[0].readinessProbe.periodSeconds
value: 30
+ - equal:
+ path: spec.template.spec.containers[0].readinessProbe.timeoutSeconds
+ value: 5
+ - equal:
+ path: spec.template.spec.containers[0].readinessProbe.failureThreshold
+ value: 5
- it: should set livenessProbe initialDelaySeconds to 90
set:
livenessProbe.initialDelaySeconds: 90
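Review bot: The renamed cases `should set livenessProbe periodSeconds defaults` and `should set readinessProbe periodSeconds defaults` now also assert `timeoutSeconds` and `failureThreshold`, so the name understates what a failure in the unittest output means. `- it: should set livenessProbe defaults` and `- it: should set readinessProbe defaults` describe the new asserts accurately. The `tests:` list this hunk edits continues outside the hunk on both sides.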
@@ -397,39 +407,141 @@ tests:
- equal:
path: spec.template.spec.containers[0].readinessProbe.periodSeconds
value: 60
-- it: should set startupProbe periodSeconds to 60
- set:
- startupProbe.periodSeconds: 60
+- it: should always have a startupProbe
asserts:
- - equal:
- path: spec.template.spec.containers[0].startupProbe.periodSeconds
- value: 60
- - equal:
- path: spec.template.spec.containers[0].startupProbe.failureThreshold
- value: 1
- equal:
path: spec.template.spec.containers[0].startupProbe.httpGet.port
value: 80
- equal:
path: spec.template.spec.containers[0].startupProbe.httpGet.path
value: /healthz
-- it: should set startupProbe failureThreshold to 10
+ - equal:
+ path: spec.template.spec.containers[0].startupProbe.timeoutSeconds
+ value: 5
+ - equal:
+ path: spec.template.spec.containers[0].startupProbe.failureThreshold
+ value: 12
+ - equal:
+ path: spec.template.spec.containers[0].startupProbe.periodSeconds
+ value: 10
+- it: allows configuring startupProbe values
set:
+ startupProbe.timeoutSeconds: 2
startupProbe.failureThreshold: 10
+ startupProbe.periodSeconds: 15
asserts:
- equal:
- path: spec.template.spec.containers[0].startupProbe.periodSeconds
- value: 30
+ path: spec.template.spec.containers[0].startupProbe.timeoutSeconds
+ value: 2
- equal:
path: spec.template.spec.containers[0].startupProbe.failureThreshold
value: 10
- equal:
- path: spec.template.spec.containers[0].startupProbe.httpGet.port
- value: 80
- - equal:
- path: spec.template.spec.containers[0].startupProbe.httpGet.path
- value: /healthz
-- it: should not have startupProbe if no startupProbe fields set
- asserts:
- - isNull:
- path: spec.template.spec.containers[0].startupProbe
+ path: spec.template.spec.containers[0].startupProbe.periodSeconds
+ value: 15
+- it: should add CATTLE_AGENT_TLS_MODE=strict to env and maintain default vars
+ set:
+ agentTLSMode: "strict"
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: CATTLE_AGENT_TLS_MODE
+ value: "strict"
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: CATTLE_PEER_SERVICE
+ value: RELEASE-NAME-rancher
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: CATTLE_NAMESPACE
+ value: NAMESPACE
+- it: should add CATTLE_AGENT_TLS_MODE=system-store to env and maintain default vars
+ set:
+ agentTLSMode: "system-store"
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: CATTLE_AGENT_TLS_MODE
+ value: "system-store"
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: CATTLE_PEER_SERVICE
+ value: RELEASE-NAME-rancher
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: CATTLE_NAMESPACE
+ value: NAMESPACE
+- it: should not add (null) CATTLE_AGENT_TLS_MODE to env and maintain default vars
+ set:
+ agentTLSMode: null
+ asserts:
+ - notContains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: CATTLE_AGENT_TLS_MODE
+ value: "strict"
+ - notContains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: CATTLE_AGENT_TLS_MODE
+ value: "system-store"
+ - notContains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: CATTLE_AGENT_TLS_MODE
+ value: ""
+ - notContains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: CATTLE_AGENT_TLS_MODE
+ value: null
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: CATTLE_PEER_SERVICE
+ value: RELEASE-NAME-rancher
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: CATTLE_NAMESPACE
+ value: NAMESPACE
+- it: should not add ("") CATTLE_AGENT_TLS_MODE to env and maintain default vars
+ set:
+ agentTLSMode: ""
+ asserts:
+ - notContains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: CATTLE_AGENT_TLS_MODE
+ value: "strict"
+ - notContains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: CATTLE_AGENT_TLS_MODE
+ value: "system-store"
+ - notContains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: CATTLE_AGENT_TLS_MODE
+ value: ""
+ - notContains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: CATTLE_AGENT_TLS_MODE
+ value: null
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: CATTLE_PEER_SERVICE
+ value: RELEASE-NAME-rancher
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: CATTLE_NAMESPACE
+ value: NAMESPACE
\ No newline at end of file
diff --git a/charts/rancher/values.schema.json b/charts/rancher/values.schema.json
new file mode 100644
index 0000000..dbbfa62
--- /dev/null
+++ b/charts/rancher/values.schema.json
@@ -0,0 +1,13 @@
+{
+ "$schema": "https://json-schema.org/draft-07/schema#",
+ "properties": {
+ "agentTLSMode": {
+ "type": ["string", "null"],
+ "enum": ["strict", "system-store", "", null],
+ "description": "agentTLSMode must be 'strict' or 'system-store' or null (defaults to system-store)"
+ },
+ },
+ "required": [],
+ "title": "Rancher Chart Values",
+ "type": "object"
+ }
\ No newline at end of file
diff --git a/charts/rancher/values.yaml b/charts/rancher/values.yaml
index 1f26b7f..218663b 100644
--- a/charts/rancher/values.yaml
+++ b/charts/rancher/values.yaml
@@ -37,6 +37,11 @@ debug: false
# When starting Rancher for the first time, bootstrap the admin as restricted-admin
restrictedAdmin: false
+# Control how the Rancher agents validate TLS connections
+# Valid options: strict, or system-store
+# Note, for new installations empty will default to strict on 2.9+, or system-store on 2.8 or older
+agentTLSMode: ""
+
# Extra environment variables passed to the rancher pods.
# extraEnv:
# - name: CATTLE_TLS_MIN_VERSION
@@ -158,7 +163,7 @@ postDelete:
enabled: true
image:
repository: rancher/shell
- tag: v0.1.24
+ tag: v0.1.26
namespaceList:
- cattle-fleet-system
- cattle-system
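Review bot: None of the new cases sends a value outside the enum (for example `insecure`, or `Strict` in a different case), so a later edit that loosens or deletes values.schema.json would pass this suite unnoticed; if the unittest runner validates the schema, a `- it: rejects an unsupported agentTLSMode` case with `set: {agentTLSMode: insecure}` and a `failedTemplate` assert closes that gap, and if it does not, a comment beside the null and `""` cases should say the enum is not exercised here. The four `notContains` variants in those two cases only prove four specific values are absent; a single partial-match `notContains` on `name: CATTLE_AGENT_TLS_MODE` (`any: true`, if the helm-unittest version in use supports it) states the intent directly. The file also ends without a trailing newline.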
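Review bot: The `description` says an unset value "defaults to system-store", while the values.yaml comment added in this same commit says empty means strict on 2.9+ and system-store on 2.8 or older, so one of the two is wrong as soon as the chart tracks 2.9. Suggest `"description": "agentTLSMode must be 'strict', 'system-store', '' or null; empty leaves Rancher's version default in place (system-store on 2.8, strict on 2.9+)"`. The file also ends without a trailing newline, which the diff flags.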
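Review bot: The new comment lists the two modes but not what each one trusts, which is what an operator needs to choose safely; as I understand Rancher's agent TLS mode, `strict` makes agents accept only the CA Rancher publishes while `system-store` also accepts any CA in the node's OS trust store, so strict is the hardened setting and an empty value inherits whatever default the running Rancher version applies, which flips on the 2.9 upgrade. Suggest replacing the three comment lines with ones that say so, e.g. `# strict: agents trust only Rancher's published CA; system-store: agents also trust the node's OS trust store` and `# Empty = Rancher's version default (system-store on 2.8, strict on 2.9+); set it explicitly so an upgrade does not change it`. Since the template only emits the env var when this key is non-empty, `""` and `null` behave identically, which is worth stating here as well.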
@@ -171,12 +176,19 @@ postDelete:
# Set a bootstrap password. If leave empty, a random password will be generated.
bootstrapPassword: ""
+startupProbe:
+ ## should be ready within 2 minutes
+ timeoutSeconds: 5
+ periodSeconds: 10
+ failureThreshold: 12
livenessProbe:
- initialDelaySeconds: 60
+ timeoutSeconds: 5
periodSeconds: 30
+ failureThreshold: 5
readinessProbe:
- initialDelaySeconds: 5
+ timeoutSeconds: 5
periodSeconds: 30
+ failureThreshold: 5
global:
cattle:
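Review bot: `startupProbe.failureThreshold: 12` with `periodSeconds: 10` gives the server 120 s to answer `/healthz`, and because the startup probe is now always rendered, a pod that misses that window is restarted in a loop, whereas before this change the default was only a 60 s liveness delay and no startup probe; on a slow or air-gapped first boot that is a behaviour change operators should be warned about. The comment `## should be ready within 2 minutes` states the budget but not the consequence or the knob; suggest `## 12 x 10s = 120s before the kubelet restarts the pod; raise failureThreshold on slow or air-gapped clusters`. The `global:` map at the end of the hunk continues outside it.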