diff --git a/assets/rancher-provisioning-capi/rancher-provisioning-capi-100.0.0+up0.0.1.tgz b/assets/rancher-provisioning-capi/rancher-provisioning-capi-100.0.0+up0.0.1.tgz
new file mode 100644
index 000000000..3a408e613
Binary files /dev/null and b/assets/rancher-provisioning-capi/rancher-provisioning-capi-100.0.0+up0.0.1.tgz differ
diff --git a/charts/rancher-provisioning-capi/100.0.0+up0.0.1/Chart.yaml b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/Chart.yaml
new file mode 100644
index 000000000..a9f2f7020
--- /dev/null
+++ b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/Chart.yaml
@@ -0,0 +1,22 @@
+annotations:
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/display-name: Rancher Provisioning CAPI Controller Manager
+ catalog.cattle.io/hidden: "true"
+ catalog.cattle.io/kube-version: '>=1.23.0-0'
+ catalog.cattle.io/namespace: cattle-provisioning-capi-system
+ catalog.cattle.io/os: linux
+ catalog.cattle.io/permits-os: linux,windows
+ catalog.cattle.io/provides-gvr: apps.deployment/v1
+ catalog.cattle.io/rancher-version: '>= 2.7.0-0'
+ catalog.cattle.io/release-name: rancher-provisioning-capi
+apiVersion: v1
+appVersion: 1.4.4
+description: capi-controller-manager compatible with Rancher Provisioning
+home: https://github.com/rancher/provisioning/blob/main/charts/capi/
+maintainers:
+- email: chris.kim@suse.com
+ name: Chris Kim
+name: rancher-provisioning-capi
+sources:
+- https://github.com/rancher/provisioning/blob/main/charts/capi/
+version: 100.0.0+up0.0.1
diff --git a/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/NOTES.txt b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/NOTES.txt
new file mode 100644
index 000000000..2070555e0
--- /dev/null
+++ b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/NOTES.txt
@@ -0,0 +1,2 @@
+{{ $.Chart.Name }} has been installed. Check its status by running:
+ kubectl --namespace {{ .Release.Namespace }} get pods"
\ No newline at end of file
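Review bot: The kubectl hint on the last line of NOTES.txt ends with an unbalanced double quote, `get pods"`, so the command Helm prints after install cannot be pasted into a shell as-is; the line should read `  kubectl --namespace {{ .Release.Namespace }} get pods`. The file also has no final newline, which the diff marks, and adding one keeps the notes from running into whatever Helm prints next.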
diff --git a/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/_helpers.tpl b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/_helpers.tpl
new file mode 100644
index 000000000..d46154c54
--- /dev/null
+++ b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/_helpers.tpl
@@ -0,0 +1,18 @@
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+ value: "linux"
+ effect: "NoSchedule"
+ operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux
+{{- end -}}
diff --git a/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/clusterrole-capi-aggregated-manager-role.yaml b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/clusterrole-capi-aggregated-manager-role.yaml
new file mode 100644
index 000000000..760c5f9a6
--- /dev/null
+++ b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/clusterrole-capi-aggregated-manager-role.yaml
@@ -0,0 +1,11 @@
+aggregationRule:
+ clusterRoleSelectors:
+ - matchLabels:
+ cluster.x-k8s.io/aggregate-to-manager: "true"
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ cluster.x-k8s.io/provider: cluster-api
+ name: capi-aggregated-manager-role
+rules: []
diff --git a/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/clusterrole-capi-manager-role.yaml b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/clusterrole-capi-manager-role.yaml
new file mode 100644
index 000000000..d3d02e51a
--- /dev/null
+++ b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/clusterrole-capi-manager-role.yaml
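Review bot: capi-aggregated-manager-role carries `rules: []`, so the permissions the capi-manager service account actually holds are the union of whichever ClusterRoles carry the `cluster.x-k8s.io/aggregate-to-manager: "true"` label, and this same chart feeds two wildcard roles in through that label from clusterrole-cattle.yaml. Someone auditing the ClusterRoleBinding will see an empty rule list and may conclude the controller is unprivileged, so the template deserves a header comment: `# Empty by design: the effective rules are aggregated from every ClusterRole labelled cluster.x-k8s.io/aggregate-to-manager=true (capi-manager-role, provisioning-rke-cattle-io and provisioning-rke-machine-cattle-io in this chart, plus anything else in the cluster with that label).`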
@@ -0,0 +1,323 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ cluster.x-k8s.io/aggregate-to-manager: "true"
+ cluster.x-k8s.io/provider: cluster-api
+ name: capi-manager-role
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - addons.cluster.x-k8s.io
+ resources:
+ - '*'
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - addons.cluster.x-k8s.io
+ resources:
+ - clusterresourcesets/finalizers
+ - clusterresourcesets/status
+ verbs:
+ - get
+ - patch
+ - update
+ - apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - bootstrap.cluster.x-k8s.io
+ - controlplane.cluster.x-k8s.io
+ - infrastructure.cluster.x-k8s.io
+ resources:
+ - '*'
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - bootstrap.cluster.x-k8s.io
+ - infrastructure.cluster.x-k8s.io
+ resources:
+ - '*'
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - cluster.x-k8s.io
+ resources:
+ - clusterclasses
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - cluster.x-k8s.io
+ resources:
+ - clusterclasses
+ - clusterclasses/status
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - cluster.x-k8s.io
+ resources:
+ - clusters
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - cluster.x-k8s.io
+ resources:
+ - clusters
+ - clusters/finalizers
+ - clusters/status
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - cluster.x-k8s.io
+ resources:
+ - clusters
+ - clusters/status
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - cluster.x-k8s.io
+ resources:
+ - machinedeployments
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - cluster.x-k8s.io
+ resources:
+ - machinedeployments
+ - machinedeployments/finalizers
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - cluster.x-k8s.io
+ resources:
+ - machinedeployments
+ - machinedeployments/finalizers
+ - machinedeployments/status
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - cluster.x-k8s.io
+ resources:
+ - machinehealthchecks
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - cluster.x-k8s.io
+ resources:
+ - machinehealthchecks
+ - machinehealthchecks/finalizers
+ - machinehealthchecks/status
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - cluster.x-k8s.io
+ resources:
+ - machinepools
+ - machinepools/finalizers
+ - machinepools/status
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - cluster.x-k8s.io
+ resources:
+ - machines
+ - machines/finalizers
+ - machines/status
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - cluster.x-k8s.io
+ resources:
+ - machines
+ - machines/status
+ verbs:
+ - delete
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - cluster.x-k8s.io
+ resources:
+ - machinesets
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - cluster.x-k8s.io
+ resources:
+ - machinesets
+ - machinesets/finalizers
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - cluster.x-k8s.io
+ resources:
+ - machinesets
+ - machinesets/finalizers
+ - machinesets/status
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - patch
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - get
+ - list
+ - patch
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - watch
+ - apiGroups:
+ - ipam.cluster.x-k8s.io
+ resources:
+ - ipaddressclaims
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - runtime.cluster.x-k8s.io
+ resources:
+ - extensionconfigs
+ - extensionconfigs/status
+ verbs:
+ - get
+ - list
+ - patch
+ - update
+ - watch
diff --git a/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/clusterrole-cattle.yaml b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/clusterrole-cattle.yaml
new file mode 100644
index 000000000..5beeafdda
--- /dev/null
+++ b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/clusterrole-cattle.yaml
@@ -0,0 +1,21 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: provisioning-rke-cattle-io
+ labels:
+ cluster.x-k8s.io/aggregate-to-manager: "true"
+rules:
+ - apiGroups: ["rke.cattle.io"]
+ resources: ["*"]
+ verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: provisioning-rke-machine-cattle-io
+ labels:
+ cluster.x-k8s.io/aggregate-to-manager: "true"
+rules:
+ - apiGroups: ["rke-machine.cattle.io"]
+ resources: ["*"]
+ verbs: ["*"]
diff --git a/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/clusterrolebinding-capi-manager-rolebinding.yaml b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/clusterrolebinding-capi-manager-rolebinding.yaml
new file mode 100644
index 000000000..2fb193d4a
--- /dev/null
+++ b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/clusterrolebinding-capi-manager-rolebinding.yaml
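Review bot: capi-manager-role grants create/delete/get/list/patch/watch on Secrets and create/delete/patch/update on Nodes in every namespace, so the capi-manager token is effectively a cluster-wide Secret reader; that is inherent to the cluster-api manager, but nothing in the template tells a reader this is a copy of upstream rather than something to trim by hand. The repeated, overlapping rules for `clusters` and `machinedeployments` look like generated kubebuilder output, which supports that reading. A header comment pinning the origin lets the next appVersion bump be reviewed as a diff against upstream instead of from scratch: `# Mirrors the upstream cluster-api manager ClusterRole for the appVersion in Chart.yaml; do not hand-trim, re-diff against upstream on every bump.` The aggregate-to-manager label on this role also means it reaches the service account through capi-aggregated-manager-role, not through a direct binding, which is worth a second line of that comment.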
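Review bot: Both rules in clusterrole-cattle.yaml use `resources: ["*"]` with `verbs: ["*"]`, so the aggregated manager role gains every current and future verb, including deletecollection, on every resource and subresource of rke.cattle.io and rke-machine.cattle.io. If full control of these Rancher-owned groups is required, say so in the template so it is not re-flagged on every audit: `# Wildcard on purpose: the CAPI manager must read and write every rke.cattle.io kind Rancher provisioning creates; enumerating them here would drift from Rancher.` If it is not, swapping `verbs: ["*"]` for the same seven-verb list the upstream rules above use, `["create", "delete", "get", "list", "patch", "update", "watch"]`, drops deletecollection and any verb added later without changing what the controller does today.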
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ cluster.x-k8s.io/provider: cluster-api
+ name: capi-manager-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: capi-aggregated-manager-role
+subjects:
+ - kind: ServiceAccount
+ name: capi-manager
+ namespace: "{{ .Release.Namespace }}"
diff --git a/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/deployment-capi-controller-manager.yaml b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/deployment-capi-controller-manager.yaml
new file mode 100644
index 000000000..edfd66fd7
--- /dev/null
+++ b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/deployment-capi-controller-manager.yaml
@@ -0,0 +1,106 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ cluster.x-k8s.io/provider: cluster-api
+ control-plane: controller-manager
+ name: capi-controller-manager
+ namespace: "{{ .Release.Namespace }}"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ cluster.x-k8s.io/provider: cluster-api
+ control-plane: controller-manager
+ template:
+ metadata:
+ labels:
+ cluster.x-k8s.io/provider: cluster-api
+ control-plane: controller-manager
+ spec:
+ containers:
+ - command:
+ - /manager
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_UID
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.uid
+{{- if .Values.extraEnv }}
+{{ toYaml .Values.extraEnv | indent 12 }}
+{{- end }}
+ imagePullPolicy: "{{ .Values.image.imagePullPolicy }}"
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: healthz
+ name: manager
+ ports:
+ - containerPort: 9443
+ name: webhook-server
+ protocol: TCP
+ - containerPort: 9440
+ name: healthz
+ protocol: TCP
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: healthz
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ runAsGroup: 65532
+ runAsUser: 65532
+ volumeMounts:
+ - mountPath: /tmp/k8s-webhook-server/serving-certs
+ name: cert
+ readOnly: true
+ image: '{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}'
+ args:
+ - --leader-elect
+{{ toYaml .Values.args | indent 12 }}
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+ serviceAccountName: capi-manager
+ terminationGracePeriodSeconds: 10
+ volumes:
+ - name: cert
+ secret:
+ secretName: capi-webhook-service-cert
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+ {{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+ {{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 6 }}
+ {{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 6 }}
+ {{- else }}
+ - effect: NoSchedule
+ key: node-role.kubernetes.io/controlplane
+ value: "true"
+ - effect: NoSchedule
+ key: "node-role.kubernetes.io/control-plane"
+ operator: "Exists"
+ - effect: NoSchedule
+ key: "node-role.kubernetes.io/master"
+ operator: "Exists"
+ - effect: "NoExecute"
+ key: "node-role.kubernetes.io/etcd"
+ operator: "Exists"
+ {{- end }}
+ {{- if .Values.priorityClassName }}
+ priorityClassName: "{{.Values.priorityClassName}}"
+ {{- end }}
diff --git a/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/hardened.yaml b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/hardened.yaml
new file mode 100644
index 000000000..c56951b43
--- /dev/null
+++ b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/hardened.yaml
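Review bot: `{{ toYaml .Values.args | indent 12 }}` under `args:` is not guarded the way `extraEnv` is a few lines above it, so an operator who sets `args: []` in values gets a bare `[]` rendered after `- --leader-elect` and the Deployment fails to parse; wrap it the same way: `{{- with .Values.args }}` / `{{ toYaml . | indent 12 }}` / `{{- end }}`. On hardening, the container already drops all capabilities, forbids privilege escalation and runs as 65532 under a RuntimeDefault seccomp profile, but its root filesystem stays writable; the only mount is the read-only cert volume, so `readOnlyRootFilesystem: true` looks safe to add to the container securityContext — confirm first that /manager writes nothing to disk.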
@@ -0,0 +1,81 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: rancher-provisioning-capi-patch-sa
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: rancher-provisioning-capi-patch-sa
+ annotations:
+ "helm.sh/hook": post-install, post-upgrade
+ "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+spec:
+ template:
+ metadata:
+ name: rancher-provisioning-capi-patch-sa
+ labels:
+ app: rancher-provisioning-capi-patch-sa
+ spec:
+ serviceAccountName: rancher-provisioning-capi-patch-sa
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ restartPolicy: Never
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+ containers:
+ - name: patch-sa-{{ .Release.Namespace }}
+ image: {{ template "system_default_registry" $ }}{{ $.Values.global.kubectl.repository }}:{{ $.Values.global.kubectl.tag }}
+ imagePullPolicy: {{ $.Values.global.kubectl.pullPolicy }}
+ command: ["kubectl", "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"]
+ args: ["-n", "{{ .Release.Namespace }}"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: rancher-provisioning-capi-patch-sa
+ labels:
+ app: rancher-provisioning-capi-patch-sa
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - serviceaccounts
+ verbs: ['get', 'patch']
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: rancher-provisioning-capi-patch-sa
+ labels:
+ app: rancher-provisioning-capi-patch-sa
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: rancher-provisioning-capi-patch-sa
+subjects:
+ - kind: ServiceAccount
+ name: rancher-provisioning-capi-patch-sa
+ namespace: {{ .Release.Namespace }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: rancher-provisioning-capi-patch-sa
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app: rancher-provisioning-capi-patch-sa
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-allow-all
+ namespace: {{ .Release.Namespace }}
+spec:
+ podSelector: {}
+ ingress:
+ - {}
+ egress:
+ - {}
+ policyTypes:
+ - Ingress
+ - Egress
diff --git a/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/role-capi-leader-election-role.yaml b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/role-capi-leader-election-role.yaml
new file mode 100644
index 000000000..d1b53aafc
--- /dev/null
+++ b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/role-capi-leader-election-role.yaml
@@ -0,0 +1,26 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ labels:
+ cluster.x-k8s.io/provider: cluster-api
+ name: capi-leader-election-role
+ namespace: "{{ .Release.Namespace }}"
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
diff --git a/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/rolebinding-capi-leader-election-rolebinding.yaml b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/rolebinding-capi-leader-election-rolebinding.yaml
new file mode 100644
index 000000000..28c91de65
--- /dev/null
+++ b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/rolebinding-capi-leader-election-rolebinding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ cluster.x-k8s.io/provider: cluster-api
+ name: capi-leader-election-rolebinding
+ namespace: "{{ .Release.Namespace }}"
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: capi-leader-election-role
+subjects:
+ - kind: ServiceAccount
+ name: capi-manager
+ namespace: "{{ .Release.Namespace }}"
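Review bot: The rancher-provisioning-capi-patch-sa ClusterRole lets the hook's service account get and patch ServiceAccounts in every namespace, while the Job's `command`/`args` only ever patch `default` in `{{ .Release.Namespace }}`; a namespaced Role restricted with `resourceNames` plus a RoleBinding gives the hook exactly what it uses, and nothing else in the hunk depends on the cluster-wide grant. The hook-delete-policy already removes the Job on success, so the over-broad role is the only long-lived part of this grant. Separately, the `default-allow-all` NetworkPolicy selects every pod and allows all ingress and egress; it makes "namespace has a NetworkPolicy" checks pass but isolates nothing, which deserves a comment so the filename is not read as a hardening claim: `# Permissive by design: present so that CIS-style checks see a NetworkPolicy in this namespace; it restricts no traffic.`
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: rancher-provisioning-capi-patch-sa
  namespace: {{ .Release.Namespace }}
  labels:
    app: rancher-provisioning-capi-patch-sa
rules:
  - apiGroups:
      - ""
    resources:
      - serviceaccounts
    resourceNames:
      - default
    verbs: ['get', 'patch']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: rancher-provisioning-capi-patch-sa
  namespace: {{ .Release.Namespace }}
  labels:
    app: rancher-provisioning-capi-patch-sa
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: rancher-provisioning-capi-patch-sa
subjects:
  - kind: ServiceAccount
    name: rancher-provisioning-capi-patch-sa
    namespace: {{ .Release.Namespace }}
# … unchanged: Job, ServiceAccount, NetworkPolicy …
```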
diff --git a/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/service-capi-webhook-service.yaml b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/service-capi-webhook-service.yaml
new file mode 100644
index 000000000..109b368d4
--- /dev/null
+++ b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/service-capi-webhook-service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ cluster.x-k8s.io/provider: cluster-api
+ name: capi-webhook-service
+ namespace: "{{ .Release.Namespace }}"
+ annotations:
+ need-a-cert.cattle.io/secret-name: capi-webhook-service-cert
+spec:
+ ports:
+ - port: 443
+ targetPort: webhook-server
+ selector:
+ cluster.x-k8s.io/provider: cluster-api
diff --git a/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/serviceaccount-capi-manager.yaml b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/serviceaccount-capi-manager.yaml
new file mode 100644
index 000000000..afba51620
--- /dev/null
+++ b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/templates/serviceaccount-capi-manager.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ cluster.x-k8s.io/provider: cluster-api
+ name: capi-manager
+ namespace: "{{ .Release.Namespace }}"
diff --git a/charts/rancher-provisioning-capi/100.0.0+up0.0.1/values.yaml b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/values.yaml
new file mode 100644
index 000000000..0be412e18
--- /dev/null
+++ b/charts/rancher-provisioning-capi/100.0.0+up0.0.1/values.yaml
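Review bot: capi-webhook-service selects on `cluster.x-k8s.io/provider: cluster-api` alone, whereas the Deployment's pods are selected on that label together with `control-plane: controller-manager`; any other pod in the namespace that gains the provider label becomes a backend for the 443 endpoint whose certificate is issued into capi-webhook-service-cert, i.e. for whatever admission traffic is pointed at this Service. Adding the second label under `selector:`, `control-plane: controller-manager`, pins the Service to the controller-manager pods and should not change behaviour, since those pods already carry both labels. If the selector is kept identical to upstream on purpose, a one-line comment saying so would stop this from being re-raised.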
@@ -0,0 +1,25 @@
+image:
+ repository: rancher/mirrored-cluster-api-controller
+ tag: v1.4.4
+ imagePullPolicy: IfNotPresent
+
+global:
+ cattle:
+ systemDefaultRegistry: ""
+ kubectl:
+ repository: rancher/kubectl
+ tag: v1.20.2
+ pullPolicy: IfNotPresent
+
+# tolerations for the capi-controller-manager deployment. See https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ for more info
+tolerations: []
+
+nodeSelector: {}
+
+## PriorityClassName assigned to deployment.
+priorityClassName: ""
+
+extraEnv: []
+args:
+ - "--metrics-bind-addr=localhost:8080"
+ - "--feature-gates=MachinePool=false,ClusterResourceSet=false,ClusterTopology=false,RuntimeSDK=false,LazyRestmapper=false"
diff --git a/index.yaml b/index.yaml
index 0577b0821..94237c592 100755
--- a/index.yaml
+++ b/index.yaml
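Review bot: `global.kubectl.tag: v1.20.2` pins the hardening hook's image three minor versions below the `kube-version: '>=1.23.0-0'` floor that Chart.yaml declares, which is outside the documented one-minor-version kubectl skew policy and a long-unmaintained image line; the hook only runs `kubectl patch serviceaccount`, so it will likely keep working, but the tag should track a kubectl that is still receiving fixes. The `args` list also carries the security-relevant knob of this chart, the feature-gates string keeping RuntimeSDK, ClusterTopology, ClusterResourceSet and MachinePool off, and deserves a comment above it: `# Optional CAPI features are deliberately disabled; enabling a gate widens what the controller reconciles and should be reviewed with the RBAC in templates/.`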
@@ -14164,6 +14164,32 @@ entries:
 urls:
 - assets/rancher-provisioning-capi/rancher-provisioning-capi-103.0.0+up0.0.1.tgz
 version: 103.0.0+up0.0.1
+ - annotations:
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/display-name: Rancher Provisioning CAPI Controller Manager
+ catalog.cattle.io/hidden: "true"
+ catalog.cattle.io/kube-version: '>=1.23.0-0'
+ catalog.cattle.io/namespace: cattle-provisioning-capi-system
+ catalog.cattle.io/os: linux
+ catalog.cattle.io/permits-os: linux,windows
+ catalog.cattle.io/provides-gvr: apps.deployment/v1
+ catalog.cattle.io/rancher-version: '>= 2.7.0-0'
+ catalog.cattle.io/release-name: rancher-provisioning-capi
+ apiVersion: v1
+ appVersion: 1.4.4
+ created: "2023-09-21T15:20:40.064263-07:00"
+ description: capi-controller-manager compatible with Rancher Provisioning
+ digest: 40721dd822b35c4e8c8de0117f0989334a5dd4b19dfb274f6ffd52f8bb8fd7f0
+ home: https://github.com/rancher/provisioning/blob/main/charts/capi/
+ maintainers:
+ - email: chris.kim@suse.com
+ name: Chris Kim
+ name: rancher-provisioning-capi
+ sources:
+ - https://github.com/rancher/provisioning/blob/main/charts/capi/
+ urls:
+ - assets/rancher-provisioning-capi/rancher-provisioning-capi-100.0.0+up0.0.1.tgz
+ version: 100.0.0+up0.0.1
 rancher-pushprox:
 - annotations:
 catalog.cattle.io/hidden: "true"
diff --git a/release.yaml b/release.yaml
index 4a79009d4..f6cd97dd6 100644
--- a/release.yaml
+++ b/release.yaml
@@ -19,6 +19,7 @@ fleet-crd:
 - 103.1.0+up0.9.0-rc.1
 rancher-provisioning-capi:
 - 103.0.0+up0.0.1
+ - 100.0.0+up0.0.1
 rancher-webhook:
 - 103.0.0+up0.4.0-rc7
 rancher-aks-operator: