From 4f6845e3949e1a5e9e454bfbe1b963debafb3472 Mon Sep 17 00:00:00 2001 From: Rayan Das Date: Mon, 26 Sep 2022 17:18:27 +0530 Subject: [PATCH] make charts PACKAGE=rancher-windows-upgrader --- .../rancher-wins-upgrader-101.0.0+up0.0.1.tgz | Bin 0 -> 5917 bytes .../101.0.0+up0.0.1/.helmignore | 23 ++++++ .../101.0.0+up0.0.1/Chart.yaml | 18 +++++ .../101.0.0+up0.0.1/README.md | 41 ++++++++++ .../101.0.0+up0.0.1/app-readme.md | 19 +++++ .../101.0.0+up0.0.1/scripts/noop.ps1 | 4 + .../101.0.0+up0.0.1/scripts/upgrade.ps1 | 72 ++++++++++++++++++ .../101.0.0+up0.0.1/templates/_helpers.tpl | 63 +++++++++++++++ .../101.0.0+up0.0.1/templates/configmap.yaml | 17 +++++ .../101.0.0+up0.0.1/templates/daemonset.yaml | 72 ++++++++++++++++++ .../101.0.0+up0.0.1/templates/rbac.yaml | 70 +++++++++++++++++ .../101.0.0+up0.0.1/values.yaml | 60 +++++++++++++++ index.yaml | 22 ++++++ 13 files changed, 481 insertions(+) create mode 100644 assets/rancher-wins-upgrader/rancher-wins-upgrader-101.0.0+up0.0.1.tgz create mode 100644 charts/rancher-wins-upgrader/101.0.0+up0.0.1/.helmignore create mode 100644 charts/rancher-wins-upgrader/101.0.0+up0.0.1/Chart.yaml create mode 100644 charts/rancher-wins-upgrader/101.0.0+up0.0.1/README.md create mode 100644 charts/rancher-wins-upgrader/101.0.0+up0.0.1/app-readme.md create mode 100644 charts/rancher-wins-upgrader/101.0.0+up0.0.1/scripts/noop.ps1 create mode 100644 charts/rancher-wins-upgrader/101.0.0+up0.0.1/scripts/upgrade.ps1 create mode 100644 charts/rancher-wins-upgrader/101.0.0+up0.0.1/templates/_helpers.tpl create mode 100644 charts/rancher-wins-upgrader/101.0.0+up0.0.1/templates/configmap.yaml create mode 100644 charts/rancher-wins-upgrader/101.0.0+up0.0.1/templates/daemonset.yaml create mode 100644 charts/rancher-wins-upgrader/101.0.0+up0.0.1/templates/rbac.yaml create mode 100644 charts/rancher-wins-upgrader/101.0.0+up0.0.1/values.yaml 
diff --git a/assets/rancher-wins-upgrader/rancher-wins-upgrader-101.0.0+up0.0.1.tgz b/assets/rancher-wins-upgrader/rancher-wins-upgrader-101.0.0+up0.0.1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..377f36c899d2e94bf530349e74ba14524f7f01d1 GIT binary patch literal 5917 zcmV+&7vkt2iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PKBhbK5ww=zQj{=qr0mcGje1J8@>U>$^7_XA;-u;j%L`cPmas z5ZRKj0RavG%GPFle*38gK#G**M;?<@&M_+`OC-?f2hcB|8O>xmMIE1UY2vb&XqKVw zJ)SaclR3-94`1Nw_xt_5`}f`7e!su`cYAy9;SbyQcj;gM{`T$<{p|<443w(?9e-d#q*RzLSedsVuWxNi&E5Qf8S@lO$!<3QV}_rKl|*bIb-1=E}-u@5>R! zGt`DFIe_l}-G}XDdoSt7efS$}Cp$azwY##bWI39Gr8oe8(@#b-Hx~1iJ(L;18JC$l zGb^7LsB>;jOzi}h<@wfit*a%_!hR=t7?9sde!LoYjRKj$m}saO)Lu*xEBG%J=-E!h zilYA6PqvfoC_|HKURZbQ1(R%o27GreCt#;Y)EY3TXQ(0I2~1{?DmmtpQacF(OSLiv zm=FJW-*mTvdAlYY|wb6ND0ezF~X>uG;?g=@9`pD|IQ`BDbp2K~Rc zy>owA|L^VY-s%6Zajn4tj#()zc$vdk>E`k#)e+-)p|nMvL~HPR$_;P>4F2`##q)Tq zbk3~B48~j_H8{XjFpV%{nzNBW16IKZpf23%U@6_drh5X_=UqG$~sH#J!lO@taT z5loU5NZ$awO$Zntnv zw&wI?FDqJ)x6@~sHIyrf;06b@tK=T^Bes%C_qgKJ21JGCqmJ+gd3QYReV5iK&ze{6@Hq!CNQR7*I zg)-bK;#QDuuYPFRWB@a7i|99*%}$U#an`eH0KdDZ8IH=y0LDxhbTU`e5|IXcWPtT^@;&X1SC(|`g(Ky+e>K;H0A3ju!39^Lb7q6fEB&p2tD)GbbHM2Us z4s@vZ#Rb~*G+=c~Se-VtUxMfOhmXFzvM$~DI#}eqfkETPR~emLMlI2zIURB7e#UNk ze5=s~+OIOSoN#&WKmYLYRAC)`W5J|Eku?T%ygpLewpQC;9{y#|{S3>YdX}pU2XMx0 zI^}W_ZdN}Di^11gsDXqv_{Y2&ZwrPCc`ii=LsI#}5n7g9)8>o|LE4_nRFtHnp{2_Q z@ZrLZc{r}s_!en=gDn+bfhi4U3B0mX)Mwn_7I0hP>g?h04SY}qbtBkM&bhJX0^SZI zXo4HSo43wzyZ z!4F6wg_3nxkc!e+YVXWPrf4{+ESRz&UEmF3m2qfb zGMWjM=nE%a67+2p?xk3^w^9(pV-0YA9ufWOWs>y@gLO zEnVXbZ9)ckZ4HiG>;@WH=0G1md35mNNs?zU!ZG;>R?l4krU0c!hXz!I4dK@o@NwlI zYynDB>R^WFssx_rm~m!N%qs>u>Ig<`XWNppgR?78v>&WYvOKl^-)z#%=~Sy?%ahJb<4K zg72n5ok`H#yied6Y9wK0noX26N#c0BAc?d`plabVtii9-Ih^JEU1e|n?(R14&^&ke zOHr@#RU-Aoj3gTrs|XV(Tyb|W&AKz3-`ozpP)5$2bK{7WCnO{HG|!U4hfc$E4c+mRa_-c z$xKx#$f<(8-FWxG{?1+!-RlJ*Rx^$i(9c2tBs8d>YwZkkOX}D5b{h(d=~_*MF~N1%|G#yYlf3Ef_oyv6S6X?F|8s+1Z0$+SnjR^QxC0`%jVGM3;~y#F%J 
z*y$Py^4%WcMWES2+ZLk6wGpo{1BpW+xTc*K#N{w+gQ`^eik^I2 zMFyRZA?}lixg>`W=HG$?L}14C?MH5=4O(l?U_L|rSmgy7j?UkS)pBB`{XW^%IdoEm#s)Sz|VVLN)y zWi|-gdoNfKRVx4?}f!s8%BT6^=WpgQ|L)ywy6hoSWkZ90!{K1Ep+^`57TS3>s$gN zl`3w8P&Hca9>;O5npbM(o7R8EFjvyx=bQ$+Vf{bY-Pyjp{_oCzeULK)2o;C zftwm9Xg^~~-_~_(Aob>L6+eALbwDvaQERIGA-5rxGn-DIe+tk&k5Gkq0M}rv+i3q3 z$Ul0>02Rt~Ep2UG1+VSOUV>W1lC47zAz)DdV!2p)RI8>Ro8EK-P;)0OV7;^-MpmHN z>i24-6{tC1_)0LVDQ>yCD+vxLd!PpOjHmc0O;suF%Ue(V&^@Gp+*!P8|JAP_(&zQ2 ztUnCW27G0Lj=+EN!g3=ei^C!vxO59HE(V_r-?B*!(z3~d6U2)=XQWo%bc!=G?QB6O z9@A$!=v}gMZ|iO|CCVIM5c^x(*q)8Spv3_|{Tv{t9)8<;F+h0ECAW{S6iquL^*J)S zinpK6pr#{nTOK)j3SQu9?wp<`r}Xsn((#^UAXjpCs*LSjN=kegSplG&T_)<;ljkqq z9Y6Wy@Z|8-%Xcq-e({ed#|?Li32D~NNi?q>t8;U>ae89CcZ1Y#z?>MY5 zJGUJ3(?)8F;ihGjRsmR({ht_rEkzYU22$CpoX9$L+j;B?4(cNce&?c;0*wJ?ftI2L zC9Ct9z!%3Rfy-6!JMCHdtsUy`?7Aub(<7FC?m6%q;=kR!%lp4O_wUYsf0e5l-Z@#b z(oU7;|8Y)m^8QDcKVGD9{7I8zCGZoXzU0%Qwd5nCwPZP3)1^Rn%$gPasa9oS2Jog^ zD8bWtm;9u9qtxHe45p>#cJ7*RG_KJM^~emI-h9(74Yqo^{lo#hxjL2#99Vc4Z=D|f zbOHQ>%Z$s(_ap};@EFI0XeEhjh>id*Pr8pH(UhZqV``n~J*bmb!1hNoY`rp;D^sFN zxO_iiT&Bn`q~2_MgqBs*9jWXjtfC|L{5vABN|h9v&$z%z^Y9|Mo-fg!DgC~E^YG|# z`^M4X!QzH4;ntdw=BY8M7CSkVd?V(1!7 zHQH|Vv-0ifhC9!US>+wOKC$zstLmQBp~KQChpU2uHmHvd3X;p2rjLNQ3eHto`akYk z?f)fH6gi(rrSS`lant_agWU(0>i_Qc|Gv((21m?V)Y6qDc#*@|6eWyGE?oU_!P56^ zf~Kzi3#9=D%oK%yiBKb-`sQ-71sVmje1>i%H10E*MQb2&;tz#w_|rC+`BU)!XEOm( z8ZP!LJW5cY2EipJQF3td?!+pMu2L}1m4sg&pFqa7iINGoJ@@I+kCM@UbkBWOH>Q&w zeN;cqO!gLlMl5|_7OsBLME4SNRz&xb5qlrqOKeWxmFAP^-hV}F@C(yil?DzEo|q^p zv?BK+N_d8>=bLNw?RAt!v9u7jRUjKC^#1|RkhV}n&cXv7dyZ`X6{`c!#_4!}; zl}iJag^Hp_^#h-yaYsO>OlATNyhki<_iBQwY}TEl-B6lL`es%8(0VliP`_1G4P1hm z%QS&Q3z>32ev;kQ9keuz79d zN_p{2%-yb;KQmm>BQsC3FS?y^=2TWyR$On28q#Me0-j@9+E6W4VdxI|I;7`d1Y!YW zrE!Kjaphjm)LDa4ay9=>0;ypWCGAZLNL9hnm(0}pvVif1A;sy^XKZl}W7Ah+UuMRs z?>2Ol>QWjQI(k#Vq0p(Ttchc%+&|D~Y?ad<7ZArxPYir0i;LkF84-;zOin`u*&8>r z-VS~7_)|rAPBhE?%yI+Of;>`ZsJ(TmWJ-<3${l8AvdVH+A{}wb^xU7B4hOJ@P0co} zcIuX@xLYsCAji`rQRM5L&fF1fFY1j{@J*Ul1v4hx3K+QC{*GS*#8*%{^W`{Ykx{79 
zZqTSpqVE~zOlDs4A=HH)yi^&&vEOAQr{6@8GrrGI;v|s+tT& z&)gAwKb8Ex80x>miDlZx)tIq62HhS}>Bfv2!ju^pA8b=uY2$R zIf-I;U1_thaH{EaiJY!k=0t@vAvFBt>c^qeK3u}EE{;zcRq;c2uAT@B`pIKk5tB0M zO7T$e8EQ8XTvdW+NfaIWwNlN9xhh=+LrBGYbzT<}DCyT}S{keJ_B1+Ui#h<(f5-oP zvhDR|J#9kqXo$A9{6h0;K2!rRL2=^T%}GBcxi+>r760n-3GH2-sgpI!GG7`|I7G+r z#;E|Mtg)IE&M;Ngfn%~bS^XNFror*-afmqr0*P-orq&i_(CbaOotC2{Re8N}S^XUe zHR|Pz+V_Hc+zaPxdo?0SVYWAuD0-&ONVRW4h6TEmT{Tr(O=~&UJa+TX`QjuiQg+P|u8O+dBKD(M=iB8NLeEcw?I? znR0;x(qU`xg2|Ez_}S^cpteFeCpFD;ud-NCXhlnlgya+@vF5T$-hxqSiNJuEhg2G` zVTGD_NfM9eZLQ-J@T4vsZmjJD9*t=}3pJT|fe-{j##f6H!<~_q=#^`xAa`WBVqT}z zmqA8RvmkxxDKS8()U6p>;OXE>!|UlK3{p4q$qco1cCj#z;Z%SN-ZGSykLSVZ@%Jfw z0;VUWQ|_&ouv}v$H->RsxdExt8cm^OW+3zmBsm|TsdWd@a5!8b7i~O68$agxA*mR0 zhJNL8cjsNL;D6$RgwS=0ejhqbWIEl=gp?jVBd}5A+^JNNgJ6;3O!C~TS?(Y%kALi& zELoKHFz`E^SXESQ{7`GnntNB#d)xBo%`o3Xk@z25t-rGN{xi%^0*B5gfVB!teRx%&yZ1B;)MKUdx_o~)B}XR!8-Ceh_>ZoHPn?ciMZs%b;&7`? ztPox@3l$(ZDbo-Ncz?QW_p7%W_*WRXmD#G68T!Sxc=ZI1$Cz3^BaU0m)AyB$8#er$ zp7Jje`5=%qbz3+J$v#`cy7pAvitqMCePV zoU~@B`8d20uC{z0jix&CusAJpUIluZRtf_zk1@D2>5xt_eQ(O#w15$gb>u^Gx5>AT zt-ptBb^eDHMNIBlj$a}NbkqL-!w1Xx-@X3!{k#0n*SPNTKX>_`yZp~x{^u_LbC>`5 z!}34CT(Ir2_55}~!pjdb*x(5+UYN9#JV+k?dGmjF*67e3sI4O|gShmLvTc!b-|6oz`+pC1?&|-(%C-JPYo#BhG<%LT zj!{z_4g1hNv8w1s(HfjI9hC4QHDC*Gq-&~Nj6dk*-?cG9cqGo)+(c(nE^uRe6FyW5 z-T{ma?C$mZaCc(+TVB_%|3*F0XN+;f`oG`5zjNvQ_jdno{eO+?#`QlgrF#gz@FcEF zQKAq2CC`j}_>KA~;2U=XE$WRIOlHglRr|2+Qhi(C{Gy+<%8z(~E;+pq>sFVz`4-;z z7f`)jCuhe2+>G2GK8B6gXl(2pDgU|d-_!G9QGqvxjo7_OXk}CX{q?*+sKchsW`A(+ z+D-*B??)Q)K3$kI<^o&Ijxkp=j1Mj55FcY&YJ(8}MA1om$Od!a(4VdP9bT0-ep$Nz zqrqPnQTC@GlzDd##x?W7P3aM9jyDZdp7hI^Fu{ zP6x)`AW}z^KsK)EIUq-VA)xil*k{a;hqw<<(K=G-Mx*_rvC-+ZjZbvinmP;UiEoC# zHGsH#%d@2+EHAKz*w$q!1nk3ORm|J+tA~g90FC9+du|TEN^*Is8!0 z2AAs(E1cThu4o)xMC*-ns8!>Q?uY)(!ATe5aqAsf3$!j38rE2?7;R+-qP&IM0Vlzo z6oR*x@)E#S9}=nAoCJ@2ohwM-1CfK1_5ZbHK!ah`7Sdl8)zl^&} z7VUS+0%GrdxZlHWwez^YB!en1)$K&lubNwopQ(!1uSy&F=~!VCyMw3DN$!CzQb1C~ z14t=?+lQYen=vljE1femDeQwKuDF<$q9vgWmy=F4jT^&tPRf*GME^#~uskyV|4-mK 
zx6qF++<9<^&2wh#lXGq#)3~uj=&u5K?DPm`9zd&8190np801D^eZQHU@yu<_XiSmM z5b(Ufl)`sa+M={D)+&cOuhJNFJGyhv@2= 1.16.0-0 < 1.22.0-0' + catalog.cattle.io/namespace: cattle-wins-system + catalog.cattle.io/os: windows + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: rancher-wins-upgrader +apiVersion: v2 +appVersion: 0.1.1 +description: Manages upgrading the wins server version and configuration across all + of your Windows nodes +maintainers: +- email: arvind.iyengar@suse.com + name: aiyengar2 +name: rancher-wins-upgrader +type: application +version: 101.0.0+up0.0.1 diff --git a/charts/rancher-wins-upgrader/101.0.0+up0.0.1/README.md b/charts/rancher-wins-upgrader/101.0.0+up0.0.1/README.md new file mode 100644 index 000000000..1789824f7 --- /dev/null +++ b/charts/rancher-wins-upgrader/101.0.0+up0.0.1/README.md 
@@ -0,0 +1,41 @@
+# Rancher Wins Upgrader
+
+A Rancher chart that handles keeping the wins server version and config across some (or all) of the Windows nodes on a Kubernetes cluster in sync. It does this by running a simple script to replace the contents of the `\etc\rancher\wins` directory with the newly specified config and wins image via one or more DaemonSets. Once executed, the script will simply sleep forever.
+
+## How does this work?
+
+A DaemonSet of initContainers copies the provided config (stored in a ConfigMap) into `\etc\rancher\wins\config` and runs `wins cli prc run --path {path-to-wins} --args {up}`, where `.\wins up[grade]` is a Go program that runs a simple Powershell script that forces an upgrade of the binary used by the `rancher-wins` service across all of your Windows hosts.
+
+TLDR: we use wins (cli) to pass wins (upgrade) to wins (server) in order to update wins (server) on the host on demand.
+
+## Cluster / Node Requirements
+
+This Helm chart is intended to be used on a Windows cluster that meets the following two requirements:
+- A Windows Service called `rancher-wins` is currently running on each Windows host (e.g. `.\wins srv app run --register; Start-Service -Name rancher-wins` or `.\wins up` has been run on the host) that is running a wins server version of v0.1.0+.
+- The wins config used by each Windows host's `rancher-wins` Service has `{{ .Values.prefixPath }}etc\rancher\wins\wins-upgrade.exe` within `whiteList.processPath` so that the new wins version can be delivered onto the host
+
+If the cluster you are installing this chart on is a custom cluster that was created via RKE1 with Windows Support enabled, your nodes should already meet the first requirement; this should have been added as part of [the bootstrapping process for adding the Windows node onto your RKE1 cluster](https://github.com/rancher/rancher/blob/master/package/windows/bootstrap.ps1).
+
+However, depending on the bootstrap.ps1 version that was used when you spun up your Windows cluster, it is possible that the second requirement is not met yet.
+
+If the second requirement is not met, there are two options to reconcile:
+
+### Manual Update
+
+This is the recommended approach for updating your Windows hosts, but it requires the user to log onto every Windows host to upgrade the wins config. After logging onto each host, you will need to do manually update the wins config.
+
+By default, the wins config is located in `c:\etc\rancher\wins\config`, but you could use the following powershell command to identify the command line arguments passed into the `rancher-wins` service (`--config` corresponds to the config path on the host):
+```powershell
+(Get-CimInstance Win32_Service -Filter 'Name = "rancher-wins"').PathName
+```
+
+Once complete, restart the service:
+```powershell
+Restart-Service -Name "rancher-wins" | Stop-Service
+```
+
+### Masquerading (Use at your own risk. Here be dragons...)
+
+This option is *only* meant as a hack to allow users who are currently operating on Windows clusters that have not whitelisted `{{ .Values.prefixPath }}etc\rancher\wins\wins-upgrade.exe`. If you plan to use this option, please ensure that you immediately upgrade this chart with `masquerade.enabled=false` and perform another `helm upgrade` to avoid any unintentional consequences (e.g. failure to install the original process that you meant to whitelist on the host).
+
+If `masquerade.enabled=True`, this chart will have the wins client execute `wins-upgrade.exe` payload under the `masquerade.as` path provided, effectively tricking the `wins server` into running the binary although it has not been whitelisted. This relies on the fact that the wins server does not / cannot do any verification on the binary passed into wins since it does track a list of valid checksums on the binaries provided to it.
\ No newline at end of file
diff --git a/charts/rancher-wins-upgrader/101.0.0+up0.0.1/app-readme.md b/charts/rancher-wins-upgrader/101.0.0+up0.0.1/app-readme.md
new file mode 100644
index 000000000..6981c4453
--- /dev/null
+++ b/charts/rancher-wins-upgrader/101.0.0+up0.0.1/app-readme.md
@@ -0,0 +1,19 @@
+# Rancher Wins Upgrader
+
+A Rancher chart that handles keeping the wins server version and config across some (or all) of the Windows nodes on a Kubernetes cluster in sync. It does this by running a simple script to replace the contents of the `\etc\rancher\wins` directory with the newly specified config and wins image via one or more DaemonSets. Once executed, the script will simply sleep forever.
+
+## How does this work?
+
+A DaemonSet of initContainers copies the provided config (stored in a ConfigMap) into `\etc\rancher\wins\config` and runs `wins cli prc run --path {path-to-wins} --args {up}`, where `.\wins up[grade]` is a Go program that runs a simple Powershell script that forces an upgrade of the binary used by the `rancher-wins` service across all of your Windows hosts.
+
+TLDR: we use wins (cli) to pass wins (upgrade) to wins (server) in order to update wins (server) on the host on demand.
+
+## Cluster / Node Requirements
+
+This Helm chart is intended to be used on a Windows cluster that meets the following two requirements:
+- A Windows Service called `rancher-wins` is currently running on each Windows host (e.g. `.\wins srv app run --register; Start-Service -Name rancher-wins` or `.\wins up` has been run on the host) that is running a wins server version of v0.1.0+.
+- The wins config used by each Windows host's `rancher-wins` Service has `{{ .Values.prefixPath }}etc\rancher\wins\wins-upgrade.exe` within `whiteList.processPath` so that the new wins version can be delivered onto the host
+
+If the cluster you are installing this chart on is a custom cluster that was created via RKE1 with Windows Support enabled after wins v0.1.0+ was released (i.e. Rancher 2.5.7+), your nodes should already meet the first requirement; this should have been added as part of [the bootstrapping process for adding the Windows node onto your RKE1 cluster](https://github.com/rancher/rancher/blob/master/package/windows/bootstrap.ps1).
+
+If not, please see the README.md for more information on how you can use this chart.
\ No newline at end of file
diff --git a/charts/rancher-wins-upgrader/101.0.0+up0.0.1/scripts/noop.ps1 b/charts/rancher-wins-upgrader/101.0.0+up0.0.1/scripts/noop.ps1
new file mode 100644
index 000000000..d584f0521
--- /dev/null
+++ b/charts/rancher-wins-upgrader/101.0.0+up0.0.1/scripts/noop.ps1
@@ -0,0 +1,4 @@
+$ErrorActionPreference = 'Stop'
+
+# Sleep forever, since a DaemonSet's restartPolicy must be Always
+while(1) { Start-Sleep -s 3600 }
\ No newline at end of file
diff --git a/charts/rancher-wins-upgrader/101.0.0+up0.0.1/scripts/upgrade.ps1 b/charts/rancher-wins-upgrader/101.0.0+up0.0.1/scripts/upgrade.ps1
new file mode 100644
index 000000000..7d0c19a63
--- /dev/null
+++ b/charts/rancher-wins-upgrader/101.0.0+up0.0.1/scripts/upgrade.ps1
@@ -0,0 +1,72 @@
+$ErrorActionPreference = 'Stop'
+
+function Create-Directory
+{
+ param (
+ [parameter(Mandatory = $false, ValueFromPipeline = $true)] [string]$Path
+ )
+
+ if (Test-Path -Path $Path) {
+ if (-not (Test-Path -Path $Path -PathType Container)) {
+ # clean the same path file
+ Remove-Item -Recurse -Force -Path $Path -ErrorAction Ignore | Out-Null
+ }
+
+ return
+ }
+
+ New-Item -Force -ItemType Directory -Path $Path | Out-Null
+}
+
+function Transfer-File
+{
+ param (
+ [parameter(Mandatory = $true)] [string]$Src,
+ [parameter(Mandatory = $true)] [string]$Dst
+ )
+
+ if (Test-Path -PathType leaf -Path $Dst) {
+ $dstHasher = Get-FileHash -Path $Dst
+ $srcHasher = Get-FileHash -Path $Src
+ if ($dstHasher.Hash -eq $srcHasher.Hash) {
+ return
+ }
+ }
+
+ $null = Copy-Item -Force -Path $Src -Destination $Dst
+}
+
+$prefixPath = 'c:\'
+if ($env:CATTLE_PREFIX_PATH) {
+ $prefixPath = $env:CATTLE_PREFIX_PATH
+}
+$winsUpgradePath = $('{0}etc\rancher\wins\wins-upgrade.exe' -f $prefixPath)
+if ($env:WINS_UPGRADE_PATH) {
+ $winsUpgradePath = $env:WINS_UPGRADE_PATH
+}
+
+
+$winsUpgradeDir = Split-Path -Path $winsUpgradePath
+$winsUpgradeFilename = Split-Path -Path $winsUpgradePath -Leaf
+
+Create-Directory -Path $winsUpgradeDir
+Transfer-File -Src "c:\Windows\wins.exe" -Dst $winsUpgradePath
+
+Create-Directory -Path "c:\host\etc\rancher\wins"
+Transfer-File -Src $winsUpgradePath -Dst "c:\host\etc\rancher\wins\$winsUpgradeFilename"
+Transfer-File -Src "c:\scripts\config" -Dst "c:\host\etc\rancher\wins\config"
+
+$winsOut = wins.exe cli prc run --path=$winsUpgradePath --args="up --wins-args=`'--config=$winsUpgradeDir\config`'"
+
+Write-Host $winsOut
+
+if ($winsOut -match ".* rpc error: code = Unavailable desc = transport is closing") {
+ Write-Host "Successfully upgraded"
+ exit 0
+} elseif ($LastExitCode -ne 0) {
+ Write-Host "Returned exit $LastExitCode"
+ exit $LastExitCode
+} else {
+ Write-Host "Returned exit 0, but did not receive expected output from .\wins up"
+ exit 1
+}
\ No newline at end of file
diff --git a/charts/rancher-wins-upgrader/101.0.0+up0.0.1/templates/_helpers.tpl b/charts/rancher-wins-upgrader/101.0.0+up0.0.1/templates/_helpers.tpl
new file mode 100644
index 000000000..9f44d6183
--- /dev/null
+++ b/charts/rancher-wins-upgrader/101.0.0+up0.0.1/templates/_helpers.tpl
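Review bot: The final `if` treats any output matching `rpc error: code = Unavailable desc = transport is closing` as a finished upgrade and exits 0, so a wins server that drops the pipe for an unrelated reason is also reported as `Successfully upgraded`. Nothing after that match confirms that the host service is running the new binary; a follow-up check before `exit 0` that the service binary on the host now matches `c:\Windows\wins.exe` (assuming it is reachable through the `c:\host` mount) would make the result trustworthy. The `Get-FileHash` comparison in `Transfer-File` only skips redundant copies and is not an integrity check against a known-good digest, which deserves a comment there such as `# change detection only; the container image is the trust anchor for wins.exe`. Separately, `Create-Directory` reaches `return` right after removing a file that occupies `$Path`, so the directory is never created in that case; the `return` should apply only when the path is already a container.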
@@ -0,0 +1,63 @@
+# Rancher
+
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- end -}}
+{{- end -}}
+
+# General
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+The components in this chart create additional resources that expand the longest created name strings.
+The longest name that gets created adds and extra 37 characters, so truncation should be 63-35=26.
+*/}}
+{{- define "winsUpgrader.name" -}}
+wins-upgrader
+{{- end -}}
+
+{{- define "winsUpgrader.namespace" -}}
+{{- default .Release.Namespace .Values.namespaceOverride -}}
+{{- end -}}
+
+{{- define "winsUpgrader.labels" -}}
+k8s-app: {{ template "winsUpgrader.name" . }}
+release: {{ .Release.Name }}
+provider: kubernetes
+{{- end -}}
+
+{{- define "winsUpgrader.validatePathPrefix" -}}
+{{- if .Values.global.cattle.rkeWindowsPathPrefix -}}
+{{- $prefixPath := (.Values.global.cattle.rkeWindowsPathPrefix | replace "/" "\\") -}}
+{{- if (not (hasSuffix "\\" $prefixPath)) -}}
+{{- fail (printf ".Values.global.cattle.rkeWindowsPathPrefix must end in '/' or '\\', found %s" $prefixPath) -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "winsUpgrader.winsHostPath" -}}
+{{ default "c:\\" .Values.global.cattle.rkeWindowsPathPrefix | replace "\\\\" "\\" | replace "\\" "/" }}etc/rancher/wins
+{{- end -}}
+
+{{- define "winsUpgrader.winsMasqueradePath" -}}
+{{ tpl .Values.masquerade.as . | required "Must provide name for .Values.masquerade.as if enabled" | replace "\\\\" "\\" | replace "\\" "/" }}
+{{- end -}}
+
+{{- define "winsUpgrader.winsMasqueradeHostPath" -}}
+{{ include "winsUpgrader.winsMasqueradePath" . | dir }}
+{{- end -}}
+
+{{- define "winsUpgrader.nodeSelector" -}}
+{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+beta.kubernetes.io/os: windows
+{{- else -}}
+kubernetes.io/os: windows
+{{- end -}}
+{{- end -}}
+
+{{- define "winsUpgrader.tolerations" -}}
+- operator: Exists
+{{- end -}}
diff --git a/charts/rancher-wins-upgrader/101.0.0+up0.0.1/templates/configmap.yaml b/charts/rancher-wins-upgrader/101.0.0+up0.0.1/templates/configmap.yaml
new file mode 100644
index 000000000..cc0b615f1
--- /dev/null
+++ b/charts/rancher-wins-upgrader/101.0.0+up0.0.1/templates/configmap.yaml
@@ -0,0 +1,17 @@
+{{ include "winsUpgrader.validatePathPrefix" . }}
+{{- range .Values.winsConfigs }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "winsUpgrader.name" $ }}-{{ .name }}
+ namespace: {{ template "winsUpgrader.namespace" $ }}
+ labels: {{ include "winsUpgrader.labels" $ | nindent 4 }}
+data:
+ config: |-
+{{ tpl .config $ | indent 4 }}
+ upgrade.ps1: |-
+{{ $.Files.Get "scripts/upgrade.ps1" | indent 4 }}
+ noop.ps1: |-
+{{ $.Files.Get "scripts/noop.ps1" | indent 4 }}
+---
+{{- end }}
diff --git a/charts/rancher-wins-upgrader/101.0.0+up0.0.1/templates/daemonset.yaml b/charts/rancher-wins-upgrader/101.0.0+up0.0.1/templates/daemonset.yaml
new file mode 100644
index 000000000..e6df52a31
--- /dev/null
+++ b/charts/rancher-wins-upgrader/101.0.0+up0.0.1/templates/daemonset.yaml
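Review bot: `winsUpgrader.winsMasqueradeHostPath` takes `dir` of whatever `masquerade.as` renders to, with no check that the result stays under `rkeWindowsPathPrefix`; the other templates in this patch use that directory as a `DirectoryOrCreate` hostPath and as a PSP `allowedHostPaths` prefix, so a short or mistyped value exposes a much wider host directory than intended. A guard in the style of `winsUpgrader.validatePathPrefix` that calls `fail` unless the rendered masquerade path starts with the normalised prefix would bound it. In `winsUpgrader.winsMasqueradePath`, `required` runs after `tpl`, so an unset value probably surfaces as a `tpl` error instead of the intended message; `tpl (required "Must provide name for .Values.masquerade.as if enabled" .Values.masquerade.as) .` gives the intended ordering. The comment above `winsUpgrader.name` describes truncation that the template does not perform and its arithmetic (`63-35=26`) does not add up, so it should be corrected or dropped.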
@@ -0,0 +1,72 @@
+{{- range .Values.winsConfigs }}
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: {{ template "winsUpgrader.name" $ }}-{{ required "Must provide name for .Values.winsConfigs[].name" .name }}
+ namespace: {{ template "winsUpgrader.namespace" $ }}
+ labels: {{ include "winsUpgrader.labels" $ | nindent 4 }}
+spec:
+ selector:
+ matchLabels: {{ include "winsUpgrader.labels" $ | nindent 6 }}
+ template:
+ metadata:
+ labels: {{ include "winsUpgrader.labels" $ | nindent 8 }}
+ spec:
+ nodeSelector: {{ include "winsUpgrader.nodeSelector" $ | nindent 8 }}
+{{- if .nodeSelector }}
+{{ toYaml .nodeSelector | indent 8 }}
+{{- end }}
+{{- if .tolerations }}
+ tolerations: {{ .tolerations | toYaml | nindent 8 }}
+{{- else }}
+ tolerations: {{ include "winsUpgrader.tolerations" $ | nindent 8 }}
+{{- end }}
+ serviceAccountName: {{ template "winsUpgrader.name" $ }}
+ containers:
+ - name: noop
+ image: {{ template "system_default_registry" $ }}{{ required "Must provide name for .Values.winsConfigs[].image.repository" .image.repository }}:{{ required "Must provide name for .Values.winsConfigs[].tag" .image.tag }}
+ command: ["pwsh", "-f", "c:/scripts/noop.ps1"]
+ volumeMounts:
+ - name: upgrade-scripts
+ mountPath: c:/scripts
+ initContainers:
+ - name: wins-upgrader
+ image: {{ template "system_default_registry" $ }}{{ .image.repository }}:{{ .image.tag }}
+ command: ["pwsh", "-f", "c:/scripts/upgrade.ps1"]
+ volumeMounts:
+ - name: wins-pipe
+ mountPath: \\.\pipe\rancher_wins
+ - name: wins
+ mountPath: c:/host/etc/rancher/wins
+ - name: upgrade-scripts
+ mountPath: c:/scripts
+ env:
+ - name: HELM_REVISION_NUMBER
+ value: {{ $.Release.Revision | quote }}
+ - name: CATTLE_PREFIX_PATH
+ value: {{ default "c:\\" $.Values.global.cattle.rkeWindowsPathPrefix | replace "/" "\\" }}
+{{- if $.Values.masquerade.enabled }}
+ - name: WINS_UPGRADE_PATH
+ value: {{ include "winsUpgrader.winsMasqueradePath" $ }}
+{{- end }}
+ volumes:
+ - name: wins-pipe
+ hostPath:
+ path: \\.\pipe\rancher_wins
+ - name: wins
+ hostPath:
+{{- if $.Values.masquerade.enabled }}
+ path: {{ include "winsUpgrader.winsMasqueradeHostPath" $ }}
+ type: DirectoryOrCreate
+{{- else }}
+ path: {{ include "winsUpgrader.winsHostPath" $ }}
+ type: DirectoryOrCreate
+{{- end }}
+ - name: upgrade-scripts
+ configMap:
+ name: {{ template "winsUpgrader.name" $ }}-{{ .name }}
+---
+{{- end }}
+{{- if not .Values.winsConfigs }}
+{{- fail "Cannot install chart unless at least one config is provided in .Values.winsConfigs" }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/rancher-wins-upgrader/101.0.0+up0.0.1/templates/rbac.yaml b/charts/rancher-wins-upgrader/101.0.0+up0.0.1/templates/rbac.yaml
new file mode 100644
index 000000000..d2a36c6a7
--- /dev/null
+++ b/charts/rancher-wins-upgrader/101.0.0+up0.0.1/templates/rbac.yaml
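Review bot: Every DaemonSet rendered by the `range` over `winsConfigs` gets the same `matchLabels` and pod labels from `winsUpgrader.labels`, which contain nothing per entry, so two configs produce controllers with overlapping selectors. Adding a per-entry label to the metadata, selector and pod-template label blocks, e.g. `wins-config: {{ .name }}` (a key chosen here for illustration), keeps them disjoint. The init container mounts both the `rancher_wins` pipe and a writable host directory, which per the chart README lets the pod have the host wins service run a binary, so a comment next to `volumes:` stating that this workload carries host-level reach would help whoever reviews access to it. The second `required` message names `.Values.winsConfigs[].tag` where the value read is `.image.tag`, and the `CATTLE_PREFIX_PATH` value is emitted unquoted; `| quote`, as already used for `HELM_REVISION_NUMBER`, would be safer.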
@@ -0,0 +1,70 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "winsUpgrader.name" . }}
+ namespace: {{ template "winsUpgrader.namespace" . }}
+ labels: {{ include "winsUpgrader.labels" . | nindent 4 }}
+rules:
+- apiGroups: ['policy']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames: [{{ include "winsUpgrader.name" . | quote }}]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "winsUpgrader.name" . }}
+ namespace: {{ template "winsUpgrader.namespace" . }}
+ labels: {{ include "winsUpgrader.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "winsUpgrader.name" . }}
+subjects:
+- kind: ServiceAccount
+ name: {{ template "winsUpgrader.name" . }}
+ namespace: {{ template "winsUpgrader.namespace" $ }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ template "winsUpgrader.name" . }}
+ namespace: {{ template "winsUpgrader.namespace" . }}
+ labels: {{ include "winsUpgrader.labels" . | nindent 4 }}
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ template "winsUpgrader.name" . }}
+ namespace: {{ template "winsUpgrader.namespace" . }}
+ labels: {{ include "winsUpgrader.labels" . | nindent 4 }}
+spec:
+ privileged: false
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ rule: 'RunAsAny'
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 0
+ max: 65535
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 0
+ max: 65535
+ readOnlyRootFilesystem: false
+ volumes:
+ - 'secret'
+ - 'hostPath'
+ allowedHostPaths:
+ - pathPrefix: \\.\pipe\rancher_wins
+{{- if .Values.masquerade.enabled }}
+ - pathPrefix: {{ include "winsUpgrader.winsMasqueradeHostPath" . }}
+{{- else }}
+ - pathPrefix: {{ include "winsUpgrader.winsHostPath" . }}
+{{- end }}
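Review bot: The PodSecurityPolicy's `volumes` list allows only `'secret'` and `'hostPath'`, but the DaemonSet in this patch mounts `upgrade-scripts` from a `configMap` volume, so where this policy is the one applied to the pods they would be rejected; adding `- 'configMap'` to the list fixes that. `privileged: false` understates what the policy grants, since the allowed `\\.\pipe\rancher_wins` path reaches the host wins service; a comment on the policy such as `# grants access to the host wins service pipe; treat the bound ServiceAccount as host-privileged` would make that visible. ClusterRole, ClusterRoleBinding and PodSecurityPolicy are cluster-scoped, so their `metadata.namespace` lines have no effect and can be removed to avoid suggesting the grant is namespaced.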
diff --git a/charts/rancher-wins-upgrader/101.0.0+up0.0.1/values.yaml b/charts/rancher-wins-upgrader/101.0.0+up0.0.1/values.yaml
new file mode 100644
index 000000000..8ff315ec6
--- /dev/null
+++ b/charts/rancher-wins-upgrader/101.0.0+up0.0.1/values.yaml
@@ -0,0 +1,60 @@
+# Default values for rancher-windows-exporter.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+# Configuration
+
+global:
+ cattle:
+ systemDefaultRegistry: ""
+ rkeWindowsPathPrefix: "c:\\"
+
+## One or more configurations for the wins server to be applied across all of the nodes based on the nodeSelector and tolerations provided
+##
+winsConfigs:
+- name: default
+ image:
+ # TODO(aiyengar2): replace with an image that just contains wins
+ repository: rancher/wins
+ tag: v0.1.1
+ os: "windows"
+ config: |
+ debug: false
+ listen: rancher_wins
+ proxy: rancher_wins_proxy
+ whiteList:
+ processPaths:
+ - {{ default "c:\\" .Values.global.cattle.rkeWindowsPathPrefix | replace "/" "\\" }}etc\rancher\wins\wins-upgrade.exe
+ - {{ default "c:\\" .Values.global.cattle.rkeWindowsPathPrefix | replace "/" "\\" }}etc\windows-exporter\windows-exporter.exe
+ - {{ default "c:\\" .Values.global.cattle.rkeWindowsPathPrefix | replace "/" "\\" }}etc\wmi-exporter\wmi-exporter.exe
+ - {{ default "c:\\" .Values.global.cattle.rkeWindowsPathPrefix | replace "/" "\\" }}etc\kubernetes\bin\kube-proxy.exe
+ - {{ default "c:\\" .Values.global.cattle.rkeWindowsPathPrefix | replace "/" "\\" }}etc\kubernetes\bin\kubelet.exe
+ - {{ default "c:\\" .Values.global.cattle.rkeWindowsPathPrefix | replace "/" "\\" }}etc\nginx\nginx.exe
+ - {{ default "c:\\" .Values.global.cattle.rkeWindowsPathPrefix | replace "/" "\\" }}opt\bin\flanneld.exe
+ proxyPorts:
+ - 9796
+ upgrade:
+ mode: watching
+ watchingPath: {{ default "c:\\" .Values.global.cattle.rkeWindowsPathPrefix | replace "/" "\\" }}etc\rancher\wins\wins.exe
+ # By default, `kubernetes.io/os: windows` or `beta.kubernetes.io/os: windows` will be included
+ nodeSelector: {}
+ # If provided, these tolerations will be used. Otherwise, it defaults to `[ {operator: Exists} ]`
+ tolerations: []
+
+## Masquerade is *only* meant as a hack to allow users who are currently operating on Windows clusters that do
+## not support wins upgrades (e.g. those which have not whitelisted {{ .Values.prefixPath }}etc\rancher\wins\wins-upgrade.exe)
+## to be able to masquerade the payload for this installer under another whitelisted process's name.
+##
+## Please read the README.md before trying to enable this option and, if applied, ensure that you immediately upgrade
+## this chart with masquerade.enabled=false to avoid any unintentional consequences (e.g. failure to install the original
+## process that you meant to whitelist on the host)
+##
+## TLDR: Use at your own risk. Here be dragons...
+##
+masquerade:
+ enabled: false
+ # Why wmi_exporter?
+ # wmi_exporter is the only default whitelisted process that may or may not be run on the host, since
+ # it is only ever deployed if the Windows cluster is also using Prometheus-based Windows monitoring (e.g. Rancher Monitoring V1)
+ # All of the other default whitelisted processes are required for the Kubernetes cluster to operate
+ as: '{{ default "c:\\" .Values.global.cattle.rkeWindowsPathPrefix | replace "/" "\\" }}etc\wmi-exporter\wmi-exporter.exe'
diff --git a/index.yaml b/index.yaml
index df4fce5bf..2311978fd 100755
--- a/index.yaml
+++ b/index.yaml
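Review bot: The default image is referenced by the mutable tag `v0.1.1`, and the wins binary taken from that image is copied onto every selected host and handed to the host `rancher-wins` service, so what gets installed can change without any change to the chart. The DaemonSet template in this patch builds the reference as `repository:tag`, so pinning by digest needs template support; until then a comment on `tag:` such as `# mutable tag: the registry is the trust anchor for the binary installed on hosts` would state the assumption. The header comment still says `rancher-windows-exporter`, `os: "windows"` is not read by any template in this patch, and the README names the whitelist key `whiteList.processPath` while this config uses `processPaths`.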
@@ -10069,6 +10069,28 @@ entries: - assets/rancher-windows-gmsa-crd/rancher-windows-gmsa-crd-1.0.0.tgz version: 1.0.0 rancher-wins-upgrader: + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.22.0-0' + catalog.cattle.io/namespace: cattle-wins-system + catalog.cattle.io/os: windows + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: rancher-wins-upgrader + apiVersion: v2 + appVersion: 0.1.1 + created: "2022-09-26T17:16:20.143967885+05:30" + description: Manages upgrading the wins server version and configuration across + all of your Windows nodes + digest: 38772a5a03fc707ab9a8b1de306e23ad8f8502ca7aee6b32255c835d8d85b79c + maintainers: + - email: arvind.iyengar@suse.com + name: aiyengar2 + name: rancher-wins-upgrader + type: application + urls: + - assets/rancher-wins-upgrader/rancher-wins-upgrader-101.0.0+up0.0.1.tgz + version: 101.0.0+up0.0.1 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.22.0-0'