Merge pull request #1273 from jiaqiluo/bump-backup-operator-dev-2.6

charts/rancher-backup-crd/rancher-backup-crd/2.0.0-rc1/Chart.yaml

@@ -4,8 +4,8 @@ annotations:
   catalog.cattle.io/namespace: cattle-resources-system
   catalog.cattle.io/release-name: rancher-backup-crd
 apiVersion: v2
-appVersion: 1.1.1
+appVersion: 2.0.0-rc1
 description: Installs the CRDs for rancher-backup.
 name: rancher-backup-crd
 type: application
-version: 100.0.0+up1.1.1
+version: 2.0.0-rc1

charts/rancher-backup/rancher-backup/2.0.0-rc1/Chart.yaml

@@ -9,7 +9,7 @@ annotations:
   catalog.cattle.io/scope: management
   catalog.cattle.io/ui-component: rancher-backup
 apiVersion: v2
-appVersion: 1.1.1
+appVersion: 2.0.0-rc1
 description: Provides ability to back up and restore the Rancher application running
   on any Kubernetes cluster
 icon: https://charts.rancher.io/assets/logos/backup-restore.svg
@@ -17,4 +17,4 @@ keywords:
 - applications
 - infrastructure
 name: rancher-backup
-version: 100.0.0+up1.1.1
+version: 2.0.0-rc1

charts/rancher-backup/rancher-backup/2.0.0-rc1/templates/_helpers.tpl

@@ -17,6 +17,13 @@ add below linux tolerations to workloads could be scheduled to those linux nodes
   operator: "Equal"
 {{- end -}}
 
+{{- define "linux-node-selector" -}}
+{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+beta.kubernetes.io/os: linux
+{{- else -}}
+kubernetes.io/os: linux
+{{- end -}}
+{{- end -}}
 
 {{/*
 Create a default fully qualified app name.

charts/rancher-backup/rancher-backup/2.0.0-rc1/templates/deployment.yaml

@@ -21,6 +21,9 @@ spec:
         checksum/pvc: {{ include (print $.Template.BasePath "/pvc.yaml") . | sha256sum }}
     spec:
       serviceAccountName: {{ include "backupRestore.serviceAccountName" . }}
+      {{- if .Values.priorityClassName }}
+      priorityClassName: {{ .Values.priorityClassName }}
+      {{- end }}
       containers:
       - name: {{ .Chart.Name }}
         image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}

charts/rancher-backup/rancher-backup/2.0.0-rc1/templates/hardened.yaml

@@ -0,0 +1,114 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "backupRestore.fullname" . }}-patch-sa
+  namespace: {{ .Release.Namespace }}
+  labels: {{ include "backupRestore.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": post-install, post-upgrade
+    "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+spec:
+  backoffLimit: 1
+  template:
+    spec:
+      serviceAccountName: {{ include "backupRestore.fullname" . }}-patch-sa
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+      restartPolicy: Never
+      nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+      tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+      containers:
+        - name: {{ include "backupRestore.fullname" . }}-patch-sa
+          image: {{ include "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}
+          imagePullPolicy: IfNotPresent
+          command: ["kubectl", "-n", {{ .Release.Namespace | quote }}, "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"]
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "backupRestore.fullname" . }}-patch-sa
+  namespace: {{ .Release.Namespace }}
+  labels: {{ include "backupRestore.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": post-install, post-upgrade
+    "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "backupRestore.fullname" . }}-patch-sa
+  labels: {{ include "backupRestore.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": post-install, post-upgrade
+    "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+rules:
+  - apiGroups: [""]
+    resources: ["serviceaccounts"]
+    verbs: ["get", "patch"]
+  - apiGroups: ["policy"]
+    resources: ["podsecuritypolicies"]
+    verbs:     ["use"]
+    resourceNames:
+      - {{ include "backupRestore.fullname" . }}-patch-sa
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "backupRestore.fullname" . }}-patch-sa
+  labels: {{ include "backupRestore.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": post-install, post-upgrade
+    "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "backupRestore.fullname" . }}-patch-sa
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "backupRestore.fullname" . }}-patch-sa
+    namespace: {{ .Release.Namespace }}
+---
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ include "backupRestore.fullname" . }}-patch-sa
+  labels: {{ include "backupRestore.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": post-install, post-upgrade
+    "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+spec:
+  privileged: false
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'MustRunAsNonRoot'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
+  volumes:
+    - 'secret'
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: {{ include "backupRestore.fullname" . }}-default-allow-all
+  namespace: {{ .Release.Namespace }}
+spec:
+  podSelector: {}
+  egress:
+    - {}
+  policyTypes:
+    - Ingress
+    - Egress

charts/rancher-backup/rancher-backup/2.0.0-rc1/templates/psp.yaml

@@ -0,0 +1,29 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: {{ include "backupRestore.fullname" . }}-psp
+  labels: {{ include "backupRestore.labels" . | nindent 4 }}
+spec:
+  privileged: false
+  allowPrivilegeEscalation: false
+  hostNetwork: false
+  hostIPC: false
+  hostPID: false
+  runAsUser:
+    rule: 'MustRunAsNonRoot'
+  seLinux:
+    rule: 'RunAsAny'
+  supplementalGroups:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  fsGroup:
+    rule: 'MustRunAs'
+    ranges:
+      - min: 1
+        max: 65535
+  readOnlyRootFilesystem: false
+  volumes:
+    - 'persistentVolumeClaim'
+    - 'secret'

charts/rancher-backup/rancher-backup/2.0.0-rc1/templates/serviceaccount.yaml

@@ -6,6 +6,6 @@ metadata:
   labels:
      {{- include "backupRestore.labels" . | nindent 4 }}
 {{- if .Values.serviceAccount.annotations }}
-   annotations:
+  annotations:
-     {{- toYaml .Values.serviceAccount.annotations | nindent 4 }}
+    {{- toYaml .Values.serviceAccount.annotations | nindent 4 }}
 {{- end }}

charts/rancher-backup/rancher-backup/2.0.0-rc1/values.yaml

@@ -1,6 +1,6 @@
 image:
   repository: rancher/backup-restore-operator
-  tag: v1.1.1
+  tag: v2.0.0-rc1
 
 ## Default s3 bucket for storing all backup files created by the backup-restore-operator
 s3:
@@ -41,6 +41,9 @@ persistence:
 global:
   cattle:
     systemDefaultRegistry: ""
+  kubectl:
+    repository: rancher/kubectl
+    tag: v2.0.0-rc1
 
 nodeSelector: {}
 
@@ -50,3 +53,5 @@ affinity: {}
 
 serviceAccount:
   annotations: {}
+
+priorityClassName: ""

packages/rancher-backup-crd/package.yaml

@@ -1,2 +1 @@
-url: https://github.com/rancher/backup-restore-operator/releases/download/v1.1.1/rancher-backup-crd-1.1.1.tgz
+url: https://github.com/rancher/backup-restore-operator/releases/download/v2.0.0-rc1/rancher-backup-crd-2.0.0-rc1.tgz
-version: 100.0.0

packages/rancher-backup/package.yaml

@@ -1,2 +1 @@
-url: https://github.com/rancher/backup-restore-operator/releases/download/v1.1.1/rancher-backup-1.1.1.tgz
+url: https://github.com/rancher/backup-restore-operator/releases/download/v2.0.0-rc1/rancher-backup-2.0.0-rc1.tgz
-version: 100.0.0