[fleet-agent] forward-port from v2.6 to v2.7

charts/fleet-agent/100.2.3+up0.5.3/Chart.yaml

@@ -0,0 +1,15 @@
+annotations:
+  catalog.cattle.io/certified: rancher
+  catalog.cattle.io/hidden: "true"
+  catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.25.0-0'
+  catalog.cattle.io/namespace: cattle-fleet-system
+  catalog.cattle.io/os: linux
+  catalog.cattle.io/permits-os: linux,windows
+  catalog.cattle.io/rancher-version: '>= 2.6.0-0 < 2.7.0-0'
+  catalog.cattle.io/release-name: fleet-agent
+apiVersion: v2
+appVersion: 0.5.3
+description: Fleet Manager Agent - GitOps at Scale
+icon: https://charts.rancher.io/assets/logos/fleet.svg
+name: fleet-agent
+version: 100.2.3+up0.5.3

charts/fleet-agent/100.2.3+up0.5.3/README.md

@@ -0,0 +1,3 @@
+Standalone Fleet users use this chart for agent-based registration [docs/agent-initiated.md](/docs/agent-initiated.md).
+Fleet in Rancher does not use this chart, but creates the agent deployments programmatically.
+

charts/fleet-agent/100.2.3+up0.5.3/templates/_helpers.tpl

@@ -0,0 +1,22 @@
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Windows cluster will add default taint for linux nodes,
+add below linux tolerations to workloads could be scheduled to those linux nodes
+*/}}
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+  value: "linux"
+  effect: "NoSchedule"
+  operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux
+{{- end -}}

charts/fleet-agent/100.2.3+up0.5.3/templates/configmap.yaml

@@ -0,0 +1,12 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: fleet-agent
+data:
+  config: |-
+    {
+      {{ if .Values.labels }}
+      "labels":{{toJson .Values.labels}},
+      {{ end }}
+      "clientID":"{{.Values.clientID}}"
+    }

charts/fleet-agent/100.2.3+up0.5.3/templates/deployment.yaml

@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: fleet-agent
+spec:
+  selector:
+    matchLabels:
+      app: fleet-agent
+  template:
+    metadata:
+      labels:
+        app: fleet-agent
+    spec:
+      containers:
+      - env:
+        - name: NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: '{{ template "system_default_registry" . }}{{.Values.image.repository}}:{{.Values.image.tag}}'
+        name: fleet-agent
+        command:
+        - fleetagent
+        {{- if .Values.debug }}
+        - --debug
+        - --debug-level
+        - {{ quote .Values.debugLevel }}
+        {{- else }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+        {{- end }}
+      serviceAccountName: fleet-agent
+      nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.fleetAgent.nodeSelector }}
+{{ toYaml .Values.fleetAgent.nodeSelector | indent 8 }}
+{{- end }}
+      tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.fleetAgent.tolerations }}
+{{ toYaml .Values.fleetAgent.tolerations | indent 8 }}
+{{- end }}
+{{- if not .Values.debug }}
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+{{- end }}

charts/fleet-agent/100.2.3+up0.5.3/templates/network_policy_allow_all.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-allow-all
+  namespace: {{ .Values.internal.systemNamespace }}
+spec:
+  podSelector: {}
+  ingress:
+  - {}
+  egress:
+  - {}
+  policyTypes:
+  - Ingress
+  - Egress

charts/fleet-agent/100.2.3+up0.5.3/templates/patch_default_serviceaccount.yaml

@@ -0,0 +1,28 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: patch-fleet-sa
+  annotations:
+    "helm.sh/hook": post-install, post-upgrade
+    "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+spec:
+  template:
+    spec:
+      serviceAccountName: fleet-agent
+      restartPolicy: Never
+      containers:
+      - name: sa
+        image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
+        imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+        command: ["kubectl", "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"]
+        args: ["-n", {{ .Values.internal.systemNamespace }}]
+      nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.kubectl.nodeSelector }}
+{{ toYaml .Values.kubectl.nodeSelector | indent 8 }}
+{{- end }}
+      tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.kubectl.tolerations }}
+{{ toYaml .Values.kubectl.tolerations | indent 8 }}
+{{- end }}
+  backoffLimit: 1

charts/fleet-agent/100.2.3+up0.5.3/templates/rbac.yaml

@@ -0,0 +1,25 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: fleet-agent-system-fleet-agent-role
+rules:
+- apiGroups:
+  - '*'
+  resources:
+  - '*'
+  verbs:
+  - '*'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: fleet-agent-system-fleet-agent-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: fleet-agent-system-fleet-agent-role
+subjects:
+- kind: ServiceAccount
+  name: fleet-agent
+  namespace: {{.Release.Namespace}}

charts/fleet-agent/100.2.3+up0.5.3/templates/secret.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+  systemRegistrationNamespace: "{{b64enc .Values.systemRegistrationNamespace}}"
+  clusterNamespace: "{{b64enc .Values.clusterNamespace}}"
+  token: "{{b64enc .Values.token}}"
+  apiServerURL: "{{b64enc .Values.apiServerURL}}"
+  apiServerCA: "{{b64enc .Values.apiServerCA}}"
+kind: Secret
+metadata:
+  name: fleet-agent-bootstrap

charts/fleet-agent/100.2.3+up0.5.3/templates/serviceaccount.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: fleet-agent

charts/fleet-agent/100.2.3+up0.5.3/templates/validate.yaml

@@ -0,0 +1,11 @@
+{{if ne .Release.Namespace .Values.internal.systemNamespace }}
+{{ fail (printf "This chart must be installed in the namespace %s as the release name fleet-agent" .Values.internal.systemNamespace) }}
+{{end}}
+
+{{if ne .Release.Name .Values.internal.managedReleaseName }}
+{{ fail (printf "This chart must be installed in the namespace %s as the release name fleet-agent" .Values.internal.managedReleaseName) }}
+{{end}}
+
+{{if not .Values.apiServerURL }}
+{{ fail "apiServerURL is required to be set, and most likely also apiServerCA" }}
+{{end}}

charts/fleet-agent/100.2.3+up0.5.3/values.yaml

@@ -0,0 +1,63 @@
+image:
+  os: "windows,linux"
+  repository: rancher/fleet-agent
+  tag: v0.5.3
+
+# The public URL of the Kubernetes API server running the Fleet Manager must be set here
+# Example: https://example.com:6443
+apiServerURL: ""
+
+# The the pem encoded value of the CA of the Kubernetes API server running the Fleet Manager.
+# If left empty it is assumed this Kubernetes API TLS is signed by a well known CA.
+apiServerCA: ""
+
+# The cluster registration value
+token: ""
+
+# Labels to add to the cluster upon registration only. They are not added after the fact.
+#labels:
+#  foo: bar
+
+# The client ID of the cluster to associate with
+clientID: ""
+
+# The namespace of the cluster we are register with
+clusterNamespace: ""
+
+# The namespace containing the clusters registration secrets
+systemRegistrationNamespace: cattle-fleet-clusters-system
+
+# Please do not change the below setting unless you really know what you are doing
+internal:
+  systemNamespace: cattle-fleet-system
+  managedReleaseName: fleet-agent
+
+# The nodeSelector and tolerations for the agent deployment
+fleetAgent:
+  ## Node labels for pod assignment
+  ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+  ##
+  nodeSelector: {}
+  ## List of node taints to tolerate (requires Kubernetes >= 1.6)
+  tolerations: []
+kubectl:
+  ## Node labels for pod assignment
+  ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+  ##
+  nodeSelector: {}
+  ## List of node taints to tolerate (requires Kubernetes >= 1.6)
+  tolerations:
+  - key: node.cloudprovider.kubernetes.io/uninitialized
+    operator: "Equal"
+    value: "true"
+    effect: NoSchedule
+
+global:
+  cattle:
+    systemDefaultRegistry: ""
+  kubectl:
+    repository: rancher/kubectl
+    tag: v1.21.5
+
+debug: false
+debugLevel: 0

index.yaml

@@ -756,6 +756,25 @@ entries:
     urls:
     - assets/fleet-agent/fleet-agent-101.0.0+up0.5.0.tgz
     version: 101.0.0+up0.5.0
+  - annotations:
+      catalog.cattle.io/certified: rancher
+      catalog.cattle.io/hidden: "true"
+      catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.25.0-0'
+      catalog.cattle.io/namespace: cattle-fleet-system
+      catalog.cattle.io/os: linux
+      catalog.cattle.io/permits-os: linux,windows
+      catalog.cattle.io/rancher-version: '>= 2.6.0-0 < 2.7.0-0'
+      catalog.cattle.io/release-name: fleet-agent
+    apiVersion: v2
+    appVersion: 0.5.3
+    created: "2023-03-22T16:42:34.867398-04:00"
+    description: Fleet Manager Agent - GitOps at Scale
+    digest: 823c8b25e9cd35022794e65097425d4645f1eddcb47d7b7737b76cf11cfb56a9
+    icon: https://charts.rancher.io/assets/logos/fleet.svg
+    name: fleet-agent
+    urls:
+    - assets/fleet-agent/fleet-agent-100.2.3+up0.5.3.tgz
+    version: 100.2.3+up0.5.3
   - annotations:
       catalog.cattle.io/certified: rancher
       catalog.cattle.io/hidden: "true"

release.yaml

@@ -13,6 +13,7 @@ fleet-agent:
   - 0.3.1000+up0.3.10-security1
   - 100.2.0+up0.5.1
   - 102.0.0+up0.6.0-rc.5
+  - 100.2.3+up0.5.3
 fleet-crd:
   - 0.3.1000+up0.3.10-security1
   - 100.2.0+up0.5.1