From 786c76594166b5e1b3d4e5be04c530944038fc91 Mon Sep 17 00:00:00 2001 From: Mauren Berti Date: Wed, 22 Mar 2023 16:42:59 -0400 Subject: [PATCH] [fleet-agent] forward-port from v2.6 to v2.7 --- .../fleet-agent-100.2.3+up0.5.3.tgz | Bin 0 -> 2877 bytes charts/fleet-agent/100.2.3+up0.5.3/Chart.yaml | 15 +++++ charts/fleet-agent/100.2.3+up0.5.3/README.md | 3 + .../100.2.3+up0.5.3/templates/_helpers.tpl | 22 ++++++ .../100.2.3+up0.5.3/templates/configmap.yaml | 12 ++++ .../100.2.3+up0.5.3/templates/deployment.yaml | 47 +++++++++++++ .../templates/network_policy_allow_all.yaml | 15 +++++ .../patch_default_serviceaccount.yaml | 28 ++++++++ .../100.2.3+up0.5.3/templates/rbac.yaml | 25 +++++++ .../100.2.3+up0.5.3/templates/secret.yaml | 10 +++ .../templates/serviceaccount.yaml | 4 ++ .../100.2.3+up0.5.3/templates/validate.yaml | 11 +++ .../fleet-agent/100.2.3+up0.5.3/values.yaml | 63 ++++++++++++++++++ index.yaml | 19 ++++++ release.yaml | 1 + 15 files changed, 275 insertions(+) create mode 100644 assets/fleet-agent/fleet-agent-100.2.3+up0.5.3.tgz create mode 100644 charts/fleet-agent/100.2.3+up0.5.3/Chart.yaml create mode 100644 charts/fleet-agent/100.2.3+up0.5.3/README.md create mode 100644 charts/fleet-agent/100.2.3+up0.5.3/templates/_helpers.tpl create mode 100644 charts/fleet-agent/100.2.3+up0.5.3/templates/configmap.yaml create mode 100644 charts/fleet-agent/100.2.3+up0.5.3/templates/deployment.yaml create mode 100644 charts/fleet-agent/100.2.3+up0.5.3/templates/network_policy_allow_all.yaml create mode 100644 charts/fleet-agent/100.2.3+up0.5.3/templates/patch_default_serviceaccount.yaml create mode 100644 charts/fleet-agent/100.2.3+up0.5.3/templates/rbac.yaml create mode 100644 charts/fleet-agent/100.2.3+up0.5.3/templates/secret.yaml create mode 100644 charts/fleet-agent/100.2.3+up0.5.3/templates/serviceaccount.yaml create mode 100644 charts/fleet-agent/100.2.3+up0.5.3/templates/validate.yaml create mode 100644 charts/fleet-agent/100.2.3+up0.5.3/values.yaml 
diff --git a/assets/fleet-agent/fleet-agent-100.2.3+up0.5.3.tgz b/assets/fleet-agent/fleet-agent-100.2.3+up0.5.3.tgz new file mode 100644 index 0000000000000000000000000000000000000000..7ba269e4fd12c733baec78a55a447a4b04ed39ba GIT binary patch literal 2877 zcmV-D3&QjtiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PI_DZ{s%7-`DyS0|mvleIi+QoTLz*J0O=$i|u98MY8ST&@L9V zG`4x6NR_0Vx~{+bfutl$vJ&rZ)9khIyzn1#h8$9ynIA{wlp*SX%#iEB`J6}{E=k6o zJt{>}6rGI6_B)EA?)NY{89p11$I);+97V^c&!XYc(Mj|SqQ_OEp9-akd=~xgzPf|^ zlMvxtXrig$D)s;pq6rhTFd%yBKUt8hNENi^Lei*CmE`oBp8D$4BWa^OQkXE6%i^1MtSi| zZ*7h;qgn+u*Wn%Iskl?U+~vUA%8$ZI_fdFyzv>bh5`}>oLJSRa^GHsAs2W_1Jd)@2 z-zYo|kGvFBB5AH|(bq;2UJ*`aDB;Ys00DeM^>?`fqTwbX3_Y3{-nrJfiU)(l7_?xIF)W;K@DAY3 z93d|zj3)5?^(BZY=sChaiwR1O8Wo(qehCWY0wu_TbINCyqwU_ZLTQ*FDAX`ViQWNR z{6eyv;l{b4D+m*j#V6zOk@2TDw&CxuFJtiiN*&XDju{|NM2accWnO7^e)f?%hTZ|Z zoC3qC2F!B31ge25AW9V(rl99kb=!P%d1F`XBi)tdP{)`q%iG&i3a7XprbF434G>2A) z_OAFHTBV%A=D%yfR$guJKwnFV;F{3-xs^hyJ$QwQM6EoBA+8%$SNEWes+|gUcn9#> z26sq>oxEgD_{=T12{LhK)~_~N6r7<_uoMMIB#bTXBZs>=(YDYGG!>N3JjyjnPM9%C z*Uf#})YvDp3o^ZSK;vpFlvmRuQoKQii53zFH_L;e8?b_@aF5$cK#DmN%ghMdhAi4J z8XX+Kl}HiXaMUW(7@gV6+O9Rf`Hf zu<{9G)VZJT3j-~SiQk)dC7^Z|Nbbl^!fh>k-4^Tgdn)pv+mNTMJ4c^U>$kUB4ZigL<$&x4Oi;!wCMpN#oUHZp7VBDPsSZ8E;zGA8 zZpKJ0;7-U}CP=Cv5d}*vL@ga)3Acp8W{cjJgHpe0l5J&RqeG){H>T2Y`^_wdag>z< zu3>rQfBlUEHpScSyE8MrYN#?CIUU*|Vv|K_wDhUh?4BNv`u%?*_>|5vl0Ql^V2A&Y zj*hzi|73JB+WY^fpj*n*7|!kUens+jQgY~Js7XpRF&J$-Nm$jm=LNy+?xYLH+i> z*#JI<1K45zqwzTE+W+|UbZ`GpK}~xnd9DVFq33+Ui%k;XVK1O^Ol-QM+SXe0%ZN_q zmu1?>*)7TQwj@Bcs(V9a;s<3dWI)Se(?U?{e|7fi;^y_)`9)n* zqO7l_$l^vJz?33O&Bnh~T9&^idLGw$hjj|7=5_g1c)nWIV|@T`8QzA*f<7{~? 
zg#MZ`bdw%~mIbzZZ^jmdazPV3OA=9Vy`4-e=eeE5SpnqU)LKzSWG{<=;qAb}bbqsj7}H9GV8 zacE#C{y*uw{~Ha*!+rkeNhk<{7UnOXJms_S_A8qLr~$#1t9otML=Pq?!&zWgi}@^T z%9j_bRc*`FOOCMfhQk!cJkzu&m^ic!);5jTj18~n`Mq==}RYLe_yztpL)js zx2WI#a|7OLd{V|l;$q^5`+!~eKRWK(|7f(g|EHm@{ZGu3-`M=OV$x&jc6n5DaMUo($9e zr$S<2ixY{q-`a1qcNERd!TUiwiDp4)=jDvkTi6qCaL?|-O^BU@7U1_k1n_s0;^lj< z2J{Du{qN(`#2_QTt;6erv1%0Cq8*kd`mVML@S|UL;2(l-pSk(b_6DY;9G3YRvRybvG36<$P)!UN3@O zAiR(90c9s7xfRptCC#XgVYrW*e@W_(|8hc-$2$kO^Zjqs&Ho*bhR6H({}j}W{r0Jo zLeGVyzgh>ewFfwN?^CY@!-unio;OsYkO{U5 z7bqu<0HPCjY@i+lg~6wc~1U zVz#sW3d<8>VI4!)Yp>t_-PyRu@&LQ`|Hnt&^S{R@(RgqFPeGmceU(8xcqr0ettKa9 z=Ct00u-D0;Dj;C|-cZ;=I-;uEAZ0{F1KQsK5#Tld6;Ws8i zXfp@-p9C-6XaB!%$KR%1_CJie_J4Xb+Q1M-aD)>@sw#lOo4KH z$zXF)<1+@m*uFFIsYbJ{N#B4PFG8DOrm3{w zs-OzWI|KG$s=G^dXzzVwLTO<17TFRAQ=$om{AS;udTs9MkEf>pzrHwo@#-SX(ns!N z7ydgMop${H=yd=7=V|Ch6P^+#cy+z8P$-r8bT=5C^P36@<^F~!OxqXfezaGgT(!GU zq%jS%^zG+^duqN2J=YoKaP98;Kq^pKKiBU15GI8N`<4e)?-ex#xfC-=vW#e&5XP3F bw|8B8+S8u)w2S^500960@3SWo07w7;voE!P literal 0 HcmV?d00001 diff --git a/charts/fleet-agent/100.2.3+up0.5.3/Chart.yaml b/charts/fleet-agent/100.2.3+up0.5.3/Chart.yaml new file mode 100644 index 000000000..9865f7bf7 --- /dev/null +++ b/charts/fleet-agent/100.2.3+up0.5.3/Chart.yaml @@ -0,0 +1,15 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.25.0-0' + catalog.cattle.io/namespace: cattle-fleet-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/rancher-version: '>= 2.6.0-0 < 2.7.0-0' + catalog.cattle.io/release-name: fleet-agent +apiVersion: v2 +appVersion: 0.5.3 +description: Fleet Manager Agent - GitOps at Scale +icon: https://charts.rancher.io/assets/logos/fleet.svg +name: fleet-agent +version: 100.2.3+up0.5.3 diff --git a/charts/fleet-agent/100.2.3+up0.5.3/README.md b/charts/fleet-agent/100.2.3+up0.5.3/README.md new file mode 100644 index 000000000..0f3446a38 --- /dev/null 
+++ b/charts/fleet-agent/100.2.3+up0.5.3/README.md
@@ -0,0 +1,3 @@
+Standalone Fleet users use this chart for agent-based registration [docs/agent-initiated.md](/docs/agent-initiated.md).
+Fleet in Rancher does not use this chart, but creates the agent deployments programmatically.
+
diff --git a/charts/fleet-agent/100.2.3+up0.5.3/templates/_helpers.tpl b/charts/fleet-agent/100.2.3+up0.5.3/templates/_helpers.tpl
new file mode 100644
index 000000000..6cd96c3ac
--- /dev/null
+++ b/charts/fleet-agent/100.2.3+up0.5.3/templates/_helpers.tpl
@@ -0,0 +1,22 @@
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Windows cluster will add default taint for linux nodes,
+add below linux tolerations to workloads could be scheduled to those linux nodes
+*/}}
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+ value: "linux"
+ effect: "NoSchedule"
+ operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux
+{{- end -}}
\ No newline at end of file
diff --git a/charts/fleet-agent/100.2.3+up0.5.3/templates/configmap.yaml b/charts/fleet-agent/100.2.3+up0.5.3/templates/configmap.yaml
new file mode 100644
index 000000000..ce61a8756
--- /dev/null
+++ b/charts/fleet-agent/100.2.3+up0.5.3/templates/configmap.yaml
@@ -0,0 +1,12 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: fleet-agent
+data:
+ config: |-
+ {
+ {{ if .Values.labels }}
+ "labels":{{toJson .Values.labels}},
+ {{ end }}
+ "clientID":"{{.Values.clientID}}"
+ }
diff --git a/charts/fleet-agent/100.2.3+up0.5.3/templates/deployment.yaml b/charts/fleet-agent/100.2.3+up0.5.3/templates/deployment.yaml
new file mode 100644
index 000000000..ef6315c7a
--- /dev/null
+++ b/charts/fleet-agent/100.2.3+up0.5.3/templates/deployment.yaml
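Review bot: The `clientID` value in templates/configmap.yaml is spliced into the JSON document as raw text, while `labels` two lines above it goes through `toJson`. A client ID containing a double quote or a backslash would render invalid JSON or change the structure of the agent config. Rendering it the same way as the labels avoids that: `"clientID":{{ toJson .Values.clientID }}`.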
@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: fleet-agent
+spec:
+ selector:
+ matchLabels:
+ app: fleet-agent
+ template:
+ metadata:
+ labels:
+ app: fleet-agent
+ spec:
+ containers:
+ - env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ image: '{{ template "system_default_registry" . }}{{.Values.image.repository}}:{{.Values.image.tag}}'
+ name: fleet-agent
+ command:
+ - fleetagent
+ {{- if .Values.debug }}
+ - --debug
+ - --debug-level
+ - {{ quote .Values.debugLevel }}
+ {{- else }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ {{- end }}
+ serviceAccountName: fleet-agent
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.fleetAgent.nodeSelector }}
+{{ toYaml .Values.fleetAgent.nodeSelector | indent 8 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.fleetAgent.tolerations }}
+{{ toYaml .Values.fleetAgent.tolerations | indent 8 }}
+{{- end }}
+{{- if not .Values.debug }}
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
+{{- end }}
diff --git a/charts/fleet-agent/100.2.3+up0.5.3/templates/network_policy_allow_all.yaml b/charts/fleet-agent/100.2.3+up0.5.3/templates/network_policy_allow_all.yaml
new file mode 100644
index 000000000..a72109a06
--- /dev/null
+++ b/charts/fleet-agent/100.2.3+up0.5.3/templates/network_policy_allow_all.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-allow-all
+ namespace: {{ .Values.internal.systemNamespace }}
+spec:
+ podSelector: {}
+ ingress:
+ - {}
+ egress:
+ - {}
+ policyTypes:
+ - Ingress
+ - Egress
diff --git a/charts/fleet-agent/100.2.3+up0.5.3/templates/patch_default_serviceaccount.yaml b/charts/fleet-agent/100.2.3+up0.5.3/templates/patch_default_serviceaccount.yaml
new file mode 100644
index 000000000..aad4eea41
--- /dev/null
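Review bot: Both `securityContext` blocks in templates/deployment.yaml are rendered only when `.Values.debug` is false (the container-level one sits in the `else` branch of the debug arguments, the pod-level one under `if not .Values.debug`), so enabling debug logging also drops `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and the non-root user. That pod runs as the `fleet-agent` service account, which rbac.yaml in this patch binds to a wildcard ClusterRole. Assuming debug mode does not depend on privilege escalation (not visible from this hunk), the container context can be emitted unconditionally with only the read-only root filesystem left behind the flag, as sketched below.

```yaml
        command:
        - fleetagent
        {{- if .Values.debug }}
        # … unchanged: --debug, --debug-level and debugLevel arguments …
        {{- end }}
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          {{- if not .Values.debug }}
          readOnlyRootFilesystem: true
          {{- end }}
```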
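Review bot: `default-allow-all` in templates/network_policy_allow_all.yaml selects every pod in the system namespace (`podSelector: {}`) and allows all ingress and egress; because NetworkPolicies are additive, it cancels out any default-deny policy an operator applies to that namespace. Nothing in this patch defines a Service or a container port for the agent, so inbound traffic is presumably not needed. Consider narrowing the selector to `app: fleet-agent` and removing the `ingress: - {}` rule, or at least add a comment above the resource stating why unrestricted traffic is required.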
+++ b/charts/fleet-agent/100.2.3+up0.5.3/templates/patch_default_serviceaccount.yaml
@@ -0,0 +1,28 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: patch-fleet-sa
+ annotations:
+ "helm.sh/hook": post-install, post-upgrade
+ "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+spec:
+ template:
+ spec:
+ serviceAccountName: fleet-agent
+ restartPolicy: Never
+ containers:
+ - name: sa
+ image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ command: ["kubectl", "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"]
+ args: ["-n", {{ .Values.internal.systemNamespace }}]
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.kubectl.nodeSelector }}
+{{ toYaml .Values.kubectl.nodeSelector | indent 8 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.kubectl.tolerations }}
+{{ toYaml .Values.kubectl.tolerations | indent 8 }}
+{{- end }}
+ backoffLimit: 1
diff --git a/charts/fleet-agent/100.2.3+up0.5.3/templates/rbac.yaml b/charts/fleet-agent/100.2.3+up0.5.3/templates/rbac.yaml
new file mode 100644
index 000000000..805949bf2
--- /dev/null
+++ b/charts/fleet-agent/100.2.3+up0.5.3/templates/rbac.yaml
@@ -0,0 +1,25 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: fleet-agent-system-fleet-agent-role
+rules:
+- apiGroups:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - '*'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: fleet-agent-system-fleet-agent-role-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: fleet-agent-system-fleet-agent-role
+subjects:
+- kind: ServiceAccount
+ name: fleet-agent
+ namespace: {{.Release.Namespace}}
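Review bot: The `patch-fleet-sa` hook Job runs with `serviceAccountName: fleet-agent`, the account that rbac.yaml binds to a ClusterRole with `*` on all resources, although its only command is `kubectl patch serviceaccount default`. A dedicated ServiceAccount (for example `serviceAccountName: patch-fleet-sa`) with a namespaced Role limited to `get` and `patch` on `serviceaccounts` with `resourceNames: ["default"]` would keep the wildcard token out of a short-lived pod that runs a separately configured image. The Job container also sets no `securityContext`, unlike the agent Deployment in this patch; `allowPrivilegeEscalation: false` looks applicable here as well.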
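Review bot: `fleet-agent-system-fleet-agent-role` in templates/rbac.yaml grants every verb on every resource in every API group and is bound cluster-wide, which is equivalent to cluster-admin and includes reading all Secrets as well as the `escalate`, `bind` and `impersonate` verbs. That may be inherent to an agent that applies arbitrary bundles, but the file carries no comment saying so. A header comment such as `# Intentionally cluster-admin equivalent; treat the fleet-agent service account token as a cluster credential.` would make the intent explicit for anyone auditing RBAC in a downstream cluster.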
diff --git a/charts/fleet-agent/100.2.3+up0.5.3/templates/secret.yaml b/charts/fleet-agent/100.2.3+up0.5.3/templates/secret.yaml
new file mode 100644
index 000000000..471588204
--- /dev/null
+++ b/charts/fleet-agent/100.2.3+up0.5.3/templates/secret.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+ systemRegistrationNamespace: "{{b64enc .Values.systemRegistrationNamespace}}"
+ clusterNamespace: "{{b64enc .Values.clusterNamespace}}"
+ token: "{{b64enc .Values.token}}"
+ apiServerURL: "{{b64enc .Values.apiServerURL}}"
+ apiServerCA: "{{b64enc .Values.apiServerCA}}"
+kind: Secret
+metadata:
+ name: fleet-agent-bootstrap
diff --git a/charts/fleet-agent/100.2.3+up0.5.3/templates/serviceaccount.yaml b/charts/fleet-agent/100.2.3+up0.5.3/templates/serviceaccount.yaml
new file mode 100644
index 000000000..73e27f0be
--- /dev/null
+++ b/charts/fleet-agent/100.2.3+up0.5.3/templates/serviceaccount.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: fleet-agent
diff --git a/charts/fleet-agent/100.2.3+up0.5.3/templates/validate.yaml b/charts/fleet-agent/100.2.3+up0.5.3/templates/validate.yaml
new file mode 100644
index 000000000..d53ff1c50
--- /dev/null
+++ b/charts/fleet-agent/100.2.3+up0.5.3/templates/validate.yaml
@@ -0,0 +1,11 @@
+{{if ne .Release.Namespace .Values.internal.systemNamespace }}
+{{ fail (printf "This chart must be installed in the namespace %s as the release name fleet-agent" .Values.internal.systemNamespace) }}
+{{end}}
+
+{{if ne .Release.Name .Values.internal.managedReleaseName }}
+{{ fail (printf "This chart must be installed in the namespace %s as the release name fleet-agent" .Values.internal.managedReleaseName) }}
+{{end}}
+
+{{if not .Values.apiServerURL }}
+{{ fail "apiServerURL is required to be set, and most likely also apiServerCA" }}
+{{end}}
diff --git a/charts/fleet-agent/100.2.3+up0.5.3/values.yaml b/charts/fleet-agent/100.2.3+up0.5.3/values.yaml
new file mode 100644
index 000000000..9dab69482
--- /dev/null
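Review bot: The registration `token` reaches the `fleet-agent-bootstrap` Secret only through `.Values.token`, so it has to be supplied in a values file or on the command line, and Helm keeps user-supplied values in its release record for as long as the release exists. The template offers no way to reference a Secret created out of band. If adding such an option is out of scope for a forward-port, the `token: ""` entry in values.yaml should at least carry a comment like `# Credential: supply at install time from a secret store; do not commit to version control`.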
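Review bot: The second `fail` call in templates/validate.yaml formats `.Values.internal.managedReleaseName` into the `%s` of "installed in the namespace %s", so a wrong release name is reported with the release name printed as if it were the namespace; the message looks copied from the first check. A message that fits both checks is `{{ fail (printf "This chart must be installed in the namespace %s as the release name %s" .Values.internal.systemNamespace .Values.internal.managedReleaseName) }}`. Separately, the last check only tests that `apiServerURL` is non-empty, so an `http://` URL passes chart validation; whether the agent rejects it later is not visible here, and a `hasPrefix "https://"` test would catch it at install time.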
+++ b/charts/fleet-agent/100.2.3+up0.5.3/values.yaml
@@ -0,0 +1,63 @@
+image:
+ os: "windows,linux"
+ repository: rancher/fleet-agent
+ tag: v0.5.3
+
+# The public URL of the Kubernetes API server running the Fleet Manager must be set here
+# Example: https://example.com:6443
+apiServerURL: ""
+
+# The the pem encoded value of the CA of the Kubernetes API server running the Fleet Manager.
+# If left empty it is assumed this Kubernetes API TLS is signed by a well known CA.
+apiServerCA: ""
+
+# The cluster registration value
+token: ""
+
+# Labels to add to the cluster upon registration only. They are not added after the fact.
+#labels:
+# foo: bar
+
+# The client ID of the cluster to associate with
+clientID: ""
+
+# The namespace of the cluster we are register with
+clusterNamespace: ""
+
+# The namespace containing the clusters registration secrets
+systemRegistrationNamespace: cattle-fleet-clusters-system
+
+# Please do not change the below setting unless you really know what you are doing
+internal:
+ systemNamespace: cattle-fleet-system
+ managedReleaseName: fleet-agent
+
+# The nodeSelector and tolerations for the agent deployment
+fleetAgent:
+ ## Node labels for pod assignment
+ ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+ ##
+ nodeSelector: {}
+ ## List of node taints to tolerate (requires Kubernetes >= 1.6)
+ tolerations: []
+kubectl:
+ ## Node labels for pod assignment
+ ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+ ##
+ nodeSelector: {}
+ ## List of node taints to tolerate (requires Kubernetes >= 1.6)
+ tolerations:
+ - key: node.cloudprovider.kubernetes.io/uninitialized
+ operator: "Equal"
+ value: "true"
+ effect: NoSchedule
+
+global:
+ cattle:
+ systemDefaultRegistry: ""
+ kubectl:
+ repository: rancher/kubectl
+ tag: v1.21.5
+
+debug: false
+debugLevel: 0
diff --git a/index.yaml b/index.yaml
index 90d3ebe3a..a8a59b61e 100755
--- a/index.yaml
+++ b/index.yaml
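Review bot: The `global:` block in values.yaml defines `cattle` and `kubectl` but no `imagePullPolicy`, while templates/patch_default_serviceaccount.yaml in this patch renders `imagePullPolicy: {{ .Values.global.imagePullPolicy }}`. With the shipped defaults that field renders empty and the cluster's default pull policy silently applies to the hook Job. Adding `imagePullPolicy: IfNotPresent` under `global:` makes the behaviour explicit. The `debug: false` line would also benefit from a comment noting that setting it to `true` removes both `securityContext` blocks in deployment.yaml.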
@@ -756,6 +756,25 @@ entries: urls: - assets/fleet-agent/fleet-agent-101.0.0+up0.5.0.tgz version: 101.0.0+up0.5.0 + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.25.0-0' + catalog.cattle.io/namespace: cattle-fleet-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/rancher-version: '>= 2.6.0-0 < 2.7.0-0' + catalog.cattle.io/release-name: fleet-agent + apiVersion: v2 + appVersion: 0.5.3 + created: "2023-03-22T16:42:34.867398-04:00" + description: Fleet Manager Agent - GitOps at Scale + digest: 823c8b25e9cd35022794e65097425d4645f1eddcb47d7b7737b76cf11cfb56a9 + icon: https://charts.rancher.io/assets/logos/fleet.svg + name: fleet-agent + urls: + - assets/fleet-agent/fleet-agent-100.2.3+up0.5.3.tgz + version: 100.2.3+up0.5.3 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true" diff --git a/release.yaml b/release.yaml index 22130b8f4..67fbc446f 100644 --- a/release.yaml +++ b/release.yaml @@ -13,6 +13,7 @@ fleet-agent: - 0.3.1000+up0.3.10-security1 - 100.2.0+up0.5.1 - 102.0.0+up0.6.0-rc.5 + - 100.2.3+up0.5.3 fleet-crd: - 0.3.1000+up0.3.10-security1 - 100.2.0+up0.5.1