diff --git a/assets/fleet-agent/fleet-agent-0.3.1000+up0.3.10-security1.tgz b/assets/fleet-agent/fleet-agent-0.3.1000+up0.3.10-security1.tgz
new file mode 100644
index 000000000..5cfcf0ca6
Binary files /dev/null and b/assets/fleet-agent/fleet-agent-0.3.1000+up0.3.10-security1.tgz differ
diff --git a/charts/fleet-agent/0.3.1000+up0.3.10-security1/Chart.yaml b/charts/fleet-agent/0.3.1000+up0.3.10-security1/Chart.yaml
new file mode 100644
index 000000000..cd07ba5a2
--- /dev/null
+++ b/charts/fleet-agent/0.3.1000+up0.3.10-security1/Chart.yaml
@@ -0,0 +1,13 @@
+annotations:
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/hidden: "true"
+ catalog.cattle.io/namespace: cattle-fleet-system
+ catalog.cattle.io/os: linux
+ catalog.cattle.io/permits-os: linux,windows
+ catalog.cattle.io/release-name: fleet-agent
+apiVersion: v2
+appVersion: 0.3.10-security1
+description: Fleet Manager Agent - GitOps at Scale
+icon: https://charts.rancher.io/assets/logos/fleet.svg
+name: fleet-agent
+version: 0.3.1000+up0.3.10-security1
diff --git a/charts/fleet-agent/0.3.1000+up0.3.10-security1/templates/_helpers.tpl b/charts/fleet-agent/0.3.1000+up0.3.10-security1/templates/_helpers.tpl
new file mode 100644
index 000000000..6cd96c3ac
--- /dev/null
+++ b/charts/fleet-agent/0.3.1000+up0.3.10-security1/templates/_helpers.tpl
@@ -0,0 +1,22 @@
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Windows cluster will add default taint for linux nodes,
+add below linux tolerations to workloads could be scheduled to those linux nodes
+*/}}
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+ value: "linux"
+ effect: "NoSchedule"
+ operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux
+{{- end -}}
\ No newline at end of file
diff --git a/charts/fleet-agent/0.3.1000+up0.3.10-security1/templates/configmap.yaml b/charts/fleet-agent/0.3.1000+up0.3.10-security1/templates/configmap.yaml
new file mode 100644
index 000000000..ce61a8756
--- /dev/null
+++ b/charts/fleet-agent/0.3.1000+up0.3.10-security1/templates/configmap.yaml
@@ -0,0 +1,12 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: fleet-agent
+data:
+ config: |-
+ {
+ {{ if .Values.labels }}
+ "labels":{{toJson .Values.labels}},
+ {{ end }}
+ "clientID":"{{.Values.clientID}}"
+ }
diff --git a/charts/fleet-agent/0.3.1000+up0.3.10-security1/templates/deployment.yaml b/charts/fleet-agent/0.3.1000+up0.3.10-security1/templates/deployment.yaml
new file mode 100644
index 000000000..1bf359ef7
--- /dev/null
+++ b/charts/fleet-agent/0.3.1000+up0.3.10-security1/templates/deployment.yaml
@@ -0,0 +1,37 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: fleet-agent
+spec:
+ selector:
+ matchLabels:
+ app: fleet-agent
+ template:
+ metadata:
+ labels:
+ app: fleet-agent
+ spec:
+ containers:
+ - env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ image: '{{ template "system_default_registry" . }}{{.Values.image.repository}}:{{.Values.image.tag}}'
+ name: fleet-agent
+ command:
+ - fleetagent
+ {{- if .Values.debug }}
+ - --debug
+ - --debug-level
+ - {{ quote .Values.debugLevel }}
+ {{- end }}
+ serviceAccountName: fleet-agent
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.fleetAgent.nodeSelector }}
+{{ toYaml .Values.fleetAgent.nodeSelector | indent 8 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.fleetAgent.tolerations }}
+{{ toYaml .Values.fleetAgent.tolerations | indent 8 }}
+{{- end }}
\ No newline at end of file
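Review bot: `"clientID":"{{.Values.clientID}}"` in the `config` block scalar interpolates the value into JSON without escaping, so a clientID containing a double quote or backslash produces a ConfigMap the agent cannot parse as JSON. The `labels` entry two lines above already uses `toJson`; the same should be done here: `"clientID":{{ toJson .Values.clientID }}`. With the values.yaml default of `""` the rendered output is unchanged.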
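Review bot: The `fleet-agent` container is created with no `securityContext`, so it runs with the image's default user and capability set while holding a ServiceAccount whose ClusterRole in this same change is wildcard on every API group, resource and verb. Setting `allowPrivilegeEscalation: false` and dropping all capabilities does not depend on how the image is built; `runAsNonRoot` and `readOnlyRootFilesystem` are worth adding too but must be confirmed against the image's user and write paths. The container also declares no `resources` requests or limits.
```yaml
      containers:
      - env:
        # … unchanged: NAMESPACE env, image, name, command …
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
```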
diff --git a/charts/fleet-agent/0.3.1000+up0.3.10-security1/templates/network_policy_allow_all.yaml b/charts/fleet-agent/0.3.1000+up0.3.10-security1/templates/network_policy_allow_all.yaml
new file mode 100644
index 000000000..a72109a06
--- /dev/null
+++ b/charts/fleet-agent/0.3.1000+up0.3.10-security1/templates/network_policy_allow_all.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-allow-all
+ namespace: {{ .Values.internal.systemNamespace }}
+spec:
+ podSelector: {}
+ ingress:
+ - {}
+ egress:
+ - {}
+ policyTypes:
+ - Ingress
+ - Egress
diff --git a/charts/fleet-agent/0.3.1000+up0.3.10-security1/templates/patch_default_serviceaccount.yaml b/charts/fleet-agent/0.3.1000+up0.3.10-security1/templates/patch_default_serviceaccount.yaml
new file mode 100644
index 000000000..aad4eea41
--- /dev/null
+++ b/charts/fleet-agent/0.3.1000+up0.3.10-security1/templates/patch_default_serviceaccount.yaml
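Review bot: `default-allow-all` selects every pod in the agent namespace (`podSelector: {}`) and permits all ingress and all egress, which overrides any default-deny NetworkPolicy a cluster operator has applied to that namespace, and the template carries no comment saying why the agent needs this. A header such as `{{/* Keep the agent namespace reachable even where the cluster applies a default-deny NetworkPolicy */}}` would record the intent; that reason is inferred from the policy name, so confirm it before writing it down. Separately, `namespace: {{ .Values.internal.systemNamespace }}` is a bare templated scalar; quoting it as `namespace: "{{ .Values.internal.systemNamespace }}"` keeps an empty or unusual value from being retyped or rendered as null.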
@@ -0,0 +1,28 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: patch-fleet-sa
+ annotations:
+ "helm.sh/hook": post-install, post-upgrade
+ "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+spec:
+ template:
+ spec:
+ serviceAccountName: fleet-agent
+ restartPolicy: Never
+ containers:
+ - name: sa
+ image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ command: ["kubectl", "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"]
+ args: ["-n", {{ .Values.internal.systemNamespace }}]
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.kubectl.nodeSelector }}
+{{ toYaml .Values.kubectl.nodeSelector | indent 8 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.kubectl.tolerations }}
+{{ toYaml .Values.kubectl.tolerations | indent 8 }}
+{{- end }}
+ backoffLimit: 1
diff --git a/charts/fleet-agent/0.3.1000+up0.3.10-security1/templates/rbac.yaml b/charts/fleet-agent/0.3.1000+up0.3.10-security1/templates/rbac.yaml
new file mode 100644
index 000000000..805949bf2
--- /dev/null
+++ b/charts/fleet-agent/0.3.1000+up0.3.10-security1/templates/rbac.yaml
@@ -0,0 +1,25 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: fleet-agent-system-fleet-agent-role
+rules:
+- apiGroups:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - '*'
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: fleet-agent-system-fleet-agent-role-binding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: fleet-agent-system-fleet-agent-role
+subjects:
+- kind: ServiceAccount
+ name: fleet-agent
+ namespace: {{.Release.Namespace}}
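Review bot: `imagePullPolicy: {{ .Values.global.imagePullPolicy }}` references a value that the values.yaml added in this same change does not define (`global` only carries `cattle` and `kubectl`), so the field renders empty and the kubelet default silently applies; either add `imagePullPolicy` under `global` in values.yaml or give the template a fallback such as `imagePullPolicy: {{ .Values.global.imagePullPolicy | default "IfNotPresent" }}`. On the next line `args: ["-n", {{ .Values.internal.systemNamespace }}]` places a bare templated scalar inside a flow sequence; quote it as `"{{ .Values.internal.systemNamespace }}"` so an empty or special-character value cannot change the YAML structure. The hook runs under the `fleet-agent` ServiceAccount, which the rbac.yaml hunk grants wildcard cluster rights, to patch a single ServiceAccount; a short comment explaining why that account is reused rather than a narrower one would help a reader auditing the hook.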
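Review bot: The ClusterRole grants `'*'` on every apiGroup, resource and verb and is bound cluster-wide to the `fleet-agent` ServiceAccount, which makes that account's token equivalent to cluster-admin, yet nothing in the template records that this breadth is intended. Since the agent applies arbitrary GitOps content the wildcard may be unavoidable, but a comment at the top of the file, e.g. `{{/* The agent applies arbitrary bundle content to this cluster, so its role cannot be scoped to specific resources. */}}`, lets reviewers and cluster operators see it is deliberate rather than an oversight. Operators should then treat the `fleet-agent` token with the same care as the bootstrap token in secret.yaml.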
diff --git a/charts/fleet-agent/0.3.1000+up0.3.10-security1/templates/secret.yaml b/charts/fleet-agent/0.3.1000+up0.3.10-security1/templates/secret.yaml
new file mode 100644
index 000000000..471588204
--- /dev/null
+++ b/charts/fleet-agent/0.3.1000+up0.3.10-security1/templates/secret.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+ systemRegistrationNamespace: "{{b64enc .Values.systemRegistrationNamespace}}"
+ clusterNamespace: "{{b64enc .Values.clusterNamespace}}"
+ token: "{{b64enc .Values.token}}"
+ apiServerURL: "{{b64enc .Values.apiServerURL}}"
+ apiServerCA: "{{b64enc .Values.apiServerCA}}"
+kind: Secret
+metadata:
+ name: fleet-agent-bootstrap
diff --git a/charts/fleet-agent/0.3.1000+up0.3.10-security1/templates/serviceaccount.yaml b/charts/fleet-agent/0.3.1000+up0.3.10-security1/templates/serviceaccount.yaml
new file mode 100644
index 000000000..73e27f0be
--- /dev/null
+++ b/charts/fleet-agent/0.3.1000+up0.3.10-security1/templates/serviceaccount.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: fleet-agent
diff --git a/charts/fleet-agent/0.3.1000+up0.3.10-security1/templates/validate.yaml b/charts/fleet-agent/0.3.1000+up0.3.10-security1/templates/validate.yaml
new file mode 100644
index 000000000..d53ff1c50
--- /dev/null
+++ b/charts/fleet-agent/0.3.1000+up0.3.10-security1/templates/validate.yaml
@@ -0,0 +1,11 @@
+{{if ne .Release.Namespace .Values.internal.systemNamespace }}
+{{ fail (printf "This chart must be installed in the namespace %s as the release name fleet-agent" .Values.internal.systemNamespace) }}
+{{end}}
+
+{{if ne .Release.Name .Values.internal.managedReleaseName }}
+{{ fail (printf "This chart must be installed in the namespace %s as the release name fleet-agent" .Values.internal.managedReleaseName) }}
+{{end}}
+
+{{if not .Values.apiServerURL }}
+{{ fail "apiServerURL is required to be set, and most likely also apiServerCA" }}
+{{end}}
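Review bot: The second `fail` in validate.yaml reuses the first check's wording, so a wrong release name prints `This chart must be installed in the namespace <managedReleaseName> as the release name fleet-agent`, substituting the release name into the namespace placeholder. Change it to `{{ fail (printf "This chart must be installed with the release name %s" .Values.internal.managedReleaseName) }}`. The checks also leave `token` unvalidated even though it defaults to `""` in values.yaml and is written into the bootstrap Secret as-is; an agent installed without it presumably cannot register, so `{{if not .Values.token }}{{ fail "token is required to be set" }}{{end}}` would fail at install time with a clear message instead.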
diff --git a/charts/fleet-agent/0.3.1000+up0.3.10-security1/values.yaml b/charts/fleet-agent/0.3.1000+up0.3.10-security1/values.yaml
new file mode 100644
index 000000000..cfea00e66
--- /dev/null
+++ b/charts/fleet-agent/0.3.1000+up0.3.10-security1/values.yaml
@@ -0,0 +1,63 @@
+image:
+ os: "windows,linux"
+ repository: rancher/fleet-agent
+ tag: v0.3.10-security1
+
+# The public URL of the Kubernetes API server running the Fleet Manager must be set here
+# Example: https://example.com:6443
+apiServerURL: ""
+
+# The the pem encoded value of the CA of the Kubernetes API server running the Fleet Manager.
+# If left empty it is assumed this Kubernetes API TLS is signed by a well known CA.
+apiServerCA: ""
+
+# The cluster registration value
+token: ""
+
+# Labels to add to the cluster upon registration only. They are not added after the fact.
+#labels:
+# foo: bar
+
+# The client ID of the cluster to associate with
+clientID: ""
+
+# The namespace of the cluster we are register with
+clusterNamespace: ""
+
+# The namespace containing the clusters registration secrets
+systemRegistrationNamespace: fleet-clusters-system
+
+# Please do not change the below setting unless you really know what you are doing
+internal:
+ systemNamespace: fleet-system
+ managedReleaseName: fleet-agent
+
+# The nodeSelector and tolerations for the agent deployment
+fleetAgent:
+ ## Node labels for pod assignment
+ ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+ ##
+ nodeSelector: {}
+ ## List of node taints to tolerate (requires Kubernetes >= 1.6)
+ tolerations: []
+kubectl:
+ ## Node labels for pod assignment
+ ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+ ##
+ nodeSelector: {}
+ ## List of node taints to tolerate (requires Kubernetes >= 1.6)
+ tolerations:
+ - key: node.cloudprovider.kubernetes.io/uninitialized
+ operator: "Equal"
+ value: "true"
+ effect: NoSchedule
+
+global:
+ cattle:
+ systemDefaultRegistry: ""
+ kubectl:
+ repository: rancher/kubectl
+ tag: v1.21.5
+
+debug: false
+debugLevel: 0
diff --git a/index.yaml b/index.yaml
index 4d922ea56..0bcfd5139 100755
--- a/index.yaml
+++ b/index.yaml
@@ -785,6 +785,23 @@ entries:
 urls:
 - assets/fleet-agent/fleet-agent-100.0.0+up0.3.6.tgz
 version: 100.0.0+up0.3.6
+ - annotations:
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/hidden: "true"
+ catalog.cattle.io/namespace: cattle-fleet-system
+ catalog.cattle.io/os: linux
+ catalog.cattle.io/permits-os: linux,windows
+ catalog.cattle.io/release-name: fleet-agent
+ apiVersion: v2
+ appVersion: 0.3.10-security1
+ created: "2023-02-13T14:32:51.229741-08:00"
+ description: Fleet Manager Agent - GitOps at Scale
+ digest: 06787ddfc540f4675af4d7622bc02ceea40dee9609f1510e4715e393eeaadfd2
+ icon: https://charts.rancher.io/assets/logos/fleet.svg
+ name: fleet-agent
+ urls:
+ - assets/fleet-agent/fleet-agent-0.3.1000+up0.3.10-security1.tgz
+ version: 0.3.1000+up0.3.10-security1
 - annotations:
 catalog.cattle.io/certified: rancher
 catalog.cattle.io/hidden: "true"
diff --git a/release.yaml b/release.yaml
index c354091d2..2c3380437 100644
--- a/release.yaml
+++ b/release.yaml
@@ -7,6 +7,8 @@ fleet:
 - 0.3.1000+up0.3.10-security1
 fleet-agent:
 - 102.0.0+up0.6.0-rc.4
+ - 101.1.0+up0.6.0-rc.2
+ - 0.3.1000+up0.3.10-security1
 fleet-crd:
 - 102.0.0+up0.6.0-rc.4
 longhorn: