Endpoint auth #2962

Merged
merged 3 commits into from
Nov 21, 2023
joshmeranda
Contributor

replaces #2851

Issue:

rancher/rancher#43414
rancher/rancher#43387

Problem

In its current configuration, without using the proxies, which do not work with the upstream chart, users cannot authenticate to Kubernetes API endpoints that require authentication to access them. Additionally, since the same endpoints do not expose certificates to any IP but 127.0.0.1, I've added the capability to honor the insecureSkipVerify flag if it is set. While I was there, I also fixed a bug in metricRelabelings where it would generate an empty list if not configured, it would generate an invalid list if not configured.

text copied for original PR

Solution

This adds the ability to use authentication on the clients to the Kubernetes components. Added the ability to correctly set the http(s) scheme if not using the proxy feature. Fixed a bug so service monitors will honor the insecureSkipVerify flag if set by the client. Fixed a bug in metricRelabelings where it would generate an empty list if not configured. Added imagepullsecrets as a global field to be used whenever an image is pulled.

text copied for original PR

Testing

Engineering Testing

Manual Testing

Automated Testing

QA Testing Considerations

Regressions Considerations

Backporting considerations

2.7x and 2.6x

rancher/rancher#42716
rancher/rancher#42720
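
Added example, not part of the PR or the chart's code: a small audit over prometheus-operator ServiceMonitor endpoints that flags the three settings this description touches (disabled TLS verification, credentials sent with the default `http` scheme, and a malformed `metricRelabelings` value). The sample manifest, the port names, the CA path and the reading of "invalid" as "not a list of mappings" are assumptions made for illustration.

```python
# Added example, not code from the PR. Audits prometheus-operator ServiceMonitor
# endpoints, supplied as already-parsed manifests (plain dicts).
AUTH_FIELDS = ("authorization", "bearerTokenFile", "bearerTokenSecret",
               "basicAuth", "oauth2")

def audit_endpoint(ep):
    """Return the findings for one spec.endpoints[] entry."""
    findings = []
    tls = ep.get("tlsConfig") or {}
    if tls.get("insecureSkipVerify") is True:
        # Scraper accepts any certificate: the target is not authenticated.
        findings.append("tls-verification-disabled")
    has_auth = any(ep.get(field) for field in AUTH_FIELDS)
    if has_auth and ep.get("scheme", "http") != "https":
        # Endpoints default to http; credentials would travel in the clear.
        findings.append("credentials-over-plaintext")
    if "metricRelabelings" in ep:
        rules = ep["metricRelabelings"]
        # Assumption: "invalid" means anything other than a list of mappings.
        if not isinstance(rules, list) or not all(isinstance(r, dict) for r in rules):
            findings.append("invalid-metricRelabelings")
    return findings

def audit_service_monitor(manifest):
    """Map endpoint port name -> findings, for endpoints that have any."""
    report = {}
    endpoints = (manifest.get("spec") or {}).get("endpoints") or []
    for index, ep in enumerate(endpoints):
        findings = audit_endpoint(ep)
        if findings:
            report[ep.get("port", f"endpoint[{index}]")] = findings
    return report

TOKEN = "/var/run/secrets/kubernetes.io/serviceaccount/token"
# Constructed sample manifest; names and values are illustrative only.
SAMPLE = {
    "apiVersion": "monitoring.coreos.com/v1",
    "kind": "ServiceMonitor",
    "metadata": {"name": "example-component"},
    "spec": {"endpoints": [
        {"port": "metrics-a", "scheme": "https", "bearerTokenFile": TOKEN,
         "tlsConfig": {"insecureSkipVerify": True}},
        {"port": "metrics-b", "bearerTokenFile": TOKEN, "metricRelabelings": None},
        {"port": "metrics-c", "scheme": "https", "bearerTokenFile": TOKEN,
         "tlsConfig": {"caFile": "/etc/example/ca.crt"}, "metricRelabelings": []},
    ]},
}

if __name__ == "__main__":
    for port, findings in audit_service_monitor(SAMPLE).items():
        print(port, findings)
```

An endpoint reported as `tls-verification-disabled` still encrypts the scrape but does not authenticate the target, so the bearer token is presented to whatever answers on that address.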

Member

@rohitsakala rohitsakala left a comment

Can you add the version and package to release.yaml as well?

@github-actions

Validation steps

  • Ensure all container images have repository and tag on the same level to ensure that all container images are included in rancher-images.txt which are used by airgap customers.
  Ex:- 
    longhorn-controller:
      repository: rancher/hardened-sriov-cni
      tag: v2.6.3-build20230913
  
  • Add a 👍 (thumbs up) reaction to this comment once done. CI won't pass without this reaction to the github-action bot's latest validation comment.
  • Approve the PR to run the CI check.

@MKlimuszka MKlimuszka added the QA/M label Nov 3, 2023
Member

@rohitsakala rohitsakala left a comment

LGTM from mapps perspective.

@rohitsakala
Member

@joshmeranda Also, a general question, can customers install rancher-pushprox as a standalone chart?

@joshmeranda
Contributor Author

@rohitsakala They can, it can work on its own but it was designed to work with rancher-monitoring, not the vanilla kube-prometheus-stack. So unless the user wants to go through the process of configuring their Prometheus deployments to use it, it wouldn't do them much good. Even then it's probably still not worth the effort. If they want to use the pushprox, they might as well just use rancher-monitoring.

@joshmeranda joshmeranda merged commit 408359a into rancher:dev-v2.8 Nov 21, 2023
6 checks passed
@joshmeranda joshmeranda mentioned this pull request Jan 8, 2024