diff --git a/assets/rancher-alerting-drivers/rancher-alerting-drivers-103.0.0.tgz b/assets/rancher-alerting-drivers/rancher-alerting-drivers-103.0.0.tgz new file mode 100644 index 0000000000..3349004576 Binary files /dev/null and b/assets/rancher-alerting-drivers/rancher-alerting-drivers-103.0.0.tgz differ diff --git a/assets/ui-plugin-operator-crd/ui-plugin-operator-crd-102.0.2+up0.2.1.tgz b/assets/ui-plugin-operator-crd/ui-plugin-operator-crd-102.0.2+up0.2.1.tgz new file mode 100644 index 0000000000..10be778338 Binary files /dev/null and b/assets/ui-plugin-operator-crd/ui-plugin-operator-crd-102.0.2+up0.2.1.tgz differ diff --git a/assets/ui-plugin-operator-crd/ui-plugin-operator-crd-103.0.1+up0.2.1.tgz b/assets/ui-plugin-operator-crd/ui-plugin-operator-crd-103.0.1+up0.2.1.tgz new file mode 100644 index 0000000000..4a82054d36 Binary files /dev/null and b/assets/ui-plugin-operator-crd/ui-plugin-operator-crd-103.0.1+up0.2.1.tgz differ diff --git a/assets/ui-plugin-operator/ui-plugin-operator-102.0.2+up0.2.1.tgz b/assets/ui-plugin-operator/ui-plugin-operator-102.0.2+up0.2.1.tgz new file mode 100644 index 0000000000..1b9c583c6a Binary files /dev/null and b/assets/ui-plugin-operator/ui-plugin-operator-102.0.2+up0.2.1.tgz differ diff --git a/assets/ui-plugin-operator/ui-plugin-operator-103.0.1+up0.2.1.tgz b/assets/ui-plugin-operator/ui-plugin-operator-103.0.1+up0.2.1.tgz new file mode 100644 index 0000000000..d68ef7240f Binary files /dev/null and b/assets/ui-plugin-operator/ui-plugin-operator-103.0.1+up0.2.1.tgz differ diff --git a/charts/rancher-alerting-drivers/103.0.0/Chart.yaml b/charts/rancher-alerting-drivers/103.0.0/Chart.yaml new file mode 100644 index 0000000000..a4cf58b546 --- /dev/null +++ b/charts/rancher-alerting-drivers/103.0.0/Chart.yaml @@ -0,0 +1,27 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: Alerting Drivers + catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.28.0-0' + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0' + catalog.cattle.io/release-name: rancher-alerting-drivers + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/upstream-version: 100.0.1 +apiVersion: v2 +appVersion: 1.16.0 +dependencies: +- condition: prom2teams.enabled + name: prom2teams + repository: file://./charts/prom2teams +- condition: sachet.enabled + name: sachet + repository: file://./charts/sachet +description: The manager for third-party webhook receivers used in Prometheus Alertmanager +icon: https://charts.rancher.io/assets/logos/alerting-drivers.svg +keywords: +- monitoring +- alertmanger +- webhook +name: rancher-alerting-drivers +version: 103.0.0 diff --git a/charts/rancher-alerting-drivers/103.0.0/README.md b/charts/rancher-alerting-drivers/103.0.0/README.md new file mode 100644 index 0000000000..ea3f118015 --- /dev/null +++ b/charts/rancher-alerting-drivers/103.0.0/README.md @@ -0,0 +1,11 @@ +# Rancher Alerting Drivers + +This chart installs one or more [Alertmanager Webhook Receiver Integrations](https://prometheus.io/docs/operating/integrations/#alertmanager-webhook-receiver) (i.e. Drivers). + +Those Drivers can be targeted by an existing deployment of Alertmanager to send alerts to notification mechanisms that are not natively supported. + +Currently, this chart supports the following Drivers: +- Microsoft Teams, based on [prom2teams](https://github.com/idealista/prom2teams) +- SMS, based on [Sachet](https://github.com/messagebird/sachet) + +After installing rancher-alerting-drivers, please refer to the upstream documentation for each Driver for configuration options. \ No newline at end of file diff --git a/charts/rancher-alerting-drivers/103.0.0/app-readme.md b/charts/rancher-alerting-drivers/103.0.0/app-readme.md new file mode 100644 index 0000000000..fe228d96f7 --- /dev/null +++ b/charts/rancher-alerting-drivers/103.0.0/app-readme.md @@ -0,0 +1,29 @@ +# Rancher Alerting Drivers + +This chart installs one or more [Alertmanager Webhook Receiver Integrations](https://prometheus.io/docs/operating/integrations/#alertmanager-webhook-receiver) (i.e. Drivers). + +Those Drivers can be targeted by an existing deployment of Alertmanager to send alerts to notification mechanisms that are not natively supported. + +Currently, this chart supports the following Drivers: +- Microsoft Teams, based on [prom2teams](https://github.com/idealista/prom2teams) +- SMS, based on [Sachet](https://github.com/messagebird/sachet) + +After installing rancher-alerting-drivers, please refer to the upstream documentation for each Driver for configuration options. + +## Upgrading to Kubernetes v1.25+ + +Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API. + +As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`. +​ +> **Note:** +> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`. + ​ +> **Note:** +> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).** +> +> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets. + +Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart. +​ +As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards. \ No newline at end of file diff --git a/charts/rancher-alerting-drivers/103.0.0/charts/prom2teams/.helmignore b/charts/rancher-alerting-drivers/103.0.0/charts/prom2teams/.helmignore new file mode 100644 index 0000000000..50af031725 --- /dev/null +++ b/charts/rancher-alerting-drivers/103.0.0/charts/prom2teams/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/rancher-alerting-drivers/103.0.0/charts/prom2teams/Chart.yaml b/charts/rancher-alerting-drivers/103.0.0/charts/prom2teams/Chart.yaml new file mode 100644 index 0000000000..aeae0df709 --- /dev/null +++ b/charts/rancher-alerting-drivers/103.0.0/charts/prom2teams/Chart.yaml @@ -0,0 +1,10 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/os: linux + catalog.cattle.io/release-name: rancher-prom2teams +apiVersion: v1 +appVersion: 4.2.1 +description: A Helm chart for Prom2Teams based on the upstream https://github.com/idealista/prom2teams +name: prom2teams +version: 0.2.0 diff --git a/charts/rancher-alerting-drivers/103.0.0/charts/prom2teams/files/teams.j2 b/charts/rancher-alerting-drivers/103.0.0/charts/prom2teams/files/teams.j2 new file mode 100644 index 0000000000..f1cf61d4ef --- /dev/null +++ b/charts/rancher-alerting-drivers/103.0.0/charts/prom2teams/files/teams.j2 @@ -0,0 +1,44 @@ +{%- set + theme_colors = { + 'resolved' : '2DC72D', + 'critical' : '8C1A1A', + 'severe' : '8C1A1A', + 'warning' : 'FF9A0B', + 'unknown' : 'CCCCCC' + } +-%} + +{ + "@type": "MessageCard", + "@context": "http://schema.org/extensions", + "themeColor": "{% if status=='resolved' %} {{ theme_colors.resolved }} {% else %} {{ theme_colors[msg_text.severity] }} {% endif %}", + "summary": "{% if status=='resolved' %}(Resolved) {% endif %}{{ msg_text.summary }}", + "title": "Prometheus alert {% if status=='resolved' %}(Resolved) {% elif status=='unknown' %} (status unknown) {% endif %}", + "sections": [{ + "activityTitle": "{{ msg_text.summary }}", + "facts": [{% if msg_text.name %}{ + "name": "Alert", + "value": "{{ msg_text.name }}" + },{% endif %}{% if msg_text.instance %}{ + "name": "In host", + "value": "{{ msg_text.instance }}" + },{% endif %}{% if msg_text.severity %}{ + "name": "Severity", + "value": "{{ msg_text.severity }}" + },{% endif %}{% if msg_text.description %}{ + "name": "Description", + "value": "{{ msg_text.description }}" + },{% endif %}{ + "name": "Status", + "value": "{{ msg_text.status }}" + }{% if msg_text.extra_labels %}{% for key in msg_text.extra_labels %},{ + "name": "{{ key }}", + "value": "{{ msg_text.extra_labels[key] }}" + }{% endfor %}{% endif %} + {% if msg_text.extra_annotations %}{% for key in msg_text.extra_annotations %},{ + "name": "{{ key }}", + "value": "{{ msg_text.extra_annotations[key] }}" + }{% endfor %}{% endif %}], + "markdown": true + }] +} diff --git a/charts/rancher-alerting-drivers/103.0.0/charts/prom2teams/templates/NOTES.txt b/charts/rancher-alerting-drivers/103.0.0/charts/prom2teams/templates/NOTES.txt new file mode 100644 index 0000000000..a94c4132b6 --- /dev/null +++ b/charts/rancher-alerting-drivers/103.0.0/charts/prom2teams/templates/NOTES.txt @@ -0,0 +1,2 @@ +Prom2Teams has been installed. Check its status by running: + kubectl --namespace {{ .Release.Namespace }} get pods -l "app.kubernetes.io/instance={{ .Release.Name }}" diff --git a/charts/rancher-alerting-drivers/103.0.0/charts/prom2teams/templates/_helpers.tpl b/charts/rancher-alerting-drivers/103.0.0/charts/prom2teams/templates/_helpers.tpl new file mode 100644 index 0000000000..ffc0fa3567 --- /dev/null +++ b/charts/rancher-alerting-drivers/103.0.0/charts/prom2teams/templates/_helpers.tpl @@ -0,0 +1,73 @@ +{{/* vim: set filetype=mustache: */}} + +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} + +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}} +beta.kubernetes.io/os: linux +{{- else -}} +kubernetes.io/os: linux +{{- end -}} +{{- end -}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "prom2teams.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "prom2teams.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "prom2teams.namespace" -}} +{{ default .Release.Namespace .Values.global.namespaceOverride }} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "prom2teams.labels" -}} +app.kubernetes.io/name: {{ include "prom2teams.name" . }} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +app.kubernetes.io/instance: {{ .Release.Name }} +release: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} diff --git a/charts/rancher-alerting-drivers/103.0.0/charts/prom2teams/templates/configmap.yaml b/charts/rancher-alerting-drivers/103.0.0/charts/prom2teams/templates/configmap.yaml new file mode 100644 index 0000000000..ccf38953e2 --- /dev/null +++ b/charts/rancher-alerting-drivers/103.0.0/charts/prom2teams/templates/configmap.yaml @@ -0,0 +1,39 @@ +{{- $valid := list "DEBUG" "INFO" "WARNING" "ERROR" "CRITICAL" -}} +{{- if not (has .Values.prom2teams.loglevel $valid) -}} +{{- fail "Invalid log level"}} +{{- end -}} +{{- if and .Values.prom2teams.connector (hasKey .Values.prom2teams.connectors "Connector") -}} +{{- fail "Invalid configuration: prom2teams.connectors can't have a connector named Connector when prom2teams.connector is set"}} +{{- end -}} +{{/* Create the configmap when the operation is helm install and the target configmap does not exist. */}} +{{- if not (lookup "v1" "ConfigMap" (include "prom2teams.namespace" . ) (include "prom2teams.fullname" .)) }} +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: {{ include "prom2teams.namespace" . }} + name: {{ include "prom2teams.fullname" . }} + labels: {{ include "prom2teams.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "3" + "helm.sh/resource-policy": keep +data: + config.ini: |- + [HTTP Server] + Host: {{ .Values.prom2teams.host }} + Port: {{ .Values.prom2teams.port }} + [Microsoft Teams] + {{- with .Values.prom2teams.connector }} + Connector: {{ . }} + {{- end }} + {{- range $key, $val := .Values.prom2teams.connectors }} + {{ $key }}: {{ $val }} + {{- end }} + [Group Alerts] + Field: {{ .Values.prom2teams.group_alerts_by }} + [Log] + Level: {{ .Values.prom2teams.loglevel }} + [Template] + Path: {{ .Values.prom2teams.templatepath }} + teams.j2: {{ .Files.Get "files/teams.j2" | quote }} + {{- end -}} diff --git a/charts/rancher-alerting-drivers/103.0.0/charts/prom2teams/templates/deployment.yaml b/charts/rancher-alerting-drivers/103.0.0/charts/prom2teams/templates/deployment.yaml new file mode 100644 index 0000000000..34f7d0f465 --- /dev/null +++ b/charts/rancher-alerting-drivers/103.0.0/charts/prom2teams/templates/deployment.yaml @@ -0,0 +1,83 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "prom2teams.fullname" . }} + namespace: {{ include "prom2teams.namespace" . }} + labels: {{ include "prom2teams.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "prom2teams.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "prom2teams.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + spec: + serviceAccountName: {{ include "prom2teams.fullname" . }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{ toYaml . | nindent 8 }} + {{- end }} + volumes: + - name: config + configMap: + name: {{ include "prom2teams.fullname" . }} + containers: + - name: {{ .Chart.Name }} + image: {{ include "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: 8089 + protocol: TCP + volumeMounts: + - name: config + mountPath: /opt/prom2teams/helmconfig/ + env: + - name: APP_CONFIG_FILE + value: {{ .Values.prom2teams.config | quote }} + - name: PROM2TEAMS_PORT + value: {{ .Values.prom2teams.port | quote }} + - name: PROM2TEAMS_HOST + value: {{ .Values.prom2teams.host | quote }} + - name: PROM2TEAMS_CONNECTOR + value: {{ .Values.prom2teams.connector | quote }} + - name: PROM2TEAMS_GROUP_ALERTS_BY + value: {{ .Values.prom2teams.group_alerts_by | quote }} + - name: PROM2TEAMS_LOGLEVEL + value: {{ .Values.prom2teams.loglevel }} + {{- range $key, $value := .Values.prom2teams.extraEnv }} + - name: "{{ $key }}" + value: "{{ $value }}" + {{- end }} + resources: {{ toYaml .Values.resources | nindent 12 }} + {{- if .Values.securityContext.enabled }} + securityContext: + privileged: false + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + {{- end }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + {{- if .Values.nodeSelector }} + {{- toYaml .Values.nodeSelector | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: {{ toYaml . | nindent 8 }} + {{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} + {{- if .Values.tolerations }} + {{- toYaml .Values.tolerations | nindent 8 }} + {{- end }} + {{- if .Values.securityContext.enabled }} + securityContext: + runAsNonRoot: {{ if eq (int .Values.securityContext.runAsUser) 0 }}false{{ else }}true{{ end }} + runAsUser: {{ .Values.securityContext.runAsUser }} + runAsGroup: {{ .Values.securityContext.runAsGroup }} + fsGroup: {{ .Values.securityContext.fsGroup }} + {{- end }} + diff --git a/charts/rancher-alerting-drivers/103.0.0/charts/prom2teams/templates/psp.yaml b/charts/rancher-alerting-drivers/103.0.0/charts/prom2teams/templates/psp.yaml new file mode 100644 index 0000000000..3e49a6c5d4 --- /dev/null +++ b/charts/rancher-alerting-drivers/103.0.0/charts/prom2teams/templates/psp.yaml @@ -0,0 +1,61 @@ +{{- if .Values.global.cattle.psp.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "prom2teams.fullname" . }}-psp-{{ include "prom2teams.namespace" . }} + labels: {{ include "prom2teams.labels" . | nindent 4 }} +spec: + privileged: false + allowPrivilegeEscalation: false + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAsNonRoot' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: false + volumes: + - 'configMap' + - 'secret' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "prom2teams.fullname" . }}-psp + namespace: {{ include "prom2teams.namespace" . }} + labels: {{ include "prom2teams.labels" . | nindent 4 }} +rules: + - apiGroups: + - policy + resourceNames: + - {{ include "prom2teams.fullname" . }}-psp-{{ include "prom2teams.namespace" . }} + resources: + - podsecuritypolicies + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "prom2teams.fullname" . }}-psp + namespace: {{ include "prom2teams.namespace" . }} + labels: {{ include "prom2teams.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "prom2teams.fullname" . }}-psp +subjects: + - kind: ServiceAccount + name: {{ include "prom2teams.fullname" . }} +{{- end }} diff --git a/charts/rancher-alerting-drivers/103.0.0/charts/prom2teams/templates/service-account.yaml b/charts/rancher-alerting-drivers/103.0.0/charts/prom2teams/templates/service-account.yaml new file mode 100644 index 0000000000..a9572c5cd9 --- /dev/null +++ b/charts/rancher-alerting-drivers/103.0.0/charts/prom2teams/templates/service-account.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "prom2teams.fullname" . }} + namespace: {{ include "prom2teams.namespace" . }} + labels: {{ include "prom2teams.labels" . | nindent 4 }} diff --git a/charts/rancher-alerting-drivers/103.0.0/charts/prom2teams/templates/service.yaml b/charts/rancher-alerting-drivers/103.0.0/charts/prom2teams/templates/service.yaml new file mode 100644 index 0000000000..cc95cad355 --- /dev/null +++ b/charts/rancher-alerting-drivers/103.0.0/charts/prom2teams/templates/service.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "prom2teams.fullname" . }} + namespace: {{ include "prom2teams.namespace" . }} + labels: +{{ include "prom2teams.labels" . | indent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: 8089 + protocol: TCP + name: http + selector: + app.kubernetes.io/name: {{ include "prom2teams.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} diff --git a/charts/rancher-alerting-drivers/103.0.0/charts/prom2teams/values.yaml b/charts/rancher-alerting-drivers/103.0.0/charts/prom2teams/values.yaml new file mode 100644 index 0000000000..e53d361eea --- /dev/null +++ b/charts/rancher-alerting-drivers/103.0.0/charts/prom2teams/values.yaml @@ -0,0 +1,69 @@ +# Default values for prom2teams. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +global: + cattle: + psp: + enabled: false + systemDefaultRegistry: "" + namespaceOverride: "" + +nameOverride: "prom2teams" +fullnameOverride: "" + +replicaCount: 1 + +image: + repository: rancher/mirrored-idealista-prom2teams + tag: 4.2.1 + pullPolicy: IfNotPresent + +resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 200m + memory: 200Mi + +service: + type: ClusterIP + port: 8089 + +prom2teams: + host: 0.0.0.0 + port: 8089 + connector: the-connector-url + connectors: {} + # group_alerts_by can be one of + # ("name" | "description" | "instance" | "severity" | "status" | "summary" | "fingerprint" | "runbook_url") + group_alerts_by: + # loglevel can be one of (DEBUG | INFO | WARNING | ERROR | CRITICAL) + loglevel: INFO + templatepath: /opt/prom2teams/helmconfig/teams.j2 + config: /opt/prom2teams/helmconfig/config.ini + extraEnv: {} + +# Security Context properties +securityContext: + # enabled is a flag to enable Security Context + enabled: true + # runAsUser is the user ID used to run the container + runAsUser: 101 + # runAsGroup is the primary group ID used to run all processes within any container of the pod + runAsGroup: 101 + # fsGroup is the group ID associated with the container + fsGroup: 101 + # readOnlyRootFilesystem is a flag to enable readOnlyRootFilesystem for the Hazelcast security context + readOnlyRootFilesystem: true + +## Node labels for pod assignment +## Ref: https://kubernetes.io/docs/user-guide/node-selection/ +## +nodeSelector: {} + +## List of node taints to tolerate (requires Kubernetes >= 1.6) +tolerations: [] + +affinity: {} diff --git a/charts/rancher-alerting-drivers/103.0.0/charts/sachet/.helmignore b/charts/rancher-alerting-drivers/103.0.0/charts/sachet/.helmignore new file mode 100644 index 0000000000..0e8a0eb36f --- /dev/null +++ b/charts/rancher-alerting-drivers/103.0.0/charts/sachet/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/rancher-alerting-drivers/103.0.0/charts/sachet/Chart.yaml b/charts/rancher-alerting-drivers/103.0.0/charts/sachet/Chart.yaml new file mode 100644 index 0000000000..dd0d706a60 --- /dev/null +++ b/charts/rancher-alerting-drivers/103.0.0/charts/sachet/Chart.yaml @@ -0,0 +1,11 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/os: linux + catalog.cattle.io/release-name: rancher-sachet +apiVersion: v2 +appVersion: 0.3.1 +description: A Helm chart for Sachet based on the upstream https://github.com/messagebird/sachet +name: sachet +type: application +version: 1.0.1 diff --git a/charts/rancher-alerting-drivers/103.0.0/charts/sachet/files/template.tmpl b/charts/rancher-alerting-drivers/103.0.0/charts/sachet/files/template.tmpl new file mode 100644 index 0000000000..08f24e1387 --- /dev/null +++ b/charts/rancher-alerting-drivers/103.0.0/charts/sachet/files/template.tmpl @@ -0,0 +1 @@ +# reference: https://github.com/messagebird/sachet/blob/master/examples/telegram.tmpl diff --git a/charts/rancher-alerting-drivers/103.0.0/charts/sachet/templates/NOTES.txt b/charts/rancher-alerting-drivers/103.0.0/charts/sachet/templates/NOTES.txt new file mode 100644 index 0000000000..247a91fc13 --- /dev/null +++ b/charts/rancher-alerting-drivers/103.0.0/charts/sachet/templates/NOTES.txt @@ -0,0 +1,3 @@ +rancher-sachet is now installed on the cluster! +Please refer to the upstream documentation for configuration options: +https://github.com/messagebird/sachet diff --git a/charts/rancher-alerting-drivers/103.0.0/charts/sachet/templates/_helpers.tpl b/charts/rancher-alerting-drivers/103.0.0/charts/sachet/templates/_helpers.tpl new file mode 100644 index 0000000000..eaa61fee50 --- /dev/null +++ b/charts/rancher-alerting-drivers/103.0.0/charts/sachet/templates/_helpers.tpl @@ -0,0 +1,79 @@ +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} + +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}} +beta.kubernetes.io/os: linux +{{- else -}} +kubernetes.io/os: linux +{{- end -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts +*/}} +{{- define "sachet.namespace" -}} +{{ default .Release.Namespace .Values.global.namespaceOverride }} +{{- end }} + +{{/* +Expand the name of the chart. +*/}} +{{- define "sachet.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "sachet.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "sachet.labels" -}} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{ include "sachet.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "sachet.selectorLabels" -}} +app.kubernetes.io/name: {{ include "sachet.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + + diff --git a/charts/rancher-alerting-drivers/103.0.0/charts/sachet/templates/configmap-pre-install.yaml b/charts/rancher-alerting-drivers/103.0.0/charts/sachet/templates/configmap-pre-install.yaml new file mode 100644 index 0000000000..e8c63ac039 --- /dev/null +++ b/charts/rancher-alerting-drivers/103.0.0/charts/sachet/templates/configmap-pre-install.yaml @@ -0,0 +1,34 @@ +{{/*This file is applied when the operation is helm install and the target confimap does not exist. */}} +{{- if not (lookup "v1" "ConfigMap" (include "sachet.namespace" . ) (include "sachet.fullname" .)) }} +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: {{ include "sachet.namespace" . }} + name: {{ include "sachet.fullname" . }} + labels: {{ include "sachet.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": pre-install, pre-upgrade + "helm.sh/hook-weight": "3" + "helm.sh/resource-policy": keep +data: + config.yaml: |- + {{- if and (not .Values.sachet.providers) (not .Values.sachet.receivers) }} + # please refer to the upstream documentation for configuration options: + # https://github.com/messagebird/sachet + # + # providers: + # aliyun: + # region_id: + # ... + # receivers: + # - name: 'team-sms' + # provider: 'aliyu' + # ... + {{- end }} + {{- with .Values.sachet.providers }} + providers: {{ toYaml . | nindent 6 }} + {{- end }} + {{- with .Values.sachet.receivers }} + receivers: {{ toYaml . | nindent 6 }} + {{- end }} +{{- end }} diff --git a/charts/rancher-alerting-drivers/103.0.0/charts/sachet/templates/deployment.yaml b/charts/rancher-alerting-drivers/103.0.0/charts/sachet/templates/deployment.yaml new file mode 100644 index 0000000000..17215eebd0 --- /dev/null +++ b/charts/rancher-alerting-drivers/103.0.0/charts/sachet/templates/deployment.yaml @@ -0,0 +1,75 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "sachet.fullname" . }} + namespace: {{ include "sachet.namespace" . }} + labels: {{ include "sachet.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: {{ include "sachet.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: {{ toYaml . | nindent 8 }} + {{- end }} + labels: {{ include "sachet.selectorLabels" . | nindent 8 }} + spec: + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} + {{- if .Values.nodeSelector }} + {{- toYaml .Values.nodeSelector | nindent 8 }} + {{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} + {{- if .Values.tolerations }} + {{- toYaml .Values.tolerations | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: {{ toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{ toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "sachet.fullname" . }} + {{- with .Values.podSecurityContext }} + securityContext: {{ toYaml .Values.podSecurityContext | nindent 8 }} + {{- end }} + containers: + - name: {{ .Chart.Name }} + securityContext: {{ toYaml .Values.securityContext | nindent 12 }} + image: {{ include "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: 9876 + protocol: TCP + livenessProbe: + httpGet: + path: /-/live + port: http + readinessProbe: + httpGet: + path: /-/ready + port: http + volumeMounts: + - mountPath: /etc/sachet/ + name: config-volume + {{- with .Values.resources }} + resources: {{ toYaml .Values.resources | nindent 12 }} + {{- end }} + - name: config-reloader + securityContext: {{ toYaml .Values.securityContext | nindent 12 }} + image: {{ include "system_default_registry" . }}{{ .Values.configReloader.repository }}:{{ .Values.configReloader.tag }} + imagePullPolicy: {{ .Values.configReloader.pullPolicy }} + args: + - -volume-dir=/watch-config + - -webhook-method=POST + - -webhook-status-code=200 + - -webhook-url=http://127.0.0.1:{{ .Values.service.port }}/-/reload + volumeMounts: + - mountPath: /watch-config + name: config-volume + volumes: + - name: config-volume + configMap: + name: {{ include "sachet.fullname" . }} + defaultMode: 0777 diff --git a/charts/rancher-alerting-drivers/103.0.0/charts/sachet/templates/psp.yaml b/charts/rancher-alerting-drivers/103.0.0/charts/sachet/templates/psp.yaml new file mode 100644 index 0000000000..16ec9ba8e7 --- /dev/null +++ b/charts/rancher-alerting-drivers/103.0.0/charts/sachet/templates/psp.yaml @@ -0,0 +1,61 @@ +{{- if .Values.global.cattle.psp.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "sachet.fullname" . }}-psp-{{ include "sachet.namespace" . }} + labels: {{ include "sachet.labels" . | nindent 4 }} +spec: + privileged: false + allowPrivilegeEscalation: false + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAsNonRoot' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: false + volumes: + - 'configMap' + - 'secret' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "sachet.fullname" . }}-psp + namespace: {{ include "sachet.namespace" . }} + labels: {{ include "sachet.labels" . | nindent 4 }} +rules: + - apiGroups: + - policy + resourceNames: + - {{ include "sachet.fullname" . }}-psp-{{ include "sachet.namespace" . }} + resources: + - podsecuritypolicies + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "sachet.fullname" . }}-psp + namespace: {{ include "sachet.namespace" . }} + labels: {{ include "sachet.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "sachet.fullname" . }}-psp +subjects: + - kind: ServiceAccount + name: {{ include "sachet.fullname" . }} +{{- end }} diff --git a/charts/rancher-alerting-drivers/103.0.0/charts/sachet/templates/service-account.yaml b/charts/rancher-alerting-drivers/103.0.0/charts/sachet/templates/service-account.yaml new file mode 100644 index 0000000000..8833f1b3b2 --- /dev/null +++ b/charts/rancher-alerting-drivers/103.0.0/charts/sachet/templates/service-account.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "sachet.fullname" . }} + namespace: {{ include "sachet.namespace" . }} + labels: {{ include "sachet.labels" . | nindent 4 }} diff --git a/charts/rancher-alerting-drivers/103.0.0/charts/sachet/templates/service.yaml b/charts/rancher-alerting-drivers/103.0.0/charts/sachet/templates/service.yaml new file mode 100644 index 0000000000..216e8322ca --- /dev/null +++ b/charts/rancher-alerting-drivers/103.0.0/charts/sachet/templates/service.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "sachet.fullname" . }} + namespace: {{ include "sachet.namespace" . }} + labels: {{ include "sachet.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + {{- if contains "NodePort" .Values.service.type }} + nodePort: {{ .Values.service.nodePort }} + {{- end }} + selector: {{ include "sachet.selectorLabels" . | nindent 4 }} diff --git a/charts/rancher-alerting-drivers/103.0.0/charts/sachet/values.yaml b/charts/rancher-alerting-drivers/103.0.0/charts/sachet/values.yaml new file mode 100644 index 0000000000..c9180b1430 --- /dev/null +++ b/charts/rancher-alerting-drivers/103.0.0/charts/sachet/values.yaml @@ -0,0 +1,69 @@ +# Default values for sachet. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +global: + cattle: + psp: + enabled: false + systemDefaultRegistry: "" + namespaceOverride: "" + +nameOverride: "sachet" +fullnameOverride: "" + +configReloader: + repository: rancher/mirrored-jimmidyson-configmap-reload + pullPolicy: IfNotPresent + tag: v0.8.0 + +sachet: + # reference: https://github.com/messagebird/sachet/blob/master/examples/config.yaml + providers: {} + + receivers: [] + +replicaCount: 1 + +image: + repository: rancher/mirrored-messagebird-sachet + pullPolicy: IfNotPresent + tag: 0.3.1 + +imagePullSecrets: [] + +podAnnotations: {} + +podSecurityContext: + +securityContext: + runAsUser: 1000 + runAsNonRoot: true + runAsGroup: 1000 + +service: + type: ClusterIP + port: 9876 + nodePort: 30001 + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +## Node labels for pod assignment +## Ref: https://kubernetes.io/docs/user-guide/node-selection/ +## +nodeSelector: {} + +## List of node taints to tolerate (requires Kubernetes >= 1.6) +tolerations: [] + +affinity: {} diff --git a/charts/rancher-alerting-drivers/103.0.0/questions.yml b/charts/rancher-alerting-drivers/103.0.0/questions.yml new file mode 100644 index 0000000000..0eb043efdc --- /dev/null +++ b/charts/rancher-alerting-drivers/103.0.0/questions.yml @@ -0,0 +1,17 @@ +categories: + - monitoring +namespace: cattle-monitoring-system +questions: + - variable: prom2teams.enabled + label: Enable Microsoft Teams + type: boolean + group: "General" + - variable: sachet.enabled + label: Enable SMS + type: boolean + group: "General" + - variable: global.cattle.psp.enabled + description: "Flag to enable or disable the installation of PodSecurityPolicies by this chart in the target cluster. If the cluster is running Kubernetes 1.25+, you must update this value to false." + label: "Enable PodSecurityPolicies" + type: boolean + group: "Security Settings" diff --git a/charts/rancher-alerting-drivers/103.0.0/templates/NOTES.txt b/charts/rancher-alerting-drivers/103.0.0/templates/NOTES.txt new file mode 100644 index 0000000000..59c1415e09 --- /dev/null +++ b/charts/rancher-alerting-drivers/103.0.0/templates/NOTES.txt @@ -0,0 +1,2 @@ +rancher-alerting-drivers is now installed on the cluster! +Please refer to the upstream documentation for each Driver for configuration options. \ No newline at end of file diff --git a/charts/rancher-alerting-drivers/103.0.0/templates/_helpers.tpl b/charts/rancher-alerting-drivers/103.0.0/templates/_helpers.tpl new file mode 100644 index 0000000000..e1dbe3370d --- /dev/null +++ b/charts/rancher-alerting-drivers/103.0.0/templates/_helpers.tpl @@ -0,0 +1,117 @@ +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} + +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}} +beta.kubernetes.io/os: linux +{{- else -}} +kubernetes.io/os: linux +{{- end -}} +{{- end -}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "drivers.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "drivers.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "drivers.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "drivers.labels" -}} +helm.sh/chart: {{ include "drivers.chart" . }} +{{ include "drivers.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "drivers.selectorLabels" -}} +app.kubernetes.io/name: {{ include "drivers.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "drivers.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "drivers.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +https://github.com/helm/helm/issues/4535#issuecomment-477778391 +Usage: {{ include "call-nested" (list . "SUBCHART_NAME" "TEMPLATE") }} +e.g. {{ include "call-nested" (list . "grafana" "grafana.fullname") }} +*/}} +{{- define "call-nested" }} +{{- $dot := index . 0 }} +{{- $subchart := index . 1 | splitList "." }} +{{- $template := index . 2 }} +{{- $values := $dot.Values }} +{{- range $subchart }} +{{- $values = index $values . }} +{{- end }} +{{- include $template (dict "Chart" (dict "Name" (last $subchart)) "Values" $values "Release" $dot.Release "Capabilities" $dot.Capabilities) }} +{{- end }} + + +{{/* +Get the list of configMaps to be managed +*/}} +{{- define "drivers.configmapList" -}} +{{- if .Values.sachet.enabled -}} +- {{ include "call-nested" (list . "sachet" "sachet.fullname") }} +{{- end }} +{{- if .Values.prom2teams.enabled -}} +- {{ include "call-nested" (list . "prom2teams" "prom2teams.fullname") }} +{{- end }} +{{- end }} diff --git a/charts/rancher-alerting-drivers/103.0.0/templates/cluster-role.yaml b/charts/rancher-alerting-drivers/103.0.0/templates/cluster-role.yaml new file mode 100644 index 0000000000..9fa501af08 --- /dev/null +++ b/charts/rancher-alerting-drivers/103.0.0/templates/cluster-role.yaml @@ -0,0 +1,50 @@ +{{- if and (not .Values.sachet.enabled) (not .Values.prom2teams.enabled) -}} +{{- fail "At least one Driver must be enabled to install the chart. " }} +{{- end -}} + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "drivers.fullname" . }}-admin-{{ .Release.Namespace }} + labels: {{ include "drivers.labels" . | nindent 4 }} + rbac.authorization.k8s.io/aggregate-to-admin: "true" +rules: + - apiGroups: + - "" + resources: + - configmaps + resourceNames: {{ include "drivers.configmapList" . | nindent 6 }} + verbs: + - "*" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "drivers.fullname" . }}-edit-{{ .Release.Namespace }} + labels: {{ include "drivers.labels" . | nindent 4 }} + rbac.authorization.k8s.io/aggregate-to-edit: "true" +rules: + - apiGroups: + - "" + resources: + - configmaps + resourceNames: {{ include "drivers.configmapList" . | nindent 6 }} + verbs: + - "*" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "drivers.fullname" . }}-view-{{ .Release.Namespace }} + labels: {{ include "drivers.labels" . | nindent 4 }} + rbac.authorization.k8s.io/aggregate-to-view: "true" +rules: + - apiGroups: + - "" + resources: + - configmaps + resourceNames: {{ include "drivers.configmapList" . | nindent 6 }} + verbs: + - 'get' + - 'list' + - 'watch' diff --git a/charts/rancher-alerting-drivers/103.0.0/templates/hardened.yaml b/charts/rancher-alerting-drivers/103.0.0/templates/hardened.yaml new file mode 100644 index 0000000000..be1ddc12a5 --- /dev/null +++ b/charts/rancher-alerting-drivers/103.0.0/templates/hardened.yaml @@ -0,0 +1,126 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "drivers.fullname" . }}-patch-sa + namespace: {{ .Release.Namespace }} + labels: {{ include "drivers.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": post-install, post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation +spec: + backoffLimit: 1 + template: + spec: + serviceAccountName: {{ include "drivers.fullname" . }}-patch-sa + securityContext: + runAsNonRoot: true + runAsUser: 1000 + restartPolicy: Never + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} + containers: + - name: {{ include "drivers.fullname" . }}-patch-sa + image: "{{ include "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}" + imagePullPolicy: IfNotPresent + command: ["kubectl", "-n", {{ .Release.Namespace | quote }}, "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"] +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "drivers.fullname" . }}-patch-sa + namespace: {{ .Release.Namespace }} + labels: {{ include "drivers.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": post-install, post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "drivers.fullname" . }}-patch-sa + labels: {{ include "drivers.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": post-install, post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation +rules: + - apiGroups: [""] + resources: ["serviceaccounts"] + verbs: ["get", "patch"] + {{- if .Values.global.cattle.psp.enabled }} + - apiGroups: ["policy"] + resources: ["podsecuritypolicies"] + verbs: ["use"] + resourceNames: + - {{ include "drivers.fullname" . }}-patch-sa + {{- end }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "drivers.fullname" . }}-patch-sa + labels: {{ include "drivers.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": post-install, post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "drivers.fullname" . }}-patch-sa +subjects: + - kind: ServiceAccount + name: {{ include "drivers.fullname" . }}-patch-sa + namespace: {{ .Release.Namespace }} +--- +{{- if .Values.global.cattle.psp.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "drivers.fullname" . }}-patch-sa + labels: {{ include "drivers.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": post-install, post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation +spec: + privileged: false + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAsNonRoot' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: false + volumes: + - 'secret' +{{- end }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: {{ include "drivers.fullname" . }}-default-allow-all + namespace: {{ .Release.Namespace }} +spec: + podSelector: {} + ingress: + - {} + egress: + - {} + policyTypes: + - Ingress + - Egress diff --git a/charts/rancher-alerting-drivers/103.0.0/templates/validate-psp-install.yaml b/charts/rancher-alerting-drivers/103.0.0/templates/validate-psp-install.yaml new file mode 100644 index 0000000000..a30c59d3b7 --- /dev/null +++ b/charts/rancher-alerting-drivers/103.0.0/templates/validate-psp-install.yaml @@ -0,0 +1,7 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +#{{- if .Values.global.cattle.psp.enabled }} +#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}} +#{{- end }} +#{{- end }} +#{{- end }} diff --git a/charts/rancher-alerting-drivers/103.0.0/values.yaml b/charts/rancher-alerting-drivers/103.0.0/values.yaml new file mode 100644 index 0000000000..83d12f175a --- /dev/null +++ b/charts/rancher-alerting-drivers/103.0.0/values.yaml @@ -0,0 +1,29 @@ +# Default values for rancher-alerting-driver. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +global: + cattle: + psp: + enabled: false + # the registry where all images will be pulled from + systemDefaultRegistry: "" + kubectl: + repository: rancher/kubectl + tag: v1.20.2 + # set this value if you want the sub-charts to be installed into + # a namespace rather than where this chart is installed + namespaceOverride: "" + +prom2teams: + enabled: false + +sachet: + enabled: true + +## Node labels for pod assignment +## Ref: https://kubernetes.io/docs/user-guide/node-selection/ +## +nodeSelector: {} +## List of node taints to tolerate (requires Kubernetes >= 1.6) +tolerations: [] diff --git a/charts/ui-plugin-operator-crd/102.0.2+up0.2.1/Chart.yaml b/charts/ui-plugin-operator-crd/102.0.2+up0.2.1/Chart.yaml new file mode 100644 index 0000000000..c448f726dd --- /dev/null +++ b/charts/ui-plugin-operator-crd/102.0.2+up0.2.1/Chart.yaml @@ -0,0 +1,10 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cattle-ui-plugin-system + catalog.cattle.io/release-name: ui-plugin-operator-crd +apiVersion: v1 +description: Installs the CRDs for ui-plugin-operator. +name: ui-plugin-operator-crd +type: application +version: 102.0.2+up0.2.1 diff --git a/charts/ui-plugin-operator-crd/102.0.2+up0.2.1/README.md b/charts/ui-plugin-operator-crd/102.0.2+up0.2.1/README.md new file mode 100644 index 0000000000..a68add8280 --- /dev/null +++ b/charts/ui-plugin-operator-crd/102.0.2+up0.2.1/README.md @@ -0,0 +1,2 @@ +# ui-plugin-operator-crd +A Rancher chart that installs the CRDs used by ui-plugin-operator. diff --git a/charts/ui-plugin-operator-crd/102.0.2+up0.2.1/templates/crds.yaml b/charts/ui-plugin-operator-crd/102.0.2+up0.2.1/templates/crds.yaml new file mode 100644 index 0000000000..18b71d5b01 --- /dev/null +++ b/charts/ui-plugin-operator-crd/102.0.2+up0.2.1/templates/crds.yaml @@ -0,0 +1,61 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: uiplugins.catalog.cattle.io +spec: + group: catalog.cattle.io + names: + kind: UIPlugin + plural: uiplugins + singular: uiplugin + preserveUnknownFields: false + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.release.name + name: Plugin Name + type: string + - jsonPath: .status.version + name: Version + type: string + - jsonPath: .status.state + name: State + type: string + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + plugin: + properties: + endpoint: + nullable: true + type: string + metadata: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + name: + nullable: true + type: string + noCache: + type: boolean + version: + nullable: true + type: string + type: object + type: object + status: + properties: + cacheState: + nullable: true + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/ui-plugin-operator-crd/103.0.1+up0.2.1/Chart.yaml b/charts/ui-plugin-operator-crd/103.0.1+up0.2.1/Chart.yaml new file mode 100644 index 0000000000..2460d5a627 --- /dev/null +++ b/charts/ui-plugin-operator-crd/103.0.1+up0.2.1/Chart.yaml @@ -0,0 +1,10 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cattle-ui-plugin-system + catalog.cattle.io/release-name: ui-plugin-operator-crd +apiVersion: v1 +description: Installs the CRDs for ui-plugin-operator. +name: ui-plugin-operator-crd +type: application +version: 103.0.1+up0.2.1 diff --git a/charts/ui-plugin-operator-crd/103.0.1+up0.2.1/README.md b/charts/ui-plugin-operator-crd/103.0.1+up0.2.1/README.md new file mode 100644 index 0000000000..a68add8280 --- /dev/null +++ b/charts/ui-plugin-operator-crd/103.0.1+up0.2.1/README.md @@ -0,0 +1,2 @@ +# ui-plugin-operator-crd +A Rancher chart that installs the CRDs used by ui-plugin-operator. diff --git a/charts/ui-plugin-operator-crd/103.0.1+up0.2.1/templates/crds.yaml b/charts/ui-plugin-operator-crd/103.0.1+up0.2.1/templates/crds.yaml new file mode 100644 index 0000000000..18b71d5b01 --- /dev/null +++ b/charts/ui-plugin-operator-crd/103.0.1+up0.2.1/templates/crds.yaml @@ -0,0 +1,61 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: uiplugins.catalog.cattle.io +spec: + group: catalog.cattle.io + names: + kind: UIPlugin + plural: uiplugins + singular: uiplugin + preserveUnknownFields: false + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.release.name + name: Plugin Name + type: string + - jsonPath: .status.version + name: Version + type: string + - jsonPath: .status.state + name: State + type: string + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + plugin: + properties: + endpoint: + nullable: true + type: string + metadata: + additionalProperties: + nullable: true + type: string + nullable: true + type: object + name: + nullable: true + type: string + noCache: + type: boolean + version: + nullable: true + type: string + type: object + type: object + status: + properties: + cacheState: + nullable: true + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/ui-plugin-operator/102.0.2+up0.2.1/Chart.yaml b/charts/ui-plugin-operator/102.0.2+up0.2.1/Chart.yaml new file mode 100644 index 0000000000..ac412799da --- /dev/null +++ b/charts/ui-plugin-operator/102.0.2+up0.2.1/Chart.yaml @@ -0,0 +1,19 @@ +annotations: + catalog.cattle.io/auto-install: ui-plugin-operator-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: UI Plugin Operator + catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.27.0-0' + catalog.cattle.io/namespace: cattle-ui-plugin-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux, windows + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: ui-plugin-operator +apiVersion: v1 +appVersion: 0.1.1 +description: A UI Plugin Operator Chart for plugin management in Rancher +keywords: +- applications +- infrastructure +name: ui-plugin-operator +type: application +version: 102.0.2+up0.2.1 diff --git a/charts/ui-plugin-operator/102.0.2+up0.2.1/app-readme.md b/charts/ui-plugin-operator/102.0.2+up0.2.1/app-readme.md new file mode 100644 index 0000000000..3473271768 --- /dev/null +++ b/charts/ui-plugin-operator/102.0.2+up0.2.1/app-readme.md @@ -0,0 +1,21 @@ +# Rancher UI Plugin Operator + +This chart works together with the Rancher UI extensions feature to enable the ability to install UI extensions in your cluster. + +## Upgrading to Kubernetes v1.25+ + ​ +Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API. + ​ +As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`. +​ +> **Note:** +> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`. + ​ +> **Note:** +> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).** +> +> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets. +​ +Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart. +​ +As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards. diff --git a/charts/ui-plugin-operator/102.0.2+up0.2.1/templates/_helpers.tpl b/charts/ui-plugin-operator/102.0.2+up0.2.1/templates/_helpers.tpl new file mode 100644 index 0000000000..0d41d827fc --- /dev/null +++ b/charts/ui-plugin-operator/102.0.2+up0.2.1/templates/_helpers.tpl @@ -0,0 +1,89 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "ui-plugin-operator.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "ui-plugin-operator.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "ui-plugin-operator.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "ui-plugin-operator.labels" -}} +helm.sh/chart: {{ include "ui-plugin-operator.chart" . }} +{{ include "ui-plugin-operator.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "ui-plugin-operator.selectorLabels" -}} +app.kubernetes.io/name: {{ include "ui-plugin-operator.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "ui-plugin-operator.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "ui-plugin-operator.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}} +beta.kubernetes.io/os: linux +{{- else -}} +kubernetes.io/os: linux +{{- end -}} +{{- end -}} diff --git a/charts/ui-plugin-operator/102.0.2+up0.2.1/templates/dashboardrole.yaml b/charts/ui-plugin-operator/102.0.2+up0.2.1/templates/dashboardrole.yaml new file mode 100644 index 0000000000..e8b7c456cf --- /dev/null +++ b/charts/ui-plugin-operator/102.0.2+up0.2.1/templates/dashboardrole.yaml @@ -0,0 +1,33 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ .Chart.Name }}-dashboard + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }} +rules: +- apiGroups: + - "" + resources: + - services/proxy + resourceNames: + - "http:{{ .Chart.Name }}:{{ .Values.service.port }}" + - "https:{{ .Chart.Name }}:{{ .Values.service.port }}" + verbs: + - '*' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ .Chart.Name }}-dashboard + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ .Chart.Name }}-dashboard +subjects: +- kind: Group + name: system:authenticated + apiGroup: rbac.authorization.k8s.io diff --git a/charts/ui-plugin-operator/102.0.2+up0.2.1/templates/deployment.yaml b/charts/ui-plugin-operator/102.0.2+up0.2.1/templates/deployment.yaml new file mode 100644 index 0000000000..7cf9e5dc7e --- /dev/null +++ b/charts/ui-plugin-operator/102.0.2+up0.2.1/templates/deployment.yaml @@ -0,0 +1,67 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .Chart.Name }} + labels: + {{- include "ui-plugin-operator.labels" . | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicas }} + {{- end }} + selector: + matchLabels: + {{- include "ui-plugin-operator.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "ui-plugin-operator.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} + serviceAccountName: {{ .Chart.Name }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: 80 + protocol: TCP + args: + - {{ template "ui-plugin-operator.name" . }} +{{- if .Values.debug }} + - --debug + - --debug-level={{ .Values.debugLevel }} +{{- end }} +{{- if .Values.additionalArgs }} +{{- toYaml .Values.additionalArgs | nindent 10 }} +{{- end }} + # livenessProbe: + # httpGet: + # path: / + # port: http + # readinessProbe: + # httpGet: + # path: / + # port: http + resources: + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/ui-plugin-operator/102.0.2+up0.2.1/templates/hardened.yaml b/charts/ui-plugin-operator/102.0.2+up0.2.1/templates/hardened.yaml new file mode 100644 index 0000000000..9d11df86cc --- /dev/null +++ b/charts/ui-plugin-operator/102.0.2+up0.2.1/templates/hardened.yaml @@ -0,0 +1,123 @@ +{{- $namespaces := dict "_0" .Release.Namespace -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ .Chart.Name }}-patch-sa + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }}-patch-sa + annotations: + "helm.sh/hook": post-install, post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation +spec: + template: + metadata: + name: {{ .Chart.Name }}-patch-sa + labels: + app: {{ .Chart.Name }}-patch-sa + spec: + serviceAccountName: {{ .Chart.Name }}-patch-sa + securityContext: + runAsNonRoot: true + runAsUser: 1000 + restartPolicy: Never + containers: + {{- range $_, $ns := $namespaces }} + - name: patch-sa-{{ $ns }} + image: {{ template "system_default_registry" $ }}{{ $.Values.global.kubectl.repository }}:{{ $.Values.global.kubectl.tag }} + imagePullPolicy: {{ $.Values.global.kubectl.pullPolicy }} + command: ["kubectl", "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"] + args: ["-n", "{{ $ns }}"] + {{- end }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ .Chart.Name }}-patch-sa + labels: + app: {{ .Chart.Name }}-patch-sa +rules: +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: ['get', 'patch'] +{{- if .Values.global.cattle.psp.enabled }} +- apiGroups: ['policy'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - {{ .Chart.Name }}-patch-sa +{{- end }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ .Chart.Name }}-patch-sa + labels: + app: {{ .Chart.Name }}-patch-sa +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Chart.Name }}-patch-sa +subjects: +- kind: ServiceAccount + name: {{ .Chart.Name }}-patch-sa + namespace: {{ .Release.Namespace }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Chart.Name }}-patch-sa + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }}-patch-sa +--- +{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicies" }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ .Chart.Name }}-patch-sa + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }}-patch-sa +spec: + privileged: false + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAsNonRoot' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: false + volumes: + - 'secret' +{{- end }} +{{- range $_, $ns := $namespaces }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-allow-all + namespace: {{ $ns }} +spec: + podSelector: {} + ingress: + - {} + egress: + - {} + policyTypes: + - Ingress + - Egress +{{- end }} diff --git a/charts/ui-plugin-operator/102.0.2+up0.2.1/templates/service.yaml b/charts/ui-plugin-operator/102.0.2+up0.2.1/templates/service.yaml new file mode 100644 index 0000000000..7c4e735e9d --- /dev/null +++ b/charts/ui-plugin-operator/102.0.2+up0.2.1/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Chart.Name }} + labels: + {{- include "ui-plugin-operator.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: {{ .Values.service.targetPort }} + protocol: TCP + name: http + selector: + {{- include "ui-plugin-operator.selectorLabels" . | nindent 4 }} diff --git a/charts/ui-plugin-operator/102.0.2+up0.2.1/templates/serviceaccount.yaml b/charts/ui-plugin-operator/102.0.2+up0.2.1/templates/serviceaccount.yaml new file mode 100644 index 0000000000..d43d0492b0 --- /dev/null +++ b/charts/ui-plugin-operator/102.0.2+up0.2.1/templates/serviceaccount.yaml @@ -0,0 +1,101 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ .Chart.Name }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }} +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["*"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ .Chart.Name }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ .Chart.Name }} +subjects: +- kind: ServiceAccount + name: {{ .Chart.Name }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ .Chart.Name }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }} +rules: +- apiGroups: ["catalog.cattle.io"] + resources: + - uiplugins + - uiplugins/status + verbs: ["*"] +- apiGroups: ["coordination.k8s.io"] + resources: + - leases + verbs: ["*"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ .Chart.Name }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Chart.Name }} +subjects: +- kind: ServiceAccount + name: {{ .Chart.Name }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Chart.Name }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }} +--- +{{- if .Values.global.cattle.psp.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ .Chart.Name }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }} +spec: + privileged: false + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAsNonRoot' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: false + volumes: + - 'secret' +{{- end }} diff --git a/charts/ui-plugin-operator/102.0.2+up0.2.1/templates/validate-psp-install.yaml b/charts/ui-plugin-operator/102.0.2+up0.2.1/templates/validate-psp-install.yaml new file mode 100644 index 0000000000..a30c59d3b7 --- /dev/null +++ b/charts/ui-plugin-operator/102.0.2+up0.2.1/templates/validate-psp-install.yaml @@ -0,0 +1,7 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +#{{- if .Values.global.cattle.psp.enabled }} +#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}} +#{{- end }} +#{{- end }} +#{{- end }} diff --git a/charts/ui-plugin-operator/102.0.2+up0.2.1/values.yaml b/charts/ui-plugin-operator/102.0.2+up0.2.1/values.yaml new file mode 100644 index 0000000000..b2b4cf2d5a --- /dev/null +++ b/charts/ui-plugin-operator/102.0.2+up0.2.1/values.yaml @@ -0,0 +1,69 @@ +# Default values for sample. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +image: + repository: rancher/ui-plugin-operator + pullPolicy: Always + tag: "v0.1.1" + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +service: + type: ClusterIP + port: 80 + targetPort: 8080 + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + +replicas: 1 + +resources: {} + +securityContext: + runAsNonRoot: true + runAsUser: 1000 + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +podAnnotations: [] + +additionalArgs: [] + +global: + cattle: + systemDefaultRegistry: "" + psp: + enabled: false # PSP enablement should default to false + kubectl: + repository: rancher/kubectl + tag: v1.20.2 + pullPolicy: IfNotPresent + rbac: + ## Create RBAC resources for ServiceAccounts and users + ## + enabled: false + # create: true + # userRoles: + # ## Create default user ClusterRoles to allow users to interact with Prometheus CRs, ConfigMaps, and Secrets + # create: true + # ## Aggregate default user ClusterRoles into default k8s ClusterRoles + # aggregateToDefaultRoles: true + + # pspEnabled: true + # pspAnnotations: {} + +debug: false +debugLevel: 0 diff --git a/charts/ui-plugin-operator/103.0.1+up0.2.1/Chart.yaml b/charts/ui-plugin-operator/103.0.1+up0.2.1/Chart.yaml new file mode 100644 index 0000000000..100ef676ad --- /dev/null +++ b/charts/ui-plugin-operator/103.0.1+up0.2.1/Chart.yaml @@ -0,0 +1,19 @@ +annotations: + catalog.cattle.io/auto-install: ui-plugin-operator-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: UI Plugin Operator + catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.28.0-0' + catalog.cattle.io/namespace: cattle-ui-plugin-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux, windows + catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0' + catalog.cattle.io/release-name: ui-plugin-operator +apiVersion: v1 +appVersion: 0.1.1 +description: A UI Plugin Operator Chart for plugin management in Rancher +keywords: +- applications +- infrastructure +name: ui-plugin-operator +type: application +version: 103.0.1+up0.2.1 diff --git a/charts/ui-plugin-operator/103.0.1+up0.2.1/app-readme.md b/charts/ui-plugin-operator/103.0.1+up0.2.1/app-readme.md new file mode 100644 index 0000000000..3473271768 --- /dev/null +++ b/charts/ui-plugin-operator/103.0.1+up0.2.1/app-readme.md @@ -0,0 +1,21 @@ +# Rancher UI Plugin Operator + +This chart works together with the Rancher UI extensions feature to enable the ability to install UI extensions in your cluster. + +## Upgrading to Kubernetes v1.25+ + ​ +Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API. + ​ +As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`. +​ +> **Note:** +> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`. + ​ +> **Note:** +> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).** +> +> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets. +​ +Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart. +​ +As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards. diff --git a/charts/ui-plugin-operator/103.0.1+up0.2.1/templates/_helpers.tpl b/charts/ui-plugin-operator/103.0.1+up0.2.1/templates/_helpers.tpl new file mode 100644 index 0000000000..0d41d827fc --- /dev/null +++ b/charts/ui-plugin-operator/103.0.1+up0.2.1/templates/_helpers.tpl @@ -0,0 +1,89 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "ui-plugin-operator.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "ui-plugin-operator.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "ui-plugin-operator.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "ui-plugin-operator.labels" -}} +helm.sh/chart: {{ include "ui-plugin-operator.chart" . }} +{{ include "ui-plugin-operator.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "ui-plugin-operator.selectorLabels" -}} +app.kubernetes.io/name: {{ include "ui-plugin-operator.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "ui-plugin-operator.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "ui-plugin-operator.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}} +beta.kubernetes.io/os: linux +{{- else -}} +kubernetes.io/os: linux +{{- end -}} +{{- end -}} diff --git a/charts/ui-plugin-operator/103.0.1+up0.2.1/templates/dashboardrole.yaml b/charts/ui-plugin-operator/103.0.1+up0.2.1/templates/dashboardrole.yaml new file mode 100644 index 0000000000..e8b7c456cf --- /dev/null +++ b/charts/ui-plugin-operator/103.0.1+up0.2.1/templates/dashboardrole.yaml @@ -0,0 +1,33 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ .Chart.Name }}-dashboard + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }} +rules: +- apiGroups: + - "" + resources: + - services/proxy + resourceNames: + - "http:{{ .Chart.Name }}:{{ .Values.service.port }}" + - "https:{{ .Chart.Name }}:{{ .Values.service.port }}" + verbs: + - '*' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ .Chart.Name }}-dashboard + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ .Chart.Name }}-dashboard +subjects: +- kind: Group + name: system:authenticated + apiGroup: rbac.authorization.k8s.io diff --git a/charts/ui-plugin-operator/103.0.1+up0.2.1/templates/deployment.yaml b/charts/ui-plugin-operator/103.0.1+up0.2.1/templates/deployment.yaml new file mode 100644 index 0000000000..b355b40ff6 --- /dev/null +++ b/charts/ui-plugin-operator/103.0.1+up0.2.1/templates/deployment.yaml @@ -0,0 +1,67 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ .Chart.Name }} + labels: + {{- include "ui-plugin-operator.labels" . | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicas }} + {{- end }} + selector: + matchLabels: + {{- include "ui-plugin-operator.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "ui-plugin-operator.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} + serviceAccountName: {{ .Chart.Name }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: 80 + protocol: TCP + args: + - {{ template "ui-plugin-operator.name" . }} +{{- if .Values.debug }} + - --debug + - --debug-level={{ .Values.debugLevel }} +{{- end }} +{{- if .Values.additionalArgs }} +{{- toYaml .Values.additionalArgs | nindent 10 }} +{{- end }} + # livenessProbe: + # httpGet: + # path: / + # port: http + # readinessProbe: + # httpGet: + # path: / + # port: http + resources: + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/ui-plugin-operator/103.0.1+up0.2.1/templates/hardened.yaml b/charts/ui-plugin-operator/103.0.1+up0.2.1/templates/hardened.yaml new file mode 100644 index 0000000000..9d11df86cc --- /dev/null +++ b/charts/ui-plugin-operator/103.0.1+up0.2.1/templates/hardened.yaml @@ -0,0 +1,123 @@ +{{- $namespaces := dict "_0" .Release.Namespace -}} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ .Chart.Name }}-patch-sa + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }}-patch-sa + annotations: + "helm.sh/hook": post-install, post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation +spec: + template: + metadata: + name: {{ .Chart.Name }}-patch-sa + labels: + app: {{ .Chart.Name }}-patch-sa + spec: + serviceAccountName: {{ .Chart.Name }}-patch-sa + securityContext: + runAsNonRoot: true + runAsUser: 1000 + restartPolicy: Never + containers: + {{- range $_, $ns := $namespaces }} + - name: patch-sa-{{ $ns }} + image: {{ template "system_default_registry" $ }}{{ $.Values.global.kubectl.repository }}:{{ $.Values.global.kubectl.tag }} + imagePullPolicy: {{ $.Values.global.kubectl.pullPolicy }} + command: ["kubectl", "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"] + args: ["-n", "{{ $ns }}"] + {{- end }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ .Chart.Name }}-patch-sa + labels: + app: {{ .Chart.Name }}-patch-sa +rules: +- apiGroups: + - "" + resources: + - serviceaccounts + verbs: ['get', 'patch'] +{{- if .Values.global.cattle.psp.enabled }} +- apiGroups: ['policy'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - {{ .Chart.Name }}-patch-sa +{{- end }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ .Chart.Name }}-patch-sa + labels: + app: {{ .Chart.Name }}-patch-sa +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Chart.Name }}-patch-sa +subjects: +- kind: ServiceAccount + name: {{ .Chart.Name }}-patch-sa + namespace: {{ .Release.Namespace }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Chart.Name }}-patch-sa + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }}-patch-sa +--- +{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicies" }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ .Chart.Name }}-patch-sa + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }}-patch-sa +spec: + privileged: false + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAsNonRoot' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: false + volumes: + - 'secret' +{{- end }} +{{- range $_, $ns := $namespaces }} +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-allow-all + namespace: {{ $ns }} +spec: + podSelector: {} + ingress: + - {} + egress: + - {} + policyTypes: + - Ingress + - Egress +{{- end }} diff --git a/charts/ui-plugin-operator/103.0.1+up0.2.1/templates/service.yaml b/charts/ui-plugin-operator/103.0.1+up0.2.1/templates/service.yaml new file mode 100644 index 0000000000..7c4e735e9d --- /dev/null +++ b/charts/ui-plugin-operator/103.0.1+up0.2.1/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ .Chart.Name }} + labels: + {{- include "ui-plugin-operator.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: {{ .Values.service.targetPort }} + protocol: TCP + name: http + selector: + {{- include "ui-plugin-operator.selectorLabels" . | nindent 4 }} diff --git a/charts/ui-plugin-operator/103.0.1+up0.2.1/templates/serviceaccount.yaml b/charts/ui-plugin-operator/103.0.1+up0.2.1/templates/serviceaccount.yaml new file mode 100644 index 0000000000..d43d0492b0 --- /dev/null +++ b/charts/ui-plugin-operator/103.0.1+up0.2.1/templates/serviceaccount.yaml @@ -0,0 +1,101 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ .Chart.Name }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }} +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["*"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ .Chart.Name }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ .Chart.Name }} +subjects: +- kind: ServiceAccount + name: {{ .Chart.Name }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ .Chart.Name }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }} +rules: +- apiGroups: ["catalog.cattle.io"] + resources: + - uiplugins + - uiplugins/status + verbs: ["*"] +- apiGroups: ["coordination.k8s.io"] + resources: + - leases + verbs: ["*"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ .Chart.Name }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ .Chart.Name }} +subjects: +- kind: ServiceAccount + name: {{ .Chart.Name }} + namespace: {{ .Release.Namespace }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Chart.Name }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }} +--- +{{- if .Values.global.cattle.psp.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ .Chart.Name }} + namespace: {{ .Release.Namespace }} + labels: + app: {{ .Chart.Name }} +spec: + privileged: false + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAsNonRoot' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: false + volumes: + - 'secret' +{{- end }} diff --git a/charts/ui-plugin-operator/103.0.1+up0.2.1/templates/validate-psp-install.yaml b/charts/ui-plugin-operator/103.0.1+up0.2.1/templates/validate-psp-install.yaml new file mode 100644 index 0000000000..a30c59d3b7 --- /dev/null +++ b/charts/ui-plugin-operator/103.0.1+up0.2.1/templates/validate-psp-install.yaml @@ -0,0 +1,7 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +#{{- if .Values.global.cattle.psp.enabled }} +#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}} +#{{- end }} +#{{- end }} +#{{- end }} diff --git a/charts/ui-plugin-operator/103.0.1+up0.2.1/values.yaml b/charts/ui-plugin-operator/103.0.1+up0.2.1/values.yaml new file mode 100644 index 0000000000..b2b4cf2d5a --- /dev/null +++ b/charts/ui-plugin-operator/103.0.1+up0.2.1/values.yaml @@ -0,0 +1,69 @@ +# Default values for sample. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +image: + repository: rancher/ui-plugin-operator + pullPolicy: Always + tag: "v0.1.1" + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +service: + type: ClusterIP + port: 80 + targetPort: 8080 + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + +replicas: 1 + +resources: {} + +securityContext: + runAsNonRoot: true + runAsUser: 1000 + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +podAnnotations: [] + +additionalArgs: [] + +global: + cattle: + systemDefaultRegistry: "" + psp: + enabled: false # PSP enablement should default to false + kubectl: + repository: rancher/kubectl + tag: v1.20.2 + pullPolicy: IfNotPresent + rbac: + ## Create RBAC resources for ServiceAccounts and users + ## + enabled: false + # create: true + # userRoles: + # ## Create default user ClusterRoles to allow users to interact with Prometheus CRs, ConfigMaps, and Secrets + # create: true + # ## Aggregate default user ClusterRoles into default k8s ClusterRoles + # aggregateToDefaultRoles: true + + # pspEnabled: true + # pspAnnotations: {} + +debug: false +debugLevel: 0 diff --git a/index.yaml b/index.yaml index 0176cbc824..fec2e28b4e 100755 --- a/index.yaml +++ b/index.yaml @@ -5924,6 +5924,38 @@ entries: - assets/rancher-aks-operator-crd/rancher-aks-operator-crd-100.0.0+up1.0.1.tgz version: 100.0.0+up1.0.1 rancher-alerting-drivers: + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: Alerting Drivers + catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.28.0-0' + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0' + catalog.cattle.io/release-name: rancher-alerting-drivers + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/upstream-version: 100.0.1 + apiVersion: v2 + appVersion: 1.16.0 + created: "2023-09-04T21:40:21.607057361+05:30" + dependencies: + - condition: prom2teams.enabled + name: prom2teams + repository: file://./charts/prom2teams + - condition: sachet.enabled + name: sachet + repository: file://./charts/sachet + description: The manager for third-party webhook receivers used in Prometheus + Alertmanager + digest: 392ee8c099e74e9a2b52c42d5f11cbeb158d9f79f99f66350ada13d1ad4b2d98 + icon: https://charts.rancher.io/assets/logos/alerting-drivers.svg + keywords: + - monitoring + - alertmanger + - webhook + name: rancher-alerting-drivers + urls: + - assets/rancher-alerting-drivers/rancher-alerting-drivers-103.0.0.tgz + version: 103.0.0 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/display-name: Alerting Drivers @@ -17169,6 +17201,52 @@ entries: - assets/system-upgrade-controller/system-upgrade-controller-100.0.0+up0.3.0.tgz version: 100.0.0+up0.3.0 ui-plugin-operator: + - annotations: + catalog.cattle.io/auto-install: ui-plugin-operator-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: UI Plugin Operator + catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.28.0-0' + catalog.cattle.io/namespace: cattle-ui-plugin-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux, windows + catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0' + catalog.cattle.io/release-name: ui-plugin-operator + apiVersion: v1 + appVersion: 0.1.1 + created: "2023-08-23T21:53:32.665248158-03:00" + description: A UI Plugin Operator Chart for plugin management in Rancher + digest: 39b9ab5d48369ca88867b6d3d03e566f1eb34749ccfb3cbc5f56b482ffb3ad8b + keywords: + - applications + - infrastructure + name: ui-plugin-operator + type: application + urls: + - assets/ui-plugin-operator/ui-plugin-operator-103.0.1+up0.2.1.tgz + version: 103.0.1+up0.2.1 + - annotations: + catalog.cattle.io/auto-install: ui-plugin-operator-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: UI Plugin Operator + catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.27.0-0' + catalog.cattle.io/namespace: cattle-ui-plugin-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux, windows + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: ui-plugin-operator + apiVersion: v1 + appVersion: 0.1.1 + created: "2023-09-21T15:22:31.804227-07:00" + description: A UI Plugin Operator Chart for plugin management in Rancher + digest: ceec63170a1059a0d02796333fdd74734bf33683f03e65acf3e5a51532834249 + keywords: + - applications + - infrastructure + name: ui-plugin-operator + type: application + urls: + - assets/ui-plugin-operator/ui-plugin-operator-102.0.2+up0.2.1.tgz + version: 102.0.2+up0.2.1 - annotations: catalog.cattle.io/auto-install: ui-plugin-operator-crd=match catalog.cattle.io/certified: rancher @@ -17239,6 +17317,34 @@ entries: - assets/ui-plugin-operator/ui-plugin-operator-101.0.0+up0.1.0.tgz version: 101.0.0+up0.1.0 ui-plugin-operator-crd: + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cattle-ui-plugin-system + catalog.cattle.io/release-name: ui-plugin-operator-crd + apiVersion: v1 + created: "2023-08-23T21:53:32.66555024-03:00" + description: Installs the CRDs for ui-plugin-operator. + digest: 9d77ee9bf9079ffed1c39342c4d5e84583e8675cf6877c2278039c7a23e6986a + name: ui-plugin-operator-crd + type: application + urls: + - assets/ui-plugin-operator-crd/ui-plugin-operator-crd-103.0.1+up0.2.1.tgz + version: 103.0.1+up0.2.1 + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cattle-ui-plugin-system + catalog.cattle.io/release-name: ui-plugin-operator-crd + apiVersion: v1 + created: "2023-09-21T15:22:47.915957-07:00" + description: Installs the CRDs for ui-plugin-operator. + digest: 72e3b085c4c2b631fbbc59fbf456e24f1549e0af240af5fd129e134cfa280cb0 + name: ui-plugin-operator-crd + type: application + urls: + - assets/ui-plugin-operator-crd/ui-plugin-operator-crd-102.0.2+up0.2.1.tgz + version: 102.0.2+up0.2.1 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true" diff --git a/packages/rancher-alerting/rancher-alerting-drivers/charts/Chart.yaml b/packages/rancher-alerting/rancher-alerting-drivers/charts/Chart.yaml index 124089a0ad..0415f254ae 100644 --- a/packages/rancher-alerting/rancher-alerting-drivers/charts/Chart.yaml +++ b/packages/rancher-alerting/rancher-alerting-drivers/charts/Chart.yaml @@ -1,10 +1,10 @@ annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/display-name: Alerting Drivers - catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.27.0-0' + catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.28.0-0' catalog.cattle.io/os: linux catalog.cattle.io/permits-os: linux,windows - catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0' catalog.cattle.io/release-name: rancher-alerting-drivers catalog.cattle.io/type: cluster-tool catalog.cattle.io/upstream-version: 100.0.1 diff --git a/packages/rancher-alerting/rancher-alerting-drivers/package.yaml b/packages/rancher-alerting/rancher-alerting-drivers/package.yaml index a1a7c3492c..84703dfe63 100644 --- a/packages/rancher-alerting/rancher-alerting-drivers/package.yaml +++ b/packages/rancher-alerting/rancher-alerting-drivers/package.yaml @@ -1,2 +1,2 @@ url: local -version: 102.1.0 +version: 103.0.0 diff --git a/packages/rancher-alerting/rancher-prom2teams/package.yaml b/packages/rancher-alerting/rancher-prom2teams/package.yaml index 0512ee471a..642e7a5547 100644 --- a/packages/rancher-alerting/rancher-prom2teams/package.yaml +++ b/packages/rancher-alerting/rancher-prom2teams/package.yaml @@ -1,5 +1,5 @@ url: https://github.com/idealista/prom2teams.git subdirectory: helm commit: 5299de60c2af4e2b868bea28404faf132f52b764 # the commit points to the tag 4.2.1 -version: 102.0.1 +version: 103.0.0 doNotRelease: true diff --git a/packages/rancher-alerting/rancher-sachet/package.yaml b/packages/rancher-alerting/rancher-sachet/package.yaml index 6a35fe46c6..e4967dad8d 100644 --- a/packages/rancher-alerting/rancher-sachet/package.yaml +++ b/packages/rancher-alerting/rancher-sachet/package.yaml @@ -1,3 +1,3 @@ url: local -version: 102.0.1 +version: 103.0.0 doNotRelease: true diff --git a/packages/ui-plugin-operator/generated-changes/patch/Chart.yaml.patch b/packages/ui-plugin-operator/generated-changes/patch/Chart.yaml.patch new file mode 100644 index 0000000000..adac675a2b --- /dev/null +++ b/packages/ui-plugin-operator/generated-changes/patch/Chart.yaml.patch @@ -0,0 +1,16 @@ +--- charts-original/Chart.yaml ++++ charts/Chart.yaml +@@ -2,11 +2,11 @@ + catalog.cattle.io/auto-install: ui-plugin-operator-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: UI Plugin Operator +- catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.27.0-0' ++ catalog.cattle.io/kube-version: '>= 1.16.0-0 < 1.28.0-0' + catalog.cattle.io/namespace: cattle-ui-plugin-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux, windows +- catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' ++ catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0' + catalog.cattle.io/release-name: ui-plugin-operator + apiVersion: v1 + appVersion: 0.1.1 diff --git a/packages/ui-plugin-operator/package.yaml b/packages/ui-plugin-operator/package.yaml index 7faa901dde..5ad0ebbb84 100644 --- a/packages/ui-plugin-operator/package.yaml +++ b/packages/ui-plugin-operator/package.yaml @@ -1,7 +1,7 @@ url: https://github.com/rancher/ui-plugin-operator.git subdirectory: charts/ui-plugin-operator commit: 4f3ccc34f78f1cd828c83b6f37b6384e1ecb8d5f -version: 102.0.1 +version: 103.0.1 additionalCharts: - workingDir: charts-crd crdOptions: diff --git a/release.yaml b/release.yaml index 809383fc2f..5fb3be3a7a 100644 --- a/release.yaml +++ b/release.yaml @@ -1,14 +1,8 @@ -rancher-backup: - - 102.0.2+up3.1.2 - - 103.0.0+up4.0.0 -rancher-backup-crd: - - 102.0.2+up3.1.2 - - 103.0.0+up4.0.0 -rancher-gatekeeper: - - 103.1.0+up3.13.0 -rancher-gatekeeper-crd: - - 103.1.0+up3.13.0 -sriov: - - 103.0.0+up0.1.0 -sriov-crd: - - 103.0.0+up0.1.0 +rancher-alerting-drivers: + - 103.0.0 +ui-plugin-operator: + - 103.0.1+up0.2.1 + - 102.0.2+up0.2.1 +ui-plugin-operator-crd: + - 103.0.1+up0.2.1 + - 102.0.2+up0.2.1