updates for rancher v2.8.12 (#253)

rancherfederal · Jan 29, 2025 · 2b44cf9 · 2b44cf9
1 parent 4a7d365
commit 2b44cf9
Show file tree

Hide file tree

Showing 5 changed files with 83 additions and 10 deletions.
diff --git a/charts/rancher/Chart.yaml b/charts/rancher/Chart.yaml
@@ -1,9 +1,9 @@
 apiVersion: v2
 name: rancher
 description: Install Rancher Server to manage Kubernetes clusters across providers
-version: 2.10.1
-appVersion: v2.10.1
-kubeVersion: < 1.32.0-0
+version: 2.8.12
+appVersion: v2.8.12
+kubeVersion: < 1.29.0-0
 home: https://rancher.com
 icon: https://github.com/rancher/ui/blob/master/public/assets/images/logos/welcome-cow.svg
 keywords:

diff --git a/charts/rancher/templates/_helpers.tpl b/charts/rancher/templates/_helpers.tpl
@@ -77,6 +77,31 @@ add below linux tolerations to workloads could be scheduled to those linux nodes
 {{- end -}}
 {{- end -}}
 
+{{/*
+Define the chosen value for PSPs. If this value is "", then the user did not set the value. This will
+result in psps on <=1.24 and no psps on >=1.25. If the value is true/false, then the user specifically
+chose an option, and that option will be used. If it is set otherwise, then we fail so the user can correct
+the invalid value.
+*/}}
+
+{{- define "rancher.chart_psp_enabled" -}}
+{{- if kindIs "bool" .Values.global.cattle.psp.enabled -}}
+{{ .Values.global.cattle.psp.enabled }}
+{{- else if empty .Values.global.cattle.psp.enabled -}}
+  {{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+    {{- if (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") -}}
+true
+    {{- else -}}
+false
+    {{- end -}}
+  {{- else -}}
+true
+  {{- end -}}
+{{- else -}}
+{{- fail "Invalid value for .Values.global.cattle.psp.enabled - must be a bool of true, false, or \"\"" -}}
+{{- end -}}
+{{- end -}}
+
 {{/*
     Select correct auditLog image
 */}}

diff --git a/charts/rancher/templates/post-delete-hook-cluster-role.yaml b/charts/rancher/templates/post-delete-hook-cluster-role.yaml
@@ -30,6 +30,14 @@ rules:
   - apiGroups: [ "admissionregistration.k8s.io" ]
     resources: [ "validatingwebhookconfigurations", "mutatingwebhookconfigurations" ]
     verbs: [ "get", "list", "delete" ]
+  - apiGroups: [ "policy" ]
+    resources: [ "podsecuritypolicies" ]
+    verbs: ["delete", "create" ]
+{{- if eq (include "rancher.chart_psp_enabled" . ) "true" }}
+  - apiGroups: [ "policy" ]
+    resources: [ "podsecuritypolicies" ]
+    verbs: [ "use"]
+{{- end }}
   - apiGroups: [ "networking.k8s.io" ]
     resources: [ "ingresses" ]
     verbs: [ "delete" ]

diff --git a/charts/rancher/templates/post-delete-hook-psp.yaml b/charts/rancher/templates/post-delete-hook-psp.yaml
@@ -0,0 +1,34 @@
+{{- if eq (include "rancher.chart_psp_enabled" . ) "true" -}}
+ apiVersion: policy/v1beta1
+ kind: PodSecurityPolicy
+ metadata:
+   name: {{ include "rancher.fullname" . }}-post-delete
+   labels: {{ include "rancher.labels" . | nindent 4 }}
+   annotations:
+     "helm.sh/hook": post-delete
+     "helm.sh/hook-weight": "1"
+     "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed
+ spec:
+   privileged: false
+   hostNetwork: false
+   hostIPC: false
+   hostPID: false
+   runAsUser:
+     rule: 'RunAsAny'
+   seLinux:
+     rule: 'RunAsAny'
+   supplementalGroups:
+     rule: 'MustRunAs'
+     ranges:
+       - min: 1
+         max: 65535
+   fsGroup:
+     rule: 'MustRunAs'
+     ranges:
+       - min: 1
+         max: 65535
+   readOnlyRootFilesystem: false
+   volumes:
+     - 'secret'
+     - 'configMap'
+ {{- end }}
diff --git a/charts/rancher/values.yaml b/charts/rancher/values.yaml
@@ -65,6 +65,9 @@ ingress:
   includeDefaultExtraAnnotations: true
   extraAnnotations: {}
   ingressClassName: ""
+  # Certain ingress controllers will require the pathType or path to be set to a different value.
+  pathType: ImplementationSpecific
+  path: "/"
   # backend port number
   servicePort: 80
 
@@ -93,7 +96,7 @@ letsEncrypt:
     # options: traefik, nginx
     class: ""
 # If you are using certs signed by a private CA set to 'true' and set the 'tls-ca'
-# in the 'cattle-system' namespace. See the README.md for details
+# in the 'rancher-system' namespace. See the README.md for details
 privateCA: false
 
 # http[s] proxy server passed into rancher server.
@@ -160,7 +163,7 @@ postDelete:
   enabled: true
   image:
     repository: rancher/shell
-    tag: v0.3.0
+    tag: v0.2.1
   namespaceList:
     - cattle-fleet-system
     - cattle-system
@@ -178,10 +181,6 @@ startupProbe:
   timeoutSeconds: 5
   periodSeconds: 10
   failureThreshold: 12
-
-# Additional taints to tolerate
-extraTolerations: {}
-
 livenessProbe:
   timeoutSeconds: 5
   periodSeconds: 30
@@ -191,6 +190,13 @@ readinessProbe:
   periodSeconds: 30
   failureThreshold: 5
 
+global:
+  cattle:
+    psp:
+      # will default to true on 1.24 and below, and false for 1.25 and above
+      # can be changed manually to true or false to bypass version checks and force that option
+      enabled: ""
+
 # helm values to use when installing the rancher-webhook chart.
 # helm values set here will override all other global values used when installing the webhook such as priorityClassName and systemRegistry settings.
 webhook: ""
@@ -203,4 +209,4 @@ carbide:
   whitelabel:
     enabled: true
     image: carbide/carbide-whitelabel
-    tag: "0.1.5"
+    tag: "0.1.4"