unkin/puppet-prod
2
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases Wiki Activity
4e77fb7ee7
puppet-prod/modules/rke2/files/010_rancher.yaml
Ben Vincent 4e77fb7ee7 feat: manage rancher, purelb, cert-manager (#395) 
This change will install rancher, purelb and cert-manager, then
configure a dmz and common ip pool to be used by loadbalancers. The
nginx ingres controller is configured to use 198.18.200.0 (common) and
announce the ip from all nodes so that it becomes an anycast ip in ospf.

- manage the install of rancher, purelb and cert-manager
- add rancher ingress routes
- add nginx externalip/loadBalancer

Reviewed-on: #395
2025-09-14 20:59:39 +10:00

696 lines
19 KiB
YAML
Raw Blame History

# Source: rancher/templates/priorityClass.yaml
apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
name: rancher-critical
labels:
app: rancher
chart: rancher-2.12.1
heritage: Helm
release: rancher
value: 1000000000
globalDefault: false
description: Priority class used by pods critical to rancher's functionality.
---
# Source: rancher/templates/serviceAccount.yaml
kind: ServiceAccount
apiVersion: v1
metadata:
name: rancher
labels:
app: rancher
chart: rancher-2.12.1
heritage: Helm
release: rancher
---
# Source: rancher/templates/configMap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: rancher-config
labels:
app: rancher
chart: rancher-2.12.1
heritage: Helm
release: rancher
app.kubernetes.io/part-of: rancher
data:
priorityClassName: rancher-critical
---
# Source: rancher/templates/clusterRoleBinding.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rancher
labels:
app: rancher
chart: rancher-2.12.1
heritage: Helm
release: rancher
subjects:
- kind: ServiceAccount
name: rancher
namespace: cattle-system
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io
---
# Source: rancher/templates/service.yaml
apiVersion: v1
kind: Service
metadata:
name: rancher
labels:
app: rancher
chart: rancher-2.12.1
heritage: Helm
release: rancher
spec:
ports:
- port: 80
targetPort: 80
protocol: TCP
name: http
- port: 443
targetPort: 444
protocol: TCP
name: https-internal
selector:
app: rancher
---
# Source: rancher/templates/deployment.yaml
kind: Deployment
apiVersion: apps/v1
metadata:
name: rancher
annotations:
labels:
app: rancher
chart: rancher-2.12.1
heritage: Helm
release: rancher
spec:
replicas: 3
selector:
matchLabels:
app: rancher
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
labels:
app: rancher
release: rancher
spec:
priorityClassName: rancher-critical
serviceAccountName: rancher
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values: [rancher]
topologyKey: kubernetes.io/hostname
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/os
operator: NotIn
values: [windows]
tolerations:
- key: cattle.io/os
value: linux
effect: NoSchedule
operator: Equal
containers:
- image: docker.io/rancher/rancher:v2.12.1
imagePullPolicy: IfNotPresent
name: rancher
ports:
- containerPort: 80
protocol: TCP
- containerPort: 6666
protocol: TCP
args:
# Public trusted CA - clear ca certs
- --no-cacerts
- --http-listen-port=80
- --https-listen-port=443
- --add-local=true
env:
- name: CATTLE_NAMESPACE
value: cattle-system
- name: CATTLE_PEER_SERVICE
value: rancher
- name: CATTLE_BOOTSTRAP_PASSWORD
valueFrom:
secretKeyRef:
name: bootstrap-secret
key: bootstrapPassword
- name: IMPERATIVE_API_DIRECT
value: 'true'
- name: IMPERATIVE_API_APP_SELECTOR
value: rancher
startupProbe:
httpGet:
path: /healthz
port: 80
timeoutSeconds: 5
failureThreshold: 12
periodSeconds: 10
livenessProbe:
httpGet:
path: /healthz
port: 80
timeoutSeconds: 5
periodSeconds: 30
failureThreshold: 5
readinessProbe:
httpGet:
path: /healthz
port: 80
timeoutSeconds: 5
periodSeconds: 30
failureThreshold: 5
volumeMounts:
volumes:
---
# Source: rancher/templates/ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: rancher
labels:
app: rancher
chart: rancher-2.12.1
heritage: Helm
release: rancher
annotations:
nginx.ingress.kubernetes.io/proxy-connect-timeout: '30'
nginx.ingress.kubernetes.io/proxy-read-timeout: '1800'
nginx.ingress.kubernetes.io/proxy-send-timeout: '1800'
spec:
rules:
- host: rancher.main.unkin.net # hostname to access rancher server
http:
paths:
- backend:
service:
name: rancher
port:
number: 80
pathType: ImplementationSpecific
path: /
tls:
- hosts: [rancher.main.unkin.net]
secretName: tls-rancher-ingress
---
# Source: rancher/templates/post-delete-hook-service-account.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: rancher-post-delete
namespace: cattle-system
labels:
app: rancher
chart: rancher-2.12.1
heritage: Helm
release: rancher
annotations:
helm.sh/hook: post-delete
helm.sh/hook-weight: '1'
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
---
# Source: rancher/templates/pre-upgrade-hook-service-account.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
name: rancher-pre-upgrade
namespace: cattle-system
labels:
app: rancher
chart: rancher-2.12.1
heritage: Helm
release: rancher
annotations:
helm.sh/hook: pre-upgrade
helm.sh/hook-weight: '-1'
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
---
# Source: rancher/templates/secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: bootstrap-secret
namespace: cattle-system
annotations:
helm.sh/hook: pre-install,pre-upgrade
helm.sh/hook-weight: '-5'
helm.sh/resource-policy: keep
type: Opaque
data:
bootstrapPassword: YWRtaW4=
---
# Source: rancher/templates/post-delete-hook-config-map.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: rancher-post-delete
namespace: cattle-system
labels:
app: rancher
chart: rancher-2.12.1
heritage: Helm
release: rancher
annotations:
helm.sh/hook: post-delete
helm.sh/hook-weight: '1'
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
data:
post-delete-hook.sh: |-
#!/bin/bash
set -e
namespaces="${NAMESPACES}"
rancher_namespace="${RANCHER_NAMESPACE}"
timeout="${TIMEOUT}"
ignoreTimeoutError="${IGNORETIMEOUTERROR}"
if [[ -z ${namespaces} ]]; then
echo "No namespace is provided."
exit 1
fi
if [[ -z ${rancher_namespace} ]]; then
echo "No rancher namespace is provided."
exit 1
fi
if [[ -z ${timeout} ]]; then
echo "No timeout value is provided."
exit 1
fi
if [[ -z ${ignoreTimeoutError} ]]; then
echo "No ignoreTimeoutError value is provided."
exit 1
fi
succeeded=()
failed=()
get_pod_count() {
kubectl get pods --selector app="${1}" -n "${2}" -o json | jq '.items | length'
}
echo "Uninstalling Rancher resources in the following namespaces: ${namespaces}"
for namespace in ${namespaces}; do
for app in $(helm list -n "${namespace}" -q); do
if [[ ${app} =~ .crd$ ]]; then
echo "--- Skip the app [${app}] in the namespace [${namespace}]"
continue
fi
echo "--- Deleting the app [${app}] in the namespace [${namespace}]"
if [[ ! $(helm uninstall "${app}" -n "${namespace}") ]]; then
failed=("${failed[@]}" "${app}")
continue
fi
t=0
while true; do
if [[ $(get_pod_count "${app}" "${namespace}") -eq 0 ]]; then
echo "successfully uninstalled [${app}] in the namespace [${namespace}]"
succeeded=("${succeeded[@]}" "${app}")
break
fi
if [[ ${t} -ge ${timeout} ]]; then
echo "timeout uninstalling [${app}] in the namespace [${namespace}]"
failed=("${failed[@]}" "${app}")
break
fi
# by default, wait 120 seconds in total for an app to be uninstalled
echo "waiting 5 seconds for pods of [${app}] to be terminated ..."
sleep 5
t=$((t + 5))
done
done
# delete the helm operator pods
for pod in $(kubectl get pods -n "${namespace}" -o name); do
if [[ ${pod} =~ ^pod\/helm-operation-* ]]; then
echo "--- Deleting the pod [${pod}] in the namespace [${namespace}]"
kubectl delete "${pod}" -n "${namespace}"
fi
done
done
echo "Removing Rancher bootstrap secret in the following namespace: ${rancher_namespace}"
kubectl --ignore-not-found=true delete secret bootstrap-secret -n "${rancher_namespace}"
echo "------ Summary ------"
if [[ ${#succeeded[@]} -ne 0 ]]; then
echo "Succeeded to uninstall the following apps:" "${succeeded[@]}"
fi
if [[ ${#failed[@]} -ne 0 ]]; then
echo "Failed to uninstall the following apps:" "${failed[@]}"
if [[ "${ignoreTimeoutError}" == "false" ]]; then
exit 2
fi
else
echo "Cleanup finished successfully."
fi
---
# Source: rancher/templates/pre-upgrade-hook-config-map.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: rancher-pre-upgrade
namespace: cattle-system
labels:
app: rancher
chart: rancher-2.12.1
heritage: Helm
release: rancher
annotations:
helm.sh/hook: pre-upgrade
helm.sh/hook-weight: '-1'
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
data:
pre-upgrade-hook.sh: |-
#!/bin/bash
set -eo pipefail
# Global counters
declare -A COUNTS
RESOURCES_FOUND=false
check_prerequisites() {
if ! command -v kubectl &>/dev/null; then
echo "Missing required tool: kubectl"
exit 1
fi
}
print_resource_table() {
local kind="$1"
local items="$2"
local -a headers=("${@:3}")
local count
count=$(wc -l <<< "$items")
COUNTS["$kind"]=$count
RESOURCES_FOUND=true
echo "Found $count $kind resource(s):"
echo
IFS=$'\n' read -r -d '' -a lines < <(printf '%s\0' "$items")
# Initialize max_lengths array with header lengths
local -a max_lengths
for i in "${!headers[@]}"; do
max_lengths[i]=${#headers[i]}
done
# Calculate max width for each column
for line in "${lines[@]}"; do
IFS=$'\t' read -r -a cols <<< "$line"
for i in "${!cols[@]}"; do
(( ${#cols[i]} > max_lengths[i] )) && max_lengths[i]=${#cols[i]}
done
done
for i in "${!headers[@]}"; do
printf "%-${max_lengths[i]}s " "${headers[i]}"
done
printf "\n"
for i in "${!headers[@]}"; do
printf "%-${max_lengths[i]}s " "$(printf '%*s' "${max_lengths[i]}" '' | tr ' ' '-')"
done
printf "\n"
for line in "${lines[@]}"; do
IFS=$'\t' read -r -a cols <<< "$line"
for i in "${!cols[@]}"; do
printf "%-${max_lengths[i]}s " "${cols[i]}"
done
printf "\n"
done
echo
}
detect_resource() {
local crd="$1"
local kind="$2"
local jsonpath="$3"
local -a headers=("${@:4}")
echo "Checking for $kind resources..."
local output
if ! output=$(kubectl get "$crd" --all-namespaces -o=jsonpath="$jsonpath" 2>&1); then
if grep -q "the server doesn't have a resource type" <<< "$output"; then
echo "Resource type $crd not found. Skipping."
echo
return 0
else
echo "Error retrieving $kind resources: $output"
exit 1
fi
fi
if [ -z "$output" ]; then
echo "No $kind resources found."
echo
else
print_resource_table "$kind" "$output" "${headers[@]}"
fi
}
print_summary() {
echo "===== SUMMARY ====="
local total=0
for kind in "${!COUNTS[@]}"; do
local count=${COUNTS[$kind]}
echo "$kind: $count"
total=$((total + count))
done
echo "Total resources detected: $total"
if [ "$RESOURCES_FOUND" = true ]; then
echo "Error: Rancher v2.12+ does not support RKE1.
Detected RKE1-related resources (listed above).
Please migrate these clusters to RKE2 or K3s, or delete the related resources.
More info: https://www.suse.com/c/rke-end-of-life-by-july-2025-replatform-to-rke2-or-k3s"
exit 1
else
echo "No RKE related resources found."
fi
}
main() {
check_prerequisites
detect_resource "clusters.management.cattle.io" "RKE Management Cluster" \
'{range .items[?(@.spec.rancherKubernetesEngineConfig)]}{.metadata.name}{"\t"}{.spec.displayName}{"\n"}{end}' \
"NAME" "DISPLAY NAME"
detect_resource "nodetemplates.management.cattle.io" "NodeTemplate" \
'{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{.spec.displayName}{"\n"}{end}' \
"NAMESPACE" "NAME" "DISPLAY NAME"
detect_resource "clustertemplates.management.cattle.io" "ClusterTemplate" \
'{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{.spec.displayName}{"\n"}{end}' \
"NAMESPACE" "NAME" "DISPLAY NAME"
print_summary
}
main
---
# Source: rancher/templates/post-delete-hook-cluster-role.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rancher-post-delete
labels:
app: rancher
chart: rancher-2.12.1
heritage: Helm
release: rancher
annotations:
helm.sh/hook: post-delete
helm.sh/hook-weight: '1'
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
rules:
- apiGroups: [extensions, apps]
resources: [deployments]
verbs: [get, list, delete]
- apiGroups: [batch]
resources: [jobs]
verbs: [get, list, watch, delete, create]
- apiGroups: [rbac.authorization.k8s.io]
resources: [clusterroles, clusterrolebindings, roles, rolebindings]
verbs: [get, list, delete, create]
- apiGroups: ['']
resources: [pods, secrets, services, configmaps]
verbs: [get, list, delete]
- apiGroups: ['']
resources: [serviceaccounts]
verbs: [get, list, delete, create]
- apiGroups: [networking.k8s.io]
resources: [networkpolicies]
verbs: [get, list, delete]
- apiGroups: [admissionregistration.k8s.io]
resources:
- validatingwebhookconfigurations
- mutatingwebhookconfigurations
verbs: [get, list, delete]
- apiGroups: [networking.k8s.io]
resources: [ingresses]
verbs: [delete]
- apiGroups: [cert-manager.io]
resources: [issuers]
verbs: [delete]
---
# Source: rancher/templates/pre-upgrade-hook-cluster-role.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: rancher-pre-upgrade
labels:
app: rancher
chart: rancher-2.12.1
heritage: Helm
release: rancher
annotations:
helm.sh/hook: pre-upgrade
helm.sh/hook-weight: '-1'
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
rules:
- apiGroups: [management.cattle.io]
resources: [clusters, nodetemplates, clustertemplates]
verbs: [get, list]
---
# Source: rancher/templates/post-delete-hook-cluster-role-binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: rancher-post-delete
labels:
app: rancher
chart: rancher-2.12.1
heritage: Helm
release: rancher
annotations:
helm.sh/hook: post-delete
helm.sh/hook-weight: '2'
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded,hook-failed
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: rancher-post-delete
subjects:
- kind: ServiceAccount
name: rancher-post-delete
namespace: cattle-system
---
# Source: rancher/templates/pre-upgrade-hook-cluster-role-binding.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: rancher-pre-upgrade
labels:
app: rancher
chart: rancher-2.12.1
heritage: Helm
release: rancher
annotations:
helm.sh/hook: pre-upgrade
helm.sh/hook-weight: '-1'
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: rancher-pre-upgrade
subjects:
- kind: ServiceAccount
name: rancher-pre-upgrade
namespace: cattle-system
---
# Source: rancher/templates/post-delete-hook-job.yaml
apiVersion: batch/v1
kind: Job
metadata:
name: rancher-post-delete
namespace: cattle-system
labels:
app: rancher
chart: rancher-2.12.1
heritage: Helm
release: rancher
annotations:
helm.sh/hook: post-delete
helm.sh/hook-weight: '3'
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
spec:
backoffLimit: 3
template:
metadata:
name: rancher-post-delete
labels:
app: rancher
chart: rancher-2.12.1
heritage: Helm
release: rancher
spec:
serviceAccountName: rancher-post-delete
restartPolicy: OnFailure
containers:
- name: rancher-post-delete
image: rancher/shell:v0.5.0
imagePullPolicy: IfNotPresent
securityContext:
runAsUser: 0
command: [/scripts/post-delete-hook.sh]
volumeMounts:
- mountPath: /scripts
name: config-volume
env:
- name: NAMESPACES
value: cattle-fleet-system cattle-system rancher-operator-system
- name: RANCHER_NAMESPACE
value: cattle-system
- name: TIMEOUT
value: '120'
- name: IGNORETIMEOUTERROR
value: 'false'
volumes:
- name: config-volume
configMap:
name: rancher-post-delete
defaultMode: 0777
---
# Source: rancher/templates/pre-upgrade-hook-job.yaml
apiVersion: batch/v1
kind: Job
metadata:
name: rancher-pre-upgrade
namespace: cattle-system
labels:
app: rancher-pre-upgrade
chart: rancher-2.12.1
heritage: Helm
release: rancher
annotations:
helm.sh/hook: pre-upgrade
helm.sh/hook-weight: '-1'
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
spec:
backoffLimit: 3
template:
metadata:
name: rancher-pre-upgrade
labels:
app: rancher-pre-upgrade
chart: rancher-2.12.1
heritage: Helm
release: rancher
spec:
serviceAccountName: rancher-pre-upgrade
restartPolicy: Never
containers:
- name: rancher-pre-upgrade
image: rancher/shell:v0.5.0
imagePullPolicy: IfNotPresent
securityContext:
runAsUser: 0
command: [/scripts/pre-upgrade-hook.sh]
volumeMounts:
- mountPath: /scripts
name: config-volume
volumes:
- name: config-volume
configMap:
name: rancher-pre-upgrade
defaultMode: 0777
Reference in New Issue View Git Blame Copy Permalink