Merge branch 'features/rocky-frsca' into 'rocky/main'

Features/rocky frsca See merge request ADLS/infrastructure/adls.osrancher!16

Merge branch 'features/rocky-frsca' into 'rocky/main'
bdc5c1e4 · Rödig, Constanze · 0ea50edd · eebebc97 · bdc5c1e4 · bdc5c1e4
Commit bdc5c1e4 authored 3 years ago by Rödig, Constanze
--- a/roles/rke2/tasks/setup_host.yml
+++ b/roles/rke2/tasks/setup_host.yml
@@ -7,6 +7,11 @@
    backup: yes
  loop: "{{ groups['all'] }}"

+- name: dnf upgrade all
+  dnf:
+    name: "*"
+    state: latest
+
 - name: install RHEL packages
  dnf:
    name:
@@ -97,10 +102,7 @@
    semodule -i /etc/selinux/targeted/policy/my-openstack-ccm.cil /etc/selinux/targeted/policy/base-container.cil
  when: ( 'control-plane' in group_names )

- name: Disable SELinux
-  selinux:
-    policy: targeted
-    state: permissive
+

 - name: Ensure /var/lib/rancher/rke2/server/manifests
  file:
@@ -114,8 +116,4 @@
    state: directory
    recurse: yes

- name: Enable SELinux
-  selinux:
-    policy: targeted
-    state: enforcing

--- a/roles/rke2/templates/manifests/config-nginx-ingress.j2
+++ b/roles/rke2/templates/manifests/config-nginx-ingress.j2
@@ -10,8 +10,10 @@ spec:
      image:
        repository: k8s.gcr.io/defaultbackend-amd64
        tag: "1.5"
+{% if item.value.psp == true  %}
    podSecurityPolicy:
      enabled: true
+{% endif %}
    controller:
      hostNetwork: {{ item.value.hostNetwork | bool | string | lower }}
      reportNodeInternalIp: {{ item.value.reportNodeInternalIp | bool | string | lower }}

--- a/roles/rke2/templates/manifests/deploy-azure-workload-identity.j2
+++ b/roles/rke2/templates/manifests/deploy-azure-workload-identity.j2
@@ -15,7 +15,7 @@ metadata:
 spec:
  repo: https://azure.github.io/azure-workload-identity/charts
  chart: workload-identity-webhook
-  version: {{ item.value.version | default("0.12.0") }}
+  version: {{ item.value.version | default("0.13.0") }}
  targetNamespace: azure-workload-identity-system
  set:
    azureTenantID: {{ item.value.azureTenantID }}
--- a/roles/rke2/templates/manifests/deploy-oauth2.j2
+++ b/roles/rke2/templates/manifests/deploy-oauth2.j2
+---
+
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: oauth2
+  
+---
+
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+  name: oauth2
+  namespace: kube-system
+spec:
+  repo: {{ item.value.repo | default("https://charts.bitnami.com/bitnami") }}
+  chart: oauth2-proxy
+  version: {{ item.value.version | default("3.3.3") }}
+  targetNamespace: oauth2
+  valuesContent: |-
+    serviceAccount: 
+      create: true
+    replicaCount: 1
+    extraArgs:
+      - --provider=oidc
+      - --oidc-issuer-url=https://login.microsoftonline.com/{{ item.value.azureTenantID | default("1e8a0c86-2410-4f48-91c3-dc1d164680ca") }}/v2.0
+      - --whitelist-domain={{ item.value.tld | default(".austrianopencloudcommunity.org") }}
+      - --cookie-refresh=1h
+      - --cookie-domain={{ item.value.tld | default(".austrianopencloudcommunity.org") }}
+      - --set-xauthrequest 
+    configuration:
+      clientID: "{{ item.value.clientID  }}"
+      clientSecret: "{{ item.value.clientSecret }}"
+      cookieSecret: "fb6379f21e17c305875a8eff0ade41f5"
+      google:
+        enabled: false
+    redis:
+      enabled: false 
+    ingress: 
+      enabled: true
+      hostname: {{ item.value.hostname }}
+      annotations: 
+        kubernetes.io/ingress.class: nginx
+        cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
+        nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
+        nginx.ingress.kubernetes.io/proxy-body-size: 8M
+        nginx.ingress.kubernetes.io/client-body-buffer-size: 1M
+      tls: true
+      extraTls:
+      - hosts:
+         - {{ item.value.hostname }}
+        secretName: oauth2-proxy-ingress-tls-cert
+
+
+
--- a/roles/rke2/templates/manifests/deploy-rancher-neuvector.j2
+++ b/roles/rke2/templates/manifests/deploy-rancher-neuvector.j2
@@ -4,24 +4,9 @@ kind: Namespace
 apiVersion: v1
 metadata:
  name: cattle-neuvector-system
-  name: kube-system #! it has  ALOT of priviledged stuff, hostMounts etc going on, getting it to run in user space is a mess
-
-

 ---

-apiVersion: helm.cattle.io/v1
-kind: HelmChart
-metadata:
-  name: cattle-neuvector-crd
-  namespace: kube-system
-spec:
-  repo: {{ item.value.repo | default("https://charts.rancher.io") }}
-  chart: neuvector-crd
-  version: {{ item.value.version | default("100.0.0+up2.2.0") }}
-  targetNamespace: cattle-neuvector-system
---
-
 apiVersion: helm.cattle.io/v1
 kind: HelmChart
 metadata:
@@ -30,11 +15,43 @@ metadata:
 spec:
  repo: {{ item.value.repo | default("https://charts.rancher.io") }}
  chart: neuvector
-  version: {{ item.value.version | default("100.0.0+up2.2.0") }}
+  version: {{ item.value.version | default("100.0.2+up2.2.3") }}
  targetNamespace: cattle-neuvector-system
-  set:
-    psp: true
  valuesContent: |-
+    global:
+      cattle:
+        systemDefaultRegistry: ""
+    serviceAccount: neuvector
+    psp: true
+    serviceAccount: neuvector
+    controller:
+      replicas: 1
+      ranchersso:
+        enabled: true
+    manager:
+      runAsUser: 1000
+      route:
+        enabled: false
+      ingress:
+        enabled: true
+        host: neuvector.{{ item.value.hostname }}
+        ingressClassName: "nginx"
+        path: "/"
+        annotations:
+          nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+          nginx.ingress.kubernetes.io/auth-url: "https://oauth.{{ item.value.hostname }}/oauth2/auth"
+          nginx.ingress.kubernetes.io/auth-signin: "https://oauth.{{ item.value.hostname }}/oauth2/start?rd=https://$host$request_uri" 
+          cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
+          nginx.ingress.kubernetes.io/whitelist-source-range: "1.1.1.1"
+          nginx.ingress.kubernetes.io/rewrite-target: /
+          nginx.ingress.kubernetes.io/enable-rewrite-log: "true"
+        tls: true
+        secretName: neuvector-tls-secret
+    cve:
+      scanner:
+        runAsUser: 1000
+      updater:
+        runAsUser: 1000
    docker:
      enabled: false
    k3s:
@@ -46,227 +63,13 @@ spec:

 ---

-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
 metadata:
-  name: psp-neuvector-system-unrestricted
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: system-unrestricted-psp-role
-subjects:
- kind: ServiceAccount
-  name: neuvector
-  namespace: cattle-neuvector-system
-
-
-maanger and scanner pods are failing
-for manager, you also need to put 
-securityContext:
-  runAsNonRoot: true
-  runAsUser: 1000
-
-admissionwebhook:
-  type: ClusterIP
-bottlerocket:
-  enabled: false
-  runtimePath: /run/dockershim.sock
-containerd:
-  enabled: true
-  path: /run/k3s/containerd/containerd.sock
-controller:
-  affinity:
-    podAntiAffinity:
-      preferredDuringSchedulingIgnoredDuringExecution:
-        - podAffinityTerm:
-            labelSelector:
-              matchExpressions:
-                - key: app
-                  operator: In
-                  values:
-                    - neuvector-controller-pod
-            topologyKey: kubernetes.io/hostname
-          weight: 100
-  apisvc:
-    annotations: {}
-    route:
-      enabled: false
-      host: null
-      termination: passthrough
-    type: null
-  azureFileShare:
-    enabled: false
-    secretName: null
-    shareName: null
-  certificate:
-    keyFile: tls.key
-    pemFile: tls.pem
-    secret: null
-  configmap:
-    data: null
-    enabled: false
-  disruptionbudget: 0
-  enabled: true
-  env: null
-  federation:
-    managedsvc:
-      ingress:
-        annotations:
-          ingress.kubernetes.io/protocol: https
-        enabled: false
-        host: null
-        path: /
-        secretName: null
-        tls: false
-      route:
-        enabled: false
-        host: null
-        termination: passthrough
-      type: null
-    mastersvc:
-      ingress:
-        annotations:
-          ingress.kubernetes.io/protocol: https
-        enabled: false
-        host: null
-        path: /
-        secretName: null
-        tls: false
-      route:
-        enabled: false
-        host: null
-        termination: passthrough
-      type: null
-  image:
-    hash: null
-    repository: rancher/mirrored-neuvector-controller
-    tag: 5.0.0
-  ingress:
-    annotations:
-      ingress.kubernetes.io/protocol: https
-    enabled: false
-    host: null
-    path: /
-    secretName: null
-    tls: false
-  nodeSelector: {}
-  priorityClassName: null
-  pvc:
-    accessModes:
-      - ReadWriteMany
-    capacity: null
-    enabled: false
-    storageClass: null
-  ranchersso:
-    enabled: true
-  replicas: 3
-  resources: {}
-  schedulerName: null
-  secret:
-    data: {}
-    enabled: false
-  strategy:
-    rollingUpdate:
-      maxSurge: 1
-      maxUnavailable: 0
-    type: RollingUpdate
-  tolerations: null
-crdwebhook:
-  enabled: true
-  type: ClusterIP
-crio:
-  enabled: false
-  path: /var/run/crio/crio.sock
-cve:
-  scanner:
-    affinity: {}
-    dockerPath: ''
-    enabled: true
-    image:
-      hash: null
-      repository: rancher/mirrored-neuvector-scanner
-      tag: latest
-    nodeSelector: {}
-    priorityClassName: null
-    replicas: 3
-    resources: {}
-    strategy:
-      rollingUpdate:
-        maxSurge: 1
-        maxUnavailable: 0
-      type: RollingUpdate
-    tolerations: null
-  updater:
-    enabled: true
-    image:
-      hash: null
-      repository: rancher/mirrored-neuvector-updater
-      tag: latest
-    priorityClassName: null
-    schedule: 0 0 * * *
-    secure: false
-docker:
-  path: /var/run/docker.sock
-  enabled: false
-enforcer:
-  enabled: true
-  image:
-    hash: null
-    repository: rancher/mirrored-neuvector-enforcer
-    tag: 5.0.0
-  priorityClassName: null
-  resources: {}
-  tolerations:
-    - effect: NoSchedule
-      key: node-role.kubernetes.io/master
-k3s:
-  enabled: false
-  runtimePath: /run/k3s/containerd/containerd.sock
-manager:
-  affinity: {}
-  certificate:
-    keyFile: tls.key
-    pemFile: tls.pem
-    secret: null
-  enabled: true
-  env:
-    ssl: true
-  image:
-    hash: null
-    repository: rancher/mirrored-neuvector-manager
-    tag: 5.0.0
-  ingress:
-    annotations: {}
-    enabled: false
-    host: null
-    path: /
-    secretName: null
-    tls: false
-  nodeSelector: {}
-  priorityClassName: null
-  resources: {}
-  route:
-    enabled: true
-    host: null
-    termination: passthrough
-  svc:
-    annotations: {}
-    loadBalancerIP: null
-    type: NodePort
-  tolerations: null
-oem: null
-openshift: false
-psp: false
-registry: docker.io
-resources: {}
-serviceAccount: neuvector
-global:
-  cattle:
-    clusterId: local
-    clusterName: local
-    rkePathPrefix: ''
-    rkeWindowsPathPrefix: ''
-    systemDefaultRegistry: ''
-    systemProjectId: p-fkh6w
-    url: ''
-  systemDefaultRegistry: ''
\ No newline at end of file
+  name: cattle-neuvector-crd
+  namespace: kube-system
+spec:
+  repo: {{ item.value.repo | default("https://charts.rancher.io") }}
+  chart: neuvector-crd
+  version: {{ item.value.version | default("100.0.2+up2.2.3") }}
+  targetNamespace: cattle-neuvector-system
--- a/roles/rke2/templates/manifests/deploy-smb-csi-driver.j2
+++ b/roles/rke2/templates/manifests/deploy-smb-csi-driver.j2
-
-apiVersion: helm.cattle.io/v1
-kind: HelmChart
-metadata:
-  name: csi-driver-smb
-  namespace: kube-system
-spec:
-  repo: {{ item.value.repo | default("https://raw.githubusercontent.com/kubernetes-csi/csi-driver-smb/master/charts") }}
-  chart: csi-driver-smb
-  version: {{ item.value.version | default("v1.5.0") }}
-  targetNamespace: kube-system
-