rancher oidc

ildoc · ildoc · commit 5cba0e1d543a · 2025-10-11T12:45:13.000Z
diff --git a/kubernetes/infra/manifests/infra-secrets/rancher-secrets.yaml b/kubernetes/infra/manifests/infra-secrets/rancher-secrets.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: rancher-oidc-credentials
+  namespace: cattle-system
+spec:
+  refreshInterval: "1h"
+  secretStoreRef:
+    name: vault-kubernetes-secret-store
+    kind: ClusterSecretStore
+  target:
+    name: rancher-oidc-credentials
+    creationPolicy: Owner
+  data:
+  - secretKey: clientId
+    remoteRef:
+      key: kubernetes/data/rancher
+      property: oidc-client-id
+  - secretKey: clientSecret
+    remoteRef:
+      key: kubernetes/data/rancher
+      property: oidc-client-secret
diff --git a/kubernetes/infra/manifests/ingresses/rancher.yaml b/kubernetes/infra/manifests/ingresses/rancher.yaml
@@ -4,6 +4,8 @@ kind: HTTPRoute
 metadata:
   name: rancher
   namespace: cattle-system
+  labels:
+    app.kubernetes.io/name: rancher
 spec:
   parentRefs:
     - name: cilium-gateway
@@ -18,4 +20,4 @@ spec:
             value: /
       backendRefs:
         - name: rancher
-          port: 80 
+          port: 80
diff --git a/kubernetes/infra/manifests/rancher/Chart.yaml b/kubernetes/infra/manifests/rancher/Chart.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: v2
+name: rancher
+version: 1.0.0
+dependencies:
+  - name: rancher
+    version: "2.12.1"
+    repository: https://releases.rancher.com/server-charts/stable
diff --git a/kubernetes/infra/manifests/rancher/values.yaml b/kubernetes/infra/manifests/rancher/values.yaml
@@ -0,0 +1,76 @@
+---
+# =============================================================================
+# RANCHER CORE CONFIGURATION
+# =============================================================================
+rancher:
+  # Hostname per Rancher
+  hostname: rancher.local.ildoc.it
+  
+  # Numero di repliche
+  replicas: 2
+  
+  # TLS configuration - external perché gestiamo TLS al gateway
+  tls: external
+  
+  # Private CA - se usi certificati self-signed
+  privateCA: false
+  
+  # Ingress - disabilitato, usiamo HTTPRoute in ingresses/
+  ingress:
+    enabled: false
+  
+  # Resources
+  resources:
+    requests:
+      cpu: 250m
+      memory: 512Mi
+    limits:
+      cpu: 1000m
+      memory: 2Gi
+  
+  # Anti-affinity per distribuire i pod
+  affinity:
+    podAntiAffinity:
+      preferredDuringSchedulingIgnoredDuringExecution:
+        - weight: 100
+          podAffinityTerm:
+            labelSelector:
+              matchLabels:
+                app: rancher
+            topologyKey: kubernetes.io/hostname
+  
+  # Liveness e Readiness probes
+  livenessProbe:
+    initialDelaySeconds: 60
+    periodSeconds: 30
+    timeoutSeconds: 5
+    failureThreshold: 3
+  
+  readinessProbe:
+    initialDelaySeconds: 30
+    periodSeconds: 10
+    timeoutSeconds: 5
+    failureThreshold: 3
+  
+  # Bootstrap password - IMPORTANTE: cambialo al primo accesso
+  bootstrapPassword: "admin"
+  
+  # Features
+  extraEnv:
+    # Proxy configuration per headers
+    - name: HTTP_PROXY
+      value: ""
+    - name: HTTPS_PROXY
+      value: ""
+    - name: NO_PROXY
+      value: "127.0.0.0/8,10.0.0.0/8,cattle-system.svc,172.16.0.0/12,192.168.0.0/16,.svc,.cluster.local"
+  
+  # Audit log
+  auditLog:
+    level: 0
+    maxAge: 10
+    maxBackup: 10
+    maxSize: 100
+  
+  # Additional trusted CAs (se necessario)
+  additionalTrustedCAs: false
diff --git a/kubernetes/infra/rancher.yaml b/kubernetes/infra/rancher.yaml
@@ -6,32 +6,21 @@ metadata:
   namespace: argocd
   finalizers:
     - resources-finalizer.argocd.argoproj.io
-    - post-delete-finalizer.argocd.argoproj.io
-    - post-delete-finalizer.argocd.argoproj.io/cleanup
   annotations:
     argocd.argoproj.io/sync-wave: "-70"
-    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
-    argocd.argoproj.io/wait: "true"
 spec:
   project: default
   source:
-    repoURL: https://releases.rancher.com/server-charts/stable
-    chart: rancher
-    targetRevision: 2.12.1
-    helm:
-      parameters:
-        - name: "ingress.enabled"
-          value: "false"
-        - name: "tls"
-          value: "external"  # IMPORTANTE: Disabilita TLS interno
-        - name: "hostname"
-          value: "rancher.local.ildoc.it"
+    repoURL: https://gitlab.local.ildoc.it/ildoc/homelab.git
+    targetRevision: HEAD
+    path: kubernetes/infra/manifests/rancher
   destination:
     server: https://kubernetes.default.svc
     namespace: cattle-system
   syncPolicy:
     syncOptions:
       - CreateNamespace=true
+      - ServerSideApply=true
     automated:
       prune: true
       selfHeal: true
