(rke2/rancher.ls) migrate config to rke2

cbarria · cbarria · commit b20729545353 · 2025-06-10T09:38:26.000-04:00
diff --git a/rke2/rancher.ls/cert-manager/.gitignore b/rke2/rancher.ls/cert-manager/.gitignore
@@ -0,0 +1 @@
+secret-aws.yaml
diff --git a/rke2/rancher.ls/cert-manager/cert-manager.sh b/rke2/rancher.ls/cert-manager/cert-manager.sh
@@ -0,0 +1 @@
+../../../template/cert-manager/cert-manager.sh
diff --git a/rke2/rancher.ls/cert-manager/clusterissuer-letsencrypt.yaml b/rke2/rancher.ls/cert-manager/clusterissuer-letsencrypt.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt
+  namespace: cert-manager
+spec:
+  acme:
+    email: rubinobs-it-las@lsst.org
+    privateKeySecretRef:
+      name: letsencrypt
+    server: https://acme-v02.api.letsencrypt.org/directory
+    solvers:
+    - dns01:
+        route53:
+          accessKeyIDSecretRef:
+            key: AWS_ACCESS_KEY_ID
+            name: route53
+          hostedZoneID: ZPIEHXTK3ZPMR
+          region: us-east-1
+          secretAccessKeySecretRef:
+            key: AWS_SECRET_ACCESS_KEY
+            name: route53
+      selector:
+        dnsZones:
+        - ls.lsst.org
diff --git a/rke2/rancher.ls/cert-manager/fetch-credentials.sh b/rke2/rancher.ls/cert-manager/fetch-credentials.sh
@@ -0,0 +1 @@
+../../../template/cert-manager/fetch-credentials.sh
diff --git a/rke2/rancher.ls/cert-manager/onepass_item.sh b/rke2/rancher.ls/cert-manager/onepass_item.sh
@@ -0,0 +1,2 @@
+# shellcheck shell=sh
+export ITEM_NAME="it-dns-ls (aws)"
diff --git a/rke2/rancher.ls/external-secrets/.gitignore b/rke2/rancher.ls/external-secrets/.gitignore
@@ -0,0 +1,2 @@
+secret-onepassword-connect-token.yaml
+secret-onepassword-token.yaml
diff --git a/rke2/rancher.ls/external-secrets/README.md b/rke2/rancher.ls/external-secrets/README.md
@@ -0,0 +1 @@
+../../../template/external-secrets/README.md
diff --git a/rke2/rancher.ls/external-secrets/clustersecretstore-onepassword.yaml b/rke2/rancher.ls/external-secrets/clustersecretstore-onepassword.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: onepassword
+spec:
+  provider:
+    onepassword:
+      auth:
+        secretRef:
+          connectTokenSecretRef:
+            key: token
+            name: onepassword-connect-token
+            namespace: external-secrets
+      connectHost: https://connect.ls.lsst.org
+      vaults:
+        k8s-common: 3
+        k8s-ls: 2
+        rancher.ls: 1
diff --git a/rke2/rancher.ls/external-secrets/deploy-external.sh b/rke2/rancher.ls/external-secrets/deploy-external.sh
@@ -0,0 +1 @@
+../../../template/external-secrets/deploy-external.sh
diff --git a/rke2/rancher.ls/external-secrets/external-secrets.sh b/rke2/rancher.ls/external-secrets/external-secrets.sh
@@ -0,0 +1 @@
+../../../template/external-secrets/external-secrets.sh
diff --git a/rke2/rancher.ls/external-secrets/fetch-credentials.sh b/rke2/rancher.ls/external-secrets/fetch-credentials.sh
@@ -0,0 +1 @@
+../../../template/external-secrets/fetch-credentials.sh
diff --git a/rke2/rancher.ls/external-secrets/onepass_item.sh b/rke2/rancher.ls/external-secrets/onepass_item.sh
@@ -0,0 +1,2 @@
+# shellcheck shell=sh
+export ONEPASS_ITEM="connect.ls.lsst.org Access Token: rancher.ls.lsst.org"
diff --git a/rke2/rancher.ls/fleet/gitrepo-rancher.yaml b/rke2/rancher.ls/fleet/gitrepo-rancher.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: fleet.cattle.io/v1alpha1
+kind: GitRepo
+metadata:
+  name: rancher
+  namespace: fleet-local
+spec:
+  repo: https://github.com/lsst-it/k8s-cookbook
+  branch: master
+  keepResources: true
+  paths:
+    - fleet/s/ls/c/rancher/*
+  targets:
+    - name: rancher
+      clusterName: local
+  correctDrift:
+    enabled: true
diff --git a/rke2/rancher.ls/ingress-nginx/ingress-nginx.sh b/rke2/rancher.ls/ingress-nginx/ingress-nginx.sh
@@ -0,0 +1 @@
+../../../template/ingress-nginx/ingress-nginx.sh
diff --git a/rke2/rancher.ls/ingress-nginx/values.yaml b/rke2/rancher.ls/ingress-nginx/values.yaml
@@ -0,0 +1,14 @@
+controller:
+  kind: DaemonSet
+  allowSnippetAnnotations: true
+  ingressClass: nginx
+  ingressClassByName: true
+  ingressClassResource:
+    name: nginx
+    enabled: true
+    controllerValue: k8s.io/ingress-nginx
+  service:
+    annotations:
+      metallb.universe.tf/address-pool: ingress
+rbac:
+  create: true
diff --git a/rke2/rancher.ls/metallb/ipaddresspool-ingress.yaml b/rke2/rancher.ls/metallb/ipaddresspool-ingress.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+  name: ingress
+  namespace: metallb-system
+spec:
+  addresses:
+    - 139.229.135.35/32
+  autoAssign: false
+---
+apiVersion: metallb.io/v1beta1
+kind: L2Advertisement
+metadata:
+  name: ingress
+  namespace: metallb-system
+spec:
+  ipAddressPools:
+    - ingress
diff --git a/rke2/rancher.ls/metallb/metallb.sh b/rke2/rancher.ls/metallb/metallb.sh
@@ -0,0 +1 @@
+../../../template/metallb/metallb.sh
diff --git a/rke2/rancher.ls/onepassword/.gitignore b/rke2/rancher.ls/onepassword/.gitignore
@@ -0,0 +1,2 @@
+1password-credentials.json
+secret-op-credentials.yaml
diff --git a/rke2/rancher.ls/onepassword/README.md b/rke2/rancher.ls/onepassword/README.md
@@ -0,0 +1 @@
+../../../template/onepassword/README.md
diff --git a/rke2/rancher.ls/onepassword/fetch-credentials.sh b/rke2/rancher.ls/onepassword/fetch-credentials.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -e
+
+if ! env | grep OP_SESSION_ > /dev/null 2>&1; then
+  eval "$(op signin)"
+fi
+
+ONEPASS_CREDS="$(op read "op://1pass connect/connect.ls.lsst.org Credentials File/1password-credentials.json")"
+
+# Base64 encode and remove newlines (works on both macOS and Linux)
+ENCODED_CREDS=$(echo "${ONEPASS_CREDS}" | base64 | tr -d '\n')
+
+cat > secret-op-credentials.yaml <<END
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: op-credentials
+  namespace: onepassword-connect
+type: Opaque
+# The credentials end up being double base64 encoded...
+stringData:
+  1password-credentials.json: ${ENCODED_CREDS}
+END
diff --git a/rke2/rancher.ls/onepassword/onepassword-connect.sh b/rke2/rancher.ls/onepassword/onepassword-connect.sh
@@ -0,0 +1 @@
+../../../template/onepassword/onepassword-connect.sh
diff --git a/rke2/rancher.ls/onepassword/openconnect.sh b/rke2/rancher.ls/onepassword/openconnect.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+set -xe
+
+helm upgrade --install onepassword-connect connect \
+  --repo https://1password.github.io/connect-helm-charts \
+  --version 1.17.0 \
+  --namespace onepassword-connect --create-namespace \
+  -f values.yaml \
+  --timeout 60s --wait
diff --git a/rke2/rancher.ls/onepassword/values.yaml b/rke2/rancher.ls/onepassword/values.yaml
@@ -0,0 +1,17 @@
+connect:
+  ingress:
+    enabled: true
+    ingressClassName: nginx
+    annotations:
+      cert-manager.io/cluster-issuer: letsencrypt
+    hosts:
+      - host: connect.ls.lsst.org
+        paths:
+          - /
+    pathType: Prefix
+    tls:
+      - secretName: connect-ingress-tls
+        hosts:
+          - connect.ls.lsst.org
+
+  serviceType: ClusterIP
diff --git a/rke2/rancher.ls/rancher-backup/README.md b/rke2/rancher.ls/rancher-backup/README.md
@@ -0,0 +1 @@
+../../../template/rancher-backup/README.md
diff --git a/rke2/rancher.ls/rancher-backup/externalsecret-rancher-bkp.yaml b/rke2/rancher.ls/rancher-backup/externalsecret-rancher-bkp.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: rancher-bkp
+  namespace: cattle-resources-system
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword
+  data:
+    - secretKey: accessKey
+      remoteRef:
+        key: rancher-backup
+        property: username
+    - secretKey: secretKey
+      remoteRef:
+        key: rancher-backup
+        property: password
diff --git a/rke2/rancher.ls/rancher-backup/rancher-backup.sh b/rke2/rancher.ls/rancher-backup/rancher-backup.sh
@@ -0,0 +1 @@
+../../../template/rancher-backup/rancher-backup.sh
diff --git a/rke2/rancher.ls/rancher-backup/restore-rancher-backup.yaml b/rke2/rancher.ls/rancher-backup/restore-rancher-backup.yaml
@@ -0,0 +1,7 @@
+apiVersion: resources.cattle.io/v1
+kind: Restore
+metadata:
+  name: s3-recurring
+spec:
+  prune: false
+  backupFilename: s3-recurring-d731407e-da9f-49c6-a6bc-d9d371d40b0d-2025-05-27T13-44-18Z.tar.gz
diff --git a/rke2/rancher.ls/rancher-backup/values.yaml b/rke2/rancher.ls/rancher-backup/values.yaml
@@ -0,0 +1,13 @@
+## Default s3 bucket for storing all backup files created by the backup-restore-operator
+s3:
+  enabled: true
+  credentialSecretName: rancher-bkp
+  credentialSecretNamespace: cattle-resources-system
+  region: us-east-1
+  bucketName: rancher-bkp-ls
+  folder: ls
+  endpoint: s3.us-east-1.amazonaws.com
+
+# Add log level flags to backup-restore
+debug: true
+trace: false
diff --git a/rke2/rancher.ls/rancher/README.md b/rke2/rancher.ls/rancher/README.md
@@ -0,0 +1,71 @@
+Rancher Configuration
+=====================
+
+create ldap bind user
+---------------------
+
+_XXX broken_
+
+as root on an ipa master...
+
+```bash
+cd files
+# edit <password> in rancher-binddn.update to match 1pass `rancher ldap bind user`
+ipa-ldap-updater rancher-binddn.update
+```
+
+Configure rancher free ipa integration
+--------------------------------------
+
+Logon to https://rancher.ls.lsst.org
+
+Security -> Authentication
+
+### Configure an FreeIPA server
+
+Hostname or IP Address
+`ipa1.ls.lsst.org`
+
+Port
+`636` TLS [X]
+
+CA Certificate
+`file:ipa-ca.pem`
+
+Service Account Distinguished Name
+_XXX binding seems to only work with Directory Manager.  It is not working with
+read-only ldap only users or regular ipa user accounts._
+XXX cn=rancher
+cn=Directory Manager
+
+Service Account Password
+`<value from 1pass>`
+
+User Search Base
+`cn=accounts,dc=lsst,dc=cloud`
+
+Group Search Base
+`<blank>`
+
+### Customize Schema
+
+`<no changes from defaults>`
+
+### Test and enable authentication
+
+Your Username
+`<your username>`
+
+Your Password
+`<your pass>`
+
+`<submit>`
+
+### Next dialog
+
+Site Access:
+
+`[x]  Allow members of Clusters, Projects, plus Authorized Users and Organizations`
+
+Authorized Users and Organizations
+`admins (group)`
diff --git a/rke2/rancher.ls/rancher/files/ipa-ca.pem b/rke2/rancher.ls/rancher/files/ipa-ca.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDiDCCAnCgAwIBAgIBATANBgkqhkiG9w0BAQsFADA1MRMwEQYDVQQKDApMU1NU
+LkNMT1VEMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTkxMDMx
+MjIwNDQyWhcNMzkxMDMxMjIwNDQyWjA1MRMwEQYDVQQKDApMU1NULkNMT1VEMR4w
+HAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQC20KYqim+3/uIEH+TagySW+oEYFjk2zGIlBkeb9xD6bxq2
+ACGe5jvMCSScBsHPF4IIu1p3UERJxByQs0j7HQAfMIeyBIygsaBlLGaON/9Wg7UZ
+UPDd8qqS0B+3+rrl4bL1k/tLtuktbI/8ONEUEiayKI0HtoFcGOTDipy3Jws6/rfs
+VJb6lJWkKM47bP/r5gYZrMpNBmrCwxu5AWYxD3lWcJ1F1CvchH3HOg3xDg9k4L8e
+EbmzZZkfj7vPu9KFyr8zEUWBLQ+1oqD50v7YFBteL7ldKNTp1AMm5juKDds3LjTE
+wdkspF4RqdssjJpDRaJUjx11VqlFI55S5PAbb0AjAgMBAAGjgaIwgZ8wHwYDVR0j
+BBgwFoAUeJ3l30vNhPXSShQ0JdDiupfFzEEwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
+HQ8BAf8EBAMCAcYwHQYDVR0OBBYEFHid5d9LzYT10koUNCXQ4rqXxcxBMDwGCCsG
+AQUFBwEBBDAwLjAsBggrBgEFBQcwAYYgaHR0cDovL2lwYS1jYS5sc3N0LmNsb3Vk
+L2NhL29jc3AwDQYJKoZIhvcNAQELBQADggEBAGSLE4rHdmd9N+2yOOmEPMGIEak5
+3gwF49J0YTZobs16GUdcEUs8iYuZq2i/xOG4hCl8+f/yT2aCrGr4m1kdgCnI6ezP
+Ag86KxiUF49fxJyX2iSUEcP+PwgcdYP4rwlI3x+m1V//NuwId3krpm1E+jFrs4F0
+F7UUVvniXAKGJy6kGBoMYl6kUDVWfyFR1NSHiLhlcg5UDQ8J0Bvd6grlRllBYXEz
+vK1fSfFbOOorKrVJA2L/7uxpW6VkTwoAbeNt9fCSqxDoAvQKG8gF74O0bHQlZsJf
+9otVpzrVrWqJevTP6+M83juQ8oubaSbkzuNYqpBAsWAIOMYI5MXhiazWugc=
+-----END CERTIFICATE-----
diff --git a/rke2/rancher.ls/rancher/files/rancher-binddn.update b/rke2/rancher.ls/rancher/files/rancher-binddn.update
@@ -0,0 +1,7 @@
+dn: uid=rancher,cn=sysaccounts,cn=etc,dc=lsst,dc=cloud
+add:objectclass:account
+add:objectclass:simplesecurityobject
+add:uid:rancher
+add:userPassword:<password>
+add:passwordExpirationTime:20380119031407Z
+add:nsIdleTimeout:0
diff --git a/rke2/rancher.ls/rancher/rancher.sh b/rke2/rancher.ls/rancher/rancher.sh
@@ -0,0 +1 @@
+../../../template/rancher/rancher.sh
diff --git a/rke2/rancher.ls/rancher/values.yaml b/rke2/rancher.ls/rancher/values.yaml
@@ -0,0 +1,13 @@
+---
+hostname: rancher.ls.lsst.org
+ingress:
+  enabled: true
+  ingressClassName: nginx
+  tls:
+    source: secret
+  extraAnnotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+extraEnv:
+  # version strings from https://github.com/rancher/charts/tree/dev-v2.9/charts/fleet
+  - name: CATTLE_FLEET_MIN_VERSION
+    value: 106.0.0+up0.12.0

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+../../../template/cert-manager/cert-manager.sh`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+../../../template/cert-manager/fetch-credentials.sh`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+# shellcheck shell=sh`
	`2`	`+export ITEM_NAME="it-dns-ls (aws)"`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+secret-onepassword-connect-token.yaml`
	`2`	`+secret-onepassword-token.yaml`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+../../../template/external-secrets/README.md`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+../../../template/external-secrets/deploy-external.sh`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+../../../template/external-secrets/external-secrets.sh`