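---
# Rancher cluster-template values for an RKE2 cluster provisioned on
# Harvester. The cluster.config.additionalManifests block embeds a HelmChart
# resource that installs Traefik into kube-system; rke2-ingress-nginx is
# disabled under cluster.config.globalConfig.disable to make room for it.
#
# be sure to add all "required" values...
# amazonec2, azure, digitalocean, harvester, vsphere, custom
# https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/launch-kubernetes-with-rancher/use-new-nodes-in-an-infra-provider
cloudprovider: harvester # required

# cloud provider credentials (example: aws-creds)
cloudCredentialSecretName: cc-9ktwg # required

# rancher manager url
rancher:
  cattle:
    url: rancher.bessems.lan # (example: rancher.example.com)

# cluster values
cluster:
  # labels:
  #   key: value
  # annotations:
  #   key: value
  name: lab-k8s-001 # required (example: rke2-cluster-001)
  config:
    kubernetesVersion: v1.34.2+rke2r1 # https://github.com/rancher/rke2/releases
    enableNetworkPolicy: true
    # Kubeconfigs go through the Rancher proxy only; no direct auth endpoint
    # on the downstream API server is exposed.
    localClusterAuthEndpoint:
      enabled: false
    # YAML-in-YAML: everything under this literal block is one text blob that
    # Rancher applies as a manifest, and valuesContent inside it is another
    # blob that Helm parses. Indentation inside the block is what those
    # parsers see, so keep the nesting exact.
    additionalManifests: |-
      apiVersion: helm.cattle.io/v1
      kind: HelmChart
      metadata:
        name: traefik
        namespace: kube-system
      spec:
        chart: traefik
        repo: https://traefik.github.io/charts
        set:
          global.clusterCIDR: 10.42.0.0/16
          global.clusterCIDRv4: 10.42.0.0/16
          global.clusterDNS: 10.43.0.10
          global.clusterDomain: cluster.local
          global.rke2DataDir: /var/lib/rancher/rke2
          global.serviceCIDR: 10.43.0.0/16
          global.systemDefaultIngressClass: ingress-nginx
        targetNamespace: kube-system
        valuesContent: |-
          core:
            defaultRuleSyntax: v2
          additionalArguments:
            - "--providers.file.directory=/etc/traefik/dynamic"
            - "--providers.file.watch=true"
            - "--entryPoints.websecure.transport.respondingTimeouts.readTimeout=300s"
          certificatesResolvers:
            default:
              acme:
                email: letsencrypt.org.danny@spamasaurus.com
                storage: /data/acme.json
                dnsChallenge:
                  provider: cloudflare
                  delayBeforeCheck: 5m0s
                  resolvers:
                    - 1.1.1.1:53
                    - 1.0.0.1:53
          deployment:
            initContainers:
              # Runs as root only to create acme.json on the persistent volume
              # and hand it to uid 65532 with mode 600 before Traefik starts;
              # the main container does not inherit this securityContext.
              - name: volume-permissions
                image: busybox:latest # NOTE(review): floating tag; pin a version or digest so the root-running init step is reproducible
                command:
                  - "sh"
                  - "-c"
                  - "touch /data/acme.json; chown 65532 /data/acme.json; chmod -v 600 /data/acme.json"
                securityContext:
                  runAsNonRoot: false
                  runAsGroup: 0
                  runAsUser: 0
                volumeMounts:
                  - name: traefik-data
                    mountPath: /data
          # Cloudflare DNS-01 credentials are read from the traefik-cloudflare
          # Secret, never inlined here.
          # NOTE(review): CF_API_KEY is Cloudflare's account-wide Global API Key;
          # a zone-scoped API token (CF_DNS_API_TOKEN) limits what a leaked
          # Secret can do — confirm the token variant works for this setup.
          env:
            - name: CF_API_EMAIL
              valueFrom:
                secretKeyRef:
                  name: traefik-cloudflare
                  key: CF_API_EMAIL
            - name: CF_API_KEY
              valueFrom:
                secretKeyRef:
                  name: traefik-cloudflare
                  key: CF_API_KEY
          # Dynamic (file-provider) config mounted at /etc/traefik/dynamic:
          # the forwardAuth and security-headers middlewares and TLS defaults.
          extraObjects:
            - apiVersion: v1
              kind: ConfigMap
              metadata:
                name: traefik-file-provider
                namespace: kube-system
              data:
                config.yml: |
                  http:
                    middlewares:
                      2fa-authentication:
                        forwardAuth:
                          address: "https://auth.spamasaurus.com/api/verify?rd=https://auth.spamasaurus.com/"
                          trustForwardHeader: true
                      security-headers:
                        headers:
                          forceSTSHeader: true
                          stsSeconds: 315360000
                          stsIncludeSubdomains: true
                          stsPreload: true
                  tls:
                    options:
                      defaults:
                        minVersion: VersionTLS12
                        # NOTE(review): false serves the default certificate to
                        # clients that send no SNI instead of rejecting them;
                        # set true if every legitimate client sends SNI.
                        sniStrict: false
                        curvePreferences:
                          - secp521r1
                          - secp384r1
                          - secp256r1
                        # NOTE(review): TLS 1.3 suites (the TLS_AES_* / TLS_CHACHA20_*
                        # entries) are fixed by the Go runtime and are not
                        # selectable from this list — presumably kept for
                        # documentation; verify against the Traefik version in use.
                        cipherSuites:
                          - TLS_AES_128_GCM_SHA256
                          - TLS_AES_256_GCM_SHA384
                          - TLS_CHACHA20_POLY1305_SHA256
                          - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
                          - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
                          - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
                          - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
                          - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
                          - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
                          - TLS_FALLBACK_SCSV
          # Dashboard is exposed only on websecure and only behind the
          # forwardAuth (2FA) and security-headers middlewares.
          ingressRoute:
            dashboard:
              enabled: true
              entryPoints:
                - websecure
              matchRule: Host(`ingress.lab.spamasaurus.com`)
              middlewares:
                - name: 2fa-authentication@file
                - name: security-headers@file
          logs:
            general:
              level: INFO
          persistence:
            enabled: true
            name: traefik-data
            path: /data
          ports:
            web:
              redirections:
                entryPoint:
                  to: websecure
                  scheme: https
                  permanent: true
            websecure:
              forwardedHeaders:
                # NOTE(review): insecure: true accepts X-Forwarded-* from any
                # client, so the forwardAuth call and access logs see
                # client-controlled source data; prefer forwardedHeaders.trustedIPs
                # listing the upstream proxy when one fronts this entrypoint.
                insecure: true
              tls:
                options: defaults@file
                certResolver: default
                # Wildcards and apex names; quoted because a leading '*' is
                # the YAML alias sigil.
                domains:
                  - main: '*.pvr.spamasaurus.com'
                  - main: '*.lab.spamasaurus.com'
                  - main: '*.spamasaurus.com'
                    sans:
                      - 'spamasaurus.com'
                  - main: '*.bessems.com'
                    sans:
                      - 'bessems.com'
                  - main: '*.bessems.eu'
                    sans:
                      - 'bessems.eu'
                  - main: '*.gabaldon.eu'
                    sans:
                      - 'gabaldon.eu'
                  - main: '*.gabaldon.nl'
                    sans:
                      - 'gabaldon.nl'
                  - main: '*.itch.fyi'
                    sans:
                      - 'itch.fyi'
          # Recreate: the acme.json volume is single-writer, so no overlap
          # between old and new pods.
          updateStrategy:
            type: Recreate
            rollingUpdate: null
          volumes:
            - name: traefik-file-provider
              type: configMap
              mountPath: /etc/traefik/dynamic
    # agentEnvVars:
    #   - name: A
    #     value: B
    # defaultClusterRoleForProjectMembers: ''
    # defaultPodSecurityAdmissionConfigurationTemplateName: ''
    # defaultPodSecurityPolicyTemplateName: ''
    # etcd:
    #   disableSnapshots: false
    #   snapshotRetention: 5
    #   snapshotScheduleCron: 0 */5 * * *
    #   s3:
    #     bucket: rancherbackups
    #     cloudCredentialSecretName: minio-creds
    #     folder: rancher
    #     region: dummyregion
    #     skipSSLVerify: false
    #     endpoint: # minio.example.com
    #     endpointCA: |-
    #       -----BEGIN CERTIFICATE-----
    #       -----END CERTIFICATE-----
    globalConfig:
      # systemDefaultRegistry: docker.io # default registry
      systemDefaultRegistry: code.spamasaurus.com # default registry
      cni: calico # canal, calico, cilium, multus,canal, multus,calico, multus,cilium
      # cluster-cidr: 10.42.0.0/16 # https://docs.rke2.io/networking/basic_network_options
      # service-cidr: 10.43.0.0/16 # https://docs.rke2.io/networking/basic_network_options
      docker: false
      # token: ''
      # tls_san:
      #   - url
      #   - ip
      # rke2-ingress-nginx is disabled because the Traefik HelmChart above
      # is the ingress controller for this cluster.
      disable:
        - rke2-ingress-nginx
        # - rke2-coredns
        # - rke2-metrics-server
      disable_scheduler: false
      disable_cloud_controller: false
      disable_kube_proxy: false
      etcd_expose_metrics: false
      profile: '' # cis, cis-1.23, or cis-1.6 # https://docs.rke2.io/security/hardening_guide
      selinux: false # rke2-selinux and container-selinux be installed on the nodes # https://docs.rke2.io/security/selinux
      # NOTE(review): while false, Kubernetes Secrets are stored unencrypted
      # in etcd (and in any etcd snapshot taken from it).
      secrets_encryption: false
      # Quoted on purpose: an unquoted 0600 is read as the octal integer 384
      # by YAML 1.1 parsers and no longer round-trips as a file mode.
      write_kubeconfig_mode: "0600"
      use_service_account_credentials: false
      protect_kernel_defaults: false
      cloud_provider_name: '' # https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/set-up-cloud-providers
      # cloud_provider_config: '' # cloud provider config secret here (example: secret://fleet-default:cloudprovider)
      # kube_controller_manager_arg:
      #   - kube controller manager arguments here (https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager)
      # kube_scheduler_arg:
      #   - kube scheduler arguments here (https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler)
      # kube_apiserver_arg:
      #   - kube apiserver arguments here (https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver)
      # kube_proxy_arg:
      #   - kube proxy arguments here (https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy)
      # kubelet_arg:
      #   - kubelet arguments here (https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet)
    # controlPlaneConfig: # same options as globalConfig # only will apply to the control plane nodes
    # workerConfig: # same options as globalConfig # only will apply to the worker nodes
    registries:
      enabled: false
      # configs:
      #   - name: registry.example.com
      #     authConfigSecretName: registry-creds
      #     caBundle: ''
      #     insecureSkipVerify: false
      #     tlsSecretName: ''
      # mirrors:
      #   - name: "code.spamasaurus.com"
      #     endpoints:
      #       - "https://code.spamasaurus.com"
      #     rewrite:
      #       "^([^/]+.*)": "default/$1"
    upgradeStrategy:
      controlPlaneConcurrency: 10%
      controlPlaneDrainOptions:
        enabled: false
        # deleteEmptyDirData: true
        # disableEviction: false
        # force: false
        # gracePeriod: -1
        # ignoreDaemonSets: true
        # ignoreErrors: false
        # skipWaitForDeleteTimeoutSeconds: 0
        # timeout: 120
      workerConcurrency: 10%
      workerDrainOptions:
        enabled: false
        # deleteEmptyDirData: true
        # disableEviction: false
        # force: false
        # gracePeriod: -1
        # ignoreDaemonSets: true
        # ignoreErrors: false
        # skipWaitForDeleteTimeoutSeconds: 0
        # timeout: 120

# node and nodepool(s) values
# A single pool that carries etcd, control plane and worker roles at once.
nodepools:
  - name: np
    # displayName: np
    quantity: 1
    etcd: true
    controlplane: true
    worker: true
    # labels:
    #   key: value
    # taints:
    #   effect: value
    #   key: value
    #   value: value
    paused: false
    # drainBeforeDelete: true
    # drainBeforeDeleteTimeout: 30s
    # unhealthyNodeTimeout: 60s
    # machineDeploymentLabels:
    #   key: value
    # machineDeploymentAnnotations:
    #   key: value
    # rollingUpdate:
    #   maxUnavailable: 1
    #   maxSurge: 1
    # clusterId: # only needed if not using cloudCredentialSecretName
    # clusterType: # only needed if not using cloudCredentialSecretName
    # kubeconfigContent: # only needed if not using cloudCredentialSecretName
    cpuCount: 2 # required (example: 4)
    # diskBus: virtio
    # diskInfo: ''
    diskSize: 40 # (example: 64)
    imageName: default/image-9vmc2 # (example: default/image-abcdefg)
    # keyPairName: ''
    memorySize: 4 # required (example: 8)
    # networkInfo: ''
    # networkModel: virtio
    networkName: default/vmn-lan # required (example: default/default)
    # networkType: ''
    # sshPassword: ''
    # sshPort: 22
    # sshPrivateKeyPath: ''
    sshUser: rancher # required (example: rocky)
    # vmAffinity: ''
    # vmNamespace: default
    # networkData: |
    #   #cloud-config
    # cloud-init for the VM: installs the guest agent and restricts dhcpcd
    # to the Harvester-managed DHCP server.
    userData: |
      #cloud-config
      package_update: true
      packages:
        - qemu-guest-agent
      runcmd:
        - systemctl enable '--now' qemu-guest-agent.service
      write_files:
        - path: /etc/dhcpcd.conf
          permissions: '0644'
          append: true
          content: |
            # Only accept Harvester Managed DHCP lease offers
            whitelist 192.168.154.99

# addons values
addons:
  # https://github.com/rancher/charts/tree/release-v2.9/charts/rancher-monitoring/104.1.2%2Bup57.0.3
  monitoring:
    enabled: false
    # version: 104.1.2+up57.0.3
    # values:
    #   values here
  # https://github.com/rancher/charts/tree/release-v2.9/charts/rancher-logging/104.1.2%2Bup4.8.0
  logging:
    enabled: false
    # version: 104.1.2+up4.8.0
    # values:
    #   values here
  # https://github.com/rancher/charts/tree/release-v2.9/charts/longhorn/104.2.1%2Bup1.7.2
  longhorn:
    enabled: false
    # version: 104.2.1+up1.7.2
    # values:
    #   values here
  # https://github.com/rancher/charts/tree/release-v2.9/charts/neuvector/104.0.2%2Bup2.8.0
  neuvector:
    enabled: false
    # version: 104.0.2+up2.8.0
    # values:
    #   values here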