# be sure to add all "required" values...
# amazonec2, azure, digitalocean, harvester, vsphere, custom
# https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/launch-kubernetes-with-rancher/use-new-nodes-in-an-infra-provider
cloudprovider: harvester # required

# cloud provider credentials (example: aws-creds)
# Only the name of the Rancher cloud credential is referenced here; no credential
# material lives in this file.
cloudCredentialSecretName: cc-9ktwg # required

# rancher manager url
rancher:
  cattle:
    url: rancher.bessems.lan # (example: rancher.example.com)
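# cluster values
cluster:
  # labels:
  #   key: value
  # annotations:
  #   key: value
  name: test-rke2-001 # required (example: rke2-cluster-001)
  config:
    kubernetesVersion: v1.34.2+rke2r1 # https://github.com/rancher/rke2/releases
    enableNetworkPolicy: true
    localClusterAuthEndpoint:
      enabled: false
    # Applied verbatim to the new cluster as an extra manifest: a HelmChart CR that
    # installs Traefik into kube-system (rke2-ingress-nginx is disabled under
    # globalConfig.disable below). Everything inside this block scalar is one
    # string as far as this values file is concerned.
    additionalManifests: |-
      apiVersion: helm.cattle.io/v1
      kind: HelmChart
      metadata:
        name: traefik
        namespace: kube-system
      spec:
        chart: traefik
        repo: https://traefik.github.io/charts
        set:
          global.clusterCIDR: 10.42.0.0/16
          global.clusterCIDRv4: 10.42.0.0/16
          global.clusterDNS: 10.43.0.10
          global.clusterDomain: cluster.local
          global.rke2DataDir: /var/lib/rancher/rke2
          global.serviceCIDR: 10.43.0.0/16
          # NOTE(review): rke2-ingress-nginx is disabled in globalConfig below; confirm this
          # default ingress class is still the intended one.
          global.systemDefaultIngressClass: ingress-nginx
        targetNamespace: kube-system
        valuesContent: |-
          core:
            defaultRuleSyntax: v2
          additionalArguments:
            - "--providers.file.directory=/etc/traefik/dynamic"
            - "--providers.file.watch=true"
            - "--entryPoints.websecure.transport.respondingTimeouts.readTimeout=300s"
          certificatesResolvers:
            default:
              acme:
                email: letsencrypt.org.danny@spamasaurus.com
                storage: /data/acme.json
                dnsChallenge:
                  provider: cloudflare
                  delayBeforeCheck: 5m0s
                  resolvers:
                    - 1.1.1.1:53
                    - 1.0.0.1:53
          deployment:
            initContainers:
              # Runs as root solely to create the ACME store and hand it to UID 65532
              # with mode 0600 before Traefik starts; it is not part of the serving path.
              - name: volume-permissions
                image: busybox:latest # NOTE(review): unpinned tag; pin a version or digest for reproducible rollouts
                command:
                  - "sh"
                  - "-c"
                  - "touch /data/acme.json; chown 65532 /data/acme.json; chmod -v 600 /data/acme.json"
                securityContext:
                  runAsNonRoot: false
                  runAsGroup: 0
                  runAsUser: 0
                volumeMounts:
                  - name: traefik-data
                    mountPath: /data
          # Cloudflare API credentials for the DNS-01 challenge are read from the
          # traefik-cloudflare Secret; they are never written into this file.
          env:
            - name: CF_API_EMAIL
              valueFrom:
                secretKeyRef:
                  name: traefik-cloudflare
                  key: CF_API_EMAIL
            - name: CF_API_KEY
              valueFrom:
                secretKeyRef:
                  name: traefik-cloudflare
                  key: CF_API_KEY
          extraObjects:
            # Dynamic (file-provider) configuration: forward-auth and HSTS middlewares
            # plus the default TLS options referenced as "...@file" below.
            - apiVersion: v1
              kind: ConfigMap
              metadata:
                name: traefik-file-provider
                namespace: kube-system
              data:
                config.yml: |
                  http:
                    middlewares:
                      2fa-authentication:
                        forwardAuth:
                          address: "https://auth.spamasaurus.com/api/verify?rd=https://auth.spamasaurus.com/"
                          trustForwardHeader: true
                      security-headers:
                        headers:
                          forceSTSHeader: true
                          stsSeconds: 315360000
                          stsIncludeSubdomains: true
                          stsPreload: true
                  tls:
                    options:
                      defaults:
                        minVersion: VersionTLS12
                        sniStrict: false
                        curvePreferences:
                          - secp521r1
                          - secp384r1
                          - secp256r1
                        cipherSuites:
                          - TLS_AES_128_GCM_SHA256
                          - TLS_AES_256_GCM_SHA384
                          - TLS_CHACHA20_POLY1305_SHA256
                          - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
                          - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
                          - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
                          - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
                          - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
                          - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
                          # NOTE(review): TLS_FALLBACK_SCSV is a downgrade-signalling value
                          # (RFC 7507), not a cipher suite; confirm Traefik accepts it in this list.
                          - TLS_FALLBACK_SCSV
          ingressRoute:
            dashboard:
              enabled: true
              entryPoints:
                - websecure
              matchRule: Host(`ingress.lab.spamasaurus.com`)
              # The dashboard is only reachable through the forward-auth middleware.
              middlewares:
                - name: 2fa-authentication@file
                - name: security-headers@file
          logs:
            general:
              level: INFO
          persistence:
            enabled: true
            name: traefik-data
            path: /data
          ports:
            web:
              redirections:
                entryPoint:
                  to: websecure
                  scheme: https
                  permanent: true
            websecure:
              forwardedHeaders:
                # NOTE(review): insecure: true trusts X-Forwarded-* headers from every
                # client. If not all traffic arrives through a trusted proxy, replace this
                # with forwardedHeaders.trustedIPs listing the proxy addresses.
                insecure: true
              tls:
                options: defaults@file
                certResolver: default
                domains:
                  - main: '*.pvr.spamasaurus.com'
                  - main: '*.lab.spamasaurus.com'
                  - main: '*.spamasaurus.com'
                    sans:
                      - 'spamasaurus.com'
                  - main: '*.bessems.com'
                    sans:
                      - 'bessems.com'
                  - main: '*.bessems.eu'
                    sans:
                      - 'bessems.eu'
                  - main: '*.gabaldon.eu'
                    sans:
                      - 'gabaldon.eu'
                  - main: '*.gabaldon.nl'
                    sans:
                      - 'gabaldon.nl'
                  - main: '*.itch.fyi'
                    sans:
                      - 'itch.fyi'
          updateStrategy:
            type: Recreate
            rollingUpdate: null
          volumes:
            - name: traefik-file-provider
              type: configMap
              mountPath: /etc/traefik/dynamic
    # agentEnvVars:
    #   - name: A
    #     value: B
    # defaultClusterRoleForProjectMembers: ''
    # defaultPodSecurityAdmissionConfigurationTemplateName: ''
    # defaultPodSecurityPolicyTemplateName: ''
    # etcd:
    #   disableSnapshots: false
    #   snapshotRetention: 5
    #   snapshotScheduleCron: 0 */5 * * *
    #   s3:
    #     bucket: rancherbackups
    #     cloudCredentialSecretName: minio-creds
    #     folder: rancher
    #     region: dummyregion
    #     skipSSLVerify: false
    #     endpoint: # minio.example.com
    #     endpointCA: |-
    #       -----BEGIN CERTIFICATE-----
    #       -----END CERTIFICATE-----
    globalConfig:
      # systemDefaultRegistry: docker.io # default registry
      systemDefaultRegistry: code.spamasaurus.com # default registry
      cni: calico # canal, calico, cilium, multus,canal, multus,calico, multus,cilium
      # cluster-cidr: 10.42.0.0/16 # https://docs.rke2.io/networking/basic_network_options
      # service-cidr: 10.43.0.0/16 # https://docs.rke2.io/networking/basic_network_options
      docker: false
      # token: ''
      # tls_san:
      #   - url
      #   - ip
      disable:
        - rke2-ingress-nginx
        # - rke2-coredns
        # - rke2-metrics-server
      disable_scheduler: false
      disable_cloud_controller: false
      disable_kube_proxy: false
      etcd_expose_metrics: false
      # Hardening knobs (CIS profile, etcd secrets-at-rest encryption, kernel
      # defaults protection) are all left off for this lab cluster.
      profile: '' # cis, cis-1.23, or cis-1.6 # https://docs.rke2.io/security/hardening_guide
      selinux: false # rke2-selinux and container-selinux must be installed on the nodes # https://docs.rke2.io/security/selinux
      secrets_encryption: false
      # Quoted on purpose: an unquoted 0600 is read as the octal integer 384 by
      # YAML 1.1 parsers and would be rendered as "384" instead of a mode string.
      write_kubeconfig_mode: "0600"
      use_service_account_credentials: false
      protect_kernel_defaults: false
      cloud_provider_name: '' # https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/kubernetes-clusters-in-rancher-setup/set-up-cloud-providers
      # cloud_provider_config: '' # cloud provider config secret here (example: secret://fleet-default:cloudprovider)
      # kube_controller_manager_arg:
      #   - kube controller manager arguments here (https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager)
      # kube_scheduler_arg:
      #   - kube scheduler arguments here (https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler)
      # kube_apiserver_arg:
      #   - kube apiserver arguments here (https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver)
      # kube_proxy_arg:
      #   - kube proxy arguments here (https://kubernetes.io/docs/reference/command-line-tools-reference/kube-proxy)
      # kubelet_arg:
      #   - kubelet arguments here (https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet)
    # controlPlaneConfig:
    #   same options as globalConfig
    #   only will apply to the control plane nodes
    # workerConfig:
    #   same options as globalConfig
    #   only will apply to the worker nodes
    registries:
      enabled: false
      # configs:
      #   - name: registry.example.com
      #     authConfigSecretName: registry-creds
      #     caBundle: ''
      #     insecureSkipVerify: false
      #     tlsSecretName: ''
      # mirrors:
      #   - name: "code.spamasaurus.com"
      #     endpoints:
      #       - "https://code.spamasaurus.com"
      #     rewrite:
      #       "^([^/]+.*)": "default/$1"
    upgradeStrategy:
      controlPlaneConcurrency: 10%
      controlPlaneDrainOptions:
        enabled: false
        # deleteEmptyDirData: true
        # disableEviction: false
        # force: false
        # gracePeriod: -1
        # ignoreDaemonSets: true
        # ignoreErrors: false
        # skipWaitForDeleteTimeoutSeconds: 0
        # timeout: 120
      workerConcurrency: 10%
      workerDrainOptions:
        enabled: false
        # deleteEmptyDirData: true
        # disableEviction: false
        # force: false
        # gracePeriod: -1
        # ignoreDaemonSets: true
        # ignoreErrors: false
        # skipWaitForDeleteTimeoutSeconds: 0
        # timeout: 120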
# node and nodepool(s) values
# A single all-in-one pool (etcd + control plane + worker) sized for a lab.
nodepools:
  - name: np
    # displayName: np
    quantity: 1
    etcd: true
    controlplane: true
    worker: true
    # labels:
    #   key: value
    # taints:
    #   effect: value
    #   key: value
    #   value: value
    paused: false
    # drainBeforeDelete: true
    # drainBeforeDeleteTimeout: 30s
    # unhealthyNodeTimeout: 60s
    # machineDeploymentLabels:
    #   key: value
    # machineDeploymentAnnotations:
    #   key: value
    # rollingUpdate:
    #   maxUnavailable: 1
    #   maxSurge: 1
    # Harvester machine settings
    # clusterId: # only needed if not using cloudCredentialSecretName
    # clusterType: # only needed if not using cloudCredentialSecretName
    # kubeconfigContent: # only needed if not using cloudCredentialSecretName
    cpuCount: 2 # required (example: 4)
    # diskBus: virtio
    # diskInfo: ''
    diskSize: 40 # (example: 64)
    imageName: default/image-9vmc2 # (example: default/image-abcdefg)
    # keyPairName: ''
    memorySize: 4 # required (example: 8)
    # networkInfo: ''
    # networkModel: virtio
    networkName: default/vmn-lan # required (example: default/default)
    # networkType: ''
    # sshPassword: ''
    # sshPort: 22
    # sshPrivateKeyPath: ''
    sshUser: rancher # required (example: rocky)
    # vmAffinity: ''
    # vmNamespace: default
    # networkData: |
    #   #cloud-config
    # cloud-init user data passed to the VM; the "#cloud-config" line is content,
    # not a YAML comment, and must stay first inside the block scalar.
    userData: |
      #cloud-config
      package_update: true
      packages:
        - qemu-guest-agent
      runcmd:
        - systemctl enable '--now' qemu-guest-agent.service
      write_files:
        - path: /etc/dhcpcd.conf
          permissions: '0644'
          append: true
          content: |
            # Only accept Harvester Managed DHCP lease offers
            whitelist 192.168.154.99
# addons values
# Every optional Rancher chart is switched off; the commented version pins show
# the chart release each link refers to.
addons:
  # https://github.com/rancher/charts/tree/release-v2.9/charts/rancher-monitoring/104.1.2%2Bup57.0.3
  monitoring:
    enabled: false
    # version: 104.1.2+up57.0.3
    # values:
    #   values here
  # https://github.com/rancher/charts/tree/release-v2.9/charts/rancher-logging/104.1.2%2Bup4.8.0
  logging:
    enabled: false
    # version: 104.1.2+up4.8.0
    # values:
    #   values here
  # https://github.com/rancher/charts/tree/release-v2.9/charts/longhorn/104.2.1%2Bup1.7.2
  longhorn:
    enabled: false
    # version: 104.2.1+up1.7.2
    # values:
    #   values here
  # https://github.com/rancher/charts/tree/release-v2.9/charts/neuvector/104.0.2%2Bup2.8.0
  neuvector:
    enabled: false
    # version: 104.0.2+up2.8.0
    # values:
    #   values here