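# ----------------------------------------------------------------
# BASE TEMPLATE (internal/templates/base_values.yaml)
# ----------------------------------------------------------------
# Shared defaults for the cluster values that follow. `userData` carries the
# &userData anchor so nodepools can reuse it via `*userData`; anchors only
# resolve inside this YAML document, so keep `_defaults` first.
_defaults:
  helmChart:
    repo: ""
    name: "oci://ghcr.io/rancherfederal/charts/rancher-cluster-templates"
    version: "0.7.2"
  controlPlaneProfile:
    cpuCores: 4
    memoryGb: 8
    diskGb: 40
  # Literal block scalar: Helm hands the text through as one string and
  # cloud-init parses it on the node. Every line inside it, including
  # `#cloud-config` and the `#` remarks, is part of the value.
  userData: &userData |
    #cloud-config
    package_update: false
    package_upgrade: false
    snap:
      commands:
        # Quoted so the key stays a string; an unquoted 00 is the integer 0
        # to YAML 1.1 loaders.
        '00': snap refresh --hold=forever
    package_reboot_if_required: true
    packages:
      - yq
      - jq
    write_files:
      - path: /root/updates.sh
        permissions: '0550'
        content: |
          #!/bin/bash
          export DEBIAN_FRONTEND=noninteractive
          apt-mark hold linux-headers-generic
          apt-mark hold linux-headers-virtual
          apt-mark hold linux-image-virtual
          apt-mark hold linux-virtual
          apt-get update
          apt-get upgrade -y
          apt-get autoremove -y
    users:
      - name: rancher
        gecos: Rancher service account
        # NOTE(review): a crypt hash committed to a values file is readable by
        # everyone with repository access and can be attacked offline. Prefer
        # injecting it from a secret store at render time, or remove password
        # login entirely and rely on the SSH key below.
        hashed_passwd: $6$Mas.x2i7B2cefjUy$59363FmEuoU.LiTLNRZmtemlH2W0D0SWsig22KSZ3QzOmfxeZXxdSx5wIw9wO7GXF/M9W.9SHoKVBOYj1HPX3.
        lock_passwd: false
        shell: /bin/bash
        groups: [users, sudo, docker]
        sudo: ALL=(ALL:ALL) ALL
        ssh_authorized_keys:
          - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEwWnnOTAu0LlAZRczQ0Z0KvNlUdPhGQhpZie+nF1O3s'
    # The source declared both keys below twice (ssh_pwauth first as false,
    # later as true). YAML loaders such as the one cloud-init uses keep the
    # last value, so `true` was the effective setting and is kept here.
    # Set ssh_pwauth to false unless password SSH for `rancher` is required;
    # together with lock_passwd: false and the committed hash it widens
    # remote exposure.
    disable_root: true
    ssh_pwauth: true
    runcmd:
      # - systemctl enable --now qemu-guest-agent
      - sysctl --system
      - /root/updates.sh  # Immediate run of fix script
    bootcmd:
      # /root/networking.sh is not created by write_files above, so it must
      # already exist in the VM template — verify, because bootcmd runs on
      # every boot.
      - sudo bash /root/networking.sh
    final_message: |
      VI_CNV_CLOUD_INIT has been applied successfully. Node ready for Rancher!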
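# amazonec2, azure, digitalocean, harvester, vsphere, custom
cloudprovider: vsphere

# cloud provider credentials
cloudCredentialSecretName: cc-lhtl9

# rancher manager url
rancher:
  cattle:
    url: rancher.tst.vanderlande.com

# cluster values
cluster:
  name: default-cluster-005
  # labels:
  #   key: value
  config:
    kubernetesVersion: v1.31.12+rke2r1
    enableNetworkPolicy: true
    localClusterAuthEndpoint:
      enabled: false
    # Pod Security Standard (Replaces PSP)
    # defaultPodSecurityAdmissionConfigurationTemplateName: "rancher-restricted"
    # NOTE(review): the PSA template above, the CIS profile, secrets
    # encryption, protect_kernel_defaults and the kube_apiserver_arg /
    # kubelet_arg hardening lists are all disabled or commented out here.
    # That reads as a development baseline; revisit before reusing these
    # values for anything beyond the test environment.
    globalConfig:
      systemDefaultRegistry: docker.io
      cni: canal
      docker: false
      disable_scheduler: false
      disable_cloud_controller: false
      disable_kube_proxy: false
      etcd_expose_metrics: false
      profile: ''
      selinux: false
      secrets_encryption: false
      # Quoted: unquoted 0600 is read as octal (decimal 384) by YAML 1.1
      # loaders and would be rendered as the wrong mode value.
      write_kubeconfig_mode: "0600"
      use_service_account_credentials: false
      protect_kernel_defaults: false
      cloud_provider_name: ''
      # kube_apiserver_arg:
      #   - "service-account-extend-token-expiration=false"
      #   - "anonymous-auth=false"
      #   - "enable-admission-plugins=NodeRestriction,PodSecurity,EventRateLimit,DenyServiceExternalIPs"
      #   - "admission-control-config-file=/etc/rancher/rke2/rke2-admission.yaml"
      #   - "audit-policy-file=/etc/rancher/rke2/audit-policy.yaml"
      #   - "audit-log-path=/var/lib/rancher/rke2/server/logs/audit.log"
      #   - "audit-log-maxage=30"
      #   - "audit-log-maxbackup=10"
      #   - "audit-log-maxsize=100"
      # kubelet_arg:
      #   # Strong Ciphers (CIS 4.2.12)
      #   - "tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
      #   # PID Limit (CIS 4.2.13)
      #   - "pod-max-pids=4096"
      #   # Seccomp Default (CIS 4.2.14)
      #   - "seccomp-default=true"
      #   - "protect-kernel-defaults=true"
      #   - "make-iptables-util-chains=true"
    upgradeStrategy:
      controlPlaneConcurrency: 10%
      controlPlaneDrainOptions:
        enabled: false
      workerConcurrency: 10%
      workerDrainOptions:
        enabled: false

addons:
  monitoring:
    enabled: false
  logging:
    enabled: false
  longhorn:
    enabled: true
  neuvector:
    enabled: false

# node and nodepool(s) values
# ----------------------------------------------------------------
# MANUAL TESTING SECTION
# The Operator will DELETE and OVERWRITE this section at runtime.
# These values are only used if you run 'helm install' manually.
# ----------------------------------------------------------------
# Both pools reference `*userData`, which must be anchored earlier in this
# same document (`_defaults.userData`); the alias does not survive a
# document split.
nodepools:
  - name: control-plane-nodes
    displayName: cp-nodes
    quantity: 1
    etcd: true
    controlplane: true
    worker: false
    paused: false
    # VSPHERE SPECIFIC FIELDS
    cpuCount: 2
    memorySize: 8192
    diskSize: 40000
    vcenter: "vcenter.vanderlande.com"
    datacenter: "NL001"
    folder: "ICT Digitalisation - Rancher"
    pool: "NL001 Development - Rancher/Resources"
    datastoreCluster: "NL001 Development - Rancher SDRS"  # Matches your SDRS input
    network:
      - "nl001.vDS.Distri.Vlan.1542"
    # Provisioning Source
    creationType: "template"
    cloneFrom: "nl001-cp-ubuntu-22.04-amd64-20250327-5.15.0-135-rke2-k3s"
    cloudConfig: *userData  # Using the anchor from your base file
  - name: worker-storage-nodes
    displayName: wk-nodes
    quantity: 2
    etcd: false
    controlplane: false
    worker: true
    paused: false
    # VSPHERE SPECIFIC FIELDS
    cpuCount: 4
    memorySize: 8192
    diskSize: 100000
    vcenter: "vcenter.vanderlande.com"
    datacenter: "NL001"
    folder: "ICT Digitalisation - Rancher"
    pool: "NL001 Development - Rancher/Resources"
    datastoreCluster: "NL001 Development - Rancher SDRS"  # Matches your SDRS input
    network:
      - "nl001.vDS.Distri.Vlan.1542"
    # Provisioning Source
    creationType: "template"
    cloneFrom: "nl001-cp-ubuntu-22.04-amd64-20250327-5.15.0-135-rke2-k3s"
    cloudConfig: *userData  # Using the anchor from your base file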