Merge pull request #943 from lsst-it/IT-6041_rke2_rancher.ls

ranchers standardize and migration of base instance.

Author: cbarria

rancher.ls/external-secrets/README.md

@@ -0,0 +1 @@
+../../../template/cert-manager/cert-manager.sh

rancher.ls/external-secrets/external-secrets.sh

@@ -6,21 +6,21 @@ metadata:
   namespace: cert-manager
 spec:
   acme:
-    server: https://acme-v02.api.letsencrypt.org/directory
-    privateKeySecretRef:
-    name: letsencrypt
     email: rubinobs-it-las@lsst.org
+    privateKeySecretRef:
+      name: letsencrypt
+    server: https://acme-v02.api.letsencrypt.org/directory
     solvers:
-    - selector:
-        dnsZones:
-        - dev.lsst.org
-      dns01:
+    - dns01:
         route53:
-          region: us-east-1
-          hostedZoneID: ZQGNOYQYRNW0C
           accessKeyIDSecretRef:
-            name: route53
             key: AWS_ACCESS_KEY_ID
-          secretAccessKeySecretRef:
             name: route53
+          hostedZoneID: ZQGNOYQYRNW0C
+          region: us-east-1
+          secretAccessKeySecretRef:
             key: AWS_SECRET_ACCESS_KEY
+            name: route53
+      selector:
+        dnsZones:
+        - dev.lsst.org

rancher.ls/external-secrets/fetch-credentials.sh

@@ -0,0 +1 @@
+../../../template/external-secrets/deploy-external.sh

rancher.ls/onepassword/README.md

@@ -0,0 +1 @@
+../../../template/ingress-nginx/ingress-nginx.sh

rancher.ls/onepassword/onepassword-connect.sh

@@ -0,0 +1 @@
+../../../template/metallb/metallb.sh

rancher.ls/rke/.gitignore

@@ -5,8 +5,12 @@ set -e
 if ! env | grep OP_SESSION_ > /dev/null 2>&1; then
   eval "$(op signin)"
 fi
+
 ONEPASS_CREDS="$(op read "op://1pass connect/connect.dev.lsst.org Credentials File/1password-credentials.json")"
 
+# Base64 encode and remove newlines (works on both macOS and Linux)
+ENCODED_CREDS=$(echo "${ONEPASS_CREDS}" | base64 | tr -d '\n')
+
 cat > secret-op-credentials.yaml <<END
 ---
 apiVersion: v1
@@ -17,5 +21,5 @@ metadata:
 type: Opaque
 # The credentials end up being double base64 encoded...
 stringData:
-  1password-credentials.json: $(echo "${ONEPASS_CREDS}" | base64 -w 0)
+  1password-credentials.json: ${ENCODED_CREDS}
 END

rancher.ls/rke/Makefile

@@ -0,0 +1 @@
+../../../template/rancher-backup/rancher-backup.sh

rancher.ls/rke/cluster.yml

@@ -0,0 +1 @@
+../../../template/rancher/rancher.sh

rke2/rancher.dev/cert-manager/cert-manager.crds.yaml

@@ -0,0 +1 @@
+secret-aws.yaml

rke2/rancher.dev/cert-manager/cert-manager.sh

@@ -0,0 +1 @@
+../../../template/cert-manager/cert-manager.sh

rke2/rancher.dev/cert-manager/cert-manager.sh

@@ -0,0 +1,26 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt
+  namespace: cert-manager
+spec:
+  acme:
+    email: rubinobs-it-las@lsst.org
+    privateKeySecretRef:
+      name: letsencrypt
+    server: https://acme-v02.api.letsencrypt.org/directory
+    solvers:
+    - dns01:
+        route53:
+          accessKeyIDSecretRef:
+            key: AWS_ACCESS_KEY_ID
+            name: route53
+          hostedZoneID: ZPIEHXTK3ZPMR
+          region: us-east-1
+          secretAccessKeySecretRef:
+            key: AWS_SECRET_ACCESS_KEY
+            name: route53
+      selector:
+        dnsZones:
+        - ls.lsst.org

rke2/rancher.dev/cert-manager/clusterissuer-letsencrypt.yaml

@@ -0,0 +1 @@
+../../../template/cert-manager/fetch-credentials.sh

rke2/rancher.dev/external-secrets/deploy-external.sh

@@ -0,0 +1,2 @@
+# shellcheck shell=sh
+export ITEM_NAME="it-dns-ls (aws)"

rke2/rancher.dev/external-secrets/deploy-external.sh

@@ -0,0 +1,19 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: onepassword
+spec:
+  provider:
+    onepassword:
+      auth:
+        secretRef:
+          connectTokenSecretRef:
+            key: token
+            name: onepassword-connect-token
+            namespace: external-secrets
+      connectHost: https://connect.ls.lsst.org
+      vaults:
+        k8s-common: 3
+        k8s-ls: 2
+        rancher.ls: 1

rke2/rancher.dev/ingress-nginx/ingress-nginx.sh

@@ -0,0 +1 @@
+../../../template/external-secrets/deploy-external.sh

rke2/rancher.dev/ingress-nginx/ingress-nginx.sh

@@ -0,0 +1 @@
+../../../template/external-secrets/external-secrets.sh

rke2/rancher.dev/metallb/metallb.sh

@@ -0,0 +1 @@
+../../../template/external-secrets/fetch-credentials.sh

rke2/rancher.dev/metallb/metallb.sh

@@ -0,0 +1,17 @@
+---
+apiVersion: fleet.cattle.io/v1alpha1
+kind: GitRepo
+metadata:
+  name: rancher
+  namespace: fleet-local
+spec:
+  repo: https://github.com/lsst-it/k8s-cookbook
+  branch: master
+  keepResources: true
+  paths:
+    - fleet/s/ls/c/rancher/*
+  targets:
+    - name: rancher
+      clusterName: local
+  correctDrift:
+    enabled: true

rke2/rancher.dev/onepassword/fetch-credentials.sh

@@ -0,0 +1 @@
+../../../template/ingress-nginx/ingress-nginx.sh

rke2/rancher.dev/rancher-backup/README.md

@@ -0,0 +1,14 @@
+controller:
+  kind: DaemonSet
+  allowSnippetAnnotations: true
+  ingressClass: nginx
+  ingressClassByName: true
+  ingressClassResource:
+    name: nginx
+    enabled: true
+    controllerValue: k8s.io/ingress-nginx
+  service:
+    annotations:
+      metallb.universe.tf/address-pool: ingress
+rbac:
+  create: true

rke2/rancher.dev/rancher-backup/rancher-backup.sh

@@ -0,0 +1,19 @@
+---
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+  name: ingress
+  namespace: metallb-system
+spec:
+  addresses:
+    - 139.229.135.35/32
+  autoAssign: false
+---
+apiVersion: metallb.io/v1beta1
+kind: L2Advertisement
+metadata:
+  name: ingress
+  namespace: metallb-system
+spec:
+  ipAddressPools:
+    - ingress

rke2/rancher.dev/rancher-backup/rancher-backup.sh

@@ -0,0 +1 @@
+../../../template/metallb/metallb.sh

rke2/rancher.dev/rancher/rancher.sh

@@ -5,8 +5,12 @@ set -e
 if ! env | grep OP_SESSION_ > /dev/null 2>&1; then
   eval "$(op signin)"
 fi
+
 ONEPASS_CREDS="$(op read "op://1pass connect/connect.ls.lsst.org Credentials File/1password-credentials.json")"
 
+# Base64 encode and remove newlines (works on both macOS and Linux)
+ENCODED_CREDS=$(echo "${ONEPASS_CREDS}" | base64 | tr -d '\n')
+
 cat > secret-op-credentials.yaml <<END
 ---
 apiVersion: v1
@@ -17,5 +21,5 @@ metadata:
 type: Opaque
 # The credentials end up being double base64 encoded...
 stringData:
-  1password-credentials.json: $(echo "${ONEPASS_CREDS}" | base64 -w 0)
+  1password-credentials.json: ${ENCODED_CREDS}
 END

rke2/rancher.dev/rancher/rancher.sh

@@ -0,0 +1 @@
+../../../template/onepassword/onepassword-connect.sh

rke2/rancher.ls/cert-manager/.gitignore

@@ -0,0 +1,9 @@
+#!/bin/bash
+set -xe
+
+helm upgrade --install onepassword-connect connect \
+  --repo https://1password.github.io/connect-helm-charts \
+  --version 1.17.0 \
+  --namespace onepassword-connect --create-namespace \
+  -f values.yaml \
+  --timeout 60s --wait