[release-v2.10] batch release (#5015)

Co-authored-by: rancherbot <[email protected]>

.github/workflows/regsync-config.yaml

@@ -32,20 +32,37 @@ jobs:
     needs: onLabelAndApproval
     if: needs.onLabelAndApproval.outputs.is_approved == 'true'
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
     steps:
+      - name: Read App Secrets
+        uses: rancher-eio/read-vault-secrets@main
+        with:
+          secrets: |
+            secret/data/github/repo/${{ github.repository }}/github/app-credentials appId | APP_ID ;
+            secret/data/github/repo/${{ github.repository }}/github/app-credentials privateKey | PRIVATE_KEY
+      - name: Create App Token
+        uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ env.APP_ID }}
+          private-key: ${{ env.PRIVATE_KEY }}
+
       - name: Checkout
         uses: actions/checkout@v4
         with:
-          token: ${{ secrets.PUSH_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
 
       - name: Set-up Ruby 3.2
         uses: ruby/setup-ruby@v1
         with:
           ruby-version: '3.2' # Not needed with a .ruby-version file
 
       - name: Generate RegSync
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
         run: |
-          echo ${{ secrets.PUSH_TOKEN }} | gh auth login --with-token
           gh pr checkout ${{ github.event.pull_request.number }}
           git config --global user.email "${{ secrets.USER_GITHUB }}"
           git config --global user.name "rancherbot"

charts/fleet-agent/105.0.3+up0.11.3/Chart.yaml

@@ -0,0 +1,15 @@
+annotations:
+  catalog.cattle.io/certified: rancher
+  catalog.cattle.io/hidden: "true"
+  catalog.cattle.io/kube-version: '>= 1.28.0-0 < 1.32.0-0'
+  catalog.cattle.io/namespace: cattle-fleet-system
+  catalog.cattle.io/os: linux
+  catalog.cattle.io/permits-os: linux,windows
+  catalog.cattle.io/rancher-version: '>= 2.10.0-0 < 2.11.0-0'
+  catalog.cattle.io/release-name: fleet-agent
+apiVersion: v2
+appVersion: 0.11.3
+description: Fleet Agent - GitOps at Scale
+icon: https://charts.rancher.io/assets/logos/fleet.svg
+name: fleet-agent
+version: 105.0.3+up0.11.3

charts/fleet-agent/105.0.3+up0.11.3/README.md

@@ -0,0 +1,8 @@
+## Fleet Agent Helm Chart
+
+Every Fleet-managed downstream cluster will run an agent that communicates back to the Fleet controller. This agent is just another set of Kubernetes controllers running in the downstream cluster.
+
+Standalone Fleet users use this chart for agent-initiated registration. For more details see [agent-initiated registration](https://fleet.rancher.io/cluster-registration#agent-initiated).
+Fleet in Rancher does not use this chart, but creates the agent deployments programmatically.
+
+The Fleet documentation is centralized in the [doc website](https://fleet.rancher.io/).

charts/fleet-agent/105.0.3+up0.11.3/templates/_helpers.tpl

@@ -0,0 +1,22 @@
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Windows cluster will add default taint for linux nodes,
+add below linux tolerations to workloads could be scheduled to those linux nodes
+*/}}
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+  value: "linux"
+  effect: "NoSchedule"
+  operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux
+{{- end -}}

charts/fleet-agent/105.0.3+up0.11.3/templates/configmap.yaml

@@ -0,0 +1,16 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: fleet-agent
+data:
+  config: |-
+    {
+      {{ if .Values.labels }}
+      "labels":{{toJson .Values.labels}},
+      {{ end }}
+      "clientID":"{{.Values.clientID}}",
+      {{ if .Values.garbageCollectionInterval }}
+      "garbageCollectionInterval": "{{.Values.garbageCollectionInterval}}",
+      {{ end }}
+      "agentTLSMode": "{{.Values.agentTLSMode}}"
+    }

charts/fleet-agent/105.0.3+up0.11.3/templates/deployment.yaml

@@ -0,0 +1,119 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: fleet-agent
+spec:
+  serviceName: fleet-agent
+  selector:
+    matchLabels:
+      app: fleet-agent
+  template:
+    metadata:
+      labels:
+        app: fleet-agent
+    spec:
+      initContainers:
+      - env:
+        - name: NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: '{{ template "system_default_registry" . }}{{.Values.image.repository}}:{{.Values.image.tag}}'
+        name: fleet-agent-register
+        command:
+        - fleetagent
+        - register
+        {{- if .Values.debug }}
+        - --debug
+        - --debug-level
+        - {{ quote .Values.debugLevel }}
+        {{- end }}
+        {{- if not .Values.disableSecurityContext }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          privileged: false
+          capabilities:
+            drop:
+            - ALL
+        {{- end }}
+      containers:
+      - env:
+        - name: NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        {{- if $.Values.agent.reconciler.workers.bundledeployment }}
+        - name: BUNDLEDEPLOYMENT_RECONCILER_WORKERS
+          value: {{ quote $.Values.agent.reconciler.workers.bundledeployment }}
+        {{- end }}
+        {{- if $.Values.agent.reconciler.workers.drift }}
+        - name: DRIFT_RECONCILER_WORKERS
+          value: {{ quote $.Values.agent.reconciler.workers.drift }}
+        {{- end }}
+        image: '{{ template "system_default_registry" . }}{{.Values.image.repository}}:{{.Values.image.tag}}'
+        name: fleet-agent
+        command:
+        - fleetagent
+        {{- if .Values.debug }}
+        - --debug
+        - --debug-level
+        - {{ quote .Values.debugLevel }}
+        {{- end }}
+        {{- if not .Values.disableSecurityContext }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          privileged: false
+          capabilities:
+            drop:
+            - ALL
+        {{- end }}
+        volumeMounts:
+          - mountPath: /.kube
+            name: kube
+      - env:
+        - name: NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        image: '{{ template "system_default_registry" . }}{{.Values.image.repository}}:{{.Values.image.tag}}'
+        name: fleet-agent-clusterstatus
+        command:
+        - fleetagent
+        - clusterstatus
+        {{- if .Values.debug }}
+        - --debug
+        - --debug-level
+        - {{ quote .Values.debugLevel }}
+        {{- end }}
+        {{- if not .Values.disableSecurityContext }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
+          privileged: false
+          capabilities:
+            drop:
+            - ALL
+        {{- end }}
+      volumes:
+        - name: kube
+          emptyDir: {}
+      serviceAccountName: fleet-agent
+      {{- if .Values.fleetAgent.hostNetwork }}
+      hostNetwork: true
+      {{- end }}
+      nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.fleetAgent.nodeSelector }}
+{{ toYaml .Values.fleetAgent.nodeSelector | indent 8 }}
+{{- end }}
+      tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.fleetAgent.tolerations }}
+{{ toYaml .Values.fleetAgent.tolerations | indent 8 }}
+{{- end }}
+{{- if not .Values.disableSecurityContext }}
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
+{{- end }}

charts/fleet-agent/105.0.3+up0.11.3/templates/network_policy_allow_all.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-allow-all
+  namespace: {{ .Values.internal.systemNamespace }}
+spec:
+  podSelector: {}
+  ingress:
+  - {}
+  egress:
+  - {}
+  policyTypes:
+  - Ingress
+  - Egress

charts/fleet-agent/105.0.3+up0.11.3/templates/patch_default_serviceaccount.yaml

@@ -0,0 +1,28 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: patch-fleet-sa
+  annotations:
+    "helm.sh/hook": post-install, post-upgrade
+    "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+spec:
+  template:
+    spec:
+      serviceAccountName: fleet-agent
+      restartPolicy: Never
+      containers:
+      - name: sa
+        image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
+        imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+        command: ["kubectl", "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"]
+        args: ["-n", {{ .Values.internal.systemNamespace }}]
+      nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.kubectl.nodeSelector }}
+{{ toYaml .Values.kubectl.nodeSelector | indent 8 }}
+{{- end }}
+      tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.kubectl.tolerations }}
+{{ toYaml .Values.kubectl.tolerations | indent 8 }}
+{{- end }}
+  backoffLimit: 1

charts/fleet-agent/105.0.3+up0.11.3/templates/rbac.yaml

@@ -0,0 +1,28 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: fleet-agent-system-fleet-agent-role
+rules:
+- apiGroups:
+  - '*'
+  resources:
+  - '*'
+  verbs:
+  - '*'
+- nonResourceURLs:
+  - "*"
+  verbs:
+  - "*"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: fleet-agent-system-fleet-agent-role-binding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: fleet-agent-system-fleet-agent-role
+subjects:
+- kind: ServiceAccount
+  name: fleet-agent
+  namespace: {{.Release.Namespace}}

charts/fleet-agent/105.0.3+up0.11.3/templates/secret.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+  systemRegistrationNamespace: "{{b64enc .Values.systemRegistrationNamespace}}"
+  clusterNamespace: "{{b64enc .Values.clusterNamespace}}"
+  token: "{{b64enc .Values.token}}"
+  apiServerURL: "{{b64enc .Values.apiServerURL}}"
+  apiServerCA: "{{b64enc .Values.apiServerCA}}"
+kind: Secret
+metadata:
+  name: fleet-agent-bootstrap

charts/fleet-agent/105.0.3+up0.11.3/templates/service.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: fleet-agent
+spec:
+    type: ClusterIP
+    clusterIP: None
+    selector:
+      app: fleet-agent

charts/fleet-agent/105.0.3+up0.11.3/templates/serviceaccount.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: fleet-agent

charts/fleet-agent/105.0.3+up0.11.3/templates/validate.yaml

@@ -0,0 +1,11 @@
+{{if ne .Release.Namespace .Values.internal.systemNamespace }}
+{{ fail (printf "This chart must be installed in the namespace %s as the release name fleet-agent" .Values.internal.systemNamespace) }}
+{{end}}
+
+{{if ne .Release.Name .Values.internal.managedReleaseName }}
+{{ fail (printf "This chart must be installed in the namespace %s as the release name fleet-agent" .Values.internal.managedReleaseName) }}
+{{end}}
+
+{{if not .Values.apiServerURL }}
+{{ fail "apiServerURL is required to be set, and most likely also apiServerCA" }}
+{{end}}