add server chart to build

.drone.yml

@@ -7,6 +7,8 @@ pipeline:
     - /var/run/docker.sock:/var/run/docker.sock
     commands:
     - dapper ci
+    when:
+      event: [ push, pull_request, tag ]
 
   stage-binaries:
     image: rancher/dapper:1.11.2
@@ -102,3 +104,26 @@ pipeline:
       event: tag
       ref:
         exclude: [ refs/tags/*rc*, refs/tags/*alpha* ]
+
+  chart-promote:
+    image: rancher/dapper:1.11.2
+    commands:
+      - dapper charts/copy
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    when:
+      event: deployment
+      environment: promote-stable
+
+  chart-publish:
+    image: plugins/gcs
+    source: bin/chart
+    target: releases.rancher.com/server-charts
+    acl:
+      - allUsers:READER
+    cache_control: public,no-cache,proxy-revalidate
+    secrets:
+      - source: google_auth_key
+        target: GOOGLE_CREDENTIALS
+    when:
+      event: [ tag, deployment ]

Dockerfile.dapper

@@ -22,7 +22,9 @@ ENV DOCKER_URL_amd64=https://get.docker.com/builds/Linux/x86_64/docker-1.10.3 \
 
 RUN curl -sLf https://github.com/rancher/helm/releases/download/${CATTLE_HELM_VERSION}/helm > /usr/bin/helm && \
     curl -sLf https://github.com/rancher/helm/releases/download/${CATTLE_HELM_VERSION}/tiller > /usr/bin/tiller && \
-    chmod +x /usr/bin/helm /usr/bin/tiller
+    chmod +x /usr/bin/helm /usr/bin/tiller && \
+    helm init -c && \
+    helm plugin install https://github.com/lrills/helm-unittest
 
 RUN wget -O - ${!DOCKER_URL} > /usr/bin/docker && chmod +x /usr/bin/docker
 
@@ -35,6 +37,7 @@ RUN wget -O - ${KUBECTL_URL_amd64} > /usr/bin/kubectl && chmod +x /usr/bin/kubec
 RUN apt-get update && \
     apt-get install -y tox python3.7
 
+ENV HELM_HOME /root/.helm
 ENV DAPPER_ENV REPO TAG DRONE_TAG
 ENV DAPPER_SOURCE /go/src/github.com/rancher/rancher/
 ENV DAPPER_OUTPUT ./bin ./dist

chart/.helmignore

+tests

chart/Chart.yaml

+apiVersion: v1
+name: rancher
+description: Install Rancher Server to manage Kubernetes clusters across providers.
+version: %VERSION%
+appVersion: %APP_VERSION%
+home: https://rancher.com
+icon: https://github.com/rancher/ui/blob/master/public/assets/images/logos/welcome-cow.svg
+keywords:
+  - rancher
+sources:
+  - https://github.com/rancher/rancher
+  - https://github.com/rancher/server-chart
+maintainers:
+  - name: Rancher Labs
+    email: charts@rancher.com

chart/templates/NOTES.txt

+Rancher Server has been installed.
+
+NOTE: Rancher may take several minutes to fully initialize. Please standby while Certificates are being issued and Ingress comes up.
+
+Check out our docs at https://rancher.com/docs/rancher/v2.x/en/
+
+Browse to https://{{ .Values.hostname }}
+
+Happy Containering!

chart/templates/_helpers.tpl

+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "rancher.name" -}}
+  {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "rancher.fullname" -}}
+  {{- $name := default .Chart.Name .Values.nameOverride -}}
+  {{- if contains $name .Release.Name -}}
+    {{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+  {{- else -}}
+    {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+  {{- end -}}
+{{- end -}}

chart/templates/clusterRoleBinding.yaml

+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ template "rancher.fullname" . }}
+  labels:
+    app: {{ template "rancher.fullname" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+subjects:
+- kind: ServiceAccount
+  name: {{ template "rancher.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io

chart/templates/deployment.yaml

+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name: {{ template "rancher.fullname" . }}
+  labels:
+    app: {{ template "rancher.fullname" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+spec:
+  replicas: {{ .Values.replicas }}
+  selector:
+    matchLabels:
+      app: {{ template "rancher.fullname" . }}
+  template:
+    metadata:
+      labels:
+        app: {{ template "rancher.fullname" . }}
+        release: {{ .Release.Name }}
+    spec:
+      serviceAccountName: {{ template "rancher.fullname" . }}
+{{- if .Values.imagePullSecrets }}
+      imagePullSecrets:
+{{ toYaml .Values.imagePullSecrets | indent 6 }}
+{{- end }}
+      affinity:
+        podAntiAffinity:
+{{- if eq .Values.antiAffinity "required" }}
+          requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchExpressions:
+              - key: app
+                operator: In
+                values:
+                - {{ template "rancher.fullname" . }}
+            topologyKey: kubernetes.io/hostname
+{{- else }}
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 100
+            podAffinityTerm:
+              labelSelector:
+                matchExpressions:
+                - key: app
+                  operator: In
+                  values:
+                  - {{ template "rancher.fullname" . }}
+              topologyKey: kubernetes.io/hostname
+{{- end }}
+      containers:
+      - image: {{ .Values.rancherImage }}:{{ default .Chart.AppVersion .Values.rancherImageTag }}
+        name: {{ template "rancher.name" . }}
+        ports:
+        - containerPort: 80
+          protocol: TCP
+        args:
+{{- if .Values.debug }}
+        - "--debug"
+{{- end }}
+{{- if .Values.privateCA }}
+        # Private CA - don't clear ca certs
+{{- else if eq .Values.ingress.tls.source "rancher" }}
+        # Rancher self-signed - don't clear ca certs
+{{- else }}
+        # Public trusted CA - clear ca certs
+        - "--no-cacerts"
+{{- end }}
+        - "--http-listen-port=80"
+        - "--https-listen-port=443"
+        - "--add-local={{ .Values.addLocal }}"
+        env:
+        - name: CATTLE_NAMESPACE
+          value: {{ .Release.Namespace }}
+        - name: CATTLE_PEER_SERVICE
+          value: {{ template "rancher.fullname" . }}
+{{- if gt .Values.auditLog.level 0.0 }}
+        - name: AUDIT_LEVEL
+          value: {{ .Values.auditLog.level | quote }}
+        - name: AUDIT_LOG_MAXAGE
+          value: {{ .Values.auditLog.maxAge | quote }}
+        - name: AUDIT_LOG_MAXBACKUP
+          value: {{ .Values.auditLog.maxBackup | quote }}
+        - name: AUDIT_LOG_MAXSIZE
+          value: {{ .Values.auditLog.maxSize | quote }}
+{{- end }}
+{{- if .Values.proxy }}
+        - name: HTTP_PROXY
+          value: {{ .Values.proxy }}
+        - name: HTTPS_PROXY
+          value: {{ .Values.proxy }}
+        - name: NO_PROXY
+          value: {{ .Values.noProxy }}
+{{- end }}
+        livenessProbe:
+          tcpSocket:
+            port: 80
+          initialDelaySeconds: 60
+          periodSeconds: 30
+        readinessProbe:
+          tcpSocket:
+            port: 80
+          initialDelaySeconds: 5
+          periodSeconds: 30
+        resources:
+{{ toYaml .Values.resources | indent 10 }}
+        volumeMounts:
+{{- if .Values.additionalTrustedCAs }}
+        - mountPath: /etc/rancher/ssl/ca-additional.pem
+          name: tls-ca-additional-volume
+          subPath: ca-additional.pem
+          readOnly: true
+{{- end }}
+{{- if .Values.privateCA }}
+        # Pass CA cert into rancher for private CA
+        - mountPath: /etc/rancher/ssl
+          name: tls-ca-volume
+          subPath: cacerts.pem
+          readOnly: true
+{{- end }}
+{{- if gt .Values.auditLog.level 0.0 }}
+        - mountPath: /var/log/auditlog
+          name: audit-log
+{{- end }}
+{{- if gt .Values.auditLog.level 0.0 }}
+      # Make audit logs avalible for Rancher log collecter tools.
+      - image: busybox
+        name: {{ template "rancher.name" . }}-audit-log
+        command: ["tail"]
+        args: ["-F", "/var/log/auditlog/rancher-api-audit.log"]
+        volumeMounts:
+        - mountPath: /var/log/auditlog
+          name: audit-log
+{{- end }}
+      volumes:
+{{- if .Values.additionalTrustedCAs }}
+      - name: tls-ca-additional-volume
+        secret:
+          defaultMode: 0400
+          secretName: tls-ca-additional
+{{- end }}
+{{- if .Values.privateCA }}
+      - name: tls-ca-volume
+        secret:
+          defaultMode: 0400
+          secretName: tls-ca
+{{- end }}
+{{- if gt .Values.auditLog.level 0.0 }}
+  {{- if eq .Values.auditLog.destination "hostPath" }}
+      - name: audit-log
+        hostPath:
+          path: {{ .Values.auditLog.hostPath }}
+          type: DirectoryOrCreate
+  {{- else }}
+      - name: audit-log
+        emptyDir: {}
+  {{- end }}
+{{- end }}
+

chart/templates/ingress.yaml

+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: {{ template "rancher.fullname" . }}
+  labels:
+    app: {{ template "rancher.fullname" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+  annotations:
+{{- if eq .Values.tls "external" }}
+    nginx.ingress.kubernetes.io/ssl-redirect: "false" # turn off ssl redirect for external.
+{{- else }}
+  {{- if ne .Values.ingress.tls.source "secret" }}
+    certmanager.k8s.io/issuer: {{ template "rancher.fullname" . }}
+  {{- end }}
+{{- end }}
+{{- if .Values.ingress.extraAnnotations }}
+{{ toYaml .Values.ingress.extraAnnotations | indent 4 }}
+{{- end }}
+spec:
+  rules:
+  - host: {{ .Values.hostname }}  # hostname to access rancher server
+    http:
+      paths:
+      - backend:
+          serviceName: {{ template "rancher.fullname" . }}
+          servicePort: 80
+{{- if eq .Values.tls "ingress" }}
+  tls:
+  - hosts:
+    - {{ .Values.hostname }}
+    secretName: tls-rancher-ingress
+{{- end }}

chart/templates/issuer-letsEncrypt.yaml

+{{- if eq .Values.tls "ingress" -}}
+  {{- if eq .Values.ingress.tls.source "letsEncrypt" -}}
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Issuer
+metadata:
+  name: {{ template "rancher.fullname" . }}
+  labels:
+    app: {{ template "rancher.fullname" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+spec:
+  acme:
+    {{- if eq .Values.letsEncrypt.environment "production" }}
+    server: https://acme-v02.api.letsencrypt.org/directory
+    {{- end }}
+    {{- if eq .Values.letsEncrypt.environment "staging" }}
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    {{- end }}
+    email: {{ .Values.letsEncrypt.email }}
+    privateKeySecretRef:
+      name: letsencrypt-{{ .Values.letsEncrypt.environment }}
+    http01: {}
+  {{- end -}}
+{{- end -}}

chart/templates/issuer-rancher.yaml

+{{- if eq .Values.tls "ingress" -}}
+  {{- if eq .Values.ingress.tls.source "rancher" -}}
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Issuer
+metadata:
+  name: {{ template "rancher.fullname" . }}
+  labels:
+    app: {{ template "rancher.fullname" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+spec:
+  ca:
+    secretName: tls-rancher
+  {{- end -}}
+{{- end -}}

chart/templates/service.yaml

+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "rancher.fullname" . }}
+  labels:
+    app: {{ template "rancher.fullname" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+spec:
+  ports:
+  - port: 80
+    targetPort: 80
+    protocol: TCP
+    name: http
+  selector:
+    app: {{ template "rancher.fullname" . }}

chart/templates/serviceAccount.yaml

+kind: ServiceAccount
+apiVersion: v1
+metadata:
+  name: {{ template "rancher.fullname" . }}
+  labels:
+    app: {{ template "rancher.fullname" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}

chart/tests/deployment_test.yaml

+suite: Test Deployment
+templates:
+- deployment.yaml
+tests:
+- it: should set --add-local=false
+  set:
+    addLocal: "false"
+  asserts:
+  - contains:
+      path: spec.template.spec.containers[0].args
+      content: "--add-local=false"
+- it: should default to --add-local=auto
+  asserts:
+  - contains:
+      path: spec.template.spec.containers[0].args
+      content: "--add-local=auto"

chart/tests/ingress_test.yaml

+suite: Test Ingress
+templates:
+- ingress.yaml
+tests:
+- it: should set external options
+  set:
+    tls: external
+  asserts:
+  - equal:
+      path: metadata.annotations.nginx\.ingress\.kubernetes\.io/ssl-redirect
+      value: "false"
+  - isNull:
+      path: metadata.annotations.certmanager\.k8s\.io/issuer
+  - isNull:
+      path: spec.tls
+- it: should set default annotations
+  asserts:
+  - equal:
+      path: metadata.annotations
+      value:
+        certmanager.k8s.io/issuer: RELEASE-NAME-rancher
+        nginx.ingress.kubernetes.io/proxy-connect-timeout: "30"
+        nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
+        nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
+- it: should over write proxy-connect-timeout
+  set: 
+    ingress.extraAnnotations:
+      nginx.ingress.kubernetes.io/proxy-connect-timeout: "15"
+  asserts:
+  - equal:
+      path: metadata.annotations
+      value:
+        certmanager.k8s.io/issuer: RELEASE-NAME-rancher
+        nginx.ingress.kubernetes.io/proxy-connect-timeout: "15"
+        nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
+        nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
+- it: should set source secret
+  set:
+    hostname: test
+    ingress.tls.source: secret
+  asserts:
+  - isNull: 
+      path: certmanager\.k8s\.io/issuer
+  - contains:
+      path: spec.tls
+      content:
+        hosts:
+        - test
+        secretName: tls-rancher-ingress

chart/tests/issuer_test.yaml

+suite: Test Issuers
+templates:
+- issuer-letsEncrypt.yaml
+- issuer-rancher.yaml
+tests:
+- it: should not render issuers - tls=external
+  set:
+    tls: external
+  asserts:
+  - hasDocuments:
+      count: 0
+    template: issuer-letsEncrypt.yaml
+  - hasDocuments:
+      count: 0
+    template: issuer-rancher.yaml
+- it: should not render issuers - ingress.tls.source=secret
+  set:
+    ingress.tls.source: secret
+  asserts:
+  - hasDocuments:
+      count: 0
+    template: issuer-letsEncrypt.yaml
+  - hasDocuments:
+      count: 0
+    template: issuer-rancher.yaml
+- it: should render letsEncrypt but not rancher
+  set:
+    ingress.tls.source: letsEncrypt
+  asserts:
+  - hasDocuments:
+      count: 1
+    template: issuer-letsEncrypt.yaml
+  - hasDocuments:
+      count: 0
+    template: issuer-rancher.yaml
+- it: should render rancher but not letsEncrypt
+  set:
+    ingress.tls.source: rancher
+  asserts:
+  - hasDocuments:
+      count: 0
+    template: issuer-letsEncrypt.yaml
+  - hasDocuments:
+      count: 1
+    template: issuer-rancher.yaml
+- it: should set letsEncrypt production by default
+  set:
+    ingress.tls.source: letsEncrypt
+  asserts:
+  - equal:
+      path: spec.acme.server
+      value: https://acme-v02.api.letsencrypt.org/directory
+    template: issuer-letsEncrypt.yaml
+- it: should set letsEncrypt staging
+  set:
+    ingress.tls.source: letsEncrypt
+    letsEncrypt.environment: staging
+  asserts:
+  - equal:
+      path: spec.acme.server
+      value: https://acme-staging-v02.api.letsencrypt.org/directory
+    template: issuer-letsEncrypt.yaml
+- it: should set letsEncrypt email address
+  set:
+    ingress.tls.source: letsEncrypt
+    letsEncrypt.email: test@test.org
+  asserts:
+  - equal:
+      path: spec.acme.email
+      value: test@test.org
+    template: issuer-letsEncrypt.yaml

chart/values.yaml

+# Additional Trusted CAs.
+# Enable this flag and add your CA certs as a secret named tls-ca-additional in the namespace.
+# See README.md for details.
+additionalTrustedCAs: false
+
+antiAffinity: preferred
+
+# Audit Logs https://rancher.com/docs/rancher/v2.x/en/installation/api-auditing/
+# The audit log is piped to the console of the rancher-audit-log container in the rancher pod.
+# https://rancher.com/docs/rancher/v2.x/en/installation/api-auditing/
+# destination stream to sidecar container console or hostPath volume
+# level: Verbosity of logs, 0 to 3. 0 is off 3 is a lot.
+auditLog:
+  destination: sidecar
+  hostPath: /var/log/rancher/audit/
+  level: 0
+  maxAge: 1
+  maxBackup: 1
+  maxSize: 100
+
+# Have Rancher detect and import the "local" Rancher server cluster
+# Adding the "local" cluster available in the GUI can be convenient, but any user with access to this cluster has "root" on any of the clusters that Rancher manages.
+# options; "auto", "false". (auto pretty much means true)
+addLocal: "auto"
+# Add debug flag to Rancher server
+debug: false
+
+# Fully qualified name to reach your Rancher server
+# hostname: rancher.my.org
+
+## Optional array of imagePullSecrets containing private registry credentials
+## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+imagePullSecrets: []
+# - name: secretName
+
+### ingress ###
+# Readme for details and instruction on adding tls secrets.
+ingress:
+  extraAnnotations: 
+    nginx.ingress.kubernetes.io/proxy-connect-timeout: "30"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "1800"
+  tls:
+    # rancher, letsEncrypt, secrets
+    source: rancher
+
+### LetsEncrypt config ###
+# ProTip: The production environment only allows you to register a name 5 times a week.
+#         Use staging until you have your config right.
+letsEncrypt:
+  # email: none@example.com
+  environment: production
+
+# If you are using certs signed by a private CA set to 'true' and set the 'tls-ca'
+# in the 'rancher-system' namespace. See the README.md for details
+privateCA: false
+
+# http[s] proxy server passed into rancher server.
+# proxy: http://<username>@<password>:<url>:<port>
+
+# comma separated list of domains or ip addresses that will not use the proxy 
+noProxy: 127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 
+
+# Override rancher image location for Air Gap installs
+rancherImage: rancher/rancher
+# rancher/rancher image tag. https://hub.docker.com/r/rancher/rancher/tags/
+# Defaults to .Chart.appVersion
+# rancherImageTag: v2.0.7
+
+# Number of Rancher server replicas.
+replicas: 3
+
+# Set pod resource requests/limits for Rancher.
+resources: {}
+
+# 
+# tls
+#   Where to offload the TLS/SSL encryption
+# - ingress (default)
+# - external
+tls: ingress

scripts/chart/build

+#!/usr/bin/env bash
+
+set -e
+
+echo "-- chart/build --"
+
+cd $(dirname $0)/../..
+. ./scripts/version
+
+rm -rf /tmp/chart
+mkdir -p /tmp/chart/
+cp -Rf ./chart /tmp/chart/rancher
+
+sed -i -e "s/%VERSION%/${CHART_VERSION}/g" /tmp/chart/rancher/Chart.yaml
+sed -i -e "s/%APP_VERSION%/${VERSION}/g" /tmp/chart/rancher/Chart.yaml

scripts/chart/ci

+#!/bin/bash
+set -e
+
+cd $(dirname $0)
+
+./build
+./validate
+./test
+./package

scripts/chart/copy

+#!/usr/bin/env bash
+
+set -e
+
+echo "-- chart/copy --"
+
+cd $(dirname $0)/../..
+. ./scripts/version
+
+# A Promotion is from Latest to Stable.
+if [[ -z "${DRONE_TAG}" ]]; then
+    echo "We can only promote Tags from the 'latest' chart repo to 'stable'"
+    exit 1
+fi
+
+if [[ "${CHART_REPO}" != "latest" ]]; then
+    echo "We can only promote Tags from the 'latest' chart repo to 'stable'"
+    exit 1
+fi
+
+# Remove any existing charts.
+rm -rf ./bin/chart
+
+mkdir -p ./bin/chart/stable
+
+curl -f -H 'Cache-Control: max-age=0,no-cache' -H 'Host: releases.rancher.com' "https://c.storage.googleapis.com/server-charts/latest/rancher-${CHART_VERSION}.tgz?$(date +%s%N)" -o ./bin/chart/stable/rancher-${CHART_VERSION}.tgz
+
+./scripts/chart/index stable