Update Rancher cluster template and add charts (Epinio, Podinfo, Ranc…

…her CIS Benchmark) (#28)

* Update comments in vsphere values and dump chart version to 0.1.4

* Small changes

* Add Rancher CIS Benchmark

* Add helm repos

* Add Podinfo chart

* Add stackrox/kube-linter

* Disable kube-linter (not working with subcharts)

* Add Epinio chart

.github/workflows/ci.yml

@@ -54,6 +54,13 @@ jobs:
           fi
       - name: Lint charts
         run: ct lint $CHARTS_DIRECTORIES_ARG --target-branch ${{ github.event.repository.default_branch }}
+      # TODO: Enable when https://github.com/stackrox/kube-linter/issues/575 is fixed
+      # - name: Scan yamls
+      #   id: kube-lint-scan
+      #   uses: stackrox/kube-linter-action@v1
+      #   with:
+      #     directory: charts
+      #     config: .kube-linter.yaml
       # TODO: debug & fix
       # - name: Create kind cluster
       #   uses: helm/kind-action@v1.4.0

.kube-linter.yaml

@@ -0,0 +1,7 @@
+checks:
+  addAllBuiltIn: true
+  exclude:
+    - "no-read-only-root-fs"
+    - "unset-cpu-requirements"
+    - "unset-memory-requirements"
+  ignorePaths: []

README.md

@@ -13,9 +13,10 @@ Helm charts to ease the deployment of containers on Kubernetes clusters and get
 
 * Applications
   * [Cow Demo](charts/cow-demo/README.md) 🗸
+  * [Devpro Sales Portal](charts/devpro-salesportal/README.md) 🗸
   * [Drupal](charts/drupal/README.md)
   * [E Corp Demo](charts/ecorp-demo/README.md) 🗸
-  * [Devpro Sales Portal](charts/devpro-salesportal/README.md) 🗸
+  * [Podinfo](charts/podinfo/README.md) 🗸
   * [WordPress](charts/wordpress/README.md) 🗸
 * Authentication / Identity
   * [Keycloak](charts/keycloak/README.md) 🗸
@@ -59,6 +60,7 @@ Helm charts to ease the deployment of containers on Kubernetes clusters and get
   * [Sealed Secrets](charts/sealed-secrets/README.md) 🗸
 * Security
   * [NeuVector](charts/neuvector/README.md) 🗸
+  * [Rancher CIS Benchmark](charts/rancher-cis-benchmark/README.md) 🗸
 * Serverless
   * [Knative](charts/knative/README.md)
 * Storage
@@ -182,8 +184,15 @@ helm:
 * Lint charts with [helm/chart-testing](https://github.com/helm/chart-testing)
 
 ```bash
-# runs Docker image (with workaround described at https://github.com/helm/chart-testing/issues/464)
-sudo docker run --rm -it --workdir=/data --volume $(pwd):/data quay.io/helmpack/chart-testing:v3.7.1 /bin/sh -c "git config --global --add safe.directory /data ; ./scripts/add_helm_repo.sh ; ct lint --target-branch main"
+# runs in a container (with workaround described at https://github.com/helm/chart-testing/issues/464)
+docker run --rm -it --workdir=/data --volume $(pwd):/data quay.io/helmpack/chart-testing:v3.7.1 /bin/sh -c "git config --global --add safe.directory /data ; ./scripts/add_helm_repo.sh ; ct lint --target-branch main"
+```
+
+* (not yet available because of [Issue #575](https://github.com/stackrox/kube-linter/issues/575)) Lint charts with [stackrox/kube-linter](https://github.com/stackrox/kube-linter) ([docs](https://docs.kubelinter.io/))
+
+```bash
+# runs in a container
+docker run --rm -v $(pwd)/charts:/charts -v $(pwd)/.kube-linter.yaml:/etc/config.yaml stackrox/kube-linter lint /charts --config /etc/config.yaml
 ```
 
 ## References
@@ -194,6 +203,7 @@ sudo docker run --rm -it --workdir=/data --volume $(pwd):/data quay.io/helmpack/
   * [Rancher How-to Guides > Helm Charts > Creating Apps](https://ranchermanager.docs.rancher.com/how-to-guides/new-user-guides/helm-charts-in-rancher/create-apps)
 * Examples
   * [argoproj/argocd-example-apps](https://github.com/argoproj/argocd-example-apps)
+  * [helm/charts](https://github.com/helm/charts)
   * [rancher/rodeo](https://github.com/rancher/rodeo)
 * Official repositories
   * [argoproj/argo-helm](https://github.com/argoproj/argo-helm)

charts/epinio/CONTRIBUTING.md

@@ -0,0 +1,49 @@
+# Contribute to Epinio Helm chart
+
+## How to update the dependencies
+
+```bash
+# makes sure the repository has been added and refreshed
+helm repo add epinio https://epinio.github.io/helm-charts
+helm repo update
+
+# searches for the latest version
+helm search repo -l epinio --versions
+
+# manual: update version number in Chart.yaml
+
+# updates Chart.lock
+helm dependency update
+```
+
+## How to check the manifest code quality
+
+```bash
+# checks code style
+helm lint
+
+# checks the Kubernetes objects generated from the chart
+helm template epinio . -f values.yaml --namespace epinio > temp.yaml
+```
+
+## How to deploy the chart from the sources
+
+### With NGINX Ingress Controller and Let's Encrypt
+
+```bash
+# retrieves public IP
+NGINX_PUBLIC_IP=`kubectl get service -n ingress-nginx ingress-nginx-controller --output jsonpath='{.status.loadBalancer.ingress[0].ip}'`
+
+# installs on a cluster
+helm upgrade --install epinio . -f values.yaml --create-namespace \
+--set epinio.global.domain=${NGINX_PUBLIC_IP}.sslip.io \
+--set epinio.global.tlsIssuer=letsencrypt-prod \
+--set epinio.global.tlsIssuerEmail=<my_email_address> \
+--namespace epinio
+
+# logs in Epinio (default password is "password")
+epinio login -u admin 'https://epinio.${NGINX_PUBLIC_IP}.sslip.io'
+
+# displays instance information
+epinio settings show
+```

charts/epinio/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: epinio
+  repository: https://epinio.github.io/helm-charts
+  version: 1.9.0
+digest: sha256:2a7d9a9dbaeb719ba930fb014df9a01629cff73c4cd4e1f4afd7c600f0cfcbc3
+generated: "2023-09-18T16:11:52.6692354+02:00"

charts/epinio/Chart.yaml

@@ -0,0 +1,15 @@
+apiVersion: v2
+name: epinio
+description: Helm chart for managing Epinio
+type: application
+version: "0.1.0"
+appVersion: "1.9.0"
+dependencies:
+  # https://github.com/epinio/helm-charts/tree/main/chart/epinio
+  - name: epinio
+    version: 1.9.0
+    repository: https://epinio.github.io/helm-charts
+maintainers:
+  - name: devpro
+    email: bertrand@devpro.fr
+home: https://github.com/devpro/helm-charts/tree/main/charts/epinio

charts/epinio/README.md

@@ -0,0 +1,34 @@
+# Helm chart for Epinio
+
+This Helm chart will install [Epinio](https://epinio.io/) on a Kubernetes cluster.
+It is based on the [official Helm chart](https://artifacthub.io/packages/helm/epinio/epinio).
+
+## Introduction
+
+> Epinio is an application Platform. It deploys on Kubernetes and allows application developers and operators to work together without stepping on each others work. ([docs.epinio.io](https://docs.epinio.io/))
+
+## Quick start
+
+- Install Epinio in a Kubernetes cluster
+
+💡 `cert-manager` must be installed
+
+```bash
+# makes sure devpro helm repository has been added
+helm repo add devpro https://devpro.github.io/helm-charts
+helm repo update
+
+# installs the chart with default parameters
+helm upgrade --install epinio devpro/epinio --create-namespace --namespace epinio
+
+# removes the installation
+helm uninstall epinio -n epinio
+kubectl delete ns epinio
+```
+
+- Download [`epinio` (Epinio CLI)](https://github.com/epinio/epinio/releases/) and use it to manage workload
+
+
+## Going further
+
+Look at the [Contributing](CONTRIBUTING.md) page.

charts/epinio/values.yaml

@@ -0,0 +1,2 @@
+# https://github.com/epinio/helm-charts/blob/main/chart/epinio/values.yaml
+epinio: {}

charts/podinfo/CONTRIBUTING.md

@@ -0,0 +1,36 @@
+# Contribute to Podinfo Helm chart
+
+## How to update the dependencies
+
+```bash
+# makes sure the repository has been added and refreshed
+helm repo add podinfo https://stefanprodan.github.io/podinfo
+helm repo update
+
+# searches for the latest version
+helm search repo -l podinfo --versions
+
+# manual: update version number in Chart.yaml
+
+# updates Chart.lock
+helm dependency update
+```
+
+## How to check the manifest code quality
+
+```bash
+# checks code style
+helm lint
+
+# checks the Kubernetes objects generated from the chart on a specific case defined in values_mine.yaml
+helm template podinfo . -f values.yaml -f values_mine.yaml --namespace podinfo > temp.yaml
+```
+
+## How to deploy the chart from the sources
+
+```bash
+# installs on a cluster
+helm upgrade --install podinfo . -f values.yaml --create-namespace \
+  --namespace podinfo \
+  # --debug
+```

charts/podinfo/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: podinfo
+  repository: https://stefanprodan.github.io/podinfo
+  version: 6.4.1
+digest: sha256:46b2ac4138ca6e33049a9310de51d0fef372031dabc892fc01dab7ce92022db4
+generated: "2023-09-13T11:15:47.918467272+02:00"

charts/podinfo/Chart.yaml

@@ -0,0 +1,15 @@
+apiVersion: v2
+name: podinfo
+description: Helm chart for managing Podinfo
+type: application
+version: "0.1.0"
+appVersion: "6.4.1"
+dependencies:
+  # https://github.com/stefanprodan/podinfo/tree/master/charts/podinfo
+  - name: podinfo
+    version: 6.4.1
+    repository: https://stefanprodan.github.io/podinfo
+maintainers:
+  - name: devpro
+    email: bertrand@devpro.fr
+home: https://github.com/devpro/helm-charts/tree/main/charts/podinfo

charts/podinfo/README.md

@@ -0,0 +1,29 @@
+# Helm chart for Podinfo
+
+This Helm chart will install [Podinfo](https://github.com/stefanprodan/podinfo) on a Kubernetes cluster.
+It is based on [the official Helm chart](https://github.com/stefanprodan/podinfo/tree/master/charts/podinfo).
+
+## Introduction
+
+> Podinfo is a tiny web application made with Go that showcases best practices of running microservices in Kubernetes. Podinfo is used by CNCF projects like Flux and Flagger for end-to-end testing and workshops. ([github.com](https://github.com/stefanprodan/podinfo))
+
+See also [golang.ch](https://golang.ch/a-tiny-web-application-golang-showcases-best-practices-of-running-microservices-in-kubernetes/)
+
+## Quick start
+
+```bash
+# makes sure devpro helm repository has been added
+helm repo add devpro https://devpro.github.io/helm-charts
+helm repo update
+
+# installs the chart with default parameters
+helm upgrade --install podinfo devpro/podinfo --create-namespace --namespace podinfo
+
+# removes the installation
+helm uninstall podinfo -n podinfo
+kubectl delete ns podinfo
+```
+
+## Going further
+
+Look at the [Contibuting](CONTRIBUTING.md) page.

charts/podinfo/values.yaml

@@ -0,0 +1,2 @@
+# https://github.com/stefanprodan/podinfo/blob/master/charts/podinfo/values.yaml
+podinfo: {}

charts/rancher-cis-benchmark/Chart.yaml

@@ -0,0 +1,13 @@
+apiVersion: v2
+name: rancher-cis-benchmark
+description: Helm chart for managing Rancher CIS Benchmark
+type: application
+version: "0.1.0"
+appVersion: "4.1.0"
+dependencies:
+  - name: rancher-cis-benchmark
+    version: 4.1.0
+    repository: https://charts.rancher.io/
+maintainers:
+  - name: devpro
+    email: bertrand@devpro.fr

charts/rancher-cis-benchmark/README.md

@@ -0,0 +1,17 @@
+# Rancher CIS Benchmark
+
+## How to update the chart
+
+```bash
+# adds helm chart repository
+helm repo add rancher-charts https://charts.rancher.io
+helm repo update
+
+# searches for the latest version
+helm search repo -l rancher-cis-benchmark
+
+# manual: update version number in Chart.yaml
+
+# updates Chart.lock
+helm dependency update
+```

charts/rancher-cis-benchmark/values.yaml

@@ -0,0 +1,2 @@
+# Ref. https://github.com/rancher/charts/blob/release-v2.7/charts/rancher-cis-benchmark/4.1.0/values.yaml
+rancher-cis-benchmark: {}

charts/rancher-cluster-templates/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: rancher-cluster-templates
 description: Helm chart for managing Rancher cluster templates
 type: application
-version: "0.1.3"
+version: "0.1.4"
 appVersion: "0.1.0"
 annotations:
   catalog.cattle.io/type: cluster-template

charts/rancher-cluster-templates/examples/values_vsphere.yaml

@@ -33,11 +33,11 @@ nodepools:
     # folder: ""                  # folder for the docker VM, which must already exist in the datacenter
     # hostsystem: ""              # compute resource where the docker VM will be instantiated, this can be omitted if using a cluster with DRS
     # memorySize: "2048"          # in MB
-    # network: ""                 # vSphere network where the virtual machine will be attached
+    # network: []                 # vSphere network where the virtual machine will be attached
     # pool: ""                    # resource pool
     sshPort: "22"                 # if using a non-B2D image
     sshUserGroup: staff           # if using a non-B2D image the uploaded keys will need chown'ed, defaults to staff e.g. docker:staff
-    # tag:
+    # tags:
     #   - "urn:xxx"
     # vappIpallocationpolicy: ""  # supported: dhcp, fixed, transient and fixedAllocated
     # vappIpprotocol: ""          # supported: IPv4 and IPv6)

charts/rancher-cluster-templates/templates/managedcharts.yaml

@@ -3,7 +3,7 @@
 apiVersion: management.cattle.io/v3
 kind: ManagedChart
 metadata:
-  name: monitoring-crd-{{ .Values.cluster.name }}
+  name: {{ .Values.cluster.name }}-managed-monitoring-crd
   namespace: fleet-default
 spec:
   chart: "rancher-monitoring-crd"
@@ -12,7 +12,7 @@ spec:
   version: {{ .Values.monitoring.version }}
   {{- if .Values.monitoring.values }}
   values:
-{{ toYaml .Values.monitoring.values | indent 4 }}
+    {{- toYaml .Values.monitoring.values | indent 4 }}
   {{- end }}
   defaultNamespace: "cattle-monitoring-system"
   targets:
@@ -21,7 +21,7 @@ spec:
 apiVersion: management.cattle.io/v3
 kind: ManagedChart
 metadata:
-  name: monitoring-{{ .Values.cluster.name }}
+  name: {{ .Values.cluster.name }}-managed-monitoring
   namespace: fleet-default
 spec:
   chart: "rancher-monitoring"
@@ -30,7 +30,7 @@ spec:
   version: {{ .Values.monitoring.version }}
   {{- if .Values.monitoring.values }}
   values:
-{{ toYaml .Values.monitoring.values | indent 4 }}
+    {{- toYaml .Values.monitoring.values | indent 4 }}
   {{- end }}
   diff:
     comparePatches:

charts/rancher-cluster-templates/values.yaml

@@ -29,10 +29,8 @@ rke:
 
 monitoring:
   enabled: false
-  # specify which version to install, can be semver range. If version is empty or is semver range, it will pick up the latest version.
-  # version: ""
-  # specify cutsom values set
-  # values:
+  # version: ""   # if version is empty or is semver range, the latest version will be used
+  # values:       # custom values
   #   foo: bar
 
 nodepools: []

scripts/add_helm_repo.sh

@@ -6,6 +6,7 @@ helm repo add bitnami               https://charts.bitnami.com/bitnami
 helm repo add blob-csi-driver       https://raw.githubusercontent.com/kubernetes-sigs/blob-csi-driver/master/charts
 helm repo add cloudbees             https://public-charts.artifacts.cloudbees.com/repository/public
 helm repo add elastic               https://helm.elastic.co
+helm repo add epinio                https://epinio.github.io/helm-charts
 helm repo add gitlab                https://charts.gitlab.io/
 helm repo add ingress-nginx         https://kubernetes.github.io/ingress-nginx
 helm repo add harbor                https://helm.goharbor.io
@@ -19,9 +20,11 @@ helm repo add mongodb               https://mongodb.github.io/helm-charts
 helm repo add neuvector             https://neuvector.github.io/neuvector-helm
 helm repo add open-telemetry        https://open-telemetry.github.io/opentelemetry-helm-charts
 helm repo add ory                   https://k8s.ory.sh/helm/charts
+helm repo add podinfo               https://stefanprodan.github.io/podinfo
 helm repo add prometheus-community  https://prometheus-community.github.io/helm-charts
 helm repo add promyze               https://promyze.github.io/helm-charts
 helm repo add r2devops              https://charts.r2devops.io
+helm repo add rancher-charts        https://charts.rancher.io
 helm repo add rancher-latest        https://releases.rancher.com/server-charts/latest
 helm repo add reportportal          https://reportportal.github.io/kubernetes
 helm repo add s3gw                  https://aquarist-labs.github.io/s3gw-charts