Commit
1 parent
bf7ef7b
commit 1c14be6
Showing 45 changed files with 543 additions and 2 deletions.
Binary file not shown.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
annotations: | ||
catalog.cattle.io/certified: rancher | ||
catalog.cattle.io/kube-version: '>= v1.16.0-0 < v1.31.0-0' | ||
catalog.cattle.io/namespace: cattle-ui-plugin-system | ||
catalog.cattle.io/os: linux | ||
catalog.cattle.io/permits-os: linux, windows | ||
catalog.cattle.io/rancher-version: '>= 2.9.0-0' | ||
catalog.cattle.io/scope: management | ||
catalog.cattle.io/ui-component: plugins | ||
catalog.cattle.io/ui-extension-version: '>= 2.0.0' | ||
apiVersion: v2 | ||
appVersion: 2.0.0-rc.1 | ||
description: Kubewarden extension for Rancher Manager | ||
name: kubewarden | ||
type: application | ||
version: 2.0.0-rc.1 | ||
icon: >- | ||
https://raw.githubusercontent.com/kubewarden/ui/main/pkg/kubewarden/assets/icon-kubewarden.svg |
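
Review bot: The `icon` URL on the last line points at the `main` branch of `kubewarden/ui`, so the image a released chart displays can change or disappear after the release is cut. Pin it to a tag or commit, or reference the `plugin/img/icon-kubewarden.3c183b75.svg` that this commit already ships. The `kube-version`, `rancher-version` and `ui-extension-version` annotations are also repeated under `plugin.metadata` in the values file later in this commit; a comment naming which copy is authoritative would help keep the two in step.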
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
# Kubewarden Extension for Rancher Manager | ||
|
||
An extension for Rancher Manager which allows you to interact with Kubewarden. | ||
|
||
After installation, go to a cluster and you will see a new side navigation entry 'Kubewarden'. This will allow you to install Kubewarden into the cluster and manage Kubewarden resources and configuration. | ||
|
||
For more information see https://www.kubewarden.io/ |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,63 @@ | ||
{{/* | ||
Expand the name of the chart. | ||
*/}} | ||
{{- define "extension-server.name" -}} | ||
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} | ||
{{- end }} | ||
|
||
{{/* | ||
Create a default fully qualified app name. | ||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). | ||
If release name contains chart name it will be used as a full name. | ||
*/}} | ||
{{- define "extension-server.fullname" -}} | ||
{{- if .Values.fullnameOverride }} | ||
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} | ||
{{- else }} | ||
{{- $name := default .Chart.Name .Values.nameOverride }} | ||
{{- if contains $name .Release.Name }} | ||
{{- .Release.Name | trunc 63 | trimSuffix "-" }} | ||
{{- else }} | ||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} | ||
{{- end }} | ||
{{- end }} | ||
{{- end }} | ||
|
||
|
||
{{/* | ||
Create chart name and version as used by the chart label. | ||
*/}} | ||
{{- define "extension-server.chart" -}} | ||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} | ||
{{- end }} | ||
|
||
{{/* | ||
Common labels | ||
*/}} | ||
{{- define "extension-server.labels" -}} | ||
helm.sh/chart: {{ include "extension-server.chart" . }} | ||
{{ include "extension-server.selectorLabels" . }} | ||
{{- if .Chart.AppVersion }} | ||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} | ||
{{- end }} | ||
app.kubernetes.io/managed-by: {{ .Release.Service }} | ||
{{- end }} | ||
|
||
{{/* | ||
Selector labels | ||
*/}} | ||
{{- define "extension-server.selectorLabels" -}} | ||
app.kubernetes.io/name: {{ include "extension-server.name" . }} | ||
app.kubernetes.io/instance: {{ .Release.Name }} | ||
{{- end }} | ||
|
||
{{/* | ||
Pkg annotations | ||
*/}} | ||
{{- define "extension-server.pluginMetadata" -}} | ||
{{- with .Values.plugin.metadata }} | ||
{{- range $key, $value := . }} | ||
{{ $key }}: {{ $value | quote }} | ||
{{- end }} | ||
{{- end }} | ||
{{- end }} |
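
Review bot: In `extension-server.pluginMetadata` the value is piped through `quote` but `{{ $key }}` is emitted raw, so a key under `.Values.plugin.metadata` that contains `: ` or ` #` renders as different or invalid YAML. Quote the key as well (`{{ $key | quote }}: {{ $value | quote }}`) or render the whole map with `toYaml`. The `Pkg annotations` comment could also state that the output starts with a newline before each entry and is meant to be consumed with `indent`, since that is not obvious from the call site.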
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
apiVersion: catalog.cattle.io/v1 | ||
kind: UIPlugin | ||
metadata: | ||
name: {{ include "extension-server.fullname" . }} | ||
namespace: {{ .Release.Namespace }} | ||
labels: {{ include "extension-server.labels" . | nindent 4 }} | ||
spec: | ||
plugin: | ||
name: {{ include "extension-server.fullname" . }} | ||
version: {{ (semver (default .Chart.AppVersion .Values.plugin.versionOverride)).Original }} | ||
endpoint: https://raw.githubusercontent.com/rancher/kubewarden-ui/gh-pages/extensions/kubewarden/2.0.0-rc.1 | ||
noCache: {{ .Values.plugin.noCache }} | ||
noAuth: {{ .Values.plugin.noAuth }} | ||
metadata: {{ include "extension-server.pluginMetadata" . | indent 6 }} |
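
Review bot: `endpoint` is a literal ending in `2.0.0-rc.1`, while `version` is computed from `.Values.plugin.versionOverride` or `.Chart.AppVersion`, so setting `versionOverride` yields a UIPlugin whose declared version and fetched bundle path disagree. Build the path from the same value, or drop the override. The URL also resolves through the `gh-pages` branch rather than a tag or commit, so what is served under that path is not fixed by this chart; an immutable ref would make the install reproducible. This matters more if `noAuth` is ever set to true.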
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
nameOverride: "" | ||
fullnameOverride: "" | ||
plugin: | ||
enabled: true | ||
versionOverride: "" | ||
noCache: false | ||
noAuth: false | ||
metadata: | ||
catalog.cattle.io/kube-version: ">= v1.16.0-0 < v1.31.0-0" | ||
catalog.cattle.io/rancher-version: ">= 2.9.0-0" | ||
catalog.cattle.io/ui-extension-version: ">= 2.0.0" |
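
Review bot: `plugin.enabled: true` is not read by the UIPlugin template shown in this commit, which renders unconditionally, so setting it to `false` has no effect there. Either wrap that template in `{{- if .Values.plugin.enabled }}` or remove the key. `versionOverride`, `noCache` and `noAuth` would each benefit from a one-line comment saying what they change, since the file has none.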
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
plugin/assets/airgap-installation.md | ||
plugin/img/harvester.765f68bd.png | ||
plugin/img/icon-kubewarden.3c183b75.svg | ||
plugin/kubewarden-2.0.0-rc.1.umd.min.0.js | ||
plugin/kubewarden-2.0.0-rc.1.umd.min.0.js.map | ||
plugin/kubewarden-2.0.0-rc.1.umd.min.13.js | ||
plugin/kubewarden-2.0.0-rc.1.umd.min.13.js.map | ||
plugin/kubewarden-2.0.0-rc.1.umd.min.14.js | ||
plugin/kubewarden-2.0.0-rc.1.umd.min.14.js.map | ||
plugin/kubewarden-2.0.0-rc.1.umd.min.15.js | ||
plugin/kubewarden-2.0.0-rc.1.umd.min.15.js.map | ||
plugin/kubewarden-2.0.0-rc.1.umd.min.airgap-docs.js | ||
plugin/kubewarden-2.0.0-rc.1.umd.min.airgap-docs.js.map | ||
plugin/kubewarden-2.0.0-rc.1.umd.min.detail.js | ||
plugin/kubewarden-2.0.0-rc.1.umd.min.detail.js.map | ||
plugin/kubewarden-2.0.0-rc.1.umd.min.dialog.js | ||
plugin/kubewarden-2.0.0-rc.1.umd.min.dialog.js.map | ||
plugin/kubewarden-2.0.0-rc.1.umd.min.edit.js | ||
plugin/kubewarden-2.0.0-rc.1.umd.min.edit.js.map | ||
plugin/kubewarden-2.0.0-rc.1.umd.min.formatters.js | ||
plugin/kubewarden-2.0.0-rc.1.umd.min.formatters.js.map | ||
plugin/kubewarden-2.0.0-rc.1.umd.min.js | ||
plugin/kubewarden-2.0.0-rc.1.umd.min.js.map | ||
plugin/kubewarden-2.0.0-rc.1.umd.min.list.js | ||
plugin/kubewarden-2.0.0-rc.1.umd.min.list.js.map | ||
plugin/kubewarden-2.0.0-rc.1.umd.min.policyDashboard0.js | ||
plugin/kubewarden-2.0.0-rc.1.umd.min.policyDashboard0.js.map | ||
plugin/kubewarden-2.0.0-rc.1.umd.min.policyDashboard1.js | ||
plugin/kubewarden-2.0.0-rc.1.umd.min.policyDashboard1.js.map | ||
plugin/kubewarden-2.0.0-rc.1.umd.min.vendors~detail.js | ||
plugin/kubewarden-2.0.0-rc.1.umd.min.vendors~detail.js.map | ||
plugin/kubewarden-2.0.0-rc.1.umd.min.vendors~edit.js | ||
plugin/kubewarden-2.0.0-rc.1.umd.min.vendors~edit.js.map | ||
plugin/kubewarden-2.0.0-rc.1.umd.min.vendors~markdown.js | ||
plugin/kubewarden-2.0.0-rc.1.umd.min.vendors~markdown.js.map | ||
plugin/package.json |
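
Review bot: This manifest lists the minified bundles and their `.js.map` files by path only, so nothing in it lets a consumer check that what the endpoint serves matches what was built. Consider recording a digest per entry, or a checksum file next to `plugin/package.json`, and noting which build produced the `umd.min` files, since they cannot be reviewed by reading them.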
155 changes: 155 additions & 0 deletions
extensions/kubewarden/2.0.0-rc.1/plugin/assets/airgap-installation.md
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,155 @@ | ||
# Air gap installation | ||
|
||
This guide will show you how to install Kubewarden in air-gapped environments. In an air-gapped installation of Kubewarden, | ||
you will need a private OCI registry accessible by your Kubernetes cluster. Kubewarden Policies | ||
are WebAssembly modules; therefore, they can be stored inside an OCI-compliant registry as OCI artifacts. | ||
You need to add Kubewarden's images and policies to this OCI registry. Let's see how to do that. | ||
|
||
## Requirements | ||
|
||
1. Private registry that supports OCI artifacts, [here](../../distributing-policies/oci-registries-support) you can find a list of supported OCI registries. It will be used for storing the container images and policies. | ||
2. [kwctl](https://github.com/kubewarden/kwctl) 1.3.1 or above | ||
3. docker v20.10.6 or above | ||
|
||
## Save container images in your workstation | ||
|
||
1. Download `kubewarden-images.txt` from the Kubewarden [release page](https://github.com/kubewarden/helm-charts/releases/). Alternatively, the `imagelist.txt` and `policylist.txt` files are shipped inside the helm charts containing the used container images and policy wasm modules, respectively. | ||
|
||
>**Note:** Optionally, you can verify the signatures of the [helm charts](../../security/verifying-kubewarden#helm-charts) and [container images](../../security/verifying-kubewarden#container-images) | ||
2. Add `cert-manager` if it is not available in your private registry. | ||
|
||
``` | ||
helm repo add jetstack https://charts.jetstack.io | ||
helm repo update | ||
helm pull jetstack/cert-manager | ||
helm template ./cert-manager-<Version>.tgz | \ | ||
awk '$1 ~ /image:/ {print $2}' | sed s/\"//g >> ./kubewarden-images.txt | ||
``` | ||
|
||
3. Download `kubewarden-save-images.sh` and `kubewarden-load-images.sh` from the [utils repository](https://github.com/kubewarden/utils). | ||
4. Save Kubewarden container images into a .tar.gz file: | ||
|
||
``` | ||
./kubewarden-save-images.sh \ | ||
--image-list ./kubewarden-images.txt \ | ||
--images kubewarden-images.tar.gz | ||
``` | ||
|
||
Docker begins pulling the images used for an air gap install. Be patient. This process takes a few minutes. | ||
When the process completes, your current directory will output a tarball named `kubewarden-images.tar.gz`. It will be present in the same directory where you executed the command. | ||
|
||
## Save policies in your workstation | ||
|
||
1. Add all the policies you want to use in a `policies.txt` file. A file with a list of the default policies can be found in the Kubewarden defaults [release page](https://github.com/kubewarden/helm-charts/releases/) | ||
2. Download `kubewarden-save-policies.sh` and `kubewarden-load-policies.sh` from the [kwctl repository](https://github.com/kubewarden/kwctl/tree/main/scripts) | ||
3. Save policies into a .tar.gz file: | ||
|
||
``` | ||
./kubewarden-save-policies.sh --policies-list policies.txt | ||
``` | ||
|
||
kwctl downloads all the policies and stores them as `kubewarden-policies.tar.gz` archive. | ||
|
||
## Helm charts | ||
|
||
You need to download the following helm charts in your workstation: | ||
|
||
``` | ||
helm pull kubewarden/kubewarden-crds | ||
helm pull kubewarden/kubewarden-controller | ||
helm pull kubewarden/kubewarden-defaults | ||
``` | ||
|
||
Download `cert-manager` if it is not installed in the air gap cluster. | ||
|
||
``` | ||
helm pull jetstack/cert-manager | ||
``` | ||
|
||
## Populate private registry | ||
|
||
Move `kubewarden-policies.tar.gz`, `kubewarden-images.tar.gz`, `kubewarden-load-images.sh`, `kubewarden-load-policies.sh` and `policies.txt` | ||
to the air gap environment. | ||
|
||
1. Load Kubewarden images into the private registry. Docker client must be authenticated against the local registry | ||
``` | ||
./kubewarden-load-images.sh \ | ||
--image-list ./kubewarden-images.txt \ | ||
--images kubewarden-images.tar.gz \ | ||
--registry <REGISTRY.YOURDOMAIN.COM:PORT> | ||
``` | ||
2. Load Kubewarden policies into the private registry. Kwctl must be authenticated against the local registry (`kwctl` uses the same mechanism to authenticate as `docker`, a `~/.docker/config.json` file) | ||
``` | ||
./kubewarden-load-policies.sh \ | ||
--policies-list policies.txt \ | ||
--policies kubewarden-policies.tar.gz \ | ||
--registry <REGISTRY.YOURDOMAIN.COM:PORT> \ | ||
--sources-path sources.yml | ||
``` | ||
|
||
>***Caution:*** | ||
>The `sources.yaml` file is needed by kwctl to connect to registries that fall into these categories: | ||
> | ||
>* Authentication is required | ||
>* Self signed certificate is being used | ||
>* No TLS termination is done | ||
> | ||
>Please refer to [the section on custom certificate authorities](../../distributing-policies/custom-certificate-authorities.md) in our documentation to learn more about configuring the `sources.yaml` file | ||
|
||
## Install Kubewarden | ||
|
||
Let's install Kubewarden now that we have everything we need in our private registry. The only difference with a normal | ||
Kubewarden installation is that we need to change the registry in the container images and policies to our private registry. | ||
|
||
Install `cert-manager` if it is not already installed in the air gap cluster: | ||
|
||
``` | ||
helm install --create-namespace cert-manager ./cert-manager-<Version>.tgz \ | ||
-n kubewarden \ | ||
--set installCRDs=true \ | ||
--set image.repository=<REGISTRY.YOURDOMAIN.COM:PORT>/jetstack/cert-manager-controller \ | ||
--set webhook.image.repository=<REGISTRY.YOURDOMAIN.COM:PORT>/jetstack/cert-manager-webhook \ | ||
--set cainjector.image.repository=<REGISTRY.YOURDOMAIN.COM:PORT>/jetstack/cert-manager-cainjector \ | ||
--set startupapicheck.image.repository=<REGISTRY.YOURDOMAIN.COM:PORT>/jetstack/cert-manager-ctl | ||
``` | ||
|
||
Let's install the Kubewarden stack: | ||
|
||
``` | ||
helm install --wait -n kubewarden \ | ||
kubewarden-crds kubewarden-crds.tgz | ||
``` | ||
|
||
``` | ||
helm install --wait -n kubewarden \ | ||
kubewarden-controller kubewarden-controller.tgz \ | ||
--set global.cattle.systemDefaultRegistry=<REGISTRY.YOURDOMAIN.COM:PORT> | ||
``` | ||
|
||
``` | ||
helm install --wait -n kubewarden \ | ||
kubewarden-defaults kubewarden-defaults.tgz \ | ||
--set global.cattle.systemDefaultRegistry=<REGISTRY.YOURDOMAIN.COM:PORT> | ||
``` | ||
|
||
>***Caution*** | ||
>To download the recommended policies installed by the `kubewarden-defaults` Helm | ||
>Chart from a registry other than `global.cattle.systemDefaultRegistry`, you can | ||
>utilize the `recommendedPolicies.defaultPoliciesRegistry` configuration. This | ||
>configuration allows users to specify a registry dedicated to pulling the OCI | ||
>artifacts of the policies. It is particularly useful when their container image | ||
>repository does not support OCI artifacts. | ||
> | ||
>To install and wait for the installation to complete, use the following command: | ||
> | ||
>```console | ||
>helm install --wait -n kubewarden \ | ||
> kubewarden-defaults kubewarden-defaults.tgz \ | ||
> --set global.cattle.systemDefaultRegistry=<REGISTRY.YOURDOMAIN.COM:PORT> \ | ||
> --set recommendedPolicies.defaultPoliciesRegistry=<REGISTRY.YOURDOMAIN.COM:PORT> | ||
>``` | ||
> | ||
>If the `recommendedPolicies.defaultPoliciesRegistry` configuration is not set, | ||
>the `global.cattle.systemDefaultRegistry` will be used as the default registry. |
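
Review bot: The policy-load command under "Populate private registry" passes `--sources-path sources.yml`, but the caution directly below it calls the file `sources.yaml`; use one spelling so a copied command finds the file. In step 1 of "Save container images in your workstation", signature verification of the charts and images appears only as an optional side note; since the connected workstation is where the artifacts enter the air-gapped flow, it reads better as its own numbered step before the images are saved. The relative links (`../../distributing-policies/...`, `../../security/...`) point outside the files this commit adds under `plugin/`, so absolute URLs would be safer here.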
1 change: 1 addition & 0 deletions
extensions/kubewarden/2.0.0-rc.1/plugin/img/icon-kubewarden.3c183b75.svg
2 changes: 2 additions & 0 deletions
extensions/kubewarden/2.0.0-rc.1/plugin/kubewarden-2.0.0-rc.1.umd.min.0.js