Merge branch 'main' into dependabot/github_actions/aws-actions/configure-aws-credentials-6

Author: matttrach

.github/workflows/fossa.yml

@@ -0,0 +1,34 @@
+name: FOSSA Scanning
+
+on:
+  push:
+    branches: ["main", "master", "release/**"]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  fossa-scanning:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+    - name: Checkout
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+
+    # The FOSSA token is shared between all repos in Rancher's GH org. It can be
+    # used directly and there is no need to request specific access to EIO.
+    - name: Read FOSSA token
+      uses: rancher-eio/read-vault-secrets@main
+      with:
+        secrets: |
+          secret/data/github/org/rancher/fossa/push token | FOSSA_API_KEY_PUSH_ONLY
+
+    - name: FOSSA scan
+      uses: fossas/fossa-action@main
+      with:
+        api-key: ${{ env.FOSSA_API_KEY_PUSH_ONLY }}
+        # Only runs the scan and do not provide/returns any results back to the
+        # pipeline.
+        run-tests: false

examples/downstream/main.tf

@@ -67,7 +67,7 @@ module "rancher" {
   # rke2
   rke2_version    = local.rke2_version
   local_file_path = local.local_file_path
-  install_method  = "rpm" # rpm only for now, need to figure out local helm chart installs otherwise
+  install_method  = "rpm"
   cni             = "canal"
   node_configuration = {
     "rancher" = {

examples/downstream_splitrole/main.tf

@@ -67,7 +67,7 @@ module "rancher" {
   # rke2
   rke2_version    = local.rke2_version
   local_file_path = local.local_file_path
-  install_method  = "rpm" # rpm only for now, need to figure out local helm chart installs otherwise
+  install_method  = "rpm"
   cni             = "canal"
   node_configuration = {
     "rancher" = {

examples/one/main.tf

@@ -56,7 +56,7 @@ module "rancher" {
   # rke2
   rke2_version    = local.rke2_version
   local_file_path = local.local_file_path
-  install_method  = "rpm" # rpm only for now, need to figure out local helm chart installs otherwise
+  install_method  = "tar" # this installs RKE using the tar method, but it isn't an air-gapped install, Rancher install still uses public helm chart
   cni             = "canal"
   node_configuration = {
     "rancher" = {

examples/prod/main.tf

@@ -87,7 +87,7 @@ module "rancher" {
   # rke2
   rke2_version    = local.rke2_version
   local_file_path = local.local_file_path
-  install_method  = "rpm" # rpm only for now, need to figure out local helm chart installs otherwise
+  install_method  = "tar" # tar install, but not air-gapped
   cni             = "canal"
   node_configuration = {
     "initial" = {

examples/three/main.tf

@@ -124,7 +124,7 @@ module "rancher" {
   # rke2
   rke2_version       = local.rke2_version
   local_file_path    = local.local_file_path
-  install_method     = "rpm" # rpm only for now, need to figure out local helm chart installs otherwise
+  install_method     = "tar" # tar install, but not air-gapped
   cni                = "canal"
   node_configuration = local.node_configuration
   # rancher

flake.lock

@@ -190,7 +190,7 @@ data "kubernetes_secret_v1" "certificate" {
 
 # we need to create the tls-ca and tls-ca-additional secrets while the rancher pod is starting up
 # the rancher pod will fail a few times, but once the secrets are in place it will start and everything will start to work
-resource "kubernetes_secret" "rancher_tls_ca" {
+resource "kubernetes_secret_v1" "rancher_tls_ca" {
   depends_on = [
     time_sleep.settle_before_rancher,
     terraform_data.wait_for_nginx,
@@ -203,7 +203,7 @@ resource "kubernetes_secret" "rancher_tls_ca" {
     name      = "tls-ca"
     namespace = "cattle-system"
   }
-  type = "generic"
+  type = "Opaque" # "generic" https://kubernetes.io/docs/concepts/configuration/secret/#secret-types
   data = {
     "cacerts.pem" = data.kubernetes_secret_v1.certificate.data["tls.crt"], # don't base64 encode
   }
@@ -214,7 +214,7 @@ resource "kubernetes_secret" "rancher_tls_ca" {
   }
 }
 
-resource "kubernetes_secret" "rancher_tls_ca_additional" {
+resource "kubernetes_secret_v1" "rancher_tls_ca_additional" {
   depends_on = [
     time_sleep.settle_before_rancher,
     terraform_data.wait_for_nginx,
@@ -227,7 +227,7 @@ resource "kubernetes_secret" "rancher_tls_ca_additional" {
     name      = "tls-ca-additional"
     namespace = "cattle-system"
   }
-  type = "generic"
+  type = "Opaque" # "generic" https://kubernetes.io/docs/concepts/configuration/secret/#secret-types
   data = {
     "ca-additional.pem" = data.kubernetes_secret_v1.certificate.data["tls.crt"], # don't base64 encode
   }
@@ -246,8 +246,8 @@ resource "terraform_data" "wait_for_rancher" {
     kubernetes_manifest.issuer,
     helm_release.rancher,
     data.kubernetes_secret_v1.certificate,
-    kubernetes_secret.rancher_tls_ca,
-    kubernetes_secret.rancher_tls_ca_additional,
+    kubernetes_secret_v1.rancher_tls_ca,
+    kubernetes_secret_v1.rancher_tls_ca_additional,
   ]
   provisioner "local-exec" {
     command = <<-EOT
@@ -268,8 +268,8 @@ resource "terraform_data" "get_public_cert_info" {
     kubernetes_manifest.issuer,
     helm_release.rancher,
     data.kubernetes_secret_v1.certificate,
-    kubernetes_secret.rancher_tls_ca,
-    kubernetes_secret.rancher_tls_ca_additional,
+    kubernetes_secret_v1.rancher_tls_ca,
+    kubernetes_secret_v1.rancher_tls_ca_additional,
     terraform_data.wait_for_rancher,
   ]
   provisioner "local-exec" {

modules/install_rancher/rancher/main.tf

@@ -109,7 +109,7 @@ resource "terraform_data" "cattle-system" {
   }
 }
 
-resource "kubernetes_secret" "tls_rancher_ingress" {
+resource "kubernetes_secret_v1" "tls_rancher_ingress" {
   depends_on = [
     time_sleep.settle_before_rancher,
     terraform_data.wait_for_nginx,
@@ -119,7 +119,7 @@ resource "kubernetes_secret" "tls_rancher_ingress" {
     name      = "tls-rancher-ingress"
     namespace = "cattle-system"
   }
-  type = "kubernetes.io/tls"
+  type = "kubernetes.io/tls" #https://kubernetes.io/docs/concepts/configuration/secret/#secret-types
   data = {
     "tls.crt" = local.full_chain,
     "tls.key" = local.private_key,
@@ -131,18 +131,18 @@ resource "kubernetes_secret" "tls_rancher_ingress" {
   }
 }
 
-resource "kubernetes_secret" "rancher_tls_ca" {
+resource "kubernetes_secret_v1" "rancher_tls_ca" {
   depends_on = [
     time_sleep.settle_before_rancher,
     terraform_data.wait_for_nginx,
     terraform_data.cattle-system,
-    kubernetes_secret.tls_rancher_ingress,
+    kubernetes_secret_v1.tls_rancher_ingress,
   ]
   metadata {
     name      = "tls-ca"
     namespace = "cattle-system"
   }
-  type = "generic"
+  type = "Opaque" #https://kubernetes.io/docs/concepts/configuration/secret/#secret-types
   data = {
     "cacerts.pem" = local.ca_certs
   }
@@ -153,19 +153,19 @@ resource "kubernetes_secret" "rancher_tls_ca" {
   }
 }
 
-resource "kubernetes_secret" "rancher_tls_ca_additional" {
+resource "kubernetes_secret_v1" "rancher_tls_ca_additional" {
   depends_on = [
     time_sleep.settle_before_rancher,
     terraform_data.wait_for_nginx,
     terraform_data.cattle-system,
-    kubernetes_secret.tls_rancher_ingress,
-    kubernetes_secret.rancher_tls_ca,
+    kubernetes_secret_v1.tls_rancher_ingress,
+    kubernetes_secret_v1.rancher_tls_ca,
   ]
   metadata {
     name      = "tls-ca-additional"
     namespace = "cattle-system"
   }
-  type = "generic"
+  type = "Opaque" #"generic" https://kubernetes.io/docs/concepts/configuration/secret/#secret-types
   data = {
     "ca-additional.pem" = local.ca_certs,
   }
@@ -182,9 +182,9 @@ resource "helm_release" "rancher" {
     time_sleep.settle_before_rancher,
     terraform_data.wait_for_nginx,
     terraform_data.cattle-system,
-    kubernetes_secret.tls_rancher_ingress,
-    kubernetes_secret.rancher_tls_ca,
-    kubernetes_secret.rancher_tls_ca_additional,
+    kubernetes_secret_v1.tls_rancher_ingress,
+    kubernetes_secret_v1.rancher_tls_ca,
+    kubernetes_secret_v1.rancher_tls_ca_additional,
   ]
   name             = "rancher"
   chart            = "${local.rancher_helm_repo}/${local.rancher_helm_channel}/rancher-${local.rancher_version}.tgz"
@@ -211,9 +211,9 @@ resource "terraform_data" "wait_for_rancher" {
     time_sleep.settle_before_rancher,
     terraform_data.wait_for_nginx,
     terraform_data.cattle-system,
-    kubernetes_secret.tls_rancher_ingress,
-    kubernetes_secret.rancher_tls_ca,
-    kubernetes_secret.rancher_tls_ca_additional,
+    kubernetes_secret_v1.tls_rancher_ingress,
+    kubernetes_secret_v1.rancher_tls_ca,
+    kubernetes_secret_v1.rancher_tls_ca_additional,
     helm_release.rancher,
   ]
   provisioner "local-exec" {
@@ -231,9 +231,9 @@ resource "terraform_data" "get_public_cert_info" {
     time_sleep.settle_before_rancher,
     terraform_data.wait_for_nginx,
     terraform_data.cattle-system,
-    kubernetes_secret.tls_rancher_ingress,
-    kubernetes_secret.rancher_tls_ca,
-    kubernetes_secret.rancher_tls_ca_additional,
+    kubernetes_secret_v1.tls_rancher_ingress,
+    kubernetes_secret_v1.rancher_tls_ca,
+    kubernetes_secret_v1.rancher_tls_ca_additional,
     helm_release.rancher,
     terraform_data.wait_for_rancher,
   ]