updates for rancher 2.9.3 (#240)

Signed-off-by: Adam Martin <adam.martin@ranchergovernment.com>

README.md

@@ -4,9 +4,9 @@
 
 ```bash
 NAME                            CHART VERSION   APP VERSION     DESCRIPTION
-carbide-charts/airgapped-docs   0.1.51          0.1.6           Rancher Government Airgapped Docs
+carbide-charts/airgapped-docs   0.1.53          0.1.7           Rancher Government Airgapped Docs
 carbide-charts/heimdall2        0.1.45          0.1.1           Rancher Government Heimdall2 Tool
-carbide-charts/rancher          2.9.2           v2.9.2          Install Rancher Server to manage Kubernetes...
+carbide-charts/rancher          2.9.3           v2.9.3          Install Rancher Server to manage Kubernetes...
 carbide-charts/stigatron        0.2.5           0.2.2           Rancher Government Stigatron Extension
 carbide-charts/stigatron-ui     0.2.3           0.2.0           Rancher Government Stigatron UI Extension
 ```

charts/rancher/Chart.yaml

@@ -1,9 +1,9 @@
 apiVersion: v2
 name: rancher
 description: Install Rancher Server to manage Kubernetes clusters across providers
-version: 2.8.9
-appVersion: v2.8.9
-kubeVersion: < 1.29.0-0
+version: 2.9.3
+appVersion: v2.9.3
+kubeVersion: < 1.31.0-0
 home: https://rancher.com
 icon: https://github.com/rancher/ui/blob/master/public/assets/images/logos/welcome-cow.svg
 keywords:

charts/rancher/templates/_helpers.tpl

@@ -77,31 +77,6 @@ add below linux tolerations to workloads could be scheduled to those linux nodes
 {{- end -}}
 {{- end -}}
 
-{{/*
-Define the chosen value for PSPs. If this value is "", then the user did not set the value. This will
-result in psps on <=1.24 and no psps on >=1.25. If the value is true/false, then the user specifically
-chose an option, and that option will be used. If it is set otherwise, then we fail so the user can correct
-the invalid value.
-*/}}
-
-{{- define "rancher.chart_psp_enabled" -}}
-{{- if kindIs "bool" .Values.global.cattle.psp.enabled -}}
-{{ .Values.global.cattle.psp.enabled }}
-{{- else if empty .Values.global.cattle.psp.enabled -}}
-  {{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
-    {{- if (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") -}}
-true
-    {{- else -}}
-false
-    {{- end -}}
-  {{- else -}}
-true
-  {{- end -}}
-{{- else -}}
-{{- fail "Invalid value for .Values.global.cattle.psp.enabled - must be a bool of true, false, or \"\"" -}}
-{{- end -}}
-{{- end -}}
-
 {{/*
     Select correct auditLog image
 */}}

charts/rancher/templates/deployment.yaml

@@ -227,16 +227,8 @@ spec:
 {{- if eq .Values.auditLog.destination "sidecar" }}
   {{- if gt (int .Values.auditLog.level) 0 }}
       # Make audit logs available for Rancher log collector tools.
-      {{- if .Values.busyboxImage }}
-      - image: {{ .Values.busyboxImage}}
-      {{- else }}
-      - image: {{ .Values.auditLog.image.repository }}:{{.Values.auditLog.image.tag}}
-      {{- end }}
-      {{- if .Values.busyboxImagePullPolicy }}
-        imagePullPolicy: {{ .Values.busyboxImagePullPolicy }}
-      {{- else }}
-        imagePullPolicy: {{ .Values.auditLog.image.pullPolicy }}
-      {{- end }}
+      - image: {{ include "auditLog_image" . }}
+        imagePullPolicy: {{ default .Values.auditLog.image.pullPolicy .Values.busyboxImagePullPolicy }}
         name: {{ template "rancher.name" . }}-audit-log
         command: ["tail"]
         args: ["-F", "/var/log/auditlog/rancher-api-audit.log"]

charts/rancher/templates/post-delete-hook-cluster-role.yaml

@@ -30,14 +30,6 @@ rules:
   - apiGroups: [ "admissionregistration.k8s.io" ]
     resources: [ "validatingwebhookconfigurations", "mutatingwebhookconfigurations" ]
     verbs: [ "get", "list", "delete" ]
-  - apiGroups: [ "policy" ]
-    resources: [ "podsecuritypolicies" ]
-    verbs: ["delete", "create" ]
-{{- if eq (include "rancher.chart_psp_enabled" . ) "true" }}
-  - apiGroups: [ "policy" ]
-    resources: [ "podsecuritypolicies" ]
-    verbs: [ "use"]
-{{- end }}
   - apiGroups: [ "networking.k8s.io" ]
     resources: [ "ingresses" ]
     verbs: [ "delete" ]

charts/rancher/values.yaml

@@ -6,11 +6,11 @@ additionalTrustedCAs: false
 antiAffinity: preferred
 topologyKey: kubernetes.io/hostname
 
-# Audit Logs https://rancher.com/docs/rancher/v2.x/en/installation/api-auditing/
+# Audit Logs
+# Source: https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-api-audit-log
 # The audit log is piped to the console of the rancher-audit-log container in the rancher pod.
-# https://rancher.com/docs/rancher/v2.x/en/installation/api-auditing/
-# destination stream to sidecar container console or hostPath volume
-# level: Verbosity of logs, 0 to 3. 0 is off 3 is a lot.
+# level: Verbosity of logs, 0 to 3. 0 is off, 3 most verbose.
+# Docs: https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/enable-api-audit-log#audit-log-levels
 auditLog:
   destination: sidecar
   hostPath: /var/log/rancher/audit/
@@ -23,7 +23,7 @@ auditLog:
   # Important: update pkg/image/export/resolve.go when this default image is changed, so that it's reflected accordingly in rancher-images.txt generated for air-gapped setups.
   image:
     repository: "rancher/mirrored-bci-micro"
-    tag: 15.4.14.3
+    tag: 15.6.24.2
     # Override imagePullPolicy image
     # options: Always, Never, IfNotPresent
     pullPolicy: "IfNotPresent"
@@ -163,7 +163,7 @@ postDelete:
   enabled: true
   image:
     repository: rancher/shell
-    tag: v0.1.26
+    tag: v0.2.2
   namespaceList:
     - cattle-fleet-system
     - cattle-system
@@ -190,13 +190,6 @@ readinessProbe:
   periodSeconds: 30
   failureThreshold: 5
 
-global:
-   cattle:
-     psp:
-       # will default to true on 1.24 and below, and false for 1.25 and above
-       # can be changed manually to true or false to bypass version checks and force that option
-       enabled: ""
-
 # helm values to use when installing the rancher-webhook chart.
 # helm values set here will override all other global values used when installing the webhook such as priorityClassName and systemRegistry settings.
 webhook: ""