I've deployed Stigatron to our cluster, but it appears that the rancher-cluster-id-finder initContainer for stigatron-heimdall2 is unable to get the cluster id from Rancher. I'm seeing the following error

Error: rancher cluster id not found
Usage:
  rcidf id [flags]

Flags:
  -h, --help   help for id

Global Flags:
      --configmap-key string         key in configmap
       --configmap-name string        name of configmap to create
      --configmap-namespace string   namespace of configmap
       --debug                        enable debug logging
      --kubeconfig string            path to kubeconfig file
       --write-file string            path to write output

rancher cluster id not found

We are running in an environment where we have to set HTTP(S)_PROXY and NO_PROXY env vars, and I've manually added those after deploying with no luck. I also manually added the --debug flag to the initContainer, but it doesn't appear to provide any additional information.

STIG profiles for STIGATRON need to be updated with latest fixes prior to IOC.

In one of the recents updates/releases of stigatron, support for nats was added. When reviewing the upstream and public nats helm chart, there is the ability to add a private registry for the nats images. When adding the nats private registry value to the helm chart, it fails to pull the images from the carbide registry.

Are the nats images supposed to be available and a part of the carbide images registry/pipeline? If not, are we able to add the images and update default values for stigatron?

https://github.com/zackbradys/rgs-carbide/blob/b7d2e5016d719ed697304bdb82316dacc0a2ee92/fleet/carbide/stigatron/stigatron-values.yaml:

nats:
  global:
    image:
      registry: rgcrprod.azurecr.us

In my first attempt, when I modified the downstream cluster global repository, it caused a new node to be spun up. It did set the repository up on my existing node (after a rke2-restart), but then when it tried to pull a new etcd pod, it failed to find one in your registry.

With the registry setting all messed up, that new node wouldn’t come up cleanly, so I abandoned it all together.

On my other downstream cluster, instead of creating a global registry, I just added a second registry to that individual node (one node cluster) via registries.yaml.

Once the containers all came up, the following links didn’t work:
Carbide-Offline-Docs – Coming Soon
Elemental-Offline-Docs – Coming Soon
Harvester-Offline-Docs – 503, ServiceUnavailable
Hauler-Offline-Docs – 404, services not found
NeuVector-Offline-Docs – 404, services not found
Rancher-Offline-Docs – Coming Soon

Here’s the commands I ran to get this to work:

yum install -y git
curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash

cp ssh key (id_rsa)
git clone [email protected]:rancherfederal/carbide-charts.git

cd carbide-charts
#Need to specify namespace as carbide-system doesn't exist
helm upgrade --install offline-docs ./charts/offline-docs/ -n carbide-system --create-namespace

#registries.yaml:
configs:
"rgcrprod.azurecr.us":
auth:
username: internal-tester-read
password:

When disabling Carbide whitelabels, the UI reverts to Rancher Prime

Issue Description: There is a formatting mismatch of the Helm "Chart Version" for Rancher in carbide-charts/rancher when comparing to rancher-latest/rancher (and the other Rancher Helm Repos).

In the Helm Chart for Rancher in rancher-latest/rancher, the chart version is formatted as X.X.X, but in carbide-charts/rancher, the chart version is formatted as vX.X.X.

Issue Troubleshooting:

[root@ip-10-0-40-140 rocky]# helm search repo rancher-latest/rancher
NAME                    CHART VERSION   APP VERSION     DESCRIPTION                                       
rancher-latest/rancher  2.7.4           v2.7.4          Install Rancher Server to manage Kubernetes clu...

[root@ip-10-0-40-140 rocky]# helm search repo carbide-charts/rancher
NAME                    CHART VERSION   APP VERSION     DESCRIPTION                                       
carbide-charts/rancher  v2.7.3          v2.7.3          Install Rancher Server to manage Kubernetes clu...

Issue Resolution: Update the Chart Version for carbide-charts/rancher to match the upstream chart.

I've deployed the airgapped-docs chart to an RKE2 cluster that was not created by Rancher, but is managed by it. The pods appear to be healthy, and when I visit any of the links created for them, I see the following message

{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "error trying to reach service: proxy error from 127.0.0.1:9345 while dialing 10.42.0.23:80, code 503: 503 Service Unavailable",
  "reason": "ServiceUnavailable",
  "code": 503
}

Looking at the pod logs, I see a constant stream of

nginx: [warn] the "user" directive makes sense only if the master process runs with super-user privileges, ignored in /etc/nginx/nginx.conf:1
nginx: [emerg] bind() to 0.0.0.0:80 failed (13: Permission denied)

There's only one pod with this error that doesn't report as healthy, and its the neuvector-offline-docs pod, which is in a CrashLoopBackoff because of the above error.

Some background on the cluster:

• Cloud env: AWS
• Version: v1.25.8+rke2r1
• CIS profile: cis-1.23
• Image registry: ECR (manually added imagePullSecrets to grab these images, quicker than rolling nodes)

I also had to manually update the carbide-docs-system namespace with the labels

pod-security.kubernetes.io/audit: baseline
pod-security.kubernetes.io/audit-version: latest
pod-security.kubernetes.io/enforce: baseline
pod-security.kubernetes.io/enforce-version: latest
pod-security.kubernetes.io/warn: baseline
pod-security.kubernetes.io/warn-version: latest

Which is odd because I would've expected the deployment manifest to set the necessary security permissions if it's only serving docs.

Currently, we only publish the typical helm chart repository for customers. It would be really helpful and easier, for some customers, to have the ability to use OCI Artifacts for each of the Carbide Charts.

Possible implementation like rancher-cluster-templates github actions workflow.

Rancher 2.7.5 kubeVersion needs updated to support K8s < 1.27.

CC @clemenko