Master-to-staging

content/k3s/latest/en/upgrades/_index.md

@@ -3,12 +3,22 @@ title: "Upgrades"
 weight: 25
 ---
 
-This section describes how to upgrade your K3s cluster.
+### Upgrading your K3s cluster
 
 [Upgrade basics]({{< baseurl >}}/k3s/latest/en/upgrades/basic/) describes several techniques for upgrading your cluster manually. It can also be used as a basis for upgrading through third-party Infrastructure-as-Code tools like [Terraform](https://www.terraform.io/).
 
 [Automated upgrades]({{< baseurl >}}/k3s/latest/en/upgrades/automated/) describes how to perform Kubernetes-native automated upgrades using Rancher's [system-upgrade-controller](https://github.com/rancher/system-upgrade-controller).
 
-> If Traefik is not disabled K3s versions 1.20 and earlier will have installed Traefik v1, while K3s versions 1.21 and later will install Traefik v2 if v1 is not already present.  To upgrade Traefik, please refer to the [Traefik documentation](https://doc.traefik.io/traefik/migration/v1-to-v2/) and use the [migration tool](https://github.com/traefik/traefik-migration-tool) to migrate from the older Traefik v1 to Traefik v2.
+### Version-specific caveats
 
-> The experimental embedded Dqlite data store was deprecated in K3s v1.19.1. Please note that upgrades from experimental Dqlite to experimental embedded etcd are not supported. If you attempt an upgrade it will not succeed and data will be lost.
+- **Traefik:** If Traefik is not disabled, K3s versions 1.20 and earlier will install Traefik v1, while K3s versions 1.21 and later will install Traefik v2, if v1 is not already present. To upgrade from the older Traefik v1 to Traefik v2, please refer to the [Traefik documentation](https://doc.traefik.io/traefik/migration/v1-to-v2/) and use the [migration tool](https://github.com/traefik/traefik-migration-tool).
+
+- **K3s bootstrap data:** If you are using K3s in an HA configuration with an external SQL datastore, and your server (control-plane) nodes were not started with the `--token` CLI flag, you will no longer be able to add additional K3s servers to the cluster without specifying the token. Ensure that you retain a copy of this token, as it is required when restoring from backup. Previously, K3s did not enforce the use of a token when using external SQL datastores. 
+    - The affected versions are <= v1.19.12+k3s1, v1.20.8+k3s1, v1.21.2+k3s1; the patched versions are v1.19.13+k3s1, v1.20.9+k3s1, v1.21.3+k3s1.
+
+    - You may retrieve the token value from any server already joined to the cluster as follows:
+```
+cat /var/lib/rancher/k3s/server/token
+```
+
+- **Experimental Dqlite:** The experimental embedded Dqlite data store was deprecated in K3s v1.19.1. Please note that upgrades from experimental Dqlite to experimental embedded etcd are not supported. If you attempt an upgrade, it will not succeed, and data will be lost.

content/rancher/v2.0-v2.4/en/installation/install-rancher-on-k8s/_index.md

@@ -231,7 +231,7 @@ helm install rancher rancher-<CHART_REPO>/rancher \
 If you are using a Private CA signed certificate , add `--set privateCA=true` to the command:
 
 ```
-helm install rancher rancher-latest/rancher \
+helm install rancher rancher-<CHART_REPO>/rancher \
   --namespace cattle-system \
   --set hostname=rancher.my.org \
   --set ingress.tls.source=secret \

content/rancher/v2.5/en/cluster-provisioning/hosted-kubernetes-clusters/eks/permissions/_index.md

@@ -24,6 +24,7 @@ Resource targeting uses `*` as the ARN of many of the resources created cannot b
                 "ec2:RunInstances",
                 "ec2:RevokeSecurityGroupIngress",
                 "ec2:RevokeSecurityGroupEgress",
+                "ec2:DescribeRegions",
                 "ec2:DescribeVpcs",
                 "ec2:DescribeTags",
                 "ec2:DescribeSubnets",
@@ -123,31 +124,6 @@ Resource targeting uses `*` as the ARN of many of the resources created cannot b
 
 ### Service Role Permissions
 
-Rancher will create a service role with the following trust policy:
-
-```json
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": "sts:AssumeRole",
-      "Principal": {
-        "Service": "eks.amazonaws.com"
-      },
-      "Effect": "Allow",
-      "Sid": ""
-    }
-  ]
-}
-```
-
-This role will also have two role policy attachments with the following policies ARNs:
-
-```
-arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
-arn:aws:iam::aws:policy/AmazonEKSServicePolicy
-```
-
 Permissions required for Rancher to create service role on users behalf during the EKS cluster creation process.
 
 ```json
@@ -182,36 +158,66 @@ Permissions required for Rancher to create service role on users behalf during t
 }
 ```
 
+When an EKS cluster is created, Rancher will create a service role with the following trust policy:
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "eks.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+```
+
+This role will also have two role policy attachments with the following policies ARNs:
+
+```
+arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
+arn:aws:iam::aws:policy/AmazonEKSServicePolicy
+```
+
 ### VPC Permissions
 
 Permissions required for Rancher to create VPC and associated resources.
 
 ```json
 {
-  "Sid": "VPCPermissions",
-  "Effect": "Allow",
-  "Action": [
-     "ec2:ReplaceRoute",
-     "ec2:ModifyVpcAttribute",
-     "ec2:ModifySubnetAttribute",
-     "ec2:DisassociateRouteTable",
-     "ec2:DetachInternetGateway",
-     "ec2:DescribeVpcs",
-     "ec2:DeleteVpc",
-     "ec2:DeleteTags",
-     "ec2:DeleteSubnet",
-     "ec2:DeleteRouteTable",
-     "ec2:DeleteRoute",
-     "ec2:DeleteInternetGateway",
-     "ec2:CreateVpc",
-     "ec2:CreateSubnet",
-     "ec2:CreateSecurityGroup",
-     "ec2:CreateRouteTable",
-     "ec2:CreateRoute",
-     "ec2:CreateInternetGateway",
-     "ec2:AttachInternetGateway",
-     "ec2:AssociateRouteTable"
-  ],
-  "Resource": "*"
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "VPCPermissions",
+      "Effect": "Allow",
+      "Action": [
+        "ec2:ReplaceRoute",
+        "ec2:ModifyVpcAttribute",
+        "ec2:ModifySubnetAttribute",
+        "ec2:DisassociateRouteTable",
+        "ec2:DetachInternetGateway",
+        "ec2:DescribeVpcs",
+        "ec2:DeleteVpc",
+        "ec2:DeleteTags",
+        "ec2:DeleteSubnet",
+        "ec2:DeleteRouteTable",
+        "ec2:DeleteRoute",
+        "ec2:DeleteInternetGateway",
+        "ec2:CreateVpc",
+        "ec2:CreateSubnet",
+        "ec2:CreateSecurityGroup",
+        "ec2:CreateRouteTable",
+        "ec2:CreateRoute",
+        "ec2:CreateInternetGateway",
+        "ec2:AttachInternetGateway",
+        "ec2:AssociateRouteTable"
+      ],
+      "Resource": "*"
+    }
+  ]
 }
-```
+```

content/rancher/v2.5/en/helm-charts/_index.md

@@ -50,6 +50,27 @@ From the left sidebar select _"Repositories"_.
 
 These items represent helm repositories, and can be either traditional helm endpoints which have an index.yaml, or git repositories which will be cloned and can point to a specific branch. In order to use custom charts, simply add your repository here and they will become available in the Charts tab under the name of the repository.
 
+To add a private CA for Helm Chart repositories:
+
+- **HTTP-based chart repositories**: You must add a base64 encoded copy of the CA certificate in DER format to the spec.caBundle field of the chart repo, such as `openssl x509 -outform der -in ca.pem | base64 -w0`. Click **Edit YAML** for the chart repo and set, as in the following example:</br>
+    ```
+    [...]
+    spec:
+      caBundle:
+    MIIFXzCCA0egAwIBAgIUWNy8WrvSkgNzV0zdWRP79j9cVcEwDQYJKoZIhvcNAQELBQAwPzELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMRQwEgYDVQQKDAtNeU9yZywgSW5jLjENMAsGA1UEAwwEcm9vdDAeFw0yMTEyMTQwODMyMTdaFw0yNDEwMDMwODMyMT
+    ...
+    nDxZ/tNXt/WPJr/PgEB3hQdInDWYMg7vGO0Oz00G5kWg0sJ0ZTSoA10ZwdjIdGEeKlj1NlPyAqpQ+uDnmx6DW+zqfYtLnc/g6GuLLVPamraqN+gyU8CHwAWPNjZonFN9Vpg0PIk1I2zuOc4EHifoTAXSpnjfzfyAxCaZsnTptimlPFJJqAMj+FfDArGmr4=
+    [...]
+    ```
+
+- **Git-based chart repositories**: It is not currently possible to add a private CA. For git-based chart repositories with a certificate signed by a private CA, you must disable TLS verification. Click **Edit YAML** for the chart repo, and add the key/value pair as follows: 
+    ```
+    [...]
+    spec:
+      insecureSkipTLSVerify: true
+    [...]
+    ```
+
 > **Note:** Helm chart repositories with authentication
 >
 > As of Rancher v2.5.12, a new value `disableSameOriginCheck` has been added to the Repo.Spec. This allows users to bypass the same origin checks, sending the repository Authentication information as a Basic Auth Header with all API calls. This is not recommended but can be used as a temporary solution in cases of non-standard Helm chart repositories such as those that have redirects to a different origin URL. 
@@ -61,7 +82,7 @@ These items represent helm repositories, and can be either traditional helm endp
 spec:
   disableSameOriginCheck: true
 [...]
-```
+```    
 
 ### Helm Compatibility
 

content/rancher/v2.5/en/installation/install-rancher-on-k8s/_index.md

@@ -245,7 +245,7 @@ helm install rancher rancher-<CHART_REPO>/rancher \
 If you are using a Private CA signed certificate , add `--set privateCA=true` to the command:
 
 ```
-helm install rancher rancher-latest/rancher \
+helm install rancher rancher-<CHART_REPO>/rancher \
   --namespace cattle-system \
   --set hostname=rancher.my.org \
   --set ingress.tls.source=secret \

content/rancher/v2.5/en/monitoring-alerting/configuration/servicemonitor-podmonitor/_index.md

@@ -26,6 +26,6 @@ For more information about how ServiceMonitors work, refer to the [Prometheus Op
 
 This pseudo-CRD maps to a section of the Prometheus custom resource configuration. It declaratively specifies how group of pods should be monitored. 
 
-When a PodMonitor is created, the Prometheus Operator updates the Prometheus scrape configuration to include the PodMonitor configuration. Then Prometheus begins scraping metrics from the endpoint defined in the ServiceMonitor.
+When a PodMonitor is created, the Prometheus Operator updates the Prometheus scrape configuration to include the PodMonitor configuration. Then Prometheus begins scraping metrics from the endpoint defined in the PodMonitor.
 
 Any Pods in your cluster that match the labels located within the PodMonitor `selector` field will be monitored based on the `podMetricsEndpoints` specified on the PodMonitor. For more information on what fields can be specified, please look at the [spec](https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#podmonitorspec) provided by Prometheus Operator.

content/rancher/v2.6/en/cluster-provisioning/hosted-kubernetes-clusters/eks/permissions/_index.md

@@ -24,6 +24,7 @@ Resource targeting uses `*` as the ARN of many of the resources created cannot b
                 "ec2:RunInstances",
                 "ec2:RevokeSecurityGroupIngress",
                 "ec2:RevokeSecurityGroupEgress",
+                "ec2:DescribeRegions",
                 "ec2:DescribeVpcs",
                 "ec2:DescribeTags",
                 "ec2:DescribeSubnets",
@@ -123,31 +124,6 @@ Resource targeting uses `*` as the ARN of many of the resources created cannot b
 
 ### Service Role Permissions
 
-Rancher will create a service role with the following trust policy:
-
-```json
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Action": "sts:AssumeRole",
-      "Principal": {
-        "Service": "eks.amazonaws.com"
-      },
-      "Effect": "Allow",
-      "Sid": ""
-    }
-  ]
-}
-```
-
-This role will also have two role policy attachments with the following policies ARNs:
-
-```
-arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
-arn:aws:iam::aws:policy/AmazonEKSServicePolicy
-```
-
 Permissions required for Rancher to create service role on users behalf during the EKS cluster creation process.
 
 ```json
@@ -182,36 +158,66 @@ Permissions required for Rancher to create service role on users behalf during t
 }
 ```
 
+When an EKS cluster is created, Rancher will create a service role with the following trust policy:
+
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "eks.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+```
+
+This role will also have two role policy attachments with the following policies ARNs:
+
+```
+arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
+arn:aws:iam::aws:policy/AmazonEKSServicePolicy
+```
+
 ### VPC Permissions
 
 Permissions required for Rancher to create VPC and associated resources.
 
 ```json
 {
-  "Sid": "VPCPermissions",
-  "Effect": "Allow",
-  "Action": [
-     "ec2:ReplaceRoute",
-     "ec2:ModifyVpcAttribute",
-     "ec2:ModifySubnetAttribute",
-     "ec2:DisassociateRouteTable",
-     "ec2:DetachInternetGateway",
-     "ec2:DescribeVpcs",
-     "ec2:DeleteVpc",
-     "ec2:DeleteTags",
-     "ec2:DeleteSubnet",
-     "ec2:DeleteRouteTable",
-     "ec2:DeleteRoute",
-     "ec2:DeleteInternetGateway",
-     "ec2:CreateVpc",
-     "ec2:CreateSubnet",
-     "ec2:CreateSecurityGroup",
-     "ec2:CreateRouteTable",
-     "ec2:CreateRoute",
-     "ec2:CreateInternetGateway",
-     "ec2:AttachInternetGateway",
-     "ec2:AssociateRouteTable"
-  ],
-  "Resource": "*"
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid": "VPCPermissions",
+      "Effect": "Allow",
+      "Action": [
+        "ec2:ReplaceRoute",
+        "ec2:ModifyVpcAttribute",
+        "ec2:ModifySubnetAttribute",
+        "ec2:DisassociateRouteTable",
+        "ec2:DetachInternetGateway",
+        "ec2:DescribeVpcs",
+        "ec2:DeleteVpc",
+        "ec2:DeleteTags",
+        "ec2:DeleteSubnet",
+        "ec2:DeleteRouteTable",
+        "ec2:DeleteRoute",
+        "ec2:DeleteInternetGateway",
+        "ec2:CreateVpc",
+        "ec2:CreateSubnet",
+        "ec2:CreateSecurityGroup",
+        "ec2:CreateRouteTable",
+        "ec2:CreateRoute",
+        "ec2:CreateInternetGateway",
+        "ec2:AttachInternetGateway",
+        "ec2:AssociateRouteTable"
+      ],
+      "Resource": "*"
+    }
+  ]
 }
-```
+```