From 146ea71033d432250ab1c716392267d426a965b8 Mon Sep 17 00:00:00 2001 From: bryopsida <8363252+bryopsida@users.noreply.github.com> Date: Sat, 20 Apr 2024 07:57:36 -0500 Subject: [PATCH] Add pass through options for extra side cars and service ports (#53) --- ci/test-with-extra-sidecar.yaml | 83 +++++++++++++++++++ helm/wireguard/Chart.yaml | 2 +- helm/wireguard/README.md | 7 +- helm/wireguard/templates/deployment.yaml | 6 ++ .../templates/extra-config-maps.yaml | 11 +++ helm/wireguard/templates/extra-storage.yaml | 24 ++++++ helm/wireguard/templates/service.yaml | 15 ++-- helm/wireguard/values.yaml | 20 +++++ 8 files changed, 160 insertions(+), 8 deletions(-) create mode 100644 ci/test-with-extra-sidecar.yaml create mode 100644 helm/wireguard/templates/extra-config-maps.yaml create mode 100644 helm/wireguard/templates/extra-storage.yaml diff --git a/ci/test-with-extra-sidecar.yaml b/ci/test-with-extra-sidecar.yaml new file mode 100644 index 0000000..e8c3477 --- /dev/null +++ b/ci/test-with-extra-sidecar.yaml @@ -0,0 +1,83 @@ +# with host network used, a service object is not needed +service: + enabled: false +replicaCount: 1 +autoscaling: + enabled: false +deploymentStrategy: + type: "Recreate" +# create storage volumes for wg-portal sql lite database +extraStorage: + - name: wg-portal-data + storage: 8Gi + # omitting storage class and using default, if you need + # to target a particular storage class specify this + # storageClassName: some-storage-class + accessModes: + # ReadWriteOnce is used for easy testing, + # if you are going to run multiple pods this needs to be + # ReadWriteMany and you'll need a storage system that supports this + - ReadWriteOnce + volumeMode: Filesystem +# wg-portal docs use host network and NET_ADMIN +runPodOnHostNetwork: true +extraConfigMaps: + - name: wg-portal-config + data: + # this is from the sample config file in the wg-portal repo + # as a placeholder in testing + # be sure to adjust the external_url to something appropriate for your + # network + config.yml: | + advanced: + log_level: trace + + core: + admin_user: admin + admin_password: wgportal + create_default_peer: true + create_default_peer_on_creation: false + + web: + external_url: http://localhost:8888 + request_logging: true +# we need to mount/attach the storage to the pod +volumes: + - name: wg-portal-data + persistentVolumeClaim: + claimName: wg-portal-data + - name: wg-portal-config + configMap: + name: wg-portal-config +# add wg-portal side car +extraSideCars: + - name: wg-portal + image: wgportal/wg-portal + imagePullPolicy: Always + securityContext: + # wg-portal runs as root and enumerates devices + # as far as I can tell it requires high level access to the node + # to function + runAsNonRoot: false + capabilities: + add: + - NET_ADMIN + ports: + - containerPort: 8888 + protocol: TCP + name: http + # we need to mount the pod volume into the side car + volumeMounts: + - mountPath: "/app/config" + name: wg-portal-config + - mountPath: "/app/data" + name: wg-portal-data + # assuming the generated wg key secret is used + # and the default wg0.conf management is used + # need to project the following into /etc/wireguard for wg-portal + - name: config + mountPath: /etc/wireguard/wg0.conf + subPath: wg0.conf + - name: privatekey + mountPath: /etc/wireguard/privatekey + subPath: privatekey diff --git a/helm/wireguard/Chart.yaml b/helm/wireguard/Chart.yaml index 507801c..c1c2985 100644 --- a/helm/wireguard/Chart.yaml +++ b/helm/wireguard/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: wireguard description: A Helm chart for managing a wireguard vpn in kubernetes type: application -version: 0.22.0 +version: 0.23.0 appVersion: "0.0.0" maintainers: - name: bryopsida diff --git a/helm/wireguard/README.md b/helm/wireguard/README.md index b5bea21..b27efef 100644 --- a/helm/wireguard/README.md +++ b/helm/wireguard/README.md @@ -1,6 +1,6 @@ # wireguard -![Version: 0.22.0](https://img.shields.io/badge/Version-0.22.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.0](https://img.shields.io/badge/AppVersion-0.0.0-informational?style=flat-square) +![Version: 0.23.0](https://img.shields.io/badge/Version-0.23.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.0](https://img.shields.io/badge/AppVersion-0.0.0-informational?style=flat-square) A Helm chart for managing a wireguard vpn in kubernetes @@ -29,7 +29,10 @@ A Helm chart for managing a wireguard vpn in kubernetes | disablePrivateKeyManagement | bool | `false` | Disable creation and any mounting of a private key, this assumes another mechanism is provided/used at the container level to fetch the private key | | disruptionBudget.enabled | bool | `true` | | | disruptionBudget.minAvailable | int | `2` | | +| extraConfigMaps | list | `[]` | Create additional configmaps that may be used in sidecars | | extraEnv | object | `{}` | Provide additional environment variables to the wireguard container | +| extraSideCars | list | `[]` | Provide additional sidecars to the wireguard pod, these are directly attached to the pod and must be well formed ContainerSpec | +| extraStorage | list | `[]` | Create storage claims that can be used by side cars | | healthSideCar.enabled | bool | `false` | Opt in side car to expose a http health end point for external load balancers that are not kubernetes aware, in most cases this is not needed | | healthSideCar.hostPort | int | `13000` | When useHostPort is true this is the host port defined | | healthSideCar.image.pullPolicy | string | `"Always"` | Pull Policy always to avoid cached rolling tags, if you change this you should use a non rolling tag | @@ -103,6 +106,7 @@ A Helm chart for managing a wireguard vpn in kubernetes | resources.limits.memory | string | `"256Mi"` | | | resources.requests.cpu | string | `"100m"` | | | resources.requests.memory | string | `"256Mi"` | | +| runPodOnHostNetwork | bool | `false` | Run pod on host network | | runtimeClassName | string | `nil` | Override the default runtime class of the container, if not provided `runc` will most likely be used | | secretName | string | `nil` | Name of a secret with a wireguard private key on key privatekey, if not provided on first install a hook generates one. | | securityContext.allowPrivilegeEscalation | bool | `true` | | @@ -113,6 +117,7 @@ A Helm chart for managing a wireguard vpn in kubernetes | service.annotations | object | `{}` | Annotations | | service.enabled | bool | `true` | Whether the service will be created or not | | service.externalTrafficPolicy | string | `""` | External Traffic Policy for the service | +| service.extraPorts | list | `[]` | Extra ports that can be attached to the service object, these are passed directly to the port array on the service and must be well formed to the specification | | service.loadBalancerIP | string | `""` | IP to assign to the LoadBalancer service | | service.nodePort | int | `31820` | Node port, only valid with service type: NodePort | | service.port | int | `51820` | Service port, default is 51820 UDP | diff --git a/helm/wireguard/templates/deployment.yaml b/helm/wireguard/templates/deployment.yaml index 5ea10c6..3e7def9 100644 --- a/helm/wireguard/templates/deployment.yaml +++ b/helm/wireguard/templates/deployment.yaml @@ -105,6 +105,9 @@ spec: - pod-template-hash {{- end }} automountServiceAccountToken: {{ .Values.healthSideCar.enabled }} + {{- if .Values.runPodOnHostNetwork }} + hostNetwork: true + {{- end }} securityContext: fsGroup: {{ .Values.securityContext.runAsUser | default 1000 }} fsGroupChangePolicy: "OnRootMismatch" @@ -265,6 +268,9 @@ spec: hostPort: {{ .Values.healthSideCar.hostPort }} {{- end }} {{- end }} + {{- if .Values.extraSideCars }} + {{- .Values.extraSideCars | toYaml | nindent 8 }} + {{- end }} volumes: - name: run emptyDir: {} diff --git a/helm/wireguard/templates/extra-config-maps.yaml b/helm/wireguard/templates/extra-config-maps.yaml new file mode 100644 index 0000000..29b109d --- /dev/null +++ b/helm/wireguard/templates/extra-config-maps.yaml @@ -0,0 +1,11 @@ +{{- if .Values.extraConfigMaps }} +{{- range .Values.extraConfigMaps }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .name }} + namespace: {{ $.Release.Namespace }} +data: {{ .data | toYaml | nindent 2 }} +{{- end }} +{{- end }} diff --git a/helm/wireguard/templates/extra-storage.yaml b/helm/wireguard/templates/extra-storage.yaml new file mode 100644 index 0000000..0536e9e --- /dev/null +++ b/helm/wireguard/templates/extra-storage.yaml @@ -0,0 +1,24 @@ +{{- if .Values.extraStorage }} +{{- range .Values.extraStorage }} +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ .name }} + namespace: {{ $.Release.Namespace }} + annotations: + "helm.sh/resource-policy": keep +spec: + {{- if .storageClassName }} + storageClassName: {{ .storageClassName }} + {{- end }} + {{- if .volumeName }} + volumeName: {{ .volumeName }} + {{- end }} + accessModes: {{ .accessModes | toYaml | nindent 4 }} + volumeMode: {{ .volumeMode }} + resources: + requests: + storage: {{ .storage }} +{{- end }} +{{- end }} diff --git a/helm/wireguard/templates/service.yaml b/helm/wireguard/templates/service.yaml index fc561f7..1c80b68 100644 --- a/helm/wireguard/templates/service.yaml +++ b/helm/wireguard/templates/service.yaml @@ -12,12 +12,15 @@ metadata: spec: type: {{ .Values.service.type }} ports: - - name: wg - protocol: UDP - port: {{ .Values.service.port }} - targetPort: 51820 - {{- if .Values.service.type | eq "NodePort" }} - nodePort: {{ .Values.service.nodePort }} + - name: wg + protocol: UDP + port: {{ .Values.service.port }} + targetPort: 51820 + {{- if .Values.service.type | eq "NodePort" }} + nodePort: {{ .Values.service.nodePort }} + {{- end }} + {{- if .Values.service.extraPorts }} + {{- .Values.service.extraPorts | toYaml | nindent 4 }} {{- end }} selector: app: "{{ .Release.Name }}-wireguard" diff --git a/helm/wireguard/values.yaml b/helm/wireguard/values.yaml index 46ddf96..ba35430 100644 --- a/helm/wireguard/values.yaml +++ b/helm/wireguard/values.yaml @@ -30,6 +30,8 @@ keygenJob: extraEnv: {} podAnnotations: {} labels: {} +# -- Run pod on host network +runPodOnHostNetwork: false # -- Expose VPN service on hostPort useHostPort: false # -- Host port to expose the VPN service on @@ -72,6 +74,8 @@ service: loadBalancerIP: "" # -- Annotations annotations: {} + # -- Extra ports that can be attached to the service object, these are passed directly to the port array on the service and must be well formed to the specification + extraPorts: [] # -- Name of a secret with a wireguard private key on key privatekey, if not provided on first install a hook generates one. secretName: ~ replicaCount: 3 @@ -100,6 +104,22 @@ autoscaling: # -- Provide additional environment variables to the wireguard container extraEnv: {} # TEST_ENV_VAR: test-value +# -- Provide additional sidecars to the wireguard pod, these are directly attached to the pod and must be well formed ContainerSpec +extraSideCars: [] +# -- Create storage claims that can be used by side cars +extraStorage: [] +# - name: conf +# storageClassName: default +# storage: 8Gi +# accessModes: +# - ReadWriteMany +# volumeMode: Filesystem +# -- Create additional configmaps that may be used in sidecars +extraConfigMaps: [] +# - name: some-config +# data: +# key1: | +# some config file data # -- If provided, this secret will be used instead of the config created from the helm value scope configSecretName: ~ # -- The property/key on the secret holding the wireguard configuration file