From 4ed7ef311004e2f7767f34dffa98009a68f13505 Mon Sep 17 00:00:00 2001
From: Stavros Kois <47820033+stavros-k@users.noreply.github.com>
Date: Fri, 28 Oct 2022 02:06:40 +0300
Subject: [PATCH] fix(kasm): rework (#4208)

---
 charts/incubator/kasm/Chart.yaml | 4 +-
 charts/incubator/kasm/questions.yaml | 121 +++++------
 charts/incubator/kasm/values.yaml | 63 ++++--
 charts/incubator/meshcentral/Chart.yaml | 2 +-
 charts/incubator/meshcentral/questions.yaml | 214 ++++++++++++++------
 charts/incubator/meshcentral/values.yaml | 19 +-
 6 files changed, 264 insertions(+), 159 deletions(-)

diff --git a/charts/incubator/kasm/Chart.yaml b/charts/incubator/kasm/Chart.yaml
index 6a4530ae278..e9eaf764df8 100644
--- a/charts/incubator/kasm/Chart.yaml
+++ b/charts/incubator/kasm/Chart.yaml
@@ -9,7 +9,7 @@ dependencies:
 repository: https://library-charts.truecharts.org
 version: 10.7.7
 deprecated: false
-description: "Kasm(https://www.kasmweb.com/) Workspaces is a Chart container streaming platform for delivering browser-based access to desktops, applications, and web services. Kasm uses devops-enabled Containerized Desktop Infrastructure (CDI) to create on-demand, disposable, Chart Charts that are accessible via web browser. Example use-cases include Remote Browser Isolation (RBI), Data Loss Prevention (DLP), Desktop as a Service (DaaS), Secure Remote Access Services (RAS), and Open Source Intelligence (OSINT) collections.\n"
+description: Kasm Workspaces is a streaming platform for delivering browser-based access to desktops, applications, and web services.
 home: https://truecharts.org/docs/charts/incubator/kasm
 icon: https://truecharts.org/img/hotlink-ok/chart-icons/kasm.png
 keywords:
@@ -27,4 +27,4 @@ sources:
 - https://github.com/orgs/linuxserver/packages/container/package/kasm
 - https://github.com/linuxserver/docker-kasm#readme
 type: application
-version: 0.0.42
+version: 1.0.0
diff --git a/charts/incubator/kasm/questions.yaml b/charts/incubator/kasm/questions.yaml index c97483400e9..4ce3b06f97f 100644 --- a/charts/incubator/kasm/questions.yaml +++ b/charts/incubator/kasm/questions.yaml @@ -2,6 +2,13 @@ portals: open: # Include{portalLink} + admin: + protocols: + - "$kubernetes-resource_configmap_portal_protocol" + host: + - "$kubernetes-resource_configmap_portal_host" + ports: + - "$variable-service.admin.ports.admin.port" questions: # Include{global} # Include{controller} 
@@ -12,42 +19,31 @@ questions: # Include{recreate} # Include{controllerExpert} # Include{controllerExpertExtraArgs} - - variable: env - group: "Container Configuration" - label: "Image Environment" + - variable: secretEnv + group: Container Configuration + label: Image Secrets schema: additional_attrs: true type: dict attrs: - - variable: KASM_PORT - label: "KASM_PORT" - description: "Specify the port you bind to the outside for Kasm Workspaces." - schema: - type: string - default: "" - variable: DOCKER_HUB_USERNAME - label: "DOCKER_HUB_USERNAME" - description: "Optionally specify a DockerHub Username to pull private images." + label: Docker Hub Username + description: Optionally specify a DockerHub Username to pull private images. schema: type: string default: "" - variable: DOCKER_HUB_PASSWORD - label: "DOCKER_HUB_PASSWORD" - description: "Optionally specify a DockerHub password to pull private images." - schema: - type: string - default: "" - - variable: UMASK - label: "UMASK" - description: "Container Variable UMASK" + label: Docker Hub Password + description: Optionally specify a DockerHub password to pull private images. schema: type: string + private: true default: "" # Include{containerConfig} # Include{serviceRoot} - variable: main - label: "Main Service" - description: "The Primary service on which the healthcheck runs, often the webUI" + label: Main Service + description: The Primary service on which the healthcheck runs, often the webUI schema: additional_attrs: true type: dict 
@@ -55,71 +51,62 @@ questions: # Include{serviceSelectorLoadBalancer} # Include{serviceSelectorExtras} - variable: main - label: "Main Service Port Configuration" + label: Main Service Port Configuration schema: additional_attrs: true type: dict attrs: - variable: port - label: "Port" - description: "This port exposes the container port on the service" + label: Port + description: This port exposes the container port on the service schema: type: int - default: 3000 + default: 10350 required: true -# Include{advancedPortHTTP} +# Include{advancedPortHTTPS} - variable: targetPort - label: "Target Port" - description: "The internal(!) port on the container the Application runs on" + label: Target Port + description: The internal(!) port on the container the Application runs on schema: type: int - default: 3000 - - variable: port6333 - label: 'port6333 service' - description: "Kasm Workspaces interface. (https)" + default: 10350 + - variable: admin + label: Admin Service + description: The Admin service schema: additional_attrs: true type: dict attrs: # Include{serviceSelectorLoadBalancer} # Include{serviceSelectorExtras} - - variable: port6333 - label: "port6333 Service Port Configuration" + - variable: admin + label: Admin Service Port Configuration schema: additional_attrs: true type: dict attrs: - variable: port - label: "Port" - description: "This port exposes the container port on the service" + label: Port + description: This port exposes the container port on the service schema: type: int - default: 6333 + default: 10351 required: true -# Include{advancedPortTCP} +# Include{advancedPortHTTPS} - variable: targetPort - label: "Target Port" - description: "The internal(!) port on the container the Application runs on" + label: Target Port + description: The internal(!) 
port on the container the Application runs on schema: type: int - default: 6333 + default: 3000 # Include{serviceExpertRoot} default: false # Include{serviceExpert} # Include{serviceList} # Include{persistenceRoot} - - variable: pathopt - label: "pathopt Storage" - description: "Docker and installation storage. (requires mntcacheappdatapath or direct disk mount)" - schema: - additional_attrs: true - type: dict - attrs: -# Include{persistenceBasic} -# Include{persistenceAdvanced} - - variable: pathprofiles - label: "pathprofiles Storage" - description: "Optionally specify a path for persistent profile storage." + - variable: data + label: Data Storage + description: /opt Storage schema: additional_attrs: true type: dict @@ -129,7 +116,7 @@ questions: # Include{persistenceList} # Include{ingressRoot} - variable: main - label: "Main Ingress" + label: Main Ingress schema: additional_attrs: true type: dict 
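Review bot: The new `admin` service entry carries only `description: The Admin service`, which tells a deployer nothing about what is reachable there; its `targetPort` defaults to 3000 and the kasm values.yaml hunk of this patch points all three probes at `service.admin.ports.admin.targetPort`, so the description should say that, e.g. `description: Kasm admin web UI (HTTPS, container port 3000); the chart's liveness/readiness/startup probes target this port.` The `main` service description is unchanged although its default port moved from 3000 to 10350 and its include switched to `advancedPortHTTPS`; a short note that this port is also what `KASM_PORT` is rendered from in values.yaml would make the pairing visible. The enclosing `questions` list continues outside this hunk.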
@@ -142,45 +129,45 @@ questions: # Include{security} # Include{securityContextAdvancedRoot} - variable: privileged - label: "Privileged mode" + label: Privileged mode schema: type: boolean - default: false + default: true - variable: readOnlyRootFilesystem - label: "ReadOnly Root Filesystem" + label: ReadOnly Root Filesystem schema: type: boolean default: false - variable: allowPrivilegeEscalation - label: "Allow Privilege Escalation" + label: Allow Privilege Escalation schema: type: boolean - default: false + default: true - variable: runAsNonRoot - label: "runAsNonRoot" + label: runAsNonRoot schema: type: boolean default: false # Include{securityContextAdvanced} # Include{podSecurityContextRoot} - variable: runAsUser - label: "runAsUser" - description: "The UserID of the user running the application" + label: runAsUser + description: The UserID of the user running the application schema: type: int default: 0 - variable: runAsGroup - label: "runAsGroup" - description: The groupID this App of the user running the application" + label: runAsGroup + description: The groupID this App of the user running the application schema: type: int default: 0 - variable: fsGroup - label: "fsGroup" - description: "The group that should own ALL storage." + label: fsGroup + description: The group that should own ALL storage. schema: type: int - default: 568 + default: 0 # Include{podSecurityContextAdvanced} # Include{resources} # Include{advanced} diff --git a/charts/incubator/kasm/values.yaml b/charts/incubator/kasm/values.yaml index 4faf188c1ee..6fc020ddda5 100644 --- a/charts/incubator/kasm/values.yaml +++ b/charts/incubator/kasm/values.yaml 
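Review bot: `privileged` and `allowPrivilegeEscalation` now default to `true` and `fsGroup` drops from 568 to 0, and the same defaults are set in the kasm values.yaml hunk of this patch, yet neither file carries a word on why; a privileged root container has access to the node's devices and kernel interfaces, so the deployer should be told this is a hard requirement of the app rather than a tunable. Add a description to the `privileged` question, e.g. `description: Kasm requires a privileged root container and will not start without it; leave enabled.` and a matching `#` comment above `privileged: true` in values.yaml. The reason is only inferred here from the removed "Docker and installation storage" wording of the old `pathopt` question, so confirm the justification against the upstream image documentation linked in Chart.yaml before adopting it.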
@@ -1,40 +1,61 @@ -env: - DOCKER_HUB_PASSWORD: "" - DOCKER_HUB_USERNAME: "" - KASM_PORT: "" - UMASK: "" image: pullPolicy: IfNotPresent repository: tccr.io/truecharts/kasm - tag: latest@sha256:73ea3cf977959343c4d6812e234ebc99453c6934f512f7bda51a38ffe965c562 -persistence: - pathopt: - enabled: true - mountPath: /opt - pathprofiles: - enabled: true - mountPath: /profiles + tag: 1.1.0@sha256:fe25f667de3f1e4c1d5774c9108216dc433ea621516df8e9138eeb517858aeca + podSecurityContext: runAsGroup: 0 runAsUser: 0 + fsGroup: 0 + securityContext: readOnlyRootFilesystem: false runAsNonRoot: false + allowPrivilegeEscalation: true + privileged: true + +secretEnv: + DOCKER_HUB_PASSWORD: "" + DOCKER_HUB_USERNAME: "" + +env: + KASM_PORT: "{{ .Values.service.main.ports.main.port }}" + +probes: + liveness: + type: HTTPS + path: / + port: "{{ .Values.service.admin.ports.admin.targetPort }}" + readiness: + type: HTTPS + path: / + port: "{{ .Values.service.admin.ports.admin.targetPort }}" + startup: + type: HTTPS + path: / + port: "{{ .Values.service.admin.ports.admin.targetPort }}" + service: main: ports: main: - port: 3000 - protocol: HTTP - targetPort: 3000 - port6333: + port: 10350 + protocol: HTTPS + admin: enabled: true ports: - port6333: + admin: enabled: true - port: 6333 - protocol: TCP - targetPort: 6333 + port: 10351 + protocol: HTTPS + targetPort: 3000 + +persistence: + data: + enabled: true + mountPath: /opt + varrun: + enabled: true portal: enabled: true diff --git a/charts/incubator/meshcentral/Chart.yaml b/charts/incubator/meshcentral/Chart.yaml index 3de535c3287..c012bdecb3e 100644 --- a/charts/incubator/meshcentral/Chart.yaml +++ b/charts/incubator/meshcentral/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 kubeVersion: ">=1.16.0-0" name: meshcentral appVersion: "1.0.90" -version: 5.0.12 +version: 5.0.13 description: MeshCentral is a full computer management web site type: application deprecated: false 
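Review bot: `persistence.varrun` is enabled with no `mountPath` and no `type`, unlike `data` directly above it; unless the common chart supplies defaults for a key named `varrun`, this declares a volume that is never mounted where the in-container Docker runtime (mentioned by the removed `pathopt` description in questions.yaml) would expect `/var/run`. Either add `mountPath: /var/run` under `varrun` or a comment naming where the default comes from, e.g. `# mountPath/type are defaulted by the common chart's varrun entry — TODO confirm`. The `secretEnv` / `env` split is also undocumented: a one-line comment that `secretEnv` values are rendered into a Secret and that `KASM_PORT` is derived from `service.main.ports.main.port` (so the two must not be edited independently) would save the next maintainer a template dive.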
diff --git a/charts/incubator/meshcentral/questions.yaml b/charts/incubator/meshcentral/questions.yaml index f04b34b459e..2c11f0e86f6 100644 --- a/charts/incubator/meshcentral/questions.yaml +++ b/charts/incubator/meshcentral/questions.yaml @@ -37,18 +37,21 @@ questions: description: Set this to the primary DNS name of this MeshCentral server. schema: type: string + required: true default: "" - variable: tlsOffload label: tlsOffload description: When true, indicates that a TLS offloader is in front of the MeshCentral server. More typically, set this to the IP address of the reverse proxy or TLS offloader so that IP forwarding headers will be trusted. For example traefik.ix-traefik.svc.cluster.local schema: type: string + required: true default: "" - variable: trustedProxy label: trustedProxy description: Trust forwarded headers from these IPs or domains. Providing the magic string "CloudFlare" will cause the server to download the IP address list of trusted CloudFlare proxies directly from CloudFlare on each server start. For example traefik.ix-traefik.svc.cluster.local schema: type: string + required: true default: "" - variable: WANonly label: WANonly 
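Review bot: `required: true` is added to `tlsOffload` and `trustedProxy` while their defaults remain `""`, which, if the UI treats required as must-be-non-empty as it presumably does for `hostname`, forces every deployer to name a proxy even when nothing sits in front of MeshCentral; a value typed in only to satisfy the form becomes an address whose forwarded client-IP headers are trusted. Keep `required: true` on `hostname` only, or extend the two descriptions to state that the value is mandatory and must name only the proxy actually fronting the server, e.g. `... Only the proxy that actually terminates TLS for this server should be listed; any address here is trusted to set client-IP headers.` The `required: true` additions in the later int-valued hunks are harmless since their defaults are non-empty.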
@@ -121,30 +124,35 @@ questions: description: When specified, sends data to the browser at x seconds interval and expects a response from the browser. schema: type: int + required: true default: -99 - variable: browserPong label: browserPong description: When specified, sends data to the browser at x seconds interval. schema: type: int + required: true default: -99 - variable: agentPing label: agentPing description: When specified, sends data to the agent at x seconds interval and expects a response from the agent. schema: type: int + required: true default: -99 - variable: agentPong label: agentPong description: When specified, sends data to the agent at x seconds interval. schema: type: int + required: true default: -99 - variable: agentIdleTimeout label: agentIdleTimeout description: How much time in seconds with no traffic from an agent before dropping the agent connection. schema: type: int + required: true default: -99 - variable: maxInvalidLogin label: Section @@ -157,18 +165,21 @@ questions: description: Time in minutes over which the a maximum number of invalid login attempts is allowed from an IP address. schema: type: int + required: true default: 10 - variable: count label: count description: Maximum number of invalid login attempts from an IP address in the time period. schema: type: int + required: true default: 10 - variable: coolofftime label: coolofftime description: Additional time in minute that login attempts will be denied once the invalid login limit is reached. schema: type: int + required: true default: 30 - variable: exclude label: exclude 
@@ -187,18 +198,21 @@ questions: description: Time in minutes over which the a maximum number of invalid 2FA attempts is allowed from an IP address. schema: type: int + required: true default: 10 - variable: count label: count description: Maximum number of invalid 2FA attempts from an IP address in the time period. schema: type: int + required: true default: 10 - variable: coolofftime label: coolofftime description: Additional time in minute that 2FA attempts will be denied once the invalid login limit is reached. schema: type: int + required: true default: 30 - variable: exclude label: exclude @@ -231,8 +245,9 @@ questions: type: string private: true default: "" - - variable: setupWebDav + - variable: _setupWebDav label: Backup to Web DAV + description: Enabled automated upload of the server backups to a WebDAV account. schema: type: boolean default: false 
@@ -299,6 +314,73 @@ questions: schema: type: boolean default: false + - variable: _setupMessaging + label: Setup Messaging + description: This section allow MeshCentral to send messages over user messaging networks like Discord + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: messaging + label: Section + schema: + additional_attrs: true + type: dict + attrs: + - variable: _setupTelegram + label: Setup Telegram + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: telegram + label: telegram + description: Configure Telegram messaging system + schema: + additional_attrs: true + type: dict + attrs: + - variable: apiid + label: apiid + schema: + type: string + default: "" + - variable: apihash + label: apihash + schema: + type: string + default: "" + - variable: session + label: session + schema: + type: string + default: "" + - variable: _setupDiscord + label: Setup Discord + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: discord + label: discord + description: Configure Discord messaging system + schema: + additional_attrs: true + type: dict + attrs: + - variable: serverurl + label: serverurl + schema: + type: string + default: "" + - variable: token + label: token + schema: + type: string + default: "" - variable: domains label: Section schema: @@ -316,7 +398,7 @@ questions: description: HTTPS URL when to get the TLS certificate that MeshAgent's will see when connecting to this server. This setting is used when a reverse proxy like Traefik is used in front of MeshCentral. schema: type: string - # required: true + required: true default: "" - variable: title label: title 
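Review bot: `apihash`, `session` and `token` under the new Telegram and Discord sections are plain `type: string` fields, while this file marks comparable credentials with `private: true` (the `type: string` / `private: true` / `default: ""` field visible in the preceding hunk); a Discord bot token or a Telegram session string rendered like an ordinary setting is presumably shown in the clear wherever that flag would have masked it. Add `private: true` under `schema` for `apihash`, `session` and `token` (and arguably `apiid`), matching the existing convention. The `certUrl` hunk that follows only uncomments `required: true` and needs nothing further.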
@@ -324,14 +406,14 @@ questions:
 schema:
 type: string
 required: true
- default: TrueCharts MeshCentral
+ default: MeshCentral
 - variable: title2
 label: title2
 description: Secondary title text that is placed on the upper right on the title on many web pages.
 schema:
 type: string
 required: true
- default: TrueCharts MeshCentral
+ default: TrueCharts
 - variable: welcomeText
 label: welcomeText
 description: Text that will be shown on the login screen.
@@ -417,66 +499,74 @@ questions: schema: type: boolean default: true - - variable: agentCustomization - label: Section + - variable: _setupAgentCustomization + label: Setup Agent Customization + description: Use this section to customize the agent branding. schema: - additional_attrs: true - type: dict - attrs: - - variable: displayName - label: displayName - description: The name of the agent as displayed to the user. + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: agentCustomization + label: Section schema: - type: string - default: MeshCentral Agent - - variable: description - label: description - description: The description of the agent as displayed to the user. - schema: - type: string - default: Mesh Agent Background Service - - variable: companyName - label: companyName - description: This will be used as the path to install the agent, by default this is 'Mesh Agent' in Windows and 'meshagent' in other OS's. - schema: - type: string - default: Mesh Agent - - variable: serviceName - label: serviceName - description: The name of the background service, by default this is 'Mesh Agent' in Windows and 'meshagent' in other OS's but should be set to an all lower case, no space string. - schema: - type: string - default: Mesh Agent - - variable: installText - label: installText - description: Text string to show in the agent installation dialog box. - schema: - type: string - default: "" - - variable: image - label: image - description: The filename of a image file in .png format located in meshcentral-data to display in the MeshCentral Agent installation dialog, image should be square and from 64x64 to 200x200. - schema: - type: string - default: "" - - variable: fileName - label: fileName - description: The agent filename. 
- schema: - type: string - default: meshagent - - variable: foregroundColor - label: foregroundColor - description: 'Foreground text color, valid values are RBG in format 0,0,0 to 255,255,255 or format "#000000" to "#FFFFFF".' - schema: - type: string - default: "" - - variable: backgroundColor - label: backgroundColor - description: 'Background color, valid values are RBG in format 0,0,0 to 255,255,255 or format "#000000" to "#FFFFFF".' - schema: - type: string - default: "" + additional_attrs: true + type: dict + attrs: + - variable: displayName + label: displayName + description: The name of the agent as displayed to the user. + schema: + type: string + default: MeshCentral Agent + - variable: description + label: description + description: The description of the agent as displayed to the user. + schema: + type: string + default: Mesh Agent Background Service + - variable: companyName + label: companyName + description: This will be used as the path to install the agent, by default this is 'Mesh Agent' in Windows and 'meshagent' in other OS's. + schema: + type: string + default: Mesh Agent + - variable: serviceName + label: serviceName + description: The name of the background service, by default this is 'Mesh Agent' in Windows and 'meshagent' in other OS's but should be set to an all lower case, no space string. + schema: + type: string + default: Mesh Agent + - variable: installText + label: installText + description: Text string to show in the agent installation dialog box. + schema: + type: string + default: "" + - variable: image + label: image + description: The filename of a image file in .png format located in meshcentral-data to display in the MeshCentral Agent installation dialog, image should be square and from 64x64 to 200x200. + schema: + type: string + default: "" + - variable: fileName + label: fileName + description: The agent filename. 
+ schema: + type: string + default: meshagent + - variable: foregroundColor + label: foregroundColor + description: 'Foreground text color, valid values are RBG in format 0,0,0 to 255,255,255 or format "#000000" to "#FFFFFF".' + schema: + type: string + default: "" + - variable: backgroundColor + label: backgroundColor + description: 'Background color, valid values are RBG in format 0,0,0 to 255,255,255 or format "#000000" to "#FFFFFF".' + schema: + type: string + default: "" # Include{containerConfig} # Include{serviceRoot} - variable: main diff --git a/charts/incubator/meshcentral/values.yaml b/charts/incubator/meshcentral/values.yaml index 49bf9e5ed68..81830586768 100644 --- a/charts/incubator/meshcentral/values.yaml +++ b/charts/incubator/meshcentral/values.yaml @@ -280,10 +280,17 @@ meshcentral: # - This section allow MeshCentral to send messages over user messaging networks like Telegram _messaging: # - Configure Telegram messaging system - telegram: - apiid: null - apihash: null - session: null + _telegram: + apiid: "" + apihash: "" + session: "" + # - Configure Discord messaging system + _discord: + # - An optional HTTP link to the discord server the user must join to get notifications. + serverurl: "" + # - A Discord bot token that MeshCentral will use to login to Discord. + token: "" + # - Any settings in this section is used as default setting for all domains _domaindefaults: title: Default Title 
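Review bot: The defaults added here live under `_messaging._telegram` and `_messaging._discord`, while the questions.yaml hunk earlier in this patch writes to `messaging.telegram` and `messaging.discord` without the underscores, so the two only line up if the templates treat a leading `_` as a placeholder for a disabled section, and nothing in this hunk says so. A comment on `_messaging` such as `# - keys prefixed with _ are placeholders; the UI writes to meshcentral.messaging.* — TODO confirm` would keep the next reader from "fixing" the apparent mismatch. The `token`, `apihash` and `session` comments could also state that these are credentials meant to be supplied through the UI rather than committed in this file.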
@@ -292,9 +299,9 @@ meshcentral:
 # - HTTPS URL when to get the TLS certificate that MeshAgent's will see when connecting to this server. This setting is used when a reverse proxy like Traefik is used in front of MeshCentral.
 certUrl: https://mc.domain.com
 # - The title of this web site. All web pages will have this title.
- title: TrueCharts MeshCentral
+ title: MeshCentral
 # - Secondary title text that is placed on the upper right on the title on many web pages.
- title2: TrueCharts MeshCentral
+ title2: TrueCharts
 # - When enabled, the server will send reduced sized web pages.
 minify: true
 # - 0 = User selects day/night mode, 1 = Always night mode, 2 = Always day mode