feat(firezone) add firezone (#9402)

**Description**
Add FireZone
⚒️ Fixes  # <!--(issue)-->

**⚙️ Type of change**

- [X] ⚙️ Feature/App addition
- [ ] 🪛 Bugfix
- [ ] ⚠️ Breaking change (fix or feature that would cause existing
functionality to not work as expected)
- [ ] 🔃 Refactor of current code

**🧪 How Has This Been Tested?**
<!--
Please describe the tests that you ran to verify your changes. Provide
instructions so we can reproduce. Please also list any relevant details
for your test configuration
-->

**📃 Notes:**
<!-- Please enter any other relevant information here -->

**✔️ Checklist:**

- [X] ⚖️ My code follows the style guidelines of this project
- [X] 👀 I have performed a self-review of my own code
- [ ] #️⃣ I have commented my code, particularly in hard-to-understand
areas
- [ ] 📄 I have made corresponding changes to the documentation
- [ ] ⚠️ My changes generate no new warnings
- [ ] 🧪 I have added tests to this description that prove my fix is
effective or that my feature works
- [ ] ⬆️ I increased versions for any altered app according to semantic
versioning

** App addition**

If this PR is an app addition please make sure you have done the
following.

- [X] 🪞 I have opened a PR on
[truecharts/containers](https://github.com/truecharts/containers) adding
the container to TrueCharts mirror repo.
- [X] 🖼️ I have added an icon in the Chart's root directory called
`icon.png`

---

_Please don't blindly check all the boxes. Read them and only check
those that apply.
Those checkboxes are there for the reviewer to see what this is all about and
the status of this PR at a quick glance._

---------

Signed-off-by: Stavros Kois <47820033+stavros-k@users.noreply.github.com>
Co-authored-by: Stavros Kois <47820033+stavros-k@users.noreply.github.com>
This commit is contained in:
Xstar97TheNoob
2023-06-16 03:01:34 -04:00
committed by GitHub
parent 23ddf1dd05
commit f22e45146f
10 changed files with 581 additions and 0 deletions


@@ -0,0 +1,30 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
# OWNERS file for Kubernetes
OWNERS
# helm-docs templates
*.gotmpl
# docs folder
/docs
# icon
icon.png


@@ -0,0 +1 @@
# Changelog


@@ -0,0 +1,30 @@
apiVersion: v2
appVersion: "0.7.30"
dependencies:
- name: common
repository: https://library-charts.truecharts.org
version: 12.14.2
deprecated: false
description: WireGuard-based VPN server and egress firewall
home: https://truecharts.org/charts/incubator/firezone
icon: https://truecharts.org/img/hotlink-ok/chart-icons/firezone.png
keywords:
- firezone
- wireguard
- vpn
kubeVersion: ">=1.16.0-0"
maintainers:
- email: info@truecharts.org
name: TrueCharts
url: https://truecharts.org
name: firezone
sources:
- https://github.com/truecharts/charts/tree/master/charts/incubator/firezone
- https://github.com/firezone/firezone
type: application
version: 0.0.1
annotations:
truecharts.org/catagories: |
- vpn
- security
truecharts.org/SCALE-support: "true"


@@ -0,0 +1 @@
# README



@@ -0,0 +1,341 @@
# Include{groups}
portals:
open:
# Include{portalLink}
questions:
# Include{global}
# Include{workload}
# Include{workloadDeployment}
# Include{replicas1}
# Include{podSpec}
# Include{containerMain}
- variable: env
label: Image Environment
schema:
additional_attrs: true
type: dict
attrs:
- variable: EXTERNAL_URL
label: External Url
description: Must be a valid and public FQDN for ACME SSL issuance to function.
schema:
type: string
required: true
default: ""
- variable: DEFAULT_ADMIN_EMAIL
label: Default Admin Email
description: Primary administrator email.
schema:
type: string
required: true
default: ""
- variable: DEFAULT_ADMIN_PASSWORD
label: Default Admin Password
description: Primary administrator password.
schema:
type: string
required: true
private: true
default: ""
- variable: RESET_ADMIN_ON_BOOT
label: Reset Admin On Boot
description: to create or reset the admin password every time FireZone starts.
schema:
type: boolean
default: false
- variable: TELEMETRY_ENABLED
label: Telemetry Enabled
description: Enable or disable the FireZone telemetry collection.
schema:
type: boolean
default: false
- variable: devices
label: Devices Settings
schema:
type: boolean
default: false
show_subquestions_if: true
subquestions:
- variable: ALLOW_UNPRIVILEGED_DEVICE_MANAGEMENT
label: Allow Unprivileged Devices
description: Enable or disable management of devices on unprivileged accounts.
schema:
type: boolean
default: true
- variable: ALLOW_UNPRIVILEGED_DEVICE_CONFIGURATION
label: Allow Unprivileged Device Configuration
description: Enable or disable configuration of device network settings for unprivileged users.
schema:
type: boolean
default: true
- variable: VPN_SESSION_DURATION
label: VPN Session Duration
description: Optionally require users to periodically authenticate to the FireZone, Interval for WireGuard persistent keepalive.
schema:
type: int
default: 0
- variable: DEFAULT_CLIENT_PERSISTENT_KEEPALIVE
label: Default Client Persistent KeepAlive
description: send a keepalive packet every 25 seconds. Otherwise, keep it disabled with a 0 default value.
schema:
type: int
default: 25
- variable: DEFAULT_CLIENT_MTU
label: Default Client MTU
description: WireGuard interface MTU for devices.
schema:
type: int
default: 1280
- variable: DEFAULT_CLIENT_ENDPOINT
label: Default Client EndPoint
description: IPv4, IPv6 address, or FQDN that devices will be configured to connect to. Defaults to this server's FQDN.
schema:
type: string
default: ""
- variable: DEFAULT_CLIENT_DNS
label: Default Client DNS
description: Comma-separated list of DNS servers to use for devices.
schema:
type: string
default: "1.1.1.1,1.0.0.1"
- variable: DEFAULT_CLIENT_ALLOWED_IPS
label: Default Client Allowed IPs
description: AllowedIPs determines which destination IPs get routed through FireZone.
schema:
type: string
default: "0.0.0.0/0,::/0"
- variable: MAX_DEVICES_PER_USER
label: Max Devices Per User
description: Changes how many devices a user can have at a time.
schema:
type: int
default: 10
- variable: authorization
label: Authorization Settings
schema:
type: boolean
default: false
show_subquestions_if: true
subquestions:
- variable: LOCAL_AUTH_ENABLED
label: Local Auth Enabled
description: Enable or disable the local authentication method for all users.
schema:
type: boolean
default: true
- variable: DISABLE_VPN_ON_OIDC_ERROR
label: Disable VPN On OIDC Error
description: Enable or disable auto disabling VPN connection on OIDC refresh error.
schema:
type: boolean
default: false
- variable: wireguard
label: Wireguard Settings
schema:
type: boolean
default: false
show_subquestions_if: true
subquestions:
- variable: WIREGUARD_IPV4_ENABLED
label: WireGuard IPV4 Enabled
description: Enable or disable IPv4 support for WireGuard.
schema:
type: boolean
default: true
- variable: WIREGUARD_IPV6_ENABLED
label: WireGuard IPV6 Enabled
description: Enable or disable IPv6 support for WireGuard.
schema:
type: boolean
default: false
- variable: outbound
label: OutBound Email Settings
schema:
type: boolean
default: false
show_subquestions_if: true
subquestions:
- variable: OUTBOUND_EMAIL_FROM
label: Outbound Email From
description: From address to use for sending outbound emails.
schema:
type: string
default: ""
- variable: OUTBOUND_EMAIL_ADAPTER
label: Outbound Email Adapter
description: Method to use for sending outbound email.
schema:
type: string
default: "Elixir.FzHttpWeb.Mailer.NoopAdapter"
enum:
- value: "Elixir.FzHttpWeb.Mailer.AmazonSES"
description: "AmazonSES"
- value: "Elixir.FzHttpWeb.Mailer.CustomerIO"
description: CustomerIO"
- value: "Elixir.FzHttpWeb.Mailer.Dyn"
description: Dyn
- value: "Elixir.FzHttpWeb.Mailer.ExAwsAmazonSES"
description: ExAwsAmazonSES"
- value: "Elixir.FzHttpWeb.Mailer.Gmail"
description: Gmail"
- value: "Elixir.FzHttpWeb.Mailer.MailPace"
description: MailPace"
- value: "Elixir.FzHttpWeb.Mailer.Mailgun"
description: Mailgun"
- value: "Elixir.FzHttpWeb.Mailer.Mailjet"
description: MailJet"
- value: "Elixir.FzHttpWeb.Mailer.Mandrill"
description: Mandrill"
- value: "Elixir.FzHttpWeb.Mailer.Postmark"
description: Postmark"
- value: "Elixir.FzHttpWeb.Mailer.ProtonBridge"
description: ProtonBridge"
- value: "Elixir.FzHttpWeb.Mailer.SMTP"
description: SMTP"
- value: "Elixir.FzHttpWeb.Mailer.SMTP2GO"
description: SMTP2GO"
- value: "Elixir.FzHttpWeb.Mailer.Sendgrid"
description: SendGrid"
- value: "Elixir.FzHttpWeb.Mailer.Sendinblue"
description: "SendInBlue"
- value: "Elixir.FzHttpWeb.Mailer.Sendmail"
description: "Sendmail"
- value: "Elixir.FzHttpWeb.Mailer.SocketLabs"
description: "SocketLabs"
- value: "Elixir.FzHttpWeb.Mailer.SparkPost"
description: "SparkPost"
- value: "Elixir.FzHttpWeb.Mailer.NoopAdapter"
description: "NoopAdapter"
- variable: OUTBOUND_EMAIL_ADAPTER_OPTS
label: Outbound Email Adapter OPTS
description: Adapter configuration, see https://github.com/swoosh/swoosh#adapters.
schema:
type: string
default: ""
- variable: connectivity
label: Connectivity Settings
schema:
type: boolean
default: false
show_subquestions_if: true
subquestions:
- variable: CONNECTIVITY_CHECKS_ENABLED
label: Connectivity Checks Enabled
description: Enable / disable periodic checking for egress connectivity. Determines the instance's public IP to populate Endpoint fields.
schema:
type: boolean
default: true
- variable: CONNECTIVITY_CHECKS_INTERVAL
label: Connectivity Checks Interval
description: Periodicity in seconds to check for egress connectivity.
schema:
type: int
default: 43200
# Include{containerBasic}
# Include{containerAdvanced}
# Include{containerConfig}
# Include{podOptions}
# Include{serviceRoot}
- variable: main
label: Main Service
description: The Primary service on which the healthcheck runs, often the webUI
schema:
additional_attrs: true
type: dict
attrs:
# Include{serviceSelectorLoadBalancer}
# Include{serviceSelectorExtras}
- variable: main
label: Main Service Port Configuration
schema:
additional_attrs: true
type: dict
attrs:
- variable: port
label: Port
description: This port exposes the container port on the service
schema:
type: int
default: 13000
required: true
- variable: wireguard
label: Wireguard Service
description: The Wireguard service
schema:
additional_attrs: true
type: dict
attrs:
# Include{serviceSelectorLoadBalancer}
# Include{serviceSelectorExtras}
- variable: wireguard
label: Wireguard Service Port Configuration
schema:
additional_attrs: true
type: dict
attrs:
- variable: port
label: Port
description: This port exposes the container port on the service
schema:
type: int
default: 51820
required: true
# Include{serviceExpertRoot}
# Include{serviceExpert}
# Include{serviceList}
# Include{persistenceRoot}
- variable: config
label: App Config Storage
description: Stores the Application Config.
schema:
additional_attrs: true
type: dict
attrs:
# Include{persistenceBasic}
# Include{persistenceList}
# Include{ingressRoot}
- variable: main
label: Main Ingress
schema:
additional_attrs: true
type: dict
attrs:
# Include{ingressDefault}
# Include{ingressTLS}
# Include{ingressTraefik}
# Include{ingressList}
# Include{securityContextRoot}
- variable: runAsUser
label: runAsUser
description: The UserID of the user running the application
schema:
type: int
default: 0
- variable: runAsGroup
label: runAsGroup
description: The groupID of the user running the application
schema:
type: int
default: 0
# Include{securityContextContainer}
# Include{securityContextAdvanced}
# Include{securityContextPod}
- variable: fsGroup
label: fsGroup
description: The group that should own ALL storage.
schema:
type: int
default: 568
# Include{resources}
# Include{metrics}
# Include{prometheusRule}
# Include{advanced}
# Include{addons}
# Include{codeserver}
# Include{netshoot}
# Include{vpn}
# Include{documentation}
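Review bot: The enum entries under OUTBOUND_EMAIL_ADAPTER from `description: CustomerIO"` down to `description: SendGrid"` carry an unbalanced trailing quote; YAML reads each as a plain scalar, so the UI will display the literal `"`. Drop the stray character on each of those twelve lines (e.g. `description: CustomerIO`) or quote them fully the way the AmazonSES and SendInBlue entries are. The VPN_SESSION_DURATION description has also absorbed the next variable's text ("Interval for WireGuard persistent keepalive"), and the DEFAULT_CLIENT_PERSISTENT_KEEPALIVE description starts mid-sentence; suggest `description: Optionally require users to periodically re-authenticate to FireZone.` and `description: Interval in seconds for WireGuard persistent keepalive; 0 keeps it disabled.` respectively. Finally, the DEFAULT_CLIENT_ALLOWED_IPS default here (`"0.0.0.0/0,::/0"`) differs from values.yaml's `"0.0.0.0/0, ::/0"`; align the two in case the application's list parser does not trim whitespace.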


@@ -0,0 +1 @@
{{- include "tc.v1.common.lib.chart.notes" $ -}}


@@ -0,0 +1,26 @@
{{/* Define the secrets */}}
{{- define "firezone.secrets" -}}
{{- $secretName := (printf "%s-firezone-secrets" (include "tc.v1.common.lib.chart.names.fullname" $)) -}}
{{- $keyGuardian := randAlphaNum 32 -}}
{{- $keyDatabase := randAlphaNum 32 -}}
{{- $keySecret := randAlphaNum 32 -}}
{{- $keyLive := randAlphaNum 32 -}}
{{- $keyCookieSigning := randAlphaNum 32 -}}
{{- $keyCookieEncrypt := randAlphaNum 32 -}}
{{- with (lookup "v1" "Secret" .Release.Namespace $secretName) -}}
{{- $keyGuardian = index .data "GUARDIAN_SECRET_KEY" | b64dec -}}
{{- $keyDatabase = index .data "DATABASE_ENCRYPTION_KEY" | b64dec -}}
{{- $keySecret = index .data "SECRET_KEY_BASE" | b64dec -}}
{{- $keyLive = index .data "LIVE_VIEW_SIGNING_SALT" | b64dec -}}
{{- $keyCookieSigning = index .data "COOKIE_SIGNING_SALT" | b64dec -}}
{{- $keyCookieEncrypt = index .data "COOKIE_ENCRYPTION_SALT" | b64dec -}}
{{- end }}
enabled: true
data:
GUARDIAN_SECRET_KEY: {{ $keyGuardian }}
DATABASE_ENCRYPTION_KEY: {{ $keyDatabase }}
SECRET_KEY_BASE: {{ $keySecret }}
LIVE_VIEW_SIGNING_SALT: {{ $keyLive }}
COOKIE_SIGNING_SALT: {{ $keyCookieSigning }}
COOKIE_ENCRYPTION_SALT: {{ $keyCookieEncrypt }}
{{- end -}}
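Review bot: The `with (lookup "v1" "Secret" .Release.Namespace $secretName)` line looks up `<fullname>-firezone-secrets`, but the rendered data is registered under the key `secrets` in common.yaml; if the common library names the Secret object `<fullname>-secrets`, as seems likely, the lookup never matches and every upgrade regenerates all six keys. Regenerating DATABASE_ENCRYPTION_KEY would make previously encrypted database columns unreadable and rotating SECRET_KEY_BASE and the salts invalidates every session, so the name should be confirmed against an installed release (`kubectl get secret` in the release namespace) and the lookup pointed at the real object name. The values on the `GUARDIAN_SECRET_KEY: {{ $keyGuardian }}` line and the five below it are emitted unquoted; pipe each through `quote` so the output stays a string regardless of what the generator or the stored value contains. All six keys are also fixed at `randAlphaNum 32`; Firezone's own key-generation guidance should be checked to confirm that 32 alphanumeric characters meet the expected length and encoding for each, particularly SECRET_KEY_BASE and DATABASE_ENCRYPTION_KEY.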


@@ -0,0 +1,11 @@
{{/* Make sure all variables are set properly */}}
{{- include "tc.v1.common.loader.init" . }}
{{/* Render secrets for firezone */}}
{{- $secrets := include "firezone.secrets" . | fromYaml -}}
{{- if $secrets -}}
{{- $_ := set .Values.secret "secrets" $secrets -}}
{{- end -}}
{{/* Render the templates */}}
{{ include "tc.v1.common.loader.apply" . }}


@@ -0,0 +1,140 @@
image:
repository: tccr.io/truecharts/firezone
pullPolicy: IfNotPresent
tag: v0.7.30@sha256:e22dc7a9be93a804bbe0e3d301c883625463a3649d856c8b41f80a2257214667
securityContext:
container:
readOnlyRootFilesystem: false
runAsNonRoot: false
PUID: 0
runAsUser: 0
runAsGroup: 0
capabilities:
add:
- NET_ADMIN
- SYS_MODULE
workload:
main:
podSpec:
containers:
main:
probes:
liveness:
enabled: false
readiness:
enabled: false
startup:
enabled: false
env:
# web
PHOENIX_HTTP_PORT: "{{ .Values.service.main.ports.main.port }}"
EXTERNAL_URL: "https://app.mydomain.com"
# PHOENIX_SECURE_COOKIES: true
# PHOENIX_HTTP_PROTOCOL_OPTIONS: "{}"
# PHOENIX_EXTERNAL_TRUSTED_PROXIES: "[]"
# PHOENIX_PRIVATE_CLIENTS: "[]"
# DB
DATABASE_HOST:
secretKeyRef:
name: cnpg-main-urls
key: host
DATABASE_PORT: 5432
DATABASE_NAME: "{{ .Values.cnpg.main.database }}"
DATABASE_USER: "{{ .Values.cnpg.main.user }}"
DATABASE_PASSWORD:
secretKeyRef:
name: cnpg-main-user
key: password
# DATABASE_POOL_SIZE
DATABASE_SSL_ENABLED: false
# DATABASE_SSL_OPTS: "{}"
# Admin
RESET_ADMIN_ON_BOOT: false
DEFAULT_ADMIN_EMAIL: "admin@email.com"
DEFAULT_ADMIN_PASSWORD: "1234567890"
# Secrets and Encryption
GUARDIAN_SECRET_KEY:
secretKeyRef:
name: secrets
key: GUARDIAN_SECRET_KEY
DATABASE_ENCRYPTION_KEY:
secretKeyRef:
name: secrets
key: DATABASE_ENCRYPTION_KEY
SECRET_KEY_BASE:
secretKeyRef:
name: secrets
key: SECRET_KEY_BASE
LIVE_VIEW_SIGNING_SALT:
secretKeyRef:
name: secrets
key: LIVE_VIEW_SIGNING_SALT
COOKIE_SIGNING_SALT:
secretKeyRef:
name: secrets
key: COOKIE_SIGNING_SALT
COOKIE_ENCRYPTION_SALT:
secretKeyRef:
name: secrets
key: COOKIE_ENCRYPTION_SALT
# Devices
ALLOW_UNPRIVILEGED_DEVICE_MANAGEMENT: true
ALLOW_UNPRIVILEGED_DEVICE_CONFIGURATION: true
VPN_SESSION_DURATION: 0
DEFAULT_CLIENT_PERSISTENT_KEEPALIVE: 25
DEFAULT_CLIENT_MTU: 1280
# DEFAULT_CLIENT_ENDPOINT: ""
DEFAULT_CLIENT_DNS: "1.1.1.1,1.0.0.1"
DEFAULT_CLIENT_ALLOWED_IPS: "0.0.0.0/0, ::/0"
# Limits
MAX_DEVICES_PER_USER: 10
# Authorization
LOCAL_AUTH_ENABLED: true
DISABLE_VPN_ON_OIDC_ERROR: false
SAML_ENTITY_ID: "urn:firezone.dev:firezone-app"
# SAML_KEYFILE_PATH: "/var/firezone/saml.key"
# SAML_CERTFILE_PATH: "/var/firezone/saml.crt"
# OPENID_CONNECT_PROVIDERS: "[]"
# SAML_IDENTITY_PROVIDERS: "[]"
# WireGuard
WIREGUARD_PORT: "{{ .Values.service.wireguard.ports.wireguard.port }}"
WIREGUARD_IPV4_ENABLED: true
WIREGUARD_IPV6_ENABLED: false
# Outbound Emails
OUTBOUND_EMAIL_FROM: ""
OUTBOUND_EMAIL_ADAPTER: "Elixir.FzHttpWeb.Mailer.NoopAdapter"
# OUTBOUND_EMAIL_ADAPTER_OPTS: "{}"
# Connectivity Checks
CONNECTIVITY_CHECKS_ENABLED: true
CONNECTIVITY_CHECKS_INTERVAL: 43200
# Telemetry
TELEMETRY_ENABLED: false
service:
main:
ports:
main:
protocol: http
port: 13000
wireguard:
ports:
wireguard:
protocol: udp
port: 51820
persistence:
config:
enabled: true
mountPath: "/var/firezone"
cnpg:
main:
enabled: true
user: firezone
database: firezone
portal:
open:
enabled: true
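Review bot: `DEFAULT_ADMIN_PASSWORD: "1234567890"` together with `DEFAULT_ADMIN_EMAIL: "admin@email.com"` ships a fixed administrator credential to every install that does not override values — questions.yaml marks both as required in the SCALE UI, but a plain Helm install inherits these defaults, and per the RESET_ADMIN_ON_BOOT description they appear to seed the admin account on first start. Leave both empty (`DEFAULT_ADMIN_PASSWORD: ""`, `DEFAULT_ADMIN_EMAIL: ""`) so each install must supply its own, or generate the password alongside the other secrets; `EXTERNAL_URL: "https://app.mydomain.com"` is likewise a placeholder rather than a usable default. Separately, the container runs as root and adds `SYS_MODULE` under `capabilities`, which permits loading kernel modules on the node and is effectively node-level privilege; add a comment stating why it is needed (presumably to load the wireguard module on kernels that lack it built in) and consider leaving it to the operator to enable where the module is already present. The `DEFAULT_CLIENT_ALLOWED_IPS: "0.0.0.0/0, ::/0"` value also differs from the questions.yaml default by a space after the comma; pick one form.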