diff --git a/charts/incubator/firezone/.helmignore b/charts/incubator/firezone/.helmignore
new file mode 100644
index 00000000000..77ca5567b26
--- /dev/null
+++ b/charts/incubator/firezone/.helmignore
@@ -0,0 +1,30 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+# OWNERS file for Kubernetes
+OWNERS
+# helm-docs templates
+*.gotmpl
+# docs folder
+/docs
+# icon
+icon.png
diff --git a/charts/incubator/firezone/CHANGELOG.md b/charts/incubator/firezone/CHANGELOG.md
new file mode 100644
index 00000000000..825c32f0d03
--- /dev/null
+++ b/charts/incubator/firezone/CHANGELOG.md
@@ -0,0 +1 @@
+# Changelog
diff --git a/charts/incubator/firezone/Chart.yaml b/charts/incubator/firezone/Chart.yaml
new file mode 100644
index 00000000000..33329e5feac
--- /dev/null
+++ b/charts/incubator/firezone/Chart.yaml
@@ -0,0 +1,30 @@
+apiVersion: v2
+appVersion: "0.7.30"
+dependencies:
+ - name: common
+ repository: https://library-charts.truecharts.org
+ version: 12.14.2
+deprecated: false
+description: WireGuard-based VPN server and egress firewall
+home: https://truecharts.org/charts/incubator/firezone
+icon: https://truecharts.org/img/hotlink-ok/chart-icons/firezone.png
+keywords:
+ - firezone
+ - wireguard
+ - vpn
+kubeVersion: ">=1.16.0-0"
+maintainers:
+ - email: info@truecharts.org
+ name: TrueCharts
+ url: https://truecharts.org
+name: firezone
+sources:
+ - https://github.com/truecharts/charts/tree/master/charts/incubator/firezone
+ - https://github.com/firezone/firezone
+type: application
+version: 0.0.1
+annotations:
+ truecharts.org/catagories: |
+ - vpn
+ - security
+ truecharts.org/SCALE-support: "true"
diff --git a/charts/incubator/firezone/README.md b/charts/incubator/firezone/README.md
new file mode 100644
index 00000000000..7e59600739c
--- /dev/null
+++ b/charts/incubator/firezone/README.md
@@ -0,0 +1 @@
+# README
diff --git a/charts/incubator/firezone/logo.png b/charts/incubator/firezone/logo.png
new file mode 100644
index 00000000000..7983abea3a4
Binary files /dev/null and b/charts/incubator/firezone/logo.png differ
diff --git a/charts/incubator/firezone/questions.yaml b/charts/incubator/firezone/questions.yaml
new file mode 100644
index 00000000000..beda409b783
--- /dev/null
+++ b/charts/incubator/firezone/questions.yaml
@@ -0,0 +1,341 @@ +# Include{groups} +portals: + open: +# Include{portalLink} +questions: +# Include{global} +# Include{workload} +# Include{workloadDeployment} + +# Include{replicas1} +# Include{podSpec} +# Include{containerMain} + + - variable: env + label: Image Environment + schema: + additional_attrs: true + type: dict + attrs: + - variable: EXTERNAL_URL + label: External Url + description: Must be a valid and public FQDN for ACME SSL issuance to function. + schema: + type: string + required: true + default: "" + - variable: DEFAULT_ADMIN_EMAIL + label: Default Admin Email + description: Primary administrator email. + schema: + type: string + required: true + default: "" + - variable: DEFAULT_ADMIN_PASSWORD + label: Default Admin Password + description: Primary administrator password. + schema: + type: string + required: true + private: true + default: "" + - variable: RESET_ADMIN_ON_BOOT + label: Reset Admin On Boot + description: to create or reset the admin password every time FireZone starts. + schema: + type: boolean + default: false + - variable: TELEMETRY_ENABLED + label: Telemetry Enabled + description: Enable or disable the FireZone telemetry collection. + schema: + type: boolean + default: false + - variable: devices + label: Devices Settings + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: ALLOW_UNPRIVILEGED_DEVICE_MANAGEMENT + label: Allow Unprivileged Devices + description: Enable or disable management of devices on unprivileged accounts. + schema: + type: boolean + default: true + - variable: ALLOW_UNPRIVILEGED_DEVICE_CONFIGURATION + label: Allow Unprivileged Device Configuration + description: Enable or disable configuration of device network settings for unprivileged users. 
+ schema: + type: boolean + default: true + - variable: VPN_SESSION_DURATION + label: VPN Session Duration + description: Optionally require users to periodically authenticate to the FireZone, Interval for WireGuard persistent keepalive. + schema: + type: int + default: 0 + - variable: DEFAULT_CLIENT_PERSISTENT_KEEPALIVE + label: Default Client Persistent KeepAlive + description: send a keepalive packet every 25 seconds. Otherwise, keep it disabled with a 0 default value. + schema: + type: int + default: 25 + - variable: DEFAULT_CLIENT_MTU + label: Default Client MTU + description: WireGuard interface MTU for devices. + schema: + type: int + default: 1280 + - variable: DEFAULT_CLIENT_ENDPOINT + label: Default Client EndPoint + description: IPv4, IPv6 address, or FQDN that devices will be configured to connect to. Defaults to this server's FQDN. + schema: + type: string + default: "" + - variable: DEFAULT_CLIENT_DNS + label: Default Client DNS + description: Comma-separated list of DNS servers to use for devices. + schema: + type: string + default: "1.1.1.1,1.0.0.1" + - variable: DEFAULT_CLIENT_ALLOWED_IPS + label: Default Client Allowed IPs + description: AllowedIPs determines which destination IPs get routed through FireZone. + schema: + type: string + default: "0.0.0.0/0,::/0" + - variable: MAX_DEVICES_PER_USER + label: Max Devices Per User + description: Changes how many devices a user can have at a time. + schema: + type: int + default: 10 + - variable: authorization + label: Authorization Settings + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: LOCAL_AUTH_ENABLED + label: Local Auth Enabled + description: Enable or disable the local authentication method for all users. + schema: + type: boolean + default: true + - variable: DISABLE_VPN_ON_OIDC_ERROR + label: Disable VPN On OIDC Error + description: Enable or disable auto disabling VPN connection on OIDC refresh error. 
+ schema: + type: boolean + default: false + - variable: wireguard + label: Wireguard Settings + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: WIREGUARD_IPV4_ENABLED + label: WireGuard IPV4 Enabled + description: Enable or disable IPv4 support for WireGuard. + schema: + type: boolean + default: true + - variable: WIREGUARD_IPV6_ENABLED + label: WireGuard IPV6 Enabled + description: Enable or disable IPv6 support for WireGuard. + schema: + type: boolean + default: false + - variable: outbound + label: OutBound Email Settings + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: OUTBOUND_EMAIL_FROM + label: Outbound Email From + description: From address to use for sending outbound emails. + schema: + type: string + default: "" + - variable: OUTBOUND_EMAIL_ADAPTER + label: Outbound Email Adapter + description: Method to use for sending outbound email. + schema: + type: string + default: "Elixir.FzHttpWeb.Mailer.NoopAdapter" + enum: + - value: "Elixir.FzHttpWeb.Mailer.AmazonSES" + description: "AmazonSES" + - value: "Elixir.FzHttpWeb.Mailer.CustomerIO" + description: CustomerIO" + - value: "Elixir.FzHttpWeb.Mailer.Dyn" + description: Dyn + - value: "Elixir.FzHttpWeb.Mailer.ExAwsAmazonSES" + description: ExAwsAmazonSES" + - value: "Elixir.FzHttpWeb.Mailer.Gmail" + description: Gmail" + - value: "Elixir.FzHttpWeb.Mailer.MailPace" + description: MailPace" + - value: "Elixir.FzHttpWeb.Mailer.Mailgun" + description: Mailgun" + - value: "Elixir.FzHttpWeb.Mailer.Mailjet" + description: MailJet" + - value: "Elixir.FzHttpWeb.Mailer.Mandrill" + description: Mandrill" + - value: "Elixir.FzHttpWeb.Mailer.Postmark" + description: Postmark" + - value: "Elixir.FzHttpWeb.Mailer.ProtonBridge" + description: ProtonBridge" + - value: "Elixir.FzHttpWeb.Mailer.SMTP" + description: SMTP" + - value: "Elixir.FzHttpWeb.Mailer.SMTP2GO" + description: SMTP2GO" + - value: 
"Elixir.FzHttpWeb.Mailer.Sendgrid" + description: SendGrid" + - value: "Elixir.FzHttpWeb.Mailer.Sendinblue" + description: "SendInBlue" + - value: "Elixir.FzHttpWeb.Mailer.Sendmail" + description: "Sendmail" + - value: "Elixir.FzHttpWeb.Mailer.SocketLabs" + description: "SocketLabs" + - value: "Elixir.FzHttpWeb.Mailer.SparkPost" + description: "SparkPost" + - value: "Elixir.FzHttpWeb.Mailer.NoopAdapter" + description: "NoopAdapter" + - variable: OUTBOUND_EMAIL_ADAPTER_OPTS + label: Outbound Email Adapter OPTS + description: Adapter configuration, see https://github.com/swoosh/swoosh#adapters. + schema: + type: string + default: "" + - variable: connectivity + label: Connectivity Settings + schema: + type: boolean + default: false + show_subquestions_if: true + subquestions: + - variable: CONNECTIVITY_CHECKS_ENABLED + label: Connectivity Checks Enabled + description: Enable / disable periodic checking for egress connectivity. Determines the instance's public IP to populate Endpoint fields. + schema: + type: boolean + default: true + - variable: CONNECTIVITY_CHECKS_INTERVAL + label: Connectivity Checks Interval + description: Periodicity in seconds to check for egress connectivity. 
+ schema: + type: int + default: 43200 + +# Include{containerBasic} +# Include{containerAdvanced} + +# Include{containerConfig} +# Include{podOptions} +# Include{serviceRoot} + - variable: main + label: Main Service + description: The Primary service on which the healthcheck runs, often the webUI + schema: + additional_attrs: true + type: dict + attrs: +# Include{serviceSelectorLoadBalancer} +# Include{serviceSelectorExtras} + - variable: main + label: Main Service Port Configuration + schema: + additional_attrs: true + type: dict + attrs: + - variable: port + label: Port + description: This port exposes the container port on the service + schema: + type: int + default: 13000 + required: true + - variable: wireguard + label: Wireguard Service + description: The Wireguard service + schema: + additional_attrs: true + type: dict + attrs: +# Include{serviceSelectorLoadBalancer} +# Include{serviceSelectorExtras} + - variable: wireguard + label: Wireguard Service Port Configuration + schema: + additional_attrs: true + type: dict + attrs: + - variable: port + label: Port + description: This port exposes the container port on the service + schema: + type: int + default: 51820 + required: true +# Include{serviceExpertRoot} +# Include{serviceExpert} +# Include{serviceList} +# Include{persistenceRoot} + - variable: config + label: App Config Storage + description: Stores the Application Config. 
+ schema: + additional_attrs: true + type: dict + attrs: +# Include{persistenceBasic} +# Include{persistenceList} +# Include{ingressRoot} + - variable: main + label: Main Ingress + schema: + additional_attrs: true + type: dict + attrs: +# Include{ingressDefault} +# Include{ingressTLS} +# Include{ingressTraefik} +# Include{ingressList} +# Include{securityContextRoot} + - variable: runAsUser + label: runAsUser + description: The UserID of the user running the application + schema: + type: int + default: 0 + - variable: runAsGroup + label: runAsGroup + description: The groupID of the user running the application + schema: + type: int + default: 0 +# Include{securityContextContainer} +# Include{securityContextAdvanced} +# Include{securityContextPod} + - variable: fsGroup + label: fsGroup + description: The group that should own ALL storage. + schema: + type: int + default: 568 +# Include{resources} +# Include{metrics} +# Include{prometheusRule} +# Include{advanced} +# Include{addons} +# Include{codeserver} +# Include{netshoot} +# Include{vpn} +# Include{documentation} diff --git a/charts/incubator/firezone/templates/NOTES.txt b/charts/incubator/firezone/templates/NOTES.txt new file mode 100644 index 00000000000..efcb74cb772 --- /dev/null +++ b/charts/incubator/firezone/templates/NOTES.txt @@ -0,0 +1 @@ +{{- include "tc.v1.common.lib.chart.notes" $ -}} diff --git a/charts/incubator/firezone/templates/_secrets.tpl b/charts/incubator/firezone/templates/_secrets.tpl new file mode 100644 index 00000000000..8390618aad5 --- /dev/null +++ b/charts/incubator/firezone/templates/_secrets.tpl 
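Review bot: Twelve of the OUTBOUND_EMAIL_ADAPTER enum entries carry an unbalanced trailing quote in their description (`description: CustomerIO"`, `description: Gmail"`, … through `description: SendGrid"`); as plain scalars these still parse, but the stray quote becomes part of the label shown in the UI, so they should read `description: CustomerIO` or be fully quoted like the AmazonSES and SendInBlue entries. The VPN_SESSION_DURATION description is also a copy-paste mix with the keepalive setting (`Optionally require users to periodically authenticate to the FireZone, Interval for WireGuard persistent keepalive.`) and should describe only the session duration, e.g. `description: Optionally require users to periodically re-authenticate to FireZone to keep VPN sessions active; the default 0 presumably disables this — confirm against the Firezone docs.` The DEFAULT_CLIENT_PERSISTENT_KEEPALIVE description starts mid-sentence (`send a keepalive packet every 25 seconds.`) and would read better as `Interval in seconds for WireGuard persistent keepalive; 0 disables it.`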
@@ -0,0 +1,26 @@
+{{/* Define the secrets */}}
+{{- define "firezone.secrets" -}}
+{{- $secretName := (printf "%s-firezone-secrets" (include "tc.v1.common.lib.chart.names.fullname" $)) -}}
+{{- $keyGuardian := randAlphaNum 32 -}}
+{{- $keyDatabase := randAlphaNum 32 -}}
+{{- $keySecret := randAlphaNum 32 -}}
+{{- $keyLive := randAlphaNum 32 -}}
+{{- $keyCookieSigning := randAlphaNum 32 -}}
+{{- $keyCookieEncrypt := randAlphaNum 32 -}}
+{{- with (lookup "v1" "Secret" .Release.Namespace $secretName) -}}
+ {{- $keyGuardian = index .data "GUARDIAN_SECRET_KEY" | b64dec -}}
+ {{- $keyDatabase = index .data "DATABASE_ENCRYPTION_KEY" | b64dec -}}
+ {{- $keySecret = index .data "SECRET_KEY_BASE" | b64dec -}}
+ {{- $keyLive = index .data "LIVE_VIEW_SIGNING_SALT" | b64dec -}}
+ {{- $keyCookieSigning = index .data "COOKIE_SIGNING_SALT" | b64dec -}}
+ {{- $keyCookieEncrypt = index .data "COOKIE_ENCRYPTION_SALT" | b64dec -}}
+{{- end }}
+enabled: true
+data:
+ GUARDIAN_SECRET_KEY: {{ $keyGuardian }}
+ DATABASE_ENCRYPTION_KEY: {{ $keyDatabase }}
+ SECRET_KEY_BASE: {{ $keySecret }}
+ LIVE_VIEW_SIGNING_SALT: {{ $keyLive }}
+ COOKIE_SIGNING_SALT: {{ $keyCookieSigning }}
+ COOKIE_ENCRYPTION_SALT: {{ $keyCookieEncrypt }}
+{{- end -}}
diff --git a/charts/incubator/firezone/templates/common.yaml b/charts/incubator/firezone/templates/common.yaml
new file mode 100644
index 00000000000..3a972e62863
--- /dev/null
+++ b/charts/incubator/firezone/templates/common.yaml
@@ -0,0 +1,11 @@
+{{/* Make sure all variables are set properly */}}
+{{- include "tc.v1.common.loader.init" . }}
+
+{{/* Render secrets for firezone */}}
+{{- $secrets := include "firezone.secrets" . | fromYaml -}}
+{{- if $secrets -}}
+ {{- $_ := set .Values.secret "secrets" $secrets -}}
+{{- end -}}
+
+{{/* Render the templates */}}
+{{ include "tc.v1.common.loader.apply" . }}
diff --git a/charts/incubator/firezone/values.yaml b/charts/incubator/firezone/values.yaml
new file mode 100644
index 00000000000..822722ffcac
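Review bot: The Secret looked up on the `with (lookup "v1" "Secret" .Release.Namespace $secretName)` line is named `<fullname>-firezone-secrets`, but common.yaml registers the rendered data under `.Values.secret.secrets` and values.yaml references it as `secretKeyRef: name: secrets`, so — if the common library names that object `<fullname>-secrets` as those references suggest — the lookup never finds the existing Secret and every upgrade mints six fresh values. A regenerated `DATABASE_ENCRYPTION_KEY` would leave data encrypted under the previous key unreadable, and new `SECRET_KEY_BASE`/cookie salts invalidate every session, so the names should be aligned: `{{- $secretName := (printf "%s-secrets" (include "tc.v1.common.lib.chart.names.fullname" $)) -}}` (or register the data under the key `firezone-secrets` in common.yaml). The `index .data "…" | b64dec` lines also assume all six keys exist in the found Secret; a Secret written by an earlier chart version with fewer keys would presumably hand nil to b64dec, so guarding each with `hasKey` or `default` keeps the generated fallback in that case. A comment above the lookup, `{{/* Reuse keys from the release's existing Secret so encryption keys and salts survive upgrades; helm template/--dry-run cannot look up and will show fresh values */}}`, would document the intent.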
--- /dev/null
+++ b/charts/incubator/firezone/values.yaml
@@ -0,0 +1,140 @@ +image: + repository: tccr.io/truecharts/firezone + pullPolicy: IfNotPresent + tag: v0.7.30@sha256:e22dc7a9be93a804bbe0e3d301c883625463a3649d856c8b41f80a2257214667 + +securityContext: + container: + readOnlyRootFilesystem: false + runAsNonRoot: false + PUID: 0 + runAsUser: 0 + runAsGroup: 0 + capabilities: + add: + - NET_ADMIN + - SYS_MODULE + +workload: + main: + podSpec: + containers: + main: + probes: + liveness: + enabled: false + readiness: + enabled: false + startup: + enabled: false + env: + # web + PHOENIX_HTTP_PORT: "{{ .Values.service.main.ports.main.port }}" + EXTERNAL_URL: "https://app.mydomain.com" + # PHOENIX_SECURE_COOKIES: true + # PHOENIX_HTTP_PROTOCOL_OPTIONS: "{}" + # PHOENIX_EXTERNAL_TRUSTED_PROXIES: "[]" + # PHOENIX_PRIVATE_CLIENTS: "[]" + # DB + DATABASE_HOST: + secretKeyRef: + name: cnpg-main-urls + key: host + DATABASE_PORT: 5432 + DATABASE_NAME: "{{ .Values.cnpg.main.database }}" + DATABASE_USER: "{{ .Values.cnpg.main.user }}" + DATABASE_PASSWORD: + secretKeyRef: + name: cnpg-main-user + key: password + # DATABASE_POOL_SIZE + DATABASE_SSL_ENABLED: false + # DATABASE_SSL_OPTS: "{}" + # Admin + RESET_ADMIN_ON_BOOT: false + DEFAULT_ADMIN_EMAIL: "admin@email.com" + DEFAULT_ADMIN_PASSWORD: "1234567890" + # Secrets and Encryption + GUARDIAN_SECRET_KEY: + secretKeyRef: + name: secrets + key: GUARDIAN_SECRET_KEY + DATABASE_ENCRYPTION_KEY: + secretKeyRef: + name: secrets + key: DATABASE_ENCRYPTION_KEY + SECRET_KEY_BASE: + secretKeyRef: + name: secrets + key: SECRET_KEY_BASE + LIVE_VIEW_SIGNING_SALT: + secretKeyRef: + name: secrets + key: LIVE_VIEW_SIGNING_SALT + COOKIE_SIGNING_SALT: + secretKeyRef: + name: secrets + key: COOKIE_SIGNING_SALT + COOKIE_ENCRYPTION_SALT: + secretKeyRef: + name: secrets + key: COOKIE_ENCRYPTION_SALT + # Devices + ALLOW_UNPRIVILEGED_DEVICE_MANAGEMENT: true + ALLOW_UNPRIVILEGED_DEVICE_CONFIGURATION: true + VPN_SESSION_DURATION: 0 + DEFAULT_CLIENT_PERSISTENT_KEEPALIVE: 25 + DEFAULT_CLIENT_MTU: 1280 + # 
DEFAULT_CLIENT_ENDPOINT: "" + DEFAULT_CLIENT_DNS: "1.1.1.1,1.0.0.1" + DEFAULT_CLIENT_ALLOWED_IPS: "0.0.0.0/0, ::/0" + # Limits + MAX_DEVICES_PER_USER: 10 + # Authorization + LOCAL_AUTH_ENABLED: true + DISABLE_VPN_ON_OIDC_ERROR: false + SAML_ENTITY_ID: "urn:firezone.dev:firezone-app" + # SAML_KEYFILE_PATH: "/var/firezone/saml.key" + # SAML_CERTFILE_PATH: "/var/firezone/saml.crt" + # OPENID_CONNECT_PROVIDERS: "[]" + # SAML_IDENTITY_PROVIDERS: "[]" + # WireGuard + WIREGUARD_PORT: "{{ .Values.service.wireguard.ports.wireguard.port }}" + WIREGUARD_IPV4_ENABLED: true + WIREGUARD_IPV6_ENABLED: false + # Outbound Emails + OUTBOUND_EMAIL_FROM: "" + OUTBOUND_EMAIL_ADAPTER: "Elixir.FzHttpWeb.Mailer.NoopAdapter" + # OUTBOUND_EMAIL_ADAPTER_OPTS: "{}" + # Connectivity Checks + CONNECTIVITY_CHECKS_ENABLED: true + CONNECTIVITY_CHECKS_INTERVAL: 43200 + # Telemetry + TELEMETRY_ENABLED: false + +service: + main: + ports: + main: + protocol: http + port: 13000 + wireguard: + ports: + wireguard: + protocol: udp + port: 51820 + +persistence: + config: + enabled: true + mountPath: "/var/firezone" + +cnpg: + main: + enabled: true + user: firezone + database: firezone + +portal: + open: + enabled: true
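Review bot: values.yaml ships a working default administrator credential, `DEFAULT_ADMIN_EMAIL: "admin@email.com"` together with `DEFAULT_ADMIN_PASSWORD: "1234567890"`; questions.yaml marks both as required with an empty default, but a plain `helm install` without overrides seeds the Firezone admin account with a guessable password reachable at EXTERNAL_URL. Defaulting the password to `""` and requiring the operator to set it, as questions.yaml already does, removes the known credential from the Helm install path and keeps the two entry points consistent. The container also runs as root with `NET_ADMIN` and `SYS_MODULE`; SYS_MODULE allows loading kernel modules on the node, so a comment stating why it is needed (presumably to load the wireguard module on kernels without it built in — confirm) would help reviewers judge whether it can be dropped. Separately, `DEFAULT_CLIENT_ALLOWED_IPS: "0.0.0.0/0, ::/0"` has a space after the comma while questions.yaml defaults to `"0.0.0.0/0,::/0"`; unless Firezone trims entries, aligning both on the no-space form avoids a parse surprise.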