work on vpn addons with targetSelector support

This commit is contained in:
Kjeld Schouten-Lebbing
2023-02-20 16:59:35 +01:00
parent 7b8b4f01ad
commit e75dc86757
13 changed files with 492 additions and 181 deletions


@@ -0,0 +1,78 @@
service:
main:
enabled: true
primary: true
ports:
main:
enabled: true
primary: true
protocol: http
port: 8080
workload:
main:
enabled: true
primary: true
type: Deployment
podSpec:
containers:
main:
enabled: true
primary: true
args:
- --port
- "8080"
probes:
liveness:
enabled: true
type: http
port: "{{ .Values.service.main.ports.main.port }}"
readiness:
enabled: true
type: http
port: "{{ .Values.service.main.ports.main.port }}"
startup:
enabled: true
type: http
port: "{{ .Values.service.main.ports.main.port }}"
args:
- --port
- '8080'
manifestManager:
enabled: false
staging: false
# -- The common chart supports several add-ons. These can be configured under this key.
# @default -- See below
addons:
# -- The common chart supports adding a VPN add-on. It can be configured under this key.
# For more info, check out [our docs](http://docs.k8s-at-home.com/our-helm-charts/common-library-add-ons/#wireguard-vpn)
# @default -- See values.yaml
vpn:
# -- Specify the VPN type. Valid options are disabled, gluetun or tailscale
type: tailscale
# -- All variables specified here will be added to the vpn sidecar container
# See the documentation of the VPN image for all config values
env:
something: UTC
# -- you can directly specify the config file here
config: "fdgdfsg"
scripts:
# -- you can directly specify the upscript here
up: "sffds"
# some script
# -- you can directly specify the downscript here
down: "fsdfds"
# some script
# -- select pods to bind vpn addon to
targetSelector:
- main
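Review bot: This new test values file and the one in the next file section are identical line for line, including `type: tailscale`, so the gluetun sidecar template this commit adds (`tc.v1.common.addon.vpn.gluetun.containers`) is exercised by neither; if one of them was meant to cover gluetun it should set `type: gluetun`. The `args` list also appears twice in the `main` workload block (`- "8080"` and `- '8080'`); indentation is lost in this rendering so I cannot tell whether both sit under the same container, but if they do, YAML parsers silently keep the last one and one copy should be dropped. The same two observations apply to the next file section.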


@@ -0,0 +1,78 @@
service:
main:
enabled: true
primary: true
ports:
main:
enabled: true
primary: true
protocol: http
port: 8080
workload:
main:
enabled: true
primary: true
type: Deployment
podSpec:
containers:
main:
enabled: true
primary: true
args:
- --port
- "8080"
probes:
liveness:
enabled: true
type: http
port: "{{ .Values.service.main.ports.main.port }}"
readiness:
enabled: true
type: http
port: "{{ .Values.service.main.ports.main.port }}"
startup:
enabled: true
type: http
port: "{{ .Values.service.main.ports.main.port }}"
args:
- --port
- '8080'
manifestManager:
enabled: false
staging: false
# -- The common chart supports several add-ons. These can be configured under this key.
# @default -- See below
addons:
# -- The common chart supports adding a VPN add-on. It can be configured under this key.
# For more info, check out [our docs](http://docs.k8s-at-home.com/our-helm-charts/common-library-add-ons/#wireguard-vpn)
# @default -- See values.yaml
vpn:
# -- Specify the VPN type. Valid options are disabled, gluetun or tailscale
type: tailscale
# -- All variables specified here will be added to the vpn sidecar container
# See the documentation of the VPN image for all config values
env:
something: UTC
# -- you can directly specify the config file here
config: "fdgdfsg"
scripts:
# -- you can directly specify the upscript here
up: "sffds"
# some script
# -- you can directly specify the downscript here
down: "fsdfds"
# some script
# -- select pods to bind vpn addon to
targetSelector:
- main


@@ -0,0 +1,16 @@
{{/*
The VPN config and scripts to be included.
*/}}
{{- define "tc.v1.common.addon.vpn.configmap" -}}
enabled: true
data:
{{- with .Values.addons.vpn.scripts.up }}
up.sh: |-
{{- . | nindent 4 }}
{{- end }}
{{- with .Values.addons.vpn.scripts.down }}
down.sh: |-
{{- . | nindent 4 }}
{{- end -}}
{{- end -}}
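Review bot: The keys written here are `up.sh` and `down.sh`, but the values.yaml comment added in this same commit tells users the scripts "need to be named: upscript.sh and downscript.sh"; one of the two should be aligned so the documented names match what `tc.v1.common.addon.vpn.volume.scripts` actually mounts. The header comment could state that contract explicitly, e.g. `The VPN up/down scripts configmap; keys up.sh and down.sh are mounted under /vpn/ by the scripts volume.`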


@@ -0,0 +1,42 @@
{{/*
The gluetun sidecar container to be inserted.
*/}}
{{- define "tc.v1.common.addon.vpn.gluetun.containers" -}}
{{- range .Values.addons.vpn.targetSelector }}
{{ . }}:
podSpec:
containers:
gluetun:
imageSelector: gluetunImage
securityContext:
runAsUser: 568
runAsGroup: 568
capabilities:
add:
- NET_ADMIN
- SYS_MODULE
{{- with $.Values.addons.vpn.env }}
env:
{{- . | toYaml | nindent 10 }}
{{- end }}
{{- range $envList := $.Values.addons.vpn.envList -}}
{{- if and $envList.name $envList.value }}
{{ $envList.name }}: {{ $envList.value | quote }}
{{- else -}}
{{- fail "Please specify name/value for VPN environment variable" -}}
{{- end -}}
{{- end -}}
{{- with $.Values.addons.vpn.args }}
args:
{{- . | toYaml | nindent 10 }}
{{- end }}
{{- with $.Values.addons.vpn.livenessProbe }}
livenessProbe:
{{- toYaml . | nindent 10 }}
{{- end -}}
{{- end }}
{{- end -}}
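Review bot: The `env:` key is only emitted inside `{{- with $.Values.addons.vpn.env }}`, yet the `envList` entries that follow are written unconditionally, so with an empty `env` map and a non-empty `envList` the `name: value` lines land directly under the container rather than under `env:` (the tailscale template in this commit writes `env:` unconditionally and avoids this). Move `env:` above the `with` and drop it from inside: `env:` / `{{- with $.Values.addons.vpn.env }}` / `{{- . | toYaml | nindent 10 }}`; indentation is lost in this rendering, so the `nindent` value may need adjusting. Separately, `SYS_MODULE` alongside `NET_ADMIN` is carried over from the deleted single-container template; a one-line comment stating why gluetun needs to load kernel modules would help reviewers judge the grant, since it is effectively a host-level capability.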


@@ -0,0 +1,9 @@
{{/*
The OpenVPN config secret to be included.
*/}}
{{- define "tc.v1.common.addon.vpn.secret" -}}
enabled: true
data:
vpn.conf: |-
{{- .Values.addons.vpn.config | nindent 4 }}
{{- end -}}
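Review bot: The header comment says "OpenVPN config secret", but this template renders `addons.vpn.config` for whichever `addons.vpn.type` is set, and the consumer (`tc.v1.common.addon.vpn.volume.config`) reads it back under the `vpn.conf` key regardless of type; reword to `The VPN config secret (key vpn.conf) to be included.` It would also help to note in that comment that `config` usually carries key material, which is why the addon template only generates this object when `config` is set and otherwise expects an `existingSecret` with the same `vpn.conf` key.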


@@ -0,0 +1,91 @@
{{/*
The Tailscale sidecar container to be inserted.
*/}}
{{- define "tc.v1.common.addon.vpn.tailscale.containers" -}}
{{- range .Values.addons.vpn.targetSelector }}
{{ . }}:
podSpec:
containers:
tailscale:
imageSelector: "tailscaleImage"
imagePullPolicy: {{ $.Values.tailscaleImage.pullPolicy }}
command:
- /usr/local/bin/containerboot
securityContext:
{{- if $.Values.addons.vpn.tailscale.userspace }}
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
readOnlyRootFilesystem: true
{{- else }}
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
readOnlyRootFilesystem: false
{{- end }}
capabilities:
add:
- NET_ADMIN
envFrom:
- secretRef:
name: tailscale-secret
{{/*
Set KUBE_SECRET to empty string to force tailscale
to use the filesystem for state tracking.
With secret for state tracking you can't always
know if the app that uses this sidecard will
use a custom ServiceAccount and will lead to falure.
*/}}
env:
TS_KUBE_SECRET: ""
TS_SOCKET: /var/run/tailscale/tailscaled.sock
TS_STATE_DIR: /var/lib/tailscale
TS_AUTH_ONCE: {{ $.Values.addons.vpn.tailscale.auth_once | quote }}
TS_USERSPACE: {{ $.Values.addons.vpn.tailscale.userspace | quote }}
TS_ACCEPT_DNS: {{ $.Values.addons.vpn.tailscale.accept_dns | quote }}
{{- with $.Values.addons.vpn.tailscale.outbound_http_proxy_listen }}
TS_OUTBOUND_HTTP_PROXY_LISTEN: {{ . }}
{{- end -}}
{{- with $.Values.addons.vpn.tailscale.routes }}
TS_ROUTES: {{ . }}
{{- end -}}
{{- with $.Values.addons.vpn.tailscale.dest_ip }}
TS_DEST_IP: {{ . }}
{{- end -}}
{{- with $.Values.addons.vpn.tailscale.sock5_server }}
TS_SOCKS5_SERVER: {{ . }}
{{- end -}}
{{- with $.Values.addons.vpn.tailscale.extra_args }}
TS_EXTRA_ARGS: {{ . | quote }}
{{- end -}}
{{- with $.Values.addons.vpn.tailscale.daemon_extra_args }}
TS_TAILSCALED_EXTRA_ARGS: {{ . | quote }}
{{- end -}}
{{- with $.Values.addons.vpn.tailscale.authkey }}
TS_AUTH_KEY: {{ . | b64enc }}
{{- end }}
{{- range $envList := $.Values.addons.vpn.envList -}}
{{- if and $envList.name $envList.value }}
{{ $envList.name }}: {{ $envList.value | quote }}
{{- else -}}
{{- fail "Please specify name/value for VPN environment variable" -}}
{{- end -}}
{{- end -}}
{{- with $.Values.addons.vpn.env -}}
{{- range $k, $v := . }}
{{ $k }}: {{ $v | quote }}
{{- end -}}
{{- end }}
{{- with $.Values.addons.vpn.livenessProbe }}
livenessProbe:
{{- toYaml . | nindent 10 }}
{{- end -}}
{{- end }}
{{- end -}}
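Review bot: `TS_AUTH_KEY: {{ . | b64enc }}` places the auth key, base64-encoded, into the plain `env` map of the container, so unless the common chart decodes `env` values before rendering, the sidecar receives the base64 text rather than the key, and in either case the credential ends up in the workload manifest instead of a Secret; since the container already declares `envFrom` with `secretRef: tailscale-secret`, routing the key through that secret would keep it out of the pod spec. The `runAsUser: 0` / `runAsNonRoot: false` branch with `NET_ADMIN` is carried over from the deleted template; a short comment explaining why the non-userspace mode needs root would help reviewers judge the grant and document `userspace: true` as the less privileged option. Two typos in the comment block above `env:`: `sidecard` → `sidecar`, `falure` → `failure`.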


@@ -0,0 +1,92 @@
{{/*
The volume (referencing VPN scripts) to be inserted into persistence.
*/}}
{{- define "tc.v1.common.addon.vpn.volume.scripts" -}}
enabled: true
type: configmap
objectName: vpnscripts
expandObjectName: false
defaultMode: "0777"
items:
{{- if .Values.addons.vpn.scripts.up }}
- key: up.sh
path: up.sh
mode: 0777
{{- end }}
{{- if .Values.addons.vpn.scripts.down }}
- key: down.sh
path: down.sh
mode: 0777
{{- end }}
targetSelector:
{{- range .Values.addons.vpn.targetSelector }}
{{ . }}:
vpn:
mountPath: /vpn/
{{- end }}
{{- end -}}
{{/*
The volume (referencing VPN config) to be inserted into persistence.
*/}}
{{- define "tc.v1.common.addon.vpn.volume.config" -}}
enabled: true
{{- if or .Values.addons.vpn.config .Values.addons.vpn.existingSecret }}
type: secret
defaultMode: "0777"
items:
- key: vpn.conf
path: vpn.conf
{{ if .Values.addons.vpn.existingSecret }}
objectName: {{ .Values.addons.vpn.existingSecret }}
expandObjectName: false
{{ else }}
objectName: vpnconfig
expandObjectName: true
{{ end }}
{{ else }}
type: hostPath
hostPath: {{ .Values.addons.vpn.configFile | default "/vpn/" }}
hostPathType: "File"
{{- end -}}
targetSelector:
{{- range .Values.addons.vpn.targetSelector }}
{{ . }}:
vpn:
mountPath: /vpn/
{{- end }}
{{- end -}}
{{/*
The volume (referencing VPN config folder) to be inserted into persistence.
*/}}
{{- define "tc.v1.common.addon.vpn.volume.folder" -}}
enabled: true
type: hostPath
hostPath: '{{ .Values.addons.vpn.configFolder }}'
targetSelector:
{{- range .Values.addons.vpn.targetSelector }}
{{ . }}:
vpn:
mountPath: /vpn/
{{- end }}
{{- end -}}
{{/*
The empty tailscale folder
*/}}
{{- define "tc.v1.common.addon.vpn.volume.tailscale" -}}
enabled: true
type: emptyDir
targetSelector:
{{- range .Values.addons.vpn.targetSelector }}
{{ . }}:
vpn:
mountPath: /vpn/
{{- end }}
{{- end -}}
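Review bot: All four volume templates mount at `mountPath: /vpn/`, so any two enabled for the same target (for example scripts plus config, which the addon template enables together whenever `scripts.up` and `config` are both set) produce duplicate mountPaths in one container; the removed values.yaml entries used distinct paths (`/vpn/vpn.conf`, `/vpn/mnt/`, `/var/lib/tailscale`). In particular `tc.v1.common.addon.vpn.volume.tailscale` should mount at `/var/lib/tailscale` to back the `TS_STATE_DIR` the tailscale container sets, otherwise with `readOnlyRootFilesystem: true` in userspace mode the state directory is not writable unless another volume covers it. `defaultMode: "0777"` on the secret in `volume.config` is far wider than needed for a config that is only read; `"0400"` (or `"0440"`) is the usual choice for key-bearing files. The `default "/vpn/"` fallback for `hostPath` is a directory path while `hostPathType: "File"` is set, so the default can never validate.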


@@ -5,13 +5,70 @@ It will include / inject the required templates based on the given values.
{{- define "tc.v1.common.addon.vpn" -}}
{{- if ne "disabled" .Values.addons.vpn.type -}}
{{- if .Values.addons.vpn.config -}}
{{/* Append the vpn config secret to the secrets */}}
{{- $secret := include "tc.v1.common.addon.vpn.secret" . | fromYaml -}}
{{- if $secret -}}
{{- $_ := set .Values.secret "vpnconfig" $secret -}}
{{- end -}}
{{- end }}
{{- if or .Values.addons.vpn.scripts.up .Values.addons.vpn.scripts.down -}}
{{/* Append the vpn up/down scripts to the configmaps */}}
{{- $configmap := include "tc.v1.common.addon.vpn.configmap" . | fromYaml -}}
{{- if $configmap -}}
{{- $_ := set .Values.secret "vpnscripts" $configmap -}}
{{- end -}}
{{- end }}
{{- if or .Values.addons.vpn.configFile .Values.addons.vpn.config .Values.addons.vpn.configSecret -}}
{{/* Append the vpn config to the persistence */}}
{{- $configper := include "tc.v1.common.addon.vpn.volume.config" . | fromYaml -}}
{{- if $configper -}}
{{- $_ := set .Values.persistence "vpnconfig" $configper -}}
{{- end -}}
{{- end -}}
{{- if or .Values.addons.vpn.scripts.up .Values.addons.vpn.scripts.down -}}
{{/* Append the vpn scripts to the persistence */}}
{{- $scriptsper := include "tc.v1.common.addon.vpn.volume.scripts" . | fromYaml -}}
{{- if $scriptsper -}}
{{- $_ := set .Values.persistence "vpnscripts" $scriptsper -}}
{{- end -}}
{{- end -}}
{{- if or .Values.addons.vpn.configFolder -}}
{{/* Append the vpn folder to the persistence */}}
{{- $folderper := include "tc.v1.common.addon.vpn.volume.scripts" . | fromYaml -}}
{{- if $folderper -}}
{{- $_ := set .Values.persistence "vpnfolder" $folderper -}}
{{- end -}}
{{- end -}}
{{- if eq "gluetun" .Values.addons.vpn.type -}}
{{- include "tc.v1.common.addon.gluetun" . }}
{{/* Append the code-server container to the additionalContainers */}}
{{- $containers := include "tc.v1.common.addon.vpn.gluetun.containers" . | fromYaml -}}
{{- if $containers -}}
{{- $newworkloads := merge $.Values.workload $containers }}
{{- $_ := set $.Values "workload" $newworkloads -}}
{{- end -}}
{{- else if ( eq "tailscale" .Values.addons.vpn.type ) -}}
{{/* Append the code-server container to the additionalContainers */}}
{{- $containers := include "tc.v1.common.addon.vpn.tailscale.containers" . | fromYaml -}}
{{- if $containers -}}
{{- $newworkloads := merge $.Values.workload $containers }}
{{- $_ := set $.Values "workload" $newworkloads -}}
{{- end -}}
{{/* Append the empty tailscale folder to the persistence */}}
{{- $tailscaleper := include "tc.v1.common.addon.vpn.volume.tailscale" . | fromYaml -}}
{{- if $tailscaleper -}}
{{- $_ := set .Values.persistence "tailscale" $tailscaleper -}}
{{- end -}}
{{- end -}}
{{- if eq "tailscale" .Values.addons.vpn.type -}}
{{- include "tc.v1.common.addon.tailscale" . }}
{{- end -}}
{{- end -}}
{{- end -}}
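Review bot: The `configFolder` branch includes `tc.v1.common.addon.vpn.volume.scripts` and stores it as `vpnfolder`, so the folder volume is never rendered; it should include `tc.v1.common.addon.vpn.volume.folder`, which this commit defines. In the scripts branch the configmap is written with `set .Values.secret "vpnscripts"` although the scripts volume declares `type: configmap`, so the object should go to the map the chart renders configmaps from (presumably `.Values.configmap`; not visible here). The config-volume condition checks `.Values.addons.vpn.configSecret`, but values.yaml and `volume.config` use `existingSecret`, so a user who sets only `existingSecret` gets no config volume. `include "tc.v1.common.addon.gluetun"` and `include "tc.v1.common.addon.tailscale"` reference templates whose closest namesakes (`...addon.vpn.gluetun` / `...addon.vpn.tailscale`) are deleted in this commit; if they are not defined elsewhere, rendering fails, and the copied `Append the code-server container` comments should name the vpn sidecar instead.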


@@ -1,11 +0,0 @@
{{/*
Template to render gluetun addon. It will add a container to the main pod.
*/}}
*/}}
{{- define "tc.v1.common.addon.vpn.gluetun" -}}
{{/* Append the code-server container to the additionalContainers */}}
{{- $container := include "tc.v1.common.addon.vpn.gluetun.container" . | fromYaml -}}
{{- if $container -}}
{{- $_ := set .Values.workload.main.podSpec.containers "vpn" $container -}}
{{- end -}}
{{- end -}}


@@ -1,38 +0,0 @@
{{/*
The gluetun sidecar container to be inserted.
*/}}
{{- define "tc.v1.common.addon.vpn.gluetun.container" -}}
name: gluetun
imageSelector: gluetunImage
securityContext:
runAsUser: 568
runAsGroup: 568
capabilities:
add:
- NET_ADMIN
- SYS_MODULE
{{- with .Values.addons.vpn.env }}
env:
{{- . | toYaml | nindent 2 }}
{{- end }}
{{- range $envList := .Values.addons.vpn.envList -}}
{{- if and $envList.name $envList.value }}
{{ $envList.name }}: {{ $envList.value | quote }}
{{- else -}}
{{- fail "Please specify name/value for VPN environment variable" -}}
{{- end -}}
{{- end -}}
{{- with .Values.addons.vpn.args }}
args:
{{- . | toYaml | nindent 2 }}
{{- end }}
{{- with .Values.addons.vpn.livenessProbe }}
livenessProbe:
{{- toYaml . | nindent 2 }}
{{- end -}}
{{- end -}}


@@ -1,11 +0,0 @@
{{/*
Template to render Tailscale addon. It will add the container to the list of additionalContainers.
*/}}
{{- define "tc.v1.common.addon.vpn.tailscale" -}}
{{/* Append the code-server container to the additionalContainers */}}
{{- $container := include "tc.v1.common.addon.vpn.tailscale.container" . | fromYaml -}}
{{- if $container -}}
{{- $_ := set .Values.workload.main.podSpec.containers "vpn" $container -}}
{{- end -}}
{{- end -}}


@@ -1,87 +0,0 @@
{{/*
The Tailscale sidecar container to be inserted.
*/}}
{{- define "tc.v1.common.addon.vpn.tailscale.container" -}}
name: tailscale
imageSelector: "tailscaleImage"
imagePullPolicy: {{ .Values.tailscaleImage.pullPolicy }}
command:
- /usr/local/bin/containerboot
securityContext:
{{- if .Values.addons.vpn.tailscale.userspace }}
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
readOnlyRootFilesystem: true
{{- else }}
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
readOnlyRootFilesystem: false
{{- end }}
capabilities:
add:
- NET_ADMIN
envFrom:
- secretRef:
name: tailscale-secret
{{/*
Set KUBE_SECRET to empty string to force tailscale
to use the filesystem for state tracking.
With secret for state tracking you can't always
know if the app that uses this sidecard will
use a custom ServiceAccount and will lead to falure.
*/}}
env:
TS_KUBE_SECRET: ""
TS_SOCKET: /var/run/tailscale/tailscaled.sock
TS_STATE_DIR: /var/lib/tailscale
TS_AUTH_ONCE: {{ .Values.addons.vpn.tailscale.auth_once | quote }}
TS_USERSPACE: {{ .Values.addons.vpn.tailscale.userspace | quote }}
TS_ACCEPT_DNS: {{ .Values.addons.vpn.tailscale.accept_dns | quote }}
{{- with .Values.addons.vpn.tailscale.outbound_http_proxy_listen }}
TS_OUTBOUND_HTTP_PROXY_LISTEN: {{ . }}
{{- end -}}
{{- with .Values.addons.vpn.tailscale.routes }}
TS_ROUTES: {{ . }}
{{- end -}}
{{- with .Values.addons.vpn.tailscale.dest_ip }}
TS_DEST_IP: {{ . }}
{{- end -}}
{{- with .Values.addons.vpn.tailscale.sock5_server }}
TS_SOCKS5_SERVER: {{ . }}
{{- end -}}
{{- with .Values.addons.vpn.tailscale.extra_args }}
TS_EXTRA_ARGS: {{ . | quote }}
{{- end -}}
{{- with .Values.addons.vpn.tailscale.daemon_extra_args }}
TS_TAILSCALED_EXTRA_ARGS: {{ . | quote }}
{{- end -}}
{{- with .Values.addons.vpn.tailscale.authkey }}
TS_AUTH_KEY: {{ . | b64enc }}
{{- end }}
{{- range $envList := .Values.addons.vpn.envList -}}
{{- if and $envList.name $envList.value }}
{{ $envList.name }}: {{ $envList.value | quote }}
{{- else -}}
{{- fail "Please specify name/value for VPN environment variable" -}}
{{- end -}}
{{- end -}}
{{- with .Values.addons.vpn.env -}}
{{- range $k, $v := . }}
{{ $k }}: {{ $v | quote }}
{{- end -}}
{{- end }}
{{- with .Values.addons.vpn.livenessProbe }}
livenessProbe:
{{- toYaml . | nindent 2 }}
{{- end -}}
{{- end -}}


@@ -199,30 +199,7 @@ persistence:
type: emptyDir
mountPath: /dev/shm
targetSelectAll: true
vpnconfig:
enabled: '{{ if or ( eq .Values.addons.vpn.type "gluetun" ) ( eq .Values.addons.vpn.type "tailscale" ) }}true{{ else }}false{{ end }}'
type: hostPath
hostPath: '{{ .Values.addons.vpn.configFile | default "/vpn/vpn.conf" }}'
hostPathType: "File"
targetSelector:
main:
vpn:
mountPath: /vpn/vpn.conf
vpnfolder:
enabled: '{{ if and ( or ( eq .Values.addons.vpn.type "gluetun" ) ( eq .Values.addons.vpn.type "tailscale" )) ( .Values.addons.vpn.configFolder ) }}true{{ else }}false{{ end }}'
type: hostPath
hostPath: '{{ .Values.addons.vpn.configFolder | default "/vpn/mnt/" }}'
targetSelector:
main:
vpn:
mountPath: /vpn/mnt/
tailscale:
enabled: '{{ if eq .Values.addons.vpn.type "tailscale" }}'
type: emptyDir
targetSelector:
main:
vpn:
mountPath: /var/lib/tailscale
# -- Injected from SCALE middleware
@@ -504,16 +481,34 @@ addons:
# - name: someenv
# value: somevalue
# -- Provide a customized vpn configuration file to be used by the VPN.
# -- you can directly specify the config file here
config: ""
scripts:
# -- you can directly specify the upscript here
up: ""
# some script
# -- you can directly specify the downscript here
down: ""
# some script
# -- Provide a customized vpn configuration file location to be used by the VPN.
configFile: ""
# -- Provide a customized vpn configuration folder to be added to the VPN container
# -- Provide a customized vpn configuration folder location to be added to the VPN container
# The config file needs to be mounted seperately
# the upscript and downscript need to be named: upscript.sh and downscript.sh respectively
configFolder: ""
## TODO to be implemented
# -- Reference an existing secret that contains the VPN configuration file
# The chart expects it to be present under the `vpnConfigfile` key.
# configFileSecret:
# -- Provide an existing secret for vpn config storage
existingSecret: ""
# -- select pods to bind vpn addon to
targetSelector:
- main
# -- The common library supports adding a code-server add-on to access files. It can be configured under this key.
# For more info, check out [our docs](http://docs.k8s-at-home.com/our-helm-charts/common-library-add-ons/#code-server)