diff --git a/incubator/firezone/0.0.8/app-changelog.md b/incubator/firezone/0.0.8/app-changelog.md deleted file mode 100644 index 841d5b52338..00000000000 --- a/incubator/firezone/0.0.8/app-changelog.md +++ /dev/null @@ -1,9 +0,0 @@ - - -## [firezone-0.0.8](https://github.com/truecharts/charts/compare/firezone-1.0.0...firezone-0.0.8) (2023-08-16) - -### Fix - -- Update common / questions ([#11584](https://github.com/truecharts/charts/issues/11584)) - - \ No newline at end of file diff --git a/incubator/firezone/0.0.8/charts/common-14.0.1.tgz b/incubator/firezone/0.0.8/charts/common-14.0.1.tgz deleted file mode 100644 index 656c64047b2..00000000000 Binary files a/incubator/firezone/0.0.8/charts/common-14.0.1.tgz and /dev/null differ diff --git a/incubator/firezone/0.0.8/ix_values.yaml b/incubator/firezone/0.0.8/ix_values.yaml deleted file mode 100644 index 183285d4591..00000000000 --- a/incubator/firezone/0.0.8/ix_values.yaml +++ /dev/null 
@@ -1,142 +0,0 @@
-image:
- repository: tccr.io/truecharts/firezone
- pullPolicy: IfNotPresent
- tag: v0.7.30@sha256:e22dc7a9be93a804bbe0e3d301c883625463a3649d856c8b41f80a2257214667
-
-securityContext:
- container:
- readOnlyRootFilesystem: false
- runAsNonRoot: false
- PUID: 0
- runAsUser: 0
- runAsGroup: 0
- capabilities:
- add:
- - NET_ADMIN
- - SYS_MODULE
-
-workload:
- main:
- podSpec:
- containers:
- main:
- probes:
- liveness:
- enabled: false
- readiness:
- enabled: false
- startup:
- enabled: false
- env:
- # web
- PHOENIX_HTTP_PORT: "{{ .Values.service.main.ports.main.port }}"
- EXTERNAL_URL: "https://app.mydomain.com"
- # PHOENIX_SECURE_COOKIES: true
- # PHOENIX_HTTP_PROTOCOL_OPTIONS: "{}"
- # PHOENIX_EXTERNAL_TRUSTED_PROXIES: "[]"
- # PHOENIX_PRIVATE_CLIENTS: "[]"
- # DB
- DATABASE_HOST:
- secretKeyRef:
- name: cnpg-main-urls
- key: host
- DATABASE_PORT: 5432
- DATABASE_NAME: "{{ .Values.cnpg.main.database }}"
- DATABASE_USER: "{{ .Values.cnpg.main.user }}"
- DATABASE_PASSWORD:
- secretKeyRef:
- name: cnpg-main-user
- key: password
- # DATABASE_POOL_SIZE
- DATABASE_SSL_ENABLED: false
- # DATABASE_SSL_OPTS: "{}"
- # Admin
- RESET_ADMIN_ON_BOOT: false
- DEFAULT_ADMIN_EMAIL: "admin@email.com"
- DEFAULT_ADMIN_PASSWORD: "1234567890"
- # Secrets and Encryption
- GUARDIAN_SECRET_KEY:
- secretKeyRef:
- name: secrets
- key: GUARDIAN_SECRET_KEY
- DATABASE_ENCRYPTION_KEY:
- secretKeyRef:
- name: secrets
- key: DATABASE_ENCRYPTION_KEY
- SECRET_KEY_BASE:
- secretKeyRef:
- name: secrets
- key: SECRET_KEY_BASE
- LIVE_VIEW_SIGNING_SALT:
- secretKeyRef:
- name: secrets
- key: LIVE_VIEW_SIGNING_SALT
- COOKIE_SIGNING_SALT:
- secretKeyRef:
- name: secrets
- key: COOKIE_SIGNING_SALT
- COOKIE_ENCRYPTION_SALT:
- secretKeyRef:
- name: secrets
- key: COOKIE_ENCRYPTION_SALT
- # Devices
- ALLOW_UNPRIVILEGED_DEVICE_MANAGEMENT: true
- ALLOW_UNPRIVILEGED_DEVICE_CONFIGURATION: true
- VPN_SESSION_DURATION: 0
- DEFAULT_CLIENT_PERSISTENT_KEEPALIVE: 25
- DEFAULT_CLIENT_MTU: 1280
- #
DEFAULT_CLIENT_ENDPOINT: ""
- DEFAULT_CLIENT_DNS: "1.1.1.1,1.0.0.1"
- DEFAULT_CLIENT_ALLOWED_IPS: "0.0.0.0/0, ::/0"
- # Limits
- MAX_DEVICES_PER_USER: 10
- # Authorization
- LOCAL_AUTH_ENABLED: true
- DISABLE_VPN_ON_OIDC_ERROR: false
- SAML_ENTITY_ID: "urn:firezone.dev:firezone-app"
- # SAML_KEYFILE_PATH: "/var/firezone/saml.key"
- # SAML_CERTFILE_PATH: "/var/firezone/saml.crt"
- # OPENID_CONNECT_PROVIDERS: "[]"
- # SAML_IDENTITY_PROVIDERS: "[]"
- # WireGuard
- WIREGUARD_PORT: "{{ .Values.service.wireguard.ports.wireguard.port }}"
- WIREGUARD_IPV4_ENABLED: true
- WIREGUARD_IPV6_ENABLED: false
- # Outbound Emails
- OUTBOUND_EMAIL_FROM: ""
- OUTBOUND_EMAIL_ADAPTER: "Elixir.FzHttpWeb.Mailer.NoopAdapter"
- # OUTBOUND_EMAIL_ADAPTER_OPTS: "{}"
- # Connectivity Checks
- CONNECTIVITY_CHECKS_ENABLED: true
- CONNECTIVITY_CHECKS_INTERVAL: 43200
- # Telemetry
- TELEMETRY_ENABLED: false
-
-service:
- main:
- ports:
- main:
- protocol: http
- port: 13000
- wireguard:
- enabled: true
- ports:
- wireguard:
- enabled: true
- protocol: udp
- port: 51820
-
-persistence:
- config:
- enabled: true
- mountPath: "/var/firezone"
-
-cnpg:
- main:
- enabled: true
- user: firezone
- database: firezone
-
-portal:
- open:
- enabled: true
diff --git a/incubator/firezone/0.0.8/logo.png b/incubator/firezone/0.0.8/logo.png
deleted file mode 100644
index 7983abea3a4..00000000000
Binary files a/incubator/firezone/0.0.8/logo.png and /dev/null differ
diff --git a/incubator/firezone/0.0.8/CHANGELOG.md b/incubator/firezone/0.1.0/CHANGELOG.md
similarity index 93%
rename from incubator/firezone/0.0.8/CHANGELOG.md
rename to incubator/firezone/0.1.0/CHANGELOG.md
index 12aa7a570d2..68ac66f1cbc 100644
--- a/incubator/firezone/0.0.8/CHANGELOG.md
+++ b/incubator/firezone/0.1.0/CHANGELOG.md
@@ -4,6 +4,11 @@ +## [firezone-0.1.0](https://github.com/truecharts/charts/compare/firezone-0.0.8...firezone-0.1.0) (2023-09-07) + + + + ## [firezone-0.0.8](https://github.com/truecharts/charts/compare/firezone-1.0.0...firezone-0.0.8) (2023-08-16) ### Fix diff --git a/incubator/firezone/0.0.8/Chart.yaml b/incubator/firezone/0.1.0/Chart.yaml similarity index 92% rename from incubator/firezone/0.0.8/Chart.yaml rename to incubator/firezone/0.1.0/Chart.yaml index 764a2e73b24..97232aad8d9 100644 --- a/incubator/firezone/0.0.8/Chart.yaml +++ b/incubator/firezone/0.1.0/Chart.yaml @@ -1,9 +1,9 @@ apiVersion: v2 -appVersion: "0.7.30" +appVersion: "0.7.35" dependencies: - name: common repository: https://library-charts.truecharts.org - version: 14.0.1 + version: 14.0.3 deprecated: false description: WireGuard-based VPN server and egress firewall home: https://truecharts.org/charts/incubator/firezone @@ -22,7 +22,7 @@ sources: - https://github.com/truecharts/charts/tree/master/charts/incubator/firezone - https://github.com/firezone/firezone type: application -version: 0.0.8 +version: 0.1.0 annotations: truecharts.org/catagories: | - vpn diff --git a/incubator/firezone/0.0.8/README.md b/incubator/firezone/0.1.0/README.md similarity index 100% rename from incubator/firezone/0.0.8/README.md rename to incubator/firezone/0.1.0/README.md diff --git a/incubator/firezone/0.1.0/app-changelog.md b/incubator/firezone/0.1.0/app-changelog.md new file mode 100644 index 00000000000..734433f77d7 --- /dev/null +++ b/incubator/firezone/0.1.0/app-changelog.md @@ -0,0 +1,4 @@ + + +## [firezone-0.1.0](https://github.com/truecharts/charts/compare/firezone-0.0.8...firezone-0.1.0) (2023-09-07) + diff --git a/incubator/firezone/0.0.8/app-readme.md b/incubator/firezone/0.1.0/app-readme.md similarity index 100% rename from incubator/firezone/0.0.8/app-readme.md rename to incubator/firezone/0.1.0/app-readme.md 
diff --git a/incubator/firezone/0.1.0/charts/common-14.0.3.tgz b/incubator/firezone/0.1.0/charts/common-14.0.3.tgz
new file mode 100644
index 00000000000..9dab2456ffc
Binary files /dev/null and b/incubator/firezone/0.1.0/charts/common-14.0.3.tgz differ
diff --git a/incubator/firezone/0.1.0/ix_values.yaml b/incubator/firezone/0.1.0/ix_values.yaml
new file mode 100644
index 00000000000..5dd22c4db75
--- /dev/null
+++ b/incubator/firezone/0.1.0/ix_values.yaml
@@ -0,0 +1,170 @@
+image:
+ repository: tccr.io/truecharts/firezone
+ pullPolicy: IfNotPresent
+ tag: v0.7.35@sha256:53c08baeb65dde8689ebb3bd1fc9fbb034970dfdc9bceb005c4ffa03fe2b3e93
+
+securityContext:
+ container:
+ readOnlyRootFilesystem: false
+ runAsNonRoot: false
+ PUID: 0
+ runAsUser: 0
+ runAsGroup: 0
+ capabilities:
+ add:
+ - NET_ADMIN
+ - SYS_MODULE
+
+service:
+ main:
+ ports:
+ main:
+ protocol: http
+ port: 13000
+ wireguard:
+ enabled: true
+ ports:
+ wireguard:
+ enabled: true
+ protocol: udp
+ port: 51820
+
+firezone:
+ web:
+ external_url: "https://example.com"
+ trusted_proxies: []
+ private_clients: []
+ admin:
+ reset_admin_on_boot: false
+ default_email: "admin@email.com"
+ default_password: "1234567890"
+ devices:
+ allow_unprivileged_device_management: true
+ allow_unprivileged_device_config: true
+ vpn_session_duration: 0
+ client_persistent_keepalive: 25
+ default_client_mtu: 1280
+ client_endpoint: ""
+ client_dns:
+ - 1.1.1.1
+ - 1.0.0.1
+ client_allowed_ips:
+ - 0.0.0.0/0
+ max_devices_per_user: 10
+ authorization:
+ local_auth_enabled: true
+ disable_vpn_on_oidc_error: false
+ wireguard:
+ ipv4_masquerade_enabled: true
+ connectivity:
+ checks_enabled: true
+ checks_interval: 43200
+ other:
+ telemetry_enabled: false
+
+workload:
+ main:
+ podSpec:
+ containers:
+ main:
+ env:
+ # web
+ PHOENIX_HTTP_PORT: "{{ .Values.service.main.ports.main.port }}"
+ EXTERNAL_URL: "{{ .Values.firezone.web.external_url }}"
+ PHOENIX_SECURE_COOKIES: "{{ .Values.firezone.web.secure_cookies }}"
+ # PHOENIX_HTTP_PROTOCOL_OPTIONS: "{}"
+ PHOENIX_EXTERNAL_TRUSTED_PROXIES: "{{ toJson .Values.firezone.web.trusted_proxies }}"
+ PHOENIX_PRIVATE_CLIENTS: "{{ toJson .Values.firezone.web.private_clients }}"
+ # DB
+ DATABASE_HOST:
+ secretKeyRef:
+ name: cnpg-main-urls
+ key: host
+ DATABASE_PORT: 5432
+ DATABASE_NAME: "{{ .Values.cnpg.main.database }}"
+ DATABASE_USER: "{{ .Values.cnpg.main.user }}"
+ DATABASE_PASSWORD:
+ secretKeyRef:
+ name: cnpg-main-user
+ key:
password
+ # DATABASE_POOL_SIZE
+ DATABASE_SSL_ENABLED: false
+ # DATABASE_SSL_OPTS: "{}"
+ # Admin
+ RESET_ADMIN_ON_BOOT: "{{ .Values.firezone.admin.reset_admin_on_boot }}"
+ DEFAULT_ADMIN_EMAIL: "{{ .Values.firezone.admin.default_email }}"
+ DEFAULT_ADMIN_PASSWORD: "{{ .Values.firezone.admin.default_password }}"
+ # Secrets and Encryption
+ GUARDIAN_SECRET_KEY:
+ secretKeyRef:
+ name: firezone-secrets
+ key: GUARDIAN_SECRET_KEY
+ DATABASE_ENCRYPTION_KEY:
+ secretKeyRef:
+ name: firezone-secrets
+ key: DATABASE_ENCRYPTION_KEY
+ SECRET_KEY_BASE:
+ secretKeyRef:
+ name: firezone-secrets
+ key: SECRET_KEY_BASE
+ LIVE_VIEW_SIGNING_SALT:
+ secretKeyRef:
+ name: firezone-secrets
+ key: LIVE_VIEW_SIGNING_SALT
+ COOKIE_SIGNING_SALT:
+ secretKeyRef:
+ name: firezone-secrets
+ key: COOKIE_SIGNING_SALT
+ COOKIE_ENCRYPTION_SALT:
+ secretKeyRef:
+ name: firezone-secrets
+ key: COOKIE_ENCRYPTION_SALT
+ # Devices
+ ALLOW_UNPRIVILEGED_DEVICE_MANAGEMENT: "{{ .Values.firezone.devices.allow_unprivileged_device_management }}"
+ ALLOW_UNPRIVILEGED_DEVICE_CONFIGURATION: "{{ .Values.firezone.devices.allow_unprivileged_device_config }}"
+ VPN_SESSION_DURATION: "{{ .Values.firezone.devices.vpn_session_duration }}"
+ DEFAULT_CLIENT_PERSISTENT_KEEPALIVE: "{{ .Values.firezone.devices.client_persistent_keepalive }}"
+ DEFAULT_CLIENT_MTU: "{{ .Values.firezone.devices.default_client_mtu }}"
+ DEFAULT_CLIENT_ENDPOINT: "{{ .Values.firezone.devices.client_endpoint }}"
+ DEFAULT_CLIENT_DNS: '{{ join "," .Values.firezone.devices.client_dns }}'
+ DEFAULT_CLIENT_ALLOWED_IPS: '{{ join "," .Values.firezone.devices.client_allowed_ips }}'
+ # Limits
+ MAX_DEVICES_PER_USER: "{{ .Values.firezone.devices.max_devices_per_user }}"
+ # Authorization
+ LOCAL_AUTH_ENABLED: "{{ .Values.firezone.authorization.local_auth_enabled }}"
+ DISABLE_VPN_ON_OIDC_ERROR: "{{ .Values.firezone.authorization.disable_vpn_on_oidc_error }}"
+ # SAML_ENTITY_ID: "urn:firezone.dev:firezone-app"
+ # SAML_KEYFILE_PATH:
"/var/firezone/saml.key"
+ # SAML_CERTFILE_PATH: "/var/firezone/saml.crt"
+ # OPENID_CONNECT_PROVIDERS: "[]"
+ # SAML_IDENTITY_PROVIDERS: "[]"
+ # WireGuard
+ WIREGUARD_PORT: "{{ .Values.service.wireguard.ports.wireguard.port }}"
+ WIREGUARD_IPV4_ENABLED: true
+ WIREGUARD_IPV4_MASQUERADE: "{{ .Values.firezone.wireguard.ipv4_masquerade_enabled }}"
+ WIREGUARD_IPV6_ENABLED: false
+ WIREGUARD_IPV6_MASQUERADE: false
+ # Outbound Emails
+ # OUTBOUND_EMAIL_FROM: ""
+ # OUTBOUND_EMAIL_ADAPTER: "Elixir.FzHttpWeb.Mailer.NoopAdapter"
+ # OUTBOUND_EMAIL_ADAPTER_OPTS: "{}"
+ # Connectivity Checks
+ CONNECTIVITY_CHECKS_ENABLED: "{{ .Values.firezone.connectivity.checks_enabled }}"
+ CONNECTIVITY_CHECKS_INTERVAL: "{{ .Values.firezone.connectivity.checks_interval }}"
+ # Telemetry
+ TELEMETRY_ENABLED: "{{ .Values.firezone.other.telemetry_enabled }}"
+
+persistence:
+ config:
+ enabled: true
+ mountPath: "/var/firezone"
+
+cnpg:
+ main:
+ enabled: true
+ user: firezone
+ database: firezone
+
+portal:
+ open:
+ enabled: true
diff --git a/incubator/firezone/0.0.8/questions.yaml b/incubator/firezone/0.1.0/questions.yaml
similarity index 84%
rename from incubator/firezone/0.0.8/questions.yaml
rename to incubator/firezone/0.1.0/questions.yaml
index b355bb5ac4c..64584b67662 100644
--- a/incubator/firezone/0.0.8/questions.yaml
+++ b/incubator/firezone/0.1.0/questions.yaml
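Review bot: `PHOENIX_SECURE_COOKIES` is templated from `.Values.firezone.web.secure_cookies`, but the `firezone.web` block in this file only defines `external_url`, `trusted_proxies` and `private_clients`, so an install that does not go through questions.yaml (plain Helm) has no value for it and the variable typically renders as an empty string; whether Firezone then rejects the config or quietly falls back to non-secure cookies is not visible here. Add `secure_cookies: true` under `firezone.web` so the hardened default lives in the values file rather than only in the UI form. The `admin.default_password: "1234567890"` default is a guessable bootstrap credential for the primary administrator; since questions.yaml already marks the field required and private, shipping it as `default_password: ""` avoids a Helm install ever coming up with that password. The container also keeps `runAsUser: 0` with `NET_ADMIN` and `SYS_MODULE` from 0.0.8; `SYS_MODULE` allows loading kernel modules and deserves a comment stating why WireGuard routing needs it here, or dropping if it does not.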
@@ -101,229 +101,6 @@ questions:
 type: dict
 attrs:
- - variable: env
- label: Image Environment
- schema:
- additional_attrs: true
- type: dict
- attrs:
- - variable: EXTERNAL_URL
- label: External Url
- description: Must be a valid and public FQDN for ACME SSL issuance to function. Include https://
- schema:
- type: string
- required: true
- default: ""
- - variable: DEFAULT_ADMIN_EMAIL
- label: Default Admin Email
- description: Primary administrator email.
- schema:
- type: string
- required: true
- default: ""
- - variable: DEFAULT_ADMIN_PASSWORD
- label: Default Admin Password
- description: Primary administrator password.
- schema:
- type: string
- required: true
- private: true
- default: ""
- - variable: RESET_ADMIN_ON_BOOT
- label: Reset Admin On Boot
- description: to create or reset the admin password every time FireZone starts.
- schema:
- type: boolean
- default: false
- - variable: TELEMETRY_ENABLED
- label: Telemetry Enabled
- description: Enable or disable the FireZone telemetry collection.
- schema:
- type: boolean
- default: false
- - variable: devices
- label: Devices Settings
- schema:
- type: boolean
- default: false
- show_subquestions_if: true
- subquestions:
- - variable: ALLOW_UNPRIVILEGED_DEVICE_MANAGEMENT
- label: Allow Unprivileged Devices
- description: Enable or disable management of devices on unprivileged accounts.
- schema:
- type: boolean
- default: true
- - variable: ALLOW_UNPRIVILEGED_DEVICE_CONFIGURATION
- label: Allow Unprivileged Device Configuration
- description: Enable or disable configuration of device network settings for unprivileged users.
- schema:
- type: boolean
- default: true
- - variable: VPN_SESSION_DURATION
- label: VPN Session Duration
- description: Optionally require users to periodically authenticate to the FireZone, Interval for WireGuard persistent keepalive.
- schema:
- type: int
- default: 0
- - variable: DEFAULT_CLIENT_PERSISTENT_KEEPALIVE
- label: Default Client Persistent KeepAlive
- description: send a keepalive packet every 25 seconds. Otherwise, keep it disabled with a 0 default value.
- schema:
- type: int
- default: 25
- - variable: DEFAULT_CLIENT_MTU
- label: Default Client MTU
- description: WireGuard interface MTU for devices.
- schema:
- type: int
- default: 1280
- - variable: DEFAULT_CLIENT_ENDPOINT
- label: Default Client EndPoint
- description: IPv4, IPv6 address, or FQDN that devices will be configured to connect to. Defaults to this server's FQDN.
- schema:
- type: string
- default: ""
- - variable: DEFAULT_CLIENT_DNS
- label: Default Client DNS
- description: Comma-separated list of DNS servers to use for devices.
- schema:
- type: string
- default: "1.1.1.1,1.0.0.1"
- - variable: DEFAULT_CLIENT_ALLOWED_IPS
- label: Default Client Allowed IPs
- description: AllowedIPs determines which destination IPs get routed through FireZone.
- schema:
- type: string
- default: "0.0.0.0/0,::/0"
- - variable: MAX_DEVICES_PER_USER
- label: Max Devices Per User
- description: Changes how many devices a user can have at a time.
- schema:
- type: int
- default: 10
- - variable: authorization
- label: Authorization Settings
- schema:
- type: boolean
- default: false
- show_subquestions_if: true
- subquestions:
- - variable: LOCAL_AUTH_ENABLED
- label: Local Auth Enabled
- description: Enable or disable the local authentication method for all users.
- schema:
- type: boolean
- default: true
- - variable: DISABLE_VPN_ON_OIDC_ERROR
- label: Disable VPN On OIDC Error
- description: Enable or disable auto disabling VPN connection on OIDC refresh error.
- schema:
- type: boolean
- default: false
- - variable: wireguard
- label: Wireguard Settings
- schema:
- type: boolean
- default: false
- show_subquestions_if: true
- subquestions:
- - variable: WIREGUARD_IPV4_ENABLED
- label: WireGuard IPV4 Enabled
- description: Enable or disable IPv4 support for WireGuard.
- schema:
- type: boolean
- default: true
- - variable: WIREGUARD_IPV6_ENABLED
- label: WireGuard IPV6 Enabled
- description: Enable or disable IPv6 support for WireGuard.
- schema:
- type: boolean
- default: false
- - variable: outbound
- label: OutBound Email Settings
- schema:
- type: boolean
- default: false
- show_subquestions_if: true
- subquestions:
- - variable: OUTBOUND_EMAIL_FROM
- label: Outbound Email From
- description: From address to use for sending outbound emails.
- schema:
- type: string
- default: ""
- - variable: OUTBOUND_EMAIL_ADAPTER
- label: Outbound Email Adapter
- description: Method to use for sending outbound email.
- schema:
- type: string
- default: "Elixir.FzHttpWeb.Mailer.NoopAdapter"
- enum:
- - value: "Elixir.FzHttpWeb.Mailer.AmazonSES"
- description: "AmazonSES"
- - value: "Elixir.FzHttpWeb.Mailer.CustomerIO"
- description: CustomerIO"
- - value: "Elixir.FzHttpWeb.Mailer.Dyn"
- description: Dyn
- - value: "Elixir.FzHttpWeb.Mailer.ExAwsAmazonSES"
- description: ExAwsAmazonSES"
- - value: "Elixir.FzHttpWeb.Mailer.Gmail"
- description: Gmail"
- - value: "Elixir.FzHttpWeb.Mailer.MailPace"
- description: MailPace"
- - value: "Elixir.FzHttpWeb.Mailer.Mailgun"
- description: Mailgun"
- - value: "Elixir.FzHttpWeb.Mailer.Mailjet"
- description: MailJet"
- - value: "Elixir.FzHttpWeb.Mailer.Mandrill"
- description: Mandrill"
- - value: "Elixir.FzHttpWeb.Mailer.Postmark"
- description: Postmark"
- - value: "Elixir.FzHttpWeb.Mailer.ProtonBridge"
- description: ProtonBridge"
- - value: "Elixir.FzHttpWeb.Mailer.SMTP"
- description: SMTP"
- - value: "Elixir.FzHttpWeb.Mailer.SMTP2GO"
- description: SMTP2GO"
- - value:
"Elixir.FzHttpWeb.Mailer.Sendgrid"
- description: SendGrid"
- - value: "Elixir.FzHttpWeb.Mailer.Sendinblue"
- description: "SendInBlue"
- - value: "Elixir.FzHttpWeb.Mailer.Sendmail"
- description: "Sendmail"
- - value: "Elixir.FzHttpWeb.Mailer.SocketLabs"
- description: "SocketLabs"
- - value: "Elixir.FzHttpWeb.Mailer.SparkPost"
- description: "SparkPost"
- - value: "Elixir.FzHttpWeb.Mailer.NoopAdapter"
- description: "NoopAdapter"
- - variable: OUTBOUND_EMAIL_ADAPTER_OPTS
- label: Outbound Email Adapter OPTS
- description: Adapter configuration, see https://github.com/swoosh/swoosh#adapters.
- schema:
- type: string
- default: ""
- - variable: connectivity
- label: Connectivity Settings
- schema:
- type: boolean
- default: false
- show_subquestions_if: true
- subquestions:
- - variable: CONNECTIVITY_CHECKS_ENABLED
- label: Connectivity Checks Enabled
- description: Enable / disable periodic checking for egress connectivity. Determines the instance's public IP to populate Endpoint fields.
- schema:
- type: boolean
- default: true
- - variable: CONNECTIVITY_CHECKS_INTERVAL
- label: Connectivity Checks Interval
- description: Periodicity in seconds to check for egress connectivity.
- schema:
- type: int
- default: 43200
-
 - variable: envList
 label: Extra Environment Variables
 description: "Please be aware that some variables are set in the background, adding duplicates here might cause issues or prevent the app from starting..."
@@ -374,6 +151,224 @@ questions:
 schema:
 type: string
+ - variable: firezone
+ group: App Configuration
+ label: FireZone
+ schema:
+ additional_attrs: true
+ type: dict
+ attrs:
+ - variable: web
+ label: Web Configuration
+ schema:
+ additional_attrs: true
+ type: dict
+ attrs:
+ - variable: external_url
+ label: External Url
+ description: Must be a valid and public FQDN for ACME SSL issuance to function. Include https://
+ schema:
+ type: string
+ required: true
+ default: ""
+ - variable: trusted_proxies
+ label: Trusted Proxies
+ description: List of trusted reverse proxies.
+ schema:
+ type: list
+ default: []
+ items:
+ - variable: proxy
+ label: Proxy IP
+ schema:
+ type: string
+ required: true
+ default: ""
+ - variable: private_clients
+ label: Private Clients
+ description: List of trusted clients.
+ schema:
+ type: list
+ default: []
+ items:
+ - variable: client_ip
+ label: Client IP
+ schema:
+ type: string
+ required: true
+ default: ""
+ - variable: secure_cookies
+ label: Secure Cookies
+ description: Enable or disable requiring secure cookies. Required for HTTPS.
+ schema:
+ type: boolean
+ default: true
+ - variable: admin
+ label: Admin Configuration
+ schema:
+ additional_attrs: true
+ type: dict
+ attrs:
+ - variable: reset_admin_on_boot
+ label: Reset Admin On Boot
+ description: to create or reset the admin password every time Firezone starts. By default, the admin password is only set when Firezone is installed.
+ schema:
+ type: boolean
+ default: false
+ - variable: default_email
+ label: Default Email
+ description: Primary administrator email.
+ schema:
+ type: string
+ required: true
+ default: ""
+ - variable: default_password
+ label: Default Password
+ description: Default password that will be used for creating or resetting the primary administrator account.
+ schema:
+ type: string
+ required: true
+ private: true
+ default: ""
+ - variable: devices
+ label: Devices Configuration
+ schema:
+ additional_attrs: true
+ type: dict
+ attrs:
+ - variable: allow_unprivileged_device_management
+ label: Allow Unprivileged Device Management
+ description: Enable or disable management of devices on unprivileged accounts.
+ schema:
+ type: boolean
+ default: true
+ - variable: allow_unprivileged_device_config
+ label: Allow Unprivileged Device Configuration
+ description: Enable or disable configuration of device network settings for unprivileged users.
+ schema:
+ type: boolean
+ default: true
+ - variable: vpn_session_duration
+ label: VPN Session Duration
+ description: Optionally require users to periodically authenticate to the Firezone web UI in order to keep their VPN sessions active.
+ schema:
+ type: int
+ default: 0
+ - variable: client_persistent_keepalive
+ label: Client Persistent KeepAlive
+ description: If you experience NAT or firewall traversal problems, you can enable this to send a keepalive packet every 25 seconds, disabled by setting it to 0.
+ schema:
+ type: int
+ default: 0
+ - variable: default_client_mtu
+ label: Default Client MTU
+ description: WireGuard interface MTU for devices.
+ schema:
+ type: int
+ default: 1280
+ - variable: client_endpoint
+ label: Client Endpoint
+ description: IPv4, IPv6 address, or FQDN that devices will be configured to connect to.
+ schema:
+ type: string
+ default: ""
+ - variable: client_dns
+ label: Client DNS
+ description: List of DNS servers to use for devices.
+ schema:
+ type: list
+ empty: false
+ required: true
+ default:
+ - 1.1.1.1
+ - 1.0.0.1
+ items:
+ - variable: dns
+ label: DNS
+ schema:
+ type: string
+ required: true
+ default: ""
+ - variable: client_allowed_ips
+ label: Client Allowed Ips
+ description: Configures the default AllowedIPs setting for devices.
+ schema:
+ type: list
+ default: []
+ items:
+ - variable: dns
+ label: DNS
+ schema:
+ type: string
+ required: true
+ default: ""
+ - variable: max_devices_per_user
+ label: Max Devices Per User
+ description: Changes how many devices a user can have at a time.
+ schema:
+ type: int
+ default: 10
+ - variable: authorization
+ label: Authorization Configuration
+ schema:
+ additional_attrs: true
+ type: dict
+ attrs:
+ - variable: local_auth_enabled
+ label: Local Auth Enabled
+ description: Enable or disable the local authentication method for all users.
+ schema:
+ type: boolean
+ default: true
+ - variable: disable_vpn_on_oidc_error
+ label: Disable VPN On OIDC Error
+ description: Enable or disable auto disabling VPN connection on OIDC refresh error.
+ schema:
+ type: boolean
+ default: false
+ - variable: wireguard
+ label: Wireguard Configuration
+ schema:
+ additional_attrs: true
+ type: dict
+ attrs:
+ - variable: ipv4_masquerade_enabled
+ label: IPv4 Masquerade Enabled
+ description: Enable or disable IPv4 masqeurading.
+ schema:
+ type: boolean
+ default: true
+ - variable: connectivity
+ label: Connectivity Configuration
+ schema:
+ additional_attrs: true
+ type: dict
+ attrs:
+ - variable: checks_enabled
+ label: Checks Enabled
+ description: Enable / disable periodic checking for egress connectivity.
+ schema:
+ type: boolean
+ default: true
+ - variable: checks_interval
+ label: Checks Interval
+ description: Periodicity in seconds to check for egress connectivity.
+ schema:
+ type: int
+ default: 43200
+ - variable: other
+ label: Other Configuration
+ schema:
+ additional_attrs: true
+ type: dict
+ attrs:
+ - variable: telemetry_enabled
+ label: Telemetry Enabled
+ description: Enable or disable the Firezone telemetry collection.
+ schema:
+ type: boolean
+ default: false
+
 - variable: TZ
 label: Timezone
 group: "General Settings"
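Review bot: The `client_allowed_ips` list items are named `dns` with label `DNS`, evidently copied from `client_dns` just above, so the form asks for a DNS server where it actually expects a CIDR; change them to `- variable: cidr` and `label: Allowed IP / CIDR`. Its default here is `[]` while ix_values.yaml ships `- 0.0.0.0/0`, so a fresh install through this form renders `DEFAULT_CLIENT_ALLOWED_IPS` as an empty string unless the user fills it in; the two defaults should agree, and `empty: false` plus `required: true` (as `client_dns` already has) would keep an empty AllowedIPs from reaching the container. `secure_cookies` is introduced here with `default: true` but has no counterpart key in ix_values.yaml, so its value is only ever set for installs that pass through this form.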
diff --git a/incubator/firezone/0.0.8/templates/NOTES.txt b/incubator/firezone/0.1.0/templates/NOTES.txt
similarity index 100%
rename from incubator/firezone/0.0.8/templates/NOTES.txt
rename to incubator/firezone/0.1.0/templates/NOTES.txt
diff --git a/incubator/firezone/0.0.8/templates/_secrets.tpl b/incubator/firezone/0.1.0/templates/_secrets.tpl
similarity index 63%
rename from incubator/firezone/0.0.8/templates/_secrets.tpl
rename to incubator/firezone/0.1.0/templates/_secrets.tpl
index 8e3a689c668..0813312160a 100644
--- a/incubator/firezone/0.0.8/templates/_secrets.tpl
+++ b/incubator/firezone/0.1.0/templates/_secrets.tpl
@@ -17,10 +17,12 @@
 {{- end }}
 enabled: true
 data:
- GUARDIAN_SECRET_KEY: {{ $keyGuardian }}
- DATABASE_ENCRYPTION_KEY: {{ $keyDatabase }}
- SECRET_KEY_BASE: {{ $keySecret }}
- LIVE_VIEW_SIGNING_SALT: {{ $keyLive }}
- COOKIE_SIGNING_SALT: {{ $keyCookieSigning }}
- COOKIE_ENCRYPTION_SALT: {{ $keyCookieEncrypt }}
+ # firezone requires all these keys to be in base 64 format presented in the container, so this b64enc here is intentional
+ # https://www.firezone.dev/docs/reference/env-vars#secrets-and-encryption
+ GUARDIAN_SECRET_KEY: {{ $keyGuardian | b64enc }}
+ DATABASE_ENCRYPTION_KEY: {{ $keyDatabase | b64enc }}
+ SECRET_KEY_BASE: {{ $keySecret | b64enc }}
+ LIVE_VIEW_SIGNING_SALT: {{ $keyLive | b64enc }}
+ COOKIE_SIGNING_SALT: {{ $keyCookieSigning | b64enc }}
+ COOKIE_ENCRYPTION_SALT: {{ $keyCookieEncrypt | b64enc }}
 {{- end -}}
diff --git a/incubator/firezone/0.0.8/templates/common.yaml b/incubator/firezone/0.1.0/templates/common.yaml
similarity index 82%
rename from incubator/firezone/0.0.8/templates/common.yaml
rename to incubator/firezone/0.1.0/templates/common.yaml
index 3a972e62863..c10db0499d4 100644
--- a/incubator/firezone/0.0.8/templates/common.yaml
+++ b/incubator/firezone/0.1.0/templates/common.yaml
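Review bot: Piping the keys through `b64enc` changes the bytes Firezone derives from `DATABASE_ENCRYPTION_KEY` relative to 0.0.8, which handed the raw value over; if the `$key*` variables above this hunk are recovered from an existing Secret on upgrade (that lookup is outside the hunk), the same stored value now yields different key material and anything Firezone encrypted at rest under 0.0.8 may no longer decrypt. That deserves an upgrade note in the changelog and a comment here such as `# NOTE(review): changing the encoding of an existing key is effectively a key rotation — data encrypted with the 0.0.8 key will not decrypt`. It is also worth confirming that the raw generated values are long enough that their base64 form meets the minimum lengths Firezone's env-vars reference specifies, since b64enc only re-encodes and adds no entropy. Together with the Secret being renamed to `firezone-secrets` in common.yaml, an existing `secrets` object from 0.0.8 will not be reused unless the lookup is pointed at the new name.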
@@ -4,7 +4,7 @@
 {{/* Render secrets for firezone */}}
 {{- $secrets := include "firezone.secrets" . | fromYaml -}}
 {{- if $secrets -}}
- {{- $_ := set .Values.secret "secrets" $secrets -}}
+ {{- $_ := set .Values.secret "firezone-secrets" $secrets -}}
 {{- end -}}
 {{/* Render the templates */}}
diff --git a/incubator/firezone/0.0.8/values.yaml b/incubator/firezone/0.1.0/values.yaml
similarity index 100%
rename from incubator/firezone/0.0.8/values.yaml
rename to incubator/firezone/0.1.0/values.yaml