feat(wireguard): add standalone wireguard (#3575)

* feat(wireguard): add standalone wireguard

* hmm

* try

* empty space

* configmap

* formatting

* mount

* full priv for testing

* lint

* see files

* lint

* actually mount it

* see content

* allow native helm users to pass conf file directly and update UI

* test secret mount

* disable /tmp

* default mode

* hmm

* lets see

* defaultMdoe

* root for testing

* configfilehostpath is required for scale

* fix def mode

* string

* render secret

* quote

* first encode then ident

* octal

* try hostpath

* rootless test

* fake config

* test normal run

* root

* rofs

* fake key

* fake key

* add keys for ci

* remove ci values
This commit is contained in:
Stavros Kois 2022-08-29 02:41:44 +03:00 committed by GitHub
parent f23adecd0c
commit ff2570df89
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 347 additions and 0 deletions


@ -0,0 +1,30 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
# OWNERS file for Kubernetes
OWNERS
# helm-docs templates
*.gotmpl
# docs folder
/docs
# icon
icon.png


@ -0,0 +1,26 @@
apiVersion: v2
appVersion: "10.6.2"
dependencies:
- name: common
repository: https://library-charts.truecharts.org
version: 10.5.0
description: WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography.
home: https://truecharts.org/docs/charts/stable/wireguard
icon: https://truecharts.org/img/hotlink-ok/chart-icons/wireguard.png
keywords:
- wireguard
- vpn
kubeVersion: ">=1.16.0-0"
maintainers:
- email: info@truecharts.org
name: TrueCharts
url: https://truecharts.org
name: wireguard
sources:
- https://github.com/k8s-at-home/container-images/tree/main/apps/wireguard
version: 0.0.1
annotations:
truecharts.org/catagories: |
- network
truecharts.org/SCALE-support: "true"
truecharts.org/grade: U



@ -0,0 +1,151 @@
# Include{groups}
portals:
open:
# Include{portalLink}
questions:
# Include{global}
# Include{controller}
# Include{controllerDeployment}
# Include{replicas}
# Include{replica1}
# Include{strategy}
# Include{recreate}
# Include{controllerExpert}
# Include{controllerExpertExtraArgs}
- variable: wg
group: Container Configuration
label: Wireguard Configuration
schema:
additional_attrs: true
type: dict
attrs:
- variable: configFileHostPath
label: Config File Host Path
schema:
type: string
required: true
default: ""
- variable: killswitch
label: Killswitch
description: Enable a killswitch that kills all traffic when the VPN is not connected
schema:
type: boolean
default: false
- variable: excludedIP4networks
label: Killswitch Excluded IPv4 networks
description: List of Killswitch Excluded IPv4 Addresses
schema:
type: list
default: []
items:
- variable: networkv4
label: IPv4 Network
schema:
type: string
required: true
- variable: excludedIP6networks
label: Killswitch Excluded IPv6 networks
description: List of Killswitch Excluded IPv6 Addresses
schema:
type: list
default: []
items:
- variable: networkv6
label: IPv6 Network
schema:
type: string
required: true
# Include{containerConfig}
# Include{serviceRoot}
- variable: main
label: "Main Service"
description: "The Primary service on which the healthcheck runs, often the webUI"
schema:
additional_attrs: true
type: dict
attrs:
# Include{serviceSelector}
- variable: main
label: "Main Service Port Configuration"
schema:
additional_attrs: true
type: dict
attrs:
- variable: port
label: "Port"
description: "This port exposes the container port on the service"
schema:
type: int
default: 51820
required: true
# Include{advancedPortUDP}
- variable: targetPort
label: "Target Port"
description: "The internal(!) port on the container the Application runs on"
schema:
type: int
default: 51820
# Include{serviceExpertRoot}
default: false
# Include{serviceExpert}
# Include{serviceList}
# Include{persistenceList}
# Include{ingressRoot}
- variable: main
label: "Main Ingress"
schema:
additional_attrs: true
type: dict
attrs:
# Include{ingressDefault}
# Include{ingressTLS}
# Include{ingressTraefik}
# Include{ingressExpert}
# Include{ingressList}
# Include{security}
# Include{securityContextAdvancedRoot}
- variable: privileged
label: "Privileged mode"
schema:
type: boolean
default: false
- variable: readOnlyRootFilesystem
label: "ReadOnly Root Filesystem"
schema:
type: boolean
default: false
- variable: allowPrivilegeEscalation
label: "Allow Privilege Escalation"
schema:
type: boolean
default: false
- variable: runAsNonRoot
label: "runAsNonRoot"
schema:
type: boolean
default: false
# Include{securityContextAdvanced}
# Include{podSecurityContextRoot}
- variable: runAsUser
label: "runAsUser"
description: "The UserID of the user running the application"
schema:
type: int
default: 0
- variable: runAsGroup
label: "runAsGroup"
description: "The groupID this App of the user running the application"
schema:
type: int
default: 0
- variable: fsGroup
label: "fsGroup"
description: "The group that should own ALL storage."
schema:
type: int
default: 568
# Include{podSecurityContextAdvanced}
# Include{resources}
# Include{advanced}
# Include{addons}
# Include{documentation}
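Review bot: `configFileHostPath` is `required: true` but carries no `description`, even though the file it points to is bind-mounted (read-only, per the chart's configfile template) into a container that by this schema's own defaults runs as `runAsUser: 0`, and a wg-quick config holds the interface's private key. Give the operator that context, e.g. `description: "Absolute host path to a wg-quick style wg0.conf (contains the PrivateKey). Mounted read-only; keep the file root-owned with mode 0600."`. The secret-based alternative (`wg.config.enabled` in values.yaml) is not exposed anywhere in this schema, so SCALE users are always on the hostPath route — worth saying in the `Wireguard Configuration` group so nobody hunts for a paste box. The killswitch exclusion items (`networkv4`, `networkv6`) are free-form strings that are later joined into an environment variable consumed by the firewall setup; a description stating that CIDR notation is expected (e.g. `description: "CIDR, e.g. 10.0.0.0/8"`) would prevent a stray entry from breaking the killswitch rules.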


@ -0,0 +1,23 @@
{{- define "wireguard.configfile" -}}
{{- if and .Values.wg.configFileHostPath ( not .Values.wg.config.enable ) }}
enabled: true
type: hostPath
readOnly: true
hostPathType: File
hostPath: {{ .Values.wg.configFileHostPath }}
mountPath: /etc/wireguard/wg0.conf
{{- end }}
{{- if .Values.wg.config.enabled }}
enabled: true
type: secret
readOnly: true
defaultMode: "0600"
objectName: '{{ printf "%s-wg-config-secret" (include "tc.common.names.fullname" .) }}'
mountPath: /etc/wireguard
items:
- key: wg0.conf
path: wg0.conf
{{- end }}
{{- end -}}
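Review bot: The `if` that opens the hostPath branch tests `.Values.wg.config.enable`, but the flag is spelled `config.enabled` everywhere else (the secret branch two lines below and values.yaml); the misspelled key is always nil, so `not` of it is always true and the hostPath mapping is emitted whenever `configFileHostPath` is set, even when `config.enabled` is also true. Both branches then write `enabled`, `type`, `readOnly` and `mountPath` into the same mapping, and what `fromYaml` keeps for duplicate keys is parser-dependent (last-wins or an error). Change the guard to `{{- if and .Values.wg.configFileHostPath ( not .Values.wg.config.enabled ) }}`. Separately, `defaultMode: "0600"` is a quoted string; if the common library passes it straight into the volume spec the API expects an integer, so confirm the rendered manifest — the commit history (`fix def mode`, `string`, `octal`) suggests this was already a sticking point.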


@ -0,0 +1,28 @@
{{/* Define the secrets */}}
{{- define "wg.env.configmap" -}}
{{- $configName := printf "%s-wg-env-config" (include "tc.common.names.fullname" .) }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ $configName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
SEPARATOR: ";"
IPTABLES_BACKEND: nft
KILLSWITCH: {{ .Values.wg.killswitch | quote }}
{{- if .Values.wg.killswitch }}
{{- $excludedIP4net := "172.16.0.0/12" }}
{{- range .Values.wg.excludedIP4networks }}
{{- $excludedIP4net = ( printf "%v;%v" $excludedIP4net . ) }}
{{- end }}
KILLSWITCH_EXCLUDEDNETWORKS_IPV4: {{ $excludedIP4net | quote }}
{{- $excludedIP6net := "" }}
{{- range .Values.wg.excludedIP6networks }}
{{- $excludedIP6net = ( printf "%v;%v" $excludedIP6net . ) }}
{{- end }}
KILLSWITCH_EXCLUDEDNETWORKS_IPV6: {{ $excludedIP4net | quote }}
{{- end }}
{{- end -}}
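Review bot: `KILLSWITCH_EXCLUDEDNETWORKS_IPV6` is rendered from `$excludedIP4net`, so the IPv6 exclusion list the operator configures is never emitted and the IPv4 prefixes are handed to the IPv6 rule set instead — either the v6 rules reject the v4 CIDRs and the killswitch never comes up, or the intended v6 carve-outs are silently dropped, neither of which a firewall should do quietly. Use `KILLSWITCH_EXCLUDEDNETWORKS_IPV6: {{ $excludedIP6net | quote }}`. The IPv6 accumulator also starts as `""`, so `printf "%v;%v"` yields a leading `;` and an empty first element; `{{- $excludedIP6net := join ";" .Values.wg.excludedIP6networks }}` replaces the loop and avoids the stray separator. The hard-coded `172.16.0.0/12` on the IPv4 side is a wide hole in the killswitch with no explanation — presumably the cluster pod/service range — so comment it, e.g. `{{- /* cluster pod/service CIDR: kept reachable so in-cluster traffic survives the killswitch */ -}}`, or expose it as a value.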


@ -0,0 +1,16 @@
{{/* Define the secrets */}}
{{- define "wg.config-secret" -}}
{{- $secretName := printf "%s-wg-config-secret" (include "tc.common.names.fullname" .) }}
---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: {{ $secretName }}
labels:
{{- include "tc.common.labels" . | nindent 4 }}
data:
wg0.conf: |
{{ .Values.wg.config.data | b64enc | indent 4 }}
{{- end -}}
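Review bot: The Secret is rendered unconditionally, so with `wg.config.enabled: false` (the default, and the only mode the SCALE questions expose) the placeholder config from values.yaml — `PrivateKey = PRIVATE_KEY`, `Endpoint = wg.example:51820` — is still created as `<release>-wg-config-secret`, an object that looks like a credential but is never mounted. Wrap the define's body in `{{- if .Values.wg.config.enabled }}` … `{{- end }}` so it exists only when the configfile template actually references it. Also note for users, in the values comment or the README: whatever is pasted into `wg.config.data`, private key included, is retained in the Helm release storage as well as in this Secret, so the hostPath route is the one to prefer when the key must not leave the host. The header comment `Define the secrets` is accurate here but is copy-pasted onto the ConfigMap template too; a distinct comment per define helps.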


@ -0,0 +1,12 @@
{{/* Make sure all variables are set properly */}}
{{- include "tc.common.loader.init" . }}
{{/* Render config */}}
{{- include "wg.env.configmap" . }}
{{/* Render secret */}}
{{- include "wg.config-secret" . }}
{{- $_ := set .Values.persistence "configfile" (include "wireguard.configfile" . | fromYaml) -}}
{{/* Render the templates */}}
{{ include "tc.common.loader.apply" . }}
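Review bot: `wireguard.configfile` returns an empty string when neither `wg.configFileHostPath` nor `wg.config.enabled` is set (both are off by default for native Helm users), and the result is still `set` into `.Values.persistence.configfile` via `fromYaml`; whether the common library tolerates a persistence entry with no `enabled` key is not visible here, and in any case the container would start with no `/etc/wireguard/wg0.conf`. Fail at render time instead of at runtime: `{{- $cf := include "wireguard.configfile" . }}` / `{{- if $cf }}{{- $_ := set .Values.persistence "configfile" ($cf | fromYaml) }}{{- else }}{{- fail "set wg.configFileHostPath or wg.config.enabled" }}{{- end }}`.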


@ -0,0 +1,59 @@
image:
repository: tccr.io/truecharts/wireguard
tag: v1.0.20210914@sha256:9f56e5660e8df8d4d38521ed73a4cc29fa24bf578007bfbe633e00184e2ebfbc
pullPolicy: IfNotPresent
podSecurityContext:
runAsUser: 0
runAsGroup: 0
securityContext:
runAsNonRoot: false
readOnlyRootFilesystem: false
capabilities:
add:
- NET_ADMIN
- SYS_MODULE
wg:
killswitch: false
excludedIP4networks: []
excludedIP6networks: []
# Leave empty if you going to use the paste your config bellow
configFileHostPath: ""
config:
enabled: false
# Your wg config here eg:
data: |
[Interface]
Address = 10.0.0.1/24
ListenPort = 51820
PrivateKey = PRIVATE_KEY
[Peer]
PublicKey = PUBLIC_KEY
AllowedIPs = 10.0.0.0/24
Endpoint = wg.example:51820
envFrom:
- configMapRef:
name: '{{ include "tc.common.names.fullname" . }}-wg-env-config'
probes:
liveness:
enabled: false
readiness:
enabled: false
startup:
enabled: false
service:
main:
ports:
main:
port: 51820
targetPort: 51820
protocol: UDP
portal:
enabled: false
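Review bot: `SYS_MODULE` in `securityContext.capabilities.add`, together with `runAsUser: 0` and `runAsNonRoot: false`, lets the workload load arbitrary kernel modules, which is effectively root on the node — and the file gives no reason for it. The image runs wg-quick, which on a host where the wireguard module is built in or already loaded needs only `NET_ADMIN`; document the condition above the capability, e.g. `# SYS_MODULE is only needed so wg-quick can load the wireguard kernel module on hosts that lack it; drop it where the host kernel already provides it.`. Unless the common library already drops the runtime's default capability set (not visible here), pair `add` with `drop: [ALL]` so the container holds exactly the capabilities listed. The `configFileHostPath` comment (`Leave empty if you going to use the paste your config bellow`) should also state that the file must contain the private key and is mounted read-only, since that is the security-relevant part of the choice between the two options.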


@ -1,5 +1,6 @@
version: "0.2"
words:
- airsonic
- aliasgroup
- allowtransparency
- APITOKEN
@ -89,6 +90,7 @@ words:
- multihost
- neko
- netdata
- networkv
- nextcloud
- nobind
- nodeport