Merge pull request #16 from bryopsida/add-security-context-override

Add values for securityContext override

Makefile

@@ -0,0 +1,7 @@
+CHART_PATH = helm/wireguard
+
+lint:
+	helm lint $(CHART_PATH)
+
+template:
+	helm template --debug  --disable-openapi-validation $(CHART_PATH)

helm/wireguard/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: wireguard
 description: A Helm chart for managing a wireguard vpn in kubernetes
 type: application
-version: 0.7.0
+version: 0.8.0
 appVersion: "0.0.0"
 maintainers:
   - name: bryopsida

helm/wireguard/README.md

@@ -1,6 +1,6 @@
 # wireguard
 
-![Version: 0.7.0](https://img.shields.io/badge/Version-0.7.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.0](https://img.shields.io/badge/AppVersion-0.0.0-informational?style=flat-square)
+![Version: 0.8.0](https://img.shields.io/badge/Version-0.8.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.0](https://img.shields.io/badge/AppVersion-0.0.0-informational?style=flat-square)
 
 A Helm chart for managing a wireguard vpn in kubernetes
 
@@ -26,12 +26,19 @@ A Helm chart for managing a wireguard vpn in kubernetes
 | image.pullPolicy | string | `"Always"` |  |
 | image.repository | string | `"ghcr.io/bryopsida/wireguard"` |  |
 | image.tag | string | `"main"` |  |
+| labels | object | `{}` |  |
+| podAnnotations | object | `{}` |  |
 | replicaCount | int | `3` |  |
 | resources.limits.cpu | string | `"100m"` |  |
 | resources.limits.memory | string | `"256Mi"` |  |
 | resources.requests.cpu | string | `"100m"` |  |
 | resources.requests.memory | string | `"256Mi"` |  |
 | secretName | string | `nil` | Name of a secret with a wireguard private key on key privatekey, if not provided on first install a hook generates one. |
+| securityContext.allowPrivilegeEscalation | bool | `true` |  |
+| securityContext.privileged | bool | `false` |  |
+| securityContext.readOnlyRootFilesystem | bool | `true` |  |
+| securityContext.runAsNonRoot | bool | `true` |  |
+| securityContext.runAsUser | int | `1000` |  |
 | service.enabled | bool | `true` | Whether the service will be created or not |
 | service.port | int | `51280` | Service port, default is 51280 UDP |
 | service.type | string | `"LoadBalancer"` | Service type, to keep internal to cluster use ClusterIP |

helm/wireguard/templates/deployment.yaml

@@ -5,6 +5,7 @@ exec:
   - -c
   - 'ip link show dev wg0 | grep -s up'
 {{- end -}}
+
 {{- define "core.securitycontext" -}}
 capabilities:
   drop:
@@ -15,25 +16,35 @@ capabilities:
     - SETUID
     - SETGID
 {{- end -}}
+
 {{- define "wg.securitycontext" -}}
 {{ include "core.securitycontext" . }}
-runAsNonRoot: true
-runAsUser: 1000
-readOnlyRootFilesystem: true
-allowPrivilegeEscalation: true
-privileged: false
+runAsNonRoot: {{ .Values.securityContext.runAsNonRoot | default true }}
+runAsUser: {{ .Values.securityContext.runAsUser | default 1000 }}
+readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFilesystem | default true }}
+allowPrivilegeEscalation: {{ .Values.securityContext.allowPrivilegeEscalation | default true }}
+privileged: {{ .Values.securityContext.privileged | default false }}
 {{- end -}}
+
 {{- define "init.securitycontext" -}}
 {{ include "core.securitycontext" . }}
 runAsNonRoot: false
 privileged: true
 {{- end -}}
+
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: "{{ .Release.Name }}-wireguard"
   labels:
     role: vpn
+    {{- if .Values.labels }}
+    {{- range $key, $value := .Values.labels  }}
+    {{ $key }}: {{ $value | quote }}
+    {{- end }}
+    {{- end }}
+
 spec:
   {{- if not .Values.autoscaling.enabled }}
   replicas: {{ .Values.replicaCount }}
@@ -46,9 +57,19 @@ spec:
     metadata:
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/config.yaml") . | sha256sum }}
+        {{- if .Values.podAnnotations }}
+        {{- range $key, $value := .Values.podAnnotations  }}
+        {{ $key }}: {{ $value | quote }}
+        {{- end }}
+        {{- end }}
       labels:
         app: "{{ .Release.Name }}-wireguard"
         role: vpn
+        {{- if .Values.labels }}
+        {{- range $key, $value := .Values.labels }}
+        {{ $key }}: {{ $value | quote }}
+        {{- end }}
+        {{- end }}
     spec:
       serviceAccountName: {{ .Release.Name }}-sa
       topologySpreadConstraints:
@@ -57,9 +78,9 @@ spec:
           whenUnsatisfiable: ScheduleAnyway
       automountServiceAccountToken: false
       securityContext:
-        fsGroup: 1000
+        fsGroup: {{ .Values.securityContext.runAsUser | default 1000 }}
         fsGroupChangePolicy: "OnRootMismatch"
-        runAsNonRoot: true
+        runAsNonRoot: {{ .Values.securityContext.runAsNonRoot | default true }}
       {{- if .Values.image.pullSecret }}
       imagePullSecrets:
         - name: "{{ .Values.image.pullSecret }}"

helm/wireguard/values.yaml

@@ -2,13 +2,21 @@ image:
   repository: ghcr.io/bryopsida/wireguard
   tag: main
   pullPolicy: Always
+podAnnotations: {}
+labels: {}
 wireguard:
   # -- Address of the VPN server
   serverAddress: 10.34.0.1/24
   #  -- Subnet for your VPN, take care not to clash with cluster POD cidr
   serverCidr: 10.34.0.0/24
   # -- A collection of clients that will be added to wg0.conf, accepts objects with keys PublicKey and AllowedIPs, stored in secret
   clients: []
+securityContext:
+  runAsNonRoot: true
+  runAsUser: 1000
+  readOnlyRootFilesystem: true
+  allowPrivilegeEscalation: true
+  privileged: false
 service:
   # -- Whether the service will be created or not
   enabled: true