From 5929db46ae0a995fbc7433630b8f9eeb41901979 Mon Sep 17 00:00:00 2001 From: bryopsida <8363252+bryopsida@users.noreply.github.com> Date: Sat, 10 Feb 2024 18:41:06 -0600 Subject: [PATCH] Add optional sidecar to expose a http health check (#44) --- ...with-healthsidecar-daemonset-hostport.yaml | 9 ++++ ci/test-with-healthsidecar-nodeport.yaml | 7 +++ helm/wireguard/Chart.yaml | 2 +- helm/wireguard/README.md | 14 +++++- helm/wireguard/templates/deployment.yaml | 16 ++++++- helm/wireguard/templates/sa.yaml | 26 ++++++++++- .../templates/service-health-endpoint.yaml | 28 ++++++++++++ helm/wireguard/values.yaml | 44 +++++++++++++++++++ 8 files changed, 142 insertions(+), 4 deletions(-) create mode 100644 ci/test-with-healthsidecar-daemonset-hostport.yaml create mode 100644 ci/test-with-healthsidecar-nodeport.yaml create mode 100644 helm/wireguard/templates/service-health-endpoint.yaml diff --git a/ci/test-with-healthsidecar-daemonset-hostport.yaml b/ci/test-with-healthsidecar-daemonset-hostport.yaml new file mode 100644 index 0000000..658ef57 --- /dev/null +++ b/ci/test-with-healthsidecar-daemonset-hostport.yaml @@ -0,0 +1,9 @@ +healthSideCar: + enabled: true + service: + enabled: false + useHostPort: true + hostPort: 10000 +autoscaling: + enabled: false +daemonSet: true diff --git a/ci/test-with-healthsidecar-nodeport.yaml b/ci/test-with-healthsidecar-nodeport.yaml new file mode 100644 index 0000000..d532656 --- /dev/null +++ b/ci/test-with-healthsidecar-nodeport.yaml @@ -0,0 +1,7 @@ +healthSideCar: + enabled: true +autoscaling: + enabled: false +replicaCount: 1 +deploymentStrategy: + type: Recreate diff --git a/helm/wireguard/Chart.yaml b/helm/wireguard/Chart.yaml index b9c3def..9487d76 100644 --- a/helm/wireguard/Chart.yaml +++ b/helm/wireguard/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: wireguard description: A Helm chart for managing a wireguard vpn in kubernetes type: application -version: 0.19.0 +version: 0.20.0 appVersion: "0.0.0" maintainers: - name: bryopsida diff --git a/helm/wireguard/README.md b/helm/wireguard/README.md index d5a361f..1bbc41a 100644 --- a/helm/wireguard/README.md +++ b/helm/wireguard/README.md @@ -1,6 +1,6 @@ # wireguard -![Version: 0.19.0](https://img.shields.io/badge/Version-0.19.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.0](https://img.shields.io/badge/AppVersion-0.0.0-informational?style=flat-square) +![Version: 0.20.0](https://img.shields.io/badge/Version-0.20.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.0](https://img.shields.io/badge/AppVersion-0.0.0-informational?style=flat-square) A Helm chart for managing a wireguard vpn in kubernetes @@ -30,6 +30,18 @@ A Helm chart for managing a wireguard vpn in kubernetes | disruptionBudget.enabled | bool | `true` | | | disruptionBudget.minAvailable | int | `2` | | | extraEnv | object | `{}` | Provide additional environment variables to the wireguard container | +| healthSideCar.enabled | bool | `false` | Opt in side car to expose a http health end point for external load balancers that are not kubernetes aware, in most cases this is not needed | +| healthSideCar.hostPort | int | `13000` | When useHostPort is true this is the host port defined | +| healthSideCar.image.pullPolicy | string | `"Always"` | Pull Policy always to avoid cached rolling tags, if you change this you should use a non rolling tag | +| healthSideCar.image.repository | string | `"ghcr.io/bryopsida/http-healthcheck-sidecar"` | Override repo if you prefer to use your own image | +| healthSideCar.image.tag | string | `"main"` | Rolling tag used by default to take patches automatically | +| healthSideCar.resources | object | `{"limits":{"cpu":"100m","memory":"256Mi"},"requests":{"cpu":"100m","memory":"256Mi"}}` | set resource constraints, set to nil to remove | +| healthSideCar.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsGroup":10001,"runAsNonRoot":true,"runAsUser":10001,"seccompProfile":{"type":"RuntimeDefault"}}` | Secure settings by default, can be overriden to reduce security posture if needed | +| healthSideCar.service.enabled | bool | `true` | Toggle to enable the service, if the pod is a daemonset healthSideCar.useHostPort can be used instead | +| healthSideCar.service.nodePort | int | `31313` | The port for the service exposed on each node | +| healthSideCar.service.port | int | `3000` | Override service port if needed | +| healthSideCar.service.type | string | `"NodePort"` | Service type, given the use case, in most cases this should be NodePort | +| healthSideCar.useHostPort | bool | `false` | When enabled the container will define a host port, in most cases this should only be used when deploying with daemonSet: true | | hostPort | int | `51820` | Host port to expose the VPN service on | | image.pullPolicy | string | `"Always"` | | | image.repository | string | `"ghcr.io/bryopsida/wireguard"` | | diff --git a/helm/wireguard/templates/deployment.yaml b/helm/wireguard/templates/deployment.yaml index 9d66673..5ea10c6 100644 --- a/helm/wireguard/templates/deployment.yaml +++ b/helm/wireguard/templates/deployment.yaml @@ -104,7 +104,7 @@ spec: matchLabelKeys: - pod-template-hash {{- end }} - automountServiceAccountToken: false + automountServiceAccountToken: {{ .Values.healthSideCar.enabled }} securityContext: fsGroup: {{ .Values.securityContext.runAsUser | default 1000 }} fsGroupChangePolicy: "OnRootMismatch" @@ -251,6 +251,20 @@ spec: {{- .Values.volumeMounts | toYaml | nindent 10 }} {{- end }} {{- end }} + {{- if .Values.healthSideCar.enabled }} + - name: health + image: "{{ .Values.healthSideCar.image.repository }}:{{ .Values.healthSideCar.image.tag }}" + imagePullPolicy: "{{ .Values.healthSideCar.image.pullPolicy }}" + resources: {{ .Values.healthSideCar.resources | toYaml | nindent 12 }} + securityContext: {{ .Values.healthSideCar.securityContext | toYaml | nindent 12 }} + ports: + - containerPort: 3000 + protocol: TCP + name: wg-health-ep + {{- if .Values.healthSideCar.useHostPort }} + hostPort: {{ .Values.healthSideCar.hostPort }} + {{- end }} + {{- end }} volumes: - name: run emptyDir: {} diff --git a/helm/wireguard/templates/sa.yaml b/helm/wireguard/templates/sa.yaml index 766cd1a..6a99da1 100644 --- a/helm/wireguard/templates/sa.yaml +++ b/helm/wireguard/templates/sa.yaml @@ -1,5 +1,29 @@ +--- apiVersion: v1 kind: ServiceAccount metadata: name: {{ .Release.Name }}-sa -automountServiceAccountToken: false \ No newline at end of file +automountServiceAccountToken: false +{{- if .Values.healthSideCar.enabled }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ .Release.Name }}-pod-reader +rules: +- apiGroups: [""] + resources: ["pods"] + verbs: ["get"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ .Release.Name }}-read-pods +subjects: +- kind: ServiceAccount + name: {{ .Release.Name }}-sa +roleRef: + kind: Role + name: {{ .Release.Name }}-pod-reader + apiGroup: rbac.authorization.k8s.io +{{- end }} diff --git a/helm/wireguard/templates/service-health-endpoint.yaml b/helm/wireguard/templates/service-health-endpoint.yaml new file mode 100644 index 0000000..58c0eff --- /dev/null +++ b/helm/wireguard/templates/service-health-endpoint.yaml @@ -0,0 +1,28 @@ +{{- if and .Values.healthSideCar.enabled .Values.healthSideCar.service.enabled }} +kind: Service +apiVersion: v1 +metadata: + name: "{{ .Release.Name }}-healthcheck" + labels: + app: "{{ .Release.Name }}-healthcheck" + app.kubernetes.io/component: health + {{- if .Values.healthSideCar.service.labels }} + {{- toYaml .Values.healthSideCar.service.labels | nindent 4 }} + {{- end }} + {{- if .Values.healthSideCar.service.annotations }} + annotations: + {{- toYaml .Values.healthSideCar.service.annotations | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.healthSideCar.service.type }} + ports: + - name: + protocol: TCP + port: {{ .Values.healthSideCar.service.port }} + targetPort: 3000 + {{- if eq .Values.healthSideCar.service.type "NodePort" }} + nodePort: {{ .Values.healthSideCar.service.nodePort }} + {{- end }} + selector: + app: "{{ .Release.Name }}-wireguard" +{{- end }} diff --git a/helm/wireguard/values.yaml b/helm/wireguard/values.yaml index 98ffd3e..a46d7a8 100644 --- a/helm/wireguard/values.yaml +++ b/helm/wireguard/values.yaml @@ -228,3 +228,47 @@ metrics: # -- Grafana dashboard annotations annotations: {} # k8s-sidecar-target-directory: /tmp/dashboards/Other +## Health sidecar configuration +healthSideCar: + # -- Opt in side car to expose a http health end point for external load balancers that are not kubernetes aware, in most cases this is not needed + enabled: false + # -- Secure settings by default, can be overriden to reduce security posture if needed + securityContext: + capabilities: + drop: + - ALL + runAsGroup: 10001 + runAsUser: 10001 + seccompProfile: + type: RuntimeDefault + runAsNonRoot: true + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + # -- set resource constraints, set to nil to remove + resources: + requests: + memory: 256Mi + cpu: "100m" + limits: + memory: 256Mi + cpu: "100m" + image: + # -- Override repo if you prefer to use your own image + repository: ghcr.io/bryopsida/http-healthcheck-sidecar + # -- Rolling tag used by default to take patches automatically + tag: main + # -- Pull Policy always to avoid cached rolling tags, if you change this you should use a non rolling tag + pullPolicy: Always + service: + # -- Override service port if needed + port: 3000 + # -- Toggle to enable the service, if the pod is a daemonset healthSideCar.useHostPort can be used instead + enabled: true + # -- Service type, given the use case, in most cases this should be NodePort + type: NodePort + # -- The port for the service exposed on each node + nodePort: 31313 + # -- When enabled the container will define a host port, in most cases this should only be used when deploying with daemonSet: true + useHostPort: false + # -- When useHostPort is true this is the host port defined + hostPort: 13000