From 643d87f27a9d6b39e26ef0dd6946bc072bfa3262 Mon Sep 17 00:00:00 2001
From: bryopsida <8363252+bryopsida@users.noreply.github.com>
Date: Sat, 17 Aug 2024 09:26:17 -0500
Subject: [PATCH] Add client connect test (#55)
---
.devcontainer/devcontainer.json | 41 +++++++
.github/workflows/helm-qa.yml | 12 ++-
Makefile | 9 ++
ci/test-with-1-replica.yaml | 5 +
helm/wireguard/.helmignore | 1 +
helm/wireguard/Chart.yaml | 2 +-
helm/wireguard/README.md | 4 +-
helm/wireguard/ci/README.md | 5 +
helm/wireguard/ci/default-values.yaml | 15 +++
.../templates/tests/client-connect.yaml | 100 ++++++++++++++++++
10 files changed, 189 insertions(+), 5 deletions(-)
create mode 100644 .devcontainer/devcontainer.json
create mode 100644 ci/test-with-1-replica.yaml
create mode 100644 helm/wireguard/ci/README.md
create mode 100644 helm/wireguard/ci/default-values.yaml
create mode 100644 helm/wireguard/templates/tests/client-connect.yaml
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
new file mode 100644
index 0000000..64c6c88
--- /dev/null
+++ b/.devcontainer/devcontainer.json
@@ -0,0 +1,41 @@
+{
+ "name": "WG-Chart Dev Container",
+ "image": "mcr.microsoft.com/vscode/devcontainers/go:latest",
+ "features": {
+ "ghcr.io/devcontainers/features/github-cli:1": {},
+ "ghcr.io/devcontainers/features/common-utils:2": {},
+ "ghcr.io/devcontainers/features/docker-in-docker:2": {},
+ "ghcr.io/devcontainers/features/kubectl-helm-minikube:1": {},
+ "ghcr.io/mpriscella/features/kind:1": {},
+ "ghcr.io/devcontainers-contrib/features/apt-packages:1": {
+ "packages": "wireguard"
+ }
+ },
+ "customizations": {
+ "vscode": {
+ "extensions": [
+ "ms-kubernetes-tools.vscode-kubernetes-tools",
+ "redhat.vscode-yaml",
+ "github.vscode-pull-request-github",
+ "github.vscode-github-actions",
+ "ms-azuretools.vscode-docker",
+ "johnpapa.vscode-peacock",
+ "ms-vscode.makefile-tools"
+ ],
+ "settings": {
+ "editor.tabSize": 2,
+ "terminal.integrated.defaultProfile.linux": "zsh",
+ "terminal.integrated.profiles.linux": {
+ "bash": {
+ "path": "bash",
+ "icon": "terminal-bash"
+ },
+ "zsh": {
+ "path": "zsh"
+ }
+ }
+ }
+ },
+ "postStartCommand": "git config --global --add safe.directory ${containerWorkspaceFolder} && curl -sS https://webinstall.dev/k9s | bash"
+ }
+}
\ No newline at end of file
diff --git a/.github/workflows/helm-qa.yml b/.github/workflows/helm-qa.yml
index 0ddc0b6..775986a 100644
--- a/.github/workflows/helm-qa.yml
+++ b/.github/workflows/helm-qa.yml
@@ -9,8 +9,16 @@ on:
 - '.github/workflows/helm-qa.yml'
 jobs:
 test:
- name: 'Helm'
+ strategy:
+ matrix:
+ suite:
+ - name: default
+ ct_extra_args: >-
+ --upgrade
+ --helm-extra-set-args='--set=service.type=ClusterIP'
+ name: 'Helm (${{ matrix.suite.name }})'
 uses: curium-rocks/flows/.github/workflows/helm-qa.yml@main
 with:
 charts_dir: 'helm'
- helm_extra_sets: '--set service.type=ClusterIP'
+ ct_extra_args: ${{ matrix.suite.ct_extra_args }}
+ run-kubeval: false
diff --git a/Makefile b/Makefile
index 3eaa426..06d4928 100644
--- a/Makefile
+++ b/Makefile
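Review bot: `postStartCommand` executes `curl -sS https://webinstall.dev/k9s | bash` on every container start, an unpinned remote script with no integrity check, and the base `image` is `go:latest`, so both the editor tooling and the Go toolchain can change underneath a developer without any diff in this repo. Install k9s from a specific release whose checksum is verified (or via a pinned devcontainer feature) and pin `image` to a tag or digest. If the convenience install is kept deliberately, record that decision next to it; devcontainer.json is read as JSONC, so a `// k9s is a convenience tool only; not used by CI` line above `postStartCommand` is enough.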
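Review bot: `run-kubeval: false` switches off schema validation of the rendered chart without stating why, so the new test Job template and every other manifest stop being checked for invalid fields in the same commit that adds them; either keep it on or add a comment above the line naming the reason, e.g. `# kubeval disabled because: <reason> — re-enable when fixed`. The `strategy.matrix.suite` block currently holds a single entry, so it only adds indirection until a second suite exists; a one-line comment saying more suites are expected would make the intent clear. Whether the literal single quotes in `--helm-extra-set-args='--set=service.type=ClusterIP'` reach Helm depends on how the reusable workflow in `curium-rocks/flows` splits `ct_extra_args`, which is outside this diff and worth confirming.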
@@ -13,6 +13,15 @@ template: deploy: helm --namespace $(HELM_NAMESPACE) upgrade --install $(HELM_RELEASE_NAME) ./helm/wireguard/ -f $(OVERRIDE_PATH) $(HELM_EXTRA_ARGS) +test: + helm --namespace $(HELM_NAMESPACE) test $(HELM_RELEASE_NAME) + +cluster: + kind create cluster + +cluster-go-away: + kind delete cluster + clean-secret: kubectl --namespace $(HELM_NAMESPACE) delete secret $(HELM_RELEASE_NAME)-wg-generated diff --git a/ci/test-with-1-replica.yaml b/ci/test-with-1-replica.yaml new file mode 100644 index 0000000..d4aa90d --- /dev/null +++ b/ci/test-with-1-replica.yaml @@ -0,0 +1,5 @@ +service: + type: ClusterIP +replicaCount: 1 +autoscaling: + enabled: false \ No newline at end of file diff --git a/helm/wireguard/.helmignore b/helm/wireguard/.helmignore index 0e8a0eb..c97e2bc 100644 --- a/helm/wireguard/.helmignore +++ b/helm/wireguard/.helmignore @@ -21,3 +21,4 @@ .idea/ *.tmproj .vscode/ +ci diff --git a/helm/wireguard/Chart.yaml b/helm/wireguard/Chart.yaml index c1c2985..143867d 100644 --- a/helm/wireguard/Chart.yaml +++ b/helm/wireguard/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: wireguard description: A Helm chart for managing a wireguard vpn in kubernetes type: application -version: 0.23.0 +version: 0.24.0 appVersion: "0.0.0" maintainers: - name: bryopsida diff --git a/helm/wireguard/README.md b/helm/wireguard/README.md index b27efef..6280507 100644 --- a/helm/wireguard/README.md +++ b/helm/wireguard/README.md 
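Review bot: The new `test`, `cluster` and `cluster-go-away` targets are not declared `.PHONY`, so a file or directory named `test` or `cluster` in the repository root would make `make test` report it as up to date and silently skip the Helm test run; add `.PHONY: test cluster cluster-go-away` beside the targets, or extend an existing `.PHONY` line if one lives outside this hunk. `cluster-go-away` runs `kind delete cluster` with no name, which on a shared machine removes whichever kind cluster is the default rather than the one this project created; `kind create cluster --name $(KIND_CLUSTER_NAME)` and `kind delete cluster --name $(KIND_CLUSTER_NAME)` with a variable defaulting to a project-specific name keeps the target scoped to its own cluster.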
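Review bot: `ci/test-with-1-replica.yaml` is added at the repository root rather than under `helm/wireguard/ci/`, and as far as I can tell chart-testing only picks up `*-values.yaml` files in the chart's own `ci/` directory, so this file is not exercised by the workflow; if it is meant to be passed as the Makefile's `OVERRIDE_PATH`, a leading `# local override for 'make deploy'; not used by chart-testing` comment would prevent the confusion. The file also ends without a trailing newline.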
@@ -1,6 +1,6 @@ # wireguard -![Version: 0.23.0](https://img.shields.io/badge/Version-0.23.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.0](https://img.shields.io/badge/AppVersion-0.0.0-informational?style=flat-square) +![Version: 0.24.0](https://img.shields.io/badge/Version-0.24.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.0](https://img.shields.io/badge/AppVersion-0.0.0-informational?style=flat-square) A Helm chart for managing a wireguard vpn in kubernetes @@ -132,4 +132,4 @@ A Helm chart for managing a wireguard vpn in kubernetes | wireguard.serverCidr | string | `"10.34.0.0/24"` | Subnet for your VPN, take care not to clash with cluster POD cidr | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) +Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2) diff --git a/helm/wireguard/ci/README.md b/helm/wireguard/ci/README.md new file mode 100644 index 0000000..08928d8 --- /dev/null +++ b/helm/wireguard/ci/README.md @@ -0,0 +1,5 @@ +# What is this? + +This is a set of value files that will be tested in the CI pipeline. + +You can read more about the behavior [here](https://github.com/helm/charts/blob/master/test/README.md#providing-custom-test-values) diff --git a/helm/wireguard/ci/default-values.yaml b/helm/wireguard/ci/default-values.yaml new file mode 100644 index 0000000..fa7eefe --- /dev/null +++ b/helm/wireguard/ci/default-values.yaml 
@@ -0,0 +1,15 @@
+# kics-scan ignore
+service:
+ type: ClusterIP
+wireguard:
+ clients:
+ - AllowedIPs: 172.32.32.2/32
+ # used for testing only
+ PublicKey: NzYmaNXHi8+3NBpg7uoRFw7wO+fLG65gZToKqtecLAo=
+ serverAddress: 172.32.32.1/24
+ serverCidr: 172.32.32.0/24
+replicaCount: 1
+autoscaling:
+ enabled: false
+deploymentStrategy:
+ type: Recreate
diff --git a/helm/wireguard/templates/tests/client-connect.yaml b/helm/wireguard/templates/tests/client-connect.yaml
new file mode 100644
index 0000000..23d675c
--- /dev/null
+++ b/helm/wireguard/templates/tests/client-connect.yaml
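Review bot: `serverCidr: 172.32.32.0/24` and `serverAddress: 172.32.32.1/24` are outside RFC 1918 space (172.16.0.0/12 ends at 172.31.255.255), so the CI tunnel claims a publicly routable range, and the same addresses are hard-coded as `WG_CLIENT_IP` and the ping target in `templates/tests/client-connect.yaml`; the impact inside a throwaway kind cluster is small, but it is the wrong example to ship and it diverges from the chart's own `10.34.0.0/24` default, so switch all three places to a private range such as `172.31.32.0/24` (constructed example). `# kics-scan ignore` on the first line suppresses every KICS finding for the file without recording what it is meant to quiet; narrow it to the offending query and give the reason in the comment. The `# used for testing only` comment on `PublicKey` should say what this key is, presumably the peer half of the `WG_PRIVATE_KEY` embedded in the test Job: `# throwaway CI key pair; its private half is committed in templates/tests/client-connect.yaml, never reuse outside CI`.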
@@ -0,0 +1,100 @@
+# kics-scan ignore
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: wireguard-client-test
+ namespace: {{ .Release.Namespace }}
+ annotations:
+ helm.sh/hook: test
+spec:
+ template:
+ spec:
+ automountServiceAccountToken: false
+ initContainers:
+ - name: sysctls
+ image: busybox:stable
+ command:
+ - sh
+ - -c
+ - sysctl -w net.ipv4.ip_forward=1 && sysctl -w net.ipv4.conf.all.forwarding=1
+ securityContext:
+ runAsNonRoot: false
+ privileged: true
+ resources:
+ requests:
+ memory: 64Mi
+ cpu: "100m"
+ limits:
+ memory: 64Mi
+ cpu: "100m"
+ containers:
+ - name: wireguard-client
+ image: ghcr.io/bryopsida/wireguard:main
+ securityContext:
+ runAsNonRoot: {{ .Values.securityContext.runAsNonRoot | default true }}
+ runAsUser: {{ .Values.securityContext.runAsUser | default 1000 }}
+ readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFilesystem | default true }}
+ allowPrivilegeEscalation: {{ .Values.securityContext.allowPrivilegeEscalation | default true }}
+ privileged: {{ .Values.securityContext.privileged | default false }}
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_ADMIN
+ - NET_RAW
+ - SETUID
+ - SETGID
+ env:
+ - name: WG_PRIVATE_KEY
+ value: "gILClOGWPR+w9q4f0A7hlTKdQHC0vHwXPrGLHPKJi2o="
+ - name: WG_SERVER
+ value: "{{ .Release.Name }}-wireguard.{{ .Release.Namespace }}.svc"
+ - name: WG_SERVER_PORT
+ value: "{{ .Values.service.port }}"
+ - name: WG_SERVER_CIDR
+ value: "{{ .Values.wireguard.serverCidr }}"
+ - name: WG_CLIENT_IP
+ value: "172.32.32.2/32"
+ resources:
+ requests:
+ cpu: "100m"
+ memory: "128Mi"
+ limits:
+ cpu: "500m"
+ memory: "256Mi"
+ command:
+ - /bin/sh
+ args:
+ - -c
+ - |
+ set -e
+
+ cat < /tmp/wg0.conf
+ [Interface]
+ PrivateKey = ${WG_PRIVATE_KEY}
+ Address = ${WG_CLIENT_IP}
+
+ [Peer]
+ PublicKey = $(cat /etc/wireguard-server/privatekey | wg pubkey)
+ Endpoint = ${WG_SERVER}:${WG_SERVER_PORT}
+ AllowedIPs = ${WG_SERVER_CIDR}
+ EOF
+
+ wg-quick up /tmp/wg0.conf
+ sleep 5
+ sudo ping -c 1 -W 1 172.32.32.1
+ volumeMounts:
+ - name: wireguard-server-secret
+ mountPath: /etc/wireguard-server/
+ readOnly: true
+ - name: tmp-volume
+ mountPath: /tmp
+ volumes:
+ - name: wireguard-server-secret
+ secret:
+ secretName: {{ .Release.Name }}-wg-generated
+ - name: tmp-volume
+ emptyDir: {}
+ restartPolicy: Never
+ backoffLimit: 4
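Review bot: `allowPrivilegeEscalation: {{ .Values.securityContext.allowPrivilegeEscalation | default true }}` can never render `false`, because Sprig's `default` treats `false` (and `0`) as empty, so a user who sets the value to `false` still gets `true`; the same collapse affects `runAsNonRoot` and `readOnlyRootFilesystem` (a `false` becomes `true`, at least fail-safe) and `runAsUser: 0` becomes `1000`. Guard each lookup with `hasKey` as in the excerpt below, or render the block with `toYaml` from values, and leave a comment stating why escalation stays on for this pod (the script relies on `sudo` and `wg-quick`, which need setuid). The `wireguard-server-secret` volume mounts the entire `{{ .Release.Name }}-wg-generated` secret into the client just to run `wg pubkey` over `privatekey`, which hands the test pod the server's private key; if the generator can also store the public key (it is created outside this hunk), mount only that item via `items:`/`key:` so the private key never leaves the server. `WG_PRIVATE_KEY` is a static key committed to the chart whose peer is listed in `ci/default-values.yaml`, so any cluster deployed from those values trusts this well-known client; add `# throwaway CI key pair, paired with ci/default-values.yaml; never valid in a real deployment` above it. As rendered here, `cat < /tmp/wg0.conf` reads from a file that does not exist yet and would abort under `set -e` before `wg-quick`; if this is an extraction artifact of `cat <<EOF > /tmp/wg0.conf` disregard, otherwise it is why the test cannot pass.
```yaml
        securityContext:
          runAsNonRoot: {{ if hasKey .Values.securityContext "runAsNonRoot" }}{{ .Values.securityContext.runAsNonRoot }}{{ else }}true{{ end }}
          runAsUser: {{ if hasKey .Values.securityContext "runAsUser" }}{{ .Values.securityContext.runAsUser }}{{ else }}1000{{ end }}
          readOnlyRootFilesystem: {{ if hasKey .Values.securityContext "readOnlyRootFilesystem" }}{{ .Values.securityContext.readOnlyRootFilesystem }}{{ else }}true{{ end }}
          # sudo and wg-quick in this image rely on setuid, so escalation stays on unless values explicitly disable it
          allowPrivilegeEscalation: {{ if hasKey .Values.securityContext "allowPrivilegeEscalation" }}{{ .Values.securityContext.allowPrivilegeEscalation }}{{ else }}true{{ end }}
          privileged: {{ .Values.securityContext.privileged | default false }}
          # … unchanged: capabilities …
```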