From 1f9afaf0491a74fb40f047590a1541ca9bfcd9e1 Mon Sep 17 00:00:00 2001 From: bryopsida <8363252+bryopsida@users.noreply.github.com> Date: Wed, 21 Sep 2022 13:15:11 -0500 Subject: [PATCH 1/6] add auto scaling and rollout controls --- helm/wireguard/templates/deployment.yaml | 28 ++++++++++++++++++------ helm/wireguard/templates/hpa.yaml | 14 ++++++++++++ helm/wireguard/templates/pdb.yaml | 11 ++++++++++ helm/wireguard/values.yaml | 21 ++++++++++++++++++ 4 files changed, 67 insertions(+), 7 deletions(-) create mode 100644 helm/wireguard/templates/hpa.yaml create mode 100644 helm/wireguard/templates/pdb.yaml diff --git a/helm/wireguard/templates/deployment.yaml b/helm/wireguard/templates/deployment.yaml index 2dafae2..5c85e50 100644 --- a/helm/wireguard/templates/deployment.yaml +++ b/helm/wireguard/templates/deployment.yaml @@ -1,3 +1,10 @@ +{{- define "execprobe" -}} +exec: + command: + - /bin/sh + - -c + - 'ip link show dev wg0 | grep -s up' +{{- end -}} apiVersion: apps/v1 kind: Deployment metadata: @@ -5,10 +12,13 @@ metadata: labels: role: vpn spec: - replicas: 1 + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} selector: matchLabels: app: "{{ .Release.Name }}-wireguard" + strategy: {{ .Values.deploymentStrategy | toYaml | nindent 4 }} template: metadata: labels: @@ -50,12 +60,16 @@ spec: add: - NET_ADMIN privileged: true - resources: - requests: - memory: 64Mi - cpu: "100m" - limits: - memory: 256Mi + resources: {{ .Values.resources | toYaml | nindent 12 }} + startupProbe: {{ include "execprobe" . | nindent 12 }} + periodSeconds: 2 + failureThreshold: 15 + readinessProbe: {{ include "execprobe" . | nindent 12 }} + initialDelaySeconds: 5 + periodSeconds: 10 + livenessProbe: {{ include "execprobe" . | nindent 12 }} + initialDelaySeconds: 20 + periodSeconds: 10 volumeMounts: - name: config mountPath: /etc/wireguard/wg0.conf 
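Review bot: The probe command `ip link show dev wg0 | grep -s up` in the new `execprobe` define does not clearly test link state: `grep -s` only silences file-error messages (it is `-q` that suppresses output), and the match is case-sensitive while `ip link` prints the flag in upper case (`UP`, `LOWER_UP`), so whether it ever succeeds depends on the image's `ip` output — please verify against a running pod. A check that does not depend on output formatting would be `ip link show dev wg0 up | grep -q wg0` (letting iproute2 filter by state) or `wg show wg0 >/dev/null` if the image ships wireguard-tools. Since the third hunk wires the same define into the startup, readiness and liveness probes, a command that never matches surfaces as a restart loop (startup probe: 15 failures at 2 s) rather than a stuck rollout.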
diff --git a/helm/wireguard/templates/hpa.yaml b/helm/wireguard/templates/hpa.yaml new file mode 100644 index 0000000..63d15a3 --- /dev/null +++ b/helm/wireguard/templates/hpa.yaml @@ -0,0 +1,14 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ .Release.Name }}-wireguard +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ .Release.Name }}-wireguard + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + targetCPUUtilizationPercentage: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} +{{- end }} \ No newline at end of file diff --git a/helm/wireguard/templates/pdb.yaml b/helm/wireguard/templates/pdb.yaml new file mode 100644 index 0000000..a799a10 --- /dev/null +++ b/helm/wireguard/templates/pdb.yaml @@ -0,0 +1,11 @@ +{{- if .Values.disruptionBudget.enabled }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ .Release.Name }}-pdb +spec: + minAvailable: {{ .Values.disruptionBudget.minAvailable }} + selector: + matchLabels: + app: "{{ .Release.Name }}-wireguard" +{{- end }} \ No newline at end of file diff --git a/helm/wireguard/values.yaml b/helm/wireguard/values.yaml index 53de268..bdd3f02 100644 --- a/helm/wireguard/values.yaml +++ b/helm/wireguard/values.yaml @@ -16,3 +16,24 @@ service: port: 51280 # -- Name of a secret with a wireguard private key on key privatekey, if not provided on first install a hook generates one. secretName: ~ +replicaCount: 3 +resources: + requests: + memory: 256Mi + cpu: "500m" + limits: + memory: 256Mi + cpu: "500m" +deploymentStrategy: + type: 'RollingUpdate' + rollingUpdate: + maxUnavailable: 0 + maxSurge: 1 +disruptionBudget: + enabled: true + minAvailable: 2 +autoscaling: + enabled: true + minReplicas: 3 + maxReplicas: 10 + targetCPUUtilizationPercentage: 75 \ No newline at end of file From 1c3bc556f4f10d30097366b7281e453036a02800 Mon Sep 17 00:00:00 2001 
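Review bot: Scaling a WireGuard endpoint on CPU deserves a documented caveat: every replica mounts the same `wg0` config and private key secret, and a peer's session presumably lives in the pod that answered its handshake, so an HPA scale-down drops those peers' tunnels until they re-handshake, and `autoscaling/v1` offers no `behavior` block to dampen that. If the trade-off is intended, a `# --` comment on `autoscaling.enabled` in values.yaml should say so; otherwise `autoscaling/v2` with `behavior.scaleDown.stabilizationWindowSeconds` would at least slow the churn. The values.yaml defaults in this patch turn autoscaling on for every install.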
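Review bot: `minAvailable: {{ .Values.disruptionBudget.minAvailable }}` renders an absolute count (default `2`) that is only valid relative to the `replicaCount: 3` / `minReplicas: 3` defaults; a user who lowers either to 2 or 1 ends up with a budget that can never be satisfied and node drains block on this pod indefinitely. A percentage (`minAvailable: "50%"`) or `maxUnavailable: 1` stays valid for any replica count, or the template could `fail` when `minAvailable` is not below the configured replica count. `policy/v1` PodDisruptionBudget also requires Kubernetes 1.21+, which a `kubeVersion` constraint in Chart.yaml would make explicit if one is not already set.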
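Review bot: None of the twenty-one new keys carry the `# --` helm-docs comment the file already uses for `secretName`, which is why the README table generated in the next patch has an empty Description cell for every one of them. Suggested lines: `# -- Pods that must stay available during voluntary disruptions; keep below replicaCount / autoscaling.minReplicas` above `disruptionBudget.minAvailable`, and `# -- When true, replicaCount is ignored and the HPA owns the replica count` above `autoscaling.enabled`. Style: `type: 'RollingUpdate'` is single-quoted while the rest of the file double-quotes its strings (`cpu: "500m"`).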
From: bryopsida <8363252+bryopsida@users.noreply.github.com> Date: Wed, 21 Sep 2022 13:15:31 -0500 Subject: [PATCH 2/6] update docs --- helm/wireguard/README.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/helm/wireguard/README.md b/helm/wireguard/README.md index 3730382..7661353 100644 --- a/helm/wireguard/README.md +++ b/helm/wireguard/README.md @@ -14,9 +14,23 @@ A Helm chart for managing a wireguard vpn in kubernetes | Key | Type | Default | Description | |-----|------|---------|-------------| +| autoscaling.enabled | bool | `true` | | +| autoscaling.maxReplicas | int | `10` | | +| autoscaling.minReplicas | int | `3` | | +| autoscaling.targetCPUUtilizationPercentage | int | `75` | | +| deploymentStrategy.rollingUpdate.maxSurge | int | `1` | | +| deploymentStrategy.rollingUpdate.maxUnavailable | int | `0` | | +| deploymentStrategy.type | string | `"RollingUpdate"` | | +| disruptionBudget.enabled | bool | `true` | | +| disruptionBudget.minAvailable | int | `2` | | | image.pullPolicy | string | `"Always"` | | | image.repository | string | `"ghcr.io/bryopsida/wireguard"` | | | image.tag | string | `"latest"` | | +| replicaCount | int | `3` | | +| resources.limits.cpu | string | `"500m"` | | +| resources.limits.memory | string | `"256Mi"` | | +| resources.requests.cpu | string | `"500m"` | | +| resources.requests.memory | string | `"256Mi"` | | | secretName | string | `nil` | Name of a secret with a wireguard private key on key privatekey, if not provided on first install a hook generates one. | | service.enabled | bool | `true` | Whether the service will be created or not | | service.port | int | `51280` | Service port, default is 51280 UDP | From 4bd5aded3855bb810b7f9bfeb310ded9c2de5e58 Mon Sep 17 00:00:00 2001 
From: bryopsida <8363252+bryopsida@users.noreply.github.com> Date: Wed, 21 Sep 2022 13:16:01 -0500 Subject: [PATCH 3/6] update docs and chart version --- helm/wireguard/Chart.yaml | 2 +- helm/wireguard/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/helm/wireguard/Chart.yaml b/helm/wireguard/Chart.yaml index 5fbbaeb..58ed15f 100644 --- a/helm/wireguard/Chart.yaml +++ b/helm/wireguard/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: wireguard description: A Helm chart for managing a wireguard vpn in kubernetes type: application -version: 0.2.0 +version: 0.3.0 appVersion: "0.0.0" maintainers: - name: bryopsida diff --git a/helm/wireguard/README.md b/helm/wireguard/README.md index 7661353..6336ce9 100644 --- a/helm/wireguard/README.md +++ b/helm/wireguard/README.md @@ -1,6 +1,6 @@ # wireguard -![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.0](https://img.shields.io/badge/AppVersion-0.0.0-informational?style=flat-square) +![Version: 0.3.0](https://img.shields.io/badge/Version-0.3.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.0](https://img.shields.io/badge/AppVersion-0.0.0-informational?style=flat-square) A Helm chart for managing a wireguard vpn in kubernetes From a0d099dfee472532734115da397dc6d344125bdc Mon Sep 17 00:00:00 2001 From: bryopsida <8363252+bryopsida@users.noreply.github.com> Date: Wed, 21 Sep 2022 13:19:00 -0500 Subject: [PATCH 4/6] add new lines --- helm/wireguard/templates/hpa.yaml | 2 +- helm/wireguard/templates/pdb.yaml | 2 +- helm/wireguard/values.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/helm/wireguard/templates/hpa.yaml b/helm/wireguard/templates/hpa.yaml index 63d15a3..32f93d8 100644 
--- a/helm/wireguard/templates/hpa.yaml +++ b/helm/wireguard/templates/hpa.yaml @@ -11,4 +11,4 @@ spec: minReplicas: {{ .Values.autoscaling.minReplicas }} maxReplicas: {{ .Values.autoscaling.maxReplicas }} targetCPUUtilizationPercentage: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} -{{- end }} \ No newline at end of file +{{- end }} diff --git a/helm/wireguard/templates/pdb.yaml b/helm/wireguard/templates/pdb.yaml index a799a10..77623a0 100644 --- a/helm/wireguard/templates/pdb.yaml +++ b/helm/wireguard/templates/pdb.yaml @@ -8,4 +8,4 @@ spec: selector: matchLabels: app: "{{ .Release.Name }}-wireguard" -{{- end }} \ No newline at end of file +{{- end }} diff --git a/helm/wireguard/values.yaml b/helm/wireguard/values.yaml index bdd3f02..530d174 100644 --- a/helm/wireguard/values.yaml +++ b/helm/wireguard/values.yaml @@ -36,4 +36,4 @@ autoscaling: enabled: true minReplicas: 3 maxReplicas: 10 - targetCPUUtilizationPercentage: 75 \ No newline at end of file + targetCPUUtilizationPercentage: 75 From 906124109ead572d6696629b037fba698bbafec2 Mon Sep 17 00:00:00 2001 From: bryopsida <8363252+bryopsida@users.noreply.github.com> Date: Wed, 21 Sep 2022 13:50:07 -0500 Subject: [PATCH 5/6] cleanup some popeye warnings --- helm/wireguard/README.md | 6 +++--- helm/wireguard/templates/deployment.yaml | 27 ++++++++++++++---------- helm/wireguard/values.yaml | 6 +++--- 3 files changed, 22 insertions(+), 17 deletions(-) diff --git a/helm/wireguard/README.md b/helm/wireguard/README.md index 6336ce9..98ac969 100644 --- a/helm/wireguard/README.md +++ b/helm/wireguard/README.md 
@@ -25,11 +25,11 @@ A Helm chart for managing a wireguard vpn in kubernetes | disruptionBudget.minAvailable | int | `2` | | | image.pullPolicy | string | `"Always"` | | | image.repository | string | `"ghcr.io/bryopsida/wireguard"` | | -| image.tag | string | `"latest"` | | +| image.tag | string | `"main"` | | | replicaCount | int | `3` | | -| resources.limits.cpu | string | `"500m"` | | +| resources.limits.cpu | string | `"100m"` | | | resources.limits.memory | string | `"256Mi"` | | -| resources.requests.cpu | string | `"500m"` | | +| resources.requests.cpu | string | `"100m"` | | | resources.requests.memory | string | `"256Mi"` | | | secretName | string | `nil` | Name of a secret with a wireguard private key on key privatekey, if not provided on first install a hook generates one. | | service.enabled | bool | `true` | Whether the service will be created or not | diff --git a/helm/wireguard/templates/deployment.yaml b/helm/wireguard/templates/deployment.yaml index 5c85e50..f263e43 100644 --- a/helm/wireguard/templates/deployment.yaml +++ b/helm/wireguard/templates/deployment.yaml @@ -5,6 +5,12 @@ exec: - -c - 'ip link show dev wg0 | grep -s up' {{- end -}} +{{- define "securitycontext" -}} +capabilities: + add: + - NET_ADMIN +privileged: true +{{- end -}} apiVersion: apps/v1 kind: Deployment metadata: @@ -34,16 +40,19 @@ spec: {{- end }} initContainers: - name: sysctls - image: busybox + image: busybox:stable command: - sh - -c - sysctl -w net.ipv4.ip_forward=1 && sysctl -w net.ipv4.conf.all.forwarding=1 - securityContext: - capabilities: - add: - - NET_ADMIN - privileged: true + securityContext: {{ include "securitycontext" . | nindent 12 }} + resources: + requests: + memory: 64Mi + cpu: "100m" + limits: + memory: 64Mi + cpu: "100m" containers: - name: wireguard image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" 
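Review bot: `privileged: true` in the new `securitycontext` define already grants the container every capability, so the `capabilities.add: [NET_ADMIN]` next to it has no effect, and the define is now shared by the sysctl init container (second hunk) and the wireguard container (third hunk) although their needs differ. For the wireguard container `NET_ADMIN` alone is normally sufficient and dropping `privileged` there would shrink the pod's blast radius considerably; the init container may still need it to write under `/proc/sys` — if so, record that with a comment such as `# privileged is needed only by the init container to set net.ipv4 sysctls` and give the two containers separate defines rather than one shared block.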
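Review bot: `image: busybox:stable` replaces one floating tag with another, so the init container's image can still change underneath the chart between installs and cannot be audited against a release. Pinning by digest (`busybox:stable@sha256:<digest placeholder>`) or exposing it through values (e.g. `initImage.repository` / `initImage.tag`, constructed names) would make the bits reproducible and let users point at an internal mirror, as the main container already can via `.Values.image`.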
@@ -55,11 +64,7 @@ spec: env: - name: LOG_LEVEL value: info - securityContext: - capabilities: - add: - - NET_ADMIN - privileged: true + securityContext: {{ include "securitycontext" . | nindent 12 }} resources: {{ .Values.resources | toYaml | nindent 12 }} startupProbe: {{ include "execprobe" . | nindent 12 }} periodSeconds: 2 diff --git a/helm/wireguard/values.yaml b/helm/wireguard/values.yaml index 530d174..f5a2cab 100644 --- a/helm/wireguard/values.yaml +++ b/helm/wireguard/values.yaml @@ -1,6 +1,6 @@ image: repository: ghcr.io/bryopsida/wireguard - tag: latest + tag: main pullPolicy: Always wireguard: # -- Subnet for your VPN, take care not to clash with cluster POD cidr @@ -20,10 +20,10 @@ replicaCount: 3 resources: requests: memory: 256Mi - cpu: "500m" + cpu: "100m" limits: memory: 256Mi - cpu: "500m" + cpu: "100m" deploymentStrategy: type: 'RollingUpdate' rollingUpdate: From 76ad2fd9d1f7e8221c08057e0b6fd23f8046d0e8 Mon Sep 17 00:00:00 2001 From: bryopsida <8363252+bryopsida@users.noreply.github.com> Date: Wed, 21 Sep 2022 14:14:58 -0500 Subject: [PATCH 6/6] more popeye fixes --- helm/wireguard/templates/deployment.yaml | 23 ++++++++++++++++--- .../templates/privatekey-gen-job.yaml | 7 ++++++ helm/wireguard/templates/sa.yaml | 5 ++++ 3 files changed, 32 insertions(+), 3 deletions(-) create mode 100644 helm/wireguard/templates/sa.yaml diff --git a/helm/wireguard/templates/deployment.yaml b/helm/wireguard/templates/deployment.yaml index f263e43..759ebdf 100644 --- a/helm/wireguard/templates/deployment.yaml +++ b/helm/wireguard/templates/deployment.yaml 
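Review bot: Changing the default from `tag: latest` to `tag: main` still tracks a mutable branch tag, and with the unchanged `pullPolicy: Always` each pod restart may run a different build than its neighbours, which is awkward now that three replicas share one config and key. Defaulting to a released version — conventionally `{{ .Values.image.tag | default .Chart.AppVersion }}` in the template — keeps rollouts reproducible; Chart.yaml still carries `appVersion: "0.0.0"`, so that would need a real value too.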
@@ -5,12 +5,22 @@ exec: - -c - 'ip link show dev wg0 | grep -s up' {{- end -}} -{{- define "securitycontext" -}} +{{- define "core.securitycontext" -}} capabilities: add: - NET_ADMIN privileged: true {{- end -}} +{{- define "wg.securitycontext" -}} +{{ include "core.securitycontext" . }} +runAsNonRoot: true +runAsUser: 1000 +readOnlyRootFilesystem: true +{{- end -}} +{{- define "init.securitycontext" -}} +{{ include "core.securitycontext" . }} +runAsNonRoot: false +{{- end -}} apiVersion: apps/v1 kind: Deployment metadata: @@ -31,9 +41,12 @@ spec: app: "{{ .Release.Name }}-wireguard" role: vpn spec: + serviceAccountName: {{ .Release.Name }}-sa + automountServiceAccountToken: false securityContext: fsGroup: 1000 fsGroupChangePolicy: "OnRootMismatch" + runAsNonRoot: true {{- if .Values.image.pullSecret }} imagePullSecrets: - name: "{{ .Values.image.pullSecret }}" @@ -45,7 +58,7 @@ spec: - sh - -c - sysctl -w net.ipv4.ip_forward=1 && sysctl -w net.ipv4.conf.all.forwarding=1 - securityContext: {{ include "securitycontext" . | nindent 12 }} + securityContext: {{ include "init.securitycontext" . | nindent 12 }} resources: requests: memory: 64Mi @@ -64,7 +77,7 @@ spec: env: - name: LOG_LEVEL value: info - securityContext: {{ include "securitycontext" . | nindent 12 }} + securityContext: {{ include "wg.securitycontext" . | nindent 12 }} resources: {{ .Values.resources | toYaml | nindent 12 }} startupProbe: {{ include "execprobe" . | nindent 12 }} periodSeconds: 2 @@ -76,6 +89,8 @@ spec: initialDelaySeconds: 20 periodSeconds: 10 volumeMounts: + - name: run + mountPath: /run - name: config mountPath: /etc/wireguard/wg0.conf subPath: wg0.conf @@ -83,6 +98,8 @@ spec: mountPath: /etc/wireguard/privatekey subPath: privatekey volumes: + - name: run + emptyDir: {} - name: config secret: secretName: "{{ .Release.Name }}-wg-config" diff --git a/helm/wireguard/templates/privatekey-gen-job.yaml b/helm/wireguard/templates/privatekey-gen-job.yaml index e75cbf5..dd46719 100644 
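Review bot: `wg.securitycontext` layers `runAsNonRoot: true` / `runAsUser: 1000` on top of the included `core.securitycontext`, which still carries `privileged: true`; a container started as a non-root UID does not keep `NET_ADMIN` in its effective set after exec unless the binary has file capabilities (Kubernetes does not set ambient capabilities), so the wireguard container may be unable to create `wg0` despite being privileged — please verify against the image. If the entrypoint does work as UID 1000, `privileged` is doing nothing useful in the wg variant and should be removed; if it does not, the safer shape is `runAsNonRoot: false` plus `capabilities.add: [NET_ADMIN]` without `privileged`. The same define is consumed in the fourth hunk of this file.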
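Review bot: The new `run` volume is `emptyDir: {}` with no `sizeLimit`, and with `readOnlyRootFilesystem: true` it is the only writable path in the wireguard container, so a misbehaving process can fill the node's disk; `emptyDir: {medium: Memory, sizeLimit: 16Mi}` (constructed values) bounds it. Whether `/run` alone covers what the image's entrypoint writes (wg-quick uses `/var/run/wireguard`, usually a symlink to `/run`, but some images also touch `/tmp` or `/etc/resolv.conf`) is worth confirming with a test rollout. The `volumes` list continues outside this hunk.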
--- a/helm/wireguard/templates/privatekey-gen-job.yaml +++ b/helm/wireguard/templates/privatekey-gen-job.yaml @@ -116,6 +116,13 @@ spec: name: keygen-job image: "ghcr.io/curium-rocks/wg-kubectl:latest" imagePullPolicy: Always + resources: + requests: + memory: 64Mi + cpu: "100m" + limits: + memory: 64Mi + cpu: "100m" env: - name: SECRET_NAME value: "{{ .Release.Name }}-wg-generated" diff --git a/helm/wireguard/templates/sa.yaml b/helm/wireguard/templates/sa.yaml new file mode 100644 index 0000000..766cd1a --- /dev/null +++ b/helm/wireguard/templates/sa.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ .Release.Name }}-sa +automountServiceAccountToken: false \ No newline at end of file
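Review bot: The new `sa.yaml` ends without a trailing newline (`\ No newline at end of file`), which patch 4 of this series fixed for `hpa.yaml`, `pdb.yaml` and `values.yaml`; add one here for consistency. The ServiceAccount also carries no `metadata.labels` while the Deployment labels its pods `app: "{{ .Release.Name }}-wireguard"`; applying the same label keeps the release's objects selectable together. Disabling `automountServiceAccountToken` on both the account and the pod spec is the right default for a workload that has no apparent need to reach the API server.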