Bring your own config support (#18)
* bring your own config support

* add option to disable config and/or secret mounts

* update docs

* add volume pass through capability
bryopsida authored May 2, 2023

1 parent d8a4b17 commit b88d1e9
Showing 13 changed files with 61 additions and 9 deletions.
8 changes: 6 additions & 2 deletions Makefile
@@ -1,7 +1,11 @@
CHART_PATH = helm/wireguard
OVERRIDE_PATH ?= ci/default.yaml

lint:
helm lint $(CHART_PATH)
helm lint $(CHART_PATH) -f $(OVERRIDE_PATH)

template:
helm template --debug --disable-openapi-validation $(CHART_PATH)
helm template --debug --disable-openapi-validation $(CHART_PATH) -f $(OVERRIDE_PATH)

docs-update:
docker run --rm --volume "$$PWD:/helm-docs" jnorwood/helm-docs:latest
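Review bot: The `docs-update` target pulls `jnorwood/helm-docs:latest`, a mutable tag, so the tool that rewrites README.md can silently change between runs; pin it to a specific release tag and ideally an `@sha256:` digest, e.g. `docker run --rm --volume "$$PWD:/helm-docs" jnorwood/helm-docs:<pinned-tag>@sha256:<digest>`. The rendered page keeps no `+`/`-` markers, so it is not certain this target is new in the commit, but the point stands either way. Separately, both `template` invocations pass `--disable-openapi-validation`, which means the new `ci/*.yaml` override files only prove the templates render, not that the resulting manifests are schema-valid (a non-string env `value` or a duplicate volume name would pass here and fail at apply time); consider dropping the flag or adding a manifest schema-validation step to the CI target.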
Empty file added ci/default.yaml
Empty file.
2 changes: 2 additions & 0 deletions ci/test-with-byoc.yaml
@@ -0,0 +1,2 @@
configSecretName: my-super-duper-config-secret
configSecretProperty: not-wg0.conf
1 change: 1 addition & 0 deletions ci/test-with-byos.yaml
@@ -0,0 +1 @@
secretName: my-super-duper-secret
1 change: 1 addition & 0 deletions ci/test-with-disabled-config-mgmt.yaml
@@ -0,0 +1 @@
disableConfigManagement: true
1 change: 1 addition & 0 deletions ci/test-with-disabled-secret-mgmt.yaml
@@ -0,0 +1 @@
disablePrivateKeyManagement: true
7 changes: 7 additions & 0 deletions ci/test-with-volumes.yaml
@@ -0,0 +1,7 @@
volumes:
- name: vol
hostPath:
path: /any/path/it/will/be/replaced
volumeMounts:
- name: vol
mountPath: /mount-in-container
2 changes: 1 addition & 1 deletion helm/wireguard/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
name: wireguard
description: A Helm chart for managing a wireguard vpn in kubernetes
type: application
version: 0.9.0
version: 0.10.0
appVersion: "0.0.0"
maintainers:
- name: bryopsida
8 changes: 7 additions & 1 deletion helm/wireguard/README.md
@@ -1,6 +1,6 @@
# wireguard

![Version: 0.9.0](https://img.shields.io/badge/Version-0.9.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.0](https://img.shields.io/badge/AppVersion-0.0.0-informational?style=flat-square)
![Version: 0.10.0](https://img.shields.io/badge/Version-0.10.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.0](https://img.shields.io/badge/AppVersion-0.0.0-informational?style=flat-square)

A Helm chart for managing a wireguard vpn in kubernetes

@@ -18,9 +18,13 @@ A Helm chart for managing a wireguard vpn in kubernetes
| autoscaling.maxReplicas | int | `10` | |
| autoscaling.minReplicas | int | `3` | |
| autoscaling.targetCPUUtilizationPercentage | int | `75` | |
| configSecretName | string | `nil` | If provided, this secret will be used instead of the config created from the helm value scope |
| configSecretProperty | string | `"wg0.conf"` | The property/key on the secret holding the wireguard configuration file |
| deploymentStrategy.rollingUpdate.maxSurge | int | `1` | |
| deploymentStrategy.rollingUpdate.maxUnavailable | int | `0` | |
| deploymentStrategy.type | string | `"RollingUpdate"` | |
| disableConfigManagement | bool | `false` | Disable creation and any mount of the wireguard confifugration file, this assumes another mechanism is provided/used to manage a configuration file |
| disablePrivateKeyManagement | bool | `false` | Disable creation and any mounting of a private key, this assumes another mechanism is provided/used at the container level to fetch the private key |
| disruptionBudget.enabled | bool | `true` | |
| disruptionBudget.minAvailable | int | `2` | |
| extraEnv | object | `{}` | Provide additional environment variables to the wireguard container |
@@ -43,6 +47,8 @@ A Helm chart for managing a wireguard vpn in kubernetes
| service.enabled | bool | `true` | Whether the service will be created or not |
| service.port | int | `51280` | Service port, default is 51280 UDP |
| service.type | string | `"LoadBalancer"` | Service type, to keep internal to cluster use ClusterIP |
| volumeMounts | object | `{}` | Passthrough pod volume mounts |
| volumes | object | `{}` | Passthrough pod volumes |
| wireguard.clients | list | `[]` | A collection of clients that will be added to wg0.conf, accepts objects with keys PublicKey and AllowedIPs, stored in secret |
| wireguard.serverAddress | string | `"10.34.0.1/24"` | Address of the VPN server |
| wireguard.serverCidr | string | `"10.34.0.0/24"` | |
2 changes: 2 additions & 0 deletions helm/wireguard/templates/config.yaml
@@ -17,9 +17,11 @@ PresharedKey = {{ .PresharedKey }}
{{- end }}
# End Clients
{{- end -}}
{{- if and (not .Values.configSecretName) (not .Values.disableConfigManagement) }}
kind: Secret
apiVersion: v1
metadata:
name: "{{ .Release.Name }}-wg-config"
data:
wg0.conf: {{ include "wg-config-template" . | b64enc }}
{{- end }}
24 changes: 20 additions & 4 deletions helm/wireguard/templates/deployment.yaml
@@ -56,7 +56,9 @@ spec:
template:
metadata:
annotations:
{{- if not .Values.configSecretName }}
checksum/config: {{ include (print $.Template.BasePath "/config.yaml") . | sha256sum }}
{{- end }}
{{- if .Values.podAnnotations }}
{{- range $key, $value := .Values.podAnnotations }}
{{ $key }}: {{ $value | quote }}
@@ -110,7 +112,7 @@ spec:
name: wireguard
env:
- name: LOG_LEVEL
value: info
value: {{ default "info" .Values.logLevel }}
{{- range $key, $value := .Values.extraEnv }}
- name: {{ $key }}
value: {{ $value | quote }}
@@ -129,18 +131,32 @@ spec:
volumeMounts:
- name: run
mountPath: /run
{{- if not .Values.disableConfigManagement }}
- name: config
mountPath: /etc/wireguard/wg0.conf
subPath: wg0.conf
subPath: {{ .Values.configSecretProperty | quote }}
{{- end }}
{{- if not .Values.disablePrivateKeyManagement }}
- name: privatekey
mountPath: /etc/wireguard/privatekey
subPath: privatekey
{{- end }}
{{- if .Values.volumeMounts }}
{{- .Values.volumeMounts | toYaml | nindent 10 }}
{{- end }}
volumes:
- name: run
emptyDir: {}
{{- if not .Values.disableConfigManagement }}
- name: config
secret:
secretName: "{{ .Release.Name }}-wg-config"
secretName: "{{ coalesce .Values.configSecretName (printf "%s-wg-config" .Release.Name) }}"
{{- end }}
{{- if not .Values.disablePrivateKeyManagement }}
- name: privatekey
secret:
secretName: {{ coalesce .Values.secretName (printf "%s-wg-generated" .Release.Name) }}
secretName: "{{ coalesce .Values.secretName (printf "%s-wg-generated" .Release.Name) }}"
{{- end }}
{{- if .Values.volumes }}
{{- .Values.volumes | toYaml | nindent 6 }}
{{- end }}
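Review bot: When `configSecretName` is set, the new `{{- if not .Values.configSecretName }}` guard drops the `checksum/config` annotation while the config is still mounted via `subPath: {{ .Values.configSecretProperty | quote }}`; Kubernetes does not propagate Secret updates into subPath mounts, so an edited or rotated external config (for example a peer you removed) never reaches running pods until something else restarts them. Document that next to `configSecretName` in values.yaml, e.g. `# -- NOTE: changes to this secret are not picked up by running pods (subPath mount, no checksum annotation); roll the deployment after updating it`. Separately, `value: {{ default "info" .Values.logLevel }}` renders unquoted, so a numeric or boolean-looking `logLevel` produces a non-string env `value` that fails API validation; use `value: {{ default "info" .Values.logLevel | quote }}`. The passthrough `volumes`/`volumeMounts` are appended after the chart's own `run`/`config`/`privatekey` entries with no name-collision check, so a user volume named `config` surfaces only as a duplicate-name error at apply time; worth a comment on the values. The pod spec continues outside the hunk.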
2 changes: 1 addition & 1 deletion helm/wireguard/templates/privatekey-gen-job.yaml
@@ -1,4 +1,4 @@
{{- if not .Values.secretName }}
{{- if and (not .Values.secretName) (not .Values.disablePrivateKeyManagement) }}
{{- /* Only needed if a secret isn't provided */}}

{{- /* Create role for the hook job so it can create a secret */}}
12 changes: 12 additions & 0 deletions helm/wireguard/values.yaml
@@ -50,3 +50,15 @@ autoscaling:
# -- Provide additional environment variables to the wireguard container
extraEnv: {}
# TEST_ENV_VAR: test-value
# -- If provided, this secret will be used instead of the config created from the helm value scope
configSecretName: ~
# -- The property/key on the secret holding the wireguard configuration file
configSecretProperty: wg0.conf
# -- Disable creation and any mounting of a private key, this assumes another mechanism is provided/used at the container level to fetch the private key
disablePrivateKeyManagement: false
# -- Disable creation and any mount of the wireguard confifugration file, this assumes another mechanism is provided/used to manage a configuration file
disableConfigManagement: false
# -- Passthrough pod volumes
volumes: {}
# -- Passthrough pod volume mounts
volumeMounts: {}
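Review bot: `logLevel`, which deployment.yaml now reads through `default "info" .Values.logLevel`, is not declared here, so it is absent from the helm-docs README and undiscoverable to users; add `# -- Log level for the wireguard container (LOG_LEVEL env var)` followed by `logLevel: info`. The `volumes` and `volumeMounts` defaults are `{}`, but the template emits them with `toYaml | nindent` into list positions and ci/test-with-volumes.yaml supplies lists, so `volumes: []` / `volumeMounts: []` is the honest default and helm-docs would then report the type as `list` rather than `object`. The comment on `disableConfigManagement` misspells "configuration" (`confifugration`), and helm-docs copies that verbatim into README.md.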
