diff --git a/helm/Chart.yaml b/helm/Chart.yaml index 726b874..bb6862e 100644 --- a/helm/Chart.yaml +++ b/helm/Chart.yaml @@ -3,8 +3,8 @@ apiVersion: v2 name: openvpn description: A Helm chart for deploying OpenVPN type: application -version: 1.0.6 -appVersion: "2.6.5" +version: 1.0.7 +appVersion: 2.6.5 sources: - https://git.badhouseplants.net/allanger/container-openvpn-xor diff --git a/helm/templates/deployment.yaml b/helm/templates/deployment.yaml index fc270c3..d3db544 100644 --- a/helm/templates/deployment.yaml +++ b/helm/templates/deployment.yaml @@ -39,7 +39,6 @@ spec: - name: {{ .Chart.Name }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} - resources: {{- toYaml .Values.resources | nindent 12 }} volumeMounts: @@ -48,8 +47,10 @@ spec: - mountPath: /scripts name: pki-scripts env: - - name: OVPN_SERVER - value: "{{ .Values.openvpn.proto }}://{{ .Values.openvpn.host }}:{{ .Values.openvpn.port }}" + - name: OVPN_SERVER + value: "{{ .Values.openvpn.proto }}://{{ .Values.openvpn.host }}:{{ .Values.openvpn.port }}" + - name: OPENVPN + value: "/etc/openvpn" securityContext: capabilities: add: @@ -60,6 +61,7 @@ spec: # ---------------------------------------------------------------------- - name: 0-ovpn-genconfig image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} volumeMounts: - mountPath: "/etc/openvpn" name: pvc-openvpn @@ -67,7 +69,9 @@ spec: - name: OVPN_SERVER_URL value: "{{ .Values.openvpn.proto }}://{{ .Values.openvpn.host }}:{{ .Values.openvpn.port }}" - name: OVPN_DATA - value: "/etc/openvpn" + value: "/etc/openvpn" + - name: OPENVPN + value: "/etc/openvpn" command: - sh - -c @@ -76,6 +80,8 @@ spec: env: - name: OVPN_DATA value: /etc/openvpn + - name: OPENVPN + value: "/etc/openvpn" - name: EASYRSA_REQ_CN value: {{ .Values.easyrsa.cn }} - name: EASYRSA_REQ_COUNTRY @@ -104,6 +110,7 @@ spec: - mountPath: /scripts name: pki-scripts image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} command: - bash - /scripts/init_pki.sh diff --git a/helm/templates/tests/test-connection.yaml b/helm/templates/tests/test-connection.yaml index e4d90ed..a419802 100644 --- a/helm/templates/tests/test-connection.yaml +++ b/helm/templates/tests/test-connection.yaml @@ -1,15 +1,200 @@ + +{{- $version := semver .Capabilities.KubeVersion.Version }} +{{- if .Values.tests.enabled }} +# --------------------------------------------------------------------- +# -- Test that CRDs are installed +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "openvpn-chart.fullname" . }}-test-script + labels: + {{- include "openvpn-chart.selectorLabels" . | nindent 4 }} + annotations: + "helm.sh/hook": test + {{- if .Values.tests.cleanup }} + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + {{- end }} + "helm.sh/hook-weight": "6" +data: + get_config.sh: |- + #!/bin/bash + kubectl rollout status deployment/{{ include "openvpn-chart.fullname" . }} + kubectl exec deployment/{{ include "openvpn-chart.fullname" . }} -- ovpn_genclientcert test nopass + kubectl exec deployment/{{ include "openvpn-chart.fullname" . }} -- ovpn_getclient test > /data/test.ovpn + test_connection.sh : |- + sed -i "s/127.0.0.1/{{ include "openvpn-chart.fullname" . }}/g" /data/test.ovpn + mkdir -p /dev/net + mknod /dev/net/tun c 10 200 + chmod 600 /dev/net/tun + openvpn --config /data/test.ovpn --daemon --log-append /tmp/ovpnlog + tail -n0 -f /tmp/ovpnlog | sed '/Initialization Sequence Completed/ q' + +--- +# --------------------------------------------------------------------- +# -- Prepare roles and bindings to access k8s resources from the test +# --------------------------------------------------------------------- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "openvpn-chart.fullname" . }}-test-role + labels: + {{- include "openvpn-chart.selectorLabels" . | nindent 4 }} + annotations: + "helm.sh/hook": test + {{- if .Values.tests.cleanup }} + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + {{- end }} + "helm.sh/hook-weight": "1" +rules: +- apiGroups: ["*"] + resources: ["*"] + verbs: ["*"] + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-sa + labels: + {{- include "openvpn-chart.selectorLabels" . | nindent 4 }} + annotations: + "helm.sh/hook": test + {{- if .Values.tests.cleanup }} + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + {{- end }} + "helm.sh/hook-weight": "1" +automountServiceAccountToken: true + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-rb + labels: + {{- include "openvpn-chart.selectorLabels" . | nindent 4 }} + annotations: + "helm.sh/hook": test + {{- if .Values.tests.cleanup }} + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + {{- end }} + "helm.sh/hook-weight": "1" +subjects: +- kind: ServiceAccount + name: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-sa + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ include "openvpn-chart.fullname" . }}-test-role + apiGroup: rbac.authorization.k8s.io + +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ include "openvpn-chart.fullname" . }}-test + annotations: + "helm.sh/hook": test + {{- if .Values.tests.cleanup }} + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + {{- end }} + "helm.sh/hook-weight": "7" + labels: + {{- include "openvpn-chart.labels" . | nindent 4 }} +spec: + storageClassName: {{ .Values.storage.class }} + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 512Mi + +--- apiVersion: v1 kind: Pod metadata: - name: "{{ include "openvpn-chart.fullname" . }}-test-connection" + name: {{ include "openvpn-chart.fullname" . }}-test labels: - {{- include "openvpn-chart.labels" . | nindent 4 }} + {{- include "openvpn-chart.selectorLabels" . | nindent 4 }} annotations: "helm.sh/hook": test + {{- if .Values.tests.cleanup }} + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + {{- end }} + "helm.sh/hook-weight": "7" spec: + serviceAccountName: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-sa + automountServiceAccountToken: true + volumes: + - name: test-script + configMap: + name: {{ include "openvpn-chart.fullname" . }}-test-script + - name: data + persistentVolumeClaim: + claimName: {{ include "openvpn-chart.fullname" . }}-test containers: - - name: wget - image: busybox - command: ['wget'] - args: ['{{ include "openvpn-chart.fullname" . }}:{{ .Values.service.port }}'] + - name: tester + image: alpine/k8s:{{ $version.Major }}.{{ $version.Minor }}.{{ $version.Patch }} + volumeMounts: + - name: test-script + readOnly: true + mountPath: /get_config.sh + subPath: get_config.sh + - name: data + readOnly: false + mountPath: /data + command: + - bash + args: + - -e + - /get_config.sh restartPolicy: Never + +--- +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "openvpn-chart.fullname" . }}-test-connection + labels: + {{- include "openvpn-chart.selectorLabels" . | nindent 4 }} + annotations: + "helm.sh/hook": test + {{- if .Values.tests.cleanup }} + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + {{- end }} + "helm.sh/hook-weight": "7" +spec: + serviceAccountName: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-sa + automountServiceAccountToken: true + volumes: + - name: data + persistentVolumeClaim: + claimName: {{ include "openvpn-chart.fullname" . }}-test + - name: test-script + configMap: + name: {{ include "openvpn-chart.fullname" . }}-test-script + containers: + - name: tester + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + volumeMounts: + - name: data + readOnly: false + mountPath: /data + - name: test-script + readOnly: true + mountPath: /test_connection.sh + subPath: test_connection.sh + command: + - bash + args: + - -e + - /test_connection.sh + securityContext: + capabilities: + add: + - NET_ADMIN + + restartPolicy: Never + +{{- end }} diff --git a/helm/values.yaml b/helm/values.yaml index 9842ad6..5ceddaa 100644 --- a/helm/values.yaml +++ b/helm/values.yaml @@ -1,19 +1,27 @@ # Default values for openvpn-chart. image: - repository: git.badhouseplants.net/allanger/container-openvpn - pullPolicy: IfNotPresent + # repository: git.badhouseplants.net/allanger/container-openvpn + repository: openvpn + pullPolicy: Never # ------------------------------------------- # -- TODO: Switch to proper versions # ------------------------------------------- - tag: v2.6.6 + # tag: v2.6.6 + tag: latest # ----------------------------- # -- Open VPN configuration # ----------------------------- openvpn: - proto: udp + proto: tcp host: 127.0.0.1 port: 1194 +# --------------------------------------- +# -- Deploy OpenVPN admin +# -- https://github.com/flant/ovpn-admin +# --------------------------------------- +openvpn_admin: + enabled: true # ----------------------------- # -- Easy RSA configuration # ----------------------------- @@ -35,7 +43,7 @@ imagePullSecrets: [] nameOverride: "" fullnameOverride: "" storage: - class: microk8s-hostpath + class: local-path size: 1Gi serviceAccount: # Specifies whether a service account should be created @@ -60,8 +68,9 @@ securityContext: {} # runAsUser: 1000 service: - type: LoadBalancer + type: ClusterIP port: 1194 + protocol: TCP resources: {} @@ -74,7 +83,7 @@ resources: {} # memory: 128Mi # requests: # cpu: 100m - # memory: 128Mi +# memory: 128Mi autoscaling: enabled: false @@ -88,3 +97,7 @@ nodeSelector: {} tolerations: [] affinity: {} + +tests: + enabled: true + cleanup: true \ No newline at end of file