softplayer/softplayer-apps
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Activity

Add more charts

Browse Source
This commit is contained in:
Nikolai Rodionov
2024-07-13 22:24:41 +02:00
parent 5132ad1c1b
commit f6320fb990
33 changed files with 1733 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
charts/openvpn-xor/.helmignore Normal file
View File

@@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

26
charts/openvpn-xor/Chart.yaml Normal file
View File

@@ -0,0 +1,26 @@
---
apiVersion: v2
name: openvpn-xor
description: A Helm chart for deploying OpenVPN with the XOR patch
type: application
version: 1.4.4
appVersion: v2.6.9
sources:
- https://git.badhouseplants.net/allanger/container-openvpn
- https://github.com/kylemanna/docker-openvpn
- https://github.com/Tunnelblick/Tunnelblick
- https://github.com/OpenVPN/openvpn
maintainers:
- name: allanger
email: allanger@zohomail.com
url: https://badhouseplants.net
keywords:
- OpenVPN
- VPN
- XOR
annotations:
xor_version: 4.0.1

1
charts/openvpn-xor/templates/NOTES.txt Normal file
View File

@@ -0,0 +1 @@
1. Get the application URL by running these commands:

82
charts/openvpn-xor/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,82 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "chart.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "chart.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{- printf "lala" }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "chart.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "chart.labels" -}}
helm.sh/chart: {{ include "chart.chart" . }}
{{ include "chart.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "chart.selectorLabels" -}}
app.kubernetes.io/name: {{ include "chart.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "chart.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "chart.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}
{{/*
Build image tag for the XOR image
*/}}
{{- define "chart.imageTag" -}}
{{- if .Values.image.tag }}
{{- .Values.image.tag }}
{{- else }}
{{- printf "%s-xor-%s" .Chart.AppVersion .Chart.Annotations.xor_version }}
{{- end }}
{{- end }}
{{/*
Build the whole image name
*/}}
{{- define "chart.image" -}}
{{- printf "%s:%s" .Values.image.repository (include "chart.imageTag" .) }}
{{- end }}

128
charts/openvpn-xor/templates/deployment.yaml Normal file
View File

@@ -0,0 +1,128 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "chart.fullname" . }}
labels:
{{- include "chart.labels" . | nindent 4 }}
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
selector:
matchLabels:
{{- include "chart.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "chart.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: pvc-openvpn
persistentVolumeClaim:
claimName: {{ include "chart.fullname" . }}
- name: pki-scripts
configMap:
name: {{ include "chart.fullname" . }}-pki-scripts
securityContext:
sysctls:
- name: net.ipv4.ip_forward
value: "1"
containers:
- name: {{ .Chart.Name }}
image: {{ include "chart.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
volumeMounts:
- mountPath: "/etc/openvpn"
name: pvc-openvpn
- mountPath: /scripts
name: pki-scripts
env:
- name: OVPN_SERVER
value: "{{ .Values.openvpn.proto }}://{{ .Values.openvpn.host }}:{{ .Values.openvpn.port }}"
- name: OPENVPN
value: "/etc/openvpn"
securityContext:
capabilities:
add:
- NET_ADMIN
initContainers:
# ----------------------------------------------------------------------
# -- This init container is generating the basic configuration
# ----------------------------------------------------------------------
- name: 0-ovpn-genconfig
image: {{ include "chart.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
volumeMounts:
- mountPath: "/etc/openvpn"
name: pvc-openvpn
env:
- name: OVPN_SERVER_URL
value: "{{ .Values.openvpn.proto }}://{{ .Values.openvpn.host }}:{{ .Values.openvpn.port }}"
- name: OVPN_DATA
value: "/etc/openvpn"
- name: OPENVPN
value: "/etc/openvpn"
command:
- sh
- -c
- 'if ! [ -f "/etc/openvpn/ovpn_env.sh" ]; then ovpn_genconfig -u $OVPN_SERVER_URL && touch /etc/openvpn/.init; fi'
- name: 1-ovpn-initpki
env:
- name: OVPN_DATA
value: /etc/openvpn
- name: OPENVPN
value: "/etc/openvpn"
- name: EASYRSA_REQ_CN
value: {{ .Values.easyrsa.cn }}
- name: EASYRSA_REQ_COUNTRY
value: {{ .Values.easyrsa.country }}
- name: EASYRSA_REQ_PROVINCE
value: {{ .Values.easyrsa.province }}
- name: EASYRSA_REQ_CITY
value: {{ .Values.easyrsa.city }}
- name: EASYRSA_REQ_ORG
value: {{ .Values.easyrsa.org }}
- name: EASYRSA_REQ_EMAIL
value: {{ .Values.easyrsa.email }}
- name: EASYRSA_REQ_OU
value: {{ .Values.easyrsa.ou }}
- name: EASYRSA_ALGO
value: {{ .Values.easyrsa.algo }}
- name: EASYRSA_DIGEST
value: {{ .Values.easyrsa.digest }}
- name: EASYRSA_BATCH
value: "yes"
- name: OVPN_SERVER_URL
value: "{{ .Values.openvpn.proto }}://{{ .Values.openvpn.host }}:{{ .Values.openvpn.port }}"
volumeMounts:
- mountPath: "/etc/openvpn"
name: pvc-openvpn
- mountPath: /scripts
name: pki-scripts
image: {{ include "chart.image" . }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- bash
- /scripts/init_pki.sh
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}

30
charts/openvpn-xor/templates/pki-generate-scripts.yaml Normal file
View File

@@ -0,0 +1,30 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "chart.fullname" . }}-pki-scripts
labels:
{{- include "chart.labels" . | nindent 4 }}
data:
init_pki.sh: |
if [ ! -d /etc/openvpn/pki ]; then
source "$OPENVPN/ovpn_env.sh"
OVPN_DIR=/etc/openvpn
PKI_DIR=$OVPN_DIR/pki
cd $OVPN_DIR
export EASYRSA_BATCH=yes
unset EASYRSA_VARS_FILE
/usr/share/easy-rsa/easyrsa init-pki
/usr/share/easy-rsa/easyrsa build-ca nopass
/usr/share/easy-rsa/easyrsa build-server-full {{ .Values.openvpn.host }} nopass
/usr/share/easy-rsa/easyrsa gen-dh
cd $PKI_DIR
openvpn --genkey tls-crypt-v2-server private/{{ .Values.openvpn.host }}.pem
openvpn --genkey secret > ta.key
fi
gen_client.sh: |
source "$OPENVPN/ovpn_env.sh"
CLIENTNAME=$1
PASSWORD=$2
OVPN_DIR=/etc/openvpn
cd $OVPN_DIR
/usr/share/easy-rsa/easyrsa build-client-full $CLIENTNAME $PASSWORD

19
charts/openvpn-xor/templates/pvc.yaml Normal file
View File

@@ -0,0 +1,19 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ include "chart.fullname" . }}
labels:
{{- include "chart.labels" . | nindent 4 }}
spec:
{{- if .Values.storage.class }}
{{- if (eq "-" .Values.storage.class) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.storage.class }}"
{{- end }}
{{- end }}
accessModes:
- ReadWriteOnce
resources:
requests:
storage: {{ .Values.storage.size }}

18
charts/openvpn-xor/templates/service.yaml Normal file
View File

@@ -0,0 +1,18 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "chart.fullname" . }}
labels:
{{- include "chart.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
{{- if .Values.service.nodePort }}
nodePort: {{ int .Values.service.nodePort }}
{{- end}}
targetPort: {{ .Values.service.port | default 1194 }}
protocol: {{ .Values.service.protocol | default "UDP" | quote }}
name: openvpn-xor
selector:
{{- include "chart.selectorLabels" . | nindent 4 }}

13
charts/openvpn-xor/templates/tcp_route.yaml Normal file
View File

@@ -0,0 +1,13 @@
---
{{- if $.Capabilities.APIVersions.Has "traefik.io/v1alpha1/IngressRouteTCP" -}}
{{- if .Values.tcproute.enabled }}
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
name: {{ include "chart.fullname" . }}
labels:
{{- include "chart.labels" . | nindent 4 }}
spec:
{{ tpl (.Values.tcproute.spec | toYaml | indent 2 | toString) $ }}
{{- end }}
{{- end }}

200
charts/openvpn-xor/templates/tests/test-connection.yaml Normal file
View File

@@ -0,0 +1,200 @@
{{- $version := semver .Capabilities.KubeVersion.Version }}
{{- if .Values.tests.enabled }}
# ---------------------------------------------------------------------
# -- Test that CRDs are installed
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "openvpn-chart.fullname" . }}-test-script
labels:
{{- include "openvpn-chart.selectorLabels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
{{- if .Values.tests.cleanup }}
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- end }}
"helm.sh/hook-weight": "6"
data:
get_config.sh: |-
#!/bin/bash
kubectl rollout status deployment/{{ include "openvpn-chart.fullname" . }}
kubectl exec deployment/{{ include "openvpn-chart.fullname" . }} -- ovpn_genclientcert test nopass
kubectl exec deployment/{{ include "openvpn-chart.fullname" . }} -- ovpn_getclient test > /data/test.ovpn
test_connection.sh : |-
sed -i "s/127.0.0.1/{{ include "openvpn-chart.fullname" . }}/g" /data/test.ovpn
mkdir -p /dev/net
mknod /dev/net/tun c 10 200
chmod 600 /dev/net/tun
openvpn --config /data/test.ovpn --daemon --log-append /tmp/ovpnlog
tail -n0 -f /tmp/ovpnlog | sed '/Initialization Sequence Completed/ q'
---
# ---------------------------------------------------------------------
# -- Prepare roles and bindings to access k8s resources from the test
# ---------------------------------------------------------------------
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "openvpn-chart.fullname" . }}-test-role
labels:
{{- include "openvpn-chart.selectorLabels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
{{- if .Values.tests.cleanup }}
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- end }}
"helm.sh/hook-weight": "1"
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-sa
labels:
{{- include "openvpn-chart.selectorLabels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
{{- if .Values.tests.cleanup }}
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- end }}
"helm.sh/hook-weight": "1"
automountServiceAccountToken: true
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-rb
labels:
{{- include "openvpn-chart.selectorLabels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
{{- if .Values.tests.cleanup }}
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- end }}
"helm.sh/hook-weight": "1"
subjects:
- kind: ServiceAccount
name: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-sa
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: {{ include "openvpn-chart.fullname" . }}-test-role
apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ include "openvpn-chart.fullname" . }}-test
annotations:
"helm.sh/hook": test
{{- if .Values.tests.cleanup }}
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- end }}
"helm.sh/hook-weight": "7"
labels:
{{- include "openvpn-chart.labels" . | nindent 4 }}
spec:
storageClassName: {{ .Values.storage.class }}
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 512Mi
---
apiVersion: v1
kind: Pod
metadata:
name: {{ include "openvpn-chart.fullname" . }}-test
labels:
{{- include "openvpn-chart.selectorLabels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
{{- if .Values.tests.cleanup }}
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- end }}
"helm.sh/hook-weight": "7"
spec:
serviceAccountName: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-sa
automountServiceAccountToken: true
volumes:
- name: test-script
configMap:
name: {{ include "openvpn-chart.fullname" . }}-test-script
- name: data
persistentVolumeClaim:
claimName: {{ include "openvpn-chart.fullname" . }}-test
containers:
- name: tester
image: alpine/k8s:{{ $version.Major }}.{{ $version.Minor }}.{{ $version.Patch }}
volumeMounts:
- name: test-script
readOnly: true
mountPath: /get_config.sh
subPath: get_config.sh
- name: data
readOnly: false
mountPath: /data
command:
- bash
args:
- -e
- /get_config.sh
restartPolicy: Never
---
apiVersion: v1
kind: Pod
metadata:
name: {{ include "openvpn-chart.fullname" . }}-test-connection
labels:
{{- include "openvpn-chart.selectorLabels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
{{- if .Values.tests.cleanup }}
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- end }}
"helm.sh/hook-weight": "7"
spec:
serviceAccountName: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-sa
automountServiceAccountToken: true
volumes:
- name: data
persistentVolumeClaim:
claimName: {{ include "openvpn-chart.fullname" . }}-test
- name: test-script
configMap:
name: {{ include "openvpn-chart.fullname" . }}-test-script
containers:
- name: tester
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
volumeMounts:
- name: data
readOnly: false
mountPath: /data
- name: test-script
readOnly: true
mountPath: /test_connection.sh
subPath: test_connection.sh
command:
- bash
args:
- -e
- /test_connection.sh
securityContext:
capabilities:
add:
- NET_ADMIN
restartPolicy: Never
{{- end }}

89
charts/openvpn-xor/values.yaml Normal file
View File

@@ -0,0 +1,89 @@
# Default values for openvpn-chart.
image:
repository: git.badhouseplants.net/allanger/container-openvpn
pullPolicy: Always
# -------------------------------------------
# -- TODO: Switch to proper versions
# -------------------------------------------
# tag: check
# -----------------------------
# -- Open VPN configuration
# -----------------------------
openvpn:
proto: tcp
host: 127.0.0.1
port: 1194
# ---------------------------------------
# -- Deploy OpenVPN admin
# -- https://github.com/flant/ovpn-admin
# ---------------------------------------
openvpn_admin:
enabled: true
# -----------------------------
# -- Easy RSA configuration
# -----------------------------
easyrsa:
cn: . # -- EASYRSA_REQ_CN
country: . # -- EASYRSA_REQ_COUNTRY
province: . # -- EASYRSA_REQ_PROVINCE
city: . # -- EASYRSA_REQ_CITY
org: . # -- EASYRSA_REQ_ORG
email: . # -- EASYRSA_REQ_EMAIL
ou: Community # -- EASYRSA_REQ_OU
algo: ec # -- EASYRSA_ALGO
digest: sha512 # -- EASYRSA_DIGEST
replicaCount: 1
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
storage:
class: ""
size: 1Gi
serviceAccount:
# Specifies whether a service account should be created
create: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
podAnnotations: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
service:
type: ClusterIP
port: 1194
protocol: TCP
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80
nodeSelector: {}
tolerations: []
affinity: {}
tests:
enabled: false
cleanup: true

23
charts/openvpn/.helmignore Normal file
View File

@@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

20
charts/openvpn/Chart.yaml Normal file
View File

@@ -0,0 +1,20 @@
---
apiVersion: v2
name: openvpn
description: A Helm chart for deploying OpenVPN
type: application
version: 1.3.3
appVersion: v2.6.10
sources:
- https://git.badhouseplants.net/allanger/container-openvpn-xor
- https://github.com/kylemanna/docker-openvpn
maintainers:
- name: allanger
email: allanger@zohomail.com
url: https://badhouseplants.net
keywords:
- OpenVPN
- VPN

1
charts/openvpn/templates/NOTES.txt Normal file
View File

@@ -0,0 +1 @@
1. Get the application URL by running these commands:

62
charts/openvpn/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,62 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "openvpn-chart.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "openvpn-chart.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "openvpn-chart.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "openvpn-chart.labels" -}}
helm.sh/chart: {{ include "openvpn-chart.chart" . }}
{{ include "openvpn-chart.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "openvpn-chart.selectorLabels" -}}
app.kubernetes.io/name: {{ include "openvpn-chart.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "openvpn-chart.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "openvpn-chart.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}

128
charts/openvpn/templates/deployment.yaml Normal file
View File

@@ -0,0 +1,128 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "openvpn-chart.fullname" . }}
labels:
{{- include "openvpn-chart.labels" . | nindent 4 }}
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
selector:
matchLabels:
{{- include "openvpn-chart.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "openvpn-chart.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: pvc-openvpn
persistentVolumeClaim:
claimName: {{ include "openvpn-chart.fullname" . }}
- name: pki-scripts
configMap:
name: {{ include "openvpn-chart.fullname" . }}-pki-scripts
securityContext:
sysctls:
- name: net.ipv4.ip_forward
value: "1"
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
volumeMounts:
- mountPath: "/etc/openvpn"
name: pvc-openvpn
- mountPath: /scripts
name: pki-scripts
env:
- name: OVPN_SERVER
value: "{{ .Values.openvpn.proto }}://{{ .Values.openvpn.host }}:{{ .Values.openvpn.port }}"
- name: OPENVPN
value: "/etc/openvpn"
securityContext:
capabilities:
add:
- NET_ADMIN
initContainers:
# ----------------------------------------------------------------------
# -- This init container is generating the basic configuration
# ----------------------------------------------------------------------
- name: 0-ovpn-genconfig
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
volumeMounts:
- mountPath: "/etc/openvpn"
name: pvc-openvpn
env:
- name: OVPN_SERVER_URL
value: "{{ .Values.openvpn.proto }}://{{ .Values.openvpn.host }}:{{ .Values.openvpn.port }}"
- name: OVPN_DATA
value: "/etc/openvpn"
- name: OPENVPN
value: "/etc/openvpn"
command:
- sh
- -c
- 'if ! [ -f "/etc/openvpn/ovpn_env.sh" ]; then ovpn_genconfig -u $OVPN_SERVER_URL && touch /etc/openvpn/.init; fi'
- name: 1-ovpn-initpki
env:
- name: OVPN_DATA
value: /etc/openvpn
- name: OPENVPN
value: "/etc/openvpn"
- name: EASYRSA_REQ_CN
value: {{ .Values.easyrsa.cn }}
- name: EASYRSA_REQ_COUNTRY
value: {{ .Values.easyrsa.country }}
- name: EASYRSA_REQ_PROVINCE
value: {{ .Values.easyrsa.province }}
- name: EASYRSA_REQ_CITY
value: {{ .Values.easyrsa.city }}
- name: EASYRSA_REQ_ORG
value: {{ .Values.easyrsa.org }}
- name: EASYRSA_REQ_EMAIL
value: {{ .Values.easyrsa.email }}
- name: EASYRSA_REQ_OU
value: {{ .Values.easyrsa.ou }}
- name: EASYRSA_ALGO
value: {{ .Values.easyrsa.algo }}
- name: EASYRSA_DIGEST
value: {{ .Values.easyrsa.digest }}
- name: EASYRSA_BATCH
value: "yes"
- name: OVPN_SERVER_URL
value: "{{ .Values.openvpn.proto }}://{{ .Values.openvpn.host }}:{{ .Values.openvpn.port }}"
volumeMounts:
- mountPath: "/etc/openvpn"
name: pvc-openvpn
- mountPath: /scripts
name: pki-scripts
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- bash
- /scripts/init_pki.sh
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}

30
charts/openvpn/templates/pki-generate-scripts.yaml Normal file
View File

@@ -0,0 +1,30 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "openvpn-chart.fullname" . }}-pki-scripts
labels:
{{- include "openvpn-chart.labels" . | nindent 4 }}
data:
init_pki.sh: |
if [ ! -d /etc/openvpn/pki ]; then
source "$OPENVPN/ovpn_env.sh"
OVPN_DIR=/etc/openvpn
PKI_DIR=$OVPN_DIR/pki
cd $OVPN_DIR
export EASYRSA_BATCH=yes
unset EASYRSA_VARS_FILE
/usr/share/easy-rsa/easyrsa init-pki
/usr/share/easy-rsa/easyrsa build-ca nopass
/usr/share/easy-rsa/easyrsa build-server-full {{ .Values.openvpn.host }} nopass
/usr/share/easy-rsa/easyrsa gen-dh
cd $PKI_DIR
openvpn --genkey tls-crypt-v2-server private/{{ .Values.openvpn.host }}.pem
openvpn --genkey secret > ta.key
fi
gen_client.sh: |
source "$OPENVPN/ovpn_env.sh"
CLIENTNAME=$1
PASSWORD=$2
OVPN_DIR=/etc/openvpn
cd $OVPN_DIR
/usr/share/easy-rsa/easyrsa build-client-full $CLIENTNAME $PASSWORD

19
charts/openvpn/templates/pvc.yaml Normal file
View File

@@ -0,0 +1,19 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ include "openvpn-chart.fullname" . }}
labels:
{{- include "openvpn-chart.labels" . | nindent 4 }}
spec:
{{- if .Values.storage.class }}
{{- if (eq "-" .Values.storage.class) }}
storageClassName: ""
{{- else }}
storageClassName: "{{ .Values.storage.class }}"
{{- end }}
{{- end }}
accessModes:
- ReadWriteOnce
resources:
requests:
storage: {{ .Values.storage.size }}

18
charts/openvpn/templates/service.yaml Normal file
View File

@@ -0,0 +1,18 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "openvpn-chart.fullname" . }}
labels:
{{- include "openvpn-chart.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
{{- if .Values.service.nodePort }}
nodePort: {{ int .Values.service.nodePort }}
{{- end}}
targetPort: {{ .Values.service.port | default 1194 }}
protocol: {{ .Values.service.protocol | default "UDP" | quote }}
name: openvpn
selector:
{{- include "openvpn-chart.selectorLabels" . | nindent 4 }}

13
charts/openvpn/templates/tcp_route.yaml Normal file
View File

@@ -0,0 +1,13 @@
---
{{- if $.Capabilities.APIVersions.Has "traefik.io/v1alpha1/IngressRouteTCP" -}}
{{- if .Values.tcproute.enabled }}
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
name: {{ include "openvpn-chart.fullname" . }}
labels:
{{- include "openvpn-chart.labels" . | nindent 4 }}
spec:
{{ tpl (.Values.tcproute.spec | toYaml | indent 2 | toString) $ }}
{{- end }}
{{- end }}

200
charts/openvpn/templates/tests/test-connection.yaml Normal file
View File

@@ -0,0 +1,200 @@
{{- $version := semver .Capabilities.KubeVersion.Version }}
{{- if .Values.tests.enabled }}
# ---------------------------------------------------------------------
# -- Test that CRDs are installed
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "openvpn-chart.fullname" . }}-test-script
labels:
{{- include "openvpn-chart.selectorLabels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
{{- if .Values.tests.cleanup }}
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- end }}
"helm.sh/hook-weight": "6"
data:
get_config.sh: |-
#!/bin/bash
kubectl rollout status deployment/{{ include "openvpn-chart.fullname" . }}
kubectl exec deployment/{{ include "openvpn-chart.fullname" . }} -- ovpn_genclientcert test nopass
kubectl exec deployment/{{ include "openvpn-chart.fullname" . }} -- ovpn_getclient test > /data/test.ovpn
test_connection.sh : |-
sed -i "s/127.0.0.1/{{ include "openvpn-chart.fullname" . }}/g" /data/test.ovpn
mkdir -p /dev/net
mknod /dev/net/tun c 10 200
chmod 600 /dev/net/tun
openvpn --config /data/test.ovpn --daemon --log-append /tmp/ovpnlog
tail -n0 -f /tmp/ovpnlog | sed '/Initialization Sequence Completed/ q'
---
# ---------------------------------------------------------------------
# -- Prepare roles and bindings to access k8s resources from the test
# ---------------------------------------------------------------------
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "openvpn-chart.fullname" . }}-test-role
labels:
{{- include "openvpn-chart.selectorLabels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
{{- if .Values.tests.cleanup }}
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- end }}
"helm.sh/hook-weight": "1"
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-sa
labels:
{{- include "openvpn-chart.selectorLabels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
{{- if .Values.tests.cleanup }}
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- end }}
"helm.sh/hook-weight": "1"
automountServiceAccountToken: true
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-rb
labels:
{{- include "openvpn-chart.selectorLabels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
{{- if .Values.tests.cleanup }}
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- end }}
"helm.sh/hook-weight": "1"
subjects:
- kind: ServiceAccount
name: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-sa
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: {{ include "openvpn-chart.fullname" . }}-test-role
apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ include "openvpn-chart.fullname" . }}-test
annotations:
"helm.sh/hook": test
{{- if .Values.tests.cleanup }}
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- end }}
"helm.sh/hook-weight": "7"
labels:
{{- include "openvpn-chart.labels" . | nindent 4 }}
spec:
storageClassName: {{ .Values.storage.class }}
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 512Mi
---
apiVersion: v1
kind: Pod
metadata:
name: {{ include "openvpn-chart.fullname" . }}-test
labels:
{{- include "openvpn-chart.selectorLabels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
{{- if .Values.tests.cleanup }}
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- end }}
"helm.sh/hook-weight": "7"
spec:
serviceAccountName: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-sa
automountServiceAccountToken: true
volumes:
- name: test-script
configMap:
name: {{ include "openvpn-chart.fullname" . }}-test-script
- name: data
persistentVolumeClaim:
claimName: {{ include "openvpn-chart.fullname" . }}-test
containers:
- name: tester
image: alpine/k8s:{{ $version.Major }}.{{ $version.Minor }}.{{ $version.Patch }}
volumeMounts:
- name: test-script
readOnly: true
mountPath: /get_config.sh
subPath: get_config.sh
- name: data
readOnly: false
mountPath: /data
command:
- bash
args:
- -e
- /get_config.sh
restartPolicy: Never
---
apiVersion: v1
kind: Pod
metadata:
name: {{ include "openvpn-chart.fullname" . }}-test-connection
labels:
{{- include "openvpn-chart.selectorLabels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
{{- if .Values.tests.cleanup }}
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- end }}
"helm.sh/hook-weight": "7"
spec:
serviceAccountName: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-sa
automountServiceAccountToken: true
volumes:
- name: data
persistentVolumeClaim:
claimName: {{ include "openvpn-chart.fullname" . }}-test
- name: test-script
configMap:
name: {{ include "openvpn-chart.fullname" . }}-test-script
containers:
- name: tester
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
volumeMounts:
- name: data
readOnly: false
mountPath: /data
- name: test-script
readOnly: true
mountPath: /test_connection.sh
subPath: test_connection.sh
command:
- bash
args:
- -e
- /test_connection.sh
securityContext:
capabilities:
add:
- NET_ADMIN
restartPolicy: Never
{{- end }}

89
charts/openvpn/values.yaml Normal file
View File

@@ -0,0 +1,89 @@
# Default values for openvpn-chart.
image:
repository: git.badhouseplants.net/allanger/container-openvpn
pullPolicy: Always
# -------------------------------------------
# -- TODO: Switch to proper versions
# -------------------------------------------
# tag: ""
# -----------------------------
# -- Open VPN configuration
# -----------------------------
openvpn:
proto: tcp
host: 127.0.0.1
port: 1194
# ---------------------------------------
# -- Deploy OpenVPN admin
# -- https://github.com/flant/ovpn-admin
# ---------------------------------------
openvpn_admin:
enabled: true
# -----------------------------
# -- Easy RSA configuration
# -----------------------------
easyrsa:
cn: . # -- EASYRSA_REQ_CN
country: . # -- EASYRSA_REQ_COUNTRY
province: . # -- EASYRSA_REQ_PROVINCE
city: . # -- EASYRSA_REQ_CITY
org: . # -- EASYRSA_REQ_ORG
email: . # -- EASYRSA_REQ_EMAIL
ou: Community # -- EASYRSA_REQ_OU
algo: ec # -- EASYRSA_ALGO
digest: sha512 # -- EASYRSA_DIGEST
replicaCount: 1
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
storage:
class: ""
size: 1Gi
serviceAccount:
# Specifies whether a service account should be created
create: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
podAnnotations: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
service:
type: ClusterIP
port: 1194
protocol: TCP
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80
nodeSelector: {}
tolerations: []
affinity: {}
tests:
enabled: false
cleanup: true

23
charts/vaultwarden/.helmignore Normal file
View File

@@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

17
charts/vaultwarden/Chart.yaml Normal file
View File

@@ -0,0 +1,17 @@
apiVersion: v2
name: vaultwarden
description: Unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs
type: application
version: 1.2.0
appVersion: 1.30.5
maintainers:
- name: allanger
email: allanger@zohomail.com
url: https://badhouseplants.net
sources:
- https://github.com/dani-garcia/vaultwarden/tree/main
keywords:
- vaultwarden
- bitwarden
- bitwarden_rs
home: https://github.com/dani-garcia/vaultwarden/tree/main

22
charts/vaultwarden/templates/NOTES.txt Normal file
View File

@@ -0,0 +1,22 @@
1. Get the application URL by running these commands:
{{- if .Values.ingress.enabled }}
{{- range $host := .Values.ingress.hosts }}
{{- range .paths }}
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
{{- end }}
{{- end }}
{{- else if contains "NodePort" .Values.service.type }}
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "vaultwarden.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "vaultwarden.fullname" . }}'
export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "vaultwarden.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
echo http://$SERVICE_IP:{{ .Values.service.port }}
{{- else if contains "ClusterIP" .Values.service.type }}
export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "vaultwarden.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
{{- end }}

62
charts/vaultwarden/templates/_helpers.tpl Normal file
View File

@@ -0,0 +1,62 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "vaultwarden.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "vaultwarden.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "vaultwarden.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "vaultwarden.labels" -}}
helm.sh/chart: {{ include "vaultwarden.chart" . }}
{{ include "vaultwarden.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "vaultwarden.selectorLabels" -}}
app.kubernetes.io/name: {{ include "vaultwarden.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "vaultwarden.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "vaultwarden.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}

46
charts/vaultwarden/templates/configmap.yaml Normal file
View File

@@ -0,0 +1,46 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "vaultwarden.fullname" . }}
labels:
{{- include "vaultwarden.labels" . | nindent 4 }}
data:
DOMAIN: {{ .Values.vaultwarden.domain | quote }}
{{- if and .Values.vaultwarden.smtp.host .Values.vaultwarden.smtp.from | quote }}
SMTP_HOST: {{ .Values.vaultwarden.smtp.host | quote }}
SMTP_SECURITY: {{ .Values.vaultwarden.smtp.security | quote }}
SMTP_PORT: {{ .Values.vaultwarden.smtp.port | quote }}
{{- if .Values.vaultwarden.smtp.authMechanism }}
SMTP_AUTH_MECHANISM: {{ .Values.vaultwarden.smtp.authMechanism | quote }}
{{- end }}
SMTP_FROM: {{ .Values.vaultwarden.smtp.from | quote }}
SMTP_FROM_NAME: {{ default "Vaultwarden" .Values.vaultwarden.smtp.fromName | quote }}
SMTP_DEBUG: {{ .Values.vaultwarden.smtp.debug | quote }}
SMTP_ACCEPT_INVALID_HOSTNAMES: {{ .Values.vaultwarden.smtp.acceptInvalidHostnames | quote }}
SMTP_ACCEPT_INVALID_CERTS: {{ .Values.vaultwarden.smtp.acceptInvalidCerts | quote }}
SMTP_USERNAME: {{ .Values.vaultwarden.smtp.username | quote }}
{{- end }}
{{- if .Values.vaultwarden.websocket.enabled }}
WEBSOCKET_ENABLED: "true"
WEBSOCKET_ADDRESS: {{ .Values.vaultwarden.websocket.address | quote }}
WEBSOCKET_PORT: {{ .Values.vaultwarden.websocket.port | quote }}
{{- end }}
DATA_FOLDER: {{ .Values.vaultwarden.storage.dataDir | quote }}
ROCKET_PORT: {{ .Values.vaultwarden.rocket.port | quote }}
ROCKET_WORKERS: {{ .Values.vaultwarden.rocket.workers | quote }}
SHOW_PASSWORD_HINT: {{ .Values.vaultwarden.showPassHint | quote }}
SIGNUPS_ALLOWED: {{ .Values.vaultwarden.signupsAllowed | quote }}
INVITATIONS_ALLOWED: {{ .Values.vaultwarden.invitationsAllowed | quote }}
SIGNUPS_DOMAINS_WHITELIST: {{ .Values.vaultwarden.signupDomains | quote }}
SIGNUPS_VERIFY: {{ .Values.vaultwarden.signupsVerify | quote }}
WEB_VAULT_ENABLED: {{ .Values.vaultwarden.webVaultEnabled | quote }}
{{- if .Values.vaultwarden.logging.enabled }}
LOG_FILE: {{ .Values.vaultwarden.logging.logfile | quote }}
LOG_LEVEL: {{ .Values.vaultwarden.logging.loglevel | quote }}
{{- end }}
DB_CONNECTION_RETRIES: {{ .Values.vaultwarden.database.connectionRetries | quote }}
DATABASE_MAX_CONNS: {{ .Values.vaultwarden.database.maxConnections | quote }}
# -------------------------------------------------------------------
ORG_GROUPS_ENABLED: {{ .Values.vaultwarden.organizations.enabled | quote }}
ORG_EVENTS_ENABLED: {{ .Values.vaultwarden.organizations.orgEvents | quote }}
ORG_CREATION_USERS: {{ .Values.vaultwarden.organizations.crationUsers | quote }}

96
charts/vaultwarden/templates/deployment.yaml Normal file
View File

@@ -0,0 +1,96 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "vaultwarden.fullname" . }}
labels:
{{- include "vaultwarden.labels" . | nindent 4 }}
spec:
replicas: 1
selector:
matchLabels:
{{- include "vaultwarden.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
{{- end }}
labels:
{{- include "vaultwarden.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
securityContext:
{{- toYaml .Values.podSecurityContext | nindent 8 }}
{{- if .Values.vaultwarden.storage.enabled }}
volumes:
- name: data
persistentVolumeClaim:
claimName: {{ include "vaultwarden.fullname" . }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- name: http
containerPort: {{ .Values.service.port }}
protocol: TCP
livenessProbe:
exec:
command:
- sh
- /healthcheck.sh
readinessProbe:
exec:
command:
- sh
- /healthcheck.sh
resources:
{{- toYaml .Values.resources | nindent 12 }}
envFrom:
- configMapRef:
name: {{ include "vaultwarden.fullname" . }}
env:
{{- if or (.Values.vaultwarden.smtp.password.value) (.Values.vaultwarden.smtp.password.existingSecretKey )}}
- name: SMTP_PASSWORD
valueFrom:
secretKeyRef:
name: {{ .Values.vaultwarden.smtp.password.existingSecret | default ( printf "%s-smtp" ( include "vaultwarden.fullname" . )) }}
key: {{ default "SMTP_PASSWORD" .Values.vaultwarden.smtp.password.existingSecretKey }}
{{- end }}
- name: ADMIN_TOKEN
valueFrom:
secretKeyRef:
name: {{ .Values.vaultwarden.adminToken.existingSecret | default ( printf "%s-admin-token" ( include "vaultwarden.fullname" . )) }}
key: {{ default "ADMIN_TOKEN" .Values.vaultwarden.adminToken.existingSecretKey }}
{{- if ne "default" .Values.vaultwarden.database.type }}
- name: DATABASE_URL
valueFrom:
secretKeyRef:
name: {{ .Values.vaultwarden.database.existingSecret | default ( printf "%s-db-creds" ( include "vaultwarden.fullname" . )) }}
key: {{ default "DATABASE_URL" .Values.vaultwarden.database.existingSecretKey }}
{{- end }}
{{- if .Values.vaultwarden.storage.enabled }}
volumeMounts:
- mountPath: {{ .Values.vaultwarden.storage.dataDir }}
name: data
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}

61
charts/vaultwarden/templates/ingress.yaml Normal file
View File

@@ -0,0 +1,61 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "vaultwarden.fullname" . -}}
{{- $svcPort := .Values.service.port -}}
{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
{{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
{{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
{{- end }}
{{- end }}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}
labels:
{{- include "vaultwarden.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
ingressClassName: {{ .Values.ingress.className }}
{{- end }}
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
{{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
pathType: {{ .pathType }}
{{- end }}
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}
port:
number: {{ $svcPort }}
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ $svcPort }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}

15
charts/vaultwarden/templates/pvc.yaml Normal file
View File

@@ -0,0 +1,15 @@
{{- if .Values.vaultwarden.storage.enabled }}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ include "vaultwarden.fullname" . }}
labels:
{{- include "vaultwarden.labels" . | nindent 4 }}
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: {{ .Values.vaultwarden.storage.size }}
storageClassName: {{ .Values.vaultwarden.storage.class }}
{{- end }}

38
charts/vaultwarden/templates/secret.yaml Normal file
View File

@@ -0,0 +1,38 @@
{{- if not .Values.vaultwarden.adminToken.existingSecret }}
---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: {{ include "vaultwarden.fullname" . }}-admin-token
labels:
{{- include "vaultwarden.labels" . | nindent 4 }}
data:
ADMIN_TOKEN: {{ .Values.vaultwarden.adminToken.value | b64enc | quote }}
{{- end }}
{{- if not .Values.vaultwarden.database.existingSecret }}
---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: {{ include "vaultwarden.fullname" . }}-db-creds
labels:
{{- include "vaultwarden.labels" . | nindent 4 }}
data:
DATABASE_URL: {{ .Values.vaultwarden.database.connectionString | b64enc | quote }}
{{- end }}
{{- if not .Values.vaultwarden.smtp.password.existingSecret }}
---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: {{ include "vaultwarden.fullname" . }}-smtp
labels:
{{- include "vaultwarden.labels" . | nindent 4 }}
data:
SMTP_PASSWORD: {{ .Values.vaultwarden.smtp.password.value | b64enc | quote }}
{{- end }}

15
charts/vaultwarden/templates/service.yaml Normal file
View File

@@ -0,0 +1,15 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "vaultwarden.fullname" . }}
labels:
{{- include "vaultwarden.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
targetPort: http
protocol: TCP
name: http
selector:
{{- include "vaultwarden.selectorLabels" . | nindent 4 }}

106
charts/vaultwarden/values.yaml Normal file
View File

@@ -0,0 +1,106 @@
image:
repository: registry.hub.docker.com/vaultwarden/server
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: ""
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
podAnnotations: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
service:
type: ClusterIP
port: 8080
ingress:
enabled: false
className: ""
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
hosts:
- host: chart-example.local
paths:
- path: /
pathType: ImplementationSpecific
tls: []
# - secretName: chart-example-tls
# hosts:
# - chart-example.local
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
tolerations: []
affinity: {}
vaultwarden:
smtp:
host: ""
security: "starttls"
port: 25
from: vaultwarden@badhouseplants.net
fromName: vaultwarden
username: vaultwarden
password:
value: "VerySecurePassword"
existingSecret: ""
existingSecretKey: ""
authMechanism: "Plain"
acceptInvalidHostnames: "false"
acceptInvalidCerts: "false"
debug: false
adminToken:
existingSecret: ""
existingSecretKey: ""
value: "R@ndomToken$tring"
domain: "https://badhouseplants.vaultwarden.com"
websocket:
enabled: true
address: "0.0.0.0"
port: 3012
rocket:
port: "8080"
workers: "10"
webVaultEnabled: "true"
signupsAllowed: true
invitationsAllowed: true
signupDomains: "https://badhouseplants.vaultwarden.com"
signupsVerify: "true"
showPassHint: "false"
database:
connectionString: "data/db.sqlite3"
existingSecret: ""
existingSecretKey: ""
connectionRetries: 15
maxConnections: 10
storage:
enabled: false
size: 1Gi
class: default
dataDir: /data
logging:
enabled: false
logfile: "/data/vaultwarden.log"
loglevel: "warn"
organizations:
enabled: false
orgEvents: false # -- ORG_GROUPS_ENABLED
crationUsers: "" # -- ORG_CREATION_USERS