diff --git a/charts/openvpn-xor/.helmignore b/charts/openvpn-xor/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/charts/openvpn-xor/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/openvpn-xor/Chart.yaml b/charts/openvpn-xor/Chart.yaml new file mode 100644 index 0000000..38582dc --- /dev/null +++ b/charts/openvpn-xor/Chart.yaml @@ -0,0 +1,26 @@ +--- +apiVersion: v2 +name: openvpn-xor +description: A Helm chart for deploying OpenVPN with the XOR patch +type: application +version: 1.4.4 +appVersion: v2.6.9 + +sources: + - https://git.badhouseplants.net/allanger/container-openvpn + - https://github.com/kylemanna/docker-openvpn + - https://github.com/Tunnelblick/Tunnelblick + - https://github.com/OpenVPN/openvpn + +maintainers: + - name: allanger + email: allanger@zohomail.com + url: https://badhouseplants.net + +keywords: + - OpenVPN + - VPN + - XOR + +annotations: + xor_version: 4.0.1 diff --git a/charts/openvpn-xor/templates/NOTES.txt b/charts/openvpn-xor/templates/NOTES.txt new file mode 100644 index 0000000..7d790da --- /dev/null +++ b/charts/openvpn-xor/templates/NOTES.txt @@ -0,0 +1 @@ +1. Get the application URL by running these commands: diff --git a/charts/openvpn-xor/templates/_helpers.tpl b/charts/openvpn-xor/templates/_helpers.tpl new file mode 100644 index 0000000..8e14004 --- /dev/null +++ b/charts/openvpn-xor/templates/_helpers.tpl @@ -0,0 +1,82 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "chart.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "chart.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} +{{- printf "lala" }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "chart.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "chart.labels" -}} +helm.sh/chart: {{ include "chart.chart" . }} +{{ include "chart.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "chart.selectorLabels" -}} +app.kubernetes.io/name: {{ include "chart.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "chart.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "chart.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +Build image tag for the XOR image +*/}} +{{- define "chart.imageTag" -}} +{{- if .Values.image.tag }} +{{- .Values.image.tag }} +{{- else }} +{{- printf "%s-xor-%s" .Chart.AppVersion .Chart.Annotations.xor_version }} +{{- end }} +{{- end }} + +{{/* +Build the whole image name +*/}} +{{- define "chart.image" -}} +{{- printf "%s:%s" .Values.image.repository (include "chart.imageTag" .) }} +{{- end }} diff --git a/charts/openvpn-xor/templates/deployment.yaml b/charts/openvpn-xor/templates/deployment.yaml new file mode 100644 index 0000000..ed1e442 --- /dev/null +++ b/charts/openvpn-xor/templates/deployment.yaml @@ -0,0 +1,128 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "chart.fullname" . }} + labels: + {{- include "chart.labels" . | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "chart.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "chart.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + - name: pvc-openvpn + persistentVolumeClaim: + claimName: {{ include "chart.fullname" . }} + - name: pki-scripts + configMap: + name: {{ include "chart.fullname" . }}-pki-scripts + securityContext: + sysctls: + - name: net.ipv4.ip_forward + value: "1" + containers: + - name: {{ .Chart.Name }} + image: {{ include "chart.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + volumeMounts: + - mountPath: "/etc/openvpn" + name: pvc-openvpn + - mountPath: /scripts + name: pki-scripts + env: + - name: OVPN_SERVER + value: "{{ .Values.openvpn.proto }}://{{ .Values.openvpn.host }}:{{ .Values.openvpn.port }}" + - name: OPENVPN + value: "/etc/openvpn" + securityContext: + capabilities: + add: + - NET_ADMIN + initContainers: + # ---------------------------------------------------------------------- + # -- This init container is generating the basic configuration + # ---------------------------------------------------------------------- + - name: 0-ovpn-genconfig + image: {{ include "chart.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + volumeMounts: + - mountPath: "/etc/openvpn" + name: pvc-openvpn + env: + - name: OVPN_SERVER_URL + value: "{{ .Values.openvpn.proto }}://{{ .Values.openvpn.host }}:{{ .Values.openvpn.port }}" + - name: OVPN_DATA + value: "/etc/openvpn" + - name: OPENVPN + value: "/etc/openvpn" + command: + - sh + - -c + - 'if ! [ -f "/etc/openvpn/ovpn_env.sh" ]; then ovpn_genconfig -u $OVPN_SERVER_URL && touch /etc/openvpn/.init; fi' + - name: 1-ovpn-initpki + env: + - name: OVPN_DATA + value: /etc/openvpn + - name: OPENVPN + value: "/etc/openvpn" + - name: EASYRSA_REQ_CN + value: {{ .Values.easyrsa.cn }} + - name: EASYRSA_REQ_COUNTRY + value: {{ .Values.easyrsa.country }} + - name: EASYRSA_REQ_PROVINCE + value: {{ .Values.easyrsa.province }} + - name: EASYRSA_REQ_CITY + value: {{ .Values.easyrsa.city }} + - name: EASYRSA_REQ_ORG + value: {{ .Values.easyrsa.org }} + - name: EASYRSA_REQ_EMAIL + value: {{ .Values.easyrsa.email }} + - name: EASYRSA_REQ_OU + value: {{ .Values.easyrsa.ou }} + - name: EASYRSA_ALGO + value: {{ .Values.easyrsa.algo }} + - name: EASYRSA_DIGEST + value: {{ .Values.easyrsa.digest }} + - name: EASYRSA_BATCH + value: "yes" + - name: OVPN_SERVER_URL + value: "{{ .Values.openvpn.proto }}://{{ .Values.openvpn.host }}:{{ .Values.openvpn.port }}" + volumeMounts: + - mountPath: "/etc/openvpn" + name: pvc-openvpn + - mountPath: /scripts + name: pki-scripts + image: {{ include "chart.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - bash + - /scripts/init_pki.sh + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/openvpn-xor/templates/pki-generate-scripts.yaml b/charts/openvpn-xor/templates/pki-generate-scripts.yaml new file mode 100644 index 0000000..b24bb46 --- /dev/null +++ b/charts/openvpn-xor/templates/pki-generate-scripts.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "chart.fullname" . }}-pki-scripts + labels: + {{- include "chart.labels" . | nindent 4 }} +data: + init_pki.sh: | + if [ ! -d /etc/openvpn/pki ]; then + source "$OPENVPN/ovpn_env.sh" + OVPN_DIR=/etc/openvpn + PKI_DIR=$OVPN_DIR/pki + cd $OVPN_DIR + export EASYRSA_BATCH=yes + unset EASYRSA_VARS_FILE + /usr/share/easy-rsa/easyrsa init-pki + /usr/share/easy-rsa/easyrsa build-ca nopass + /usr/share/easy-rsa/easyrsa build-server-full {{ .Values.openvpn.host }} nopass + /usr/share/easy-rsa/easyrsa gen-dh + cd $PKI_DIR + openvpn --genkey tls-crypt-v2-server private/{{ .Values.openvpn.host }}.pem + openvpn --genkey secret > ta.key + fi + gen_client.sh: | + source "$OPENVPN/ovpn_env.sh" + CLIENTNAME=$1 + PASSWORD=$2 + OVPN_DIR=/etc/openvpn + cd $OVPN_DIR + /usr/share/easy-rsa/easyrsa build-client-full $CLIENTNAME $PASSWORD diff --git a/charts/openvpn-xor/templates/pvc.yaml b/charts/openvpn-xor/templates/pvc.yaml new file mode 100644 index 0000000..404eb7a --- /dev/null +++ b/charts/openvpn-xor/templates/pvc.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ include "chart.fullname" . }} + labels: + {{- include "chart.labels" . | nindent 4 }} +spec: + {{- if .Values.storage.class }} + {{- if (eq "-" .Values.storage.class) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.storage.class }}" + {{- end }} + {{- end }} + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.storage.size }} diff --git a/charts/openvpn-xor/templates/service.yaml b/charts/openvpn-xor/templates/service.yaml new file mode 100644 index 0000000..8e24d62 --- /dev/null +++ b/charts/openvpn-xor/templates/service.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "chart.fullname" . }} + labels: + {{- include "chart.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + {{- if .Values.service.nodePort }} + nodePort: {{ int .Values.service.nodePort }} + {{- end}} + targetPort: {{ .Values.service.port | default 1194 }} + protocol: {{ .Values.service.protocol | default "UDP" | quote }} + name: openvpn-xor + selector: + {{- include "chart.selectorLabels" . | nindent 4 }} diff --git a/charts/openvpn-xor/templates/tcp_route.yaml b/charts/openvpn-xor/templates/tcp_route.yaml new file mode 100644 index 0000000..1657d96 --- /dev/null +++ b/charts/openvpn-xor/templates/tcp_route.yaml @@ -0,0 +1,13 @@ +--- +{{- if $.Capabilities.APIVersions.Has "traefik.io/v1alpha1/IngressRouteTCP" -}} +{{- if .Values.tcproute.enabled }} +apiVersion: traefik.io/v1alpha1 +kind: IngressRouteTCP +metadata: + name: {{ include "chart.fullname" . }} + labels: + {{- include "chart.labels" . | nindent 4 }} +spec: +{{ tpl (.Values.tcproute.spec | toYaml | indent 2 | toString) $ }} +{{- end }} +{{- end }} diff --git a/charts/openvpn-xor/templates/tests/test-connection.yaml b/charts/openvpn-xor/templates/tests/test-connection.yaml new file mode 100644 index 0000000..a419802 --- /dev/null +++ b/charts/openvpn-xor/templates/tests/test-connection.yaml @@ -0,0 +1,200 @@ + +{{- $version := semver .Capabilities.KubeVersion.Version }} +{{- if .Values.tests.enabled }} +# --------------------------------------------------------------------- +# -- Test that CRDs are installed +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "openvpn-chart.fullname" . }}-test-script + labels: + {{- include "openvpn-chart.selectorLabels" . | nindent 4 }} + annotations: + "helm.sh/hook": test + {{- if .Values.tests.cleanup }} + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + {{- end }} + "helm.sh/hook-weight": "6" +data: + get_config.sh: |- + #!/bin/bash + kubectl rollout status deployment/{{ include "openvpn-chart.fullname" . }} + kubectl exec deployment/{{ include "openvpn-chart.fullname" . }} -- ovpn_genclientcert test nopass + kubectl exec deployment/{{ include "openvpn-chart.fullname" . }} -- ovpn_getclient test > /data/test.ovpn + test_connection.sh : |- + sed -i "s/127.0.0.1/{{ include "openvpn-chart.fullname" . }}/g" /data/test.ovpn + mkdir -p /dev/net + mknod /dev/net/tun c 10 200 + chmod 600 /dev/net/tun + openvpn --config /data/test.ovpn --daemon --log-append /tmp/ovpnlog + tail -n0 -f /tmp/ovpnlog | sed '/Initialization Sequence Completed/ q' + +--- +# --------------------------------------------------------------------- +# -- Prepare roles and bindings to access k8s resources from the test +# --------------------------------------------------------------------- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "openvpn-chart.fullname" . }}-test-role + labels: + {{- include "openvpn-chart.selectorLabels" . | nindent 4 }} + annotations: + "helm.sh/hook": test + {{- if .Values.tests.cleanup }} + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + {{- end }} + "helm.sh/hook-weight": "1" +rules: +- apiGroups: ["*"] + resources: ["*"] + verbs: ["*"] + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-sa + labels: + {{- include "openvpn-chart.selectorLabels" . | nindent 4 }} + annotations: + "helm.sh/hook": test + {{- if .Values.tests.cleanup }} + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + {{- end }} + "helm.sh/hook-weight": "1" +automountServiceAccountToken: true + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-rb + labels: + {{- include "openvpn-chart.selectorLabels" . | nindent 4 }} + annotations: + "helm.sh/hook": test + {{- if .Values.tests.cleanup }} + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + {{- end }} + "helm.sh/hook-weight": "1" +subjects: +- kind: ServiceAccount + name: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-sa + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ include "openvpn-chart.fullname" . }}-test-role + apiGroup: rbac.authorization.k8s.io + +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ include "openvpn-chart.fullname" . }}-test + annotations: + "helm.sh/hook": test + {{- if .Values.tests.cleanup }} + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + {{- end }} + "helm.sh/hook-weight": "7" + labels: + {{- include "openvpn-chart.labels" . | nindent 4 }} +spec: + storageClassName: {{ .Values.storage.class }} + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 512Mi + +--- +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "openvpn-chart.fullname" . }}-test + labels: + {{- include "openvpn-chart.selectorLabels" . | nindent 4 }} + annotations: + "helm.sh/hook": test + {{- if .Values.tests.cleanup }} + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + {{- end }} + "helm.sh/hook-weight": "7" +spec: + serviceAccountName: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-sa + automountServiceAccountToken: true + volumes: + - name: test-script + configMap: + name: {{ include "openvpn-chart.fullname" . }}-test-script + - name: data + persistentVolumeClaim: + claimName: {{ include "openvpn-chart.fullname" . }}-test + containers: + - name: tester + image: alpine/k8s:{{ $version.Major }}.{{ $version.Minor }}.{{ $version.Patch }} + volumeMounts: + - name: test-script + readOnly: true + mountPath: /get_config.sh + subPath: get_config.sh + - name: data + readOnly: false + mountPath: /data + command: + - bash + args: + - -e + - /get_config.sh + restartPolicy: Never + +--- +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "openvpn-chart.fullname" . }}-test-connection + labels: + {{- include "openvpn-chart.selectorLabels" . | nindent 4 }} + annotations: + "helm.sh/hook": test + {{- if .Values.tests.cleanup }} + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + {{- end }} + "helm.sh/hook-weight": "7" +spec: + serviceAccountName: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-sa + automountServiceAccountToken: true + volumes: + - name: data + persistentVolumeClaim: + claimName: {{ include "openvpn-chart.fullname" . }}-test + - name: test-script + configMap: + name: {{ include "openvpn-chart.fullname" . }}-test-script + containers: + - name: tester + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + volumeMounts: + - name: data + readOnly: false + mountPath: /data + - name: test-script + readOnly: true + mountPath: /test_connection.sh + subPath: test_connection.sh + command: + - bash + args: + - -e + - /test_connection.sh + securityContext: + capabilities: + add: + - NET_ADMIN + + restartPolicy: Never + +{{- end }} diff --git a/charts/openvpn-xor/values.yaml b/charts/openvpn-xor/values.yaml new file mode 100644 index 0000000..a1091d9 --- /dev/null +++ b/charts/openvpn-xor/values.yaml @@ -0,0 +1,89 @@ +# Default values for openvpn-chart. +image: + repository: git.badhouseplants.net/allanger/container-openvpn + pullPolicy: Always + # ------------------------------------------- + # -- TODO: Switch to proper versions + # ------------------------------------------- + # tag: check +# ----------------------------- +# -- Open VPN configuration +# ----------------------------- +openvpn: + proto: tcp + host: 127.0.0.1 + port: 1194 +# --------------------------------------- +# -- Deploy OpenVPN admin +# -- https://github.com/flant/ovpn-admin +# --------------------------------------- +openvpn_admin: + enabled: true +# ----------------------------- +# -- Easy RSA configuration +# ----------------------------- +easyrsa: + cn: . # -- EASYRSA_REQ_CN + country: . # -- EASYRSA_REQ_COUNTRY + province: . # -- EASYRSA_REQ_PROVINCE + city: . # -- EASYRSA_REQ_CITY + org: . # -- EASYRSA_REQ_ORG + email: . # -- EASYRSA_REQ_EMAIL + ou: Community # -- EASYRSA_REQ_OU + algo: ec # -- EASYRSA_ALGO + digest: sha512 # -- EASYRSA_DIGEST +replicaCount: 1 +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" +storage: + class: "" + size: 1Gi +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" +podAnnotations: {} +podSecurityContext: {} +# fsGroup: 2000 + +securityContext: {} +# capabilities: +# drop: +# - ALL +# readOnlyRootFilesystem: true +# runAsNonRoot: true +# runAsUser: 1000 + +service: + type: ClusterIP + port: 1194 + protocol: TCP +resources: {} +# We usually recommend not to specify default resources and to leave this as a conscious +# choice for the user. This also increases chances charts run on environments with little +# resources, such as Minikube. If you do want to specify resources, uncomment the following +# lines, adjust them as necessary, and remove the curly braces after 'resources:'. +# limits: +# cpu: 100m +# memory: 128Mi +# requests: +# cpu: 100m +# memory: 128Mi + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 +nodeSelector: {} +tolerations: [] +affinity: {} +tests: + enabled: false + cleanup: true diff --git a/charts/openvpn/.helmignore b/charts/openvpn/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/charts/openvpn/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/openvpn/Chart.yaml b/charts/openvpn/Chart.yaml new file mode 100644 index 0000000..18534f3 --- /dev/null +++ b/charts/openvpn/Chart.yaml @@ -0,0 +1,20 @@ +--- +apiVersion: v2 +name: openvpn +description: A Helm chart for deploying OpenVPN +type: application +version: 1.3.3 +appVersion: v2.6.10 + +sources: + - https://git.badhouseplants.net/allanger/container-openvpn-xor + - https://github.com/kylemanna/docker-openvpn + +maintainers: + - name: allanger + email: allanger@zohomail.com + url: https://badhouseplants.net + +keywords: + - OpenVPN + - VPN diff --git a/charts/openvpn/templates/NOTES.txt b/charts/openvpn/templates/NOTES.txt new file mode 100644 index 0000000..7d790da --- /dev/null +++ b/charts/openvpn/templates/NOTES.txt @@ -0,0 +1 @@ +1. Get the application URL by running these commands: diff --git a/charts/openvpn/templates/_helpers.tpl b/charts/openvpn/templates/_helpers.tpl new file mode 100644 index 0000000..e4d932c --- /dev/null +++ b/charts/openvpn/templates/_helpers.tpl @@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "openvpn-chart.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "openvpn-chart.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "openvpn-chart.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "openvpn-chart.labels" -}} +helm.sh/chart: {{ include "openvpn-chart.chart" . }} +{{ include "openvpn-chart.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "openvpn-chart.selectorLabels" -}} +app.kubernetes.io/name: {{ include "openvpn-chart.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "openvpn-chart.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "openvpn-chart.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} diff --git a/charts/openvpn/templates/deployment.yaml b/charts/openvpn/templates/deployment.yaml new file mode 100644 index 0000000..0eb0564 --- /dev/null +++ b/charts/openvpn/templates/deployment.yaml @@ -0,0 +1,128 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "openvpn-chart.fullname" . }} + labels: + {{- include "openvpn-chart.labels" . | nindent 4 }} +spec: + {{- if not .Values.autoscaling.enabled }} + replicas: {{ .Values.replicaCount }} + {{- end }} + selector: + matchLabels: + {{- include "openvpn-chart.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "openvpn-chart.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + - name: pvc-openvpn + persistentVolumeClaim: + claimName: {{ include "openvpn-chart.fullname" . }} + - name: pki-scripts + configMap: + name: {{ include "openvpn-chart.fullname" . }}-pki-scripts + securityContext: + sysctls: + - name: net.ipv4.ip_forward + value: "1" + containers: + - name: {{ .Chart.Name }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + volumeMounts: + - mountPath: "/etc/openvpn" + name: pvc-openvpn + - mountPath: /scripts + name: pki-scripts + env: + - name: OVPN_SERVER + value: "{{ .Values.openvpn.proto }}://{{ .Values.openvpn.host }}:{{ .Values.openvpn.port }}" + - name: OPENVPN + value: "/etc/openvpn" + securityContext: + capabilities: + add: + - NET_ADMIN + initContainers: + # ---------------------------------------------------------------------- + # -- This init container is generating the basic configuration + # ---------------------------------------------------------------------- + - name: 0-ovpn-genconfig + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + volumeMounts: + - mountPath: "/etc/openvpn" + name: pvc-openvpn + env: + - name: OVPN_SERVER_URL + value: "{{ .Values.openvpn.proto }}://{{ .Values.openvpn.host }}:{{ .Values.openvpn.port }}" + - name: OVPN_DATA + value: "/etc/openvpn" + - name: OPENVPN + value: "/etc/openvpn" + command: + - sh + - -c + - 'if ! [ -f "/etc/openvpn/ovpn_env.sh" ]; then ovpn_genconfig -u $OVPN_SERVER_URL && touch /etc/openvpn/.init; fi' + - name: 1-ovpn-initpki + env: + - name: OVPN_DATA + value: /etc/openvpn + - name: OPENVPN + value: "/etc/openvpn" + - name: EASYRSA_REQ_CN + value: {{ .Values.easyrsa.cn }} + - name: EASYRSA_REQ_COUNTRY + value: {{ .Values.easyrsa.country }} + - name: EASYRSA_REQ_PROVINCE + value: {{ .Values.easyrsa.province }} + - name: EASYRSA_REQ_CITY + value: {{ .Values.easyrsa.city }} + - name: EASYRSA_REQ_ORG + value: {{ .Values.easyrsa.org }} + - name: EASYRSA_REQ_EMAIL + value: {{ .Values.easyrsa.email }} + - name: EASYRSA_REQ_OU + value: {{ .Values.easyrsa.ou }} + - name: EASYRSA_ALGO + value: {{ .Values.easyrsa.algo }} + - name: EASYRSA_DIGEST + value: {{ .Values.easyrsa.digest }} + - name: EASYRSA_BATCH + value: "yes" + - name: OVPN_SERVER_URL + value: "{{ .Values.openvpn.proto }}://{{ .Values.openvpn.host }}:{{ .Values.openvpn.port }}" + volumeMounts: + - mountPath: "/etc/openvpn" + name: pvc-openvpn + - mountPath: /scripts + name: pki-scripts + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + command: + - bash + - /scripts/init_pki.sh + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/openvpn/templates/pki-generate-scripts.yaml b/charts/openvpn/templates/pki-generate-scripts.yaml new file mode 100644 index 0000000..d211fe1 --- /dev/null +++ b/charts/openvpn/templates/pki-generate-scripts.yaml @@ -0,0 +1,30 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "openvpn-chart.fullname" . }}-pki-scripts + labels: + {{- include "openvpn-chart.labels" . | nindent 4 }} +data: + init_pki.sh: | + if [ ! -d /etc/openvpn/pki ]; then + source "$OPENVPN/ovpn_env.sh" + OVPN_DIR=/etc/openvpn + PKI_DIR=$OVPN_DIR/pki + cd $OVPN_DIR + export EASYRSA_BATCH=yes + unset EASYRSA_VARS_FILE + /usr/share/easy-rsa/easyrsa init-pki + /usr/share/easy-rsa/easyrsa build-ca nopass + /usr/share/easy-rsa/easyrsa build-server-full {{ .Values.openvpn.host }} nopass + /usr/share/easy-rsa/easyrsa gen-dh + cd $PKI_DIR + openvpn --genkey tls-crypt-v2-server private/{{ .Values.openvpn.host }}.pem + openvpn --genkey secret > ta.key + fi + gen_client.sh: | + source "$OPENVPN/ovpn_env.sh" + CLIENTNAME=$1 + PASSWORD=$2 + OVPN_DIR=/etc/openvpn + cd $OVPN_DIR + /usr/share/easy-rsa/easyrsa build-client-full $CLIENTNAME $PASSWORD diff --git a/charts/openvpn/templates/pvc.yaml b/charts/openvpn/templates/pvc.yaml new file mode 100644 index 0000000..96c3dd7 --- /dev/null +++ b/charts/openvpn/templates/pvc.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ include "openvpn-chart.fullname" . }} + labels: + {{- include "openvpn-chart.labels" . | nindent 4 }} +spec: + {{- if .Values.storage.class }} + {{- if (eq "-" .Values.storage.class) }} + storageClassName: "" + {{- else }} + storageClassName: "{{ .Values.storage.class }}" + {{- end }} + {{- end }} + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.storage.size }} diff --git a/charts/openvpn/templates/service.yaml b/charts/openvpn/templates/service.yaml new file mode 100644 index 0000000..e84818f --- /dev/null +++ b/charts/openvpn/templates/service.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "openvpn-chart.fullname" . }} + labels: + {{- include "openvpn-chart.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + {{- if .Values.service.nodePort }} + nodePort: {{ int .Values.service.nodePort }} + {{- end}} + targetPort: {{ .Values.service.port | default 1194 }} + protocol: {{ .Values.service.protocol | default "UDP" | quote }} + name: openvpn + selector: + {{- include "openvpn-chart.selectorLabels" . | nindent 4 }} diff --git a/charts/openvpn/templates/tcp_route.yaml b/charts/openvpn/templates/tcp_route.yaml new file mode 100644 index 0000000..b8e40ab --- /dev/null +++ b/charts/openvpn/templates/tcp_route.yaml @@ -0,0 +1,13 @@ +--- +{{- if $.Capabilities.APIVersions.Has "traefik.io/v1alpha1/IngressRouteTCP" -}} +{{- if .Values.tcproute.enabled }} +apiVersion: traefik.io/v1alpha1 +kind: IngressRouteTCP +metadata: + name: {{ include "openvpn-chart.fullname" . }} + labels: + {{- include "openvpn-chart.labels" . | nindent 4 }} +spec: +{{ tpl (.Values.tcproute.spec | toYaml | indent 2 | toString) $ }} +{{- end }} +{{- end }} diff --git a/charts/openvpn/templates/tests/test-connection.yaml b/charts/openvpn/templates/tests/test-connection.yaml new file mode 100644 index 0000000..a419802 --- /dev/null +++ b/charts/openvpn/templates/tests/test-connection.yaml @@ -0,0 +1,200 @@ + +{{- $version := semver .Capabilities.KubeVersion.Version }} +{{- if .Values.tests.enabled }} +# --------------------------------------------------------------------- +# -- Test that CRDs are installed +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "openvpn-chart.fullname" . }}-test-script + labels: + {{- include "openvpn-chart.selectorLabels" . | nindent 4 }} + annotations: + "helm.sh/hook": test + {{- if .Values.tests.cleanup }} + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + {{- end }} + "helm.sh/hook-weight": "6" +data: + get_config.sh: |- + #!/bin/bash + kubectl rollout status deployment/{{ include "openvpn-chart.fullname" . }} + kubectl exec deployment/{{ include "openvpn-chart.fullname" . }} -- ovpn_genclientcert test nopass + kubectl exec deployment/{{ include "openvpn-chart.fullname" . }} -- ovpn_getclient test > /data/test.ovpn + test_connection.sh : |- + sed -i "s/127.0.0.1/{{ include "openvpn-chart.fullname" . }}/g" /data/test.ovpn + mkdir -p /dev/net + mknod /dev/net/tun c 10 200 + chmod 600 /dev/net/tun + openvpn --config /data/test.ovpn --daemon --log-append /tmp/ovpnlog + tail -n0 -f /tmp/ovpnlog | sed '/Initialization Sequence Completed/ q' + +--- +# --------------------------------------------------------------------- +# -- Prepare roles and bindings to access k8s resources from the test +# --------------------------------------------------------------------- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "openvpn-chart.fullname" . }}-test-role + labels: + {{- include "openvpn-chart.selectorLabels" . | nindent 4 }} + annotations: + "helm.sh/hook": test + {{- if .Values.tests.cleanup }} + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + {{- end }} + "helm.sh/hook-weight": "1" +rules: +- apiGroups: ["*"] + resources: ["*"] + verbs: ["*"] + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-sa + labels: + {{- include "openvpn-chart.selectorLabels" . | nindent 4 }} + annotations: + "helm.sh/hook": test + {{- if .Values.tests.cleanup }} + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + {{- end }} + "helm.sh/hook-weight": "1" +automountServiceAccountToken: true + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-rb + labels: + {{- include "openvpn-chart.selectorLabels" . | nindent 4 }} + annotations: + "helm.sh/hook": test + {{- if .Values.tests.cleanup }} + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + {{- end }} + "helm.sh/hook-weight": "1" +subjects: +- kind: ServiceAccount + name: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-sa + namespace: {{ .Release.Namespace }} +roleRef: + kind: ClusterRole + name: {{ include "openvpn-chart.fullname" . }}-test-role + apiGroup: rbac.authorization.k8s.io + +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ include "openvpn-chart.fullname" . }}-test + annotations: + "helm.sh/hook": test + {{- if .Values.tests.cleanup }} + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + {{- end }} + "helm.sh/hook-weight": "7" + labels: + {{- include "openvpn-chart.labels" . | nindent 4 }} +spec: + storageClassName: {{ .Values.storage.class }} + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 512Mi + +--- +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "openvpn-chart.fullname" . }}-test + labels: + {{- include "openvpn-chart.selectorLabels" . | nindent 4 }} + annotations: + "helm.sh/hook": test + {{- if .Values.tests.cleanup }} + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + {{- end }} + "helm.sh/hook-weight": "7" +spec: + serviceAccountName: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-sa + automountServiceAccountToken: true + volumes: + - name: test-script + configMap: + name: {{ include "openvpn-chart.fullname" . }}-test-script + - name: data + persistentVolumeClaim: + claimName: {{ include "openvpn-chart.fullname" . }}-test + containers: + - name: tester + image: alpine/k8s:{{ $version.Major }}.{{ $version.Minor }}.{{ $version.Patch }} + volumeMounts: + - name: test-script + readOnly: true + mountPath: /get_config.sh + subPath: get_config.sh + - name: data + readOnly: false + mountPath: /data + command: + - bash + args: + - -e + - /get_config.sh + restartPolicy: Never + +--- +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "openvpn-chart.fullname" . }}-test-connection + labels: + {{- include "openvpn-chart.selectorLabels" . | nindent 4 }} + annotations: + "helm.sh/hook": test + {{- if .Values.tests.cleanup }} + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + {{- end }} + "helm.sh/hook-weight": "7" +spec: + serviceAccountName: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-sa + automountServiceAccountToken: true + volumes: + - name: data + persistentVolumeClaim: + claimName: {{ include "openvpn-chart.fullname" . }}-test + - name: test-script + configMap: + name: {{ include "openvpn-chart.fullname" . }}-test-script + containers: + - name: tester + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + volumeMounts: + - name: data + readOnly: false + mountPath: /data + - name: test-script + readOnly: true + mountPath: /test_connection.sh + subPath: test_connection.sh + command: + - bash + args: + - -e + - /test_connection.sh + securityContext: + capabilities: + add: + - NET_ADMIN + + restartPolicy: Never + +{{- end }} diff --git a/charts/openvpn/values.yaml b/charts/openvpn/values.yaml new file mode 100644 index 0000000..1b7d882 --- /dev/null +++ b/charts/openvpn/values.yaml @@ -0,0 +1,89 @@ +# Default values for openvpn-chart. +image: + repository: git.badhouseplants.net/allanger/container-openvpn + pullPolicy: Always + # ------------------------------------------- + # -- TODO: Switch to proper versions + # ------------------------------------------- + # tag: "" +# ----------------------------- +# -- Open VPN configuration +# ----------------------------- +openvpn: + proto: tcp + host: 127.0.0.1 + port: 1194 +# --------------------------------------- +# -- Deploy OpenVPN admin +# -- https://github.com/flant/ovpn-admin +# --------------------------------------- +openvpn_admin: + enabled: true +# ----------------------------- +# -- Easy RSA configuration +# ----------------------------- +easyrsa: + cn: . # -- EASYRSA_REQ_CN + country: . # -- EASYRSA_REQ_COUNTRY + province: . # -- EASYRSA_REQ_PROVINCE + city: . # -- EASYRSA_REQ_CITY + org: . # -- EASYRSA_REQ_ORG + email: . # -- EASYRSA_REQ_EMAIL + ou: Community # -- EASYRSA_REQ_OU + algo: ec # -- EASYRSA_ALGO + digest: sha512 # -- EASYRSA_DIGEST +replicaCount: 1 +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" +storage: + class: "" + size: 1Gi +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" +podAnnotations: {} +podSecurityContext: {} +# fsGroup: 2000 + +securityContext: {} +# capabilities: +# drop: +# - ALL +# readOnlyRootFilesystem: true +# runAsNonRoot: true +# runAsUser: 1000 + +service: + type: ClusterIP + port: 1194 + protocol: TCP +resources: {} +# We usually recommend not to specify default resources and to leave this as a conscious +# choice for the user. This also increases chances charts run on environments with little +# resources, such as Minikube. If you do want to specify resources, uncomment the following +# lines, adjust them as necessary, and remove the curly braces after 'resources:'. +# limits: +# cpu: 100m +# memory: 128Mi +# requests: +# cpu: 100m +# memory: 128Mi + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 +nodeSelector: {} +tolerations: [] +affinity: {} +tests: + enabled: false + cleanup: true diff --git a/charts/vaultwarden/.helmignore b/charts/vaultwarden/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/charts/vaultwarden/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/vaultwarden/Chart.yaml b/charts/vaultwarden/Chart.yaml new file mode 100644 index 0000000..c265afe --- /dev/null +++ b/charts/vaultwarden/Chart.yaml @@ -0,0 +1,17 @@ +apiVersion: v2 +name: vaultwarden +description: Unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs +type: application +version: 1.2.0 +appVersion: 1.30.5 +maintainers: + - name: allanger + email: allanger@zohomail.com + url: https://badhouseplants.net +sources: + - https://github.com/dani-garcia/vaultwarden/tree/main +keywords: + - vaultwarden + - bitwarden + - bitwarden_rs +home: https://github.com/dani-garcia/vaultwarden/tree/main diff --git a/charts/vaultwarden/templates/NOTES.txt b/charts/vaultwarden/templates/NOTES.txt new file mode 100644 index 0000000..4dd323d --- /dev/null +++ b/charts/vaultwarden/templates/NOTES.txt @@ -0,0 +1,22 @@ +1. Get the application URL by running these commands: +{{- if .Values.ingress.enabled }} +{{- range $host := .Values.ingress.hosts }} + {{- range .paths }} + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} + {{- end }} +{{- end }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "vaultwarden.fullname" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "vaultwarden.fullname" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "vaultwarden.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "vaultwarden.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") + export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT +{{- end }} diff --git a/charts/vaultwarden/templates/_helpers.tpl b/charts/vaultwarden/templates/_helpers.tpl new file mode 100644 index 0000000..fce649b --- /dev/null +++ b/charts/vaultwarden/templates/_helpers.tpl @@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "vaultwarden.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "vaultwarden.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "vaultwarden.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "vaultwarden.labels" -}} +helm.sh/chart: {{ include "vaultwarden.chart" . }} +{{ include "vaultwarden.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "vaultwarden.selectorLabels" -}} +app.kubernetes.io/name: {{ include "vaultwarden.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "vaultwarden.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "vaultwarden.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} diff --git a/charts/vaultwarden/templates/configmap.yaml b/charts/vaultwarden/templates/configmap.yaml new file mode 100644 index 0000000..079aa18 --- /dev/null +++ b/charts/vaultwarden/templates/configmap.yaml @@ -0,0 +1,46 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "vaultwarden.fullname" . }} + labels: + {{- include "vaultwarden.labels" . | nindent 4 }} +data: + DOMAIN: {{ .Values.vaultwarden.domain | quote }} + {{- if and .Values.vaultwarden.smtp.host .Values.vaultwarden.smtp.from | quote }} + SMTP_HOST: {{ .Values.vaultwarden.smtp.host | quote }} + SMTP_SECURITY: {{ .Values.vaultwarden.smtp.security | quote }} + SMTP_PORT: {{ .Values.vaultwarden.smtp.port | quote }} + {{- if .Values.vaultwarden.smtp.authMechanism }} + SMTP_AUTH_MECHANISM: {{ .Values.vaultwarden.smtp.authMechanism | quote }} + {{- end }} + SMTP_FROM: {{ .Values.vaultwarden.smtp.from | quote }} + SMTP_FROM_NAME: {{ default "Vaultwarden" .Values.vaultwarden.smtp.fromName | quote }} + SMTP_DEBUG: {{ .Values.vaultwarden.smtp.debug | quote }} + SMTP_ACCEPT_INVALID_HOSTNAMES: {{ .Values.vaultwarden.smtp.acceptInvalidHostnames | quote }} + SMTP_ACCEPT_INVALID_CERTS: {{ .Values.vaultwarden.smtp.acceptInvalidCerts | quote }} + SMTP_USERNAME: {{ .Values.vaultwarden.smtp.username | quote }} + {{- end }} + {{- if .Values.vaultwarden.websocket.enabled }} + WEBSOCKET_ENABLED: "true" + WEBSOCKET_ADDRESS: {{ .Values.vaultwarden.websocket.address | quote }} + WEBSOCKET_PORT: {{ .Values.vaultwarden.websocket.port | quote }} + {{- end }} + DATA_FOLDER: {{ .Values.vaultwarden.storage.dataDir | quote }} + ROCKET_PORT: {{ .Values.vaultwarden.rocket.port | quote }} + ROCKET_WORKERS: {{ .Values.vaultwarden.rocket.workers | quote }} + SHOW_PASSWORD_HINT: {{ .Values.vaultwarden.showPassHint | quote }} + SIGNUPS_ALLOWED: {{ .Values.vaultwarden.signupsAllowed | quote }} + INVITATIONS_ALLOWED: {{ .Values.vaultwarden.invitationsAllowed | quote }} + SIGNUPS_DOMAINS_WHITELIST: {{ .Values.vaultwarden.signupDomains | quote }} + SIGNUPS_VERIFY: {{ .Values.vaultwarden.signupsVerify | quote }} + WEB_VAULT_ENABLED: {{ .Values.vaultwarden.webVaultEnabled | quote }} + {{- if .Values.vaultwarden.logging.enabled }} + LOG_FILE: {{ .Values.vaultwarden.logging.logfile | quote }} + LOG_LEVEL: {{ .Values.vaultwarden.logging.loglevel | quote }} + {{- end }} + DB_CONNECTION_RETRIES: {{ .Values.vaultwarden.database.connectionRetries | quote }} + DATABASE_MAX_CONNS: {{ .Values.vaultwarden.database.maxConnections | quote }} + # ------------------------------------------------------------------- + ORG_GROUPS_ENABLED: {{ .Values.vaultwarden.organizations.enabled | quote }} + ORG_EVENTS_ENABLED: {{ .Values.vaultwarden.organizations.orgEvents | quote }} + ORG_CREATION_USERS: {{ .Values.vaultwarden.organizations.crationUsers | quote }} diff --git a/charts/vaultwarden/templates/deployment.yaml b/charts/vaultwarden/templates/deployment.yaml new file mode 100644 index 0000000..9eca719 --- /dev/null +++ b/charts/vaultwarden/templates/deployment.yaml @@ -0,0 +1,96 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "vaultwarden.fullname" . }} + labels: + {{- include "vaultwarden.labels" . | nindent 4 }} +spec: + replicas: 1 + selector: + matchLabels: + {{- include "vaultwarden.selectorLabels" . | nindent 6 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }} + {{- end }} + labels: + {{- include "vaultwarden.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- if .Values.vaultwarden.storage.enabled }} + volumes: + - name: data + persistentVolumeClaim: + claimName: {{ include "vaultwarden.fullname" . }} + {{- end }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: {{ .Values.service.port }} + protocol: TCP + livenessProbe: + exec: + command: + - sh + - /healthcheck.sh + readinessProbe: + exec: + command: + - sh + - /healthcheck.sh + resources: + {{- toYaml .Values.resources | nindent 12 }} + envFrom: + - configMapRef: + name: {{ include "vaultwarden.fullname" . }} + env: + {{- if or (.Values.vaultwarden.smtp.password.value) (.Values.vaultwarden.smtp.password.existingSecretKey )}} + - name: SMTP_PASSWORD + valueFrom: + secretKeyRef: + name: {{ .Values.vaultwarden.smtp.password.existingSecret | default ( printf "%s-smtp" ( include "vaultwarden.fullname" . )) }} + key: {{ default "SMTP_PASSWORD" .Values.vaultwarden.smtp.password.existingSecretKey }} + {{- end }} + - name: ADMIN_TOKEN + valueFrom: + secretKeyRef: + name: {{ .Values.vaultwarden.adminToken.existingSecret | default ( printf "%s-admin-token" ( include "vaultwarden.fullname" . )) }} + key: {{ default "ADMIN_TOKEN" .Values.vaultwarden.adminToken.existingSecretKey }} + {{- if ne "default" .Values.vaultwarden.database.type }} + - name: DATABASE_URL + valueFrom: + secretKeyRef: + name: {{ .Values.vaultwarden.database.existingSecret | default ( printf "%s-db-creds" ( include "vaultwarden.fullname" . )) }} + key: {{ default "DATABASE_URL" .Values.vaultwarden.database.existingSecretKey }} + {{- end }} + {{- if .Values.vaultwarden.storage.enabled }} + volumeMounts: + - mountPath: {{ .Values.vaultwarden.storage.dataDir }} + name: data + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/vaultwarden/templates/ingress.yaml b/charts/vaultwarden/templates/ingress.yaml new file mode 100644 index 0000000..d12ebf3 --- /dev/null +++ b/charts/vaultwarden/templates/ingress.yaml @@ -0,0 +1,61 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "vaultwarden.fullname" . -}} +{{- $svcPort := .Values.service.port -}} +{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} + {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} + {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} + {{- end }} +{{- end }} +{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1 +{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1beta1 +{{- else -}} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "vaultwarden.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} + ingressClassName: {{ .Values.ingress.className }} + {{- end }} + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} + pathType: {{ .pathType }} + {{- end }} + backend: + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + service: + name: {{ $fullName }} + port: + number: {{ $svcPort }} + {{- else }} + serviceName: {{ $fullName }} + servicePort: {{ $svcPort }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/vaultwarden/templates/pvc.yaml b/charts/vaultwarden/templates/pvc.yaml new file mode 100644 index 0000000..f5463e7 --- /dev/null +++ b/charts/vaultwarden/templates/pvc.yaml @@ -0,0 +1,15 @@ +{{- if .Values.vaultwarden.storage.enabled }} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ include "vaultwarden.fullname" . }} + labels: + {{- include "vaultwarden.labels" . | nindent 4 }} +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.vaultwarden.storage.size }} + storageClassName: {{ .Values.vaultwarden.storage.class }} +{{- end }} diff --git a/charts/vaultwarden/templates/secret.yaml b/charts/vaultwarden/templates/secret.yaml new file mode 100644 index 0000000..6b88f00 --- /dev/null +++ b/charts/vaultwarden/templates/secret.yaml @@ -0,0 +1,38 @@ +{{- if not .Values.vaultwarden.adminToken.existingSecret }} +--- +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + name: {{ include "vaultwarden.fullname" . }}-admin-token + labels: + {{- include "vaultwarden.labels" . | nindent 4 }} +data: + ADMIN_TOKEN: {{ .Values.vaultwarden.adminToken.value | b64enc | quote }} +{{- end }} + +{{- if not .Values.vaultwarden.database.existingSecret }} +--- +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + name: {{ include "vaultwarden.fullname" . }}-db-creds + labels: + {{- include "vaultwarden.labels" . | nindent 4 }} +data: + DATABASE_URL: {{ .Values.vaultwarden.database.connectionString | b64enc | quote }} +{{- end }} + +{{- if not .Values.vaultwarden.smtp.password.existingSecret }} +--- +apiVersion: v1 +kind: Secret +type: Opaque +metadata: + name: {{ include "vaultwarden.fullname" . }}-smtp + labels: + {{- include "vaultwarden.labels" . | nindent 4 }} +data: + SMTP_PASSWORD: {{ .Values.vaultwarden.smtp.password.value | b64enc | quote }} +{{- end }} diff --git a/charts/vaultwarden/templates/service.yaml b/charts/vaultwarden/templates/service.yaml new file mode 100644 index 0000000..1f21b2c --- /dev/null +++ b/charts/vaultwarden/templates/service.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "vaultwarden.fullname" . }} + labels: + {{- include "vaultwarden.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "vaultwarden.selectorLabels" . | nindent 4 }} diff --git a/charts/vaultwarden/values.yaml b/charts/vaultwarden/values.yaml new file mode 100644 index 0000000..7ed6839 --- /dev/null +++ b/charts/vaultwarden/values.yaml @@ -0,0 +1,106 @@ +image: + repository: registry.hub.docker.com/vaultwarden/server + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "" +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" +podAnnotations: {} +podSecurityContext: {} +# fsGroup: 2000 + +securityContext: {} +# capabilities: +# drop: +# - ALL +# readOnlyRootFilesystem: true +# runAsNonRoot: true +# runAsUser: 1000 + +service: + type: ClusterIP + port: 8080 +ingress: + enabled: false + className: "" + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: chart-example.local + paths: + - path: / + pathType: ImplementationSpecific + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local +resources: {} +# We usually recommend not to specify default resources and to leave this as a conscious +# choice for the user. This also increases chances charts run on environments with little +# resources, such as Minikube. If you do want to specify resources, uncomment the following +# lines, adjust them as necessary, and remove the curly braces after 'resources:'. +# limits: +# cpu: 100m +# memory: 128Mi +# requests: +# cpu: 100m +# memory: 128Mi + +nodeSelector: {} +tolerations: [] +affinity: {} +vaultwarden: + smtp: + host: "" + security: "starttls" + port: 25 + from: vaultwarden@badhouseplants.net + fromName: vaultwarden + username: vaultwarden + password: + value: "VerySecurePassword" + existingSecret: "" + existingSecretKey: "" + authMechanism: "Plain" + acceptInvalidHostnames: "false" + acceptInvalidCerts: "false" + debug: false + adminToken: + existingSecret: "" + existingSecretKey: "" + value: "R@ndomToken$tring" + domain: "https://badhouseplants.vaultwarden.com" + websocket: + enabled: true + address: "0.0.0.0" + port: 3012 + rocket: + port: "8080" + workers: "10" + webVaultEnabled: "true" + signupsAllowed: true + invitationsAllowed: true + signupDomains: "https://badhouseplants.vaultwarden.com" + signupsVerify: "true" + showPassHint: "false" + database: + connectionString: "data/db.sqlite3" + existingSecret: "" + existingSecretKey: "" + connectionRetries: 15 + maxConnections: 10 + storage: + enabled: false + size: 1Gi + class: default + dataDir: /data + logging: + enabled: false + logfile: "/data/vaultwarden.log" + loglevel: "warn" + organizations: + enabled: false + orgEvents: false # -- ORG_GROUPS_ENABLED + crationUsers: "" # -- ORG_CREATION_USERS