new way of doin

2023-11-16 19:42:02 +10:00
parent 77ec717184
commit 1eaf295724
341 changed files with 19416 additions and 0 deletions
--- a/helm-charts/dashy/charts/common/templates/addons/code-server/_codeserver.tpl
+++ b/helm-charts/dashy/charts/common/templates/addons/code-server/_codeserver.tpl
@@ -0,0 +1,53 @@
+{{/*
+Template to render code-server addon
+It will include / inject the required templates based on the given values.
+*/}}
+{{- define "tc.v1.common.addon.codeserver" -}}
+{{- $targetSelector := "main" -}}
+{{- if $.Values.addons.codeserver.targetSelector -}}
+  {{- $targetSelector = $.Values.addons.codeserver.targetSelector -}}
+{{- end -}}
+{{- if .Values.addons.codeserver.enabled -}}
+  {{/* Append the code-server container to the workloads */}}
+  {{- $container := include "tc.v1.common.addon.codeserver.container" . | fromYaml -}}
+  {{- if $container -}}
+    {{- $workload := get $.Values.workload $targetSelector -}}
+    {{- $_ := set $workload.podSpec.containers "codeserver" $container -}}
+  {{- end -}}
+
+  {{- $hasPrimaryService := false -}}
+  {{- range $svcName, $svcValues := .Values.service -}}
+    {{- if $svcValues.enabled -}}
+      {{- if $svcValues.primary -}}
+        {{- $hasPrimaryService = true -}}
+      {{- end -}}
+    {{- end -}}
+  {{- end -}}
+
+  {{/* Add the code-server service */}}
+  {{- if .Values.addons.codeserver.service.enabled -}}
+    {{- $serviceValues := .Values.addons.codeserver.service -}}
+    {{- $_ := set $serviceValues "targetSelector" $targetSelector -}}
+    {{- if not $hasPrimaryService -}}
+      {{- $_ := set $serviceValues "primary" true -}}
+    {{- end -}}
+    {{- $_ := set .Values.service "codeserver" $serviceValues -}}
+  {{- end -}}
+
+  {{/* Add the code-server ingress */}}
+  {{- if .Values.addons.codeserver.ingress.enabled -}}
+    {{- $ingressValues := .Values.addons.codeserver.ingress -}}
+    {{- $_ := set $ingressValues "nameOverride" "codeserver" -}}
+
+    {{/* Determine the target service name & port */}}
+    {{- $svcName := printf "%v-codeserver" (include "tc.v1.common.names.fullname" .) -}}
+    {{- $svcPort := .Values.addons.codeserver.service.ports.codeserver.port -}}
+    {{- range $_, $host := $ingressValues.hosts -}}
+      {{- $_ := set (index $host.paths 0) "service" (dict "name" $svcName "port" $svcPort) -}}
+    {{- end -}}
+    {{- $_ := set $ "ObjectValues" (dict "ingress" $ingressValues) -}}
+    {{- include "tc.v1.common.class.ingress" $ -}}
+    {{- $_ := unset $ "ObjectValues" -}}
+  {{- end -}}
+{{- end -}}
+{{- end -}}
--- a/helm-charts/dashy/charts/common/templates/addons/code-server/_container.tpl
+++ b/helm-charts/dashy/charts/common/templates/addons/code-server/_container.tpl
@@ -0,0 +1,46 @@
+{{/*
+The code-server sidecar container to be inserted.
+*/}}
+{{- define "tc.v1.common.addon.codeserver.container" -}}
+enabled: true
+probes:
+  liveness:
+    enabled: true
+    port: {{ .Values.addons.codeserver.service.ports.codeserver.port }}
+    path: "/"
+  readiness:
+    enabled: true
+    port: {{ .Values.addons.codeserver.service.ports.codeserver.port }}
+    path: "/"
+  startup:
+    enabled: true
+    port: {{ .Values.addons.codeserver.service.ports.codeserver.port }}
+    path: "/"
+imageSelector: "codeserverImage"
+imagePullPolicy: {{ .Values.codeserverImage.pullPolicy }}
+securityContext:
+  runAsUser: 0
+  runAsGroup: 0
+  runAsNonRoot: false
+  readOnlyRootFilesystem: false
+env:
+{{- range $envList := .Values.addons.codeserver.envList -}}
+  {{- if and $envList.name $envList.value }}
+  {{ $envList.name }}: {{ $envList.value | quote }}
+  {{- else }}
+    {{- fail "Please specify name/value for codeserver environment variable" -}}
+  {{- end -}}
+{{- end -}}
+{{- with .Values.addons.codeserver.env -}}
+{{- range $k, $v := . }}
+  {{ $k }}: {{ $v | quote }}
+{{- end -}}
+{{- end }}
+args:
+{{- range .Values.addons.codeserver.args }}
+- {{ . | quote }}
+{{- end }}
+- "--port"
+- "{{ .Values.addons.codeserver.service.ports.codeserver.port }}"
+- {{ .Values.addons.codeserver.workingDir | default "/" }}
+{{- end -}}
--- a/helm-charts/dashy/charts/common/templates/addons/netshoot/_container.tpl
+++ b/helm-charts/dashy/charts/common/templates/addons/netshoot/_container.tpl
@@ -0,0 +1,44 @@
+{{/*
+The code-server sidecar container to be inserted.
+*/}}
+{{- define "tc.v1.common.addon.netshoot.container" -}}
+enabled: true
+command:
+  - /bin/sh
+  - -c
+  - sleep infinity
+probes:
+  liveness:
+    enabled: false
+  readiness:
+    enabled: false
+  startup:
+    enabled: false
+imageSelector: "netshootImage"
+securityContext:
+  runAsUser: 0
+  runAsGroup: 0
+  runAsNonRoot: false
+  readOnlyRootFilesystem: false
+  capabilities:
+    add:
+      - NET_ADMIN
+      - NET_RAW
+env:
+{{- range $envList := $.Values.addons.netshoot.envList -}}
+  {{- if and $envList.name $envList.value }}
+  {{ $envList.name }}: {{ $envList.value | quote }}
+  {{- else }}
+    {{- fail "Please specify name/value for netshoot environment variable" -}}
+  {{- end -}}
+{{- end -}}
+{{- with $.Values.addons.netshoot.env -}}
+{{- range $k, $v := . }}
+  {{ $k }}: {{ $v | quote }}
+{{- end -}}
+{{- end }}
+args:
+{{- range $.Values.addons.netshoot.args }}
+- {{ . | quote }}
+{{- end }}
+{{- end -}}
--- a/helm-charts/dashy/charts/common/templates/addons/netshoot/_netshoot.tpl
+++ b/helm-charts/dashy/charts/common/templates/addons/netshoot/_netshoot.tpl
@@ -0,0 +1,15 @@
+{{/*
+Template to render code-server addon
+It will include / inject the required templates based on the given values.
+*/}}
+{{- define "tc.v1.common.addon.netshoot" -}}
+{{- $targetSelector := "main" -}}
+{{- if .Values.addons.netshoot.enabled -}}
+  {{/* Append the code-server container to the workloads */}}
+  {{- $container := include "tc.v1.common.addon.netshoot.container" . | fromYaml -}}
+  {{- if $container -}}
+    {{- $workload := get $.Values.workload $targetSelector -}}
+    {{- $_ := set $workload.podSpec.containers "netshoot" $container -}}
+  {{- end -}}
+{{- end -}}
+{{- end -}}
--- a/helm-charts/dashy/charts/common/templates/addons/vpn/_configmap.tpl
+++ b/helm-charts/dashy/charts/common/templates/addons/vpn/_configmap.tpl
@@ -0,0 +1,16 @@
+{{/*
+The VPN config and scripts to be included.
+*/}}
+{{- define "tc.v1.common.addon.vpn.configmap" -}}
+enabled: true
+data:
+{{- with .Values.addons.vpn.scripts.up }}
+  up.sh: |-
+    {{- . | nindent 4 }}
+{{- end -}}
+
+{{- with .Values.addons.vpn.scripts.down }}
+  down.sh: |-
+    {{- . | nindent 4 }}
+{{- end -}}
+{{- end -}}
--- a/helm-charts/dashy/charts/common/templates/addons/vpn/_gluetunContainer.tpl
+++ b/helm-charts/dashy/charts/common/templates/addons/vpn/_gluetunContainer.tpl
@@ -0,0 +1,64 @@
+{{/*
+The gluetun sidecar container to be inserted.
+*/}}
+{{- define "tc.v1.common.addon.vpn.gluetun.container" -}}
+enabled: true
+imageSelector: gluetunImage
+probes:
+{{- if $.Values.addons.vpn.livenessProbe }}
+  liveness:
+  {{- toYaml . | nindent 2 }}
+{{- else }}
+  liveness:
+    enabled: false
+{{- end }}
+  readiness:
+    enabled: false
+  startup:
+    enabled: false
+securityContext:
+  runAsUser: 0
+  runAsNonRoot: false
+  readOnlyRootFilesystem: false
+  runAsGroup: 568
+  capabilities:
+    add:
+      - NET_ADMIN
+      - NET_RAW
+      - MKNOD
+      - SYS_MODULE
+
+env:
+  DNS_KEEP_NAMESERVER: "on"
+  DOT: "off"
+{{- if $.Values.addons.vpn.killSwitch }}
+{{- $excludednetworks := ( printf "%v,%v" $.Values.chartContext.podCIDR $.Values.chartContext.svcCIDR ) -}}
+{{- range $.Values.addons.vpn.excludedNetworks_IPv4 -}}
+  {{- $excludednetworks = ( printf "%v,%v" $excludednetworks . ) -}}
+{{- end }}
+{{- range $.Values.addons.vpn.excludedNetworks_IPv6 -}}
+  {{- $excludednetworksv6 = ( printf "%v,%v" $excludednetworks . ) -}}
+{{- end }}
+  FIREWALL: "on"
+  FIREWALL_OUTBOUND_SUBNETS: {{ $excludednetworks | quote }}
+{{- else }}
+  FIREWALL: "off"
+{{- end }}
+
+{{- with $.Values.addons.vpn.env }}
+  {{- . | toYaml | nindent 2 }}
+{{- end -}}
+
+{{- range $envList := $.Values.addons.vpn.envList -}}
+  {{- if and $envList.name $envList.value }}
+  {{ $envList.name }}: {{ $envList.value | quote }}
+  {{- else -}}
+    {{- fail "Please specify name/value for VPN environment variable" -}}
+  {{- end -}}
+{{- end -}}
+
+{{- with $.Values.addons.vpn.args }}
+args:
+  {{- . | toYaml | nindent 2 }}
+{{- end }}
+{{- end -}}
--- a/helm-charts/dashy/charts/common/templates/addons/vpn/_openvpnContainer.tpl
+++ b/helm-charts/dashy/charts/common/templates/addons/vpn/_openvpnContainer.tpl
@@ -0,0 +1,73 @@
+{{/*
+The gluetun sidecar container to be inserted.
+*/}}
+{{- define "tc.v1.common.addon.vpn.openvpn.container" -}}
+enabled: true
+imageSelector: openvpnImage
+probes:
+{{- if $.Values.addons.vpn.livenessProbe }}
+  liveness:
+  {{- toYaml . | nindent 2 }}
+{{- else }}
+  liveness:
+    enabled: false
+{{- end }}
+  readiness:
+    enabled: false
+  startup:
+    enabled: false
+securityContext:
+  runAsUser: 0
+  runAsGroup: 0
+  capabilities:
+    add:
+      - NET_ADMIN
+      - NET_RAW
+      - MKNOD
+      - SYS_MODULE
+
+env:
+{{- with $.Values.addons.vpn.env }}
+  {{- . | toYaml | nindent 2 }}
+{{- end }}
+  {{- if and $.Values.addons.vpn.openvpn.username $.Values.addons.vpn.openvpn.password }}
+  VPN_AUTH: {{ (printf "%v;%v" $.Values.addons.vpn.openvpn.username $.Values.addons.vpn.openvpn.password) }}
+  {{- end -}}
+{{- if $.Values.addons.vpn.killSwitch }}
+{{- $ipv4list := $.Values.addons.vpn.excludedNetworks_IPv4 }}
+
+{{- if $.Values.chartContext.podCIDR }}
+{{- $ipv4list = append $ipv4list $.Values.chartContext.podCIDR }}
+{{- end }}
+{{- if $.Values.chartContext.svcCIDR }}
+{{- $ipv4list = append $ipv4list $.Values.chartContext.svcCIDR }}
+{{- end }}
+
+  FIREWALL: "ON"
+  {{- range $index, $value := $ipv4list }}
+  ROUTE_{{ add $index 1 }}: {{ $value | quote }}
+  {{- end }}
+{{- if $.Values.addons.vpn.excludedNetworks_IPv6 }}
+  {{- $excludednetworksv6 := "" -}}
+  {{- range $.Values.addons.vpn.excludedNetworks_IPv4 -}}
+    {{- $excludednetworksv6 = ( printf "%v;%v" $excludednetworksv6 . ) -}}
+  {{- end }}
+  {{- range $index, $value := $.Values.addons.vpn.excludedNetworks_IPv6 }}
+  ROUTE6_{{ add $index 1 }}: {{ $value | quote }}
+  {{- end }}
+{{- end }}
+{{- end -}}
+
+{{- range $envList := $.Values.addons.vpn.envList -}}
+  {{- if and $envList.name $envList.value }}
+  {{ $envList.name }}: {{ $envList.value | quote }}
+  {{- else -}}
+    {{- fail "Please specify name/value for VPN environment variable" -}}
+  {{- end -}}
+{{- end -}}
+
+{{- with $.Values.addons.vpn.args }}
+args:
+  {{- . | toYaml | nindent 2 }}
+{{- end -}}
+{{- end -}}
--- a/helm-charts/dashy/charts/common/templates/addons/vpn/_secret.tpl
+++ b/helm-charts/dashy/charts/common/templates/addons/vpn/_secret.tpl
@@ -0,0 +1,9 @@
+{{/*
+The OpenVPN config secret to be included.
+*/}}
+{{- define "tc.v1.common.addon.vpn.secret" -}}
+enabled: true
+data:
+  vpn.conf: |-
+    {{- .Values.addons.vpn.config | nindent 4 }}
+{{- end -}}
--- a/helm-charts/dashy/charts/common/templates/addons/vpn/_tailscaleContainer.tpl
+++ b/helm-charts/dashy/charts/common/templates/addons/vpn/_tailscaleContainer.tpl
@@ -0,0 +1,87 @@
+{{/*
+The Tailscale sidecar container to be inserted.
+*/}}
+{{- define "tc.v1.common.addon.vpn.tailscale.container" -}}
+enabled: true
+imageSelector: "tailscaleImage"
+probes:
+{{- if $.Values.addons.vpn.livenessProbe }}
+  liveness:
+  {{- toYaml . | nindent 2 }}
+{{- else }}
+  liveness:
+    enabled: false
+{{- end }}
+  readiness:
+    enabled: false
+  startup:
+    enabled: false
+command:
+  - /usr/local/bin/containerboot
+securityContext:
+  {{- if $.Values.addons.vpn.tailscale.userspace }}
+  runAsUser: 1000
+  runAsGroup: 1000
+  runAsNonRoot: false
+  readOnlyRootFilesystem: true
+  {{- else }}
+  runAsUser: 0
+  runAsGroup: 0
+  runAsNonRoot: true
+  readOnlyRootFilesystem: false
+  {{- end }}
+  capabilities:
+    add:
+      - NET_ADMIN
+      - NET_RAW
+
+{{/*
+Set KUBE_SECRET to empty string to force tailscale
+to use the filesystem for state tracking.
+With secret for state tracking you can't always
+know if the app that uses this sidecard will
+use a custom ServiceAccount and will lead to falure.
+*/}}
+env:
+  TS_KUBE_SECRET: ""
+  TS_SOCKET: /var/run/tailscale/tailscaled.sock
+  TS_STATE_DIR: /var/lib/tailscale/state
+  TS_AUTH_ONCE: {{ $.Values.addons.vpn.tailscale.auth_once | quote }}
+  TS_USERSPACE: {{ $.Values.addons.vpn.tailscale.userspace | quote }}
+  TS_ACCEPT_DNS: {{ $.Values.addons.vpn.tailscale.accept_dns | quote }}
+  {{- with $.Values.addons.vpn.tailscale.outbound_http_proxy_listen }}
+  TS_OUTBOUND_HTTP_PROXY_LISTEN: {{ . }}
+  {{- end -}}
+  {{- with $.Values.addons.vpn.tailscale.routes }}
+  TS_ROUTES: {{ . }}
+  {{- end -}}
+  {{- with $.Values.addons.vpn.tailscale.dest_ip }}
+  TS_DEST_IP: {{ . }}
+  {{- end -}}
+  {{- with $.Values.addons.vpn.tailscale.sock5_server }}
+  TS_SOCKS5_SERVER: {{ . }}
+  {{- end -}}
+  {{- with $.Values.addons.vpn.tailscale.extra_args }}
+  TS_EXTRA_ARGS: {{ . | quote }}
+  {{- end -}}
+  {{- with $.Values.addons.vpn.tailscale.daemon_extra_args }}
+  TS_TAILSCALED_EXTRA_ARGS: {{ . | quote }}
+  {{- end -}}
+  {{- with $.Values.addons.vpn.tailscale.authkey }}
+  TS_AUTH_KEY: {{ . }}
+  {{- end }}
+
+{{- range $envList := $.Values.addons.vpn.envList -}}
+  {{- if and $envList.name $envList.value }}
+  {{ $envList.name }}: {{ $envList.value | quote }}
+  {{- else -}}
+    {{- fail "Please specify name/value for VPN environment variable" -}}
+  {{- end -}}
+{{- end -}}
+
+{{- with $.Values.addons.vpn.env -}}
+  {{- range $k, $v := . }}
+  {{ $k }}: {{ $v | quote }}
+  {{- end -}}
+{{- end }}
+{{- end -}}
--- a/helm-charts/dashy/charts/common/templates/addons/vpn/_volume.tpl
+++ b/helm-charts/dashy/charts/common/templates/addons/vpn/_volume.tpl
@@ -0,0 +1,112 @@
+{{/*
+The volume (referencing VPN scripts) to be inserted into persistence.
+*/}}
+{{- define "tc.v1.common.addon.vpn.volume.scripts" -}}
+{{- $basePath := (include "tc.v1.common.addon.vpn.volume.basePath" .) }}
+enabled: true
+type: configmap
+objectName: vpnscripts
+expandObjectName: false
+defaultMode: "0777"
+items:
+{{- if .Values.addons.vpn.scripts.up }}
+- key: up.sh
+  path: up.sh
+{{- end -}}
+{{- if .Values.addons.vpn.scripts.down }}
+- key: down.sh
+  path: down.sh
+{{- end }}
+targetSelector:
+  {{- range .Values.addons.vpn.targetSelector }}
+  {{ . }}:
+    vpn:
+      mountPath: {{ $basePath }}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+The volume (referencing VPN config) to be inserted into persistence.
+*/}}
+{{- define "tc.v1.common.addon.vpn.volume.config" -}}
+{{- $basePath := (include "tc.v1.common.addon.vpn.volume.basePath" .) }}
+{{- $mountPath := $basePath }}
+
+enabled: true
+{{- if or .Values.addons.vpn.config .Values.addons.vpn.existingSecret }}
+type: secret
+defaultMode: "0777"
+items:
+  - key: vpn.conf
+    path: vpn.conf
+{{- if .Values.addons.vpn.existingSecret }}
+objectName: {{ .Values.addons.vpn.existingSecret }}
+expandObjectName: false
+{{- else }}
+objectName: vpnconfig
+expandObjectName: true
+{{- end -}}
+{{- else }}
+{{- $mountPath = (printf "%s/vpn.conf" $basePath) }}
+type: hostPath
+hostPath: {{ .Values.addons.vpn.configFile | default "/vpn" }}
+hostPathType: "File"
+autoPermissions:
+  enabled: true
+  chown: true
+  user: 568
+  group: 568
+{{- end }}
+targetSelector:
+  {{- range .Values.addons.vpn.targetSelector }}
+  {{ . }}:
+    vpn:
+      mountPath: {{ $mountPath }}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+The volume (referencing VPN config folder) to be inserted into persistence.
+*/}}
+{{- define "tc.v1.common.addon.vpn.volume.folder" -}}
+{{- $basePath := (include "tc.v1.common.addon.vpn.volume.basePath" .) }}
+enabled: true
+type: hostPath
+hostPath: {{ .Values.addons.vpn.configFolder | quote }}
+autoPermissions:
+  enabled: true
+  chown: true
+  user: 568
+  group: 568
+targetSelector:
+  {{- range .Values.addons.vpn.targetSelector }}
+  {{ . }}:
+    vpn:
+      mountPath: {{ $basePath }}
+  {{- end -}}
+{{- end -}}
+
+
+{{/*
+The empty tailscale folder
+*/}}
+{{- define "tc.v1.common.addon.vpn.volume.tailscale" -}}
+enabled: true
+type: emptyDir
+targetSelector:
+  {{- range .Values.addons.vpn.targetSelector }}
+  {{ . }}:
+    tailscale:
+      mountPath: /var/lib/tailscale
+  {{- end -}}
+{{- end -}}
+
+{{- define "tc.v1.common.addon.vpn.volume.basePath" -}}
+  {{- $basePath := "/vpn" -}} {{/* Base Path for OVPN */}}
+  {{- if eq .Values.addons.vpn.type "wireguard" -}}
+    {{- $basePath = "/etc/wireguard" -}} {{/* Base Path for Wireguard */}}
+  {{- else if eq .Values.addons.vpn.type "gluetun" -}}
+    {{- $basePath = "/gluetun" -}} {{/* Base Path for Gluetun */}}
+  {{- end -}}
+  {{- $basePath -}}
+{{- end -}}
--- a/helm-charts/dashy/charts/common/templates/addons/vpn/_vpn.tpl
+++ b/helm-charts/dashy/charts/common/templates/addons/vpn/_vpn.tpl
@@ -0,0 +1,94 @@
+{{/*
+Template to render VPN addon
+It will include / inject the required templates based on the given values.
+*/}}
+{{- define "tc.v1.common.addon.vpn" -}}
+{{- if ne "disabled" .Values.addons.vpn.type -}}
+
+  {{- if .Values.addons.vpn.config -}}
+    {{/* Append the vpn config secret to the secrets */}}
+    {{- $secret := include "tc.v1.common.addon.vpn.secret" . | fromYaml -}}
+    {{- if $secret -}}
+      {{- $_ := set .Values.secret "vpnconfig" $secret -}}
+    {{- end -}}
+  {{- end }}
+
+  {{- if or .Values.addons.vpn.scripts.up .Values.addons.vpn.scripts.down -}}
+    {{/* Append the vpn up/down scripts to the configmaps */}}
+    {{- $configmap := include "tc.v1.common.addon.vpn.configmap" . | fromYaml -}}
+    {{- if $configmap -}}
+      {{- $_ := set .Values.configmap "vpnscripts" $configmap -}}
+    {{- end -}}
+  {{- end }}
+
+  {{- if or .Values.addons.vpn.configFile .Values.addons.vpn.config .Values.addons.vpn.existingSecret -}}
+    {{/* Append the vpn config to the persistence */}}
+    {{- $configper := include "tc.v1.common.addon.vpn.volume.config" . | fromYaml -}}
+    {{- if $configper -}}
+      {{- $_ := set .Values.persistence "vpnconfig" $configper -}}
+    {{- end -}}
+  {{- end -}}
+
+  {{- if or .Values.addons.vpn.scripts.up .Values.addons.vpn.scripts.down -}}
+    {{/* Append the vpn scripts to the persistence */}}
+    {{- $scriptsper := include "tc.v1.common.addon.vpn.volume.scripts" . | fromYaml -}}
+    {{- if $scriptsper -}}
+      {{- $_ := set .Values.persistence "vpnscripts" $scriptsper -}}
+    {{- end -}}
+  {{- end -}}
+
+  {{- if .Values.addons.vpn.configFolder -}}
+    {{/* Append the vpn folder to the persistence */}}
+    {{- $folderper := include "tc.v1.common.addon.vpn.volume.folder" . | fromYaml -}}
+    {{- if $folderper -}}
+      {{- $_ := set .Values.persistence "vpnfolder" $folderper -}}
+    {{- end -}}
+  {{- end -}}
+
+  {{/* Ensure target Selector defaults to main pod even if unset */}}
+  {{- $targetSelector := list "main" -}}
+  {{- if $.Values.addons.codeserver.targetSelector -}}
+    {{- $targetSelector = $.Values.addons.codeserver.targetSelector -}}
+  {{- end -}}
+
+  {{/* Append the vpn container to the containers */}}
+  {{- range $targetSelector -}}
+    {{- if eq "gluetun" $.Values.addons.vpn.type -}}
+      {{- $container := include "tc.v1.common.addon.vpn.gluetun.container" $ | fromYaml -}}
+      {{- if $container -}}
+        {{- $workload := get $.Values.workload . -}}
+        {{- $_ := set $workload.podSpec.containers "vpn" $container -}}
+      {{- end -}}
+    {{- else if eq "tailscale" $.Values.addons.vpn.type -}}
+      {{/* FIXME: https://github.com/tailscale/tailscale/issues/8188 */}}
+      {{- $_ := set $.Values.podOptions "automountServiceAccountToken" true -}}
+      {{- $container := include "tc.v1.common.addon.vpn.tailscale.container" $ | fromYaml -}}
+      {{- if $container -}}
+        {{- $workload := get $.Values.workload . -}}
+        {{- $_ := set $workload.podSpec.containers "tailscale" $container -}}
+      {{- end -}}
+    {{- else if eq "openvpn" $.Values.addons.vpn.type -}}
+      {{- $container := include "tc.v1.common.addon.vpn.openvpn.container" $ | fromYaml -}}
+      {{- if $container -}}
+        {{- $workload := get $.Values.workload . -}}
+        {{- $_ := set $workload.podSpec.containers "vpn" $container -}}
+      {{- end -}}
+    {{- else if eq "wireguard" $.Values.addons.vpn.type -}}
+      {{- $container := include "tc.v1.common.addon.vpn.wireguard.container" $ | fromYaml -}}
+      {{- if $container -}}
+        {{- $workload := get $.Values.workload . -}}
+        {{- $_ := set $workload.podSpec.containers "vpn" $container -}}
+      {{- end -}}
+    {{- end -}}
+  {{- end -}}
+
+  {{- if eq "tailscale" $.Values.addons.vpn.type -}}
+    {{/* Append the empty tailscale folder to the persistence */}}
+    {{- $tailscaledir := include "tc.v1.common.addon.vpn.volume.tailscale" . | fromYaml -}}
+    {{- if $tailscaledir -}}
+      {{- $_ := set .Values.persistence "tailscalestate" $tailscaledir -}}
+    {{- end -}}
+  {{- end -}}
+
+{{- end -}}
+{{- end -}}
--- a/helm-charts/dashy/charts/common/templates/addons/vpn/_wireguardContainer.tpl
+++ b/helm-charts/dashy/charts/common/templates/addons/vpn/_wireguardContainer.tpl
@@ -0,0 +1,66 @@
+{{/*
+The gluetun sidecar container to be inserted.
+*/}}
+{{- define "tc.v1.common.addon.vpn.wireguard.container" -}}
+enabled: true
+imageSelector: wireguardImage
+probes:
+{{- if $.Values.addons.vpn.livenessProbe }}
+  liveness:
+  {{- toYaml . | nindent 2 }}
+{{- else }}
+  liveness:
+    enabled: false
+{{- end }}
+  readiness:
+    enabled: false
+  startup:
+    enabled: false
+securityContext:
+  runAsUser: 568
+  runAsGroup: 568
+  readOnlyRootFilesystem: false
+  allowPrivilegeEscalation: true
+  capabilities:
+    add:
+      - AUDIT_WRITE
+      - NET_ADMIN
+      - SETUID
+      - SETGID
+      - SYS_MODULE
+
+env:
+{{- with $.Values.addons.vpn.env }}
+  {{- . | toYaml | nindent 2 }}
+{{- end }}
+  SEPARATOR: ";"
+  IPTABLES_BACKEND: "nft"
+{{- if $.Values.addons.vpn.killSwitch }}
+  KILLSWITCH: "true"
+  {{- $excludednetworksv4 := ( printf "%v;%v" $.Values.chartContext.podCIDR $.Values.chartContext.svcCIDR ) -}}
+  {{- range $.Values.addons.vpn.excludedNetworks_IPv4 -}}
+    {{- $excludednetworksv4 = ( printf "%v;%v" $excludednetworksv4 . ) -}}
+  {{- end }}
+  KILLSWITCH_EXCLUDEDNETWORKS_IPV4: {{ $excludednetworksv4 | quote }}
+{{- if $.Values.addons.vpn.excludedNetworks_IPv6 -}}
+  {{- $excludednetworksv6 := "" -}}
+  {{- range $.Values.addons.vpn.excludedNetworks_IPv4 -}}
+    {{- $excludednetworksv6 = ( printf "%v;%v" $excludednetworksv6 . ) -}}
+  {{- end }}
+  KILLSWITCH_EXCLUDEDNETWORKS_IPV6: {{ $.Values.addons.vpn.excludedNetworks_IPv6 | quote }}
+{{- end -}}
+{{- end -}}
+
+{{- range $envList := $.Values.addons.vpn.envList -}}
+  {{- if and $envList.name $envList.value }}
+  {{ $envList.name }}: {{ $envList.value | quote }}
+  {{- else -}}
+    {{- fail "Please specify name/value for VPN environment variable" -}}
+  {{- end -}}
+{{- end -}}
+
+{{- with $.Values.addons.vpn.args }}
+args:
+  {{- . | toYaml | nindent 2 }}
+{{- end -}}
+{{- end -}}