hogweed1/k8s
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

new way of doin
Some checks failed
continuous-integration/drone/push Build is failing
Details

Browse Source
This commit is contained in:
root
2023-11-16 19:42:02 +10:00
parent 77ec717184
commit 1eaf295724
341 changed files with 19416 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
helm-charts/dashy/charts/common/templates/addons/vpn/_configmap.tpl Normal file
View File

@@ -0,0 +1,16 @@
{{/*
The VPN config and scripts to be included.
*/}}
{{- define "tc.v1.common.addon.vpn.configmap" -}}
enabled: true
data:
{{- with .Values.addons.vpn.scripts.up }}
up.sh: |-
{{- . | nindent 4 }}
{{- end -}}
{{- with .Values.addons.vpn.scripts.down }}
down.sh: |-
{{- . | nindent 4 }}
{{- end -}}
{{- end -}}

64
helm-charts/dashy/charts/common/templates/addons/vpn/_gluetunContainer.tpl Normal file
View File

@@ -0,0 +1,64 @@
{{/*
The gluetun sidecar container to be inserted.
*/}}
{{- define "tc.v1.common.addon.vpn.gluetun.container" -}}
enabled: true
imageSelector: gluetunImage
probes:
{{- if $.Values.addons.vpn.livenessProbe }}
liveness:
{{- toYaml . | nindent 2 }}
{{- else }}
liveness:
enabled: false
{{- end }}
readiness:
enabled: false
startup:
enabled: false
securityContext:
runAsUser: 0
runAsNonRoot: false
readOnlyRootFilesystem: false
runAsGroup: 568
capabilities:
add:
- NET_ADMIN
- NET_RAW
- MKNOD
- SYS_MODULE
env:
DNS_KEEP_NAMESERVER: "on"
DOT: "off"
{{- if $.Values.addons.vpn.killSwitch }}
{{- $excludednetworks := ( printf "%v,%v" $.Values.chartContext.podCIDR $.Values.chartContext.svcCIDR ) -}}
{{- range $.Values.addons.vpn.excludedNetworks_IPv4 -}}
{{- $excludednetworks = ( printf "%v,%v" $excludednetworks . ) -}}
{{- end }}
{{- range $.Values.addons.vpn.excludedNetworks_IPv6 -}}
{{- $excludednetworksv6 = ( printf "%v,%v" $excludednetworks . ) -}}
{{- end }}
FIREWALL: "on"
FIREWALL_OUTBOUND_SUBNETS: {{ $excludednetworks | quote }}
{{- else }}
FIREWALL: "off"
{{- end }}
{{- with $.Values.addons.vpn.env }}
{{- . | toYaml | nindent 2 }}
{{- end -}}
{{- range $envList := $.Values.addons.vpn.envList -}}
{{- if and $envList.name $envList.value }}
{{ $envList.name }}: {{ $envList.value | quote }}
{{- else -}}
{{- fail "Please specify name/value for VPN environment variable" -}}
{{- end -}}
{{- end -}}
{{- with $.Values.addons.vpn.args }}
args:
{{- . | toYaml | nindent 2 }}
{{- end }}
{{- end -}}

73
helm-charts/dashy/charts/common/templates/addons/vpn/_openvpnContainer.tpl Normal file
View File

@@ -0,0 +1,73 @@
{{/*
The gluetun sidecar container to be inserted.
*/}}
{{- define "tc.v1.common.addon.vpn.openvpn.container" -}}
enabled: true
imageSelector: openvpnImage
probes:
{{- if $.Values.addons.vpn.livenessProbe }}
liveness:
{{- toYaml . | nindent 2 }}
{{- else }}
liveness:
enabled: false
{{- end }}
readiness:
enabled: false
startup:
enabled: false
securityContext:
runAsUser: 0
runAsGroup: 0
capabilities:
add:
- NET_ADMIN
- NET_RAW
- MKNOD
- SYS_MODULE
env:
{{- with $.Values.addons.vpn.env }}
{{- . | toYaml | nindent 2 }}
{{- end }}
{{- if and $.Values.addons.vpn.openvpn.username $.Values.addons.vpn.openvpn.password }}
VPN_AUTH: {{ (printf "%v;%v" $.Values.addons.vpn.openvpn.username $.Values.addons.vpn.openvpn.password) }}
{{- end -}}
{{- if $.Values.addons.vpn.killSwitch }}
{{- $ipv4list := $.Values.addons.vpn.excludedNetworks_IPv4 }}
{{- if $.Values.chartContext.podCIDR }}
{{- $ipv4list = append $ipv4list $.Values.chartContext.podCIDR }}
{{- end }}
{{- if $.Values.chartContext.svcCIDR }}
{{- $ipv4list = append $ipv4list $.Values.chartContext.svcCIDR }}
{{- end }}
FIREWALL: "ON"
{{- range $index, $value := $ipv4list }}
ROUTE_{{ add $index 1 }}: {{ $value | quote }}
{{- end }}
{{- if $.Values.addons.vpn.excludedNetworks_IPv6 }}
{{- $excludednetworksv6 := "" -}}
{{- range $.Values.addons.vpn.excludedNetworks_IPv4 -}}
{{- $excludednetworksv6 = ( printf "%v;%v" $excludednetworksv6 . ) -}}
{{- end }}
{{- range $index, $value := $.Values.addons.vpn.excludedNetworks_IPv6 }}
ROUTE6_{{ add $index 1 }}: {{ $value | quote }}
{{- end }}
{{- end }}
{{- end -}}
{{- range $envList := $.Values.addons.vpn.envList -}}
{{- if and $envList.name $envList.value }}
{{ $envList.name }}: {{ $envList.value | quote }}
{{- else -}}
{{- fail "Please specify name/value for VPN environment variable" -}}
{{- end -}}
{{- end -}}
{{- with $.Values.addons.vpn.args }}
args:
{{- . | toYaml | nindent 2 }}
{{- end -}}
{{- end -}}

9
helm-charts/dashy/charts/common/templates/addons/vpn/_secret.tpl Normal file
View File

@@ -0,0 +1,9 @@
{{/*
The OpenVPN config secret to be included.
*/}}
{{- define "tc.v1.common.addon.vpn.secret" -}}
enabled: true
data:
vpn.conf: |-
{{- .Values.addons.vpn.config | nindent 4 }}
{{- end -}}

87
helm-charts/dashy/charts/common/templates/addons/vpn/_tailscaleContainer.tpl Normal file
View File

@@ -0,0 +1,87 @@
{{/*
The Tailscale sidecar container to be inserted.
*/}}
{{- define "tc.v1.common.addon.vpn.tailscale.container" -}}
enabled: true
imageSelector: "tailscaleImage"
probes:
{{- if $.Values.addons.vpn.livenessProbe }}
liveness:
{{- toYaml . | nindent 2 }}
{{- else }}
liveness:
enabled: false
{{- end }}
readiness:
enabled: false
startup:
enabled: false
command:
- /usr/local/bin/containerboot
securityContext:
{{- if $.Values.addons.vpn.tailscale.userspace }}
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: false
readOnlyRootFilesystem: true
{{- else }}
runAsUser: 0
runAsGroup: 0
runAsNonRoot: true
readOnlyRootFilesystem: false
{{- end }}
capabilities:
add:
- NET_ADMIN
- NET_RAW
{{/*
Set KUBE_SECRET to empty string to force tailscale
to use the filesystem for state tracking.
With secret for state tracking you can't always
know if the app that uses this sidecard will
use a custom ServiceAccount and will lead to falure.
*/}}
env:
TS_KUBE_SECRET: ""
TS_SOCKET: /var/run/tailscale/tailscaled.sock
TS_STATE_DIR: /var/lib/tailscale/state
TS_AUTH_ONCE: {{ $.Values.addons.vpn.tailscale.auth_once | quote }}
TS_USERSPACE: {{ $.Values.addons.vpn.tailscale.userspace | quote }}
TS_ACCEPT_DNS: {{ $.Values.addons.vpn.tailscale.accept_dns | quote }}
{{- with $.Values.addons.vpn.tailscale.outbound_http_proxy_listen }}
TS_OUTBOUND_HTTP_PROXY_LISTEN: {{ . }}
{{- end -}}
{{- with $.Values.addons.vpn.tailscale.routes }}
TS_ROUTES: {{ . }}
{{- end -}}
{{- with $.Values.addons.vpn.tailscale.dest_ip }}
TS_DEST_IP: {{ . }}
{{- end -}}
{{- with $.Values.addons.vpn.tailscale.sock5_server }}
TS_SOCKS5_SERVER: {{ . }}
{{- end -}}
{{- with $.Values.addons.vpn.tailscale.extra_args }}
TS_EXTRA_ARGS: {{ . | quote }}
{{- end -}}
{{- with $.Values.addons.vpn.tailscale.daemon_extra_args }}
TS_TAILSCALED_EXTRA_ARGS: {{ . | quote }}
{{- end -}}
{{- with $.Values.addons.vpn.tailscale.authkey }}
TS_AUTH_KEY: {{ . }}
{{- end }}
{{- range $envList := $.Values.addons.vpn.envList -}}
{{- if and $envList.name $envList.value }}
{{ $envList.name }}: {{ $envList.value | quote }}
{{- else -}}
{{- fail "Please specify name/value for VPN environment variable" -}}
{{- end -}}
{{- end -}}
{{- with $.Values.addons.vpn.env -}}
{{- range $k, $v := . }}
{{ $k }}: {{ $v | quote }}
{{- end -}}
{{- end }}
{{- end -}}

112
helm-charts/dashy/charts/common/templates/addons/vpn/_volume.tpl Normal file
View File

@@ -0,0 +1,112 @@
{{/*
The volume (referencing VPN scripts) to be inserted into persistence.
*/}}
{{- define "tc.v1.common.addon.vpn.volume.scripts" -}}
{{- $basePath := (include "tc.v1.common.addon.vpn.volume.basePath" .) }}
enabled: true
type: configmap
objectName: vpnscripts
expandObjectName: false
defaultMode: "0777"
items:
{{- if .Values.addons.vpn.scripts.up }}
- key: up.sh
path: up.sh
{{- end -}}
{{- if .Values.addons.vpn.scripts.down }}
- key: down.sh
path: down.sh
{{- end }}
targetSelector:
{{- range .Values.addons.vpn.targetSelector }}
{{ . }}:
vpn:
mountPath: {{ $basePath }}
{{- end -}}
{{- end -}}
{{/*
The volume (referencing VPN config) to be inserted into persistence.
*/}}
{{- define "tc.v1.common.addon.vpn.volume.config" -}}
{{- $basePath := (include "tc.v1.common.addon.vpn.volume.basePath" .) }}
{{- $mountPath := $basePath }}
enabled: true
{{- if or .Values.addons.vpn.config .Values.addons.vpn.existingSecret }}
type: secret
defaultMode: "0777"
items:
- key: vpn.conf
path: vpn.conf
{{- if .Values.addons.vpn.existingSecret }}
objectName: {{ .Values.addons.vpn.existingSecret }}
expandObjectName: false
{{- else }}
objectName: vpnconfig
expandObjectName: true
{{- end -}}
{{- else }}
{{- $mountPath = (printf "%s/vpn.conf" $basePath) }}
type: hostPath
hostPath: {{ .Values.addons.vpn.configFile | default "/vpn" }}
hostPathType: "File"
autoPermissions:
enabled: true
chown: true
user: 568
group: 568
{{- end }}
targetSelector:
{{- range .Values.addons.vpn.targetSelector }}
{{ . }}:
vpn:
mountPath: {{ $mountPath }}
{{- end -}}
{{- end -}}
{{/*
The volume (referencing VPN config folder) to be inserted into persistence.
*/}}
{{- define "tc.v1.common.addon.vpn.volume.folder" -}}
{{- $basePath := (include "tc.v1.common.addon.vpn.volume.basePath" .) }}
enabled: true
type: hostPath
hostPath: {{ .Values.addons.vpn.configFolder | quote }}
autoPermissions:
enabled: true
chown: true
user: 568
group: 568
targetSelector:
{{- range .Values.addons.vpn.targetSelector }}
{{ . }}:
vpn:
mountPath: {{ $basePath }}
{{- end -}}
{{- end -}}
{{/*
The empty tailscale folder
*/}}
{{- define "tc.v1.common.addon.vpn.volume.tailscale" -}}
enabled: true
type: emptyDir
targetSelector:
{{- range .Values.addons.vpn.targetSelector }}
{{ . }}:
tailscale:
mountPath: /var/lib/tailscale
{{- end -}}
{{- end -}}
{{- define "tc.v1.common.addon.vpn.volume.basePath" -}}
{{- $basePath := "/vpn" -}} {{/* Base Path for OVPN */}}
{{- if eq .Values.addons.vpn.type "wireguard" -}}
{{- $basePath = "/etc/wireguard" -}} {{/* Base Path for Wireguard */}}
{{- else if eq .Values.addons.vpn.type "gluetun" -}}
{{- $basePath = "/gluetun" -}} {{/* Base Path for Gluetun */}}
{{- end -}}
{{- $basePath -}}
{{- end -}}

94
helm-charts/dashy/charts/common/templates/addons/vpn/_vpn.tpl Normal file
View File

@@ -0,0 +1,94 @@
{{/*
Template to render VPN addon
It will include / inject the required templates based on the given values.
*/}}
{{- define "tc.v1.common.addon.vpn" -}}
{{- if ne "disabled" .Values.addons.vpn.type -}}
{{- if .Values.addons.vpn.config -}}
{{/* Append the vpn config secret to the secrets */}}
{{- $secret := include "tc.v1.common.addon.vpn.secret" . | fromYaml -}}
{{- if $secret -}}
{{- $_ := set .Values.secret "vpnconfig" $secret -}}
{{- end -}}
{{- end }}
{{- if or .Values.addons.vpn.scripts.up .Values.addons.vpn.scripts.down -}}
{{/* Append the vpn up/down scripts to the configmaps */}}
{{- $configmap := include "tc.v1.common.addon.vpn.configmap" . | fromYaml -}}
{{- if $configmap -}}
{{- $_ := set .Values.configmap "vpnscripts" $configmap -}}
{{- end -}}
{{- end }}
{{- if or .Values.addons.vpn.configFile .Values.addons.vpn.config .Values.addons.vpn.existingSecret -}}
{{/* Append the vpn config to the persistence */}}
{{- $configper := include "tc.v1.common.addon.vpn.volume.config" . | fromYaml -}}
{{- if $configper -}}
{{- $_ := set .Values.persistence "vpnconfig" $configper -}}
{{- end -}}
{{- end -}}
{{- if or .Values.addons.vpn.scripts.up .Values.addons.vpn.scripts.down -}}
{{/* Append the vpn scripts to the persistence */}}
{{- $scriptsper := include "tc.v1.common.addon.vpn.volume.scripts" . | fromYaml -}}
{{- if $scriptsper -}}
{{- $_ := set .Values.persistence "vpnscripts" $scriptsper -}}
{{- end -}}
{{- end -}}
{{- if .Values.addons.vpn.configFolder -}}
{{/* Append the vpn folder to the persistence */}}
{{- $folderper := include "tc.v1.common.addon.vpn.volume.folder" . | fromYaml -}}
{{- if $folderper -}}
{{- $_ := set .Values.persistence "vpnfolder" $folderper -}}
{{- end -}}
{{- end -}}
{{/* Ensure target Selector defaults to main pod even if unset */}}
{{- $targetSelector := list "main" -}}
{{- if $.Values.addons.codeserver.targetSelector -}}
{{- $targetSelector = $.Values.addons.codeserver.targetSelector -}}
{{- end -}}
{{/* Append the vpn container to the containers */}}
{{- range $targetSelector -}}
{{- if eq "gluetun" $.Values.addons.vpn.type -}}
{{- $container := include "tc.v1.common.addon.vpn.gluetun.container" $ | fromYaml -}}
{{- if $container -}}
{{- $workload := get $.Values.workload . -}}
{{- $_ := set $workload.podSpec.containers "vpn" $container -}}
{{- end -}}
{{- else if eq "tailscale" $.Values.addons.vpn.type -}}
{{/* FIXME: https://github.com/tailscale/tailscale/issues/8188 */}}
{{- $_ := set $.Values.podOptions "automountServiceAccountToken" true -}}
{{- $container := include "tc.v1.common.addon.vpn.tailscale.container" $ | fromYaml -}}
{{- if $container -}}
{{- $workload := get $.Values.workload . -}}
{{- $_ := set $workload.podSpec.containers "tailscale" $container -}}
{{- end -}}
{{- else if eq "openvpn" $.Values.addons.vpn.type -}}
{{- $container := include "tc.v1.common.addon.vpn.openvpn.container" $ | fromYaml -}}
{{- if $container -}}
{{- $workload := get $.Values.workload . -}}
{{- $_ := set $workload.podSpec.containers "vpn" $container -}}
{{- end -}}
{{- else if eq "wireguard" $.Values.addons.vpn.type -}}
{{- $container := include "tc.v1.common.addon.vpn.wireguard.container" $ | fromYaml -}}
{{- if $container -}}
{{- $workload := get $.Values.workload . -}}
{{- $_ := set $workload.podSpec.containers "vpn" $container -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if eq "tailscale" $.Values.addons.vpn.type -}}
{{/* Append the empty tailscale folder to the persistence */}}
{{- $tailscaledir := include "tc.v1.common.addon.vpn.volume.tailscale" . | fromYaml -}}
{{- if $tailscaledir -}}
{{- $_ := set .Values.persistence "tailscalestate" $tailscaledir -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}

66
helm-charts/dashy/charts/common/templates/addons/vpn/_wireguardContainer.tpl Normal file
View File

@@ -0,0 +1,66 @@
{{/*
The gluetun sidecar container to be inserted.
*/}}
{{- define "tc.v1.common.addon.vpn.wireguard.container" -}}
enabled: true
imageSelector: wireguardImage
probes:
{{- if $.Values.addons.vpn.livenessProbe }}
liveness:
{{- toYaml . | nindent 2 }}
{{- else }}
liveness:
enabled: false
{{- end }}
readiness:
enabled: false
startup:
enabled: false
securityContext:
runAsUser: 568
runAsGroup: 568
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
capabilities:
add:
- AUDIT_WRITE
- NET_ADMIN
- SETUID
- SETGID
- SYS_MODULE
env:
{{- with $.Values.addons.vpn.env }}
{{- . | toYaml | nindent 2 }}
{{- end }}
SEPARATOR: ";"
IPTABLES_BACKEND: "nft"
{{- if $.Values.addons.vpn.killSwitch }}
KILLSWITCH: "true"
{{- $excludednetworksv4 := ( printf "%v;%v" $.Values.chartContext.podCIDR $.Values.chartContext.svcCIDR ) -}}
{{- range $.Values.addons.vpn.excludedNetworks_IPv4 -}}
{{- $excludednetworksv4 = ( printf "%v;%v" $excludednetworksv4 . ) -}}
{{- end }}
KILLSWITCH_EXCLUDEDNETWORKS_IPV4: {{ $excludednetworksv4 | quote }}
{{- if $.Values.addons.vpn.excludedNetworks_IPv6 -}}
{{- $excludednetworksv6 := "" -}}
{{- range $.Values.addons.vpn.excludedNetworks_IPv4 -}}
{{- $excludednetworksv6 = ( printf "%v;%v" $excludednetworksv6 . ) -}}
{{- end }}
KILLSWITCH_EXCLUDEDNETWORKS_IPV6: {{ $.Values.addons.vpn.excludedNetworks_IPv6 | quote }}
{{- end -}}
{{- end -}}
{{- range $envList := $.Values.addons.vpn.envList -}}
{{- if and $envList.name $envList.value }}
{{ $envList.name }}: {{ $envList.value | quote }}
{{- else -}}
{{- fail "Please specify name/value for VPN environment variable" -}}
{{- end -}}
{{- end -}}
{{- with $.Values.addons.vpn.args }}
args:
{{- . | toYaml | nindent 2 }}
{{- end -}}
{{- end -}}