From 047489d781d96bf4a45d794addff77d76fe2a3d6 Mon Sep 17 00:00:00 2001 
From: Angel Nunez Mencias Date: Thu, 3 Jun 2021 17:49:56 +0200 Subject: [PATCH] Rename chart since it includes gateway now (#931) --- .github/ct-install.yaml | 2 +- charts/stable/pod-gateway-setter/README.md | 168 ------------- .../pod-gateway-setter/templates/common.yaml | 40 --- charts/stable/pod-gateway-setter/values.yaml | 92 ------- .../.helmignore | 0 .../Chart.yaml | 10 +- charts/stable/pod-gateway/README.md | 197 +++++++++++++++ .../README.md.gotmpl | 0 .../README_CHANGELOG.md.gotmpl | 5 +- .../README_CONFIG.md.gotmpl | 15 +- .../templates/NOTES.txt | 0 .../stable/pod-gateway/templates/common.yaml | 22 ++ .../pod-gateway/templates/configmap.yaml | 14 ++ .../webhook-admissionregistration.yaml} | 10 +- .../pod-gateway/templates/webhook-common.yaml | 64 +++++ .../templates/webhook-deployment.yaml | 103 ++++++++ .../templates/webhook-pki.yaml} | 26 +- .../templates/webhook-service.yaml | 32 +++ charts/stable/pod-gateway/values.yaml | 227 ++++++++++++++++++ 19 files changed, 695 insertions(+), 332 deletions(-) delete mode 100644 charts/stable/pod-gateway-setter/README.md delete mode 100644 charts/stable/pod-gateway-setter/templates/common.yaml delete mode 100644 charts/stable/pod-gateway-setter/values.yaml rename charts/stable/{pod-gateway-setter => pod-gateway}/.helmignore (100%) rename charts/stable/{pod-gateway-setter => pod-gateway}/Chart.yaml (68%) create mode 100644 charts/stable/pod-gateway/README.md rename charts/stable/{pod-gateway-setter => pod-gateway}/README.md.gotmpl (100%) rename charts/stable/{pod-gateway-setter => pod-gateway}/README_CHANGELOG.md.gotmpl (83%) rename charts/stable/{pod-gateway-setter => pod-gateway}/README_CONFIG.md.gotmpl (61%) rename charts/stable/{pod-gateway-setter => pod-gateway}/templates/NOTES.txt (100%) create mode 100644 charts/stable/pod-gateway/templates/common.yaml create mode 100644 charts/stable/pod-gateway/templates/configmap.yaml rename charts/stable/{pod-gateway-setter/templates/admissionregistration.yaml => 
pod-gateway/templates/webhook-admissionregistration.yaml} (73%) create mode 100644 charts/stable/pod-gateway/templates/webhook-common.yaml create mode 100644 charts/stable/pod-gateway/templates/webhook-deployment.yaml rename charts/stable/{pod-gateway-setter/templates/pki.yaml => pod-gateway/templates/webhook-pki.yaml} (58%) create mode 100644 charts/stable/pod-gateway/templates/webhook-service.yaml create mode 100644 charts/stable/pod-gateway/values.yaml
diff --git a/.github/ct-install.yaml b/.github/ct-install.yaml
index c78f2db8..62cbf538 100644
--- a/.github/ct-install.yaml
+++ b/.github/ct-install.yaml
@@ -14,7 +14,7 @@ excluded-charts:
 - charts/stable/zalando-postgres-cluster
 - charts/stable/zigbee2mqtt
 - charts/stable/founderyvtt
-- charts/stable/pod-gateway-setter
+- charts/stable/pod-gateway
 chart-repos:
 - bitnami=https://charts.bitnami.com/bitnami
 - k8s-at-home-libraries=https://library-charts.k8s-at-home.com
diff --git a/charts/stable/pod-gateway-setter/README.md b/charts/stable/pod-gateway-setter/README.md
deleted file mode 100644
index 91fb0b35..00000000
--- a/charts/stable/pod-gateway-setter/README.md
+++ /dev/null
@@ -1,168 +0,0 @@ -# pod-gateway-setter - -![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) - -Admision controller to change the default gateway and DNS server of PODs - -**This chart is not maintained by the upstream project and any issues with the chart should be raised [here](https://github.com/k8s-at-home/charts/issues/new/choose)** - -## Source Code - -* - -## Requirements - -Kubernetes: `>=1.16.0-0` - -## Dependencies - -| Repository | Name | Version | -|------------|------|---------| -| https://library-charts.k8s-at-home.com | common | 2.5.0 | - -## TL;DR - -```console -helm repo add k8s-at-home https://k8s-at-home.com/charts/ -helm repo update -helm install pod-gateway-setter k8s-at-home/pod-gateway-setter -``` - -## Installing the Chart - -To install the chart with the release name `pod-gateway-setter` - -```console -helm install pod-gateway-setter k8s-at-home/pod-gateway-setter -``` - -## Uninstalling the Chart - -To uninstall the `pod-gateway-setter` deployment - -```console -helm uninstall pod-gateway-setter -``` - -The command removes all the Kubernetes components associated with the chart **including persistent volumes** and deletes the release. - -## Configuration - -Read through the [values.yaml](./values.yaml) file. It has several commented out suggested values. -Other values may be used from the [values.yaml](https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common/values.yaml) from the [common library](https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common). - -Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. 
- -```console -helm install pod-gateway-setter \ - --set env.TZ="America/New York" \ - k8s-at-home/pod-gateway-setter -``` - -Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. - -```console -helm install pod-gateway-setter k8s-at-home/pod-gateway-setter -f values.yaml -``` - -## Custom configuration - -You need to set `gateway` to the hostname or address of your gateway. Then -all PODs in namespaces with the matching label (`routed-gateway=true` by default) -will be processed by the webhook. - -The webhook by default changes all processed pods (remove `--setGatewayDefault` -if you want to change the default). You can also change the default for a -POD by adding a label or annotation (`setGateway` by default). - -Processed PODs will get their default gateway changed. DNS server will -also be set to the gateway (at least the option `--keepDNS` is used). - -Multiple instances of this chart might be installed that use different label -values. This is usufull, for example, to route multiple pod groups, each with -a different gateway. - -**IMPORTANT**: Do not deploy this chart to a namespace controlled by this -webhook. This would result in a likelly deathlock when upgrading the chart. - -**NOTE**: This char requires the cert-manager CRD to generate the required -certificates. 
- -## Values - -**Important**: When deploying an application Helm chart you can add more values from our common library chart [here](https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common) - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| additionalVolumeMounts[0].mountPath | string | `"/tls"` | | -| additionalVolumeMounts[0].name | string | `"certs"` | | -| additionalVolumeMounts[0].readOnly | bool | `true` | | -| args[0] | string | `"--tls-cert-file-path=/tls/tls.crt"` | | -| args[1] | string | `"--tls-key-file-path=/tls/tls.key"` | | -| args[2] | string | `"--setGatewayDefault"` | | -| args[3] | string | `"--setGatewayLabel=setGateway"` | | -| args[4] | string | `"--setGatewayAnnotation=setGateway"` | | -| gateway | string | `"10.0.2.7"` | Gateway to route traffic to. Can be an hostname or an IP | -| image.pullPolicy | string | `"IfNotPresent"` | | -| image.repository | string | `"ghcr.io/k8s-at-home/gateway-admision-controller"` | | -| image.tag | string | `"v2.0.0"` | | -| ingress.enabled | bool | `false` | | -| namespaceSelector | object | `{"matchLabels":{"routed-gateway":"true"}}` | Selector for namespace. 
All pods in this namespace will get their default gateway changed | -| probes.liveness.custom | bool | `true` | | -| probes.liveness.enabled | bool | `true` | | -| probes.liveness.spec.failureThreshold | int | `5` | | -| probes.liveness.spec.httpGet.path | string | `"/wh/health"` | | -| probes.liveness.spec.httpGet.port | int | `8080` | | -| probes.liveness.spec.httpGet.scheme | string | `"HTTPS"` | | -| probes.liveness.spec.initialDelaySeconds | int | `1` | | -| probes.liveness.spec.timeoutSeconds | int | `10` | | -| probes.readiness.custom | bool | `true` | | -| probes.readiness.enabled | bool | `true` | | -| probes.readiness.spec.failureThreshold | int | `5` | | -| probes.readiness.spec.httpGet.path | string | `"/wh/health"` | | -| probes.readiness.spec.httpGet.port | int | `8080` | | -| probes.readiness.spec.httpGet.scheme | string | `"HTTPS"` | | -| probes.readiness.spec.initialDelaySeconds | int | `1` | | -| probes.readiness.spec.timeoutSeconds | int | `10` | | -| probes.startup.custom | bool | `true` | | -| probes.startup.enabled | bool | `true` | | -| probes.startup.spec.failureThreshold | int | `30` | | -| probes.startup.spec.httpGet.path | string | `"/wh/health"` | | -| probes.startup.spec.httpGet.port | int | `8080` | | -| probes.startup.spec.httpGet.scheme | string | `"HTTPS"` | | -| probes.startup.spec.periodSeconds | int | `1` | | -| service.port.path | string | `"/wh/mutating/setgateway"` | | -| service.port.port | int | `8080` | | -| strategy.type | string | `"RollingUpdate"` | | - -## Changelog - -All notable changes to this application Helm chart will be documented in this file but does not include changes from our common library. To read those click [here](https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common#changelog). - -The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). 
- -### [1.0.0] - -#### Added - -- Initial version - -#### Changed - -- N/A - -#### Removed - -- N/A - -[1.0.0]: #1.0.0 - -## Support - -- See the [Docs](https://docs.k8s-at-home.com/our-helm-charts/getting-started/) -- Open an [issue](https://github.com/k8s-at-home/charts/issues/new/choose) -- Ask a [question](https://github.com/k8s-at-home/organization/discussions) -- Join our [Discord](https://discord.gg/sTMX7Vh) community - ----------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0) diff --git a/charts/stable/pod-gateway-setter/templates/common.yaml b/charts/stable/pod-gateway-setter/templates/common.yaml deleted file mode 100644 index 53cae336..00000000 --- a/charts/stable/pod-gateway-setter/templates/common.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -{{/* Make sure all variables are set properly */}} -{{- include "common.values.setup" . }} - -{{- define "pod-gateway-setter.selfSignedIssuer" -}} -{{ printf "%s-selfsign" (include "common.names.fullname" .) }} -{{- end -}} - -{{- define "pod-gateway-setter.rootCAIssuer" -}} -{{ printf "%s-ca" (include "common.names.fullname" .) }} -{{- end -}} - -{{- define "pod-gateway-setter.rootCACertificate" -}} -{{ printf "%s-ca" (include "common.names.fullname" .) }} -{{- end -}} - -{{- define "pod-gateway-setter.servingCertificate" -}} -{{ printf "%s-webhook-tls" (include "common.names.fullname" .) }} -{{- end -}} - - -{{/* Append the cert secret to the additionalVolumes */}} -{{- define "pod-gateway-setter.servingCertificate.volume" -}} -name: certs -secret: - secretName: {{ include "pod-gateway-setter.servingCertificate" . }} -{{- end -}} - -{{- $volume := include "pod-gateway-setter.servingCertificate.volume" . | fromYaml -}} -{{- if $volume -}} - {{- $additionalVolumes := append .Values.additionalVolumes $volume }} - {{- $_ := set .Values "additionalVolumes" (deepCopy $additionalVolumes) -}} -{{- end -}} - - -{{/* Append generated args */}} -{{- $noop := printf "--webhook-listen-address=:%s" (.Values.service.port.port |toString) | append .Values.args | set .Values "args" -}} -{{- $noop := printf "--gateway=%s" .Values.gateway | append .Values.args | set .Values "args" -}} - -{{/* Render the templates */}} -{{ include "common.all" . }} diff --git a/charts/stable/pod-gateway-setter/values.yaml b/charts/stable/pod-gateway-setter/values.yaml deleted file mode 100644 index 53f89462..00000000 --- a/charts/stable/pod-gateway-setter/values.yaml +++ /dev/null 
@@ -1,92 +0,0 @@ -# -# IMPORTANT NOTE -# -# This chart inherits from our common library chart. You can check the default values/options here: -# https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common/values.yaml -# - -image: - repository: ghcr.io/k8s-at-home/gateway-admision-controller - pullPolicy: IfNotPresent - tag: v2.0.0 - -# -- Gateway to route traffic to. -# Can be an hostname or an IP -gateway: 10.0.2.7 - -# -- Selector for namespace. -# All pods in this namespace will get their default gateway changed -namespaceSelector: - matchLabels: - routed-gateway: "true" - # matchExpressions: - # - key: notTouch - # operator: NotIn - # values: ["1"] - -strategy: - type: RollingUpdate - -# Args for webhook -# See more information in the container git repository at -# https://github.com/k8s-at-home/gateway-admision-controller -args: -- --tls-cert-file-path=/tls/tls.crt -- --tls-key-file-path=/tls/tls.key -- --setGatewayDefault -- --setGatewayLabel=setGateway -- --setGatewayAnnotation=setGateway -# - --debug -# - --development -# - --keepDNS -# Set by Helm chart: -# --webhook-listen-address=: -# --gateway= - -service: - port: - path: /wh/mutating/setgateway - port: 8080 - -ingress: - enabled: false - -additionalVolumeMounts: -- name: certs - mountPath: /tls - readOnly: true - -# Probes configuration -probes: - liveness: - enabled: true - custom: true - spec: - httpGet: - scheme: HTTPS - port: 8080 - path: /wh/health - initialDelaySeconds: 1 - failureThreshold: 5 - timeoutSeconds: 10 - readiness: - enabled: true - custom: true - spec: - httpGet: - scheme: HTTPS - port: 8080 - path: /wh/health - initialDelaySeconds: 1 - failureThreshold: 5 - timeoutSeconds: 10 - startup: - enabled: true - custom: true - spec: - httpGet: - scheme: HTTPS - port: 8080 - path: /wh/health - failureThreshold: 30 - periodSeconds: 1 
diff --git a/charts/stable/pod-gateway-setter/.helmignore b/charts/stable/pod-gateway/.helmignore
similarity index 100%
rename from charts/stable/pod-gateway-setter/.helmignore
rename to charts/stable/pod-gateway/.helmignore
diff --git a/charts/stable/pod-gateway-setter/Chart.yaml b/charts/stable/pod-gateway/Chart.yaml
similarity index 68%
rename from charts/stable/pod-gateway-setter/Chart.yaml
rename to charts/stable/pod-gateway/Chart.yaml
index 81833e95..4575eb97 100644
--- a/charts/stable/pod-gateway-setter/Chart.yaml
+++ b/charts/stable/pod-gateway/Chart.yaml
@@ -1,15 +1,15 @@
 apiVersion: v2
 appVersion: 1.0.0
 description: Admision controller to change the default gateway and DNS server of PODs
-name: pod-gateway-setter
+name: pod-gateway
 version: 1.0.0
 kubeVersion: ">=1.16.0-0"
 keywords:
-- pod-gateway-setter
-home: https://github.com/k8s-at-home/charts/tree/master/charts/stable/pod-gateway-setter
-icon: https://pod-gateway-setter.org/icon
+- pod-gateway
+home: https://github.com/k8s-at-home/charts/tree/master/charts/stable/pod-gateway
+icon: https://pod-gateway.org/icon
 sources:
-- https://github.com/pod-gateway-setter/pod-gateway-setter-docker
+- https://github.com/pod-gateway/pod-gateway-docker
 maintainers:
 - name: angelnu
 email: git@angelnu.com
diff --git a/charts/stable/pod-gateway/README.md b/charts/stable/pod-gateway/README.md
new file mode 100644
index 00000000..2260bed3
--- /dev/null
+++ b/charts/stable/pod-gateway/README.md
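Review bot: The new `icon` and `sources` lines, `https://pod-gateway.org/icon` and `https://github.com/pod-gateway/pod-gateway-docker`, look like scaffold placeholders with the chart name substituted rather than real locations, and the generated README added in this same commit renders its Source Code section as an empty bullet, which fits that. The old values.yaml named `https://github.com/k8s-at-home/gateway-admision-controller` as the webhook's repository, so that (plus wherever `ghcr.io/k8s-at-home/pod-gateway` is built from) is what `sources` should list, and `icon` should point at a real file or be dropped. `description` also keeps the `Admision` misspelling on the context line; `Admission controller to change the default gateway and DNS server of PODs` is presumably intended.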
@@ -0,0 +1,197 @@ +# pod-gateway + +![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square) + +Admision controller to change the default gateway and DNS server of PODs + +**This chart is not maintained by the upstream project and any issues with the chart should be raised [here](https://github.com/k8s-at-home/charts/issues/new/choose)** + +## Source Code + +* + +## Requirements + +Kubernetes: `>=1.16.0-0` + +## Dependencies + +| Repository | Name | Version | +|------------|------|---------| +| https://library-charts.k8s-at-home.com | common | 2.5.0 | + +## TL;DR + +```console +helm repo add k8s-at-home https://k8s-at-home.com/charts/ +helm repo update +helm install pod-gateway k8s-at-home/pod-gateway +``` + +## Installing the Chart + +To install the chart with the release name `pod-gateway` + +```console +helm install pod-gateway k8s-at-home/pod-gateway +``` + +## Uninstalling the Chart + +To uninstall the `pod-gateway` deployment + +```console +helm uninstall pod-gateway +``` + +The command removes all the Kubernetes components associated with the chart **including persistent volumes** and deletes the release. + +## Configuration + +Read through the [values.yaml](./values.yaml) file. It has several commented out suggested values. +Other values may be used from the [values.yaml](https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common/values.yaml) from the [common library](https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common). + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. + +```console +helm install pod-gateway \ + --set env.TZ="America/New York" \ + k8s-at-home/pod-gateway +``` + +Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. 
+ +```console +helm install pod-gateway k8s-at-home/pod-gateway -f values.yaml +``` + +## Custom configuration + +You need to add `routed-gateway=true` to the namespaces with PODs you +want to route through this POD gateway. If needed the label name can be changed +in .Values. + +The webhook by default changes all processed pods (remove `--setGatewayDefault` +if you want to change the default). You can also change the default for a +POD by adding a label or annotation (`setGateway` by default). + +Processed PODs will get their default gateway changed. DNS server will +also be set to the gateway (at least the option `--keepDNS` is used). + +If you want to use the VPN please follow the +[common chart VPN sidecar docummentation](https://github.com/k8s-at-home/library-charts/blob/main/charts/stable/common/values.yaml). +If you want to test without VPN client you can +set the `VPN_BLOCK_OTHER_TRAFFIC` to false. + +**IMPORTANT**: Do not deploy this chart to a namespace controlled by this +webhook. This would result in a likelly deathlock when upgrading the chart. + +**NOTE**: This char requires the cert-manager CRD to generate the required +certificates. It does not install it as dependency to avoid conflicts. + +## Values + +**Important**: When deploying an application Helm chart you can add more values from our common library chart [here](https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common) + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| DNS | string | `"172.16.0.1"` | IP address of the DNS server within the vxlan tunnel. All mutated PODs will get this as their DNS server. 
It must match VXLAN_GATEWAY_IP in settings.sh | +| additionalContainers[0].command[0] | string | `"/bin/sh"` | | +| additionalContainers[0].command[1] | string | `"-c"` | | +| additionalContainers[0].command[2] | string | `"while true; do sleep 600 & wait $!; done"` | | +| additionalContainers[0].image | string | `"ghcr.io/k8s-at-home/pod-gateway:dev"` | | +| additionalContainers[0].imagePullPolicy | string | `nil` | | +| additionalContainers[0].name | string | `"test"` | | +| additionalContainers[0].securityContext.capabilities.add[0] | string | `"NET_ADMIN"` | | +| additionalContainers[0].volumeMounts[0].mountPath | string | `"/config"` | | +| additionalContainers[0].volumeMounts[0].name | string | `"config"` | | +| additionalContainers[0].volumeMounts[0].readOnly | bool | `true` | | +| additionalVolumeMounts[0].mountPath | string | `"/config"` | | +| additionalVolumeMounts[0].name | string | `"config"` | | +| additionalVolumeMounts[0].readOnly | bool | `true` | | +| clusterName | string | `"cluster.local"` | cluster name used to derive the gateway full name | +| command[0] | string | `"/bin/gateway_sidecar.sh"` | | +| configmap.data."nat.conf" | string | `"# Configure client PODs with static IP addresses\n# and ports exposed through NAT\n# static IPs must be bellow VXLAN_GATEWAY_FIRST_DYNAMIC_IP\n#\n# hostname IP ports(coma separated)\n# Example:\n# transmission 10 tcp:18289,udp:18289\n"` | settings to expose ports, usually through a VPN provider NOTE: if you change it you will need to manually restart all containers using it | +| configmap.data."settings.sh" | string | `"#!/bin/sh\n# hostname of the gateway - it must accept vxlan and DHCP traffic\n# clients get it as env variable\nGATEWAY_NAME=\"${gateway}\"\n# K8S DNS IP address\n# clients get it as env variable\nK8S_DNS_IPS=\"${K8S_DNS_ips}\"\n\n# Vxlan ID to use\nVXLAN_ID=\"42\"\n# VXLAN need an /24 IP range not conflicting with K8S and local IP ranges\nVXLAN_IP_NETWORK=\"172.16.0\"\n# Gateway IP within the 
VXLAN - client PODs will be routed through it\nVXLAN_GATEWAY_IP=\"${VXLAN_IP_NETWORK}.1\"\n# Keep a range of IPs for static assignment in nat.conf\nVXLAN_GATEWAY_FIRST_DYNAMIC_IP=20\n\n# If using a VPN, interface name created by it\nVPN_INTERFACE=tun0\n# Prevent non VPN traffic to leave the gateway\nVPN_BLOCK_OTHER_TRAFFIC=false\n# Traffic to these IPs will be send through the K8S gateway\nVPN_LOCAL_CIDRS=\"10.0.0.0/8 192.168.0.0/16\"\n\n# DNS queries to these domains will be resolved by K8S DNS instead of\n# the default (typcally the VPN client changes it)\nDNS_LOCAL_CIDRS=\"local\"\n"` | settings for gateway - defaults should usually be good NOTE: if you change it you will need to manually restart all containers using it | +| configmap.enabled | bool | `true` | configmap contains clients and gateway PODs setting | +| configmap.namespaces | list | `["kube-system","vpn"]` | Namespaces to create the configmap to. It must list all namespaces where client PODs get deployed to. The chart namespace is added automatically | +| image.pullPolicy | string | `"IfNotPresent"` | | +| image.repository | string | `"ghcr.io/k8s-at-home/pod-gateway"` | | +| image.tag | string | `"v1.1.0"` | | +| initContainers[0].command[0] | string | `"/bin/gateway_init.sh"` | | +| initContainers[0].image | string | `nil` | Will be set automatically | +| initContainers[0].imagePullPolicy | string | `nil` | Will be set automatically | +| initContainers[0].name | string | `"routes"` | | +| initContainers[0].securityContext.capabilities.add[0] | string | `"NET_ADMIN"` | | +| initContainers[0].volumeMounts[0].mountPath | string | `"/config"` | | +| initContainers[0].volumeMounts[0].name | string | `"config"` | | +| initContainers[0].volumeMounts[0].readOnly | bool | `true` | | +| probes.liveness.enabled | bool | `false` | | +| probes.readiness.enabled | bool | `false` | | +| probes.startup.enabled | bool | `false` | | +| securityContext.capabilities.add[0] | string | `"NET_ADMIN"` | | +| 
service.clusterIP | string | `"None"` | | +| service.port.port | int | `4789` | | +| service.port.protocol | string | `"UDP"` | | +| service.type | string | `"ClusterIP"` | | +| webhook.additionalVolumes | list | `[]` | | +| webhook.args[0] | string | `"--tls-cert-file-path=/tls/tls.crt"` | | +| webhook.args[1] | string | `"--tls-key-file-path=/tls/tls.key"` | | +| webhook.args[2] | string | `"--setGatewayDefault"` | | +| webhook.args[3] | string | `"--setGatewayLabel=setGateway"` | | +| webhook.args[4] | string | `"--setGatewayAnnotation=setGateway"` | | +| webhook.args[5] | string | `"--DNSPolicy=None"` | | +| webhook.image.pullPolicy | string | `"IfNotPresent"` | | +| webhook.image.repository | string | `"ghcr.io/k8s-at-home/gateway-admision-controller"` | | +| webhook.image.tag | string | `"v3.2.0"` | | +| webhook.inserted.init.cmd | string | `"/bin/client_init.sh"` | | +| webhook.inserted.init.mountPath | string | `"/config"` | | +| webhook.inserted.init.pullPolicy | string | `nil` | Will be set automatically | +| webhook.inserted.init.repository | string | `nil` | Will be set automatically | +| webhook.inserted.init.tag | string | `nil` | Will be set automatically | +| webhook.inserted.sidecar.cmd | string | `"/bin/client_sidecar.sh"` | | +| webhook.inserted.sidecar.mountPath | string | `"/config"` | | +| webhook.inserted.sidecar.pullPolicy | string | `nil` | Will be set automatically | +| webhook.inserted.sidecar.repository | string | `nil` | Will be set automatically | +| webhook.inserted.sidecar.tag | string | `nil` | Will be set automatically | +| webhook.namespaceSelector | object | `{"matchLabels":{"routed-gateway":"true"}}` | Selector for namespace. 
All pods in this namespace will get their default gateway changed | +| webhook.replicas | int | `1` | | +| webhook.service.port.path | string | `"/wh/mutating/setgateway"` | | +| webhook.service.port.port | int | `8080` | | +| webhook.service.port.protocol | string | `"HTTPS"` | | +| webhook.strategy.type | string | `"RollingUpdate"` | | + +## Changelog + +All notable changes to this application Helm chart will be documented in this file but does not include changes from our common library. To read those click [here](https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common#changelog). + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + +### [1.0.0] + +#### Added + +- renamed chart from `pod-gateway-setter` to `pod-gateway` +- sidecar support +- gatewaySufix +- init container uses now an image + +#### Changed + +- N/A + +#### Removed + +- N/A + +[1.0.0]: #1.0.0 + +## Support + +- See the [Docs](https://docs.k8s-at-home.com/our-helm-charts/getting-started/) +- Open an [issue](https://github.com/k8s-at-home/charts/issues/new/choose) +- Ask a [question](https://github.com/k8s-at-home/organization/discussions) +- Join our [Discord](https://discord.gg/sTMX7Vh) community + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0) diff --git a/charts/stable/pod-gateway-setter/README.md.gotmpl b/charts/stable/pod-gateway/README.md.gotmpl similarity index 100% rename from charts/stable/pod-gateway-setter/README.md.gotmpl rename to charts/stable/pod-gateway/README.md.gotmpl 
diff --git a/charts/stable/pod-gateway-setter/README_CHANGELOG.md.gotmpl b/charts/stable/pod-gateway/README_CHANGELOG.md.gotmpl similarity index 83% rename from charts/stable/pod-gateway-setter/README_CHANGELOG.md.gotmpl rename to charts/stable/pod-gateway/README_CHANGELOG.md.gotmpl index 99c5085f..8dcd2837 100644 --- a/charts/stable/pod-gateway-setter/README_CHANGELOG.md.gotmpl +++ b/charts/stable/pod-gateway/README_CHANGELOG.md.gotmpl @@ -13,7 +13,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), #### Added -- Initial version +- renamed chart from `pod-gateway-setter` to `pod-gateway` +- sidecar support +- gatewaySufix +- init container uses now an image #### Changed diff --git a/charts/stable/pod-gateway-setter/README_CONFIG.md.gotmpl b/charts/stable/pod-gateway/README_CONFIG.md.gotmpl similarity index 61% rename from charts/stable/pod-gateway-setter/README_CONFIG.md.gotmpl rename to charts/stable/pod-gateway/README_CONFIG.md.gotmpl index 9e696c38..650a160c 100644 --- a/charts/stable/pod-gateway-setter/README_CONFIG.md.gotmpl +++ b/charts/stable/pod-gateway/README_CONFIG.md.gotmpl @@ -5,9 +5,9 @@ {{- define "custom.custom.configuration" -}} {{ template "custom.custom.configuration.header" . }} -You need to set `gateway` to the hostname or address of your gateway. Then -all PODs in namespaces with the matching label (`routed-gateway=true` by default) -will be processed by the webhook. +You need to add `routed-gateway=true` to the namespaces with PODs you +want to route through this POD gateway. If needed the label name can be changed +in .Values. The webhook by default changes all processed pods (remove `--setGatewayDefault` if you want to change the default). You can also change the default for a 
@@ -16,14 +16,15 @@ POD by adding a label or annotation (`setGateway` by default). Processed PODs will get their default gateway changed. DNS server will also be set to the gateway (at least the option `--keepDNS` is used). -Multiple instances of this chart might be installed that use different label -values. This is usufull, for example, to route multiple pod groups, each with -a different gateway. +If you want to use the VPN please follow the +[common chart VPN sidecar docummentation](https://github.com/k8s-at-home/library-charts/blob/main/charts/stable/common/values.yaml). +If you want to test without VPN client you can +set the `VPN_BLOCK_OTHER_TRAFFIC` to false. **IMPORTANT**: Do not deploy this chart to a namespace controlled by this webhook. This would result in a likelly deathlock when upgrading the chart. **NOTE**: This char requires the cert-manager CRD to generate the required -certificates. +certificates. It does not install it as dependency to avoid conflicts. {{- end -}} diff --git a/charts/stable/pod-gateway-setter/templates/NOTES.txt b/charts/stable/pod-gateway/templates/NOTES.txt similarity index 100% rename from charts/stable/pod-gateway-setter/templates/NOTES.txt rename to charts/stable/pod-gateway/templates/NOTES.txt diff --git a/charts/stable/pod-gateway/templates/common.yaml b/charts/stable/pod-gateway/templates/common.yaml new file mode 100644 index 00000000..b9349d3f --- /dev/null +++ b/charts/stable/pod-gateway/templates/common.yaml 
@@ -0,0 +1,22 @@
+{{/* Make sure all variables are set properly */}}
+{{- include "common.values.setup" . }}
+
+{{- $_ := set (first .Values.initContainers ) "image" (printf "%s:%s" .Values.image.repository .Values.image.tag ) -}}
+{{- $_ := set (first .Values.initContainers ) "imagePullPolicy" .Values.image.pullPolicy -}}
+
+{{/* Append the cert secret to the additionalVolumes */}}
+{{- define "pod-gateway.settings.volume" -}}
+name: config
+configMap:
+ name: {{ include "pod-gateway.configmap" . }}
+ defaultMode: 0555
+{{- end -}}
+
+{{- $volume := include "pod-gateway.settings.volume" . | fromYaml -}}
+{{- if $volume -}}
+ {{- $additionalVolumes := append .Values.additionalVolumes $volume }}
+ {{- $_ := set .Values "additionalVolumes" (deepCopy $additionalVolumes) -}}
+{{- end -}}
+
+{{/* Render the templates */}}
+{{ include "common.all" . }}
diff --git a/charts/stable/pod-gateway/templates/configmap.yaml b/charts/stable/pod-gateway/templates/configmap.yaml
new file mode 100644
index 00000000..cebdba94
--- /dev/null
+++ b/charts/stable/pod-gateway/templates/configmap.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.configmap.enabled -}}
+{{- range $namespace := .Values.configmap.namespaces }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "pod-gateway.configmap" $ | quote }}
+ namespace: {{ $namespace }}
+ labels:
+ {{- include "common.labels" $ | nindent 4 }}
+data:
+ {{- $.Values.configmap.data | toYaml | nindent 2 }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/stable/pod-gateway-setter/templates/admissionregistration.yaml b/charts/stable/pod-gateway/templates/webhook-admissionregistration.yaml
similarity index 73%
rename from charts/stable/pod-gateway-setter/templates/admissionregistration.yaml
rename to charts/stable/pod-gateway/templates/webhook-admissionregistration.yaml
index ead67e82..0178162a 100644
--- a/charts/stable/pod-gateway-setter/templates/admissionregistration.yaml
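Review bot: The image override at the top of common.yaml is positional: `first .Values.initContainers` is patched whatever its name, so a user who prepends their own init container gets it replaced by the gateway image while the `routes` container (the values default per the README table) keeps `image: nil`, and an empty `initContainers` list makes `set` fail on a nil map. Selecting the container by name keeps the override on the one it is meant for; the rewritten lines are below. The comment `{{/* Append the cert secret to the additionalVolumes */}}` was carried over from the old chart and now sits above a define that mounts the settings ConfigMap, not a certificate; `{{/* Append the settings ConfigMap to the additionalVolumes */}}` describes what follows.
```yaml
{{- include "common.values.setup" . }}

{{/* Point the gateway's init container at the chart image, matched by name rather than by position */}}
{{- range $initContainer := .Values.initContainers }}
{{- if eq ($initContainer.name | default "") "routes" }}
{{- $_ := set $initContainer "image" (printf "%s:%s" $.Values.image.repository $.Values.image.tag) -}}
{{- $_ := set $initContainer "imagePullPolicy" $.Values.image.pullPolicy -}}
{{- end }}
{{- end }}

{{/* … unchanged: settings volume define, additionalVolumes append, common.all … */}}
```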
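Review bot: The `range` in configmap.yaml only iterates `.Values.configmap.namespaces` and never adds `.Release.Namespace`, although the README table in this commit says the chart namespace is added automatically and common.yaml mounts `pod-gateway.configmap` into the gateway pod from that same namespace; unless values.yaml (outside this page) already lists it, the gateway's `config` volume will reference a ConfigMap that is never created. `{{- range $namespace := uniq (append .Values.configmap.namespaces .Release.Namespace) }}` makes the documented behaviour true without changing anything else. A template comment is also warranted that this file writes chart-owned ConfigMaps into other namespaces (`kube-system` by default), which must already exist and are easy to overlook when the release is removed. Separately, the `settings.sh` rendered through this template defaults `VPN_BLOCK_OTHER_TRAFFIC=false` according to the README table, while the new README_CONFIG text tells users to set it to false for testing as if the default were true; the two should agree, and fail-closed is the safer default for a VPN gateway.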
+++ b/charts/stable/pod-gateway/templates/webhook-admissionregistration.yaml
@@ -5,11 +5,11 @@ metadata:
 labels:
 {{- include "common.labels" . | nindent 4 }}
 annotations:
- cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "pod-gateway-setter.servingCertificate" . }}"
+ cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "pod-gateway.servingCertificate" . }}"
 webhooks:
 - name: "{{ include "common.names.fullname" . }}.svc.cluster.local"
 namespaceSelector:
- {{- with .Values.namespaceSelector }}
+ {{- with .Values.webhook.namespaceSelector }}
 {{ toYaml . | nindent 4 }}
 {{- end }}
 rules:
@@ -21,9 +21,9 @@ webhooks:
 clientConfig:
 service:
 namespace: {{ .Release.Namespace | quote }}
- name: {{ include "common.names.fullname" . | quote }}
- path: {{ .Values.service.port.path | quote }}
- port: {{ .Values.service.port.port }}
+ name: {{ include "common.names.fullname" . }}-webhook
+ path: {{ .Values.webhook.service.port.path | quote }}
+ port: {{ .Values.webhook.service.port.port }}
 admissionReviewVersions: ["v1", "v1beta1"]
 sideEffects: None
 timeoutSeconds: 5
diff --git a/charts/stable/pod-gateway/templates/webhook-common.yaml b/charts/stable/pod-gateway/templates/webhook-common.yaml
new file mode 100644
index 00000000..b202d572
--- /dev/null
+++ b/charts/stable/pod-gateway/templates/webhook-common.yaml
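Review bot: The rewritten `clientConfig.service.name` in the second hunk drops the `| quote` the old line had, leaving it the only unquoted string beside `namespace` and `path`; `name: {{ printf "%s-webhook" (include "common.names.fullname" .) | quote }}` keeps the block consistent, and the `-webhook` suffix has to match what webhook-service.yaml renders, which is outside this page. In the first hunk `namespaceSelector` remains the only thing that keeps the webhook's own namespace out of scope, which is what the README's upgrade-deadlock warning relies on the operator to remember; on clusters that label namespaces with `kubernetes.io/metadata.name` (1.21+) a `matchExpressions` entry excluding `.Release.Namespace` would enforce it in the template instead. The `webhooks` entry starts before the hunk, so `failurePolicy` is not visible here and I cannot tell how the API server behaves while the webhook pod is down.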
@@ -0,0 +1,64 @@
+{{/* Make sure all variables are set properly */}}
+{{- include "common.values.setup" . }}
+
+{{- $_ := set .Values.webhook.inserted.init "repository" .Values.image.repository -}}
+{{- $_ := set .Values.webhook.inserted.init "tag" .Values.image.tag -}}
+{{- $_ := set .Values.webhook.inserted.init "pullPolicy" .Values.image.pullPolicy -}}
+{{- $_ := set .Values.webhook.inserted.sidecar "repository" .Values.image.repository -}}
+{{- $_ := set .Values.webhook.inserted.sidecar "tag" .Values.image.tag -}}
+{{- $_ := set .Values.webhook.inserted.sidecar "pullPolicy" .Values.image.pullPolicy -}}
+
+{{- define "pod-gateway.webhook-inserted-init-repository" -}}
+{{ printf "%s:%s" ( .Values.image.repository | default .Values.webhook.inserted.init.repository ) ( .Values.image.tag | default .Values.webhook.inserted.init.tag ) }}
+{{- end -}}
+
+{{- define "pod-gateway.webhook-inserted-init-pullPolicy" -}}
+{{ .Values.webhook.inserted.init.pullPolicy | default .Values.image.pullPolicy }}
+{{- end -}}
+
+{{- define "pod-gateway.webhook-inserted-sidecar-repository" -}}
+{{ printf "%s:%s" ( .Values.image.repository | default .Values.webhook.inserted.sidecar.repository ) ( .Values.image.tag | default .Values.webhook.inserted.sidecar.tag ) }}
+{{- end -}}
+
+{{- define "pod-gateway.webhook-inserted-sidecar-pullPolicy" -}}
+{{ .Values.webhook.inserted.sidecar.pullPolicy | default .Values.image.pullPolicy }}
+{{- end -}}
+
+{{- define "pod-gateway.gateway" -}}
+{{ printf "%s.%s.svc.%s" (include "common.names.fullname" .) .Release.Namespace .Values.clusterName }}
+{{- end -}}
+
+{{- define "pod-gateway.init.image" -}}
+{{ printf "%s:%s" .Values.webhook.inserted.init.repository (.Values.webhook.inserted.init.tag | default "latest" ) }}
+{{- end -}}
+
+{{- define "pod-gateway.sidecar.image" -}}
+{{ printf "%s:%s" .Values.webhook.inserted.sidecar.repository (.Values.webhook.inserted.sidecar.tag | default "latest" ) }}
+{{- end -}}
+
+{{- define "pod-gateway.configmap" -}}
+{{ include "common.names.fullname" . }}
+{{- end -}}
+
+
+{{- define "pod-gateway.selfSignedIssuer" -}}
+{{ printf "%s-webhook-selfsign" (include "common.names.fullname" .) }}
+{{- end -}}
+
+{{- define "pod-gateway.rootCAIssuer" -}}
+{{ printf "%s-webhook-ca" (include "common.names.fullname" .) }}
+{{- end -}}
+
+{{- define "pod-gateway.rootCACertificate" -}}
+{{ printf "%s-webhook-ca" (include "common.names.fullname" .) }}
+{{- end -}}
+
+{{- define "pod-gateway.servingCertificate" -}}
+{{ printf "%s-webhook-tls" (include "common.names.fullname" .) }}
+{{- end -}}
+
+
+{{- define "pod-gateway.labels.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "common.names.name" . }}-webhook
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
diff --git a/charts/stable/pod-gateway/templates/webhook-deployment.yaml b/charts/stable/pod-gateway/templates/webhook-deployment.yaml
new file mode 100644
index 00000000..53b05859
--- /dev/null
+++ b/charts/stable/pod-gateway/templates/webhook-deployment.yaml
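Review bot: The six `set` calls at the top overwrite `.Values.webhook.inserted.init.*` and `.sidecar.*` with `.Values.image.*` before any helper runs, so the `| default` fallbacks inside `pod-gateway.webhook-inserted-init-repository` and its siblings can never fire and the per-container `repository`/`tag`/`pullPolicy` values in values.yaml are dead; on top of that the `default` order is inverted (`.Values.image.repository | default .Values.webhook.inserted.init.repository` lets the global value win over the specific one). Either drop the `set` lines and write the helpers as `{{ .Values.webhook.inserted.init.repository | default .Values.image.repository }}`, or drop the `default` chains; keeping both hides which setting is authoritative. `pod-gateway.webhook-inserted-init-repository` returns a full `repo:tag` image reference rather than a repository, so a name ending in `-image` would read more honestly, and `pod-gateway.init.image` / `pod-gateway.sidecar.image` are not referenced by any template in this commit. A header comment such as `{{/* Init and sidecar containers injected by the webhook run the gateway image unless overridden under webhook.inserted */}}` would tell the next reader which way the precedence is meant to go.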
@@ -0,0 +1,103 @@
+apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
+kind: Deployment
+metadata:
+ name: {{ include "common.names.fullname" . }}-webhook
+ labels:
+ {{- include "common.labels" . | nindent 4 }}
+ {{- with .Values.webhook.controllerLabels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.webhook.controllerAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ replicas: {{ .Values.webhook.replicas }}
+ {{- with .Values.webhook.strategy }}
+ strategy:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ selector:
+ matchLabels:
+ {{ include "pod-gateway.labels.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.webhook.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{ include "pod-gateway.labels.selectorLabels" . | nindent 8 }}
+ spec:
+ volumes:
+ - name: certs
+ secret:
+ secretName: {{ include "pod-gateway.servingCertificate" . }}
+ defaultMode: 420
+ containers:
+ - name: foo-pod-gateway
+ image: {{ .Values.webhook.image.repository }}:{{ .Values.webhook.image.tag }}
+ args:
+ - --webhook-listen-address=:{{ .Values.webhook.service.port.port |toString }}
+ - --gateway={{ include "pod-gateway.gateway" . }}
+ - --DNS={{ .Values.DNS }}
+ {{- if .Values.configmap.enabled }}
+ - --configmapName={{ include "pod-gateway.configmap" . }}
+ {{- end}}
+ {{- if ( include "pod-gateway.webhook-inserted-init-repository" . ) }}
+ - --initImage={{ include "pod-gateway.webhook-inserted-init-repository" . }}
+ - --initImagePullPol={{ include "pod-gateway.webhook-inserted-init-pullPolicy" . }}
+ - --initCmd={{ .Values.webhook.inserted.init.cmd }}
+ - --initMountPoint={{ .Values.webhook.inserted.init.mountPath }}
+ {{- end}}
+ {{- if ( include "pod-gateway.webhook-inserted-sidecar-repository" . ) }}
+ - --sidecarImage={{ include "pod-gateway.webhook-inserted-init-repository" . }}
+ - --sidecarImagePullPol={{ include "pod-gateway.webhook-inserted-sidecar-pullPolicy" . }}
+ - --sidecarCmd={{ .Values.webhook.inserted.sidecar.cmd }}
+ - --sidecarMountPoint={{ .Values.webhook.inserted.sidecar.mountPath }}
+ {{- end}}
+ {{ toYaml .Values.webhook.args | nindent 12 }}
+ ports:
+ - name: http
+ containerPort: {{ .Values.webhook.service.port.port }}
+ protocol: TCP
+ resources: {}
+ volumeMounts:
+ - name: certs
+ readOnly: true
+ mountPath: /tls
+ livenessProbe:
+ httpGet:
+ path: /wh/health
+ port: {{ .Values.webhook.service.port.port }}
+ scheme: {{ .Values.webhook.service.port.protocol }}
+ initialDelaySeconds: 1
+ timeoutSeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ failureThreshold: 5
+ readinessProbe:
+ httpGet:
+ path: /wh/health
+ port: {{ .Values.webhook.service.port.port }}
+ scheme: {{ .Values.webhook.service.port.protocol }}
+ initialDelaySeconds: 1
+ timeoutSeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ failureThreshold: 5
+ startupProbe:
+ httpGet:
+ path: /wh/health
+ port: {{ .Values.webhook.service.port.port }}
+ scheme: {{ .Values.webhook.service.port.protocol }}
+ timeoutSeconds: 1
+ periodSeconds: 1
+ successThreshold: 1
+ failureThreshold: 30
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ imagePullPolicy: {{ .Values.webhook.image.pullPolicy }}
+ restartPolicy: Always
+ strategy:
+ type: {{ .Values.webhook.strategy.type }}
diff --git a/charts/stable/pod-gateway-setter/templates/pki.yaml b/charts/stable/pod-gateway/templates/webhook-pki.yaml
similarity index 58%
rename from charts/stable/pod-gateway-setter/templates/pki.yaml
rename to charts/stable/pod-gateway/templates/webhook-pki.yaml
index 6b5f74da..37343d61 100644
--- a/charts/stable/pod-gateway-setter/templates/pki.yaml
+++ b/charts/stable/pod-gateway/templates/webhook-pki.yaml
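Review bot: `--sidecarImage` is filled from `pod-gateway.webhook-inserted-init-repository` instead of the sidecar helper, so the sidecar injected into every mutated pod always runs the init image whatever `webhook.inserted.sidecar` says; the line should read `- --sidecarImage={{ include "pod-gateway.webhook-inserted-sidecar-repository" . }}`. The trailing `strategy:`/`type:` pair after `restartPolicy: Always` is either a second `strategy` key in the Deployment spec (already emitted under `with .Values.webhook.strategy`, and a duplicate mapping key fails YAML parsing) or an unknown field inside the pod spec, depending on its indentation, which the collapsed rendering here does not preserve; either way it should go. The container name `foo-pod-gateway` reads like a placeholder; `webhook` would match the resource names used elsewhere in the commit. The webhook container has `resources: {}` and no `securityContext`, and since this pod rewrites other workloads' specs, a hardened default (`runAsNonRoot: true`, `readOnlyRootFilesystem: true`, all capabilities dropped) plus a values-driven `resources` block are worth adding.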
@@ -4,7 +4,7 @@ apiVersion: cert-manager.io/v1 kind: Issuer metadata: - name: {{ include "pod-gateway-setter.selfSignedIssuer" . }} + name: {{ include "pod-gateway.selfSignedIssuer" . }} namespace: {{ .Release.Namespace | quote }} labels: {{- include "common.labels" . | nindent 4 }} @@ -17,17 +17,17 @@ spec: apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: {{ include "pod-gateway-setter.rootCACertificate" . }} + name: {{ include "pod-gateway.rootCACertificate" . }} namespace: {{ .Release.Namespace | quote }} labels: {{- include "common.labels" . | nindent 4 }} spec: - secretName: {{ include "pod-gateway-setter.rootCACertificate" . }} + secretName: {{ include "pod-gateway.rootCACertificate" . }} duration: 43800h # 5y issuerRef: - name: {{ include "pod-gateway-setter.selfSignedIssuer" . }} + name: {{ include "pod-gateway.selfSignedIssuer" . }} kind: Issuer - commonName: "ca.pod-gateway-setter.cert-manager" + commonName: "ca.pod-gateway.cert-manager" isCA: true --- @@ -36,13 +36,13 @@ spec: apiVersion: cert-manager.io/v1 kind: Issuer metadata: - name: {{ include "pod-gateway-setter.rootCAIssuer" . }} + name: {{ include "pod-gateway.rootCAIssuer" . }} namespace: {{ .Release.Namespace | quote }} labels: {{- include "common.labels" . | nindent 4 }} spec: ca: - secretName: {{ include "pod-gateway-setter.rootCACertificate" . }} + secretName: {{ include "pod-gateway.rootCACertificate" . }} --- 
@@ -50,17 +50,17 @@ spec: apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: {{ include "pod-gateway-setter.servingCertificate" . }} + name: {{ include "pod-gateway.servingCertificate" . }} namespace: {{ .Release.Namespace | quote }} labels: {{- include "common.labels" . | nindent 4 }} spec: - secretName: {{ include "pod-gateway-setter.servingCertificate" . }} + secretName: {{ include "pod-gateway.servingCertificate" . }} duration: 8760h # 1y issuerRef: - name: {{ include "pod-gateway-setter.rootCAIssuer" . }} + name: {{ include "pod-gateway.rootCAIssuer" . }} kind: Issuer dnsNames: - - {{ include "common.names.fullname" . }} - - {{ include "common.names.fullname" . }}.{{ .Release.Namespace }} - - {{ include "common.names.fullname" . }}.{{ .Release.Namespace }}.svc + - {{ include "common.names.fullname" . }}-webhook + - {{ include "common.names.fullname" . }}-webhook.{{ .Release.Namespace }} + - {{ include "common.names.fullname" . }}-webhook.{{ .Release.Namespace }}.svc diff --git a/charts/stable/pod-gateway/templates/webhook-service.yaml b/charts/stable/pod-gateway/templates/webhook-service.yaml new file mode 100644 index 00000000..8377229c --- /dev/null +++ b/charts/stable/pod-gateway/templates/webhook-service.yaml 
@@ -0,0 +1,32 @@
+{{- $values := .Values.webhook.service -}}
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "common.names.fullname" . }}-webhook
+ labels:
+ {{- include "common.labels" . | nindent 4 }}
+ {{- if $values.labels }}
+ {{ toYaml $values.labels | nindent 4 }}
+ {{- end }}
+ annotations:
+ {{- if eq ( $values.port.protocol | default "" ) "HTTPS" }}
+ traefik.ingress.kubernetes.io/service.serversscheme: https
+ {{- end }}
+ {{- with $values.annotations }}
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ type: ClusterIP
+ {{- if $values.clusterIP }}
+ clusterIP: {{ $values.clusterIP }}
+ {{end}}
+ {{- if $values.sessionAffinity }}
+ sessionAffinity: {{ $values.sessionAffinity }}
+ {{- if $values.sessionAffinityConfig }}
+ sessionAffinityConfig:
+ {{ toYaml $values.sessionAffinityConfig | nindent 4 }}
+ {{- end -}}
+ {{- end }}
+ {{- include "common.classes.service.ports" (dict "svcType" "ClusterIP" "values" $values ) | trim | nindent 2 }}
+ selector:
+ {{- include "pod-gateway.labels.selectorLabels" . | nindent 4 }}
diff --git a/charts/stable/pod-gateway/values.yaml b/charts/stable/pod-gateway/values.yaml
new file mode 100644
index 00000000..0cb16847
--- /dev/null
+++ b/charts/stable/pod-gateway/values.yaml
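Review bot: `{{end}}` after `clusterIP:` has no whitespace trimming while every other control tag in this file is written `{{- end }}`, so it leaves a stray blank line in the rendered Service; use `{{- end }}` for consistency. The `traefik.ingress.kubernetes.io/service.serversscheme` annotation is emitted for a ClusterIP service that only the API server is meant to call, so it looks like leftover plumbing from the common service template and can be dropped unless the webhook is deliberately exposed through an ingress. The `eq ... "HTTPS"` test is case-sensitive, so a lowercase `https` in values silently skips the branch; comparing `upper` of the protocol would make it tolerant.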
@@ -0,0 +1,227 @@ +# +# IMPORTANT NOTE +# +# This chart inherits from our common library chart. You can check the default values/options here: +# https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common/values.yaml +# + +image: + repository: ghcr.io/k8s-at-home/pod-gateway + pullPolicy: IfNotPresent + tag: v1.1.0 + +# -- IP address of the DNS server within the vxlan tunnel. +# All mutated PODs will get this as their DNS server. +# It must match VXLAN_GATEWAY_IP in settings.sh +DNS: 172.16.0.1 + +# -- cluster name used to derive the gateway full name +clusterName: "cluster.local" + +configmap: + # -- configmap contains clients and gateway PODs setting + enabled: true + # -- Namespaces to create the configmap to. + # It must list all namespaces where client PODs get deployed to. + # The chart namespace is added automatically + namespaces: + - kube-system + - vpn + data: + # -- settings for gateway - defaults should usually be good + # NOTE: if you change it you will need to manually restart all + # containers using it + settings.sh: | + #!/bin/sh + # hostname of the gateway - it must accept vxlan and DHCP traffic + # clients get it as env variable + GATEWAY_NAME="${gateway}" + # K8S DNS IP address + # clients get it as env variable + K8S_DNS_IPS="${K8S_DNS_ips}" + + # Vxlan ID to use + VXLAN_ID="42" + # VXLAN need an /24 IP range not conflicting with K8S and local IP ranges + VXLAN_IP_NETWORK="172.16.0" + # Gateway IP within the VXLAN - client PODs will be routed through it + VXLAN_GATEWAY_IP="${VXLAN_IP_NETWORK}.1" + # Keep a range of IPs for static assignment in nat.conf + VXLAN_GATEWAY_FIRST_DYNAMIC_IP=20 + + # If using a VPN, interface name created by it + VPN_INTERFACE=tun0 + # Prevent non VPN traffic to leave the gateway + VPN_BLOCK_OTHER_TRAFFIC=false + # Traffic to these IPs will be send through the K8S gateway + VPN_LOCAL_CIDRS="10.0.0.0/8 192.168.0.0/16" + + # DNS queries to these domains will be resolved by K8S DNS instead of + # the 
default (typcally the VPN client changes it) + DNS_LOCAL_CIDRS="local" + + # -- settings to expose ports, usually through a VPN provider + # NOTE: if you change it you will need to manually restart all + # containers using it + nat.conf: | + # Configure client PODs with static IP addresses + # and ports exposed through NAT + # static IPs must be bellow VXLAN_GATEWAY_FIRST_DYNAMIC_IP + # + # hostname IP ports(coma separated) + # Example: + # transmission 10 tcp:18289,udp:18289 + + +# You should not need to change the settings bellow this +# at least you have ready the webhook and pod-gateway containers +# documentation + +command: +- /bin/gateway_sidecar.sh + +securityContext: + capabilities: + add: + - NET_ADMIN + +additionalVolumeMounts: +- name: config + mountPath: /config + readOnly: true + +initContainers: +- name: "routes" + # -- Will be set automatically + # @default -- : + image: + # -- Will be set automatically + # @default -- + imagePullPolicy: + command: + - /bin/gateway_init.sh + securityContext: + capabilities: + add: + - NET_ADMIN + volumeMounts: + - name: config + mountPath: /config + readOnly: true + +additionalContainers: +- name: "test" + image: "ghcr.io/k8s-at-home/pod-gateway:dev" + imagePullPolicy: + command: + - /bin/sh + - -c + - while true; do + sleep 600 & + wait $!; + done + securityContext: + capabilities: + add: + - NET_ADMIN + volumeMounts: + - name: config + mountPath: /config + readOnly: true + +probes: + liveness: + enabled: false + readiness: + enabled: false + startup: + enabled: false +service: + type: ClusterIP + clusterIP: None + port: + port: 4789 + protocol: UDP + +webhook: + image: + repository: ghcr.io/k8s-at-home/gateway-admision-controller + pullPolicy: IfNotPresent + tag: v3.2.0 + + # -- Selector for namespace. 
+ # All pods in this namespace will get their default gateway changed + namespaceSelector: + matchLabels: + routed-gateway: "true" + # matchExpressions: + # - key: notTouch + # operator: NotIn + # values: ["1"] + + additionalVolumes: [] + + + inserted: + init: + # -- Will be set automatically + # @default -- + repository: + # -- Will be set automatically + # @default -- + pullPolicy: + # -- Will be set automatically + # @default -- + tag: + cmd: /bin/client_init.sh + mountPath: /config + + sidecar: + # -- Will be set automatically + # @default -- + repository: + # -- Will be set automatically + # @default -- + pullPolicy: + # -- Will be set automatically + # @default -- + tag: + cmd: /bin/client_sidecar.sh + mountPath: /config + + replicas: 1 + + strategy: + type: RollingUpdate + + # Args for webhook + # See more information in the container git repository at + # https://github.com/k8s-at-home/gateway-admision-controller + args: + - --tls-cert-file-path=/tls/tls.crt + - --tls-key-file-path=/tls/tls.key + - --setGatewayDefault + - --setGatewayLabel=setGateway + - --setGatewayAnnotation=setGateway + - --DNSPolicy=None + # - --debug + # - --development + # Set by Helm chart: + # --webhook-listen-address=: + # --gateway= + # --DNS= + # --initImage + # --initImagePullPol + # --initCmd + # --initMountPoint + # --sidecarImage + # --sidecarImagePullPol + # --sidecarCmd + # --sidecarMountPoint + # --configmapName + + service: + port: + path: /wh/mutating/setgateway + protocol: HTTPS + port: 8080
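Review bot: The default `additionalContainers` list ships a `test` container built from the floating `ghcr.io/k8s-at-home/pod-gateway:dev` tag, granted `NET_ADMIN` and the same `/config` mount as the gateway, and running an idle `sleep` loop; a debug container on an unpinned tag with a network-admin capability should not be part of the default installation, so the default should become `additionalContainers: []` with the example moved to the README. The `DNS` value has to be kept in sync with `VXLAN_GATEWAY_IP` in `settings.sh` by hand, as the comment admits; a `# must equal <VXLAN_IP_NETWORK>.1 below and the DNS value at the top of this file` note next to `VXLAN_IP_NETWORK` would at least make a mismatch visible. `VPN_BLOCK_OTHER_TRAFFIC=false` is the default, so non-VPN traffic may leave the gateway unless the operator opts in; the comment should state that explicitly (`# false: traffic is still forwarded when the VPN is down, i.e. no kill switch`). Typos in the comments: `typcally`, `bellow` (twice), `coma separated`, and `at least you have ready the webhook` should read `unless you have read the webhook`.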