Rename chart since it includes gateway now (#931)

This commit is contained in:
Angel Nunez Mencias 2021-06-03 17:49:56 +02:00 committed by GitHub
parent f10b49181a
commit 047489d781
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
19 changed files with 695 additions and 332 deletions


@ -14,7 +14,7 @@ excluded-charts:
- charts/stable/zalando-postgres-cluster - charts/stable/zalando-postgres-cluster
- charts/stable/zigbee2mqtt - charts/stable/zigbee2mqtt
- charts/stable/founderyvtt - charts/stable/founderyvtt
- charts/stable/pod-gateway-setter - charts/stable/pod-gateway
chart-repos: chart-repos:
- bitnami=https://charts.bitnami.com/bitnami - bitnami=https://charts.bitnami.com/bitnami
- k8s-at-home-libraries=https://library-charts.k8s-at-home.com - k8s-at-home-libraries=https://library-charts.k8s-at-home.com


@ -1,168 +0,0 @@
# pod-gateway-setter
![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square)
Admision controller to change the default gateway and DNS server of PODs
**This chart is not maintained by the upstream project and any issues with the chart should be raised [here](https://github.com/k8s-at-home/charts/issues/new/choose)**
## Source Code
* <https://github.com/pod-gateway-setter/pod-gateway-setter-docker>
## Requirements
Kubernetes: `>=1.16.0-0`
## Dependencies
| Repository | Name | Version |
|------------|------|---------|
| https://library-charts.k8s-at-home.com | common | 2.5.0 |
## TL;DR
```console
helm repo add k8s-at-home https://k8s-at-home.com/charts/
helm repo update
helm install pod-gateway-setter k8s-at-home/pod-gateway-setter
```
## Installing the Chart
To install the chart with the release name `pod-gateway-setter`
```console
helm install pod-gateway-setter k8s-at-home/pod-gateway-setter
```
## Uninstalling the Chart
To uninstall the `pod-gateway-setter` deployment
```console
helm uninstall pod-gateway-setter
```
The command removes all the Kubernetes components associated with the chart **including persistent volumes** and deletes the release.
## Configuration
Read through the [values.yaml](./values.yaml) file. It has several commented out suggested values.
Other values may be used from the [values.yaml](https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common/values.yaml) from the [common library](https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common).
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
```console
helm install pod-gateway-setter \
--set env.TZ="America/New York" \
k8s-at-home/pod-gateway-setter
```
Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart.
```console
helm install pod-gateway-setter k8s-at-home/pod-gateway-setter -f values.yaml
```
## Custom configuration
You need to set `gateway` to the hostname or address of your gateway. Then
all PODs in namespaces with the matching label (`routed-gateway=true` by default)
will be processed by the webhook.
The webhook by default changes all processed pods (remove `--setGatewayDefault`
if you want to change the default). You can also change the default for a
POD by adding a label or annotation (`setGateway` by default).
Processed PODs will get their default gateway changed. DNS server will
also be set to the gateway (at least the option `--keepDNS` is used).
Multiple instances of this chart might be installed that use different label
values. This is usufull, for example, to route multiple pod groups, each with
a different gateway.
**IMPORTANT**: Do not deploy this chart to a namespace controlled by this
webhook. This would result in a likelly deathlock when upgrading the chart.
**NOTE**: This char requires the cert-manager CRD to generate the required
certificates.
## Values
**Important**: When deploying an application Helm chart you can add more values from our common library chart [here](https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common)
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| additionalVolumeMounts[0].mountPath | string | `"/tls"` | |
| additionalVolumeMounts[0].name | string | `"certs"` | |
| additionalVolumeMounts[0].readOnly | bool | `true` | |
| args[0] | string | `"--tls-cert-file-path=/tls/tls.crt"` | |
| args[1] | string | `"--tls-key-file-path=/tls/tls.key"` | |
| args[2] | string | `"--setGatewayDefault"` | |
| args[3] | string | `"--setGatewayLabel=setGateway"` | |
| args[4] | string | `"--setGatewayAnnotation=setGateway"` | |
| gateway | string | `"10.0.2.7"` | Gateway to route traffic to. Can be an hostname or an IP |
| image.pullPolicy | string | `"IfNotPresent"` | |
| image.repository | string | `"ghcr.io/k8s-at-home/gateway-admision-controller"` | |
| image.tag | string | `"v2.0.0"` | |
| ingress.enabled | bool | `false` | |
| namespaceSelector | object | `{"matchLabels":{"routed-gateway":"true"}}` | Selector for namespace. All pods in this namespace will get their default gateway changed |
| probes.liveness.custom | bool | `true` | |
| probes.liveness.enabled | bool | `true` | |
| probes.liveness.spec.failureThreshold | int | `5` | |
| probes.liveness.spec.httpGet.path | string | `"/wh/health"` | |
| probes.liveness.spec.httpGet.port | int | `8080` | |
| probes.liveness.spec.httpGet.scheme | string | `"HTTPS"` | |
| probes.liveness.spec.initialDelaySeconds | int | `1` | |
| probes.liveness.spec.timeoutSeconds | int | `10` | |
| probes.readiness.custom | bool | `true` | |
| probes.readiness.enabled | bool | `true` | |
| probes.readiness.spec.failureThreshold | int | `5` | |
| probes.readiness.spec.httpGet.path | string | `"/wh/health"` | |
| probes.readiness.spec.httpGet.port | int | `8080` | |
| probes.readiness.spec.httpGet.scheme | string | `"HTTPS"` | |
| probes.readiness.spec.initialDelaySeconds | int | `1` | |
| probes.readiness.spec.timeoutSeconds | int | `10` | |
| probes.startup.custom | bool | `true` | |
| probes.startup.enabled | bool | `true` | |
| probes.startup.spec.failureThreshold | int | `30` | |
| probes.startup.spec.httpGet.path | string | `"/wh/health"` | |
| probes.startup.spec.httpGet.port | int | `8080` | |
| probes.startup.spec.httpGet.scheme | string | `"HTTPS"` | |
| probes.startup.spec.periodSeconds | int | `1` | |
| service.port.path | string | `"/wh/mutating/setgateway"` | |
| service.port.port | int | `8080` | |
| strategy.type | string | `"RollingUpdate"` | |
## Changelog
All notable changes to this application Helm chart will be documented in this file but does not include changes from our common library. To read those click [here](https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common#changelog).
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
### [1.0.0]
#### Added
- Initial version
#### Changed
- N/A
#### Removed
- N/A
[1.0.0]: #1.0.0
## Support
- See the [Docs](https://docs.k8s-at-home.com/our-helm-charts/getting-started/)
- Open an [issue](https://github.com/k8s-at-home/charts/issues/new/choose)
- Ask a [question](https://github.com/k8s-at-home/organization/discussions)
- Join our [Discord](https://discord.gg/sTMX7Vh) community
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0)


@ -1,40 +0,0 @@
{{/* Make sure all variables are set properly */}}
{{- include "common.values.setup" . }}
{{- define "pod-gateway-setter.selfSignedIssuer" -}}
{{ printf "%s-selfsign" (include "common.names.fullname" .) }}
{{- end -}}
{{- define "pod-gateway-setter.rootCAIssuer" -}}
{{ printf "%s-ca" (include "common.names.fullname" .) }}
{{- end -}}
{{- define "pod-gateway-setter.rootCACertificate" -}}
{{ printf "%s-ca" (include "common.names.fullname" .) }}
{{- end -}}
{{- define "pod-gateway-setter.servingCertificate" -}}
{{ printf "%s-webhook-tls" (include "common.names.fullname" .) }}
{{- end -}}
{{/* Append the cert secret to the additionalVolumes */}}
{{- define "pod-gateway-setter.servingCertificate.volume" -}}
name: certs
secret:
secretName: {{ include "pod-gateway-setter.servingCertificate" . }}
{{- end -}}
{{- $volume := include "pod-gateway-setter.servingCertificate.volume" . | fromYaml -}}
{{- if $volume -}}
{{- $additionalVolumes := append .Values.additionalVolumes $volume }}
{{- $_ := set .Values "additionalVolumes" (deepCopy $additionalVolumes) -}}
{{- end -}}
{{/* Append generated args */}}
{{- $noop := printf "--webhook-listen-address=:%s" (.Values.service.port.port |toString) | append .Values.args | set .Values "args" -}}
{{- $noop := printf "--gateway=%s" .Values.gateway | append .Values.args | set .Values "args" -}}
{{/* Render the templates */}}
{{ include "common.all" . }}


@ -1,92 +0,0 @@
#
# IMPORTANT NOTE
#
# This chart inherits from our common library chart. You can check the default values/options here:
# https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common/values.yaml
#
image:
repository: ghcr.io/k8s-at-home/gateway-admision-controller
pullPolicy: IfNotPresent
tag: v2.0.0
# -- Gateway to route traffic to.
# Can be an hostname or an IP
gateway: 10.0.2.7
# -- Selector for namespace.
# All pods in this namespace will get their default gateway changed
namespaceSelector:
matchLabels:
routed-gateway: "true"
# matchExpressions:
# - key: notTouch
# operator: NotIn
# values: ["1"]
strategy:
type: RollingUpdate
# Args for webhook
# See more information in the container git repository at
# https://github.com/k8s-at-home/gateway-admision-controller
args:
- --tls-cert-file-path=/tls/tls.crt
- --tls-key-file-path=/tls/tls.key
- --setGatewayDefault
- --setGatewayLabel=setGateway
- --setGatewayAnnotation=setGateway
# - --debug
# - --development
# - --keepDNS
# Set by Helm chart:
# --webhook-listen-address=:<set to service port>
# --gateway=<set automatically to 'gateway'>
service:
port:
path: /wh/mutating/setgateway
port: 8080
ingress:
enabled: false
additionalVolumeMounts:
- name: certs
mountPath: /tls
readOnly: true
# Probes configuration
probes:
liveness:
enabled: true
custom: true
spec:
httpGet:
scheme: HTTPS
port: 8080
path: /wh/health
initialDelaySeconds: 1
failureThreshold: 5
timeoutSeconds: 10
readiness:
enabled: true
custom: true
spec:
httpGet:
scheme: HTTPS
port: 8080
path: /wh/health
initialDelaySeconds: 1
failureThreshold: 5
timeoutSeconds: 10
startup:
enabled: true
custom: true
spec:
httpGet:
scheme: HTTPS
port: 8080
path: /wh/health
failureThreshold: 30
periodSeconds: 1


@ -1,15 +1,15 @@
apiVersion: v2 apiVersion: v2
appVersion: 1.0.0 appVersion: 1.0.0
description: Admision controller to change the default gateway and DNS server of PODs description: Admision controller to change the default gateway and DNS server of PODs
name: pod-gateway-setter name: pod-gateway
version: 1.0.0 version: 1.0.0
kubeVersion: ">=1.16.0-0" kubeVersion: ">=1.16.0-0"
keywords: keywords:
- pod-gateway-setter - pod-gateway
home: https://github.com/k8s-at-home/charts/tree/master/charts/stable/pod-gateway-setter home: https://github.com/k8s-at-home/charts/tree/master/charts/stable/pod-gateway
icon: https://pod-gateway-setter.org/icon icon: https://pod-gateway.org/icon
sources: sources:
- https://github.com/pod-gateway-setter/pod-gateway-setter-docker - https://github.com/pod-gateway/pod-gateway-docker
maintainers: maintainers:
- name: angelnu - name: angelnu
email: git@angelnu.com email: git@angelnu.com


@ -0,0 +1,197 @@
# pod-gateway
![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square)
Admision controller to change the default gateway and DNS server of PODs
**This chart is not maintained by the upstream project and any issues with the chart should be raised [here](https://github.com/k8s-at-home/charts/issues/new/choose)**
## Source Code
* <https://github.com/pod-gateway/pod-gateway-docker>
## Requirements
Kubernetes: `>=1.16.0-0`
## Dependencies
| Repository | Name | Version |
|------------|------|---------|
| https://library-charts.k8s-at-home.com | common | 2.5.0 |
## TL;DR
```console
helm repo add k8s-at-home https://k8s-at-home.com/charts/
helm repo update
helm install pod-gateway k8s-at-home/pod-gateway
```
## Installing the Chart
To install the chart with the release name `pod-gateway`
```console
helm install pod-gateway k8s-at-home/pod-gateway
```
## Uninstalling the Chart
To uninstall the `pod-gateway` deployment
```console
helm uninstall pod-gateway
```
The command removes all the Kubernetes components associated with the chart **including persistent volumes** and deletes the release.
## Configuration
Read through the [values.yaml](./values.yaml) file. It has several commented out suggested values.
Other values may be used from the [values.yaml](https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common/values.yaml) from the [common library](https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common).
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
```console
helm install pod-gateway \
--set env.TZ="America/New York" \
k8s-at-home/pod-gateway
```
Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart.
```console
helm install pod-gateway k8s-at-home/pod-gateway -f values.yaml
```
## Custom configuration
You need to add `routed-gateway=true` to the namespaces with PODs you
want to route through this POD gateway. If needed the label name can be changed
in .Values.
The webhook by default changes all processed pods (remove `--setGatewayDefault`
if you want to change the default). You can also change the default for a
POD by adding a label or annotation (`setGateway` by default).
Processed PODs will get their default gateway changed. DNS server will
also be set to the gateway (at least the option `--keepDNS` is used).
If you want to use the VPN please follow the
[common chart VPN sidecar docummentation](https://github.com/k8s-at-home/library-charts/blob/main/charts/stable/common/values.yaml).
If you want to test without VPN client you can
set the `VPN_BLOCK_OTHER_TRAFFIC` to false.
**IMPORTANT**: Do not deploy this chart to a namespace controlled by this
webhook. This would result in a likelly deathlock when upgrading the chart.
**NOTE**: This char requires the cert-manager CRD to generate the required
certificates. It does not install it as dependency to avoid conflicts.
## Values
**Important**: When deploying an application Helm chart you can add more values from our common library chart [here](https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common)
| Key | Type | Default | Description |
|-----|------|---------|-------------|
| DNS | string | `"172.16.0.1"` | IP address of the DNS server within the vxlan tunnel. All mutated PODs will get this as their DNS server. It must match VXLAN_GATEWAY_IP in settings.sh |
| additionalContainers[0].command[0] | string | `"/bin/sh"` | |
| additionalContainers[0].command[1] | string | `"-c"` | |
| additionalContainers[0].command[2] | string | `"while true; do sleep 600 & wait $!; done"` | |
| additionalContainers[0].image | string | `"ghcr.io/k8s-at-home/pod-gateway:dev"` | |
| additionalContainers[0].imagePullPolicy | string | `nil` | |
| additionalContainers[0].name | string | `"test"` | |
| additionalContainers[0].securityContext.capabilities.add[0] | string | `"NET_ADMIN"` | |
| additionalContainers[0].volumeMounts[0].mountPath | string | `"/config"` | |
| additionalContainers[0].volumeMounts[0].name | string | `"config"` | |
| additionalContainers[0].volumeMounts[0].readOnly | bool | `true` | |
| additionalVolumeMounts[0].mountPath | string | `"/config"` | |
| additionalVolumeMounts[0].name | string | `"config"` | |
| additionalVolumeMounts[0].readOnly | bool | `true` | |
| clusterName | string | `"cluster.local"` | cluster name used to derive the gateway full name |
| command[0] | string | `"/bin/gateway_sidecar.sh"` | |
| configmap.data."nat.conf" | string | `"# Configure client PODs with static IP addresses\n# and ports exposed through NAT\n# static IPs must be bellow VXLAN_GATEWAY_FIRST_DYNAMIC_IP\n#\n# hostname IP ports(coma separated)\n# Example:\n# transmission 10 tcp:18289,udp:18289\n"` | settings to expose ports, usually through a VPN provider NOTE: if you change it you will need to manually restart all containers using it |
| configmap.data."settings.sh" | string | `"#!/bin/sh\n# hostname of the gateway - it must accept vxlan and DHCP traffic\n# clients get it as env variable\nGATEWAY_NAME=\"${gateway}\"\n# K8S DNS IP address\n# clients get it as env variable\nK8S_DNS_IPS=\"${K8S_DNS_ips}\"\n\n# Vxlan ID to use\nVXLAN_ID=\"42\"\n# VXLAN need an /24 IP range not conflicting with K8S and local IP ranges\nVXLAN_IP_NETWORK=\"172.16.0\"\n# Gateway IP within the VXLAN - client PODs will be routed through it\nVXLAN_GATEWAY_IP=\"${VXLAN_IP_NETWORK}.1\"\n# Keep a range of IPs for static assignment in nat.conf\nVXLAN_GATEWAY_FIRST_DYNAMIC_IP=20\n\n# If using a VPN, interface name created by it\nVPN_INTERFACE=tun0\n# Prevent non VPN traffic to leave the gateway\nVPN_BLOCK_OTHER_TRAFFIC=false\n# Traffic to these IPs will be send through the K8S gateway\nVPN_LOCAL_CIDRS=\"10.0.0.0/8 192.168.0.0/16\"\n\n# DNS queries to these domains will be resolved by K8S DNS instead of\n# the default (typcally the VPN client changes it)\nDNS_LOCAL_CIDRS=\"local\"\n"` | settings for gateway - defaults should usually be good NOTE: if you change it you will need to manually restart all containers using it |
| configmap.enabled | bool | `true` | configmap contains clients and gateway PODs setting |
| configmap.namespaces | list | `["kube-system","vpn"]` | Namespaces to create the configmap to. It must list all namespaces where client PODs get deployed to. The chart namespace is added automatically |
| image.pullPolicy | string | `"IfNotPresent"` | |
| image.repository | string | `"ghcr.io/k8s-at-home/pod-gateway"` | |
| image.tag | string | `"v1.1.0"` | |
| initContainers[0].command[0] | string | `"/bin/gateway_init.sh"` | |
| initContainers[0].image | string | `nil` | Will be set automatically |
| initContainers[0].imagePullPolicy | string | `nil` | Will be set automatically |
| initContainers[0].name | string | `"routes"` | |
| initContainers[0].securityContext.capabilities.add[0] | string | `"NET_ADMIN"` | |
| initContainers[0].volumeMounts[0].mountPath | string | `"/config"` | |
| initContainers[0].volumeMounts[0].name | string | `"config"` | |
| initContainers[0].volumeMounts[0].readOnly | bool | `true` | |
| probes.liveness.enabled | bool | `false` | |
| probes.readiness.enabled | bool | `false` | |
| probes.startup.enabled | bool | `false` | |
| securityContext.capabilities.add[0] | string | `"NET_ADMIN"` | |
| service.clusterIP | string | `"None"` | |
| service.port.port | int | `4789` | |
| service.port.protocol | string | `"UDP"` | |
| service.type | string | `"ClusterIP"` | |
| webhook.additionalVolumes | list | `[]` | |
| webhook.args[0] | string | `"--tls-cert-file-path=/tls/tls.crt"` | |
| webhook.args[1] | string | `"--tls-key-file-path=/tls/tls.key"` | |
| webhook.args[2] | string | `"--setGatewayDefault"` | |
| webhook.args[3] | string | `"--setGatewayLabel=setGateway"` | |
| webhook.args[4] | string | `"--setGatewayAnnotation=setGateway"` | |
| webhook.args[5] | string | `"--DNSPolicy=None"` | |
| webhook.image.pullPolicy | string | `"IfNotPresent"` | |
| webhook.image.repository | string | `"ghcr.io/k8s-at-home/gateway-admision-controller"` | |
| webhook.image.tag | string | `"v3.2.0"` | |
| webhook.inserted.init.cmd | string | `"/bin/client_init.sh"` | |
| webhook.inserted.init.mountPath | string | `"/config"` | |
| webhook.inserted.init.pullPolicy | string | `nil` | Will be set automatically |
| webhook.inserted.init.repository | string | `nil` | Will be set automatically |
| webhook.inserted.init.tag | string | `nil` | Will be set automatically |
| webhook.inserted.sidecar.cmd | string | `"/bin/client_sidecar.sh"` | |
| webhook.inserted.sidecar.mountPath | string | `"/config"` | |
| webhook.inserted.sidecar.pullPolicy | string | `nil` | Will be set automatically |
| webhook.inserted.sidecar.repository | string | `nil` | Will be set automatically |
| webhook.inserted.sidecar.tag | string | `nil` | Will be set automatically |
| webhook.namespaceSelector | object | `{"matchLabels":{"routed-gateway":"true"}}` | Selector for namespace. All pods in this namespace will get their default gateway changed |
| webhook.replicas | int | `1` | |
| webhook.service.port.path | string | `"/wh/mutating/setgateway"` | |
| webhook.service.port.port | int | `8080` | |
| webhook.service.port.protocol | string | `"HTTPS"` | |
| webhook.strategy.type | string | `"RollingUpdate"` | |
## Changelog
All notable changes to this application Helm chart will be documented in this file but does not include changes from our common library. To read those click [here](https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common#changelog).
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
### [1.0.0]
#### Added
- renamed chart from `pod-gateway-setter` to `pod-gateway`
- sidecar support
- gatewaySufix
- init container uses now an image
#### Changed
- N/A
#### Removed
- N/A
[1.0.0]: #1.0.0
## Support
- See the [Docs](https://docs.k8s-at-home.com/our-helm-charts/getting-started/)
- Open an [issue](https://github.com/k8s-at-home/charts/issues/new/choose)
- Ask a [question](https://github.com/k8s-at-home/organization/discussions)
- Join our [Discord](https://discord.gg/sTMX7Vh) community
----------------------------------------------
Autogenerated from chart metadata using [helm-docs v1.5.0](https://github.com/norwoodj/helm-docs/releases/v1.5.0)


@ -13,7 +13,10 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
#### Added #### Added
- Initial version - renamed chart from `pod-gateway-setter` to `pod-gateway`
- sidecar support
- gatewaySufix
- init container uses now an image
#### Changed #### Changed


@ -5,9 +5,9 @@
{{- define "custom.custom.configuration" -}} {{- define "custom.custom.configuration" -}}
{{ template "custom.custom.configuration.header" . }} {{ template "custom.custom.configuration.header" . }}
You need to set `gateway` to the hostname or address of your gateway. Then You need to add `routed-gateway=true` to the namespaces with PODs you
all PODs in namespaces with the matching label (`routed-gateway=true` by default) want to route through this POD gateway. If needed the label name can be changed
will be processed by the webhook. in .Values.
The webhook by default changes all processed pods (remove `--setGatewayDefault` The webhook by default changes all processed pods (remove `--setGatewayDefault`
if you want to change the default). You can also change the default for a if you want to change the default). You can also change the default for a
@ -16,14 +16,15 @@ POD by adding a label or annotation (`setGateway` by default).
Processed PODs will get their default gateway changed. DNS server will Processed PODs will get their default gateway changed. DNS server will
also be set to the gateway (at least the option `--keepDNS` is used). also be set to the gateway (at least the option `--keepDNS` is used).
Multiple instances of this chart might be installed that use different label If you want to use the VPN please follow the
values. This is usufull, for example, to route multiple pod groups, each with [common chart VPN sidecar docummentation](https://github.com/k8s-at-home/library-charts/blob/main/charts/stable/common/values.yaml).
a different gateway. If you want to test without VPN client you can
set the `VPN_BLOCK_OTHER_TRAFFIC` to false.
**IMPORTANT**: Do not deploy this chart to a namespace controlled by this **IMPORTANT**: Do not deploy this chart to a namespace controlled by this
webhook. This would result in a likelly deathlock when upgrading the chart. webhook. This would result in a likelly deathlock when upgrading the chart.
**NOTE**: This char requires the cert-manager CRD to generate the required **NOTE**: This char requires the cert-manager CRD to generate the required
certificates. certificates. It does not install it as dependency to avoid conflicts.
{{- end -}} {{- end -}}


@ -0,0 +1,22 @@
{{/* Make sure all variables are set properly */}}
{{- include "common.values.setup" . }}
{{- $_ := set (first .Values.initContainers ) "image" (printf "%s:%s" .Values.image.repository .Values.image.tag ) -}}
{{- $_ := set (first .Values.initContainers ) "imagePullPolicy" .Values.image.pullPolicy -}}
{{/* Append the cert secret to the additionalVolumes */}}
{{- define "pod-gateway.settings.volume" -}}
name: config
configMap:
name: {{ include "pod-gateway.configmap" . }}
defaultMode: 0555
{{- end -}}
{{- $volume := include "pod-gateway.settings.volume" . | fromYaml -}}
{{- if $volume -}}
{{- $additionalVolumes := append .Values.additionalVolumes $volume }}
{{- $_ := set .Values "additionalVolumes" (deepCopy $additionalVolumes) -}}
{{- end -}}
{{/* Render the templates */}}
{{ include "common.all" . }}
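Review bot: The comment above `pod-gateway.settings.volume` still says the cert secret is appended, but the define now appends the settings ConfigMap volume (`name: config`, `configMap:`); suggest `{{/* Append the settings configmap to the additionalVolumes */}}`. Separately, `first .Values.initContainers` is dereferenced unconditionally on the two `set` lines, so a user who empties `initContainers` gets a template error from `set` on a nil value instead of a clear message; wrapping those two lines in `{{- with first .Values.initContainers }}` … `{{- end }}` (reading `$.Values.image.*` inside) or guarding with `{{- if .Values.initContainers }}` makes the assumption explicit. Note also that the `set` overwrites whatever the user placed in `initContainers[0].image`, which matches the "Will be set automatically" text in the README but means that field cannot be overridden from values.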


@ -0,0 +1,14 @@
{{- if .Values.configmap.enabled -}}
{{- range $namespace := .Values.configmap.namespaces }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "pod-gateway.configmap" $ | quote }}
namespace: {{ $namespace }}
labels:
{{- include "common.labels" $ | nindent 4 }}
data:
{{- $.Values.configmap.data | toYaml | nindent 2 }}
{{- end -}}
{{- end -}}
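Review bot: The README values table says the chart namespace is added automatically to `configmap.namespaces`, but this template only ranges over `.Values.configmap.namespaces`; unless values.yaml (not in view) or a helper appends `.Release.Namespace`, a user who overrides the list without their release namespace will have the gateway pod's `config` volume reference a ConfigMap that does not exist in that namespace. Either append it here, e.g. `{{- range $namespace := append .Values.configmap.namespaces .Release.Namespace | uniq }}`, or drop the claim from the README. Also, `namespace: {{ $namespace }}` is unquoted while `name:` on the line above is quoted; `namespace: {{ $namespace | quote }}` keeps the two consistent.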


@ -5,11 +5,11 @@ metadata:
labels: labels:
{{- include "common.labels" . | nindent 4 }} {{- include "common.labels" . | nindent 4 }}
annotations: annotations:
cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "pod-gateway-setter.servingCertificate" . }}" cert-manager.io/inject-ca-from: "{{ .Release.Namespace }}/{{ include "pod-gateway.servingCertificate" . }}"
webhooks: webhooks:
- name: "{{ include "common.names.fullname" . }}.svc.cluster.local" - name: "{{ include "common.names.fullname" . }}.svc.cluster.local"
namespaceSelector: namespaceSelector:
{{- with .Values.namespaceSelector }} {{- with .Values.webhook.namespaceSelector }}
{{ toYaml . | nindent 4 }} {{ toYaml . | nindent 4 }}
{{- end }} {{- end }}
rules: rules:
@ -21,9 +21,9 @@ webhooks:
clientConfig: clientConfig:
service: service:
namespace: {{ .Release.Namespace | quote }} namespace: {{ .Release.Namespace | quote }}
name: {{ include "common.names.fullname" . | quote }} name: {{ include "common.names.fullname" . }}-webhook
path: {{ .Values.service.port.path | quote }} path: {{ .Values.webhook.service.port.path | quote }}
port: {{ .Values.service.port.port }} port: {{ .Values.webhook.service.port.port }}
admissionReviewVersions: ["v1", "v1beta1"] admissionReviewVersions: ["v1", "v1beta1"]
sideEffects: None sideEffects: None
timeoutSeconds: 5 timeoutSeconds: 5
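Review bot: The webhook `name` on the context line is still hard-coded to `.svc.cluster.local` while the commit introduces `clusterName` (used by the `pod-gateway.gateway` helper) to make the cluster domain configurable; `- name: "{{ include "common.names.fullname" . }}.svc.{{ .Values.clusterName }}"` keeps the two in step. In the same hunk `clientConfig.service.name` lost its `| quote` when `-webhook` was appended, while `namespace:` just above it stays quoted; `name: {{ printf "%s-webhook" (include "common.names.fullname" .) | quote }}` restores that consistency. The webhook's `rules` and `failurePolicy` are outside the hunk; since a pod admitted without mutation keeps the cluster default route instead of going through the gateway, it is worth confirming what the chart sets there and documenting it in values.yaml.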


@ -0,0 +1,64 @@
{{/* Make sure all variables are set properly */}}
{{- include "common.values.setup" . }}
{{- $_ := set .Values.webhook.inserted.init "repository" .Values.image.repository -}}
{{- $_ := set .Values.webhook.inserted.init "tag" .Values.image.tag -}}
{{- $_ := set .Values.webhook.inserted.init "pullPolicy" .Values.image.pullPolicy -}}
{{- $_ := set .Values.webhook.inserted.sidecar "repository" .Values.image.repository -}}
{{- $_ := set .Values.webhook.inserted.sidecar "tag" .Values.image.tag -}}
{{- $_ := set .Values.webhook.inserted.sidecar "pullPolicy" .Values.image.pullPolicy -}}
{{- define "pod-gateway.webhook-inserted-init-repository" -}}
{{ printf "%s:%s" ( .Values.image.repository | default .Values.webhook.inserted.init.repository ) ( .Values.image.tag | default .Values.webhook.inserted.init.tag ) }}
{{- end -}}
{{- define "pod-gateway.webhook-inserted-init-pullPolicy" -}}
{{ .Values.webhook.inserted.init.pullPolicy | default .Values.image.pullPolicy }}
{{- end -}}
{{- define "pod-gateway.webhook-inserted-sidecar-repository" -}}
{{ printf "%s:%s" ( .Values.image.repository | default .Values.webhook.inserted.sidecar.repository ) ( .Values.image.tag | default .Values.webhook.inserted.sidecar.tag ) }}
{{- end -}}
{{- define "pod-gateway.webhook-inserted-sidecar-pullPolicy" -}}
{{ .Values.webhook.inserted.sidecar.pullPolicy | default .Values.image.pullPolicy }}
{{- end -}}
{{- define "pod-gateway.gateway" -}}
{{ printf "%s.%s.svc.%s" (include "common.names.fullname" .) .Release.Namespace .Values.clusterName }}
{{- end -}}
{{- define "pod-gateway.init.image" -}}
{{ printf "%s:%s" .Values.webhook.inserted.init.repository (.Values.webhook.inserted.init.tag | default "latest" ) }}
{{- end -}}
{{- define "pod-gateway.sidecar.image" -}}
{{ printf "%s:%s" .Values.webhook.inserted.sidecar.repository (.Values.webhook.inserted.sidecar.tag | default "latest" ) }}
{{- end -}}
{{- define "pod-gateway.configmap" -}}
{{ include "common.names.fullname" . }}
{{- end -}}
{{- define "pod-gateway.selfSignedIssuer" -}}
{{ printf "%s-webhook-selfsign" (include "common.names.fullname" .) }}
{{- end -}}
{{- define "pod-gateway.rootCAIssuer" -}}
{{ printf "%s-webhook-ca" (include "common.names.fullname" .) }}
{{- end -}}
{{- define "pod-gateway.rootCACertificate" -}}
{{ printf "%s-webhook-ca" (include "common.names.fullname" .) }}
{{- end -}}
{{- define "pod-gateway.servingCertificate" -}}
{{ printf "%s-webhook-tls" (include "common.names.fullname" .) }}
{{- end -}}
{{- define "pod-gateway.labels.selectorLabels" -}}
app.kubernetes.io/name: {{ include "common.names.name" . }}-webhook
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end -}}
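Review bot: The `default` in `pod-gateway.webhook-inserted-init-repository` and `pod-gateway.webhook-inserted-sidecar-repository` runs the wrong way: `.Values.image.repository | default .Values.webhook.inserted.init.repository` yields `image.repository` whenever it is set, so a user's `webhook.inserted.init.repository`/`tag` override can never win, the opposite of the `pullPolicy` helpers just below which put the override first. It should read `printf "%s:%s" ( .Values.webhook.inserted.init.repository | default .Values.image.repository ) ( .Values.webhook.inserted.init.tag | default .Values.image.tag )`, and likewise for the sidecar helper. Note too that the six `set` calls at the top unconditionally copy `image.*` onto `webhook.inserted.*`, so even with that fix the override is clobbered before the helper runs; those should either apply `default` as well or be removed, and then `pod-gateway.init.image`/`pod-gateway.sidecar.image` read the same merged values.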


@ -0,0 +1,103 @@
apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
kind: Deployment
metadata:
name: {{ include "common.names.fullname" . }}-webhook
labels:
{{- include "common.labels" . | nindent 4 }}
{{- with .Values.webhook.controllerLabels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.webhook.controllerAnnotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
replicas: {{ .Values.webhook.replicas }}
{{- with .Values.webhook.strategy }}
strategy:
{{- toYaml . | nindent 4 }}
{{- end }}
selector:
matchLabels:
{{ include "pod-gateway.labels.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.webhook.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{ include "pod-gateway.labels.selectorLabels" . | nindent 8 }}
spec:
volumes:
- name: certs
secret:
secretName: {{ include "pod-gateway.servingCertificate" . }}
defaultMode: 420
containers:
- name: foo-pod-gateway
image: {{ .Values.webhook.image.repository }}:{{ .Values.webhook.image.tag }}
args:
- --webhook-listen-address=:{{ .Values.webhook.service.port.port |toString }}
- --gateway={{ include "pod-gateway.gateway" . }}
- --DNS={{ .Values.DNS }}
{{- if .Values.configmap.enabled }}
- --configmapName={{ include "pod-gateway.configmap" . }}
{{- end}}
{{- if ( include "pod-gateway.webhook-inserted-init-repository" . ) }}
- --initImage={{ include "pod-gateway.webhook-inserted-init-repository" . }}
- --initImagePullPol={{ include "pod-gateway.webhook-inserted-init-pullPolicy" . }}
- --initCmd={{ .Values.webhook.inserted.init.cmd }}
- --initMountPoint={{ .Values.webhook.inserted.init.mountPath }}
{{- end}}
{{- if ( include "pod-gateway.webhook-inserted-sidecar-repository" . ) }}
- --sidecarImage={{ include "pod-gateway.webhook-inserted-init-repository" . }}
- --sidecarImagePullPol={{ include "pod-gateway.webhook-inserted-sidecar-pullPolicy" . }}
- --sidecarCmd={{ .Values.webhook.inserted.sidecar.cmd }}
- --sidecarMountPoint={{ .Values.webhook.inserted.sidecar.mountPath }}
{{- end}}
{{ toYaml .Values.webhook.args | nindent 12 }}
ports:
- name: http
containerPort: {{ .Values.webhook.service.port.port }}
protocol: TCP
resources: {}
volumeMounts:
- name: certs
readOnly: true
mountPath: /tls
livenessProbe:
httpGet:
path: /wh/health
port: {{ .Values.webhook.service.port.port }}
scheme: {{ .Values.webhook.service.port.protocol }}
initialDelaySeconds: 1
timeoutSeconds: 10
periodSeconds: 10
successThreshold: 1
failureThreshold: 5
readinessProbe:
httpGet:
path: /wh/health
port: {{ .Values.webhook.service.port.port }}
scheme: {{ .Values.webhook.service.port.protocol }}
initialDelaySeconds: 1
timeoutSeconds: 10
periodSeconds: 10
successThreshold: 1
failureThreshold: 5
startupProbe:
httpGet:
path: /wh/health
port: {{ .Values.webhook.service.port.port }}
scheme: {{ .Values.webhook.service.port.protocol }}
timeoutSeconds: 1
periodSeconds: 1
successThreshold: 1
failureThreshold: 30
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
imagePullPolicy: {{ .Values.webhook.image.pullPolicy }}
restartPolicy: Always
strategy:
type: {{ .Values.webhook.strategy.type }}
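Review bot: The `--sidecarImage` argument in the webhook args list is built from the init-container helper (`--sidecarImage={{ include "pod-gateway.webhook-inserted-init-repository" . }}`), so the sidecar injected into client pods would run the init image whenever the two differ; it should read `- --sidecarImage={{ include "pod-gateway.webhook-inserted-sidecar-repository" . }}` to match the guard that encloses it. Those `pod-gateway.webhook-inserted-*` helper names are not among the helpers visible in this chunk (the visible `_helpers.tpl` hunk defines `pod-gateway.init.image` and `pod-gateway.sidecar.image`), so confirm they exist in the part of the helpers file outside this view. The container name `foo-pod-gateway` reads like a placeholder left from development. A `strategy:` block appears both near the top of the Deployment spec (from `.Values.webhook.strategy`) and again after `restartPolicy: Always`; if the second is also under the Deployment spec it is a duplicate key that most YAML parsers silently resolve last-wins, and the rendered view does not preserve enough indentation to tell. The webhook container also ships with `resources: {}` and no `securityContext`; for an admission controller sitting in the API server's request path, a resources block and at least `runAsNonRoot: true` / `readOnlyRootFilesystem: true` (the TLS secret is already mounted read-only) would be worth wiring from values.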


@ -4,7 +4,7 @@
apiVersion: cert-manager.io/v1 apiVersion: cert-manager.io/v1
kind: Issuer kind: Issuer
metadata: metadata:
name: {{ include "pod-gateway-setter.selfSignedIssuer" . }} name: {{ include "pod-gateway.selfSignedIssuer" . }}
namespace: {{ .Release.Namespace | quote }} namespace: {{ .Release.Namespace | quote }}
labels: labels:
{{- include "common.labels" . | nindent 4 }} {{- include "common.labels" . | nindent 4 }}
@ -17,17 +17,17 @@ spec:
apiVersion: cert-manager.io/v1 apiVersion: cert-manager.io/v1
kind: Certificate kind: Certificate
metadata: metadata:
name: {{ include "pod-gateway-setter.rootCACertificate" . }} name: {{ include "pod-gateway.rootCACertificate" . }}
namespace: {{ .Release.Namespace | quote }} namespace: {{ .Release.Namespace | quote }}
labels: labels:
{{- include "common.labels" . | nindent 4 }} {{- include "common.labels" . | nindent 4 }}
spec: spec:
secretName: {{ include "pod-gateway-setter.rootCACertificate" . }} secretName: {{ include "pod-gateway.rootCACertificate" . }}
duration: 43800h # 5y duration: 43800h # 5y
issuerRef: issuerRef:
name: {{ include "pod-gateway-setter.selfSignedIssuer" . }} name: {{ include "pod-gateway.selfSignedIssuer" . }}
kind: Issuer kind: Issuer
commonName: "ca.pod-gateway-setter.cert-manager" commonName: "ca.pod-gateway.cert-manager"
isCA: true isCA: true
--- ---
@ -36,13 +36,13 @@ spec:
apiVersion: cert-manager.io/v1 apiVersion: cert-manager.io/v1
kind: Issuer kind: Issuer
metadata: metadata:
name: {{ include "pod-gateway-setter.rootCAIssuer" . }} name: {{ include "pod-gateway.rootCAIssuer" . }}
namespace: {{ .Release.Namespace | quote }} namespace: {{ .Release.Namespace | quote }}
labels: labels:
{{- include "common.labels" . | nindent 4 }} {{- include "common.labels" . | nindent 4 }}
spec: spec:
ca: ca:
secretName: {{ include "pod-gateway-setter.rootCACertificate" . }} secretName: {{ include "pod-gateway.rootCACertificate" . }}
--- ---
@ -50,17 +50,17 @@ spec:
apiVersion: cert-manager.io/v1 apiVersion: cert-manager.io/v1
kind: Certificate kind: Certificate
metadata: metadata:
name: {{ include "pod-gateway-setter.servingCertificate" . }} name: {{ include "pod-gateway.servingCertificate" . }}
namespace: {{ .Release.Namespace | quote }} namespace: {{ .Release.Namespace | quote }}
labels: labels:
{{- include "common.labels" . | nindent 4 }} {{- include "common.labels" . | nindent 4 }}
spec: spec:
secretName: {{ include "pod-gateway-setter.servingCertificate" . }} secretName: {{ include "pod-gateway.servingCertificate" . }}
duration: 8760h # 1y duration: 8760h # 1y
issuerRef: issuerRef:
name: {{ include "pod-gateway-setter.rootCAIssuer" . }} name: {{ include "pod-gateway.rootCAIssuer" . }}
kind: Issuer kind: Issuer
dnsNames: dnsNames:
- {{ include "common.names.fullname" . }} - {{ include "common.names.fullname" . }}-webhook
- {{ include "common.names.fullname" . }}.{{ .Release.Namespace }} - {{ include "common.names.fullname" . }}-webhook.{{ .Release.Namespace }}
- {{ include "common.names.fullname" . }}.{{ .Release.Namespace }}.svc - {{ include "common.names.fullname" . }}-webhook.{{ .Release.Namespace }}.svc
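Review bot: The serving certificate's `dnsNames` now carry only the `-webhook` suffixed name (`{{ include "common.names.fullname" . }}-webhook` and its `.<namespace>` / `.svc` forms) and drop the bare fullname; this matches the Service name introduced in this commit, but the MutatingWebhookConfiguration that points `clientConfig.service.name` at it is outside this chunk and must use the same `-webhook` name, otherwise the API server will fail TLS verification against the webhook. This is more than the rename the commit title describes, so a sentence in the description noting the new service and SAN names would help anyone upgrading an existing release.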


@ -0,0 +1,32 @@
{{- $values := .Values.webhook.service -}}
apiVersion: v1
kind: Service
metadata:
name: {{ include "common.names.fullname" . }}-webhook
labels:
{{- include "common.labels" . | nindent 4 }}
{{- if $values.labels }}
{{ toYaml $values.labels | nindent 4 }}
{{- end }}
annotations:
{{- if eq ( $values.port.protocol | default "" ) "HTTPS" }}
traefik.ingress.kubernetes.io/service.serversscheme: https
{{- end }}
{{- with $values.annotations }}
{{ toYaml . | nindent 4 }}
{{- end }}
spec:
type: ClusterIP
{{- if $values.clusterIP }}
clusterIP: {{ $values.clusterIP }}
{{end}}
{{- if $values.sessionAffinity }}
sessionAffinity: {{ $values.sessionAffinity }}
{{- if $values.sessionAffinityConfig }}
sessionAffinityConfig:
{{ toYaml $values.sessionAffinityConfig | nindent 4 }}
{{- end -}}
{{- end }}
{{- include "common.classes.service.ports" (dict "svcType" "ClusterIP" "values" $values ) | trim | nindent 2 }}
selector:
{{- include "pod-gateway.labels.selectorLabels" . | nindent 4 }}
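Review bot: The closing tag after `clusterIP:` is written `{{end}}` while every other closing tag in this template uses `{{- end }}`; without the leading dash the preceding newline is kept, so the rendered Service gets a stray blank line inside `spec`, and the inconsistency makes the template harder to lint. Change it to `{{- end }}`. The `{{- end -}}` after `sessionAffinityConfig` trims the newline before the following `{{- end }}`, which renders correctly, but two adjacent trims are easy to get wrong in later edits; writing both as `{{- end }}` keeps the file uniform.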


@ -0,0 +1,227 @@
#
# IMPORTANT NOTE
#
# This chart inherits from our common library chart. You can check the default values/options here:
# https://github.com/k8s-at-home/library-charts/tree/main/charts/stable/common/values.yaml
#
image:
repository: ghcr.io/k8s-at-home/pod-gateway
pullPolicy: IfNotPresent
tag: v1.1.0
# -- IP address of the DNS server within the vxlan tunnel.
# All mutated PODs will get this as their DNS server.
# It must match VXLAN_GATEWAY_IP in settings.sh
DNS: 172.16.0.1
# -- cluster name used to derive the gateway full name
clusterName: "cluster.local"
configmap:
# -- configmap contains clients and gateway PODs setting
enabled: true
# -- Namespaces to create the configmap to.
# It must list all namespaces where client PODs get deployed to.
# The chart namespace is added automatically
namespaces:
- kube-system
- vpn
data:
# -- settings for gateway - defaults should usually be good
# NOTE: if you change it you will need to manually restart all
# containers using it
settings.sh: |
#!/bin/sh
# hostname of the gateway - it must accept vxlan and DHCP traffic
# clients get it as env variable
GATEWAY_NAME="${gateway}"
# K8S DNS IP address
# clients get it as env variable
K8S_DNS_IPS="${K8S_DNS_ips}"
# Vxlan ID to use
VXLAN_ID="42"
# VXLAN need an /24 IP range not conflicting with K8S and local IP ranges
VXLAN_IP_NETWORK="172.16.0"
# Gateway IP within the VXLAN - client PODs will be routed through it
VXLAN_GATEWAY_IP="${VXLAN_IP_NETWORK}.1"
# Keep a range of IPs for static assignment in nat.conf
VXLAN_GATEWAY_FIRST_DYNAMIC_IP=20
# If using a VPN, interface name created by it
VPN_INTERFACE=tun0
# Prevent non VPN traffic to leave the gateway
VPN_BLOCK_OTHER_TRAFFIC=false
# Traffic to these IPs will be send through the K8S gateway
VPN_LOCAL_CIDRS="10.0.0.0/8 192.168.0.0/16"
# DNS queries to these domains will be resolved by K8S DNS instead of
# the default (typcally the VPN client changes it)
DNS_LOCAL_CIDRS="local"
# -- settings to expose ports, usually through a VPN provider
# NOTE: if you change it you will need to manually restart all
# containers using it
nat.conf: |
# Configure client PODs with static IP addresses
# and ports exposed through NAT
# static IPs must be bellow VXLAN_GATEWAY_FIRST_DYNAMIC_IP
#
# hostname IP ports(coma separated)
# Example:
# transmission 10 tcp:18289,udp:18289
# You should not need to change the settings bellow this
# at least you have ready the webhook and pod-gateway containers
# documentation
command:
- /bin/gateway_sidecar.sh
securityContext:
capabilities:
add:
- NET_ADMIN
additionalVolumeMounts:
- name: config
mountPath: /config
readOnly: true
initContainers:
- name: "routes"
# -- Will be set automatically
# @default -- <image.repository>:<image.tag>
image:
# -- Will be set automatically
# @default -- <image.pullPolicy>
imagePullPolicy:
command:
- /bin/gateway_init.sh
securityContext:
capabilities:
add:
- NET_ADMIN
volumeMounts:
- name: config
mountPath: /config
readOnly: true
additionalContainers:
- name: "test"
image: "ghcr.io/k8s-at-home/pod-gateway:dev"
imagePullPolicy:
command:
- /bin/sh
- -c
- while true; do
sleep 600 &
wait $!;
done
securityContext:
capabilities:
add:
- NET_ADMIN
volumeMounts:
- name: config
mountPath: /config
readOnly: true
probes:
liveness:
enabled: false
readiness:
enabled: false
startup:
enabled: false
service:
type: ClusterIP
clusterIP: None
port:
port: 4789
protocol: UDP
webhook:
image:
repository: ghcr.io/k8s-at-home/gateway-admision-controller
pullPolicy: IfNotPresent
tag: v3.2.0
# -- Selector for namespace.
# All pods in this namespace will get their default gateway changed
namespaceSelector:
matchLabels:
routed-gateway: "true"
# matchExpressions:
# - key: notTouch
# operator: NotIn
# values: ["1"]
additionalVolumes: []
inserted:
init:
# -- Will be set automatically
# @default -- <image.repository>
repository:
# -- Will be set automatically
# @default -- <image.pullPolicy>
pullPolicy:
# -- Will be set automatically
# @default -- <image.tag>
tag:
cmd: /bin/client_init.sh
mountPath: /config
sidecar:
# -- Will be set automatically
# @default -- <image.repository>
repository:
# -- Will be set automatically
# @default -- <image.pullPolicy>
pullPolicy:
# -- Will be set automatically
# @default -- <image.tag>
tag:
cmd: /bin/client_sidecar.sh
mountPath: /config
replicas: 1
strategy:
type: RollingUpdate
# Args for webhook
# See more information in the container git repository at
# https://github.com/k8s-at-home/gateway-admision-controller
args:
- --tls-cert-file-path=/tls/tls.crt
- --tls-key-file-path=/tls/tls.key
- --setGatewayDefault
- --setGatewayLabel=setGateway
- --setGatewayAnnotation=setGateway
- --DNSPolicy=None
# - --debug
# - --development
# Set by Helm chart:
# --webhook-listen-address=:<set to service port>
# --gateway=<set automatically to 'gateway'>
# --DNS=<set automatically to 'gateway'>
# --initImage
# --initImagePullPol
# --initCmd
# --initMountPoint
# --sidecarImage
# --sidecarImagePullPol
# --sidecarCmd
# --sidecarMountPoint
# --configmapName
service:
port:
path: /wh/mutating/setgateway
protocol: HTTPS
port: 8080