diff --git a/charts/stable/pod-gateway/Chart.yaml b/charts/stable/pod-gateway/Chart.yaml
index b15a04ad..54481565 100644
--- a/charts/stable/pod-gateway/Chart.yaml
+++ b/charts/stable/pod-gateway/Chart.yaml
@@ -1,8 +1,8 @@
 apiVersion: v2
-appVersion: 1.0.0
+appVersion: 1.2.3
 description: Admision controller to change the default gateway and DNS server of PODs
 name: pod-gateway
-version: 1.0.1
+version: 2.0.0
 kubeVersion: ">=1.16.0-0"
 keywords:
 - pod-gateway
diff --git a/charts/stable/pod-gateway/README.md b/charts/stable/pod-gateway/README.md
index 637ecd6c..d8e6c98d 100644
--- a/charts/stable/pod-gateway/README.md
+++ b/charts/stable/pod-gateway/README.md
@@ -1,6 +1,6 @@
 # pod-gateway
-![Version: 1.0.1](https://img.shields.io/badge/Version-1.0.1-informational?style=flat-square) ![AppVersion: 1.0.0](https://img.shields.io/badge/AppVersion-1.0.0-informational?style=flat-square)
+![Version: 2.0.0](https://img.shields.io/badge/Version-2.0.0-informational?style=flat-square) ![AppVersion: 1.2.3](https://img.shields.io/badge/AppVersion-1.2.3-informational?style=flat-square)
 Admision controller to change the default gateway and DNS server of PODs
@@ -99,31 +99,49 @@ certificates. It does not install it as dependency to avoid conflicts. | additionalVolumeMounts[0].mountPath | string | `"/config"` | | | additionalVolumeMounts[0].name | string | `"config"` | | | additionalVolumeMounts[0].readOnly | bool | `true` | | +| addons.vpn.configFileSecret | string | `"openvpn"` | | +| addons.vpn.enabled | bool | `false` | Enable the VPN if you want to route through a VPN. You might also want to set VPN_BLOCK_OTHER_TRAFFIC to true for extra safeness in case the VPN does connect | +| addons.vpn.env | string | `nil` | | +| addons.vpn.networkPolicy.egress[0].ports[0].port | int | `443` | | +| addons.vpn.networkPolicy.egress[0].ports[0].protocol | string | `"UDP"` | | +| addons.vpn.networkPolicy.egress[0].to[0].ipBlock.cidr | string | `"0.0.0.0/0"` | | +| addons.vpn.networkPolicy.egress[1].to[0].ipBlock.cidr | string | `"10.0.0.0/8"` | | +| addons.vpn.networkPolicy.enabled | bool | `true` | | +| addons.vpn.openvpn | string | `nil` | | +| addons.vpn.type | string | `"openvpn"` | | +| addons.vpn.wireguard | string | `nil` | | | clusterName | string | `"cluster.local"` | cluster name used to derive the gateway full name | | command[0] | string | `"/bin/gateway_sidecar.sh"` | | -| configmap.data."nat.conf" | string | `"# Configure client PODs with static IP addresses\n# and ports exposed through NAT\n# static IPs must be bellow VXLAN_GATEWAY_FIRST_DYNAMIC_IP\n#\n# hostname IP ports(coma separated)\n# Example:\n# transmission 10 tcp:18289,udp:18289\n"` | settings to expose ports, usually through a VPN provider NOTE: if you change it you will need to manually restart all containers using it | -| configmap.data."settings.sh" | string | `"#!/bin/sh\n# hostname of the gateway - it must accept vxlan and DHCP traffic\n# clients get it as env variable\nGATEWAY_NAME=\"${gateway}\"\n# K8S DNS IP address\n# clients get it as env variable\nK8S_DNS_IPS=\"${K8S_DNS_ips}\"\n\n# Vxlan ID to use\nVXLAN_ID=\"42\"\n# VXLAN need an /24 IP range 
not conflicting with K8S and local IP ranges\nVXLAN_IP_NETWORK=\"172.16.0\"\n# Gateway IP within the VXLAN - client PODs will be routed through it\nVXLAN_GATEWAY_IP=\"${VXLAN_IP_NETWORK}.1\"\n# Keep a range of IPs for static assignment in nat.conf\nVXLAN_GATEWAY_FIRST_DYNAMIC_IP=20\n\n# If using a VPN, interface name created by it\nVPN_INTERFACE=tun0\n# Prevent non VPN traffic to leave the gateway\nVPN_BLOCK_OTHER_TRAFFIC=false\n# Traffic to these IPs will be send through the K8S gateway\nVPN_LOCAL_CIDRS=\"10.0.0.0/8 192.168.0.0/16\"\n\n# DNS queries to these domains will be resolved by K8S DNS instead of\n# the default (typcally the VPN client changes it)\nDNS_LOCAL_CIDRS=\"local\"\n"` | settings for gateway - defaults should usually be good NOTE: if you change it you will need to manually restart all containers using it | -| configmap.enabled | bool | `true` | configmap contains clients and gateway PODs setting | -| configmap.namespaces | list | `[]` | Namespaces to create the configmap to. It must list all namespaces where client PODs get deployed to. 
The chart namespace is added automatically | | image.pullPolicy | string | `"IfNotPresent"` | | | image.repository | string | `"ghcr.io/k8s-at-home/pod-gateway"` | | -| image.tag | string | `"v1.1.0"` | | +| image.tag | string | `"v1.2.3"` | | | initContainers[0].command[0] | string | `"/bin/gateway_init.sh"` | | | initContainers[0].image | string | `nil` | Will be set automatically | | initContainers[0].imagePullPolicy | string | `nil` | Will be set automatically | | initContainers[0].name | string | `"routes"` | | -| initContainers[0].securityContext.capabilities.add[0] | string | `"NET_ADMIN"` | | +| initContainers[0].securityContext.privileged | bool | `true` | | | initContainers[0].volumeMounts[0].mountPath | string | `"/config"` | | | initContainers[0].volumeMounts[0].name | string | `"config"` | | | initContainers[0].volumeMounts[0].readOnly | bool | `true` | | | probes.liveness.enabled | bool | `false` | | | probes.readiness.enabled | bool | `false` | | | probes.startup.enabled | bool | `false` | | +| publicPorts | string | `nil` | settings to expose ports, usually through a VPN provider. NOTE: if you change it you will need to manually restart the gateway POD | +| routed_namespaces | list | `[]` | Namespaces that might contain routed PODs and therefore require a copy of the gneerated settings configmap. | | securityContext.capabilities.add[0] | string | `"NET_ADMIN"` | | | service.clusterIP | string | `"None"` | | | service.port.port | int | `4789` | | | service.port.protocol | string | `"UDP"` | | | service.type | string | `"ClusterIP"` | | +| settings.DNS_LOCAL_CIDRS | string | `"local"` | DNS queries to these domains will be resolved by K8S DNS instead of the default (typcally the VPN client changes it) | +| settings.NOT_ROUTED_TO_GATEWAY_CIDRS | string | `""` | IPs not sent to the POD gateway but to the default K8S. Multiple CIDRs can be specified using blanks as separator. 
Example for Calico: ""172.22.0.0/16 172.24.0.0/16" This is needed, for example, in case your CNI does not add a non-default rule for the K8S addresses (Flannel does). | +| settings.VPN_BLOCK_OTHER_TRAFFIC | bool | `false` | Prevent non VPN traffic to leave the gateway | +| settings.VPN_INTERFACE | string | `"tun0"` | If using a VPN, interface name created by it | +| settings.VPN_LOCAL_CIDRS | string | `"10.0.0.0/8 192.168.0.0/16"` | Traffic to these IPs will be send through the K8S gateway | +| settings.VPN_TRAFFIC_PORT | int | `443` | If VPN_BLOCK_OTHER_TRAFFIC is true, allow VPN traffic over this port | +| settings.VXLAN_GATEWAY_FIRST_DYNAMIC_IP | int | `20` | Keep a range of IPs for static assignment in nat.conf | +| settings.VXLAN_ID | int | `42` | Vxlan ID to use | +| settings.VXLAN_IP_NETWORK | string | `"172.16.0"` | VXLAN needs an /24 IP range not conflicting with K8S and local IP ranges | | webhook.additionalVolumes | list | `[]` | | | webhook.args[0] | string | `"--tls-cert-file-path=/tls/tls.crt"` | | | webhook.args[1] | string | `"--tls-key-file-path=/tls/tls.key"` | | @@ -157,6 +175,24 @@ All notable changes to this application Helm chart will be documented in this fi The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +### [2.0.0] + +#### Added + +- N/A + +#### Changed + +- run gateway init container as privileged +- configmap is now a dictionary instead of a long string +- only modifed settings need to be specified + +#### Removed + +- N/A + +[1.0.2]: #1.0.2 + ### [1.0.1] #### Added diff --git a/charts/stable/pod-gateway/README_CHANGELOG.md.gotmpl b/charts/stable/pod-gateway/README_CHANGELOG.md.gotmpl index 501636a1..1287b6f9 100644 --- a/charts/stable/pod-gateway/README_CHANGELOG.md.gotmpl +++ b/charts/stable/pod-gateway/README_CHANGELOG.md.gotmpl 
@@ -9,6 +9,24 @@ All notable changes to this application Helm chart will be documented in this fi
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+### [2.0.0]
+
+#### Added
+
+- N/A
+
+#### Changed
+
+- run gateway init container as privileged
+- configmap is now a dictionary instead of a long string
+- only modifed settings need to be specified
+
+#### Removed
+
+- N/A
+
+[1.0.2]: #1.0.2
+
 ### [1.0.1]
 #### Added
diff --git a/charts/stable/pod-gateway/README_CHANGELOG.md.gotmpl b/charts/stable/pod-gateway/README_CHANGELOG.md.gotmpl
index 501636a1..1287b6f9 100644
--- a/charts/stable/pod-gateway/README_CHANGELOG.md.gotmpl
+++ b/charts/stable/pod-gateway/README_CHANGELOG.md.gotmpl
@@ -9,6 +9,24 @@ All notable changes to this application Helm chart will be documented in this fi
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+### [2.0.0]
+
+#### Added
+
+- N/A
+
+#### Changed
+
+- run gateway init container as privileged
+- configmap is now a dictionary instead of a long string
+- only modifed settings need to be specified
+
+#### Removed
+
+- N/A
+
+[1.0.2]: #1.0.2
+
 ### [1.0.1]
 #### Added
diff --git a/charts/stable/pod-gateway/templates/configmap.yaml b/charts/stable/pod-gateway/templates/configmap.yaml
index cfa0b6d7..28e18760 100644
--- a/charts/stable/pod-gateway/templates/configmap.yaml
+++ b/charts/stable/pod-gateway/templates/configmap.yaml
@@ -1,5 +1,4 @@
-{{- if .Values.configmap.enabled | default true -}}
-{{- range $namespace := append .Values.configmap.namespaces .Release.Namespace }}
+{{- range $namespace := append .Values.routed_namespaces .Release.Namespace }}
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -9,6 +8,23 @@ metadata:
 labels:
 {{- include "common.labels" $ | nindent 4 }}
 data:
- {{- $.Values.configmap.data | toYaml | nindent 2 }}
-{{- end -}}
+ settings.sh: |
+ #!/bin/sh
+ # Generated by {{ include "common.names.fullname" $ }}
+ {{- range $key, $value := $.Values.settings }}
+ {{ $key }}={{ $value | quote }}
+ {{- end }}
+ nat.conf: |
+ # Generated by {{ include "common.names.fullname" $ }}
+ {{- range $entry := $.Values.publicPorts }}
+ {{ $entry.hostname | required "Missing hostname" }} {{ $entry.IP | required "Missing IP" }}
+ {{- range $index, $port := $entry.ports -}}
+ {{- if eq $index 0 -}}
+ {{- print " " -}}
+ {{- else -}}
+ {{- print "," -}}
+ {{- end -}}
+ {{- $port.type | required "Missing port type" }}:{{ $port.port | required "Missing port number" -}}
+ {{- end }}
+ {{- end }}
 {{- end -}}
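Review bot: `{{ $key }}={{ $value | quote }}` in the generated settings.sh emits double-quoted shell assignments, and sh still expands `$`, backquotes and `$(...)` inside double quotes (`quote` only escapes `"` and `\`), so a `settings` value carrying those characters is evaluated rather than stored when the gateway reads the `#!/bin/sh` file; the values come from the chart's own values.yaml, so this is a robustness rather than an exposure point, but `{{ $key }}={{ $value | squote }}` is the safer form unless the image relies on expansion (the removed `VXLAN_GATEWAY_IP="${VXLAN_IP_NETWORK}.1"` did). The removed settings.sh also defined `GATEWAY_NAME`, `K8S_DNS_IPS` and `VXLAN_GATEWAY_IP`, none of which `.Values.settings` carries; if image v1.2.3 derives them itself, a comment on `settings.sh: |` saying so would spare the next reader the search. In nat.conf, `required` only checks presence: a `hostname` or `IP` containing a blank still renders and silently breaks the space-separated `hostname IP ports` line that the removed nat.conf header documents. An entry whose `ports` is empty likewise renders a line with no ports, so a `required` on `$entry.ports` (or a comment stating that the gateway tolerates it) would make the contract explicit.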
diff --git a/charts/stable/pod-gateway/templates/webhook-deployment.yaml b/charts/stable/pod-gateway/templates/webhook-deployment.yaml
index 53b05859..3a71fff4 100644
--- a/charts/stable/pod-gateway/templates/webhook-deployment.yaml
+++ b/charts/stable/pod-gateway/templates/webhook-deployment.yaml
@@ -41,9 +41,7 @@ spec:
 - --webhook-listen-address=:{{ .Values.webhook.service.port.port |toString }}
 - --gateway={{ include "pod-gateway.gateway" . }}
 - --DNS={{ .Values.DNS }}
- {{- if .Values.configmap.enabled }}
 - --configmapName={{ include "pod-gateway.configmap" . }}
- {{- end}}
 {{- if ( include "pod-gateway.webhook-inserted-init-repository" . ) }}
 - --initImage={{ include "pod-gateway.webhook-inserted-init-repository" . }}
 - --initImagePullPol={{ include "pod-gateway.webhook-inserted-init-pullPolicy" . }}
diff --git a/charts/stable/pod-gateway/values.yaml b/charts/stable/pod-gateway/values.yaml
index 86459418..8bd1cecc 100644
--- a/charts/stable/pod-gateway/values.yaml
+++ b/charts/stable/pod-gateway/values.yaml
@@ -8,7 +8,7 @@ image:
 repository: ghcr.io/k8s-at-home/pod-gateway
 pullPolicy: IfNotPresent
- tag: v1.1.0
+ tag: v1.2.3
 # -- IP address of the DNS server within the vxlan tunnel.
 # All mutated PODs will get this as their DNS server.
@@ -18,57 +18,78 @@ DNS: 172.16.0.1
 # -- cluster name used to derive the gateway full name
 clusterName: "cluster.local"
-configmap:
- # -- configmap contains clients and gateway PODs setting
- enabled: true
- # -- Namespaces to create the configmap to.
- # It must list all namespaces where client PODs get deployed to.
- # The chart namespace is added automatically
- namespaces: []
- data:
- # -- settings for gateway - defaults should usually be good
- # NOTE: if you change it you will need to manually restart all
- # containers using it
- settings.sh: |
- #!/bin/sh
- # hostname of the gateway - it must accept vxlan and DHCP traffic
- # clients get it as env variable
- GATEWAY_NAME="${gateway}"
- # K8S DNS IP address
- # clients get it as env variable
- K8S_DNS_IPS="${K8S_DNS_ips}"
+# -- Namespaces that might contain routed PODs and therefore
+# require a copy of the gneerated settings configmap.
+routed_namespaces: []
+# - vpn
- # Vxlan ID to use
- VXLAN_ID="42"
- # VXLAN need an /24 IP range not conflicting with K8S and local IP ranges
- VXLAN_IP_NETWORK="172.16.0"
- # Gateway IP within the VXLAN - client PODs will be routed through it
- VXLAN_GATEWAY_IP="${VXLAN_IP_NETWORK}.1"
- # Keep a range of IPs for static assignment in nat.conf
- VXLAN_GATEWAY_FIRST_DYNAMIC_IP=20
+settings:
+ # -- IPs not sent to the POD gateway but to the default K8S.
+ # Multiple CIDRs can be specified using blanks as separator.
+ # Example for Calico: ""172.22.0.0/16 172.24.0.0/16"
+ #
+ # This is needed, for example, in case your CNI does
+ # not add a non-default rule for the K8S addresses (Flannel does).
+ NOT_ROUTED_TO_GATEWAY_CIDRS: ""
- # If using a VPN, interface name created by it
- VPN_INTERFACE=tun0
- # Prevent non VPN traffic to leave the gateway
- VPN_BLOCK_OTHER_TRAFFIC=false
- # Traffic to these IPs will be send through the K8S gateway
- VPN_LOCAL_CIDRS="10.0.0.0/8 192.168.0.0/16"
+ # -- Vxlan ID to use
+ VXLAN_ID: 42
+ # -- VXLAN needs an /24 IP range not conflicting with K8S and local IP ranges
+ VXLAN_IP_NETWORK: "172.16.0"
+ # -- Keep a range of IPs for static assignment in nat.conf
+ VXLAN_GATEWAY_FIRST_DYNAMIC_IP: 20
- # DNS queries to these domains will be resolved by K8S DNS instead of
- # the default (typcally the VPN client changes it)
- DNS_LOCAL_CIDRS="local"
+ # -- If using a VPN, interface name created by it
+ VPN_INTERFACE: tun0
+ # -- Prevent non VPN traffic to leave the gateway
+ VPN_BLOCK_OTHER_TRAFFIC: false
+ # -- If VPN_BLOCK_OTHER_TRAFFIC is true, allow VPN traffic over this port
+ VPN_TRAFFIC_PORT: 443
+ # -- Traffic to these IPs will be send through the K8S gateway
+ VPN_LOCAL_CIDRS: "10.0.0.0/8 192.168.0.0/16"
- # -- settings to expose ports, usually through a VPN provider
- # NOTE: if you change it you will need to manually restart all
- # containers using it
- nat.conf: |
- # Configure client PODs with static IP addresses
- # and ports exposed through NAT
- # static IPs must be bellow VXLAN_GATEWAY_FIRST_DYNAMIC_IP
- #
- # hostname IP ports(coma separated)
- # Example:
- # transmission 10 tcp:18289,udp:18289
+ # -- DNS queries to these domains will be resolved by K8S DNS instead of
+ # the default (typcally the VPN client changes it)
+ DNS_LOCAL_CIDRS: "local"
+
+# -- settings to expose ports, usually through a VPN provider.
+# NOTE: if you change it you will need to manually restart the gateway POD
+publicPorts:
+# - hostname: qbittorrent
+# IP: 10
+# ports:
+# - type: udp
+# port: 18289
+# - type: tcp
+# port: 18289
+
+addons:
+ vpn:
+ # -- Enable the VPN if you want to route through a VPN.
+ # You might also want to set VPN_BLOCK_OTHER_TRAFFIC to true
+ # for extra safeness in case the VPN does connect
+ enabled: false
+ type: openvpn
+ openvpn:
+ wireguard:
+ env:
+ configFileSecret: openvpn
+ networkPolicy:
+ enabled: true
+ egress:
+ # Allow only VPN traffic to Internet
+ - to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ ports:
+ # VPN traffic (default OpenVPN)
+ - port: 443
+ protocol: UDP
+ # Allow any traffic within k8s
+ - to:
+ - ipBlock:
+ # Cluster IPs (default k3s)
+ cidr: 10.0.0.0/8
 # You should not need to change the settings bellow this
@@ -99,9 +120,7 @@ initContainers:
 command:
 - /bin/gateway_init.sh
 securityContext:
- capabilities:
- add:
- - NET_ADMIN
+ privileged: true
 volumeMounts:
 - name: config
 mountPath: /config
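Review bot: The comment on `addons.vpn.enabled` ends with `for extra safeness in case the VPN does connect`, which says the opposite of what the `settings` block two stanzas up describes for VPN_BLOCK_OTHER_TRAFFIC (preventing non-VPN traffic from leaving the gateway); `# for extra safeness in case the VPN does not connect` states the intent. The VPN port is now configured in two unrelated places, `VPN_TRAFFIC_PORT: 443` under `settings` and `port: 443` / `protocol: UDP` in `addons.vpn.networkPolicy.egress[0]`, so changing one without the other either blocks the VPN (stale policy port) or leaves the policy's Internet exception on a port the VPN no longer uses; a comment on each pointing at the other, or deriving the policy port from the setting in the template, would prevent that drift. The `egress[1]` rule hard-codes `cidr: 10.0.0.0/8` with only a `default k3s` remark; on clusters whose pod and service ranges lie outside 10/8 the gateway would presumably lose all in-cluster reachability, including cluster DNS, once the policy is enforced, which is worth stating in the comment. Minor: `Example for Calico: ""172.22.0.0/16 172.24.0.0/16"` has a stray quote, and `openvpn:`, `wireguard:`, `env:` and `publicPorts:` are bare keys that parse as null rather than as an empty mapping or list, so `{}` / `[]` (or an explicit `null`) would make the intended type visible to the template's consumers.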
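Review bot: `privileged: true` replaces `capabilities.add: [NET_ADMIN]` on the gateway's `routes` init container without any comment on why NET_ADMIN stopped being enough; a privileged container receives every capability and host device access, typically runs without the runtime's default seccomp/AppArmor confinement, and is rejected outright by Pod Security Admission at the baseline and restricted levels, so the change both widens what the init container can do and narrows where the chart installs. If a specific step in `/bin/gateway_init.sh` failed under NET_ADMIN alone, the reason belongs next to the setting so the minimal capability set can be restored later, e.g. `# privileged is required because <operation> fails with NET_ADMIN only (see <issue-reference>)`. The changelog entry `run gateway init container as privileged` records the what but not the why, and the pod's main container still runs with `securityContext.capabilities.add: [NET_ADMIN]` per the README table, which suggests a narrower grant was workable on that path. The enclosing `initContainers` entry starts before this hunk.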