pod-gateway

Version: 5.6.2 AppVersion: v1.6.1

Admission controller to change the default gateway and DNS server of PODs

This chart is not maintained by the upstream project and any issues with the chart should be raised here

Source Code

Requirements

Kubernetes: >=1.16.0-0

Dependencies

Repository Name Version
https://library-charts.k8s-at-home.com common 4.5.2

TL;DR

helm repo add k8s-at-home https://k8s-at-home.com/charts/
helm repo update
helm install pod-gateway k8s-at-home/pod-gateway

Installing the Chart

To install the chart with the release name pod-gateway

helm install pod-gateway k8s-at-home/pod-gateway

Uninstalling the Chart

To uninstall the pod-gateway deployment

helm uninstall pod-gateway

The command removes all the Kubernetes components associated with the chart including persistent volumes and deletes the release.

Configuration

Read through the values.yaml file. It has several commented out suggested values. Other values may be used from the values.yaml from the common library.

Specify each parameter using the --set key=value[,key=value] argument to helm install.

helm install pod-gateway \
  --set env.TZ="America/New York" \
    k8s-at-home/pod-gateway

Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart.

helm install pod-gateway k8s-at-home/pod-gateway -f values.yaml

Custom configuration

Please check this guide for the full instructions.

You need to add the label routed-gateway=true to the namespaces with PODs you want to route through this POD gateway. If needed, the label name can be changed in .Values.

The webhook by default changes all processed pods (remove --setGatewayDefault if you want to change the default). You can also override the default for a single POD by adding a label or annotation (setGateway by default).

Processed PODs will get their default gateway changed. The DNS server will also be set to the gateway (unless the option --keepDNS is used).

If you want to use the VPN please follow the common chart VPN sidecar documentation. If you want to test without a VPN client you can set VPN_BLOCK_OTHER_TRAFFIC to false.

IMPORTANT: Do not deploy this chart to a namespace controlled by this webhook. This would likely result in a deadlock when upgrading the chart.

NOTE: This chart requires the cert-manager CRD to generate the required certificates. It does not install it as a dependency to avoid conflicts.
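The selection rules above (namespace label, per-pod annotation or label, chart default, and the self-namespace caveat) as an added Python illustration; this is not the admission controller's own code, and the precedence of annotation over label and the release namespace name pod-gateway are assumptions made here:

```python
"""Which pods the pod-gateway webhook mutates, modelled from the README above.

Added illustration, not the admission controller's source. Assumed here:
annotation is checked before label (the README names both, not the order),
and "pod-gateway" is the namespace hosting the webhook (release name).
"""

# Defaults taken from the chart's values table.
WEBHOOK_DEFAULTS = {
    "namespaceLabel": "routed-gateway",  # webhook.namespaceSelector.label
    "gatewayAnnotation": "setGateway",   # webhook.gatewayAnnotation
    "gatewayLabel": "setGateway",        # webhook.gatewayLabel
    "gatewayDefault": True,              # webhook.gatewayDefault
    "webhookNamespace": "pod-gateway",   # assumed release namespace
}


def _as_bool(value):
    """Map a label/annotation value to True/False; anything else counts as unset."""
    if value is None:
        return None
    text = str(value).strip().lower()
    return {"true": True, "false": False}.get(text)


def should_route_pod(pod, namespace, overrides=None):
    """Return True when the webhook would inject the gateway init/sidecar containers.

    pod and namespace are dicts shaped like Kubernetes object metadata.
    Raises ValueError if the selected namespace is the webhook's own, the
    situation the README's IMPORTANT note says leads to a deadlock on upgrade.
    """
    cfg = {**WEBHOOK_DEFAULTS, **(overrides or {})}
    ns_meta = namespace["metadata"]
    # Only namespaces carrying routed-gateway=true are evaluated at all.
    if ns_meta.get("labels", {}).get(cfg["namespaceLabel"]) != "true":
        return False
    if ns_meta["name"] == cfg["webhookNamespace"]:
        raise ValueError(f"namespace {ns_meta['name']} hosts the webhook; do not select it")
    meta = pod.get("metadata", {})
    # Per-pod override: annotation first, then label, else the chart default.
    decision = _as_bool(meta.get("annotations", {}).get(cfg["gatewayAnnotation"]))
    if decision is None:
        decision = _as_bool(meta.get("labels", {}).get(cfg["gatewayLabel"]))
    return cfg["gatewayDefault"] if decision is None else decision
```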

Values

Important: When deploying an application Helm chart you can add more values from our common library chart here

Key Type Default Description
DNS string "172.16.0.1" IP address of the DNS server within the vxlan tunnel. All mutated PODs will get this as their DNS server. It must match VXLAN_GATEWAY_IP in settings.sh
DNSPolicy string "None" The DNSPolicy to apply to the POD. Only when set to "None" will the DNS value above apply. To avoid altering POD DNS (i.e., to allow initContainers to use DNS before the VXLAN is up), set to "ClusterFirst"
addons object {"vpn":{"enabled":false,"networkPolicy":{"egress":[{"ports":[{"port":1194,"protocol":"UDP"}],"to":[{"ipBlock":{"cidr":"0.0.0.0/0"}}]},{"to":[{"ipBlock":{"cidr":"10.0.0.0/8"}}]}],"enabled":true},"type":"openvpn"}} IP: 10 ports: - type: udp port: 18289 - type: tcp port: 18289
addons.vpn.enabled bool false Enable the VPN if you want to route through a VPN. You might also want to set VPN_BLOCK_OTHER_TRAFFIC to true for extra safety in case the VPN does not connect
addons.vpn.networkPolicy object {"egress":[{"ports":[{"port":1194,"protocol":"UDP"}],"to":[{"ipBlock":{"cidr":"0.0.0.0/0"}}]},{"to":[{"ipBlock":{"cidr":"10.0.0.0/8"}}]}],"enabled":true} wireguard: env: configFileSecret: openvpn
clusterName string "cluster.local" cluster name used to derive the gateway full name
image.pullPolicy string "IfNotPresent" image pull policy of the gateway and inserted helper containers
image.repository string "ghcr.io/k8s-at-home/pod-gateway" image repository of the gateway and inserted helper containers
image.tag string chart.appVersion image tag of the gateway and inserted helper containers
publicPorts string nil settings to expose ports, usually through a VPN provider. NOTE: if you change it, you will need to manually restart the gateway POD
routed_namespaces list [] Namespaces that might contain routed PODs and therefore require a copy of the generated settings configmap.
settings.DNS_LOCAL_CIDRS string "local" DNS queries to these domains will be resolved by K8S DNS instead of the default (typically the VPN client changes it)
settings.NOT_ROUTED_TO_GATEWAY_CIDRS string "" IPs not sent to the POD gateway but to the default K8S gateway. Multiple CIDRs can be specified using blanks as separator. Example for Calico: "172.22.0.0/16 172.24.0.0/16" This is needed, for example, in case your CNI does not add a non-default rule for the K8S addresses (Flannel does).
settings.VPN_BLOCK_OTHER_TRAFFIC bool false Prevent non-VPN traffic from leaving the gateway
settings.VPN_INTERFACE string "tun0" If using a VPN, interface name created by it
settings.VPN_LOCAL_CIDRS string "10.0.0.0/8 192.168.0.0/16" Traffic to these IPs will be sent through the K8S gateway
settings.VPN_TRAFFIC_PORT int 1194 If VPN_BLOCK_OTHER_TRAFFIC is true, allow VPN traffic over this port
settings.VXLAN_GATEWAY_FIRST_DYNAMIC_IP int 20 Keep a range of IPs for static assignment in nat.conf
settings.VXLAN_ID int 42 Vxlan ID to use
settings.VXLAN_IP_NETWORK string "172.16.0" VXLAN needs a /24 IP range not conflicting with K8S and local IP ranges
webhook object See below The webhook is used to mutate the PODs matching the given namespace labels. It inserts init and sidecar helper containers that connect to the gateway pod created by this chart.
webhook.gatewayAnnotation string "setGateway" annotation name to check when evaluating POD. If true the POD will get the gateway. If not set setGatewayDefault will apply.
webhook.gatewayDefault bool true default behaviour for new PODs in the evaluated namespace
webhook.gatewayLabel string "setGateway" label name to check when evaluating POD. If true the POD will get the gateway. If not set setGatewayDefault will apply.
webhook.image.pullPolicy string "IfNotPresent" image pullPolicy of the webhook
webhook.image.repository string "ghcr.io/k8s-at-home/gateway-admision-controller" image repository of the webhook
webhook.image.tag string "v3.5.0" image tag of the webhook
webhook.namespaceSelector object {"custom":{},"label":"routed-gateway","type":"label"} Selector for namespace. All pods in this namespace will get evaluated by the webhook. IMPORTANT: Do not select the namespace where the webhook is deployed or you will get locking issues.
webhook.replicas int 1 number of webhook instances to deploy
webhook.strategy object {"type":"RollingUpdate"} strategy for updates
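A pre-deploy consistency check over the settings in this table, added here as an illustration (not part of the chart): it verifies that DNS lies inside the VXLAN /24, that the VXLAN range does not overlap VPN_LOCAL_CIDRS or NOT_ROUTED_TO_GATEWAY_CIDRS, that blank-separated CIDR lists parse, and it flags a VPN deployment left with VPN_BLOCK_OTHER_TRAFFIC false.

```python
"""Sanity checks for pod-gateway settings, derived from the values table above.

Added illustration, not chart code. It encodes only relationships the table
states: DNS must sit in the VXLAN /24, the VXLAN range must not collide with
cluster/local ranges, and CIDR lists are blank-separated.
"""
import ipaddress

# Chart defaults from the values table (constructed copy for the example).
DEFAULT_SETTINGS = {
    "DNS": "172.16.0.1",
    "VXLAN_IP_NETWORK": "172.16.0",
    "VPN_LOCAL_CIDRS": "10.0.0.0/8 192.168.0.0/16",
    "NOT_ROUTED_TO_GATEWAY_CIDRS": "",
    "VPN_BLOCK_OTHER_TRAFFIC": False,
}


def parse_cidr_list(value):
    """Split a blank-separated CIDR list; strict parsing rejects host bits and commas."""
    return [ipaddress.ip_network(cidr) for cidr in value.split()]


def vxlan_network(prefix):
    """VXLAN_IP_NETWORK holds the first three octets; the chart uses a /24 from it."""
    return ipaddress.ip_network(f"{prefix}.0/24")


def check_settings(settings, vpn_enabled=False):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    vx = vxlan_network(settings["VXLAN_IP_NETWORK"])
    dns = ipaddress.ip_address(settings["DNS"])
    if dns not in vx:
        problems.append(f"DNS {dns} is outside the VXLAN range {vx}")
    for key in ("VPN_LOCAL_CIDRS", "NOT_ROUTED_TO_GATEWAY_CIDRS"):
        try:
            cidrs = parse_cidr_list(settings.get(key, ""))
        except ValueError as exc:
            problems.append(f"{key}: {exc}")
            continue
        for net in cidrs:
            if net.overlaps(vx):
                problems.append(f"VXLAN range {vx} overlaps {key} entry {net}")
    # addons.vpn.enabled without the kill switch lets traffic leave unprotected.
    if vpn_enabled and not settings.get("VPN_BLOCK_OTHER_TRAFFIC"):
        problems.append("VPN enabled but VPN_BLOCK_OTHER_TRAFFIC is false")
    return problems
```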

Changelog

Version 5.6.2

Added

N/A

Changed

  • Upgraded common chart dependency to version 4.5.2

Fixed

N/A

Older versions

A historical overview of changes can be found on ArtifactHUB

Support


Autogenerated from chart metadata using helm-docs v0.1.1