From eb987fa4424501f59ce5113379f8eeefce518458 Mon Sep 17 00:00:00 2001 From: Alexis Ducastel Date: Sun, 21 Nov 2021 23:07:32 +0100 Subject: [PATCH 1/6] Add optionnal initContainer to fix sysctl config --- .../wg-access-server/templates/deployment.yaml | 14 ++++++++++++++ deploy/helm/wg-access-server/values.yaml | 9 +++++++++ 2 files changed, 23 insertions(+) diff --git a/deploy/helm/wg-access-server/templates/deployment.yaml b/deploy/helm/wg-access-server/templates/deployment.yaml index 03620b87..c32a5fec 100644 --- a/deploy/helm/wg-access-server/templates/deployment.yaml +++ b/deploy/helm/wg-access-server/templates/deployment.yaml @@ -26,6 +26,20 @@ spec: {{- with .Values.imagePullSecrets }} imagePullSecrets: {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.sysctlInitContainer }} + initContainers: + - command: + - sysctl + - -w + - net.ipv4.ip_forward=1 + image: busybox + imagePullPolicy: IfNotPresent + name: init-sysctl + securityContext: + privileged: true + runAsNonRoot: false + runAsUser: 0 {{- end }} containers: - name: {{ .Chart.Name }} diff --git a/deploy/helm/wg-access-server/values.yaml b/deploy/helm/wg-access-server/values.yaml index e54f5cad..268de5ec 100644 --- a/deploy/helm/wg-access-server/values.yaml +++ b/deploy/helm/wg-access-server/values.yaml @@ -79,3 +79,12 @@ nodeSelector: {} tolerations: [] affinity: {} + +# sysctlInitContainer flag adds an initContainer named "init-sysctl" to wg-access-server deployment. +# The goal is to set the sysctl net.ipv4.ip_forward=1 to allow packet routing through node. +# This initContainer needs to run as privileged, but this is only limited to +# the initContainer run time, the main container will remain unprivileged as expected. +# Use case : +# DNS is functionning properly through VPN but does not work for standard traffic. +# NB : If you have no problem with wireguard traffic, you should not enable this initContainer +sysctlInitContainer: false 
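Review bot: The new init container runs `privileged: true` as UID 0 from `image: busybox` with no tag or digest, so whatever `busybox:latest` resolves to at scheduling time executes with full host-device and capability access on the node; pin it, e.g. `image: busybox:1.36` (better, an `@sha256:` digest), and expose it as a value such as `sysctlInitContainer.image` so operators can point it at a mirrored image. `net.ipv4.ip_forward` is a namespaced `net.*` sysctl, so writing it from a pod container should only affect the pod's own network namespace rather than the node as the accompanying values comment suggests, and the same effect is normally available without any privileged container via the pod-level `securityContext.sysctls` list (`- name: net.ipv4.ip_forward` / `value: "1"`) once the kubelets list it in `--allowed-unsafe-sysctls`, which would be the safer default to document before reaching for `privileged`. The enclosing `spec.template.spec` block starts before this hunk.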
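Review bot: The values comment says the sysctl allows "packet routing through node", but a `net.*` sysctl set from inside the pod applies to the pod's network namespace, so the text misstates the blast radius in both directions (it neither changes the node nor needs to); it also contains the typo "functionning". I would reword the first two lines as `# sysctlInitContainer adds a privileged initContainer "init-sysctl" that sets net.ipv4.ip_forward=1` / `# in the pod's network namespace so the pod can forward packets between VPN peers and the cluster.` and fix the spelling to "functioning". Stating explicitly that the default `false` should stay unless WireGuard traffic is actually broken is good and worth keeping.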
From 8f9288c0b9c02b3167c6cd529cf1523ff99de565 Mon Sep 17 00:00:00 2001 From: Florian Buchmeier Date: Sat, 12 Mar 2022 13:13:59 +0100 Subject: [PATCH 2/6] add option to specify an existingSecret wit admin username, password and privatekey Signed-off-by: Florian Buchmeier --- deploy/helm/wg-access-server/README.md | 1 + .../templates/deployment.yaml | 30 +++++-------------- .../wg-access-server/templates/secret.yaml | 8 +++-- deploy/helm/wg-access-server/values.yaml | 14 +++++++++ 4 files changed, 28 insertions(+), 25 deletions(-) diff --git a/deploy/helm/wg-access-server/README.md b/deploy/helm/wg-access-server/README.md index 8f8d7860..127282bb 100644 --- a/deploy/helm/wg-access-server/README.md +++ b/deploy/helm/wg-access-server/README.md @@ -84,3 +84,4 @@ ingress: | image.pullPolicy | string | `"IfNotPresent"` | | | image.repository | string | `"place1/wg-access-server"` | | | imagePullSecrets | list | `[]` | | +| existingSecret | string | `""` | Allow the use of an existing secret for admin username, password and private key | diff --git a/deploy/helm/wg-access-server/templates/deployment.yaml b/deploy/helm/wg-access-server/templates/deployment.yaml index 03620b87..b0dec82f 100644 --- a/deploy/helm/wg-access-server/templates/deployment.yaml +++ b/deploy/helm/wg-access-server/templates/deployment.yaml 
@@ -41,28 +41,14 @@ spec: - name: wireguard containerPort: 51820 protocol: UDP - env: - {{- if .Values.wireguard.config.privateKey }} - - name: WG_WIREGUARD_PRIVATE_KEY - valueFrom: - secretKeyRef: - name: "{{ $fullName }}" - key: privateKey - {{- end }} - {{- if .Values.web.config.adminUsername }} - - name: WG_ADMIN_USERNAME - valueFrom: - secretKeyRef: - name: "{{ $fullName }}" - key: adminUsername - {{- end}} - {{- if .Values.web.config.adminPassword }} - - name: WG_ADMIN_PASSWORD - valueFrom: - secretKeyRef: - name: "{{ $fullName }}" - key: adminPassword - {{- end}} + envFrom: + - secretRef: + {{- if .Values.existingSecret }} + name: {{ .Values.existingSecret }} + {{- else }} + name: {{ $fullName }} + {{- end }} + env: {} volumeMounts: - name: tun mountPath: /dev/net/tun diff --git a/deploy/helm/wg-access-server/templates/secret.yaml b/deploy/helm/wg-access-server/templates/secret.yaml index baf61c2c..039d3e32 100644 --- a/deploy/helm/wg-access-server/templates/secret.yaml +++ b/deploy/helm/wg-access-server/templates/secret.yaml @@ -1,5 +1,6 @@ {{- $fullName := include "wg-access-server.fullname" . -}} {{- if .Values.wireguard.config.privateKey }} +{{- if not .Values.existingSecret -}} apiVersion: v1 kind: Secret metadata: @@ -8,11 +9,12 @@ metadata: {{- include "wg-access-server.labels" . | nindent 4 }} type: Opaque data: - privateKey: {{ .Values.wireguard.config.privateKey | b64enc | quote }} + WG_WIREGUARD_PRIVATE_KEY: {{ .Values.wireguard.config.privateKey | b64enc | quote }} {{- if .Values.web.config.adminUsername }} - adminUsername: {{ .Values.web.config.adminUsername | b64enc | quote }} + WG_ADMIN_USERNAME: {{ .Values.web.config.adminUsername | b64enc | quote }} {{- end }} {{- if .Values.web.config.adminPassword }} - adminPassword: {{ .Values.web.config.adminPassword | b64enc | quote }} + WG_ADMIN_PASSWORD: {{ .Values.web.config.adminPassword | b64enc | quote }} {{- end }} {{- end }} +{{- end }} \ No newline at end of file 
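Review bot: The `envFrom` fallback `name: {{ $fullName }}` references the chart's own Secret unconditionally, but the `secret.yaml` hunk in this same patch still renders that Secret only inside `{{- if .Values.wireguard.config.privateKey }}`; a release with neither `existingSecret` nor a private key set — the chart defaults — now points at a Secret that is never created and the pod sits in CreateContainerConfigError, whereas the removed per-variable `if` blocks only referenced the Secret when it would exist. Wrap the stanza in `{{- if or .Values.existingSecret .Values.wireguard.config.privateKey }}` … `{{- end }}`, or add `optional: true` beside `name:` if a missing Secret should be tolerated. The templated name should also be quoted, `name: {{ .Values.existingSecret | quote }}`, so an odd value cannot change the YAML structure. Because `envFrom` injects every key of the referenced Secret, an `existingSecret` shared with other workloads hands all of its entries to this container; the values comment should state that the Secret is expected to contain only the three listed keys. The container definition begins before this hunk.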
diff --git a/deploy/helm/wg-access-server/values.yaml b/deploy/helm/wg-access-server/values.yaml index e54f5cad..93e21c93 100644 --- a/deploy/helm/wg-access-server/values.yaml +++ b/deploy/helm/wg-access-server/values.yaml @@ -1,6 +1,20 @@ # wg-access-server config config: {} +## Provide an existing secret with the following keys: +## +## data: +## WG_ADMIN_PASSWORD: X +## WG_ADMIN_USERNAME: X +## WG_WIREGUARD_PRIVATE_KEY: X +## +## overrides: +## web.config.adminUsername +## web.config.adminPassword +## wireguard.config.privateKey +## +# existingSecret: "" + web: config: adminUsername: "" From 108185be1d68807f139f7056d3061ad4c2ca7541 Mon Sep 17 00:00:00 2001 From: Florian Buchmeier Date: Sat, 12 Mar 2022 13:29:21 +0100 Subject: [PATCH 3/6] fix: invalid type for io.k8s.api.core.v1.Container.env: got 'map', expected 'array' Signed-off-by: Florian Buchmeier --- deploy/helm/wg-access-server/templates/deployment.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/deploy/helm/wg-access-server/templates/deployment.yaml b/deploy/helm/wg-access-server/templates/deployment.yaml index b0dec82f..cd779140 100644 --- a/deploy/helm/wg-access-server/templates/deployment.yaml +++ b/deploy/helm/wg-access-server/templates/deployment.yaml @@ -48,7 +48,6 @@ spec: {{- else }} name: {{ $fullName }} {{- end }} - env: {} volumeMounts: - name: tun mountPath: /dev/net/tun From 6830cd9538785c267e9d6550aa7a61f2f3b18087 Mon Sep 17 00:00:00 2001 From: Florian Buchmeier Date: Sat, 12 Mar 2022 14:05:38 +0100 Subject: [PATCH 4/6] feat: add option to use dedicated nodePort for wireguard Signed-off-by: Florian Buchmeier --- deploy/helm/wg-access-server/README.md | 1 + deploy/helm/wg-access-server/templates/service.yaml | 3 +++ deploy/helm/wg-access-server/values.yaml | 2 ++ 3 files changed, 6 insertions(+) diff --git a/deploy/helm/wg-access-server/README.md b/deploy/helm/wg-access-server/README.md index 127282bb..b369d74a 100644 --- a/deploy/helm/wg-access-server/README.md 
+++ b/deploy/helm/wg-access-server/README.md @@ -64,6 +64,7 @@ ingress: | web.service.type | string | `"ClusterIP"` | | | wireguard.config.privateKey | string | "" | A wireguard private key. You can generate one using `$ wg genkey` | | wireguard.service.type | string | `"ClusterIP"` | | +| wireguard.service.nodePort | int | `nil` | When `NodePort` is used as `service.type`, a static nodePort can be added | | ingress.enabled | bool | `false` | | | ingress.hosts | string | `nil` | | | ingress.tls | list | `[]` | | diff --git a/deploy/helm/wg-access-server/templates/service.yaml b/deploy/helm/wg-access-server/templates/service.yaml index 6734eab7..aecd2e4b 100644 --- a/deploy/helm/wg-access-server/templates/service.yaml +++ b/deploy/helm/wg-access-server/templates/service.yaml @@ -51,5 +51,8 @@ spec: targetPort: 51820 protocol: UDP name: wireguard + {{- if and ( eq .Values.wireguard.service.type "NodePort" ) .Values.wireguard.service.nodePort }} + nodePort: {{ .Values.wireguard.service.nodePort }} + {{- end }} selector: {{- include "wg-access-server.selectorLabels" . | nindent 4 }} diff --git a/deploy/helm/wg-access-server/values.yaml b/deploy/helm/wg-access-server/values.yaml index 93e21c93..0b08e8bb 100644 --- a/deploy/helm/wg-access-server/values.yaml +++ b/deploy/helm/wg-access-server/values.yaml @@ -27,6 +27,8 @@ wireguard: privateKey: "" service: type: ClusterIP + # type: NodePort + # nodePort: 51820 persistence: enabled: false From a755e087051c5d88b26be404cbde99c7ae1accbd Mon Sep 17 00:00:00 2001 From: Florian Date: Fri, 14 Apr 2023 19:56:44 +0200 Subject: [PATCH 5/6] Update deployment.yaml --- deploy/helm/wg-access-server/templates/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/helm/wg-access-server/templates/deployment.yaml b/deploy/helm/wg-access-server/templates/deployment.yaml index 486a1553..2f73c44e 100644 --- a/deploy/helm/wg-access-server/templates/deployment.yaml 
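Review bot: The guard `and ( eq .Values.wireguard.service.type "NodePort" ) .Values.wireguard.service.nodePort` silently drops a configured `nodePort` when `service.type` is `LoadBalancer`, although Kubernetes honours `nodePort` on LoadBalancer services as well and pinning it is the usual way to fix the UDP port a cloud load balancer forwards to. I would widen the condition to `{{- if and (or (eq .Values.wireguard.service.type "NodePort") (eq .Values.wireguard.service.type "LoadBalancer")) .Values.wireguard.service.nodePort }}`. A static nodePort also opens one fixed, predictable UDP port on every node, so the README row deserves a sentence that the value must fall inside the cluster's node-port range (30000-32767 by default) and that leaving it unset lets the API server allocate one.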
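Review bot: The commented example `# nodePort: 51820` is outside the default Kubernetes node-port range (30000-32767), so a user who uncomments it as written gets the Service rejected by the API server unless the cluster was started with an extended `--service-node-port-range`. Either pick an in-range example, e.g. `# nodePort: 31820`, or add `# must be within the cluster's service node-port range (default 30000-32767)` above it.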
+++ b/deploy/helm/wg-access-server/templates/deployment.yaml @@ -46,7 +46,7 @@ spec: securityContext: capabilities: add: ['NET_ADMIN'] - image: "{{ .Values.image.repository }}:{{ .Chart.AppVersion }}" + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" imagePullPolicy: {{ .Values.image.pullPolicy }} ports: - name: http From 8f3157f60f719dace5754930da4386419d3cb668 Mon Sep 17 00:00:00 2001 From: Florian Date: Fri, 14 Apr 2023 19:57:10 +0200 Subject: [PATCH 6/6] Update values.yaml --- deploy/helm/wg-access-server/values.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/deploy/helm/wg-access-server/values.yaml b/deploy/helm/wg-access-server/values.yaml index ca0c153a..1f48b5f5 100644 --- a/deploy/helm/wg-access-server/values.yaml +++ b/deploy/helm/wg-access-server/values.yaml @@ -67,6 +67,7 @@ imagePullSecrets: [] image: repository: place1/wg-access-server + tag: v0.4.6 pullPolicy: IfNotPresent # multiple replicas is only supported when using
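Review bot: Rendering `{{ .Values.image.tag }}` with no fallback produces the invalid reference `place1/wg-access-server:` whenever `image.tag` is empty or absent, which is exactly the state of every values file written before patch 6 added `tag: v0.4.6`, and also the common chart convention where an empty tag means "use the app version". Use `image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"` so the old behaviour is preserved as the default while still allowing an override. The container block, including the `NET_ADMIN` securityContext shown above the change, starts before this hunk.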