Use labels and annotations; update to Defguard 1.5.1

charts/defguard-gateway/Chart.yaml

@@ -3,5 +3,5 @@ name: defguard-gateway
 description: Defguard gateway is a public-facing VPN endpoint.
 
 type: application
-version: 0.2.0
-appVersion: 1.5.0
+version: 0.3.0
+appVersion: 1.5.1

charts/defguard-gateway/templates/NOTES.txt

@@ -3,16 +3,16 @@
 {{- range $host := .Values.ingress.hosts }}
   http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host }}/
 {{- end }}
-{{- else if contains "NodePort" .Values.service.type }}
+{{- else if contains "NodePort" .Values.service.grpc.type }}
   export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "defguard-gateway.fullname" . }})
   export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
   echo http://$NODE_IP:$NODE_PORT
-{{- else if contains "LoadBalancer" .Values.service.type }}
+{{- else if contains "LoadBalancer" .Values.service.grpc.type }}
      NOTE: It may take a few minutes for the LoadBalancer IP to be available.
            You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "defguard-gateway.fullname" . }}'
   export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "defguard-gateway.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
-  echo http://$SERVICE_IP:{{ .Values.service.port }}
-{{- else if contains "ClusterIP" .Values.service.type }}
+  echo http://$SERVICE_IP:{{ .Values.service.grpc.port }}
+{{- else if contains "ClusterIP" .Values.service.grpc.type }}
   export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "defguard-gateway.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
   export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
   echo "Visit http://127.0.0.1:8080 to use your application"

charts/defguard-gateway/templates/deployment.yaml

@@ -40,7 +40,7 @@ spec:
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:
             - name: grpc
-              containerPort: {{ .Values.service.ports.grpc }}
+              containerPort: {{ .Values.service.grpc.port }}
               protocol: UDP
           resources:
             {{- toYaml .Values.resources | nindent 12 }}

charts/defguard-gateway/templates/grpc-service.yaml

@@ -2,14 +2,19 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    traefik.ingress.kubernetes.io/service.serversscheme: h2c
+    {{- with .Values.service.grpc.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   name: {{ include "defguard-gateway.fullname" . }}-grpc
   labels:
     {{- include "defguard-gateway.labels" . | nindent 4 }}
+    {{- with .Values.service.grpc.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 spec:
-  type: {{ .Values.service.type }}
+  type: {{ .Values.service.grpc.type }}
   ports:
-    - port: {{ .Values.service.ports.grpc }}
+    - port: {{ .Values.service.grpc.port }}
       targetPort: grpc
       protocol: UDP
       name: grpc

charts/defguard-gateway/templates/ingress-grpc.yaml

@@ -17,6 +17,9 @@ metadata:
   name: {{ $fullName }}-grpc
   labels:
     {{- include "defguard-gateway.labels" . | nindent 4 }}
+    {{- with .Values.ingress.grpc.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   {{- with .Values.ingress.grpc.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}
@@ -44,9 +47,9 @@ spec:
               service:
                 name: {{ $fullName }}-grpc
                 port:
-                  number: {{ .Values.service.ports.grpc }}
+                  number: {{ .Values.service.grpc.port }}
               {{- else }}
               serviceName: {{ $fullName }}-grpc
-              servicePort: {{ .Values.service.ports.grpc }}
+              servicePort: {{ .Values.service.grpc.port }}
               {{- end }}
 {{- end }}

charts/defguard-gateway/values.yaml

@@ -32,6 +32,7 @@ ingress:
     className: ""
     enabled: true
     host: defguard-gateway-grpc.local
+    labels: {}
     tls: false
 # defguard-gateway pod affinity configuration
 affinity: {}
@@ -55,9 +56,12 @@ securityContext: {}
 additionalEnvFromConfigMap: ""
 # defguard-gateway service configuration
 service:
-  ports:
-    grpc: 50051
-  type: ClusterIP
+  grpc:
+    annotations:
+      traefik.ingress.kubernetes.io/service.serversscheme: h2c
+    labels: {}
+    port: 50051
+    type: ClusterIP
 # defguard-gateway serviceaccount configuration
 serviceAccount:
   annotations: {}

charts/defguard-proxy/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: defguard-proxy
-description: Defguard proxy is a public-facing proxy for core defguard service
+description: Defguard proxy is a public-facing proxy for core Defguard service
 
 type: application
-version: 0.6.0
-appVersion: 1.5.0
+version: 0.7.0
+appVersion: 1.5.1

charts/defguard-proxy/templates/NOTES.txt

@@ -3,16 +3,16 @@
 {{- range $host := .Values.ingress.hosts }}
   http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host }}/
 {{- end }}
-{{- else if contains "NodePort" .Values.service.type }}
+{{- else if contains "NodePort" .Values.service.web.type }}
   export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "defguard-proxy.fullname" . }})
   export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
   echo http://$NODE_IP:$NODE_PORT
-{{- else if contains "LoadBalancer" .Values.service.type }}
+{{- else if contains "LoadBalancer" .Values.service.web.type }}
      NOTE: It may take a few minutes for the LoadBalancer IP to be available.
            You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "defguard-proxy.fullname" . }}'
   export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "defguard-proxy.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
-  echo http://$SERVICE_IP:{{ .Values.service.port }}
-{{- else if contains "ClusterIP" .Values.service.type }}
+  echo http://$SERVICE_IP:{{ .Values.service.web.port }}
+{{- else if contains "ClusterIP" .Values.service.web.type }}
   export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "defguard-proxy.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
   export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
   echo "Visit http://127.0.0.1:8080 to use your application"

charts/defguard-proxy/templates/config.yaml

@@ -5,7 +5,6 @@ metadata:
   labels:
     {{- include "defguard-proxy.labels" . | nindent 4 }}
 data:
-  DEFGUARD_PROXY_HTTP_PORT: {{ .Values.service.ports.http | quote }}
-  DEFGUARD_PROXY_GRPC_PORT: {{ .Values.service.ports.grpc | quote }}
+  DEFGUARD_PROXY_HTTP_PORT: {{ .Values.service.web.port | quote }}
+  DEFGUARD_PROXY_GRPC_PORT: {{ .Values.service.grpc.port | quote }}
   DEFGUARD_PROXY_URL: {{ .Values.publicUrl | quote }}
-

charts/defguard-proxy/templates/deployment.yaml

@@ -42,10 +42,10 @@ spec:
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:
             - name: http
-              containerPort: {{ .Values.service.ports.http }}
+              containerPort: {{ .Values.service.web.port }}
               protocol: TCP
             - name: grpc
-              containerPort: {{ .Values.service.ports.grpc }}
+              containerPort: {{ .Values.service.web.port }}
               protocol: TCP
           livenessProbe:
             httpGet:

charts/defguard-proxy/templates/grpc-service.yaml

@@ -2,14 +2,19 @@ apiVersion: v1
 kind: Service
 metadata:
   annotations:
-    traefik.ingress.kubernetes.io/service.serversscheme: h2c
+    {{- with .Values.service.grpc.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   name: {{ include "defguard-proxy.fullname" . }}-grpc
   labels:
     {{- include "defguard-proxy.labels" . | nindent 4 }}
+    {{- with .Values.service.grpc.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 spec:
-  type: {{ .Values.service.type }}
+  type: {{ .Values.service.grpc.type }}
   ports:
-    - port: {{ .Values.service.ports.grpc }}
+    - port: {{ .Values.service.grpc.port }}
       targetPort: grpc
       protocol: TCP
       name: grpc

charts/defguard-proxy/templates/ingress-grpc.yaml

@@ -17,6 +17,9 @@ metadata:
   name: {{ $fullName }}-grpc
   labels:
     {{- include "defguard-proxy.labels" . | nindent 4 }}
+    {{- with .Values.ingress.grpc.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   {{- with .Values.ingress.grpc.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}
@@ -44,9 +47,9 @@ spec:
               service:
                 name: {{ $fullName }}-grpc
                 port:
-                  number: {{ .Values.service.ports.grpc }}
+                  number: {{ .Values.service.grpc.port }}
               {{- else }}
               serviceName: {{ $fullName }}-grpc
-              servicePort: {{ .Values.service.ports.grpc }}
+              servicePort: {{ .Values.service.grpc.port }}
               {{- end }}
 {{- end }}

charts/defguard-proxy/templates/ingress-web.yaml

@@ -17,6 +17,9 @@ metadata:
   name: {{ $fullName }}-web
   labels:
     {{- include "defguard-proxy.labels" . | nindent 4 }}
+    {{- with .Values.ingress.web.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   {{- with .Values.ingress.web.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}
@@ -44,9 +47,9 @@ spec:
               service:
                 name: {{ $fullName }}-web
                 port:
-                  number: {{ .Values.service.ports.http }}
+                  number: {{ .Values.service.web.port }}
               {{- else }}
               serviceName: {{ $fullName }}-web
-              servicePort: {{ .Values.service.ports.http }}
+              servicePort: {{ .Values.service.web.port }}
               {{- end }}
 {{- end }}

charts/defguard-proxy/templates/service.yaml

@@ -1,13 +1,20 @@
 apiVersion: v1
 kind: Service
 metadata:
+  annotations:
+    {{- with .Values.service.web.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   name: {{ include "defguard-proxy.fullname" . }}-web
   labels:
     {{- include "defguard-proxy.labels" . | nindent 4 }}
+    {{- with .Values.service.web.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 spec:
-  type: {{ .Values.service.type }}
+  type: {{ .Values.service.web.type }}
   ports:
-    - port: {{ .Values.service.ports.http }}
+    - port: {{ .Values.service.web.port }}
       targetPort: http
       protocol: TCP
       name: http

charts/defguard-proxy/values.yaml

@@ -26,12 +26,14 @@ ingress:
     className: ""
     enabled: true
     host: enrollment-grpc.local
+    labels: {}
     tls: false
   web:
     annotations: {}
     className: ""
     enabled: true
     host: enrollment.local
+    labels: {}
     tls: false
 # defguard-proxy pod affinity
 affinity: {}
@@ -53,10 +55,17 @@ replicaCount: 1
 resources: {}
 # defguard-proxy service configuration
 service:
-  ports:
-    http: 8080
-    grpc: 50051
-  type: ClusterIP
+  grpc:
+    annotations:
+      traefik.ingress.kubernetes.io/service.serversscheme: h2c
+    labels: {}
+    port: 50051
+    type: ClusterIP
+  web:
+    annotations: {}
+    labels: {}
+    port: 8080
+    type: ClusterIP
 # defguard-proxy service account configuration
 serviceAccount:
   annotations: {}

charts/defguard/Chart.lock

@@ -3,10 +3,10 @@ dependencies:
   repository: https://charts.bitnami.com/bitnami
   version: 12.12.10
 - name: defguard-proxy
-  repository: https://defguard.github.io/deployment
-  version: 0.6.0
+  repository: file://../defguard-proxy
+  version: 0.7.0
 - name: defguard-gateway
-  repository: https://defguard.github.io/deployment
-  version: 0.2.0
-digest: sha256:94287139e81b04a14e90669c0b498334db487caa6c63242204af101a52e518a3
-generated: "2025-09-15T14:21:44.380602263+02:00"
+  repository: file://../defguard-gateway
+  version: 0.3.0
+digest: sha256:ac44d3ae14c8e870739546499a5c0ae10eff7520c8cace19f385a734aa3f5a99
+generated: "2025-09-24T15:37:23.3864+02:00"

charts/defguard/Chart.yaml

@@ -1,10 +1,10 @@
 apiVersion: v2
 name: defguard
-description: Defguard is an open-source enterprise wireGuard VPN with MFA and SSO
+description: Defguard is an open-source enterprise WireGuard VPN with MFA and SSO
 
 type: application
-version: 0.11.0
-appVersion: 1.5.0
+version: 0.12.0
+appVersion: 1.5.1
 
 dependencies:
   - name: postgresql
@@ -13,9 +13,11 @@ dependencies:
     repository: https://charts.bitnami.com/bitnami
   - name: defguard-proxy
     condition: defguard-proxy.enabled
-    version: 0.6.0
+    version: 0.7.0
     repository: https://defguard.github.io/deployment
+    # repository: "file://../defguard-proxy"
   - name: defguard-gateway
     condition: defguard-gateway.enabled
-    version: 0.2.0
+    version: 0.3.0
     repository: https://defguard.github.io/deployment
+    # repository: "file://../defguard-gateway"

charts/defguard/templates/NOTES.txt

@@ -3,16 +3,16 @@
 {{- range $host := .Values.ingress.hosts }}
   http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host }}/
 {{- end }}
-{{- else if contains "NodePort" .Values.service.type }}
+{{- else if contains "NodePort" .Values.service.web.type }}
   export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "defguard.fullname" . }})
   export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
   echo http://$NODE_IP:$NODE_PORT
-{{- else if contains "LoadBalancer" .Values.service.type }}
+{{- else if contains "LoadBalancer" .Values.service.web.type }}
      NOTE: It may take a few minutes for the LoadBalancer IP to be available.
            You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "defguard.fullname" . }}'
   export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "defguard.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
-  echo http://$SERVICE_IP:{{ .Values.service.port }}
-{{- else if contains "ClusterIP" .Values.service.type }}
+  echo http://$SERVICE_IP:{{ .Values.service.web.port }}
+{{- else if contains "ClusterIP" .Values.service.web.type }}
   export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "defguard.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
   export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
   echo "Visit http://127.0.0.1:8080 to use your application"

charts/defguard/templates/defguard-config.yaml

@@ -13,18 +13,10 @@ data:
   DEFGUARD_DB_PORT: {{ .Values.postgresql.port | quote}}
   DEFGUARD_DB_NAME: {{ .Values.postgresql.auth.database }}
   DEFGUARD_DB_USER: {{ .Values.postgresql.auth.username }}
-  DEFGUARD_GRPC_PORT: {{ .Values.service.ports.grpc | quote }}
+  DEFGUARD_GRPC_PORT: {{ .Values.service.grpc.port | quote }}
   DEFGUARD_ENROLLMENT_URL: {{ index .Values "defguard-proxy" "publicUrl" }}
   {{- if .Values.proxyUrl }}
   DEFGUARD_PROXY_URL: {{ .Values.proxyUrl }}
   {{- end }}
   DEFGUARD_URL: {{ .Values.publicUrl }}
   DEFGUARD_WEBAUTHN_RP_ID: {{ .Values.ingress.web.host }}
-  {{- if .Values.ldap.enabled }}
-  DEFGUARD_LDAP_ADMIN_GROUP: {{ .Values.ldap.admin_group | quote }}
-  DEFGUARD_LDAP_BIND_PASSWORD: {{ .Values.ldap.bind_password | quote }}
-  DEFGUARD_LDAP_BIND_USERNAME: {{ .Values.ldap.bind_username | quote }}
-  DEFGUARD_LDAP_GROUP_SEARCH_BASE: {{ .Values.ldap.group_search_base | quote }}
-  DEFGUARD_LDAP_USER_SEARCH_BASE: {{ .Values.ldap.user_search_base | quote }}
-  DEFGUARD_LDAP_URL: {{ .Values.ldap.url | quote }}
-  {{- end }}

charts/defguard/templates/defguard-service.yaml

@@ -1,13 +1,20 @@
 apiVersion: v1
 kind: Service
 metadata:
+  annotations:
+    {{- with .Values.service.web.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
   name: {{ include "defguard.fullname" . }}-web
   labels:
     {{- include "defguard.labels" . | nindent 4 }}
+    {{- with .Values.service.web.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 spec:
   type: {{ .Values.service.type }}
   ports:
-    - port: {{ .Values.service.ports.http }}
+    - port: {{ .Values.service.web.port }}
       targetPort: http
       protocol: TCP
       name: http