Merge pull request #20 from hooray4me/main

Make chart deploy-able on K3s and K8s

charts/wg-access-server/Chart.yaml

@@ -3,3 +3,4 @@ appVersion: v0.10.1
 description: A WireGuard VPN Access Server
 name: wg-access-server
 version: 0.12.1
+

charts/wg-access-server/templates/NOTES.txt

@@ -3,7 +3,7 @@ Thank you for installing {{ .Chart.Name }}.
 
 Your release is named {{ .Release.Name }}.
 
-{{- $fullName := include "wg-access-server.fullname" . }}
+{{- $fullName := include "wg-access-server.name" . }}
 {{ if .Values.ingress.enabled }}
 You can find the web interface at:
     {{- range .Values.ingress.hosts }}
@@ -13,4 +13,4 @@ You can find the web interface at:
 {{ if empty .Values.web.config.adminPassword }}
 You can display the auto-generated admin password by running:
   $ kubectl get secret --namespace {{ .Release.Namespace }} {{ $fullName }} -o jsonpath="{.data.adminPassword}" | base64 --decode
-{{- end }}
+{{- end }}

charts/wg-access-server/templates/_helpers.tpl

@@ -16,11 +16,6 @@ If release name contains chart name it will be used as a full name.
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
 {{- else -}}
 {{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
 {{- end -}}
 {{- end -}}
 
@@ -49,7 +44,7 @@ Selector labels
 {{- define "wg-access-server.selectorLabels" -}}
 app: {{ include "wg-access-server.name" . }}
 app.kubernetes.io/name: {{ include "wg-access-server.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/instance: {{ include "wg-access-server.name" . }}
 {{- end -}}
 
 {{/*
@@ -87,7 +82,7 @@ Return PostgreSQL Connection Secret Name
 {{- if .Values.storage.existingSecret -}}
     {{- .Values.storage.existingSecret -}}
 {{- else -}}
-    {{- include "wg-access-server.fullname" . -}}
+    {{- include "wg-access-server.name" . -}}
 {{- end -}}
 {{- end -}}
 
@@ -99,7 +94,7 @@ Return Web Config Secret Name
 {{- if .Values.web.config.existingSecret -}}
     {{- .Values.web.config.existingSecret -}}
 {{- else -}}
-    {{- include "wg-access-server.fullname" . -}}
+    {{- include "wg-access-server.name" . -}}
 {{- end -}}
 {{- end -}}
 
@@ -111,7 +106,7 @@ Return WireGuard Config Secret Name
 {{- if .Values.wireguard.config.existingSecret -}}
     {{- .Values.wireguard.config.existingSecret -}}
 {{- else -}}
-    {{- include "wg-access-server.fullname" . -}}
+    {{- include "wg-access-server.name" . -}}
 {{- end -}}
 {{- end -}}
 
@@ -123,6 +118,6 @@ Return WireGuard secretConfig Secret Name
 {{- if .Values.secretConfig.existingSecret -}}
     {{- .Values.secretConfig.existingSecret -}}
 {{- else -}}
-    {{- include "wg-access-server.fullname" . -}}
+    {{- include "wg-access-server.name" . -}}
 {{- end -}}
 {{- end -}}

charts/wg-access-server/templates/configmap.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ include "wg-access-server.fullname" . }}
+  name: {{ include "wg-access-server.name" . }}
   labels:
     {{- include "wg-access-server.labels" . | nindent 4 }}
 data:

charts/wg-access-server/templates/deployment.yaml

@@ -1,8 +1,8 @@
-{{- $fullName := include "wg-access-server.fullname" . -}}
+{{- $fullName := include "wg-access-server.name" . -}}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: {{ include "wg-access-server.fullname" . }}
+  name: {{ include "wg-access-server.name" . }}
   labels:
     {{- include "wg-access-server.labels" . | nindent 4 }}
 spec:
@@ -101,13 +101,12 @@ spec:
           volumeMounts:
             - name: tun
               mountPath: /dev/net/tun
+            - name: mods
+              mountPath: /lib/modules
             {{- if not .Values.storage.enabled }}
             - name: data
               mountPath: /data
             {{- end }}
-            - name: {{ if or .Values.secretConfig.config .Values.secretConfig.existingSecret }}merged-config{{ else }}configmap-config{{ end }}
-              mountPath: /config.yaml
-              subPath: config.yaml
           {{- with .Values.extraVolumeMounts }}
             {{- tpl ( . | toYaml ) $ | nindent 12 }}
           {{- end}}
@@ -122,6 +121,9 @@ spec:
           hostPath:
             type: 'CharDevice'
             path: /dev/net/tun
+        - name: mods
+          hostPath:
+            path: /lib/modules
       {{- if not .Values.storage.enabled }}
         - name: data
         {{- if .Values.persistence.enabled }}

charts/wg-access-server/templates/ingress.yaml

@@ -1,6 +1,6 @@
 {{- $kubeTargetVersion := default .Capabilities.KubeVersion.GitVersion .Values.kubeTargetVersionOverride }}
 {{- if .Values.ingress.enabled -}}
-{{- $fullName := include "wg-access-server.fullname" . -}}
+{{- $fullName := include "wg-access-server.name" . -}}
 {{- if semverCompare ">=1.19-0" $kubeTargetVersion -}}
 apiVersion: networking.k8s.io/v1
 {{- else if semverCompare ">=1.14-0" $kubeTargetVersion -}}

charts/wg-access-server/templates/secret.yaml

@@ -1,4 +1,4 @@
-{{- $fullName := include "wg-access-server.fullname" . -}}
+{{- $fullName := include "wg-access-server.name" . -}}
 apiVersion: v1
 kind: Secret
 metadata:

charts/wg-access-server/templates/service.yaml

@@ -1,4 +1,4 @@
-{{- $fullName := include "wg-access-server.fullname" . -}}
+{{- $fullName := include "wg-access-server.name" . -}}
 apiVersion: v1
 kind: Service
 metadata:

charts/wg-access-server/values.yaml

@@ -1,32 +1,67 @@
 # wg-access-server config
 config:
-  # IPv6 is disabled by default, since it leads to the pod failing if the
-  # k8s-cluster is not configured with IPv6 support
+  # The global log level
+  logLevel: info
+  # Turn off collection of device metadata logging. Includes last handshake time and RX/TX bytes only.
+  disableMetadata: false
+  # Enable/Disable the automatic deletion of inactive devices.
+  enableInactiveDeviceDeletion: false
+  # The duration after which inactive devices are automatically deleted, if automatic deletion is enabled. A device is inactive if it has not been connected to the server for longer than the inactive device grace period. The duration format is the go duration string format
+  inactiveDeviceGracePeriod: 8760h
+  # Change the name of the configuration file the user can download (Do not include the '.conf' extension )
+  filename: WireGuard
+  dns:
+    # Enable/disable the embedded DNS proxy server. This is enabled by default and allows VPN clients to avoid DNS leaks by sending all DNS requests to wg-access-server itself.
+    enabled: true
+    # The upstream DNS servers to proxy DNS requests to. By default the host machine's resolveconf configuration is used to find its upstream DNS server, with a fallback to Cloudflare.
+    #upstream: resolvconf
+    # A domain to serve configured devices authoritatively. Queries for names in the format .. will be answered with the device's IP addresses.
+    domain:
+  wireguard:
+    # Enable/disable the wireguard server. Useful for development on non-linux machines.
+    enabled: true
+    # The wireguard network interface name
+    interface: wg0
+    # The maximum transmission unit (MTU) to be used on the server-side interface.
+    mtu: 1420
   vpn:
+    # The VPN IPv4 network range. VPN clients will be assigned IP addresses in this range. Set to 0 to disable IPv4.
+    cidr: 10.44.0.0/24
+    # IPv6 is disabled by default, since it leads to the pod failing if the k8s-cluster is not configured with IPv6 support
     cidrv6: 0
-
-  # Declare a custom DNS entry to be written into the wg-quick client config file.
-  # Adapt to your needs or remove if you want the wg-access-server to act as DNS server.
+    # Disables NAT for IPv4
+    nat44: true
+    # Disables NAT for IPv6
+    nat66: true
+    # BLock or allow traffic between client devices (client isolation)
+    clientIsolation: false
+    # The VPN gateway interface. VPN client traffic will be forwarded to this interface.
+    # gatewayInterface: default gateway interface (e.g. eth0)
+    # Allowed IPs that clients may route through this VPN. This will be set in the client's WireGuard connection file and routing is also enforced by the server using iptables.
+    allowedIPs:
+      - "0.0.0.0/0"
+      - "::/0"
   clientConfig:
     dnsServers:
       - ""
     dnsSearchDomain: ""
+    mtu: ""
 
 secretConfig:
   config: {}
-  existingSecret: ""
+  existingSecret:
   secretRefKeys:
     config: "secretConfig"
 
 
 web:
   config:
-    existingSecret: ""
+    existingSecret:
     secretRefKeys:
       adminUsername: "adminUsername"
       adminPassword: "adminPassword"
     adminUsername: "admin"
-    adminPassword: ""
+    adminPassword: "admin"
     basicAuthEnabled: true
   service:
     annotations: {}
@@ -36,7 +71,7 @@ web:
 
 wireguard:
   config:
-    existingSecret: ""
+    existingSecret:
     secretRefKeys:
       privateKey: "privateKey"
     # PrivateKey must be changed before running this in a production environment.
@@ -50,7 +85,7 @@ wireguard:
     loadBalancerIP: ""
     externalIPs: []
     port: 51820
-    nodePort: ""
+    nodePort:
 
 storage:
   enabled: false
@@ -97,7 +132,7 @@ extraVolumeMounts: ""
 
 nameOverride: ""
 
-fullnameOverride: ""
+fullnameOverride:
 
 # use the host network for the application pod. Set to "true" if you want the
 # underlying K8S network to be reachable via the VPN.
@@ -122,9 +157,9 @@ strategy:
 
 # set securityContext for the application pod. With some kernel versions, adding the
 # 'NET_RAW' capability might be required for the iptables table to be initialized.
-# securityContext:
-#   capabilities:
-#     add: ['NET_ADMIN']
+securityContext:
+  capabilities:
+    add: ['NET_ADMIN']
 
 resources: {}
   # We usually recommend not to specify default resources and to leave this as a conscious