diff --git a/charts/apexkube-agent/Chart.yaml b/charts/apexkube-agent/Chart.yaml
index 952b0dc..37e5316 100644
--- a/charts/apexkube-agent/Chart.yaml
+++ b/charts/apexkube-agent/Chart.yaml
@@ -4,5 +4,5 @@ description: A Helm chart for deploying the ApexKube agent with Envoy and WireGu
 maintainers:
 - name: improwised
 type: application
-version: 1.0.1
+version: 1.2.0
 appVersion: "1.0.0"
diff --git a/charts/apexkube-agent/ci/ci-values.yaml b/charts/apexkube-agent/ci/ci-values.yaml
new file mode 100644
index 0000000..bc1207c
--- /dev/null
+++ b/charts/apexkube-agent/ci/ci-values.yaml
@@ -0,0 +1,65 @@
+envoy:
+ config:
+ jwt:
+ publicKey: "{\"keys\":[{\"alg\":\"EdDSA\",\"crv\":\"Ed25519\",\"kty\":\"OKP\",\"x\":\"11ks650uhzB2KlUPCoMDhtC2mkKfYym8U4WQjMeNjhU\"}]}"
+
+wireguard:
+ config:
+ address: "10.0.0.2/24"
+ peer:
+ publicKey: "11ks650uhzB2KlUPCoMDhtC2mkKfYym8U4WQjMeNjhU="
+ endpoint: "wireguard.example.com:51820"
+ allowedIPs: "10.0.0.1/32"
+ privateKey: "uui586n4pFIq00r4+djMoM7mtA6zYjZXo2Euurmu0Xw="
+
+tls:
+ certData:
+ tls.crt: |
+ -----BEGIN CERTIFICATE-----
+ MIIDCTCCAfGgAwIBAgIUaGwrA8nGGga2NXKUnIpyg5xUeZ0wDQYJKoZIhvcNAQEL
+ BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTI2MDYwOTA1NTQyNFoXDTI3MDYw
+ OTA1NTQyNFowFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF
+ AAOCAQ8AMIIBCgKCAQEAo0Ejot8FHw9QpUgqHiVQ+xJAEiBVRF4NoRqesbRwsDEZ
+ XjZr5Hjijm6nb7tF8JDosIU0dY2uuxo5CopcpiSUmoxyd6MkEEDpK0AsuTA8vw5f
+ Dm2zNw45CF2+zUSXdK1zU0B+GIRkUpbTua691LhyFyJ5vzBNLl0HwqaZ1LjZTdwd
+ SQoKo1Z2V8rB0RN9OTqxO3caCFTqOJyHZtB3QoF8EPB/Tola6UwaJyZQ9vYdWKov
+ vhOx6ytWDCUqY6UWA6BFXtNP7gDkM7B5STpXL706PkzNhvKsaF4bTgkWDWhCKhmF
+ Oek/2gUxeURw+iSKw/FnF15EnFZee1/MS3StcHMTuwIDAQABo1MwUTAdBgNVHQ4E
+ FgQU7GZbVWRAsxjB/h+sSMMfZBPJvswwHwYDVR0jBBgwFoAU7GZbVWRAsxjB/h+s
+ SMMfZBPJvswwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAWPn9
+ Iad2wxStDKowcANc8pJjqbLSsrq6/BGSleyug514/Wf2tEfa4okvsRtUy32u2s4U
+ kGYdAcmZxI9DEliUA+MI0UPq9cD3RBReboEVStfsKNaOlSxECOickc3EtAav6fR4
+ hsCj3lIIgv3Ghn7NAlgUEM5Z41kfTU1yJ868Cbh9kX0VmrGAL3hOYHBE/PuoeG2q
+ TUKAl5Ji+1j4mBLnAMxxq+96yOLl0U4vyb1O9eXIOr+PXipVHi0p/bQJb791i5tg
+ k0jgQUjI+DyGi8bIRVedu6sCTHm3j8NSCTfK3OyBSocR5kSZ3Ml/kQk54lZnqfOW
+ 7ReukJfLzfHS1oaBjw==
+ -----END CERTIFICATE-----
+ tls.key: |
+ -----BEGIN PRIVATE KEY-----
+ MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCjQSOi3wUfD1Cl
+ SCoeJVD7EkASIFVEXg2hGp6xtHCwMRleNmvkeOKObqdvu0XwkOiwhTR1ja67GjkK
+ ilymJJSajHJ3oyQQQOkrQCy5MDy/Dl8ObbM3DjkIXb7NRJd0rXNTQH4YhGRSltO5
+ rr3UuHIXInm/ME0uXQfCppnUuNlN3B1JCgqjVnZXysHRE305OrE7dxoIVOo4nIdm
+ 0HdCgXwQ8H9OiVrpTBonJlD29h1Yqi++E7HrK1YMJSpjpRYDoEVe00/uAOQzsHlJ
+ OlcvvTo+TM2G8qxoXhtOCRYNaEIqGYU56T/aBTF5RHD6JIrD8WcXXkScVl57X8xL
+ dK1wcxO7AgMBAAECggEADkjoW9uE4LNf3J6EZO/h9p4hshRXMazDJ4ojQaxmwdwB
+ +r7rUOoM9OaUyw+JbqPXYH6/WNvlYqTIQfZaZgVEZYONjo9dW/i6DllGsIuafSM+
+ SQ5rRJF/hw5g4Cg00nZM5Yd6oR2Qg7OD4jb6kE71WLXhDkwlLL3iLHOUeUsVZJ0O
+ wc/COvrO82YHpmVyw+W1tatfnupKaaQQR6AT2rW1gw04OW3nSXXtkwELrXsmW9eD
+ IMBdHzNKoI64iWsZNrUKV2v+5sHIBp9szYdoggQ+0Cj8fYZPqqsH2qc3GdnoCdkG
+ t2A1VEc+a95FxriYdMDRu6YF+WWXsivXTPktelYKzQKBgQDONkeuMsKy/gcVLeib
+ Wy/U0KfG0zfaZWsi+B7b9OkGIUS/QwPboGhXsAG6ype8j9JkZIPLec4pzhVg+Vfi
+ N2gKp5W20ZcDHTyQHxSduaJ4Scxf13H3CMuXMHPY/3rzrXwzv7uoMFTRYySSI2bX
+ jEI8JDc9ThOMgfbnPUoLBEsvPwKBgQDKq7PImMxIds4NLd22FJLnKLarbf3R7omK
+ qO+MZvMNSJZr1+jWp8ROx0rb7OU0TJCuTGSgFYRJd6gfqFNhHjz1kR+g+qI6LN2D
+ 1ETWnbDUX8kZWy7IH7mwQiRIXkKT8EHG3jO4uI0wP1fBgl+KwZf6EXP2s9Gaj8jx
+ hM3H90J4hQKBgF6Ii7vUEWW1BtIyxZvS5c6OCRwg4E4CiGbzkFINqHXi8n0r36zj
+ kHICggh7r6wF0tGrMrApGtYXX72hESTneY7I3N1+n9gRox3+4Zic7Vpvmn2lat1w
+ 7sRUtgcYt+jV80ZV81VbMsb6yF0mVZMi/YpMn/Y+wL99JQ9FDZiXU1BJAoGAIzq1
+ hakJ2Y7NQn02jPAGmSf6mNIFzPgp8HBtM3qxxR1ZCGX/k1CWTxtVZ+VF8lFc1O9y
+ jmEvHZYvI1GfLMKU1hrj5Jesm3AxETlUvfmrQz9jNYUkHKVnIbxdkjbQW+bniCoX
+ 04RBBqH8HycKdJQyVsWx4rBfPv6/bzwmiRvx8gECgYEAushj118qPg/QCz13JTp9
+ e/hwQ/ySBrUAiIZUPEu9Q1aAQRYmOpFzIrUWYBPsgEvqh9J0a7eemKBMCxjGsbiI
+ PMX2Ykvkp63VpT3e1BxEvzFtGCeOXFJK/PyWp6jJ3sPCz73fTzf4YwNW1LB0o7yz
+ vaM6yMaGewGkOyFTFgYwZOM=
+ -----END PRIVATE KEY-----
diff --git a/charts/apexkube-agent/templates/deployment.yaml b/charts/apexkube-agent/templates/deployment.yaml
index b3e2092..70e6d3d 100644
--- a/charts/apexkube-agent/templates/deployment.yaml
+++ b/charts/apexkube-agent/templates/deployment.yaml
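Review bot: The new CI values file commits a PEM private key under `tls.certData.tls.key` and a WireGuard `config.privateKey` with nothing marking them as throwaway fixtures, so secret scanners will flag the repository and a reader cannot tell from the file whether the material was ever used outside chart testing (presumably chart-testing's `ci/` convention). Add a header comment at the top of the file, e.g. `# CI-only fixtures: self-signed localhost certificate and dummy keys, generated for chart rendering tests; never use outside CI`, and consider generating the cert and keys inside the CI job so nothing key-shaped is checked in at all. The certificate's validity appears to decode to 2026-06-09 through 2027-06-09, so any CI step that actually validates it will start failing after that date; a comment recording the expiry, or CI-time generation, avoids a surprise break. The same 32-byte value is reused as the JWT `x` coordinate and as the WireGuard peer `publicKey`, which is fine for rendering but worth stating explicitly as a placeholder so nobody mistakes it for a real key pair.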
@@ -64,10 +64,9 @@ spec:
 port: healthcheck
 {{- end }}
 env:
- - name: LOG_LEVEL
- value: info
- - name: ENABLE_HEALTHCHECK
- value: "{{ .Values.wireguard.healthcheck.enabled }}"
+ {{- if .Values.wireguard.env }}
+ {{- toYaml .Values.wireguard.env | nindent 12 }}
+ {{- end }}
 securityContext:
 {{- toYaml .Values.wireguard.securityContext | nindent 12 }}
 resources:
@@ -87,9 +86,16 @@ spec:
 - /bin/sh
 - -c
 - |
- # Wait for WireGuard interface to be up
- sleep 5
- echo "WireGuard interface should be up now"
+ # Wait for WireGuard interface to be up (poll with timeout instead of indefinite loop)
+ for i in 1 2 3 4 5 6 7 8 9 10; do
+ if ip link show wg0 > /dev/null 2>&1; then
+ echo "WireGuard is up"
+ exit 0
+ fi
+ sleep 1
+ done
+ echo "WireGuard failed to start in time"
+ exit 1
 volumes:
 - name: envoy-config-volume
 configMap:
diff --git a/charts/apexkube-agent/templates/envoy-config-cm.yaml b/charts/apexkube-agent/templates/envoy-config-cm.yaml
index 9393dae..b295ca9 100644
--- a/charts/apexkube-agent/templates/envoy-config-cm.yaml
+++ b/charts/apexkube-agent/templates/envoy-config-cm.yaml
@@ -11,7 +11,7 @@ data:
 address:
 socket_address:
 address: 0.0.0.0
- port_value: 8080
+ port_value: {{ .Values.envoy.containerPort }}
 filter_chains:
 - transport_socket:
 name: envoy.transport_sockets.tls
@@ -68,7 +68,7 @@ data:
 end
 if cached_token then
- request_handle:headers():add("Authorization", "Bearer " .. cached_token)
+ request_handle:headers():replace("Authorization", "Bearer " .. cached_token)
 end
 end
 - name: envoy.filters.http.router
diff --git a/charts/apexkube-agent/templates/wireguard-config-cm.yaml b/charts/apexkube-agent/templates/wireguard-config-cm.yaml
index 3c1f19d..bd67c37 100644
--- a/charts/apexkube-agent/templates/wireguard-config-cm.yaml
+++ b/charts/apexkube-agent/templates/wireguard-config-cm.yaml
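Review bot: `ENABLE_HEALTHCHECK` is no longer derived from `.Values.wireguard.healthcheck.enabled`; it now comes from the static `wireguard.env` list that the values.yaml hunk later in this diff seeds with `value: "true"`, so the healthcheck port gated by the `{{- end }}` above and the flag the container reads can silently disagree when a user sets `healthcheck.enabled: false` without also editing `env`. Either keep the derived entry alongside the user-supplied list, e.g. `- name: ENABLE_HEALTHCHECK` / `value: "{{ .Values.wireguard.healthcheck.enabled }}"` placed before the `{{- if .Values.wireguard.env }}` block and dropped from the values default, or document in values.yaml that `env` must be kept in sync with `healthcheck.enabled`. With `env` unset the rendered `env:` key has no value (null), which the API server appears to tolerate, but a comment `# renders env: null when .Values.wireguard.env is empty` would make that deliberate. The container spec enclosing this block starts outside the hunk.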
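Review bot: The new comment `# Wait for WireGuard interface to be up (poll with timeout instead of indefinite loop)` misdescribes the change, since the code it replaces was a fixed `sleep 5`, not an indefinite loop, and `ip link show wg0` only proves the link exists, not that it carries a configured WireGuard device or has completed a handshake. Reword it to `# Wait up to 10s for the wg0 link to appear; existence only, not handshake state` so the next reader does not over-trust the check. If the container running this script has the `wg` binary, polling `wg show wg0 > /dev/null 2>&1` instead would additionally confirm the device is configured. Whether this runs as a postStart hook or an init container is outside the hunk, so I cannot tell what `exit 1` does to the pod; either way failing fast beats the old unconditional sleep.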
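Review bot: `replace` is an improvement over `add`, because a client-supplied `Authorization` header would otherwise have been forwarded upstream alongside the minted one, but the overwrite only happens inside `if cached_token then`; when no token is cached, whatever `Authorization` the client sent still reaches the upstream unchanged. If the upstream should only ever see the chart-minted token, strip the inbound header unconditionally before the branch, e.g. `request_handle:headers():remove("Authorization")` above the `if`, and keep `replace` inside it. The Lua function enclosing this starts outside the hunk, so this assumes nothing earlier already removes the header; if the pass-through is intentional, a one-line comment saying so would stop the next reviewer raising it again.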
@@ -10,6 +10,7 @@ data:
 wg0.conf: |
 [Interface]
 Address = {{ .Values.wireguard.config.address }}
+ PostUp = wg set %i private-key /etc/wireguard/privatekey
 [Peer]
 PublicKey = {{ .Values.wireguard.config.peer.publicKey }}
diff --git a/charts/apexkube-agent/values.yaml b/charts/apexkube-agent/values.yaml
index b24a949..6313a38 100644
--- a/charts/apexkube-agent/values.yaml
+++ b/charts/apexkube-agent/values.yaml
@@ -52,18 +52,6 @@ envoy:
 # Container port for Envoy
 containerPort: 10000
- # Service configuration for Envoy
- service:
- # Service type (ClusterIP, NodePort, LoadBalancer)
- type: ClusterIP
- # Service port
- port: 10000
- # Target port on the container
- targetPort: 10000
- # NodePort (only applicable when type is NodePort)
- # If not specified, Kubernetes will allocate one automatically
- nodePort: ""
-
 # WireGuard VPN configuration
 wireguard:
 image:
@@ -112,6 +100,14 @@ wireguard:
 # WARNING: This is sensitive data. Consider using existingSecret for production
 privateKey: ""
+ # Environment variables for WireGuard container (optional)
+ # Define as a list of env var objects; this replaces the hardcoded env in the deployment
+ env:
+ - name: LOG_LEVEL
+ value: "info"
+ - name: ENABLE_HEALTHCHECK
+ value: "true"
+
 # Resource limits and requests for WireGuard container
 resources:
 requests:
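Review bot: `PostUp = wg set %i private-key /etc/wireguard/privatekey` keeps the private key out of the ConfigMap-rendered `wg0.conf`, which is the right direction, but `[Interface]` is now left with no `PrivateKey` and nothing in this diff mounts `/etc/wireguard/privatekey`; if the Deployment does not project the key from a Secret at exactly that path, the PostUp hook should fail and `wg-quick up` will tear the interface down again after creating it. Add a comment in the template above the line, `# Private key is loaded in PostUp from the Secret-mounted file; keep it out of this ConfigMap`, and state in values.yaml which Secret key is expected at that path and that it should be mounted read-only with a restrictive `defaultMode` (0400). Until PostUp runs, the interface exists without a key, so any readiness check that only looks for the `wg0` link will report success slightly before the device is usable.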
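Review bot: Removing the whole `envoy.service` block is a breaking change for anyone overriding `envoy.service.type`, `port` or `nodePort`, yet Chart.yaml only moves from 1.0.1 to 1.2.0; Helm does not reject unknown values without a values.schema.json, so such overrides would now be silently ignored rather than flagged. Either bump the major version or call the removal out in the chart's changelog or NOTES. The diff does not touch a templates/service.yaml; if a Service template still references `.Values.envoy.service.*`, rendering will fail on a nil map, so please confirm it was removed or reworked in the same change.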