Re-add deployment as a regular directory

2024-08-22 20:56:17 -04:00
parent 8252e8664d
commit 300dbe9857
43 changed files with 2124 additions and 1 deletions
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
@@ -0,0 +1,9 @@
+dependencies:
+- name: postgresql
+  repository: https://charts.bitnami.com/bitnami
+  version: 12.12.10
+- name: defguard-proxy
+  repository: https://defguard.github.io/deployment
+  version: 0.3.5
+digest: sha256:de930b480616cfa369caf7b1447c5b3e729fce3e17994717ab0f64aa02c027e7
+generated: "2024-07-26T09:00:54.309522115+02:00"
@@ -0,0 +1,17 @@
+apiVersion: v2
+name: defguard
+description: Defguard is an open-source enterprise wireGuard VPN with MFA and SSO 
+
+type: application
+version: 0.7.6
+appVersion: 0.11.0
+
+dependencies:
+  - name: postgresql
+    condition: postgresql.enabled
+    version: 12.12.10
+    repository: https://charts.bitnami.com/bitnami
+  - name: defguard-proxy
+    condition: defguard-proxy.enabled
+    version: 0.3.5
+    repository: https://defguard.github.io/deployment
@@ -0,0 +1,20 @@
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host }}/
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "defguard.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "defguard.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "defguard.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
+  echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "defguard.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+  echo "Visit http://127.0.0.1:8080 to use your application"
+  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}
@@ -0,0 +1,78 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "defguard.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "defguard.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "defguard.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "defguard.labels" -}}
+helm.sh/chart: {{ include "defguard.chart" . }}
+{{ include "defguard.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "defguard.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "defguard.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "defguard.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "defguard.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Define OpenID secret name
+*/}}
+{{- define "defguard.openidSecretName" -}}
+{{- $name := "openid-key" }}
+{{- $name }}
+{{- end }}
+
+{{/*
+Define JWT secret name
+*/}}
+{{- define "defguard.jwtSecretName" -}}
+{{- $name := "jwt-secrets" }}
+{{- $name }}
+{{- end }}
@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "defguard.fullname" . }}-config
+  labels:
+    {{- include "defguard.labels" . | nindent 4 }}
+data:
+  {{- if .Values.cookie.domain }}
+  DEFGUARD_COOKIE_DOMAIN: {{ .Values.cookie.domain }}
+  {{- end }}
+  DEFGUARD_COOKIE_INSECURE: {{ .Values.cookie.insecure | quote }}
+  DEFGUARD_DB_HOST: {{ .Values.postgresql.host | default (printf "%s-postgresql" (include "defguard.fullname" .)) }}
+  DEFGUARD_DB_PORT: {{ .Values.postgresql.port | quote}}
+  DEFGUARD_DB_NAME: {{ .Values.postgresql.auth.database }}
+  DEFGUARD_DB_USER: {{ .Values.postgresql.auth.username }}
+  DEFGUARD_GRPC_PORT: {{ .Values.service.ports.grpc | quote }}
+  DEFGUARD_ENROLLMENT_URL: {{ index .Values "defguard-proxy" "publicUrl" }}
+  {{- if .Values.proxyUrl }}
+  DEFGUARD_PROXY_URL: {{ .Values.proxyUrl }}
+  {{- end }}
+  DEFGUARD_URL: {{ .Values.publicUrl }}
+  DEFGUARD_WEBAUTHN_RP_ID: {{ .Values.ingress.web.host }}
+  {{- if .Values.ldap.enabled }}
+  DEFGUARD_LDAP_ADMIN_GROUP: {{ .Values.ldap.admin_group | quote }}
+  DEFGUARD_LDAP_BIND_PASSWORD: {{ .Values.ldap.bind_password | quote }}
+  DEFGUARD_LDAP_BIND_USERNAME: {{ .Values.ldap.bind_username | quote }}
+  DEFGUARD_LDAP_GROUP_SEARCH_BASE: {{ .Values.ldap.group_search_base | quote }}
+  DEFGUARD_LDAP_USER_SEARCH_BASE: {{ .Values.ldap.user_search_base | quote }}
+  DEFGUARD_LDAP_URL: {{ .Values.ldap.url | quote }}
+  {{- end }}
@@ -0,0 +1,105 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "defguard.fullname" . }}
+  labels:
+    {{- include "defguard.labels" . | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "defguard.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "defguard.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "defguard.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          env:
+            - name: DEFGUARD_DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.postgresql.auth.existingSecret }}
+                  key: {{ .Values.postgresql.auth.existingSecretPasswordKey | default "password" }}
+            - name: DEFGUARD_AUTH_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.existingJwtSecret | default (include "defguard.jwtSecretName" .) }}
+                  key: auth
+            - name: DEFGUARD_GATEWAY_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.existingJwtSecret | default (include "defguard.jwtSecretName" .) }}
+                  key: gateway
+            - name: DEFGUARD_YUBIBRIDGE_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.existingJwtSecret | default (include "defguard.jwtSecretName" .) }}
+                  key: yubi-bridge
+            - name: DEFGUARD_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.existingJwtSecret | default (include "defguard.jwtSecretName" .) }}
+                  key: secret-key
+            - name: DEFGUARD_OPENID_KEY
+              value: "/etc/defguard-openid-key.pem"
+          envFrom:
+            - configMapRef:
+                name: {{ include "defguard.fullname" . }}-config
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: 8000
+              protocol: TCP
+            - name: grpc
+              containerPort: 50055
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /api/v1/health
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /api/v1/health
+              port: http
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          volumeMounts:
+            - name: openid-key
+              mountPath: "/etc/defguard-openid-key.pem"
+              readOnly: true
+              subPath: openid-key
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      volumes:
+        - name: openid-key
+          secret:
+            secretName: {{ .Values.existingOpenIdSecret | default (include "defguard.openidSecretName" .) }}
+            optional: false
@@ -0,0 +1,25 @@
+{{ if not .Values.existingJwtSecret }}
+{{- $auth := (randAlpha 16) | b64enc | quote }}
+{{- $gateway := (randAlpha 16) | b64enc | quote }}
+{{- $yubiBridge := (randAlpha 16) | b64enc | quote }}
+{{- $secretKey := (randAlpha 64) | b64enc | quote }}
+{{- $secret := (lookup "v1" "Secret" .Release.Namespace (include "defguard.jwtSecretName" .)) }}
+{{- if $secret }}
+{{- $auth = index $secret.data "auth" }}
+{{- $gateway = index $secret.data "gateway" }}
+{{- $yubiBridge = index $secret.data "yubi-bridge" }}
+{{- $secretKey = index $secret.data "secret-key" }}
+{{- end }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "defguard.jwtSecretName" . }}
+  labels:
+    {{- include "defguard.labels" . | nindent 4 }}
+type: Opaque
+data:
+  auth: {{ $auth }}
+  gateway: {{ $gateway }}
+  yubi-bridge: {{ $yubiBridge }}
+  secret-key: {{ $secretKey }}
+{{- end }}
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "defguard.fullname" . }}-web
+  labels:
+    {{- include "defguard.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.ports.http }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "defguard.selectorLabels" . | nindent 4 }}
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    traefik.ingress.kubernetes.io/service.serversscheme: h2c
+  name: {{ include "defguard.fullname" . }}-grpc
+  labels:
+    {{- include "defguard.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.ports.grpc }}
+      targetPort: grpc
+      protocol: TCP
+      name: grpc
+  selector:
+    {{- include "defguard.selectorLabels" . | nindent 4 }}
@@ -0,0 +1,52 @@
+{{- if .Values.ingress.grpc.enabled -}}
+{{- $fullName := include "defguard.fullname" . -}}
+{{- if and .Values.ingress.grpc.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+  {{- if not (hasKey .Values.ingress.grpc.annotations "kubernetes.io/ingress.class") }}
+  {{- $_ := set .Values.ingress.grpc.annotations "kubernetes.io/ingress.class" .Values.ingress.grpc.className}}
+  {{- end }}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}-grpc
+  labels:
+    {{- include "defguard.labels" . | nindent 4 }}
+  {{- with .Values.ingress.grpc.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if and .Values.ingress.grpc.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+  ingressClassName: {{ .Values.ingress.grpc.className }}
+  {{- end }}
+  {{- if .Values.ingress.grpc.tls }}
+  tls:
+    - hosts:
+      - {{ .Values.ingress.grpc.host | quote }}
+      secretName: {{ printf "%s-grpc-tls" .Values.ingress.grpc.host }}
+  {{- end }}
+  rules:
+    - host: {{ .Values.ingress.grpc.host | quote }}
+      http:
+        paths:
+          - path: /
+            {{- if semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion }}
+            pathType: ImplementationSpecific
+            {{- end }}
+            backend:
+              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+              service:
+                name: {{ $fullName }}-grpc
+                port:
+                  number: {{ .Values.service.ports.grpc }}
+              {{- else }}
+              serviceName: {{ $fullName }}-grpc
+              servicePort: {{ .Values.service.ports.grpc }}
+              {{- end }}
+{{- end }}
@@ -0,0 +1,52 @@
+{{- if .Values.ingress.web.enabled -}}
+{{- $fullName := include "defguard.fullname" . -}}
+{{- if and .Values.ingress.web.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+  {{- if not (hasKey .Values.ingress.web.annotations "kubernetes.io/ingress.class") }}
+  {{- $_ := set .Values.ingress.web.annotations "kubernetes.io/ingress.class" .Values.ingress.web.className}}
+  {{- end }}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}-web
+  labels:
+    {{- include "defguard.labels" . | nindent 4 }}
+  {{- with .Values.ingress.web.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if and .Values.ingress.web.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+  ingressClassName: {{ .Values.ingress.web.className }}
+  {{- end }}
+  {{- if .Values.ingress.web.tls }}
+  tls:
+    - hosts:
+      - {{ .Values.ingress.web.host | quote }}
+      secretName: {{ printf "%s-web-tls" .Values.ingress.web.host }}
+  {{- end }}
+  rules:
+    - host: {{ .Values.ingress.web.host | quote }}
+      http:
+        paths:
+          - path: /
+            {{- if semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion }}
+            pathType: ImplementationSpecific
+            {{- end }}
+            backend:
+              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+              service:
+                name: {{ $fullName }}-web
+                port:
+                  number: {{ .Values.service.ports.http }}
+              {{- else }}
+              serviceName: {{ $fullName }}-web
+              servicePort: {{ .Values.service.ports.http }}
+              {{- end }}
+{{- end }}
@@ -0,0 +1,16 @@
+{{ if not .Values.existingOpenIdSecret }}
+{{- $openIdKey := (genPrivateKey "rsa") | b64enc | quote }}
+{{- $secret := (lookup "v1" "Secret" .Release.Namespace (include "defguard.openidSecretName" .)) }}
+{{- if $secret }}
+{{- $openIdKey = index $secret.data "openid-key" }}
+{{- end }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "defguard.openidSecretName" . }}
+  labels:
+    {{- include "defguard.labels" . | nindent 4 }}
+type: Opaque
+data:
+  openid-key: {{ $openIdKey }}
+{{- end }}
@@ -0,0 +1,19 @@
+{{ if .Values.postgresql.enabled }}
+{{- $password := (randAlpha 16) | b64enc | quote }}
+{{- $postgresPassword := (randAlpha 16) | b64enc | quote }}
+{{- $secret := (lookup "v1" "Secret" .Release.Namespace .Values.postgresql.auth.existingSecret) }}
+{{- if $secret }}
+{{- $password = index $secret.data "password" }}
+{{- $postgresPassword = index $secret.data "postgres-password" }}
+{{- end }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.postgresql.auth.existingSecret }}
+  labels:
+    {{- include "defguard.labels" . | nindent 4 }}
+type: Opaque
+data:
+  password: {{ $password }}
+  postgres-password: {{ $postgresPassword }}
+{{- end }}
@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "defguard.serviceAccountName" . }}
+  labels:
+    {{- include "defguard.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
@@ -0,0 +1,75 @@
+affinity: {}
+autoscaling:
+  enabled: false
+  minReplicas: 1
+  maxReplicas: 10
+cookie:
+  domain: ""
+  insecure: false
+fullnameOverride: ""
+image:
+  pullPolicy: IfNotPresent
+  repository: ghcr.io/defguard/defguard
+  tag: ""
+imagePullSecrets: []
+ingress:
+  grpc:
+    annotations: {}
+    className: ""
+    enabled: true
+    host: defguard-grpc.local
+    tls: false
+  web:
+    annotations: {}
+    className: ""
+    enabled: true
+    host: defguard.local
+    tls: false
+existingJwtSecret: ""
+ldap:
+  admin_group: ""
+  bind_password: ""
+  bind_username: ""
+  enabled: false
+  group_search_base: ""
+  url: ""
+  user_search_base: ""
+nameOverride: ""
+nodeSelector: {}
+existingOpenIdSecret: ""
+podAnnotations: {}
+podLabels: {}
+podSecurityContext: {}
+# sub-chart bitnami/postgresql
+postgresql:
+  enabled: true
+  host: "" # set if using external postgresql ~ enabled: false
+  port: 5432
+  auth:
+    database: defguard
+    existingSecret: postgres-password
+    existingSecretPasswordKey: "" # set if using external postgresql ~ enabled: false
+    username: defguard
+proxyUrl: ""
+publicUrl: "http://defguard.local"
+replicaCount: 1
+resources: {}
+securityContext: {}
+service:
+  ports:
+    grpc: 50055
+    http: 80
+  type: ClusterIP
+serviceAccount:
+  annotations: {}
+  create: true
+tolerations: []
+# sub-chart defguard-proxy
+defguard-proxy:
+  enabled: false
+  publicUrl: "http://enrollment.local"
+  ingress:
+    grpc:
+      host: defguard-proxy-grpc.local
+    web:
+      host: enrollment.local