From dbc9df070b4a7ca3b6558e6dde6d3ca7903c8079 Mon Sep 17 00:00:00 2001
From: naison <895703375@qq.com>
Date: Thu, 3 Apr 2025 20:45:12 +0800
Subject: [PATCH] feat: add options netstack to helm charts (#509)
---
 charts/kubevpn/templates/NOTES.txt | 4 ++--
 charts/kubevpn/templates/_helpers.tpl | 19 +++++++++++++++
 charts/kubevpn/templates/configmap.yaml | 1 +
 charts/kubevpn/templates/deployment.yaml | 16 +++++++------
 charts/kubevpn/templates/hpa.yaml | 1 +
 charts/kubevpn/templates/job.yaml | 23 ++++++++++---------
 .../mutatingwebhookconfiguration.yaml | 5 ++--
 charts/kubevpn/templates/role.yaml | 7 +++---
 charts/kubevpn/templates/rolebinding.yaml | 9 ++++----
 charts/kubevpn/templates/secret.yaml | 7 +++---
 charts/kubevpn/templates/service.yaml | 1 +
 charts/kubevpn/templates/serviceaccount.yaml | 1 +
 charts/kubevpn/values.yaml | 22 +++++++++++-------
 13 files changed, 76 insertions(+), 40 deletions(-)
diff --git a/charts/kubevpn/templates/NOTES.txt b/charts/kubevpn/templates/NOTES.txt
index 7f01dde1..e667e8f4 100644
--- a/charts/kubevpn/templates/NOTES.txt
+++ b/charts/kubevpn/templates/NOTES.txt
@@ -1,4 +1,4 @@
 1. Connect to cluster network by running these commands:
- kubevpn connect --namespace {{ .Release.Namespace }}
- export POD_IP=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "kubevpn.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].status.podIP}")
+ kubevpn connect --namespace {{ include "kubevpn.namespace" . }}
+ export POD_IP=$(kubectl get pods --namespace {{ include "kubevpn.namespace" . }} -l "app.kubernetes.io/name={{ include "kubevpn.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].status.podIP}")
 ping $POD_IP
diff --git a/charts/kubevpn/templates/_helpers.tpl b/charts/kubevpn/templates/_helpers.tpl
index 48533042..83bea564 100644
--- a/charts/kubevpn/templates/_helpers.tpl
+++ b/charts/kubevpn/templates/_helpers.tpl
@@ -61,3 +61,22 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Namespace
+1. special by -n
+2. use default namespace kubevpn
+*/}}
+{{- define "kubevpn.namespace" -}}
+{{- if .Release.Namespace }}
+ {{- if eq .Release.Namespace "default" }}
+{{- .Values.namespace }}
+ {{- else }}
+{{- .Release.Namespace }}
+ {{- end }}
+{{- else if .Values.namespace }}
+{{- .Values.namespace }}
+{{- else }}
+{{- .Values.namespace }}
+{{- end }}
+{{- end }}
\ No newline at end of file
diff --git a/charts/kubevpn/templates/configmap.yaml b/charts/kubevpn/templates/configmap.yaml
index e7bc415a..0a6976f4 100644
--- a/charts/kubevpn/templates/configmap.yaml
+++ b/charts/kubevpn/templates/configmap.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
 name: {{ include "kubevpn.fullname" . }}
+ namespace: {{ include "kubevpn.namespace" . }}
 data:
 DHCP: ""
 DHCP6: ""
diff --git a/charts/kubevpn/templates/deployment.yaml b/charts/kubevpn/templates/deployment.yaml
index 3e711ea4..e5ec6353 100644
--- a/charts/kubevpn/templates/deployment.yaml
+++ b/charts/kubevpn/templates/deployment.yaml
@@ -2,6 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: {{ include "kubevpn.fullname" . }}
+ namespace: {{ include "kubevpn.namespace" . }}
 labels:
 {{- include "kubevpn.labels" . | nindent 4 }}
 spec:
@@ -32,8 +33,8 @@ spec:
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
 containers:
 - args:
- |2-
-
+ {{- if eq .Values.netstack "system" }}
+ - |
 sysctl -w net.ipv4.ip_forward=1
 sysctl -w net.ipv6.conf.all.disable_ipv6=0
 sysctl -w net.ipv6.conf.all.forwarding=1
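Review bot: Two of the three branches of the new `kubevpn.namespace` helper render the same value and the outer `else` is unreachable: Helm always populates `.Release.Namespace` (it falls back to `default`), so `{{- else if .Values.namespace }}` and the final `{{- else }}` both emit `.Values.namespace`, and the nested `eq .Release.Namespace "default"` check is the only live logic. That logic deserves a comment because it is surprising: `helm install -n default` does not install into `default` but into `.Values.namespace` (`kubevpn` per values.yaml), a namespace this chart never creates and which `--create-namespace` does not cover since it is not the release namespace, so the install presumably fails unless that namespace pre-exists, and the release record then lives in a different namespace than the resources. I would collapse the helper to one condition and state the redirect and the pre-existence requirement in the template comment (`special by -n` also reads as `specified by -n`).
```gotmpl
{{/*
Namespace the chart's resources are rendered into.
Uses the release namespace (-n), except that "default" is redirected to
.Values.namespace. That namespace must already exist: the chart does not
create it and --create-namespace only covers the release namespace.
*/}}
{{- define "kubevpn.namespace" -}}
{{- if and .Release.Namespace (ne .Release.Namespace "default") }}
{{- .Release.Namespace }}
{{- else }}
{{- .Values.namespace }}
{{- end }}
{{- end }}
```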
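Review bot: The `{{- if eq .Values.netstack "system" }}` introduced on the args block is paired with a bare `{{- else }}` (the following hunk, and again around `securityContext` in the @@ -74 hunk), so any value other than the exact string `system` — a typo such as `System` or `gVisor` — silently renders the gvisor command line, which has no `tun://` listener, and the mistake only surfaces at runtime. Validating the value once makes the failure explicit at template time: `{{- if not (has .Values.netstack (list "system" "gvisor")) }}{{ fail (printf "netstack must be \"system\" or \"gvisor\", got %q" .Values.netstack) }}{{- end }}` near the top of deployment.yaml. The container spec this hunk edits continues outside the hunk.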
@@ -47,6 +48,9 @@ spec:
 iptables -t nat -A POSTROUTING -s ${CIDR4} -o eth0 -j MASQUERADE
 ip6tables -t nat -A POSTROUTING -s ${CIDR6} -o eth0 -j MASQUERADE
 kubevpn serve -L "tcp://:10800" -L "tun://:8422?net=${TunIPv4}" -L "gtcp://:10801" -L "gudp://:10802" --debug=true
+ {{- else }}
+ - kubevpn serve -L "tcp://:10800" -L "gtcp://:10801" -L "gudp://:10802" --debug=true
+ {{- end }}
 command:
 - /bin/sh
 - -c
@@ -74,12 +78,10 @@ spec:
 protocol: TCP
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
+ {{- if eq .Values.netstack "system" }}
 securityContext:
- capabilities:
- add:
- - NET_ADMIN
- privileged: true
- runAsUser: 0
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ {{- end }}
 - args:
 - control-plane
 - --watchDirectoryFilename
diff --git a/charts/kubevpn/templates/hpa.yaml b/charts/kubevpn/templates/hpa.yaml
index 5be2341b..ee70e179 100644
--- a/charts/kubevpn/templates/hpa.yaml
+++ b/charts/kubevpn/templates/hpa.yaml
@@ -3,6 +3,7 @@ apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
 name: {{ include "kubevpn.fullname" . }}
+ namespace: {{ include "kubevpn.namespace" . }}
 labels:
 {{- include "kubevpn.labels" . | nindent 4 }}
 spec:
diff --git a/charts/kubevpn/templates/job.yaml b/charts/kubevpn/templates/job.yaml
index 5fbaa14c..048f73c2 100644
--- a/charts/kubevpn/templates/job.yaml
+++ b/charts/kubevpn/templates/job.yaml
@@ -2,6 +2,7 @@ apiVersion: batch/v1
 kind: Job
 metadata:
 name: {{ include "kubevpn.fullname" . }}
+ namespace: {{ include "kubevpn.namespace" . }}
 labels:
 {{- include "kubevpn.labels" . | nindent 4 }}
 annotations:
@@ -36,34 +37,34 @@ spec: args: - |2- - echo "Label namespace {{ .Release.Namespace }}" - kubectl label ns {{ .Release.Namespace }} ns={{ .Release.Namespace }} + echo "Label namespace {{ include "kubevpn.namespace" . }}" + kubectl label ns {{ include "kubevpn.namespace" . }} ns={{ include "kubevpn.namespace" . }} echo "Generating https certificate" - openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -subj "/CN={{ include "kubevpn.fullname" . }}.{{ .Release.Namespace }}.svc" -addext "subjectAltName=DNS:{{ include "kubevpn.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local,DNS:{{ include "kubevpn.fullname" . }}.{{ .Release.Namespace }}.svc" -keyout server.key -out server.crt + openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -subj "/CN={{ include "kubevpn.fullname" . }}.{{ include "kubevpn.namespace" . }}.svc" -addext "subjectAltName=DNS:{{ include "kubevpn.fullname" . }}.{{ include "kubevpn.namespace" . }}.svc.cluster.local,DNS:{{ include "kubevpn.fullname" . }}.{{ include "kubevpn.namespace" . }}.svc" -keyout server.key -out server.crt export TLS_CRT=$(cat server.crt | base64 | tr -d '\n') - echo "Patch mutatingwebhookconfigurations {{ include "kubevpn.fullname" . }}.{{ .Release.Namespace }}" - kubectl patch mutatingwebhookconfigurations {{ include "kubevpn.fullname" . }}.{{ .Release.Namespace }} -p "{\"webhooks\":[{\"name\":\"{{ include "kubevpn.fullname" . }}.naison.io\",\"sideEffects\":\"None\",\"admissionReviewVersions\":[\"v1\", \"v1beta1\"],\"clientConfig\":{\"service\":{\"namespace\":\"{{ .Release.Namespace }}\",\"name\":\"{{ include "kubevpn.fullname" . }}\"},\"caBundle\":\"$TLS_CRT\"}}]}" + echo "Patch mutatingwebhookconfigurations {{ include "kubevpn.fullname" . }}.{{ include "kubevpn.namespace" . }}" + kubectl patch mutatingwebhookconfigurations {{ include "kubevpn.fullname" . }}.{{ include "kubevpn.namespace" . }} -p "{\"webhooks\":[{\"name\":\"{{ include "kubevpn.fullname" . 
}}.naison.io\",\"sideEffects\":\"None\",\"admissionReviewVersions\":[\"v1\", \"v1beta1\"],\"clientConfig\":{\"service\":{\"namespace\":\"{{ include "kubevpn.namespace" . }}\",\"name\":\"{{ include "kubevpn.fullname" . }}\"},\"caBundle\":\"$TLS_CRT\"}}]}" export TLS_KEY=$(cat server.key | base64 | tr -d '\n') echo "Patch secret {{ include "kubevpn.fullname" . }}" - kubectl patch secret {{ include "kubevpn.fullname" . }} -n {{ .Release.Namespace }} -p "{\"data\":{\"tls_key\":\"$TLS_KEY\",\"tls_crt\":\"$TLS_CRT\"}}" + kubectl patch secret {{ include "kubevpn.fullname" . }} -n {{ include "kubevpn.namespace" . }} -p "{\"data\":{\"tls_key\":\"$TLS_KEY\",\"tls_crt\":\"$TLS_CRT\"}}" echo "Restart the pods..." - kubectl scale -n {{ .Release.Namespace }} --replicas=0 deployment/{{ include "kubevpn.fullname" . }} - kubectl scale -n {{ .Release.Namespace }} --replicas=1 deployment/{{ include "kubevpn.fullname" . }} + kubectl scale -n {{ include "kubevpn.namespace" . }} --replicas=0 deployment/{{ include "kubevpn.fullname" . }} + kubectl scale -n {{ include "kubevpn.namespace" . }} --replicas=1 deployment/{{ include "kubevpn.fullname" . }} - export POOLS=$(kubectl get cm {{ include "kubevpn.fullname" . }} -n {{ .Release.Namespace }} -o jsonpath='{.data.IPv4_POOLS}') + export POOLS=$(kubectl get cm {{ include "kubevpn.fullname" . }} -n {{ include "kubevpn.namespace" . }} -o jsonpath='{.data.IPv4_POOLS}') if [[ -z "${POOLS// }" ]];then echo "Cidr is empty" echo "Get pod cidr..." export POD_CIDR=$(kubectl get nodes -o jsonpath='{.items[*].spec.podCIDR}' | tr -s '\n' ' ') echo "Get service cidr..." 
- export SVC_CIDR=$(echo '{"apiVersion":"v1","kind":"Service","metadata":{"name":"kubevpn-get-svc-cidr-{{ .Release.Namespace }}", "namespace": "{{ .Release.Namespace }}"},"spec":{"clusterIP":"1.1.1.1","ports":[{"port":443}]}}' | kubectl apply -f - 2>&1 | sed 's/.*valid IPs is //')
+ export SVC_CIDR=$(echo '{"apiVersion":"v1","kind":"Service","metadata":{"name":"kubevpn-get-svc-cidr-{{ include "kubevpn.namespace" . }}", "namespace": "{{ include "kubevpn.namespace" . }}"},"spec":{"clusterIP":"1.1.1.1","ports":[{"port":443}]}}' | kubectl apply -f - 2>&1 | sed 's/.*valid IPs is //')
 echo "Pod cidr: $POD_CIDR, service cidr: $SVC_CIDR"
 echo "Patch configmap {{ include "kubevpn.fullname" . }}"
- kubectl patch configmap {{ include "kubevpn.fullname" . }} -n {{ .Release.Namespace }} -p "{\"data\":{\"IPv4_POOLS\":\"$POD_CIDR $SVC_CIDR\"}}"
+ kubectl patch configmap {{ include "kubevpn.fullname" . }} -n {{ include "kubevpn.namespace" . }} -p "{\"data\":{\"IPv4_POOLS\":\"$POD_CIDR $SVC_CIDR\"}}"
 else
 echo "Cidr is NOT empty"
 fi
diff --git a/charts/kubevpn/templates/mutatingwebhookconfiguration.yaml b/charts/kubevpn/templates/mutatingwebhookconfiguration.yaml
index f1dbd732..dfb13830 100644
--- a/charts/kubevpn/templates/mutatingwebhookconfiguration.yaml
+++ b/charts/kubevpn/templates/mutatingwebhookconfiguration.yaml
@@ -1,7 +1,8 @@
 apiVersion: admissionregistration.k8s.io/v1
 kind: MutatingWebhookConfiguration
 metadata:
- name: {{ include "kubevpn.fullname" . }}.{{ .Release.Namespace }}
+ name: {{ include "kubevpn.fullname" . }}.{{ include "kubevpn.namespace" . }}
+ namespace: {{ include "kubevpn.namespace" . }}
 webhooks:
 - admissionReviewVersions:
 - v1
@@ -10,7 +11,7 @@ webhooks:
 caBundle: {{ .Values.tls.crt }}
 service:
 name: {{ include "kubevpn.fullname" . }}
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "kubevpn.namespace" . }}
 path: /pods
 port: 80
 failurePolicy: Ignore
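Review bot: `namespace: {{ include "kubevpn.namespace" . }}` is added under `metadata` of a MutatingWebhookConfiguration, which is a cluster-scoped kind; as far as I know the API server discards `metadata.namespace` on cluster-scoped objects and some clients and schema validators reject it, so the line is at best dead and at worst an install error. The namespace that matters for the webhook is `clientConfig.service.namespace`, which the second hunk in this file already updates, so I would drop the `metadata.namespace` line here. The same check applies to the ClusterRole and ClusterRoleBinding in role.yaml and rolebinding.yaml; from the hunks shown they only rename, and `namespace:` is added to the namespaced Role and RoleBinding, which is correct.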
diff --git a/charts/kubevpn/templates/role.yaml b/charts/kubevpn/templates/role.yaml
index 617c3381..578a9cf9 100644
--- a/charts/kubevpn/templates/role.yaml
+++ b/charts/kubevpn/templates/role.yaml
@@ -2,6 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
 name: {{ include "kubevpn.fullname" . }}
+ namespace: {{ include "kubevpn.namespace" . }}
 rules:
 - apiGroups:
 - ""
@@ -20,7 +21,7 @@ rules:
 - delete
 - apiGroups: [ "" ]
 resources: [ "namespaces" ]
- resourceNames: [{{ .Release.Namespace }}]
+ resourceNames: ["{{ include "kubevpn.namespace" . }}"]
 verbs:
 - get
 - patch
@@ -47,14 +48,14 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
- name: {{ include "kubevpn.fullname" . }}.{{ .Release.Namespace }}
+ name: {{ include "kubevpn.fullname" . }}.{{ include "kubevpn.namespace" . }}
 rules:
 - apiGroups:
 - admissionregistration.k8s.io
 resources:
 - mutatingwebhookconfigurations
 resourceNames:
- - {{ include "kubevpn.fullname" . }}.{{ .Release.Namespace }}
+ - {{ include "kubevpn.fullname" . }}.{{ include "kubevpn.namespace" . }}
 verbs:
 - get
 - list
diff --git a/charts/kubevpn/templates/rolebinding.yaml b/charts/kubevpn/templates/rolebinding.yaml
index 91a445fc..99204619 100644
--- a/charts/kubevpn/templates/rolebinding.yaml
+++ b/charts/kubevpn/templates/rolebinding.yaml
@@ -2,6 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
 name: {{ include "kubevpn.fullname" . }}
+ namespace: {{ include "kubevpn.namespace" . }}
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: Role
@@ -9,18 +10,18 @@ roleRef:
 subjects:
 - kind: ServiceAccount
 name: {{ include "kubevpn.fullname" . }}
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "kubevpn.namespace" . }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
- name: {{ include "kubevpn.fullname" . }}.{{ .Release.Namespace }}
+ name: {{ include "kubevpn.fullname" . }}.{{ include "kubevpn.namespace" . }}
 subjects:
 - kind: ServiceAccount
 name: {{ include "kubevpn.fullname" . }}
- namespace: {{ .Release.Namespace }}
+ namespace: {{ include "kubevpn.namespace" . }}
 roleRef:
 kind: ClusterRole
- name: {{ include "kubevpn.fullname" . }}.{{ .Release.Namespace }}
+ name: {{ include "kubevpn.fullname" . }}.{{ include "kubevpn.namespace" . }}
 apiGroup: rbac.authorization.k8s.io
diff --git a/charts/kubevpn/templates/secret.yaml b/charts/kubevpn/templates/secret.yaml
index 7e7a6946..d936935a 100644
--- a/charts/kubevpn/templates/secret.yaml
+++ b/charts/kubevpn/templates/secret.yaml
@@ -1,8 +1,9 @@
 apiVersion: v1
-data:
- tls_crt: {{ .Values.tls.crt }}
- tls_key: {{ .Values.tls.key }}
 kind: Secret
 metadata:
 name: {{ include "kubevpn.fullname" . }}
+ namespace: {{ include "kubevpn.namespace" . }}
 type: Opaque
+data:
+ tls_crt: {{ .Values.tls.crt }}
+ tls_key: {{ .Values.tls.key }}
diff --git a/charts/kubevpn/templates/service.yaml b/charts/kubevpn/templates/service.yaml
index 2690a8e0..732e55db 100644
--- a/charts/kubevpn/templates/service.yaml
+++ b/charts/kubevpn/templates/service.yaml
@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
 name: {{ include "kubevpn.fullname" . }}
+ namespace: {{ include "kubevpn.namespace" . }}
 labels:
 {{- include "kubevpn.labels" . | nindent 4 }}
 spec:
diff --git a/charts/kubevpn/templates/serviceaccount.yaml b/charts/kubevpn/templates/serviceaccount.yaml
index c056839d..6b13766b 100644
--- a/charts/kubevpn/templates/serviceaccount.yaml
+++ b/charts/kubevpn/templates/serviceaccount.yaml
@@ -3,6 +3,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
 name: {{ include "kubevpn.serviceAccountName" . }}
+ namespace: {{ include "kubevpn.namespace" . }}
 labels:
 {{- include "kubevpn.labels" . | nindent 4 }}
 {{- with .Values.serviceAccount.annotations }}
diff --git a/charts/kubevpn/values.yaml b/charts/kubevpn/values.yaml
index 2dbe1e4f..b3b37ebe 100644
--- a/charts/kubevpn/values.yaml
+++ b/charts/kubevpn/values.yaml
@@ -2,6 +2,13 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
+# default namespace
+namespace: kubevpn
+# default is system mode, available ["system", "gvisor"]
+# system: needs privilege permission and cap NET_ADMIN (Best experience)
+# gvisor: no needs any additional permission (Best compatibility)
+netstack: system
+
 replicaCount: 1
 image:
@@ -40,14 +47,13 @@ podLabels:
 podSecurityContext: { }
 # fsGroup: 2000
-
-securityContext: { }
-# capabilities:
-# drop:
-# - ALL
-# readOnlyRootFilesystem: true
-# runAsNonRoot: true
-# runAsUser: 1000
+securityContext:
+ capabilities:
+ add:
+ - NET_ADMIN
+ privileged: true
+ runAsUser: 0
+ runAsGroup: 0
 service:
 type: ClusterIP
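Review bot: The new `securityContext` default (`privileged: true`, `runAsUser: 0`, `capabilities.add: [NET_ADMIN]`) is only rendered when `netstack` is `system` — deployment.yaml wraps `toYaml .Values.securityContext` in `{{- if eq .Values.netstack "system" }}` — but nothing in values.yaml says so, and anyone tuning it for `gvisor` will find it silently ignored; I would put `# Only applied when netstack is "system"; the gvisor netstack renders no securityContext.` above the key. Two more facts belong in that comment: `privileged: true` already grants every capability, so `add: [NET_ADMIN]` is redundant under it and only matters if privileged is ever turned off, and the apparent reason privileged is needed at all is the `sysctl -w net.ipv4.ip_forward=1` / `net.ipv6.*` writes in the deployment's start script, which a non-privileged container typically cannot perform because `/proc/sys` is mounted read-only. Spelling that out tells operators on clusters enforcing the Pod Security `baseline` or `restricted` levels, which reject privileged pods, that `netstack: gvisor` is the supported fallback. Minor wording: `no needs any additional permission` reads better as `needs no additional permission`.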