diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index f6377476..f998f533 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -23,7 +23,7 @@ jobs: strategy: fail-fast: false matrix: - language: [ 'go', 'javascript', 'python' ] + language: [ 'go', 'javascript' ] # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ] # Learn more about CodeQL language support at https://git.io/codeql-language-support diff --git a/.github/workflows/helm.yml b/.github/workflows/helm.yml deleted file mode 100644 index 217764df..00000000 --- a/.github/workflows/helm.yml +++ /dev/null @@ -1,25 +0,0 @@ -name: Update Helm Chart -on: - push: - tags: - - 'v*.*.*' - -jobs: - package_helm: - name: Update and package Helm Chart - runs-on: ubuntu-latest - permissions: - contents: write - steps: - - name: Checkout - uses: actions/checkout@v3 - with: - ref: 'master' - - name: Set up Python - uses: actions/setup-python@v3 - - name: Run Helm update - run: | - git config --global user.email "actions@github.com" - git config --global user.name "GitHub Actions" - pip3 install --upgrade -r scripts/requirements-update-helm.txt - python3 scripts/update-helm.py diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml index 3a14f750..74c38dcb 100644 --- a/.github/workflows/linting.yml +++ b/.github/workflows/linting.yml @@ -30,13 +30,3 @@ jobs: # Docs: version: v1.42 # without patch version only-new-issues: false # show only new issues if it's a pull request args: --timeout 4m # the default of 1m didn't suffice occasionally - - helm: - name: Helm - runs-on: ubuntu-20.04 - steps: - - uses: actions/checkout@v3 - with: {fetch-depth: 0} - - - name: Run helm lint - run: helm lint deploy/helm/wg-access-server/ diff --git a/README.md b/README.md index 490f2d98..90906557 100644 --- a/README.md +++ b/README.md 
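Review bot: The new `language: [ 'go', 'javascript' ]` matrix in `.github/workflows/codeql-analysis.yml` is only safe if `scripts/update-helm.py`, which this same commit deletes, was the last Python source in the repository. Any Python file that remains outside this diff would stop being scanned without any failure to signal it, so this is worth confirming before merge. It would also help to record the reason next to the matrix, for example `# python removed together with scripts/update-helm.py; re-add if Python sources return`. The `jobs:` block containing this matrix starts and ends outside the hunk, so the rest of the workflow was not reviewed here.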
@@ -94,18 +94,10 @@ to connect your phone using the UI and QR code! ## Running on Kubernetes via Helm -wg-access-server ships a Helm chart to make it easy to get started on -Kubernetes. - -Here's a quick start, but you can read more at the [Helm Chart Deployment Docs](https://freifunkMUC.github.io/wg-access-server/deployment/3-kubernetes/) - -```bash -# deploy -helm install my-release --repo https://freifunkMUC.github.io/wg-access-server wg-access-server - -# cleanup -helm delete my-release -``` +The Helm chart included in this repository has been removed due to lack of expertise on our side and nobody answering +our call for aid. +If you are a Kubernetes/Helm user, please consider stepping up and taking over maintenance of the chart at +https://github.com/freifunkMUC/wg-access-server-chart. ## Screenshots diff --git a/deploy/helm/wg-access-server/.helmignore b/deploy/helm/wg-access-server/.helmignore deleted file mode 100644 index 0e8a0eb3..00000000 --- a/deploy/helm/wg-access-server/.helmignore +++ /dev/null @@ -1,23 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/deploy/helm/wg-access-server/Chart.yaml b/deploy/helm/wg-access-server/Chart.yaml deleted file mode 100644 index 77a74578..00000000 --- a/deploy/helm/wg-access-server/Chart.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: v2 -appVersion: v0.6.0 -description: A Wireguard VPN Access Server -name: wg-access-server -version: v0.6.0 diff --git a/deploy/helm/wg-access-server/README.md b/deploy/helm/wg-access-server/README.md deleted file mode 100644 index ac3c240f..00000000 --- a/deploy/helm/wg-access-server/README.md +++ /dev/null 
@@ -1,105 +0,0 @@ -## Installing the Chart - -To install the chart with the release name `my-release`: - -```bash -$ helm install my-release --repo https://freie-netze.org/wg-access-server wg-access-server -``` - -The command deploys wg-access-server on the Kubernetes cluster in the default configuration. The configuration section lists the parameters that can be configured during installation. - -A wireguard private key needs to be set in order for the pod to start successfully. Use `wg genkey` and append `--set wireguard.config.privateKey=""` to the command above. - -Per default persistence is disable and devices will not persist. To enable persistence, set `persistence.enabled`. - -Because IPv6 on Kubernetes is disabled by default in most clusters and can't be enabled on a per-pod basis, the default `values.yaml` disables it for the VPN as well. If you have a cluster with working IPv6, set `config: {}` in your `values.yaml` or specify a custom VPN-internal prefix under `config.vpn.cidrv6`. - -If no admin password is set, the Chart generates a random one. You can retrieve it using `kubectl get secret ...` as prompted by helm after installing the Chart. - -## Uninstalling the Chart - -To uninstall/delete the my-release deployment: - -```bash -$ helm delete my-release -``` - -The command removes all the Kubernetes components associated with the chart and deletes the release. - -## Example values.yaml - -```yaml -config: - externalHost: "" - -# wg access server is an http server without TLS. Exposing it via a loadbalancer is NOT secure! -# Uncomment the following section only if you are running on private network or simple testing. -# A much better option would be TLS terminating ingress controller or reverse-proxy. 
-# web: -# service: -# type: "LoadBalancer" -# loadBalancerIP: "" - -wireguard: - config: - privateKey: "" - service: - type: "LoadBalancer" - loadBalancerIP: "" - -persistence: - enabled: true - -ingress: - enabled: true - hosts: ["vpn.example.com"] - tls: - - hosts: ["vpn.example.com"] - secretName: "tls-wg-access-server" -``` - - - -## All Configuration - -| Key | Type | Default | Description | -|-----|------|---------|-------------| -| config | object | `{}` | inline wg-access-server config (config.yaml) | -| web.config.adminUsername | string | `"admin"` | | -| web.config.adminPassword | string | `""` | If omitted a random password will be generated and stored in the secret | -| web.service.annotations | object | `{}` | | -| web.service.externalTrafficPolicy | string | `""` | | -| web.service.type | string | `"ClusterIP"` | | -| web.service.loadBalancerIP | string | `""` | | -| wireguard.config.privateKey | string | `""` | REQUIRED - A wireguard private key. You can generate one using `$ wg genkey` | -| wireguard.service.annotations | object | `{}` | | -| wireguard.service.type | string | `"ClusterIP"` | | -| wireguard.service.sessionAffinity | string | `"ClientIP"` | | -| wireguard.service.externalTrafficPolicy | string | `""` | | -| wireguard.service.ipFamilyPolicy | string | `"SingleStack"` | | -| wireguard.service.loadBalancerIP | string | `""` | | -| wireguard.service.port | int | `51820` | | -| wireguard.service.nodePort | int | `""` | Use available port from range 30000-32768 | -| persistence.enabled | bool | `false` | | -| persistence.existingClaim | string | `""` | Use existing PVC claim for persistence instead | -| persistence.annotations | object | `{}` | | -| persistence.accessModes[0] | string | `"ReadWriteOnce"` | | -| persistence.storageClass | string | `""` | | -| persistence.size | string | `"100Mi"` | | -| ingress.enabled | bool | `false` | | -| ingress.annotations | object | `{}` | | -| ingress.ingressClassName | string | `""` | | -| 
ingress.hosts | list | `[]` | | -| ingress.tls | list | `[]` | | -| nameOverride | string | `""` | | -| fullnameOverride | string | `""` | | -| imagePullSecrets | list | `[]` | | -| image.repository | string | `"ghcr.io/freifunkmuc/wg-access-server"` | | -| image.tag | string | `""` | | -| image.pullPolicy | string | `"IfNotPresent"` | | -| replicas | int | `1` | | -| strategy.type | string | `""` | `Recreate` if `persistence.enabled` true or `RollingUpdate` if false | -| resources | object | `{}` | pod cpu/memory resource requests and limits | -| nodeSelector | object | `{}` | | -| tolerations | list | `[]` | | -| affinity | object | `{}` | | diff --git a/deploy/helm/wg-access-server/templates/NOTES.txt b/deploy/helm/wg-access-server/templates/NOTES.txt deleted file mode 100644 index a6d5e29d..00000000 --- a/deploy/helm/wg-access-server/templates/NOTES.txt +++ /dev/null @@ -1,16 +0,0 @@ - -Thank you for installing {{ .Chart.Name }}. - -Your release is named {{ .Release.Name }}. - -{{- $fullName := include "wg-access-server.fullname" . }} -{{ if .Values.ingress.enabled }} -You can find the web interface at: - {{- range .Values.ingress.hosts }} - - {{ . }} - {{- end }} -{{- end }} -{{ if empty .Values.web.config.adminPassword }} -You can display the auto-generated admin password by running: - $ kubectl get secret --namespace {{ .Release.Namespace }} {{ $fullName }} -o jsonpath="{.data.adminPassword}" | base64 --decode -{{- end }} \ No newline at end of file diff --git a/deploy/helm/wg-access-server/templates/_helpers.tpl b/deploy/helm/wg-access-server/templates/_helpers.tpl deleted file mode 100644 index ddc3ca36..00000000 --- a/deploy/helm/wg-access-server/templates/_helpers.tpl +++ /dev/null 
@@ -1,80 +0,0 @@ -{{/* vim: set filetype=mustache: */}} -{{/* -Expand the name of the chart. -*/}} -{{- define "wg-access-server.name" -}} -{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Create a default fully qualified app name. -We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). -If release name contains chart name it will be used as a full name. -*/}} -{{- define "wg-access-server.fullname" -}} -{{- if .Values.fullnameOverride -}} -{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- $name := default .Chart.Name .Values.nameOverride -}} -{{- if contains $name .Release.Name -}} -{{- .Release.Name | trunc 63 | trimSuffix "-" -}} -{{- else -}} -{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} -{{- end -}} -{{- end -}} -{{- end -}} - -{{/* -Create chart name and version as used by the chart label. -*/}} -{{- define "wg-access-server.chart" -}} -{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} -{{- end -}} - -{{/* -Common labels -*/}} -{{- define "wg-access-server.labels" -}} -helm.sh/chart: {{ include "wg-access-server.chart" . }} -{{ include "wg-access-server.selectorLabels" . }} -{{- if .Chart.AppVersion }} -app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} -{{- end }} -app.kubernetes.io/managed-by: {{ .Release.Service }} -{{- end -}} - -{{/* -Selector labels -*/}} -{{- define "wg-access-server.selectorLabels" -}} -app: {{ include "wg-access-server.name" . }} -app.kubernetes.io/name: {{ include "wg-access-server.name" . }} -app.kubernetes.io/instance: {{ .Release.Name }} -{{- end -}} - -{{/* -Create the name of the service account to use -*/}} -{{- define "wg-access-server.serviceAccountName" -}} -{{- if .Values.serviceAccount.create -}} - {{ default (include "wg-access-server.fullname" .) 
.Values.serviceAccount.name }} -{{- else -}} - {{ default "default" .Values.serviceAccount.name }} -{{- end -}} -{{- end -}} - -{{/* -Create a randomly generated admin password if none is supplied -*/}} -{{- define "wg-access-server.adminPassword" -}} -{{- if .Values.web.config.adminPassword -}} - {{ .Values.web.config.adminPassword }} -{{- else -}} -{{- $secret := (lookup "v1" "Secret" .Release.Namespace (include "wg-access-server.fullname" .)) -}} -{{- if $secret -}} - {{- $secret.data.adminPassword | b64dec -}} -{{- else -}} - {{- randAlphaNum 20 -}} -{{- end -}} -{{- end -}} -{{- end -}} \ No newline at end of file diff --git a/deploy/helm/wg-access-server/templates/configmap.yaml b/deploy/helm/wg-access-server/templates/configmap.yaml deleted file mode 100644 index 95897fd9..00000000 --- a/deploy/helm/wg-access-server/templates/configmap.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "wg-access-server.fullname" . }} - labels: - {{- include "wg-access-server.labels" . | nindent 4 }} -data: - config.yaml: |- -{{- if .Values.config }} -{{ toYaml .Values.config | indent 4 }} -{{- end }} diff --git a/deploy/helm/wg-access-server/templates/deployment.yaml b/deploy/helm/wg-access-server/templates/deployment.yaml deleted file mode 100644 index 36e9e44e..00000000 --- a/deploy/helm/wg-access-server/templates/deployment.yaml +++ /dev/null 
@@ -1,108 +0,0 @@ -{{- $fullName := include "wg-access-server.fullname" . -}} -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ include "wg-access-server.fullname" . }} - labels: - {{- include "wg-access-server.labels" . | nindent 4 }} -spec: - replicas: {{ .Values.replicas }} - strategy: - {{- if .Values.persistence.enabled }} - type: {{ .Values.strategy.type | default "Recreate" | quote }} - {{- else }} - type: {{ .Values.strategy.type | default "RollingUpdate" | quote }} - {{- end }} - selector: - matchLabels: - {{- include "wg-access-server.selectorLabels" . | nindent 6 }} - template: - metadata: - annotations: - checksum/configmap: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} - checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml" ) . | sha256sum }} - labels: - {{- include "wg-access-server.selectorLabels" . | nindent 8 }} - spec: - {{- with .Values.imagePullSecrets }} - imagePullSecrets: - {{- toYaml . | nindent 8 }} - {{- end }} - containers: - - name: {{ .Chart.Name }} - securityContext: - capabilities: - add: ['NET_ADMIN'] - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - ports: - - name: http - containerPort: 8000 - protocol: TCP - - name: wireguard - containerPort: {{ .Values.wireguard.service.port }} - protocol: UDP - env: - - name: WG_WIREGUARD_PORT - value: {{ .Values.wireguard.service.port | quote }} - {{- if .Values.wireguard.config.privateKey }} - - name: WG_WIREGUARD_PRIVATE_KEY - valueFrom: - secretKeyRef: - name: "{{ $fullName }}" - key: privateKey - {{- end }} - {{- if .Values.web.config.adminUsername }} - - name: WG_ADMIN_USERNAME - valueFrom: - secretKeyRef: - name: "{{ $fullName }}" - key: adminUsername - {{- end}} - - name: WG_ADMIN_PASSWORD - valueFrom: - secretKeyRef: - name: "{{ $fullName }}" - key: adminPassword - volumeMounts: - - name: tun - mountPath: /dev/net/tun - - name: data - 
mountPath: /data - - name: config - mountPath: /config.yaml - subPath: config.yaml - readinessProbe: - httpGet: - path: / - port: http - resources: - {{- toYaml .Values.resources | nindent 12 }} - volumes: - - name: tun - hostPath: - type: 'CharDevice' - path: /dev/net/tun - - name: data - {{- if .Values.persistence.enabled }} - persistentVolumeClaim: - claimName: {{ if .Values.persistence.existingClaim }}{{ .Values.persistence.existingClaim }}{{- else }}{{ $fullName }}{{- end }} - {{- end }} - {{- if not .Values.persistence.enabled }} - emptyDir: {} - {{- end }} - - name: config - configMap: - name: "{{ $fullName }}" - {{- with .Values.nodeSelector }} - nodeSelector: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.affinity }} - affinity: - {{- toYaml . | nindent 8 }} - {{- end }} - {{- with .Values.tolerations }} - tolerations: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/deploy/helm/wg-access-server/templates/ingress.yaml b/deploy/helm/wg-access-server/templates/ingress.yaml deleted file mode 100644 index 50acdd53..00000000 --- a/deploy/helm/wg-access-server/templates/ingress.yaml +++ /dev/null 
@@ -1,50 +0,0 @@ -{{- $kubeTargetVersion := default .Capabilities.KubeVersion.GitVersion .Values.kubeTargetVersionOverride }} -{{- if .Values.ingress.enabled -}} -{{- $fullName := include "wg-access-server.fullname" . -}} -{{- if semverCompare ">=1.19-0" $kubeTargetVersion -}} -apiVersion: networking.k8s.io/v1 -{{- else if semverCompare ">=1.14-0" $kubeTargetVersion -}} -apiVersion: networking.k8s.io/v1beta1 -{{- end }} -kind: Ingress -metadata: - name: {{ $fullName }} - labels: - {{- include "wg-access-server.labels" . | nindent 4 }} - {{- with .Values.ingress.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: -{{- if .Values.ingress.ingressClassName }} - ingressClassName: {{ .Values.ingress.ingressClassName }} -{{- end }} -{{- if .Values.ingress.tls }} - tls: - {{- range .Values.ingress.tls }} - - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - secretName: {{ .secretName }} - {{- end }} -{{- end }} - rules: - {{- range .Values.ingress.hosts }} - - host: {{ . | quote }} - http: - paths: - - path: / - backend: - {{- if semverCompare ">=1.19-0" $kubeTargetVersion }} - service: - name: {{ $fullName }}-web - port: - number: 80 - pathType: Prefix - {{- else -}} - serviceName: {{ $fullName }}-web - servicePort: http - {{- end }} - {{- end }} -{{- end }} diff --git a/deploy/helm/wg-access-server/templates/pvc.yaml b/deploy/helm/wg-access-server/templates/pvc.yaml deleted file mode 100644 index 8c1091ee..00000000 --- a/deploy/helm/wg-access-server/templates/pvc.yaml +++ /dev/null 
@@ -1,26 +0,0 @@ -{{- if and ( .Values.persistence.enabled) ( not .Values.persistence.existingClaim ) -}} -{{- $fullName := include "wg-access-server.fullname" . -}} -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: "{{ $fullName }}" - labels: - {{- include "wg-access-server.labels" . | nindent 4 }} - {{- with .Values.persistence.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - accessModes: -{{ toYaml .Values.persistence.accessModes | indent 4 }} -{{- if .Values.persistence.storageClass }} -{{- if (eq "-" .Values.persistence.storageClass) }} - storageClassName: "" -{{- else }} - storageClassName: {{ .Values.persistence.storageClass | quote }} -{{- end }} -{{- end }} - resources: - requests: - storage: {{ .Values.persistence.size | quote }} -{{- end -}} diff --git a/deploy/helm/wg-access-server/templates/secret.yaml b/deploy/helm/wg-access-server/templates/secret.yaml deleted file mode 100644 index e4ac00f1..00000000 --- a/deploy/helm/wg-access-server/templates/secret.yaml +++ /dev/null @@ -1,14 +0,0 @@ -{{- $fullName := include "wg-access-server.fullname" . -}} -apiVersion: v1 -kind: Secret -metadata: - name: "{{ $fullName }}" - labels: - {{- include "wg-access-server.labels" . | nindent 4 }} -type: Opaque -data: - privateKey: {{ .Values.wireguard.config.privateKey | b64enc | quote }} - {{- if .Values.web.config.adminUsername }} - adminUsername: {{ .Values.web.config.adminUsername | b64enc | quote }} - {{- end }} - adminPassword: {{ (include "wg-access-server.adminPassword" .) | b64enc | quote }} diff --git a/deploy/helm/wg-access-server/templates/service.yaml b/deploy/helm/wg-access-server/templates/service.yaml deleted file mode 100644 index 8e907c1d..00000000 --- a/deploy/helm/wg-access-server/templates/service.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -{{- $fullName := include "wg-access-server.fullname" . -}} -apiVersion: v1 -kind: Service -metadata: - name: {{ $fullName }}-web - labels: - {{- include "wg-access-server.labels" . | nindent 4 }} -{{- if .Values.web.service.annotations }} - annotations: -{{ toYaml .Values.web.service.annotations | indent 4 }} -{{- end }} -spec: -{{- if .Values.web.service.externalTrafficPolicy }} - externalTrafficPolicy: {{ .Values.web.service.externalTrafficPolicy }} -{{- end }} - type: {{ .Values.web.service.type }} -{{- if and ( eq .Values.web.service.type "LoadBalancer" ) ( .Values.web.service.loadBalancerIP ) }} - loadBalancerIP: {{ .Values.web.service.loadBalancerIP }} -{{- end }} - ports: - - port: 80 - targetPort: 8000 - protocol: TCP - name: http - selector: - {{- include "wg-access-server.selectorLabels" . | nindent 4 }} - ---- - -apiVersion: v1 -kind: Service -metadata: - name: {{ $fullName }}-wireguard - labels: - {{- include "wg-access-server.labels" . | nindent 4 }} -{{- if .Values.wireguard.service.annotations }} - annotations: -{{ toYaml .Values.wireguard.service.annotations | indent 4 }} -{{- end }} -spec: - type: {{ .Values.wireguard.service.type }} - sessionAffinity: {{ .Values.wireguard.service.sessionAffinity }} -{{- if .Values.wireguard.service.externalTrafficPolicy }} - externalTrafficPolicy: {{ .Values.wireguard.service.externalTrafficPolicy }} -{{- end }} - ipFamilyPolicy: {{ .Values.wireguard.service.ipFamilyPolicy }} -{{- if and ( eq .Values.wireguard.service.type "LoadBalancer" ) ( .Values.wireguard.service.loadBalancerIP ) }} - loadBalancerIP: {{ .Values.wireguard.service.loadBalancerIP }} -{{- end }} - ports: - - port: {{ .Values.wireguard.service.port }} - targetPort: {{ .Values.wireguard.service.port }} -{{- if and ( eq .Values.wireguard.service.type "NodePort" ) ( .Values.wireguard.service.nodePort ) }} - nodePort: {{ .Values.wireguard.service.nodePort }} -{{- end }} - protocol: UDP - name: wireguard - selector: - {{- include 
"wg-access-server.selectorLabels" . | nindent 4 }} diff --git a/deploy/helm/wg-access-server/values.yaml b/deploy/helm/wg-access-server/values.yaml deleted file mode 100644 index 198f89c6..00000000 --- a/deploy/helm/wg-access-server/values.yaml +++ /dev/null 
@@ -1,99 +0,0 @@ -# wg-access-server config -config: - # IPv6 is disabled by default, since it leads to the pod failing if the - # k8s-cluster is not configured with IPv6 support - vpn: - cidrv6: 0 - -web: - config: - adminUsername: "admin" - adminPassword: "" - service: - annotations: {} - externalTrafficPolicy: "" - type: ClusterIP - loadBalancerIP: "" - -wireguard: - config: - privateKey: "" - service: - annotations: {} - type: ClusterIP - sessionAffinity: ClientIP - externalTrafficPolicy: "" - ipFamilyPolicy: SingleStack - loadBalancerIP: "" - port: 51820 - nodePort: "" - -persistence: - enabled: false - existingClaim: "" - annotations: {} - accessModes: - - ReadWriteOnce - - ## Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - storageClass: "" - size: 100Mi - - -ingress: - enabled: false - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - ingressClassName: "" - hosts: [] - # - www.example.com - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local - -nameOverride: "" - -fullnameOverride: "" - -imagePullSecrets: [] - -image: - repository: ghcr.io/freifunkmuc/wg-access-server - tag: "" - pullPolicy: IfNotPresent - -# multiple replicas is only supported when using -# a supported highly-available storage backend (i.e. postgresql) -replicas: 1 - -strategy: - type: "" - # the deployment strategy type will default to "Recreate" when persistence is enabled - # or "RollingUpdate" when persistence is not enabled. - # type: Recreate - -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. 
This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - -nodeSelector: {} - -tolerations: [] - -affinity: {} diff --git a/deploy/k8s/quickstart.yaml b/deploy/k8s/quickstart.yaml deleted file mode 100644 index a395d034..00000000 --- a/deploy/k8s/quickstart.yaml +++ /dev/null 
@@ -1,168 +0,0 @@ ---- -# Source: wg-access-server/templates/secret.yaml -apiVersion: v1 -kind: Secret -metadata: - name: "quickstart-wg-access-server" - labels: - helm.sh/chart: wg-access-server-v0.6.0 - app: wg-access-server - app.kubernetes.io/name: wg-access-server - app.kubernetes.io/instance: quickstart - app.kubernetes.io/version: "v0.6.0" - app.kubernetes.io/managed-by: Helm -type: Opaque -data: - privateKey: "" - adminUsername: "YWRtaW4=" - adminPassword: "clc1bVNKbGs1MnVaOUpiZUxVY2I=" ---- -# Source: wg-access-server/templates/configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - name: quickstart-wg-access-server - labels: - helm.sh/chart: wg-access-server-v0.6.0 - app: wg-access-server - app.kubernetes.io/name: wg-access-server - app.kubernetes.io/instance: quickstart - app.kubernetes.io/version: "v0.6.0" - app.kubernetes.io/managed-by: Helm -data: - config.yaml: |- - vpn: - cidrv6: 0 ---- -# Source: wg-access-server/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: quickstart-wg-access-server-web - labels: - helm.sh/chart: wg-access-server-v0.6.0 - app: wg-access-server - app.kubernetes.io/name: wg-access-server - app.kubernetes.io/instance: quickstart - app.kubernetes.io/version: "v0.6.0" - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 8000 - protocol: TCP - name: http - selector: - app: wg-access-server - app.kubernetes.io/name: wg-access-server - app.kubernetes.io/instance: quickstart ---- -# Source: wg-access-server/templates/service.yaml -apiVersion: v1 -kind: Service -metadata: - name: quickstart-wg-access-server-wireguard - labels: - helm.sh/chart: wg-access-server-v0.6.0 - app: wg-access-server - app.kubernetes.io/name: wg-access-server - app.kubernetes.io/instance: quickstart - app.kubernetes.io/version: "v0.6.0" - app.kubernetes.io/managed-by: Helm -spec: - type: ClusterIP - sessionAffinity: ClientIP - ipFamilyPolicy: SingleStack - ports: - - port: 51820 - 
targetPort: 51820 - protocol: UDP - name: wireguard - selector: - app: wg-access-server - app.kubernetes.io/name: wg-access-server - app.kubernetes.io/instance: quickstart ---- -# Source: wg-access-server/templates/deployment.yaml -apiVersion: apps/v1 -kind: Deployment -metadata: - name: quickstart-wg-access-server - labels: - helm.sh/chart: wg-access-server-v0.6.0 - app: wg-access-server - app.kubernetes.io/name: wg-access-server - app.kubernetes.io/instance: quickstart - app.kubernetes.io/version: "v0.6.0" - app.kubernetes.io/managed-by: Helm -spec: - replicas: 1 - strategy: - type: "RollingUpdate" - selector: - matchLabels: - app: wg-access-server - app.kubernetes.io/name: wg-access-server - app.kubernetes.io/instance: quickstart - template: - metadata: - annotations: - checksum/configmap: 3240f1610ddb40f38805a86a7d42883d4e86eda88412120dc5ae055947190a2d - checksum/secret: 1467e5c5dd18b5fa07b6b9ee7ede1ae26a80c78c82b8253d8ad5832ffb07f01b - labels: - app: wg-access-server - app.kubernetes.io/name: wg-access-server - app.kubernetes.io/instance: quickstart - spec: - containers: - - name: wg-access-server - securityContext: - capabilities: - add: ['NET_ADMIN'] - image: "ghcr.io/freifunkmuc/wg-access-server:v0.6.0" - imagePullPolicy: IfNotPresent - ports: - - name: http - containerPort: 8000 - protocol: TCP - - name: wireguard - containerPort: 51820 - protocol: UDP - env: - - name: WG_WIREGUARD_PORT - value: "51820" - - name: WG_ADMIN_USERNAME - valueFrom: - secretKeyRef: - name: "quickstart-wg-access-server" - key: adminUsername - - name: WG_ADMIN_PASSWORD - valueFrom: - secretKeyRef: - name: "quickstart-wg-access-server" - key: adminPassword - volumeMounts: - - name: tun - mountPath: /dev/net/tun - - name: data - mountPath: /data - - name: config - mountPath: /config.yaml - subPath: config.yaml - readinessProbe: - httpGet: - path: / - port: http - resources: - {} - volumes: - - name: tun - hostPath: - type: 'CharDevice' - path: /dev/net/tun - - name: data - emptyDir: 
{} - - name: config - configMap: - name: "quickstart-wg-access-server" diff --git a/docs/deployment/3-kubernetes.md b/docs/deployment/3-kubernetes.md index 3c46f034..7e276f57 100644 --- a/docs/deployment/3-kubernetes.md +++ b/docs/deployment/3-kubernetes.md @@ -1,3 +1,6 @@ # Helm Chart -{!../deploy/helm/wg-access-server/README.md!} +The Helm chart included in this repository has been removed due to lack of expertise on our side and nobody answering +our call for aid. +If you are a Kubernetes/Helm user, please consider stepping up and taking over maintenance of the chart at +https://github.com/freifunkMUC/wg-access-server-chart. diff --git a/scripts/requirements-update-helm.txt b/scripts/requirements-update-helm.txt deleted file mode 100644 index 5500f007..00000000 --- a/scripts/requirements-update-helm.txt +++ /dev/null @@ -1 +0,0 @@ -PyYAML diff --git a/scripts/update-helm.py b/scripts/update-helm.py deleted file mode 100755 index 7fdfbc76..00000000 --- a/scripts/update-helm.py +++ /dev/null 
@@ -1,52 +0,0 @@ -#!/usr/bin/env python3 - -# This script is intended to be run within GitHub Actions, triggered after new tags have been created. -# It updates the version in the Helm Chart, packages it, renders the k8s quickstart.yaml, then commits and pushes everything. -# A separate workflow triggered on pushes should then publish the charts to the GitHub Pages website. - -import os -import subprocess -import yaml - -version = os.environ.get('GITHUB_REF_NAME') -ref_type = os.environ.get('GITHUB_REF_TYPE') -if not version or ref_type != 'tag': - print('::error::Aborting, workflow not triggered by tag event') - exit(1) - -# update the helm chart and quickstart manifest -with open('deploy/helm/wg-access-server/Chart.yaml', 'r+') as f: - chart = yaml.safe_load(f) - chart['version'] = version - chart['appVersion'] = version - f.seek(0) - yaml.dump(chart, f, default_flow_style=False) - f.truncate() -with open('deploy/k8s/quickstart.yaml', 'w') as f: - try: - subprocess.run(['helm', 'template', '--name-template', - 'quickstart', 'deploy/helm/wg-access-server/'], - stdout=f, check=True) - except subprocess.CalledProcessError as ex: - print("::error::{}".format(ex)) - exit(1) - -try: - subprocess.run(['helm', 'package', 'deploy/helm/wg-access-server/', - '--destination', 'docs/charts/'], - check=True, capture_output=True) - subprocess.run(['helm', 'repo', 'index', 'docs/', '--url', - 'https://freie-netze.org/wg-access-server'], - check=True, capture_output=True) - - # commit changes - subprocess.run(['git', 'add', 'docs/index.yaml', 'docs/charts/', 'deploy/helm/', 'deploy/k8s/'], - check=True, capture_output=True) - subprocess.run(['git', 'commit', '-m', f'{version} - Automated Helm & k8s update'], - check=True, capture_output=True) - - # push everything - subprocess.run(['git', 'push'], check=True, capture_output=True) -except subprocess.CalledProcessError as ex: - print("::error::{}\nStdout:\n{}\nStderr:\n{}".format(ex, ex.stdout.decode('utf-8'), 
ex.stderr.decode('utf-8'))) - exit(1)