feat: add helm chart

GitOrigin-RevId: 36675591e22bbf41a6929db48e0f4dbc8561dc77

.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+name: wireguard-server
+description: A simple Helm chart for deploying a Wireguard server
+type: application
+version: 1.0.0
+appVersion: 1.0.20210914
+keywords:
+  - wireguard
+  - server
+  - vpn
+icon: https://www.logo.wine/a/logo/WireGuard/WireGuard-Icon-Logo.wine.svg

LICENSE → LICENCE

@@ -18,4 +18,4 @@ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+SOFTWARE.

README.md

@@ -0,0 +1,34 @@
+# Wireguard Server Helm chart
+
+This simple Helm is a lightweight way to configure and run a Wireguard VPN server in Kubernetes.
+
+## Requirements:
+* Kubernetes
+* [Helm](https://helm.sh/docs/intro/install/) v3+
+
+## Installing
+TBD
+
+## Usage notes
+* This chart uses the [linuxserver/wireguard](https://github.com/linuxserver/docker-wireguard) image. Thanks to the [LinuxServer.io](https://www.linuxserver.io) team for this awesome solution!
+* The desired Wireguard peers are defined with the chart values. Their files (configuration, keys, QR code) are generated at container startup if they do not exist yet.
+* The server configuration needs to be shared between the different replicas of the application. At the moment, this chart only support sharing it with a `PersistentVolumeClaim`. Thus note that the PVC access mode needs to be `ReadWriteMany` for the different replicas to be spread accross different K8s nodes. It is planned to add support for sharing the configuration via S3.
+* We use a `StatefulSet` for the application to leverage ordered deploys and updates. This way we prevent race conditions when generating the peers configuration at startup.
+
+## Configuration
+
+These variables can be configured to set up the Wireguard server. Other variables, less likely to need tweaking, are available and can be seen in the chart's [values.yaml](values.yaml) file (annotations, resources, autoscaling, affinity, etc.).
+
+| Parameter | Description | Default |
+|-|-|-|
+| `replicaCount` | Number of desired replicas for the server | `1` |
+| `server.peers` | List defining all the different peers with their name | `["peer1"]` |
+| `server.env` | Object setting the server environment variables. Direct key / value mapping (except for the peers). Refer to the [linuxserver/wireguard](https://github.com/linuxserver/docker-wireguard/blob/master/README.md#parameters) documentation for more details | See all in [`values.yml`](values.yaml) |
+| `server.env.TZ` | Timezone used by Wireguard | `Europe/London` |
+| `configPersistence.type` | Type of config persistence. Supported values are: `pvc` (PersistentVolumeClaim) | `pvc` |
+| `configPersistence.accessModes` | Access modes for the PVC. Refer to the [Kubernetes documentation](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes) for more details| `["ReadWriteOnce"]` |
+| `configPersistence.size` | Storage size requested by the PVC | `50Mi` |
+| `service.nodePort` | Port number used by the K8s nodes to expose the Wireguard server | `30000` |
+
+## Contributing
+This project is still very early stage. All features and improvements to make it more general are welcomed! 👋

templates/NOTES.txt

@@ -0,0 +1,10 @@
+1. Get the peers QR codes by running this command:
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "wireguard-server.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  kubectl exec -n {{ .Release.Namespace }} $POD_NAME -- /app/show-peer {{ join " " .Values.server.peers }}
+2. Server configuration is persisted and shared using{{- " " -}}
+{{- if eq .Values.configPersistence.type "pvc" -}}
+a PersistentVolumeClaim. Get more information by running this command:
+  kubectl describe -n {{ .Release.Namespace }} pvc {{ .existingClaim | default (include "wireguard-server.fullname" $) }}
+{{- else -}}
+an unknown element. Configuration might be faulty.
+{{- end -}}

templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "wireguard-server.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "wireguard-server.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "wireguard-server.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "wireguard-server.labels" -}}
+helm.sh/chart: {{ include "wireguard-server.chart" . }}
+{{ include "wireguard-server.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "wireguard-server.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "wireguard-server.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "wireguard-server.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "wireguard-server.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

templates/configmap.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{include "wireguard-server.fullname" .}}
+  labels: {{- include "wireguard-server.labels" . | nindent 4}}
+data:
+  {{- with .Values.server.env }}
+    {{- toYaml . | nindent 2 }}
+  {{- end }}
+  {{- with .Values.server.peers }}
+  PEERS: {{ join "," . | quote }}
+  {{- end }}

templates/hpa.yaml

@@ -0,0 +1,32 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2beta2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "wireguard-server.fullname" . }}
+  labels:
+    {{- include "wireguard-server.labels" . | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: StatefulSet
+    name: {{ include "wireguard-server.fullname" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+    {{- end }}
+    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    {{- end }}
+{{- end }}

templates/pvc.yaml

@@ -0,0 +1,26 @@
+{{- if and (not .Values.configPersistence.pvc.existingClaim) (eq .Values.configPersistence.type "pvc")}}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{include "wireguard-server.fullname" .}}
+  labels: {{- include "wireguard-server.labels" . | nindent 4}}
+  {{- with .Values.configPersistence.pvc.annotations  }}
+  annotations:
+    {{ toYaml . | indent 4 }}
+  {{- end }}
+  {{- with .Values.configPersistence.pvc.finalizers  }}
+  finalizers:
+    {{ toYaml . | indent 4 }}
+  {{- end }}
+spec:
+  accessModes:
+    {{- range .Values.configPersistence.pvc.accessModes }}
+    - {{ . | quote }}
+    {{- end }}
+  resources:
+    requests:
+      storage: {{ .Values.configPersistence.pvc.size | quote }}
+  {{- if .Values.configPersistence.pvc.storageClassName }}
+  storageClassName: {{ .Values.configPersistence.pvc.storageClassName }}
+  {{- end -}}
+{{- end -}}

templates/service.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{include "wireguard-server.fullname" .}}
+  labels: {{- include "wireguard-server.labels" . | nindent 4}}
+spec:
+  type: NodePort
+  ports:
+    - port: 51820
+      targetPort: 51820
+      nodePort: {{.Values.service.nodePort}}
+      protocol: UDP
+      name: http
+  selector: {{- include "wireguard-server.selectorLabels" . | nindent 4}}

templates/serviceaccount.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "wireguard-server.serviceAccountName" . }}
+  labels:
+    {{- include "wireguard-server.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

templates/statefulset.yaml

@@ -0,0 +1,79 @@
+apiVersion: apps/v1
+# StatefulSet to enable ordered deployment
+kind: StatefulSet
+metadata:
+  name: {{ include "wireguard-server.fullname" . }}
+  labels:
+    {{- include "wireguard-server.labels" . | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  podManagementPolicy: OrderedReady
+  serviceName: {{ include "wireguard-server.fullname" . }}
+  selector:
+    matchLabels:
+      {{- include "wireguard-server.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "wireguard-server.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "wireguard-server.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: wireguard
+              containerPort: 51820
+              protocol: UDP
+          volumeMounts:
+            - name: host-modules
+              mountPath: /lib/modules
+            - name: config
+              mountPath: /config
+          envFrom:
+            - configMapRef:
+                name: {{ include "wireguard-server.fullname" . }}
+                optional: false
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+      volumes:
+        - name: host-modules
+          hostPath:
+            path: /lib/modules
+            type: Directory
+        {{- with .Values.configPersistence  }}
+        - name: config
+          {{- if eq .type "pvc" }}
+          persistentVolumeClaim:
+            claimName: {{ .pvc.existingClaim | default (include "wireguard-server.fullname" $) }}
+          {{- else }}
+          emptyDir: {}
+          {{- end }}
+        {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}