feat: TLS support for web (#301)

* Added TLS support for web

- Added optional configurations `cert_file` and `key_file` to run web server with https

Signed-off-by: Dmytro Bondar <git@bonddim.com>

* Helm chart update

- Refactored Ingress to use one host only (`config.web.external_url` is required)
- Added Certificate resource template (secret is mounted to container into `/app/certs/`)
- Added support for service with mixed protocols (exposes UI and Wireguard ports on same IP)
- Added helm-docs target to makefile
- Changed pod labels to use selectorLabels
- Removed default probes (the app keeps running even when the web server is unhealthy)
- Removed sections from README

Signed-off-by: Dmytro Bondar <git@bonddim.com>

* Fix chart workflow path filter

* Fix chart lint issue

* Skip clean-up tested chart

* Try k3d cluster

---------

Signed-off-by: Dmytro Bondar <git@bonddim.com>
Dmytro Bondar
2024-09-22 13:25:08 +02:00
committed by GitHub
parent e3d05a4678
commit 6ffe1a90ae
17 changed files with 289 additions and 274 deletions


@@ -3,267 +3,202 @@
# Declare variables to be passed into your templates.
# -- Partially override resource names (adds suffix)
# @section -- Common
nameOverride: ''
# -- Fully override resource names
# @section -- Common
fullnameOverride: ''
# -- Array of extra objects to deploy with the release
# @section -- Common
extraDeploy: []
# https://github.com/h44z/wg-portal/blob/master/README.md#configuration-options
config:
# -- (tpl/object) Advanced configuration options.
# @section -- Configuration
advanced: {}
# -- (tpl/object) Auth configuration options.
# @section -- Configuration
auth: {}
# -- (tpl/object) Core configuration options.<br>
# @section -- Configuration
# If external admins in `auth` are not defined and
# there are no `admin_user` and `admin_password` defined here,
# the default credentials will be generated.
core: {}
# -- (tpl/object) Database configuration options
# @section -- Configuration
database: {}
# -- (tpl/object) Mail configuration options
# @section -- Configuration
mail: {}
# -- (tpl/object) Statistics configuration options
# @section -- Configuration
statistics: {}
# -- (tpl/object) Web configuration options.<br>
# @section -- Configuration
# The chart will set `listening_address` automatically from `service.web.port`,
# and `external_url` from `ingress.host` if enabled.
# `listening_address` will be set automatically from `service.web.port`.
# `external_url` is required to enable ingress and certificate resources.
web: {}
# -- The number of old ReplicaSets to retain to allow rollback.
# @section -- Parameters
# @default -- `10`
revisionHistoryLimit: ''
# -- Workload type - `Deployment` or `StatefulSet`
# @section -- Parameters
workloadType: Deployment
# -- Update strategy for the workload
# Valid values are:
# `RollingUpdate` or `Recreate` for Deployment,
# `RollingUpdate` or `OnDelete` for StatefulSet
# @section -- Parameters
strategy:
type: RollingUpdate
image:
# -- Image repository
# @section -- Parameters
repository: ghcr.io/h44z/wg-portal
# -- Image pull policy
# @section -- Parameters
pullPolicy: IfNotPresent
# -- Overrides the image tag whose default is the chart appVersion
# @section -- Parameters
tag: ''
# -- Image pull secrets
# @section -- Parameters
imagePullSecrets: []
# -- (tpl/object) Extra annotations to add to the pod
# @section -- Parameters
podAnnotations: {}
# -- Extra labels to add to the pod
# @section -- Parameters
podLabels: {}
# -- Pod Security Context
# @section -- Parameters
podSecurityContext: {}
# Container Security Context
securityContext:
capabilities:
# -- Add capabilities to the container
# @section -- Parameters
add:
- NET_ADMIN
# -- (tpl/list) Pod init containers
# @section -- Parameters
initContainers: []
# -- (tpl/list) Pod sidecar containers
# @section -- Parameters
sidecarContainers: []
# -- Set DNS policy for the pod.
# Valid values are `ClusterFirstWithHostNet`, `ClusterFirst`, `Default` or `None`.
# @default -- `"ClusterFirst"`
# @section -- Parameters
dnsPolicy: ''
# -- Restart policy for all containers within the pod.
# Valid values are `Always`, `OnFailure` or `Never`.
# @default -- `"Always"`
# @section -- Parameters
restartPolicy: ''
# -- Use the host's network namespace.
# @default -- `false`.
# @section -- Parameters
hostNetwork: ''
# -- Resources requests and limits
# @section -- Parameters
resources: {}
# -- Overwrite pod command
# @section -- Parameters
command: []
# -- Additional pod arguments
# @section -- Parameters
args: []
# -- (tpl/list) Additional environment variables
# @section -- Parameters
env: []
# -- (tpl/list) Additional environment variables from a secret or configMap
# @section -- Parameters
envFrom: []
# -- Liveness probe configuration
# @ignore
livenessProbe:
failureThreshold: 10
httpGet:
path: /
port: http
livenessProbe: {}
# -- Readiness probe configuration
# @ignore
readinessProbe:
httpGet:
path: /
port: http
readinessProbe: {}
# -- Startup probe configuration
# @ignore
startupProbe:
initialDelaySeconds: 5
failureThreshold: 10
httpGet:
path: /
port: http
scheme: HTTP
startupProbe: {}
# -- (tpl/list) Additional volumes
# @section -- Parameters
volumes: []
# -- (tpl/list) Additional volumeMounts
# @section -- Parameters
volumeMounts: []
# -- Node Selector configuration
# @section -- Parameters
nodeSelector:
kubernetes.io/os: linux
# -- Tolerations configuration
# @section -- Parameters
tolerations: []
# -- Affinity configuration
# @section -- Parameters
affinity: {}
service:
mixed:
# -- Whether to create a single service for the web and wireguard interfaces
enabled: false
# -- Service type
type: LoadBalancer
web:
# -- Annotations for the web service
# @section -- Traffic exposure
annotations: {}
# -- Web service type
# @section -- Traffic exposure
type: ClusterIP
# -- Web service port
# Used for the web interface listener
# @section -- Traffic exposure
port: 8888
wireguard:
# -- Annotations for the WireGuard service
# @section -- Traffic exposure
annotations: {}
# -- Wireguard service type
# @section -- Traffic exposure
type: LoadBalancer
# -- Wireguard service ports.
# Exposes the WireGuard ports for created interfaces.
# Lowerest port is selected as start port for the first interface.
# Increment next port by 1 for each additional interface.
# @section -- Traffic exposure
ports:
- 51820
ingress:
# -- Specifies whether an ingress resource should be created
# @section -- Traffic exposure
enabled: false
# -- Ingress class name
# @section -- Traffic exposure
className: ''
# -- Ingress annotations
# @section -- Traffic exposure
# @section -- Traffic exposure
annotations: {}
# -- Ingress host FQDN
# @section -- Traffic exposure
host: ''
# -- Ingress path type
# @section -- Traffic exposure
pathType: ImplementationSpecific
# -- Ingress path
# @section -- Traffic exposure
path: /
# -- Ingress TLS configuration
# @section -- Traffic exposure
tls: []
# - secretName: wg-portal-example-tls
# hosts:
# - wg-portal.example.local
# -- Ingress TLS configuration.
# Enable certificate resource or add ingress annotation to create required secret
tls: false
certificate:
# -- Specifies whether a certificate resource should be created
enabled: false
issuer:
# -- Certificate issuer name
name: ''
# -- Certificate issuer kind (ClusterIssuer or Issuer)
kind: ''
# -- Certificate issuer group
group: cert-manager.io
# -- Optional. [Documentation](https://cert-manager.io/docs/usage/certificate/#creating-certificate-resources)
duration: ''
# -- Optional. [Documentation](https://cert-manager.io/docs/usage/certificate/#creating-certificate-resources)
renewBefore: ''
# -- Optional. [Documentation](https://cert-manager.io/docs/usage/certificate/#creating-certificate-resources)
commonName: ''
# -- Optional. [Documentation](https://cert-manager.io/docs/usage/certificate/#creating-certificate-resources)
emailAddresses: []
# -- Optional. [Documentation](https://cert-manager.io/docs/usage/certificate/#creating-certificate-resources)
ipAddresses: []
# -- Optional. [Documentation](https://cert-manager.io/docs/usage/certificate/#creating-certificate-resources)
keystores: {}
# -- Optional. [Documentation](https://cert-manager.io/docs/usage/certificate/#creating-certificate-resources)
privateKey: {}
# -- Optional. [Documentation](https://cert-manager.io/docs/usage/certificate/#creating-certificate-resources)
secretTemplate: {}
# -- Optional. [Documentation](https://cert-manager.io/docs/usage/certificate/#creating-certificate-resources)
subject: {}
# -- Optional. [Documentation](https://cert-manager.io/docs/usage/certificate/#creating-certificate-resources)
uris: []
# -- Optional. [Documentation](https://cert-manager.io/docs/usage/certificate/#creating-certificate-resources)
usages: []
persistence:
# -- Specifies whether an persistent volume should be created
# @section -- Persistence
enabled: false
# -- Persistent Volume Claim annotations
# @section -- Persistence
annotations: {}
# -- Persistent Volume storage class.
# If undefined (the default) cluster's default provisioner will be used.
# @section -- Persistence
storageClass: ''
# -- Persistent Volume Access Mode
# @section -- Persistence
accessMode: ReadWriteOnce
# -- Persistent Volume size
# @section -- Persistence
size: 1Gi
serviceAccount:
# -- Specifies whether a service account should be created
# @section -- RBAC
create: true
# -- Service account annotations
# @section -- RBAC
annotations: {}
# -- Automatically mount a ServiceAccount's API credentials
# @section -- RBAC
automount: false
# -- The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
# @section -- RBAC
name: ''