updated helm charts

2024-09-20 15:26:04 +08:00 · 2021-10-17 15:31:37 -04:00 · 2021-10-17 15:31:37 -04:00 · 445df67030
parent a39ef16394
commit 445df67030
10 changed files with 157 additions and 134 deletions
--- a/kube/helm/netmaker/Chart.yaml
+++ b/kube/helm/netmaker/Chart.yaml
@ -1,6 +1,6 @@
 apiVersion: v2
 name: netmaker
-description: A Helm chart for Kubernetes
+description: A Helm chart to run HA Netmaker on Kubernetes

 # A chart can be either an 'application' or a 'library' chart.
 #
--- a/kube/helm/netmaker/templates/hpa.yaml
+++ b/kube/helm/netmaker/templates/hpa.yaml
@ -1,28 +0,0 @@
-{{- if .Values.autoscaling.enabled }}
-apiVersion: autoscaling/v2beta1
-kind: HorizontalPodAutoscaler
-metadata:
-  name: {{ include "netmaker.fullname" . }}
-  labels:
-    {{- include "netmaker.labels" . | nindent 4 }}
-spec:
-  scaleTargetRef:
-    apiVersion: apps/v1
-    kind: Deployment
-    name: {{ include "netmaker.fullname" . }}
-  minReplicas: {{ .Values.autoscaling.minReplicas }}
-  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
-  metrics:
-    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
-    - type: Resource
-      resource:
-        name: cpu
-        targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
-    {{- end }}
-    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
-    - type: Resource
-      resource:
-        name: memory
-        targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
-    {{- end }}
-{{- end }}
--- a/kube/helm/netmaker/templates/ingress.yaml
+++ b/kube/helm/netmaker/templates/ingress.yaml
@ -6,6 +6,7 @@
 {{- $uiSvcPort := .Values.service.uiPort -}}
 {{- $restSvcPort := .Values.service.restPort -}}
 {{- $grpcSvcPort := .Values.service.grpcPort -}}
+{{- $classname := required "A valid .Values.ingress.className entry required! Please set this to your ingress class (nginx, traefik)" .Values.ingress.className}}
 {{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
  {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
  {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
@ -23,18 +24,29 @@ metadata:
  name: {{ $fullUIName }}
  labels:
    {{- include "netmaker.labels" . | nindent 4 }}
-  {{- with .Values.ingress.annotations }}
+  {{- with .Values.ingress }}
  annotations:
-    {{- toYaml . | nindent 4 }}
+    {{- toYaml .annotations.base | nindent 4 }}
+    {{- if eq .className "nginx" }}
+    {{- toYaml .annotations.nginx | nindent 4 }}
+    {{- end }}
+    {{- if eq .className "traefik" }}
+    {{- toYaml .annotations.traefik | nindent 4 }}
+    {{- end }}
+    {{- if .tls.enabled }}
+    {{- toYaml .annotations.tls | nindent 4 }}
+    {{- end }}
  {{- end }}
 spec:
  {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
-  ingressClassName: {{ .Values.ingress.className }}
+  ingressClassName: {{ required "A valid .Values.ingress.className entry required!" .Values.ingress.className}}
  {{- end }}
+  {{- if .Values.ingress.tls.enabled }}
  tls:
    - hosts:
        - {{ .Values.ingress.hostPrefix.ui }}{{ .Values.baseDomain }}
      secretName: {{ $fullUIName }}-tls-secret
+  {{- end}}
  rules:
    - host: {{ .Values.ingress.hostPrefix.ui }}{{ .Values.baseDomain }}
      http:
@ -66,18 +78,29 @@ metadata:
  name: {{ $fullRESTName }}
  labels:
    {{- include "netmaker.labels" . | nindent 4 }}
-  {{- with .Values.ingress.annotations }}
+  {{- with .Values.ingress }}
  annotations:
-    {{- toYaml . | nindent 4 }}
+    {{- toYaml .annotations.base | nindent 4 }}
+    {{- if eq .className "nginx" }}
+    {{- toYaml .annotations.nginx | nindent 4 }}
+    {{- end }}
+    {{- if eq .className "traefik" }}
+    {{- toYaml .annotations.traefik | nindent 4 }}
+    {{- end }}
+    {{- if .tls.enabled }}
+    {{- toYaml .annotations.tls | nindent 4 }}
+    {{- end }}
  {{- end }}
 spec:
  {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
-  ingressClassName: {{ .Values.ingress.className }}
+  ingressClassName:  {{ required "A valid .Values.ingress.className entry required!" .Values.ingress.className}}
  {{- end }}
+  {{- if .Values.ingress.tls.enabled }}
  tls:
    - hosts:
        - {{ .Values.ingress.hostPrefix.rest }}{{ .Values.baseDomain }}
      secretName: {{ $fullRESTName }}-tls-secret
+  {{- end }}
  rules:
    - host: {{ .Values.ingress.hostPrefix.rest }}{{ .Values.baseDomain }}
      http:
@ -109,18 +132,31 @@ metadata:
  name: {{ $fullGRPCName }}
  labels:
    {{- include "netmaker.labels" . | nindent 4 }}
-  {{- with .Values.ingress.grpcAnnotations }}
+  {{- with .Values.ingress }}
  annotations:
-    {{- toYaml . | nindent 4 }}
+    {{- toYaml .annotations.base | nindent 4 }}
+    {{- if eq .className "nginx" }}
+    {{- toYaml .annotations.nginx | nindent 4 }}
+    {{- toYaml .annotations.grpc.nginx | nindent 4 }}
+    {{- end }}
+    {{- if eq .className "traefik" }}
+    {{- toYaml .annotations.traefik | nindent 4 }}
+    {{- toYaml .annotations.grpc.traefik | nindent 4 }}
+    {{- end }}
+    {{- if .tls.enabled }}
+    {{- toYaml .annotations.tls | nindent 4 }}
+    {{- end }}
  {{- end }}
 spec:
  {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
-  ingressClassName: {{ .Values.ingress.className }}
+  ingressClassName:  {{ required "A valid .Values.ingress.className entry required!" .Values.ingress.className}}
  {{- end }}
+  {{- if .Values.ingress.tls.enabled }}
  tls:
    - hosts:
        - {{ .Values.ingress.hostPrefix.grpc }}{{ .Values.baseDomain }}
      secretName: {{ $fullGRPCName }}-tls-secret
+  {{- end }}
  rules:
    - host: {{ .Values.ingress.hostPrefix.grpc }}{{ .Values.baseDomain }}
      http:
--- a/kube/helm/netmaker/templates/netmaker-statefulset.yaml
+++ b/kube/helm/netmaker/templates/netmaker-statefulset.yaml
@ -16,7 +16,6 @@ spec:
        app: {{ include "netmaker.fullname" . }}
    spec:
      {{- if .Values.wireguard.enabled }}
-      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      affinity:
        podAntiAffinity:
@ -96,10 +95,17 @@ spec:
        imagePullPolicy: Always
        name: {{ include "netmaker.fullname" . }}
        ports:
-        - containerPort: 8081
+        - containerPort: {{ .Values.service.restPort }}
          protocol: TCP
-        - containerPort: 443
+        - containerPort: {{ .Values.service.grpcPort }}
          protocol: TCP
+      {{- if .Values.wireguard.enabled }}
+        {{ $count := (add .Values.wireguard.networkLimit 1 | int) }}
+        {{- range untilStep 1 $count 1 }}
+        - containerPort: {{ add 31820 . }}
+          protocol: UDP      
+        {{- end }}
+      {{- end }}
        resources: {}
        {{- if .Values.wireguard.enabled }}
        securityContext:
--- a/kube/helm/netmaker/templates/services.yaml
+++ b/kube/helm/netmaker/templates/services.yaml
@ -25,7 +25,7 @@ spec:
  - name: rest
    port: {{ .Values.service.restPort }}
    protocol: TCP
-    targetPort: {{ .Values.service.restPort }}
+    targetPort: {{ .Values.service.grpcPort }}
  selector:
    app: '{{ include "netmaker.fullname" . }}'
  sessionAffinity: None
@ -46,4 +46,27 @@ spec:
  selector:
    app: '{{ include "netmaker.fullname" . }}'
  sessionAffinity: None
-  type: {{ .Values.service.type }}
+  type: {{ .Values.service.type }}
+{{- if .Values.wireguard.enabled }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    {{- include "netmaker.labels" . | nindent 4 }}
+  name: '{{ include "netmaker.fullname" . }}-wireguard'
+spec:
+  externalTrafficPolicy: Local
+  type: NodePort
+  ports:
+  {{ $count := (add .Values.wireguard.networkLimit 1 | int) }}
+  {{- range untilStep 1 $count 1 }}
+  - port: {{ add 31820 . }}
+    nodePort: {{ add 31820 . }}
+    protocol: UDP
+    targetPort: {{ add 31820 . }}
+    name: wg-iface-{{ add 31820 . }}
+  {{- end }}
+  selector:
+    app: '{{ include "netmaker.fullname" . }}'
+{{- end }}
--- a/kube/helm/netmaker/values.yaml
+++ b/kube/helm/netmaker/values.yaml
@ -2,113 +2,115 @@
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.

+# -- number of netmaker server replicas to create 
 replicas: 3

 image:
+  # -- The image repo to pull Netmaker image from 
  repository: gravitl/netmaker
+  # -- Pull Policy for images
  pullPolicy: Always
-  # Overrides the image tag whose default is the chart appVersion.
+  # -- Override the image tag to pull 
  tag: "v0.8.4"

-imagePullSecrets: []
-nameOverride: ""
+# -- override the name for netmaker objects 
+nameOverride: ""  
+
+# -- override the full name for netmaker objects 
 fullnameOverride: ""

 serviceAccount:
-  # Specifies whether a service account should be created
+  # -- Specifies whether a service account should be created
  create: true
-  # Annotations to add to the service account
+  # -- Annotations to add to the service account
  annotations: {}
-  # The name of the service account to use.
-  # If not set and create is true, a name is generated using the fullname template
+  # -- Name of SA to use. If not set and create is true, a name is generated using the fullname template
  name: ""

+# -- pod annotations to add
 podAnnotations: {}

+# -- pod security contect to add
 podSecurityContext: {}
  # fsGroup: 2000

-isKernel: false
-isClient: true
-
 ui:
+  # -- how many UI replicas to create
  replicas: 2

-securityContext: {}
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
-
 service:
+  # -- type for netmaker server services
  type: ClusterIP
+  # -- port for API service
  restPort: 8081
+  # -- port for GRPC service
  grpcPort: 443
+  # -- port for UI service
  uiPort: 80

 ingress:
+  # -- attempts to configure ingress if true
  enabled: false
-  className: ""
+  tls:
+    enabled: true
  annotations:
-    kubernetes.io/ingress.class: nginx
-    kubernetes.io/tls-acme: "true"
-    nginx.ingress.kubernetes.io/rewrite-target: /
-    cert-manager.io/cluster-issuer: "letsencrypt-prod"
-    nginx.ingress.kubernetes.io/ssl-redirect: 'true'
-  grpcAnnotations:
-    kubernetes.io/ingress.class: nginx
-    kubernetes.io/tls-acme: "true"
-    nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
-    nginx.ingress.kubernetes.io/rewrite-target: /
-    cert-manager.io/cluster-issuer: "letsencrypt-prod"
-    nginx.ingress.kubernetes.io/ssl-redirect: 'true'
+    base:
+      # -- annotation to generate ACME certs if available
+      kubernetes.io/ingress.allow-http: "false"    
+    tls:
+      kubernetes.io/tls-acme: "true"
+      # -- LE issuer name 
+      cert-manager.io/cluster-issuer: "letsencrypt-prod"
+      # -- Block HTTP requests
+    nginx:
+      # -- Redirect http to https 
+      nginx.ingress.kubernetes.io/ssl-redirect: 'true'
+      # -- destination addr for route
+      nginx.ingress.kubernetes.io/rewrite-target: /
+    traefik:
+      # -- Redirect to https
+      traefik.ingress.kubernetes.io/redirect-entry-point: https
+      # -- Redirect to https permanently
+      traefik.ingress.kubernetes.io/redirect-permanent: "true"
+      # -- rule type
+      traefik.ingress.kubernetes.io/rule-type: "PathPrefixStrip"
+    grpc:
+      nginx:
+        # -- annotation to use grpc protocol on grpc domain
+        nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
+      traefik:
+        # -- annotation to use grpc protocol on grpc domain
+        ingress.kubernetes.io/protocol: "h2c"
  hostPrefix:
+    # -- ui route subdomain
    ui: 'dashboard.'
+    # -- api (REST) route subdomain
    rest: 'api.'
+    # -- grpc route subdomain
    grpc: 'grpc.'

-resources: {}
-  # We usually recommend not to specify default resources and to leave this as a conscious
-  # choice for the user. This also increases chances charts run on environments with little
-  # resources, such as Minikube. If you do want to specify resources, uncomment the following
-  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-  # limits:
-  #   cpu: 100m
-  #   memory: 128Mi
-  # requests:
-  #   cpu: 100m
-  #   memory: 128Mi
-
 wireguard:
+  # -- whether or not to use WireGuard on server
  enabled: true
+  # -- whether or not to use Kernel WG (should be false unless WireGuard is installed on hosts).
  kernel: false
+  # -- max number of networks that Netmaker will support if running with WireGuard enabled
+  networkLimit: 10

 dns:
+  # -- whether or not to run with DNS (CoreDNS)
  enabled: false
+  # -- volume size for DNS (only needs to hold one file)
  storageSize: 128Mi

 postgresql-ha:
  postgresql:
+    # -- postgres user to generate
    username: netmaker
+    # -- postgres pass to generate
    password: netmaker
+    # -- postgress db to generate
    database: netmaker
  persistence:
+    # -- size of postgres DB
    size: 3Gi
-
-autoscaling:
-  enabled: false
-  minReplicas: 1
-  maxReplicas: 100
-  targetCPUUtilizationPercentage: 80
-  # targetMemoryUtilizationPercentage: 80
-
-netmakerUI:
-  
-
-nodeSelector: {}
-
-tolerations: []
-
-affinity: {}
--- a/logic/server.go
+++ b/logic/server.go
@ -18,6 +18,7 @@ import (

 // KUBERNETES_LISTEN_PORT - starting port for Kubernetes in order to use NodePort range
 const KUBERNETES_LISTEN_PORT = 31821
+const KUBERNETES_SERVER_MTU = 1024

 // ServerJoin - responsible for joining a server to a network
 func ServerJoin(network string, serverID string, privateKey string) error {
@ -36,10 +37,12 @@ func ServerJoin(network string, serverID string, privateKey string) error {
 		MacAddress:   serverID,
 		UDPHolePunch: "no",
 	}
+	node.SetDefaults()
+
 	if servercfg.GetPlatform() == "Kubernetes" {
 		node.ListenPort = KUBERNETES_LISTEN_PORT
+		node.MTU = KUBERNETES_SERVER_MTU
 	}
-	node.SetDefaults()

 	if node.LocalRange != "" && node.LocalAddress == "" {
 		Log("local vpn, getting local address from range: "+node.LocalRange, 1)
--- a/netclient/command/commands.go
+++ b/netclient/command/commands.go
@ -42,7 +42,7 @@ func Join(cfg config.ClientConfig, privateKey string) error {
 			}
 			if cfg.Daemon != "off" {
 				if ncutils.IsLinux() {
-					err = daemon.RemoveSystemDServices(cfg.Network)
+					err = daemon.RemoveSystemDServices()
 				}
 				if err != nil {
 					ncutils.PrintLog("error removing services: "+err.Error(), 1)
--- a/netclient/daemon/systemd.go
+++ b/netclient/daemon/systemd.go
@ -98,30 +98,17 @@ WantedBy=timers.target
 }

 // RemoveSystemDServices - removes the systemd services on a machine
-func RemoveSystemDServices(network string) error {
+func RemoveSystemDServices() error {
 	//sysExec, err := exec.LookPath("systemctl")
-	if !ncutils.IsWindows() {
-		fullremove, err := isOnlyService(network)
+	var err error
+	if !ncutils.IsWindows() && isOnlyService() {
 		if err != nil {
 			log.Println(err)
 		}
-
-		if fullremove {
-			_, err = ncutils.RunCmd("systemctl disable netclient.service", true)
-		}
-		_, _ = ncutils.RunCmd("systemctl daemon-reload", true)
-
-		if ncutils.FileExists("/etc/systemd/system/netclient.timer") {
-			_, _ = ncutils.RunCmd("systemctl disable netclient.timer", true)
-		}
-		if fullremove {
-			if ncutils.FileExists("/etc/systemd/system/netclient.service") {
-				err = os.Remove("/etc/systemd/system/netclient.service")
-			}
-		}
-		if ncutils.FileExists("/etc/systemd/system/netclient.timer") {
-			err = os.Remove("/etc/systemd/system/netclient.timer")
-		}
+		_, err = ncutils.RunCmd("systemctl disable netclient.service", true)
+		_, err = ncutils.RunCmd("systemctl disable netclient.timer", true)
+		err = os.Remove("/etc/systemd/system/netclient.service")
+		err = os.Remove("/etc/systemd/system/netclient.timer")
 		if err != nil {
 			log.Println("Error removing file. Please investigate.")
 			log.Println(err)
@ -132,16 +119,10 @@ func RemoveSystemDServices(network string) error {
 	return nil
 }

-func isOnlyService(network string) (bool, error) {
-	isonly := false
+func isOnlyService() bool {
 	files, err := filepath.Glob("/etc/netclient/config/netconfig-*")
 	if err != nil {
-		return isonly, err
+		return false
 	}
-	count := len(files)
-	if count == 0 {
-		isonly = true
-	}
-	return isonly, err
-
+	return len(files) == 0
 }
--- a/netclient/functions/common.go
+++ b/netclient/functions/common.go
@ -229,7 +229,7 @@ func RemoveLocalInstance(cfg *config.ClientConfig, networkName string) error {
 		} else if ncutils.IsMac() {
 			//TODO: Delete mac daemon
 		} else {
-			err = daemon.RemoveSystemDServices(networkName)
+			err = daemon.RemoveSystemDServices()
 		}
 	}
 	return err