diff --git a/kube/helm/netmaker/Chart.yaml b/kube/helm/netmaker/Chart.yaml index 515720aa..e036b100 100644 --- a/kube/helm/netmaker/Chart.yaml +++ b/kube/helm/netmaker/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: v2 name: netmaker -description: A Helm chart for Kubernetes +description: A Helm chart to run HA Netmaker on Kubernetes # A chart can be either an 'application' or a 'library' chart. # diff --git a/kube/helm/netmaker/templates/hpa.yaml b/kube/helm/netmaker/templates/hpa.yaml deleted file mode 100644 index 073e7c0e..00000000 --- a/kube/helm/netmaker/templates/hpa.yaml +++ /dev/null @@ -1,28 +0,0 @@ -{{- if .Values.autoscaling.enabled }} -apiVersion: autoscaling/v2beta1 -kind: HorizontalPodAutoscaler -metadata: - name: {{ include "netmaker.fullname" . }} - labels: - {{- include "netmaker.labels" . | nindent 4 }} -spec: - scaleTargetRef: - apiVersion: apps/v1 - kind: Deployment - name: {{ include "netmaker.fullname" . }} - minReplicas: {{ .Values.autoscaling.minReplicas }} - maxReplicas: {{ .Values.autoscaling.maxReplicas }} - metrics: - {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} - - type: Resource - resource: - name: cpu - targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} - {{- end }} - {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} - - type: Resource - resource: - name: memory - targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} - {{- end }} -{{- end }} diff --git a/kube/helm/netmaker/templates/ingress.yaml b/kube/helm/netmaker/templates/ingress.yaml index d43b8a0e..739fdbe8 100644 --- a/kube/helm/netmaker/templates/ingress.yaml +++ b/kube/helm/netmaker/templates/ingress.yaml 
@@ -6,6 +6,7 @@ {{- $uiSvcPort := .Values.service.uiPort -}} {{- $restSvcPort := .Values.service.restPort -}} {{- $grpcSvcPort := .Values.service.grpcPort -}} +{{- $classname := required "A valid .Values.ingress.className entry required! Please set this to your ingress class (nginx, traefik)" .Values.ingress.className}} {{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} @@ -23,18 +24,29 @@ metadata: name: {{ $fullUIName }} labels: {{- include "netmaker.labels" . | nindent 4 }} - {{- with .Values.ingress.annotations }} + {{- with .Values.ingress }} annotations: - {{- toYaml . | nindent 4 }} + {{- toYaml .annotations.base | nindent 4 }} + {{- if eq .className "nginx" }} + {{- toYaml .annotations.nginx | nindent 4 }} + {{- end }} + {{- if eq .className "traefik" }} + {{- toYaml .annotations.traefik | nindent 4 }} + {{- end }} + {{- if .tls.enabled }} + {{- toYaml .annotations.tls | nindent 4 }} + {{- end }} {{- end }} spec: {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} - ingressClassName: {{ .Values.ingress.className }} + ingressClassName: {{ required "A valid .Values.ingress.className entry required!" .Values.ingress.className}} {{- end }} + {{- if .Values.ingress.tls.enabled }} tls: - hosts: - {{ .Values.ingress.hostPrefix.ui }}{{ .Values.baseDomain }} secretName: {{ $fullUIName }}-tls-secret + {{- end}} rules: - host: {{ .Values.ingress.hostPrefix.ui }}{{ .Values.baseDomain }} http: 
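Review bot: `$classname` is assigned through `required` at the top of the hunk but is never read afterwards, while the three later `ingressClassName:` lines each call `required` again inside `if and .Values.ingress.className …`, where the value is already known to be non-empty, so those later calls can never fail. Use the variable and drop the duplicates: `ingressClassName: {{ $classname }}` in the UI hunk here and in the REST and gRPC hunks, keeping the explanatory message only on the first `required`. Whether the whole template sits inside an `if .Values.ingress.enabled` block, which would decide when the early `required` fires, is outside the hunk.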
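Review bot: With `.Values.ingress.tls.enabled` false the new guard removes the `tls:` block, but the `base` annotations (which in the values.yaml hunk carry `kubernetes.io/ingress.allow-http: "false"`) and the traefik https-redirect annotations are still emitted, so a TLS-disabled install gets an Ingress that blocks or redirects plain HTTP while terminating no TLS, and whatever API traffic does get through travels in plaintext; the REST and gRPC hunks share this. Emit the redirect and allow-http annotations only under `{{- if .tls.enabled }}`, or move them from `base` into the `tls` map in values.yaml so the TLS-off case is consistent. `toYaml .annotations.base` also renders a literal `null` line if a user empties that map, giving an invalid annotations block; `{{- with .annotations.base }}{{ toYaml . | nindent 4 }}{{- end }}` avoids that.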
@@ -66,18 +78,29 @@ metadata: name: {{ $fullRESTName }} labels: {{- include "netmaker.labels" . | nindent 4 }} - {{- with .Values.ingress.annotations }} + {{- with .Values.ingress }} annotations: - {{- toYaml . | nindent 4 }} + {{- toYaml .annotations.base | nindent 4 }} + {{- if eq .className "nginx" }} + {{- toYaml .annotations.nginx | nindent 4 }} + {{- end }} + {{- if eq .className "traefik" }} + {{- toYaml .annotations.traefik | nindent 4 }} + {{- end }} + {{- if .tls.enabled }} + {{- toYaml .annotations.tls | nindent 4 }} + {{- end }} {{- end }} spec: {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} - ingressClassName: {{ .Values.ingress.className }} + ingressClassName: {{ required "A valid .Values.ingress.className entry required!" .Values.ingress.className}} {{- end }} + {{- if .Values.ingress.tls.enabled }} tls: - hosts: - {{ .Values.ingress.hostPrefix.rest }}{{ .Values.baseDomain }} secretName: {{ $fullRESTName }}-tls-secret + {{- end }} rules: - host: {{ .Values.ingress.hostPrefix.rest }}{{ .Values.baseDomain }} http: 
@@ -109,18 +132,31 @@ metadata: name: {{ $fullGRPCName }} labels: {{- include "netmaker.labels" . | nindent 4 }} - {{- with .Values.ingress.grpcAnnotations }} + {{- with .Values.ingress }} annotations: - {{- toYaml . | nindent 4 }} + {{- toYaml .annotations.base | nindent 4 }} + {{- if eq .className "nginx" }} + {{- toYaml .annotations.nginx | nindent 4 }} + {{- toYaml .annotations.grpc.nginx | nindent 4 }} + {{- end }} + {{- if eq .className "traefik" }} + {{- toYaml .annotations.traefik | nindent 4 }} + {{- toYaml .annotations.grpc.traefik | nindent 4 }} + {{- end }} + {{- if .tls.enabled }} + {{- toYaml .annotations.tls | nindent 4 }} + {{- end }} {{- end }} spec: {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} - ingressClassName: {{ .Values.ingress.className }} + ingressClassName: {{ required "A valid .Values.ingress.className entry required!" .Values.ingress.className}} {{- end }} + {{- if .Values.ingress.tls.enabled }} tls: - hosts: - {{ .Values.ingress.hostPrefix.grpc }}{{ .Values.baseDomain }} secretName: {{ $fullGRPCName }}-tls-secret + {{- end }} rules: - host: {{ .Values.ingress.hostPrefix.grpc }}{{ .Values.baseDomain }} http: diff --git a/kube/helm/netmaker/templates/netmaker-statefulset.yaml b/kube/helm/netmaker/templates/netmaker-statefulset.yaml index 64c3a1c2..ef7bd176 100644 --- a/kube/helm/netmaker/templates/netmaker-statefulset.yaml +++ b/kube/helm/netmaker/templates/netmaker-statefulset.yaml @@ -16,7 +16,6 @@ spec: app: {{ include "netmaker.fullname" . }} spec: {{- if .Values.wireguard.enabled }} - hostNetwork: true dnsPolicy: ClusterFirstWithHostNet affinity: podAntiAffinity: 
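Review bot: `dnsPolicy: ClusterFirstWithHostNet` is kept on the line after the removed `hostNetwork: true`, but that policy exists only to give host-network pods cluster DNS; without host networking the kubelet effectively treats it like `ClusterFirst`, so the surviving line is misleading rather than harmful. Replace it with `dnsPolicy: ClusterFirst`, or drop the `{{- if .Values.wireguard.enabled }}` branch if nothing else in it depends on host networking (the branch continues past the hunk). Dropping `hostNetwork` is a welcome isolation improvement, since the server no longer shares the node's network namespace; the UDP ports it needs now appear to be published through the NodePort service added in services.yaml, which is worth stating next to the change, e.g. `# WireGuard UDP ports are exposed via the <fullname>-wireguard NodePort service, not host networking`.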
@@ -96,10 +95,17 @@ spec: imagePullPolicy: Always name: {{ include "netmaker.fullname" . }} ports: - - containerPort: 8081 + - containerPort: {{ .Values.service.restPort }} protocol: TCP - - containerPort: 443 + - containerPort: {{ .Values.service.grpcPort }} protocol: TCP + {{- if .Values.wireguard.enabled }} + {{ $count := (add .Values.wireguard.networkLimit 1 | int) }} + {{- range untilStep 1 $count 1 }} + - containerPort: {{ add 31820 . }} + protocol: UDP + {{- end }} + {{- end }} resources: {} {{- if .Values.wireguard.enabled }} securityContext: diff --git a/kube/helm/netmaker/templates/services.yaml b/kube/helm/netmaker/templates/services.yaml index 1be803d7..efc5e630 100644 --- a/kube/helm/netmaker/templates/services.yaml +++ b/kube/helm/netmaker/templates/services.yaml @@ -25,7 +25,7 @@ spec: - name: rest port: {{ .Values.service.restPort }} protocol: TCP - targetPort: {{ .Values.service.restPort }} + targetPort: {{ .Values.service.grpcPort }} selector: app: '{{ include "netmaker.fullname" . }}' sessionAffinity: None @@ -46,4 +46,27 @@ spec: selector: app: '{{ include "netmaker.fullname" . }}' sessionAffinity: None - type: {{ .Values.service.type }} \ No newline at end of file + type: {{ .Values.service.type }} +{{- if .Values.wireguard.enabled }} +--- +apiVersion: v1 +kind: Service +metadata: + labels: + {{- include "netmaker.labels" . | nindent 4 }} + name: '{{ include "netmaker.fullname" . }}-wireguard' +spec: + externalTrafficPolicy: Local + type: NodePort + ports: + {{ $count := (add .Values.wireguard.networkLimit 1 | int) }} + {{- range untilStep 1 $count 1 }} + - port: {{ add 31820 . }} + nodePort: {{ add 31820 . }} + protocol: UDP + targetPort: {{ add 31820 . }} + name: wg-iface-{{ add 31820 . }} + {{- end }} + selector: + app: '{{ include "netmaker.fullname" . }}' +{{- end }} \ No newline at end of file diff --git a/kube/helm/netmaker/values.yaml b/kube/helm/netmaker/values.yaml index d5d789d4..e75555d8 100644 --- a/kube/helm/netmaker/values.yaml 
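Review bot: The port entry named `rest` keeps `port: {{ .Values.service.restPort }}` but its `targetPort` is changed to `{{ .Values.service.grpcPort }}`, so the service would forward REST traffic to the gRPC container port (the statefulset hunk above maps `restPort` and `grpcPort` to two separate container ports). If this entry belongs to the REST service the line should read `targetPort: {{ .Values.service.restPort }}`; if it belongs to the gRPC service, `name:` and `port:` need the matching change, since the three fields must agree. The enclosing Service object starts before the hunk, so which service this is cannot be seen here.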
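Review bot: The nodePort base `31820` is hard-coded here and again in the statefulset ports hunk, and it has to stay in line with `KUBERNETES_LISTEN_PORT = 31821` in logic/server.go (the range starts at `add 31820 1`); a single value such as `wireguard.basePort` consumed by both templates, or at least a comment `# must match KUBERNETES_LISTEN_PORT in logic/server.go`, keeps the three from drifting. `nodePort` values above the cluster's service-node-port-range (30000-32767 by default) are rejected at apply time, so `networkLimit` cannot exceed 947 with the default range and the values.yaml comment should say so. The untrimmed `{{ $count := … }}` line in both hunks leaves a whitespace-only line in the rendered manifest; `{{- $count := (add .Values.wireguard.networkLimit 1 | int) -}}` removes it.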
+++ b/kube/helm/netmaker/values.yaml 
@@ -2,113 +2,115 @@ # This is a YAML-formatted file. # Declare variables to be passed into your templates. +# -- number of netmaker server replicas to create replicas: 3 image: + # -- The image repo to pull Netmaker image from repository: gravitl/netmaker + # -- Pull Policy for images pullPolicy: Always - # Overrides the image tag whose default is the chart appVersion. + # -- Override the image tag to pull tag: "v0.8.4" -imagePullSecrets: [] -nameOverride: "" +# -- override the name for netmaker objects +nameOverride: "" + +# -- override the full name for netmaker objects fullnameOverride: "" serviceAccount: - # Specifies whether a service account should be created + # -- Specifies whether a service account should be created create: true - # Annotations to add to the service account + # -- Annotations to add to the service account annotations: {} - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template + # -- Name of SA to use. 
If not set and create is true, a name is generated using the fullname template name: "" +# -- pod annotations to add podAnnotations: {} +# -- pod security contect to add podSecurityContext: {} # fsGroup: 2000 -isKernel: false -isClient: true - ui: + # -- how many UI replicas to create replicas: 2 -securityContext: {} - # capabilities: - # drop: - # - ALL - # readOnlyRootFilesystem: true - # runAsNonRoot: true - # runAsUser: 1000 - service: + # -- type for netmaker server services type: ClusterIP + # -- port for API service restPort: 8081 + # -- port for GRPC service grpcPort: 443 + # -- port for UI service uiPort: 80 ingress: + # -- attempts to configure ingress if true enabled: false - className: "" + tls: + enabled: true annotations: - kubernetes.io/ingress.class: nginx - kubernetes.io/tls-acme: "true" - nginx.ingress.kubernetes.io/rewrite-target: / - cert-manager.io/cluster-issuer: "letsencrypt-prod" - nginx.ingress.kubernetes.io/ssl-redirect: 'true' - grpcAnnotations: - kubernetes.io/ingress.class: nginx - kubernetes.io/tls-acme: "true" - nginx.ingress.kubernetes.io/backend-protocol: "GRPC" - nginx.ingress.kubernetes.io/rewrite-target: / - cert-manager.io/cluster-issuer: "letsencrypt-prod" - nginx.ingress.kubernetes.io/ssl-redirect: 'true' + base: + # -- annotation to generate ACME certs if available + kubernetes.io/ingress.allow-http: "false" + tls: + kubernetes.io/tls-acme: "true" + # -- LE issuer name + cert-manager.io/cluster-issuer: "letsencrypt-prod" + # -- Block HTTP requests + nginx: + # -- Redirect http to https + nginx.ingress.kubernetes.io/ssl-redirect: 'true' + # -- destination addr for route + nginx.ingress.kubernetes.io/rewrite-target: / + traefik: + # -- Redirect to https + traefik.ingress.kubernetes.io/redirect-entry-point: https + # -- Redirect to https permanently + traefik.ingress.kubernetes.io/redirect-permanent: "true" + # -- rule type + traefik.ingress.kubernetes.io/rule-type: "PathPrefixStrip" + grpc: + nginx: + # -- annotation to use 
grpc protocol on grpc domain + nginx.ingress.kubernetes.io/backend-protocol: "GRPC" + traefik: + # -- annotation to use grpc protocol on grpc domain + ingress.kubernetes.io/protocol: "h2c" hostPrefix: + # -- ui route subdomain ui: 'dashboard.' + # -- api (REST) route subdomain rest: 'api.' + # -- grpc route subdomain grpc: 'grpc.' -resources: {} - # We usually recommend not to specify default resources and to leave this as a conscious - # choice for the user. This also increases chances charts run on environments with little - # resources, such as Minikube. If you do want to specify resources, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'resources:'. - # limits: - # cpu: 100m - # memory: 128Mi - # requests: - # cpu: 100m - # memory: 128Mi - wireguard: + # -- whether or not to use WireGuard on server enabled: true + # -- whether or not to use Kernel WG (should be false unless WireGuard is installed on hosts). kernel: false + # -- max number of networks that Netmaker will support if running with WireGuard enabled + networkLimit: 10 dns: + # -- whether or not to run with DNS (CoreDNS) enabled: false + # -- volume size for DNS (only needs to hold one file) storageSize: 128Mi postgresql-ha: postgresql: + # -- postgres user to generate username: netmaker + # -- postgres pass to generate password: netmaker + # -- postgress db to generate database: netmaker persistence: + # -- size of postgres DB size: 3Gi - -autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 100 - targetCPUUtilizationPercentage: 80 - # targetMemoryUtilizationPercentage: 80 - -netmakerUI: - - -nodeSelector: {} - -tolerations: [] - -affinity: {} diff --git a/logic/server.go b/logic/server.go index 7427ab38..21f91da4 100644 --- a/logic/server.go +++ b/logic/server.go 
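Review bot: The `# --` comments under `ingress.annotations` are shifted relative to the keys they describe: `# -- annotation to generate ACME certs if available` sits above `kubernetes.io/ingress.allow-http: "false"`, and `# -- Block HTTP requests` sits above the `nginx:` map instead of above `allow-http`. Move `# -- Block HTTP requests` onto the `allow-http` entry and the ACME comment onto `kubernetes.io/tls-acme`, so that any helm-docs style output generated from these comments describes the right keys. `allow-http: "false"` also lives in `base`, which the ingress templates emit unconditionally, so it still applies when `ingress.tls.enabled` is false; placing it under `tls` keeps the TLS-off case coherent. The `className` key is deleted here while the ingress template now `required`s it, so a documented placeholder such as `# -- ingress class, required when ingress.enabled (nginx or traefik)` followed by a commented `# className: nginx` would make the mandatory setting visible.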
@@ -18,6 +18,7 @@ import (

 // KUBERNETES_LISTEN_PORT - starting port for Kubernetes in order to use NodePort range
 const KUBERNETES_LISTEN_PORT = 31821
+const KUBERNETES_SERVER_MTU = 1024

 // ServerJoin - responsible for joining a server to a network
 func ServerJoin(network string, serverID string, privateKey string) error {
@@ -36,10 +37,12 @@ func ServerJoin(network string, serverID string, privateKey string) error {
 MacAddress: serverID,
 UDPHolePunch: "no",
 }
+ node.SetDefaults()
+
 if servercfg.GetPlatform() == "Kubernetes" {
 node.ListenPort = KUBERNETES_LISTEN_PORT
+ node.MTU = KUBERNETES_SERVER_MTU
 }
- node.SetDefaults()

 if node.LocalRange != "" && node.LocalAddress == "" {
 Log("local vpn, getting local address from range: "+node.LocalRange, 1)
diff --git a/netclient/command/commands.go b/netclient/command/commands.go
index ae9e58e9..a96a1d68 100644
--- a/netclient/command/commands.go
+++ b/netclient/command/commands.go
@@ -42,7 +42,7 @@ func Join(cfg config.ClientConfig, privateKey string) error {
 }
 if cfg.Daemon != "off" {
 if ncutils.IsLinux() {
- err = daemon.RemoveSystemDServices(cfg.Network)
+ err = daemon.RemoveSystemDServices()
 }
 if err != nil {
 ncutils.PrintLog("error removing services: "+err.Error(), 1)
diff --git a/netclient/daemon/systemd.go b/netclient/daemon/systemd.go
index 93bf4c77..6b90f1f4 100644
--- a/netclient/daemon/systemd.go
+++ b/netclient/daemon/systemd.go
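Review bot: `KUBERNETES_SERVER_MTU` is added without the doc comment its neighbour `KUBERNETES_LISTEN_PORT` carries, and 1024 is well below the WireGuard default of 1420, so the reason for the value cannot be recovered from the code. Suggest `// KUBERNETES_SERVER_MTU - MTU applied to a server node running on Kubernetes; presumably lowered for the cluster overlay's encapsulation (TODO confirm why 1024)` above the constant. In the second hunk the move of `node.SetDefaults()` ahead of the Kubernetes overrides is what lets the new MTU assignment survive, assuming SetDefaults assigns MTU; a one-line comment on the moved call, `// defaults first so the Kubernetes overrides below win`, would stop the next reader from moving it back.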
@@ -98,30 +98,17 @@ WantedBy=timers.target
 }

 // RemoveSystemDServices - removes the systemd services on a machine
-func RemoveSystemDServices(network string) error {
+func RemoveSystemDServices() error {
 //sysExec, err := exec.LookPath("systemctl")
- if !ncutils.IsWindows() {
- fullremove, err := isOnlyService(network)
+ var err error
+ if !ncutils.IsWindows() && isOnlyService() {
 if err != nil {
 log.Println(err)
 }
-
- if fullremove {
- _, err = ncutils.RunCmd("systemctl disable netclient.service", true)
- }
- _, _ = ncutils.RunCmd("systemctl daemon-reload", true)
-
- if ncutils.FileExists("/etc/systemd/system/netclient.timer") {
- _, _ = ncutils.RunCmd("systemctl disable netclient.timer", true)
- }
- if fullremove {
- if ncutils.FileExists("/etc/systemd/system/netclient.service") {
- err = os.Remove("/etc/systemd/system/netclient.service")
- }
- }
- if ncutils.FileExists("/etc/systemd/system/netclient.timer") {
- err = os.Remove("/etc/systemd/system/netclient.timer")
- }
+ _, err = ncutils.RunCmd("systemctl disable netclient.service", true)
+ _, err = ncutils.RunCmd("systemctl disable netclient.timer", true)
+ err = os.Remove("/etc/systemd/system/netclient.service")
+ err = os.Remove("/etc/systemd/system/netclient.timer")
 if err != nil {
 log.Println("Error removing file. Please investigate.")
 log.Println(err)
@@ -132,16 +119,10 @@ func RemoveSystemDServices(network string) error {
 return nil
 }

-func isOnlyService(network string) (bool, error) {
- isonly := false
+func isOnlyService() bool {
 files, err := filepath.Glob("/etc/netclient/config/netconfig-*")
 if err != nil {
- return isonly, err
+ return false
 }
- count := len(files)
- if count == 0 {
- isonly = true
- }
- return isonly, err
-
+ return len(files) == 0
 }
diff --git a/netclient/functions/common.go b/netclient/functions/common.go
index 46f6a614..e8725fd3 100644
--- a/netclient/functions/common.go
+++ b/netclient/functions/common.go
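Review bot: Only the final `err = os.Remove("/etc/systemd/system/netclient.timer")` is ever examined in the new body — each of the four `err` assignments overwrites the previous one, and the `if err != nil` directly under `var err error` is dead — so a failed `systemctl disable` or a failed removal of netclient.service is silently dropped and the unit can stay enabled while the caller believes the daemon is gone. The rewrite also drops the `systemctl daemon-reload` that the removed lines ran, so systemd keeps the deleted units loaded until something else reloads, and the existence checks are gone, so a host that never installed the timer now logs "Error removing file" on every uninstall. The sketch below checks each step, ignores a missing unit file, keeps the first real error and restores the reload; the logging tail and `return nil` continue past the hunk. Whether the function should start returning that error to its callers in commands.go and common.go instead of only logging it is a separate decision.
```go
func RemoveSystemDServices() error {
	//sysExec, err := exec.LookPath("systemctl")
	if ncutils.IsWindows() || !isOnlyService() {
		return nil
	}
	var err error
	if _, cmdErr := ncutils.RunCmd("systemctl disable netclient.service", true); cmdErr != nil {
		log.Println(cmdErr)
	}
	if _, cmdErr := ncutils.RunCmd("systemctl disable netclient.timer", true); cmdErr != nil {
		log.Println(cmdErr)
	}
	for _, unit := range []string{"/etc/systemd/system/netclient.service", "/etc/systemd/system/netclient.timer"} {
		// a unit that was never installed is not a removal failure; keep the first real error
		if rmErr := os.Remove(unit); rmErr != nil && !os.IsNotExist(rmErr) && err == nil {
			err = rmErr
		}
	}
	// the removed code ran this after deleting the units; without it systemd keeps them loaded
	_, _ = ncutils.RunCmd("systemctl daemon-reload", true)
	// … unchanged: "Error removing file" logging and return …
```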
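Review bot: `isOnlyService` now returns false when `filepath.Glob` fails, which makes the caller skip removal entirely, but nothing records that this is deliberate; the old version surfaced the error to the caller. With a constant pattern `filepath.Glob` can only fail with `ErrBadPattern`, so the branch is effectively unreachable, and a comment such as `// a Glob error can only be a bad pattern; treat it as "other networks still exist" so nothing is removed` documents the fail-safe choice for the next reader.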
@@ -229,7 +229,7 @@ func RemoveLocalInstance(cfg *config.ClientConfig, networkName string) error {
 } else if ncutils.IsMac() {
 //TODO: Delete mac daemon
 } else {
- err = daemon.RemoveSystemDServices(networkName)
+ err = daemon.RemoveSystemDServices()
 }
 }
 return err