diff --git a/.github/workflows/ami.yml b/.github/workflows/ami.yml index 7b75a47..349bdd2 100644 --- a/.github/workflows/ami.yml +++ b/.github/workflows/ami.yml @@ -25,7 +25,7 @@ jobs: echo "Proxy version: $PROXY_VERSION" echo "Gateway version: $GATEWAY_VERSION" - name: Checkout repository - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: Setup `packer` uses: hashicorp/setup-packer@main diff --git a/.github/workflows/lint_charts.yml b/.github/workflows/lint_charts.yml index dc9dd19..e35a962 100644 --- a/.github/workflows/lint_charts.yml +++ b/.github/workflows/lint_charts.yml @@ -15,7 +15,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: fetch-depth: 0 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6608f21..59f40b3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -11,7 +11,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: fetch-depth: 0 @@ -31,7 +31,7 @@ jobs: done - name: Run chart-releaser - uses: helm/chart-releaser-action@v1.6.0 + uses: helm/chart-releaser-action@v1.7.0 env: CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" with: diff --git a/charts/defguard-gateway/Chart.yaml b/charts/defguard-gateway/Chart.yaml index 75d581e..101db7c 100644 --- a/charts/defguard-gateway/Chart.yaml +++ b/charts/defguard-gateway/Chart.yaml @@ -1,7 +1,8 @@ apiVersion: v2 name: defguard-gateway description: Defguard Gateway is a public-facing VPN endpoint. +icon: https://defguard.net/favicon/favicon-512x512.png type: application -version: 0.5.3 -appVersion: 1.6.3 +version: 2.0.0 +appVersion: 2.0.0 diff --git a/charts/defguard-gateway/templates/config.yaml b/charts/defguard-gateway/templates/config.yaml index 1e7e51b..ca9d6a6 100644 --- a/charts/defguard-gateway/templates/config.yaml +++ b/charts/defguard-gateway/templates/config.yaml 
@@ -5,7 +5,7 @@ metadata: labels: {{- include "defguard-gateway.labels" . | nindent 4 }} data: - DEFGUARD_USERSPACE: {{ .Values.userspace | quote }} - DEFGUARD_GRPC_URL: {{ .Values.grpcUrl | quote }} - DEFGUARD_STATS_PERIOD: {{ .Values.statsPeriod | quote }} + DEFGUARD_GRPC_PORT: {{ .Values.service.grpc.port | quote }} DEFGUARD_LOG_LEVEL: {{ .Values.logLevel | quote }} + DEFGUARD_STATS_PERIOD: {{ .Values.statsPeriod | quote }} + DEFGUARD_USERSPACE: {{ .Values.userspace | quote }} diff --git a/charts/defguard-gateway/templates/grpc-headless-service.yaml b/charts/defguard-gateway/templates/grpc-headless-service.yaml new file mode 100644 index 0000000..015ce08 --- /dev/null +++ b/charts/defguard-gateway/templates/grpc-headless-service.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "defguard-gateway.fullname" . }}-headless + labels: + {{- include "defguard-gateway.labels" . | nindent 4 }} +spec: + clusterIP: None + selector: + {{- include "defguard-gateway.selectorLabels" . | nindent 4 }} diff --git a/charts/defguard-gateway/templates/grpc-service.yaml b/charts/defguard-gateway/templates/grpc-service.yaml new file mode 100644 index 0000000..3cfdcfa --- /dev/null +++ b/charts/defguard-gateway/templates/grpc-service.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + {{- with .Values.service.grpc.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ include "defguard-gateway.fullname" . }}-grpc + labels: + {{- include "defguard-gateway.labels" . | nindent 4 }} + {{- with .Values.service.grpc.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.service.grpc.type }} + ports: + - port: {{ .Values.service.grpc.port }} + targetPort: grpc + protocol: TCP + name: grpc + selector: + {{- include "defguard-gateway.selectorLabels" . | nindent 4 }} 
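Review bot: The headless Service in grpc-headless-service.yaml is named `{{ include "defguard-gateway.fullname" . }}-headless`, but the gateway statefulset.yaml in this same commit sets `serviceName: {{ include "defguard-gateway.fullname" . }}-grpc-headless`, so the StatefulSet's governing service does not exist and the per-pod DNS records a StatefulSet relies on are never created. Rename the metadata.name to `name: {{ include "defguard-gateway.fullname" . }}-grpc-headless` so the two agree (the proxy chart already uses that pairing). Unlike the proxy's headless service, this one also declares no `ports:` block, so adding the same `ports:` stanza as grpc-service.yaml would make the two charts consistent.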
diff --git a/charts/defguard-gateway/templates/deployment.yaml b/charts/defguard-gateway/templates/statefulset.yaml similarity index 82% rename from charts/defguard-gateway/templates/deployment.yaml rename to charts/defguard-gateway/templates/statefulset.yaml index 766105d..9e3464d 100644 --- a/charts/defguard-gateway/templates/deployment.yaml +++ b/charts/defguard-gateway/templates/statefulset.yaml @@ -1,14 +1,16 @@ apiVersion: apps/v1 -kind: Deployment +kind: StatefulSet metadata: name: {{ include "defguard-gateway.fullname" . }} labels: {{- include "defguard-gateway.labels" . | nindent 4 }} spec: + podManagementPolicy: Parallel replicas: {{ .Values.replicaCount }} selector: matchLabels: {{- include "defguard-gateway.selectorLabels" . | nindent 6 }} + serviceName: {{ include "defguard-gateway.fullname" . }}-grpc-headless template: metadata: {{- with .Values.podAnnotations }} @@ -27,6 +29,11 @@ spec: {{- toYaml .Values.podSecurityContext | nindent 8 }} containers: - name: {{ .Chart.Name }} + {{- if .Values.healthCheck.enabled }} + env: + - name: HEALTH_PORT + value: {{ .Values.healthCheck.port }} + {{- end }} envFrom: - configMapRef: name: {{ include "defguard-gateway.fullname" . }}-config @@ -34,17 +41,20 @@ spec: - configMapRef: name: {{ .Values.additionalEnvFromConfigMap }} {{- end }} - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} ports: + - name: grpc + containerPort: {{ .Values.service.grpc.port }} + protocol: TCP - name: wireguard containerPort: {{ .Values.service.wireguard.port }} protocol: UDP resources: {{- toYaml .Values.resources | nindent 12 }} {{- if .Values.healthCheck.enabled }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} livenessProbe: httpGet: path: / 
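Review bot: `value: {{ .Values.healthCheck.port }}` renders the integer default `35053` unquoted, and `EnvVar.value` must be a string, so the API server rejects the StatefulSet whenever `healthCheck.enabled` is true; use `value: {{ .Values.healthCheck.port | quote }}`. The same line existed lower down in the old deployment.yaml, so this is carried over rather than introduced, but the move is the right moment to fix it.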
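Review bot: The re-added `securityContext:` lines are placed after the context line `{{- if .Values.healthCheck.enabled }}`, so the container security context is now rendered only when health checks are enabled; with the default `healthCheck.enabled: false` the gateway container gets no securityContext at all, which with the umbrella chart's new defaults means it loses `privileged`, `NET_ADMIN` and `SYS_MODULE`. Move the two lines above the `{{- if ... }}`, directly after the `resources:` block, as the proxy chart's statefulset.yaml does in this commit. Comparing the removed and added positions this looks accidental rather than intended; the container spec continues past the hunk.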
@@ -62,23 +72,9 @@ spec: timeoutSeconds: {{ .Values.healthCheck.readinessProbe.timeoutSeconds }} failureThreshold: {{ .Values.healthCheck.readinessProbe.failureThreshold }} {{- end }} - {{- if .Values.token }} - env: - - name: DEFGUARD_TOKEN - value: {{ .Values.token }} - {{- else if .Values.existingTokenSecret }} - env: - - name: DEFGUARD_TOKEN - valueFrom: - secretKeyRef: - name: {{ .Values.existingTokenSecret }} - key: {{ .Values.existingTokenSecretKey }} - {{- end }} - {{- if .Values.healthCheck.enabled }} - env: - - name: HEALTH_PORT - value: {{ .Values.healthCheck.port }} - {{- end }} + volumeMounts: + - name: data + mountPath: /etc/defguard {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} @@ -91,3 +87,15 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} + volumeClaimTemplates: + - metadata: + name: data + spec: + accessModes: + - ReadWriteOnce + {{- with .Values.persistence.storageClassName }} + storageClassName: {{ . }} + {{- end }} + resources: + requests: + storage: {{ .Values.persistence.size }} diff --git a/charts/defguard-gateway/values.schema.json b/charts/defguard-gateway/values.schema.json index 12626e8..6d8174d 100644 --- a/charts/defguard-gateway/values.schema.json +++ b/charts/defguard-gateway/values.schema.json @@ -16,19 +16,11 @@ "title": "affinity", "type": "object" }, - "existingTokenSecret": { - "default": "", - "description": "Secret to get the token from", - "required": [], - "title": "existingTokenSecret", - "type": "string" - }, - "existingTokenSecretKey": { - "default": "", - "description": "Key to extract the token from in existingTokenSecret", + "enabled": { + "default": false, "required": [], - "title": "existingTokenSecretKey", - "type": "string" + "title": "enabled", + "type": "boolean" }, "fullnameOverride": { "default": "", 
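Review bot: Dropping the `DEFGUARD_TOKEN` env (both the inline `token` and the `existingTokenSecret` path) together with `grpcUrl` is a breaking change for anyone upgrading from 0.5.x, and nothing in the diff says how the gateway now authenticates to the core or how an existing release migrates; the chart also changes kind from Deployment to StatefulSet, which `helm upgrade` handles by deleting the old Deployment and creating the StatefulSet, and it now requires a PVC. Add an upgrade note to the chart README or a `# NOTE:` comment at the top of values.yaml naming the removed values and what replaces them; the new `/etc/defguard` mount ("persistent storage for certificates", per the values comment) is the only hint here. The container spec continues outside the hunk.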
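Review bot: `volumeClaimTemplates` are immutable on an existing StatefulSet, so `persistence.size` and `persistence.storageClassName` only take effect at first install and a later `helm upgrade` that changes them fails on the StatefulSet update. This deserves a comment above `persistence:` in values.yaml, e.g. `# Applied only at first install: volumeClaimTemplates cannot be changed on an existing StatefulSet`. The same applies to the proxy chart's statefulset.yaml in this commit.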
@@ -38,18 +30,12 @@ "type": "string" }, "global": { + "additionalProperties": true, "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", "required": [], "title": "global", "type": "object" }, - "grpcUrl": { - "default": "", - "description": "Defguard GRPC URL, e.g.: defguard-grpc.mycompany.com", - "required": [], - "title": "grpcUrl", - "type": "string" - }, "healthCheck": { "additionalProperties": false, "description": "defguard-gateway health check configuration", @@ -211,6 +197,28 @@ "title": "nodeSelector", "type": "object" }, + "persistence": { + "additionalProperties": false, + "description": "defguard-gateway persistent storage for certificates", + "properties": { + "size": { + "default": "32Mi", + "title": "size", + "type": "string" + }, + "storageClassName": { + "default": "", + "title": "storageClassName", + "type": "string" + } + }, + "required": [ + "size", + "storageClassName" + ], + "title": "persistence", + "type": "object" + }, "podAnnotations": { "additionalProperties": false, "description": "defguard-gateway pod annotations", 
@@ -303,6 +311,53 @@ "additionalProperties": false, "description": "defguard-gateway service configuration", "properties": { + "grpc": { + "additionalProperties": false, + "properties": { + "annotations": { + "additionalProperties": false, + "properties": { + "traefik.ingress.kubernetes.io/service.serversscheme": { + "default": "h2c", + "required": [], + "title": "traefik.ingress.kubernetes.io/service.serversscheme", + "type": "string" + } + }, + "required": [ + "traefik.ingress.kubernetes.io/service.serversscheme" + ], + "title": "annotations", + "type": "object" + }, + "labels": { + "additionalProperties": false, + "required": [], + "title": "labels", + "type": "object" + }, + "port": { + "default": 50066, + "required": [], + "title": "port", + "type": "integer" + }, + "type": { + "default": "ClusterIP", + "required": [], + "title": "type", + "type": "string" + } + }, + "required": [ + "annotations", + "labels", + "port", + "type" + ], + "title": "grpc", + "type": "object" + }, "wireguard": { "additionalProperties": false, "properties": { @@ -378,13 +433,6 @@ "title": "statsPeriod", "type": "integer" }, - "token": { - "default": "", - "description": "Token from Defguard app to secure gRPC connection, available on network page.\nIt is not recommended to use this. Create a secret yourself and use existingTokenSecret instead", - "required": [], - "title": "token", - "type": "string" - }, "tolerations": { "description": "defguard-gateway pod tolerations", "items": { @@ -396,7 +444,7 @@ }, "userspace": { "default": "false", - "description": "yaml-language-server: $schema=values.schema.json\nUse userspace wireguard implementation, useful on systems without native wireguard support. Set to true/false", + "description": "yaml-language-server: $schema=values.schema.json\nUse userspace WireGuard implementation, useful on systems without native wireguard support. Set to true/false", "required": [], "title": "userspace", "type": "string" 
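Review bot: The `annotations` schema under `service.grpc` sets `additionalProperties: false`, lists only `traefik.ingress.kubernetes.io/service.serversscheme` and marks it `required`, so a user cannot add any other annotation (for a different ingress controller or load balancer) and cannot drop the Traefik one; `labels` likewise permits no keys at all. The values default is one example entry, not a fixed shape, so the schema should describe an open map: `"annotations": {"type": "object", "additionalProperties": true, "title": "annotations"}` with no `required` list, and the same for `labels`. The umbrella chart's values.schema.json repeats the identical block for the gateway subchart later in this diff.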
@@ -404,10 +452,6 @@
 },
 "required": [
 "userspace",
- "grpcUrl",
- "token",
- "existingTokenSecret",
- "existingTokenSecretKey",
 "statsPeriod",
 "logLevel",
 "fullnameOverride",
@@ -419,6 +463,7 @@
 "tolerations",
 "podAnnotations",
 "podLabels",
+ "persistence",
 "replicaCount",
 "resources",
 "podSecurityContext",
@@ -429,4 +474,4 @@
 "serviceAccount"
 ],
 "type": "object"
-}
\ No newline at end of file
+}
diff --git a/charts/defguard-gateway/values.yaml b/charts/defguard-gateway/values.yaml
index bc589df..d0713c2 100644
--- a/charts/defguard-gateway/values.yaml
+++ b/charts/defguard-gateway/values.yaml
@@ -1,16 +1,7 @@
 ---
 # yaml-language-server: $schema=values.schema.json
-# Use userspace wireguard implementation, useful on systems without native wireguard support. Set to true/false
+# Use userspace WireGuard implementation, useful on systems without native WireGuard support. Set to true/false
 userspace: "false"
-# Defguard GRPC URL, e.g.: defguard-grpc.mycompany.com
-grpcUrl: ""
-# Token from Defguard app to secure gRPC connection, available on network page.
-# It is not recommended to use this. Create a secret yourself and use existingTokenSecret instead
-token: ""
-# Secret to get the token from
-existingTokenSecret: ""
-# Key to extract the token from in existingTokenSecret
-existingTokenSecretKey: ""
 # Defines how often (in seconds) should interface statistics be sent to Defguard server
 statsPeriod: 30
 # rust log level, default is debug
@@ -40,6 +31,10 @@ podLabels: {}
 replicaCount: 1
 # defguard-gateway pod resources
 resources: {}
+# defguard-gateway persistent storage for certificates
+persistence:
+  size: 32Mi
+  storageClassName: ""
 # defguard-gateway pod security context
 podSecurityContext: {}
 # defguard-gateway container security context
@@ -69,6 +64,12 @@ healthCheck: failureThreshold: 3 # defguard-gateway service configuration service: + grpc: + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: h2c + labels: {} + port: 50066 + type: ClusterIP wireguard: annotations: {} labels: {} diff --git a/charts/defguard-proxy/Chart.yaml b/charts/defguard-proxy/Chart.yaml index c4017d2..57fecf6 100644 --- a/charts/defguard-proxy/Chart.yaml +++ b/charts/defguard-proxy/Chart.yaml @@ -1,7 +1,8 @@ apiVersion: v2 name: defguard-proxy -description: Defguard proxy is a public-facing proxy for core Defguard service +description: Defguard Proxy is a public-facing proxy for Defguard Core. +icon: https://defguard.net/favicon/favicon-512x512.png type: application -version: 0.8.3 -appVersion: 1.6.3 +version: 2.0.0 +appVersion: 2.0.0 diff --git a/charts/defguard-proxy/templates/grpc-headless-service.yaml b/charts/defguard-proxy/templates/grpc-headless-service.yaml new file mode 100644 index 0000000..15b5830 --- /dev/null +++ b/charts/defguard-proxy/templates/grpc-headless-service.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Service +metadata: + annotations: + {{- with .Values.service.grpc.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ include "defguard-proxy.fullname" . }}-grpc-headless + labels: + {{- include "defguard-proxy.labels" . | nindent 4 }} + {{- with .Values.service.grpc.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + clusterIP: None + ports: + - port: {{ .Values.service.grpc.port }} + targetPort: grpc + protocol: TCP + name: grpc + selector: + {{- include "defguard-proxy.selectorLabels" . | nindent 4 }} diff --git a/charts/defguard-proxy/templates/deployment.yaml b/charts/defguard-proxy/templates/statefulset.yaml similarity index 81% rename from charts/defguard-proxy/templates/deployment.yaml rename to charts/defguard-proxy/templates/statefulset.yaml index ef986af..0ebc239 100644 --- a/charts/defguard-proxy/templates/deployment.yaml 
+++ b/charts/defguard-proxy/templates/statefulset.yaml @@ -1,16 +1,16 @@ apiVersion: apps/v1 -kind: Deployment +kind: StatefulSet metadata: name: {{ include "defguard-proxy.fullname" . }} labels: {{- include "defguard-proxy.labels" . | nindent 4 }} spec: - {{- if not .Values.autoscaling.enabled }} + podManagementPolicy: Parallel replicas: {{ .Values.replicaCount }} - {{- end }} selector: matchLabels: {{- include "defguard-proxy.selectorLabels" . | nindent 6 }} + serviceName: {{ include "defguard-proxy.fullname" . }}-grpc-headless template: metadata: {{- with .Values.podAnnotations }} @@ -36,8 +36,6 @@ spec: - configMapRef: name: {{ .Values.additionalEnvFromConfigMap }} {{- end }} - securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} ports: @@ -57,6 +55,11 @@ spec: port: http resources: {{- toYaml .Values.resources | nindent 12 }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + volumeMounts: + - name: data + mountPath: /etc/defguard {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} @@ -69,3 +72,15 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} + volumeClaimTemplates: + - metadata: + name: data + spec: + accessModes: + - ReadWriteOnce + {{- with .Values.persistence.storageClassName }} + storageClassName: {{ . }} + {{- end }} + resources: + requests: + storage: {{ .Values.persistence.size }} diff --git a/charts/defguard-proxy/values.schema.json b/charts/defguard-proxy/values.schema.json index ffa11d6..ada36c3 100644 --- a/charts/defguard-proxy/values.schema.json +++ b/charts/defguard-proxy/values.schema.json 
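Review bot: The `{{- if not .Values.autoscaling.enabled }}` guard around `replicas:` is dropped and `autoscaling` is removed from values.yaml and the schema, but the diff shows no deletion of an HPA template; if a `templates/hpa.yaml` or any other template still reads `.Values.autoscaling`, rendering now fails with a nil-map error. Worth confirming with `helm template` on the proxy chart before release. A one-line upgrade note that chart-managed autoscaling was removed would also help users who had `autoscaling.enabled: true`.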
@@ -16,37 +16,6 @@ "title": "affinity", "type": "object" }, - "autoscaling": { - "additionalProperties": false, - "description": "defguard-proxy pod autoscaling configuration", - "properties": { - "enabled": { - "default": false, - "required": [], - "title": "enabled", - "type": "boolean" - }, - "maxReplicas": { - "default": 10, - "required": [], - "title": "maxReplicas", - "type": "integer" - }, - "minReplicas": { - "default": 1, - "required": [], - "title": "minReplicas", - "type": "integer" - } - }, - "required": [ - "enabled", - "minReplicas", - "maxReplicas" - ], - "title": "autoscaling", - "type": "object" - }, "enabled": { "default": false, "description": "yaml-language-server: $schema=values.schema.json\ndefguard-proxy is turned off by default. enable to allow use of the enrollment interface", @@ -62,6 +31,7 @@ "type": "string" }, "global": { + "additionalProperties": true, "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", "required": [], "title": "global", @@ -235,6 +205,28 @@ "title": "nodeSelector", "type": "object" }, + "persistence": { + "additionalProperties": false, + "description": "defguard-proxy persistent storage for configuration files", + "properties": { + "size": { + "default": "32Mi", + "title": "size", + "type": "string" + }, + "storageClassName": { + "default": "", + "title": "storageClassName", + "type": "string" + } + }, + "required": [ + "size", + "storageClassName" + ], + "title": "persistence", + "type": "object" + }, "podAnnotations": { "additionalProperties": false, "description": "defguard-proxy pod annotations", @@ -419,7 +411,6 @@ "publicUrl", "fullnameOverride", "nameOverride", - "autoscaling", "image", "imagePullSecrets", "ingress", @@ -429,6 +420,7 @@ "podAnnotations", "podLabels", "podSecurityContext", + "persistence", "securityContext", "replicaCount", "resources", 
@@ -437,4 +429,4 @@
 "additionalEnvFromConfigMap"
 ],
 "type": "object"
-}
\ No newline at end of file
+}
diff --git a/charts/defguard-proxy/values.yaml b/charts/defguard-proxy/values.yaml
index 6803dd5..99bd815 100644
--- a/charts/defguard-proxy/values.yaml
+++ b/charts/defguard-proxy/values.yaml
@@ -8,11 +8,6 @@ publicUrl: "http://enrollment.local"
 fullnameOverride: ""
 # defguard-proxy name override
 nameOverride: ""
-# defguard-proxy pod autoscaling configuration
-autoscaling:
-  enabled: false
-  minReplicas: 1
-  maxReplicas: 10
 # defguard-proxy container image configuration
 image:
   pullPolicy: IfNotPresent
@@ -54,6 +49,10 @@ securityContext: {}
 replicaCount: 1
 # defguard-proxy pod resource configuration
 resources: {}
+# defguard-proxy persistent storage configuration
+persistence:
+  size: 32Mi
+  storageClassName: ""
 # defguard-proxy service configuration
 service:
   grpc:
diff --git a/charts/defguard/Chart.lock b/charts/defguard/Chart.lock
index ebcb749..14662fc 100644
--- a/charts/defguard/Chart.lock
+++ b/charts/defguard/Chart.lock
@@ -1,12 +1,12 @@
 dependencies:
 - name: postgresql
   repository: https://charts.bitnami.com/bitnami
-  version: 18.2.3
+  version: 18.5.14
 - name: defguard-proxy
   repository: https://defguard.github.io/deployment
-  version: 0.8.3
+  version: 2.0.0
 - name: defguard-gateway
   repository: https://defguard.github.io/deployment
-  version: 0.5.3
-digest: sha256:fe8b0c518d19ac33203769f2ad1b7a9dc9b0099f1596d86b0a2026a3f0131b46
-generated: "2026-02-18T08:19:16.209894248+01:00"
+  version: 2.0.0
+digest: sha256:f95486e78ca15726552e0be0d3d25dbc6ad7927eadf2a2c86833328aa838f1cb
+generated: "2026-04-01T09:36:13.740222+02:00"
diff --git a/charts/defguard/Chart.yaml b/charts/defguard/Chart.yaml
index 2c21afd..504f53d 100644
--- a/charts/defguard/Chart.yaml
+++ b/charts/defguard/Chart.yaml
@@ -1,23 +1,24 @@ apiVersion: v2 name: defguard -description: Defguard is an open-source enterprise WireGuard VPN with MFA and SSO +description: Defguard is an open-source enterprise WireGuard VPN with MFA and SSO. +icon: https://defguard.net/favicon/favicon-512x512.png type: application -version: 0.14.7 -appVersion: 1.6.5 +version: 2.0.0 +appVersion: 2.0.0 dependencies: - name: postgresql condition: postgresql.enabled - version: 18.2.3 + version: 18.5.14 repository: https://charts.bitnami.com/bitnami - name: defguard-proxy condition: defguard-proxy.enabled - version: 0.8.3 + version: 2.0.0 repository: https://defguard.github.io/deployment # repository: "file://../defguard-proxy" - name: defguard-gateway condition: defguard-gateway.enabled - version: 0.5.3 + version: 2.0.0 repository: https://defguard.github.io/deployment # repository: "file://../defguard-gateway" diff --git a/charts/defguard/charts/defguard-gateway-0.5.3.tgz b/charts/defguard/charts/defguard-gateway-0.5.3.tgz deleted file mode 100644 index 66340fc..0000000 Binary files a/charts/defguard/charts/defguard-gateway-0.5.3.tgz and /dev/null differ diff --git a/charts/defguard/charts/defguard-gateway-2.0.0.tgz b/charts/defguard/charts/defguard-gateway-2.0.0.tgz new file mode 100644 index 0000000..6531c9f Binary files /dev/null and b/charts/defguard/charts/defguard-gateway-2.0.0.tgz differ diff --git a/charts/defguard/charts/defguard-proxy-0.8.3.tgz b/charts/defguard/charts/defguard-proxy-0.8.3.tgz deleted file mode 100644 index d10bbff..0000000 Binary files a/charts/defguard/charts/defguard-proxy-0.8.3.tgz and /dev/null differ diff --git a/charts/defguard/charts/defguard-proxy-2.0.0.tgz b/charts/defguard/charts/defguard-proxy-2.0.0.tgz new file mode 100644 index 0000000..ece2968 Binary files /dev/null and b/charts/defguard/charts/defguard-proxy-2.0.0.tgz differ 
diff --git a/charts/defguard/charts/postgresql-18.2.3.tgz b/charts/defguard/charts/postgresql-18.2.3.tgz deleted file mode 100644 index cd9cfa1..0000000 Binary files a/charts/defguard/charts/postgresql-18.2.3.tgz and /dev/null differ diff --git a/charts/defguard/charts/postgresql-18.5.14.tgz b/charts/defguard/charts/postgresql-18.5.14.tgz new file mode 100644 index 0000000..41fb11a Binary files /dev/null and b/charts/defguard/charts/postgresql-18.5.14.tgz differ diff --git a/charts/defguard/values.schema.json b/charts/defguard/values.schema.json index dbc7857..177f2d2 100644 --- a/charts/defguard/values.schema.json +++ b/charts/defguard/values.schema.json @@ -95,20 +95,6 @@ "title": "enabled", "type": "boolean" }, - "existingTokenSecret": { - "default": "", - "description": "Secret to get the token from", - "required": [], - "title": "existingTokenSecret", - "type": "string" - }, - "existingTokenSecretKey": { - "default": "", - "description": "Key to extract the token from in existingTokenSecret", - "required": [], - "title": "existingTokenSecretKey", - "type": "string" - }, "fullnameOverride": { "default": "", "description": "defguard-gateway full name override", 
@@ -116,12 +102,112 @@ "title": "fullnameOverride", "type": "string" }, - "grpcUrl": { - "default": "", - "description": "Defguard GRPC URL, e.g.: defguard-grpc.mycompany.com", + "global": { + "additionalProperties": true, + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", "required": [], - "title": "grpcUrl", - "type": "string" + "title": "global", + "type": "object" + }, + "healthCheck": { + "additionalProperties": false, + "description": "defguard-gateway health check configuration", + "properties": { + "enabled": { + "default": false, + "required": [], + "title": "enabled", + "type": "boolean" + }, + "livenessProbe": { + "additionalProperties": false, + "properties": { + "failureThreshold": { + "default": 3, + "required": [], + "title": "failureThreshold", + "type": "integer" + }, + "initialDelaySeconds": { + "default": 30, + "required": [], + "title": "initialDelaySeconds", + "type": "integer" + }, + "periodSeconds": { + "default": 10, + "required": [], + "title": "periodSeconds", + "type": "integer" + }, + "timeoutSeconds": { + "default": 5, + "required": [], + "title": "timeoutSeconds", + "type": "integer" + } + }, + "required": [ + "initialDelaySeconds", + "periodSeconds", + "timeoutSeconds", + "failureThreshold" + ], + "title": "livenessProbe", + "type": "object" + }, + "port": { + "default": 35053, + "required": [], + "title": "port", + "type": "integer" + }, + "readinessProbe": { + "additionalProperties": false, + "properties": { + "failureThreshold": { + "default": 3, + "required": [], + "title": "failureThreshold", + "type": "integer" + }, + "initialDelaySeconds": { + "default": 10, + "required": [], + "title": "initialDelaySeconds", + "type": "integer" + }, + "periodSeconds": { + "default": 10, + "required": [], + "title": "periodSeconds", + "type": "integer" + }, + "timeoutSeconds": { + "default": 5, + "required": [], + "title": "timeoutSeconds", + "type": "integer" + } + }, + 
"required": [ + "initialDelaySeconds", + "periodSeconds", + "timeoutSeconds", + "failureThreshold" + ], + "title": "readinessProbe", + "type": "object" + } + }, + "required": [ + "enabled", + "port", + "livenessProbe", + "readinessProbe" + ], + "title": "healthCheck", + "type": "object" }, "image": { "additionalProperties": false, @@ -184,6 +270,28 @@ "title": "nodeSelector", "type": "object" }, + "persistence": { + "additionalProperties": false, + "description": "defguard-gateway persistent storage for certificates", + "properties": { + "size": { + "default": "32Mi", + "title": "size", + "type": "string" + }, + "storageClassName": { + "default": "", + "title": "storageClassName", + "type": "string" + } + }, + "required": [ + "size", + "storageClassName" + ], + "title": "persistence", + "type": "object" + }, "podAnnotations": { "additionalProperties": false, "description": "defguard-gateway pod annotations", @@ -221,8 +329,54 @@ }, "securityContext": { "additionalProperties": false, - "description": "defguard-gateway container security context", - "required": [], + "description": "defguard-gateway container security context\nelevated priveleges are required for managing network interfaces", + "properties": { + "allowPrivilegeEscalation": { + "default": true, + "required": [], + "title": "allowPrivilegeEscalation", + "type": "boolean" + }, + "capabilities": { + "additionalProperties": false, + "properties": { + "add": { + "items": { + "anyOf": [ + { + "required": [], + "type": "string" + }, + { + "required": [], + "type": "string" + } + ], + "required": [] + }, + "required": [], + "title": "add", + "type": "array" + } + }, + "required": [ + "add" + ], + "title": "capabilities", + "type": "object" + }, + "privileged": { + "default": true, + "required": [], + "title": "privileged", + "type": "boolean" + } + }, + "required": [ + "allowPrivilegeEscalation", + "privileged", + "capabilities" + ], "title": "securityContext", "type": "object" }, 
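Review bot: The new `securityContext` schema fixes `additionalProperties: false` with only `allowPrivilegeEscalation`, `privileged` and `capabilities`, so a user who wants to harden the gateway container — `runAsNonRoot`, `readOnlyRootFilesystem`, `seccompProfile`, or `capabilities.drop` — is rejected by schema validation at install time. Since the block is passed straight through `toYaml` into the container spec, declare it as an open object (`"additionalProperties": true`, no `required` list) and leave field validation to the API server. Two smaller issues in the same hunk: `capabilities.add.items.anyOf` holds two identical `{"type": "string"}` branches, and the description misspells "privileges" as "priveleges".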
@@ -230,6 +384,53 @@ "additionalProperties": false, "description": "defguard-gateway service configuration", "properties": { + "grpc": { + "additionalProperties": false, + "properties": { + "annotations": { + "additionalProperties": false, + "properties": { + "traefik.ingress.kubernetes.io/service.serversscheme": { + "default": "h2c", + "required": [], + "title": "traefik.ingress.kubernetes.io/service.serversscheme", + "type": "string" + } + }, + "required": [ + "traefik.ingress.kubernetes.io/service.serversscheme" + ], + "title": "annotations", + "type": "object" + }, + "labels": { + "additionalProperties": false, + "required": [], + "title": "labels", + "type": "object" + }, + "port": { + "default": 50066, + "required": [], + "title": "port", + "type": "integer" + }, + "type": { + "default": "ClusterIP", + "required": [], + "title": "type", + "type": "string" + } + }, + "required": [ + "annotations", + "labels", + "port", + "type" + ], + "title": "grpc", + "type": "object" + }, "wireguard": { "additionalProperties": false, "properties": { @@ -305,13 +506,6 @@ "title": "statsPeriod", "type": "integer" }, - "token": { - "default": "", - "description": "Token from Defguard app to secure gRPC connection, available on network page.\nIt is not recommended to use this. Create a secret yourself and use existingTokenSecret instead", - "required": [], - "title": "token", - "type": "string" - }, "tolerations": { "description": "defguard-gateway pod tolerations", "items": { @@ -323,7 +517,7 @@ }, "userspace": { "default": "false", - "description": "Use userspace wireguard implementation, useful on systems without native wireguard support. Set to true/false", + "description": "Use userspace WireGuard implementation, useful on systems without native wireguard support. Set to true/false", "required": [], "title": "userspace", "type": "string" 
@@ -332,10 +526,6 @@ "required": [ "enabled", "userspace", - "grpcUrl", - "token", - "existingTokenSecret", - "existingTokenSecretKey", "statsPeriod", "logLevel", "fullnameOverride", @@ -376,37 +566,6 @@ "title": "affinity", "type": "object" }, - "autoscaling": { - "additionalProperties": false, - "description": "defguard-proxy pod autoscaling configuration", - "properties": { - "enabled": { - "default": false, - "required": [], - "title": "enabled", - "type": "boolean" - }, - "maxReplicas": { - "default": 10, - "required": [], - "title": "maxReplicas", - "type": "integer" - }, - "minReplicas": { - "default": 1, - "required": [], - "title": "minReplicas", - "type": "integer" - } - }, - "required": [ - "enabled", - "minReplicas", - "maxReplicas" - ], - "title": "autoscaling", - "type": "object" - }, "enabled": { "default": false, "description": "defguard-proxy is turned off by default. enable to allow use of the enrollment interface", @@ -421,6 +580,13 @@ "title": "fullnameOverride", "type": "string" }, + "global": { + "additionalProperties": true, + "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.", + "required": [], + "title": "global", + "type": "object" + }, "image": { "additionalProperties": false, "description": "defguard-proxy container image configuration", @@ -589,6 +755,28 @@ "title": "nodeSelector", "type": "object" }, + "persistence": { + "additionalProperties": false, + "description": "defguard-proxy persistent storage for configuration files", + "properties": { + "size": { + "default": "32Mi", + "title": "size", + "type": "string" + }, + "storageClassName": { + "default": "", + "title": "storageClassName", + "type": "string" + } + }, + "required": [ + "size", + "storageClassName" + ], + "title": "persistence", + "type": "object" + }, "podAnnotations": { "additionalProperties": false, "description": "defguard-proxy pod annotations", 
@@ -773,7 +961,6 @@ "publicUrl", "fullnameOverride", "nameOverride", - "autoscaling", "image", "imagePullSecrets", "ingress", @@ -1296,4 +1483,4 @@ "defguard-gateway" ], "type": "object" -} \ No newline at end of file +} diff --git a/charts/defguard/values.yaml b/charts/defguard/values.yaml index d511f71..158c7e9 100644 --- a/charts/defguard/values.yaml +++ b/charts/defguard/values.yaml @@ -110,11 +110,6 @@ defguard-proxy: fullnameOverride: "" # defguard-proxy name override nameOverride: "" - # defguard-proxy pod autoscaling configuration - autoscaling: - enabled: false - minReplicas: 1 - maxReplicas: 10 # defguard-proxy container image configuration image: pullPolicy: IfNotPresent @@ -181,17 +176,8 @@ defguard-proxy: # defguard-gateway: enabled: false - # Use userspace wireguard implementation, useful on systems without native wireguard support. Set to true/false + # Use userspace WireGuard implementation, useful on systems without native WireGuard support. Set to true/false userspace: "false" - # Defguard GRPC URL, e.g.: defguard-grpc.mycompany.com - grpcUrl: "" - # Token from Defguard app to secure gRPC connection, available on network page. - # It is not recommended to use this. Create a secret yourself and use existingTokenSecret instead - token: "" - # Secret to get the token from - existingTokenSecret: "" - # Key to extract the token from in existingTokenSecret - existingTokenSecretKey: "" # Defines how often (in seconds) should interface statistics be sent to Defguard server statsPeriod: 30 # rust log level, default is debug 
@@ -224,11 +210,37 @@ defguard-gateway: # defguard-gateway pod security context podSecurityContext: {} # defguard-gateway container security context - securityContext: {} + securityContext: + allowPrivilegeEscalation: true + privileged: true + capabilities: + add: + - NET_ADMIN + - SYS_MODULE # defguard-gateway pod additional ENV from configmap additionalEnvFromConfigMap: "" + # defguard-gateway health check configuration + healthCheck: + enabled: false + port: 35053 + livenessProbe: + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 3 + readinessProbe: + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 3 # defguard-gateway service configuration service: + grpc: + annotations: + traefik.ingress.kubernetes.io/service.serversscheme: h2c + labels: {} + port: 50066 + type: ClusterIP wireguard: annotations: {} labels: {} diff --git a/gateway/.env.template b/gateway/.env.template index 69a402e..6212614 100644 --- a/gateway/.env.template +++ b/gateway/.env.template @@ -1,4 +1,4 @@ -# Use userspace wireguard implementation, useful on systems without native wireguard support +# Use userspace WireGuard implementation, useful on systems without native WireGuard support # Set to 0/1 DEFGUARD_USERSPACE=0 # Defguard GRPC URL, e.g.: defguard-grpc.mycompany.com
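Review bot: `privileged: true` already grants the container every capability and host device access, so the `capabilities.add` list of `NET_ADMIN` and `SYS_MODULE` beneath it is redundant as written, and the comment `# defguard-gateway container security context` does not say why privileged mode is needed rather than just those two capabilities. If the gateway runs with `NET_ADMIN` alone (plus `SYS_MODULE` where the WireGuard kernel module must be loaded), default `privileged: false` and `allowPrivilegeEscalation: false` and keep the capabilities; if it genuinely needs privileged, say so in the comment, e.g. `# privileged is required because <REASON-PLACEHOLDER>; NET_ADMIN/SYS_MODULE alone are not sufficient`. The gateway subchart's own values.yaml hunk in this diff ends just before its `securityContext:` entry, so I cannot tell whether the standalone default matches this one; they should agree.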