Merge pull request #95 from zandemax/master

Disable IPv6 by default and auto generate admin password in helm Chart
freifunkMUC · Feb 2, 2022 · e5a636c · e5a636c
2 parents 5ab24e1 + f70b54b
commit e5a636c
Show file tree

Hide file tree

Showing 5 changed files with 42 additions and 4 deletions.
diff --git a/deploy/helm/wg-access-server/README.md b/deploy/helm/wg-access-server/README.md
@@ -11,6 +11,10 @@ The command deploys wg-access-server on the Kubernetes cluster in the default co
 By default an in-memory wireguard private key will be generated and devices will not persist
 between pod restarts.
 
+Because IPv6 on Kubernetes is disabled by default in most clusters and can't be enabled on a per-pod basis, the default `values.yaml` disables it for the VPN as well. If you have a cluster with working IPv6, set `config: {}` in your `values.yaml` or specify a custom VPN-internal prefix under `config.vpn.cidrv6`.
+
+If no admin password is set, the Chart generates a random one. You can retrieve it using `kubectl get secret ...` as prompted by helm after installing the Chart.
+
 ## Uninstalling the Chart
 
 To uninstall/delete the my-release deployment:

diff --git a/deploy/helm/wg-access-server/templates/NOTES.txt b/deploy/helm/wg-access-server/templates/NOTES.txt
@@ -0,0 +1,16 @@
+
+Thank you for installing {{ .Chart.Name }}.
+
+Your release is named {{ .Release.Name }}.
+
+{{- $fullName := include "wg-access-server.fullname" . }}
+{{ if .Values.ingress.enabled }}
+You can find the web interface at:
+    {{- range .Values.ingress.hosts }}
+    - {{ . }}
+    {{- end }}
+{{- end }}
+{{ if empty .Values.web.config.adminPassword }}
+You can display the auto-generated admin password by running:
+  $ kubectl get secret --namespace {{ .Release.Namespace }} {{ $fullName }} -o jsonpath="{.data.adminPassword}" | base64 --decode
+{{- end }}
diff --git a/deploy/helm/wg-access-server/templates/_helpers.tpl b/deploy/helm/wg-access-server/templates/_helpers.tpl
@@ -62,3 +62,19 @@ Create the name of the service account to use
     {{ default "default" .Values.serviceAccount.name }}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Create a randomly generated admin password if none is supplied
+*/}}
+{{- define "wg-access-server.adminPassword" -}}
+{{- if .Values.web.config.adminPassword -}}
+    {{ .Values.web.config.adminPassword }}
+{{- else -}}
+{{- $secret := (lookup "v1" "Secret" .Release.Namespace (include "wg-access-server.fullname" .)) -}}
+{{- if $secret -}}
+    {{-  $secret.data.adminPassword | b64dec -}}
+{{- else -}}
+    {{- randAlphaNum 20 -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/deploy/helm/wg-access-server/templates/secret.yaml b/deploy/helm/wg-access-server/templates/secret.yaml
@@ -12,7 +12,5 @@ data:
   {{- if .Values.web.config.adminUsername }}
   adminUsername: {{ .Values.web.config.adminUsername | b64enc | quote }}
   {{- end }}
-  {{- if .Values.web.config.adminPassword }}
-  adminPassword: {{ .Values.web.config.adminPassword | b64enc | quote }}
-  {{- end }}
+  adminPassword: {{ (include "wg-access-server.adminPassword" .) | b64enc | quote }}
 {{- end }}
diff --git a/deploy/helm/wg-access-server/values.yaml b/deploy/helm/wg-access-server/values.yaml
@@ -1,5 +1,9 @@
 # wg-access-server config
-config: {}
+config:
+  # IPv6 is disabled by default, since it leads to the pod failing if the
+  # k8s-cluster is not configured with IPv6 support
+  vpn:
+    cidrv6: 0
 
 web:
   config: