NAS-121719 / 23.10 / Add Zerotier to community train (#1164)

* add zerotier to community train

* lib

* add email

* add metadata
This commit is contained in:
Stavros Kois
2023-05-07 18:37:13 +03:00
committed by GitHub
parent 330fc1e11f
commit 45d2f09976
15 changed files with 349 additions and 0 deletions


@@ -0,0 +1,6 @@
dependencies:
- name: common
repository: file://../../../common
version: 1.0.6
digest: sha256:2f1f31c15fb7f92db141a66adbb8d23a8598727730050a3883a211763a4e5472
generated: "2023-04-27T15:56:00.724376021Z"


@@ -0,0 +1,26 @@
name: zerotier
description: Securely connect any device, anywhere.
annotations:
title: Zerotier
type: application
version: 1.0.0
apiVersion: v2
appVersion: '1.10.6'
kubeVersion: '>=1.16.0-0'
maintainers:
- name: truenas
url: https://www.truenas.com/
email: dev@ixsystems.com
dependencies:
- name: common
repository: file://../../../common
version: 1.0.6
home: https://www.zerotier.com
icon: https://avatars.githubusercontent.com/u/4173285
sources:
- https://www.zerotier.com
- https://github.com/truenas/charts/tree/master/community/zerotier
- https://hub.docker.com/r/zerotier/zerotier
keywords:
- vpn
- zerotier


@@ -0,0 +1,3 @@
# Zerotier
[Zerotier](https://www.zerotier.com) Securely connect any device, anywhere.


@@ -0,0 +1,3 @@
# Zerotier
[Zerotier](https://www.zerotier.com) Securely connect any device, anywhere.


@@ -0,0 +1,9 @@
# FIXME: Find a way to have test keys for CI testing
# We need an authToken(aka API key) network(s) and identityPublic/identitySecret
zerotierConfig:
authToken: some auth token
identitySecret: some identity secret
identityPublic: some identity public
networks:
- some net id
- some other net id
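Review bot: The FIXME asks for test keys, but any real `authToken`/`identitySecret` checked into this CI values file would be a live credential in a public repository; if CI needs working keys, inject them from the CI secret store at test time and keep only these obviously fake placeholders in the tree. Note that the template in this commit passes these strings straight through to `ZEROTIER_API_SECRET` and `ZEROTIER_IDENTITY_*`, so presumably the CI run only proves the chart renders, not that the daemon starts with them — a comment stating that, e.g. `# Placeholders: render-only; real keys must come from CI secrets, never this file`, would keep the next person from "fixing" it by committing keys.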


@@ -0,0 +1,4 @@
icon_url: https://avatars.githubusercontent.com/u/4173285
categories:
- vpn
- zerotier


@@ -0,0 +1,32 @@
runAsContext:
- userName: root
groupName: root
gid: 0
uid: 0
description: Zerotier requires root privileges to start the Zerotier process
capabilities:
- name: NET_ADMIN
description: Zerotier requires NET_ADMIN to configure the VPN interface, modify routes, etc.
- name: NET_RAW
description: Zerotier requires NET_RAW to use raw sockets and proxying
- name: AUDIT_WRITE
description: Zerotier is able to write to audit log.
- name: CHOWN
description: Zerotier is able to chown files.
- name: DAC_OVERRIDE
description: Zerotier is able to bypass permission checks.
- name: FOWNER
description: Zerotier is able bypass permission checks for it's sub-processes.
- name: NET_BIND_SERVICE
description: Zerotier is able to bind to privileged ports.
- name: SETGID
description: Zerotier is able to set group ID for it's sub-processes.
- name: SETUID
description: Zerotier is able to set user ID for it's sub-processes.
- name: SETPCAP
description: Zerotier is able to set process capabilities.
- name: SYS_ADMIN
description: Zerotier is able to perform various system administration operations.
hostMounts:
- hostPath: /dev/tun
description: Required to access the TUN device
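Review bot: The `hostMounts` entry lists `/dev/tun`, but the workload template in this same commit mounts `/dev/net/tun`, so the declared host access does not match the device the pod actually requests; change it to `- hostPath: /dev/net/tun`. The `SYS_ADMIN` description ("various system administration operations") does not say which ZeroTier operation needs a capability that is close to root-equivalent, and it is not in the default set a container runtime grants, so the template's "normally added by default" rationale does not cover it — either name the concrete need here or drop it from both files and re-test. Also `it's` should be `its` in the FOWNER, SETGID and SETUID descriptions.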


@@ -0,0 +1,120 @@
groups:
- name: Zerotier Configuration
description: Configure Zerotier
- name: Network Configuration
description: Configure Network for Zerotier
- name: Resources Configuration
description: Configure Resources for Zerotier
questions:
- variable: zerotierConfig
label: ""
group: Zerotier Configuration
schema:
type: dict
attrs:
- variable: networks
label: Networks
description: The network(s) to join
schema:
type: list
empty: false
required: true
min: 1
default: []
items:
- variable: networkEntry
label: Network
schema:
type: string
required: true
- variable: authToken
label: Auth Token (API Key)
description: |
(Optional) The auth token for Zerotier.</br>
Same as authtoken.secret.
schema:
type: string
default: ""
private: true
- variable: identitySecret
label: Identity Secret
description: |
(Optional) The identity secret for Zerotier.</br>
Same as identity.secret.
schema:
type: string
default: ""
private: true
- variable: identityPublic
label: Identity Public
description: |
(Optional) The identity public for Zerotier.</br>
Same as identity.public.
schema:
type: string
default: ""
private: true
- variable: additionalEnvs
label: Additional Environment Variables
description: Configure additional environment variables for Zerotier.
schema:
type: list
default: []
items:
- variable: env
label: Environment Variable
schema:
type: dict
attrs:
- variable: name
label: Name
schema:
type: string
required: true
- variable: value
label: Value
schema:
type: string
required: true
- variable: zerotierNetwork
label: ""
group: Network Configuration
schema:
type: dict
attrs:
- variable: hostNetwork
label: Host Network
description: |
Bind to the host network. It's recommended to keep this disabled.</br>
schema:
type: boolean
default: false
- variable: resources
group: Resources Configuration
label: ""
schema:
type: dict
attrs:
- variable: limits
label: Limits
schema:
type: dict
attrs:
- variable: cpu
label: CPU
description: CPU limit for Zerotier.
schema:
type: string
default: "4000m"
required: true
- variable: memory
label: Memory
description: Memory limit for Zerotier.
schema:
type: string
default: "8Gi"
required: true
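Review bot: Entries of `networks` are accepted as any non-empty string and the template emits each one directly as a container argument, so a typo or pasted junk is only caught when the daemon starts; if the questions schema supports a character or pattern constraint, restrict entries to the 16-hex-character ZeroTier network ID, and in any case state the format in the description, e.g. `description: The 16-character hexadecimal ID of each network to join`. `identityPublic` is flagged `private: true` although it is the public half of the identity; hiding it in the UI makes troubleshooting harder without protecting anything, so consider dropping that flag. The `</br>` in the three descriptions is not valid HTML; `<br/>` is the usual form.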


@@ -0,0 +1 @@
{{ include "ix.v1.common.lib.chart.notes" $ }}


@@ -0,0 +1,89 @@
{{- define "zerotier.workload" -}}
workload:
zerotier:
enabled: true
primary: true
type: Deployment
podSpec:
hostNetwork: {{ .Values.zerotierNetwork.hostNetwork }}
sysctls:
- name: net.ipv4.ip_forward
value: "1"
- name: net.ipv6.conf.all.forwarding
value: "1"
containers:
zerotier:
enabled: true
primary: true
imageSelector: image
args:
{{ if not .Values.zerotierConfig.networks }}
{{ fail "Zerotier - At least one network must be specified" }}
{{ end }}
{{ range .Values.zerotierConfig.networks }}
- {{ . }}
{{ end }}
securityContext:
runAsUser: 0
runAsGroup: 0
runAsNonRoot: false
readOnlyRootFilesystem: false
capabilities:
add:
{{/* Most of those capabilities are normally added by default in conainers
But by default, in common, we drop all of them. So here we add some of them
as they are needed, because zerotier starts as root but drops privs for some
of the processes running by the zerotier binary */}}
- AUDIT_WRITE
- CHOWN
- DAC_OVERRIDE
- FOWNER
- NET_ADMIN
- NET_BIND_SERVICE
- NET_RAW
- SETGID
- SETPCAP
- SETUID
- SYS_ADMIN
env:
{{ with .Values.zerotierConfig.authToken }}
ZEROTIER_API_SECRET: {{ . }}
{{ end }}
{{ with .Values.zerotierConfig.identityPublic }}
ZEROTIER_IDENTITY_PUBLIC: {{ . }}
{{ end }}
{{ with .Values.zerotierConfig.identitySecret }}
ZEROTIER_IDENTITY_SECRET: {{ . }}
{{ end }}
{{ with .Values.zerotierConfig.additionalEnvs }}
envList:
{{ range $env := . }}
- name: {{ $env.name }}
value: {{ $env.value }}
{{ end }}
{{ end }}
probes:
liveness:
enabled: true
type: exec
command: /healthcheck.sh
readiness:
enabled: true
type: exec
command: /healthcheck.sh
startup:
enabled: true
type: exec
command: /healthcheck.sh
{{/* Persistence */}}
persistence:
tun-dev:
enabled: true
type: device
hostPath: /dev/net/tun
targetSelector:
zerotier:
zerotier:
mountPath: /dev/net/tun
{{- end -}}
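Review bot: The values spliced in at `- {{ . }}` (network IDs) and at `ZEROTIER_API_SECRET: {{ . }}` / the two `ZEROTIER_IDENTITY_*` lines are emitted as unquoted plain scalars, so a network ID that is all digits or of the form `1e…` is re-typed as a number (Kubernetes then rejects the non-string arg/env value) and a token containing `: `, ` #` or a leading `*`/`&` breaks or alters the rendered YAML; use `- {{ . | quote }}` and `ZEROTIER_API_SECRET: {{ . | quote }}` (same for the identity lines). Separately, the pod sets `net.ipv4.ip_forward` and `net.ipv6.conf.all.forwarding` unconditionally while `hostNetwork` is user-selectable; as far as I recall the kubelet refuses `net.*` sysctls on a host-network pod and these are unsafe sysctls that must be allow-listed on the node, so this deserves a test with `hostNetwork: true` before release. If `env` renders straight into the container spec, the auth token and identity secret also end up readable in the Deployment object rather than in a Secret — worth confirming how the common library treats them.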


@@ -0,0 +1,6 @@
{{- include "ix.v1.common.loader.init" . -}}
{{/* Merge the templates with Values */}}
{{- $_ := mustMergeOverwrite .Values (include "zerotier.workload" $ | fromYaml) -}}
{{- include "ix.v1.common.loader.apply" . -}}


@@ -0,0 +1 @@
{"filename": "values.yaml", "keys": ["image"]}


@@ -0,0 +1,30 @@
#!/usr/bin/python3
import json
import re
import sys
from catalog_update.upgrade_strategy import semantic_versioning
RE_STABLE_VERSION = re.compile(r'[0-9]+\.[0-9]+\.[0-9]+')
def newer_mapping(image_tags):
key = list(image_tags.keys())[0]
tags = {t: t for t in image_tags[key] if RE_STABLE_VERSION.fullmatch(t)}
version = semantic_versioning(list(tags))
if not version:
return {}
return {
'tags': {key: tags[version]},
'app_version': version,
}
if __name__ == '__main__':
try:
versions_json = json.loads(sys.stdin.read())
except ValueError:
raise ValueError('Invalid json specified')
print(json.dumps(newer_mapping(versions_json)))
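Review bot: `key = list(image_tags.keys())[0]` raises `IndexError` when the JSON object on stdin is empty, whereas every other no-result path in `newer_mapping` returns `{}`; guard it with `if not image_tags: return {}` before that line. The `tags` dict maps each matching tag to itself, so `tags[version]` is just `version`; a plain list comprehension passed to `semantic_versioning` says the same thing more clearly. A one-line docstring on `newer_mapping` stating the input shape, e.g. `"""Map {repo: [tags]} to the newest stable x.y.z tag and app_version, or {} if none."""`, would help the next chart author copying this script.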


@@ -0,0 +1,19 @@
image:
repository: zerotier/zerotier
pullPolicy: IfNotPresent
tag: '1.10.6'
resources:
limits:
cpu: 4000m
memory: 8Gi
zerotierConfig:
authToken: ''
identityPublic: ''
identitySecret: ''
networks: []
additionalEnvs: []
zerotierNetwork:
hostNetwork: false