diff --git a/library/ix-dev/community/zerotier/Chart.lock b/library/ix-dev/community/zerotier/Chart.lock new file mode 100644 index 0000000000..10260f8a0c --- /dev/null +++ b/library/ix-dev/community/zerotier/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: common + repository: file://../../../common + version: 1.0.6 +digest: sha256:2f1f31c15fb7f92db141a66adbb8d23a8598727730050a3883a211763a4e5472 +generated: "2023-04-27T15:56:00.724376021Z" diff --git a/library/ix-dev/community/zerotier/Chart.yaml b/library/ix-dev/community/zerotier/Chart.yaml new file mode 100644 index 0000000000..4bef6a5fb2 --- /dev/null +++ b/library/ix-dev/community/zerotier/Chart.yaml @@ -0,0 +1,26 @@ +name: zerotier +description: Securely connect any device, anywhere. +annotations: + title: Zerotier +type: application +version: 1.0.0 +apiVersion: v2 +appVersion: '1.10.6' +kubeVersion: '>=1.16.0-0' +maintainers: + - name: truenas + url: https://www.truenas.com/ + email: dev@ixsystems.com +dependencies: + - name: common + repository: file://../../../common + version: 1.0.6 +home: https://www.zerotier.com +icon: https://avatars.githubusercontent.com/u/4173285 +sources: + - https://www.zerotier.com + - https://github.com/truenas/charts/tree/master/community/zerotier + - https://hub.docker.com/r/zerotier/zerotier +keywords: + - vpn + - zerotier diff --git a/library/ix-dev/community/zerotier/README.md b/library/ix-dev/community/zerotier/README.md new file mode 100644 index 0000000000..3c256798af --- /dev/null +++ b/library/ix-dev/community/zerotier/README.md @@ -0,0 +1,3 @@ +# Zerotier + +[Zerotier](https://www.zerotier.com) Securely connect any device, anywhere. diff --git a/library/ix-dev/community/zerotier/app-readme.md b/library/ix-dev/community/zerotier/app-readme.md new file mode 100644 index 0000000000..3c256798af --- /dev/null +++ b/library/ix-dev/community/zerotier/app-readme.md @@ -0,0 +1,3 @@ +# Zerotier + +[Zerotier](https://www.zerotier.com) Securely connect any device, anywhere. diff --git a/library/ix-dev/community/zerotier/charts/common-1.0.6.tgz b/library/ix-dev/community/zerotier/charts/common-1.0.6.tgz new file mode 100644 index 0000000000..04f43a20d5 Binary files /dev/null and b/library/ix-dev/community/zerotier/charts/common-1.0.6.tgz differ diff --git a/library/ix-dev/community/zerotier/ci/basic-values.yaml b/library/ix-dev/community/zerotier/ci/basic-values.yaml new file mode 100644 index 0000000000..51a06e830b --- /dev/null +++ b/library/ix-dev/community/zerotier/ci/basic-values.yaml @@ -0,0 +1,9 @@ +# FIXME: Find a way to have test keys for CI testing +# We need an authToken(aka API key) network(s) and identityPublic/identitySecret +zerotierConfig: + authToken: some auth token + identitySecret: some identity secret + identityPublic: some identity public + networks: + - some net id + - some other net id diff --git a/library/ix-dev/community/zerotier/item.yaml b/library/ix-dev/community/zerotier/item.yaml new file mode 100644 index 0000000000..118492e7fa --- /dev/null +++ b/library/ix-dev/community/zerotier/item.yaml @@ -0,0 +1,4 @@ +icon_url: https://avatars.githubusercontent.com/u/4173285 +categories: + - vpn + - zerotier diff --git a/library/ix-dev/community/zerotier/metadata.yaml b/library/ix-dev/community/zerotier/metadata.yaml new file mode 100644 index 0000000000..02c9b594df --- /dev/null +++ b/library/ix-dev/community/zerotier/metadata.yaml @@ -0,0 +1,32 @@ +runAsContext: + - userName: root + groupName: root + gid: 0 + uid: 0 + description: Zerotier requires root privileges to start the Zerotier process +capabilities: + - name: NET_ADMIN + description: Zerotier requires NET_ADMIN to configure the VPN interface, modify routes, etc. + - name: NET_RAW + description: Zerotier requires NET_RAW to use raw sockets and proxying + - name: AUDIT_WRITE + description: Zerotier is able to write to audit log. + - name: CHOWN + description: Zerotier is able to chown files. + - name: DAC_OVERRIDE + description: Zerotier is able to bypass permission checks. + - name: FOWNER + description: Zerotier is able bypass permission checks for it's sub-processes. + - name: NET_BIND_SERVICE + description: Zerotier is able to bind to privileged ports. + - name: SETGID + description: Zerotier is able to set group ID for it's sub-processes. + - name: SETUID + description: Zerotier is able to set user ID for it's sub-processes. + - name: SETPCAP + description: Zerotier is able to set process capabilities. + - name: SYS_ADMIN + description: Zerotier is able to perform various system administration operations. +hostMounts: + - hostPath: /dev/tun + description: Required to access the TUN device diff --git a/library/ix-dev/community/zerotier/questions.yaml b/library/ix-dev/community/zerotier/questions.yaml new file mode 100644 index 0000000000..ede49247fb --- /dev/null +++ b/library/ix-dev/community/zerotier/questions.yaml @@ -0,0 +1,120 @@ +groups: + - name: Zerotier Configuration + description: Configure Zerotier + - name: Network Configuration + description: Configure Network for Zerotier + - name: Resources Configuration + description: Configure Resources for Zerotier + +questions: + - variable: zerotierConfig + label: "" + group: Zerotier Configuration + schema: + type: dict + attrs: + - variable: networks + label: Networks + description: The network(s) to join + schema: + type: list + empty: false + required: true + min: 1 + default: [] + items: + - variable: networkEntry + label: Network + schema: + type: string + required: true + - variable: authToken + label: Auth Token (API Key) + description: | + (Optional) The auth token for Zerotier.
+ Same as authtoken.secret. + schema: + type: string + default: "" + private: true + - variable: identitySecret + label: Identity Secret + description: | + (Optional) The identity secret for Zerotier.
+ Same as identity.secret. + schema: + type: string + default: "" + private: true + - variable: identityPublic + label: Identity Public + description: | + (Optional) The identity public for Zerotier.
+ Same as identity.public. + schema: + type: string + default: "" + private: true + + - variable: additionalEnvs + label: Additional Environment Variables + description: Configure additional environment variables for Zerotier. + schema: + type: list + default: [] + items: + - variable: env + label: Environment Variable + schema: + type: dict + attrs: + - variable: name + label: Name + schema: + type: string + required: true + - variable: value + label: Value + schema: + type: string + required: true + + - variable: zerotierNetwork + label: "" + group: Network Configuration + schema: + type: dict + attrs: + - variable: hostNetwork + label: Host Network + description: | + Bind to the host network. It's recommended to keep this disabled.
+ schema: + type: boolean + default: false + + - variable: resources + group: Resources Configuration + label: "" + schema: + type: dict + attrs: + - variable: limits + label: Limits + schema: + type: dict + attrs: + - variable: cpu + label: CPU + description: CPU limit for Zerotier. + schema: + type: string + default: "4000m" + required: true + - variable: memory + label: Memory + description: Memory limit for Zerotier. + schema: + type: string + default: "8Gi" + required: true diff --git a/library/ix-dev/community/zerotier/templates/NOTES.txt b/library/ix-dev/community/zerotier/templates/NOTES.txt new file mode 100644 index 0000000000..ba4e01146c --- /dev/null +++ b/library/ix-dev/community/zerotier/templates/NOTES.txt @@ -0,0 +1 @@ +{{ include "ix.v1.common.lib.chart.notes" $ }} diff --git a/library/ix-dev/community/zerotier/templates/_zerotier.tpl b/library/ix-dev/community/zerotier/templates/_zerotier.tpl new file mode 100644 index 0000000000..64cb602875 --- /dev/null +++ b/library/ix-dev/community/zerotier/templates/_zerotier.tpl @@ -0,0 +1,89 @@ +{{- define "zerotier.workload" -}} +workload: + zerotier: + enabled: true + primary: true + type: Deployment + podSpec: + hostNetwork: {{ .Values.zerotierNetwork.hostNetwork }} + sysctls: + - name: net.ipv4.ip_forward + value: "1" + - name: net.ipv6.conf.all.forwarding + value: "1" + containers: + zerotier: + enabled: true + primary: true + imageSelector: image + args: + {{ if not .Values.zerotierConfig.networks }} + {{ fail "Zerotier - At least one network must be specified" }} + {{ end }} + {{ range .Values.zerotierConfig.networks }} + - {{ . }} + {{ end }} + securityContext: + runAsUser: 0 + runAsGroup: 0 + runAsNonRoot: false + readOnlyRootFilesystem: false + capabilities: + add: + {{/* Most of those capabilities are normally added by default in conainers + But by default, in common, we drop all of them. So here we add some of them + as they are needed, because zerotier starts as root but drops privs for some + of the processes running by the zerotier binary */}} + - AUDIT_WRITE + - CHOWN + - DAC_OVERRIDE + - FOWNER + - NET_ADMIN + - NET_BIND_SERVICE + - NET_RAW + - SETGID + - SETPCAP + - SETUID + - SYS_ADMIN + env: + {{ with .Values.zerotierConfig.authToken }} + ZEROTIER_API_SECRET: {{ . }} + {{ end }} + {{ with .Values.zerotierConfig.identityPublic }} + ZEROTIER_IDENTITY_PUBLIC: {{ . }} + {{ end }} + {{ with .Values.zerotierConfig.identitySecret }} + ZEROTIER_IDENTITY_SECRET: {{ . }} + {{ end }} + {{ with .Values.zerotierConfig.additionalEnvs }} + envList: + {{ range $env := . }} + - name: {{ $env.name }} + value: {{ $env.value }} + {{ end }} + {{ end }} + probes: + liveness: + enabled: true + type: exec + command: /healthcheck.sh + readiness: + enabled: true + type: exec + command: /healthcheck.sh + startup: + enabled: true + type: exec + command: /healthcheck.sh + +{{/* Persistence */}} +persistence: + tun-dev: + enabled: true + type: device + hostPath: /dev/net/tun + targetSelector: + zerotier: + zerotier: + mountPath: /dev/net/tun +{{- end -}} diff --git a/library/ix-dev/community/zerotier/templates/common.yaml b/library/ix-dev/community/zerotier/templates/common.yaml new file mode 100644 index 0000000000..c3a8461171 --- /dev/null +++ b/library/ix-dev/community/zerotier/templates/common.yaml @@ -0,0 +1,6 @@ +{{- include "ix.v1.common.loader.init" . -}} + +{{/* Merge the templates with Values */}} +{{- $_ := mustMergeOverwrite .Values (include "zerotier.workload" $ | fromYaml) -}} + +{{- include "ix.v1.common.loader.apply" . -}} diff --git a/library/ix-dev/community/zerotier/upgrade_info.json b/library/ix-dev/community/zerotier/upgrade_info.json new file mode 100644 index 0000000000..767388094a --- /dev/null +++ b/library/ix-dev/community/zerotier/upgrade_info.json @@ -0,0 +1 @@ +{"filename": "values.yaml", "keys": ["image"]} diff --git a/library/ix-dev/community/zerotier/upgrade_strategy b/library/ix-dev/community/zerotier/upgrade_strategy new file mode 100644 index 0000000000..e8e94b8314 --- /dev/null +++ b/library/ix-dev/community/zerotier/upgrade_strategy @@ -0,0 +1,30 @@ +#!/usr/bin/python3 +import json +import re +import sys + +from catalog_update.upgrade_strategy import semantic_versioning + +RE_STABLE_VERSION = re.compile(r'[0-9]+\.[0-9]+\.[0-9]+') + + +def newer_mapping(image_tags): + key = list(image_tags.keys())[0] + tags = {t: t for t in image_tags[key] if RE_STABLE_VERSION.fullmatch(t)} + version = semantic_versioning(list(tags)) + if not version: + return {} + + return { + 'tags': {key: tags[version]}, + 'app_version': version, + } + + +if __name__ == '__main__': + try: + versions_json = json.loads(sys.stdin.read()) + except ValueError: + raise ValueError('Invalid json specified') + + print(json.dumps(newer_mapping(versions_json))) diff --git a/library/ix-dev/community/zerotier/values.yaml b/library/ix-dev/community/zerotier/values.yaml new file mode 100644 index 0000000000..795f58cef9 --- /dev/null +++ b/library/ix-dev/community/zerotier/values.yaml @@ -0,0 +1,19 @@ +image: + repository: zerotier/zerotier + pullPolicy: IfNotPresent + tag: '1.10.6' + +resources: + limits: + cpu: 4000m + memory: 8Gi + +zerotierConfig: + authToken: '' + identityPublic: '' + identitySecret: '' + networks: [] + additionalEnvs: [] + +zerotierNetwork: + hostNetwork: false