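{{- define "zerotier.workload" -}}
{{/* Workload definition for the zerotier Deployment (consumed by the common library).
     Templated scalars that end up as container args or env values are passed through
     `quote` so YAML implicit typing cannot retype them (e.g. an all-digit network ID
     or a `true`/`false`-looking env value, which Kubernetes rejects as a non-string). */}}
workload:
  zerotier:
    enabled: true
    primary: true
    type: Deployment
    podSpec:
      {{/* NOTE(review): rendered verbatim from values; expected to be a boolean — confirm the
           values schema defaults it, otherwise an unset value renders as an empty/nil scalar. */}}
      hostNetwork: {{ .Values.zerotierNetwork.hostNetwork }}
      {{/* Forwarding is enabled on both address families; values are strings as the
           sysctl API requires. */}}
      sysctls:
        - name: net.ipv4.ip_forward
          value: "1"
        - name: net.ipv6.conf.all.forwarding
          value: "1"
      containers:
        zerotier:
          enabled: true
          primary: true
          imageSelector: image
          {{/* Each configured network ID becomes one positional argument.
               At least one network is mandatory; rendering fails otherwise. */}}
          args:
            {{ if not .Values.zerotierConfig.networks }}
              {{ fail "Zerotier - At least one network must be specified" }}
            {{ end }}
            {{ range .Values.zerotierConfig.networks }}
              - {{ . | quote }}
            {{ end }}
          securityContext:
            runAsUser: 0
            runAsGroup: 0
            runAsNonRoot: false
            readOnlyRootFilesystem: false
            capabilities:
              add:
                {{/* Most of these capabilities are normally added by default in containers,
                     but by default the common library drops all of them. So here we add some
                     of them back as they are needed, because zerotier starts as root but drops
                     privs for some of the processes run by the zerotier binary.
                     NOTE(review): NET_ADMIN and SYS_ADMIN together with runAsUser 0 (and
                     hostNetwork when enabled) make this an effectively privileged pod; keep
                     this list to what the zerotier binary actually requires. */}}
                - AUDIT_WRITE
                - CHOWN
                - DAC_OVERRIDE
                - FOWNER
                - NET_ADMIN
                - NET_BIND_SERVICE
                - NET_RAW
                - SETGID
                - SETPCAP
                - SETUID
                - SYS_ADMIN
          {{/* NOTE(review): authToken and identitySecret are credentials — confirm the
               common library renders `env:` entries into a Secret rather than a ConfigMap.
               Values are quoted so an all-digit or special-character token survives YAML
               parsing unchanged. */}}
          env:
            {{ with .Values.zerotierConfig.authToken }}
            ZEROTIER_API_SECRET: {{ . | quote }}
            {{ end }}
            {{ with .Values.zerotierConfig.identityPublic }}
            ZEROTIER_IDENTITY_PUBLIC: {{ . | quote }}
            {{ end }}
            {{ with .Values.zerotierConfig.identitySecret }}
            ZEROTIER_IDENTITY_SECRET: {{ . | quote }}
            {{ end }}
          {{/* User-supplied extra env vars; `envList` is only emitted when any are given.
               Env values must be strings in Kubernetes, hence the quoting. */}}
          {{ with .Values.zerotierConfig.additionalEnvs }}
          envList:
            {{ range $env := . }}
            - name: {{ $env.name }}
              value: {{ $env.value | quote }}
            {{ end }}
          {{ end }}
          {{/* All three probes run the image's /healthcheck.sh. */}}
          probes:
            liveness:
              enabled: true
              type: exec
              command: /healthcheck.sh
            readiness:
              enabled: true
              type: exec
              command: /healthcheck.sh
            startup:
              enabled: true
              type: exec
              command: /healthcheck.sh

{{/* Persistence */}}
{{/* The host's TUN device is passed through so zerotier can create its virtual interface. */}}
persistence:
  tun-dev:
    enabled: true
    type: device
    hostPath: /dev/net/tun
    targetSelector:
      zerotier:
        zerotier:
          mountPath: /dev/net/tun
{{- end -}}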