Update VPN (#287)

Add new options: `host` and `externalIPs`.
Automatic password generation
Provide resource-view to dashboard for getting connection URLs

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>

packages/apps/vpn/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.3.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

packages/apps/vpn/README.md

@@ -22,6 +22,8 @@ The VPN Service is powered by the Outline Server, an advanced and user-friendly
 
 ### Configuration parameters
 
-| Name    | Description         | Value |
-| ------- | ------------------- | ----- |
-| `users` | Users configuration | `{}`  |
+| Name          | Description                                 | Value |
+| ------------- | ------------------------------------------- | ----- |
+| `host`        | Host used to substitute into generated URLs | `""`  |
+| `users`       | Users configuration                         | `{}`  |
+| `externalIPs` | List of externalIPs for service.            | `[]`  |

packages/apps/vpn/templates/dashboard-resourcemap.yaml

@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  resourceNames:
+  - {{ .Release.Name }}-urls
+  verbs: ["get", "list", "watch"]
+- apiGroups:
+  - ""
+  resources:
+  - services
+  resourceNames:
+  - {{ .Release.Name }}-vpn
+  verbs: ["get", "list", "watch"]

packages/apps/vpn/templates/secret.yaml

@@ -1,3 +1,23 @@
+{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
+{{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
+{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-vpn" .Release.Name) }}
+{{- $accessKeys := list }}
+{{- $passwords := dict }}
+{{- if and (hasKey $existingSecret "data") (hasKey $existingSecret.data "shadowbox_config.json") }}
+  {{- $config := index $existingSecret.data "shadowbox_config.json" }}
+  {{- $accessKeys = index (fromJson (b64dec $config)) "accessKeys" }}
+{{- end }}
+{{- range $accessKeys }}
+  {{- $_ := set $passwords .name .password }}
+{{- end }}
+{{- range $user, $u := .Values.users }}
+  {{- if $u.password }}
+    {{- $_ := set $passwords $user $u.password }}
+  {{- else if not (index $passwords $user) }}
+    {{- $_ := set $passwords $user (randAlphaNum 16) }}
+  {{- end }}
+{{- end }}
+---
 apiVersion: v1
 kind: Secret
 metadata:
@@ -25,7 +45,7 @@ stringData:
           "id": "{{ $c }}",
           "metricsId": "{{ $user }}",
           "name": "{{ $user }}",
-          "password": "{{ $u.password }}",
+          "password": "{{ index $passwords $user }}",
           "port": 40000,
           "encryptionMethod": "chacha20-ietf-poly1305"
         }
@@ -34,3 +54,15 @@ stringData:
       ],
       "nextId": {{ $c }}
     }
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-urls
+type: Opaque
+foo: |
+  {{ toJson $passwords }}
+stringData:
+  {{- range $user, $u := .Values.users }}
+  "{{ $user }}": "ss://{{ regexReplaceAll "=" (replace "/" "_" (replace "+" "-" (printf "chacha20-ietf-poly1305:%s" (index $passwords $user) | b64enc))) "" }}@{{ $.Values.host | default (printf "%s.%s" $.Release.Name $host) }}:40000/?outline=1#{{ $.Release.Name }}"
+  {{- end }}

packages/apps/vpn/templates/service.yaml

@@ -6,11 +6,16 @@ metadata:
   labels:
     app: {{ .Release.Name }}-vpn
 spec:
-  type: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}
-  {{- if .Values.external }}
-  externalTrafficPolicy: Local
-  allocateLoadBalancerNodePorts: false
+  {{- if .Values.externalIPs }}
+  externalIPs:
+    {{- toYaml .Values.externalIPs | nindent 12 }}
+  type: ClusterIP
+  externalTrafficPolicy: Cluster
+  {{- else }}
+  type: LoadBalancer
+  externalTrafficPolicy: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}
   {{- end }}
+
   ports:
     #- name: apiport-tcp
     #  protocol: TCP

packages/apps/vpn/values.schema.json

@@ -11,6 +11,19 @@
             "type": "number",
             "description": "Number of VPN-server replicas",
             "default": 2
+        },
+        "host": {
+            "type": "string",
+            "description": "Host used to substitute into generated URLs",
+            "default": ""
+        },
+        "externalIPs": {
+            "type": "array",
+            "description": "List of externalIPs for service.",
+            "default": "[]",
+            "items": {
+                "type": "string"
+            }
         }
     }
 }

packages/apps/vpn/values.yaml

@@ -8,11 +8,24 @@ replicas: 2
 
 ## @section Configuration parameters
 
+## @param host Host used to substitute into generated URLs
+host: ""
+
 ## @param users [object] Users configuration
 ## Example:
 ## users:
 ##   user1:
 ##     password: hackme
-##   user2:
-##     password: tttt
+##   user2: {} # autogenerated password
 users: {}
+
+## @param externalIPs [array] List of externalIPs for service.
+## Optional. If not specified will use LoadBalancer service by default.
+## 
+## e.g:
+## externalIPs:
+##   - "11.22.33.44"
+##   - "11.22.33.45"
+##   - "11.22.33.46"
+##
+externalIPs: []