From a2bcf1006f6ec1e0f61949e7610bc26f044fbe3b Mon Sep 17 00:00:00 2001
From: Andrei Kvapil
Date: Fri, 16 Aug 2024 10:26:02 +0200
Subject: [PATCH] Update VPN (#287)

Add new options: `host` and `externalIPs`.
Automatic password generation
Provide resource-view to dashboard for getting connection URLs

Signed-off-by: Andrei Kvapil
---
 packages/apps/vpn/Chart.yaml | 2 +-
 packages/apps/vpn/README.md | 8 +++--
 .../vpn/templates/dashboard-resourcemap.yaml | 19 +++++++++++
 packages/apps/vpn/templates/secret-urls.yaml | 0
 packages/apps/vpn/templates/secret.yaml | 34 ++++++++++++++++++-
 packages/apps/vpn/templates/service.yaml | 13 ++++---
 packages/apps/vpn/values.schema.json | 13 +++++++
 packages/apps/vpn/values.yaml | 17 ++++++++--
 8 files changed, 95 insertions(+), 11 deletions(-)
 create mode 100644 packages/apps/vpn/templates/dashboard-resourcemap.yaml
 create mode 100644 packages/apps/vpn/templates/secret-urls.yaml

diff --git a/packages/apps/vpn/Chart.yaml b/packages/apps/vpn/Chart.yaml
index b40fe8b2..f4d39afa 100644
--- a/packages/apps/vpn/Chart.yaml
+++ b/packages/apps/vpn/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.2.0
+version: 0.3.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/packages/apps/vpn/README.md b/packages/apps/vpn/README.md
index 9ab798ca..b89b7ca9 100644
--- a/packages/apps/vpn/README.md
+++ b/packages/apps/vpn/README.md
@@ -22,6 +22,8 @@ The VPN Service is powered by the Outline Server, an advanced and user-friendly
 ### Configuration parameters
-| Name | Description | Value |
-| ------- | ------------------- | ----- |
-| `users` | Users configuration | `{}` |
+| Name | Description | Value |
+| ------------- | ------------------------------------------- | ----- |
+| `host` | Host used to substitute into generated URLs | `""` |
+| `users` | Users configuration | `{}` |
+| `externalIPs` | List of externalIPs for service. | `[]` |
diff --git a/packages/apps/vpn/templates/dashboard-resourcemap.yaml b/packages/apps/vpn/templates/dashboard-resourcemap.yaml
new file mode 100644
index 00000000..8f34e7d6
--- /dev/null
+++ b/packages/apps/vpn/templates/dashboard-resourcemap.yaml
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ .Release.Name }}-dashboard-resources
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ resourceNames:
+ - {{ .Release.Name }}-urls
+ verbs: ["get", "list", "watch"]
+- apiGroups:
+ - ""
+ resources:
+ - services
+ resourceNames:
+ - {{ .Release.Name }}-vpn
+ verbs: ["get", "list", "watch"]
diff --git a/packages/apps/vpn/templates/secret-urls.yaml b/packages/apps/vpn/templates/secret-urls.yaml
new file mode 100644
index 00000000..e69de29b
diff --git a/packages/apps/vpn/templates/secret.yaml b/packages/apps/vpn/templates/secret.yaml
index b420bc4d..79960096 100644
--- a/packages/apps/vpn/templates/secret.yaml
+++ b/packages/apps/vpn/templates/secret.yaml
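Review bot: The `list` verb in both rules of the new Role is combined with `resourceNames`, and RBAC only authorises that combination when the client sends a `metadata.name` field selector equal to the named object; an unfiltered list of secrets or services in the namespace is denied, so a dashboard that lists without the selector will fail while `get` succeeds. If the consumer only ever fetches the two named objects, `verbs: ["get", "watch"]` is the least-privilege form and avoids the surprise. No RoleBinding is part of this patch, so which subject receives these rights cannot be checked here; presumably the dashboard's service account is bound elsewhere, and that binding should be namespace-scoped like the Role.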
@@ -1,3 +1,23 @@
+{{- $myNS := lookup "v1" "Namespace" "" .Release.Namespace }}
+{{- $host := index $myNS.metadata.annotations "namespace.cozystack.io/host" }}
+{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace (printf "%s-vpn" .Release.Name) }}
+{{- $accessKeys := list }}
+{{- $passwords := dict }}
+{{- if and (hasKey $existingSecret "data") (hasKey $existingSecret.data "shadowbox_config.json") }}
+ {{- $config := index $existingSecret.data "shadowbox_config.json" }}
+ {{- $accessKeys = index (fromJson (b64dec $config)) "accessKeys" }}
+{{- end }}
+{{- range $accessKeys }}
+ {{- $_ := set $passwords .name .password }}
+{{- end }}
+{{- range $user, $u := .Values.users }}
+ {{- if $u.password }}
+ {{- $_ := set $passwords $user $u.password }}
+ {{- else if not (index $passwords $user) }}
+ {{- $_ := set $passwords $user (randAlphaNum 16) }}
+ {{- end }}
+{{- end }}
+---
 apiVersion: v1
 kind: Secret
 metadata:
@@ -25,7 +45,7 @@ stringData:
 "id": "{{ $c }}",
 "metricsId": "{{ $user }}",
 "name": "{{ $user }}",
- "password": "{{ $u.password }}",
+ "password": "{{ index $passwords $user }}",
 "port": 40000,
 "encryptionMethod": "chacha20-ietf-poly1305"
 }
@@ -34,3 +54,15 @@ stringData:
 ],
 "nextId": {{ $c }}
 }
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Release.Name }}-urls
+type: Opaque
+foo: |
+ {{ toJson $passwords }}
+stringData:
+ {{- range $user, $u := .Values.users }}
+ "{{ $user }}": "ss://{{ regexReplaceAll "=" (replace "/" "_" (replace "+" "-" (printf "chacha20-ietf-poly1305:%s" (index $passwords $user) | b64enc))) "" }}@{{ $.Values.host | default (printf "%s.%s" $.Release.Name $host) }}:40000/?outline=1#{{ $.Release.Name }}"
+ {{- end }}
diff --git a/packages/apps/vpn/templates/service.yaml b/packages/apps/vpn/templates/service.yaml
index 2eed167e..b014afb3 100644
--- a/packages/apps/vpn/templates/service.yaml
+++ b/packages/apps/vpn/templates/service.yaml
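Review bot: `$myNS.metadata.annotations` on the second added line of the first hunk dereferences the `lookup` result without a guard; `lookup` returns an empty map when the Namespace cannot be read (client-side `helm template`, a dry run, or a caller lacking `get` on namespaces), `.metadata` is then nil and rendering aborts instead of falling back to `.Values.host`. Initialising `{{- $host := "" }}` and wrapping the annotation read in `{{- if $myNS }} … {{- end }}` keeps the template renderable offline. The password carry-over itself reads correctly: keys from the current `shadowbox_config.json` are reused, an explicit `.Values.users.<name>.password` overrides, and `randAlphaNum 16` fills only the missing entries, so an upgrade does not rotate existing keys.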
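Review bot: `foo: |` followed by `{{ toJson $passwords }}` in the new `-urls` Secret looks like a debugging leftover and should be deleted: `foo` is not a field of `v1/Secret`, so depending on the apiserver's field-validation mode the object is rejected or the key is pruned, and in the meantime every user's plaintext password is serialised into the rendered manifest outside `data`/`stringData`, where it shows up in `helm get manifest` output, GitOps diffs and controller logs. The `ss://` URLs under `stringData` already embed the same password by design, which is fine inside a Secret, so the extra copy is pure exposure. The commit also creates `packages/apps/vpn/templates/secret-urls.yaml` as an empty file while the `-urls` Secret is rendered here; either move this document into that file or drop the empty template.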
@@ -6,11 +6,16 @@ metadata:
 labels:
 app: {{ .Release.Name }}-vpn
 spec:
- type: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}
- {{- if .Values.external }}
- externalTrafficPolicy: Local
- allocateLoadBalancerNodePorts: false
+ {{- if .Values.externalIPs }}
+ externalIPs:
+ {{- toYaml .Values.externalIPs | nindent 12 }}
+ type: ClusterIP
+ externalTrafficPolicy: Cluster
+ {{- else }}
+ type: LoadBalancer
+ externalTrafficPolicy: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}
 {{- end }}
+
 ports:
 #- name: apiport-tcp
 # protocol: TCP
diff --git a/packages/apps/vpn/values.schema.json b/packages/apps/vpn/values.schema.json
index 16bc7c66..30f6807c 100644
--- a/packages/apps/vpn/values.schema.json
+++ b/packages/apps/vpn/values.schema.json
@@ -11,6 +11,19 @@
 "type": "number",
 "description": "Number of VPN-server replicas",
 "default": 2
+ },
+ "host": {
+ "type": "string",
+ "description": "Host used to substitute into generated URLs",
+ "default": ""
+ },
+ "externalIPs": {
+ "type": "array",
+ "description": "List of externalIPs for service.",
+ "default": "[]",
+ "items": {
+ "type": "string"
+ }
 }
 }
 }
\ No newline at end of file
diff --git a/packages/apps/vpn/values.yaml b/packages/apps/vpn/values.yaml
index 150a8060..817c1041 100644
--- a/packages/apps/vpn/values.yaml
+++ b/packages/apps/vpn/values.yaml
@@ -8,11 +8,24 @@ replicas: 2
 ## @section Configuration parameters
+## @param host Host used to substitute into generated URLs
+host: ""
+
 ## @param users [object] Users configuration
 ## Example:
 ## users:
 ## user1:
 ## password: hackme
-## user2:
-## password: tttt
+## user2: {} # autogenerated password
 users: {}
+ ## @param externalIPs [array] List of externalIPs for service. ## Optional. If not specified will use LoadBalancer service by default. ## ## e.g: ## externalIPs: ## - "11.22.33.44" ## - "11.22.33.45" ## - "11.22.33.46" ## externalIPs: []
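Review bot: In the `{{- else }}` branch the line `externalTrafficPolicy: {{ ternary "LoadBalancer" "ClusterIP" .Values.external }}` emits a Service *type* where the API accepts only `Cluster` or `Local`, so the default configuration (no `externalIPs`) renders a manifest the apiserver rejects. The removed lines used `externalTrafficPolicy: Local` together with `allocateLoadBalancerNodePorts: false`; restoring those two lines in the else branch keeps the previous LoadBalancer behaviour, and since `.Values.external` no longer appears in the values, schema or README changes of this patch it is probably dead and can go. The indentation produced by `nindent 12` for the `externalIPs` list cannot be verified here because whitespace is collapsed, but 12 is deeper than a field directly under `spec:` normally needs — confirm against the rendered output. `spec.externalIPs` is tenant-supplied, so the README should state that without an admission policy restricting the field a user can claim any address and attract traffic destined for it.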
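Review bot: `"default": "[]"` for `externalIPs` is the string `[]`, not an empty array, which contradicts `"type": "array"` on the preceding line and `externalIPs: []` in values.yaml; schema-aware tooling (doc generators, validators that type-check defaults) will trip on it. Change it to `"default": []`. The file still ends without a trailing newline, as the `\ No newline at end of file` marker shows — pre-existing, but cheap to fix while the file is being edited.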