From c271b3b2b3243c76cc616e2928183cb7de7df603 Mon Sep 17 00:00:00 2001 From: Swordsteel Date: Mon, 25 Aug 2025 19:20:19 +0200 Subject: [PATCH] test --- .gitea/workflows/release.yaml | 44 ++++++ .gitignore | 1 + README.md | 157 ++++++++++++++++++++++ helm/.helmignore | 23 ++++ helm/Chart.yaml | 6 + helm/templates/_helpers.tpl | 18 +++ helm/templates/persistentvolumeclaim.yaml | 13 ++ helm/templates/service.yaml | 20 +++ helm/templates/statefulset.yaml | 44 ++++++ helm/values.yaml | 22 +++ 10 files changed, 348 insertions(+) create mode 100644 .gitea/workflows/release.yaml create mode 100644 .gitignore create mode 100644 README.md create mode 100644 helm/.helmignore create mode 100644 helm/Chart.yaml create mode 100644 helm/templates/_helpers.tpl create mode 100644 helm/templates/persistentvolumeclaim.yaml create mode 100644 helm/templates/service.yaml create mode 100644 helm/templates/statefulset.yaml create mode 100644 helm/values.yaml diff --git a/.gitea/workflows/release.yaml b/.gitea/workflows/release.yaml new file mode 100644 index 0000000..7e82313 --- /dev/null +++ b/.gitea/workflows/release.yaml 
@@ -0,0 +1,44 @@ +name: Helm OCI CI + +on: + workflow_dispatch: + +jobs: + build-and-push: + runs-on: ubuntu-latest + steps: + # Checkout code + - name: Checkout repository + uses: actions/checkout@v3 + + # Install Helm + - name: Set up Helm + uses: azure/setup-helm@v4 + + # Extract chart name and version + - name: Get Chart Info + id: chart + run: | + NAME=$(helm show chart ./helm | grep '^name:' | awk '{print $2}') + VERSION=$(helm show chart ./helm | grep '^version:' | awk '{print $2}') + echo "chart_name=$NAME" >> $GITHUB_ENV + echo "chart_version=$VERSION" >> $GITHUB_ENV + + # Login to Gitea OCI Registry + - name: Helm OCI Login + run: | + echo "${{ secrets.CI_BOT_TOKEN }}" | helm registry login gitea.lulz.ltd \ + --username ${{ secrets.CI_BOT_USERNAME }} \ + --password-stdin + + # Package Helm chart + - name: Package Helm Chart + run: | + helm package ./helm + + # helm push heimdall-0.1.0.tgz oci://gitea.lulz.ltd/helm + # Push chart to Gitea OCI registry + - name: Push Helm Chart to Gitea OCI + run: | + echo "${chart_name}-${chart_version}.tgz oci://gitea.lulz.ltd/helm" + helm push ${chart_name}-${chart_version}.tgz oci://gitea.lulz.ltd/helm \ No newline at end of file diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..62c8935 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.idea/ \ No newline at end of file diff --git a/README.md b/README.md new file mode 100644 index 0000000..e82964c --- /dev/null +++ b/README.md 
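Review bot: Both `uses:` lines (`actions/checkout@v3`, `azure/setup-helm@v4`) pin the actions to mutable major tags, so whatever that tag points to tomorrow runs with the registry credentials in scope; pin each to a full commit SHA with the version in a trailing comment (`uses: actions/checkout@<full-commit-sha>  # v4`), and note that `checkout@v3` is a superseded major. In the `Helm OCI Login` step the token and username are interpolated straight into the shell text of `run:`, so a value containing a quote, `$` or whitespace is interpreted by the shell rather than passed through; route them via `env:` and reference them as quoted shell variables, as below. The stale `# helm push heimdall-0.1.0.tgz …` comment above the push step refers to a different chart and should be removed.

```yaml
      - name: Helm OCI Login
        env:
          REGISTRY_USER: ${{ secrets.CI_BOT_USERNAME }}
          REGISTRY_TOKEN: ${{ secrets.CI_BOT_TOKEN }}
        run: |
          echo "$REGISTRY_TOKEN" | helm registry login gitea.lulz.ltd \
            --username "$REGISTRY_USER" \
            --password-stdin
      # … unchanged: package and push steps …
```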
@@ -0,0 +1,157 @@ +# Check if traffic hits the pod + +```shell +kubectl -n wg-easy exec -it wg-easy-wg-easy-0 -- wg show +``` + +```shell +microk8s kubectl -n wg-easy exec -it wg-easy-wg-easy-0 -- iptables -t nat -L -n -v | grep 10.8 +``` + +sudo iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens192 -j MASQUERADE + + Qj&lLhA$L82m8zWi + +#net.ipv4.ip_forward=1 +#net.ipv4.conf.default.src_valid_mark=1 +#net.ipv4.conf.all.src_valid_mark=1 + + sudo nano /var/snap/microk8s/current/args/kubelet + + --allowed-unsafe-sysctls=net.ipv4.ip_forward,net.ipv4.conf.all.src_valid_mark + + + +```shell +helm install wg-easy ./ --namespace wg-easy --create-namespace +``` + +```shell +kubectl delete ns wg-easy +``` + +```shell +kubectl -n wg-easy exec -it pod/wg-easy-wg-easy-0 -- ip add +``` + +```shell + kubectl -n wg-easy exec -it pod/wg-easy-wg-easy-6bcdd9fcb4-7xt94 -- iptables -t nat -L -n -v +``` + +```shell +kubectl -n wg-easy exec -it pod/wg-easy-wg-easy-6bcdd9fcb4-7xt94 -- sysctl net.ipv4.ip_forward +``` + +```shell + kubectl -n wg-easy exec -it pod/wg-easy-wg-easy-6bcdd9fcb4-7xt94 -- sysctl net.ipv4.conf.all.src_valid_mark +``` + +```shell +kubectl -n wg-easy logs -f wg-easy-0 +``` + +```shell +kubectl -n wg-easy get pvc,pod,svc +``` + + + +# Rout traffic + +## Systemd service + +lets create a file `/etc/systemd/system/wireguard-masquerade.service` + +```shell +sudo nano /etc/systemd/system/wireguard-masquerade.service +``` + +replace `` with your network card like `eth0` + +``` +[Unit] +Description=WireGuard MASQUERADE for 10.8.0.0/24 +After=network.target + +[Service] +Type=oneshot +ExecStart=/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o ens192 -j MASQUERADE +RemainAfterExit=yes + +[Install] +WantedBy=multi-user.target +``` + +## Enable + +```shell +sudo systemctl enable wireguard-masquerade +``` + +## Start + +```shell +sudo systemctl start wireguard-masquerade +``` + +swordsteel@microk8s:~$ sudo systemctl enable wg-masquerade +Failed to enable unit: File 
wg-masquerade.service: Bad message + + + +--- + +# WireGuard + +Qj&lLhA$L82m8zWi + + +```shell +helm install wg-easy ./helm --namespace wireguard --create-namespace +``` + +```shell +helm -n wireguard upgrade wg-easy .\helm\ +``` + +```shell +kubectl -n wireguard get pvc,pod,svc +``` + +```shell +kubectl -n wireguard logs -f wg-easy-0 +``` + +```shell +kubectl delete ns wireguard +``` + +```shell +kubectl get ns +``` + +```shell +kubectl -n wireguard describe pod wg-easy-wg-easy-0 +``` + + + + + + + + + + + + + + + + + + + + + + diff --git a/helm/.helmignore b/helm/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/helm/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/helm/Chart.yaml b/helm/Chart.yaml new file mode 100644 index 0000000..4364ac3 --- /dev/null +++ b/helm/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +name: wg-easy +description: Helm chart for wg-easy with MetalLB and StatefulSet +type: application +version: 0.1.0 +appVersion: "15.1.0" \ No newline at end of file diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl new file mode 100644 index 0000000..00bf256 --- /dev/null +++ b/helm/templates/_helpers.tpl 
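Review bot: The string `Qj&lLhA$L82m8zWi` appears twice in this file (once below the iptables command, once under the `# WireGuard` heading) and has the shape of a password; anything committed here remains in git history, so it should be deleted from the file and the credential it belongs to rotated, with the value kept in a secret store rather than a README. The systemd section asks the reader to replace an empty `` placeholder while the unit file that follows hardcodes `-o ens192`, so the placeholder and the interface name should be reconciled. The pasted shell output enables `wg-masquerade` while the unit created above is `wireguard-masquerade`; either the paste or the instructions is out of date.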
@@ -0,0 +1,18 @@ +{{- define "wg-easy.name" -}} +wg-easy +{{- end }} + +{{- define "wg-easy.fullname" -}} +{{ printf "%s-%s" .Release.Name (include "wg-easy.name" .) | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{- define "wg-easy.labels" -}} +app.kubernetes.io/name: {{ include "wg-easy.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/version: {{ .Chart.AppVersion }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{- define "wg-easy.selectorLabels" -}} +app: {{ include "wg-easy.name" . }} +{{- end }} \ No newline at end of file diff --git a/helm/templates/persistentvolumeclaim.yaml b/helm/templates/persistentvolumeclaim.yaml new file mode 100644 index 0000000..47a9295 --- /dev/null +++ b/helm/templates/persistentvolumeclaim.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ include "wg-easy.name" . }} +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: {{ .Values.persistence.size }} + {{- if and .Values.persistence.storageClass (ne .Values.persistence.storageClass "") }} + storageClassName: {{ .Values.persistence.storageClass | quote }} + {{- end }} diff --git a/helm/templates/service.yaml b/helm/templates/service.yaml new file mode 100644 index 0000000..62caf2b --- /dev/null +++ b/helm/templates/service.yaml @@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "wg-easy.name" . }} +spec: + type: {{ .Values.service.type }} + {{- if and .Values.service.loadBalancerIP (ne .Values.service.loadBalancerIP "") }} + loadBalancerIP: {{ .Values.service.loadBalancerIP }} + {{- end }} + ports: + - name: http + port: {{ .Values.service.httpPort }} + targetPort: 51821 + protocol: TCP + - name: wireguard + port: {{ .Values.service.wgPort }} + targetPort: {{ .Values.service.wgPort }} + protocol: UDP + selector: + app: {{ include "wg-easy.name" . }} 
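Review bot: `wg-easy.fullname`, `wg-easy.labels` and `wg-easy.selectorLabels` are defined here but no template in this commit includes them; every resource is named and selected with `include "wg-easy.name" .`, which is the constant `wg-easy`, so two releases of the chart in one namespace collide on the Service, PVC and StatefulSet names. Either switch the templates to `name: {{ include "wg-easy.fullname" . }}` for `metadata.name` and use the label helpers for `metadata.labels` and `selector.matchLabels`, or drop the unused helpers so the file does not suggest a release-scoped naming that is not in effect.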
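Review bot: `.Values.persistence.enabled` is declared in values.yaml but this template never reads it, so the claim is created even when persistence is switched off; wrap the document in `{{- if .Values.persistence.enabled }}` … `{{- end }}` (the StatefulSet's volume block needs the same guard). The claim is `ReadWriteOnce` and is a single shared object rather than a `volumeClaimTemplates` entry, so any `replicaCount` above 1 only schedules if every pod lands on the node holding the volume. The claim also carries no `metadata.labels`, unlike the StatefulSet in the same commit.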
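Review bot: The `http` port publishes the wg-easy web UI (`targetPort: 51821`) on the same `LoadBalancer` address as the VPN tunnel, on port 80 with nothing terminating TLS in front of it, and the chart's values default `INSECURE` to true; the admin UI should not share the public VIP with the tunnel — expose it through a separate `ClusterIP` Service behind an ingress that terminates TLS, or at minimum restrict it with `loadBalancerSourceRanges`. `spec.loadBalancerIP` has been deprecated since Kubernetes 1.24; with MetalLB the `metallb.universe.tf/loadBalancerIPs` annotation is the supported replacement. The Service has no `metadata.labels`, while the StatefulSet in this commit does.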
diff --git a/helm/templates/statefulset.yaml b/helm/templates/statefulset.yaml new file mode 100644 index 0000000..592e8a6 --- /dev/null +++ b/helm/templates/statefulset.yaml @@ -0,0 +1,44 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "wg-easy.name" . }} + labels: + app: {{ include "wg-easy.name" . }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + app: {{ include "wg-easy.name" . }} + template: + metadata: + labels: + app: {{ include "wg-easy.name" . }} + spec: + securityContext: + sysctls: + - name: net.ipv4.ip_forward + value: "1" + containers: + - name: wg-easy + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: 51821 + protocol: TCP + - name: wireguard + containerPort: {{ .Values.service.wgPort }} + protocol: UDP + env: + - name: INSECURE + value: {{ .Values.env.INSECURE | quote }} + securityContext: + capabilities: + add: ["NET_ADMIN", "SYS_MODULE"] + volumeMounts: + - name: wg-easy-data + mountPath: /etc/wireguard + volumes: + - name: wg-easy-data + persistentVolumeClaim: + claimName: {{ include "wg-easy.name" . }} diff --git a/helm/values.yaml b/helm/values.yaml new file mode 100644 index 0000000..845f0a5 --- /dev/null +++ b/helm/values.yaml @@ -0,0 +1,22 @@ +replicaCount: 1 + +image: + repository: ghcr.io/wg-easy/wg-easy + tag: "15.1" + pullPolicy: IfNotPresent + +service: + type: LoadBalancer + httpPort: 80 + wgPort: 51820 + loadBalancerIP: "10.0.3.15" # Set to a MetalLB-assigned IP, e.g. 192.168.1.240 + +persistence: + enabled: true + size: 1Gi +# storageClass: "" + +env: + INSECURE: true + +
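Review bot: The container adds `SYS_MODULE` next to `NET_ADMIN`, which allows it to load kernel modules on the node; wg-easy needs it only when the host kernel has no `wireguard` module available, so it should be off by default (a value for hosts that need it) and the grant written as `drop: ["ALL"]` followed by `add: ["NET_ADMIN"]`. The StatefulSet declares no `spec.serviceName`, which API servers that still require the field reject at admission, and no headless Service exists in this commit to name there. Every replica mounts the single `ReadWriteOnce` claim `{{ include "wg-easy.name" . }}`, so `replicaCount` greater than 1 cannot spread across nodes; either fix `replicas: 1` or move the claim under `volumeClaimTemplates`. `image.tag` "15.1" is a floating minor tag; pin the full version or a digest so what runs is reproducible.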
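Review bot: `env.INSECURE: true` is the shipped default and, going by its name and the `| quote` pass-through in the StatefulSet, relaxes the web UI's HTTPS requirement; a chart should default to the safe setting (`INSECURE: false`) and let an operator opt in, with a comment stating what the flag disables. `service.loadBalancerIP: "10.0.3.15"` is a site-specific address that contradicts its own comment's example, so a fresh install claims an IP that is likely wrong for the cluster; default it to `""`, which the Service template already treats as unset. `persistence.enabled: true` is read by no template, and `image.tag: "15.1"` disagrees with `appVersion: "15.1.0"` in the Chart.yaml hunk, so the chart metadata does not describe the image actually pulled.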