diff --git a/.gitignore b/.gitignore index 2c83b2c..42a5840 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,4 @@ # OSX metadata .DS_Store ._DS_Store -.ideas +.idea diff --git a/Chart.yaml b/Chart.yaml index c0a45a8..d1b23ba 100644 --- a/Chart.yaml +++ b/Chart.yaml @@ -5,4 +5,4 @@ type: application version: 0.1.0 icon: https://upload.wikimedia.org/wikipedia/commons/8/8f/Icons_mumble.svg # https://hub.docker.com/r/pvarkiprojekti/mumbleserver/tags (do NOT use "latest") -appVersion: "20220903-2111" +appVersion: "20221110-1729" diff --git a/README.rst b/README.rst index d6b7e54..372b7d4 100644 --- a/README.rst +++ b/README.rst @@ -3,3 +3,19 @@ Helm chart for mumble server ============================ Char for deploying https://hub.docker.com/r/pvarkiprojekti/mumbleserver in k8s + +Development +^^^^^^^^^^^ + +Uses pre-commit, you need some basic dependencies (run in this directory):: + + pip3 install --user pre-commit detect-secrets + pre-commit install + +As usual using virtualenvs is generally recommended but in this case not strictly mandatory. + +Before committing check your work with:: + + pre-commit run --all-files ; echo $? + +This saves you annoyance of rewriting commit messages when one of the checks fail. diff --git a/templates/NOTES.txt b/templates/NOTES.txt index bec5cc8..08ee7ab 100644 --- a/templates/NOTES.txt +++ b/templates/NOTES.txt 
@@ -1,22 +1,15 @@ 1. Get the application URL by running these commands: -{{- if .Values.ingress.enabled }} -{{- range $host := .Values.ingress.hosts }} - {{- range .paths }} - http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} - {{- end }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "mumbleserver.fullname" . }}) +{{- if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[1].nodePort}" services {{ include "mumbleserver.fullname" . }}) export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT + DNS name should be {{ .Values.mumble.server_domain }} {{- else if contains "LoadBalancer" .Values.service.type }} NOTE: It may take a few minutes for the LoadBalancer IP to be available. You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "mumbleserver.fullname" . }}' export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "mumbleserver.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") - echo http://$SERVICE_IP:{{ .Values.service.port }} + DNS name should be {{ .Values.mumble.server_domain }} {{- else if contains "ClusterIP" .Values.service.type }} export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "mumbleserver.name" . 
}},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT + export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[1].containerPort}") + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME {{ .Values.mumble.externalport }}:$CONTAINER_PORT {{- end }} diff --git a/templates/deployment.yaml b/templates/deployment.yaml index 5674b0e..89c87a9 100644 --- a/templates/deployment.yaml +++ b/templates/deployment.yaml @@ -30,6 +30,21 @@ spec: volumes: - name: letsencrypt-data - name: murmur-data + initContainers: + - name: fill-volumes + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + volumeMounts: + - name: letsencrypt-data + mountPath: /tgt/le + - name: murmur-data + mountPath: /tgt/murmurdata + command: + - /bin/bash + - -c + - > + cp -a /etc/letsencrypt/./ /tgt/le/ && + cp -a /murmurdata/./ /tgt/murmurdata/ && + ls -R /tgt/le /tgt/murmurdata containers: - name: {{ .Chart.Name }} securityContext: 
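Review bot: `jsonpath="{.spec.ports[1].nodePort}"` in the NodePort branch (and `{.spec.containers[0].ports[1].containerPort}` in the ClusterIP branch) assumes the http port still sits at index 0, but this commit makes that port conditional in service.yaml and deployment.yaml and values.yaml now defaults to `disable_tls: true`, so with default values index 1 no longer points at the mumble-tcp port. Select the port by name instead of position, e.g. `jsonpath="{.spec.ports[?(@.name=='mumble-tcp')].nodePort}"` and `jsonpath="{.spec.containers[0].ports[?(@.name=='mumble-tcp')].containerPort}"`. The NodePort and LoadBalancer branches now print only the DNS name, so a reader no longer sees which port to connect to; the `echo` lines were the only place that showed it.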
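Review bot: The new `fill-volumes` init container declares no `securityContext`, while the main container right after it does (`securityContext:` is the hunk's last context line); init containers run with the same privileges as any other container, so the same per-container settings — presumably the chart's `.Values.securityContext` block, rendered outside this hunk — should be applied here too. The closing `ls -R /tgt/le /tgt/murmurdata` writes the whole certbot and murmur directory listing to the init container log on every start; it reads as a debugging aid and is worth dropping once the copy is known to work. The two volumes carry only a `name:` in the context lines above, so if they are emptyDir the copy re-seeds ephemeral storage on every pod start; a comment such as `# seed the (ephemeral) volumes from the image on every start` would record that this is intended.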
@@ -37,27 +52,39 @@ spec: image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} env: - # TODO: Remove this when we are production ready - - name: "CERTBOT_EXTRA_ARGS" - value: "--test-cert" - - name: "SERVER_DOMAIN" - value: {{ required "A valid .Values.mumble.server_domain entry required!" .Values.mumble.server_domain }} - - name: "CERTBOT_EMAIL" - value: {{ required "A valid .Values.mumble.certbot_email entry required!" .Values.mumble.certbot_email }} - - name: "SERVER_PASSWORD" - valueFrom: - secretKeyRef: - key: server_password - name: {{ .Release.Name }}-auth - - name: "SUPERUSER_PASSWORD" - valueFrom: - secretKeyRef: - key: superuser_password - name: {{ .Release.Name }}-auth + # TODO: Remove this when we are production ready + - name: "CERTBOT_EXTRA_ARGS" + value: "--test-cert" + {{- if .Values.mumble.disable_tls }} + - name: "NO_TLS" + value: "1" + {{- end }} + {{- if or .Values.use_certmanager .Values.mumble.disable_tls }} + - name: "NO_CERTBOT" + value: "1" + {{- end }} + - name: "SERVER_DOMAIN" + value: {{ required "A valid .Values.mumble.server_domain entry required!" .Values.mumble.server_domain }} + - name: "CERTBOT_EMAIL" + value: {{ required "A valid .Values.mumble.certbot_email entry required!" .Values.mumble.certbot_email }} + - name: "SERVER_USERS" + value: {{ required "A valid .Values.mumble.users entry required!" .Values.mumble.users }} + - name: "SERVER_PASSWORD" + valueFrom: + secretKeyRef: + key: server_password + name: {{ .Release.Name }}-auth + - name: "SUPERUSER_PASSWORD" + valueFrom: + secretKeyRef: + key: superuser_password + name: {{ .Release.Name }}-auth ports: + {{- if and (not .Values.use_certmanager) (not .Values.mumble.disable_tls) }} - name: http containerPort: 80 protocol: TCP + {{- end }} - name: mumble-tcp containerPort: 64738 protocol: TCP 
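Review bot: `value: {{ required "A valid .Values.mumble.users entry required!" .Values.mumble.users }}` renders the unquoted scalar `value: 100` with the `users: 100` default this commit adds to values.yaml, and `EnvVar.value` is a string field, so manifest validation rejects the Deployment; the `SERVER_DOMAIN` and `CERTBOT_EMAIL` values are rendered unquoted the same way. Pipe all three through `| quote`, e.g. `value: {{ required "A valid .Values.mumble.users entry required!" .Values.mumble.users | quote }}`. `CERTBOT_EMAIL` stays `required` even when `NO_CERTBOT` is set by the `or .Values.use_certmanager .Values.mumble.disable_tls` branch above it, so an install that has disabled certbot must still supply an e-mail; wrapping that env entry in the inverse condition removes the dead requirement. The `and (not .Values.use_certmanager) (not .Values.mumble.disable_tls)` guard on the http port is repeated verbatim in service.yaml; a named template (e.g. a constructed `mumbleserver.certbotHttp`) would keep the two from drifting.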
@@ -69,9 +96,17 @@ spec: command: - pgrep - murmurd + initialDelaySeconds: 15 + periodSeconds: 10 readinessProbe: - tcpSocket: - port: mumble-tcp + exec: + command: + - /bin/bash + - -c + - > + pgrep certbot || pgrep murmurd + initialDelaySeconds: 1 + periodSeconds: 1 resources: {{- toYaml .Values.resources | nindent 12 }} volumeMounts: diff --git a/templates/ingress.yaml b/templates/ingress.yaml deleted file mode 100644 index 04efdc1..0000000 --- a/templates/ingress.yaml +++ /dev/null 
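Review bot: The new readiness command `pgrep certbot || pgrep murmurd` reports the pod Ready while only certbot is running and murmurd is not yet listening on 64738, which the removed `tcpSocket: mumble-tcp` probe guarded against; clients reaching the Service in that window get a refused connection. If the intent is that the pod must be Ready so the port-80 challenge can reach it through the Service while certbot runs, that reasoning belongs next to the probe, e.g. `# Ready during the certbot phase so the port-80 challenge is reachable via the Service; murmurd is not up yet then`. With `periodSeconds: 1` this also forks a bash and up to two pgrep processes every second for the pod's lifetime, while liveness already covers the murmurd process every 10 seconds. The enclosing container spec starts and ends outside the hunk.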
@@ -1,61 +0,0 @@ -{{- if .Values.ingress.enabled -}} -{{- $fullName := include "mumbleserver.fullname" . -}} -{{- $svcPort := .Values.service.port -}} -{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} - {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} - {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} - {{- end }} -{{- end }} -{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} -apiVersion: networking.k8s.io/v1 -{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} -apiVersion: networking.k8s.io/v1beta1 -{{- else -}} -apiVersion: extensions/v1beta1 -{{- end }} -kind: Ingress -metadata: - name: {{ $fullName }} - labels: - {{- include "mumbleserver.labels" . | nindent 4 }} - {{- with .Values.ingress.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} - ingressClassName: {{ .Values.ingress.className }} - {{- end }} - {{- if .Values.ingress.tls }} - tls: - {{- range .Values.ingress.tls }} - - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - secretName: {{ .secretName }} - {{- end }} - {{- end }} - rules: - {{- range .Values.ingress.hosts }} - - host: {{ .host | quote }} - http: - paths: - {{- range .paths }} - - path: {{ .path }} - {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} - pathType: {{ .pathType }} - {{- end }} - backend: - {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} - service: - name: {{ $fullName }} - port: - number: {{ $svcPort }} - {{- else }} - serviceName: {{ $fullName }} - servicePort: {{ $svcPort }} - {{- end }} - {{- end }} - {{- end }} -{{- end }} diff --git a/templates/service.yaml b/templates/service.yaml index 2f5443a..7b3a9c2 100644 
--- a/templates/service.yaml +++ b/templates/service.yaml @@ -4,13 +4,17 @@ metadata: name: {{ include "mumbleserver.fullname" . }} labels: {{- include "mumbleserver.labels" . | nindent 4 }} + annotations: + external-dns.alpha.kubernetes.io/hostname: {{ required "A valid .Values.mumble.server_domain entry required!" .Values.mumble.server_domain }} spec: type: {{ .Values.service.type }} ports: + {{- if and (not .Values.use_certmanager) (not .Values.mumble.disable_tls) }} - port: 80 targetPort: http protocol: TCP name: http + {{- end }} - port: 64738 targetPort: mumble-tcp protocol: TCP diff --git a/templates/tests/test-connection.yaml b/templates/tests/test-connection.yaml index 960e2ad..0be06d0 100644 --- a/templates/tests/test-connection.yaml +++ b/templates/tests/test-connection.yaml @@ -8,8 +8,9 @@ metadata: "helm.sh/hook": test spec: containers: - - name: wget - image: busybox - command: ['wget'] - args: ['{{ include "mumbleserver.fullname" . }}:{{ .Values.service.port }}'] + - name: mumble-ping + image: pvarkiprojekti/mumbleping:20220909-1026 + env: + - name: "SERVER_DOMAIN" + value: {{ required "A valid .Values.mumble.server_domain entry required!" .Values.mumble.server_domain }} restartPolicy: Never diff --git a/values.yaml b/values.yaml index 2e0bb30..71fa887 100644 --- a/values.yaml +++ b/values.yaml 
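Review bot: The `external-dns.alpha.kubernetes.io/hostname` annotation is added unconditionally, so any cluster running external-dns publishes a DNS record for `server_domain` on every install regardless of `service.type`; gate it on an opt-in value (e.g. a constructed `.Values.mumble.external_dns`) and quote it, `external-dns.alpha.kubernetes.io/hostname: {{ required "A valid .Values.mumble.server_domain entry required!" .Values.mumble.server_domain | quote }}`, since annotation values are strings. The `and (not .Values.use_certmanager) (not .Values.mumble.disable_tls)` condition around the port-80 entry duplicates the one in deployment.yaml; if the two diverge the Service targets a port the container does not expose, or the reverse.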
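Review bot: `image: pvarkiprojekti/mumbleping:20220909-1026` hard-codes repository and tag inside the test template, unlike the main container which reads `.Values.image.repository` and `.Values.image.tag`; moving it to values.yaml (e.g. constructed `test_image.repository` / `test_image.tag` keys) lets mirrored or air-gapped installs override it and keeps the pinned tag where versions are reviewed. `value: {{ required "A valid .Values.mumble.server_domain entry required!" .Values.mumble.server_domain }}` should end in `| quote` like any env value, as the field is a string. The test pod also declares no `securityContext`, which the deployment's containers do.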
@@ -37,30 +37,19 @@ securityContext: {} # runAsUser: 1000 service: - type: ClusterIP + type: LoadBalancer mumble: server_domain: "" server_password: "" - certbot_email: "" superuser_password: "" - - -ingress: - enabled: false - className: "" - annotations: {} - # kubernetes.io/ingress.class: nginx - # kubernetes.io/tls-acme: "true" - hosts: - - host: chart-example.local - paths: - - path: / - pathType: ImplementationSpecific - tls: [] - # - secretName: chart-example-tls - # hosts: - # - chart-example.local + externalport: 64738 + certbot_email: "benjam.gronmark_arkiproj@hotmail.com" + # You can set this to false if you have added cert-manaer support or have handled DNS before certbot tries to do stuff + disable_tls: true + users: 100 +# TODO: Add actual certmanager support before setting this to true +use_certmanager: false resources: {} # We usually recommend not to specify default resources and to leave this as a conscious
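Review bot: `certbot_email: "benjam.gronmark_arkiproj@hotmail.com"` puts a personal address into the chart defaults; because the value is now non-empty, the `required` guard on `.Values.mumble.certbot_email` in deployment.yaml can never fire, and every install that does not override it registers ACME accounts (staging ones, given `--test-cert`) under that address. Keep `certbot_email: ""` as before so the chart refuses to render without a real owner. The new defaults `type: LoadBalancer` together with `disable_tls: true` mean a plain `helm install` exposes the server publicly with `NO_TLS=1` set in the container; the comment above `disable_tls` describes it as something to switch off later, so the stricter setting should be the default and the relaxation opt-in, and `cert-manaer` in that comment is a typo for `cert-manager`. `use_certmanager` sits at top level while `disable_tls` sits under `mumble:`; keeping the TLS-related knobs in one place would make the values easier to review.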