Merge pull request #15 from foomo/beam-0.2.x

feat(beam): extend cloudflared
foomo · Aug 18, 2024 · c7096b4 · c7096b4
2 parents 2f857a0 + 8c5695e
commit c7096b4
Show file tree

Hide file tree

Showing 14 changed files with 578 additions and 67 deletions.
diff --git a/charts/beam/Chart.lock b/charts/beam/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: pinniped
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 2.2.10
-digest: sha256:f794bb9f303c14b6cbce2144c3265b1838146c1023b62d531b20e703b3e44696
-generated: "2024-07-17T09:32:44.477537+02:00"
+  version: 2.2.15
+digest: sha256:c394b2c94fbe832eced33555535bdb612f13d2c4c720f37a6f79d5130c2625e0
+generated: "2024-08-13T14:27:29.117583+02:00"
diff --git a/charts/beam/Chart.yaml b/charts/beam/Chart.yaml
@@ -18,10 +18,10 @@ annotations:
 dependencies:
   - name: pinniped
     alias: pinniped
-    version: 2.2.10
+    version: 2.2.15
     repository: "oci://registry-1.docker.io/bitnamicharts"
     condition: pinniped.enabled
-version: 0.1.2
-appVersion: 0.1.2
+version: 0.2.0
+appVersion: 0.2.0
 
 
diff --git a/charts/beam/README.md b/charts/beam/README.md
@@ -1,6 +1,6 @@
 # beam
 
-![Version: 0.1.2](https://img.shields.io/badge/Version-0.1.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.1.2](https://img.shields.io/badge/AppVersion-0.1.2-informational?style=flat-square)
+![Version: 0.2.0](https://img.shields.io/badge/Version-0.2.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.2.0](https://img.shields.io/badge/AppVersion-0.2.0-informational?style=flat-square)
 
 Secure infrastructure access
 
@@ -107,14 +107,25 @@ HTTPS_PROXY=socks5://127.0.0.1:1234 kubectl get namespaces --kubeconfig "beam-ku
 
 | Repository | Name | Version |
 |------------|------|---------|
-| oci://registry-1.docker.io/bitnamicharts | pinniped(pinniped) | 2.2.10 |
+| oci://registry-1.docker.io/bitnamicharts | pinniped(pinniped) | 2.2.15 |
 
 ## Values
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
+| cloudflared.account | string | `""` |  |
 | cloudflared.affinity | object | `{}` | Affinity settings for pods. |
+| cloudflared.autoscaling.behavior.enabled | bool | `false` | Enable autoscaling behaviours |
+| cloudflared.autoscaling.behavior.scaleDown | object | `{}` | Scale down policies, must conform to HPAScalingRules |
+| cloudflared.autoscaling.behavior.scaleUp | object | `{}` | Scale up policies, must conform to HPAScalingRules |
+| cloudflared.autoscaling.customMetrics | list | `[]` | Custom metrics using the HPA/v2 schema (for example, Pods, Object or External metrics) |
+| cloudflared.autoscaling.enabled | bool | `false` | Enable autoscaling |
+| cloudflared.autoscaling.maxReplicas | int | `9` | Maximum autoscaling replicas |
+| cloudflared.autoscaling.minReplicas | int | `1` | Minimum autoscaling replicas |
+| cloudflared.autoscaling.targetCPUUtilizationPercentage | int | `80` | Target CPU utilisation percentage |
+| cloudflared.autoscaling.targetMemoryUtilizationPercentage | string | `nil` | Target memory utilisation percentage |
 | cloudflared.dnsConfig | object | `{}` | DNSConfig settings for pods. |
+| cloudflared.enableWarp | bool | `false` |  |
 | cloudflared.enabled | bool | `false` |  |
 | cloudflared.extraEnv | list | `[]` | Environment variables to add |
 | cloudflared.extraEnvFrom | list | `[]` | Environment variables from secrets or configmaps to add |
@@ -123,25 +134,30 @@ HTTPS_PROXY=socks5://127.0.0.1:1234 kubectl get namespaces --kubeconfig "beam-ku
 | cloudflared.hostAliases | list | `[]` | Host aliases to add |
 | cloudflared.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
 | cloudflared.image.repository | string | `"cloudflare/cloudflared"` | The image repository |
-| cloudflared.image.tag | string | `"2024.6.1"` | The image tag |
+| cloudflared.image.tag | string | `"2024.8.2"` | The image tag |
 | cloudflared.imagePullSecrets | list | `[]` | Image pull secrets |
+| cloudflared.ingress | list | `[]` |  |
 | cloudflared.livenessProbe.failureThreshold | int | `1` |  |
 | cloudflared.livenessProbe.httpGet.path | string | `"/ready"` |  |
-| cloudflared.livenessProbe.httpGet.port | int | `3100` |  |
+| cloudflared.livenessProbe.httpGet.port | int | `2000` |  |
 | cloudflared.livenessProbe.initialDelaySeconds | int | `10` |  |
 | cloudflared.livenessProbe.periodSeconds | int | `10` |  |
 | cloudflared.maxUnavailable | string | `nil` | Pod Disruption Budget maxUnavailable |
 | cloudflared.nodeSelector | object | `{}` | Tolerations settings for pods. |
 | cloudflared.podAnnotations | object | `{}` | Annotations for pods |
 | cloudflared.podLabels | object | `{}` | Labels for pods |
-| cloudflared.podSecurityContext | object | `{}` | The SecurityContext for pods |
+| cloudflared.podSecurityContext | object | `{}` | The SecurityContext for pods Security items common to everything in the pod.  Here we require that it does not run as the user defined in the image, literally named "nonroot". |
 | cloudflared.readinessProbe.httpGet.path | string | `"/ready"` |  |
-| cloudflared.readinessProbe.httpGet.port | int | `3100` |  |
-| cloudflared.replicaCount | int | `1` | Number of replicas |
+| cloudflared.readinessProbe.httpGet.port | int | `2000` |  |
+| cloudflared.replicaCount | int | `2` | Number of replicas |
 | cloudflared.resources | object | `{}` | Resource request & limits. |
-| cloudflared.securityContext | object | `{}` |  |
-| cloudflared.token | string | `"TOKEN-HERE"` |  |
+| cloudflared.secret | string | `""` |  |
+| cloudflared.securityContext.allowPrivilegeEscalation | bool | `false` |  |
+| cloudflared.securityContext.capabilities.drop[0] | string | `"ALL"` |  |
+| cloudflared.securityContext.readOnlyRootFilesystem | bool | `true` |  |
 | cloudflared.tolerations | list | `[]` | Tolerations settings for pods. |
+| cloudflared.tunnelId | string | `""` |  |
+| cloudflared.tunnelName | string | `""` |  |
 | cloudflaredSidecars | list | `[]` | - Additional cloudflared sidecars |
 | cloudflaredSplitter.beams | object | `{}` | - List of additional enpoints beams:   kubectl: your-cloud-provider-k8s-api |
 | cloudflaredSplitter.enabled | bool | `false` | - Enable cloudflared splitter |
@@ -151,6 +167,8 @@ HTTPS_PROXY=socks5://127.0.0.1:1234 kubectl get namespaces --kubeconfig "beam-ku
 | cloudflaredSplitter.image.pullPolicy | string | `"IfNotPresent"` | The image pull policy |
 | cloudflaredSplitter.image.repository | string | `"nginx"` | The image repository |
 | cloudflaredSplitter.image.tag | string | `"1.27.0"` | The image tag |
+| cloudflaredSplitter.livenessProbe | object | `{}` |  |
+| cloudflaredSplitter.readinessProbe | object | `{}` |  |
 | cloudflaredSplitter.resources | object | `{}` | Resource request & limits. |
 | cloudflaredSplitter.securityContext | object | `{}` | - Security context |
 | fullnameOverride | string | `""` | Overrides the chart's computed fullname |
@@ -165,4 +183,21 @@ HTTPS_PROXY=socks5://127.0.0.1:1234 kubectl get namespaces --kubeconfig "beam-ku
 | pinniped.supervisor.federationDomains | object | `{}` | - Federation Domains to create in the supervisor cluster federationDomains:   cluster:     tlsSecretName: tls-secret-name     issuer: https://beam.your-domain.com/issuer-path     identityProviders:       foomo:         teams:           - organization/team-devs           - organization/team-devops |
 | pinniped.supervisor.githubProviders | object | `{}` | - GitHub Providers to create in the supervisor cluster githubProviders:   foomo:     clientId: id     clientSecret: secret |
 | revisionHistoryLimit | int | `10` | Number of revisions to retain to allow rollback |
+| serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
+| serviceAccount.automount | bool | `true` | Automatically mount a ServiceAccount's API credentials? |
+| serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
+| serviceAccount.name | string | `""` | If not set and create is true, a name is generated using the fullname template |
+| serviceMonitor.annotations | object | `{}` | ServiceMonitor annotations |
+| serviceMonitor.enabled | bool | `false` | If enabled, ServiceMonitor resources for Prometheus Operator are created |
+| serviceMonitor.interval | string | `nil` | ServiceMonitor scrape interval |
+| serviceMonitor.labels | object | `{}` | Additional ServiceMonitor labels |
+| serviceMonitor.matchExpressions | list | `[]` | Optional expressions to match on |
+| serviceMonitor.metricRelabelings | list | `[]` | ServiceMonitor metric relabel configs to apply to samples before ingestion https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#endpoint |
+| serviceMonitor.namespace | string | `nil` | Alternative namespace for ServiceMonitor resources |
+| serviceMonitor.namespaceSelector | object | `{}` | Namespace selector for ServiceMonitor resources |
+| serviceMonitor.relabelings | list | `[]` | ServiceMonitor relabel configs to apply to samples before scraping https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/api.md#relabelconfig |
+| serviceMonitor.scheme | string | `"http"` | ServiceMonitor will use http by default, but you can pick https as well |
+| serviceMonitor.scrapeTimeout | string | `nil` | ServiceMonitor scrape timeout in Go duration format (e.g. 15s) |
+| serviceMonitor.targetLabels | list | `[]` |  |
+| serviceMonitor.tlsConfig | string | `nil` | ServiceMonitor will use these tlsConfig settings to make the health check requests |
 
diff --git a/charts/beam/templates/_helpers.tpl b/charts/beam/templates/_helpers.tpl
@@ -50,6 +50,18 @@ app.kubernetes.io/name: {{ include "beam.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "beam.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "beam.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
 {{/*
 Create the name of the namespace
 */}}

diff --git a/charts/beam/templates/cloudflared/configmap.yaml b/charts/beam/templates/cloudflared/configmap.yaml
@@ -1,17 +1,41 @@
-{{- if .Values.cloudflaredSplitter.enabled }}
-apiVersion: v1
+{{- if .Values.cloudflared.enabled }}
+  apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ include "beam.cloudflared.splitter.fullname" . }}
+  name: {{ include "beam.cloudflared.fullname" . }}
   labels:
-    {{- include "beam.cloudflared.splitter.labels" . | nindent 4 }}
+    {{- include "beam.cloudflared.labels" . | nindent 4 }}
   namespace: {{ include "beam.namespace" . }}
 data:
+  config.yaml: |
+    # Name of the tunnel you want to run
+    tunnel: {{ .Values.cloudflared.tunnelName }}
+    # The location of the secret containing the tunnel credentials
+    credentials-file: /etc/cloudflared/creds/credentials.json
+    # General purpose TCP routing for the network
+    warp-routing:
+      enabled: {{ .Values.cloudflared.enableWarp }}
+    # Serves the metrics server under /metrics and the readiness server under /ready
+    metrics: 0.0.0.0:2000
+    # Autoupdates applied in a k8s pod will be lost when the pod is removed or restarted, so
+    # autoupdate doesn't make sense in Kubernetes. However, outside of Kubernetes, we strongly
+    # recommend using autoupdate.
+    no-autoupdate: true
+    # The `ingress` block tells cloudflared which local service to route incoming
+    # requests to. For more about ingress rules, see
+    # https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/configuration/ingress
+    ingress:
+      {{- with .Values.cloudflared.ingress }}
+      {{- toYaml . | nindent 6 }}
+      {{- end }}
+      # This rule matches any traffic which didn't match a previous rule, and responds with HTTP 404.
+      - service: http_status:404
+  {{- if .Values.cloudflaredSplitter.enabled }}
   nginx.conf: |
     user  nginx;
     worker_processes  auto;
 
-    error_log  /var/log/nginx/error.log notice;
+    error_log  /dev/stdout notice;
     pid        /var/run/nginx.pid;
     events {
       worker_connections  1024;
@@ -23,7 +47,7 @@ data:
                         '$status $body_bytes_sent "$http_referer" '
                         '"$http_user_agent" "$http_x_forwarded_for"';
 
-      access_log  /var/log/nginx/access.log  main;
+      access_log  /dev/stdout  main;
       sendfile        on;
       keepalive_timeout  65;
     }
@@ -35,7 +59,7 @@ data:
         {{- if .Values.pinniped.concierge.enabled }}
         {{ include "beam.fullname" $ }}-pinniped-concierge-impersonation-proxy-cluster-ip.{{ .Release.Namespace }} concierge;
         {{- range $k, $v := .Values.pinniped.concierge.jwtAuths }}
-        {{ get (urlParse $v.issuer) "host" }} supervisor-{{ $k }};
+        {{ get (urlParse $v.issuer) "host" }} jwt-auth-{{ $k }};
         {{- end }}
         {{- end }}
         {{- range $k, $v := .Values.cloudflaredSplitter.beams }}
@@ -49,7 +73,7 @@ data:
         server {{ include "beam.fullname" $ }}-pinniped-concierge-impersonation-proxy-cluster-ip.{{ .Release.Namespace }}:443;
       }
       {{- range $k, $v := .Values.pinniped.concierge.jwtAuths }}
-      upstream supervisor-{{ $k }} {
+      upstream jwt-auth-{{ $k }} {
         server {{ get (urlParse $v.issuer) "host" }}:443;
       }
       {{- end }}
@@ -69,4 +93,5 @@ data:
         ssl_preread on;
       }
     }
+  {{- end }}
 {{- end }}
diff --git a/charts/beam/templates/cloudflared/deployment.yaml b/charts/beam/templates/cloudflared/deployment.yaml
@@ -20,6 +20,9 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
       annotations:
+        # These are here so the deployment rolls when the config or secret change.
+        checksum/configmap: {{ include (print $.Template.BasePath "/cloudflared/configmap.yaml") . | sha256sum }}
+        checksum/secret: {{ include (print $.Template.BasePath "/cloudflared/secret.yaml") . | sha256sum }}
         {{- with .Values.cloudflared.podAnnotations }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -28,33 +31,28 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      serviceAccountName: {{ include "beam.serviceAccountName" . }}
       {{- with .Values.cloudflared.hostAliases }}
       hostAliases:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- with .Values.cloudflared.podSecurityContext }}
       securityContext:
-        {{- toYaml . | nindent 8 }}
-      {{- end }}
+        {{- toYaml .Values.cloudflared.podSecurityContext | nindent 8 }}
       containers:
       - name: cloudflared
         {{- with .Values.cloudflared.image }}
         image: "{{ .repository }}:{{ .tag }}"
         imagePullPolicy: {{ .pullPolicy }}
         {{- end }}
-        command:
-          - cloudflared
+        args:
           - tunnel
-          - --metrics
-          - 0.0.0.0:3100
-          - --no-autoupdate
+          # Points cloudflared to the config file, which configures what
+          # cloudflared will actually do. This file is created by a ConfigMap.
+          - --config
+          - /etc/cloudflared/config/config.yaml
           - run
-          - --token
-          - {{ .Values.cloudflared.token }}
-        {{- with .Values.cloudflared.securityContext }}
         securityContext:
-          {{- toYaml . | nindent 12 }}
-        {{- end }}
+          {{- toYaml .Values.cloudflared.securityContext | nindent 12 }}
         ports:
           - name: http-metrics
             containerPort: 3100
@@ -75,10 +73,19 @@ spec:
         resources:
           {{- toYaml . | nindent 12 }}
         {{- end }}
-        {{- with .Values.cloudflared.extraVolumeMounts }}
         volumeMounts:
+          - name: config
+            mountPath: /etc/cloudflared/config
+            readOnly: true
+          # Each tunnel has an associated "credentials file" which authorizes machines
+          # to run the tunnel. cloudflared will read this file from its local filesystem,
+          # and it'll be stored in a k8s secret.
+          - name: creds
+            mountPath: /etc/cloudflared/creds
+            readOnly: true
+          {{- with .Values.cloudflared.extraVolumeMounts }}
           {{- toYaml . | nindent 12 }}
-        {{- end }}
+          {{- end }}
       {{- with .Values.cloudflaredSidecars }}
       {{- toYaml . | nindent 6 }}
       {{- end }}
@@ -107,10 +114,14 @@ spec:
         envFrom:
           {{- toYaml . | nindent 12 }}
         {{- end }}
+        {{- with .Values.cloudflaredSplitter.readinessProbe }}
         readinessProbe:
-          {{- toYaml .Values.cloudflaredSplitter.readinessProbe | nindent 12 }}
+          {{- toYaml . | nindent 12 }}
+        {{- end }}
+        {{- with .Values.cloudflaredSplitter.livenessProbe }}
         livenessProbe:
-          {{- toYaml .Values.cloudflaredSplitter.livenessProbe | nindent 12 }}
+          {{- toYaml . | nindent 12 }}
+        {{- end }}
         {{- with .Values.cloudflaredSplitter.resources }}
         resources:
           {{- toYaml . | nindent 12 }}
@@ -123,12 +134,54 @@ spec:
           {{- end }}
       {{- end }}
       volumes:
+        - name: creds
+          secret:
+            secretName: {{ include "beam.cloudflared.fullname" . }}
+        - name: config
+          configMap:
+            name: {{ include "beam.cloudflared.fullname" . }}
+            items:
+              - key: config.yaml
+                path: config.yaml
         {{- if .Values.cloudflaredSplitter.enabled }}
         - name: splitter-config
           configMap:
-            name: {{ include "beam.cloudflared.splitter.fullname" . }}
+            name: {{ include "beam.cloudflared.fullname" . }}
+            items:
+              - key: nginx.conf
+                path: nginx.conf
         {{- end }}
         {{- with .Values.cloudflared.extraVolumes }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
+      {{- with .Values.cloudflared.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.cloudflared.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      affinity:
+         {{- with .Values.cloudflared.affinity }}
+         {{- toYaml . | nindent 8 }}
+         {{- else }}
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+            - weight: 10
+              podAffinityTerm:
+                topologyKey: kubernetes.io/hostname
+                labelSelector:
+                  matchExpressions:
+                   {{- range $k, $v := include "beam.cloudflared.selectorLabels" . | fromYaml }}
+                    - key: {{ $k }}
+                      operator: In
+                      values:
+                        - {{ $v }}
+                   {{- end }}
+      {{- end }}
+      {{- with .Values.cloudflared.dnsConfig }}
+      dnsConfig:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
 {{- end }}