⚠️ Complete refactor to sync with gravitl/netmaker-helm latest changes

Merge pull request #7 from small-hack/fix/posgres

.github/workflows/ci-helm-lint-test.yml

@@ -0,0 +1,52 @@
+name: Lint and Test Chart
+
+on:
+  pull_request:
+    paths:
+      - 'charts/netmaker/**'
+
+permissions:
+  contents: read
+
+jobs:
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: "0"
+
+      - name: Install Helm
+        uses: azure/setup-helm@v4
+
+      - name: Add dependency chart repos
+        run: |
+          helm repo add bitnami https://charts.bitnami.com/bitnami
+
+      - name: Set up chart-testing
+        uses: helm/[email protected]
+
+      - name: Run chart-testing (list-changed)
+        id: list-changed
+        run: |
+          changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }})
+          if [[ -n "$changed" ]]; then
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Run chart-testing (lint)
+        id: lint
+        if: steps.list-changed.outputs.changed == 'true'
+        run: ct lint --target-branch ${{ github.event.repository.default_branch }}
+
+      - name: Create kind cluster
+        uses: helm/[email protected]
+        if: steps.list-changed.outputs.changed == 'true'
+
+      - name: Run chart-testing (install)
+        id: install
+        if: steps.list-changed.outputs.changed == 'true'
+        run: |
+            ct install --target-branch ${{ github.event.repository.default_branch }}

.github/workflows/renovate.yml

@@ -1,17 +1,31 @@
-name: Renovate - check for dependency updates
+name: Renovate
 on:
   schedule:
     # The "*" (#42, asterisk) character has special semantics in YAML, so this
     # string has to be quoted.
-    - cron: '1 * * * *'
+    - cron: '0/15 * * * *'
+  push:
+    branches:
+      - main
+    paths:
+      - ".github/workflows/renovate.yml"
+      - "renovate.json"
 jobs:
   renovate:
     runs-on: ubuntu-latest
     steps:
+      - name: Get token
+        id: get_token
+        uses: tibdex/github-app-token@v2
+        with:
+          private_key: ${{ secrets.private_key }}
+          app_id: ${{ secrets.app_id }}
+
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/[email protected]
+
       - name: Self-hosted Renovate
-        uses: renovatebot/github-action@v39.0.1
+        uses: renovatebot/github-action@v40.1.5
         with:
-          token: ${{ secrets.RENOVATE_TOKEN }}
-          configurationFile: .github/config.js
+          configurationFile: renovate.json
+          token: '${{ steps.get_token.outputs.token }}'

.pre-commit-config.yaml

@@ -0,0 +1,16 @@
+repos:
+  # update the chart README.md with the comments from values.yaml
+  - repo: https://github.com/norwoodj/helm-docs
+    rev: v1.13.1
+    hooks:
+      - id: helm-docs
+  # helm lint and markdown link verifier
+  - repo: https://github.com/gruntwork-io/pre-commit
+    rev: v0.1.23 
+    hooks:
+      - id: helmlint
+  # detect any secrets that may be committed before they're committed
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.18.2
+    hooks:
+      - id: gitleaks

charts/netmaker/Chart.lock

@@ -1,6 +1,6 @@
 dependencies:
 - name: postgresql
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 12.8.0
-digest: sha256:d30a9afa794d29fe3b3f564c1fafd89030705ac4d5a77c99843235449525a152
-generated: "2023-08-07T23:04:08.264324788Z"
+  version: 15.1.2
+digest: sha256:0766b5084b914ac9e7edb772078003b4727ed87c986b9265172777a14ff0b5be
+generated: "2024-03-24T11:32:00.096443+01:00"

charts/netmaker/Chart.yaml

@@ -15,16 +15,24 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.9.0
+version: 0.10.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "v0.20.3"
+appVersion: "v0.21.2"
+
+maintainers:
+  - name: "jessebot"
+    email: "[email protected]"
+    url: "https://github.com/jessebot/"
+  - name: "cloudymax"
+    email: "[email protected]"
+    url: "https://github.com/cloudymax/"
 
 dependencies:
   - name: postgresql
-    version: 12.9.0
+    version: 15.1.2
     repository: oci://registry-1.docker.io/bitnamicharts
     condition: postgresql.enabled

charts/netmaker/README.md

@@ -1,95 +1,114 @@
 # netmaker
 
-![Version: 0.9.0](https://img.shields.io/badge/Version-0.9.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.20.3](https://img.shields.io/badge/AppVersion-v0.20.3-informational?style=flat-square)
+![Version: 0.10.0](https://img.shields.io/badge/Version-0.10.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.21.2](https://img.shields.io/badge/AppVersion-v0.21.2-informational?style=flat-square)
 
 A Helm chart to run HA Netmaker on Kubernetes
 
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| jessebot | <[email protected]> | <https://github.com/jessebot/> |
+| cloudymax | <[email protected]> | <https://github.com/cloudymax/> |
+
 ## Requirements
 
 | Repository | Name | Version |
 |------------|------|---------|
-| oci://registry-1.docker.io/bitnamicharts | postgresql | 12.9.0 |
+| oci://registry-1.docker.io/bitnamicharts | postgresql | 15.1.2 |
 
 ## Values
 
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
-| baseDomain | string | `"example.com"` |  |
-| dns.RWX.storageClassName | string | `""` |  |
+| affinity | object | `{}` | optional affinity settings for netmaker |
+| api.ingress.annotations | object | `{}` | annotations for the netmaker API ingress object |
+| api.ingress.className | string | `"nginx"` | api ingress className |
+| api.ingress.enabled | bool | `true` | attempts to configure ingress if true |
+| api.ingress.host | string | `"api.cluster.local"` | api (REST) route subdomain |
+| api.ingress.tls | list | `[]` | ingress api tls list |
+| api.service.port | int | `8081` | port for API service |
+| api.service.targetPort | int | `8081` | targetport for API service |
+| api.service.type | string | `"ClusterIP"` | type for netmaker server services |
 | dns.enabled | bool | `false` | whether or not to deploy coredns |
-| dns.existingClaim | string | `""` |  |
-| dns.storageSize | string | `"128Mi"` |  |
+| dns.persistence.accessMode | string | `"ReadWriteOnce"` |  |
+| dns.persistence.existingClaim | string | `""` | existingClaim, if not set, defaults to HELM.RELEASE.NAME-dns |
+| dns.persistence.storage | string | `"1Gi"` |  |
+| dns.persistence.storageClassName | string | `""` |  |
 | externalDatabase.database | string | `"netmaker"` | postgress db |
-| externalDatabase.existingSecret | string | `""` |  |
+| externalDatabase.existingSecret | string | `""` | use existing secret for netmaker db credentials, must have the following keys: SQL_PASS, SQL_HOST, SQL_PORT, SQL_USER, SQL_DB |
 | externalDatabase.host | string | `"external.postgres.url"` | postgres host |
 | externalDatabase.password | string | `""` | postgres pass for netmaker user. ignored if existingSecret is set |
 | externalDatabase.port | int | `5432` | postgres hosts port |
-| externalDatabase.secretKeys.passwordKey | string | `""` |  |
 | externalDatabase.type | string | `"postgresql"` |  |
 | externalDatabase.username | string | `"netmaker"` | postgres username |
 | fullnameOverride | string | `""` | override the full name for netmaker objects |
 | image.pullPolicy | string | `"IfNotPresent"` | Pull Policy for images |
 | image.repository | string | `"gravitl/netmaker"` | The image repo to pull Netmaker image from |
-| ingress.annotations.base."kubernetes.io/ingress.allow-http" | string | `"false"` | annotation to generate ACME certs if available |
-| ingress.annotations.mq | object | `{}` |  |
-| ingress.annotations.nginx."nginx.ingress.kubernetes.io/rewrite-target" | string | `"/"` | destination addr for route |
-| ingress.annotations.nginx."nginx.ingress.kubernetes.io/ssl-redirect" | string | `"true"` | Redirect http to https |
-| ingress.annotations.rest | object | `{}` |  |
-| ingress.annotations.tls."kubernetes.io/tls-acme" | string | `"true"` | use acme cert if available |
-| ingress.annotations.traefik."traefik.ingress.kubernetes.io/redirect-entry-point" | string | `"https"` | Redirect to https |
-| ingress.annotations.traefik."traefik.ingress.kubernetes.io/redirect-permanent" | string | `"true"` | Redirect to https permanently |
-| ingress.annotations.traefik."traefik.ingress.kubernetes.io/rule-type" | string | `"PathPrefixStrip"` | rule type |
-| ingress.annotations.ui | object | `{}` |  |
-| ingress.className | string | `"nginx"` |  |
-| ingress.enabled | bool | `true` | attempts to configure ingress if true |
-| ingress.hostPrefix.broker | string | `"broker."` | mqtt route subdomain |
-| ingress.hostPrefix.rest | string | `"api."` | api (REST) route subdomain |
-| ingress.hostPrefix.ui | string | `"dashboard."` | ui route subdomain |
-| ingress.tls.enabled | bool | `false` |  |
-| ingress.tls.issuerName | string | `"letsencrypt-prod"` |  |
-| mq.RWX.storageClassName | string | `""` |  |
-| mq.existingClaim | string | `""` |  |
-| mq.existingSecret | string | `""` |  |
-| mq.password | string | `"3yyerWGdds43yegGR"` |  |
-| mq.replicas | int | `1` | how many MQTT replicas to create change to 2 or more and set singlenode to false if needed |
-| mq.secretKey | string | `""` |  |
-| mq.singlenode | bool | `true` |  |
-| mq.storageSize | string | `"128Mi"` |  |
+| mq.affinity | object | `{}` | optional affinity settings for mqtt |
+| mq.existingSecret | string | `""` | name of an existing secret to use for mq password. If set, ignores mq.password, mq.username secret keys must be: MQ_PASSWORD, MQ_USERNAME |
+| mq.generateCert | bool | `false` |  |
+| mq.ingress.annotations | object | `{}` | annotations for the mqtt ingress object |
+| mq.ingress.className | string | `"nginx"` |  |
+| mq.ingress.enabled | bool | `true` | attempts to configure ingress if true |
+| mq.ingress.host | string | `"broker.cluster.local"` | hostname for mqtt ingress |
+| mq.ingress.tls | list | `[]` | ingress tls list |
+| mq.password | string | `""` |  |
+| mq.replicas | int | `1` | how many MQTT replicas to create |
+| mq.service.port | int | `443` | port for MQTT service |
+| mq.service.targetPort | int | `8883` | Target port for MQTT service |
+| mq.service.type | string | `"ClusterIP"` | type for netmaker server services |
+| mq.tolerations | object | `{}` | optional tolerations settings for mqtt |
 | mq.username | string | `"netmaker"` |  |
 | nameOverride | string | `""` | override the name for netmaker objects |
-| oauth.enabled | bool | `false` |  |
-| oauth.existingSecret | string | `""` |  |
-| oauth.provider | string | `"oidc"` |  |
-| oauth.secretKeys.clientID | string | `nil` |  |
-| oauth.secretKeys.clientSecret | string | `nil` |  |
-| oauth.secretKeys.frontendURL | string | `nil` |  |
-| oauth.secretKeys.issuer | string | `nil` |  |
-| persistence.sharedData.existingClaim | string | `""` |  |
+| netmaker.enterprise | object | `{"licenseKey":"","tenantId":""}` | if using enterprise edition fill out this section |
+| netmaker.enterprise.licenseKey | string | `""` | netmaker enterprise license key, ignored if netmaker.existingSecret set |
+| netmaker.enterprise.tenantId | string | `""` | netmaker enterprise tenant ID, ignored if netmaker.existingSecret set |
+| netmaker.existingSecret | string | `""` | if set ignores netmaker.masterKey and enterprise.* must have key called MASTER_KEY, optionally for enterprise must have key: LICENSE_KEY, NETMAKER_TENANT_ID |
+| netmaker.jwtDuration | int | `43200` | Duration of JWT token validity in seconds |
+| netmaker.masterKey | string | `"netmaker"` | ignored if netmaker.masterKeyExistingSecret is set |
+| netmaker.oauth.azureTenant | string | `""` | azureTenant if using azure for oauth - ignored if netmaker.oauth.existingSecret is set |
+| netmaker.oauth.clientID | string | `""` | client id if using oidc - ignored if netmaker.oauth.existingSecret is set |
+| netmaker.oauth.clientSecret | string | `""` | client secret if using oidc - ignored if netmaker.oauth.existingSecret is set |
+| netmaker.oauth.enabled | bool | `false` |  |
+| netmaker.oauth.existingSecret | string | `""` | existing secret for oauth, must have the following keys: CLIENT_ID, CLIENT_SECRET, OIDC_ISSUER, and optionally AZURE_TENANT ignores plane text values if this is set |
+| netmaker.oauth.issuer | string | `""` | oidc issuer - ignored if netmaker.oauth.existingSecret is set |
+| netmaker.oauth.provider | string | `"oidc"` | AUTH_PROVIDER: must be one of: azure-ad|github|google|oidc |
+| netmaker.racAutoDisable | string | `"true"` | Auto disable a user's connecteds clients bassed on JWT token expiration |
+| netmaker.serverName | string | `"cluster.local"` |  |
 | podAnnotations | object | `{}` | pod annotations to add |
 | podSecurityContext | object | `{}` | pod security contect to add |
 | postgresql.auth.database | string | `"netmaker"` |  |
-| postgresql.auth.existingSecret | string | `""` |  |
+| postgresql.auth.existingSecret | string | `""` | use existing secret for netmaker db credentials, must have the following keys: SQL_PASS, SQL_HOST, SQL_PORT, SQL_USER, SQL_DB |
 | postgresql.auth.password | string | `""` |  |
-| postgresql.auth.secretKeys.adminPasswordKey | string | `""` |  |
-| postgresql.auth.secretKeys.userPasswordKey | string | `""` |  |
+| postgresql.auth.primary.persistence.enabled | bool | `true` |  |
 | postgresql.auth.username | string | `"netmaker"` |  |
 | postgresql.enabled | bool | `true` |  |
-| postgresql.persistence.existingClaim | string | `""` |  |
 | replicas | int | `1` | number of netmaker server replicas to create |
-| service.mqPort | int | `443` | port for MQTT service |
-| service.restPort | int | `8081` | port for API service |
-| service.type | string | `"ClusterIP"` | type for netmaker server services |
-| service.uiPort | int | `80` | port for UI service |
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account |
 | serviceAccount.create | bool | `true` | Specifies whether a service account should be created |
 | serviceAccount.name | string | `""` | Name of SA to use. If not set and create is true, a name is generated using the fullname template |
 | setIpForwarding.enabled | bool | `true` |  |
+| shared_data.persistence.accessMode | string | `"ReadWriteMany"` |  |
+| shared_data.persistence.existingClaim | string | `""` | name of existing PVC claim to use. if set, storageClassName is ignored |
+| shared_data.persistence.storage | string | `"128Mi"` |  |
+| shared_data.persistence.storageClassName | string | `""` |  |
+| tolerations | object | `{}` | optional tolerations settings for netmaker |
+| turn.apiHost | string | `""` |  |
+| turn.enabled | bool | `false` | use an external turn server |
+| turn.existingSecret | string | `""` | existing secret with turn server info. Must have the following keys: TURN_SERVER_HOST, TURN_SERVER_API_HOST, TURN_PORT, TURN_USERNAME, TURN_PASSWORD |
+| turn.host | string | `""` |  |
+| turn.password | string | `""` |  |
+| turn.username | string | `""` |  |
+| ui.ingress.annotations | object | `{}` | annotations for the netmaker UI ingress object |
+| ui.ingress.className | string | `"nginx"` | UI ingress className |
+| ui.ingress.enabled | bool | `true` | attempts to configure ingress if true |
+| ui.ingress.host | string | `"dashboard.cluster.local"` | hostname for mqtt ingress |
+| ui.ingress.tls | list | `[]` | ingress tls list |
 | ui.replicas | int | `1` | how many UI replicas to create |
-| wireguard.enabled | bool | `true` | whether or not to use WireGuard on server |
-| wireguard.kernel | bool | `false` | whether or not to use Kernel WG (should be false unless WireGuard is installed on hosts). |
-| wireguard.networkLimit | int | `10` | max number of networks that Netmaker will support if running with WireGuard enabled |
-| wireguard.service.annotations | object | `{}` |  |
-| wireguard.service.serviceType | string | `"NodePort"` |  |
+| ui.service.port | int | `80` | port for UI service |
+| ui.service.targetport | int | `80` | target port for UI service |
+| ui.service.type | string | `"ClusterIP"` | type for netmaker server services |
 
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
+Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1)

charts/netmaker/templates/_helpers.tpl

@@ -144,3 +144,60 @@ Database for postgresql
 {{- index .Values "externalDatabase" "database" }}
 {{- end }}
 {{- end }}
+
+{{/*
+netmaker db secret
+*/}}
+{{- define "netmaker.db.secret" -}}
+{{- if .Values.postgresql.auth.existingSecret -}}
+{{ .Values.postgresql.auth.existingSecret }}
+{{- else if .Values.externalDatabase.existingSecret -}}
+{{ .Values.externalDatabase.existingSecret }}
+{{- else -}}
+db-secret
+{{- end }}
+{{- end }}
+
+{{/*
+netmaker secret
+*/}}
+{{- define "netmaker.secret" -}}
+{{- if .Values.netmaker.existingSecret -}}
+{{ .Values.netmaker.existingSecret }}
+{{- else -}}
+netmaker-secret
+{{- end }}
+{{- end }}
+
+{{/*
+mqtt (broker) secret
+*/}}
+{{- define "netmaker.mq.secret" -}}
+{{- if .Values.mq.existingSecret -}}
+{{ .Values.mq.existingSecret }}
+{{- else -}}
+mq-secret
+{{- end }}
+{{- end }}
+
+{{/*
+netmaker oauth secret
+*/}}
+{{- define "netmaker.oauth.secret" -}}
+{{- if .Values.netmaker.oauth.existingSecret -}}
+{{ .Values.netmaker.oauth.existingSecret }}
+{{- else -}}
+netmaker-oauth-secret
+{{- end }}
+{{- end }}
+
+{{/*
+netmaker turn secret
+*/}}
+{{- define "netmaker.turn.secret" -}}
+{{- if .Values.netmaker.turn.existingSecret -}}
+{{ .Values.netmaker.turn.existingSecret }}
+{{- else -}}
+turn-secret
+{{- end }}
+{{- end }}