145 lines
4.9 KiB
YAML
145 lines
4.9 KiB
YAML
{{ if and .Values.headscale.keys.create (not .Values.headscale.keys.existingSecret ) }}
|
|
{{ $name := (print ( include "headscale.fullname" . ) "-keys") }}
|
|
{{ $secretName := (print ( include "headscale.fullname" . ) "-keys") }}
|
|
---
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
annotations:
|
|
helm.sh/resource-policy: keep
|
|
name: {{ $name }}
|
|
type: Opaque
|
|
---
|
|
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: {{ $name }}
|
|
labels:
|
|
app.kubernetes.io/component: keys-job
|
|
{{- include "headscale.labels" . | nindent 4 }}
|
|
annotations:
|
|
"helm.sh/hook": "pre-install,pre-upgrade"
|
|
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: Role
|
|
metadata:
|
|
name: {{ $name }}
|
|
labels:
|
|
app.kubernetes.io/component: keys-job
|
|
{{- include "headscale.labels" . | nindent 4 }}
|
|
annotations:
|
|
"helm.sh/hook": "pre-install,pre-upgrade"
|
|
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
|
|
rules:
|
|
- apiGroups:
|
|
- ""
|
|
resources:
|
|
- secrets
|
|
resourceNames:
|
|
- {{ $secretName }}
|
|
verbs:
|
|
- get
|
|
- update
|
|
- patch
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: RoleBinding
|
|
metadata:
|
|
name: {{ $name }}
|
|
labels:
|
|
app.kubernetes.io/component: keys-job
|
|
{{- include "headscale.labels" . | nindent 4 }}
|
|
annotations:
|
|
"helm.sh/hook": "pre-install,pre-upgrade"
|
|
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: Role
|
|
name: {{ $name }}
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: {{ $name }}
|
|
namespace: {{ .Release.Namespace }}
|
|
---
|
|
apiVersion: batch/v1
|
|
kind: Job
|
|
metadata:
|
|
name: {{ $name }}
|
|
labels:
|
|
{{- include "headscale.labels" . | nindent 4 }}
|
|
annotations:
|
|
"helm.sh/hook": "pre-install,pre-upgrade"
|
|
"helm.sh/hook-delete-policy": "before-hook-creation,hook-succeeded"
|
|
spec:
|
|
template:
|
|
spec:
|
|
restartPolicy: "Never"
|
|
serviceAccount: {{ $name }}
|
|
initContainers:
|
|
- name: generate-key
|
|
{{- with .Values.image }}
|
|
image: "{{ .registry }}/{{ .repository }}:{{ .tag | default $.Chart.AppVersion }}-debug"
|
|
{{- end }}
|
|
imagePullPolicy: {{ .Values.image.pullPolicy }}
|
|
command:
|
|
- sh
|
|
- -c
|
|
- |
|
|
set -e
|
|
echo "generate private-keys"
|
|
headscale generate private-key --output json > /etc/headscale/secrets/wireguard.json
|
|
headscale generate private-key --output json > /etc/headscale/secrets/noise.json
|
|
headscale generate private-key --output json > /etc/headscale/secrets/derp.json
|
|
ls /etc/headscale/secrets/
|
|
volumeMounts:
|
|
- name: config
|
|
mountPath: "/etc/headscale"
|
|
readOnly: true
|
|
- mountPath: "/etc/headscale/secrets"
|
|
name: secrets
|
|
containers:
|
|
- name: upload-key
|
|
image: bitnami/kubectl
|
|
command:
|
|
- sh
|
|
- -c
|
|
- |
|
|
# check if key already exists
|
|
key=$(kubectl get secret {{ $secretName }} -o jsonpath="{.data}" 2> /dev/null)
|
|
[ $? -ne 0 ] && echo "Failed to get existing secret" && exit 1
|
|
if ! echo $key | jq -e 'has("wireguard.key")' 2> /dev/null ; then
|
|
echo "store wireguard.key"
|
|
kubectl patch secret {{ $secretName }} -p "{\"data\":{\"wireguard.key\":\"$(jq -r '.["private_key"] | split(":")[1] | @base64' /etc/headscale/secrets/wireguard.json)\"}}"
|
|
fi
|
|
if ! echo $key | jq -e 'has("noise.key")' 2> /dev/null ; then
|
|
echo "store noise.key"
|
|
kubectl patch secret {{ $secretName }} -p "{\"data\":{\"noise.key\":\"$(jq -r '.["private_key"] | @base64' /etc/headscale/secrets/noise.json)\"}}"
|
|
elif ! echo $key | jq -e '.["noise.key"] |@base64d | contains("privkey")' 2> /dev/null ; then
|
|
echo "patch noise.key"
|
|
newKey="privkey:$(echo $key | jq -r '.["noise.key"]|@base64d')"
|
|
kubectl patch secret {{ $secretName }} -p "{\"data\":{\"noise.key\":\"$(echo $newKey | base64 -w0)\"}}"
|
|
fi
|
|
if ! echo $key | jq -e 'has("derp.key")' 2> /dev/null ; then
|
|
echo "store derp.key"
|
|
kubectl patch secret {{ $secretName }} -p "{\"data\":{\"derp.key\":\"$(jq -r '.["private_key"] | @base64' /etc/headscale/secrets/derp.json)\"}}"
|
|
fi
|
|
[ $? -ne 0 ] && echo "Failed to update secret." && exit 1
|
|
echo "Signing key successfully created."
|
|
volumeMounts:
|
|
- mountPath: /etc/headscale/secrets
|
|
name: secrets
|
|
readOnly: true
|
|
volumes:
|
|
- name: config
|
|
secret:
|
|
secretName: {{ include "headscale.fullname" . }}
|
|
items:
|
|
- key: "config.yaml"
|
|
path: "config.yaml"
|
|
- name: secrets
|
|
emptyDir: {}
|
|
parallelism: 1
|
|
completions: 1
|
|
backoffLimit: 1
|
|
{{ end }}
|