Add helm chart

README.md

@@ -131,3 +131,13 @@ To install this DaemonSet:
 ```shell
 kubectl apply -f https://raw.githubusercontent.com/compumike/hairpin-proxy/v0.2.1/deploy-etchosts-daemonset.yml
 ```
+
+### Alternatively install via helm chart
+
+The helm chart installs both the controller and haproxy at one go.
+
+The chart creates a configMap for `haproxy.cfg` and mount it at `/usr/local/etc/haproxy/haproxy.cfg`. You might want to update the value of `haproxy.targetServer` to point to the correct ingress controller endpoint for your deployment.
+
+```shell
+helm --namespace hairpin-proxy install --create-namespace hairpin-proxy charts/hairpin-proxy
+```

charts/hairpin-proxy/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/hairpin-proxy/Chart.yaml

@@ -0,0 +1,9 @@
+apiVersion: v2
+name: hairpin-proxy
+description: Chart for the hairpin-proxy traffic reflector
+type: application
+version: 0.1.0
+appVersion: 0.2.1
+home: https://github.com/compumike/hairpin-proxy
+sources:
+ - https://github.com/compumike/hairpin-proxy

charts/hairpin-proxy/files/haproxy.cfg

@@ -0,0 +1,20 @@
+defaults
+timeout connect 5000ms
+timeout client 60000ms
+timeout server 60000ms
+
+frontend fe_8080
+bind *:8080
+mode tcp
+use_backend be_ingress_80
+backend be_ingress_80
+mode tcp
+server my_server "${TARGET_SERVER}:80" send-proxy
+
+frontend fe_8443
+bind *:8443
+mode tcp
+use_backend be_ingress_443
+backend be_ingress_443
+mode tcp
+server my_server "${TARGET_SERVER}:443" send-proxy

charts/hairpin-proxy/templates/NOTES.txt

@@ -0,0 +1,11 @@
+1. Get the application URL by running these commands:
+{{- if contains "NodePort" .Values.haproxy.service.type }}
+ export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "hairpin-proxy.fullname" . }})
+ export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+ echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "ClusterIP" .Values.haproxy.service.type }}
+ export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "hairpin-proxy.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+ export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
+ echo "Visit http://127.0.0.1:8080 to use your application"
+ kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
+{{- end }}

charts/hairpin-proxy/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "hairpin-proxy.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "hairpin-proxy.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "hairpin-proxy.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "hairpin-proxy.labels" -}}
+helm.sh/chart: {{ include "hairpin-proxy.chart" . }}
+{{ include "hairpin-proxy.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "hairpin-proxy.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "hairpin-proxy.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "hairpin-proxy.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "hairpin-proxy.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

charts/hairpin-proxy/templates/clusterrole.yaml

@@ -0,0 +1,19 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "hairpin-proxy.fullname" . }}
+ labels:
+ {{- include "hairpin-proxy.labels" . | nindent 4 }}
+rules:
+ - apiGroups:
+ - extensions
+ - networking.k8s.io
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+{{- end }}
+

charts/hairpin-proxy/templates/clusterrolebinding.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "hairpin-proxy.fullname" . }}
+ labels:
+ {{- include "hairpin-proxy.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "hairpin-proxy.fullname" . }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "hairpin-proxy.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}

charts/hairpin-proxy/templates/configmap.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "hairpin-proxy.fullname" . }}
+ labels:
+ app.kubernetes.io/component: haproxy
+ {{- include "hairpin-proxy.labels" . | nindent 4 }}
+data:
+{{ (.Files.Glob "files/*").AsConfig | indent 2 }}

charts/hairpin-proxy/templates/controller-deployment.yaml

@@ -0,0 +1,57 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "hairpin-proxy.fullname" . }}-controller
+ labels:
+ app.kubernetes.io/component: controller
+ {{- include "hairpin-proxy.labels" . | nindent 4 }}
+ annotations:
+ kube-score/ignore: deployment-has-poddisruptionbudget, deployment-has-host-podantiaffinity, pod-probes, container-security-context-user-group-id, pod-networkpolicy
+spec:
+ replicas: {{ .Values.replicaCount }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/component: controller
+ {{- include "hairpin-proxy.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/component: controller
+ {{- include "hairpin-proxy.selectorLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "hairpin-proxy.serviceAccountName" . }}
+ securityContext:
+ {{- toYaml .Values.controller.podSecurityContext | nindent 8 }}
+ containers:
+ - name: {{ .Chart.Name }}-controller
+ securityContext:
+ {{- toYaml .Values.controller.securityContext | nindent 12 }}
+ image: "{{ .Values.controller.image.repository }}:{{ .Values.controller.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.controller.image.pullPolicy }}
+ env:
+ - name: HAIRPIN_NAMESPACE
+ value: {{ .Release.Namespace }}
+ - name: HAIRPIN_SERVICE
+ value: {{ include "hairpin-proxy.fullname" . }}
+ resources:
+ {{- toYaml .Values.controller.resources | nindent 12 }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}

charts/hairpin-proxy/templates/haproxy-deployment.yaml

@@ -0,0 +1,73 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "hairpin-proxy.fullname" . }}-haproxy
+ labels:
+ app.kubernetes.io/component: haproxy
+ {{- include "hairpin-proxy.labels" . | nindent 4 }}
+ annotations:
+ kube-score/ignore: deployment-has-poddisruptionbudget, deployment-has-host-podantiaffinity, pod-probes, container-security-context-user-group-id, pod-networkpolicy
+spec:
+ replicas: {{ .Values.haproxy.replicaCount }}
+ selector:
+ matchLabels:
+ {{- include "hairpin-proxy.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ app.kubernetes.io/component: haproxy
+ {{- include "hairpin-proxy.selectorLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "hairpin-proxy.serviceAccountName" . }}
+ securityContext:
+ {{- toYaml .Values.haproxy.podSecurityContext | nindent 8 }}
+ containers:
+ - name: {{ .Chart.Name }}-haproxy
+ securityContext:
+ {{- toYaml .Values.haproxy.securityContext | nindent 12 }}
+ image: "{{ .Values.haproxy.image.repository }}:{{ .Values.haproxy.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.haproxy.image.pullPolicy }}
+ ports:
+ - name: http
+ containerPort: 8080
+ protocol: TCP
+ - name: https
+ containerPort: 8443
+ protocol: TCP
+ env:
+ - name: TARGET_SERVER
+ value: {{ .Values.haproxy.targetServer }}
+ volumeMounts:
+ - name: haproxycfg
+ mountPath: /usr/local/etc/haproxy
+ readinessProbe:
+ {{- toYaml .Values.haproxy.readinessProbe | nindent 12 }}
+ resources:
+ {{- toYaml .Values.haproxy.resources | nindent 12 }}
+ volumes:
+ - name: haproxycfg
+ configMap:
+ name: {{ include "hairpin-proxy.fullname" . }}
+ items:
+ - key: "haproxy.cfg"
+ path: "haproxy.cfg"
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}

charts/hairpin-proxy/templates/psp-role.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.podSecurityPolicy.enabled }}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ template "hairpin-proxy.fullname" . }}-psp
+ labels:
+{{- include "hairpin-proxy.labels" . | nindent 4 }}
+rules:
+- apiGroups: ['policy']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames:
+ - {{ template "hairpin-proxy.fullname" . }}
+{{- end }}

charts/hairpin-proxy/templates/psp-rolebinding.yaml

@@ -0,0 +1,17 @@
+{{- if .Values.podSecurityPolicy.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "hairpin-proxy.fullname" . }}-psp
+ labels:
+{{- include "hairpin-proxy.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "hairpin-proxy.fullname" . }}-psp
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "hairpin-proxy.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
+{{- end }}
+

charts/hairpin-proxy/templates/psp.yaml

@@ -0,0 +1,43 @@
+{{- if .Values.podSecurityPolicy.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ template "hairpin-proxy.fullname" . }}
+ labels:
+{{- include "hairpin-proxy.labels" . | nindent 4 }}
+ annotations:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+ seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
+spec:
+ privileged: false
+ allowPrivilegeEscalation: false
+ allowedCapabilities: []
+ readOnlyRootFilesystem: true
+ volumes:
+ - configMap
+ - emptyDir
+ - projected
+ - secret
+ - downwardAPI
+ - persistentVolumeClaim
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ rule: MustRunAs
+ ranges:
+ - min: 1
+ max: 65535
+ seLinux:
+ rule: RunAsAny
+ supplementalGroups:
+ rule: MustRunAs
+ ranges:
+ - min: 1
+ max: 65535
+ fsGroup:
+ rule: MustRunAs
+ ranges:
+ - min: 1
+ max: 65535
+{{- end }}