Add client connect test (#55)

Author: bryopsida

.devcontainer/devcontainer.json

@@ -0,0 +1,41 @@
+{
+    "name": "WG-Chart Dev Container",
+    "image": "mcr.microsoft.com/vscode/devcontainers/go:latest",
+    "features": {
+        "ghcr.io/devcontainers/features/github-cli:1": {},
+        "ghcr.io/devcontainers/features/common-utils:2": {},
+        "ghcr.io/devcontainers/features/docker-in-docker:2": {},
+        "ghcr.io/devcontainers/features/kubectl-helm-minikube:1": {},
+        "ghcr.io/mpriscella/features/kind:1": {},
+        "ghcr.io/devcontainers-contrib/features/apt-packages:1": {
+            "packages": "wireguard"
+        }
+    },
+    "customizations": {
+        "vscode": {
+            "extensions": [
+                "ms-kubernetes-tools.vscode-kubernetes-tools",
+                "redhat.vscode-yaml",
+                "github.vscode-pull-request-github",
+                "github.vscode-github-actions",
+                "ms-azuretools.vscode-docker",
+                "johnpapa.vscode-peacock",
+                "ms-vscode.makefile-tools"
+            ],
+            "settings": {
+                "editor.tabSize": 2,
+                "terminal.integrated.defaultProfile.linux": "zsh",
+                "terminal.integrated.profiles.linux": {
+                    "bash": {
+                        "path": "bash",
+                        "icon": "terminal-bash"
+                    },
+                    "zsh": {
+                        "path": "zsh"
+                    }
+                }
+            }
+        },
+        "postStartCommand": "git config --global --add safe.directory ${containerWorkspaceFolder} && curl -sS https://webinstall.dev/k9s | bash"
+    }
+}

.github/workflows/helm-qa.yml

@@ -9,8 +9,16 @@ on:
       - '.github/workflows/helm-qa.yml'
 jobs:
   test:
-    name: 'Helm'
+    strategy:
+      matrix:
+        suite:
+          - name: default
+            ct_extra_args: >-
+              --upgrade
+              --helm-extra-set-args='--set=service.type=ClusterIP'
+    name: 'Helm (${{ matrix.suite.name }})'
     uses: curium-rocks/flows/.github/workflows/helm-qa.yml@main
     with:
       charts_dir: 'helm'
-      helm_extra_sets: '--set service.type=ClusterIP'
+      ct_extra_args: ${{ matrix.suite.ct_extra_args }}
+      run-kubeval: false

Makefile

@@ -13,6 +13,15 @@ template:
 deploy:
 	helm --namespace $(HELM_NAMESPACE) upgrade --install $(HELM_RELEASE_NAME) ./helm/wireguard/ -f $(OVERRIDE_PATH) $(HELM_EXTRA_ARGS)
 
+test:
+	helm --namespace $(HELM_NAMESPACE) test $(HELM_RELEASE_NAME)
+
+cluster:
+	kind create cluster
+
+cluster-go-away:
+	kind delete cluster
+
 clean-secret:
 	kubectl --namespace $(HELM_NAMESPACE) delete secret $(HELM_RELEASE_NAME)-wg-generated
 

ci/test-with-1-replica.yaml

@@ -0,0 +1,5 @@
+service:
+  type: ClusterIP
+replicaCount: 1
+autoscaling:
+  enabled: false

helm/wireguard/.helmignore

@@ -21,3 +21,4 @@
 .idea/
 *.tmproj
 .vscode/
+ci

helm/wireguard/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: wireguard
 description: A Helm chart for managing a wireguard vpn in kubernetes
 type: application
-version: 0.23.0
+version: 0.24.0
 appVersion: "0.0.0"
 maintainers:
   - name: bryopsida

helm/wireguard/README.md

@@ -1,6 +1,6 @@
 # wireguard
 
-![Version: 0.23.0](https://img.shields.io/badge/Version-0.23.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.0](https://img.shields.io/badge/AppVersion-0.0.0-informational?style=flat-square)
+![Version: 0.24.0](https://img.shields.io/badge/Version-0.24.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.0](https://img.shields.io/badge/AppVersion-0.0.0-informational?style=flat-square)
 
 A Helm chart for managing a wireguard vpn in kubernetes
 
@@ -132,4 +132,4 @@ A Helm chart for managing a wireguard vpn in kubernetes
 | wireguard.serverCidr | string | `"10.34.0.0/24"` | Subnet for your VPN, take care not to clash with cluster POD cidr |
 
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1)
+Autogenerated from chart metadata using [helm-docs v1.14.2](https://github.com/norwoodj/helm-docs/releases/v1.14.2)

helm/wireguard/ci/README.md

@@ -0,0 +1,5 @@
+# What is this?
+
+This is a set of value files that will be tested in the CI pipeline.
+
+You can read more about the behavior [here](https://github.com/helm/charts/blob/master/test/README.md#providing-custom-test-values)

helm/wireguard/ci/default-values.yaml

@@ -0,0 +1,15 @@
+# kics-scan ignore
+service:
+  type: ClusterIP
+wireguard:
+  clients:
+    - AllowedIPs: 172.32.32.2/32
+      # used for testing only
+      PublicKey: NzYmaNXHi8+3NBpg7uoRFw7wO+fLG65gZToKqtecLAo=
+  serverAddress: 172.32.32.1/24
+  serverCidr: 172.32.32.0/24
+replicaCount: 1
+autoscaling:
+  enabled: false
+deploymentStrategy:
+  type: Recreate

helm/wireguard/templates/tests/client-connect.yaml

@@ -0,0 +1,100 @@
+# kics-scan ignore
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: wireguard-client-test
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    helm.sh/hook: test
+spec:
+  template:
+    spec:
+      automountServiceAccountToken: false
+      initContainers:
+        - name: sysctls
+          image: busybox:stable
+          command:
+          - sh
+          - -c
+          - sysctl -w net.ipv4.ip_forward=1 && sysctl -w net.ipv4.conf.all.forwarding=1
+          securityContext:
+            runAsNonRoot: false
+            privileged: true
+          resources:
+            requests:
+              memory: 64Mi
+              cpu: "100m"
+            limits:
+              memory: 64Mi
+              cpu: "100m"
+      containers:
+        - name: wireguard-client
+          image: ghcr.io/bryopsida/wireguard:main
+          securityContext:
+            runAsNonRoot: {{ .Values.securityContext.runAsNonRoot | default true }}
+            runAsUser: {{ .Values.securityContext.runAsUser | default 1000 }}
+            readOnlyRootFilesystem: {{ .Values.securityContext.readOnlyRootFilesystem | default true }}
+            allowPrivilegeEscalation: {{ .Values.securityContext.allowPrivilegeEscalation | default true }}
+            privileged: {{ .Values.securityContext.privileged | default false }}
+            capabilities:
+              drop:
+                - ALL
+              add:
+                - NET_ADMIN
+                - NET_RAW
+                - SETUID
+                - SETGID
+          env:
+            - name: WG_PRIVATE_KEY
+              value: "gILClOGWPR+w9q4f0A7hlTKdQHC0vHwXPrGLHPKJi2o="
+            - name: WG_SERVER
+              value: "{{ .Release.Name }}-wireguard.{{ .Release.Namespace }}.svc"
+            - name: WG_SERVER_PORT
+              value: "{{ .Values.service.port }}"
+            - name: WG_SERVER_CIDR
+              value: "{{ .Values.wireguard.serverCidr }}"
+            - name: WG_CLIENT_IP
+              value: "172.32.32.2/32"
+          resources:
+            requests:
+              cpu: "100m"
+              memory: "128Mi"
+            limits:
+              cpu: "500m"
+              memory: "256Mi"
+          command: 
+            - /bin/sh
+          args:
+            - -c
+            - |
+                set -e
+                
+                cat <<EOF > /tmp/wg0.conf
+                [Interface]
+                PrivateKey = ${WG_PRIVATE_KEY}
+                Address = ${WG_CLIENT_IP}
+
+                [Peer]
+                PublicKey = $(cat /etc/wireguard-server/privatekey | wg pubkey)
+                Endpoint = ${WG_SERVER}:${WG_SERVER_PORT}
+                AllowedIPs = ${WG_SERVER_CIDR}
+                EOF
+
+                wg-quick up /tmp/wg0.conf
+                sleep 5
+                sudo ping -c 1 -W 1 172.32.32.1
+          volumeMounts:
+            - name: wireguard-server-secret
+              mountPath: /etc/wireguard-server/
+              readOnly: true
+            - name: tmp-volume
+              mountPath: /tmp
+      volumes:
+        - name: wireguard-server-secret
+          secret:
+            secretName: {{ .Release.Name }}-wg-generated
+        - name: tmp-volume
+          emptyDir: {}
+      restartPolicy: Never
+  backoffLimit: 4