Optional toggle to use k8s-wireguard-mgr for keygen hook (#51)

What
---
When running through a system such as argo, which doesn't correctly
handle the helm hook directives and always runs the install phase hook,
more graceful handling of the case of the secret already existing is
needed. This is also beneficial for cases where the release has been
uninstalled and one wants to re-use the existing key on a new install.

This introduces a new boolean toggle to opt into using the
k8s-wireguard-mgr image found here:

https://github.com/bryopsida/k8s-wireguard-mgr

This image generates the server key, if an error is returned from the
kubernetes API it inspects the reason, if the reason is already exists,
it exits with status code 0. The reason it always attempts to create the
secret is to avoid giving the hook/job serviceaccount access to read
secrets.

The toggle is enabled with the value `keygenJob.useWireguardManager`,
the image used can be customized with

- keygenJob.wireguardMgrImage.repository
- keygenJob.wireguardMgrImage.tag

Relates to: #46

Author: bryopsida

ci/test-with-wgmgr-keygen.yaml

@@ -0,0 +1,2 @@
+keygenJob:
+  useWireguardManager: true

helm/wireguard/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: wireguard
 description: A Helm chart for managing a wireguard vpn in kubernetes
 type: application
-version: 0.24.0
+version: 0.25.0
 appVersion: "0.0.0"
 maintainers:
   - name: bryopsida

helm/wireguard/README.md

@@ -1,6 +1,6 @@
 # wireguard
 
-![Version: 0.24.0](https://img.shields.io/badge/Version-0.24.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.0](https://img.shields.io/badge/AppVersion-0.0.0-informational?style=flat-square)
+![Version: 0.25.0](https://img.shields.io/badge/Version-0.25.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.0.0](https://img.shields.io/badge/AppVersion-0.0.0-informational?style=flat-square)
 
 A Helm chart for managing a wireguard vpn in kubernetes
 
@@ -64,6 +64,8 @@ A Helm chart for managing a wireguard vpn in kubernetes
 | keygenJob.podSecurityContext.fsGroup | int | `1000` |  |
 | keygenJob.podSecurityContext.fsGroupChangePolicy | string | `"Always"` |  |
 | keygenJob.podSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` |  |
+| keygenJob.useWireguardManager | bool | `false` | when enabled, uses a image with go bindings for k8s and wg    to create the secret if it does not exist, on re-runs it    it leaves the existing secret in place and exits succesfully |
+| keygenJob.wireguardMgrImage | object | `{"pullPolicy":"Always","repository":"ghcr.io/bryopsida/k8s-wireguard-mgr","tag":"main"}` | When useWireguardManager is enabled this image is used instead of the kubectl image |
 | labels | object | `{}` |  |
 | metrics.dashboard.annotations | object | `{}` | Grafana dashboard annotations |
 | metrics.dashboard.enabled | bool | `true` | Create a ConfigMap with a Grafana dashboard |

helm/wireguard/ci/wg-keymgr-values.yaml

@@ -0,0 +1,17 @@
+# kics-scan ignore
+service:
+  type: ClusterIP
+wireguard:
+  clients:
+    - AllowedIPs: 172.32.32.2/32
+      # used for testing only
+      PublicKey: NzYmaNXHi8+3NBpg7uoRFw7wO+fLG65gZToKqtecLAo=
+  serverAddress: 172.32.32.1/24
+  serverCidr: 172.32.32.0/24
+replicaCount: 1
+autoscaling:
+  enabled: false
+deploymentStrategy:
+  type: Recreate
+keygenJob:
+  useWireguardManager: true

helm/wireguard/templates/privatekey-gen-job.yaml

@@ -119,12 +119,17 @@ spec:
                 mode: 0755
               {{- end }}
       containers:
-      - volumeMounts:
+      - name: keygen-job
+        {{- if not .Values.keygenJob.useWireguardManager }}
+        volumeMounts:
           - name: script
             mountPath: /job/
-        name: keygen-job
         image: "{{ .Values.keygenJob.image.repository }}:{{ .Values.keygenJob.image.tag }}"
         imagePullPolicy: "{{ .Values.keygenJob.image.pullPolicy }}"
+        {{- else }}
+        image: "{{ .Values.keygenJob.wireguardMgrImage.repository }}:{{ .Values.keygenJob.wireguardMgrImage.tag }}"
+        imagePullPolicy: "{{ .Values.keygenJob.wireguardMgrImage.pullPolicy }}"
+        {{- end }}
         securityContext: {{ .Values.keygenJob.containerSecurityContext | toYaml | nindent 10 }}
         resources:
           requests:
@@ -134,7 +139,11 @@ spec:
             memory: 64Mi
             cpu: "100m"
         env:
+          {{- if .Values.keygenJob.useWireguardManager }}
+          - name: K8S_WG_MGR_SERVER_SECRET_NAME
+          {{- else }}
           - name: SECRET_NAME
+          {{- end }}
             value: "{{ .Release.Name }}-wg-generated"
           - name: RELEASE_NAMESPACE
             value: "{{ .Release.Namespace }}"
@@ -151,5 +160,7 @@ spec:
                 name: {{ tpl $value.secretName $ }}
                 key: {{ tpl $value.secretPropertyName $ }}
           {{- end }}
+        {{- if not .Values.keygenJob.useWireguardManager }}
         command: {{ .Values.keygenJob.command | toYaml | nindent 10}}
+        {{- end }}
 {{- end }}

helm/wireguard/values.yaml

@@ -6,6 +6,15 @@ image:
   pullPolicy: Always
 
 keygenJob:
+  # -- when enabled, uses a image with go bindings for k8s and wg
+  #    to create the secret if it does not exist, on re-runs it
+  #    it leaves the existing secret in place and exits succesfully
+  useWireguardManager: false
+  # -- When useWireguardManager is enabled this image is used instead of the kubectl image
+  wireguardMgrImage:
+    repository: ghcr.io/bryopsida/k8s-wireguard-mgr
+    tag: main
+    pullPolicy: Always
   image:
     repository: ghcr.io/curium-rocks/wg-kubectl
     tag: latest