helm-docs: automated action
github-actions[bot] committed Oct 23, 2023
1 parent 3cbce14 commit 8616622
Showing 1 changed file with 127 additions and 0 deletions.
127 changes: 127 additions & 0 deletions charts/ziti-edge-tunnel/README.md
@@ -0,0 +1,127 @@
<!-- README.md generated by helm-docs from README.md.gotmpl -->
# ziti-edge-tunnel

![Version: 0.0.2](https://img.shields.io/badge/Version-0.0.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 0.22.12](https://img.shields.io/badge/AppVersion-0.22.12-informational?style=flat-square)

Host OpenZiti services with a tunneler pod

**Homepage:** <https://github.com/openziti/ziti>

## Source Code

* <https://github.com/openziti/ziti>

## Requirements

Kubernetes: `>= 1.20.0-0`

## Overview

You may use this chart to reach services node-wide via your Ziti network via DNS. For example, if you create a repository or container registry Ziti service, and your cluster has no internet access, you can reach those repositories or container registries via Ziti services.
**NOTE:**
For one node kubernetes approaches like k3s, this works out-of-the-box and you can extend your coredns configuration to forward to the Ziti DNS IP, as you can see [here](https://openziti.io/docs/guides/kubernetes/workload-tunneling/kubernetes-daemonset/).
For multinode kubernetes installations, where your cluster DNS could run on a different node, you need to install the [node-local-dns](https://kubernetes.io/docs/tasks/administer-cluster/nodelocaldns/) feature, which secures that the Ziti DNS name will be resolved locally, on the very same tunneler, as Ziti Intercept IPs can change from node to node. See [this](https://github.com/lablabs/k8s-nodelocaldns-helm) helm chart for a possible implementation.

## How this Chart Works

This chart deploys a pod running `ziti-edge-tunnel`, [the OpenZiti Linux tunneler](https://docs.openziti.io/docs/reference/tunnelers/linux/), in transparent proxy mode with DNS nameserver. The chart uses container image `docker.io/openziti/ziti-edge-tunnel` which runs `ziti-edge-tunnel run`.

## Installation

```console
helm repo add openziti https://docs.openziti.io/helm-charts/
```

After adding the charts repo to Helm then you may enroll the identity and install the chart. You must supply a Ziti identity JSON file when you install the chart.

```console
ziti edge enroll --jwt /tmp/k8s-tunneler.jwt --out /tmp/k8s-tunneler.json
helm install ziti-run-node openziti/ziti-edge-tunnel --set-file zitiIdentity=/tmp/k8s-tunneler-03.json
```

### Installation using a existing / pre-created secret

Alternatively when you want to use a existing / pre-created secret (i.e. you have sealed-secrets enabled in your setup), you could refer to an existing secret with the ziti identity to use.

This sample shows you how to create the secret:

```console
kubectl create secret generic k8s-tunneler-identity --from-file=persisted-identity=k8s-tunneler.json
```

When you deploy the helm chart refer to the existing secret:

```console
helm install ziti-run-node openziti/ziti-edge-tunnel --set secret.existingSecretName=k8s-tunneler-identity
```

When you don't want to use the default key name `persisted-identity` you can define your own name by adding `--set secret.keyName=myKeyName`.

### Configure CoreDNS

If you want to resolve your Ziti domain inside the pods, you need to customize CoreDNS. See [Official docs](https://openziti.io/docs/guides/kubernetes/workload-tunneling/kubernetes-daemonset/).

Customize CoreDNS configuration,

```console
kubectl -n kube-system apply -f - <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
name: coredns-custom
namespace: kube-system
data:
ziti.server: |
your.ziti.domain {
forward . 100.64.0.2
}
EOF
```

Reload CoreDNS config,

```console
kubectl rollout restart -n kube-system deployment/coredns
```

## Values Reference

| Key | Type | Default | Description |
|-----|------|---------|-------------|
| additionalVolumes | list | `[]` | additional volumes to mount to ziti-host container |
| affinity | object | `{}` | |
| dnsPolicy | string | `"ClusterFirstWithHostNet"` | |
| fullnameOverride | string | `""` | |
| hostNetwork | bool | `true` | |
| image.args | list | `[]` | |
| image.pullPolicy | string | `"Always"` | |
| image.registry | string | `"docker.io"` | |
| image.repository | string | `"openziti/ziti-edge-tunnel"` | |
| image.tag | string | `""` | |
| imagePullSecrets | list | `[]` | |
| ingress.enabled | bool | `false` | |
| nameOverride | string | `""` | |
| nodeSelector."node-role.kubernetes.io/node" | string | `"worker"` | |
| persistence.accessMode | string | `"ReadWriteOnce"` | |
| persistence.enabled | bool | `true` | |
| persistence.size | string | `"100Mi"` | |
| podAnnotations | object | `{}` | |
| podSecurityContext | object | `{}` | |
| ports | list | `[]` | |
| resources | object | `{}` | |
| secret | object | `{}` | |
| securityContext.privileged | bool | `true` | |
| serviceAccount.annotations | object | `{}` | |
| serviceAccount.create | bool | `true` | |
| serviceAccount.name | string | `""` | |
| spireAgent.enabled | bool | `false` | if you are running a container with the spire-agent binary installed then this will allow you to add the hostpath necessary for connecting to the spire socket |
| spireAgent.spireSocketMnt | string | `"/run/spire/sockets"` | file path of the spire socket mount |
| systemDBus.enabled | bool | `true` | enable D-Bus socket connection |
| systemDBus.systemDBusSocketMnt | string | `"/var/run/dbus/system_bus_socket"` | file path of the System D-Bus socket mount |
| tolerations | list | `[]` | |

```console
helm upgrade {release} {source dir}
```

<!-- README.md generated by helm-docs from README.md.gotmpl -->
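Review bot: the installation example under `## Installation` enrolls to `/tmp/k8s-tunneler.json` but then installs with `--set-file zitiIdentity=/tmp/k8s-tunneler-03.json`; the two paths should match (drop the `-03`), otherwise a reader who pastes both commands gets a file-not-found from Helm. The security posture of the chart is visible only in bare table cells: `securityContext.privileged` = `true`, `hostNetwork` = `true`, `dnsPolicy` = `ClusterFirstWithHostNet` and `systemDBus.enabled` = `true` all have empty description columns, so the README never states that this pod runs as a privileged container in the node's network namespace and mounts the host's system D-Bus socket. "How this Chart Works" mentions transparent proxy mode with a DNS nameserver, which is the reason those privileges are needed; say so there and fill in the description cells, and document `secret.existingSecretName` and `secret.keyName`, which the prose relies on but the table shows only as `secret` = `{}`. In the CoreDNS section, `forward . 100.64.0.2` is a hard-coded address with no explanation; state that it is the address the tunneler's nameserver listens on by default and must be changed if that is reconfigured, and qualify the snippet with the same caveat the Overview gives (single-node k3s works out of the box, multi-node clusters need node-local-dns), since a `coredns-custom` ConfigMap is only effective where the cluster's Corefile imports it. Minor: the `nodeSelector."node-role.kubernetes.io/node"` default of `"worker"` leaves the pod Pending on clusters without that label and deserves a description; the trailing `helm upgrade {release} {source dir}` block has no lead-in sentence; and "a existing / pre-created secret" should read "an existing" (twice) while "which secures that the Ziti DNS name will be resolved locally" should read "which ensures that".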
