From f9e250f60bb87b2e4d2fab3c6cb726a7b4a0922b Mon Sep 17 00:00:00 2001 From: Koen de Laat Date: Thu, 28 Mar 2024 11:16:13 +0000 Subject: [PATCH] Add Helm charts for FRP server and client --- .dockerignore | 1 + charts/frpc/.helmignore | 23 ++++ charts/frpc/Chart.yaml | 7 ++ charts/frpc/templates/_helpers.tpl | 62 +++++++++ charts/frpc/templates/certificate.yaml | 41 ++++++ charts/frpc/templates/config.yaml | 7 ++ charts/frpc/templates/dashboard-service.yaml | 19 +++ charts/frpc/templates/deployment.yaml | 85 +++++++++++++ charts/frpc/templates/serviceaccount.yaml | 12 ++ charts/frpc/values.yaml | 126 +++++++++++++++++++ charts/frps/.helmignore | 23 ++++ charts/frps/Chart.yaml | 7 ++ charts/frps/templates/_helpers.tpl | 68 ++++++++++ charts/frps/templates/certificate.yaml | 56 +++++++++ charts/frps/templates/config.yaml | 43 +++++++ charts/frps/templates/dashboard-service.yaml | 19 +++ charts/frps/templates/deployment.yaml | 95 ++++++++++++++ charts/frps/templates/internal-service.yaml | 21 ++++ charts/frps/templates/service.yaml | 19 +++ charts/frps/templates/serviceaccount.yaml | 12 ++ charts/frps/values.yaml | 106 ++++++++++++++++ 21 files changed, 852 insertions(+) create mode 100644 .dockerignore create mode 100644 charts/frpc/.helmignore create mode 100644 charts/frpc/Chart.yaml create mode 100644 charts/frpc/templates/_helpers.tpl create mode 100644 charts/frpc/templates/certificate.yaml create mode 100644 charts/frpc/templates/config.yaml create mode 100644 charts/frpc/templates/dashboard-service.yaml create mode 100644 charts/frpc/templates/deployment.yaml create mode 100644 charts/frpc/templates/serviceaccount.yaml create mode 100644 charts/frpc/values.yaml create mode 100644 charts/frps/.helmignore create mode 100644 charts/frps/Chart.yaml create mode 100644 charts/frps/templates/_helpers.tpl create mode 100644 charts/frps/templates/certificate.yaml create mode 100644 charts/frps/templates/config.yaml create mode 100644 charts/frps/templates/dashboard-service.yaml create mode 100644 charts/frps/templates/deployment.yaml create mode 100644 charts/frps/templates/internal-service.yaml create mode 100644 charts/frps/templates/service.yaml create mode 100644 charts/frps/templates/serviceaccount.yaml create mode 100644 charts/frps/values.yaml diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 00000000..80bf7fc7 --- /dev/null +++ b/.dockerignore @@ -0,0 +1 @@ +charts \ No newline at end of file diff --git a/charts/frpc/.helmignore b/charts/frpc/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/charts/frpc/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/frpc/Chart.yaml b/charts/frpc/Chart.yaml new file mode 100644 index 00000000..000f58bf --- /dev/null +++ b/charts/frpc/Chart.yaml @@ -0,0 +1,7 @@ +apiVersion: v2 +name: frpc +description: A Helm chart Fast Reverse Proxy Client + +type: application +version: 0.1.0 +appVersion: "v0.56.0" diff --git a/charts/frpc/templates/_helpers.tpl b/charts/frpc/templates/_helpers.tpl new file mode 100644 index 00000000..5867efad --- /dev/null +++ b/charts/frpc/templates/_helpers.tpl @@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "frpc.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "frpc.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "frpc.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "frpc.labels" -}} +helm.sh/chart: {{ include "frpc.chart" . }} +{{ include "frpc.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "frpc.selectorLabels" -}} +app.kubernetes.io/name: {{ include "frpc.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "frpc.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "frpc.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} diff --git a/charts/frpc/templates/certificate.yaml b/charts/frpc/templates/certificate.yaml new file mode 100644 index 00000000..18d8f804 --- /dev/null +++ b/charts/frpc/templates/certificate.yaml @@ -0,0 +1,41 @@ +{{- if and .Values.mTLS.enabled (eq .Values.mTLS.existingSecret "") }} +{{- if eq .Values.mTLS.certificatePEM "" }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ printf "%s-client" (include "frpc.fullname" .) }} +spec: + commonName: {{ .Values.mTLS.commonName }} + issuerRef: + {{- .Values.mTLS.issuerRef | toYaml | nindent 4 }} + {{- with .Values.mTLS.subject }} + subject: + {{- . | toYaml | nindent 4 }} + {{- end }} + privateKey: + algorithm: ECDSA + size: 256 + usages: + - client auth + secretName: {{ printf "%s-client" (include "frpc.fullname" .) }} +--- +{{- else }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ printf "%s-client-ca" (include "frpc.fullname" .) }} +type: kubernetes.io/tls +data: + tls.crt: {{ .Values.mTLS.certificatePEM | b64enc | quote }} + tls.key: {{ required "Both PEM and KEY are required" .Values.mTLS.certificateKEY | b64enc | quote }} +--- +{{- end }} +{{- end }} +{{- if ne .Values.mTLS.trustedCA "" }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ printf "%s-ca" (include "frpc.fullname" .) }} +data: + ca.crt: {{ .Values.mTLS.trustedCA | b64enc | quote }} +{{- end}} \ No newline at end of file diff --git a/charts/frpc/templates/config.yaml b/charts/frpc/templates/config.yaml new file mode 100644 index 00000000..9a79d508 --- /dev/null +++ b/charts/frpc/templates/config.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "frpc.fullname" . }} +data: + frpc.yaml: | + {{- tpl (.Values.config | toYaml) $ | nindent 4 }} \ No newline at end of file diff --git a/charts/frpc/templates/dashboard-service.yaml b/charts/frpc/templates/dashboard-service.yaml new file mode 100644 index 00000000..8cbc1102 --- /dev/null +++ b/charts/frpc/templates/dashboard-service.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "frpc.fullname" . }}-dashboard + labels: + {{- include "frpc.labels" . | nindent 4 }} + {{- with .Values.dashboardService.annotations }} + annotations: + {{- . | toYaml | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.dashboardService.type }} + ports: + - port: {{ .Values.dashboardService.port }} + targetPort: dashboard + protocol: TCP + name: http + selector: + {{- include "frpc.selectorLabels" . | nindent 4 }} diff --git a/charts/frpc/templates/deployment.yaml b/charts/frpc/templates/deployment.yaml new file mode 100644 index 00000000..f3d3618a --- /dev/null +++ b/charts/frpc/templates/deployment.yaml @@ -0,0 +1,85 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "frpc.fullname" . }} + labels: + {{- include "frpc.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "frpc.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/config.yaml") . | sha256sum }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "frpc.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "frpc.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + args: + - "-c" + - "/var/frp/conf/frpc.yaml" + ports: + - name: dashboard + containerPort: {{ .Values.config.webServer.port }} + protocol: TCP + resources: + {{- toYaml .Values.resources | nindent 12 }} + volumeMounts: + - mountPath: /var/frp/conf + name: config + {{- if ne .Values.mTLS.trustedCA "" }} + - mountPath: /var/frp/tls + name: tls + {{- end }} + {{- if .Values.mTLS.enabled}} + - mountPath: /var/frp/mtls + name: mtls + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + - name: config + configMap: + name: {{ include "frpc.fullname" . }} + {{- if ne .Values.mTLS.trustedCA "" }} + - name: tls + secret: + secretName: {{ printf "%s-ca" (include "frpc.fullname" .) }} + {{- end }} + {{- if .Values.mTLS.enabled}} + - name: mtls + secret: + secretName: {{ .Values.mTLS.existingSecret | default (printf "%s-client-ca" (include "frpc.fullname" .)) }} + items: + - key: tls.crt + path: tls.crt + - key: tls.key + path: tls.key + {{- end }} diff --git a/charts/frpc/templates/serviceaccount.yaml b/charts/frpc/templates/serviceaccount.yaml new file mode 100644 index 00000000..e3df1722 --- /dev/null +++ b/charts/frpc/templates/serviceaccount.yaml @@ -0,0 +1,12 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "frpc.serviceAccountName" . }} + labels: + {{- include "frpc.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/frpc/values.yaml b/charts/frpc/values.yaml new file mode 100644 index 00000000..b4611b08 --- /dev/null +++ b/charts/frpc/values.yaml @@ -0,0 +1,126 @@ +replicaCount: 1 + +image: + repository: fatedier/frpc + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "" + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +podAnnotations: {} + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +dashboardService: + type: ClusterIP + port: 8080 + containerPort: 7500 + annotations: {} + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +mTLS: + enabled: false + existingSecret: "" + certificatePEM: "" + certificateKEY: "" + trustedCA: "" + commonName: "Fast Reverse Proxy mTLS client" + subject: {} + issuerRef: + group: cert-manager.io + kind: Issuer + name: frps-client-ca + +config: + serverAddr: "0.0.0.0" + serverPort: 443 + + webServer: + addr: "0.0.0.0" + port: 7500 + user: "admin" + password: "admin" + + transport: + protocol: "wss" + tls: + certFile: '{{ .Values.mTLS.enabled | ternary "/var/frp/mtls/tls.crt" "" }}' + keyFile: '{{ .Values.mTLS.enabled | ternary "/var/frp/mtls/tls.key" "" }}' + trustedCaFile : '{{ eq .Values.mTLS.trustedCA "" | ternary "" "/var/frp/tls/ca.crt" }}' + disableCustomTLSFirstByte: true + + + proxies: [] +# - name: "ssh" +# type: "tcp" +# localIP: "127.0.0.1" +# localPort: 22 +# transport: +# # Limit bandwidth for this proxy, unit is KB and MB +# bandwidthLimit: "1MB" +# # Where to limit bandwidth, can be 'client' or 'server', default is 'client' +# bandwidthLimitMode: "client" +# # If true, traffic of this proxy will be encrypted, default is false +# tuseEncryption: false +# # If true, traffic will be compressed +# useCompression: false +# # Remote port listen by frps +# remotePort: 6001 +# +# loadBalancer: +# # frps will load balancing connections for proxies in same group +# group: "test_group" +# # group should have same group key +# groupKey: "123456" +# # Enable health check for the backend service, it supports 'tcp' and 'http' now. +# # frpc will connect local service's port to detect it's healthy status +# healthCheck: +# type: "tcp" +# # Health check connection timeout +# timeoutSeconds: 3 +# # If continuous failed in 3 times, the proxy will be removed from frps +# maxFailed: 3 +# # Every 10 seconds will do a health check +# intervalSeconds: 10 +# # Additional meta info for each proxy. It will be passed to the server-side plugin for use. +# metadatas: +# var1: "abc" +# var2: "123" diff --git a/charts/frps/.helmignore b/charts/frps/.helmignore new file mode 100644 index 00000000..0e8a0eb3 --- /dev/null +++ b/charts/frps/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/frps/Chart.yaml b/charts/frps/Chart.yaml new file mode 100644 index 00000000..be6f2f19 --- /dev/null +++ b/charts/frps/Chart.yaml @@ -0,0 +1,7 @@ +apiVersion: v2 +name: frps +description: A Helm chart Fast Reverse Proxy Server + +type: application +version: 0.1.0 +appVersion: "v0.56.0" diff --git a/charts/frps/templates/_helpers.tpl b/charts/frps/templates/_helpers.tpl new file mode 100644 index 00000000..616b1ed4 --- /dev/null +++ b/charts/frps/templates/_helpers.tpl @@ -0,0 +1,68 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "frps.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "frps.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "frps.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "frps.labels" -}} +helm.sh/chart: {{ include "frps.chart" . }} +{{ include "frps.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "frps.selectorLabels" -}} +app.kubernetes.io/name: {{ include "frps.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "frps.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "frps.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{- define "frps.trustedCaFile" -}} +{{- if .Values.mTLS.enabled }} +{{- printf "/var/frp/mtls/%s" .Values.mTLS.key }} +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/frps/templates/certificate.yaml b/charts/frps/templates/certificate.yaml new file mode 100644 index 00000000..53248544 --- /dev/null +++ b/charts/frps/templates/certificate.yaml @@ -0,0 +1,56 @@ +{{- if eq .Values.certificate.existingSecret "" }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ include "frps.fullname" . }} +spec: + issuerRef: + {{- .Values.certificate.issuerRef | toYaml | nindent 4 }} + dnsNames: + {{- .Values.certificate.dnsNames | toYaml | nindent 4 }} + privateKey: + algorithm: ECDSA + size: 256 + secretName: {{ include "frps.fullname" . }} +--- +{{- end }} +{{- if and .Values.mTLS.enabled (eq .Values.mTLS.existingSecret "") }} +{{- if eq .Values.mTLS.certificatePEM "" }} +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ printf "%s-client-ca" (include "frps.fullname" .) }} +spec: + commonName: {{ .Values.mTLS.commonName }} + issuerRef: + {{- .Values.mTLS.issuerRef | toYaml | nindent 4 }} + {{- with .Values.mTLS.subject }} + subject: + {{- . | toYaml | nindent 4 }} + {{- end }} + isCA: true + privateKey: + algorithm: ECDSA + size: 256 + secretName: {{ printf "%s-client-ca" (include "frps.fullname" .) }} +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ printf "%s-client-ca" (include "frps.fullname" .) }} +spec: + ca: + secretName: {{ printf "%s-client-ca" (include "frps.fullname" .) }} +--- +{{- else }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ printf "%s-client-ca" (include "frps.fullname" .) }} +type: kubernetes.io/tls +data: + tls.crt: {{ .Values.mTLS.certificatePEM | b64enc | quote }} + tls.key: "" +--- +{{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/frps/templates/config.yaml b/charts/frps/templates/config.yaml new file mode 100644 index 00000000..e32bf2e4 --- /dev/null +++ b/charts/frps/templates/config.yaml @@ -0,0 +1,43 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "frps.fullname" . }} +data: + frps.toml: | + {{- range $elem, $elemVal := .Values.config }} + {{- if not (kindIs "map" $elemVal) }} + {{- if kindIs "invalid" $elemVal }} + {{ $elem }} = + {{- else if kindIs "string" $elemVal }} + {{- $tplElemVal := tpl $elemVal $ }} + {{- if eq $tplElemVal $elemVal }} + {{ $elem }} = {{ $elemVal | quote }} + {{- else }} + {{ $elem }} = {{ $tplElemVal }} + {{- end }} + {{- else }} + {{ $elem }} = {{ $elemVal }} + {{- end }} + {{- end }} + {{- end }} + {{- range $key, $value := .Values.config }} + {{- if kindIs "map" $value }} + + [[{{ $key }}]] + {{- range $elem, $elemVal := $value }} + {{- if kindIs "invalid" $elemVal }} + {{ $elem }} = + {{- else if kindIs "string" $elemVal }} + {{- $tplElemVal := tpl $elemVal $ }} + {{- if eq $tplElemVal $elemVal }} + {{ $elem }} = {{ $elemVal | quote }} + {{- else }} + {{ $elem }} = {{ $tplElemVal }} + {{- end }} + {{- else }} + {{ $elem }} = {{ $elemVal }} + {{- end }} + {{- end }} + {{- end }} + {{- end }} + diff --git a/charts/frps/templates/dashboard-service.yaml b/charts/frps/templates/dashboard-service.yaml new file mode 100644 index 00000000..040414d1 --- /dev/null +++ b/charts/frps/templates/dashboard-service.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "frps.fullname" . }}-dashboard + labels: + {{- include "frps.labels" . | nindent 4 }} + {{- with .Values.dashboardService.annotations }} + annotations: + {{- . | toYaml | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.dashboardService.type }} + ports: + - port: {{ .Values.dashboardService.port }} + targetPort: dashboard + protocol: TCP + name: http + selector: + {{- include "frps.selectorLabels" . | nindent 4 }} diff --git a/charts/frps/templates/deployment.yaml b/charts/frps/templates/deployment.yaml new file mode 100644 index 00000000..02a2c88d --- /dev/null +++ b/charts/frps/templates/deployment.yaml @@ -0,0 +1,95 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "frps.fullname" . }} + labels: + {{- include "frps.labels" . | nindent 4 }} +spec: + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "frps.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/config.yaml") . | sha256sum }} + {{- with .Values.podAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "frps.selectorLabels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "frps.serviceAccountName" . }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + containers: + - name: {{ .Chart.Name }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + args: + - "-c" + - "/var/frp/conf/frps.toml" + ports: + - name: bind + containerPort: {{ .Values.service.containerPort }} + protocol: TCP + - name: dashboard + containerPort: {{ .Values.dashboardService.containerPort }} + protocol: TCP + {{- if .Values.internalService.enabled }} + - name: https + containerPort: {{ .Values.internalService.containerPort }} + protocol: TCP + {{- end }} +{{/* livenessProbe:*/}} +{{/* httpGet:*/}} +{{/* path: /*/}} +{{/* port: http*/}} +{{/* readinessProbe:*/}} +{{/* httpGet:*/}} +{{/* path: /*/}} +{{/* port: http*/}} + resources: + {{- toYaml .Values.resources | nindent 12 }} + volumeMounts: + - mountPath: /var/frp/conf + name: config + - mountPath: /var/frp/tls + name: tls + {{- if .Values.mTLS.enabled}} + - mountPath: /var/frp/mtls + name: mtls + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + - name: config + configMap: + name: {{ include "frps.fullname" . }} + - name: tls + secret: + secretName: {{ .Values.certificate.existingSecret | default (include "frps.fullname" .) }} + {{- if .Values.mTLS.enabled}} + - name: mtls + secret: + secretName: {{ .Values.mTLS.existingSecret | default (printf "%s-client-ca" (include "frps.fullname" .)) }} + items: + - key: {{ .Values.mTLS.key }} + path: {{ .Values.mTLS.key }} + {{- end }} diff --git a/charts/frps/templates/internal-service.yaml b/charts/frps/templates/internal-service.yaml new file mode 100644 index 00000000..e354c040 --- /dev/null +++ b/charts/frps/templates/internal-service.yaml @@ -0,0 +1,21 @@ +{{- if .Values.internalService.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "frps.fullname" . }}-internal + labels: + {{- include "frps.labels" . | nindent 4 }} + {{- with .Values.internalService.annotations }} + annotations: + {{- . | toYaml | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.internalService.type }} + ports: + - port: {{ .Values.internalService.port }} + targetPort: https + protocol: TCP + name: https + selector: + {{- include "frps.selectorLabels" . | nindent 4 }} +{{- end }} \ No newline at end of file diff --git a/charts/frps/templates/service.yaml b/charts/frps/templates/service.yaml new file mode 100644 index 00000000..30787635 --- /dev/null +++ b/charts/frps/templates/service.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "frps.fullname" . }} + labels: + {{- include "frps.labels" . | nindent 4 }} + {{- with .Values.service.annotations }} + annotations: + {{- . | toYaml | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: bind + protocol: TCP + name: http + selector: + {{- include "frps.selectorLabels" . | nindent 4 }} diff --git a/charts/frps/templates/serviceaccount.yaml b/charts/frps/templates/serviceaccount.yaml new file mode 100644 index 00000000..602ff8f3 --- /dev/null +++ b/charts/frps/templates/serviceaccount.yaml @@ -0,0 +1,12 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "frps.serviceAccountName" . }} + labels: + {{- include "frps.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/frps/values.yaml b/charts/frps/values.yaml new file mode 100644 index 00000000..616327a8 --- /dev/null +++ b/charts/frps/values.yaml @@ -0,0 +1,106 @@ +replicaCount: 1 + +image: + repository: fatedier/frps + pullPolicy: IfNotPresent + # Overrides the image tag whose default is the chart appVersion. + tag: "" + +imagePullSecrets: [] +nameOverride: "" +fullnameOverride: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +podAnnotations: {} + +podSecurityContext: {} + # fsGroup: 2000 + +securityContext: {} + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +service: + type: LoadBalancer + port: 443 + containerPort: 7000 + annotations: {} + +dashboardService: + type: ClusterIP + port: 8080 + containerPort: 7500 + annotations: {} + +internalService: + enabled: false + type: ClusterIP + port: 443 + containerPort: 443 + annotations: {} + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +certificate: + existingSecret: "" + dnsNames: [] + issuerRef: + group: cert-manager.io + kind: ClusterIssuer + name: letsencrypt-prod + +mTLS: + enabled: false + existingSecret: "" + certificatePEM: "" + key: tls.crt + commonName: "Fast Reverse Proxy mTLS" + subject: {} + issuerRef: + group: cert-manager.io + kind: ClusterIssuer + name: selfsigned + +config: + bindAddr: "0.0.0.0" + bindPort: "{{ .Values.service.containerPort }}" + + webServer.addr: "0.0.0.0" + webServer.port: "{{ .Values.dashboardService.containerPort }}" + webServer.user: "admin" + webServer.password: "admin" + + vhostHTTPSPort: "{{ .Values.internalService.enabled | ternary .Values.internalService.containerPort .Values.service.containerPort }}" + + transport.tls.force: true + transport.tls.certFile: "/var/frp/tls/tls.crt" + transport.tls.keyFile: "/var/frp/tls/tls.key" + transport.tls.trustedCaFile : '{{ include "frps.trustedCaFile" . | quote }}' \ No newline at end of file