Convert proxy StatefulSet (#138)

Author: moubctez

.github/workflows/ami.yml

@@ -25,7 +25,7 @@ jobs:
           echo "Proxy version: $PROXY_VERSION"
           echo "Gateway version: $GATEWAY_VERSION"
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup `packer`
         uses: hashicorp/setup-packer@main

.github/workflows/build-ova.yml

@@ -47,14 +47,13 @@ jobs:
           fi
 
       - name: Setup Packer
-        uses: hashicorp/setup-packer@v3.1.0
+        uses: hashicorp/setup-packer@v3
         with:
           version: "1.11.2"
 
       - name: Download ISO
         run: |
-          curl -fL -o ubuntu-24.04.4-live-server-amd64.iso \
-            https://releases.ubuntu.com/24.04.4/ubuntu-24.04.4-live-server-amd64.iso
+          curl -fLO https://releases.ubuntu.com/24.04.4/ubuntu-24.04.4-live-server-amd64.iso
 
       - name: Packer init
         run: packer init defguard.pkr.hcl

.github/workflows/lint_charts.yml

@@ -15,7 +15,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 

.github/workflows/release.yml

@@ -11,7 +11,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
@@ -21,7 +21,7 @@ jobs:
           git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
 
       - name: Install Helm
-        uses: azure/setup-helm@v4
+        uses: azure/setup-helm@v5
 
       # https://github.com/helm/chart-releaser-action/issues/74
       - name: Add repositories
@@ -31,7 +31,7 @@ jobs:
           done
 
       - name: Run chart-releaser
-        uses: helm/chart-releaser-action@v1.6.0
+        uses: helm/chart-releaser-action@v1.7.0
         env:
           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
         with:

.github/workflows/test.yml

@@ -14,7 +14,7 @@ jobs:
     runs-on: [self-hosted, Linux, X64]
     steps:
       - name: Login to GitHub container registry
-        uses: docker/login-action@v2
+        uses: docker/login-action@v4
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

charts/defguard-gateway/Chart.yaml

@@ -1,7 +1,8 @@
 apiVersion: v2
 name: defguard-gateway
 description: Defguard Gateway is a public-facing VPN endpoint.
+icon: https://defguard.net/favicon/favicon-512x512.png
 
 type: application
-version: 0.5.4
-appVersion: 1.6.4
+version: 2.0.0-beta.1
+appVersion: 2.0.0-beta1

charts/defguard-gateway/templates/config.yaml

@@ -5,7 +5,7 @@ metadata:
   labels:
     {{- include "defguard-gateway.labels" . | nindent 4 }}
 data:
-  DEFGUARD_USERSPACE: {{ .Values.userspace | quote }}
-  DEFGUARD_GRPC_URL: {{ .Values.grpcUrl | quote }}
-  DEFGUARD_STATS_PERIOD: {{ .Values.statsPeriod | quote }}
+  DEFGUARD_GRPC_PORT: {{ .Values.service.grpc.port | quote }}
   DEFGUARD_LOG_LEVEL: {{ .Values.logLevel | quote }}
+  DEFGUARD_STATS_PERIOD: {{ .Values.statsPeriod | quote }}
+  DEFGUARD_USERSPACE: {{ .Values.userspace | quote }}

charts/defguard-gateway/templates/grpc-headless-service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    {{- include "defguard-gateway.labels" . | nindent 4 }}
+  name: {{ include "defguard-gateway.fullname" . }}-grpc-headless
+spec:
+  clusterIP: None
+  ports:
+    - name: grpc
+      port: {{ .Values.service.grpc.port }}
+      protocol: TCP
+      targetPort: grpc
+  selector:
+    {{- include "defguard-gateway.selectorLabels" . | nindent 4 }}

charts/defguard-gateway/templates/grpc-service.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    {{- with .Values.service.grpc.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  name: {{ include "defguard-gateway.fullname" . }}-grpc
+  labels:
+    {{- include "defguard-gateway.labels" . | nindent 4 }}
+    {{- with .Values.service.grpc.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  type: {{ .Values.service.grpc.type }}
+  ports:
+    - port: {{ .Values.service.grpc.port }}
+      targetPort: grpc
+      protocol: TCP
+      name: grpc
+  selector:
+    {{- include "defguard-gateway.selectorLabels" . | nindent 4 }}

…fguard-gateway/templates/deployment.yaml …guard-gateway/templates/statefulset.yamlcharts/defguard-gateway/templates/deployment.yaml renamed to charts/defguard-gateway/templates/statefulset.yaml charts/defguard-gateway/templates/deployment.yaml renamed to charts/defguard-gateway/templates/statefulset.yaml

@@ -1,14 +1,16 @@
 apiVersion: apps/v1
-kind: Deployment
+kind: StatefulSet
 metadata:
   name: {{ include "defguard-gateway.fullname" . }}
   labels:
     {{- include "defguard-gateway.labels" . | nindent 4 }}
 spec:
+  podManagementPolicy: Parallel
   replicas: {{ .Values.replicaCount }}
   selector:
     matchLabels:
       {{- include "defguard-gateway.selectorLabels" . | nindent 6 }}
+  serviceName: {{ include "defguard-gateway.fullname" . }}-grpc-headless
   template:
     metadata:
       {{- with .Values.podAnnotations }}
@@ -27,18 +29,24 @@ spec:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
         - name: {{ .Chart.Name }}
+          {{- if .Values.healthCheck.enabled }}
+          env:
+            - name: HEALTH_PORT
+              value: {{ .Values.healthCheck.port }}
+          {{- end }}
           envFrom:
             - configMapRef:
                 name: {{ include "defguard-gateway.fullname" . }}-config
             {{- if .Values.additionalEnvFromConfigMap }}
             - configMapRef:
                 name: {{ .Values.additionalEnvFromConfigMap }}
             {{- end }}
-          securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:
+            - name: grpc
+              containerPort: {{ .Values.service.grpc.port }}
+              protocol: TCP
             - name: wireguard
               containerPort: {{ .Values.service.wireguard.port }}
               protocol: UDP
@@ -62,23 +70,11 @@ spec:
             timeoutSeconds: {{ .Values.healthCheck.readinessProbe.timeoutSeconds }}
             failureThreshold: {{ .Values.healthCheck.readinessProbe.failureThreshold }}
           {{- end }}
-          {{- if .Values.token }}
-          env:
-            - name: DEFGUARD_TOKEN
-              value: {{ .Values.token }}
-          {{- else if .Values.existingTokenSecret }}
-          env:
-            - name: DEFGUARD_TOKEN
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Values.existingTokenSecret }}
-                  key: {{ .Values.existingTokenSecretKey }}
-          {{- end }}
-          {{- if .Values.healthCheck.enabled }}
-          env:
-            - name: HEALTH_PORT
-              value: {{ .Values.healthCheck.port }}
-          {{- end }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          volumeMounts:
+            - name: data
+              mountPath: /etc/defguard
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -91,3 +87,15 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+  volumeClaimTemplates:
+    - metadata:
+        name: data
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        {{- with .Values.persistence.storageClassName }}
+        storageClassName: {{ . }}
+        {{- end }}
+        resources:
+          requests:
+            storage: {{ .Values.persistence.size }}