
NAS-121719 / 23.10 / Add Zerotier to `community` train (#1164)

* add zerotier to community train

* lib

* add email

* add metadata
Stavros Kois 2 jaren geleden
bovenliggende
commit
45d2f09976

+ 6 - 0
library/ix-dev/community/zerotier/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: common
+  repository: file://../../../common
+  version: 1.0.6
+digest: sha256:2f1f31c15fb7f92db141a66adbb8d23a8598727730050a3883a211763a4e5472
+generated: "2023-04-27T15:56:00.724376021Z"

+ 26 - 0
library/ix-dev/community/zerotier/Chart.yaml

@@ -0,0 +1,26 @@
+name: zerotier
+description: Securely connect any device, anywhere.
+annotations:
+  title: Zerotier
+type: application
+version: 1.0.0
+apiVersion: v2
+appVersion: '1.10.6'
+kubeVersion: '>=1.16.0-0'
+maintainers:
+  - name: truenas
+    url: https://www.truenas.com/
+    email: dev@ixsystems.com
+dependencies:
+  - name: common
+    repository: file://../../../common
+    version: 1.0.6
+home: https://www.zerotier.com
+icon: https://avatars.githubusercontent.com/u/4173285
+sources:
+  - https://www.zerotier.com
+  - https://github.com/truenas/charts/tree/master/community/zerotier
+  - https://hub.docker.com/r/zerotier/zerotier
+keywords:
+  - vpn
+  - zerotier

+ 3 - 0
library/ix-dev/community/zerotier/README.md

@@ -0,0 +1,3 @@
+# Zerotier
+
+[Zerotier](https://www.zerotier.com) Securely connect any device, anywhere.

+ 3 - 0
library/ix-dev/community/zerotier/app-readme.md

@@ -0,0 +1,3 @@
+# Zerotier
+
+[Zerotier](https://www.zerotier.com) Securely connect any device, anywhere.

BIN
library/ix-dev/community/zerotier/charts/common-1.0.6.tgz


+ 9 - 0
library/ix-dev/community/zerotier/ci/basic-values.yaml

@@ -0,0 +1,9 @@
+# FIXME: Find a way to have test keys for CI testing
+# We need an authToken(aka API key) network(s) and identityPublic/identitySecret
+zerotierConfig:
+  authToken: some auth token
+  identitySecret: some identity secret
+  identityPublic: some identity public
+  networks:
+    - some net id
+    - some other net id

+ 4 - 0
library/ix-dev/community/zerotier/item.yaml

@@ -0,0 +1,4 @@
+icon_url: https://avatars.githubusercontent.com/u/4173285
+categories:
+  - vpn
+  - zerotier

+ 32 - 0
library/ix-dev/community/zerotier/metadata.yaml

@@ -0,0 +1,32 @@
+runAsContext:
+  - userName: root
+    groupName: root
+    gid: 0
+    uid: 0
+    description: Zerotier requires root privileges to start the Zerotier process
+capabilities:
+  - name: NET_ADMIN
+    description: Zerotier requires NET_ADMIN to configure the VPN interface, modify routes, etc.
+  - name: NET_RAW
+    description: Zerotier requires NET_RAW to use raw sockets and proxying
+  - name: AUDIT_WRITE
+    description: Zerotier is able to write to audit log.
+  - name: CHOWN
+    description: Zerotier is able to chown files.
+  - name: DAC_OVERRIDE
+    description: Zerotier is able to bypass permission checks.
+  - name: FOWNER
+    description: Zerotier is able bypass permission checks for it's sub-processes.
+  - name: NET_BIND_SERVICE
+    description: Zerotier is able to bind to privileged ports.
+  - name: SETGID
+    description: Zerotier is able to set group ID for it's sub-processes.
+  - name: SETUID
+    description: Zerotier is able to set user ID for it's sub-processes.
+  - name: SETPCAP
+    description: Zerotier is able to set process capabilities.
+  - name: SYS_ADMIN
+    description: Zerotier is able to perform various system administration operations.
+hostMounts:
+  - hostPath: /dev/tun
+    description: Required to access the TUN device
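Review bot: The `hostMounts` entry declares `hostPath: /dev/tun`, but the template in `_zerotier.tpl` mounts `/dev/net/tun` (its `persistence.tun-dev.hostPath`), so the privilege summary shown to the user does not match what the pod actually mounts; change it to `hostPath: /dev/net/tun`. Three capability descriptions also misspell the possessive: `FOWNER` (`is able bypass ... for it's sub-processes` → `is able to bypass ... for its sub-processes`), `SETGID` and `SETUID` (`it's` → `its`). Since `SYS_ADMIN` together with `DAC_OVERRIDE` and a root uid is close to full host-root inside the container, the `SYS_ADMIN` description would be more useful if it named the specific operation zerotier needs it for rather than "various system administration operations".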

+ 120 - 0
library/ix-dev/community/zerotier/questions.yaml

@@ -0,0 +1,120 @@
+groups:
+  - name: Zerotier Configuration
+    description: Configure Zerotier
+  - name: Network Configuration
+    description: Configure Network for Zerotier
+  - name: Resources Configuration
+    description: Configure Resources for Zerotier
+
+questions:
+  - variable: zerotierConfig
+    label: ""
+    group: Zerotier Configuration
+    schema:
+      type: dict
+      attrs:
+        - variable: networks
+          label: Networks
+          description: The network(s) to join
+          schema:
+            type: list
+            empty: false
+            required: true
+            min: 1
+            default: []
+            items:
+              - variable: networkEntry
+                label: Network
+                schema:
+                  type: string
+                  required: true
+        - variable: authToken
+          label: Auth Token (API Key)
+          description: |
+            (Optional) The auth token for Zerotier.</br>
+            Same as authtoken.secret.
+          schema:
+            type: string
+            default: ""
+            private: true
+        - variable: identitySecret
+          label: Identity Secret
+          description: |
+            (Optional) The identity secret for Zerotier.</br>
+            Same as identity.secret.
+          schema:
+            type: string
+            default: ""
+            private: true
+        - variable: identityPublic
+          label: Identity Public
+          description: |
+            (Optional) The identity public for Zerotier.</br>
+            Same as identity.public.
+          schema:
+            type: string
+            default: ""
+            private: true
+
+        - variable: additionalEnvs
+          label: Additional Environment Variables
+          description: Configure additional environment variables for Zerotier.
+          schema:
+            type: list
+            default: []
+            items:
+              - variable: env
+                label: Environment Variable
+                schema:
+                  type: dict
+                  attrs:
+                    - variable: name
+                      label: Name
+                      schema:
+                        type: string
+                        required: true
+                    - variable: value
+                      label: Value
+                      schema:
+                        type: string
+                        required: true
+
+  - variable: zerotierNetwork
+    label: ""
+    group: Network Configuration
+    schema:
+      type: dict
+      attrs:
+        - variable: hostNetwork
+          label: Host Network
+          description: |
+            Bind to the host network. It's recommended to keep this disabled.</br>
+          schema:
+            type: boolean
+            default: false
+
+  - variable: resources
+    group: Resources Configuration
+    label: ""
+    schema:
+      type: dict
+      attrs:
+        - variable: limits
+          label: Limits
+          schema:
+            type: dict
+            attrs:
+              - variable: cpu
+                label: CPU
+                description: CPU limit for Zerotier.
+                schema:
+                  type: string
+                  default: "4000m"
+                  required: true
+              - variable: memory
+                label: Memory
+                description: Memory limit for Zerotier.
+                schema:
+                  type: string
+                  default: "8Gi"
+                  required: true
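Review bot: The `networkEntry` item is a bare `type: string` with no format constraint, so a mistyped network id is accepted by the form and only surfaces later as a daemon that never joins and probes that keep failing; ZeroTier network ids are 16 hex characters, so if the questions schema supports a pattern constraint (TrueNAS charts use `valid_chars` for this), add `valid_chars: '^[0-9a-fA-F]{16}$'` under the item's `schema`. Separately, `identityPublic` is marked `private: true` although the public half of the identity is not a secret; that hides a value users may need to copy into the ZeroTier controller, so consider dropping `private` there while keeping it on `authToken` and `identitySecret`. The three `description: |` block scalars end with a `</br>` and a kept trailing newline; `|-` would avoid the trailing newline in the rendered help text.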

+ 1 - 0
library/ix-dev/community/zerotier/templates/NOTES.txt

@@ -0,0 +1 @@
+{{ include "ix.v1.common.lib.chart.notes" $ }}

+ 89 - 0
library/ix-dev/community/zerotier/templates/_zerotier.tpl

@@ -0,0 +1,89 @@
+{{- define "zerotier.workload" -}}
+workload:
+  zerotier:
+    enabled: true
+    primary: true
+    type: Deployment
+    podSpec:
+      hostNetwork: {{ .Values.zerotierNetwork.hostNetwork }}
+      sysctls:
+        - name: net.ipv4.ip_forward
+          value: "1"
+        - name: net.ipv6.conf.all.forwarding
+          value: "1"
+      containers:
+        zerotier:
+          enabled: true
+          primary: true
+          imageSelector: image
+          args:
+          {{ if not .Values.zerotierConfig.networks }}
+            {{ fail "Zerotier - At least one network must be specified" }}
+          {{ end }}
+          {{ range .Values.zerotierConfig.networks }}
+          - {{ . }}
+          {{ end }}
+          securityContext:
+            runAsUser: 0
+            runAsGroup: 0
+            runAsNonRoot: false
+            readOnlyRootFilesystem: false
+            capabilities:
+              add:
+                {{/* Most of those capabilities are normally added by default in conainers
+                But by default, in common, we drop all of them. So here we add some of them
+                as they are needed, because zerotier starts as root but drops privs for some
+                of the processes running by the zerotier binary */}}
+                - AUDIT_WRITE
+                - CHOWN
+                - DAC_OVERRIDE
+                - FOWNER
+                - NET_ADMIN
+                - NET_BIND_SERVICE
+                - NET_RAW
+                - SETGID
+                - SETPCAP
+                - SETUID
+                - SYS_ADMIN
+          env:
+            {{ with .Values.zerotierConfig.authToken }}
+            ZEROTIER_API_SECRET: {{ . }}
+            {{ end }}
+            {{ with .Values.zerotierConfig.identityPublic }}
+            ZEROTIER_IDENTITY_PUBLIC: {{ . }}
+            {{ end }}
+            {{ with .Values.zerotierConfig.identitySecret }}
+            ZEROTIER_IDENTITY_SECRET: {{ . }}
+            {{ end }}
+          {{ with .Values.zerotierConfig.additionalEnvs }}
+          envList:
+            {{ range $env := . }}
+            - name: {{ $env.name }}
+              value: {{ $env.value }}
+            {{ end }}
+          {{ end }}
+          probes:
+            liveness:
+              enabled: true
+              type: exec
+              command: /healthcheck.sh
+            readiness:
+              enabled: true
+              type: exec
+              command: /healthcheck.sh
+            startup:
+              enabled: true
+              type: exec
+              command: /healthcheck.sh
+
+{{/* Persistence */}}
+persistence:
+  tun-dev:
+    enabled: true
+    type: device
+    hostPath: /dev/net/tun
+    targetSelector:
+      zerotier:
+        zerotier:
+          mountPath: /dev/net/tun
+{{- end -}}
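Review bot: User-supplied values are emitted as plain YAML scalars in this template and the result is re-parsed by `fromYaml` in `common.yaml`, so `- {{ . }}` for each network, `ZEROTIER_API_SECRET: {{ . }}`, `ZEROTIER_IDENTITY_PUBLIC: {{ . }}`, `ZEROTIER_IDENTITY_SECRET: {{ . }}` and `value: {{ $env.value }}` are retyped or break the parse for ordinary inputs: an all-digit network id (hex ids can be all decimal digits, and a leading zero makes it octal) becomes an integer, and a token containing `: ` or ` #` truncates or errors. Pipe each through `quote`, e.g. `- {{ . | quote }}` and `ZEROTIER_API_SECRET: {{ . | quote }}`, and likewise for the other four lines. It is also worth a comment next to the `env:` block noting that `authToken` and `identitySecret` are placed in plain container env here, so whether they end up in a Secret or in the pod spec depends on how the common library renders `env`; that is not visible in this file.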

+ 6 - 0
library/ix-dev/community/zerotier/templates/common.yaml

@@ -0,0 +1,6 @@
+{{- include "ix.v1.common.loader.init" . -}}
+
+{{/* Merge the templates with Values */}}
+{{- $_ := mustMergeOverwrite .Values (include "zerotier.workload" $ | fromYaml) -}}
+
+{{- include "ix.v1.common.loader.apply" . -}}

+ 1 - 0
library/ix-dev/community/zerotier/upgrade_info.json

@@ -0,0 +1 @@
+{"filename": "values.yaml", "keys": ["image"]}

+ 30 - 0
library/ix-dev/community/zerotier/upgrade_strategy

@@ -0,0 +1,30 @@
+#!/usr/bin/python3
+import json
+import re
+import sys
+
+from catalog_update.upgrade_strategy import semantic_versioning
+
+RE_STABLE_VERSION = re.compile(r'[0-9]+\.[0-9]+\.[0-9]+')
+
+
+def newer_mapping(image_tags):
+    key = list(image_tags.keys())[0]
+    tags = {t: t for t in image_tags[key] if RE_STABLE_VERSION.fullmatch(t)}
+    version = semantic_versioning(list(tags))
+    if not version:
+        return {}
+
+    return {
+        'tags': {key: tags[version]},
+        'app_version': version,
+    }
+
+
+if __name__ == '__main__':
+    try:
+        versions_json = json.loads(sys.stdin.read())
+    except ValueError:
+        raise ValueError('Invalid json specified')
+
+    print(json.dumps(newer_mapping(versions_json)))
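Review bot: `newer_mapping` indexes `list(image_tags.keys())[0]`, which raises an opaque `IndexError` when the upstream JSON is an empty object, and the `except ValueError: raise ValueError('Invalid json specified')` in the entry point discards the original decode error's position information. Replace the first with `if not image_tags: return {}` followed by `key = next(iter(image_tags))`, and chain the second as `except ValueError as e: raise ValueError('Invalid json specified') from e`. A one-line docstring on `newer_mapping` stating that it returns `{}` when no stable `x.y.z` tag exists would also document the contract the caller relies on.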

+ 19 - 0
library/ix-dev/community/zerotier/values.yaml

@@ -0,0 +1,19 @@
+image:
+  repository: zerotier/zerotier
+  pullPolicy: IfNotPresent
+  tag: '1.10.6'
+
+resources:
+  limits:
+    cpu: 4000m
+    memory: 8Gi
+
+zerotierConfig:
+  authToken: ''
+  identityPublic: ''
+  identitySecret: ''
+  networks: []
+  additionalEnvs: []
+
+zerotierNetwork:
+  hostNetwork: false