Expose AGH dashboard

Makefile

@@ -211,7 +211,7 @@ test:
 .PHONY: e2etest
 e2etest:
 	TAG=$(TS) WGTEST_REPO=localhost:5111/glm-wgtest $(MAKE) docker_push_wgtest
-	go test ./internal/e2etest/ $(GO_TEST_FLAGS) -count=1 -race -v -e2e -wgtest-image $(WGTEST_REPO):$(TS) -api-server http://localhost:38080/api
+	go test ./internal/e2etest/ $(GO_TEST_FLAGS) -count=1 -race -v -e2e -wgtest-image $(WGTEST_REPO):$(TS) -api-server http://localhost:38080
 
 WGTEST_REPO ?= k3d-guardllama.localhost:5111/glm-wgtest
 .PHONY: docker_push_wgtest

README.md

@@ -43,7 +43,7 @@ GuardLlama is licensed under the [Apache 2.0 License](LICENSE.md).
 This software wouldn't have been possible without the incredible work of several open-source projects, including:
 
 - [WireGuard](https://www.wireguard.com)
-- [AdGuard Home](https://github.com/AdguardTeam/AdGuardHome)
+- [AdGuardHome](https://github.com/AdguardTeam/AdGuardHome)
 - [Unbound](https://github.com/NLnetLabs/unbound)
 - [K3S](https://k3s.io)
 

api/v1/tunnel_types.go

@@ -15,10 +15,12 @@ const (
 	ConditionTunnelPodReady     ConditionType = "TunnelPodReady"
 	ConditionTunnelServiceReady ConditionType = "TunnelServiceReady"
 
-	ConditionDNSConfigReady  ConditionType = "DNSConfigReady"
-	ConditionDNSDeployReady  ConditionType = "DNSDeployReady"
-	ConditionDNSPodReady     ConditionType = "DNSPodReady"
-	ConditionDNSServiceReady ConditionType = "DNSServiceReady"
+	ConditionDNSInitConfigReady ConditionType = "DNSInitConfigReady"
+	ConditionDNSConfigReady     ConditionType = "DNSConfigReady"
+	ConditionDNSPVCReady        ConditionType = "DNSPVCReady"
+	ConditionDNSDeployReady     ConditionType = "DNSDeployReady"
+	ConditionDNSPodReady        ConditionType = "DNSPodReady"
+	ConditionDNSServiceReady    ConditionType = "DNSServiceReady"
 )
 
 var (
@@ -30,7 +32,9 @@ var (
 		ConditionTunnelServiceReady,
 		ConditionTunnelPodReady,
 
+		ConditionDNSInitConfigReady,
 		ConditionDNSConfigReady,
+		ConditionDNSPVCReady,
 		ConditionDNSDeployReady,
 		ConditionDNSPodReady,
 		ConditionDNSServiceReady,
@@ -47,7 +51,7 @@ type TunnelProtocol struct {
 }
 
 type TunnelDNS struct {
-	AdGuard *AdGuardSpec `json:"adGuard,omitempty"`
+	AdGuardHome *AdGuardHomeSpec `json:"adGuardHome,omitempty"`
 }
 
 type WireGuardSpec struct {
@@ -72,17 +76,18 @@ type WireGuardInterface struct {
 	PostDown     string   `json:"postDown,omitempty"`
 }
 
-type AdGuardSpec struct {
-	FilteringEnabled *bool                `json:"filteringEnabled,omitempty"`
-	BlockLists       []TunnelDNSBlockList `json:"blockLists,omitempty"`
-	Rules            []string             `json:"rules,omitempty"`
+type AdGuardHomeSpec struct {
+	FilteringEnabled *bool                  `json:"filteringEnabled,omitempty"`
+	BlockLists       []AdGuardHomeBlockList `json:"blockLists,omitempty"`
 }
 
-type TunnelDNSBlockList struct {
-	ID      int32  `json:"id"`
-	Name    string `json:"name"`
-	URL     string `json:"url"`
-	Enabled *bool  `json:"enabled,omitempty"`
+func (s AdGuardHomeSpec) IsFilteringEnabled() bool {
+	return s.FilteringEnabled == nil || *s.FilteringEnabled
+}
+
+type AdGuardHomeBlockList struct {
+	Name string `json:"name"`
+	URL  string `json:"url"`
 }
 
 type WireGuardPeer struct {
@@ -151,16 +156,20 @@ func (t Tunnel) WireGuardAdminServiceHost() string {
 	return fmt.Sprintf("%s.%s", t.WireGuardAdminServiceName(), t.Namespace)
 }
 
-func (t Tunnel) AdGuardTypedName() string {
-	return fmt.Sprintf("ag-%s", t.Name)
+func (t Tunnel) AdGuardHomeTypedName() string {
+	return fmt.Sprintf("agh-%s", t.Name)
+}
+
+func (t Tunnel) AdGuardHomeServiceName() string {
+	return t.AdGuardHomeTypedName()
 }
 
-func (t Tunnel) AdGuardAdminServiceName() string {
-	return t.AdGuardTypedName()
+func (t Tunnel) AdGuardHomeDataPVCName() string {
+	return fmt.Sprintf("%s-data", t.AdGuardHomeTypedName())
 }
 
-func (t Tunnel) AdGuardAdminServiceHost() string {
-	return fmt.Sprintf("%s.%s", t.AdGuardAdminServiceName(), t.Namespace)
+func (t Tunnel) AdGuardHomeServiceHost() string {
+	return fmt.Sprintf("%s.%s", t.AdGuardHomeServiceName(), t.Namespace)
 }
 
 // +kubebuilder:object:root=true

api/v1/tunnel_webhook.go

@@ -44,11 +44,11 @@ func (r *Tunnel) Default() {
 		}
 	}
 
-	adGuard := r.Spec.DNS.AdGuard
-	if adGuard != nil {
+	agh := r.Spec.DNS.AdGuardHome
+	if agh != nil {
 		defaultFilteringEnabled := true
-		if adGuard.FilteringEnabled == nil {
-			adGuard.FilteringEnabled = &defaultFilteringEnabled
+		if agh.FilteringEnabled == nil {
+			agh.FilteringEnabled = &defaultFilteringEnabled
 		}
 	}
 }
@@ -83,8 +83,8 @@ func validateTunnel(r *Tunnel) error {
 		}
 	}
 
-	if r.Spec.DNS.AdGuard == nil {
-		err = errors.Join(err, fmt.Errorf("AdGuard DNS is the only supported DNS and can not be empty"))
+	if r.Spec.DNS.AdGuardHome == nil {
+		err = errors.Join(err, fmt.Errorf("AGH DNS is the only supported DNS and can not be empty"))
 	}
 
 	return err

charts/guardllama/templates/crd.yaml

@@ -52,32 +52,22 @@ spec:
             properties:
               dns:
                 properties:
-                  adGuard:
+                  adGuardHome:
                     properties:
                       blockLists:
                         items:
                           properties:
-                            enabled:
-                              type: boolean
-                            id:
-                              format: int32
-                              type: integer
                             name:
                               type: string
                             url:
                               type: string
                           required:
-                          - id
                           - name
                           - url
                           type: object
                         type: array
                       filteringEnabled:
                         type: boolean
-                      rules:
-                        items:
-                          type: string
-                        type: array
                     type: object
                 type: object
               protocol:

charts/guardllama/templates/deployment.yaml

@@ -140,6 +140,10 @@ spec:
           env:
             - name: GLMMGR_WEB_ADDR
               value: ":{{ .Values.service.web.port }}"
+            - name: GLMMGR_JWT_SIGN_KEY_PATH
+              value: /tmp/glmmgr/jwt/signKey
+            - name: GLMMGR_JWT_VERIFY_KEY_PATH
+              value: /tmp/glmmgr/jwt/verifyKey
           ports:
             - name: web
               containerPort: {{ .Values.service.web.port }}
@@ -154,6 +158,15 @@ spec:
               port: web
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+          volumeMounts:
+            - mountPath: /tmp/glmmgr/jwt
+              name: jwt
+              readOnly: true
+      volumes:
+        - name: jwt
+          secret:
+            defaultMode: 420
+            secretName: {{ include "guardllama.fullname" . }}-jwtkey
       terminationGracePeriodSeconds: 10
       {{- with .Values.nodeSelector }}
       nodeSelector:

charts/guardllama/templates/rbac.yaml

@@ -72,6 +72,18 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - persistentvolumeclaims
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
 - apiGroups:
   - ""
   resources:

charts/guardllama/templates/secret.yaml

@@ -13,7 +13,7 @@ stringData:
     }
 kind: Secret
 metadata:
-  name: {{ include "guardllama.fullname" . }}-imagePullSecret
+  name: {{ include "guardllama.fullname" . }}-imagepullsecret
 type: kubernetes.io/dockerconfigjson
 {{- end }}
 
@@ -34,6 +34,20 @@ stringData:
     }
 kind: Secret
 metadata:
-  name: {{ include "guardllama.fullname" . }}-tunnel-imagePullSecret
+  name: {{ include "guardllama.fullname" . }}-tunnel-imagepullsecret
 type: kubernetes.io/dockerconfigjson
 {{- end }}
+
+
+---
+
+apiVersion: v1
+stringData:
+  signKey: |
+    {{ .Values.jwt.signKey | nindent 4 }}
+  verifyKey: |
+    {{ .Values.jwt.verifyKey | nindent 4 }}
+kind: Secret
+metadata:
+  name: {{ include "guardllama.fullname" . }}-jwtkey
+type: Opaque

charts/guardllama/values.yaml

@@ -47,6 +47,10 @@ securityContext: {}
   # runAsNonRoot: true
   # runAsUser: 1000
 
+jwt:
+  signKey: ''
+  verifyKey: ''
+
 service:
   controller:
     type: ClusterIP

config/crd/bases/tunnel.guardllama.net_tunnels.yaml

@@ -53,32 +53,22 @@ spec:
             properties:
               dns:
                 properties:
-                  adGuard:
+                  adGuardHome:
                     properties:
                       blockLists:
                         items:
                           properties:
-                            enabled:
-                              type: boolean
-                            id:
-                              format: int32
-                              type: integer
                             name:
                               type: string
                             url:
                               type: string
                           required:
-                          - id
                           - name
                           - url
                           type: object
                         type: array
                       filteringEnabled:
                         type: boolean
-                      rules:
-                        items:
-                          type: string
-                        type: array
                     type: object
                 type: object
               protocol: