Make it easy to deploy on aws #75

Closed
wants to merge 2 commits into from

@tudor-pop tudor-pop commented Jun 3, 2025

  1. Add default stuff without which the gateway wouldn't start, like securityContext.capabilities.
  2. Add explicit resource requests/limits based on measurements from Prometheus.
  3. Add explicit WireGuard port to the deployment. It's not obvious on which port wg runs without ssh-ing into the pod.
  4. Add service LoadBalancer to create an NLB in AWS when it's deployed. This needs a small sidecar which responds to TCP healthchecks from the NLB - added this as well.
  5. Enable AWS deployment using a cloudProvider: aws
  6. Add missing masquerade on iptables. Without this, traffic doesn't flow.

@@ -9,3 +9,5 @@ data:
DEFGUARD_GRPC_URL: {{ .Values.grpcUrl | quote }}
DEFGUARD_STATS_PERIOD: {{ .Values.statsPeriod | quote }}
RUST_LOG: {{ .Values.logLevel | quote }}
PRE_UP: "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE"
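
Review bot: the `PRE_UP` value on the last line is a string literal while the three entries above it all come from `.Values`, and the rule it installs has no source match, so every packet leaving `eth0` is source-NATed, not only traffic from the WireGuard clients. Suggest exposing the command (or at least the interface and the VPN subnet for a `-s` match) as chart values with an empty default. `-A` also appends a fresh copy each time the hook runs and no matching `-D` on teardown is visible here, so the rule can accumulate across interface restarts.
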
Contributor

Is that necessary? Can we guarantee the network interface will always be eth0 for all users of this chart? Maybe it should be wrapped in an AWS-only condition?

@@ -56,6 +59,19 @@ spec:
name: {{ .Values.existingTokenSecret }}
key: {{ .Values.existingTokenSecretKey }}
{{- end }}
# used to keep nlb happy to do health checks at port 80.
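
Review bot: the comment on the last line is the only documentation for the health-check sidecar, and it sits after the `{{- end }}` that closes the token-secret block, outside any condition, so whatever follows it renders for every install. Suggest gating it on the cloud provider value, naming the AWS NLB explicitly in the comment, and taking the port from values instead of fixing it at 80, since a listener that exists only for health checks should not be present on deployments that have no NLB.
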
Contributor

It seems to be AWS-related only. Should be wrapped in a condition.

selector:
{{- include "defguard-gateway.selectorLabels" . | nindent 4 }}

{{ end }}
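
Review bot: the closing `{{ end }}` on the last line does not trim whitespace, unlike the `{{- end }}` in the earlier hunk, so together with the blank line above it the rendered Service ends in stray empty lines. Use `{{- end }}` here so both templates follow the same convention.
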
Contributor

Missing LineFeed (LF) character at the end of the file

type: ClusterIP
cloudProvider: aws
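
Review bot: `cloudProvider: aws` as the shipped default means, per the PR description, that the AWS path with its LoadBalancer Service is on for anyone who installs the chart without overrides, while `type: ClusterIP` directly above still reads as an internal-only default. Default it to an empty value so an externally reachable load balancer is opt-in, and add a comment listing the accepted values and how the setting interacts with `type`.
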
Contributor

I think this should not be the default value.

Contributor

kchudy commented Jul 17, 2025

Closing the issue due to inactivity

@kchudy kchudy closed this Jul 17, 2025
@github-project-automation github-project-automation bot moved this from Review to Ready to release in Backlog & Roadmap Jul 17, 2025
@kchudy kchudy added this to the 1.5-alpha milestone Jul 18, 2025