Merge pull request #141 from cloudymax/cloudbase-support

cloudymax · web-flow · commit 13dba4d8ccfa · 2025-11-15T11:53:04.000+01:00
- Adds support for cloudbase-init syntax
- fixes issue where wireguard configs supplied as secrets would not render
- we now just grab the whole users[] array to avoid having to define every single possible option
- fix default wireguard type declaration
- remove some superfluous comments
- add more reasonable default network data example

Breaking Changes:
- `ssh_import_id: []` and `ssh_authorized_keys: []` removed from default user values, should be commented our or removed when not in-use to avoid a templating error
- new value `cloudbase: true/false` required
diff --git a/charts/cloud-init/Chart.yaml b/charts/cloud-init/Chart.yaml
@@ -2,6 +2,6 @@ apiVersion: v2
 name: cloud-init
 description: A Helm chart that generates cloud-init config files
 type: application
-version: 1.0.3
+version: 2.0.0
 maintainers:
   - name: cloudymax
diff --git a/charts/cloud-init/README.md b/charts/cloud-init/README.md
@@ -1,6 +1,6 @@
 # cloud-init
 
-![Version: 1.0.2](https://img.shields.io/badge/Version-1.0.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 2.0.0](https://img.shields.io/badge/Version-2.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 A Helm chart that generates cloud-init config files
 
@@ -20,6 +20,7 @@ A Helm chart that generates cloud-init config files
 | argocd.syncString | string | `"Prune=false,Delete=false"` | String containing ArgoCD resource sync options |
 | boot_cmd | list | `[]` | Run arbitrary commands early in the boot process See https://cloudinit.readthedocs.io/en/latest/reference/modules.html#bootcmd |
 | ca_certs | list | `[]` | Add CA certificates See https://cloudinit.readthedocs.io/en/latest/reference/modules.html#ca-certificates |
+| cloudbase | bool | `false` |  |
 | debug | bool | `false` | when enabled job sleeps to allow user to exec into the container |
 | disable_root | bool | `false` | Disable root login over ssh |
 | disk_setup | list | `[]` |  |
@@ -32,9 +33,9 @@ A Helm chart that generates cloud-init config files
 | image | string | `"deserializeme/kv-cloud-init:1.0.0"` | image version |
 | mounts | list | `[]` | Set up mount points. mounts contains a list of lists. The inner list contains entries for an /etc/fstab line |
 | namespace | string | `"default"` | namespace in which to create resources |
-| network | object | `{"config":"disabled"}` | networking options |
-| network.config | string | `"disabled"` | disable cloud-init’s network configuration capability and rely on other methods such as embedded configuration or other customisations. |
-| networkData.content | string | `"renderer: networkd\nnetwork:\n  version: 2\n  ethernets:\n    multus:\n      match:\n        macaddress: ${macaddress}\n      dhcp4: false\n      dhcp6: false\n      addresses:\n        - 192.168.100.100/24\n      routes:\n        - to: default\n          via: 192.168.100.1\n      mtu: 1500\n      nameservers:\n        addresses:\n          - 192.168.100.1"` |  |
+| network | object | `{"config":"enabled"}` | networking options |
+| network.config | string | `"enabled"` | disable cloud-init’s network configuration capability and rely on other methods such as embedded configuration or other customisations. |
+| networkData.content | string | `"network:\n  version: 2\n  renderer: networkd\n  ethernets:\n    enp1s0:\n      dhcp4: true\n      dhcp6: false\n"` |  |
 | networkData.enabled | bool | `false` |  |
 | package_reboot_if_required | bool | `false` | Update, upgrade, and install package See https://cloudinit.readthedocs.io/en/latest/reference/modules.html#package-update-upgrade-install |
 | package_update | bool | `true` |  |
@@ -45,11 +46,9 @@ A Helm chart that generates cloud-init config files
 | secret_name | string | `"my-userdata"` | secret in which to save the user-data file, must be unique within namespace |
 | serviceAccount | object | `{"create":true,"existingServiceAccountName":"some-other-sa","name":"my-service-account"}` | Choose weather to create a service-account or not. Once a SA has been created you should set this to false on subsequent runs, or use a uniqne name per vm. |
 | swap | object | `{"enabled":false,"filename":"/swapfile","maxsize":"1G","size":"1G"}` | creates a swap file using human-readable values. |
-| users | list | `[{"groups":"users, admin, docker, sudo, kvm","lock_passwd":false,"name":"$USERNAME","password":"random","shell":"/bin/bash","ssh_authorized_keys":[],"ssh_import_id":[],"sudo":"ALL=(ALL) NOPASSWD:ALL"}]` | user configuration options See https://cloudinit.readthedocs.io/en/latest/reference/modules.html#users-and-groups do NOT use 'admin' as username - it conflicts with multiele cloud-images |
-| users[0].password | string | `"random"` | When set to 'random' a password will be generated for the user. |
-| users[0].ssh_authorized_keys | list | `[]` | provider user ssh pub key as plaintext |
-| users[0].ssh_import_id | list | `[]` | import user ssh public keys from github, gitlab, or launchpad See https://cloudinit.readthedocs.io/en/latest/reference/modules.html#ssh |
-| wireguard | list | `[]` | add wireguard configuration from existing secret or as plain-text See https://cloudinit.readthedocs.io/en/latest/reference/modules.html#wireguard |
+| users | list | `[{"groups":"users, admin, docker, sudo, kvm","lock_passwd":false,"name":"$USERNAME","passwd":"random","shell":"/bin/bash","sudo":"ALL=(ALL) NOPASSWD:ALL"}]` | user configuration options See https://cloudinit.readthedocs.io/en/latest/reference/modules.html#users-and-groups You are advised NOT to use 'admin' as username for linux systems because it conflicts with multiple cloud-images default user configurations When using with cloudbase-init syntax the use of "Admin" as a username is fine. |
+| users[0].passwd | string | `"random"` | When set to 'random' a password will be generated for the user. When empty "" we will look for an env-var named <$USERNAME>_PASSWORD Passing plain-text passwords is not supported. |
+| wireguard | object | `{"interfaces":[]}` | add wireguard configuration from existing secret or as plain-text See https://cloudinit.readthedocs.io/en/latest/reference/modules.html#wireguard |
 | write_files | list | `[]` | Write arbitrary files to disk. Files my be provided as plain-text or downloaded from a url See https://cloudinit.readthedocs.io/en/latest/reference/modules.html#write-files |
 
 ----------------------------------------------
diff --git a/charts/cloud-init/scripts/cigen.sh b/charts/cloud-init/scripts/cigen.sh
@@ -32,6 +32,7 @@ export ARGO_ENABLED="false"
 export ARGO_APP_NAME="none"
 export ARGO_SYNC="none"
 export ARGO_COMPARE="none"
+export CLOUDBASE="false"
 
 # Parse and validate user inputs.
 parse_params() {
@@ -84,6 +85,10 @@ parse_params() {
                         export ARGO_COMPARE="${2-}"
                         shift
                         ;;
+                -cb | --cloudbase)
+                        export CLOUDBASE="${2}"
+                        shift
+                        ;;
                -?*) die "Unknown option: $1" ;;
                 *) echo "${2-}" && break ;;
                 esac
@@ -114,6 +119,8 @@ Available options:
 
 -s, --salt              Salt to use when encrypting passwords [string]
 
+-cb, --cloudbase        Use cloudbase-init syntax
+
 Optional Kubernetes settings:
 
 -k, --kubernetes        Create kubernetes secrets from user and network data [true/false]
@@ -160,14 +167,23 @@ run_envsubst(){
 }
 
 random_hostname(){
-      CHECK=$(yq '.hostname' $USER_DATA_PATH | tr '[:lower:]' '[:upper:]')
+     if [ "${CLOUDBASE}" == "true" ]; then
+        CHECK=$(yq '.set_hostname' $USER_DATA_PATH | tr '[:lower:]' '[:upper:]')
+     else
+        CHECK=$(yq '.hostname' $USER_DATA_PATH | tr '[:lower:]' '[:upper:]')
+     fi
 
-      if [ ${CHECK} == "RANDOM" ]; then
+     if [ ${CHECK} == "RANDOM" ]; then
         log "Generating a random hostname."
         export HOSTNAME=$(golang-petname)
-        yq -i '.hostname = env(HOSTNAME)' $USER_DATA_PATH
+
+        if [ "${CLOUDBASE}" == "true" ]; then
+            yq -i '.set_hostname = env(HOSTNAME)' $USER_DATA_PATH
+        else
+            yq -i '.hostname = env(HOSTNAME)' $USER_DATA_PATH
+        fi
         log "Nice to meet you, $HOSTNAME"
-      fi
+     fi
 }
 
 # Hash and insert passwd field for each specified user
@@ -212,9 +228,16 @@ admin_password(){
                 --argo-compare "${ARGO_COMPARE}"
         fi
 
-        log "Setting hashed password for user: $user"
-        export HASHED_PASSWORD=$(mkpasswd --method=SHA-512 --rounds=4096 "${PASSWORD}" -s "${SALT}")
-        yq -i '.users[env(COUNT)].passwd = env(HASHED_PASSWORD)' $USER_DATA_PATH
+        # If not using cloudbse syntax, add the hashed password to the userdata
+        if [ "${CLOUDBASE}" == "true" ]; then
+            log "Setting password for user: $user"
+            yq -i '.users[env(COUNT)].passwd = env(PASSWORD)' $USER_DATA_PATH
+        else
+            log "Setting hashed password for user: $user"
+            export HASHED_PASSWORD=$(mkpasswd --method=SHA-512 --rounds=4096 "${PASSWORD}" -s "${SALT}")
+            yq -i '.users[env(COUNT)].passwd = env(HASHED_PASSWORD)' $USER_DATA_PATH
+        fi
+
         export COUNT=$(($COUNT + 1))
     done
 }
@@ -297,6 +320,18 @@ wireguard(){
                 yq -i '.wireguard.interfaces[env(COUNT)] |= (del(.path))' $USER_DATA_PATH
             fi
 
+            # if the config is from a secret
+            if [ "$SOURCE" == "secret" ]; then
+                export WG_NAME=$(yq '.wireguard.interfaces[env(COUNT)].name' "${USER_DATA_PATH}")
+                export WG_PATH="/secrets/${WG_NAME}.conf"
+                export OUTPUT=$(/bin/cat "${WG_PATH}")
+
+                log "Adding wireguard interface ${interface}"
+                yq -i '.wireguard.interfaces[env(COUNT)].content = strenv(OUTPUT)' $USER_DATA_PATH
+                yq -i '.wireguard.interfaces[env(COUNT)] |= (del(.source))' $USER_DATA_PATH
+                yq -i '.wireguard.interfaces[env(COUNT)] |= (del(.path))' $USER_DATA_PATH
+            fi
+
             # if the config is in-line content
             if [ "$SOURCE" == "content" ]; then
                 export CONTENT=$(yq '.wireguard.interfaces[env(COUNT)].content' "${USER_DATA_PATH}")
diff --git a/charts/cloud-init/templates/cloudbase-configmap.yaml b/charts/cloud-init/templates/cloudbase-configmap.yaml
@@ -0,0 +1,49 @@
+{{- if .Values.cloudbase }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.secret_name }}-userdata
+  namespace: {{ .Values.namespace }}
+  labels:
+    {{- include "cloud-init.labels" . | nindent 4 }}
+data:
+  {{- if .Values.networkData.enabled }}
+  {{- $content := .Values.networkData.content }}
+  network-data.yaml: |-
+    {{- $content | nindent 4 }}
+  {{- end }}
+  user-data.yaml: |-
+    #cloud-config
+    set_hostname: {{ .Values.hostname }}
+    {{- with .Values.groups }}
+    groups:
+        {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.users }}
+    users:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- if gt (len .Values.write_files) 0 }}
+    write_files:
+    {{- range $reg, $props := .Values.write_files }}
+      - path: {{ $props.path }}
+        permissions: {{ $props.permissions | quote }}
+      {{- if $props.url }}
+        url: {{ $props.url | quote }}
+      {{- end}}
+      {{- if $props.encoding }}
+        encoding: {{ $props.encoding | quote }}
+      {{- end}}
+      {{- if $props.content }}
+        content: |-
+        {{- with $props.content }}
+          {{- . | nindent 10 }}
+        {{- end }}
+      {{- end }}
+      {{- end }}
+    {{- end }}
+    {{- with .Values.runcmd }}
+    runcmd:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+{{- end }}
diff --git a/charts/cloud-init/templates/configmap.yaml b/charts/cloud-init/templates/configmap.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.cloudbase }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -44,23 +45,10 @@ data:
     groups:
         {{- toYaml . | nindent 4 }}
     {{- end }}
+    {{- with .Values.users }}
     users:
-      {{- range $reg, $props := .Values.users }}
-      - name: {{ $props.name }}
-        groups: {{ $props.groups }}
-        sudo: {{ $props.sudo }}
-        shell: {{ $props.shell }}
-        lock_passwd: {{ $props.lock_passwd }}
-        passwd: {{ $props.password }}
-        {{- with $props.ssh_import_id }}
-        ssh_import_id:
-          {{- toYaml . | nindent 10 }}
-        {{- end }}
-        {{- with $props.ssh_authorized_keys }}
-        ssh_authorized_keys:
-          {{- toYaml . | nindent 10 }}
-        {{- end }}
-      {{- end }}
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
     {{- with .Values.boot_cmd }}
     bootcmd:
       {{- toYaml . | nindent 6 }}
@@ -98,11 +86,19 @@ data:
     runcmd:
       {{- toYaml . | nindent 6 }}
     {{- end }}
-    {{- if .Values.wireguard }}
+    {{- if .Values.wireguard.interfaces }}
     wireguard:
       interfaces:
         {{- range $reg, $props := .Values.wireguard.interfaces }}
         - name: {{ $props.name }}
           config_path: {{ $props.config_path }}
+          source: {{ $props.source }}
+          {{- if eq $props.source "content" }}
+          content: |-
+          {{- with $props.content }}
+            {{- . | nindent 12 }}
+          {{- end }}
+          {{- end }}
         {{- end }}
     {{- end }}
+{{- end }}
diff --git a/charts/cloud-init/templates/job.yaml b/charts/cloud-init/templates/job.yaml
@@ -39,6 +39,7 @@ spec:
             - "/bin/bash"
             - "/home/appuser/cigen.sh"
             - "--userdata /secrets/user-data.yaml"
+            - "--cloudbase {{ .Values.cloudbase }}"
             {{- if .Values.networkData.enabled }}
             - "--networkdata /secrets/network-data.yaml"
             {{- end }}
@@ -79,11 +80,14 @@ spec:
               subPath: secretgen.sh
             {{- if .Values.wireguard }}
             {{- range $reg, $props := .Values.wireguard.interfaces }}
+            {{- if $props.existingSecret }}
             - name: {{ $props.name }}
-              mountPath: /secrets
+              mountPath: /secrets/{{ $props.name }}.conf
+              subPath: {{ $props.name }}.conf
               readOnly: true
             {{- end }}
             {{- end }}
+            {{- end }}
       volumes:
         - name: userdata
           configMap:
@@ -113,7 +117,7 @@ spec:
         {{- end }}
         {{- if .Values.wireguard }}
         {{- range $reg, $props := .Values.wireguard.interfaces }}
-        {{- if eq .props.source "secret" }}
+        {{- if $props.existingSecret }}
         - name: {{ $props.name }}
           secret:
             secretName: {{ $props.existingSecret.name }}
diff --git a/charts/cloud-init/values.yaml b/charts/cloud-init/values.yaml
