DefGuard · moubctez · Apr 15, 2026 · Mar 31, 2026 · Mar 31, 2026 · Apr 1, 2026
diff --git a/.github/workflows/ami.yml b/.github/workflows/ami.yml
@@ -25,7 +25,7 @@ jobs:
           echo "Proxy version: $PROXY_VERSION"
           echo "Gateway version: $GATEWAY_VERSION"
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup `packer`
         uses: hashicorp/setup-packer@main

diff --git a/.github/workflows/lint_charts.yml b/.github/workflows/lint_charts.yml
@@ -15,7 +15,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -11,7 +11,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
@@ -31,7 +31,7 @@ jobs:
           done
 
       - name: Run chart-releaser
-        uses: helm/chart-releaser-action@v1.6.0
+        uses: helm/chart-releaser-action@v1.7.0
         env:
           CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
         with:

diff --git a/charts/defguard-gateway/Chart.yaml b/charts/defguard-gateway/Chart.yaml
@@ -1,7 +1,8 @@
 apiVersion: v2
 name: defguard-gateway
 description: Defguard Gateway is a public-facing VPN endpoint.
+icon: https://defguard.net/favicon/favicon-512x512.png
 
 type: application
-version: 0.5.4
-appVersion: 1.6.4
+version: 2.0.0
+appVersion: 2.0.0
diff --git a/charts/defguard-gateway/templates/config.yaml b/charts/defguard-gateway/templates/config.yaml
@@ -5,7 +5,7 @@ metadata:
   labels:
     {{- include "defguard-gateway.labels" . | nindent 4 }}
 data:
-  DEFGUARD_USERSPACE: {{ .Values.userspace | quote }}
-  DEFGUARD_GRPC_URL: {{ .Values.grpcUrl | quote }}
-  DEFGUARD_STATS_PERIOD: {{ .Values.statsPeriod | quote }}
+  DEFGUARD_GRPC_PORT: {{ .Values.service.grpc.port | quote }}
   DEFGUARD_LOG_LEVEL: {{ .Values.logLevel | quote }}
+  DEFGUARD_STATS_PERIOD: {{ .Values.statsPeriod | quote }}
+  DEFGUARD_USERSPACE: {{ .Values.userspace | quote }}
diff --git a/charts/defguard-gateway/templates/grpc-headless-service.yaml b/charts/defguard-gateway/templates/grpc-headless-service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    {{- include "defguard-gateway.labels" . | nindent 4 }}
+  name: {{ include "defguard-gateway.fullname" . }}-grpc-headless
+spec:
+  clusterIP: None
+  ports:
+    - name: grpc
+      port: {{ .Values.service.grpc.port }}
+      protocol: TCP
+      targetPort: grpc
+  selector:
+    {{- include "defguard-gateway.selectorLabels" . | nindent 4 }}
diff --git a/charts/defguard-gateway/templates/grpc-service.yaml b/charts/defguard-gateway/templates/grpc-service.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    {{- with .Values.service.grpc.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  name: {{ include "defguard-gateway.fullname" . }}-grpc
+  labels:
+    {{- include "defguard-gateway.labels" . | nindent 4 }}
+    {{- with .Values.service.grpc.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  type: {{ .Values.service.grpc.type }}
+  ports:
+    - port: {{ .Values.service.grpc.port }}
+      targetPort: grpc
+      protocol: TCP
+      name: grpc
+  selector:
+    {{- include "defguard-gateway.selectorLabels" . | nindent 4 }}
diff --git a/...efguard-gateway/templates/deployment.yaml → ...fguard-gateway/templates/statefulset.yaml b/...efguard-gateway/templates/deployment.yaml → ...fguard-gateway/templates/statefulset.yaml
@@ -1,14 +1,16 @@
 apiVersion: apps/v1
-kind: Deployment
+kind: StatefulSet
 metadata:
   name: {{ include "defguard-gateway.fullname" . }}
   labels:
     {{- include "defguard-gateway.labels" . | nindent 4 }}
 spec:
+  podManagementPolicy: Parallel
   replicas: {{ .Values.replicaCount }}
   selector:
     matchLabels:
       {{- include "defguard-gateway.selectorLabels" . | nindent 6 }}
+  serviceName: {{ include "defguard-gateway.fullname" . }}-grpc-headless
   template:
     metadata:
       {{- with .Values.podAnnotations }}
@@ -27,18 +29,24 @@ spec:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
         - name: {{ .Chart.Name }}
+          {{- if .Values.healthCheck.enabled }}
+          env:
+            - name: HEALTH_PORT
+              value: {{ .Values.healthCheck.port }}
+          {{- end }}
           envFrom:
             - configMapRef:
                 name: {{ include "defguard-gateway.fullname" . }}-config
             {{- if .Values.additionalEnvFromConfigMap }}
             - configMapRef:
                 name: {{ .Values.additionalEnvFromConfigMap }}
             {{- end }}
-          securityContext:
-            {{- toYaml .Values.securityContext | nindent 12 }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:
+            - name: grpc
+              containerPort: {{ .Values.service.grpc.port }}
+              protocol: TCP
             - name: wireguard
               containerPort: {{ .Values.service.wireguard.port }}
               protocol: UDP
@@ -62,23 +70,11 @@ spec:
             timeoutSeconds: {{ .Values.healthCheck.readinessProbe.timeoutSeconds }}
             failureThreshold: {{ .Values.healthCheck.readinessProbe.failureThreshold }}
           {{- end }}
-          {{- if .Values.token }}
-          env:
-            - name: DEFGUARD_TOKEN
-              value: {{ .Values.token }}
-          {{- else if .Values.existingTokenSecret }}
-          env:
-            - name: DEFGUARD_TOKEN
-              valueFrom:
-                secretKeyRef:
-                  name: {{ .Values.existingTokenSecret }}
-                  key: {{ .Values.existingTokenSecretKey }}
-          {{- end }}
-          {{- if .Values.healthCheck.enabled }}
-          env:
-            - name: HEALTH_PORT
-              value: {{ .Values.healthCheck.port }}
-          {{- end }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          volumeMounts:
+            - name: data
+              mountPath: /etc/defguard
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -91,3 +87,15 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+  volumeClaimTemplates:
+    - metadata:
+        name: data
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        {{- with .Values.persistence.storageClassName }}
+        storageClassName: {{ . }}
+        {{- end }}
+        resources:
+          requests:
+            storage: {{ .Values.persistence.size }}
diff --git a/charts/defguard-gateway/values.schema.json b/charts/defguard-gateway/values.schema.json
@@ -16,20 +16,6 @@
       "title": "affinity",
       "type": "object"
     },
-    "existingTokenSecret": {
-      "default": "",
-      "description": "Secret to get the token from",
-      "required": [],
-      "title": "existingTokenSecret",
-      "type": "string"
-    },
-    "existingTokenSecretKey": {
-      "default": "",
-      "description": "Key to extract the token from in existingTokenSecret",
-      "required": [],
-      "title": "existingTokenSecretKey",
-      "type": "string"
-    },
     "fullnameOverride": {
       "default": "",
       "description": "defguard-gateway full name override",
@@ -38,18 +24,12 @@
       "type": "string"
     },
     "global": {
+      "additionalProperties": true,
       "description": "Global values are values that can be accessed from any chart or subchart by exactly the same name.",
       "required": [],
       "title": "global",
       "type": "object"
     },
-    "grpcUrl": {
-      "default": "",
-      "description": "Defguard GRPC URL, e.g.: defguard-grpc.mycompany.com",
-      "required": [],
-      "title": "grpcUrl",
-      "type": "string"
-    },
     "healthCheck": {
       "additionalProperties": false,
       "description": "defguard-gateway health check configuration",
@@ -211,6 +191,28 @@
       "title": "nodeSelector",
       "type": "object"
     },
+    "persistence": {
+      "additionalProperties": false,
+      "description": "defguard-gateway persistent storage for certificates",
+      "properties": {
+        "size": {
+          "default": "32Mi",
+          "title": "size",
+          "type": "string"
+        },
+        "storageClassName": {
+          "default": "",
+          "title": "storageClassName",
+          "type": "string"
+        }
+      },
+      "required": [
+        "size",
+        "storageClassName"
+      ],
+      "title": "persistence",
+      "type": "object"
+    },
     "podAnnotations": {
       "additionalProperties": false,
       "description": "defguard-gateway pod annotations",
@@ -303,6 +305,53 @@
       "additionalProperties": false,
       "description": "defguard-gateway service configuration",
       "properties": {
+        "grpc": {
+          "additionalProperties": false,
+          "properties": {
+            "annotations": {
+              "additionalProperties": false,
+              "properties": {
+                "traefik.ingress.kubernetes.io/service.serversscheme": {
+                  "default": "h2c",
+                  "required": [],
+                  "title": "traefik.ingress.kubernetes.io/service.serversscheme",
+                  "type": "string"
+                }
+              },
+              "required": [
+                "traefik.ingress.kubernetes.io/service.serversscheme"
+              ],
+              "title": "annotations",
+              "type": "object"
+            },
+            "labels": {
+              "additionalProperties": false,
+              "required": [],
+              "title": "labels",
+              "type": "object"
+            },
+            "port": {
+              "default": 50066,
+              "required": [],
+              "title": "port",
+              "type": "integer"
+            },
+            "type": {
+              "default": "ClusterIP",
+              "required": [],
+              "title": "type",
+              "type": "string"
+            }
+          },
+          "required": [
+            "annotations",
+            "labels",
+            "port",
+            "type"
+          ],
+          "title": "grpc",
+          "type": "object"
+        },
         "wireguard": {
           "additionalProperties": false,
           "properties": {
@@ -378,13 +427,6 @@
       "title": "statsPeriod",
       "type": "integer"
     },
-    "token": {
-      "default": "",
-      "description": "Token from Defguard app to secure gRPC connection, available on network page.\nIt is not recommended to use this. Create a secret yourself and use existingTokenSecret instead",
-      "required": [],
-      "title": "token",
-      "type": "string"
-    },
     "tolerations": {
       "description": "defguard-gateway pod tolerations",
       "items": {
@@ -396,18 +438,14 @@
     },
     "userspace": {
       "default": "false",
-      "description": "yaml-language-server: $schema=values.schema.json\nUse userspace wireguard implementation, useful on systems without native wireguard support. Set to true/false",
+      "description": "yaml-language-server: $schema=values.schema.json\nUse userspace WireGuard implementation, useful on systems without native wireguard support. Set to true/false",
       "required": [],
       "title": "userspace",
       "type": "string"
     }
   },
   "required": [
     "userspace",
-    "grpcUrl",
-    "token",
-    "existingTokenSecret",
-    "existingTokenSecretKey",
     "statsPeriod",
     "logLevel",
     "fullnameOverride",
@@ -419,6 +457,7 @@
     "tolerations",
     "podAnnotations",
     "podLabels",
+    "persistence",
     "replicaCount",
     "resources",
     "podSecurityContext",
@@ -429,4 +468,4 @@
     "serviceAccount"
   ],
   "type": "object"
-}
+}