From 51e750d07c5a5bfc497a512b32839063626f3207 Mon Sep 17 00:00:00 2001
From: Johnny Walker
Date: Sat, 18 Jul 2020 09:55:39 -0400
Subject: [PATCH] add openvpn sidecar option for nzbget
---
 charts/nzbget/templates/deployment.yaml | 27 +++++++++++
 charts/nzbget/templates/openvpn-config.yaml | 16 +++++++
 charts/nzbget/templates/openvpn-env.yaml | 20 ++++++++
 .../templates/openvpn-networkpolicy.yaml | 17 +++++++
 charts/nzbget/values.yaml | 46 +++++++++++++++++++
 5 files changed, 126 insertions(+)
 create mode 100644 charts/nzbget/templates/openvpn-config.yaml
 create mode 100644 charts/nzbget/templates/openvpn-env.yaml
 create mode 100644 charts/nzbget/templates/openvpn-networkpolicy.yaml
diff --git a/charts/nzbget/templates/deployment.yaml b/charts/nzbget/templates/deployment.yaml
index d922a34a..b6a80978 100644
--- a/charts/nzbget/templates/deployment.yaml
+++ b/charts/nzbget/templates/deployment.yaml
@@ -79,6 +79,28 @@ spec:
 {{- end }}
 resources:
 {{ toYaml .Values.resources | indent 12 }}
+ {{- if .Values.openvpn.enabled }}
+ - name: openvpn
+ image: "{{ .Values.openvpn.image.repository }}:{{ .Values.openvpn.image.tag }}"
+ imagePullPolicy: {{ .Values.openvpn.image.pullPolicy }}
+ securityContext:
+ capabilities:
+ add: ["NET_ADMIN"]
+ {{- if .Values.openvpn.env }}
+ envFrom:
+ - secretRef:
+ name: {{ template "nzbget.fullname" . }}-openvpnenv
+ {{- end }}
+ {{- if .Values.openvpn.vpnConf }}
+ volumeMounts:
+ - name: openvpnconf
+ mountPath: /vpn/vpn.conf
+ subPath: vpnConf
+ {{- end }}
+ env:
+ - name: NETWORK_POLICY_ENABLED
+ value: {{ .Values.openvpn.networkPolicy.enabled | quote }}
+ {{- end }}
 volumes:
 - name: config
 {{- if .Values.persistence.config.enabled }}
@@ -94,6 +116,11 @@ spec:
 {{- else }}
 emptyDir: {}
 {{ end }}
+ {{- if .Values.openvpn.vpnConf }}
+ - name: openvpnconf
+ configMap:
+ name: {{ template "nzbget.fullname" . }}-openvpnconf
+ {{ end }}
 {{- range .Values.persistence.extraMounts }}
 - name: {{ .name }}
 persistentVolumeClaim:
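Review bot: The `envFrom` block in the first hunk is guarded by `{{- if .Values.openvpn.env }}` alone, while openvpn-env.yaml renders the `-openvpnenv` Secret when either `openvpn.env` or `openvpn.auth` is set, so a user who configures only `auth` gets a Secret holding `VPN_AUTH` that is never injected into the sidecar. The guard should mirror the Secret's condition: `{{- if or .Values.openvpn.env .Values.openvpn.auth }}`. The sidecar is granted `NET_ADMIN` and shares the pod network namespace with nzbget, so outbound traffic is only fail-closed when the NetworkPolicy is both enabled and enforced by the cluster CNI; a comment above `capabilities:` such as `# NET_ADMIN is needed by the VPN client; egress is only fail-closed when openvpn.networkPolicy.enabled is true and the CNI enforces NetworkPolicy` makes that dependency visible to operators. In the second hunk `{{ end }}` lacks the `-` trim used by the surrounding actions and emits a stray blank line; `{{- end }}` keeps it consistent.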
diff --git a/charts/nzbget/templates/openvpn-config.yaml b/charts/nzbget/templates/openvpn-config.yaml
new file mode 100644
index 00000000..f839eb77
--- /dev/null
+++ b/charts/nzbget/templates/openvpn-config.yaml
@@ -0,0 +1,16 @@
+{{- if and .Values.openvpn.enabled .Values.openvpn.vpnConf}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "nzbget.fullname" . }}-openvpnconf
+ labels:
+ app.kubernetes.io/name: {{ include "nzbget.name" . }}
+ helm.sh/chart: {{ include "nzbget.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+data:
+ {{- if .Values.openvpn.vpnConf }}
+ vpnConf: |-
+ {{- .Values.openvpn.vpnConf | nindent 4}}
+ {{- end }}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/nzbget/templates/openvpn-env.yaml b/charts/nzbget/templates/openvpn-env.yaml
new file mode 100644
index 00000000..0f23ca91
--- /dev/null
+++ b/charts/nzbget/templates/openvpn-env.yaml
@@ -0,0 +1,20 @@
+{{- if and .Values.openvpn.enabled ( or .Values.openvpn.env .Values.openvpn.auth )}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "nzbget.fullname" . }}-openvpnenv
+ labels:
+ app.kubernetes.io/name: {{ include "nzbget.name" . }}
+ helm.sh/chart: {{ include "nzbget.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+data:
+ {{- if .Values.openvpn.auth }}
+ VPN_AUTH: {{ .Values.openvpn.auth | b64enc }}
+ {{- end }}
+ {{- if .Values.openvpn.env }}
+ {{- range $k, $v := .Values.openvpn.env }}
+ {{ $k }}: {{ $v | b64enc }}
+ {{- end }}
+ {{- end -}}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/nzbget/templates/openvpn-networkpolicy.yaml b/charts/nzbget/templates/openvpn-networkpolicy.yaml
new file mode 100644
index 00000000..68c628d7
--- /dev/null
+++ b/charts/nzbget/templates/openvpn-networkpolicy.yaml
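Review bot: `openvpn-config.yaml` places the entire `vpnConf` in a ConfigMap, and an OpenVPN client config commonly carries inline `<ca>`, `<cert>`, `<key>` or `tls-auth` blocks, so private key material would be readable by anyone with ConfigMap read access in the namespace. Either render it as a `Secret` (the `-openvpnenv` template already shows the pattern, `vpnConf: {{ .Values.openvpn.vpnConf | b64enc }}`) or state in values.yaml that `vpnConf` must reference key files rather than embed them. The inner `{{- if .Values.openvpn.vpnConf }}` under `data:` repeats the outer `and` condition and can be dropped. `vpnConf}}` and `nindent 4}}` are missing the space before `}}` that the other actions use.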
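Review bot: `{{ $k }}: {{ $v | b64enc }}` in `openvpn-env.yaml` fails to render when a value in `openvpn.env` is not a string (an unquoted `DNS: true` becomes a YAML boolean and `b64enc` expects a string), so the template currently depends on users quoting every value; `{{ $k }}: {{ $v | toString | b64enc }}` removes that dependency. The credential supplied through `openvpn.auth` is also persisted in plaintext in the Helm release record and in any values file used for the install, not only in this Secret; an `existingSecret` option pointing at a user-managed Secret would keep it out of chart values entirely. The outer condition has `.Values.openvpn.auth )}}` with no space before `}}`, unlike the surrounding templates.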
@@ -0,0 +1,17 @@
+{{- if .Values.openvpn.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: {{ template "nzbget.fullname" . }}-deny-all-netpol
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "nzbget.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ policyTypes:
+ - Egress
+ egress:
+ {{- if .Values.openvpn.networkPolicy.egress }}
+ {{- .Values.openvpn.networkPolicy.egress | toYaml | nindent 4 }}
+ {{- end -}}
+{{- end -}}
\ No newline at end of file
diff --git a/charts/nzbget/values.yaml b/charts/nzbget/values.yaml
index 58ba31bc..84f9d653 100644
--- a/charts/nzbget/values.yaml
+++ b/charts/nzbget/values.yaml
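Review bot: The template is guarded only by `.Values.openvpn.networkPolicy.enabled`, so the deny-all egress policy is applied to the nzbget pod even when `openvpn.enabled` is false, cutting off the application's outbound traffic with no VPN in place; `{{- if and .Values.openvpn.enabled .Values.openvpn.networkPolicy.enabled }}` matches the other openvpn templates. With `egress` left empty the rendered `egress:` is null and the policy blocks everything, including the sidecar's path to the VPN server and DNS, which is the intended fail-closed default but is only enforced when the cluster CNI implements NetworkPolicy; since a chart cannot detect that, a NOTES.txt line warning that an unenforced policy silently allows all traffic is worth adding. The metadata also omits the `app.kubernetes.io/*` and `helm.sh/chart` labels that the ConfigMap and Secret templates in this commit carry.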
@@ -62,6 +62,52 @@ ingress:
 # hosts:
 # - chart-example.local
+openvpn:
+ # Enables an openvpn sidecar that when configured properly will provide a
+ # Secure outbound VPN for use by NZBGet.
+ enabled: false
+
+ image:
+ repository: dperson/openvpn-client
+ tag: latest
+ pullPolicy: IfNotPresent
+
+ # All variables specified here will be added to the openvpn sidecar container
+ # Ref https://hub.docker.com/r/dperson/openvpn-client for all config values
+ env: []
+ # DNS: "true"
+ # TZ: EST5EDT
+
+ # Provide a customized vpn.conf file to be used by openvpn.
+ vpnConf: # |-
+ # Some Example Config
+ # remote greatvpnhost.com 8888
+ # auth-user-pass
+ # Cipher AES
+
+ # Credentials to connect to the VPN Service (used with -a)
+ auth: # "user;password"
+
+ # If set to true, will deploy a network policy that blocks all outbound
+ # traffic except traffic specified as allowed
+ networkPolicy:
+ enabled: false
+
+ # The egress configuration for your network policy, All outbound traffic
+ # From the pod will be blocked unless specified here. Your cluster must
+ # have a CNI that supports network policies (Canal, Calico, etc...)
+ # https://kubernetes.io/docs/concepts/services-networking/network-policies/
+ # https://github.com/ahmetb/kubernetes-network-policy-recipes
+ egress:
+ # - to:
+ # - ipBlock:
+ # cidr: 0.0.0.0/0
+ # ports:
+ # - port: 53
+ # protocol: UDP
+ # - port: 53
+ # protocol: TCP
+
 persistence:
 config:
 enabled: true
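Review bot: `env: []` defaults to a list while the commented example and the `range $k, $v` in openvpn-env.yaml treat it as a map; a list value would iterate index/value pairs and emit Secret keys like `0:`, so the default should be `env: {}`. `tag: latest` is a mutable tag for a sidecar that carries all of nzbget's outbound traffic, so the image can change under a redeploy with no change to the chart; pin a specific tag (or digest) as the default and let users override it. A comment above `egress:` noting that, when `networkPolicy.enabled` is true, the VPN server endpoint and DNS must be allowed here or the sidecar itself cannot connect would prevent the most likely misconfiguration. `auth:` and `vpnConf:` left bare parse as null, which the templates tolerate, but an explicit `""` states the intent.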