add openvpn sidecar option for nzbget

This commit is contained in:
Johnny Walker 2020-07-18 09:55:39 -04:00
parent c0da502c9e
commit 51e750d07c
5 changed files with 126 additions and 0 deletions


@ -79,6 +79,28 @@ spec:
{{- end }} {{- end }}
resources: resources:
{{ toYaml .Values.resources | indent 12 }} {{ toYaml .Values.resources | indent 12 }}
{{- if .Values.openvpn.enabled }}
- name: openvpn
image: "{{ .Values.openvpn.image.repository }}:{{ .Values.openvpn.image.tag }}"
imagePullPolicy: {{ .Values.openvpn.image.pullPolicy }}
securityContext:
capabilities:
add: ["NET_ADMIN"]
{{- if .Values.openvpn.env }}
envFrom:
- secretRef:
name: {{ template "nzbget.fullname" . }}-openvpnenv
{{- end }}
{{- if .Values.openvpn.vpnConf }}
volumeMounts:
- name: openvpnconf
mountPath: /vpn/vpn.conf
subPath: vpnConf
{{- end }}
env:
- name: NETWORK_POLICY_ENABLED
value: {{ .Values.openvpn.networkPolicy.enabled | quote }}
{{- end }}
volumes: volumes:
- name: config - name: config
{{- if .Values.persistence.config.enabled }} {{- if .Values.persistence.config.enabled }}
@ -94,6 +116,11 @@ spec:
{{- else }} {{- else }}
emptyDir: {} emptyDir: {}
{{ end }} {{ end }}
{{- if .Values.openvpn.vpnConf }}
- name: openvpnconf
configMap:
name: {{ template "nzbget.fullname" . }}-openvpnconf
{{ end }}
{{- range .Values.persistence.extraMounts }} {{- range .Values.persistence.extraMounts }}
- name: {{ .name }} - name: {{ .name }}
persistentVolumeClaim: persistentVolumeClaim:
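Review bot: The `envFrom` secretRef on the new openvpn sidecar is gated on `.Values.openvpn.env` alone, while the Secret template in this commit is rendered when either `env` or `auth` is set and only `auth` produces `VPN_AUTH`; a user who sets `auth` without `env` gets a Secret that nothing references, so the credentials never reach the container. Widen the guard to match the Secret's own condition: `{{- if or .Values.openvpn.env .Values.openvpn.auth }}`. The sidecar also requests `NET_ADMIN`, which the tun device needs but is a broad capability, so the image that receives it should be pinned rather than floated on `latest` (the default lives in the values.yaml change). In the second hunk the volume block closes with `{{ end }}` where the sibling blocks use `{{- end }}`, which leaves a stray blank line in the rendered manifest. The enclosing `containers:`/`spec:` block starts and ends outside this hunk.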


@ -0,0 +1,16 @@
{{- if and .Values.openvpn.enabled .Values.openvpn.vpnConf}}
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ template "nzbget.fullname" . }}-openvpnconf
labels:
app.kubernetes.io/name: {{ include "nzbget.name" . }}
helm.sh/chart: {{ include "nzbget.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
data:
{{- if .Values.openvpn.vpnConf }}
vpnConf: |-
{{- .Values.openvpn.vpnConf | nindent 4}}
{{- end }}
{{- end -}}
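Review bot: The inner `{{- if .Values.openvpn.vpnConf }}` around `vpnConf: |-` is redundant, since the whole template is already wrapped in `{{- if and .Values.openvpn.enabled .Values.openvpn.vpnConf}}`; dropping it leaves the same output with one less branch to read. More significantly, an OpenVPN client config commonly embeds inline `<key>`, `<cert>` and `<tls-auth>` material or an `auth-user-pass` credential reference, and a ConfigMap is readable by any principal with `get configmaps` in the namespace, so this content is better carried as a `kind: Secret` with `vpnConf: {{ .Values.openvpn.vpnConf | b64enc }}` and mounted from a `secret:` volume in the Deployment. If it stays a ConfigMap, a comment above `vpnConf:` stating that the file must not contain inline keys or credentials would at least make the constraint visible to operators.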


@ -0,0 +1,20 @@
{{- if and .Values.openvpn.enabled ( or .Values.openvpn.env .Values.openvpn.auth )}}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "nzbget.fullname" . }}-openvpnenv
labels:
app.kubernetes.io/name: {{ include "nzbget.name" . }}
helm.sh/chart: {{ include "nzbget.chart" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
data:
{{- if .Values.openvpn.auth }}
VPN_AUTH: {{ .Values.openvpn.auth | b64enc }}
{{- end }}
{{- if .Values.openvpn.env }}
{{- range $k, $v := .Values.openvpn.env }}
{{ $k }}: {{ $v | b64enc }}
{{- end }}
{{- end -}}
{{- end -}}
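Review bot: `{{ $k }}: {{ $v | b64enc }}` fails to render when a value in `openvpn.env` is not a string, because `b64enc` expects a string; an unquoted `DNS: true` or a numeric value in the user's values aborts the install with a type error rather than producing a Secret entry. Coerce before encoding: `{{ $k }}: {{ $v | toString | b64enc }}`. The template's opening condition `( or .Values.openvpn.env .Values.openvpn.auth )` is wider than the Deployment's reference to this Secret; that mismatch is raised on the deployment hunk.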


@ -0,0 +1,17 @@
{{- if .Values.openvpn.networkPolicy.enabled }}
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
name: {{ template "nzbget.fullname" . }}-deny-all-netpol
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: {{ include "nzbget.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
policyTypes:
- Egress
egress:
{{- if .Values.openvpn.networkPolicy.egress }}
{{- .Values.openvpn.networkPolicy.egress | toYaml | nindent 4 }}
{{- end -}}
{{- end -}}
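Review bot: When `networkPolicy.enabled` is true but `egress` is unset, the trailing `egress:` key renders with no value, i.e. `null`, which together with `policyTypes: - Egress` denies all outbound traffic from every matched pod — including DNS and the connection to the VPN server itself, so the sidecar cannot bring the tunnel up. That is a reasonable kill-switch default, but it should be stated in a comment above `egress:` such as `# No egress rules = all outbound traffic denied; list the VPN endpoint and DNS in .Values.openvpn.networkPolicy.egress`. The selector keys on the name and instance labels, so, assuming the Deployment's pod template carries the same labels, it restricts the nzbget container and the sidecar alike since they share the pod network namespace, which is the intended behaviour and also worth a line of documentation.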


@ -62,6 +62,52 @@ ingress:
# hosts: # hosts:
# - chart-example.local # - chart-example.local
openvpn:
# Enables an openvpn sidecar that when configured properly will provide a
# Secure outbound VPN for use by NZBGet.
enabled: false
image:
repository: dperson/openvpn-client
tag: latest
pullPolicy: IfNotPresent
# All variables specified here will be added to the openvpn sidecar container
# Ref https://hub.docker.com/r/dperson/openvpn-client for all config values
env: []
# DNS: "true"
# TZ: EST5EDT
# Provide a customized vpn.conf file to be used by openvpn.
vpnConf: # |-
# Some Example Config
# remote greatvpnhost.com 8888
# auth-user-pass
# Cipher AES
# Credentials to connect to the VPN Service (used with -a)
auth: # "user;password"
# If set to true, will deploy a network policy that blocks all outbound
# traffic except traffic specified as allowed
networkPolicy:
enabled: false
# The egress configuration for your network policy, All outbound traffic
# From the pod will be blocked unless specified here. Your cluster must
# have a CNI that supports network policies (Canal, Calico, etc...)
# https://kubernetes.io/docs/concepts/services-networking/network-policies/
# https://github.com/ahmetb/kubernetes-network-policy-recipes
egress:
# - to:
# - ipBlock:
# cidr: 0.0.0.0/0
# ports:
# - port: 53
# protocol: UDP
# - port: 53
# protocol: TCP
persistence: persistence:
config: config:
enabled: true enabled: true
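Review bot: The default `env: []` is a list, but the new Secret template iterates it with `range $k, $v := .Values.openvpn.env` and the commented example beneath it (`DNS: "true"`) is a mapping; a user who follows the list shape gets integer indices rendered as Secret data keys. Change the default to `env: {}` so the documented shape and the type the template expects agree. `tag: latest` is a mutable reference for a container that is granted `NET_ADMIN` and receives the VPN credentials; pinning a specific tag (or a digest) in the default, or at least noting in the comment that users should, keeps the image running with that capability reproducible.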