[media-common-openvpn] Initial version

charts/media-common-openvpn/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/media-common-openvpn/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+name: media-common-openvpn
+description: OpenVPN add-on for `media-common`-based charts
+type: library
+keywords:
+  - media-common
+home: https://github.com/k8s-at-home/charts/tree/master/charts/media-common-openvpn
+maintainers:
+  - name: bjw-s
+    email: bjw-s@users.noreply.github.com
+version: 1.0.0

charts/media-common-openvpn/README.md

@@ -0,0 +1,16 @@
+# Add-on chart for k8s@home media charts
+
+This chart provides a single maintainable OpenVPN add-on to the `meda-common` chart.
+
+## Configuration
+
+Read through the [values.yaml](https://github.com/k8s-at-home/charts/blob/master/charts/media-common-openvpn/values.yaml) file.
+It has several commented out suggested values.
+
+These values will normally be nested as it is a dependency, for example:
+```yaml
+radarr:
+  openvpn:
+    enabled: true
+    <values>
+```

charts/media-common-openvpn/templates/_configmap.tpl

@@ -0,0 +1,24 @@
+{{/*
+The OpenVPN configmaps to be inserted
+*/}}
+{{- define "media-common.openvpn.configmap" -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "media-common.fullname" . }}-openvpn
+  labels:
+  {{- include "media-common.labels" . | nindent 4 }}
+data:
+{{- if .Values.openvpn.vpnConf }}
+  vpnConf: |-
+    {{- .Values.openvpn.vpnConf | nindent 4}}
+{{- end }}
+{{ if .Values.openvpn.scripts.up }}
+  up.sh: |-
+    {{- .Values.openvpn.scripts.up | nindent 4}}
+{{- end }}
+{{- if .Values.openvpn.scripts.down }}
+  down.sh: |-
+    {{- .Values.openvpn.scripts.down | nindent 4}}
+{{- end }}
+{{- end -}}

charts/media-common-openvpn/templates/_container.tpl

@@ -0,0 +1,50 @@
+{{/*
+The OpenVPN container(s) to be inserted
+*/}}
+{{- define "media-common.openvpn.container" -}}
+- name: openvpn
+  image: "{{ .Values.openvpn.image.repository }}:{{ .Values.openvpn.image.tag }}"
+  imagePullPolicy: {{ .Values.openvpn.image.pullPolicy }}
+  securityContext:
+    capabilities:
+      add: ["NET_ADMIN"]
+  {{- if .Values.openvpn.env }}
+  env:
+  {{- if .Values.openvpn.env }}
+  {{- range $k, $v := .Values.openvpn.env }}
+    - name: {{ $k }}
+      value: {{ $v }}
+  {{- end }}
+  {{- end }}  
+  envFrom:
+    {{- if or .Values.openvpn.auth .Values.openvpn.authSecret }}
+    - secretRef:
+      {{- if .Values.openvpn.authSecret }}
+      name: {{ .Values.openvpn.authSecret }}
+      {{- else }}
+      name: {{ template "media-common.fullname" . }}-openvpn
+      {{- end }}
+    {{- end }}
+  {{- end }}
+  volumeMounts:
+    {{- if .Values.openvpn.vpnConf }}
+    - name: openvpnconf
+      mountPath: /vpn/vpn.conf
+      subPath: vpnConf
+    {{- end }}
+    {{- if .Values.openvpn.scripts.up }}
+    - name: openvpnconf
+      mountPath: /vpn/up.sh
+      subPath: up.sh
+    {{- end }}
+    {{- if .Values.openvpn.scripts.down }}
+    - name: openvpnconf
+      mountPath: /vpn/down.sh
+      subPath: down.sh
+    {{- end }}
+    {{- if .Values.openvpn.additionalVolumeMounts }}
+    {{- toYaml .Values.openvpn.additionalVolumeMounts | nindent 4 }}
+    {{- end }}
+  livenessProbe:
+    {{- toYaml .Values.openvpn.livenessProbe | nindent 4 }}
+{{- end -}}

charts/media-common-openvpn/templates/_networkpolicy.tpl

@@ -0,0 +1,22 @@
+{{/*
+The OpenVPN networkpolicy to be inserted
+*/}}
+{{- define "media-common.openvpn.networkpolicy" -}}
+{{- if .Values.openvpn.networkPolicy.enabled -}}
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+  name: {{ template "media-common.fullname" . }}-deny-all-netpol
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "media-common.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  policyTypes:
+  - Egress
+  egress:
+  {{- if .Values.openvpn.networkPolicy.egress }} 
+  {{- .Values.openvpn.networkPolicy.egress | toYaml | nindent 4 }}
+  {{- end -}}
+{{- end -}}
+{{- end -}}

charts/media-common-openvpn/templates/_secret.tpl

@@ -0,0 +1,15 @@
+{{/*
+The OpenVPN secrets to be inserted
+*/}}
+{{- define "media-common.openvpn.secret" -}}
+{{- if .Values.openvpn.auth -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "media-common.fullname" . }}-openvpn
+  labels:
+  {{- include "media-common.labels" . | nindent 4 }}
+data:
+  VPN_AUTH: {{ .Values.openvpn.auth | b64enc }}
+{{- end -}}
+{{- end -}}

charts/media-common-openvpn/templates/_volume.tpl

@@ -0,0 +1,25 @@
+{{/*
+The OpenVPN volumes to be inserted
+*/}}
+{{- define "media-common.openvpn.volume" -}}
+{{- if or .Values.openvpn.vpnConf .Values.openvpn.scripts.up .Values.openvpn.scripts.down -}}
+- name: openvpnconf
+  configMap:
+    name: {{ template "media-common.fullname" . }}-openvpn
+    items:
+      {{- if .Values.openvpn.vpnConf }}
+      - key: vpnConf
+        path: vpnConf
+      {{- end }}
+      {{- if .Values.openvpn.scripts.up }}
+      - key: up.sh
+        path: up.sh
+        mode: 0777
+      {{- end }}
+      {{- if .Values.openvpn.scripts.down }}
+      - key: down.sh
+        path: down.sh
+        mode: 0777
+      {{- end }}
+{{- end -}}
+{{- end -}}

charts/media-common-openvpn/values.yaml

@@ -0,0 +1,67 @@
+# Default values for media-common-openvpn.
+
+image:
+  repository: dperson/openvpn-client
+  tag: latest
+  pullPolicy: IfNotPresent
+
+# All variables specified here will be added to the openvpn sidecar container
+# Ref https://hub.docker.com/r/dperson/openvpn-client for all config values
+env: []
+# TZ: UTC
+
+# Provide a customized vpn.conf file to be used by openvpn.
+vpnConf:  # |-
+  # Some Example Config
+  # remote greatvpnhost.com 8888
+  # auth-user-pass
+  # Cipher AES
+
+# Provide custom up/down scripts that can be used by the vpnConf
+scripts:
+  up:  # |-
+    # #!/bin/bash
+    # echo "connected" > /shared/vpnstatus
+  down:  # |-
+    # #!/bin/bash
+    # echo "disconnected" > /shared/vpnstatus
+
+# Credentials to connect to the VPN Service (used with -a)
+auth:  # "user;password"
+# OR specify an existing secret that contains the credentials. Credentials should be stored
+# under the VPN_AUTH key
+authSecret:  # my-vpn-secret
+
+additionalVolumeMounts: []
+
+# Optionally specify a livenessProbe, e.g. to check if the connection is still
+# being protected by the VPN
+livenessProbe: {}
+# exec:
+#    command:
+#      - sh
+#      - -c
+#      - if [ $(curl -s https://ipinfo.io/country) == 'US' ]; then exit 0; else exit $?; fi
+#  initialDelaySeconds: 30
+#  periodSeconds: 60
+#  failureThreshold: 1
+
+# If set to true, will deploy a network policy that blocks all outbound
+# traffic except traffic specified as allowed
+networkPolicy:
+  enabled: false
+
+  # The egress configuration for your network policy, All outbound traffic
+  # From the pod will be blocked unless specified here. Your cluster must
+  # have a CNI that supports network policies (Canal, Calico, etc...)
+  # https://kubernetes.io/docs/concepts/services-networking/network-policies/
+  # https://github.com/ahmetb/kubernetes-network-policy-recipes
+  egress:
+    # - to:
+    #   - ipBlock:
+    #       cidr: 0.0.0.0/0
+    #   ports:
+    #   - port: 53
+    #     protocol: UDP
+    #   - port: 53
+    #     protocol: TCP