diff --git a/charts/media-common-openvpn/.helmignore b/charts/media-common-openvpn/.helmignore
new file mode 100644
index 00000000..0e8a0eb3
--- /dev/null
+++ b/charts/media-common-openvpn/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/media-common-openvpn/Chart.yaml b/charts/media-common-openvpn/Chart.yaml
new file mode 100644
index 00000000..40a648fc
--- /dev/null
+++ b/charts/media-common-openvpn/Chart.yaml
@@ -0,0 +1,11 @@
+apiVersion: v2
+name: media-common-openvpn
+description: OpenVPN add-on for `media-common`-based charts
+type: library
+keywords:
+ - media-common
+home: https://github.com/k8s-at-home/charts/tree/master/charts/media-common-openvpn
+maintainers:
+ - name: bjw-s
+ email: bjw-s@users.noreply.github.com
+version: 1.0.0
diff --git a/charts/media-common-openvpn/README.md b/charts/media-common-openvpn/README.md
new file mode 100644
index 00000000..de60bcb3
--- /dev/null
+++ b/charts/media-common-openvpn/README.md
@@ -0,0 +1,16 @@
+# Add-on chart for k8s@home media charts
+
+This chart provides a single maintainable OpenVPN add-on to the `meda-common` chart.
+
+## Configuration
+
+Read through the [values.yaml](https://github.com/k8s-at-home/charts/blob/master/charts/media-common-openvpn/values.yaml) file.
+It has several commented out suggested values.
+
+These values will normally be nested as it is a dependency, for example:
+```yaml
+radarr:
+ openvpn:
+ enabled: true
+
+```
\ No newline at end of file
diff --git a/charts/media-common-openvpn/templates/_configmap.tpl b/charts/media-common-openvpn/templates/_configmap.tpl
new file mode 100644
index 00000000..83e2acbb
--- /dev/null
+++ b/charts/media-common-openvpn/templates/_configmap.tpl
@@ -0,0 +1,24 @@
+{{/*
+The OpenVPN configmaps to be inserted
+*/}}
+{{- define "media-common.openvpn.configmap" -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "media-common.fullname" . }}-openvpn
+ labels:
+ {{- include "media-common.labels" . | nindent 4 }}
+data:
+{{- if .Values.openvpn.vpnConf }}
+ vpnConf: |-
+ {{- .Values.openvpn.vpnConf | nindent 4}}
+{{- end }}
+{{ if .Values.openvpn.scripts.up }}
+ up.sh: |-
+ {{- .Values.openvpn.scripts.up | nindent 4}}
+{{- end }}
+{{- if .Values.openvpn.scripts.down }}
+ down.sh: |-
+ {{- .Values.openvpn.scripts.down | nindent 4}}
+{{- end }}
+{{- end -}}
diff --git a/charts/media-common-openvpn/templates/_container.tpl b/charts/media-common-openvpn/templates/_container.tpl
new file mode 100644
index 00000000..cf19eedc
--- /dev/null
+++ b/charts/media-common-openvpn/templates/_container.tpl
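Review bot: `{{ if .Values.openvpn.scripts.up }}` is the only action in this define without the leading `-` trim, so an empty line is emitted inside `data:` before `up.sh` while the `vpnConf` and `down` branches trim cleanly; write it as `{{- if .Values.openvpn.scripts.up }}` to match its siblings. Separately, `vpnConf` is rendered into a ConfigMap, which is readable by anything granted ConfigMap access in the namespace, so if a supplied vpn.conf embeds inline certificate or private-key blocks that material is not protected the way the `auth` Secret is. A comment above `data:` such as `# vpn.conf and the up/down scripts are ConfigMap data, not Secret data - keep private keys and credentials out of vpnConf and use auth/authSecret` would make that boundary explicit to chart users.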
@@ -0,0 +1,50 @@
+{{/*
+The OpenVPN container(s) to be inserted
+*/}}
+{{- define "media-common.openvpn.container" -}}
+- name: openvpn
+ image: "{{ .Values.openvpn.image.repository }}:{{ .Values.openvpn.image.tag }}"
+ imagePullPolicy: {{ .Values.openvpn.image.pullPolicy }}
+ securityContext:
+ capabilities:
+ add: ["NET_ADMIN"]
+ {{- if .Values.openvpn.env }}
+ env:
+ {{- if .Values.openvpn.env }}
+ {{- range $k, $v := .Values.openvpn.env }}
+ - name: {{ $k }}
+ value: {{ $v }}
+ {{- end }}
+ {{- end }}
+ envFrom:
+ {{- if or .Values.openvpn.auth .Values.openvpn.authSecret }}
+ - secretRef:
+ {{- if .Values.openvpn.authSecret }}
+ name: {{ .Values.openvpn.authSecret }}
+ {{- else }}
+ name: {{ template "media-common.fullname" . }}-openvpn
+ {{- end }}
+ {{- end }}
+ {{- end }}
+ volumeMounts:
+ {{- if .Values.openvpn.vpnConf }}
+ - name: openvpnconf
+ mountPath: /vpn/vpn.conf
+ subPath: vpnConf
+ {{- end }}
+ {{- if .Values.openvpn.scripts.up }}
+ - name: openvpnconf
+ mountPath: /vpn/up.sh
+ subPath: up.sh
+ {{- end }}
+ {{- if .Values.openvpn.scripts.down }}
+ - name: openvpnconf
+ mountPath: /vpn/down.sh
+ subPath: down.sh
+ {{- end }}
+ {{- if .Values.openvpn.additionalVolumeMounts }}
+ {{- toYaml .Values.openvpn.additionalVolumeMounts | nindent 4 }}
+ {{- end }}
+ livenessProbe:
+ {{- toYaml .Values.openvpn.livenessProbe | nindent 4 }}
+{{- end -}}
diff --git a/charts/media-common-openvpn/templates/_networkpolicy.tpl b/charts/media-common-openvpn/templates/_networkpolicy.tpl
new file mode 100644
index 00000000..93b91345
--- /dev/null
+++ b/charts/media-common-openvpn/templates/_networkpolicy.tpl
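Review bot: `envFrom:` and its `secretRef` are nested inside the outer `{{- if .Values.openvpn.env }}`, so with the default `env: []` and `auth` or `authSecret` set, the credentials Secret is never attached and the sidecar starts without `VPN_AUTH`. `envFrom` should leave the `env` guard and sit under its own `{{- if or .Values.openvpn.auth .Values.openvpn.authSecret }}`; the duplicated inner `{{- if .Values.openvpn.env }}` then becomes redundant. While there, `value: {{ $v }}` should be `value: {{ $v | quote }}`, because env values such as `true`, `NO` or `22:22` are otherwise retyped by the YAML parser where the API expects a string. The rewritten env/envFrom section is below; the rest of the container is unchanged.
```yaml
    add: ["NET_ADMIN"]
  {{- if .Values.openvpn.env }}
  env:
  {{- range $k, $v := .Values.openvpn.env }}
    - name: {{ $k }}
      value: {{ $v | quote }}
  {{- end }}
  {{- end }}
  {{- if or .Values.openvpn.auth .Values.openvpn.authSecret }}
  envFrom:
    - secretRef:
        {{- if .Values.openvpn.authSecret }}
        name: {{ .Values.openvpn.authSecret }}
        {{- else }}
        name: {{ template "media-common.fullname" . }}-openvpn
        {{- end }}
  {{- end }}
  {{/* … unchanged: volumeMounts and livenessProbe … */}}
```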
@@ -0,0 +1,22 @@
+{{/*
+The OpenVPN networkpolicy to be inserted
+*/}}
+{{- define "media-common.openvpn.networkpolicy" -}}
+{{- if .Values.openvpn.networkPolicy.enabled -}}
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: {{ template "media-common.fullname" . }}-deny-all-netpol
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "media-common.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ policyTypes:
+ - Egress
+ egress:
+ {{- if .Values.openvpn.networkPolicy.egress }}
+ {{- .Values.openvpn.networkPolicy.egress | toYaml | nindent 4 }}
+ {{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/charts/media-common-openvpn/templates/_secret.tpl b/charts/media-common-openvpn/templates/_secret.tpl
new file mode 100644
index 00000000..862c38f3
--- /dev/null
+++ b/charts/media-common-openvpn/templates/_secret.tpl
@@ -0,0 +1,15 @@
+{{/*
+The OpenVPN secrets to be inserted
+*/}}
+{{- define "media-common.openvpn.secret" -}}
+{{- if .Values.openvpn.auth -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ template "media-common.fullname" . }}-openvpn
+ labels:
+ {{- include "media-common.labels" . | nindent 4 }}
+data:
+ VPN_AUTH: {{ .Values.openvpn.auth | b64enc }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/media-common-openvpn/templates/_volume.tpl b/charts/media-common-openvpn/templates/_volume.tpl
new file mode 100644
index 00000000..dd7b1af5
--- /dev/null
+++ b/charts/media-common-openvpn/templates/_volume.tpl
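Review bot: The NetworkPolicy `metadata:` has no `labels:` block, unlike the ConfigMap and Secret defines in this change which both include `media-common.labels`; adding `labels:` with `{{- include "media-common.labels" . | nindent 4 }}` under `name:` keeps the resources selectable together. Worth stating in the template too: when `networkPolicy.egress` is empty the policy renders with an empty `egress:` and, on a CNI that enforces policies, blocks every outbound connection from the selected pods, including the sidecar's own connection to the VPN endpoint and any DNS lookup needed to resolve it, so the tunnel cannot come up until those are listed. A comment above `egress:` such as `# empty egress = deny all outbound; allow at least the VPN server address/port and DNS` would save users a silent failure.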
@@ -0,0 +1,25 @@
+{{/*
+The OpenVPN volumes to be inserted
+*/}}
+{{- define "media-common.openvpn.volume" -}}
+{{- if or .Values.openvpn.vpnConf .Values.openvpn.scripts.up .Values.openvpn.scripts.down -}}
+- name: openvpnconf
+ configMap:
+ name: {{ template "media-common.fullname" . }}-openvpn
+ items:
+ {{- if .Values.openvpn.vpnConf }}
+ - key: vpnConf
+ path: vpnConf
+ {{- end }}
+ {{- if .Values.openvpn.scripts.up }}
+ - key: up.sh
+ path: up.sh
+ mode: 0777
+ {{- end }}
+ {{- if .Values.openvpn.scripts.down }}
+ - key: down.sh
+ path: down.sh
+ mode: 0777
+ {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/charts/media-common-openvpn/values.yaml b/charts/media-common-openvpn/values.yaml
new file mode 100644
index 00000000..6aec9799
--- /dev/null
+++ b/charts/media-common-openvpn/values.yaml
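Review bot: `mode: 0777` on `up.sh` and `down.sh` grants write bits that nothing here needs; the scripts only have to be executable, so `mode: 0555` is the least-privilege form (ConfigMap volumes are, as far as I know, mounted read-only by the kubelet anyway, which makes the write bits dead weight rather than a live risk). The value also depends on the YAML parser reading a leading-zero integer as octal, which Helm's parser does but which trips the usual `0644`-style lint rules, so a comment like `# octal file mode; ConfigMap items must be executable for openvpn to run them` next to each `mode:` would document both the intent and the base. The two occurrences in this hunk should change together.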
@@ -0,0 +1,67 @@
+# Default values for media-common-openvpn.
+
+image:
+ repository: dperson/openvpn-client
+ tag: latest
+ pullPolicy: IfNotPresent
+
+# All variables specified here will be added to the openvpn sidecar container
+# Ref https://hub.docker.com/r/dperson/openvpn-client for all config values
+env: []
+# TZ: UTC
+
+# Provide a customized vpn.conf file to be used by openvpn.
+vpnConf: # |-
+ # Some Example Config
+ # remote greatvpnhost.com 8888
+ # auth-user-pass
+ # Cipher AES
+
+# Provide custom up/down scripts that can be used by the vpnConf
+scripts:
+ up: # |-
+ # #!/bin/bash
+ # echo "connected" > /shared/vpnstatus
+ down: # |-
+ # #!/bin/bash
+ # echo "disconnected" > /shared/vpnstatus
+
+# Credentials to connect to the VPN Service (used with -a)
+auth: # "user;password"
+# OR specify an existing secret that contains the credentials. Credentials should be stored
+# under the VPN_AUTH key
+authSecret: # my-vpn-secret
+
+additionalVolumeMounts: []
+
+# Optionally specify a livenessProbe, e.g. to check if the connection is still
+# being protected by the VPN
+livenessProbe: {}
+# exec:
+# command:
+# - sh
+# - -c
+# - if [ $(curl -s https://ipinfo.io/country) == 'US' ]; then exit 0; else exit $?; fi
+# initialDelaySeconds: 30
+# periodSeconds: 60
+# failureThreshold: 1
+
+# If set to true, will deploy a network policy that blocks all outbound
+# traffic except traffic specified as allowed
+networkPolicy:
+ enabled: false
+
+ # The egress configuration for your network policy, All outbound traffic
+ # From the pod will be blocked unless specified here. Your cluster must
+ # have a CNI that supports network policies (Canal, Calico, etc...)
+ # https://kubernetes.io/docs/concepts/services-networking/network-policies/
+ # https://github.com/ahmetb/kubernetes-network-policy-recipes
+ egress:
+ # - to:
+ # - ipBlock:
+ # cidr: 0.0.0.0/0
+ # ports:
+ # - port: 53
+ # protocol: UDP
+ # - port: 53
+ # protocol: TCP
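Review bot: `env: []` declares a list, but the container template in this change iterates it with `range $k, $v := .Values.openvpn.env` and the `# TZ: UTC` example directly below is a mapping; a user who follows the list default gets `name: 0` entries, so the default should be `env: {}`. `tag: latest` with `pullPolicy: IfNotPresent` means the sidecar that receives `NET_ADMIN` is unpinned and may differ from node to node; pinning a specific tag (or digest) in the default, with a comment that users should keep it pinned, is the usual supply-chain control for a privileged sidecar. The `auth:` comment could also steer users toward `authSecret`, e.g. `# Prefer authSecret: an inline value ends up in your values file and in the Helm release record`, since the template only turns `auth` into a Secret at install time.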