Add ProtonVPN

app-of-apps/templates/apps.yaml

@@ -227,3 +227,32 @@ spec:
       prune: true
     syncOptions:
     - CreateNamespace=true
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: proton-vpn
+  namespace: argo
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+
+  source:
+    repoURL: https://gitea.scubbo.org/scubbo/helm-charts.git
+    targetRevision: HEAD
+    path: charts/proton-vpn
+
+    helm:
+      valueFiles:
+      - values.yaml
+
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: proton-vpn
+
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+    - CreateNamespace=true

charts/proton-vpn/Chart.yaml

@@ -0,0 +1,31 @@
+apiVersion: v2
+name: proton-vpn
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.16.0"
+
+dependencies:
+  # https://github.com/k8s-at-home/charts/tree/master/charts/stable/pod-gateway
+  # https://github.com/k8s-at-home/charts/commit/bc8aee9648feb02fbe03246026e799cd1bd50ae5
+  - name: pod-gateway
+    version: "2.0.0"
+    repository: https://k8s-at-home.com/charts/

charts/proton-vpn/README.md

@@ -0,0 +1,73 @@
+Implements [this guide](https://docs.k8s-at-home.com/guides/pod-gateway/). Note that I only tested this with OpenVPN, not Wireguard.
+
+
+## Dependencies
+
+### Cert-manager
+
+Depends on the CRDs installed as part of `cert-manager`, which apparently will not be installed if that chart is a dependency of this one - so it's installed manually in its own directory.
+
+If you need to install it manually, run `helm repo add jetstack https://charts.jetstack.io; helm repo update; helm install --create-namespace -n security jetstack/cert-manager cert-manager --set installCRDs=true`
+
+## Secrets
+
+Note that the names of both of these secrets are arbitrary (though the keys within them are not) - the expected names are set in `values.yaml`.
+
+### Config file
+
+Depends on the existence of a secret called `openvpn-config`, with a key `vpnConfigfile` that contains the appropriate config file. Download it from [here](https://account.protonvpn.com/downloads) and upload it with:
+
+```
+kubectl -n proton-vpn create secret generic openvpn-config --from-file=vpnConfigfile=<path_to_config_file>
+```
+
+### OpenVPN creds
+
+Fetch from [here](https://account.protonvpn.com/account) (note - these are different from your ProtonVPN credentials!), then upload with:
+
+```
+kubectl -n proton-vpn create secret generic openvpn-creds --from-literal="VPN_AUTH=<username>;<password>"
+```
+
+Note that you can (apparently!) append various suffices to the OpenVPN username to enable extra features if you are a paying member:
+
+* `<username>+f1` as username to enable anti-malware filtering
+* `<username>+f2` as username to additionally enable ad-blocking filtering
+* `<username>+nr` as username to enable Moderate NAT
+
+I haven't tested - use at your own risk! Probably best to get a functioning connection working before messing around with extra features.
+
+### update-resolv-conf
+
+TODO: (Not sure if this is required for all servers...) This is required by the ProtonVPN OpenVPN configuration (line 124)
+
+## Debugging
+
+### `GATEWAY_IP=';; connection timed out; no servers could be reached'`
+
+As per [here](https://docs.k8s-at-home.com/guides/pod-gateway/#routed-pod-fails-to-init), "_try setting the_ `NOT_ROUTED_TO_GATEWAY_CIDRS:` _with your cluster cidr and service cidrs_". The way to find those values is described [here](https://stackoverflow.com/questions/44190607/how-do-you-find-the-cluster-service-cidr-of-a-kubernetes-cluster)
+
+## More info
+
+Some OpenVPN server configurations rely on a script at `/etc/openvpn/update-resolv-conf.sh`, which isn't provided by default. It [looks like](https://github.com/dperson/openvpn-client/issues/90) it's been replaced with `/etc/openvpn/up.sh` and `.../down.sh` - you should be able to manually edit the `.ovpn` file to reference those scripts instead.
+
+If you really need the original file - get it from [here](https://github.com/alfredopalhares/openvpn-update-resolv-conf) and provide it in a ConfigMap:
+
+```
+curl -s https://raw.githubusercontent.com/alfredopalhares/openvpn-update-resolv-conf/master/update-resolv-conf.sh -o /tmp/update-resolv-conf
+```
+
+### Debugging image
+
+Useful tools to install:
+
+```
+apt update -y
+apt install -y traceroute net-tools iputils-ping dnsutils
+```
+
+## References
+
+* [Values definition for VPN](https://github.com/k8s-at-home/library-charts/blob/2b4e0aa1ef5f8c6ef4ac14c2335fc9a008394ed6/charts/stable/common/values.yaml#L479)
+* [Charts for VPN](https://github.com/k8s-at-home/library-charts/tree/2b4e0aa1ef5f8c6ef4ac14c2335fc9a008394ed6/charts/stable/common/templates/addons/vpn)
+* [Pod Gateway templates](https://github.com/k8s-at-home/charts/tree/master/charts/stable/pod-gateway/templates)

charts/proton-vpn/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "proton-vpn.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "proton-vpn.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "proton-vpn.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "proton-vpn.labels" -}}
+helm.sh/chart: {{ include "proton-vpn.chart" . }}
+{{ include "proton-vpn.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "proton-vpn.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "proton-vpn.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "proton-vpn.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "proton-vpn.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

charts/proton-vpn/templates/namespace.yaml

@@ -0,0 +1,11 @@
+# Note these are _not_ the namespace for the items created by this chart, but rather are the namespaces of pods that will
+# be routed _through_ this VPN
+{{- range (index .Values "pod-gateway" "routed_namespaces") }}
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ . }}
+  labels:
+    routed-gateway: "true"
+{{- end }}

charts/proton-vpn/values.yaml

@@ -0,0 +1,59 @@
+pod-gateway:
+  routed_namespaces:
+    - "vpn"
+    - "ombi"
+
+  settings:
+    NOT_ROUTED_TO_GATEWAY_CIDRS: "10.42.0.0/16 10.43.0.0/16 192.168.0.0/16"
+    VPN_BLOCK_OTHER_TRAFFIC: true
+    # https://github.com/k8s-at-home/charts/tree/master/charts/stable/pod-gateway
+    VPN_INTERFACE: tun0 # For OpenVPN. For Wireguard, use `wg0`
+    VPN_TRAFFIC_PORT: 1194 # UDP port - which is generally preferred over TCP. If you use TCP, 443 is probably correct
+
+  publicPorts:
+    - hostname: ombi
+      IP: 9
+      ports:
+        - type: udp
+          port: 6789
+        - type: tcp
+          port: 6789
+
+  addons:
+    # https://github.com/k8s-at-home/library-charts/blob/2b4e0aa1ef5f8c6ef4ac14c2335fc9a008394ed6/charts/stable/common/templates/addons/vpn/openvpn/_container.tpl
+    # https://github.com/k8s-at-home/library-charts/blob/2b4e0aa1ef5f8c6ef4ac14c2335fc9a008394ed6/charts/stable/common/values.yaml#L477
+    vpn:
+      enabled: true
+
+      type: openvpn
+      openvpn:
+        authSecret: openvpn-creds
+      configFileSecret: openvpn-config
+
+      livenessProbe:
+        exec:
+          # Change "CA" to whatever country your VPN connects to
+          command:
+            - sh
+            - -c
+            - if [ $(curl -s https://ipinfo.io/country) == 'CA' ]; then exit 0; else exit $?; fi
+        initialDelaySeconds: 30
+        periodSeconds: 60
+        failureThreshold: 1
+
+      networkPolicy:
+        enabled: true
+        egress:
+        - ports:
+            - protocol: UDP # Setting settings.VPN_TRAFFIC_PORT is insufficient
+              port: 1194
+          to:
+            - ipBlock:
+                cidr: 0.0.0.0/0
+        - to:
+            - ipBlock:
+                cidr: 10.0.0.0/8
+
+        scripts:
+          up: true
+          down: true