parent
b9325384f1
commit
e0536fd808
@ -0,0 +1,31 @@ |
||||
apiVersion: v2 |
||||
name: proton-vpn |
||||
description: A Helm chart for Kubernetes |
||||
|
||||
# A chart can be either an 'application' or a 'library' chart. |
||||
# |
||||
# Application charts are a collection of templates that can be packaged into versioned archives |
||||
# to be deployed. |
||||
# |
||||
# Library charts provide useful utilities or functions for the chart developer. They're included as |
||||
# a dependency of application charts to inject those utilities and functions into the rendering |
||||
# pipeline. Library charts do not define any templates and therefore cannot be deployed. |
||||
type: application |
||||
|
||||
# This is the chart version. This version number should be incremented each time you make changes |
||||
# to the chart and its templates, including the app version. |
||||
# Versions are expected to follow Semantic Versioning (https://semver.org/) |
||||
version: 0.1.0 |
||||
|
||||
# This is the version number of the application being deployed. This version number should be |
||||
# incremented each time you make changes to the application. Versions are not expected to |
||||
# follow Semantic Versioning. They should reflect the version the application is using. |
||||
# It is recommended to use it with quotes. |
||||
appVersion: "1.16.0" |
||||
|
||||
dependencies: |
||||
# https://github.com/k8s-at-home/charts/tree/master/charts/stable/pod-gateway |
||||
# https://github.com/k8s-at-home/charts/commit/bc8aee9648feb02fbe03246026e799cd1bd50ae5 |
||||
- name: pod-gateway |
||||
version: "2.0.0" |
||||
repository: https://k8s-at-home.com/charts/ |
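Review bot: `description: A Helm chart for Kubernetes` and `appVersion: "1.16.0"` look like unedited `helm create` scaffold defaults rather than values describing this chart, and `appVersion` is rendered into the `app.kubernetes.io/version` label by the helpers in this same commit, so a placeholder there is misleading. The pod-gateway dependency is pinned to `version: "2.0.0"` (with the upstream commit linked in the comment), which is good, but a version alone does not fix the content fetched from a remote repository; commit the `Chart.lock` that `helm dependency update` produces so the dependency digest is recorded and re-verified on each build.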
@ -0,0 +1,73 @@ |
||||
Implements [this guide](https://docs.k8s-at-home.com/guides/pod-gateway/). Note that I only tested this with OpenVPN, not Wireguard. |
||||
|
||||
|
||||
## Dependencies |
||||
|
||||
### Cert-manager |
||||
|
||||
Depends on the CRDs installed as part of `cert-manager`, which apparently will not be installed if that chart is a dependency of this one - so it's installed manually in its own directory. |
||||
|
||||
If you need to install it manually, run `helm repo add jetstack https://charts.jetstack.io; helm repo update; helm install --create-namespace -n security jetstack/cert-manager cert-manager --set installCRDs=true` |
||||
|
||||
## Secrets |
||||
|
||||
Note that the names of both of these secrets are arbitrary (though the keys within them are not) - the expected names are set in `values.yaml`. |
||||
|
||||
### Config file |
||||
|
||||
Depends on the existence of a secret called `openvpn-config`, with a key `vpnConfigfile` that contains the appropriate config file. Download it from [here](https://account.protonvpn.com/downloads) and upload it with: |
||||
|
||||
``` |
||||
kubectl -n proton-vpn create secret generic openvpn-config --from-file=vpnConfigfile=<path_to_config_file> |
||||
``` |
||||
|
||||
### OpenVPN creds |
||||
|
||||
Fetch from [here](https://account.protonvpn.com/account) (note - these are different from your ProtonVPN credentials!), then upload with: |
||||
|
||||
``` |
||||
kubectl -n proton-vpn create secret generic openvpn-creds --from-literal="VPN_AUTH=<username>;<password>" |
||||
``` |
||||
|
||||
Note that you can (apparently!) append various suffices to the OpenVPN username to enable extra features if you are a paying member: |
||||
|
||||
* `<username>+f1` as username to enable anti-malware filtering |
||||
* `<username>+f2` as username to additionally enable ad-blocking filtering |
||||
* `<username>+nr` as username to enable Moderate NAT |
||||
|
||||
I haven't tested - use at your own risk! Probably best to get a functioning connection working before messing around with extra features. |
||||
|
||||
### update-resolv-conf |
||||
|
||||
TODO: (Not sure if this is required for all servers...) This is required by the ProtonVPN OpenVPN configuration (line 124) |
||||
|
||||
## Debugging |
||||
|
||||
### `GATEWAY_IP=';; connection timed out; no servers could be reached'` |
||||
|
||||
As per [here](https://docs.k8s-at-home.com/guides/pod-gateway/#routed-pod-fails-to-init), "_try setting the_ `NOT_ROUTED_TO_GATEWAY_CIDRS:` _with your cluster cidr and service cidrs_". The way to find those values is described [here](https://stackoverflow.com/questions/44190607/how-do-you-find-the-cluster-service-cidr-of-a-kubernetes-cluster) |
||||
|
||||
## More info |
||||
|
||||
Some OpenVPN server configurations rely on a script at `/etc/openvpn/update-resolv-conf.sh`, which isn't provided by default. It [looks like](https://github.com/dperson/openvpn-client/issues/90) it's been replaced with `/etc/openvpn/up.sh` and `.../down.sh` - you should be able to manually edit the `.ovpn` file to reference those scripts instead. |
||||
|
||||
If you really need the original file - get it from [here](https://github.com/alfredopalhares/openvpn-update-resolv-conf) and provide it in a ConfigMap: |
||||
|
||||
``` |
||||
curl -s https://raw.githubusercontent.com/alfredopalhares/openvpn-update-resolv-conf/master/update-resolv-conf.sh -o /tmp/update-resolv-conf |
||||
``` |
||||
|
||||
### Debugging image |
||||
|
||||
Useful tools to install: |
||||
|
||||
``` |
||||
apt update -y |
||||
apt install -y traceroute net-tools iputils-ping dnsutils |
||||
``` |
||||
|
||||
## References |
||||
|
||||
* [Values definition for VPN](https://github.com/k8s-at-home/library-charts/blob/2b4e0aa1ef5f8c6ef4ac14c2335fc9a008394ed6/charts/stable/common/values.yaml#L479) |
||||
* [Charts for VPN](https://github.com/k8s-at-home/library-charts/tree/2b4e0aa1ef5f8c6ef4ac14c2335fc9a008394ed6/charts/stable/common/templates/addons/vpn) |
||||
* [Pod Gateway templates](https://github.com/k8s-at-home/charts/tree/master/charts/stable/pod-gateway/templates) |
@ -0,0 +1,62 @@ |
||||
{{/* |
||||
Expand the name of the chart. |
||||
*/}} |
||||
{{- define "proton-vpn.name" -}} |
||||
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} |
||||
{{- end }} |
||||
|
||||
{{/* |
||||
Create a default fully qualified app name. |
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). |
||||
If release name contains chart name it will be used as a full name. |
||||
*/}} |
||||
{{- define "proton-vpn.fullname" -}} |
||||
{{- if .Values.fullnameOverride }} |
||||
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} |
||||
{{- else }} |
||||
{{- $name := default .Chart.Name .Values.nameOverride }} |
||||
{{- if contains $name .Release.Name }} |
||||
{{- .Release.Name | trunc 63 | trimSuffix "-" }} |
||||
{{- else }} |
||||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} |
||||
{{- end }} |
||||
{{- end }} |
||||
{{- end }} |
||||
|
||||
{{/* |
||||
Create chart name and version as used by the chart label. |
||||
*/}} |
||||
{{- define "proton-vpn.chart" -}} |
||||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} |
||||
{{- end }} |
||||
|
||||
{{/* |
||||
Common labels |
||||
*/}} |
||||
{{- define "proton-vpn.labels" -}} |
||||
helm.sh/chart: {{ include "proton-vpn.chart" . }} |
||||
{{ include "proton-vpn.selectorLabels" . }} |
||||
{{- if .Chart.AppVersion }} |
||||
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} |
||||
{{- end }} |
||||
app.kubernetes.io/managed-by: {{ .Release.Service }} |
||||
{{- end }} |
||||
|
||||
{{/* |
||||
Selector labels |
||||
*/}} |
||||
{{- define "proton-vpn.selectorLabels" -}} |
||||
app.kubernetes.io/name: {{ include "proton-vpn.name" . }} |
||||
app.kubernetes.io/instance: {{ .Release.Name }} |
||||
{{- end }} |
||||
|
||||
{{/* |
||||
Create the name of the service account to use |
||||
*/}} |
||||
{{- define "proton-vpn.serviceAccountName" -}} |
||||
{{- if .Values.serviceAccount.create }} |
||||
{{- default (include "proton-vpn.fullname" .) .Values.serviceAccount.name }} |
||||
{{- else }} |
||||
{{- default "default" .Values.serviceAccount.name }} |
||||
{{- end }} |
||||
{{- end }} |
@ -0,0 +1,11 @@ |
||||
# Note these are _not_ the namespace for the items created by this chart, but rather are the namespaces of pods that will |
||||
# be routed _through_ this VPN |
||||
{{- range (index .Values "pod-gateway" "routed_namespaces") }} |
||||
--- |
||||
apiVersion: v1 |
||||
kind: Namespace |
||||
metadata: |
||||
name: {{ . }} |
||||
labels: |
||||
routed-gateway: "true" |
||||
{{- end }} |
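Review bot: Each Namespace rendered from `routed_namespaces` becomes a Helm-managed resource of this release, so `helm uninstall` will delete those namespaces and every workload inside them (the default values list `ombi`), not just the VPN gateway. If that is not intended, add `annotations:` with `helm.sh/resource-policy: keep` under `metadata`, or state in the header comment that the namespaces are owned by this release. Also quote the templated name, `name: {{ . | quote }}`, so a namespace value that happens to look like a number or boolean is not retyped by the YAML parser.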
@ -0,0 +1,59 @@ |
||||
pod-gateway: |
||||
routed_namespaces: |
||||
- "vpn" |
||||
- "ombi" |
||||
|
||||
settings: |
||||
NOT_ROUTED_TO_GATEWAY_CIDRS: "10.42.0.0/16 10.43.0.0/16 192.168.0.0/16" |
||||
VPN_BLOCK_OTHER_TRAFFIC: true |
||||
# https://github.com/k8s-at-home/charts/tree/master/charts/stable/pod-gateway |
||||
VPN_INTERFACE: tun0 # For OpenVPN. For Wireguard, use `wg0` |
||||
VPN_TRAFFIC_PORT: 1194 # UDP port - which is generally preferred over TCP. If you use TCP, 443 is probably correct |
||||
|
||||
publicPorts: |
||||
- hostname: ombi |
||||
IP: 9 |
||||
ports: |
||||
- type: udp |
||||
port: 6789 |
||||
- type: tcp |
||||
port: 6789 |
||||
|
||||
addons: |
||||
# https://github.com/k8s-at-home/library-charts/blob/2b4e0aa1ef5f8c6ef4ac14c2335fc9a008394ed6/charts/stable/common/templates/addons/vpn/openvpn/_container.tpl |
||||
# https://github.com/k8s-at-home/library-charts/blob/2b4e0aa1ef5f8c6ef4ac14c2335fc9a008394ed6/charts/stable/common/values.yaml#L477 |
||||
vpn: |
||||
enabled: true |
||||
|
||||
type: openvpn |
||||
openvpn: |
||||
authSecret: openvpn-creds |
||||
configFileSecret: openvpn-config |
||||
|
||||
livenessProbe: |
||||
exec: |
||||
# Change "CA" to whatever country your VPN connects to |
||||
command: |
||||
- sh |
||||
- -c |
||||
- if [ $(curl -s https://ipinfo.io/country) == 'CA' ]; then exit 0; else exit $?; fi |
||||
initialDelaySeconds: 30 |
||||
periodSeconds: 60 |
||||
failureThreshold: 1 |
||||
|
||||
networkPolicy: |
||||
enabled: true |
||||
egress: |
||||
- ports: |
||||
- protocol: UDP # Setting settings.VPN_TRAFFIC_PORT is insufficient |
||||
port: 1194 |
||||
to: |
||||
- ipBlock: |
||||
cidr: 0.0.0.0/0 |
||||
- to: |
||||
- ipBlock: |
||||
cidr: 10.0.0.0/8 |
||||
|
||||
scripts: |
||||
up: true |
||||
down: true |
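Review bot: The liveness probe command `if [ $(curl -s https://ipinfo.io/country) == 'CA' ]; then exit 0; else exit $?; fi` has two shell problems: the command substitution is unquoted, so an empty or multi-word response (curl failure, an HTML error page) becomes a `[` syntax error instead of a clean comparison, and `==` is not a POSIX `test` operator, so if the image's `sh` is dash the test errors out and the probe fails regardless of country. `curl -s` also has no timeout, so a hung request stalls the probe until kubelet's own timeout. Suggest `- '[ "$(curl -sf --max-time 10 https://ipinfo.io/country)" = "CA" ]'` as the single script argument, which keeps the fail-closed behaviour (non-zero exit restarts the container) while making failure explicit. Separately, the `networkPolicy` egress allows all of `10.0.0.0/8` while `NOT_ROUTED_TO_GATEWAY_CIDRS` names only `10.42.0.0/16 10.43.0.0/16`; narrowing the `ipBlock` to those cluster/service CIDRs limits what the gateway pod can reach outside the tunnel if the VPN container is compromised.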