diff --git a/.github/workflows/chart-release.yml b/.github/workflows/chart-release.yml
index 12b076d..7956c29 100644
--- a/.github/workflows/chart-release.yml
+++ b/.github/workflows/chart-release.yml
@@ -5,7 +5,7 @@ on:
 branches:
 - master
 paths:
- - 'helm/**'
+ - 'charts/**'
 jobs:
 chart-release:
diff --git a/helm/Chart.yaml b/helm/Chart.yaml
deleted file mode 100644
index 71838aa..0000000
--- a/helm/Chart.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-name: ovpn-admin
-version: 1.0.0
diff --git a/helm/README.md b/helm/README.md
deleted file mode 100644
index eabf182..0000000
--- a/helm/README.md
+++ /dev/null
@@ -1 +0,0 @@
-helm chart example
diff --git a/helm/templates/configmap.yaml b/helm/templates/configmap.yaml
deleted file mode 100644
index 076e72d..0000000
--- a/helm/templates/configmap.yaml
+++ /dev/null
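Review bot: The trigger now fires only on pushes touching `charts/**`, yet every other hunk in this diff is a deletion under `helm/` and nothing under `charts/` is added here; unless the chart was moved into `charts/` in this same commit (possibly cut from this view), chart-release will not run again until that directory exists. Because the workflow is gated purely on a paths filter, edits to the workflow itself also won't trigger it, so consider adding `- '.github/workflows/chart-release.yml'` under `paths:` alongside `- 'charts/**'` so changes to the release pipeline are exercised on merge.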
@@ -1,88 +0,0 @@
-{{ $openvpnNetwork := required "A valid .Values.openvpn.subnet entry required!" .Values.openvpn.subnet }}
-{{ $openvpnNetworkAddress := index (splitList "/" $openvpnNetwork) 0 }}
-{{ $openvpnNetworkNetmask := index (splitList "/" $openvpnNetwork) 1 }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: openvpn
-data:
- openvpn.conf: |-
- user nobody
- group nogroup
-
- mode server
- tls-server
- # dev-type tun
- dev tun
- proto tcp-server
- port 1194
- # local 127.0.0.1
- management 127.0.0.1 8989
-
- tun-mtu 1500
- mssfix
- # only udp
- #fragment 1300
-
- keepalive 10 60
- client-to-client
- persist-key
- persist-tun
-
- cipher AES-128-CBC
- duplicate-cn
-
- server {{ $openvpnNetworkAddress }} {{ $openvpnNetworkNetmask }}
-
- topology subnet
- push "topology subnet"
- push "route-metric 9999"
-
- verb 4
-
- ifconfig-pool-persist /tmp/openvpn.ipp
- status /tmp/openvpn.status
-
- key-direction 0
-
- ca /etc/openvpn/certs/pki/ca.crt
- key /etc/openvpn/certs/pki/private/server.key
- cert /etc/openvpn/certs/pki/issued/server.crt
- dh /etc/openvpn/certs/pki/dh.pem
- crl-verify /etc/openvpn/certs/pki/crl.pem
- tls-auth /etc/openvpn/certs/pki/ta.key
- client-config-dir /etc/openvpn/ccd
-
- entrypoint.sh: |-
- #!/bin/sh
- set -x
-
- iptables -t nat -A POSTROUTING -s {{ $openvpnNetworkAddress }}/{{ $openvpnNetworkNetmask }} ! -d {{ $openvpnNetworkAddress }}/{{ $openvpnNetworkNetmask }} -j MASQUERADE
-
- mkdir -p /dev/net
- if [ ! -c /dev/net/tun ]; then
- mknod /dev/net/tun c 10 200
- fi
-
- wait_file() {
- file_path="$1"
- while true; do
- if [ -f $file_path ]; then
- break
- fi
- echo "wait $file_path"
- sleep 2
- done
- }
-
- easyrsa_path="/etc/openvpn/certs"
-
- wait_file "$easyrsa_path/pki/ca.crt"
- wait_file "$easyrsa_path/pki/private/server.key"
- wait_file "$easyrsa_path/pki/issued/server.crt"
- wait_file "$easyrsa_path/pki/ta.key"
- wait_file "$easyrsa_path/pki/dh.pem"
- wait_file "$easyrsa_path/pki/crl.pem"
-
- openvpn --config /etc/openvpn/openvpn.conf
diff --git a/helm/templates/deployment.yaml b/helm/templates/deployment.yaml
deleted file mode 100644
index 1cc0538..0000000
--- a/helm/templates/deployment.yaml
+++ /dev/null
@@ -1,117 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: openvpn
-spec:
- selector:
- matchLabels:
- app: openvpn
- template:
- metadata:
- labels:
- app: openvpn
- spec:
- {{- if .Values.openvpn.nodeSelector }}
- nodeSelector:
- {{- .Values.openvpn.nodeSelector | toYaml | indent 8 | printf "\n%s" }}
- {{- end }}
- {{- if .Values.openvpn.tolerations }}
- tolerations:
- {{- .Values.openvpn.tolerations | toYaml | indent 8 | printf "\n%s" }}
- {{- end }}
- terminationGracePeriodSeconds: 0
- serviceAccountName: openvpn
- containers:
- - name: ovpn-admin
- image: {{ .Values.ovpnAdmin.image }}
- command:
- - /bin/sh
- - -c
- - /app/ovpn-admin
- --storage.backend="kubernetes.secrets"
- --listen.host="0.0.0.0"
- --listen.port="8000"
- --role="master"
- {{- if hasKey .Values.openvpn "inlet" }}
- {{- if eq .Values.openvpn.inlet "LoadBalancer" }}
- --ovpn.server.behindLB
- --ovpn.service="openvpn-external"
- {{- end }}
- {{- end }}
- --mgmt=main="127.0.0.1:8989"
- --ccd --ccd.path="/mnt/ccd"
- --easyrsa.path="/mnt/certs"
- {{- $externalHost := "" }}
- {{- if hasKey .Values.openvpn "inlet" }}
- {{- if eq .Values.openvpn.inlet "ExternalIP" }}{{ $externalHost = .Values.openvpn.externalIP }}{{- end }}
- {{- end }}
- {{- if hasKey .Values.openvpn "externalHost" }}{{ $externalHost = .Values.openvpn.externalHost }}{{- end }}
- {{- if ne $externalHost "" }}
- --ovpn.server="{{ $externalHost }}:{{ .Values.openvpn.externalPort | default 5416 | quote }}:tcp"
- {{- end }}
- ports:
- - name: ovpn-admin
- protocol: TCP
- containerPort: 8000
- volumeMounts:
- - name: certs
- mountPath: /mnt/certs
- - name: ccd
- mountPath: /mnt/ccd
- - name: openvpn
- image: {{ .Values.openvpn.image }}
- command: [ '/entrypoint.sh' ]
- # imagePullPolicy: Always
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- add:
- - NET_ADMIN
- - NET_RAW
- - MKNOD
- - SETGID
- - SETUID
- drop:
- - ALL
- ports:
- - name: openvpn-tcp
- protocol: TCP
- containerPort: 1194
- {{- if eq .Values.openvpn.inlet "HostPort" }}
- hostPort: {{ .Values.openvpn.hostPort }}
- {{- end }}
- volumeMounts:
- - name: tmp
- mountPath: /tmp
- - name: dev-net
- mountPath: /dev/net
- - name: certs
- mountPath: /etc/openvpn/certs
- - name: ccd
- mountPath: /etc/openvpn/ccd
- - name: config
- mountPath: /etc/openvpn/openvpn.conf
- subPath: openvpn.conf
- readOnly: true
- - name: entrypoint
- mountPath: /entrypoint.sh
- subPath: entrypoint.sh
- readOnly: true
- volumes:
- - name: tmp
- emptyDir: {}
- - name: dev-net
- emptyDir: {}
- - name: certs
- emptyDir: {}
- - name: ccd
- emptyDir: {}
- - name: config
- configMap:
- name: openvpn
- defaultMode: 0644
- - name: entrypoint
- configMap:
- name: openvpn
- defaultMode: 0755
diff --git a/helm/templates/ingress.yaml b/helm/templates/ingress.yaml
deleted file mode 100644
index 8f227ef..0000000
--- a/helm/templates/ingress.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: ovpn-admin
- annotations:
- kubernetes.io/ingress.class: nginx
- nginx.ingress.kubernetes.io/backend-protocol: HTTP
- nginx.ingress.kubernetes.io/auth-type: basic
- nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
- nginx.ingress.kubernetes.io/auth-secret: basic-auth
-spec:
- tls:
- - hosts:
- - {{ .Values.domain }}
- secretName: ingress-tls
- rules:
- - host: {{ .Values.domain }}
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: ovpn-admin
- port:
- name: http
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: ovpn-admin
-spec:
- secretName: ingress-tls
- dnsNames:
- - {{ .Values.domain }}
- issuerRef:
- name: letsencrypt
- kind: ClusterIssuer
diff --git a/helm/templates/rbac.yaml b/helm/templates/rbac.yaml
deleted file mode 100644
index 4693d83..0000000
--- a/helm/templates/rbac.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: openvpn
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: openvpn
-rules:
-- apiGroups:
- - ""
- resources:
- - services
- verbs:
- - get
- - list
-- apiGroups:
- - ""
- resources:
- - secrets
- verbs:
- - "*"
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: openvpn
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: openvpn
-subjects:
-- kind: ServiceAccount
- name: openvpn
diff --git a/helm/templates/secret.yaml b/helm/templates/secret.yaml
deleted file mode 100644
index b2dd27d..0000000
--- a/helm/templates/secret.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: basic-auth
-type: Opaque
-data:
- auth: {{ print .Values.ovpnAdmin.basicAuth.user ":{PLAIN}" .Values.ovpnAdmin.basicAuth.password | b64enc | quote }}
diff --git a/helm/templates/service.yaml b/helm/templates/service.yaml
deleted file mode 100644
index e04e626..0000000
--- a/helm/templates/service.yaml
+++ /dev/null
@@ -1,57 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- name: ovpn-admin
-spec:
- clusterIP: None
- ports:
- - name: http
- port: 8000
- protocol: TCP
- targetPort: 8000
- selector:
- app: openvpn
----
-{{- if hasKey .Values.openvpn "inlet" }}
-
- {{- if eq .Values.openvpn.inlet "LoadBalancer" }}
----
-apiVersion: v1
-kind: Service
-metadata:
- name: openvpn-external
-spec:
- externalTrafficPolicy: Local
- type: LoadBalancer
- ports:
- - name: openvpn-tcp
- protocol: TCP
- port: {{ .Values.openvpn.externalPort | default 1194 }}
- targetPort: openvpn-tcp
- selector:
- app: openvpn
- {{- else if eq .Values.openvpn.inlet "ExternalIP" }}
----
-apiVersion: v1
-kind: Service
-metadata:
- name: openvpn-external
-spec:
- type: ClusterIP
- externalIPs:
- - {{ .Values.openvpn.externalIP }}
- ports:
- - name: openvpn-tcp
- port: {{ .Values.openvpn.externalPort | default 1194 }}
- protocol: TCP
- targetPort: openvpn-tcp
- selector:
- app: openvpn
- {{- else if eq .Values.openvpn.inlet "HostPort" }}
----
- {{- else }}
- {{- cat "Unsupported inlet type" .inlet | fail }}
- {{- end }}
-
-{{- end }}
diff --git a/helm/values.yaml b/helm/values.yaml
deleted file mode 100644
index 544e3dd..0000000
--- a/helm/values.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-domain: changeme
-ovpnAdmin:
- image: changeme
- basicAuth:
- user: admin
- password: changeme
-openvpn:
- image: changeme
- subnet: 172.16.200.0/255.255.255.0
- # nodeSelector:
- # node-role.kubernetes.io/master: ""
- # tolerations:
- # - effect: NoSchedule
- # key: node-role.kubernetes.io/master
- #
- # // LoadBalancer or ExternalIP or HostPort
- inlet: HostPort
- #
- # If inlet: ExternalIP
- # externalIP: 1.2.3.4
- # externalPort: 1194
- #
- # If inlet: HostPort
- hostPort: 1194
- # Domain or ip for connect to OpenVPN server
- # externalHost: 1.2.3.4