diff --git a/.drone.yml b/.drone.yml
index 1a04823..64d2b37 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -20,7 +20,7 @@ steps:
 GITEA_TOKEN:
 from_secret: GITEA_TOKEN
 CONTAINERFILE: ./containerfiles/Containerfile-XOR
- CUSTOM_TAG: v2.6.5-XOR-4.0.0beta08
+ CUSTOM_TAG: v2.6.5-XOR-4.0.0beta13
 commands:
 - build-container
@@ -34,18 +34,3 @@ steps:
 CUSTOM_TAG: v2.6.8
 commands:
 - build-container
-
- - name: Publish the Helm chart
- image: alpine/helm
- depends_on:
- - Build openvpn xor amd64
- - Build openvpn amd64
- environment:
- GITEA_TOKEN:
- from_secret: GITEA_TOKEN
- commands:
- - cd helm
- - helm plugin install https://github.com/chartmuseum/helm-push
- - helm package . -d chart-package
- - helm repo add --username allanger --password $GITEA_TOKEN openvpn https://git.badhouseplants.net/api/packages/allanger/helm
- - helm cm-push "./chart-package/$(ls chart-package)" openvpn
diff --git a/containerfiles/Containerfile-XOR b/containerfiles/Containerfile-XOR
index 2d892f8..68422cf 100644
--- a/containerfiles/Containerfile-XOR
+++ b/containerfiles/Containerfile-XOR
@@ -1,6 +1,6 @@
 FROM ghcr.io/allanger/dumb-downloader as dudo
 ENV OPENVPN_VERSION=2.6.5
-ENV TUNNELBLICK_VERSION=4.0.0beta08
+ENV TUNNELBLICK_VERSION=4.0.0beta13
 RUN apt update && apt install gnupg tar -y
 RUN mkdir /output
 # ------------------------------------------------------
@@ -28,7 +28,7 @@ FROM ubuntu as builder
 # -- TODO: Define it only once
 # ------------------------------------------------------
 ENV OPENVPN_VERSION=2.6.5
-ENV TUNNELBLICK_VERSION=v4.0.0beta08
+ENV TUNNELBLICK_VERSION=v4.0.0beta13
 COPY --from=dudo /output /src
 RUN apt-get update &&\
 apt-get install -y wget tar unzip build-essential \
diff --git a/helm/Chart.yaml b/helm/Chart.yaml
deleted file mode 100644
index bb6862e..0000000
--- a/helm/Chart.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
----
-apiVersion: v2
-name: openvpn
-description: A Helm chart for deploying OpenVPN
-type: application
-version: 1.0.7
-appVersion: 2.6.5
-
-sources:
- - https://git.badhouseplants.net/allanger/container-openvpn-xor
- - https://github.com/kylemanna/docker-openvpn
- - https://github.com/lawtancool/docker-openvpn-xor
-
-maintainers:
- - name: allanger
- email: allanger@zohomail.com
- url: https://badhouseplants.net
-
-keywords:
- - OpenVPN
- - VPN
- - xor
diff --git a/helm/LICENSE b/helm/LICENSE
deleted file mode 100644
index d5075a3..0000000
--- a/helm/LICENSE
+++ /dev/null
@@ -1,17 +0,0 @@
-Permission is hereby granted, without written agreement and without
-license or royalty fees, to use, copy, modify, and distribute this
-software and its documentation for any purpose, provided that the
-above copyright notice and the following two paragraphs appear in
-all copies of this software.
-
-IN NO EVENT SHALL THE COPYRIGHT HOLDER BE LIABLE TO ANY PARTY FOR
-DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES
-ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION, EVEN
-IF THE COPYRIGHT HOLDER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
-DAMAGE.
-
-THE COPYRIGHT HOLDER SPECIFICALLY DISCLAIMS ANY WARRANTIES, INCLUDING,
-BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
-FITNESS FOR A PARTICULAR PURPOSE. THE SOFTWARE PROVIDED HEREUNDER IS
-ON AN "AS IS" BASIS, AND THE COPYRIGHT HOLDER HAS NO OBLIGATION TO
-PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.
diff --git a/helm/README.md b/helm/README.md
deleted file mode 100644
index 4041aa1..0000000
--- a/helm/README.md
+++ /dev/null
@@ -1,9 +0,0 @@
-# helm-openvpn
-
-A helm chart to deploy openvpn
-## K8s reqs:
---allowed-unsafe-sysctls=net.ipv4.ip_forward
-## How it works?
-
-1. It's generating the openvpn configuration if it's not generated yet. It's an `ininContainer` that really runs only once.
-
diff --git a/helm/templates/NOTES.txt b/helm/templates/NOTES.txt
deleted file mode 100644
index 7d790da..0000000
--- a/helm/templates/NOTES.txt
+++ /dev/null
@@ -1 +0,0 @@
-1. Get the application URL by running these commands:
diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl
deleted file mode 100644
index e4d932c..0000000
--- a/helm/templates/_helpers.tpl
+++ /dev/null
@@ -1,62 +0,0 @@
-{{/*
-Expand the name of the chart.
-*/}}
-{{- define "openvpn-chart.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Create a default fully qualified app name.
-We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
-If release name contains chart name it will be used as a full name.
-*/}}
-{{- define "openvpn-chart.fullname" -}}
-{{- if .Values.fullnameOverride }}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- $name := default .Chart.Name .Values.nameOverride }}
-{{- if contains $name .Release.Name }}
-{{- .Release.Name | trunc 63 | trimSuffix "-" }}
-{{- else }}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
-{{- end }}
-{{- end }}
-{{- end }}
-
-{{/*
-Create chart name and version as used by the chart label.
-*/}}
-{{- define "openvpn-chart.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
-{{- end }}
-
-{{/*
-Common labels
-*/}}
-{{- define "openvpn-chart.labels" -}}
-helm.sh/chart: {{ include "openvpn-chart.chart" . }}
-{{ include "openvpn-chart.selectorLabels" . }}
-{{- if .Chart.AppVersion }}
-app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
-{{- end }}
-app.kubernetes.io/managed-by: {{ .Release.Service }}
-{{- end }}
-
-{{/*
-Selector labels
-*/}}
-{{- define "openvpn-chart.selectorLabels" -}}
-app.kubernetes.io/name: {{ include "openvpn-chart.name" . }}
-app.kubernetes.io/instance: {{ .Release.Name }}
-{{- end }}
-
-{{/*
-Create the name of the service account to use
-*/}}
-{{- define "openvpn-chart.serviceAccountName" -}}
-{{- if .Values.serviceAccount.create }}
-{{- default (include "openvpn-chart.fullname" .) .Values.serviceAccount.name }}
-{{- else }}
-{{- default "default" .Values.serviceAccount.name }}
-{{- end }}
-{{- end }}
diff --git a/helm/templates/deployment.yaml b/helm/templates/deployment.yaml
deleted file mode 100644
index d3db544..0000000
--- a/helm/templates/deployment.yaml
+++ /dev/null
@@ -1,128 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: {{ include "openvpn-chart.fullname" . }}
- labels:
- {{- include "openvpn-chart.labels" . | nindent 4 }}
-spec:
- {{- if not .Values.autoscaling.enabled }}
- replicas: {{ .Values.replicaCount }}
- {{- end }}
- selector:
- matchLabels:
- {{- include "openvpn-chart.selectorLabels" . | nindent 6 }}
- template:
- metadata:
- {{- with .Values.podAnnotations }}
- annotations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- labels:
- {{- include "openvpn-chart.selectorLabels" . | nindent 8 }}
- spec:
- {{- with .Values.imagePullSecrets }}
- imagePullSecrets:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- volumes:
- - name: pvc-openvpn
- persistentVolumeClaim:
- claimName: {{ include "openvpn-chart.fullname" . }}
- - name: pki-scripts
- configMap:
- name: {{ include "openvpn-chart.fullname" . }}-pki-scripts
- securityContext:
- sysctls:
- - name: net.ipv4.ip_forward
- value: "1"
- containers:
- - name: {{ .Chart.Name }}
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
- imagePullPolicy: {{ .Values.image.pullPolicy }}
- resources:
- {{- toYaml .Values.resources | nindent 12 }}
- volumeMounts:
- - mountPath: "/etc/openvpn"
- name: pvc-openvpn
- - mountPath: /scripts
- name: pki-scripts
- env:
- - name: OVPN_SERVER
- value: "{{ .Values.openvpn.proto }}://{{ .Values.openvpn.host }}:{{ .Values.openvpn.port }}"
- - name: OPENVPN
- value: "/etc/openvpn"
- securityContext:
- capabilities:
- add:
- - NET_ADMIN
- initContainers:
- # ----------------------------------------------------------------------
- # -- This init container is generating the basic configuration
- # ----------------------------------------------------------------------
- - name: 0-ovpn-genconfig
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
- imagePullPolicy: {{ .Values.image.pullPolicy }}
- volumeMounts:
- - mountPath: "/etc/openvpn"
- name: pvc-openvpn
- env:
- - name: OVPN_SERVER_URL
- value: "{{ .Values.openvpn.proto }}://{{ .Values.openvpn.host }}:{{ .Values.openvpn.port }}"
- - name: OVPN_DATA
- value: "/etc/openvpn"
- - name: OPENVPN
- value: "/etc/openvpn"
- command:
- - sh
- - -c
- - 'if ! [ -f "/etc/openvpn/ovpn_env.sh" ]; then ovpn_genconfig -u $OVPN_SERVER_URL && touch /etc/openvpn/.init; fi'
- - name: 1-ovpn-initpki
- env:
- - name: OVPN_DATA
- value: /etc/openvpn
- - name: OPENVPN
- value: "/etc/openvpn"
- - name: EASYRSA_REQ_CN
- value: {{ .Values.easyrsa.cn }}
- - name: EASYRSA_REQ_COUNTRY
- value: {{ .Values.easyrsa.country }}
- - name: EASYRSA_REQ_PROVINCE
- value: {{ .Values.easyrsa.province }}
- - name: EASYRSA_REQ_CITY
- value: {{ .Values.easyrsa.city }}
- - name: EASYRSA_REQ_ORG
- value: {{ .Values.easyrsa.org }}
- - name: EASYRSA_REQ_EMAIL
- value: {{ .Values.easyrsa.email }}
- - name: EASYRSA_REQ_OU
- value: {{ .Values.easyrsa.ou }}
- - name: EASYRSA_ALGO
- value: {{ .Values.easyrsa.algo }}
- - name: EASYRSA_DIGEST
- value: {{ .Values.easyrsa.digest }}
- - name: EASYRSA_BATCH
- value: "yes"
- - name: OVPN_SERVER_URL
- value: "{{ .Values.openvpn.proto }}://{{ .Values.openvpn.host }}:{{ .Values.openvpn.port }}"
- volumeMounts:
- - mountPath: "/etc/openvpn"
- name: pvc-openvpn
- - mountPath: /scripts
- name: pki-scripts
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
- imagePullPolicy: {{ .Values.image.pullPolicy }}
- command:
- - bash
- - /scripts/init_pki.sh
- {{- with .Values.nodeSelector }}
- nodeSelector:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.affinity }}
- affinity:
- {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- with .Values.tolerations }}
- tolerations:
- {{- toYaml . | nindent 8 }}
- {{- end }}
diff --git a/helm/templates/pki-generate-scripts.yaml b/helm/templates/pki-generate-scripts.yaml
deleted file mode 100644
index d211fe1..0000000
--- a/helm/templates/pki-generate-scripts.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "openvpn-chart.fullname" . }}-pki-scripts
- labels:
- {{- include "openvpn-chart.labels" . | nindent 4 }}
-data:
- init_pki.sh: |
- if [ ! -d /etc/openvpn/pki ]; then
- source "$OPENVPN/ovpn_env.sh"
- OVPN_DIR=/etc/openvpn
- PKI_DIR=$OVPN_DIR/pki
- cd $OVPN_DIR
- export EASYRSA_BATCH=yes
- unset EASYRSA_VARS_FILE
- /usr/share/easy-rsa/easyrsa init-pki
- /usr/share/easy-rsa/easyrsa build-ca nopass
- /usr/share/easy-rsa/easyrsa build-server-full {{ .Values.openvpn.host }} nopass
- /usr/share/easy-rsa/easyrsa gen-dh
- cd $PKI_DIR
- openvpn --genkey tls-crypt-v2-server private/{{ .Values.openvpn.host }}.pem
- openvpn --genkey secret > ta.key
- fi
- gen_client.sh: |
- source "$OPENVPN/ovpn_env.sh"
- CLIENTNAME=$1
- PASSWORD=$2
- OVPN_DIR=/etc/openvpn
- cd $OVPN_DIR
- /usr/share/easy-rsa/easyrsa build-client-full $CLIENTNAME $PASSWORD
diff --git a/helm/templates/pvc.yaml b/helm/templates/pvc.yaml
deleted file mode 100644
index 495cd06..0000000
--- a/helm/templates/pvc.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
- name: {{ include "openvpn-chart.fullname" . }}
- labels:
- {{- include "openvpn-chart.labels" . | nindent 4 }}
-spec:
- storageClassName: {{ .Values.storage.class }}
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: {{ .Values.storage.size }}
diff --git a/helm/templates/service.yaml b/helm/templates/service.yaml
deleted file mode 100644
index e84818f..0000000
--- a/helm/templates/service.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ include "openvpn-chart.fullname" . }}
- labels:
- {{- include "openvpn-chart.labels" . | nindent 4 }}
-spec:
- type: {{ .Values.service.type }}
- ports:
- - port: {{ .Values.service.port }}
- {{- if .Values.service.nodePort }}
- nodePort: {{ int .Values.service.nodePort }}
- {{- end}}
- targetPort: {{ .Values.service.port | default 1194 }}
- protocol: {{ .Values.service.protocol | default "UDP" | quote }}
- name: openvpn
- selector:
- {{- include "openvpn-chart.selectorLabels" . | nindent 4 }}
diff --git a/helm/templates/tests/test-connection.yaml b/helm/templates/tests/test-connection.yaml
deleted file mode 100644
index a419802..0000000
--- a/helm/templates/tests/test-connection.yaml
+++ /dev/null
@@ -1,200 +0,0 @@
-
-{{- $version := semver .Capabilities.KubeVersion.Version }}
-{{- if .Values.tests.enabled }}
-# ---------------------------------------------------------------------
-# -- Test that CRDs are installed
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: {{ include "openvpn-chart.fullname" . }}-test-script
- labels:
- {{- include "openvpn-chart.selectorLabels" . | nindent 4 }}
- annotations:
- "helm.sh/hook": test
- {{- if .Values.tests.cleanup }}
- "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
- {{- end }}
- "helm.sh/hook-weight": "6"
-data:
- get_config.sh: |-
- #!/bin/bash
- kubectl rollout status deployment/{{ include "openvpn-chart.fullname" . }}
- kubectl exec deployment/{{ include "openvpn-chart.fullname" . }} -- ovpn_genclientcert test nopass
- kubectl exec deployment/{{ include "openvpn-chart.fullname" . }} -- ovpn_getclient test > /data/test.ovpn
- test_connection.sh : |-
- sed -i "s/127.0.0.1/{{ include "openvpn-chart.fullname" . }}/g" /data/test.ovpn
- mkdir -p /dev/net
- mknod /dev/net/tun c 10 200
- chmod 600 /dev/net/tun
- openvpn --config /data/test.ovpn --daemon --log-append /tmp/ovpnlog
- tail -n0 -f /tmp/ovpnlog | sed '/Initialization Sequence Completed/ q'
-
----
-# ---------------------------------------------------------------------
-# -- Prepare roles and bindings to access k8s resources from the test
-# ---------------------------------------------------------------------
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: {{ include "openvpn-chart.fullname" . }}-test-role
- labels:
- {{- include "openvpn-chart.selectorLabels" . | nindent 4 }}
- annotations:
- "helm.sh/hook": test
- {{- if .Values.tests.cleanup }}
- "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
- {{- end }}
- "helm.sh/hook-weight": "1"
-rules:
-- apiGroups: ["*"]
- resources: ["*"]
- verbs: ["*"]
-
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-sa
- labels:
- {{- include "openvpn-chart.selectorLabels" . | nindent 4 }}
- annotations:
- "helm.sh/hook": test
- {{- if .Values.tests.cleanup }}
- "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
- {{- end }}
- "helm.sh/hook-weight": "1"
-automountServiceAccountToken: true
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-rb
- labels:
- {{- include "openvpn-chart.selectorLabels" . | nindent 4 }}
- annotations:
- "helm.sh/hook": test
- {{- if .Values.tests.cleanup }}
- "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
- {{- end }}
- "helm.sh/hook-weight": "1"
-subjects:
-- kind: ServiceAccount
- name: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-sa
- namespace: {{ .Release.Namespace }}
-roleRef:
- kind: ClusterRole
- name: {{ include "openvpn-chart.fullname" . }}-test-role
- apiGroup: rbac.authorization.k8s.io
-
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
- name: {{ include "openvpn-chart.fullname" . }}-test
- annotations:
- "helm.sh/hook": test
- {{- if .Values.tests.cleanup }}
- "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
- {{- end }}
- "helm.sh/hook-weight": "7"
- labels:
- {{- include "openvpn-chart.labels" . | nindent 4 }}
-spec:
- storageClassName: {{ .Values.storage.class }}
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: 512Mi
-
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: {{ include "openvpn-chart.fullname" . }}-test
- labels:
- {{- include "openvpn-chart.selectorLabels" . | nindent 4 }}
- annotations:
- "helm.sh/hook": test
- {{- if .Values.tests.cleanup }}
- "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
- {{- end }}
- "helm.sh/hook-weight": "7"
-spec:
- serviceAccountName: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-sa
- automountServiceAccountToken: true
- volumes:
- - name: test-script
- configMap:
- name: {{ include "openvpn-chart.fullname" . }}-test-script
- - name: data
- persistentVolumeClaim:
- claimName: {{ include "openvpn-chart.fullname" . }}-test
- containers:
- - name: tester
- image: alpine/k8s:{{ $version.Major }}.{{ $version.Minor }}.{{ $version.Patch }}
- volumeMounts:
- - name: test-script
- readOnly: true
- mountPath: /get_config.sh
- subPath: get_config.sh
- - name: data
- readOnly: false
- mountPath: /data
- command:
- - bash
- args:
- - -e
- - /get_config.sh
- restartPolicy: Never
-
----
-apiVersion: v1
-kind: Pod
-metadata:
- name: {{ include "openvpn-chart.fullname" . }}-test-connection
- labels:
- {{- include "openvpn-chart.selectorLabels" . | nindent 4 }}
- annotations:
- "helm.sh/hook": test
- {{- if .Values.tests.cleanup }}
- "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
- {{- end }}
- "helm.sh/hook-weight": "7"
-spec:
- serviceAccountName: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-sa
- automountServiceAccountToken: true
- volumes:
- - name: data
- persistentVolumeClaim:
- claimName: {{ include "openvpn-chart.fullname" . }}-test
- - name: test-script
- configMap:
- name: {{ include "openvpn-chart.fullname" . }}-test-script
- containers:
- - name: tester
- image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
- imagePullPolicy: {{ .Values.image.pullPolicy }}
- volumeMounts:
- - name: data
- readOnly: false
- mountPath: /data
- - name: test-script
- readOnly: true
- mountPath: /test_connection.sh
- subPath: test_connection.sh
- command:
- - bash
- args:
- - -e
- - /test_connection.sh
- securityContext:
- capabilities:
- add:
- - NET_ADMIN
-
- restartPolicy: Never
-
-{{- end }}
diff --git a/helm/values.yaml b/helm/values.yaml
deleted file mode 100644
index 0798f1f..0000000
--- a/helm/values.yaml
+++ /dev/null
@@ -1,101 +0,0 @@
-# Default values for openvpn-chart.
-image:
- repository: git.badhouseplants.net/allanger/container-openvpn
- pullPolicy: Always
- # -------------------------------------------
- # -- TODO: Switch to proper versions
- # -------------------------------------------
- # tag: ""
-
-# -----------------------------
-# -- Open VPN configuration
-# -----------------------------
-openvpn:
- proto: tcp
- host: 127.0.0.1
- port: 1194
-# ---------------------------------------
-# -- Deploy OpenVPN admin
-# -- https://github.com/flant/ovpn-admin
-# ---------------------------------------
-openvpn_admin:
- enabled: true
-# -----------------------------
-# -- Easy RSA configuration
-# -----------------------------
-easyrsa:
- cn: . # -- EASYRSA_REQ_CN
- country: . # -- EASYRSA_REQ_COUNTRY
- province: . # -- EASYRSA_REQ_PROVINCE
- city: . # -- EASYRSA_REQ_CITY
- org: . # -- EASYRSA_REQ_ORG
- email: . # -- EASYRSA_REQ_EMAIL
- ou: Community # -- EASYRSA_REQ_OU
- algo: ec # -- EASYRSA_ALGO
- digest: sha512 # -- EASYRSA_DIGEST
-
-replicaCount: 1
-
-
-imagePullSecrets: []
-nameOverride: ""
-fullnameOverride: ""
-storage:
- class: local-path
- size: 1Gi
-serviceAccount:
- # Specifies whether a service account should be created
- create: true
- # Annotations to add to the service account
- annotations: {}
- # The name of the service account to use.
- # If not set and create is true, a name is generated using the fullname template
- name: ""
-
-podAnnotations: {}
-
-podSecurityContext: {}
- # fsGroup: 2000
-
-securityContext: {}
- # capabilities:
- # drop:
- # - ALL
- # readOnlyRootFilesystem: true
- # runAsNonRoot: true
- # runAsUser: 1000
-
-service:
- type: ClusterIP
- port: 1194
- protocol: TCP
-
-
-resources: {}
- # We usually recommend not to specify default resources and to leave this as a conscious
- # choice for the user. This also increases chances charts run on environments with little
- # resources, such as Minikube. If you do want to specify resources, uncomment the following
- # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
- # limits:
- # cpu: 100m
- # memory: 128Mi
- # requests:
- # cpu: 100m
-# memory: 128Mi
-
-autoscaling:
- enabled: false
- minReplicas: 1
- maxReplicas: 100
- targetCPUUtilizationPercentage: 80
- # targetMemoryUtilizationPercentage: 80
-
-nodeSelector: {}
-
-tolerations: []
-
-affinity: {}
-
-tests:
- enabled: false
- cleanup: true
\ No newline at end of file