allanger/container-openvpn
1
0
Fork 0
Code Issues 4 Pull Requests Actions Packages Projects Releases Activity

chore: Keep versions up-to-date

Browse Source
This commit is contained in:
Nikolai Rodionov 2023-12-25 19:31:23 +01:00
parent b48a954ab8
commit 2df2ec12e8
No known key found for this signature in database
GPG Key ID: 0AA46A90E25592AD
13 changed files with 3 additions and 619 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
.drone.yml
View File

@ -20,7 +20,7 @@ steps:
GITEA_TOKEN: GITEA_TOKEN:
from_secret: GITEA_TOKEN from_secret: GITEA_TOKEN
CONTAINERFILE: ./containerfiles/Containerfile-XOR CONTAINERFILE: ./containerfiles/Containerfile-XOR
CUSTOM_TAG: v2.6.5-XOR-4.0.0beta08 CUSTOM_TAG: v2.6.5-XOR-4.0.0beta13
commands: commands:
- build-container - build-container
@ -34,18 +34,3 @@ steps:
CUSTOM_TAG: v2.6.8 CUSTOM_TAG: v2.6.8
commands: commands:
- build-container - build-container
- name: Publish the Helm chart
image: alpine/helm
depends_on:
- Build openvpn xor amd64
- Build openvpn amd64
environment:
GITEA_TOKEN:
from_secret: GITEA_TOKEN
commands:
- cd helm
- helm plugin install https://github.com/chartmuseum/helm-push
- helm package . -d chart-package
- helm repo add --username allanger --password $GITEA_TOKEN openvpn https://git.badhouseplants.net/api/packages/allanger/helm
- helm cm-push "./chart-package/$(ls chart-package)" openvpn

4
containerfiles/Containerfile-XOR
View File

@ -1,6 +1,6 @@
FROM ghcr.io/allanger/dumb-downloader as dudo FROM ghcr.io/allanger/dumb-downloader as dudo
ENV OPENVPN_VERSION=2.6.5 ENV OPENVPN_VERSION=2.6.5
ENV TUNNELBLICK_VERSION=4.0.0beta08 ENV TUNNELBLICK_VERSION=4.0.0beta13
RUN apt update && apt install gnupg tar -y RUN apt update && apt install gnupg tar -y
RUN mkdir /output RUN mkdir /output
# ------------------------------------------------------ # ------------------------------------------------------
@ -28,7 +28,7 @@ FROM ubuntu as builder
# -- TODO: Define it only once # -- TODO: Define it only once
# ------------------------------------------------------ # ------------------------------------------------------
ENV OPENVPN_VERSION=2.6.5 ENV OPENVPN_VERSION=2.6.5
ENV TUNNELBLICK_VERSION=v4.0.0beta08 ENV TUNNELBLICK_VERSION=v4.0.0beta13
COPY --from=dudo /output /src COPY --from=dudo /output /src
RUN apt-get update &&\ RUN apt-get update &&\
apt-get install -y wget tar unzip build-essential \ apt-get install -y wget tar unzip build-essential \

22
helm/Chart.yaml
View File

@ -1,22 +0,0 @@
---
apiVersion: v2
name: openvpn
description: A Helm chart for deploying OpenVPN
type: application
version: 1.0.7
appVersion: 2.6.5
sources:
- https://git.badhouseplants.net/allanger/container-openvpn-xor
- https://github.com/kylemanna/docker-openvpn
- https://github.com/lawtancool/docker-openvpn-xor
maintainers:
- name: allanger
email: allanger@zohomail.com
url: https://badhouseplants.net
keywords:
- OpenVPN
- VPN
- xor

17
helm/LICENSE
View File

@ -1,17 +0,0 @@
Permission is hereby granted, without written agreement and without
license or royalty fees, to use, copy, modify, and distribute this
software and its documentation for any purpose, provided that the
above copyright notice and the following two paragraphs appear in
all copies of this software.
IN NO EVENT SHALL THE COPYRIGHT HOLDER BE LIABLE TO ANY PARTY FOR
DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES
ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION, EVEN
IF THE COPYRIGHT HOLDER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
THE COPYRIGHT HOLDER SPECIFICALLY DISCLAIMS ANY WARRANTIES, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. THE SOFTWARE PROVIDED HEREUNDER IS
ON AN "AS IS" BASIS, AND THE COPYRIGHT HOLDER HAS NO OBLIGATION TO
PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.

9
helm/README.md
View File

@ -1,9 +0,0 @@
# helm-openvpn
A helm chart to deploy openvpn
## K8s reqs:
--allowed-unsafe-sysctls=net.ipv4.ip_forward
## How it works?
1. It's generating the openvpn configuration if it's not generated yet. It's an `ininContainer` that really runs only once.

1
helm/templates/NOTES.txt
View File

@ -1 +0,0 @@
1. Get the application URL by running these commands:

62
helm/templates/_helpers.tpl
View File

@ -1,62 +0,0 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "openvpn-chart.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "openvpn-chart.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "openvpn-chart.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "openvpn-chart.labels" -}}
helm.sh/chart: {{ include "openvpn-chart.chart" . }}
{{ include "openvpn-chart.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "openvpn-chart.selectorLabels" -}}
app.kubernetes.io/name: {{ include "openvpn-chart.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "openvpn-chart.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "openvpn-chart.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}

128
helm/templates/deployment.yaml
View File

@ -1,128 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "openvpn-chart.fullname" . }}
labels:
{{- include "openvpn-chart.labels" . | nindent 4 }}
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
selector:
matchLabels:
{{- include "openvpn-chart.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "openvpn-chart.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: pvc-openvpn
persistentVolumeClaim:
claimName: {{ include "openvpn-chart.fullname" . }}
- name: pki-scripts
configMap:
name: {{ include "openvpn-chart.fullname" . }}-pki-scripts
securityContext:
sysctls:
- name: net.ipv4.ip_forward
value: "1"
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
volumeMounts:
- mountPath: "/etc/openvpn"
name: pvc-openvpn
- mountPath: /scripts
name: pki-scripts
env:
- name: OVPN_SERVER
value: "{{ .Values.openvpn.proto }}://{{ .Values.openvpn.host }}:{{ .Values.openvpn.port }}"
- name: OPENVPN
value: "/etc/openvpn"
securityContext:
capabilities:
add:
- NET_ADMIN
initContainers:
# ----------------------------------------------------------------------
# -- This init container is generating the basic configuration
# ----------------------------------------------------------------------
- name: 0-ovpn-genconfig
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
volumeMounts:
- mountPath: "/etc/openvpn"
name: pvc-openvpn
env:
- name: OVPN_SERVER_URL
value: "{{ .Values.openvpn.proto }}://{{ .Values.openvpn.host }}:{{ .Values.openvpn.port }}"
- name: OVPN_DATA
value: "/etc/openvpn"
- name: OPENVPN
value: "/etc/openvpn"
command:
- sh
- -c
- 'if ! [ -f "/etc/openvpn/ovpn_env.sh" ]; then ovpn_genconfig -u $OVPN_SERVER_URL && touch /etc/openvpn/.init; fi'
- name: 1-ovpn-initpki
env:
- name: OVPN_DATA
value: /etc/openvpn
- name: OPENVPN
value: "/etc/openvpn"
- name: EASYRSA_REQ_CN
value: {{ .Values.easyrsa.cn }}
- name: EASYRSA_REQ_COUNTRY
value: {{ .Values.easyrsa.country }}
- name: EASYRSA_REQ_PROVINCE
value: {{ .Values.easyrsa.province }}
- name: EASYRSA_REQ_CITY
value: {{ .Values.easyrsa.city }}
- name: EASYRSA_REQ_ORG
value: {{ .Values.easyrsa.org }}
- name: EASYRSA_REQ_EMAIL
value: {{ .Values.easyrsa.email }}
- name: EASYRSA_REQ_OU
value: {{ .Values.easyrsa.ou }}
- name: EASYRSA_ALGO
value: {{ .Values.easyrsa.algo }}
- name: EASYRSA_DIGEST
value: {{ .Values.easyrsa.digest }}
- name: EASYRSA_BATCH
value: "yes"
- name: OVPN_SERVER_URL
value: "{{ .Values.openvpn.proto }}://{{ .Values.openvpn.host }}:{{ .Values.openvpn.port }}"
volumeMounts:
- mountPath: "/etc/openvpn"
name: pvc-openvpn
- mountPath: /scripts
name: pki-scripts
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- bash
- /scripts/init_pki.sh
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}

30
helm/templates/pki-generate-scripts.yaml
View File

@ -1,30 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "openvpn-chart.fullname" . }}-pki-scripts
labels:
{{- include "openvpn-chart.labels" . | nindent 4 }}
data:
init_pki.sh: |
if [ ! -d /etc/openvpn/pki ]; then
source "$OPENVPN/ovpn_env.sh"
OVPN_DIR=/etc/openvpn
PKI_DIR=$OVPN_DIR/pki
cd $OVPN_DIR
export EASYRSA_BATCH=yes
unset EASYRSA_VARS_FILE
/usr/share/easy-rsa/easyrsa init-pki
/usr/share/easy-rsa/easyrsa build-ca nopass
/usr/share/easy-rsa/easyrsa build-server-full {{ .Values.openvpn.host }} nopass
/usr/share/easy-rsa/easyrsa gen-dh
cd $PKI_DIR
openvpn --genkey tls-crypt-v2-server private/{{ .Values.openvpn.host }}.pem
openvpn --genkey secret > ta.key
fi
gen_client.sh: |
source "$OPENVPN/ovpn_env.sh"
CLIENTNAME=$1
PASSWORD=$2
OVPN_DIR=/etc/openvpn
cd $OVPN_DIR
/usr/share/easy-rsa/easyrsa build-client-full $CLIENTNAME $PASSWORD

13
helm/templates/pvc.yaml
View File

@ -1,13 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ include "openvpn-chart.fullname" . }}
labels:
{{- include "openvpn-chart.labels" . | nindent 4 }}
spec:
storageClassName: {{ .Values.storage.class }}
accessModes:
- ReadWriteOnce
resources:
requests:
storage: {{ .Values.storage.size }}

18
helm/templates/service.yaml
View File

@ -1,18 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "openvpn-chart.fullname" . }}
labels:
{{- include "openvpn-chart.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
{{- if .Values.service.nodePort }}
nodePort: {{ int .Values.service.nodePort }}
{{- end}}
targetPort: {{ .Values.service.port | default 1194 }}
protocol: {{ .Values.service.protocol | default "UDP" | quote }}
name: openvpn
selector:
{{- include "openvpn-chart.selectorLabels" . | nindent 4 }}

200
helm/templates/tests/test-connection.yaml
View File

@ -1,200 +0,0 @@
{{- $version := semver .Capabilities.KubeVersion.Version }}
{{- if .Values.tests.enabled }}
# ---------------------------------------------------------------------
# -- Test that CRDs are installed
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "openvpn-chart.fullname" . }}-test-script
labels:
{{- include "openvpn-chart.selectorLabels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
{{- if .Values.tests.cleanup }}
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- end }}
"helm.sh/hook-weight": "6"
data:
get_config.sh: |-
#!/bin/bash
kubectl rollout status deployment/{{ include "openvpn-chart.fullname" . }}
kubectl exec deployment/{{ include "openvpn-chart.fullname" . }} -- ovpn_genclientcert test nopass
kubectl exec deployment/{{ include "openvpn-chart.fullname" . }} -- ovpn_getclient test > /data/test.ovpn
test_connection.sh : |-
sed -i "s/127.0.0.1/{{ include "openvpn-chart.fullname" . }}/g" /data/test.ovpn
mkdir -p /dev/net
mknod /dev/net/tun c 10 200
chmod 600 /dev/net/tun
openvpn --config /data/test.ovpn --daemon --log-append /tmp/ovpnlog
tail -n0 -f /tmp/ovpnlog | sed '/Initialization Sequence Completed/ q'
---
# ---------------------------------------------------------------------
# -- Prepare roles and bindings to access k8s resources from the test
# ---------------------------------------------------------------------
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "openvpn-chart.fullname" . }}-test-role
labels:
{{- include "openvpn-chart.selectorLabels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
{{- if .Values.tests.cleanup }}
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- end }}
"helm.sh/hook-weight": "1"
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-sa
labels:
{{- include "openvpn-chart.selectorLabels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
{{- if .Values.tests.cleanup }}
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- end }}
"helm.sh/hook-weight": "1"
automountServiceAccountToken: true
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-rb
labels:
{{- include "openvpn-chart.selectorLabels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
{{- if .Values.tests.cleanup }}
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- end }}
"helm.sh/hook-weight": "1"
subjects:
- kind: ServiceAccount
name: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-sa
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: {{ include "openvpn-chart.fullname" . }}-test-role
apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ include "openvpn-chart.fullname" . }}-test
annotations:
"helm.sh/hook": test
{{- if .Values.tests.cleanup }}
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- end }}
"helm.sh/hook-weight": "7"
labels:
{{- include "openvpn-chart.labels" . | nindent 4 }}
spec:
storageClassName: {{ .Values.storage.class }}
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 512Mi
---
apiVersion: v1
kind: Pod
metadata:
name: {{ include "openvpn-chart.fullname" . }}-test
labels:
{{- include "openvpn-chart.selectorLabels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
{{- if .Values.tests.cleanup }}
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- end }}
"helm.sh/hook-weight": "7"
spec:
serviceAccountName: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-sa
automountServiceAccountToken: true
volumes:
- name: test-script
configMap:
name: {{ include "openvpn-chart.fullname" . }}-test-script
- name: data
persistentVolumeClaim:
claimName: {{ include "openvpn-chart.fullname" . }}-test
containers:
- name: tester
image: alpine/k8s:{{ $version.Major }}.{{ $version.Minor }}.{{ $version.Patch }}
volumeMounts:
- name: test-script
readOnly: true
mountPath: /get_config.sh
subPath: get_config.sh
- name: data
readOnly: false
mountPath: /data
command:
- bash
args:
- -e
- /get_config.sh
restartPolicy: Never
---
apiVersion: v1
kind: Pod
metadata:
name: {{ include "openvpn-chart.fullname" . }}-test-connection
labels:
{{- include "openvpn-chart.selectorLabels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
{{- if .Values.tests.cleanup }}
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- end }}
"helm.sh/hook-weight": "7"
spec:
serviceAccountName: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-sa
automountServiceAccountToken: true
volumes:
- name: data
persistentVolumeClaim:
claimName: {{ include "openvpn-chart.fullname" . }}-test
- name: test-script
configMap:
name: {{ include "openvpn-chart.fullname" . }}-test-script
containers:
- name: tester
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
volumeMounts:
- name: data
readOnly: false
mountPath: /data
- name: test-script
readOnly: true
mountPath: /test_connection.sh
subPath: test_connection.sh
command:
- bash
args:
- -e
- /test_connection.sh
securityContext:
capabilities:
add:
- NET_ADMIN
restartPolicy: Never
{{- end }}

101
helm/values.yaml
View File

@ -1,101 +0,0 @@
# Default values for openvpn-chart.
image:
repository: git.badhouseplants.net/allanger/container-openvpn
pullPolicy: Always
# -------------------------------------------
# -- TODO: Switch to proper versions
# -------------------------------------------
# tag: ""
# -----------------------------
# -- Open VPN configuration
# -----------------------------
openvpn:
proto: tcp
host: 127.0.0.1
port: 1194
# ---------------------------------------
# -- Deploy OpenVPN admin
# -- https://github.com/flant/ovpn-admin
# ---------------------------------------
openvpn_admin:
enabled: true
# -----------------------------
# -- Easy RSA configuration
# -----------------------------
easyrsa:
cn: . # -- EASYRSA_REQ_CN
country: . # -- EASYRSA_REQ_COUNTRY
province: . # -- EASYRSA_REQ_PROVINCE
city: . # -- EASYRSA_REQ_CITY
org: . # -- EASYRSA_REQ_ORG
email: . # -- EASYRSA_REQ_EMAIL
ou: Community # -- EASYRSA_REQ_OU
algo: ec # -- EASYRSA_ALGO
digest: sha512 # -- EASYRSA_DIGEST
replicaCount: 1
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
storage:
class: local-path
size: 1Gi
serviceAccount:
# Specifies whether a service account should be created
create: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
podAnnotations: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
service:
type: ClusterIP
port: 1194
protocol: TCP
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80
nodeSelector: {}
tolerations: []
affinity: {}
tests:
enabled: false
cleanup: true