
4 Commits

Author SHA1 Message Date
a743ac830c
Dim innactive panes 2023-12-19 15:21:20 +01:00
860db9ba38
Dim innactive panes 2023-12-19 15:19:33 +01:00
5384f455c4
Remove broken pipe 2023-12-16 09:25:43 +01:00
Nikolai Rodionov
19401ed113
WIP: I'm already running the cluster in woodpecker, now I need to fix
the test
2023-12-14 20:12:21 +01:00
25 changed files with 1001 additions and 67 deletions

132
.drone.yml Normal file

@ -0,0 +1,132 @@
---
kind: pipeline
type: docker
name: Lint the chart
trigger:
event:
- push
environment:
KIND_VERSION: v0.20.0
HELM_VERSION: v3.12.1
KUBECTL_VERSION: v1.28.3
CT_VERSION: 3.10.1
steps:
# ---------------------------------------------------------------------
# -- Prepare dependencies
# ---------------------------------------------------------------------
- name: Download dependencies
image: ghcr.io/allanger/dumb-downloader:latest
commands:
- mkdir .bin
# -- Download kind
- dudo -l "https://kind.sigs.k8s.io/dl/{{ version }}/kind-{{ os }}-{{ arch }}" -d .bin/kind -p $KIND_VERSION
- chmod +x .bin/kind
- name: Check changed charts
image: quay.io/helmpack/chart-testing
volumes:
- name: dockersock
path: /var/run
commands:
- export KUBECONFIG=$PWD/kubeconfig
- git fetch origin
- |
if [[ -n "$(ct list-changed --chart-dirs . --target-branch main)" ]]; then
touch .changed
fi
- name: Lint changed charts
image: quay.io/helmpack/chart-testing
volumes:
- name: dockersock
path: /var/run
commands:
- git fetch origin
- |
if [ -e .changed ]; then
ct lint --target-branch main --validate-maintainers=false --chart-dirs .
fi
- name: Test changed charts
image: quay.io/helmpack/chart-testing
volumes:
- name: dockersock
path: /var/run
commands:
- export PATH=$PWD/.bin:$PATH
- apk update && apk add docker
- kind create cluster --config kind.yaml
- sed -i -E -e 's/localhost|0\.0\.0\.0/docker/g' ~/.kube/config
- kubectl get storageclass
- git fetch origin
- |
if [ -e .changed ]; then
ct install --target-branch main --chart-dirs .
ct install --target-branch main --chart-dirs . --upgrade
fi
services:
- name: docker
image: docker:dind
privileged: true
volumes:
- name: dockersock
path: /var/run
volumes:
- name: dockersock
temp: {}
---
# ----------------------------------------------
# -- Build an image and push it to the registry
# ----------------------------------------------
kind: pipeline
type: docker
name: Build the builder
trigger:
event:
- push
branch:
- main
steps:
- name: Build openvpn xor amd64
image: git.badhouseplants.net/badhouseplants/badhouseplants-builder:555262114ea81f6f286010474527f419b56d33a3
privileged: true
environment:
GITEA_TOKEN:
from_secret: GITEA_TOKEN
CONTAINERFILE: ./containerfiles/Containerfile-XOR
CUSTOM_TAG: v2.6.5-XOR-4.0.0beta08
commands:
- build-container
- name: Build openvpn amd64
image: git.badhouseplants.net/badhouseplants/badhouseplants-builder:555262114ea81f6f286010474527f419b56d33a3
privileged: true
environment:
GITEA_TOKEN:
from_secret: GITEA_TOKEN
CONTAINERFILE: ./containerfiles/Containerfile
CUSTOM_TAG: v2.6.8
commands:
- build-container
- name: Publish the Helm chart
image: alpine/helm
depends_on:
- Build openvpn xor amd64
- Build openvpn amd64
environment:
GITEA_TOKEN:
from_secret: GITEA_TOKEN
commands:
- cd helm
- helm plugin install https://github.com/chartmuseum/helm-push
- helm package . -d chart-package
- helm repo add --username allanger --password $GITEA_TOKEN openvpn https://git.badhouseplants.net/api/packages/allanger/helm
- helm cm-push "./chart-package/$(ls chart-package)" openvpn
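Review bot: In the `Publish the Helm chart` step the registry token is passed as `--password $GITEA_TOKEN` on the `helm repo add` command line, and the same step installs the `helm-push` plugin from an unpinned GitHub URL just before the token is used. Feeding the token on stdin, `echo "$GITEA_TOKEN" | helm repo add --username allanger --password-stdin openvpn https://git.badhouseplants.net/api/packages/allanger/helm`, keeps it out of the process arguments, and `helm plugin install https://github.com/chartmuseum/helm-push --version <PINNED_VERSION>` fixes the plugin code that runs next to the secret. The same floating-reference concern applies to `dumb-downloader:latest`, `quay.io/helmpack/chart-testing`, `alpine/helm` and `docker:dind`; a tag or digest on each would make runs reproducible. Both build steps and the dind service set `privileged: true`, which deserves a comment saying why it is needed.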


@ -1,37 +0,0 @@
---
when:
event:
- push
branch:
- main
matrix:
TARGET:
- openvpn_xor
- openvpn
steps:
build-${TARGET}:
name: Build ${TARGET}
image: zot.badhouseplants.net/badhouseplants/badhouseplants-builder:latest
secrets:
- registry_token
environment:
CONTAINER_REGISTRY: zot.badhouseplants.net
privileged: true
depends_on: []
backend_options:
kubernetes:
resources:
requests:
memory: 1024Mi
cpu: 300m
limits:
memory: 1024Mi
securityContext:
privileged: true
nodeSelector:
kubernetes.io/arch: "amd64"
commands:
- source ./env/${TARGET}.env
- ./scripts/$SCRIPT


@ -0,0 +1,18 @@
---
steps:
deps:
name: Download dependencies
image: alpine
commands:
- echo 1
mail:
image: deblan/woodpecker-email
settings:
from.address: noreply@github.com
from.name: John Smith
host: smtp.mailgun.org
username:
from_secret: check
password: 12345
recipients:
- octocat@github.com
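Review bot: `password: 12345` puts the SMTP password into the pipeline file as plain text, while `username` right above it already reads from a secret. Use the same form for the password, `password:` followed by `from_secret: <SMTP_PASSWORD_SECRET>` (placeholder name), and rotate the value if it was ever a real credential. The `from.address`, `from.name` and `recipients` values look like sample data, so this file may be a leftover experiment that should not be committed at all.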

82
.woodpecker/.test.yml Normal file

@ -0,0 +1,82 @@
---
clone:
git:
image: woodpeckerci/plugin-git
settings:
partial: false
steps:
deps:
name: Download dependencies
image: ghcr.io/allanger/dumb-downloader:latest
environment:
KIND_VERSION: v0.20.0
HELM_VERSION: v3.12.1
KUBECTL_VERSION: v1.28.3
CT_VERSION: 3.10.1
commands:
- mkdir .bin
# -- Download kind
- dudo -l "https://kind.sigs.k8s.io/dl/{{ version }}/kind-{{ os }}-{{ arch }}" -d .bin/kind -p $KIND_VERSION
- chmod +x .bin/kind
changed:
name: Check changed charts
image: quay.io/helmpack/chart-testing
commands:
- git fetch origin
- ls -la
- ct help
- ct lint --chart-dirs . --target-branch main --print-config --debug
- |
if [[ -n "$(ct list-changed --chart-dirs . --target-branch main)" ]]; then
touch .changed
fi
lint:
name: Lint charts
image: quay.io/helmpack/chart-testing
commands:
- git fetch origin
- |
if [ -e .changed ]; then
ct lint --target-branch main --validate-maintainers=false --chart-dirs .
fi
test:
name: Test charts
image: quay.io/helmpack/chart-testing
environment:
- DOCKER_HOST=tcp://docker:2375
commands:
- export PATH=$PWD/.bin:$PATH
- apk update && apk add docker curl bash
- curl -s https://raw.githubusercontent.com/k3d-io/k3d/main/install.sh | bash
- k3d cluster create test --api-port 16443 --k3s-arg="kubelet-args=\"--allowed-unsafe-sysctls=net.ipv4.ip_forward\""@all
- sed -i -E -e 's/localhost|0\.0\.0\.0/docker/g' ~/.kube/config
- kubectl get storageclass
- git fetch origin
- |
if [ -e .changed ]; then
ct install --target-branch main --chart-dirs .
ct install --target-branch main --chart-dirs . --upgrade
fi
services:
docker:
image: docker:dind
commands:
- echo "1" > /proc/sys/net/ipv4/ip_forward
- dockerd -H tcp://0.0.0.0:2375 --tls=false
privileged: true
ports:
- 2375
- 16443
backend_options:
kubernetes:
resources:
requests:
memory: 500Mi
cpu: 500m
limits:
memory: 1000Mi
cpu: 1000m
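Review bot: The `test` step runs `curl -s https://raw.githubusercontent.com/k3d-io/k3d/main/install.sh | bash`, which executes whatever is on the `main` branch at run time with no version or checksum. The `deps` step already downloads pinned tools into `.bin`; fetching a pinned k3d release binary there and checking it against a recorded hash (`echo "<K3D_SHA256>  .bin/k3d" | sha256sum -c -`, placeholder hash) would remove the pipe-to-shell. Separately, the `docker` service starts `dockerd -H tcp://0.0.0.0:2375 --tls=false` in a privileged container, so anything that can reach port 2375 controls that daemon; a comment stating that the port is only reachable inside the CI pod network would document the assumption. `environment:` in the `test` step is a list (`- DOCKER_HOST=...`) while `deps` uses a mapping; one form throughout is easier to read.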

79
Containerfile Normal file

@ -0,0 +1,79 @@
FROM ghcr.io/allanger/dumb-downloader as dudo
ENV OPENVPN_VERSION=2.6.5
ENV TUNNELBLICK_VERSION=4.0.0beta08
ENV EASYRSA_VERSION=3.1.5
RUN apt update && apt install gnupg tar -y
RUN mkdir /output
# ------------------------------------------------------
# -- Downlaod OpenVPN
# ------------------------------------------------------
RUN dudo -l "https://keys.openpgp.org/vks/v1/by-fingerprint/F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7" -d security-openvpn-net.asc -p DUMMY
RUN gpg --import security-openvpn-net.asc
RUN dudo -l "https://swupdate.openvpn.org/community/releases/openvpn-{{ version }}.tar.gz.asc" -d /tmp/openvpn.asc -p $OPENVPN_VERSION
# ------------------------------------------------------
# -- I should fix it later
# ------------------------------------------------------
# RUN gpg --no-tty --verify /tmp/openvpn.asc
RUN dudo -l "https://swupdate.openvpn.org/community/releases/openvpn-{{ version }}.tar.gz " -d /tmp/openvpn.tar.gz -p $OPENVPN_VERSION
RUN tar -xf /tmp/openvpn.tar.gz -C /tmp && rm -f /tmp/openvpn.tar.gz
RUN mv /tmp/openvpn-$OPENVPN_VERSION /output/openvpn
# ------------------------------------------------------
# -- Download Tunnelblick
# ------------------------------------------------------
RUN dudo -l "https://github.com/Tunnelblick/Tunnelblick/archive/refs/tags/v{{ version }}.tar.gz" -d /tmp/tunnelblick.tar.gz -p $TUNNELBLICK_VERSION
RUN tar -xf /tmp/tunnelblick.tar.gz -C /tmp && rm -f /tmp/tunnelblick.tar.gz
RUN mv /tmp/Tunnelblick-$TUNNELBLICK_VERSION /output/tunnelblick
FROM ubuntu as builder
# ------------------------------------------------------
# -- TODO: Define it only once
# ------------------------------------------------------
ENV OPENVPN_VERSION=2.6.5
ENV TUNNELBLICK_VERSION=v4.0.0beta08
COPY --from=dudo /output /src
RUN apt-get update &&\
apt-get install -y wget tar unzip build-essential \
libssl-dev iproute2 liblz4-dev liblzo2-dev \
libpam0g-dev libpkcs11-helper1-dev libsystemd-dev \
easy-rsa iptables pkg-config libcap-ng-dev
RUN cp /src/tunnelblick/third_party/sources/openvpn/openvpn-$OPENVPN_VERSION/patches/*.diff /src/openvpn
WORKDIR /src/openvpn
RUN for patch in $(find -type f | grep diff); do\
patch -p1 < $patch;\
done
RUN ./configure --disable-systemd --enable-async-push --enable-iproute2
RUN make && make install
RUN mkdir /output
RUN cp $(which openvpn) /output/
# ------------------------------------------------------
# -- Final container
# ------------------------------------------------------
FROM ubuntu:22.04
LABEL maintainer="allanger <allanger@zohomail.com>"
COPY --from=builder /output /src
# -------------------------------------------------------
# -- Prepare system deps
# -------------------------------------------------------
RUN apt update && apt install openvpn easy-rsa iptables -y && \
mv /src/openvpn $(which openvpn)
# Needed by scripts
ENV OPENVPN /etc/openvpn
# Prevents refused client connection because of an expired CRL
ENV EASYRSA_CRL_DAYS 3650
VOLUME ["/etc/openvpn"]
# Internally uses port 1194, remap if needed using `docker run -p 443:1194/tcp`
EXPOSE 1194
CMD ["ovpn_run"]
COPY --chmod='755' ./bin /usr/local/bin
# -----------------------------------------------------------
# -- Add support for OTP authentication using a PAM module
# -- I have no idea how it works yet
# -----------------------------------------------------------
COPY ./otp/openvpn /etc/pam.d/
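Review bot: The OpenVPN tarball is unpacked and compiled without its signature ever being checked: the key is imported and `openvpn.asc` is downloaded, but `# RUN gpg --no-tty --verify /tmp/openvpn.asc` stays commented out. The commented command sits before the tarball download and names only the signature, so it probably failed because gpg had no data file to check; `RUN gpg --no-tty --verify /tmp/openvpn.asc /tmp/openvpn.tar.gz` placed after the `openvpn.tar.gz` download should work. The tarball URL also ends in a space inside the quotes (`.tar.gz "`), which is worth removing. `FROM ubuntu as builder` floats while the final stage is `ubuntu:22.04`; a binary built on a newer base may not load on 22.04, so the builder should carry the same tag. The Tunnelblick archive that supplies the patches has no integrity check either.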


@ -0,0 +1,52 @@
# Contributor: Fabio Napoleoni <f.napoleoni@gmail.com>
# Maintainer:
pkgname=google-authenticator
pkgver=20160207
pkgrel=1
pkgdesc="Google Authenticator PAM module"
url="https://github.com/google/google-authenticator"
arch="all"
license="ASL 2.0"
depends=
depends_dev=
makedepends="$depends_dev autoconf automake libtool linux-pam-dev m4 openssl-dev"
install=
subpackages="$pkgname-doc"
source="https://github.com/google/google-authenticator/archive/c0404dcdbda9ab9e4f0b8451ecdd44eee8db2425.zip"
_builddir="$srcdir"/$pkgname-c0404dcdbda9ab9e4f0b8451ecdd44eee8db2425/libpam
prepare() {
local i
cd "$_builddir"
for i in $source; do
case $i in
*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
esac
done
}
build() {
cd "$_builddir"
./bootstrap.sh || return 1
./configure \
--build=$CBUILD \
--host=$CHOST \
--prefix=/usr \
--libdir=/lib \
--sysconfdir=/etc \
--mandir=/usr/share/man \
--infodir=/usr/share/info \
|| return 1
make || return 1
}
package() {
cd "$_builddir"
make DESTDIR="$pkgdir" install || return 1
}
md5sums="33d3cbd0488bcb4f50b34b5670deffae c0404dcdbda9ab9e4f0b8451ecdd44eee8db2425.zip"
sha256sums="e32abe693e54195bdb6aca52783e6e1c239e67296876ac59211a59e4608338b8 c0404dcdbda9ab9e4f0b8451ecdd44eee8db2425.zip"
sha512sums="b44a626e6cc5d8e27685f5d39b5d33f49fc7070331db7b458d3ee40723972821bb8ed5458f27a287dc664d162acf1f8f9a36ca3b1bf767f2bbf27d4f538e9872 c0404dcdbda9ab9e4f0b8451ecdd44eee8db2425.zip"
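Review bot: This package builds the Google Authenticator PAM module from a single commit archive with `pkgver=20160207`, so the authentication module would be frozen at a 2016 snapshot. The Containerfiles on this page install packages with `apt`, so it is not visible here where this Alpine build file is consumed; if nothing builds it, dropping it avoids carrying a stale authentication component. If it is used, a comment next to `source=` saying why this commit was chosen, and a filled-in `# Maintainer:` line, would help whoever updates it next.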


@ -1,5 +1,5 @@
FROM ghcr.io/allanger/dumb-downloader as dudo
ARG OPENVPN_VERSION
ENV OPENVPN_VERSION=2.6.8
RUN apt update && apt install gnupg tar -y
RUN mkdir /output
# ------------------------------------------------------
@ -7,20 +7,20 @@ RUN mkdir /output
# ------------------------------------------------------
RUN dudo -l "https://keys.openpgp.org/vks/v1/by-fingerprint/F554A3687412CFFEBDEFE0A312F5F7B42F2B01E7" -d security-openvpn-net.asc -p DUMMY
RUN gpg --import security-openvpn-net.asc
RUN dudo -l "https://swupdate.openvpn.org/community/releases/openvpn-{{ version }}.tar.gz.asc" -d /tmp/openvpn.asc -p ${OPENVPN_VERSION}
RUN dudo -l "https://swupdate.openvpn.org/community/releases/openvpn-{{ version }}.tar.gz.asc" -d /tmp/openvpn.asc -p $OPENVPN_VERSION
# ------------------------------------------------------
# -- todo: I should fix it later
# -- I should fix it later
# ------------------------------------------------------
# RUN gpg --no-tty --verify /tmp/openvpn.asc
RUN dudo -l "https://swupdate.openvpn.org/community/releases/openvpn-{{ version }}.tar.gz " -d /tmp/openvpn.tar.gz -p ${OPENVPN_VERSION}
RUN dudo -l "https://swupdate.openvpn.org/community/releases/openvpn-{{ version }}.tar.gz " -d /tmp/openvpn.tar.gz -p $OPENVPN_VERSION
RUN tar -xf /tmp/openvpn.tar.gz -C /tmp && rm -f /tmp/openvpn.tar.gz
RUN mv /tmp/openvpn-${OPENVPN_VERSION} /output/openvpn
RUN mv /tmp/openvpn-$OPENVPN_VERSION /output/openvpn
FROM ubuntu:22.04 as builder
FROM ubuntu as builder
# ------------------------------------------------------
# -- TODO: Define it only once
# ------------------------------------------------------
ARG OPENVPN_VERSION
ENV OPENVPN_VERSION=2.6.8
COPY --from=dudo /output /src
RUN apt-get update &&\
apt-get install -y wget tar unzip build-essential \
@ -64,3 +64,4 @@ COPY --chmod='755' ./bin /usr/local/bin
# -- I have no idea how it works yet
# -----------------------------------------------------------
WORKDIR /etc/openvpn
COPY ./otp/openvpn /etc/pam.d/
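Review bot: The builder base image may now float: the stage appears both as `FROM ubuntu:22.04 as builder` and as `FROM ubuntu as builder`, and although the page lost the +/- markers, the untagged form follows `ubuntu:latest` if it is the new side. Keep `FROM ubuntu:22.04 as builder` so the compiled `openvpn` binary is built against the same release as the final image. The same pair shows up in the next file section (`ubuntu:24.04` / `ubuntu`). If the hard-coded `ENV OPENVPN_VERSION=2.6.8` is the new side, it has to be kept in step by hand with `CUSTOM_TAG: v2.6.8` in `.drone.yml`, and the signature check stays commented out on either side.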


@ -1,6 +1,6 @@
FROM ghcr.io/allanger/dumb-downloader as dudo
ARG OPENVPN_VERSION
ARG TUNNELBLICK_VERSION
ENV OPENVPN_VERSION=2.6.5
ENV TUNNELBLICK_VERSION=4.0.0beta08
RUN apt update && apt install gnupg tar -y
RUN mkdir /output
# ------------------------------------------------------
@ -23,12 +23,12 @@ RUN dudo -l "https://github.com/Tunnelblick/Tunnelblick/archive/refs/tags/v{{ ve
RUN tar -xf /tmp/tunnelblick.tar.gz -C /tmp && rm -f /tmp/tunnelblick.tar.gz
RUN mv /tmp/Tunnelblick-$TUNNELBLICK_VERSION /output/tunnelblick
FROM ubuntu:24.04 as builder
FROM ubuntu as builder
# ------------------------------------------------------
# -- TODO: Define it only once
# ------------------------------------------------------
ARG OPENVPN_VERSION
ARG TUNNELBLICK_VERSION
ENV OPENVPN_VERSION=2.6.5
ENV TUNNELBLICK_VERSION=v4.0.0beta08
COPY --from=dudo /output /src
RUN apt-get update &&\
apt-get install -y wget tar unzip build-essential \
@ -48,7 +48,7 @@ RUN cp $(which openvpn) /output/
# ------------------------------------------------------
# -- Final container
# ------------------------------------------------------
FROM ubuntu:24.04
FROM ubuntu:22.04
LABEL maintainer="allanger <allanger@zohomail.com>"
COPY --from=builder /output /src
# -------------------------------------------------------
@ -76,3 +76,4 @@ COPY --chmod='755' ./bin /usr/local/bin
# -- I have no idea how it works yet
# -----------------------------------------------------------
WORKDIR /etc/openvpn
COPY ./otp/openvpn /etc/pam.d/
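Review bot: `TUNNELBLICK_VERSION` is spelled two ways, `4.0.0beta08` in the first stage and `v4.0.0beta08` in the builder stage, and `OPENVPN_VERSION` is repeated too, which is what the `TODO: Define it only once` comment asks to fix. A global `ARG TUNNELBLICK_VERSION=4.0.0beta08` before the first `FROM`, re-declared as a bare `ARG TUNNELBLICK_VERSION` inside each stage that reads it, gives a single definition. The final stage is shown as both `ubuntu:24.04` and `ubuntu:22.04`; the markers were lost, so the page does not say which is new, but builder and final stage should name the same release.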

3
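--- a/env/openvpn.env
+++ b/env/openvpn.env
@@ -1,3 +0,0 @@
-export OPENVPN_VERSION=2.6.5
-export CONTAINERFILE=./containerfiles/Containerfile
-export SCRIPT=build_upstream.sh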

3
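--- a/env/openvpn_xor.env
+++ b/env/openvpn_xor.env
@@ -1,3 +0,0 @@
-export TUNNELBLICK_VERSION=6.0beta03
-export CONTAINERFILE=./containerfiles/Containerfile-XOR
-export SCRIPT=build_xor.sh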

22
helm/Chart.yaml Normal file

@ -0,0 +1,22 @@
---
apiVersion: v2
name: openvpn
description: A Helm chart for deploying OpenVPN
type: application
version: 1.0.8
appVersion: 2.6.5
sources:
- https://git.badhouseplants.net/allanger/container-openvpn-xor
- https://github.com/kylemanna/docker-openvpn
- https://github.com/lawtancool/docker-openvpn-xor
maintainers:
- name: allanger
email: allanger@zohomail.com
url: https://badhouseplants.net
keywords:
- OpenVPN
- VPN
- xor
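Review bot: `appVersion: 2.6.5` is the fallback image tag in the deployment template (`.Values.image.tag | default .Chart.AppVersion`), but the tags set in `.drone.yml` are `v2.6.8` and `v2.6.5-XOR-4.0.0beta08`. Unless `build-container` also pushes a bare `2.6.5` tag, which is not visible here, a default install would reference an image that does not exist. Setting `appVersion: "v2.6.8"` (quoted, matching the pushed tag) or setting `image.tag` in `values.yaml` would close the gap.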

17
helm/LICENSE Normal file

@ -0,0 +1,17 @@
Permission is hereby granted, without written agreement and without
license or royalty fees, to use, copy, modify, and distribute this
software and its documentation for any purpose, provided that the
above copyright notice and the following two paragraphs appear in
all copies of this software.
IN NO EVENT SHALL THE COPYRIGHT HOLDER BE LIABLE TO ANY PARTY FOR
DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES
ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION, EVEN
IF THE COPYRIGHT HOLDER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
THE COPYRIGHT HOLDER SPECIFICALLY DISCLAIMS ANY WARRANTIES, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. THE SOFTWARE PROVIDED HEREUNDER IS
ON AN "AS IS" BASIS, AND THE COPYRIGHT HOLDER HAS NO OBLIGATION TO
PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS.

9
helm/README.md Normal file

@ -0,0 +1,9 @@
# helm-openvpn
A helm chart to deploy openvpn
## K8s reqs:
--allowed-unsafe-sysctls=net.ipv4.ip_forward
## How it works?
1. It's generating the openvpn configuration if it's not generated yet. It's an `ininContainer` that really runs only once.

1
helm/templates/NOTES.txt Normal file

@ -0,0 +1 @@
1. Get the application URL by running these commands:


@ -0,0 +1,62 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "openvpn-chart.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "openvpn-chart.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "openvpn-chart.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "openvpn-chart.labels" -}}
helm.sh/chart: {{ include "openvpn-chart.chart" . }}
{{ include "openvpn-chart.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "openvpn-chart.selectorLabels" -}}
app.kubernetes.io/name: {{ include "openvpn-chart.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "openvpn-chart.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "openvpn-chart.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}


@ -0,0 +1,128 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "openvpn-chart.fullname" . }}
labels:
{{- include "openvpn-chart.labels" . | nindent 4 }}
spec:
{{- if not .Values.autoscaling.enabled }}
replicas: {{ .Values.replicaCount }}
{{- end }}
selector:
matchLabels:
{{- include "openvpn-chart.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "openvpn-chart.selectorLabels" . | nindent 8 }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
volumes:
- name: pvc-openvpn
persistentVolumeClaim:
claimName: {{ include "openvpn-chart.fullname" . }}
- name: pki-scripts
configMap:
name: {{ include "openvpn-chart.fullname" . }}-pki-scripts
securityContext:
sysctls:
- name: net.ipv4.ip_forward
value: "1"
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
volumeMounts:
- mountPath: "/etc/openvpn"
name: pvc-openvpn
- mountPath: /scripts
name: pki-scripts
env:
- name: OVPN_SERVER
value: "{{ .Values.openvpn.proto }}://{{ .Values.openvpn.host }}:{{ .Values.openvpn.port }}"
- name: OPENVPN
value: "/etc/openvpn"
securityContext:
capabilities:
add:
- NET_ADMIN
initContainers:
# ----------------------------------------------------------------------
# -- This init container is generating the basic configuration
# ----------------------------------------------------------------------
- name: 0-ovpn-genconfig
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
volumeMounts:
- mountPath: "/etc/openvpn"
name: pvc-openvpn
env:
- name: OVPN_SERVER_URL
value: "{{ .Values.openvpn.proto }}://{{ .Values.openvpn.host }}:{{ .Values.openvpn.port }}"
- name: OVPN_DATA
value: "/etc/openvpn"
- name: OPENVPN
value: "/etc/openvpn"
command:
- sh
- -c
- 'if ! [ -f "/etc/openvpn/ovpn_env.sh" ]; then ovpn_genconfig -u $OVPN_SERVER_URL && touch /etc/openvpn/.init; fi'
- name: 1-ovpn-initpki
env:
- name: OVPN_DATA
value: /etc/openvpn
- name: OPENVPN
value: "/etc/openvpn"
- name: EASYRSA_REQ_CN
value: {{ .Values.easyrsa.cn }}
- name: EASYRSA_REQ_COUNTRY
value: {{ .Values.easyrsa.country }}
- name: EASYRSA_REQ_PROVINCE
value: {{ .Values.easyrsa.province }}
- name: EASYRSA_REQ_CITY
value: {{ .Values.easyrsa.city }}
- name: EASYRSA_REQ_ORG
value: {{ .Values.easyrsa.org }}
- name: EASYRSA_REQ_EMAIL
value: {{ .Values.easyrsa.email }}
- name: EASYRSA_REQ_OU
value: {{ .Values.easyrsa.ou }}
- name: EASYRSA_ALGO
value: {{ .Values.easyrsa.algo }}
- name: EASYRSA_DIGEST
value: {{ .Values.easyrsa.digest }}
- name: EASYRSA_BATCH
value: "yes"
- name: OVPN_SERVER_URL
value: "{{ .Values.openvpn.proto }}://{{ .Values.openvpn.host }}:{{ .Values.openvpn.port }}"
volumeMounts:
- mountPath: "/etc/openvpn"
name: pvc-openvpn
- mountPath: /scripts
name: pki-scripts
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
command:
- bash
- /scripts/init_pki.sh
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
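Review bot: Both init containers use `image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"` without the `| default .Chart.AppVersion` that the main container has, and `tag` is commented out in `values.yaml`, so with default values the rendered reference ends in a bare `:` and the pod cannot be created. Use the main container's expression in `0-ovpn-genconfig` and `1-ovpn-initpki` as well. The `EASYRSA_REQ_*` values are rendered unquoted, so a country such as `NO` or an all-digit value becomes a YAML boolean or number and the env entry is rejected; `value: {{ .Values.easyrsa.country | quote }}`, and likewise for the other fields, avoids that.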


@ -0,0 +1,30 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "openvpn-chart.fullname" . }}-pki-scripts
labels:
{{- include "openvpn-chart.labels" . | nindent 4 }}
data:
init_pki.sh: |
if [ ! -d /etc/openvpn/pki ]; then
source "$OPENVPN/ovpn_env.sh"
OVPN_DIR=/etc/openvpn
PKI_DIR=$OVPN_DIR/pki
cd $OVPN_DIR
export EASYRSA_BATCH=yes
unset EASYRSA_VARS_FILE
/usr/share/easy-rsa/easyrsa init-pki
/usr/share/easy-rsa/easyrsa build-ca nopass
/usr/share/easy-rsa/easyrsa build-server-full {{ .Values.openvpn.host }} nopass
/usr/share/easy-rsa/easyrsa gen-dh
cd $PKI_DIR
openvpn --genkey tls-crypt-v2-server private/{{ .Values.openvpn.host }}.pem
openvpn --genkey secret > ta.key
fi
gen_client.sh: |
source "$OPENVPN/ovpn_env.sh"
CLIENTNAME=$1
PASSWORD=$2
OVPN_DIR=/etc/openvpn
cd $OVPN_DIR
/usr/share/easy-rsa/easyrsa build-client-full $CLIENTNAME $PASSWORD
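Review bot: `init_pki.sh` has no error handling and guards on the directory alone, so if any `easyrsa` step fails after `init-pki` the `pki` directory already exists and `if [ ! -d /etc/openvpn/pki ]` skips initialisation on every later start. Starting the script with `set -e` and testing for a marker written as the last step (for example `touch "$PKI_DIR/.initialized"`, a constructed name) instead of the directory would make a failed run both visible and retryable. `build-ca nopass` leaves the CA private key unencrypted on the same volume the server container mounts; if that is intended for unattended setup, a comment saying so would let operators decide whether to keep the CA elsewhere. In `gen_client.sh`, `$CLIENTNAME` and `$PASSWORD` are unquoted, and the second argument reaches `easyrsa build-client-full` as an option word such as `nopass` rather than a passphrase, so the name `PASSWORD` is misleading.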

19
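--- a/helm/templates/pvc.yaml
+++ b/helm/templates/pvc.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+name: {{ include "openvpn-chart.fullname" . }}
+labels:
+{{- include "openvpn-chart.labels" . | nindent 4 }}
+spec:
+{{- if .Values.storage.class }}
+{{- if (eq "-" .Values.storage.class) }}
+storageClassName: ""
+{{- else }}
+storageClassName: "{{ .Values.storage.class }}"
+{{- end }}
+{{- end }}
+accessModes:
+- ReadWriteOnce
+resources:
+requests:
+storage: {{ .Values.storage.size }}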


@ -0,0 +1,18 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "openvpn-chart.fullname" . }}
labels:
{{- include "openvpn-chart.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
{{- if .Values.service.nodePort }}
nodePort: {{ int .Values.service.nodePort }}
{{- end}}
targetPort: {{ .Values.service.port | default 1194 }}
protocol: {{ .Values.service.protocol | default "UDP" | quote }}
name: openvpn
selector:
{{- include "openvpn-chart.selectorLabels" . | nindent 4 }}
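Review bot: `targetPort: {{ .Values.service.port | default 1194 }}` ties the container port to the service port, so changing `service.port` also changes where traffic is sent inside the pod, while the image only declares `EXPOSE 1194`. If the server always listens on 1194, `targetPort: 1194` or a separate `service.targetPort` value is the safer form. `port:` itself has no default although `targetPort` and `protocol` do, and the `"UDP"` fallback disagrees with `openvpn.proto: tcp` in `values.yaml`.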


@ -0,0 +1,200 @@
{{- $version := semver .Capabilities.KubeVersion.Version }}
{{- if .Values.tests.enabled }}
# ---------------------------------------------------------------------
# -- Test that CRDs are installed
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ include "openvpn-chart.fullname" . }}-test-script
labels:
{{- include "openvpn-chart.selectorLabels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
{{- if .Values.tests.cleanup }}
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- end }}
"helm.sh/hook-weight": "6"
data:
get_config.sh: |-
#!/bin/bash
kubectl rollout status deployment/{{ include "openvpn-chart.fullname" . }}
kubectl exec deployment/{{ include "openvpn-chart.fullname" . }} -- ovpn_genclientcert test nopass
kubectl exec deployment/{{ include "openvpn-chart.fullname" . }} -- ovpn_getclient test > /data/test.ovpn
test_connection.sh : |-
sed -i "s/127.0.0.1/{{ include "openvpn-chart.fullname" . }}/g" /data/test.ovpn
mkdir -p /dev/net
mknod /dev/net/tun c 10 200
chmod 600 /dev/net/tun
openvpn --config /data/test.ovpn --daemon --log-append /tmp/ovpnlog
tail -n0 -f /tmp/ovpnlog | sed '/Initialization Sequence Completed/ q'
---
# ---------------------------------------------------------------------
# -- Prepare roles and bindings to access k8s resources from the test
# ---------------------------------------------------------------------
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "openvpn-chart.fullname" . }}-test-role
labels:
{{- include "openvpn-chart.selectorLabels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
{{- if .Values.tests.cleanup }}
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- end }}
"helm.sh/hook-weight": "1"
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-sa
labels:
{{- include "openvpn-chart.selectorLabels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
{{- if .Values.tests.cleanup }}
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- end }}
"helm.sh/hook-weight": "1"
automountServiceAccountToken: true
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-rb
labels:
{{- include "openvpn-chart.selectorLabels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
{{- if .Values.tests.cleanup }}
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- end }}
"helm.sh/hook-weight": "1"
subjects:
- kind: ServiceAccount
name: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-sa
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: {{ include "openvpn-chart.fullname" . }}-test-role
apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ include "openvpn-chart.fullname" . }}-test
annotations:
"helm.sh/hook": test
{{- if .Values.tests.cleanup }}
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- end }}
"helm.sh/hook-weight": "7"
labels:
{{- include "openvpn-chart.labels" . | nindent 4 }}
spec:
storageClassName: {{ .Values.storage.class }}
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 512Mi
---
apiVersion: v1
kind: Pod
metadata:
name: {{ include "openvpn-chart.fullname" . }}-test
labels:
{{- include "openvpn-chart.selectorLabels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
{{- if .Values.tests.cleanup }}
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- end }}
"helm.sh/hook-weight": "7"
spec:
serviceAccountName: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-sa
automountServiceAccountToken: true
volumes:
- name: test-script
configMap:
name: {{ include "openvpn-chart.fullname" . }}-test-script
- name: data
persistentVolumeClaim:
claimName: {{ include "openvpn-chart.fullname" . }}-test
containers:
- name: tester
image: alpine/k8s:{{ $version.Major }}.{{ $version.Minor }}.{{ $version.Patch }}
volumeMounts:
- name: test-script
readOnly: true
mountPath: /get_config.sh
subPath: get_config.sh
- name: data
readOnly: false
mountPath: /data
command:
- bash
args:
- -e
- /get_config.sh
restartPolicy: Never
---
apiVersion: v1
kind: Pod
metadata:
name: {{ include "openvpn-chart.fullname" . }}-test-connection
labels:
{{- include "openvpn-chart.selectorLabels" . | nindent 4 }}
annotations:
"helm.sh/hook": test
{{- if .Values.tests.cleanup }}
"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
{{- end }}
"helm.sh/hook-weight": "7"
spec:
serviceAccountName: {{ include "openvpn-chart.fullname" . }}-gsql-dbin-sa
automountServiceAccountToken: true
volumes:
- name: data
persistentVolumeClaim:
claimName: {{ include "openvpn-chart.fullname" . }}-test
- name: test-script
configMap:
name: {{ include "openvpn-chart.fullname" . }}-test-script
containers:
- name: tester
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
volumeMounts:
- name: data
readOnly: false
mountPath: /data
- name: test-script
readOnly: true
mountPath: /test_connection.sh
subPath: test_connection.sh
command:
- bash
args:
- -e
- /test_connection.sh
securityContext:
capabilities:
add:
- NET_ADMIN
restartPolicy: Never
{{- end }}
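Review bot: The `-test-role` ClusterRole grants `apiGroups: ["*"]`, `resources: ["*"]`, `verbs: ["*"]` and is bound cluster-wide, which gives the test pods full control of the cluster although `get_config.sh` only runs `kubectl rollout status` and `kubectl exec` against one deployment in the release namespace. A namespaced `Role` with a matching `RoleBinding` limited to those calls is enough; the rule set below is a starting point to confirm against a test run. `test_connection.sh` makes no API calls, so the `-test-connection` pod can set `automountServiceAccountToken: false` and drop `serviceAccountName`. The resource names still say `gsql-dbin` and the header comment says `Test that CRDs are installed`, both apparently carried over from another chart.

```yaml
# … unchanged: metadata, labels and hook annotations …
kind: Role
rules:
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
```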

89
helm/values.yaml Normal file

@ -0,0 +1,89 @@
# Default values for openvpn-chart.
image:
repository: git.badhouseplants.net/allanger/container-openvpn
pullPolicy: Always
# -------------------------------------------
# -- TODO: Switch to proper versions
# -------------------------------------------
# tag: ""
# -----------------------------
# -- Open VPN configuration
# -----------------------------
openvpn:
proto: tcp
host: 127.0.0.1
port: 1194
# ---------------------------------------
# -- Deploy OpenVPN admin
# -- https://github.com/flant/ovpn-admin
# ---------------------------------------
openvpn_admin:
enabled: true
# -----------------------------
# -- Easy RSA configuration
# -----------------------------
easyrsa:
cn: . # -- EASYRSA_REQ_CN
country: . # -- EASYRSA_REQ_COUNTRY
province: . # -- EASYRSA_REQ_PROVINCE
city: . # -- EASYRSA_REQ_CITY
org: . # -- EASYRSA_REQ_ORG
email: . # -- EASYRSA_REQ_EMAIL
ou: Community # -- EASYRSA_REQ_OU
algo: ec # -- EASYRSA_ALGO
digest: sha512 # -- EASYRSA_DIGEST
replicaCount: 1
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
storage:
class: ""
size: 1Gi
serviceAccount:
# Specifies whether a service account should be created
create: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
podAnnotations: {}
podSecurityContext: {}
# fsGroup: 2000
securityContext: {}
# capabilities:
# drop:
# - ALL
# readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
service:
type: ClusterIP
port: 1194
protocol: TCP
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
autoscaling:
enabled: false
minReplicas: 1
maxReplicas: 100
targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80
nodeSelector: {}
tolerations: []
affinity: {}
tests:
enabled: false
cleanup: true
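Review bot: `podSecurityContext` and `securityContext` are offered here, but the deployment template on this page hard-codes the sysctl and `NET_ADMIN` settings and never reads them, so overriding them has no effect. Either wire them into the template or remove them, so operators are not misled about what they can harden. `openvpn_admin.enabled: true` likewise has no consumer in the templates shown. `host: 127.0.0.1` ends up in the server certificate name and the client URL, so a comment above it such as `# -- must be set to the public address of the server` would prevent installs that keep the placeholder.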

21
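--- a/kind.yaml
+++ b/kind.yaml
@@ -0,0 +1,21 @@
+apiVersion: kind.x-k8s.io/v1alpha4
+kind: Cluster
+name: test
+networking:
+apiServerAddress: "0.0.0.0"
+apiServerPort: 16443
+kubeadmConfigPatches:
+- |
+kind: InitConfiguration
+nodeRegistration:
+kubeletExtraArgs:
+allowed-unsafe-sysctls: net.ipv4.ip_forward
+nodes:
+- role: control-plane
+kubeadmConfigPatches:
+- |
+kind: ClusterConfiguration
+apiServer:
+certSANs:
+- "docker"
+- role: worker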
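Review bot: `apiServerAddress: "0.0.0.0"` makes the kind API server listen on every interface of the Docker host, which the kind documentation advises against outside special cases. Here it seems to be needed so the CI step can reach the cluster through the `docker` service name (hence the `docker` certSAN), so the file should say so: `# CI only: API server is bound to all interfaces so the pipeline can reach it via the dind service; do not use on a workstation`. The fixed `apiServerPort: 16443` deserves the same one-line explanation.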

7
otp/openvpn Normal file

@ -0,0 +1,7 @@
# Uses google authenticator library as PAM module using a single folder for all users tokens
# User root is required to stick with an hardcoded user when trying to determine user id and allow unexisting system users
# See https://github.com/google/google-authenticator-libpam#usersome-user
auth required pam_google_authenticator.so secret=/etc/openvpn/otp/${USER}.google_authenticator user=root
# Accept any user since we're dealing with virtual users there's no need to have a system account (pam_unix.so)
account sufficient pam_permit.so
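Review bot: `auth required pam_google_authenticator.so` needs the module to be present, but the final image stage in the Containerfile on this page installs only `openvpn easy-rsa iptables`, so unless the base image or `./bin` provides it, OTP logins would fail when PAM loads the stack. Confirm the module package is installed in the final stage before this file is copied to `/etc/pam.d/`. With `account sufficient pam_permit.so` and `user=root`, the OTP check is the only gate PAM applies, so a comment stating who may write to the `secret=` directory would document the assumption this config relies on.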


@ -1,4 +0,0 @@
#!/usr/bin/env sh
export CUSTOM_TAG="v$OPENVPN_VERSION"
export BUILD_ARGS="--build-arg OPENVPN_VERSION=$OPENVPN_VERSION"
build-container


@ -1,7 +0,0 @@
#!/usr/bin/env sh
git clone https://github.com/Tunnelblick/Tunnelblick.git /tmp/tunnelblick
git -C /tmp/tunnelblick checkout $TUNNELBLICK_VERSION
export OPENVPN_VERSION=$(ls /tmp/tunnelblick/third_party/sources/openvpn | sed 's/openvpn-//g' | sort -k1,1nr -k2,2n -k3,3n | head -n 1)
export CUSTOM_TAG="v$OPENVPN_VERSION-XOR-$TUNNELBLICK_VERSION"
export BUILD_ARGS="--build-arg OPENVPN_VERSION=$OPENVPN_VERSION --build-arg TUNNELBLICK_VERSION=$TUNNELBLICK_VERSION"
build-container