|
@@ -1,13 +1,14 @@
|
|
-registry_secret_data: ewoJImF1dGhzIjogewoJCSJqY3IuaW5mb2NsaW5pY2EucnUiOiB7CgkJCSJhdXRoIjogImNISnZkbWx6YVc5dU9rUmxiVzl6WlhKMlpYSWpjMlJ6TVRJeiIKCQl9Cgl9LAoJIkh0dHBIZWFkZXJzIjogewoJCSJVc2VyLUFnZW50IjogIkRvY2tlci1DbGllbnQvMTkuMDMuMTIgKGxpbnV4KSIKCX0KfQ==
|
|
|
|
|
|
+# Image registry secret. Required if authorization is needed on registry access.
|
|
|
|
+# Value of $(base64 ~/.docker/config.json).
|
|
|
|
+# For more info see https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
|
|
|
|
+# registry_secret_data:
|
|
|
|
|
|
|
|
+# Settings for main openvpn deployment
|
|
openvpn:
|
|
openvpn:
|
|
- image: "jcr.infoclinica.ru/sys/openvpn-gost"
|
|
|
|
- tag: "200518041"
|
|
|
|
|
|
+ image: "jcr.infoclinica.ru/sys/openvpn-rsa"
|
|
|
|
+ tag: "200207025"
|
|
pullPolicy: IfNotPresent
|
|
pullPolicy: IfNotPresent
|
|
|
|
|
|
- mode: server
|
|
|
|
- ccd_confdir: ccd
|
|
|
|
-
|
|
|
|
# podAnnotations:
|
|
# podAnnotations:
|
|
resources:
|
|
resources:
|
|
limits:
|
|
limits:
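Review bot: The instruction `# Value of $(base64 ~/.docker/config.json).` produces, with GNU coreutils, output wrapped at 76 columns, which does not fit the single-line scalar the commented `# registry_secret_data:` key expects; documenting `base64 -w0 ~/.docker/config.json` (or an explicit note to strip the line breaks) avoids a value that fails to decode when the chart renders it. The removed `registry_secret_data` line held a base64 docker config with a registry auth entry, so whatever credential it encoded should be treated as exposed and rotated, not merely deleted. A short addition to the comment, `# Credential: pass via --set or a values file kept out of version control.`, would keep the next user from committing it again.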
|
|
@@ -16,13 +17,14 @@ openvpn:
|
|
requests:
|
|
requests:
|
|
cpu: 350m
|
|
cpu: 350m
|
|
memory: 50Mi
|
|
memory: 50Mi
|
|
|
|
+ # Openvpn config file
|
|
configuration: |-
|
|
configuration: |-
|
|
- dev external
|
|
|
|
|
|
+ dev openvpn-tun
|
|
dev-type tun
|
|
dev-type tun
|
|
- port 1195
|
|
|
|
- proto tcp
|
|
|
|
|
|
+ port 1194
|
|
|
|
+ proto udp
|
|
verb 3
|
|
verb 3
|
|
- status /var/log/openvpn-external-status.log
|
|
|
|
|
|
+ status /var/log/openvpn-status.log
|
|
management localhost 7505
|
|
management localhost 7505
|
|
keepalive 10 120
|
|
keepalive 10 120
|
|
persist-key
|
|
persist-key
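Review bot: `dev openvpn-tun`, `port 1194` and `proto udp` on the new side are repeated later in the same file as `dev_name`, `inbound_port` and `inbound_proto`, and the "must be same" remark exists only at that later place, so the block most likely to be edited carries no pointer; extend the comment at the top of the block to `# Openvpn config file. dev, port and proto must match dev_name, inbound_port and inbound_proto below.`. The configuration block scalar continues past the end of this hunk.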
|
|
@@ -31,121 +33,78 @@ openvpn:
|
|
push comp-lzo yes
|
|
push comp-lzo yes
|
|
topology subnet
|
|
topology subnet
|
|
mssfix
|
|
mssfix
|
|
- server 10.9.0.0 255.255.0.0
|
|
|
|
- push "route 192.168.205.0 255.255.255.0"
|
|
|
|
- push "route 10.1.116.0 255.255.255.0"
|
|
|
|
- push "route 217.74.42.72 255.255.255.255"
|
|
|
|
- route 192.168.21.0 255.255.255.0
|
|
|
|
- route 10.10.0.0 255.255.0.0
|
|
|
|
|
|
+ server 10.100.0.0 255.255.0.0
|
|
crl-verify /etc/openvpn/keys/crl.pem
|
|
crl-verify /etc/openvpn/keys/crl.pem
|
|
client-config-dir /etc/openvpn/ccd
|
|
client-config-dir /etc/openvpn/ccd
|
|
ccd-exclusive
|
|
ccd-exclusive
|
|
- engine cryptocom
|
|
|
|
- auth gost-mac
|
|
|
|
- cipher gost89
|
|
|
|
- tls-cipher GOST2012-GOST8912-GOST8912
|
|
|
|
ca /etc/openvpn/keys/ca.crt
|
|
ca /etc/openvpn/keys/ca.crt
|
|
cert /etc/openvpn/keys/server.crt
|
|
cert /etc/openvpn/keys/server.crt
|
|
key /etc/openvpn/keys/server.key
|
|
key /etc/openvpn/keys/server.key
|
|
-
|
|
|
|
|
|
+
|
|
|
|
+ # Openvpn keys
|
|
keys:
|
|
keys:
|
|
ca.crt: |-
|
|
ca.crt: |-
|
|
-----BEGIN CERTIFICATE-----
|
|
-----BEGIN CERTIFICATE-----
|
|
- MIICPzCCAeqgAwIBAgIJAL4mALec3gSvMAwGCCqFAwcBAQMCBQAwSTELMAkGA1UE
|
|
|
|
- BhMCUlUxDzANBgNVBAcTBk1vc2NvdzEOMAwGA1UEChMFU0RTeXMxGTAXBgNVBAMT
|
|
|
|
- EEVhc3ktR09TVCBDQSB2M2wwHhcNMjAwMzE4MDk1MTE2WhcNMjIwMzE4MDk1MTE2
|
|
|
|
- WjBJMQswCQYDVQQGEwJSVTEPMA0GA1UEBxMGTW9zY293MQ4wDAYDVQQKEwVTRFN5
|
|
|
|
- czEZMBcGA1UEAxMQRWFzeS1HT1NUIENBIHYzbDBmMB8GCCqFAwcBAQEBMBMGByqF
|
|
|
|
- AwICIwEGCCqFAwcBAQICA0MABEAllxmY+xR99A9iyEmgPb9mkm+Wm9jbYe2zOT0O
|
|
|
|
- tqhAREQUEJPaolixLvNxTxEsySyumqHDihrCD/LXTV9nUhnTo4GrMIGoMB0GA1Ud
|
|
|
|
- DgQWBBTf9pPnhQwwCC6VD+yCTkhWZpUWEDB5BgNVHSMEcjBwgBTf9pPnhQwwCC6V
|
|
|
|
- D+yCTkhWZpUWEKFNpEswSTELMAkGA1UEBhMCUlUxDzANBgNVBAcTBk1vc2NvdzEO
|
|
|
|
- MAwGA1UEChMFU0RTeXMxGTAXBgNVBAMTEEVhc3ktR09TVCBDQSB2M2yCCQC+JgC3
|
|
|
|
- nN4ErzAMBgNVHRMEBTADAQH/MAwGCCqFAwcBAQMCBQADQQBx4PZpxdGxFiA+3Dgs
|
|
|
|
- GUr4Urk8+jiQLbmknuD6vWUADO9A7VvMEEdZkWgml0/3Yt2qGs2ZZ56IMmkmwkM4
|
|
|
|
- Rozv
|
|
|
|
-----END CERTIFICATE-----
|
|
-----END CERTIFICATE-----
|
|
server.crt: |-
|
|
server.crt: |-
|
|
-----BEGIN CERTIFICATE-----
|
|
-----BEGIN CERTIFICATE-----
|
|
- MIICWDCCAgOgAwIBAgIBbjAMBggqhQMHAQEDAgUAMEkxCzAJBgNVBAYTAlJVMQ8w
|
|
|
|
- DQYDVQQHEwZNb3Njb3cxDjAMBgNVBAoTBVNEU3lzMRkwFwYDVQQDExBFYXN5LUdP
|
|
|
|
- U1QgQ0EgdjNsMB4XDTIwMDUxNzEzMzQ1NFoXDTIxMDUxNzEzMzQ1NFowSzELMAkG
|
|
|
|
- A1UEBhMCUlUxDzANBgNVBAcTBk1vc2NvdzEOMAwGA1UEChMFU0RTeXMxCjAIBgNV
|
|
|
|
- BAsTATIxDzANBgNVBAMTBnNlcnZlcjBmMB8GCCqFAwcBAQEBMBMGByqFAwICIwEG
|
|
|
|
- CCqFAwcBAQICA0MABEDMynDvbv1HLKFmQc1gdSCzC3XiBZkczzYEG3cGMwe9pPwu
|
|
|
|
- +XfeErjCnI6L3dZ20bZR7Ad91bwXoUjOVZQnuY88o4HKMIHHMAkGA1UdEwQCMAAw
|
|
|
|
- HQYDVR0OBBYEFGtYB3CvKR0VqUQRWqmzqwPxFjJCMHkGA1UdIwRyMHCAFN/2k+eF
|
|
|
|
- DDAILpUP7IJOSFZmlRYQoU2kSzBJMQswCQYDVQQGEwJSVTEPMA0GA1UEBxMGTW9z
|
|
|
|
- Y293MQ4wDAYDVQQKEwVTRFN5czEZMBcGA1UEAxMQRWFzeS1HT1NUIENBIHYzbIIJ
|
|
|
|
- AL4mALec3gSvMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIDiDAMBggq
|
|
|
|
- hQMHAQEDAgUAA0EAlDPHu4InFKvakuz70ISjgfYJddTbSMvnxGV9h9LCuOnyotML
|
|
|
|
- 2k6/NS/SXEnVm/zaF2i1bMsUlU1mBQX3sxGRqQ==
|
|
|
|
-----END CERTIFICATE-----
|
|
-----END CERTIFICATE-----
|
|
server.key: |-
|
|
server.key: |-
|
|
-----BEGIN PRIVATE KEY-----
|
|
-----BEGIN PRIVATE KEY-----
|
|
- MIGAAgEAMB8GCCqFAwcBAQEBMBMGByqFAwICIwEGCCqFAwcBAQICBCCQsswQzpFL
|
|
|
|
- 7ecRbAKbTf8V5tZs8hMOnMDp486YomUsoaA4MDYGCCqFAwIJAwgBMSoEKAFsAU0p
|
|
|
|
- lsQAkisnUOguGeJ96UJQIXzPjpnm/WBFeECPYfeygjbUp10=
|
|
|
|
-----END PRIVATE KEY-----
|
|
-----END PRIVATE KEY-----
|
|
crl.pem: |-
|
|
crl.pem: |-
|
|
-----BEGIN X509 CRL-----
|
|
-----BEGIN X509 CRL-----
|
|
- MIIBMTCB3TAMBggqhQMHAQEDAgUAMEkxCzAJBgNVBAYTAlJVMQ8wDQYDVQQHEwZN
|
|
|
|
- b3Njb3cxDjAMBgNVBAoTBVNEU3lzMRkwFwYDVQQDExBFYXN5LUdPU1QgQ0EgdjNs
|
|
|
|
- Fw0yMDAzMjMwODAyMDJaFw0zMDAzMjEwODAyMDJaMGQwEgIBIxcNMTkxMjI1MTEz
|
|
|
|
- MjQwWjASAgElFw0yMDAzMjMwODAyMDFaMBICASoXDTIwMDIyODE1NDA0MVowEgIB
|
|
|
|
- MRcNMjAwMzExMDk1NjQ2WjASAgFAFw0yMDAzMTkxMTI4MTVaMAwGCCqFAwcBAQMC
|
|
|
|
- BQADQQDsLtvVArTSNUu58siBrFJnIFneV17SB8RzvB/NFsmqlDYKAcC5YlSuPeX0
|
|
|
|
- 4NsLD/VSPLD1eJEZotycJgubXQhq
|
|
|
|
-----END X509 CRL-----
|
|
-----END X509 CRL-----
|
|
|
|
|
|
|
|
+ # Openvn deployment scripts
|
|
scripts:
|
|
scripts:
|
|
|
|
+ # Initscript, executed by dedicated initialization container, main purpose - set firewall rules, or some similar, before openvpn start.
|
|
initscript: |-
|
|
initscript: |-
|
|
#!/bin/bash
|
|
#!/bin/bash
|
|
- iptables -I FORWARD 1 -m state --state NEW -s 10.9.10.0/24 -i external -j DROP
|
|
|
|
- iptables -I FORWARD 1 -m state --state NEW -s 10.9.10.0/24 -d 192.168.205.10 -i external -j ACCEPT
|
|
|
|
- iptables -I INPUT 1 -m state --state NEW -s 10.9.10.0/24 -i external -j DROP
|
|
|
|
- iptables -I INPUT 1 -m state --state NEW -s 10.9.10.0/24 -d 217.74.42.72 -i external -j ACCEPT
|
|
|
|
|
|
+ iptables -I FORWARD 1 -m state --state NEW -s 10.100.10.0/24 -i openvpn-tun -j DROP
|
|
|
|
+ iptables -I FORWARD 1 -m state --state NEW -s 10.100.10.0/24 -d 192.168.205.10 -i openvpn-tun -j ACCEPT
|
|
|
|
+ iptables -I INPUT 1 -m state --state NEW -s 10.100.10.0/24 -i openvpn-tun -j DROP
|
|
|
|
+ iptables -I INPUT 1 -m state --state NEW -s 10.100.10.0/24 -d 217.74.42.72 -i openvpn-tun -j ACCEPT
|
|
|
|
+ # Main openvpn container startup script, aka ENTRYPOINT
|
|
startscript: |-
|
|
startscript: |-
|
|
#!/bin/bash
|
|
#!/bin/bash
|
|
- _SERVERKEY_="MZCP-EU87-PNM9-E985"
|
|
|
|
- cp -r /tmp/server/.magprocryptopack /root
|
|
|
|
- chmod -R 700 /root/.magprocryptopack
|
|
|
|
- echo ${_SERVERKEY_} | /opt/cryptopack3/ssl/misc/getlicense.sh
|
|
|
|
- touch /tmp/lic
|
|
|
|
mkdir /dev/net
|
|
mkdir /dev/net
|
|
mknod /dev/net/tun c 10 200
|
|
mknod /dev/net/tun c 10 200
|
|
- exec "/opt/openvpn-gost/sbin/openvpn" "--config" "/etc/openvpn/configuration/openvpn.conf"
|
|
|
|
|
|
+ exec "/usr/sbin/openvpn" "--config" "/etc/openvpn/configuration/openvpn.conf"
|
|
|
|
+ # Stop script, executed by separate container on Pod termination.
|
|
stopscript: |-
|
|
stopscript: |-
|
|
#!/bin/bash
|
|
#!/bin/bash
|
|
- iptables -D FORWARD -m state --state NEW -s 10.9.10.0/24 -i external -j DROP
|
|
|
|
- iptables -D FORWARD -m state --state NEW -s 10.9.10.0/24 -d 192.168.205.10 -i external -j ACCEPT
|
|
|
|
- iptables -D INPUT -m state --state NEW -s 10.9.10.0/24 -i external -j DROP
|
|
|
|
- iptables -D INPUT -m state --state NEW -s 10.9.10.0/24 -d 217.74.42.72 -i external -j ACCEPT
|
|
|
|
|
|
+ iptables -D FORWARD -m state --state NEW -s 10.100.10.0/24 -i openvpn-tun -j DROP
|
|
|
|
+ iptables -D FORWARD -m state --state NEW -s 10.100.10.0/24 -d 192.168.205.10 -i openvpn-tun -j ACCEPT
|
|
|
|
+ iptables -D INPUT -m state --state NEW -s 10.100.10.0/24 -i openvpn-tun -j DROP
|
|
|
|
+ iptables -D INPUT -m state --state NEW -s 10.100.10.0/24 -d 217.74.42.72 -i openvpn-tun -j ACCEPT
|
|
|
|
+ # The health check script
|
|
healthcheck: |-
|
|
healthcheck: |-
|
|
#!/bin/bash
|
|
#!/bin/bash
|
|
- update_lic() {
|
|
|
|
- /opt/cryptopack3/bin/updater -l /opt/cryptopack3/ssl/cryptocom.lic
|
|
|
|
- touch /tmp/lic
|
|
|
|
- }
|
|
|
|
- file=`find /tmp -name lic -type f -mtime +1`
|
|
|
|
- if [[ -z ${file} ]];then echo "Обновление лицензии не требуется"; else update_lic;fi
|
|
|
|
|
|
+ # ping something, or check connection status on port 7505
|
|
|
|
|
|
|
|
|
|
# Inbound IP and port
|
|
# Inbound IP and port
|
|
-inbound_IP: 10.1.116.14
|
|
|
|
-inbound_port: 1195
|
|
|
|
|
|
+# ip, port and protocol for loadbalancer service, in case it's a server
|
|
|
|
+inbound_IP: 10.1.2.3
|
|
|
|
+# must be same, as port in openvpn config
|
|
|
|
+inbound_port: 1194
|
|
|
|
+# must be same, as proto in openvpn config
|
|
|
|
+inbound_proto: UDP
|
|
|
|
|
|
-dev_name: external
|
|
|
|
-net: 10.9.0.0
|
|
|
|
|
|
+# Openvpn settings, musb be the same, as in config, used in router daemonset
|
|
|
|
+dev_name: openvpn-tun
|
|
|
|
+net: 10.100.0.0
|
|
mask: 255.255.0.0
|
|
mask: 255.255.0.0
|
|
-client_net: "10.9.10.0/24"
|
|
|
|
|
|
|
|
|
|
+# CCD configmap
|
|
ccd:
|
|
ccd:
|
|
- client: ifconfig-push 10.9.10.2 255.255.0.0
|
|
|
|
|
|
+ client: ifconfig-push 10.100.10.2 255.255.0.0
|
|
someclient: |-
|
|
someclient: |-
|
|
- ifconfig-push 10.9.10.2 255.255.0.0
|
|
|
|
|
|
+ ifconfig-push 10.100.10.3 255.255.0.0
|
|
iroute 192.168.250.0 255.255.255.0
|
|
iroute 192.168.250.0 255.255.255.0
|
|
|
|
|
|
|
|
+# Router container
|
|
router:
|
|
router:
|
|
image: "jcr.infoclinica.ru/sys/kubectl"
|
|
image: "jcr.infoclinica.ru/sys/kubectl"
|
|
tag: "1.18.9-3"
|
|
tag: "1.18.9-3"
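Review bot: The new healthcheck body is only `#!/bin/bash` and the `# ping something, or check connection status on port 7505` comment, so a probe using it exits 0 and reports the container healthy whatever OpenVPN is doing; either implement the check (the management port named in the comment is already in the config) or leave the key out so no probe is wired to a no-op. The `keys:` block now carries empty PEM envelopes in a values file that the chart renders into cluster objects; a comment above `keys:` such as `# Supply PEM data at install time (e.g. --set-file) or from an external Secret; do not commit key material here.` would make the intent clear, and the private key and license material removed in this hunk should be treated as exposed once they were in history. `inbound_proto: UDP` and `proto udp` are described as "must be same" but differ in case; the comment should say the Service protocol is written upper-case while the OpenVPN directive is lower-case, so the two are not copied verbatim. The new comments also carry typos, `Openvn` and `musb`.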
|