
add multus support

Vadim Surkov 2 years ago
parent
commit
5a869ff1f7

+ 2 - 2
helm/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v2
 name: openvpn
-description: A Helm chart for Kubernetes
+description: The Helm chart OpenVPN-RSA and OpenVPN-GOST for Kubernetes
 
 # A chart can be either an 'application' or a 'library' chart.
 #
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.1
+version: 0.1.3
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

+ 5 - 1
helm/templates/cm-openvpnscripts.yaml

@@ -9,16 +9,20 @@ data:
   {{- else }}
   startscript: |-
     #!/bin/bash
+    {{- if and .Values.virtIP_addr .Values.virtIP_dev }}
     ip addr add {{ .Values.virtIP_addr }} dev {{ .Values.virtIP_dev }}
+    {{- end }}
     mkdir /dev/net
     mknod /dev/net/tun c 10 200
     exec "/usr/sbin/openvpn" "--config" "/etc/openvpn/configuration/openvpn.conf"
   {{- end }}
-  
+
+  {{- if and .Values.virtIP_addr .Values.virtIP_dev }}
   # Stop script, executed by separate container on Pod termination.
   stopscript: |-
     #!/bin/bash
     ip addr delete {{ .Values.virtIP_addr }} dev {{ .Values.virtIP_dev }}
+  {{- end }}
   {{- if .Values.openvpn.healthcheck }}
   healthcheck: {{- toYaml .Values.openvpn.healthcheck | indent 2 }}
   {{- end }}
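Review bot: `{{- if and .Values.virtIP_addr .Values.virtIP_dev }}` at the top of startscript, again around stopscript, and a third time around the stop container in deployment.yaml all silently skip the virtual-IP setup when only one of the two values is set, so a typo in `virtIP_dev` yields a pod with no virtual address while cm-router.yaml still renders routes `via` `virtIP_addr`. A half-set pair should be a render error rather than a quiet no-op; a one-line guard near the top of the template, `{{- if and (or .Values.virtIP_addr .Values.virtIP_dev) (not (and .Values.virtIP_addr .Values.virtIP_dev)) }}{{ fail "virtIP_addr and virtIP_dev must be set together" }}{{- end }}`, catches it at `helm template` time. The `{{- if }}` that this hunk's `{{- else }}` belongs to opens before the hunk.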

+ 3 - 1
helm/templates/cm-router.yaml

@@ -1,9 +1,10 @@
+{{- if .Values.netOpenvpn -}}
 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: {{ include "openvpn.fullname" . }}-routecheck
 data:
-  route-add: | 
+  route-add: |
     {{- range .Values.netOpenvpn}}
     ip route add {{ . }} via {{ $.Values.virtIP_addr }} metric 200
     {{- end}}
@@ -12,3 +13,4 @@ data:
     {{- range .Values.netOpenvpn}}
     ip route delete {{ . }} via {{ $.Values.virtIP_addr }} metric 200
     {{- end}}
+{{- end -}}
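Review bot: The new gate at the top of the file checks only `.Values.netOpenvpn`, but both rendered scripts route `via {{ $.Values.virtIP_addr }}`, and with the new default `virtIP_addr: {}` a release that sets `netOpenvpn` without `virtIP_addr` renders `via map[]` into route-add and route-delete. Gate on both, `{{- if and .Values.netOpenvpn .Values.virtIP_addr -}}`, or fail early inside the `range` body with `{{ required "virtIP_addr is required when netOpenvpn is set" $.Values.virtIP_addr }}`. The ConfigMap's `data` mapping continues between the two hunks.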

+ 2 - 2
helm/templates/daemonset.yaml

@@ -1,3 +1,4 @@
+{{- if and .Values.netOpenvpn .Values.router -}}
 kind: DaemonSet
 apiVersion: apps/v1
 metadata:
@@ -46,5 +47,4 @@ spec:
         configMap:
           name: {{ include "openvpn.fullname" . }}-routecheck
           defaultMode: 0755
-      
-
+{{- end -}}

+ 17 - 2
helm/templates/deployment.yaml

@@ -6,12 +6,17 @@ metadata:
     {{- include "openvpn.labels" . | nindent 4 }}
 spec:
   replicas: 1
+  strategy:
+    type: Recreate
   selector:
     matchLabels:
       {{- include "openvpn.selectorLabels" . | nindent 6 }}
   template:
     metadata:
       annotations:
+        {{- if .Values.multus }}
+        v1.multus-cni.io/default-network: "{{ .Release.Namespace }}/{{ .Release.Name }}-net"
+        {{- end }}
         checksum/config: {{ include (print $.Template.BasePath "/cm-configuration.yaml") . | sha256sum }}
         checksum/config2: {{ include (print $.Template.BasePath "/secret-keys.yaml") . | sha256sum }}
         checksum/config3: {{ include (print $.Template.BasePath "/cm-openvpnscripts.yaml") . | sha256sum }}
@@ -25,7 +30,9 @@ spec:
       imagePullSecrets:
       - name: {{ include "openvpn.fullname" . }}-registry-secret
       {{- end }}
+      {{- if not .Values.multus }}
       hostNetwork: true
+      {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           command: ["/scripts/startscript"]
@@ -47,7 +54,7 @@ spec:
           imagePullPolicy: {{ .Values.openvpn.pullPolicy }}
           env:
             - name: TZ
-              value: Europe/Moscow          
+              value: Europe/Moscow
           resources:
             {{- toYaml .Values.openvpn.resources | nindent 12 }}
           volumeMounts:
@@ -59,6 +66,7 @@ spec:
               mountPath: /etc/openvpn/configuration/
             - name: scripts
               mountPath: /scripts/
+        {{- if and .Values.virtIP_addr .Values.virtIP_dev }}
         - name: {{ .Chart.Name }}-stop
           image: "{{ .Values.openvpn.image }}:{{ .Values.openvpn.tag | default "latest" }}"
           imagePullPolicy: {{ .Values.openvpn.pullPolicy }}
@@ -75,12 +83,19 @@ spec:
               add:
                 - NET_ADMIN
                 - MKNOD
+        {{- end }}
+      {{- if .Values.multus }}
+      dnsPolicy: "None"
+      dnsConfig:
+        nameservers:
+          - {{ .Values.multus.dnsIP }}
+      {{- end }}
       volumes:
       - name: keys
         secret:
           secretName: {{ include "openvpn.fullname" . }}-keys
       - name: ccd
-        configMap: 
+        configMap:
           name: {{ include "openvpn.fullname" . }}-ccd
       - name: configuration
         configMap:
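Review bot: `nameservers:` in the new multus block renders `- ` (a null entry) when `.Values.multus` is set but `dnsIP` is omitted, which the API server rejects for `dnsConfig.nameservers`, and `dnsPolicy: "None"` then leaves the pod with no resolver at all. Make the value mandatory, `- {{ required "multus.dnsIP is required when multus is enabled" .Values.multus.dnsIP }}`, or gate the `dnsPolicy`/`dnsConfig` pair on `.Values.multus.dnsIP` and keep the cluster default otherwise. The `default-network` annotation names the attachment `{{ .Release.Name }}-net` while every other resource in the chart goes through `include "openvpn.fullname"`; it matches nad.yaml today, but a shared helper would keep the two from drifting. The enclosing `spec` block starts and ends outside the hunks.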

+ 29 - 0
helm/templates/nad.yaml

@@ -0,0 +1,29 @@
+{{- if .Values.multus }}
+apiVersion: "k8s.cni.cncf.io/v1"
+kind: NetworkAttachmentDefinition
+metadata:
+  name: {{ .Release.Name }}-net
+spec:
+  {{- with .Values.multus }}
+  config: '{
+            "cniVersion": "0.3.1",
+            "type": "macvlan",
+            "master": "{{ .masterIface }}",
+            "mode": "bridge",
+            "ipam": {
+                "type": "static",
+                "addresses": [ {
+                  "address": "{{ .internalIP }}",
+                  "gateway": "{{ .internalGW }}"
+                }{{- if .externalIP }},
+                {
+                  "address":"{{ .externalIP }}"
+                }{{- end }}
+                ],
+                "routes": [
+                  { "dst": "0.0.0.0/0" }
+                ]
+            }
+          }'
+  {{- end }}
+{{- end }}
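Review bot: The `config:` value is a single-quoted scalar with template values spliced into JSON unescaped, so a `masterIface`, `internalIP` or `externalIP` containing `'` ends the YAML scalar and any `"` or `\` breaks the JSON the CNI plugin parses. Write it as a block scalar and let the template emit the JSON literals: `config: |-`, `"master": {{ .masterIface | toJson }},`, `"address": {{ required "multus.internalIP is required" .internalIP | toJson }},` (likewise for `internalGW` and `externalIP`). Without `required`, a `multus:` map missing `internalIP` or `internalGW` renders `"address": ""`, which static IPAM only rejects at pod creation, well after `helm install` has reported success.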

+ 34 - 24
helm/values.yaml

@@ -1,7 +1,7 @@
-# Image registry secret. Required if authorization is needed on registry access. 
+# Image registry secret. Required if authorization is needed on registry access.
 # Value of $(base64 ~/.docker/config.json).
 # For more info see https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
-# registry_secret_data: 
+# registry_secret_data:
 
 # Settings for main openvpn deployment
 openvpn:
@@ -9,7 +9,7 @@ openvpn:
   tag: "200207025"
   pullPolicy: IfNotPresent
 
-#  podAnnotations:
+  podAnnotations: {}
   resources:
     limits:
       cpu: 350m
@@ -61,26 +61,36 @@ openvpn:
   #   #!/bin/bash
   #   echo state | nc localhost 7505 | grep -i connected
 
-service:
+service: {}
   # Loadbalancer IP and port
   # ip, port and protocol for loadbalancer service, in case it's a server
-  ip: 192.168.21.75
+  # ip: 192.168.21.75
   # must be same, as port in openvpn config
-  port: 1194
+  # port: 1194
   # must be same, as proto in openvpn config
-  proto: UDP
+  # proto: UDP
   # annotations
-  annotations: {}
+  # annotations: {}
   #  metallb.universe.tf/allow-shared-ip: openvpn-ip
 
 # Virtual flow ip for openvpn service
-virtIP_addr: 192.168.21.71
-virtIP_dev: team0
+virtIP_addr: {}
+# 192.168.21.71
+virtIP_dev: {}
+# team0
+
+# Create additional NetworkAttachmentDefinition for multus deployment
+multus: {}
+  # masterIface: team0
+  # internalIP: 10.215.0.10/24
+  # internalGW: 10.215.0.1
+  # externalIP: 217.74.42.168/32
+  # dnsIP: 192.168.215.100
 
 # Networks CIDR which has to be routed through openvpn
-netOpenvpn:
-  - 10.10.0.0/16
-  - 10.1.200.0/24
+netOpenvpn: {}
+  # - 10.10.0.0/16
+  # - 10.1.200.0/24
 
 # CCD configmap
 ccd: {}
@@ -90,14 +100,14 @@ ccd: {}
 #    push "route 192.168.200.0 255.255.248.0"
 
 # Router container
-router:
-  image: "images.sdsys.ru/sys/ovpn-rsa" #nicolaka/netshoot 
-  tag: "200207025"         
-  pullPolicy: IfNotPresent
-  resources:
-    limits:
-      cpu: 50m
-      memory: 50Mi
-    requests:
-      cpu: 50m
-      memory: 50Mi
+router: {}
+  # image: "images.sdsys.ru/sys/ovpn-rsa" #nicolaka/netshoot
+  # tag: "200207025"
+  # pullPolicy: IfNotPresent
+  # resources:
+  #   limits:
+  #     cpu: 50m
+  #     memory: 50Mi
+  #   requests:
+  #     cpu: 50m
+  #     memory: 50Mi
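Review bot: The `{}` placeholders at `service: {}`, `multus: {}`, `netOpenvpn: {}` and `router: {}` are followed by indented, commented-out example children, so a user who uncomments an example gets a YAML parse error (`{}` already closed the value and a nested `masterIface:` or `- 10.10.0.0/16` cannot follow it). Keep the active line empty and put the whole example, key included, in the comment, e.g. `multus: {}` followed by `# multus:` / `#   masterIface: team0`; and use `netOpenvpn: []`, since the templates `range` over it as a list. `virtIP_addr: {}` and `virtIP_dev: {}` hand an empty map to values the templates use as strings; `""` (or `null`) is just as falsy in the `if and` gates and reads as what it is.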