Vadim Surkov há 3 anos atrás
pai
commit
bac8fe5823

+ 23 - 0
helm/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

+ 23 - 0
helm/Chart.yaml

@@ -0,0 +1,23 @@
+apiVersion: v2
+name: openvpn
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+appVersion: 1.16.0
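Review bot: `appVersion: 1.16.0` and `description: A Helm chart for Kubernetes` are still the `helm create` scaffold defaults and say nothing about what is deployed — values.yaml pins the image tag `200518041`, and the `openvpn.labels` helper stamps `app.kubernetes.io/version` from `appVersion` onto the Deployment and DaemonSet, so those labels will advertise a version that does not exist. Set `appVersion: "200518041"` (quoted, since it is all digits) and a real description, or drop `appVersion` so the version label is omitted.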

+ 79 - 0
helm/templates/_helpers.tpl

@@ -0,0 +1,79 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "openvpn.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "openvpn.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "openvpn.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "openvpn.labels" -}}
+helm.sh/chart: {{ include "openvpn.chart" . }}
+{{ include "openvpn.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{- define "openvpn.router.labels" -}}
+helm.sh/chart: {{ include "openvpn.chart" . }}
+{{ include "openvpn.router.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "openvpn.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "openvpn.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+component: application
+{{- end }}
+
+{{- define "openvpn.router.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "openvpn.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+component: router
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "openvpn.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "openvpn.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
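Review bot: `openvpn.serviceAccountName` dereferences `.Values.serviceAccount.create` and `.Values.serviceAccount.name`, but the values.yaml in this commit defines no `serviceAccount` map, so any template that includes the helper would fail rendering with a nil-pointer error. Nothing includes it today — daemonset.yaml and sa-rbac.yaml hard-code `{{ .Release.Name }}-router` — so either delete the helper or make it the single source of the name (`serviceAccountName: {{ include "openvpn.serviceAccountName" . }}` plus a `serviceAccount: {create: true, name: ""}` block in values). A short `{{/* ... */}}` comment above `openvpn.router.labels` noting that router pods carry `component: router` so the Service selector (`component: application`) never picks them up would help the next reader.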

+ 9 - 0
helm/templates/cm-ccd.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "openvpn.fullname" . }}-ccd
+data:
+{{- range $key, $val := .Values.ccd}}
+  {{ $key }}: {{- toYaml $val | indent 2}}
+{{- end }}
+
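Review bot: ConfigMap data keys must match `[-._a-zA-Z0-9]+`, and here each key is an OpenVPN client CN taken verbatim from `.Values.ccd`, so a CN containing a space, `@` or `/` fails at apply time rather than at lint time; a `{{ if not (regexMatch "^[-._a-zA-Z0-9]+$" $key) }}{{ fail (printf "ccd key %q is not a valid ConfigMap key" $key) }}{{ end }}` guard gives a clear error. The `{{- toYaml $val | indent 2}}` form only renders because `indent` happens to supply the separator after the colon; since every value is a string, `{{ $key }}: {{ $val | quote }}` is simpler and handles multi-line entries as well.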

+ 6 - 0
helm/templates/cm-configuration.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "openvpn.fullname" . }}-configuration
+data:
+  openvpn.conf: {{- toYaml .Values.openvpn.configuration | indent 2}}

+ 10 - 0
helm/templates/cm-openvpnscripts.yaml

@@ -0,0 +1,10 @@
+{{- if .Values.openvpn.scripts }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "openvpn.fullname" . }}-scripts
+data:
+  {{- range $key, $val := .Values.openvpn.scripts }}
+  {{ $key }}: {{- toYaml $val | indent 2}}
+  {{- end }}
+{{- end }}
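Review bot: `startscript.sh` carries a product license key in `_SERVERKEY_`, and through this template it lands in a ConfigMap, which is readable by anyone with `configmaps` get/list in the namespace and is not covered by Secret-specific audit or encryption-at-rest policies; pass it in via the `-keys` Secret (or a `valueFrom.secretKeyRef` env var) and have the script read `${_SERVERKEY_}` from the environment. The scripts are also only useful if something executes them — deployment.yaml mounts this ConfigMap at `/scripts` but the container runs `sleep infinity` — so if manual start-up via `kubectl exec` is the intent, a comment such as `# scripts are run by hand until the image entrypoint is fixed` would save the next reader a search.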

+ 20 - 0
helm/templates/cm-router.yaml

@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "openvpn.fullname" . }}-routecheck
+data:
+  route.sh: | 
+    while sleep 60
+    do
+      /sbin/ip link list {{ .Values.dev_name }} > /dev/null 2>&1
+      if [ $? -ne 0 ]; then
+        __server_pod_ip=$(kubectl get po -o json | jq -r '.items[] | select(.metadata.labels.component=="application") | select(.status.phase=="Running").status.podIP')
+        __route_ip=$(ip route get {{ .Values.net }} | awk '{print $3}') 
+        if [[ $__server_pod_ip != $__route_ip ]]; then
+          ip route delete {{ .Values.net }}/$(mask2cdr {{ .Values.mask }}) > /dev/null 2>&1
+          ip route add {{ .Values.net }}/$(mask2cdr {{ .Values.mask }}) via $__server_pod_ip
+        fi
+      fi
+    done
+  finish.sh: |
+    ip route delete {{ .Values.net }}/$(mask2cdr {{ .Values.mask }}) > /dev/null 2>&1
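Review bot: `route.sh` and `finish.sh` call `mask2cdr` in every `ip route delete`/`ip route add` line, but that function is defined nowhere in the chart and is not a standard utility, so unless the router image ships it the substitution expands to empty and `ip route add 10.9.0.0/ via …` fails on every pass; define it at the top of the script or carry a prefix length in values instead of a dotted mask. `__server_pod_ip` is unquoted and can be empty (no Running pod) or multi-line (two pods during a rollout, as the Deployment uses the default RollingUpdate strategy), which corrupts both the comparison and the `via` argument, and the script uses `[[` with no shebang and no `set -u`. Note that whichever Running pod in the namespace carries `component=application` becomes the next hop for the whole VPN subnet on every node, so the selector should at least include `app.kubernetes.io/instance={{ .Release.Name }}` — otherwise anyone able to create pods in the namespace can redirect that traffic. Nothing in daemonset.yaml executes either script.
```yaml
  route.sh: |
    #!/bin/bash
    set -u
    # … unchanged: while-sleep loop and `ip link list` check …
          __server_pod_ip=$(kubectl get po -l 'component=application,app.kubernetes.io/instance={{ .Release.Name }}' -o json \
            | jq -r '.items[] | select(.status.phase=="Running") | .status.podIP' | head -n1)
          [ -n "$__server_pod_ip" ] || continue
          __route_ip=$(ip route get {{ .Values.net }} 2>/dev/null | awk '{print $3}')
          if [ "$__server_pod_ip" != "$__route_ip" ]; then
            # … unchanged: ip route delete / ip route add, with "$__server_pod_ip" quoted …
          fi
```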

+ 44 - 0
helm/templates/daemonset.yaml

@@ -0,0 +1,44 @@
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+  name: {{ include "openvpn.fullname" . }}-router
+  labels:
+    {{- include "openvpn.router.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "openvpn.router.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "openvpn.router.selectorLabels" . | nindent 8 }}
+    spec:
+      serviceAccountName: {{ .Release.Name }}-router
+      {{- if .Values.registry_secret_data }}
+      imagePullSecrets:
+      - name: {{ include "openvpn.fullname" . }}-registry-secret
+      {{- end }}
+      hostNetwork: true
+      priorityClassName: system-cluster-critical
+      containers:
+        - name: {{ .Chart.Name }}-router
+          image: "{{ .Values.router.image }}:{{ .Values.router.tag }}"
+          imagePullPolicy: IfNotPresent
+          command: ["sleep"]
+          args: ["infinity"]
+          securityContext:
+            capabilities:
+              add:
+                - NET_ADMIN
+          resources:
+            {{- toYaml .Values.router.resources | nindent 12 }}
+          volumeMounts:
+            - name: routecheck
+              mountPath: /opt
+      volumes:
+      - name: routecheck
+        configMap:
+          name: {{ include "openvpn.fullname" . }}-routecheck
+          defaultMode: 0755
+      
+
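Review bot: nothing executes the mounted scripts — the router container runs `sleep infinity`, `/opt/route.sh` is never referenced and there is no `lifecycle.preStop` calling `/opt/finish.sh`, so the host route is neither maintained nor cleaned up when a pod is removed unless someone execs into every node's pod. The container combines `hostNetwork`, `NET_ADMIN`, a namespace-scoped API token and `system-cluster-critical` priority (which lets a `sleep` process preempt real workloads — check whether that is intended); at minimum add `allowPrivilegeEscalation: false` and drop every capability other than NET_ADMIN. `route.sh` uses `[[ ]]`, so the command below assumes bash is present in the router image.
```yaml
        - name: {{ .Chart.Name }}-router
          # … unchanged: image, imagePullPolicy …
          command: ["/bin/bash", "/opt/route.sh"]
          lifecycle:
            preStop:
              exec:
                command: ["/bin/sh", "/opt/finish.sh"]
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
              add: ["NET_ADMIN"]
          # … unchanged: resources, volumeMounts …
```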

+ 67 - 0
helm/templates/deployment.yaml

@@ -0,0 +1,67 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "openvpn.fullname" . }}
+  labels:
+    {{- include "openvpn.labels" . | nindent 4 }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      {{- include "openvpn.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+    {{- with .Values.openvpn.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+      labels:
+        {{- include "openvpn.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- if .Values.registry_secret_data }}
+      imagePullSecrets:
+      - name: {{ include "openvpn.fullname" . }}-registry-secret
+      {{- end }}
+      hostNetwork: true
+      containers:
+        - name: {{ .Chart.Name }}
+          command: ["sleep"]
+          args: ["infinity"]
+          securityContext:
+            capabilities:
+              add:
+                - NET_ADMIN
+          image: "{{ .Values.openvpn.image }}:{{ .Values.openvpn.tag | default "latest" }}"
+          imagePullPolicy: {{ .Values.openvpn.pullPolicy }}
+          env:
+            - name: TZ
+              value: Europe/Moscow          
+          resources:
+            {{- toYaml .Values.openvpn.resources | nindent 12 }}
+          volumeMounts:
+            - name: keys
+              mountPath: /etc/openvpn/keys/
+            - name: ccd
+              mountPath: /etc/openvpn/ccd/
+            - name: configuration
+              mountPath: /etc/openvpn/configuration/
+            {{- if .Values.openvpn.scripts }}
+            - name: scripts
+              mountPath: /scripts/
+            {{- end }}
+      volumes:
+      - name: keys
+        secret:
+          secretName: {{ include "openvpn.fullname" . }}-keys
+      - name: ccd
+        configMap: 
+          name: {{ include "openvpn.fullname" . }}-ccd
+      - name: configuration
+        configMap:
+          name: {{ include "openvpn.fullname" . }}-configuration
+      {{- if .Values.openvpn.scripts }}
+      - name: scripts
+        configMap:
+          name: {{ include "openvpn.fullname" . }}-scripts
+          defaultMode: 0755
+      {{- end }}
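Review bot: the openvpn container never starts OpenVPN — `command: ["sleep"]` / `args: ["infinity"]` replace the image entrypoint, `/scripts/startscript.sh` (which execs openvpn) is mounted but not referenced, and there is no liveness or readiness probe, so a dead or never-started server looks healthy to Kubernetes and to the LoadBalancer; unless manual `kubectl exec` start-up is intended, run the script as the command (guarded the same way as the `scripts` volume, since that mount is optional) and add a probe. Because the pod uses `hostNetwork: true`, the `management localhost 7505` line in the rendered config, which has no password file, is an unauthenticated control socket reachable by every process on the node rather than just the container — add a `pw-file` argument or drop the management line. The pod also gets the `default` ServiceAccount token mounted although it never calls the API, and the security context adds NET_ADMIN without dropping anything; `startscript.sh` runs `mknod /dev/net/tun`, so MKNOD must stay in the add list if ALL is dropped.
```yaml
    spec:
      automountServiceAccountToken: false  # the server pod never talks to the API server
      # … unchanged: imagePullSecrets, hostNetwork …
      containers:
        - name: {{ .Chart.Name }}
          command: ["/bin/sh", "/scripts/startscript.sh"]
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
              add: ["NET_ADMIN", "MKNOD"]
          # … unchanged: image, imagePullPolicy, env, resources, volumeMounts …
```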

+ 31 - 0
helm/templates/sa-rbac.yaml

@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Release.Name }}-router
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-router
+rules:
+  - apiGroups:
+      - ""
+    resources: ["pods"]
+    verbs: ["get", "list", "watch"]
+
+---
+
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}-router
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ .Release.Name }}-router
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Release.Name }}-router
+    namespace: {{ .Release.Namespace }}
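Review bot: the Role grants `get`, `list` and `watch` on pods, but the only consumer, `route.sh`, runs `kubectl get po -o json`, which is a single `list` call; trim it to `verbs: ["list"]` so the token present on every node (the DaemonSet runs with hostNetwork and NET_ADMIN) cannot also be used to watch or read individual pods. The three objects carry no labels while the Deployment and DaemonSet use the `openvpn.*.labels` helpers — add `labels: {{- include "openvpn.router.labels" . | nindent 4 }}` to each for consistency. Naming them `{{ .Release.Name }}-router` matches daemonset.yaml but bypasses `openvpn.fullname` and the unused `openvpn.serviceAccountName` helper; pick one scheme for the whole chart.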

+ 8 - 0
helm/templates/secret-keys.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "openvpn.fullname" . }}-keys
+data:
+{{- range $key, $val := .Values.openvpn.keys}}
+  {{ $key }}: {{- b64enc $val | indent 2}}
+{{- end }}
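Review bot: every entry of `.Values.openvpn.keys`, including `server.key`, has to be present in plain text in the values file for this template to work, which is what put the private key into values.yaml in this commit; add an `existingSecret` escape hatch — wrap the manifest in `{{- if not .Values.openvpn.existingSecret }}` and have deployment.yaml use `secretName: {{ .Values.openvpn.existingSecret | default (printf "%s-keys" (include "openvpn.fullname" .)) }}` — so operators can create the Secret out of band. Helm also stores supplied values in the release Secret, so even `--set-file` duplicates the key material there; an existing Secret avoids that as well. `{{- b64enc $val | indent 2}}` only renders because `indent` supplies the separator after the colon; `{{ $key }}: {{ $val | b64enc }}` reads as intended.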

+ 9 - 0
helm/templates/secret-registry.yaml

@@ -0,0 +1,9 @@
+{{ if .Values.registry_secret_data }}
+apiVersion: v1
+data:
+  .dockerconfigjson: {{ .Values.registry_secret_data }}
+kind: Secret
+metadata:
+  name: {{ include "openvpn.fullname" . }}-registry-secret
+type: kubernetes.io/dockerconfigjson
+{{ end }}
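Review bot: `.dockerconfigjson: {{ .Values.registry_secret_data }}` is emitted unquoted; base64 text happens to be YAML-safe, but `{{ .Values.registry_secret_data | quote }}` guards against a raw JSON config being pasted in by mistake, which would start with `{` and be parsed as a flow mapping. The opening `{{ if ... }}` without `-` leaves a blank first line in the manifest — harmless, but `{{- if` matches the rest of the chart. Consider accepting `registry.server`/`username`/`password` and building the blob with `printf` and `b64enc`, or an existing pull-secret name, rather than a pre-encoded credential that must live in values.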

+ 14 - 0
helm/templates/service.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ .Release.Name }}-ingress
+spec:
+  type: LoadBalancer
+  selector:
+    {{- include "openvpn.selectorLabels" . | nindent 4 }}
+  ports:
+  - name: ingress
+    protocol: TCP
+    port: {{ .Values.inbound_port }}
+  loadBalancerIP: {{ .Values.inbound_IP }}
+  externalTrafficPolicy: Local
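Review bot: the Service declares `port: {{ .Values.inbound_port }}` with no `targetPort`, and because the backing pod runs with `hostNetwork: true` the traffic lands on the node's port `inbound_port`, which must equal the `port 1195` / `proto tcp` lines embedded inside `openvpn.configuration`; those are unrelated values today, so render the config's `port` and `proto` from `inbound_port` (and a `protocol` value) to prevent drift. The object has no labels unlike the Deployment it fronts — add `labels: {{- include "openvpn.labels" . | nindent 4 }}`. `loadBalancerIP` is deprecated upstream since Kubernetes 1.24 in favour of provider-specific annotations, so plan for that migration.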

+ 150 - 0
helm/values.yaml

@@ -0,0 +1,150 @@
+registry_secret_data: ewoJImF1dGhzIjogewoJCSJqY3IuaW5mb2NsaW5pY2EucnUiOiB7CgkJCSJhdXRoIjogImNISnZkbWx6YVc5dU9tUmxiVzl6WlhKMlpYSWpjMlJ6TVRJeiIKCQl9Cgl9LAoJIkh0dHBIZWFkZXJzIjogewoJCSJVc2VyLUFnZW50IjogIkRvY2tlci1DbGllbnQvMTguMDkuOSAobGludXgpIgoJfQp9
+
+openvpn:
+  image: "jcr.infoclinica.ru/iru/openvpn-gost"
+  tag: "200518041"
+  pullPolicy: IfNotPresent
+
+  mode: server
+  ccd_confdir: ccd
+
+#  podAnnotations:
+  resources:
+    limits:
+      cpu: 350m
+      memory: 50Mi
+    requests:
+      cpu: 350m
+      memory: 50Mi
+  configuration: |-
+    dev             external
+    dev-type        tun
+    port            1195
+    proto           tcp
+    verb            3
+    status /var/log/openvpn-external-status.log
+    management localhost 7505
+    keepalive       10 120
+    persist-key
+    persist-tun
+    comp-lzo       yes
+    push comp-lzo  yes
+    topology subnet
+    mssfix
+    server  10.9.0.0 255.255.0.0
+    push "route 5.200.59.165 255.255.255.255"
+    push "route 192.168.200.0 255.255.248.0"
+    push "route 192.168.205.0 255.255.255.0"
+    push "route 10.1.116.0 255.255.255.0"
+    push "route 217.74.42.71 255.255.255.255"
+    route 192.168.206.0 255.255.255.0
+    route 192.168.201.0 255.255.255.0
+    route 192.168.21.0 255.255.255.0
+    route 10.10.0.0 255.255.0.0
+    crl-verify /etc/openvpn/keys/crl.pem
+    client-config-dir /etc/openvpn/ccd
+    ccd-exclusive
+    engine          cryptocom
+    auth            gost-mac
+    cipher          gost89
+    tls-cipher      GOST2012-GOST8912-GOST8912
+    ca              /etc/openvpn/keys/ca.crt
+    cert            /etc/openvpn/keys/server.crt
+    key             /etc/openvpn/keys/server.key
+  
+  keys:
+    ca.crt: |-
+      -----BEGIN CERTIFICATE-----
+      MIICPzCCAeqgAwIBAgIJAL4mALec3gSvMAwGCCqFAwcBAQMCBQAwSTELMAkGA1UE
+      BhMCUlUxDzANBgNVBAcTBk1vc2NvdzEOMAwGA1UEChMFU0RTeXMxGTAXBgNVBAMT
+      EEVhc3ktR09TVCBDQSB2M2wwHhcNMjAwMzE4MDk1MTE2WhcNMjIwMzE4MDk1MTE2
+      WjBJMQswCQYDVQQGEwJSVTEPMA0GA1UEBxMGTW9zY293MQ4wDAYDVQQKEwVTRFN5
+      czEZMBcGA1UEAxMQRWFzeS1HT1NUIENBIHYzbDBmMB8GCCqFAwcBAQEBMBMGByqF
+      AwICIwEGCCqFAwcBAQICA0MABEAllxmY+xR99A9iyEmgPb9mkm+Wm9jbYe2zOT0O
+      tqhAREQUEJPaolixLvNxTxEsySyumqHDihrCD/LXTV9nUhnTo4GrMIGoMB0GA1Ud
+      DgQWBBTf9pPnhQwwCC6VD+yCTkhWZpUWEDB5BgNVHSMEcjBwgBTf9pPnhQwwCC6V
+      D+yCTkhWZpUWEKFNpEswSTELMAkGA1UEBhMCUlUxDzANBgNVBAcTBk1vc2NvdzEO
+      MAwGA1UEChMFU0RTeXMxGTAXBgNVBAMTEEVhc3ktR09TVCBDQSB2M2yCCQC+JgC3
+      nN4ErzAMBgNVHRMEBTADAQH/MAwGCCqFAwcBAQMCBQADQQBx4PZpxdGxFiA+3Dgs
+      GUr4Urk8+jiQLbmknuD6vWUADO9A7VvMEEdZkWgml0/3Yt2qGs2ZZ56IMmkmwkM4
+      Rozv
+      -----END CERTIFICATE-----
+    server.crt: |-
+      -----BEGIN CERTIFICATE-----
+      MIICWDCCAgOgAwIBAgIBbjAMBggqhQMHAQEDAgUAMEkxCzAJBgNVBAYTAlJVMQ8w
+      DQYDVQQHEwZNb3Njb3cxDjAMBgNVBAoTBVNEU3lzMRkwFwYDVQQDExBFYXN5LUdP
+      U1QgQ0EgdjNsMB4XDTIwMDUxNzEzMzQ1NFoXDTIxMDUxNzEzMzQ1NFowSzELMAkG
+      A1UEBhMCUlUxDzANBgNVBAcTBk1vc2NvdzEOMAwGA1UEChMFU0RTeXMxCjAIBgNV
+      BAsTATIxDzANBgNVBAMTBnNlcnZlcjBmMB8GCCqFAwcBAQEBMBMGByqFAwICIwEG
+      CCqFAwcBAQICA0MABEDMynDvbv1HLKFmQc1gdSCzC3XiBZkczzYEG3cGMwe9pPwu
+      +XfeErjCnI6L3dZ20bZR7Ad91bwXoUjOVZQnuY88o4HKMIHHMAkGA1UdEwQCMAAw
+      HQYDVR0OBBYEFGtYB3CvKR0VqUQRWqmzqwPxFjJCMHkGA1UdIwRyMHCAFN/2k+eF
+      DDAILpUP7IJOSFZmlRYQoU2kSzBJMQswCQYDVQQGEwJSVTEPMA0GA1UEBxMGTW9z
+      Y293MQ4wDAYDVQQKEwVTRFN5czEZMBcGA1UEAxMQRWFzeS1HT1NUIENBIHYzbIIJ
+      AL4mALec3gSvMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIDiDAMBggq
+      hQMHAQEDAgUAA0EAlDPHu4InFKvakuz70ISjgfYJddTbSMvnxGV9h9LCuOnyotML
+      2k6/NS/SXEnVm/zaF2i1bMsUlU1mBQX3sxGRqQ==
+      -----END CERTIFICATE-----
+    server.key: |-
+      -----BEGIN PRIVATE KEY-----
+      MIGAAgEAMB8GCCqFAwcBAQEBMBMGByqFAwICIwEGCCqFAwcBAQICBCCQsswQzpFL
+      7ecRbAKbTf8V5tZs8hMOnMDp486YomUsoaA4MDYGCCqFAwIJAwgBMSoEKAFsAU0p
+      lsQAkisnUOguGeJ96UJQIXzPjpnm/WBFeECPYfeygjbUp10=
+      -----END PRIVATE KEY-----
+    crl.pem: |-
+      -----BEGIN X509 CRL-----
+      MIIBMTCB3TAMBggqhQMHAQEDAgUAMEkxCzAJBgNVBAYTAlJVMQ8wDQYDVQQHEwZN
+      b3Njb3cxDjAMBgNVBAoTBVNEU3lzMRkwFwYDVQQDExBFYXN5LUdPU1QgQ0EgdjNs
+      Fw0yMDAzMjMwODAyMDJaFw0zMDAzMjEwODAyMDJaMGQwEgIBIxcNMTkxMjI1MTEz
+      MjQwWjASAgElFw0yMDAzMjMwODAyMDFaMBICASoXDTIwMDIyODE1NDA0MVowEgIB
+      MRcNMjAwMzExMDk1NjQ2WjASAgFAFw0yMDAzMTkxMTI4MTVaMAwGCCqFAwcBAQMC
+      BQADQQDsLtvVArTSNUu58siBrFJnIFneV17SB8RzvB/NFsmqlDYKAcC5YlSuPeX0
+      4NsLD/VSPLD1eJEZotycJgubXQhq
+      -----END X509 CRL-----
+
+  scripts:
+    startscript.sh: |-
+      _SERVERKEY_="MZCP-EU87-PNM9-E985"
+      cp -r /tmp/server/.magprocryptopack /root
+      chmod -R 700 /root/.magprocryptopack
+      echo ${_SERVERKEY_} | /opt/cryptopack3/ssl/misc/getlicense.sh
+      touch /tmp/lic
+      mkdir /dev/net
+      mknod /dev/net/tun c 10 200
+      exec "/opt/openvpn-gost/sbin/openvpn" "--config" "/etc/openvpn/configuration/openvpn.conf"
+    healthcheck.sh: |-
+      #!/bin/bash
+      update_lic() {
+        /opt/cryptopack3/bin/updater -l /opt/cryptopack3/ssl/cryptocom.lic
+        touch /tmp/lic
+      }
+      file=`find /tmp -name lic -type f -mtime +1`
+      if [[ -z ${file} ]];then echo "Обновление лицензии не требуется"; else update_lic;fi
+
+
+# Inbound IP and port
+inbound_IP: 10.1.116.14
+inbound_port: 1195
+
+dev_name: external
+net: 10.9.0.0
+mask: 255.255.0.0
+
+ccd:
+  client: ifconfig-push 10.9.10.2 255.255.0.0
+  someclient: |-
+    ifconfig-push 10.9.10.2 255.255.0.0
+    iroute 192.168.250.0 255.255.255.0
+
+router:
+  image: "jcr.infoclinica.ru/sdsys/kubectl"
+  tag: "1.18.9-3"
+  pullPolicy: IfNotPresent
+  resources:
+    limits:
+      cpu: 50m
+      memory: 50Mi
+    requests:
+      cpu: 50m
+      memory: 50Mi
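Review bot: this values file commits three live secrets — the VPN server private key under `openvpn.keys.server.key`, a registry pull credential in `registry_secret_data` (a base64 `.dockerconfigjson` with an `auth` entry for the internal registry) and the product license key `_SERVERKEY_` inside `startscript.sh` — and `.helmignore` does not exclude values.yaml, so `helm package` ships them too; rotate all three and move them to a pre-created Secret referenced by name, keeping only `ca.crt` and `crl.pem` here. The OpenVPN configuration enables `comp-lzo` and pushes it to clients, which is the compression-oracle (VORACLE) setting upstream advises against, and `management localhost 7505` has no password file even though the Deployment runs on the host network. `dev external`, `port 1195` and `server 10.9.0.0 255.255.0.0` inside `configuration` duplicate `dev_name`, `inbound_port`, `net` and `mask` below with nothing keeping them in sync — render those lines from the scalars instead. The two sample `ccd` entries both push `10.9.10.2`, and the embedded certificates appear (from their UTCTime fields) to expire in 2021/2022, so they are presumably placeholders; say so in a comment such as `# example material only — replace before deploying`.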
+