
refactoring router and stop-start logic

Vadim Surkov há 3 anos atrás
pai
commit
c287a7bb95
3 ficheiros alterados com 54 adições e 9 exclusões
  1. 12 9
      helm/templates/cm-router.yaml
  2. 31 0
      helm/templates/deployment.yaml
  3. 11 0
      helm/values.yaml

+ 12 - 9
helm/templates/cm-router.yaml

@@ -8,20 +8,23 @@ data:
     while true
     do
       date
-      /sbin/ip link list {{ .Values.dev_name }} > /dev/null 2>&1
+      _cdr=$(mask2cdr {{ .Values.mask }})
+      ip link list {{ .Values.dev_name }} > /dev/null 2>&1
       if [ $? -ne 0 ]; then
         __server_pod_ip=$(kubectl get po -o json | jq -r '.items[] | select(.metadata.labels.component=="application" and .metadata.labels["app.kubernetes.io/instance"]=="{{ .Release.Name }}" and .metadata.labels["app.kubernetes.io/name"]=="{{ include "openvpn.name" . }}" and .metadata.deletionTimestamp==null and .status.phase=="Running").status.podIP')
-        __route_ip=$(ip route get {{ .Values.net }} | awk '{print $3}') 
+        if [ -z "$__server_pod_ip"]; then
+          ip route delete {{ .Values.net }}/$_cdr > /dev/null 2>&1
+          continue
+        fi
+        __route_ip=$(ip route get {{ .Values.net }}/$_cdr | awk '{print $3}')
         if [[ $__server_pod_ip != $__route_ip ]]; then
-          ip route delete {{ .Values.net }}/$(mask2cdr {{ .Values.mask }}) > /dev/null 2>&1
-          ip route add {{ .Values.net }}/$(mask2cdr {{ .Values.mask }}) via $__server_pod_ip
+          ip route delete {{ .Values.net }}/$_cdr > /dev/null 2>&1
+          ip route add {{ .Values.net }}/$_cdr via $__server_pod_ip
         fi
-      elif [ $(ip route show to match {{ .Values.net }} | wc -l) -gt 2 ]; then
-        ip route delete {{ .Values.net }}/$(mask2cdr {{ .Values.mask }}) > /dev/null 2>&1
-      elif [ $(ip route show to match {{ .Values.net }} | wc -l) -le 2 ]; then
-        ip route add {{ .Values.net }}/$(mask2cdr {{ .Values.mask }}) dev {{ .Values.dev_name }}
+      elif [ ! -z "$(ip route show to match {{ .Values.net }}/$_cdr | grep -E -v 'default|{{ .Values.dev_name }}')" ]; then
+        ip route delete $(ip route show to match {{ .Values.net }}/$_cdr | grep -E -v 'default|{{ .Values.dev_name }}')
       fi
       sleep 60
     done
   route-delete: |
-    ip route delete {{ .Values.net }}/$(mask2cdr {{ .Values.mask }}) > /dev/null 2>&1
+    ip route delete $(ip route show to match {{ .Values.net }}/$(mask2cdr {{ .Values.mask }}) | grep -E -v 'default|{{ .Values.dev_name }}')) > /dev/null 2>&1
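Review bot: The new `route-delete` line closes one parenthesis too many — `$(mask2cdr {{ .Values.mask }})` and the outer `$(ip route show ...)` are already closed before the final `)`, so bash rejects the script with a syntax error and the route is never removed; it should read `ip route delete $(ip route show to match {{ .Values.net }}/$(mask2cdr {{ .Values.mask }}) | grep -E -v 'default|{{ .Values.dev_name }}') > /dev/null 2>&1`. The new empty-IP guard `if [ -z "$__server_pod_ip"]; then` is missing the space before `]`, so `[` receives the single word `<ip>]`, reports a missing `]` and returns non-zero; the `continue` never fires and the loop falls through to `ip route get` and `ip route add ... via` with an empty address when no Running application pod exists — write `if [ -z "$__server_pod_ip" ]; then`. Both `ip route delete $(ip route show ...)` forms in the monitor loop and in `route-delete` pass the unquoted, word-split output of a listing as one argument vector, so two or more matching routes would be concatenated into a single malformed `ip route delete` call; iterating per line (`ip route show ... | grep ... | while read -r r; do ip route delete $r; done`) is safer. The block scalar holding this script, presumably including the `mask2cdr` helper it calls, starts before this hunk.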

+ 31 - 0
helm/templates/deployment.yaml

@@ -23,6 +23,20 @@ spec:
       - name: {{ include "openvpn.fullname" . }}-registry-secret
       {{- end }}
       hostNetwork: true
+      {{- if .Values.openvpn.scripts.initscript }}
+      initContainers:
+        - name: {{ .Chart.Name }}-init
+          image: "{{ .Values.openvpn.image }}:{{ .Values.openvpn.tag | default "latest" }}"
+          imagePullPolicy: {{ .Values.openvpn.pullPolicy }}
+          command: ["/scripts/initscript"]
+          volumeMounts:
+            - name: scripts
+              mountPath: /scripts/
+          securityContext:
+            capabilities:
+              add:
+                - NET_ADMIN
+      {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           {{- if .Values.openvpn.scripts.startscript }}
@@ -59,6 +73,23 @@ spec:
             - name: scripts
               mountPath: /scripts/
             {{- end }}
+        {{- if .Values.openvpn.scripts.stopscript }}
+        - name: {{ .Chart.Name }}-stop
+          image: "{{ .Values.openvpn.image }}:{{ .Values.openvpn.tag | default "latest" }}"
+          imagePullPolicy: {{ .Values.openvpn.pullPolicy }}
+          command: ["sleep","infinity"]
+          lifecycle:
+            preStop:
+              exec:
+                command: ["/bin/bash","-c","/scripts/stopscript"]
+          volumeMounts:
+            - name: scripts
+              mountPath: /scripts/
+          securityContext:
+            capabilities:
+              add:
+                - NET_ADMIN
+        {{- end }}
       volumes:
       - name: keys
         secret:
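Review bot: The `preStop` hook on the new `{{ .Chart.Name }}-stop` sidecar is the only path that removes the host-level iptables rules the new init container inserts, and preStop hooks are not guaranteed to run — a container that is SIGKILLed, evicted, or whose `terminationGracePeriodSeconds` expires skips them — so with `hostNetwork: true` (context line above the first hunk) the rules survive on the node after the pod is gone. A comment above `lifecycle:` such as `# best-effort cleanup of the iptables rules added by the init container; does not run on SIGKILL or grace-period expiry` would make that trade-off visible to the next maintainer. The init container runs `["/scripts/initscript"]` directly while the hook wraps its script in `["/bin/bash","-c","/scripts/stopscript"]`; both require the `scripts` volume to be mounted executable, and that volume's definition (the `volumes:` list begins at the end of the second hunk) is outside the diff, so I cannot confirm a `defaultMode` is set. Using the same invocation form in both places, e.g. `command: ["/scripts/stopscript"]`, would also remove the inconsistency.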

+ 11 - 0
helm/values.yaml

@@ -103,6 +103,11 @@ openvpn:
       -----END X509 CRL-----
 
   scripts:
+    initscript: |-
+      #!/bin/bash
+      iptables -I FORWARD 1 -m state --state NEW -s 10.9.10.0/24 -i external -j DROP
+      iptables -I INPUT 1 -m state --state NEW -s 10.9.10.0/24 -i external -j DROP
+      iptables -I INPUT 1 -m state --state NEW -s 10.9.10.0/24 -d 217.74.42.71 -i external -j ACCEPT
     startscript: |-
       #!/bin/bash
       _SERVERKEY_="MZCP-EU87-PNM9-E985"
@@ -113,6 +118,11 @@ openvpn:
       mkdir /dev/net
       mknod /dev/net/tun c 10 200
       exec "/opt/openvpn-gost/sbin/openvpn" "--config" "/etc/openvpn/configuration/openvpn.conf"
+    stopscript: |-
+      #!/bin/bash
+      iptables -D FORWARD -m state --state NEW -s 10.9.10.0/24 -i external -j DROP
+      iptables -D INPUT -m state --state NEW -s 10.9.10.0/24 -i external -j DROP
+      iptables -D INPUT -m state --state NEW -s 10.9.10.0/24 -d 217.74.42.71 -i external -j ACCEPT
     healthcheck: |-
       #!/bin/bash
       update_lic() {
@@ -130,6 +140,7 @@ inbound_port: 1195
 dev_name: external
 net: 10.9.0.0
 mask: 255.255.0.0
+client_net: "10.9.10.0/24"
 
 ccd:
   client: ifconfig-push 10.9.10.2 255.255.0.0
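Review bot: The `iptables -I ... 1` lines in the new `initscript` are not idempotent and the `-D` lines in `stopscript` each remove only one matching instance, so any init-container run that is not paired with a completed stop script (a pod killed before its preStop hook, or an init container re-run) leaves an extra copy of every rule in the host chains; guarding each insert, e.g. `iptables -C INPUT -m state --state NEW -s 10.9.10.0/24 -i external -j DROP 2>/dev/null || iptables -I INPUT 1 -m state --state NEW -s 10.9.10.0/24 -i external -j DROP`, keeps repeated runs from stacking rules. The ACCEPT for `217.74.42.71` is inserted at position 1 after the INPUT DROP so that it is evaluated first; that ordering dependency deserves a comment such as `# inserted after the DROP on purpose so it lands in front of it`. The new `client_net: "10.9.10.0/24"` key is read by nothing in this commit, while both scripts hard-code `10.9.10.0/24` and `external` instead of following it and the existing `dev_name`; unless the chart renders these scripts through `tpl`, values.yaml literals are not templated, so either wire the key in or drop it.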