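---
# NOTE(review): this file was restored from a copy in which line breaks and
# indentation were lost. The nesting below (one top-level key per section next
# to `openvpn:` and `router:`) is reconstructed from the section comments and
# must be confirmed against the chart templates before use.

# Image registry secret. Required if authorization is needed on registry access.
# Value of $(base64 ~/.docker/config.json).
# For more info see https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
# registry_secret_data:

# Settings for the main openvpn deployment
openvpn:
  image: "jcr.infoclinica.ru/sys/openvpn-rsa"
  tag: "200207025"
  pullPolicy: IfNotPresent
  # podAnnotations:
  resources:
    limits:
      cpu: 350m
      memory: 50Mi
    requests:
      cpu: 350m
      memory: 50Mi

# Openvpn config file, presumably rendered to the path the startscript below
# passes to --config (/etc/openvpn/configuration/openvpn.conf).
# NOTE(review): `comp-lzo yes` / `push comp-lzo yes` enable link compression,
# which the OpenVPN project advises against on encrypted links; keep it only if
# the clients require it. The `push` line is reproduced as found — OpenVPN's
# documented form quotes the pushed option (push "comp-lzo yes"); confirm
# against the rendered config. The management interface is bound to localhost
# only and has no password.
configuration: |-
  dev openvpn-tun
  dev-type tun
  port 1194
  proto udp
  verb 3
  status /var/log/openvpn-status.log
  management localhost 7505
  keepalive 10 120
  persist-key
  persist-tun
  comp-lzo yes
  push comp-lzo yes
  topology subnet
  mssfix
  server 10.100.0.0 255.255.0.0
  crl-verify /etc/openvpn/keys/crl.pem
  client-config-dir /etc/openvpn/ccd
  ccd-exclusive
  ca /etc/openvpn/keys/ca.crt
  cert /etc/openvpn/keys/server.crt
  key /etc/openvpn/keys/server.key

# Openvpn keys. The values below are placeholders only; keep real PEM material
# (especially server.key) out of committed values files and supply it at
# install time instead (for example with --set-file or from a secret store).
keys:
  ca.crt: |-
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
  server.crt: |-
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
  server.key: |-
    -----BEGIN PRIVATE KEY-----
    -----END PRIVATE KEY-----
  crl.pem: |-
    -----BEGIN X509 CRL-----
    -----END X509 CRL-----

# Openvpn deployment scripts
scripts:
  # Initscript, executed by a dedicated initialization container; its purpose
  # is to set firewall rules (or something similar) before openvpn starts.
  # `set -euo pipefail` makes the init container fail — and the pod not start —
  # when any rule cannot be installed. Without it a failed iptables call was
  # ignored and the pod came up without the intended restrictions (fail-open).
  # Every rule is inserted at position 1, so the later ACCEPT for a chain lands
  # above the earlier DROP for the same chain.
  initscript: |-
    #!/bin/bash
    set -euo pipefail
    iptables -I FORWARD 1 -m state --state NEW -s 10.100.10.0/24 -i openvpn-tun -j DROP
    iptables -I FORWARD 1 -m state --state NEW -s 10.100.10.0/24 -d 192.168.205.10 -i openvpn-tun -j ACCEPT
    iptables -I INPUT 1 -m state --state NEW -s 10.100.10.0/24 -i openvpn-tun -j DROP
    iptables -I INPUT 1 -m state --state NEW -s 10.100.10.0/24 -d 217.74.42.72 -i openvpn-tun -j ACCEPT
  # Main openvpn container startup script, aka ENTRYPOINT.
  # The tun node is created only when it is missing, so a container restart
  # that already has /dev/net/tun does not fail on mkdir/mknod; openvpn then
  # replaces the shell via exec.
  startscript: |-
    #!/bin/bash
    mkdir -p /dev/net
    [ -c /dev/net/tun ] || mknod /dev/net/tun c 10 200
    exec "/usr/sbin/openvpn" "--config" "/etc/openvpn/configuration/openvpn.conf"
  # Stop script, executed by a separate container on Pod termination.
  # Deliberately without `set -e`: rules are removed best-effort so that one
  # rule already missing does not leave the remaining ones in place.
  stopscript: |-
    #!/bin/bash
    iptables -D FORWARD -m state --state NEW -s 10.100.10.0/24 -i openvpn-tun -j DROP
    iptables -D FORWARD -m state --state NEW -s 10.100.10.0/24 -d 192.168.205.10 -i openvpn-tun -j ACCEPT
    iptables -D INPUT -m state --state NEW -s 10.100.10.0/24 -i openvpn-tun -j DROP
    iptables -D INPUT -m state --state NEW -s 10.100.10.0/24 -d 217.74.42.72 -i openvpn-tun -j ACCEPT
  # The health check script. As written it contains only a comment, so it exits
  # 0 unconditionally and any probe wired to it always reports healthy; replace
  # the comment with a real check (for example a status query against the
  # management port 7505 configured above) before relying on it.
  healthcheck: |-
    #!/bin/bash
    # ping something, or check connection status on port 7505

# Inbound IP and port: address, port and protocol for the loadbalancer service,
# in case it's a server.
inbound_IP: 10.1.2.3
# must be the same as `port` in the openvpn config
inbound_port: 1194
# must be the same as `proto` in the openvpn config (Service protocol spelling,
# upper case)
inbound_proto: UDP

# Openvpn settings; must be the same as in the config. Used in the router
# daemonset.
dev_name: openvpn-tun
net: 10.100.0.0
mask: 255.255.0.0

# CCD configmap: presumably one entry per client, keyed by the client's name,
# whose value is that client's ccd file. Because the config sets
# `ccd-exclusive`, clients without an entry here are refused.
ccd:
  client: ifconfig-push 10.100.10.2 255.255.0.0
  someclient: |-
    ifconfig-push 10.100.10.3 255.255.0.0
    iroute 192.168.250.0 255.255.255.0

# Router container
router:
  image: "jcr.infoclinica.ru/sys/kubectl"
  tag: "1.18.9-3"
  pullPolicy: IfNotPresent
  resources:
    limits:
      cpu: 50m
      memory: 50Mi
    requests:
      cpu: 50m
      memory: 50Mi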