# Deployment values for an OpenVPN server built with GOST crypto support, plus
# a "router" helper image (Helm-style layout - TODO confirm).
# NOTE(review): confirm the nesting used here (configuration / keys / scripts /
# ccd under `openvpn`) against the templates that consume these values.
#
# SECURITY(review): three credentials are stored in this file in the clear:
#   - registry_secret_data            (registry login, base64 only)
#   - openvpn.keys.server.key         (the server's private key)
#   - _SERVERKEY_ in scripts.startscript (product licence key)
# Anyone with read access to the file or its history holds all three. Treat
# them as exposed: rotate them, and supply replacements from a secret store or
# an untracked values file instead of committing them here.

# Base64 of a Docker client config JSON (the decoded text starts with an
# "auths" map). Base64 is an encoding, not encryption, so this value is
# equivalent to the plaintext registry credential.
registry_secret_data: ewoJImF1dGhzIjogewoJCSJqY3IuaW5mb2NsaW5pY2EucnUiOiB7CgkJCSJhdXRoIjogImNISnZkbWx6YVc5dU9tUmxiVzl6WlhKMlpYSWpjMlJ6TVRJeiIKCQl9Cgl9LAoJIkh0dHBIZWFkZXJzIjogewoJCSJVc2VyLUFnZW50IjogIkRvY2tlci1DbGllbnQvMTguMDkuOSAobGludXgpIgoJfQp9

openvpn:
  # The image is referenced by tag only. With IfNotPresent a node keeps using
  # whatever it already cached under that tag; pin a digest if the registry
  # lets tags be overwritten (TODO confirm registry policy).
  image: "jcr.infoclinica.ru/iru/openvpn-gost"
  tag: "200518041"
  pullPolicy: IfNotPresent
  mode: server
  ccd_confdir: ccd
  # podAnnotations:
  # Requests equal limits for both CPU and memory.
  resources:
    limits:
      cpu: 350m
      memory: 50Mi
    requests:
      cpu: 350m
      memory: 50Mi

  # OpenVPN server configuration, passed through as literal text.
  #   - Listens on TCP 1195 with a tun device named "external"; the tunnel
  #     network is 10.9.0.0/16 in subnet topology.
  #   - `management localhost 7505` is given without a password-file argument,
  #     so any process that can reach that loopback port can drive the daemon.
  #   - `comp-lzo yes` is enabled and pushed to clients. Compression inside a
  #     VPN tunnel is the precondition for VORACLE-style plaintext recovery and
  #     upstream OpenVPN has deprecated comp-lzo; turning it off has to be
  #     coordinated with client configs.
  #   - `crl-verify` enforces the CRL from `keys`; `client-config-dir` together
  #     with `ccd-exclusive` rejects any client that has no file under `ccd`.
  #   - `engine cryptocom` with gost-mac / gost89 / GOST2012 TLS selects the
  #     GOST algorithms from that engine.
  #   - No `user`/`group` directive is present, so the daemon presumably keeps
  #     the privileges it was started with, and no tls-auth/tls-crypt key
  #     protects the control channel - NOTE(review): confirm whether the GOST
  #     build supports either.
  configuration: |-
    dev external
    dev-type tun
    port 1195
    proto tcp
    verb 3
    status /var/log/openvpn-external-status.log
    management localhost 7505
    keepalive 10 120
    persist-key
    persist-tun
    comp-lzo yes
    push comp-lzo yes
    topology subnet
    mssfix
    server 10.9.0.0 255.255.0.0
    push "route 192.168.205.0 255.255.255.0"
    push "route 10.1.116.0 255.255.255.0"
    push "route 217.74.42.72 255.255.255.255"
    route 192.168.21.0 255.255.255.0
    route 10.10.0.0 255.255.0.0
    crl-verify /etc/openvpn/keys/crl.pem
    client-config-dir /etc/openvpn/ccd
    ccd-exclusive
    engine cryptocom
    auth gost-mac
    cipher gost89
    tls-cipher GOST2012-GOST8912-GOST8912
    ca /etc/openvpn/keys/ca.crt
    cert /etc/openvpn/keys/server.crt
    key /etc/openvpn/keys/server.key

  # PKI material referenced by the ca / cert / key / crl-verify lines of
  # `configuration` (paths under /etc/openvpn/keys).
  keys:
    # CA certificate: public, fine to distribute.
    ca.crt: |-
      -----BEGIN CERTIFICATE-----
      MIICPzCCAeqgAwIBAgIJAL4mALec3gSvMAwGCCqFAwcBAQMCBQAwSTELMAkGA1UE
      BhMCUlUxDzANBgNVBAcTBk1vc2NvdzEOMAwGA1UEChMFU0RTeXMxGTAXBgNVBAMT
      EEVhc3ktR09TVCBDQSB2M2wwHhcNMjAwMzE4MDk1MTE2WhcNMjIwMzE4MDk1MTE2
      WjBJMQswCQYDVQQGEwJSVTEPMA0GA1UEBxMGTW9zY293MQ4wDAYDVQQKEwVTRFN5
      czEZMBcGA1UEAxMQRWFzeS1HT1NUIENBIHYzbDBmMB8GCCqFAwcBAQEBMBMGByqF
      AwICIwEGCCqFAwcBAQICA0MABEAllxmY+xR99A9iyEmgPb9mkm+Wm9jbYe2zOT0O
      tqhAREQUEJPaolixLvNxTxEsySyumqHDihrCD/LXTV9nUhnTo4GrMIGoMB0GA1Ud
      DgQWBBTf9pPnhQwwCC6VD+yCTkhWZpUWEDB5BgNVHSMEcjBwgBTf9pPnhQwwCC6V
      D+yCTkhWZpUWEKFNpEswSTELMAkGA1UEBhMCUlUxDzANBgNVBAcTBk1vc2NvdzEO
      MAwGA1UEChMFU0RTeXMxGTAXBgNVBAMTEEVhc3ktR09TVCBDQSB2M2yCCQC+JgC3
      nN4ErzAMBgNVHRMEBTADAQH/MAwGCCqFAwcBAQMCBQADQQBx4PZpxdGxFiA+3Dgs
      GUr4Urk8+jiQLbmknuD6vWUADO9A7VvMEEdZkWgml0/3Yt2qGs2ZZ56IMmkmwkM4
      Rozv
      -----END CERTIFICATE-----
    # Server certificate: public.
    server.crt: |-
      -----BEGIN CERTIFICATE-----
      MIICWDCCAgOgAwIBAgIBbjAMBggqhQMHAQEDAgUAMEkxCzAJBgNVBAYTAlJVMQ8w
      DQYDVQQHEwZNb3Njb3cxDjAMBgNVBAoTBVNEU3lzMRkwFwYDVQQDExBFYXN5LUdP
      U1QgQ0EgdjNsMB4XDTIwMDUxNzEzMzQ1NFoXDTIxMDUxNzEzMzQ1NFowSzELMAkG
      A1UEBhMCUlUxDzANBgNVBAcTBk1vc2NvdzEOMAwGA1UEChMFU0RTeXMxCjAIBgNV
      BAsTATIxDzANBgNVBAMTBnNlcnZlcjBmMB8GCCqFAwcBAQEBMBMGByqFAwICIwEG
      CCqFAwcBAQICA0MABEDMynDvbv1HLKFmQc1gdSCzC3XiBZkczzYEG3cGMwe9pPwu
      +XfeErjCnI6L3dZ20bZR7Ad91bwXoUjOVZQnuY88o4HKMIHHMAkGA1UdEwQCMAAw
      HQYDVR0OBBYEFGtYB3CvKR0VqUQRWqmzqwPxFjJCMHkGA1UdIwRyMHCAFN/2k+eF
      DDAILpUP7IJOSFZmlRYQoU2kSzBJMQswCQYDVQQGEwJSVTEPMA0GA1UEBxMGTW9z
      Y293MQ4wDAYDVQQKEwVTRFN5czEZMBcGA1UEAxMQRWFzeS1HT1NUIENBIHYzbIIJ
      AL4mALec3gSvMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIDiDAMBggq
      hQMHAQEDAgUAA0EAlDPHu4InFKvakuz70ISjgfYJddTbSMvnxGV9h9LCuOnyotML
      2k6/NS/SXEnVm/zaF2i1bMsUlU1mBQX3sxGRqQ==
      -----END CERTIFICATE-----
    # SECURITY(review): unencrypted server private key stored in a values file.
    # Whoever reads it can impersonate this VPN server to clients that trust
    # the CA above. Reissue the server certificate with a fresh key and deliver
    # the key through a secret object or secret manager, not through values.
    server.key: |-
      -----BEGIN PRIVATE KEY-----
      MIGAAgEAMB8GCCqFAwcBAQEBMBMGByqFAwICIwEGCCqFAwcBAQICBCCQsswQzpFL
      7ecRbAKbTf8V5tZs8hMOnMDp486YomUsoaA4MDYGCCqFAwIJAwgBMSoEKAFsAU0p
      lsQAkisnUOguGeJ96UJQIXzPjpnm/WBFeECPYfeygjbUp10=
      -----END PRIVATE KEY-----
    # Certificate revocation list checked by `crl-verify`. It is a static
    # value here, so a new revocation presumably only takes effect after this
    # entry is regenerated and the release is redeployed - TODO confirm.
    crl.pem: |-
      -----BEGIN X509 CRL-----
      MIIBMTCB3TAMBggqhQMHAQEDAgUAMEkxCzAJBgNVBAYTAlJVMQ8wDQYDVQQHEwZN
      b3Njb3cxDjAMBgNVBAoTBVNEU3lzMRkwFwYDVQQDExBFYXN5LUdPU1QgQ0EgdjNs
      Fw0yMDAzMjMwODAyMDJaFw0zMDAzMjEwODAyMDJaMGQwEgIBIxcNMTkxMjI1MTEz
      MjQwWjASAgElFw0yMDAzMjMwODAyMDFaMBICASoXDTIwMDIyODE1NDA0MVowEgIB
      MRcNMjAwMzExMDk1NjQ2WjASAgFAFw0yMDAzMTkxMTI4MTVaMAwGCCqFAwcBAQMC
      BQADQQDsLtvVArTSNUu58siBrFJnIFneV17SB8RzvB/NFsmqlDYKAcC5YlSuPeX0
      4NsLD/VSPLD1eJEZotycJgubXQhq
      -----END X509 CRL-----

  # Shell scripts shipped as literal text. When they run (init container,
  # entrypoint, lifecycle hook, probe) is decided by the templates, which are
  # not shown here.
  scripts:
    # Firewall for clients in 10.9.10.0/24 arriving on the "external" device.
    # Every rule is inserted at position 1, so each later rule lands above the
    # earlier one: on FORWARD the ACCEPT towards 192.168.205.10 ends up above
    # the blanket DROP, and on INPUT the ACCEPT towards 217.74.42.72 ends up
    # above its DROP. Only NEW-state packets are matched. None of the commands
    # is error-checked, so a failed insert leaves that traffic unfiltered.
    initscript: |-
      #!/bin/bash
      iptables -I FORWARD 1 -m state --state NEW -s 10.9.10.0/24 -i external -j DROP
      iptables -I FORWARD 1 -m state --state NEW -s 10.9.10.0/24 -d 192.168.205.10 -i external -j ACCEPT
      iptables -I INPUT 1 -m state --state NEW -s 10.9.10.0/24 -i external -j DROP
      iptables -I INPUT 1 -m state --state NEW -s 10.9.10.0/24 -d 217.74.42.72 -i external -j ACCEPT
    # Start-up sequence: copy the crypto pack state from /tmp/server into /root
    # and restrict it to mode 700, pipe the licence key into getlicense.sh,
    # stamp /tmp/lic, create the /dev/net/tun character device (10, 200) and
    # exec OpenVPN with the rendered config file.
    # SECURITY(review): _SERVERKEY_ is a licence key hard-coded in the script;
    # inject it from a secret (environment variable or mounted file) instead.
    # NOTE(review): mknod and the iptables calls in the sibling scripts
    # presumably need extra capabilities on the container - keep that grant as
    # narrow as the runtime allows.
    startscript: |-
      #!/bin/bash
      _SERVERKEY_="MZCP-EU87-PNM9-E985"
      cp -r /tmp/server/.magprocryptopack /root
      chmod -R 700 /root/.magprocryptopack
      echo ${_SERVERKEY_} | /opt/cryptopack3/ssl/misc/getlicense.sh
      touch /tmp/lic
      mkdir /dev/net
      mknod /dev/net/tun c 10 200
      exec "/opt/openvpn-gost/sbin/openvpn" "--config" "/etc/openvpn/configuration/openvpn.conf"
    # Removes the four rules that initscript inserted (same match
    # specifications, -D instead of -I).
    stopscript: |-
      #!/bin/bash
      iptables -D FORWARD -m state --state NEW -s 10.9.10.0/24 -i external -j DROP
      iptables -D FORWARD -m state --state NEW -s 10.9.10.0/24 -d 192.168.205.10 -i external -j ACCEPT
      iptables -D INPUT -m state --state NEW -s 10.9.10.0/24 -i external -j DROP
      iptables -D INPUT -m state --state NEW -s 10.9.10.0/24 -d 217.74.42.72 -i external -j ACCEPT
    # Licence refresh: when `find -mtime +1` reports /tmp/lic as stale, run the
    # updater and re-stamp the file; otherwise print a Russian message meaning
    # "licence update not required".
    # NOTE(review): despite the key name, nothing here probes the OpenVPN
    # process or the tunnel, so a hung daemon would not be reported as
    # unhealthy by this script.
    healthcheck: |-
      #!/bin/bash
      update_lic() {
        /opt/cryptopack3/bin/updater -l /opt/cryptopack3/ssl/cryptocom.lic
        touch /tmp/lic
      }
      file=`find /tmp -name lic -type f -mtime +1`
      if [[ -z ${file} ]];then echo "Обновление лицензии не требуется"; else update_lic;fi

  # Inbound IP and port
  inbound_IP: 10.1.116.14
  inbound_port: 1195
  # These repeat the device name, tunnel network and client subnet that appear
  # in `configuration` and in the iptables rules; keep them in step when any
  # of them changes.
  dev_name: external
  net: 10.9.0.0
  mask: 255.255.0.0
  client_net: "10.9.10.0/24"
  # Per-client OpenVPN settings, one entry per client name (presumably the
  # certificate common name). With `ccd-exclusive` set in `configuration`,
  # only clients listed here are admitted.
  # NOTE(review): both entries push the same address 10.9.10.2; two clients
  # cannot hold it at once, so these look like sample entries - confirm.
  ccd:
    client: ifconfig-push 10.9.10.2 255.255.0.0
    someclient: |-
      ifconfig-push 10.9.10.2 255.255.0.0
      iroute 192.168.250.0 255.255.255.0

# Helper container built from a kubectl image.
# NOTE(review): a kubectl image suggests this component talks to the
# Kubernetes API; check that the service account it runs under carries only
# the RBAC permissions it needs.
router:
  image: "jcr.infoclinica.ru/sdsys/kubectl"
  tag: "1.18.9-3"
  pullPolicy: IfNotPresent
  resources:
    limits:
      cpu: 50m
      memory: 50Mi
    requests:
      cpu: 50m
      memory: 50Mi