# Values for an OpenVPN (GOST build) server deployment plus a small "router" helper image.
# NOTE(review): this layout was reconstructed from a whitespace-collapsed copy. The nesting of
# keys/scripts/inbound_*/ccd under `openvpn` and the line breaks inside block scalars are
# inferred; confirm against the chart templates.

# SECURITY: base64 is an encoding, not encryption. This value decodes to a Docker client config
# whose `auths` entry for jcr.infoclinica.ru carries an `auth` credential, so anyone who can read
# this file holds the registry login. Treat it as exposed: rotate it and supply it at deploy time
# from a secret store instead of committing it.
registry_secret_data: ewoJImF1dGhzIjogewoJCSJqY3IuaW5mb2NsaW5pY2EucnUiOiB7CgkJCSJhdXRoIjogImNISnZkbWx6YVc5dU9tUmxiVzl6WlhKMlpYSWpjMlJ6TVRJeiIKCQl9Cgl9LAoJIkh0dHBIZWFkZXJzIjogewoJCSJVc2VyLUFnZW50IjogIkRvY2tlci1DbGllbnQvMTguMDkuOSAobGludXgpIgoJfQp9
openvpn:
  # Image is referenced by tag. Tags are mutable and pullPolicy IfNotPresent keeps whatever a node
  # already cached; pinning by digest would make the deployed image verifiable.
  image: "jcr.infoclinica.ru/iru/openvpn-gost"
  tag: "200518041"
  pullPolicy: IfNotPresent
  mode: server
  ccd_confdir: ccd
  # podAnnotations:
  resources:
    limits:
      cpu: 350m
      memory: 50Mi
    requests:
      cpu: 350m
      memory: 50Mi
  # OpenVPN server configuration, stored verbatim (startscript launches openvpn with
  # /etc/openvpn/configuration/openvpn.conf, presumably rendered from this value).
  # Review points, kept out of the scalar so the rendered config is unchanged:
  #  - `management localhost 7505` opens the management interface on a TCP port with no password
  #    file configured here; any process that can reach localhost in the pod can control the daemon.
  #  - `comp-lzo yes` enables compression inside the tunnel. Compression before encryption can leak
  #    information about plaintext (VORACLE-class issue); upstream OpenVPN deprecates comp-lzo.
  #    NOTE(review): this is a GOST fork; confirm what it supports before changing the setting.
  #  - `push comp-lzo yes` is unquoted while the other push lines are quoted. NOTE(review): verify
  #    the daemon accepts it and that clients really receive the option.
  #  - `crl-verify` together with `ccd-exclusive` means a client must be unrevoked and have a ccd
  #    entry to connect; both lists are static values in this file.
  configuration: |-
    dev external
    dev-type tun
    port 1195
    proto tcp
    verb 3
    status /var/log/openvpn-external-status.log
    management localhost 7505
    keepalive 10 120
    persist-key
    persist-tun
    comp-lzo yes
    push comp-lzo yes
    topology subnet
    mssfix
    server 10.9.0.0 255.255.0.0
    push "route 5.200.59.165 255.255.255.255"
    push "route 192.168.200.0 255.255.248.0"
    push "route 192.168.205.0 255.255.255.0"
    push "route 10.1.116.0 255.255.255.0"
    push "route 217.74.42.72 255.255.255.255"
    route 192.168.206.0 255.255.255.0
    route 192.168.201.0 255.255.255.0
    route 192.168.21.0 255.255.255.0
    route 10.10.0.0 255.255.0.0
    crl-verify /etc/openvpn/keys/crl.pem
    client-config-dir /etc/openvpn/ccd
    ccd-exclusive
    engine cryptocom
    auth gost-mac
    cipher gost89
    tls-cipher GOST2012-GOST8912-GOST8912
    ca /etc/openvpn/keys/ca.crt
    cert /etc/openvpn/keys/server.crt
    key /etc/openvpn/keys/server.key
  # PKI material referenced by the ca/cert/key/crl-verify lines of the configuration above.
  keys:
    # CA certificate (public).
    ca.crt: |-
      -----BEGIN CERTIFICATE-----
      MIICPzCCAeqgAwIBAgIJAL4mALec3gSvMAwGCCqFAwcBAQMCBQAwSTELMAkGA1UE
      BhMCUlUxDzANBgNVBAcTBk1vc2NvdzEOMAwGA1UEChMFU0RTeXMxGTAXBgNVBAMT
      EEVhc3ktR09TVCBDQSB2M2wwHhcNMjAwMzE4MDk1MTE2WhcNMjIwMzE4MDk1MTE2
      WjBJMQswCQYDVQQGEwJSVTEPMA0GA1UEBxMGTW9zY293MQ4wDAYDVQQKEwVTRFN5
      czEZMBcGA1UEAxMQRWFzeS1HT1NUIENBIHYzbDBmMB8GCCqFAwcBAQEBMBMGByqF
      AwICIwEGCCqFAwcBAQICA0MABEAllxmY+xR99A9iyEmgPb9mkm+Wm9jbYe2zOT0O
      tqhAREQUEJPaolixLvNxTxEsySyumqHDihrCD/LXTV9nUhnTo4GrMIGoMB0GA1Ud
      DgQWBBTf9pPnhQwwCC6VD+yCTkhWZpUWEDB5BgNVHSMEcjBwgBTf9pPnhQwwCC6V
      D+yCTkhWZpUWEKFNpEswSTELMAkGA1UEBhMCUlUxDzANBgNVBAcTBk1vc2NvdzEO
      MAwGA1UEChMFU0RTeXMxGTAXBgNVBAMTEEVhc3ktR09TVCBDQSB2M2yCCQC+JgC3
      nN4ErzAMBgNVHRMEBTADAQH/MAwGCCqFAwcBAQMCBQADQQBx4PZpxdGxFiA+3Dgs
      GUr4Urk8+jiQLbmknuD6vWUADO9A7VvMEEdZkWgml0/3Yt2qGs2ZZ56IMmkmwkM4
      Rozv
      -----END CERTIFICATE-----
    # Server certificate (public).
    server.crt: |-
      -----BEGIN CERTIFICATE-----
      MIICWDCCAgOgAwIBAgIBbjAMBggqhQMHAQEDAgUAMEkxCzAJBgNVBAYTAlJVMQ8w
      DQYDVQQHEwZNb3Njb3cxDjAMBgNVBAoTBVNEU3lzMRkwFwYDVQQDExBFYXN5LUdP
      U1QgQ0EgdjNsMB4XDTIwMDUxNzEzMzQ1NFoXDTIxMDUxNzEzMzQ1NFowSzELMAkG
      A1UEBhMCUlUxDzANBgNVBAcTBk1vc2NvdzEOMAwGA1UEChMFU0RTeXMxCjAIBgNV
      BAsTATIxDzANBgNVBAMTBnNlcnZlcjBmMB8GCCqFAwcBAQEBMBMGByqFAwICIwEG
      CCqFAwcBAQICA0MABEDMynDvbv1HLKFmQc1gdSCzC3XiBZkczzYEG3cGMwe9pPwu
      +XfeErjCnI6L3dZ20bZR7Ad91bwXoUjOVZQnuY88o4HKMIHHMAkGA1UdEwQCMAAw
      HQYDVR0OBBYEFGtYB3CvKR0VqUQRWqmzqwPxFjJCMHkGA1UdIwRyMHCAFN/2k+eF
      DDAILpUP7IJOSFZmlRYQoU2kSzBJMQswCQYDVQQGEwJSVTEPMA0GA1UEBxMGTW9z
      Y293MQ4wDAYDVQQKEwVTRFN5czEZMBcGA1UEAxMQRWFzeS1HT1NUIENBIHYzbIIJ
      AL4mALec3gSvMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIDiDAMBggq
      hQMHAQEDAgUAA0EAlDPHu4InFKvakuz70ISjgfYJddTbSMvnxGV9h9LCuOnyotML
      2k6/NS/SXEnVm/zaF2i1bMsUlU1mBQX3sxGRqQ==
      -----END CERTIFICATE-----
    # SECURITY: the server's private key is stored in plaintext in this values file. Anyone with
    # read access to the file or its history can impersonate the VPN server. Treat the key as
    # compromised once committed: reissue the server certificate and deliver the key from a
    # secret store (for example a separately managed Kubernetes Secret), not from chart values.
    server.key: |-
      -----BEGIN PRIVATE KEY-----
      MIGAAgEAMB8GCCqFAwcBAQEBMBMGByqFAwICIwEGCCqFAwcBAQICBCCQsswQzpFL
      7ecRbAKbTf8V5tZs8hMOnMDp486YomUsoaA4MDYGCCqFAwIJAwgBMSoEKAFsAU0p
      lsQAkisnUOguGeJ96UJQIXzPjpnm/WBFeECPYfeygjbUp10=
      -----END PRIVATE KEY-----
    # Certificate revocation list read by `crl-verify`. It is a static value, so a new revocation
    # presumably takes effect only after this value is updated and redeployed. Confirm how the
    # chart mounts it and who owns refreshing it.
    crl.pem: |-
      -----BEGIN X509 CRL-----
      MIIBMTCB3TAMBggqhQMHAQEDAgUAMEkxCzAJBgNVBAYTAlJVMQ8wDQYDVQQHEwZN
      b3Njb3cxDjAMBgNVBAoTBVNEU3lzMRkwFwYDVQQDExBFYXN5LUdPU1QgQ0EgdjNs
      Fw0yMDAzMjMwODAyMDJaFw0zMDAzMjEwODAyMDJaMGQwEgIBIxcNMTkxMjI1MTEz
      MjQwWjASAgElFw0yMDAzMjMwODAyMDFaMBICASoXDTIwMDIyODE1NDA0MVowEgIB
      MRcNMjAwMzExMDk1NjQ2WjASAgFAFw0yMDAzMTkxMTI4MTVaMAwGCCqFAwcBAQMC
      BQADQQDsLtvVArTSNUu58siBrFJnIFneV17SB8RzvB/NFsmqlDYKAcC5YlSuPeX0
      4NsLD/VSPLD1eJEZotycJgubXQhq
      -----END X509 CRL-----
  # Lifecycle scripts. iptables and mknod need elevated capabilities, so the pod presumably runs
  # with NET_ADMIN/MKNOD or privileged. Confirm the securityContext is as narrow as possible.
  scripts:
    # Firewall setup for the client range 10.9.10.0/24 on the tunnel device `external`.
    # Every rule is inserted at position 1, so the later ACCEPT rules end up above the DROP rules.
    # NOTE(review): the ACCEPT exceptions are added to INPUT, which only sees packets addressed to
    # this host. If 217.74.42.72, 5.200.59.165 and 192.168.205.10 are reached by forwarding, the
    # FORWARD DROP rule still applies and the exceptions never match. Verify the intended chain.
    initscript: |-
      #!/bin/bash
      iptables -I FORWARD 1 -m state --state NEW -s 10.9.10.0/24 -i external -j DROP
      iptables -I INPUT 1 -m state --state NEW -s 10.9.10.0/24 -i external -j DROP
      iptables -I INPUT 1 -m state --state NEW -s 10.9.10.0/24 -d 217.74.42.72 -i external -j ACCEPT
      iptables -I INPUT 1 -m state --state NEW -s 10.9.10.0/24 -d 5.200.59.165 -i external -j ACCEPT
      iptables -I INPUT 1 -m state --state NEW -s 10.9.10.0/24 -d 192.168.205.10 -i external -j ACCEPT
    # Copies the crypto-provider state into /root, feeds _SERVERKEY_ to getlicense.sh, creates the
    # TUN device node and then replaces the shell with the openvpn process.
    # SECURITY: _SERVERKEY_ is hard-coded here and piped to getlicense.sh. It looks like a product
    # licence key (TODO confirm); if so it is exposed to every reader of this file and should be
    # injected from a secret instead.
    # The script has no `set -e`: a failing mkdir/mknod does not stop the exec that follows.
    startscript: |-
      #!/bin/bash
      _SERVERKEY_="MZCP-EU87-PNM9-E985"
      cp -r /tmp/server/.magprocryptopack /root
      chmod -R 700 /root/.magprocryptopack
      echo ${_SERVERKEY_} | /opt/cryptopack3/ssl/misc/getlicense.sh
      touch /tmp/lic
      mkdir /dev/net
      mknod /dev/net/tun c 10 200
      exec "/opt/openvpn-gost/sbin/openvpn" "--config" "/etc/openvpn/configuration/openvpn.conf"
    # Removes exactly the rules that initscript inserted (same match criteria, -D instead of -I).
    stopscript: |-
      #!/bin/bash
      iptables -D FORWARD -m state --state NEW -s 10.9.10.0/24 -i external -j DROP
      iptables -D INPUT -m state --state NEW -s 10.9.10.0/24 -i external -j DROP
      iptables -D INPUT -m state --state NEW -s 10.9.10.0/24 -d 217.74.42.72 -i external -j ACCEPT
      iptables -D INPUT -m state --state NEW -s 10.9.10.0/24 -d 5.200.59.165 -i external -j ACCEPT
      iptables -D INPUT -m state --state NEW -s 10.9.10.0/24 -d 192.168.205.10 -i external -j ACCEPT
    # Uses the marker file /tmp/lic as a timestamp: when `find -mtime +1` reports it as older than
    # the threshold, the licence updater runs and the marker is touched again. Otherwise the script
    # only prints a message (Russian for "licence update not required"). It does not probe the
    # VPN daemon itself.
    healthcheck: |-
      #!/bin/bash
      update_lic() {
        /opt/cryptopack3/bin/updater -l /opt/cryptopack3/ssl/cryptocom.lic
        touch /tmp/lic
      }
      file=`find /tmp -name lic -type f -mtime +1`
      if [[ -z ${file} ]];then echo "Обновление лицензии не требуется"; else update_lic;fi
  # Inbound IP and port
  inbound_IP: 10.1.116.14
  inbound_port: 1195
  # These repeat values that also appear in `configuration` and in the iptables scripts
  # (dev external, server 10.9.0.0 255.255.0.0, 10.9.10.0/24); keep them in sync when editing.
  dev_name: external
  net: 10.9.0.0
  mask: 255.255.0.0
  client_net: "10.9.10.0/24"
  # Per-client config entries (one per certificate common name, as client-config-dir expects).
  # With `ccd-exclusive` only clients listed here may connect.
  # NOTE(review): `client` and `someclient` both push 10.9.10.2. Two clients with the same tunnel
  # address will conflict, and address-based firewall rules cannot tell them apart.
  ccd:
    client: ifconfig-push 10.9.10.2 255.255.0.0
    someclient: |-
      ifconfig-push 10.9.10.2 255.255.0.0
      iroute 192.168.250.0 255.255.255.0
# Helper image providing kubectl. NOTE(review): what it does with cluster credentials is not
# visible here; check that its service account is scoped to the minimum it needs.
router:
  image: "jcr.infoclinica.ru/sdsys/kubectl"
  tag: "1.18.9-3"
  pullPolicy: IfNotPresent
  resources:
    limits:
      cpu: 50m
      memory: 50Mi
    requests:
      cpu: 50m
      memory: 50Mi