sdsys
/
openvpn


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160
							registry_secret_data: ewoJImF1dGhzIjogewoJCSJqY3IuaW5mb2NsaW5pY2EucnUiOiB7CgkJCSJhdXRoIjogImNISnZkbWx6YVc5dU9tUmxiVzl6WlhKMlpYSWpjMlJ6TVRJeiIKCQl9Cgl9LAoJIkh0dHBIZWFkZXJzIjogewoJCSJVc2VyLUFnZW50IjogIkRvY2tlci1DbGllbnQvMTguMDkuOSAobGludXgpIgoJfQp9

openvpn:
  image: "jcr.infoclinica.ru/iru/openvpn-gost"
  tag: "200518041"
  pullPolicy: IfNotPresent

  mode: server
  ccd_confdir: ccd

#  podAnnotations:
  resources:
    limits:
      cpu: 350m
      memory: 50Mi
    requests:
      cpu: 350m
      memory: 50Mi
  configuration: |-
    dev             external
    dev-type        tun
    port            1195
    proto           tcp
    verb            3
    status /var/log/openvpn-external-status.log
    management localhost 7505
    keepalive       10 120
    persist-key
    persist-tun
    comp-lzo       yes
    push comp-lzo  yes
    topology subnet
    mssfix
    server  10.9.0.0 255.255.0.0
    push "route 192.168.205.0 255.255.255.0"
    push "route 10.1.116.0 255.255.255.0"
    push "route 217.74.42.72 255.255.255.255"
    route 192.168.21.0 255.255.255.0
    route 10.10.0.0 255.255.0.0
    crl-verify /etc/openvpn/keys/crl.pem
    client-config-dir /etc/openvpn/ccd
    ccd-exclusive
    engine          cryptocom
    auth            gost-mac
    cipher          gost89
    tls-cipher      GOST2012-GOST8912-GOST8912
    ca              /etc/openvpn/keys/ca.crt
    cert            /etc/openvpn/keys/server.crt
    key             /etc/openvpn/keys/server.key
  
  keys:
    ca.crt: |-
      -----BEGIN CERTIFICATE-----
      MIICPzCCAeqgAwIBAgIJAL4mALec3gSvMAwGCCqFAwcBAQMCBQAwSTELMAkGA1UE
      BhMCUlUxDzANBgNVBAcTBk1vc2NvdzEOMAwGA1UEChMFU0RTeXMxGTAXBgNVBAMT
      EEVhc3ktR09TVCBDQSB2M2wwHhcNMjAwMzE4MDk1MTE2WhcNMjIwMzE4MDk1MTE2
      WjBJMQswCQYDVQQGEwJSVTEPMA0GA1UEBxMGTW9zY293MQ4wDAYDVQQKEwVTRFN5
      czEZMBcGA1UEAxMQRWFzeS1HT1NUIENBIHYzbDBmMB8GCCqFAwcBAQEBMBMGByqF
      AwICIwEGCCqFAwcBAQICA0MABEAllxmY+xR99A9iyEmgPb9mkm+Wm9jbYe2zOT0O
      tqhAREQUEJPaolixLvNxTxEsySyumqHDihrCD/LXTV9nUhnTo4GrMIGoMB0GA1Ud
      DgQWBBTf9pPnhQwwCC6VD+yCTkhWZpUWEDB5BgNVHSMEcjBwgBTf9pPnhQwwCC6V
      D+yCTkhWZpUWEKFNpEswSTELMAkGA1UEBhMCUlUxDzANBgNVBAcTBk1vc2NvdzEO
      MAwGA1UEChMFU0RTeXMxGTAXBgNVBAMTEEVhc3ktR09TVCBDQSB2M2yCCQC+JgC3
      nN4ErzAMBgNVHRMEBTADAQH/MAwGCCqFAwcBAQMCBQADQQBx4PZpxdGxFiA+3Dgs
      GUr4Urk8+jiQLbmknuD6vWUADO9A7VvMEEdZkWgml0/3Yt2qGs2ZZ56IMmkmwkM4
      Rozv
      -----END CERTIFICATE-----
    server.crt: |-
      -----BEGIN CERTIFICATE-----
      MIICWDCCAgOgAwIBAgIBbjAMBggqhQMHAQEDAgUAMEkxCzAJBgNVBAYTAlJVMQ8w
      DQYDVQQHEwZNb3Njb3cxDjAMBgNVBAoTBVNEU3lzMRkwFwYDVQQDExBFYXN5LUdP
      U1QgQ0EgdjNsMB4XDTIwMDUxNzEzMzQ1NFoXDTIxMDUxNzEzMzQ1NFowSzELMAkG
      A1UEBhMCUlUxDzANBgNVBAcTBk1vc2NvdzEOMAwGA1UEChMFU0RTeXMxCjAIBgNV
      BAsTATIxDzANBgNVBAMTBnNlcnZlcjBmMB8GCCqFAwcBAQEBMBMGByqFAwICIwEG
      CCqFAwcBAQICA0MABEDMynDvbv1HLKFmQc1gdSCzC3XiBZkczzYEG3cGMwe9pPwu
      +XfeErjCnI6L3dZ20bZR7Ad91bwXoUjOVZQnuY88o4HKMIHHMAkGA1UdEwQCMAAw
      HQYDVR0OBBYEFGtYB3CvKR0VqUQRWqmzqwPxFjJCMHkGA1UdIwRyMHCAFN/2k+eF
      DDAILpUP7IJOSFZmlRYQoU2kSzBJMQswCQYDVQQGEwJSVTEPMA0GA1UEBxMGTW9z
      Y293MQ4wDAYDVQQKEwVTRFN5czEZMBcGA1UEAxMQRWFzeS1HT1NUIENBIHYzbIIJ
      AL4mALec3gSvMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGA1UdDwQEAwIDiDAMBggq
      hQMHAQEDAgUAA0EAlDPHu4InFKvakuz70ISjgfYJddTbSMvnxGV9h9LCuOnyotML
      2k6/NS/SXEnVm/zaF2i1bMsUlU1mBQX3sxGRqQ==
      -----END CERTIFICATE-----
    server.key: |-
      -----BEGIN PRIVATE KEY-----
      MIGAAgEAMB8GCCqFAwcBAQEBMBMGByqFAwICIwEGCCqFAwcBAQICBCCQsswQzpFL
      7ecRbAKbTf8V5tZs8hMOnMDp486YomUsoaA4MDYGCCqFAwIJAwgBMSoEKAFsAU0p
      lsQAkisnUOguGeJ96UJQIXzPjpnm/WBFeECPYfeygjbUp10=
      -----END PRIVATE KEY-----
    crl.pem: |-
      -----BEGIN X509 CRL-----
      MIIBMTCB3TAMBggqhQMHAQEDAgUAMEkxCzAJBgNVBAYTAlJVMQ8wDQYDVQQHEwZN
      b3Njb3cxDjAMBgNVBAoTBVNEU3lzMRkwFwYDVQQDExBFYXN5LUdPU1QgQ0EgdjNs
      Fw0yMDAzMjMwODAyMDJaFw0zMDAzMjEwODAyMDJaMGQwEgIBIxcNMTkxMjI1MTEz
      MjQwWjASAgElFw0yMDAzMjMwODAyMDFaMBICASoXDTIwMDIyODE1NDA0MVowEgIB
      MRcNMjAwMzExMDk1NjQ2WjASAgFAFw0yMDAzMTkxMTI4MTVaMAwGCCqFAwcBAQMC
      BQADQQDsLtvVArTSNUu58siBrFJnIFneV17SB8RzvB/NFsmqlDYKAcC5YlSuPeX0
      4NsLD/VSPLD1eJEZotycJgubXQhq
      -----END X509 CRL-----

  scripts:
    initscript: |-
      #!/bin/bash
      iptables -I FORWARD 1 -m state --state NEW -s 10.9.10.0/24 -i external -j DROP
      iptables -I FORWARD 1 -m state --state NEW -s 10.9.10.0/24 -d 192.168.205.10 -i external -j ACCEPT
      iptables -I INPUT 1 -m state --state NEW -s 10.9.10.0/24 -i external -j DROP
      iptables -I INPUT 1 -m state --state NEW -s 10.9.10.0/24 -d 217.74.42.72 -i external -j ACCEPT
    startscript: |-
      #!/bin/bash
      _SERVERKEY_="MZCP-EU87-PNM9-E985"
      cp -r /tmp/server/.magprocryptopack /root
      chmod -R 700 /root/.magprocryptopack
      echo ${_SERVERKEY_} | /opt/cryptopack3/ssl/misc/getlicense.sh
      touch /tmp/lic
      mkdir /dev/net
      mknod /dev/net/tun c 10 200
      exec "/opt/openvpn-gost/sbin/openvpn" "--config" "/etc/openvpn/configuration/openvpn.conf"
    stopscript: |-
      #!/bin/bash
      iptables -D FORWARD -m state --state NEW -s 10.9.10.0/24 -i external -j DROP
      iptables -D FORWARD -m state --state NEW -s 10.9.10.0/24 -d 192.168.205.10 -i external -j ACCEPT
      iptables -D INPUT -m state --state NEW -s 10.9.10.0/24 -i external -j DROP
      iptables -D INPUT -m state --state NEW -s 10.9.10.0/24 -d 217.74.42.72 -i external -j ACCEPT
    healthcheck: |-
      #!/bin/bash
      update_lic() {
        /opt/cryptopack3/bin/updater -l /opt/cryptopack3/ssl/cryptocom.lic
        touch /tmp/lic
      }
      file=`find /tmp -name lic -type f -mtime +1`
      if [[ -z ${file} ]];then echo "Обновление лицензии не требуется"; else update_lic;fi


# Inbound IP and port
inbound_IP: 10.1.116.14
inbound_port: 1195

dev_name: external
net: 10.9.0.0
mask: 255.255.0.0
client_net: "10.9.10.0/24"

ccd:
  client: ifconfig-push 10.9.10.2 255.255.0.0
  someclient: |-
    ifconfig-push 10.9.10.2 255.255.0.0
    iroute 192.168.250.0 255.255.255.0

router:
  image: "jcr.infoclinica.ru/sdsys/kubectl"
  tag: "1.18.9-3"
  pullPolicy: IfNotPresent
  resources:
    limits:
      cpu: 50m
      memory: 50Mi
    requests:
      cpu: 50m
      memory: 50Mi