123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119 |
- # Image registry secret. Required if authorization is needed on registry access.
- # Value of $(base64 ~/.docker/config.json).
- # For more info see https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
- # registry_secret_data:
- # Settings for main openvpn deployment
- openvpn:
- image: "jcr.infoclinica.ru/sys/openvpn-rsa"
- tag: "200207025"
- pullPolicy: IfNotPresent
- # podAnnotations:
- resources:
- limits:
- cpu: 350m
- memory: 50Mi
- requests:
- cpu: 350m
- memory: 50Mi
- # Openvpn config file
- configuration: |-
- dev openvpn-tun
- dev-type tun
- port 1194
- proto udp
- verb 3
- status /var/log/openvpn-status.log
- management localhost 7505
- keepalive 10 120
- persist-key
- persist-tun
- comp-lzo yes
- push comp-lzo yes
- topology subnet
- mssfix
- server 10.100.0.0 255.255.0.0
- crl-verify /etc/openvpn/keys/crl.pem
- client-config-dir /etc/openvpn/ccd
- ccd-exclusive
- ca /etc/openvpn/keys/ca.crt
- cert /etc/openvpn/keys/server.crt
- key /etc/openvpn/keys/server.key
- # Openvpn keys
- keys:
- ca.crt: |-
- -----BEGIN CERTIFICATE-----
- -----END CERTIFICATE-----
- server.crt: |-
- -----BEGIN CERTIFICATE-----
- -----END CERTIFICATE-----
- server.key: |-
- -----BEGIN PRIVATE KEY-----
- -----END PRIVATE KEY-----
- crl.pem: |-
- -----BEGIN X509 CRL-----
- -----END X509 CRL-----
- # Openvn deployment scripts
- scripts:
- # Initscript, executed by dedicated initialization container, main purpose - set firewall rules, or some similar, before openvpn start.
- initscript: |-
- #!/bin/bash
- iptables -I FORWARD 1 -m state --state NEW -s 10.100.10.0/24 -i openvpn-tun -j DROP
- iptables -I FORWARD 1 -m state --state NEW -s 10.100.10.0/24 -d 192.168.205.10 -i openvpn-tun -j ACCEPT
- iptables -I INPUT 1 -m state --state NEW -s 10.100.10.0/24 -i openvpn-tun -j DROP
- iptables -I INPUT 1 -m state --state NEW -s 10.100.10.0/24 -d 217.74.42.72 -i openvpn-tun -j ACCEPT
- # Main openvpn container startup script, aka ENTRYPOINT
- startscript: |-
- #!/bin/bash
- mkdir /dev/net
- mknod /dev/net/tun c 10 200
- exec "/usr/sbin/openvpn" "--config" "/etc/openvpn/configuration/openvpn.conf"
- # Stop script, executed by separate container on Pod termination.
- stopscript: |-
- #!/bin/bash
- iptables -D FORWARD -m state --state NEW -s 10.100.10.0/24 -i openvpn-tun -j DROP
- iptables -D FORWARD -m state --state NEW -s 10.100.10.0/24 -d 192.168.205.10 -i openvpn-tun -j ACCEPT
- iptables -D INPUT -m state --state NEW -s 10.100.10.0/24 -i openvpn-tun -j DROP
- iptables -D INPUT -m state --state NEW -s 10.100.10.0/24 -d 217.74.42.72 -i openvpn-tun -j ACCEPT
- # The health check script
- healthcheck: |-
- #!/bin/bash
- # ping something, or check connection status on port 7505
- # Inbound IP and port
- # ip, port and protocol for loadbalancer service, in case it's a server
- inbound_IP: 10.1.2.3
- # must be same, as port in openvpn config
- inbound_port: 1194
- # must be same, as proto in openvpn config
- inbound_proto: UDP
- # Openvpn settings, musb be the same, as in config, used in router daemonset
- dev_name: openvpn-tun
- net: 10.100.0.0
- mask: 255.255.0.0
- # CCD configmap
- ccd:
- client: ifconfig-push 10.100.10.2 255.255.0.0
- someclient: |-
- ifconfig-push 10.100.10.3 255.255.0.0
- iroute 192.168.250.0 255.255.255.0
- # Router container
- router:
- image: "jcr.infoclinica.ru/sys/kubectl"
- tag: "1.18.9-3"
- pullPolicy: IfNotPresent
- resources:
- limits:
- cpu: 50m
- memory: 50Mi
- requests:
- cpu: 50m
- memory: 50Mi