It probably breaks totally, but that's fine

+327 -113
+1
k8s/nebula/apps/vpn/kustomization.yaml
··· 3 3 resources: 4 4 - ns.yaml 5 5 - vpn-gateway/ks.yaml 6 + - vpn-gateway/ks-webhook.yaml
+115 -112
k8s/nebula/apps/vpn/vpn-gateway/app/helm-release.yaml
··· 1 1 --- 2 + # yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s-labs/helm-charts/common-3.7.3/charts/library/common/values.schema.json 2 3 apiVersion: helm.toolkit.fluxcd.io/v2 3 4 kind: HelmRelease 4 5 metadata: 5 - name: vpn-gateway 6 + name: &app vpn-gateway 6 7 namespace: vpn 7 8 spec: 8 9 interval: 15m 9 - chart: 10 - spec: 11 - chart: pod-gateway 12 - version: 6.5.1 13 - sourceRef: 14 - kind: HelmRepository 15 - name: angelnu-charts 16 - namespace: flux-system 17 - interval: 15m 10 + chartRef: 11 + kind: OCIRepository 12 + name: app-template 13 + namespace: flux-system 18 14 install: 19 15 createNamespace: true 20 16 remediation: ··· 23 19 remediation: 24 20 retries: 5 25 21 values: 26 - image: 27 - repository: ghcr.io/angelnu/pod-gateway 28 - tag: v1.13.0 29 - # repository: registry.skysolutions.fi/library/pod-gateway 30 - # tag: 110125@sha256:2578dd6cc5d56857a9ffaf992e573c97bda68307ac593162982d35f298b617ee 31 - 32 - addons: 33 - netshoot: 22 + controllers: 23 + vpn-gateway: 24 + annotations: 25 + reloader.stakater.com/auto: "true" 26 + initContainers: 27 + routes: 28 + image: 29 + repository: ghcr.io/angelnu/pod-gateway 30 + tag: v1.13.0 31 + command: 32 + - /bin/gateway_init.sh 33 + securityContext: 34 + privileged: true 35 + containers: 36 + gateway: 37 + image: 38 + repository: ghcr.io/angelnu/pod-gateway 39 + tag: v1.13.0 40 + command: 41 + - /bin/gateway_sidecar.sh 42 + securityContext: 43 + capabilities: 44 + add: [ "NET_RAW", "NET_ADMIN" ] 45 + netshoot: 46 + image: 47 + repository: ghcr.io/nicolaka/netshoot 48 + tag: v0.13 49 + command: 50 + - /bin/sh 51 + - -c 52 + - sleep infinity 53 + resources: 54 + requests: 55 + cpu: 10m 56 + memory: 10M 57 + limits: 58 + memory: 50M 59 + securityContext: 60 + capabilities: 61 + add: [ "NET_ADMIN" ] 62 + gluetun: 63 + image: 64 + repository: ghcr.io/qdm12/gluetun 65 + tag: v3.40.0@sha256:2b42bfa046757145a5155acece417b65b4443c8033fb88661a8e9dcf7fda5a00 66 + env: 67 + TZ: 
"Europe/Helsinki" 68 + VPN_TYPE: wireguard 69 + VPN_SERVICE_PROVIDER: airvpn 70 + VPN_INTERFACE: wg0 71 + FIREWALL: "off" 72 + DOT: "off" 73 + FIREWALL_VPN_INPUT_PORTS: "51820,55633" 74 + SERVER_COUNTRIES: "Switzerland,Netherlands" 75 + WIREGUARD_MTU: 1320 76 + envFrom: 77 + - secretRef: 78 + name: pod-gateway-secret 79 + resources: 80 + requests: 81 + cpu: 15m 82 + memory: 64Mi 83 + limits: 84 + squat.ai/tun: 1 85 + memory: 128Mi 86 + securityContext: 87 + capabilities: 88 + add: [ "NET_ADMIN" ] 89 + service: 90 + app: 91 + controller: *app 92 + type: ClusterIP 93 + clusterIP: None 94 + ports: 95 + vxlan: 96 + protocol: UDP 97 + port: 4789 98 + configMaps: 99 + config: 34 100 enabled: true 35 - vpn: 36 - enabled: true 37 - type: gluetun 38 - image: 39 - repository: docker.io/qmcgaw/gluetun 40 - tag: v3.40.0 41 - env: 42 - - name: VPN_TYPE 43 - value: wireguard 44 - - name: VPN_SERVICE_PROVIDER 45 - value: airvpn 46 - - name: VPN_INTERFACE 47 - value: wg0 48 - - name: FIREWALL 49 - value: "off" 50 - - name: DOT 51 - value: "off" 52 - - name: FIREWALL_VPN_INPUT_PORTS 53 - value: 51820,55633 54 - - name: SERVER_COUNTRIES 55 - value: "Switzerland,Netherlands" 56 - - name: WIREGUARD_MTU 57 - value: 1320 58 - # - name: WIREGUARD_PRIVATE_KEY 59 - # value: set in secret 60 - # - name: WIREGUARD_ADDRESSES 61 - # value: set in secret 62 - 63 - envFrom: 64 - - secretRef: 65 - name: vpn-gateway-vpnconfig 66 - securityContext: 67 - privileged: true 68 - # capabilities: 69 - # add: 70 - # - NET_ADMIN 71 - 72 - networkPolicy: 73 - enabled: false 74 - # egress: 75 - # - to: 76 - # - ipBlock: 77 - # cidr: 0.0.0.0/0 78 - # - ipBlock: 79 - # cidr: ::/0 # Allow IPv6 to VPN servers 80 - # ports: 81 - # # VPN traffic 82 - # - port: 51820 83 - # protocol: UDP 84 - # - port: 1637 85 - # protocol: UDP 86 - # - port: 53 87 - # protocol: UDP 88 - # - to: 89 - # - namespaceSelector: {} 90 - 91 - podAnnotations: 92 - configmap.reloader.stakater.com/reload: vpn-gateway-pod-gateway 93 - 
secret.reloader.stakater.com/reload: vpn-gateway-vpnconfig 94 - 95 - 96 - DNS: 172.16.1.1 97 - routed_namespaces: 98 - - media 99 - 100 - settings: 101 - IPV4_ENABLED: true 102 - IPV6_ENABLED: false 103 - VPN_INTERFACE: "wg0" 104 - VXLAN_ID: 44 105 - VXLAN_PORT: 4789 106 - VXLAN_IP_NETWORK: 172.16.1 107 - VXLAN_IPV6_NETWORK: fd60:ca7f:e5d8:42e9 108 - VXLAN_GATEWAY_FIRST_DYNAMIC_IP: 20 109 - VPN_BLOCK_OTHER_TRAFFIC: false 110 - VPN_TRAFFIC_PORT: "51820" 111 - VPN_LOCAL_CIDRS: 10.0.0.0/8 192.168.0.0/16 112 - NOT_ROUTED_TO_GATEWAY_CIDRS: 10.0.0.0/8 192.168.0.0/16 113 - 114 - 115 - webhook: 116 - image: 117 - repository: ghcr.io/angelnu/gateway-admision-controller 118 - tag: v3.12.0@sha256:6f6ab596afd5fef0ca4648eadfb21cd37ba86fa5afa8b85edcc072976a61fbed 119 - gatewayDefault: false 120 - gatewayLabel: setGateway 121 - gatewayAnnotation: setGateway 122 - namespaceSelector: 123 - label: "vpn-routed-gateway" 101 + data: 102 + nat.conf: | 103 + # Placeholder 104 + nat6.conf: | 105 + # Placeholder 106 + settings.sh: | 107 + #!/bin/sh 108 + DNS_LOCAL_CIDRS="local" 109 + IPV4_ENABLED="true" 110 + IPV6_ENABLED="false" 111 + NOT_ROUTED_TO_GATEWAY_CIDRS="10.0.0.0/8 192.168.0.0/16" 112 + VPN_BLOCK_OTHER_TRAFFIC="false" 113 + VPN_INTERFACE="wg0" 114 + VPN_LOCAL_CIDRS="10.0.0.0/8 192.168.0.0/16" 115 + VPN_TRAFFIC_PORT="51820" 116 + VXLAN_GATEWAY_FIRST_DYNAMIC_IP="20" 117 + VXLAN_ID="44" 118 + VXLAN_IPV6_NETWORK="fd60:ca7f:e5d8:42e9" 119 + VXLAN_IP_NETWORK="172.16.1" 120 + VXLAN_PORT="4789" 124 121 125 122 persistence: 126 - dev: 127 - enabled: false 128 - hostPath: /dev/ 129 - mountPath: /dev/ 130 - type: hostPath 123 + config: 124 + type: configMap 125 + name: vpn-gateway-configmap 126 + advancedMounts: 127 + pod-gateway: 128 + routes: 129 + - path: /config 130 + readOnly: true 131 + gateway: 132 + - path: /config 133 + readOnly: true
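Review bot: In the new `persistence.config.advancedMounts` block the first-level key is `pod-gateway`, but the controller defined above is `vpn-gateway`; app-template keys `advancedMounts` by controller name, so as written the `/config` mount (and with it `settings.sh`) will not reach the `routes` and `gateway` containers — rename the key to `vpn-gateway:`. The referenced configMap name `vpn-gateway-configmap` also looks off: the chart normally derives the name from release and identifier (here `vpn-gateway-config`), so confirm the rendered name before relying on it in the webhook's `--configmapName`. Separately, the gateway pod still runs without a kill switch — gluetun has `FIREWALL: "off"` and `settings.sh` sets `VPN_BLOCK_OTHER_TRAFFIC="false"` — so if `wg0` drops, routed pods' traffic can fall back to the node's default route; consider `VPN_BLOCK_OTHER_TRAFFIC="true"` (keeping `VPN_LOCAL_CIDRS` for in-cluster access). The `netshoot` container with `sleep infinity` and `NET_ADMIN` is now a permanent member of the gateway pod; remove it or at least drop the capability outside of troubleshooting.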
+15
k8s/nebula/apps/vpn/vpn-gateway/ks-webhook.yaml
··· 1 + apiVersion: kustomize.toolkit.fluxcd.io/v1 2 + kind: Kustomization 3 + metadata: 4 + name: vpn-gateway-webhook 5 + namespace: flux-system 6 + spec: 7 + targetNamespace: vpn 8 + path: ./k8s/nebula/apps/vpn/vpn-gateway/webhook 9 + prune: true 10 + sourceRef: 11 + kind: GitRepository 12 + name: flux-system 13 + namespace: flux-system 14 + interval: 30m 15 + timeout: 5m
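Review bot: The new Flux Kustomization declares no `dependsOn`, yet the path it applies contains cert-manager `Issuer`/`Certificate` objects and a `MutatingWebhookConfiguration` with `failurePolicy: Fail`; if it reconciles before the cert-manager CRDs exist the apply fails, and if the webhook registration lands before the webhook Deployment is Ready, pod creation in every routed namespace is blocked until it is. Add `dependsOn` entries for the cert-manager Kustomization and for `vpn-gateway` (the latter name taken from `ks.yaml`; the cert-manager one is not visible here — confirm it), and consider `wait: true` so Flux surfaces the Deployment's health. The `labels` block that `ks.yaml` carries (`component.skylab.fi/part-of: definitions`) is absent here, so anything selecting on it will miss this Kustomization.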
+2 -1
k8s/nebula/apps/vpn/vpn-gateway/ks.yaml
··· 1 1 apiVersion: kustomize.toolkit.fluxcd.io/v1 2 2 kind: Kustomization 3 3 metadata: 4 - name: cluster-vpn-gateway 4 + name: vpn-gateway 5 5 namespace: flux-system 6 6 labels: 7 7 component.skylab.fi/part-of: definitions ··· 12 12 sourceRef: 13 13 kind: GitRepository 14 14 name: flux-system 15 + namespace: flux-system 15 16 interval: 30m 16 17 timeout: 5m
+60
k8s/nebula/apps/vpn/vpn-gateway/webhook/cert.yaml
··· 1 + --- 2 + # Create a selfsigned Issuer, in order to create a root CA certificate for 3 + # signing webhook serving certificates 4 + apiVersion: cert-manager.io/v1 5 + kind: Issuer 6 + metadata: 7 + name: vpn-gateway-webhook-selfsign 8 + labels: 9 + app.kubernetes.io/name: pod-gateway 10 + app.kubernetes.io/instance: vpn-gateway 11 + spec: 12 + selfSigned: {} 13 + --- 14 + # Generate a CA Certificate used to sign certificates for the webhook 15 + apiVersion: cert-manager.io/v1 16 + kind: Certificate 17 + metadata: 18 + name: vpn-gateway-webhook-ca 19 + labels: 20 + app.kubernetes.io/name: pod-gateway 21 + app.kubernetes.io/instance: vpn-gateway 22 + spec: 23 + secretName: vpn-gateway-webhook-ca 24 + duration: 43800h # 5y 25 + issuerRef: 26 + name: vpn-gateway-webhook-selfsign 27 + kind: Issuer 28 + commonName: "ca.vpn-gateway.cert-manager" 29 + isCA: true 30 + --- 31 + # Create an Issuer that uses the above generated CA certificate to issue certs 32 + apiVersion: cert-manager.io/v1 33 + kind: Issuer 34 + metadata: 35 + name: vpn-gateway-webhook-ca 36 + labels: 37 + app.kubernetes.io/name: pod-gateway 38 + app.kubernetes.io/instance: vpn-gateway 39 + spec: 40 + ca: 41 + secretName: pod-gateway-webhook-ca 42 + --- 43 + # Finally, generate a serving certificate for the webhook to use 44 + apiVersion: cert-manager.io/v1 45 + kind: Certificate 46 + metadata: 47 + name: vpn-gateway-webhook-tls 48 + labels: 49 + app.kubernetes.io/name: pod-gateway 50 + app.kubernetes.io/instance: vpn-gateway 51 + spec: 52 + secretName: pod-gateway-webhook-tls 53 + duration: 8760h # 1y 54 + issuerRef: 55 + name: vpn-gateway-webhook-ca 56 + kind: Issuer 57 + dnsNames: 58 + - vpn-gateway-webhook 59 + - vpn-gateway-webhook.vpn 60 + - vpn-gateway-webhook.vpn.svc
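Review bot: The CA `Issuer` `vpn-gateway-webhook-ca` points at `secretName: pod-gateway-webhook-ca`, but the CA `Certificate` directly above writes its key pair to `vpn-gateway-webhook-ca`, so the issuer can never become Ready and the serving certificate is never issued — change the issuer to `secretName: vpn-gateway-webhook-ca`. The same `pod-gateway`/`vpn-gateway` mix-up appears on the serving certificate, whose `secretName: pod-gateway-webhook-tls` does not match the `vpn-gateway-webhook-tls` secret the webhook HelmRelease mounts; pick one name and use it in both places. Because the webhook is registered with `failurePolicy: Fail`, either mismatch blocks all pod creation in the routed namespaces rather than failing quietly. Consider also adding `privateKey: { rotationPolicy: Always }` to both Certificates so renewals generate fresh keys instead of reusing the old one.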
+97
k8s/nebula/apps/vpn/vpn-gateway/webhook/hr.yaml
··· 1 + --- 2 + apiVersion: helm.toolkit.fluxcd.io/v2 3 + kind: HelmRelease 4 + metadata: 5 + name: &app vpn-gateway-webhook 6 + spec: 7 + interval: 1h 8 + chartRef: 9 + kind: OCIRepository 10 + name: app-template 11 + namespace: flux-system 12 + values: 13 + controllers: 14 + pod-gateway-webhook: 15 + annotations: 16 + reloader.stakater.com/auto: "true" 17 + containers: 18 + app: 19 + image: 20 + repository: ghcr.io/angelnu/gateway-admision-controller 21 + tag: v3.12.0@sha256:6f6ab596afd5fef0ca4648eadfb21cd37ba86fa5afa8b85edcc072976a61fbed 22 + args: 23 + - --webhook-listen-address=:443 24 + - --gateway=vpn-gateway.vpn.svc.cluster.local 25 + - --DNS=172.16.1.1 26 + - --configmapName=vpn-gateway-configmap 27 + - --setGatewayLabel=setGateway 28 + - --setGatewayAnnotation=setGateway 29 + # Static 30 + - --tls-cert-file-path=/tls/tls.crt 31 + - --tls-key-file-path=/tls/tls.key 32 + - --DNSPolicy=None 33 + # Init container 34 + - --initImage=ghcr.io/angelnu/pod-gateway:v1.11.1 35 + - --initImagePullPol=IfNotPresent 36 + - --initCmd=/bin/client_init.sh 37 + - --initMountPoint=/config 38 + # Sidecar container 39 + - --sidecarImage=ghcr.io/angelnu/pod-gateway:v1.11.1 40 + - --sidecarImagePullPol=IfNotPresent 41 + - --sidecarCmd=/bin/client_sidecar.sh 42 + - --sidecarMountPoint=/config 43 + securityContext: 44 + allowPrivilegeEscalation: false 45 + readOnlyRootFilesystem: true 46 + capabilities: { drop: ["ALL"] } 47 + resources: 48 + requests: 49 + cpu: 10m 50 + memory: 10Mi 51 + limits: 52 + memory: 50Mi 53 + probes: 54 + readiness: &probe 55 + enabled: true 56 + custom: true 57 + spec: 58 + httpGet: 59 + path: /wh/health 60 + port: 443 61 + scheme: HTTPS 62 + initialDelaySeconds: 1 63 + timeoutSeconds: 10 64 + periodSeconds: 10 65 + successThreshold: 1 66 + failureThreshold: 5 67 + liveness: *probe 68 + startup: 69 + enabled: true 70 + custom: true 71 + spec: 72 + httpGet: 73 + path: /wh/health 74 + port: 443 75 + scheme: HTTPS 76 + timeoutSeconds: 1 77 + periodSeconds: 
1 78 + successThreshold: 1 79 + failureThreshold: 30 80 + defaultPodOptions: 81 + securityContext: 82 + runAsNonRoot: true 83 + runAsUser: 1000 84 + runAsGroup: 1000 85 + service: 86 + app: 87 + controller: *app 88 + ports: 89 + http: 90 + port: 443 91 + persistence: 92 + config: 93 + type: secret 94 + name: vpn-gateway-webhook-tls 95 + globalMounts: 96 + - path: /tls 97 + readOnly: true
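Review bot: `persistence.config` mounts a secret named `vpn-gateway-webhook-tls`, but in `cert.yaml` that is only the `Certificate` object's name — its `secretName` is `pod-gateway-webhook-tls` — so the pod will sit in ContainerCreating with a missing-secret error; align the two names. The injected `--initImage` and `--sidecarImage` are `ghcr.io/angelnu/pod-gateway:v1.11.1`, two minor versions behind the `v1.13.0` gateway in `helm-release.yaml` and, unlike the webhook's own image, pinned by tag only; these containers are injected into pods in other namespaces, so pin them by digest and keep them on the gateway's version. The webhook also binds `:443` while running as uid 1000 with all capabilities dropped, which only works if the container runtime lowers `net.ipv4.ip_unprivileged_port_start` to 0; if this cluster's runtime does not, use an unprivileged listen port and set the Service `targetPort` to match.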
+7
k8s/nebula/apps/vpn/vpn-gateway/webhook/kustomization.yaml
··· 1 + --- 2 + apiVersion: kustomize.config.k8s.io/v1beta1 3 + kind: Kustomization 4 + resources: 5 + - ./cert.yaml 6 + - ./hr.yaml 7 + - ./webhook.yaml
+30
k8s/nebula/apps/vpn/vpn-gateway/webhook/webhook.yaml
··· 1 + --- 2 + apiVersion: admissionregistration.k8s.io/v1 3 + kind: MutatingWebhookConfiguration 4 + metadata: 5 + name: vpn-gateway 6 + labels: 7 + app.kubernetes.io/name: pod-gateway 8 + app.kubernetes.io/instance: vpn-gateway 9 + annotations: 10 + cert-manager.io/inject-ca-from: "vpn/vpn-gateway-webhook-tls" 11 + webhooks: 12 + - name: vpn-gateway.svc.cluster.local 13 + clientConfig: 14 + service: 15 + name: vpn-gateway-webhook 16 + namespace: vpn 17 + path: "/wh/mutating/setgateway" 18 + rules: 19 + - apiGroups: [""] 20 + apiVersions: ["v1"] 21 + operations: ["CREATE"] 22 + resources: ["pods"] 23 + scope: "Namespaced" 24 + failurePolicy: Fail 25 + admissionReviewVersions: ["v1", "v1beta1"] 26 + sideEffects: None 27 + timeoutSeconds: 5 28 + namespaceSelector: 29 + matchLabels: 30 + label: "vpn-routed-gateway"
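Review bot: The `namespaceSelector` matches a label whose key is literally `label` with value `vpn-routed-gateway`; the chart-managed webhook this replaces was configured with `namespaceSelector.label: vpn-routed-gateway`, which, if it followed the pod-gateway chart's convention, selected namespaces carrying `vpn-routed-gateway: "true"`. If that is the label the `media` namespace actually carries, the new webhook matches nothing, no gateway sidecar is injected, and pods that used to egress through the VPN silently leave via the node's default route — the selector should read `matchLabels: { vpn-routed-gateway: "true" }` (verify with `kubectl get ns --show-labels`). With `failurePolicy: Fail` it is also worth adding a namespace exclusion or `objectSelector` so the `vpn` namespace can never be routed through its own gateway. `v1beta1` in `admissionReviewVersions` is dead weight on any supported cluster and can be dropped.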