docs: Add initial docs

2025-07-03 16:37:04 +02:00 · 2022-08-07 16:32:24 +02:00 · 2022-08-07 16:32:24 +02:00 · 567577762f
commit 567577762f
parent 155946fb1e
15 changed files with 819 additions and 11 deletions
--- a/docs/common-library/common-library-add-ons.md
+++ b/docs/common-library/common-library-add-ons.md
@ -0,0 +1,271 @@
+# Common library add-ons
+
+The common library chart supplies a few add-ons which are meant to simplify some features
+you might be looking for. These are sidecars that run in the same pod as your
+application you configured it with.
+
+## Code Server
+
+The [code-server](https://github.com/cdr/code-server) add-on can be used to
+access and modify persistent volume data in your application. This can be
+useful when you need to edit the persistent volume data, for example with
+Home Assistant.
+
+### Example values
+
+Below is a snippet from a `values.yaml` using the add-on. More configuration
+options can be found in our common chart documentation.
+
+!!! note
+    This example will mount `/config` into the code-server sidecar.
+
+```yaml
+addons:
+  codeserver:
+    enabled: true
+    image:
+      repository: codercom/code-server
+      tag: 3.9.0
+    workingDir: "/config"
+    args:
+    - --auth
+    - "none"
+    - --user-data-dir
+    - "/config/.vscode"
+    - --extensions-dir
+    - "/config/.vscode"
+    ingress:
+      enabled: true
+      annotations:
+        kubernetes.io/ingress.class: "nginx"
+      hosts:
+      - host: app-config.domain.tld
+        paths:
+        - path: /
+          pathType: Prefix
+      tls:
+      - hosts:
+        - app-config.domain.tld
+    volumeMounts:
+    - name: config
+      mountPath: /config
+```
+
+## Wireguard VPN
+
+The Wireguard add-on enables you to force all (or selected) network traffic
+through a VPN.
+
+This example shows how to add a Wireguard sidecar to our
+[qBittorrent Helm chart](https://github.com/k8s-at-home/charts/tree/master/charts/stable/qbittorrent).
+It does not cover all of the configuration possibilities of the
+[Wireguard client image](https://github.com/k8s-at-home/container-images/tree/main/apps/wireguard),
+but should give a good starting point for configuring a similar setup.
+
+### Example values
+
+Below is an annotated example `values.yaml` that will result in a qBittorrent
+container with **all** its traffic routed through a VPN. In order to have
+functioning ingress and/or probes, it might be required to open certain
+networks or ports on the VPN firewall. That is beyond the scope of this
+document. Please refer to the
+[Wireguard client image](https://github.com/k8s-at-home/container-images/tree/main/apps/wireguard)
+for more details on these environment variables.
+
+!!! note
+    The `WAIT_FOR_VPN` environment variable is specifically implemented by our
+    own qBittorrent image, and it will not work with other container images.
+
+```yaml
+image:
+  repository: k8sathome/qbittorrent
+  tag: v4.3.3
+  pullPolicy: IfNotPresent
+
+env:
+  # Our qBittorrent image has a feature that can wait for the VPN to be connected before actually starting the application.
+  # It does this by checking the contents of a file /shared/vpnstatus to contain the string 'connected'.
+  WAIT_FOR_VPN: "true"
+
+persistence:
+  config:
+    enabled: true
+    type: emptyDir
+    mountPath: /config
+
+  # This should be enabled so that both the qBittorrent and Wireguard container have access to a shared volume mounted to /shared.
+  # It will be used to communicate between the two containers.
+  shared:
+    enabled: true
+    type: emptyDir
+    mountPath: /shared
+
+addons:
+  vpn:
+    enabled: true
+    # This Should be set to `wireguard`. This will set the add-on to use the default settings for Wireguard based connections.
+    type: wireguard
+
+    # If the podSecurityContext is set to run as a different user, make sure to run the Wireguard container as UID/GID 568.
+    # This is required for it to be able to read certain configuration files.
+    securityContext:
+      runAsUser: 568
+      runAsGroup: 568
+
+    env:
+      # Enable a killswitch that kills all trafic when the VPN is not connected
+      KILLSWITCH: "true"
+
+    # The wireguard configuration file provided by your VPN provider goes here.
+    #
+    # Set AllowedIPs to 0.0.0.0/0 to route all traffic through the VPN.
+    #
+    # Pay close attention to the PostUp and PreDown lines. They must be added if you wish to run a script when the connection
+    # is opened / closed.
+    configFile: |-
+      [Interface]
+      PrivateKey = <my-private-key>
+      Address = <interface address>
+      DNS = <interface DNS server>
+      PostUp = /config/up.sh %i
+      PreDown = /config/down.sh %i
+
+      [Peer]
+      PublicKey = <my-public-key>
+      AllowedIPs = 0.0.0.0/0
+      Endpoint = <peer endpoint>
+
+    # The scripts that get run when the VPN connection opens/closes are defined here.
+    # The default scripts will write a string to represent the current connection state to a file.
+    # Our qBittorrent image has a feature that can wait for this file to contain the word 'connected' before actually starting the application.
+    scripts:
+      up: |-
+        #!/bin/bash
+        echo "connected" > /shared/vpnstatus
+
+      down: |-
+        #!/bin/bash
+        echo "disconnected" > /shared/vpnstatus
+```
+
+## OpenVPN
+
+Similar to the Wireguard VPN, the OpenVPN add-on enables you to force all
+(or selected) network traffic through a VPN.
+
+This example shows how to add an OpenVPN sidecar to our
+[qBittorrent Helm chart](https://github.com/k8s-at-home/charts/tree/master/charts/stable/qbittorrent).
+It does not cover all of the configuration possibilities of the
+[OpenVPN client image](https://github.com/dperson/openvpn-client) by
+[@dperson](https://github.com/dperson), but should give a good starting point
+for configuring a similar setup.
+
+### Example values
+
+Below is an annotated example `values.yaml` that will result in a qBittorrent
+container with **all** its traffic routed through a VPN. In order to have
+functioning ingress and/or probes, it might be required to open certain
+networks or ports on the VPN firewall. That is beyond the scope of this
+document. Please refer to the
+[OpenVPN client image](https://github.com/dperson/openvpn-client) for
+more details on these environment variables.
+
+!!! note
+    The `WAIT_FOR_VPN` environment variable is specifically implemented by our
+    own qBittorrent image, and it will not work with other container images.
+
+```yaml
+image:
+  repository: k8sathome/qbittorrent
+  tag: v4.3.3
+  pullPolicy: IfNotPresent
+
+env:
+  # Our qBittorrent image has a feature that can wait for the VPN to be
+  # connected before actually starting the application.
+  # It does this by checking the contents of a file /shared/vpnstatus to
+  # contain the string 'connected'.
+  WAIT_FOR_VPN: "true"
+
+persistence:
+  config:
+    enabled: true
+    type: emptyDir
+    mountPath: /config
+
+  # This should be enabled so that both the qBittorrent and OpenVPN container have access to a shared volume mounted to /shared.
+  # It will be used to communicate between the two containers.
+  shared:
+    enabled: true
+    type: emptyDir
+    mountPath: /shared
+
+addons:
+  vpn:
+    enabled: true
+    # This Should be set to `openvpn`. This will set the add-on to use the default settings for OpenVPN based connections.
+    type: openvpn
+
+    openvpn:
+      # This gets read by the Helm chart. The default OpenVPN image reads this and uses it to connect to the VPN provider.
+      auth: |
+        myuser
+        mypassword
+
+    # If the podSecurityContext is set to run as a different user, make sure to run the OpenVPN container as root.
+    # This is required for it to be able to read certain configuration files.
+    securityContext:
+      runAsGroup: 0
+      runAsUser: 0
+
+    env:
+      # Set this environment variable to 'on' to make sure all traffic gets routed through the VPN container.
+      # Make sure to check the other environment variables for the OpenVPN image to see how you can exclude certain
+      # traffic from these firewall rules.
+      FIREWALL: 'on'
+
+    # The .ovpn file provided by your VPN provider goes here.
+    #
+    # Any CA / certificate must either be placed inline, or provided through an additionalVolumeMount so that OpenVPN can find it.
+    #
+    # Pay close attention to the last 3 lines in this file. They must be added if you wish to run a script when the connection
+    # is opened / closed.
+    configFile: |-
+      client
+      dev tun
+      proto udp
+      remote my-awesome-vpn-provider.com 995
+      remote-cert-tls server
+      resolv-retry infinite
+      nobind
+      tls-version-min 1.2
+      cipher AES-128-GCM
+      compress
+      ncp-disable
+      tun-mtu-extra 32
+      auth-user-pass
+
+      <ca>
+      -----BEGIN CERTIFICATE-----
+      MIIDMTCCAhmgAwIBAgIJAKnGGJK6qLqSMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV
+      -----END CERTIFICATE-----
+      </ca>
+
+      script-security 2
+      up /vpn/up.sh
+      down /vpn/down.sh
+
+    # The scripts that get run when the VPN connection opens/closes are defined here.
+    # The default scripts will write a string to represent the current connection state to a file.
+    # Our qBittorrent image has a feature that can wait for this file to contain the word 'connected' before actually starting the application.
+    scripts:
+      up: |-
+        #!/bin/bash
+        /etc/openvpn/up.sh
+        echo "connected" > /shared/vpnstatus
+
+      down: |-
+        #!/bin/bash
+        /etc/openvpn/down.sh
+        echo "disconnected" > /shared/vpnstatus
+```