public/helm-charts
1
0
Fork 0
mirror of https://github.com/bjw-s-labs/helm-charts.git synced 2025-07-04 17:07:04 +02:00
Code Issues Projects Releases Packages Wiki Activity
helm-charts/docs/common-library/common-library-add-ons.md
Bᴇʀɴᴅ Sᴄʜᴏʀɢᴇʀs 567577762f
docs: Add initial docs
2022-08-07 18:58:19 +02:00

271 lines
8.9 KiB
Markdown
Raw Blame History

# Common library add-ons
The common library chart supplies a few add-ons which are meant to simplify some features
you might be looking for. These are sidecars that run in the same pod as your
application you configured it with.
## Code Server
The [code-server](https://github.com/cdr/code-server) add-on can be used to
access and modify persistent volume data in your application. This can be
useful when you need to edit the persistent volume data, for example with
Home Assistant.
### Example values
Below is a snippet from a `values.yaml` using the add-on. More configuration
options can be found in our common chart documentation.
!!! note
This example will mount `/config` into the code-server sidecar.
```yaml
addons:
codeserver:
enabled: true
image:
repository: codercom/code-server
tag: 3.9.0
workingDir: "/config"
args:
- --auth
- "none"
- --user-data-dir
- "/config/.vscode"
- --extensions-dir
- "/config/.vscode"
ingress:
enabled: true
annotations:
kubernetes.io/ingress.class: "nginx"
hosts:
- host: app-config.domain.tld
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- app-config.domain.tld
volumeMounts:
- name: config
mountPath: /config
```
## Wireguard VPN
The Wireguard add-on enables you to force all (or selected) network traffic
through a VPN.
This example shows how to add a Wireguard sidecar to our
[qBittorrent Helm chart](https://github.com/k8s-at-home/charts/tree/master/charts/stable/qbittorrent).
It does not cover all of the configuration possibilities of the
[Wireguard client image](https://github.com/k8s-at-home/container-images/tree/main/apps/wireguard),
but should give a good starting point for configuring a similar setup.
### Example values
Below is an annotated example `values.yaml` that will result in a qBittorrent
container with **all** its traffic routed through a VPN. In order to have
functioning ingress and/or probes, it might be required to open certain
networks or ports on the VPN firewall. That is beyond the scope of this
document. Please refer to the
[Wireguard client image](https://github.com/k8s-at-home/container-images/tree/main/apps/wireguard)
for more details on these environment variables.
!!! note
The `WAIT_FOR_VPN` environment variable is specifically implemented by our
own qBittorrent image, and it will not work with other container images.
```yaml
image:
repository: k8sathome/qbittorrent
tag: v4.3.3
pullPolicy: IfNotPresent
env:
# Our qBittorrent image has a feature that can wait for the VPN to be connected before actually starting the application.
# It does this by checking the contents of a file /shared/vpnstatus to contain the string 'connected'.
WAIT_FOR_VPN: "true"
persistence:
config:
enabled: true
type: emptyDir
mountPath: /config
# This should be enabled so that both the qBittorrent and Wireguard container have access to a shared volume mounted to /shared.
# It will be used to communicate between the two containers.
shared:
enabled: true
type: emptyDir
mountPath: /shared
addons:
vpn:
enabled: true
# This Should be set to `wireguard`. This will set the add-on to use the default settings for Wireguard based connections.
type: wireguard
# If the podSecurityContext is set to run as a different user, make sure to run the Wireguard container as UID/GID 568.
# This is required for it to be able to read certain configuration files.
securityContext:
runAsUser: 568
runAsGroup: 568
env:
# Enable a killswitch that kills all trafic when the VPN is not connected
KILLSWITCH: "true"
# The wireguard configuration file provided by your VPN provider goes here.
#
# Set AllowedIPs to 0.0.0.0/0 to route all traffic through the VPN.
#
# Pay close attention to the PostUp and PreDown lines. They must be added if you wish to run a script when the connection
# is opened / closed.
configFile: |-
[Interface]
PrivateKey = <my-private-key>
Address = <interface address>
DNS = <interface DNS server>
PostUp = /config/up.sh %i
PreDown = /config/down.sh %i
[Peer]
PublicKey = <my-public-key>
AllowedIPs = 0.0.0.0/0
Endpoint = <peer endpoint>
# The scripts that get run when the VPN connection opens/closes are defined here.
# The default scripts will write a string to represent the current connection state to a file.
# Our qBittorrent image has a feature that can wait for this file to contain the word 'connected' before actually starting the application.
scripts:
up: |-
#!/bin/bash
echo "connected" > /shared/vpnstatus
down: |-
#!/bin/bash
echo "disconnected" > /shared/vpnstatus
```
## OpenVPN
Similar to the Wireguard VPN, the OpenVPN add-on enables you to force all
(or selected) network traffic through a VPN.
This example shows how to add an OpenVPN sidecar to our
[qBittorrent Helm chart](https://github.com/k8s-at-home/charts/tree/master/charts/stable/qbittorrent).
It does not cover all of the configuration possibilities of the
[OpenVPN client image](https://github.com/dperson/openvpn-client) by
[@dperson](https://github.com/dperson), but should give a good starting point
for configuring a similar setup.
### Example values
Below is an annotated example `values.yaml` that will result in a qBittorrent
container with **all** its traffic routed through a VPN. In order to have
functioning ingress and/or probes, it might be required to open certain
networks or ports on the VPN firewall. That is beyond the scope of this
document. Please refer to the
[OpenVPN client image](https://github.com/dperson/openvpn-client) for
more details on these environment variables.
!!! note
The `WAIT_FOR_VPN` environment variable is specifically implemented by our
own qBittorrent image, and it will not work with other container images.
```yaml
image:
repository: k8sathome/qbittorrent
tag: v4.3.3
pullPolicy: IfNotPresent
env:
# Our qBittorrent image has a feature that can wait for the VPN to be
# connected before actually starting the application.
# It does this by checking the contents of a file /shared/vpnstatus to
# contain the string 'connected'.
WAIT_FOR_VPN: "true"
persistence:
config:
enabled: true
type: emptyDir
mountPath: /config
# This should be enabled so that both the qBittorrent and OpenVPN container have access to a shared volume mounted to /shared.
# It will be used to communicate between the two containers.
shared:
enabled: true
type: emptyDir
mountPath: /shared
addons:
vpn:
enabled: true
# This Should be set to `openvpn`. This will set the add-on to use the default settings for OpenVPN based connections.
type: openvpn
openvpn:
# This gets read by the Helm chart. The default OpenVPN image reads this and uses it to connect to the VPN provider.
auth: |
myuser
mypassword
# If the podSecurityContext is set to run as a different user, make sure to run the OpenVPN container as root.
# This is required for it to be able to read certain configuration files.
securityContext:
runAsGroup: 0
runAsUser: 0
env:
# Set this environment variable to 'on' to make sure all traffic gets routed through the VPN container.
# Make sure to check the other environment variables for the OpenVPN image to see how you can exclude certain
# traffic from these firewall rules.
FIREWALL: 'on'
# The .ovpn file provided by your VPN provider goes here.
#
# Any CA / certificate must either be placed inline, or provided through an additionalVolumeMount so that OpenVPN can find it.
#
# Pay close attention to the last 3 lines in this file. They must be added if you wish to run a script when the connection
# is opened / closed.
configFile: |-
client
dev tun
proto udp
remote my-awesome-vpn-provider.com 995
remote-cert-tls server
resolv-retry infinite
nobind
tls-version-min 1.2
cipher AES-128-GCM
compress
ncp-disable
tun-mtu-extra 32
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
MIIDMTCCAhmgAwIBAgIJAKnGGJK6qLqSMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV
-----END CERTIFICATE-----
</ca>
script-security 2
up /vpn/up.sh
down /vpn/down.sh
# The scripts that get run when the VPN connection opens/closes are defined here.
# The default scripts will write a string to represent the current connection state to a file.
# Our qBittorrent image has a feature that can wait for this file to contain the word 'connected' before actually starting the application.
scripts:
up: |-
#!/bin/bash
/etc/openvpn/up.sh
echo "connected" > /shared/vpnstatus
down: |-
#!/bin/bash
/etc/openvpn/down.sh
echo "disconnected" > /shared/vpnstatus
```
Reference in a new issue View git blame Copy permalink