feat(sabnzbd): run gluetun as sidecar

jfroy · Aug 15, 2024 · 19edb0a · 19edb0a
1 parent 490d5ca
commit 19edb0a
Show file tree

Hide file tree

Showing 6 changed files with 111 additions and 18 deletions.
diff --git a/kubernetes/apps/default/sabnzbd/app/helmrelease.yaml b/kubernetes/apps/default/sabnzbd/app/helmrelease.yaml
@@ -61,7 +61,7 @@ spec:
                   timeoutSeconds: 1
                   failureThreshold: 3
               readiness: *probes
-            securityContext:
+            securityContext: &securityContext
               allowPrivilegeEscalation: false
               readOnlyRootFilesystem: true
               capabilities: { drop: ["ALL"] }
@@ -72,6 +72,58 @@ spec:
               limits:
                 cpu: 4
                 memory: 50Gi
+        initContainers:
+          gluetun:
+            image:
+              repository: ghcr.io/qdm12/gluetun
+              tag: v3.39.0@sha256:2f011a9aca767af62008d879eefcbc80a8645bd4fd4466ab312cc941cb658ad1
+            env:
+              BLOCK_MALICIOUS: "off"  # save 300MB of RAM; https://github.com/qdm12/gluetun/issues/2054
+              DOT_IPV6: "on"
+              FIREWALL_DEBUG: on
+              FIREWALL_INPUT_PORTS: "80,9999"
+              HEALTH_SERVER_ADDRESS: ":9999"
+              HEALTH_VPN_DURATION_INITIAL: 60s
+              LOG_LEVEL: debug
+              VPN_INTERFACE: wg0
+              VPN_TYPE: wireguard
+              TZ: America/Los_Angeles
+            envFrom:
+              - secretRef:
+                  name: sabnzbd-gluetun-secret
+            probes:
+              liveness:
+                enabled: true
+                custom: true
+                spec:
+                  httpGet:
+                    path: /
+                    port: 9999
+                  initialDelaySeconds: 0
+                  periodSeconds: 10
+                  failureThreshold: 3
+              startup:
+                enabled: true
+                custom: true
+                spec:
+                  httpGet:
+                    path: /
+                    port: 9999
+                  initialDelaySeconds: 10
+                  periodSeconds: 10
+                  failureThreshold: 5
+            resources:
+              requests:
+                memory: 48Mi
+              limits:
+                memory: 96Mi
+            restartPolicy: Always
+            securityContext:
+              <<: *securityContext
+              readOnlyRootFilesystem: false
+              runAsNonRoot: false
+              runAsUser: 0
+              capabilities: { add: ["NET_ADMIN"] }
         pod:
           labels:
             stealth-gateway: "true"
@@ -108,6 +160,14 @@ spec:
     persistence:
       config:
         existingClaim: sabnzbd
+      empty:
+        type: emptyDir
+        sizeLimit: 20Mi
+        globalMounts:
+          - path: /gluetun
+            subPath: gluetun
+          - path: /tmp
+            subPath: tmp
       media:
         type: nfs
         server: kaidame.flat
@@ -119,5 +179,10 @@ spec:
         type: emptyDir
         globalMounts:
           - path: /config/logs
-      tmp:
+      run:
         type: emptyDir
+        medium: Memory
+        sizeLimit: 10Mi
+        globalMounts:
+          - path: /run
+          - path: /var/run
diff --git a/kubernetes/apps/default/sabnzbd/app/kustomization.yaml b/kubernetes/apps/default/sabnzbd/app/kustomization.yaml
@@ -5,6 +5,7 @@ kind: Kustomization
 resources:
   - ./externalsecret.yaml
   - ./helmrelease.yaml
-  - ./networkpolicy.yaml
+  - ./networkpolicy.sops.yaml
+  - ./secret.sops.yaml
   - ../../../../templates/gatus/guarded
   - ../../../../templates/volsync
diff --git a/kubernetes/apps/default/sabnzbd/app/networkpolicy.sops.yaml b/kubernetes/apps/default/sabnzbd/app/networkpolicy.sops.yaml
@@ -0,0 +1,26 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: sabnzbd-allow-gluetun
+  annotations:
+    future-me-why: allow ingress and egress to gluetun endpoints; also puts pod in deny-by-default mode for egress
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: sabnzbd
+  egress:
+    - toCIDR:
+        - 37.120.132.82/32
+        - 37.120.132.90/32
+        - 217.138.217.106/32
+        - 2a0d:5600:4f:8000:e97d:9761:c3d1:c92f/128
+        - 2a0d:5600:8:3d:bf35:b49d:b2c1:8537/128
+        - 2a0d:5600:8:3e:b389:fbfa:508a:1eca/128
+  ingress:
+    - fromCIDR:
+        - 37.120.132.82/32
+        - 37.120.132.90/32
+        - 217.138.217.106/32
+        - 2a0d:5600:4f:8000:e97d:9761:c3d1:c92f/128
+        - 2a0d:5600:8:3d:bf35:b49d:b2c1:8537/128
+        - 2a0d:5600:8:3e:b389:fbfa:508a:1eca/128
diff --git a/kubernetes/apps/default/sabnzbd/app/networkpolicy.yaml b/kubernetes/apps/default/sabnzbd/app/networkpolicy.yaml
diff --git a/kubernetes/apps/default/sabnzbd/app/secret.sops.yaml b/kubernetes/apps/default/sabnzbd/app/secret.sops.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: sabnzbd-gluetun-secret
+type: Opaque
+stringData:
+  SERVER_CITIES: Los Angeles
+  SERVER_COUNTRIES: United States
+  VPN_SERVICE_PROVIDER: airvpn
+  WIREGUARD_ADDRESSES: 10.179.45.218/32,fd7d:76ee:e68f:a993:2e72:6388:a4b3:8103/128
+  WIREGUARD_DNS: 10.128.0.1
+  WIREGUARD_MTU: "1320"
+  WIREGUARD_PERSISTENT_KEEPALIVE_INTERVAL: 15s
+  WIREGUARD_PRESHARED_KEY: 7eDa23NIyjXF1INH3Hwvc6kWINj57Q5LPcJqQuJHptI=
+  WIREGUARD_PRIVATE_KEY: kMTK2v13xv/El1YGK49W5bPm78iGoC+vBGuta9ZtfEY=
+  WIREGUARD_PUBLIC_KEY: PyLCXAQT8KkM4T+dUsOQfn+Ub3pGxfGlxkIApuig+hk=
diff --git a/kubernetes/apps/default/sabnzbd/ks.yaml b/kubernetes/apps/default/sabnzbd/ks.yaml
@@ -12,7 +12,6 @@ spec:
       app.kubernetes.io/name: *app
   dependsOn:
     - name: external-secrets-stores
-    - name: stealth-gateway
     - name: volsync
   path: ./kubernetes/apps/default/sabnzbd/app
   prune: true