feat(qbittorrent): run gluetun as sidecar

jfroy · Aug 14, 2024 · 92e1326 · 92e1326
1 parent f250ade
commit 92e1326
Show file tree

Hide file tree

Showing 7 changed files with 152 additions and 22 deletions.
diff --git a/.sops.yaml b/.sops.yaml
@@ -13,6 +13,11 @@ creation_rules:
     key_groups:
       - age:
           - "age1u006cywqm39pr9zgh2hn0svnry5gs2ayhrtxucz77qc7j88kmqzqxtxz0t"
+  - path_regex: kubernetes/.*/networkpolicy\.sops\.ya?ml
+    encrypted_regex: "^(egress|ingress)$"
+    key_groups:
+      - age:
+          - "age1u006cywqm39pr9zgh2hn0svnry5gs2ayhrtxucz77qc7j88kmqzqxtxz0t"
   - path_regex: kubernetes/.*\.sops\.ya?ml
     encrypted_regex: "^(data|stringData|password)$"
     key_groups:

diff --git a/kubernetes/apps/default/qbittorrent/app/helmrelease.yaml b/kubernetes/apps/default/qbittorrent/app/helmrelease.yaml
@@ -40,9 +40,9 @@ spec:
               QBT_BitTorrent__Session__AsyncIOThreadsCount: "4"
               QBT_BitTorrent__Session__DefaultSavePath: /media/qbittorrent/complete/default
               QBT_BitTorrent__Session__DisableAutoTMMByDefault: "false"
-              QBT_BitTorrent__Session__Interface: vxlan0
+              QBT_BitTorrent__Session__Interface: wg0
               QBT_BitTorrent__Session__InterfaceAddress:  0.0.0.0
-              QBT_BitTorrent__Session__InterfaceName: vxlan0
+              QBT_BitTorrent__Session__InterfaceName: wg0
               QBT_BitTorrent__Session__LSDEnabled: "false"
               QBT_BitTorrent__Session__TempPath: /media/qbittorrent/incomplete
               QBT_BitTorrent__Session__TempPathEnabled: "true"
@@ -82,6 +82,48 @@ spec:
                 cpu: 4
                 memory: 50Gi
         initContainers:
+          gluetun:
+            image:
+              repository: ghcr.io/qdm12/gluetun
+              tag: v3.39.0@sha256:2f011a9aca767af62008d879eefcbc80a8645bd4fd4466ab312cc941cb658ad1
+            env:
+              HEALTH_VPN_DURATION_INITIAL: 30s
+              FIREWALL_OUTBOUND_SUBNETS: 10.11.0.0/16,10.12.0.0/16
+              VPN_INTERFACE: wg0
+              VPN_TYPE: wireguard
+              TZ: America/Los_Angeles
+            envFrom:
+              - secretRef:
+                  name: qbittorrent-gluetun-secret
+            probes:
+              liveness:
+                custom: true
+                spec:
+                  httpGet:
+                    path: /
+                    port: 9999
+                  initialDelaySeconds: 0
+                  periodSeconds: 10
+                  failureThreshold: 3
+              startup:
+                custom: true
+                spec:
+                  httpGet:
+                    path: /
+                    port: 9999
+                  initialDelaySeconds: 10
+                  periodSeconds: 10
+                  failureThreshold: 5
+            resources:
+              limits:
+                memory: 128Mi
+            restartPolicy: Always
+            securityContext:
+              <<: *securityContext
+              readOnlyRootFilesystem: false
+              runAsNonRoot: false
+              runAsUser: 0
+              capabilities: { add: ["NET_ADMIN"] }
           vuetorrent:
             image:
               repository: ghcr.io/jfroy/vuetorrent
@@ -140,15 +182,30 @@ spec:
     persistence:
       config:
         existingClaim: qbittorrent
+      empty:
+        type: emptyDir
+        sizeLimit: 20Mi
+        globalMounts:
+          - path: /gluetun
+            subPath: gluetun
+          - path: /share
+            subPath: share
+          - path: /tmp
+            subPath: tmp
       media:
         type: nfs
         server: kaidame.flat
         path: /mnt/citerne/media
         globalMounts:
           - path: /media/qbittorrent
             subPath: qbittorrent
-      share:
+      run:
         type: emptyDir
+        medium: Memory
+        sizeLimit: 10Mi
+        globalMounts:
+          - path: /run
+          - path: /var/run
   postRenderers:
     - kustomize:
         patches:

diff --git a/kubernetes/apps/default/qbittorrent/app/kustomization.yaml b/kubernetes/apps/default/qbittorrent/app/kustomization.yaml
@@ -4,7 +4,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ./helmrelease.yaml
-  - ./networkpolicy.yaml
+  - ./networkpolicy.sops.yaml
   - ./secret.sops.yaml
   - ../../../../templates/gatus/guarded
   - ../../../../templates/volsync
diff --git a/kubernetes/apps/default/qbittorrent/app/networkpolicy.sops.yaml b/kubernetes/apps/default/qbittorrent/app/networkpolicy.sops.yaml
@@ -0,0 +1,46 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: qbittorrent-allow-gluetun-egress
+  annotations:
+    future-me-why: allow ingress and egress to gluetun endpoints, which also puts pod in deny-by-default mode for egress
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: qbittorrent
+  egress:
+    - toCIDR:
+        - ENC[AES256_GCM,data:xsfsgKgQt/f3dsZqRI4ppw==,iv:oOYtzeNyKPdj8e9d8gF1Go+5VhHKqdW7zYlXCdW2WPU=,tag:/xxdKZwokEwOt71SUJ4pzA==,type:str]
+        - ENC[AES256_GCM,data:JBYdykm1hOxD4zDDvUUT/Q==,iv:+nl1azgwDmtjMLvNEtrqbpJRfH5aADGa0npJpY7JEf0=,tag:/0gInFQMU3OEDJfy7YXRAw==,type:str]
+        - ENC[AES256_GCM,data:Wr1ymdW7QutGfsgQwoFixflr,iv:svoG79R0egaw1gRdleANg2CrIWszxm+kOV/yR2Ps9aM=,tag:+PJlhn/7YfsdpRY3VZPopw==,type:str]
+        - ENC[AES256_GCM,data:j1yYnbPNjqlCmHHfVO28QUkad08nTYVYK66v+dyCUkaAx16y2E8Vt3M=,iv:1ViZc1WJ6ynwF5KK+K8qGzrmiOIRLFVrxpB2u78VPsQ=,tag:HR6kSkDDHiXFrPb/mBiLeg==,type:str]
+        - ENC[AES256_GCM,data:pwinIowkrDrS7BBwzdU5OCZtuTKun+zS4i1YX0f09tw8ZIZC4JU=,iv:i4tSQJ1saK51hSbwefWHwwxppi9U83qiu3RazOJMSdA=,tag:BjtaMoJYkH5KhLMOvm1jNw==,type:str]
+        - ENC[AES256_GCM,data:qkwuoc6g9caxChUpz+KYoU4a3LXDh4Fak8lMPDwtlI9X0PQndMs=,iv:UP1eJnZD/tq+4JKOMqHhiHNC/yHH0sLuS4plMTLrCEc=,tag:QJr9rzIMBg5VYvl69JHj1Q==,type:str]
+  ingress:
+    - fromCIDR:
+        - ENC[AES256_GCM,data:EV6+034utA4Y6wcFHupv8g==,iv:2x+3WTQMfDQDbJOhg94RUS+5CX/tT9xO3cTyilJrVDM=,tag:EObkMoGVfvcs0rgUvcX1wg==,type:str]
+        - ENC[AES256_GCM,data:cAlulRKfUSRS1gFdp+QCaQ==,iv:iRMt/olmy6Qkac2KvjYj1xS95D65zV/jm5nyFT2Yx80=,tag:R4WpGAbCqv0/BtE2X65+nw==,type:str]
+        - ENC[AES256_GCM,data:9TK+h2mrr3R7jKWp85jmXecc,iv:He0n4Y2BeG1UEYN/joZJVnRsGlq2QPnhEqgsr4jIDVI=,tag:VQF3BhEK330cKsTtSJp20A==,type:str]
+        - ENC[AES256_GCM,data:mFOJsPpHR+dNmUcGGZz3FmVSG+Dwo1V3SDxRzRwg8jd0VqvWLnSbL64=,iv:7Vm8/8osIDcrfyPp/e0WM00BkM9guhGhP95iecHAFzU=,tag:WWNwwn8wMQB+p5iC+Bhrhg==,type:str]
+        - ENC[AES256_GCM,data:DIAlcz03qmLhd0kb+XhJENr4QNM8bkIa12ojJMfMeHLUfYJcRQ0=,iv:yfIyiUkrUzJFGVYdMbmURUYidGIsXLrJdXLYoyq+GkU=,tag:bxj9Ts3JUa6fus1W2F/g3g==,type:str]
+        - ENC[AES256_GCM,data:VsBlsN94838c8KC2/ARqSHL3QdERZgfuZE9yDTqDMX2Cb8g0QdA=,iv:ShsbJQbGsuhBoSpQSY9SC3levIdp7LYhnvOg7tWq43U=,tag:WSOpMP+BAwJz05nBPWLVgg==,type:str]
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age1u006cywqm39pr9zgh2hn0svnry5gs2ayhrtxucz77qc7j88kmqzqxtxz0t
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvRE9WbHB2WGhCaTNzYmVD
+        c2xhZmdyNUhYaWZVWVB6aC93K3Q3Wnl1Q3djCmhiQzdvTTNOaVVxWW9jeEZuc3d0
+        T2lteERMWCtUWmhHRk4yQWxaVGhqMTAKLS0tIFJtcldaZWlOTkxPMHQ0NEI4alB0
+        aFY2Y1IyeDVPL3hwMjFlM3RreW0yL3MKXViSZ6vOYKenQ48ONcD2ZOfIvoSpYJZW
+        FkKsPqZUcU4SaVMHSKGjYSQ9ky+KN40aRPdOGNLRBBtq2PRXCjwPgw==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2024-08-14T21:02:29Z"
+  mac: ENC[AES256_GCM,data:5pgK2aCz1MTpHauYcRp2KYtXkYCjOT3hPgylIwI1lSzUqrs5VQev9+CvcChJhM8NgPKgahpOQCwjdjZBOLH5ubOfp6x/fOjihpmKTD0yn2zPurEJsoKdNUg0yIPyZfYEHgKfYVDQN0n8og22JK9EmC0L8yv+vDoonMXmKQtSOBA=,iv:Oto+nCNvA0/c7GmazYupdn4azNfPu7irU/YwQc95lFI=,tag:Jq9km88r26vakb8uRcLjIQ==,type:str]
+  pgp: []
+  encrypted_regex: ^(egress|ingress)$
+  version: 3.9.0
diff --git a/kubernetes/apps/default/qbittorrent/app/networkpolicy.yaml b/kubernetes/apps/default/qbittorrent/app/networkpolicy.yaml
diff --git a/kubernetes/apps/default/qbittorrent/app/secret.sops.yaml b/kubernetes/apps/default/qbittorrent/app/secret.sops.yaml
@@ -20,8 +20,45 @@ sops:
             VE1VVDE5dFVJQ0JUYUZKa2QyU1liRXcKbklvSiVER1PLfJ+Mq/UXaJHs3XugCB8F
             iZ6sFC2NIEF37MM2x7esY57eCAdRekQXXe3Vs3YPql5uNY79muesdQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-30T06:05:13Z"
-    mac: ENC[AES256_GCM,data:0DPazO1rL5pvdCT/45azTqMOP/AF+JNIvJfD9/c2wRYSTVbrcCeAtqad2RGgCcfAfK125Wy0C+9qzz27iqlZI9oozu93dgaCtLvkPdV9BqfqGe8oJA+gX89jR//9Q0v0+6Aq/78Rl7MB1YDz7cXamgml7EhGzj+MXJC2PI/NlbU=,iv:LV/ULhy1YDTuq6ZYW3I9YRWu4itJXr09c8us1wDckOU=,tag:RMrWMAx2Ex/Dy0ULhm9UhA==,type:str]
+    lastmodified: "2024-08-14T20:40:52Z"
+    mac: ENC[AES256_GCM,data:1x+/RfB74rJnWT3VsjyMa4M37DeW0bPtK+HQx3p0zbBj4eHPOi1isoXayIQscmQVnLcR5lBZzh5YYWabOOpyi3gIwFEdvdWEkJA6y4iEgGfIzJTflcIurhJSMbMCuEJkkEpnZqUSVIqnQfjfbtKD4zPl9jO7SwFWnRN47YDh/7k=,iv:5q7OHog3jwhpPFyqwGnURBMh+fsuTmqllX0KCoNY8d4=,tag:FD9AA3zaivX1ug4ItltINw==,type:str]
     pgp: []
     encrypted_regex: ^(data|stringData|password)$
-    version: 3.8.1
+    version: 3.9.0
+---
+apiVersion: v1
+kind: Secret
+metadata:
+    name: qbittorrent-gluetun-secret
+type: Opaque
+stringData:
+    FIREWALL_VPN_INPUT_PORTS: ENC[AES256_GCM,data:4TNsEN8=,iv:n78Oc3mEldzM7jPcoW/BByF4hEuVHFIMMoI2YCX4Zmw=,tag:SFRzOWvEPXjn1/pq7R1PGA==,type:str]
+    SERVER_CITIES: ENC[AES256_GCM,data:ZKP3QBQo0GEkNXc=,iv:qkEcBLEVZ/e0qctJYuMBMNvJWO+F61xlZ0KBKhX4auU=,tag:hRXCdoPog2MaO3ip8Wj+ng==,type:str]
+    SERVER_COUNTRIES: ENC[AES256_GCM,data:m1CSyYtHHpPQW6/mDw==,iv:TVoRB+UJNawyielU+g9o/+UFIEgMwPR2OwIM/RVZh9Q=,tag:pRuId64OoDC+n3wtx2skYg==,type:str]
+    VPN_SERVICE_PROVIDER: ENC[AES256_GCM,data:IL6MAzXc,iv:jXS5qpwsOJ4I+u8u+bhKSAbJgEhDeKyCmOgDUiS2Nqc=,tag:rZXjKxgnhz+7v9rnCETraA==,type:str]
+    WIREGUARD_ADDRESSES: ENC[AES256_GCM,data:vx5Yt8qoQwKzNsjZdDqo3ofBPb27/p8oO9jv9NLrTvpIju74LWTnRpucRe+LJrR6i0Pr2WQ8WWI=,iv:LuniAzMs0imKr/aXBRxZoA6e90E8lEz+sJJTEHkerc0=,tag:7mwnERA+pds62ycqbenFDQ==,type:str]
+    WIREGUARD_DNS: ENC[AES256_GCM,data:sLh6/TwlOgbVMuXYAxyXF7YB9aZHJupjNgW/iq/87qfS,iv:d2de2OLZmLNNqxl3Bt9dHGqHPGlaAI9T9F6kS/gnrT0=,tag:hC1dpvdwEAbVhYcLJCyEXA==,type:str]
+    WIREGUARD_MTU: ENC[AES256_GCM,data:W6UQjQ==,iv:I/Su+wC7vzC2vjijEObAXNqzi0MB8AWhQVtXPGIOh04=,tag:5FnkWoXXmHLwJ3dpsB7I3w==,type:str]
+    WIREGUARD_PRESHARED_KEY: ENC[AES256_GCM,data:fKO+l3yyNjuWBTmVI+HcasUpTuGwCO9+73j0u5PYguZp/QPBNLKECz040P4=,iv:04LosdND2rytuX5mqV6TnoYsUEMDs9bOYd2IhLQnquk=,tag:ubMD9EaY/4ErJpsAHuzyYQ==,type:str]
+    WIREGUARD_PRIVATE_KEY: ENC[AES256_GCM,data:vKrajwrpo8G6UL8UFTCmK2hhnVbvQw5OTVr+l1gCrwwSQioCFjY0NcCJOF4=,iv:T7DlJ82+V2+9ywV9oZ79t2wVyJFYEJuetnEg2Wwu1Lc=,tag:Xd5DVwApllcUTaSgXJ+nCg==,type:str]
+    WIREGUARD_PUBLIC_KEY: ENC[AES256_GCM,data:LlSeS3w3BG9DuD7ez57VpWPcoVABdVK83ZllXwuGMSV9amGE4SVIr5hVfnI=,iv:zQQ3A5ca00sLqAD172k41miMk3unBUrTe33j+jQZd7c=,tag:oe7BFu9FJGV3KOFh4raAPQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1u006cywqm39pr9zgh2hn0svnry5gs2ayhrtxucz77qc7j88kmqzqxtxz0t
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzT1A5UElsOFNOZFhveFFJ
+            aG5MWmpiS1JPanNrdWp2aEREaXZyWjJXUTJRCmcvcXNZNmZ1ZGs3SU1hN2NRRmNB
+            NTRLbFZVSW5OYlRhemZaWGNpRkRGajQKLS0tIDJ1bGljT1FUWjVBaXg4d2I2a2Za
+            VE1VVDE5dFVJQ0JUYUZKa2QyU1liRXcKbklvSiVER1PLfJ+Mq/UXaJHs3XugCB8F
+            iZ6sFC2NIEF37MM2x7esY57eCAdRekQXXe3Vs3YPql5uNY79muesdQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-08-14T20:40:52Z"
+    mac: ENC[AES256_GCM,data:1x+/RfB74rJnWT3VsjyMa4M37DeW0bPtK+HQx3p0zbBj4eHPOi1isoXayIQscmQVnLcR5lBZzh5YYWabOOpyi3gIwFEdvdWEkJA6y4iEgGfIzJTflcIurhJSMbMCuEJkkEpnZqUSVIqnQfjfbtKD4zPl9jO7SwFWnRN47YDh/7k=,iv:5q7OHog3jwhpPFyqwGnURBMh+fsuTmqllX0KCoNY8d4=,tag:FD9AA3zaivX1ug4ItltINw==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData|password)$
+    version: 3.9.0
diff --git a/kubernetes/apps/default/qbittorrent/ks.yaml b/kubernetes/apps/default/qbittorrent/ks.yaml
@@ -12,7 +12,6 @@ spec:
       app.kubernetes.io/name: *app
   dependsOn:
     - name: external-secrets-stores
-    - name: stealth-gateway
     - name: volsync
   path: ./kubernetes/apps/default/qbittorrent/app
   prune: true