From 92e132615771a0bc41dd857771cd1a962583fffc Mon Sep 17 00:00:00 2001 From: Jean-Francois Roy Date: Wed, 14 Aug 2024 11:23:24 -0700 Subject: [PATCH] feat(qbittorrent): run gluetun as sidecar --- .sops.yaml | 5 ++ .../default/qbittorrent/app/helmrelease.yaml | 63 ++++++++++++++++++- .../qbittorrent/app/kustomization.yaml | 2 +- .../qbittorrent/app/networkpolicy.sops.yaml | 46 ++++++++++++++ .../qbittorrent/app/networkpolicy.yaml | 14 ----- .../default/qbittorrent/app/secret.sops.yaml | 43 ++++++++++++- kubernetes/apps/default/qbittorrent/ks.yaml | 1 - 7 files changed, 152 insertions(+), 22 deletions(-) create mode 100644 kubernetes/apps/default/qbittorrent/app/networkpolicy.sops.yaml delete mode 100644 kubernetes/apps/default/qbittorrent/app/networkpolicy.yaml diff --git a/.sops.yaml b/.sops.yaml index d016818bf..bae1cf487 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -13,6 +13,11 @@ creation_rules: key_groups: - age: - "age1u006cywqm39pr9zgh2hn0svnry5gs2ayhrtxucz77qc7j88kmqzqxtxz0t" + - path_regex: kubernetes/.*/networkpolicy\.sops\.ya?ml + encrypted_regex: "^(egress|ingress)$" + key_groups: + - age: + - "age1u006cywqm39pr9zgh2hn0svnry5gs2ayhrtxucz77qc7j88kmqzqxtxz0t" - path_regex: kubernetes/.*\.sops\.ya?ml encrypted_regex: "^(data|stringData|password)$" key_groups: diff --git a/kubernetes/apps/default/qbittorrent/app/helmrelease.yaml b/kubernetes/apps/default/qbittorrent/app/helmrelease.yaml index 689e15120..0f96a2863 100644 --- a/kubernetes/apps/default/qbittorrent/app/helmrelease.yaml +++ b/kubernetes/apps/default/qbittorrent/app/helmrelease.yaml 
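Review bot: The new `networkpolicy\.sops\.ya?ml` creation rule only works because it sits above the catch-all `kubernetes/.*\.sops\.ya?ml` rule — sops takes the first `path_regex` that matches, and the catch-all's `^(data|stringData|password)$` would leave `egress`/`ingress` in plaintext — but nothing in the file says the order is load-bearing. A comment on the new `- path_regex:` line would protect it from a later reorder: `# keep above the kubernetes/.*\.sops\.ya?ml catch-all: sops applies the first matching path_regex`. It is also worth stating in that comment that `metadata` (including the `future-me-why` annotation) is intentionally left in clear by this regex.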
@@ -40,9 +40,9 @@ spec: QBT_BitTorrent__Session__AsyncIOThreadsCount: "4" QBT_BitTorrent__Session__DefaultSavePath: /media/qbittorrent/complete/default QBT_BitTorrent__Session__DisableAutoTMMByDefault: "false" - QBT_BitTorrent__Session__Interface: vxlan0 + QBT_BitTorrent__Session__Interface: wg0 QBT_BitTorrent__Session__InterfaceAddress: 0.0.0.0 - QBT_BitTorrent__Session__InterfaceName: vxlan0 + QBT_BitTorrent__Session__InterfaceName: wg0 QBT_BitTorrent__Session__LSDEnabled: "false" QBT_BitTorrent__Session__TempPath: /media/qbittorrent/incomplete QBT_BitTorrent__Session__TempPathEnabled: "true" @@ -82,6 +82,48 @@ spec: cpu: 4 memory: 50Gi initContainers: + gluetun: + image: + repository: ghcr.io/qdm12/gluetun + tag: v3.39.0@sha256:2f011a9aca767af62008d879eefcbc80a8645bd4fd4466ab312cc941cb658ad1 + env: + HEALTH_VPN_DURATION_INITIAL: 30s + FIREWALL_OUTBOUND_SUBNETS: 10.11.0.0/16,10.12.0.0/16 + VPN_INTERFACE: wg0 + VPN_TYPE: wireguard + TZ: America/Los_Angeles + envFrom: + - secretRef: + name: qbittorrent-gluetun-secret + probes: + liveness: + custom: true + spec: + httpGet: + path: / + port: 9999 + initialDelaySeconds: 0 + periodSeconds: 10 + failureThreshold: 3 + startup: + custom: true + spec: + httpGet: + path: / + port: 9999 + initialDelaySeconds: 10 + periodSeconds: 10 + failureThreshold: 5 + resources: + limits: + memory: 128Mi + restartPolicy: Always + securityContext: + <<: *securityContext + readOnlyRootFilesystem: false + runAsNonRoot: false + runAsUser: 0 + capabilities: { add: ["NET_ADMIN"] } vuetorrent: image: repository: ghcr.io/jfroy/vuetorrent @@ -140,6 +182,16 @@ spec: persistence: config: existingClaim: qbittorrent + empty: + type: emptyDir + sizeLimit: 20Mi + globalMounts: + - path: /gluetun + subPath: gluetun + - path: /share + subPath: share + - path: /tmp + subPath: tmp media: type: nfs server: kaidame.flat 
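Review bot: In the gluetun `securityContext` the explicit `capabilities: { add: ["NET_ADMIN"] }` replaces, rather than extends, whatever `capabilities` the merged `*securityContext` anchor carries — `<<:` is a shallow merge and an explicit key wins — so if the anchor drops all capabilities (I cannot see it in this hunk), that drop is silently lost and the root sidecar runs with the default capability set plus `NET_ADMIN`. Writing it out as `capabilities: { drop: ["ALL"], add: ["NET_ADMIN"] }` keeps the intent regardless of what the anchor contains. Since the container also sets `runAsUser: 0`, `runAsNonRoot: false` and `readOnlyRootFilesystem: false`, a one-line comment above the block stating why gluetun needs each relaxation would help the next reader judge them. The `restartPolicy: Always` on an init container presumably relies on native sidecar support (and the `startup` probe on 9999 gating the app containers); a comment naming the Kubernetes version this assumes would make that dependency visible.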
@@ -147,8 +199,13 @@ spec: globalMounts: - path: /media/qbittorrent subPath: qbittorrent - share: + run: type: emptyDir + medium: Memory + sizeLimit: 10Mi + globalMounts: + - path: /run + - path: /var/run postRenderers: - kustomize: patches: diff --git a/kubernetes/apps/default/qbittorrent/app/kustomization.yaml b/kubernetes/apps/default/qbittorrent/app/kustomization.yaml index ae3c51676..3144b19a6 100644 --- a/kubernetes/apps/default/qbittorrent/app/kustomization.yaml +++ b/kubernetes/apps/default/qbittorrent/app/kustomization.yaml @@ -4,7 +4,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./helmrelease.yaml - - ./networkpolicy.yaml + - ./networkpolicy.sops.yaml - ./secret.sops.yaml - ../../../../templates/gatus/guarded - ../../../../templates/volsync diff --git a/kubernetes/apps/default/qbittorrent/app/networkpolicy.sops.yaml b/kubernetes/apps/default/qbittorrent/app/networkpolicy.sops.yaml new file mode 100644 index 000000000..354544090 --- /dev/null +++ b/kubernetes/apps/default/qbittorrent/app/networkpolicy.sops.yaml 
@@ -0,0 +1,46 @@ +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: qbittorrent-allow-gluetun-egress + annotations: + future-me-why: allow ingress and egress to gluetun endpoints, which also puts pod in deny-by-default mode for egress +spec: + endpointSelector: + matchLabels: + app.kubernetes.io/instance: qbittorrent + egress: + - toCIDR: + - ENC[AES256_GCM,data:xsfsgKgQt/f3dsZqRI4ppw==,iv:oOYtzeNyKPdj8e9d8gF1Go+5VhHKqdW7zYlXCdW2WPU=,tag:/xxdKZwokEwOt71SUJ4pzA==,type:str] + - ENC[AES256_GCM,data:JBYdykm1hOxD4zDDvUUT/Q==,iv:+nl1azgwDmtjMLvNEtrqbpJRfH5aADGa0npJpY7JEf0=,tag:/0gInFQMU3OEDJfy7YXRAw==,type:str] + - ENC[AES256_GCM,data:Wr1ymdW7QutGfsgQwoFixflr,iv:svoG79R0egaw1gRdleANg2CrIWszxm+kOV/yR2Ps9aM=,tag:+PJlhn/7YfsdpRY3VZPopw==,type:str] + - ENC[AES256_GCM,data:j1yYnbPNjqlCmHHfVO28QUkad08nTYVYK66v+dyCUkaAx16y2E8Vt3M=,iv:1ViZc1WJ6ynwF5KK+K8qGzrmiOIRLFVrxpB2u78VPsQ=,tag:HR6kSkDDHiXFrPb/mBiLeg==,type:str] + - ENC[AES256_GCM,data:pwinIowkrDrS7BBwzdU5OCZtuTKun+zS4i1YX0f09tw8ZIZC4JU=,iv:i4tSQJ1saK51hSbwefWHwwxppi9U83qiu3RazOJMSdA=,tag:BjtaMoJYkH5KhLMOvm1jNw==,type:str] + - ENC[AES256_GCM,data:qkwuoc6g9caxChUpz+KYoU4a3LXDh4Fak8lMPDwtlI9X0PQndMs=,iv:UP1eJnZD/tq+4JKOMqHhiHNC/yHH0sLuS4plMTLrCEc=,tag:QJr9rzIMBg5VYvl69JHj1Q==,type:str] + ingress: + - fromCIDR: + - ENC[AES256_GCM,data:EV6+034utA4Y6wcFHupv8g==,iv:2x+3WTQMfDQDbJOhg94RUS+5CX/tT9xO3cTyilJrVDM=,tag:EObkMoGVfvcs0rgUvcX1wg==,type:str] + - ENC[AES256_GCM,data:cAlulRKfUSRS1gFdp+QCaQ==,iv:iRMt/olmy6Qkac2KvjYj1xS95D65zV/jm5nyFT2Yx80=,tag:R4WpGAbCqv0/BtE2X65+nw==,type:str] + - ENC[AES256_GCM,data:9TK+h2mrr3R7jKWp85jmXecc,iv:He0n4Y2BeG1UEYN/joZJVnRsGlq2QPnhEqgsr4jIDVI=,tag:VQF3BhEK330cKsTtSJp20A==,type:str] + - ENC[AES256_GCM,data:mFOJsPpHR+dNmUcGGZz3FmVSG+Dwo1V3SDxRzRwg8jd0VqvWLnSbL64=,iv:7Vm8/8osIDcrfyPp/e0WM00BkM9guhGhP95iecHAFzU=,tag:WWNwwn8wMQB+p5iC+Bhrhg==,type:str] + - 
ENC[AES256_GCM,data:DIAlcz03qmLhd0kb+XhJENr4QNM8bkIa12ojJMfMeHLUfYJcRQ0=,iv:yfIyiUkrUzJFGVYdMbmURUYidGIsXLrJdXLYoyq+GkU=,tag:bxj9Ts3JUa6fus1W2F/g3g==,type:str] + - ENC[AES256_GCM,data:VsBlsN94838c8KC2/ARqSHL3QdERZgfuZE9yDTqDMX2Cb8g0QdA=,iv:ShsbJQbGsuhBoSpQSY9SC3levIdp7LYhnvOg7tWq43U=,tag:WSOpMP+BAwJz05nBPWLVgg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1u006cywqm39pr9zgh2hn0svnry5gs2ayhrtxucz77qc7j88kmqzqxtxz0t + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvRE9WbHB2WGhCaTNzYmVD + c2xhZmdyNUhYaWZVWVB6aC93K3Q3Wnl1Q3djCmhiQzdvTTNOaVVxWW9jeEZuc3d0 + T2lteERMWCtUWmhHRk4yQWxaVGhqMTAKLS0tIFJtcldaZWlOTkxPMHQ0NEI4alB0 + aFY2Y1IyeDVPL3hwMjFlM3RreW0yL3MKXViSZ6vOYKenQ48ONcD2ZOfIvoSpYJZW + FkKsPqZUcU4SaVMHSKGjYSQ9ky+KN40aRPdOGNLRBBtq2PRXCjwPgw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-08-14T21:02:29Z" + mac: ENC[AES256_GCM,data:5pgK2aCz1MTpHauYcRp2KYtXkYCjOT3hPgylIwI1lSzUqrs5VQev9+CvcChJhM8NgPKgahpOQCwjdjZBOLH5ubOfp6x/fOjihpmKTD0yn2zPurEJsoKdNUg0yIPyZfYEHgKfYVDQN0n8og22JK9EmC0L8yv+vDoonMXmKQtSOBA=,iv:Oto+nCNvA0/c7GmazYupdn4azNfPu7irU/YwQc95lFI=,tag:Jq9km88r26vakb8uRcLjIQ==,type:str] + pgp: [] + encrypted_regex: ^(egress|ingress)$ + version: 3.9.0 diff --git a/kubernetes/apps/default/qbittorrent/app/networkpolicy.yaml b/kubernetes/apps/default/qbittorrent/app/networkpolicy.yaml deleted file mode 100644 index a1dd95384..000000000 --- a/kubernetes/apps/default/qbittorrent/app/networkpolicy.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: "cilium.io/v2" -kind: CiliumNetworkPolicy -metadata: - name: "qbittorrent-allow-egress-cluster" - annotations: - future-me-why: "allow egress to cluster for all endpoints, which also puts pod in deny-by-default mode for egress; must use stealth-gateway" -spec: - endpointSelector: - matchLabels: - app.kubernetes.io/instance: qbittorrent - egress: - - toEntities: - - "cluster" 
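Review bot: Adding an `ingress` section to this CiliumNetworkPolicy puts the qbittorrent endpoint into default-deny for ingress as well as egress, which the previous `qbittorrent-allow-egress-cluster` policy did not do; unless the encrypted `fromCIDR` list (or a sibling policy) covers the ingress controller and any probes, the web UI and the gatus check become unreachable. The `future-me-why` annotation says "allow ingress and egress to gluetun endpoints" but does not mention that ingress is now deny-by-default; I would extend it, e.g. `future-me-why: allow ingress/egress only to the VPN endpoints; note this also makes ingress deny-by-default, so UI/probe sources must be listed or covered elsewhere`. The same applies to cluster DNS: with `toEntities: [cluster]` gone, gluetun can only reach what is in the encrypted `toCIDR` list, which cannot be verified from this diff. Minor style: the deleted file began with `---` and quoted `apiVersion`/`name`; the replacement drops both, so the two files differ in convention.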
diff --git a/kubernetes/apps/default/qbittorrent/app/secret.sops.yaml b/kubernetes/apps/default/qbittorrent/app/secret.sops.yaml
index 92ab0992e..1b1fe8f4d 100644
--- a/kubernetes/apps/default/qbittorrent/app/secret.sops.yaml
+++ b/kubernetes/apps/default/qbittorrent/app/secret.sops.yaml
@@ -20,8 +20,45 @@ sops: VE1VVDE5dFVJQ0JUYUZKa2QyU1liRXcKbklvSiVER1PLfJ+Mq/UXaJHs3XugCB8F iZ6sFC2NIEF37MM2x7esY57eCAdRekQXXe3Vs3YPql5uNY79muesdQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-30T06:05:13Z" - mac: ENC[AES256_GCM,data:0DPazO1rL5pvdCT/45azTqMOP/AF+JNIvJfD9/c2wRYSTVbrcCeAtqad2RGgCcfAfK125Wy0C+9qzz27iqlZI9oozu93dgaCtLvkPdV9BqfqGe8oJA+gX89jR//9Q0v0+6Aq/78Rl7MB1YDz7cXamgml7EhGzj+MXJC2PI/NlbU=,iv:LV/ULhy1YDTuq6ZYW3I9YRWu4itJXr09c8us1wDckOU=,tag:RMrWMAx2Ex/Dy0ULhm9UhA==,type:str] + lastmodified: "2024-08-14T20:40:52Z" + mac: ENC[AES256_GCM,data:1x+/RfB74rJnWT3VsjyMa4M37DeW0bPtK+HQx3p0zbBj4eHPOi1isoXayIQscmQVnLcR5lBZzh5YYWabOOpyi3gIwFEdvdWEkJA6y4iEgGfIzJTflcIurhJSMbMCuEJkkEpnZqUSVIqnQfjfbtKD4zPl9jO7SwFWnRN47YDh/7k=,iv:5q7OHog3jwhpPFyqwGnURBMh+fsuTmqllX0KCoNY8d4=,tag:FD9AA3zaivX1ug4ItltINw==,type:str] pgp: [] encrypted_regex: ^(data|stringData|password)$ - version: 3.8.1 + version: 3.9.0 +--- +apiVersion: v1 +kind: Secret +metadata: + name: qbittorrent-gluetun-secret +type: Opaque +stringData: + FIREWALL_VPN_INPUT_PORTS: ENC[AES256_GCM,data:4TNsEN8=,iv:n78Oc3mEldzM7jPcoW/BByF4hEuVHFIMMoI2YCX4Zmw=,tag:SFRzOWvEPXjn1/pq7R1PGA==,type:str] + SERVER_CITIES: ENC[AES256_GCM,data:ZKP3QBQo0GEkNXc=,iv:qkEcBLEVZ/e0qctJYuMBMNvJWO+F61xlZ0KBKhX4auU=,tag:hRXCdoPog2MaO3ip8Wj+ng==,type:str] + SERVER_COUNTRIES: ENC[AES256_GCM,data:m1CSyYtHHpPQW6/mDw==,iv:TVoRB+UJNawyielU+g9o/+UFIEgMwPR2OwIM/RVZh9Q=,tag:pRuId64OoDC+n3wtx2skYg==,type:str] + VPN_SERVICE_PROVIDER: ENC[AES256_GCM,data:IL6MAzXc,iv:jXS5qpwsOJ4I+u8u+bhKSAbJgEhDeKyCmOgDUiS2Nqc=,tag:rZXjKxgnhz+7v9rnCETraA==,type:str] + WIREGUARD_ADDRESSES: ENC[AES256_GCM,data:vx5Yt8qoQwKzNsjZdDqo3ofBPb27/p8oO9jv9NLrTvpIju74LWTnRpucRe+LJrR6i0Pr2WQ8WWI=,iv:LuniAzMs0imKr/aXBRxZoA6e90E8lEz+sJJTEHkerc0=,tag:7mwnERA+pds62ycqbenFDQ==,type:str] + WIREGUARD_DNS: ENC[AES256_GCM,data:sLh6/TwlOgbVMuXYAxyXF7YB9aZHJupjNgW/iq/87qfS,iv:d2de2OLZmLNNqxl3Bt9dHGqHPGlaAI9T9F6kS/gnrT0=,tag:hC1dpvdwEAbVhYcLJCyEXA==,type:str] + WIREGUARD_MTU: 
ENC[AES256_GCM,data:W6UQjQ==,iv:I/Su+wC7vzC2vjijEObAXNqzi0MB8AWhQVtXPGIOh04=,tag:5FnkWoXXmHLwJ3dpsB7I3w==,type:str] + WIREGUARD_PRESHARED_KEY: ENC[AES256_GCM,data:fKO+l3yyNjuWBTmVI+HcasUpTuGwCO9+73j0u5PYguZp/QPBNLKECz040P4=,iv:04LosdND2rytuX5mqV6TnoYsUEMDs9bOYd2IhLQnquk=,tag:ubMD9EaY/4ErJpsAHuzyYQ==,type:str] + WIREGUARD_PRIVATE_KEY: ENC[AES256_GCM,data:vKrajwrpo8G6UL8UFTCmK2hhnVbvQw5OTVr+l1gCrwwSQioCFjY0NcCJOF4=,iv:T7DlJ82+V2+9ywV9oZ79t2wVyJFYEJuetnEg2Wwu1Lc=,tag:Xd5DVwApllcUTaSgXJ+nCg==,type:str] + WIREGUARD_PUBLIC_KEY: ENC[AES256_GCM,data:LlSeS3w3BG9DuD7ez57VpWPcoVABdVK83ZllXwuGMSV9amGE4SVIr5hVfnI=,iv:zQQ3A5ca00sLqAD172k41miMk3unBUrTe33j+jQZd7c=,tag:oe7BFu9FJGV3KOFh4raAPQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1u006cywqm39pr9zgh2hn0svnry5gs2ayhrtxucz77qc7j88kmqzqxtxz0t + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzT1A5UElsOFNOZFhveFFJ + aG5MWmpiS1JPanNrdWp2aEREaXZyWjJXUTJRCmcvcXNZNmZ1ZGs3SU1hN2NRRmNB + NTRLbFZVSW5OYlRhemZaWGNpRkRGajQKLS0tIDJ1bGljT1FUWjVBaXg4d2I2a2Za + VE1VVDE5dFVJQ0JUYUZKa2QyU1liRXcKbklvSiVER1PLfJ+Mq/UXaJHs3XugCB8F + iZ6sFC2NIEF37MM2x7esY57eCAdRekQXXe3Vs3YPql5uNY79muesdQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-08-14T20:40:52Z" + mac: ENC[AES256_GCM,data:1x+/RfB74rJnWT3VsjyMa4M37DeW0bPtK+HQx3p0zbBj4eHPOi1isoXayIQscmQVnLcR5lBZzh5YYWabOOpyi3gIwFEdvdWEkJA6y4iEgGfIzJTflcIurhJSMbMCuEJkkEpnZqUSVIqnQfjfbtKD4zPl9jO7SwFWnRN47YDh/7k=,iv:5q7OHog3jwhpPFyqwGnURBMh+fsuTmqllX0KCoNY8d4=,tag:FD9AA3zaivX1ug4ItltINw==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData|password)$ + version: 3.9.0 diff --git a/kubernetes/apps/default/qbittorrent/ks.yaml b/kubernetes/apps/default/qbittorrent/ks.yaml index 381b1995a..aba3dcecc 100644 --- a/kubernetes/apps/default/qbittorrent/ks.yaml +++ b/kubernetes/apps/default/qbittorrent/ks.yaml 
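Review bot: The new `qbittorrent-gluetun-secret` document mixes key material (`WIREGUARD_PRIVATE_KEY`, `WIREGUARD_PRESHARED_KEY`) with plain tuning values (`WIREGUARD_MTU`, `SERVER_CITIES`, `SERVER_COUNTRIES`, `VPN_SERVICE_PROVIDER`) that the helmrelease already keeps in the clear `env` map for `VPN_TYPE` and `FIREWALL_OUTBOUND_SUBNETS`; encrypting the non-secret ones makes later reviews of, say, an MTU change opaque for no protection gain. If the intent is to hide the provider and location, a comment on the Secret saying so would stop someone from moving them back out. `FIREWALL_VPN_INPUT_PORTS` must match the listen port qBittorrent uses, which is set outside this hunk and cannot be checked here; a comment pointing at that setting would tie the two together.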
@@ -12,7 +12,6 @@ spec: app.kubernetes.io/name: *app dependsOn: - name: external-secrets-stores - - name: stealth-gateway - name: volsync path: ./kubernetes/apps/default/qbittorrent/app prune: true