---
# Default values for the openvpn chart.
# Every key below is exposed to the templates as .Values.<key>; override with
# --set or an extra values file rather than editing this copy in place.

replicaCount: 1

# Deployment update strategy. An empty mapping leaves the Kubernetes default.
updateStrategy: {}
  # type: RollingUpdate
  # rollingUpdate:
  #   maxSurge: 1
  #   maxUnavailable: 0

# Name of an existing image pull secret, for private registries.
# null (the default) references no pull secret.
imagePullSecretName: null

image:
  repository: jok3rbrvt/openvpn-ldap-auth-docker
  tag: v1.0.0
  pullPolicy: IfNotPresent

service:
  type: LoadBalancer
  externalPort: 443
  internalPort: 443
  # hostPort: 443
  externalIPs: []
  nodePort: 32085
  # clusterIP: None
  # Source ranges limit who can reach the VPN endpoint at all;
  # 0.0.0.0/0 admits every address.
  # LoadBalancerSourceRanges: 0.0.0.0/0
  # loadBalancerIP: 10.0.0.1
  # Annotations attached to the openvpn Service, e.g.
  # annotations:
  #   external-dns.alpha.kubernetes.io/hostname: vpn.example.com
  annotations: {}

# Annotations attached to the openvpn Pod, e.g.
# podAnnotations:
#   backup.ark.heptio.com/backup-volumes: certs
podAnnotations: {}

# Adds a privileged init container that turns on IPv4 forwarding.
# A privileged container sits outside most of the pod security boundary, so
# keep this off unless the node does not already forward.
ipForwardInitContainer: false

resources:
  limits:
    cpu: 300m
    memory: 128Mi
  requests:
    cpu: 300m
    memory: 128Mi

readinessProbe:
  initialDelaySeconds: 5
  periodSeconds: 5
  successThreshold: 2

persistence:
  enabled: true
  # subPath: openvpn
  # Bind a pre-created PersistentVolumeClaim instead of provisioning one.
  # Requires persistence.enabled: true; the PVC must exist before the volume
  # can bind.
  # existingClaim:
  # Storage class for the openvpn data volume:
  #   - a name sets storageClassName: <name>
  #   - "-" sets storageClassName: "" and disables dynamic provisioning
  #   - unset or null (the default) omits storageClassName, so the cluster's
  #     default provisioner is used (gp2 on AWS, standard on GKE, AWS and
  #     OpenStack)
  # storageClass: "-"
  accessMode: ReadWriteOnce
  size: 2M

openvpn:
  # Address range handed out to VPN clients (upstream default 10.240.0.0).
  OVPN_NETWORK: '172.16.69.0'
  # Netmask for the client range (upstream default 255.255.0.0).
  OVPN_SUBNET: '255.255.255.0'
  # Transport protocol, tcp or udp (upstream default udp).
  OVPN_PROTO: tcp
  # Kubernetes pod network and its netmask (optional).
  OVPN_K8S_POD_NETWORK: '10.42.0.0'
  OVPN_K8S_POD_SUBNET: '255.255.0.0'
  # Kubernetes service network and its netmask (optional). Set both
  # OVPN_K8S_SVC_NETWORK and OVPN_K8S_SVC_SUBNET when the service subnet
  # needs a route of its own.
  OVPN_K8S_SVC_NETWORK: '10.43.0.0'
  OVPN_K8S_SVC_SUBNET: '255.255.0.0'
  # Let openvpn derive its default route from the routes inside the pod.
  DEFAULT_ROUTE_ENABLED: true

  # Server certificate material. When keystoreSecret names a Secret, the
  # certificates are taken from it instead of being generated. Create it with:
  #   kubectl create secret generic openvpn-keystore-secret \
  #     --from-file=./server.key --from-file=./ca.crt --from-file=./server.crt \
  #     --from-file=./dh.pem [--from-file=./crl.pem] [--from-file=./ta.key]
  # keystoreSecret:

  # Push a `dhcp-option DOMAIN` line to clients.
  dhcpOptionDomain: true
  # Send all client traffic through the tunnel.
  redirectGateway: false
  # Use (and generate) a certificate revocation list, so revoked client
  # certificates are actually rejected.
  useCrl: true
  # Use (and generate) a ta.key; see
  # https://openvpn.net/community-resources/hardening-openvpn-security/
  taKey: true
  # Cipher override. AES-256-CBC is not an AEAD mode; AES-256-GCM is the
  # stronger choice once every client supports it.
  cipher: AES-256-CBC
  # Appended verbatim to the server configuration file. The second line is
  # an OpenVPN comment, left in as a reminder of the client-to-client option.
  serverConf: |
    max-clients 20
    # client-to-client
  # Appended verbatim to the client configuration file. Example for Ubuntu
  # (18.04+) clients, which need the update-systemd-resolved package
  # (apt install update-systemd-resolved) so systemd-resolved routes DNS
  # requests correctly:
  # clientConf: |
  #   script-security 2
  #   up /etc/openvpn/update-systemd-resolved
  #   up-restart
  #   down /etc/openvpn/update-systemd-resolved
  #   down-pre

  # Istio support for openvpn connections.
  istio:
    enabled: false
    proxy:
      port: 15001

  # Extra iptables rules, one rule per list entry, e.g.
  iptablesExtra: []
    # - -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    # - -A FORWARD -m conntrack --ctstate NEW -d 10.240.0.0/255.255.0.0 -j ACCEPT
    # - -A FORWARD -j REJECT

  # CCD (client-config-dir) support: per-client directives keyed by the
  # client certificate's common name.
  ccd:
    enabled: false
    config: {}
      # johndoe: "ifconfig-push 10.240.100.10 10.240.100.11"
      # janedoe: "ifconfig-push 10.240.100.20 10.240.100.21"

# LDAP authentication of VPN users.
ldap:
  enabled: true
  # Plain ldap:// carries the bind credential in cleartext; prefer ldaps://
  # where the directory offers it.
  url: 'ldap://10.10.10.10'
  # Bind account; a read-only service account, as here, is the right shape.
  binddn: 'cn=readonly,ou=system,dc=demo,dc=com'
  # Placeholder bind password for the demo directory above. Supply the real
  # one at install time (--set ldap.password=... or an untracked values file)
  # rather than committing it to this file.
  password: 'P@ssword'
  basedn: 'ou=vpn,dc=demo,dc=com'

nodeSelector: {}
tolerations: []