k8s/apps/mtproxy/telemt-daemonset.yaml

---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: telemt
  labels:
    app: telemt
spec:
  selector:
    matchLabels:
      app: telemt
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: telemt
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              - matchExpressions:
                  - key: mtproxy
                    operator: Exists
      serviceAccountName: mtproxy
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      initContainers:
        - name: register-proxy
          image: bitnami/kubectl:latest
          env:
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: SECRET
              valueFrom:
                secretKeyRef:
                  name: tgproxy-secret
                  key: SECRET
            - name: TELEMT_PORT
              valueFrom:
                secretKeyRef:
                  name: telemt-secret
                  key: PORT
          command:
            - /bin/bash
            - -c
            - |
              set -e
              NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
              SERVER=$(kubectl get node "${NODE_NAME}" -o jsonpath='{.metadata.labels.mtproxy}')
              if [ -z "${SERVER}" ]; then
                echo "ERROR: node ${NODE_NAME} has no mtproxy label"
                exit 1
              fi
              # Build ee-prefixed secret: ee + secret + hex(tls_domain)
              # "ya.ru" = 79612e7275
              EE_SECRET="ee${SECRET}79612e7275"
              LINK="tg://proxy?server=${SERVER}&port=${TELEMT_PORT}&secret=${EE_SECRET}"
              echo "Registering telemt: ${SERVER} -> ${LINK}"
              if kubectl get secret telemt-links -n "${NAMESPACE}" &>/dev/null; then
                kubectl patch secret telemt-links -n "${NAMESPACE}" \
                  --type merge -p "{\"stringData\":{\"${SERVER}\":\"${LINK}\"}}"
              else
                kubectl create secret generic telemt-links -n "${NAMESPACE}" \
                  --from-literal="${SERVER}=${LINK}"
              fi
              echo "Done"
      containers:
        - name: telemt
          image: ghcr.io/telemt/telemt:latest
          imagePullPolicy: Always
          ports:
            - name: proxy
              containerPort: 30444
              protocol: TCP
            - name: api
              containerPort: 9091
              protocol: TCP
          workingDir: /run/telemt
          env:
            - name: RUST_LOG
              value: info
          volumeMounts:
            - name: workdir
              mountPath: /run/telemt
            - name: config
              mountPath: /run/telemt/config.toml
              subPath: config.toml
              readOnly: true
            - name: etcdir
              mountPath: /etc/telemt
          securityContext:
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
      volumes:
        - name: config
          secret:
            secretName: telemt-secret
            items:
              - key: config.toml
                path: config.toml
        - name: workdir
          emptyDir:
            medium: Memory
            sizeLimit: 1Mi
        - name: etcdir
          emptyDir:
            medium: Memory
            sizeLimit: 1Mi
Added telemt 2026-04-06 11:52:36 +01:00			`---`
			`apiVersion: apps/v1`
			`kind: DaemonSet`
			`metadata:`
			`name: telemt`
			`labels:`
			`app: telemt`
			`spec:`
			`selector:`
			`matchLabels:`
			`app: telemt`
			`updateStrategy:`
			`type: RollingUpdate`
			`template:`
			`metadata:`
			`labels:`
			`app: telemt`
			`spec:`
			`affinity:`
			`nodeAffinity:`
			`requiredDuringSchedulingIgnoredDuringExecution:`
			`nodeSelectorTerms:`
			`- matchExpressions:`
			`- key: mtproxy`
			`operator: Exists`
			`serviceAccountName: mtproxy`
			`hostNetwork: true`
			`dnsPolicy: ClusterFirstWithHostNet`
			`initContainers:`
			`- name: register-proxy`
			`image: bitnami/kubectl:latest`
			`env:`
			`- name: NODE_NAME`
			`valueFrom:`
			`fieldRef:`
			`fieldPath: spec.nodeName`
			`- name: SECRET`
			`valueFrom:`
			`secretKeyRef:`
			`name: tgproxy-secret`
			`key: SECRET`
			`- name: TELEMT_PORT`
			`valueFrom:`
			`secretKeyRef:`
			`name: telemt-secret`
			`key: PORT`
			`command:`
			`- /bin/bash`
			`- -c`
			`- \|`
			`set -e`
			`NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)`
			`SERVER=$(kubectl get node "${NODE_NAME}" -o jsonpath='{.metadata.labels.mtproxy}')`
			`if [ -z "${SERVER}" ]; then`
			`echo "ERROR: node ${NODE_NAME} has no mtproxy label"`
			`exit 1`
			`fi`
Added telemt 2026-04-06 12:24:19 +01:00			`# Build ee-prefixed secret: ee + secret + hex(tls_domain)`
			`# "ya.ru" = 79612e7275`
			`EE_SECRET="ee${SECRET}79612e7275"`
Added telemt 2026-04-06 12:09:14 +01:00			`LINK="tg://proxy?server=${SERVER}&port=${TELEMT_PORT}&secret=${EE_SECRET}"`
Added telemt 2026-04-06 11:52:36 +01:00			`echo "Registering telemt: ${SERVER} -> ${LINK}"`
			`if kubectl get secret telemt-links -n "${NAMESPACE}" &>/dev/null; then`
			`kubectl patch secret telemt-links -n "${NAMESPACE}" \`
			`--type merge -p "{\"stringData\":{\"${SERVER}\":\"${LINK}\"}}"`
			`else`
			`kubectl create secret generic telemt-links -n "${NAMESPACE}" \`
			`--from-literal="${SERVER}=${LINK}"`
			`fi`
			`echo "Done"`
			`containers:`
			`- name: telemt`
			`image: ghcr.io/telemt/telemt:latest`
			`imagePullPolicy: Always`
			`ports:`
			`- name: proxy`
			`containerPort: 30444`
			`protocol: TCP`
			`- name: api`
			`containerPort: 9091`
			`protocol: TCP`
			`workingDir: /run/telemt`
			`env:`
			`- name: RUST_LOG`
			`value: info`
			`volumeMounts:`
			`- name: workdir`
			`mountPath: /run/telemt`
			`- name: config`
			`mountPath: /run/telemt/config.toml`
			`subPath: config.toml`
			`readOnly: true`
Added telemt 2026-04-06 12:01:49 +01:00			`- name: etcdir`
			`mountPath: /etc/telemt`
Added telemt 2026-04-06 11:52:36 +01:00			`securityContext:`
			`readOnlyRootFilesystem: true`
			`allowPrivilegeEscalation: false`
			`capabilities:`
			`drop:`
			`- ALL`
			`volumes:`
			`- name: config`
			`secret:`
			`secretName: telemt-secret`
			`items:`
			`- key: config.toml`
			`path: config.toml`
			`- name: workdir`
			`emptyDir:`
			`medium: Memory`
			`sizeLimit: 1Mi`
Added telemt 2026-04-06 12:01:49 +01:00			`- name: etcdir`
			`emptyDir:`
			`medium: Memory`
			`sizeLimit: 1Mi`