From 196d53a5a92821bfd0ba5226cc9ddf5523b4e732 Mon Sep 17 00:00:00 2001 From: Ultradesu Date: Fri, 18 Jul 2025 14:47:26 +0300 Subject: [PATCH] Added rustdesk --- .gitignore | 1 + k8s/apps/rustdesk/deployment.yaml | 129 ++++++++++++++++++ ...rets.yaml => external-secrets.yaml.backup} | 0 k8s/apps/rustdesk/ingress.yaml | 26 ++++ k8s/apps/rustdesk/kustomization.yaml | 15 +- k8s/apps/rustdesk/network-policy.yaml | 85 ++++++++++++ k8s/apps/rustdesk/secret.yaml | 18 +++ k8s/apps/rustdesk/service.yaml | 83 +++++++++++ 8 files changed, 348 insertions(+), 9 deletions(-) create mode 100644 k8s/apps/rustdesk/deployment.yaml rename k8s/apps/rustdesk/{external-secrets.yaml => external-secrets.yaml.backup} (100%) create mode 100644 k8s/apps/rustdesk/ingress.yaml create mode 100644 k8s/apps/rustdesk/network-policy.yaml create mode 100644 k8s/apps/rustdesk/secret.yaml create mode 100644 k8s/apps/rustdesk/service.yaml diff --git a/.gitignore b/.gitignore index a0864d4..399e2f8 100644 --- a/.gitignore +++ b/.gitignore @@ -58,3 +58,4 @@ tags # Persistent undo [._]*.un~ +.DS_Store diff --git a/k8s/apps/rustdesk/deployment.yaml b/k8s/apps/rustdesk/deployment.yaml new file mode 100644 index 0000000..d91ddd1 --- /dev/null +++ b/k8s/apps/rustdesk/deployment.yaml 
@@ -0,0 +1,129 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: rustdesk-hbbs
+ namespace: rustdesk
+ labels:
+ app: rustdesk-hbbs
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: rustdesk-hbbs
+ template:
+ metadata:
+ labels:
+ app: rustdesk-hbbs
+ spec:
+ nodeSelector:
+ kubernetes.io/hostname: master.tail2fe2d.ts.net
+ containers:
+ - name: hbbs
+ image: rustdesk/rustdesk-server:latest
+ imagePullPolicy: Always
+ resources:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "512Mi"
+ cpu: "500m"
+ command: ["hbbs"]
+ args:
+ - "-r"
+ - "rd.hexor.cy:21117" # Relay сервер
+ - "-k"
+ - "_" # Использовать ключи из файлов
+ - "-p"
+ - "21115"
+ - "-w"
+ - "21118" # Веб-порт
+ ports:
+ - name: nat
+ containerPort: 21115
+ protocol: TCP
+ - name: registry
+ containerPort: 21116
+ protocol: TCP
+ - name: web
+ containerPort: 21118
+ protocol: TCP
+ volumeMounts:
+ - name: keys
+ mountPath: /root
+ readOnly: true
+ env:
+ - name: RUST_LOG
+ value: "info"
+ volumes:
+ - name: keys
+ secret:
+ secretName: rustdesk-keys
+ items:
+ - key: id_ed25519
+ path: id_ed25519
+ mode: 0600
+ - key: id_ed25519.pub
+ path: id_ed25519.pub
+ mode: 0644
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: rustdesk-hbbr
+ namespace: rustdesk
+ labels:
+ app: rustdesk-hbbr
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: rustdesk-hbbr
+ template:
+ metadata:
+ labels:
+ app: rustdesk-hbbr
+ spec:
+ nodeSelector:
+ kubernetes.io/hostname: master.tail2fe2d.ts.net
+ containers:
+ - name: hbbr
+ image: rustdesk/rustdesk-server:latest
+ imagePullPolicy: Always
+ resources:
+ requests:
+ memory: "128Mi"
+ cpu: "100m"
+ limits:
+ memory: "512Mi"
+ cpu: "500m"
+ command: ["hbbr"]
+ args:
+ - "-k"
+ - "_" # Использовать ключи из файлов
+ - "-p"
+ - "21117"
+ ports:
+ - name: relay
+ containerPort: 21117
+ protocol: TCP
+ volumeMounts:
+ - name: keys
+ mountPath: /root
+ readOnly: true
+ env:
+ - name: RUST_LOG
+ value: "info"
+ volumes:
+ - name: keys
+ secret:
+ secretName: rustdesk-keys
+ items:
+ - key: id_ed25519
+ path: id_ed25519
+ mode: 0600
+ - key: id_ed25519.pub
+ path: id_ed25519.pub
+ mode: 0644
diff --git a/k8s/apps/rustdesk/external-secrets.yaml b/k8s/apps/rustdesk/external-secrets.yaml.backup
similarity index 100%
rename from k8s/apps/rustdesk/external-secrets.yaml
rename to k8s/apps/rustdesk/external-secrets.yaml.backup
diff --git a/k8s/apps/rustdesk/ingress.yaml b/k8s/apps/rustdesk/ingress.yaml
new file mode 100644
index 0000000..6f3455b
--- /dev/null
+++ b/k8s/apps/rustdesk/ingress.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: rustdesk-web
+ namespace: rustdesk
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt
+ traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
+spec:
+ ingressClassName: traefik
+ tls:
+ - hosts:
+ - rd.hexor.cy
+ secretName: rustdesk-tls
+ rules:
+ - host: rd.hexor.cy
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: rustdesk-web
+ port:
+ number: 21118
diff --git a/k8s/apps/rustdesk/kustomization.yaml b/k8s/apps/rustdesk/kustomization.yaml
index d222188..791642c 100644
--- a/k8s/apps/rustdesk/kustomization.yaml
+++ b/k8s/apps/rustdesk/kustomization.yaml
@@ -3,14 +3,11 @@ kind: Kustomization resources: - app.yaml - #- external-secrets.yaml + - deployment.yaml + - service.yaml + - ingress.yaml + - secret.yaml + - network-policy.yaml -helmCharts: - - name: rustdesk-server-oss - repo: https://schich.tel/helm-charts - version: 0.2.2 - releaseName: rustdesk - namespace: rustdesk - valuesFile: values.yaml - includeCRDs: true +# Убираем Helm chart и делаем нативные манифесты
diff --git a/k8s/apps/rustdesk/network-policy.yaml b/k8s/apps/rustdesk/network-policy.yaml
new file mode 100644
index 0000000..a1afe3a
--- /dev/null
+++ b/k8s/apps/rustdesk/network-policy.yaml
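Review bot: Both containers in deployment.yaml run `rustdesk/rustdesk-server:latest` with `imagePullPolicy: Always`, so any pod restart can pull different code into a process that holds the server's signing key. Pin the image to a released tag or a digest, e.g. `image: rustdesk/rustdesk-server@sha256:<digest>`. Neither pod spec sets a `securityContext`; the key Secret is mounted under `/root`, which suggests the containers run as root, so `allowPrivilegeEscalation: false` and dropped capabilities are worth adding once the image is confirmed to tolerate them. The Secret is also mounted read-only over the whole of `/root`; if hbbs keeps its own state in that directory (not visible in this diff), it will be unable to write there, so a dedicated key path plus a writable data volume should be confirmed.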
@@ -0,0 +1,85 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: rustdesk-network-policy
+ namespace: rustdesk
+spec:
+ podSelector:
+ matchLabels:
+ app: rustdesk-hbbs
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ # Разрешаем все входящие подключения на RustDesk порты
+ - from: []
+ ports:
+ - protocol: TCP
+ port: 21115
+ - protocol: TCP
+ port: 21116
+ - protocol: UDP
+ port: 21116
+ - protocol: TCP
+ port: 21118
+ # Разрешаем Traefik ingress для веб-интерфейса
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ name: kube-system
+ ports:
+ - protocol: TCP
+ port: 21118
+ egress:
+ # Разрешаем DNS
+ - to: []
+ ports:
+ - protocol: UDP
+ port: 53
+ - protocol: TCP
+ port: 53
+ # Разрешаем связь между HBBS и HBBR
+ - to:
+ - podSelector:
+ matchLabels:
+ app: rustdesk-hbbr
+ ports:
+ - protocol: TCP
+ port: 21117
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: rustdesk-hbbr-network-policy
+ namespace: rustdesk
+spec:
+ podSelector:
+ matchLabels:
+ app: rustdesk-hbbr
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ # Разрешаем все входящие подключения на relay порт
+ - from: []
+ ports:
+ - protocol: TCP
+ port: 21117
+ # Разрешаем подключения от HBBS
+ - from:
+ - podSelector:
+ matchLabels:
+ app: rustdesk-hbbs
+ ports:
+ - protocol: TCP
+ port: 21117
+ egress:
+ # Разрешаем DNS
+ - to: []
+ ports:
+ - protocol: UDP
+ port: 53
+ - protocol: TCP
+ port: 53
diff --git a/k8s/apps/rustdesk/secret.yaml b/k8s/apps/rustdesk/secret.yaml
new file mode 100644
index 0000000..bb2e594
--- /dev/null
+++ b/k8s/apps/rustdesk/secret.yaml
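Review bot: The first ingress rule of each policy uses `from: []`, which matches every source, so the scoped rules that follow (21118 from `kube-system`, 21117 from the hbbs pods) restrict nothing and the web port is open to any peer that can reach the pod. If 21118 is meant to be reachable only through Traefik, remove it from the open rule and keep only the namespace-scoped one. That scoped rule selects on `name: kube-system`, a label Kubernetes does not set on namespaces by default; the automatically applied label is `kubernetes.io/metadata.name: kube-system`, so unless the `name` label was added by hand the selector would match nothing. The DNS egress rules use `to: []` and therefore allow port 53 to any destination; limiting them to the cluster DNS pods would tighten egress.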
@@ -0,0 +1,18 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: rustdesk-keys
+ namespace: rustdesk
+type: Opaque
+data:
+ # Временные захардкоженные ключи (замените на реальные из Bitwarden позже)
+ # Приватный ключ Ed25519 (base64)
+ id_ed25519: |
+ LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1DNENBUUF3QlFZREsyVndCQ0lFSUhyVHIvaEVx
+ OXlOMXZXL0JWVlhxZ1JPOVVJU1UwMEhzSzNjeUZjSGI3M0QKLS0tLS1FTkQgUFJJVkFURSBLRVkt
+ LS0tLQo=
+ # Публичный ключ Ed25519 (base64)
+ id_ed25519.pub: |
+ LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUNvd0JRWURLMlZ3QkNJRUlIclRyL2hFcTl5TjF2
+ Vy9CVlZYcWdSTzlVSVNVMDBIc0szY3lGY0hiNzNECi0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQo=
diff --git a/k8s/apps/rustdesk/service.yaml b/k8s/apps/rustdesk/service.yaml
new file mode 100644
index 0000000..268ff71
--- /dev/null
+++ b/k8s/apps/rustdesk/service.yaml
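Review bot: secret.yaml commits an Ed25519 private key in `data.id_ed25519`; base64 is an encoding, not protection, so anyone who can read the repository or its history holds the server's identity key. The comment marks the key as temporary, but this same commit renames `external-secrets.yaml` to `.backup` and adds `- secret.yaml` to the kustomization resources, so this is the key that actually gets deployed. Treat the committed pair as compromised: generate a new one, deliver it through the ExternalSecret or another encrypted-at-rest mechanism, and drop this manifest from `resources`. Deleting the file in a later commit does not remove the key from git history, so rotating it is the step that matters.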
@@ -0,0 +1,83 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: rustdesk-hbbs
+ namespace: rustdesk
+ labels:
+ app: rustdesk-hbbs
+spec:
+ type: LoadBalancer
+ externalTrafficPolicy: Local
+ selector:
+ app: rustdesk-hbbs
+ ports:
+ - name: nat
+ port: 21115
+ targetPort: 21115
+ protocol: TCP
+ - name: registry-tcp
+ port: 21116
+ targetPort: 21116
+ protocol: TCP
+ - name: web
+ port: 21118
+ targetPort: 21118
+ protocol: TCP
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: rustdesk-hbbs-udp
+ namespace: rustdesk
+ labels:
+ app: rustdesk-hbbs
+spec:
+ type: LoadBalancer
+ externalTrafficPolicy: Local
+ selector:
+ app: rustdesk-hbbs
+ ports:
+ - name: registry-udp
+ port: 21116
+ targetPort: 21116
+ protocol: UDP
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: rustdesk-hbbr
+ namespace: rustdesk
+ labels:
+ app: rustdesk-hbbr
+spec:
+ type: LoadBalancer
+ externalTrafficPolicy: Local
+ selector:
+ app: rustdesk-hbbr
+ ports:
+ - name: relay
+ port: 21117
+ targetPort: 21117
+ protocol: TCP
+
+---
+# ClusterIP сервис для веб-интерфейса (используется через Ingress)
+apiVersion: v1
+kind: Service
+metadata:
+ name: rustdesk-web
+ namespace: rustdesk
+ labels:
+ app: rustdesk-hbbs
+spec:
+ type: ClusterIP
+ selector:
+ app: rustdesk-hbbs
+ ports:
+ - name: web
+ port: 21118
+ targetPort: 21118
+ protocol: TCP
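Review bot: The `rustdesk-hbbs` LoadBalancer Service publishes port 21118 (`web`) next to 21115 and 21116, so the web endpoint is reachable directly on the load-balancer address without TLS, bypassing the Ingress and its `https-redirect` middleware. The ClusterIP `rustdesk-web` Service already carries 21118 to the same pods for the Ingress, so the `- name: web` entry can be removed from the LoadBalancer port list. Separately, 21116 is split across two LoadBalancer Services (`rustdesk-hbbs` for TCP, `rustdesk-hbbs-udp` for UDP), which may receive different external addresses unless the load balancer is configured to share one; that depends on the LB implementation, which is not visible here.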