From b032852dd82fbb7d064430d5b58a98e4cc11cb26 Mon Sep 17 00:00:00 2001
From: Ultradesu
Date: Mon, 6 Apr 2026 11:52:36 +0100
Subject: [PATCH] Added telemt
---
 k8s/apps/mtproxy/kustomization.yaml | 2 +
 k8s/apps/mtproxy/telemt-daemonset.yaml | 109 ++++++++++++++++++
 k8s/apps/mtproxy/telemt-external-secrets.yaml | 57 +++++++++
 3 files changed, 168 insertions(+)
 create mode 100644 k8s/apps/mtproxy/telemt-daemonset.yaml
 create mode 100644 k8s/apps/mtproxy/telemt-external-secrets.yaml
diff --git a/k8s/apps/mtproxy/kustomization.yaml b/k8s/apps/mtproxy/kustomization.yaml
index 9411c52..3f30d0e 100644
--- a/k8s/apps/mtproxy/kustomization.yaml
+++ b/k8s/apps/mtproxy/kustomization.yaml
@@ -5,7 +5,9 @@ resources:
 - ./app.yaml
 - ./rbac.yaml
 - ./daemonset.yaml
+ - ./telemt-daemonset.yaml
 - ./external-secrets.yaml
+ - ./telemt-external-secrets.yaml
 - ./service.yaml
 - ./secret-reader.yaml
 # - ./storage.yaml
diff --git a/k8s/apps/mtproxy/telemt-daemonset.yaml b/k8s/apps/mtproxy/telemt-daemonset.yaml
new file mode 100644
index 0000000..e0eb4c4
--- /dev/null
+++ b/k8s/apps/mtproxy/telemt-daemonset.yaml
@@ -0,0 +1,109 @@
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: telemt
+ labels:
+ app: telemt
+spec:
+ selector:
+ matchLabels:
+ app: telemt
+ updateStrategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ app: telemt
+ spec:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: mtproxy
+ operator: Exists
+ serviceAccountName: mtproxy
+ hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
+ initContainers:
+ - name: register-proxy
+ image: bitnami/kubectl:latest
+ env:
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ - name: SECRET
+ valueFrom:
+ secretKeyRef:
+ name: tgproxy-secret
+ key: SECRET
+ - name: TELEMT_PORT
+ valueFrom:
+ secretKeyRef:
+ name: telemt-secret
+ key: PORT
+ command:
+ - /bin/bash
+ - -c
+ - |
+ set -e
+ NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)
+ SERVER=$(kubectl get node "${NODE_NAME}" -o jsonpath='{.metadata.labels.mtproxy}')
+ if [ -z "${SERVER}" ]; then
+ echo "ERROR: node ${NODE_NAME} has no mtproxy label"
+ exit 1
+ fi
+ # Build dd-prefixed secret for TLS mode: dd + secret + hex(tls_domain)
+ DOMAIN_HEX=$(echo -n 'ya.ru' | xxd -p | tr -d '\n')
+ DD_SECRET="dd${SECRET}${DOMAIN_HEX}"
+ LINK="tg://proxy?server=${SERVER}&port=${TELEMT_PORT}&secret=${DD_SECRET}"
+ echo "Registering telemt: ${SERVER} -> ${LINK}"
+ if kubectl get secret telemt-links -n "${NAMESPACE}" &>/dev/null; then
+ kubectl patch secret telemt-links -n "${NAMESPACE}" \
+ --type merge -p "{\"stringData\":{\"${SERVER}\":\"${LINK}\"}}"
+ else
+ kubectl create secret generic telemt-links -n "${NAMESPACE}" \
+ --from-literal="${SERVER}=${LINK}"
+ fi
+ echo "Done"
+ containers:
+ - name: telemt
+ image: ghcr.io/telemt/telemt:latest
+ imagePullPolicy: Always
+ ports:
+ - name: proxy
+ containerPort: 30444
+ protocol: TCP
+ - name: api
+ containerPort: 9091
+ protocol: TCP
+ workingDir: /run/telemt
+ env:
+ - name: RUST_LOG
+ value: info
+ volumeMounts:
+ - name: workdir
+ mountPath: /run/telemt
+ - name: config
+ mountPath: /run/telemt/config.toml
+ subPath: config.toml
+ readOnly: true
+ securityContext:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ volumes:
+ - name: config
+ secret:
+ secretName: telemt-secret
+ items:
+ - key: config.toml
+ path: config.toml
+ - name: workdir
+ emptyDir:
+ medium: Memory
+ sizeLimit: 1Mi
diff --git a/k8s/apps/mtproxy/telemt-external-secrets.yaml b/k8s/apps/mtproxy/telemt-external-secrets.yaml
new file mode 100644
index 0000000..3109d04
--- /dev/null
+++ b/k8s/apps/mtproxy/telemt-external-secrets.yaml
@@ -0,0 +1,57 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: telemt-secret
+spec:
+ target:
+ name: telemt-secret
+ deletionPolicy: Delete
+ template:
+ type: Opaque
+ data:
+ SECRET: |-
+ {{ .secret }}
+ PORT: "30444"
+ config.toml: |
+ [general]
+ use_middle_proxy = true
+ log_level = "normal"
+
+ [general.modes]
+ classic = false
+ secure = false
+ tls = true
+
+ [general.links]
+ show = "*"
+ public_port = 30444
+
+ [server]
+ port = 30444
+
+ [server.api]
+ enabled = true
+ listen = "0.0.0.0:9091"
+ whitelist = ["0.0.0.0/0"]
+
+ [[server.listeners]]
+ ip = "0.0.0.0"
+
+ [censorship]
+ tls_domain = "ya.ru"
+ mask = true
+ tls_emulation = true
+ tls_front_dir = "tlsfront"
+
+ [access.users]
+ user = "{{ .secret }}"
+ data:
+ - secretKey: secret
+ sourceRef:
+ storeRef:
+ name: vaultwarden-login
+ kind: ClusterSecretStore
+ remoteRef:
+ key: 58a37daf-72d8-430d-86bd-6152aa8f888d
+ property: fields[0].value
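Review bot: The `echo "Registering telemt: ${SERVER} -> ${LINK}"` line in the register-proxy init container writes the full proxy link, which embeds `${SECRET}` through `DD_SECRET`, into the container log where anyone with pod log access can read it; log only the node, e.g. `echo "Registering telemt for ${SERVER}"`, and keep the link in the `telemt-links` Secret alone. The script runs under `set -e` only, so if `xxd` fails in the `DOMAIN_HEX` pipeline the succeeding `tr` masks it, `DOMAIN_HEX` ends up empty and a malformed link is stored silently; `set -euo pipefail` plus `[ -n "${DOMAIN_HEX}" ] || { echo "ERROR: xxd unavailable"; exit 1; }` would surface that (whether the kubectl image ships xxd cannot be confirmed from this diff). Both images are pulled by floating tag (`bitnami/kubectl:latest` and `ghcr.io/telemt/telemt:latest` with `imagePullPolicy: Always`), so each node restart may run different code; pinning to a digest would make the rollout reproducible. The init container also carries no `securityContext`, unlike the telemt container, which drops all capabilities and forbids privilege escalation.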
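Review bot: The `[server.api]` section in the templated config.toml enables the API on `listen = "0.0.0.0:9091"` with `whitelist = ["0.0.0.0/0"]`, and the accompanying DaemonSet runs the pod with `hostNetwork: true`, so the management endpoint is bound on every labelled node's own interfaces and accepts any client that can reach the node. If the API is only needed locally, `listen = "127.0.0.1:9091"` with a matching loopback whitelist confines it; if it must be remote, the whitelist should be narrowed to the addresses that actually need it (this assumes the listen/whitelist keys behave as their names suggest, which the diff does not show). A one-line comment above `show = "*"` in `[general.links]` stating what that setting exposes would also help, since this rendered Secret is the only place the telemt configuration lives.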