ab/homelab
1
0
Fork 1
Code Pull Requests Actions Packages Wiki Activity

Reworked pasarguard nodes daemonset.
All checks were successful
Update Kubernetes Services Wiki / Generate and Update K8s Wiki (push) Successful in 14s
Details
Check with kubeconform / lint (push) Successful in 1m29s
Details
Auto-update README / Generate README and Create MR (push) Successful in 6s
Details

Browse Source
This commit is contained in:
Ultradesu
2025-12-08 17:31:51 +02:00
parent fc1bc1a65e
commit b2a77a6572
3 changed files with 502 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

225
k8s/apps/pasarguard/daemonset-ingress.yaml Normal file
View File

@@ -0,0 +1,225 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: pasarguard-node-ingress
labels:
app: pasarguard-node-ingress
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: pasarguard-node-ingress-configmap
labels:
app: pasarguard-node-ingress
rules:
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "list", "create", "update", "patch"]
- apiGroups: ["cert-manager.io"]
resources: ["certificates"]
verbs: ["get", "list", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["services", "endpoints"]
verbs: ["get", "list", "create", "update", "patch", "delete"]
- apiGroups: ["traefik.io", "traefik.containo.us"]
resources: ["ingressroutetcps"]
verbs: ["get", "list", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: pasarguard-node-ingress-configmap
labels:
app: pasarguard-node-ingress
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: pasarguard-node-ingress-configmap
subjects:
- kind: ServiceAccount
name: pasarguard-node-ingress
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: pasarguard-node-ingress-reader
labels:
app: pasarguard-node-ingress
rules:
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: pasarguard-node-ingress-reader
labels:
app: pasarguard-node-ingress
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: pasarguard-node-ingress-reader
subjects:
- kind: ServiceAccount
name: pasarguard-node-ingress
namespace: pasarguard
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: pasarguard-node-ingress
labels:
app: pasarguard-node-ingress
spec:
selector:
matchLabels:
app: pasarguard-node-ingress
revisionHistoryLimit: 3
updateStrategy:
type: RollingUpdate
template:
metadata:
labels:
app: pasarguard-node-ingress
spec:
serviceAccountName: pasarguard-node-ingress
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: xray-node-address
operator: Exists
initContainers:
- name: init-uuid
image: bitnami/kubectl:latest
env:
- name: GODEBUG
value: "x509sha1=1"
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
command:
- /bin/bash
- /scripts/init-uuid-ingress.sh
volumeMounts:
- name: shared-data
mountPath: /shared
- name: scripts
mountPath: /scripts
containers:
- name: xray-exporter
image: alpine:3.18
imagePullPolicy: IfNotPresent
command:
- /bin/sh
- /scripts/exporter-start.sh
ports:
- name: metrics
containerPort: 9550
protocol: TCP
livenessProbe:
httpGet:
path: /scrape
port: metrics
initialDelaySeconds: 60
periodSeconds: 30
timeoutSeconds: 10
failureThreshold: 3
readinessProbe:
httpGet:
path: /scrape
port: metrics
initialDelaySeconds: 45
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
resources:
requests:
memory: "64Mi"
cpu: "50m"
limits:
memory: "128Mi"
cpu: "150m"
volumeMounts:
- name: shared-data
mountPath: /shared
readOnly: true
- name: scripts
mountPath: /scripts
- name: pasarguard-node
image: 'pasarguard/node:v0.1.3'
imagePullPolicy: Always
command:
- /bin/sh
- /scripts/pasarguard-start.sh
ports:
- name: api
containerPort: 62050
protocol: TCP
- name: proxy
containerPort: 443
protocol: TCP
env:
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: NODE_HOST
value: "0.0.0.0"
- name: SERVICE_PORT
value: "62050"
- name: SERVICE_PROTOCOL
value: "grpc"
- name: DEBUG
value: "true"
- name: SSL_CERT_FILE
value: "/shared/tls.crt"
- name: SSL_KEY_FILE
value: "/shared/tls.key"
- name: XRAY_EXECUTABLE_PATH
value: "/usr/local/bin/xray"
- name: XRAY_ASSETS_PATH
value: "/usr/local/share/xray"
- name: API_KEY
value: "change-this-to-a-secure-uuid"
livenessProbe:
tcpSocket:
port: 62050
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
readinessProbe:
tcpSocket:
port: 62050
initialDelaySeconds: 10
periodSeconds: 5
timeoutSeconds: 3
failureThreshold: 3
resources:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "512Mi"
cpu: "750m"
volumeMounts:
- name: shared-data
mountPath: /shared
readOnly: false
- name: scripts
mountPath: /scripts
volumes:
- name: shared-data
emptyDir: {}
- name: scripts
configMap:
name: pasarguard-scripts-ingress
defaultMode: 0755