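# pasarguard-node: per-node xray/pasarguard agent.
#
# Resources (all in the deploying namespace unless noted):
#   ServiceAccount      pasarguard-node
#   Role/RoleBinding    pasarguard-node-configmap  (namespace-scoped API access)
#   ClusterRole/Binding pasarguard-node-reader     (cluster-wide read of nodes)
#   DaemonSet           pasarguard-node            (hostNetwork, one pod per labelled node)
#
# Security-relevant points a reviewer should keep in mind:
#   * The pod runs with hostNetwork: true, so every listening port (62050 API,
#     9550 metrics, whatever xray itself opens) is reachable on the node's
#     own addresses. Network policy does not apply to hostNetwork pods.
#   * The API key is read from a Secret (see API_KEY below) instead of being
#     committed here in clear text.
#   * The Role grants "list" on secrets, which exposes every Secret in the
#     namespace to the ServiceAccount — see the note on that rule.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pasarguard-node
  labels:
    app: pasarguard-node
# The SA token is mounted into every container of the DaemonSet pod; only
# the init-uuid container (kubectl) appears to need it. Presumably the
# start scripts do not call the API — confirm before restricting the mount.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  # NOTE(review): the name says "configmap" but the Role also covers
  # cert-manager Certificates, Secrets, Services and Endpoints.
  name: pasarguard-node-configmap
  labels:
    app: pasarguard-node
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "create", "update", "patch"]
  - apiGroups: ["cert-manager.io"]
    resources: ["certificates"]
    verbs: ["get", "list", "create", "update", "patch", "delete"]
  # NOTE(review): "list" on secrets returns every Secret in the namespace,
  # not just the TLS secret this workload presumably consumes. resourceNames
  # only constrains "get"; once the consumed Secret name is fixed, prefer a
  # "get"-only rule with resourceNames and drop "list".
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list"]
  # NOTE(review): create/update/delete on Services and Endpoints lets this
  # SA redirect in-namespace traffic. Keep the namespace dedicated to this
  # workload.
  - apiGroups: [""]
    resources: ["services", "endpoints"]
    verbs: ["get", "list", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pasarguard-node-configmap
  labels:
    app: pasarguard-node
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pasarguard-node-configmap
subjects:
  # A ServiceAccount subject without a namespace resolves to the
  # RoleBinding's own namespace.
  - kind: ServiceAccount
    name: pasarguard-node
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pasarguard-node-reader
  labels:
    app: pasarguard-node
rules:
  # Read-only on Node objects; presumably used by init-uuid.sh to read the
  # scheduling node's "xray-node-address" label (script not in this file).
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: pasarguard-node-reader
  labels:
    app: pasarguard-node
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: pasarguard-node-reader
subjects:
  # NOTE(review): this is the only place the namespace is hard-coded. The
  # other documents rely on the namespace passed at apply time; deploying
  # them elsewhere leaves this binding pointing at a non-existent SA.
  - kind: ServiceAccount
    name: pasarguard-node
    namespace: pasarguard
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: pasarguard-node
  labels:
    app: pasarguard-node
spec:
  selector:
    matchLabels:
      app: pasarguard-node
  revisionHistoryLimit: 3
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: pasarguard-node
    spec:
      serviceAccountName: pasarguard-node
      # hostNetwork exposes the container ports directly on the node.
      hostNetwork: true
      # With hostNetwork the default "ClusterFirst" policy silently falls
      # back to the node's resolver; this keeps cluster DNS available.
      dnsPolicy: ClusterFirstWithHostNet
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              # Only nodes carrying the xray-node-address label get a pod.
              - matchExpressions:
                  - key: xray-node-address
                    operator: Exists
      initContainers:
        - name: init-uuid
          # NOTE(review): floating "latest" tag — pin to a specific tag or
          # digest so the init step is reproducible and reviewable.
          image: bitnami/kubectl:latest
          env:
            # Re-enables verification of SHA-1-signed certificates in Go's
            # x509 stack (needed only if the cluster CA/serving cert still
            # uses SHA-1). Newer Go toolchains have dropped this knob, so it
            # may become a no-op on a newer kubectl image.
            - name: GODEBUG
              value: "x509sha1=1"
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          command:
            - /bin/bash
            - /scripts/init-uuid.sh
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            # Writes whatever init-uuid.sh produces (presumably /shared/tls.*
            # consumed below) into the shared emptyDir.
            - name: shared-data
              mountPath: /shared
            - name: scripts
              mountPath: /scripts
      containers:
        - name: pasarguard-node
          image: 'pasarguard/node:v0.1.3'
          # NOTE(review): Always + a mutable tag means the running code can
          # change under the same manifest; pin by digest for integrity.
          imagePullPolicy: Always
          command:
            - /bin/sh
            - /scripts/pasarguard-start.sh
          ports:
            # Node-wide reachable because of hostNetwork.
            - name: api
              containerPort: 62050
              protocol: TCP
          env:
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: NODE_HOST
              value: "0.0.0.0"
            - name: SERVICE_PORT
              value: "62050"
            - name: SERVICE_PROTOCOL
              value: "grpc"
            # NOTE(review): debug output is enabled; set to "false" for
            # production unless the extra logging is deliberately wanted.
            - name: DEBUG
              value: "true"
            - name: SSL_CERT_FILE
              value: "/shared/tls.crt"
            - name: SSL_KEY_FILE
              value: "/shared/tls.key"
            - name: XRAY_EXECUTABLE_PATH
              value: "/usr/local/bin/xray"
            - name: XRAY_ASSETS_PATH
              value: "/usr/local/share/xray"
            # The API key authenticates callers of the node API and must not
            # be committed in clear text. Create the Secret out of band, e.g.
            #   kubectl -n <ns> create secret generic pasarguard-node-api-key \
            #     --from-literal=api-key="$(uuidgen)"
            - name: API_KEY
              valueFrom:
                secretKeyRef:
                  name: pasarguard-node-api-key
                  key: api-key
          livenessProbe:
            tcpSocket:
              port: 62050
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 3
          readinessProbe:
            tcpSocket:
              port: 62050
            initialDelaySeconds: 10
            periodSeconds: 5
            timeoutSeconds: 3
            failureThreshold: 3
          resources:
            requests:
              memory: "128Mi"
              cpu: "100m"
            limits:
              memory: "512Mi"
              cpu: "750m"
          securityContext:
            allowPrivilegeEscalation: false
            # Capabilities are left as the image defaults: with hostNetwork
            # xray may bind privileged ports — confirm before dropping ALL.
          volumeMounts:
            - name: shared-data
              mountPath: /shared
              readOnly: false
            - name: scripts
              mountPath: /scripts
        - name: xray-exporter
          # NOTE(review): track a currently maintained Alpine release and
          # pin by digest.
          image: alpine:3.18
          imagePullPolicy: IfNotPresent
          command:
            - /bin/sh
            - /scripts/exporter-start.sh
          ports:
            # Unauthenticated metrics endpoint, node-wide reachable via
            # hostNetwork.
            - name: metrics
              containerPort: 9550
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /scrape
              port: metrics
            initialDelaySeconds: 60
            periodSeconds: 30
            timeoutSeconds: 10
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /scrape
              port: metrics
            initialDelaySeconds: 45
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 3
          resources:
            requests:
              memory: "64Mi"
              cpu: "50m"
            limits:
              memory: "128Mi"
              cpu: "150m"
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            # Read-only: the exporter only consumes what init/node wrote.
            - name: shared-data
              mountPath: /shared
              readOnly: true
            - name: scripts
              mountPath: /scripts
      volumes:
        # Scratch area shared by all containers; the TLS key referenced by
        # SSL_KEY_FILE lives here for the pod's lifetime.
        - name: shared-data
          emptyDir: {}
        - name: scripts
          configMap:
            name: pasarguard-scripts
            # Scripts are executed by path from the command: lines above.
            defaultMode: 0755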