From 1fa606747da3e31e11dade244bc4604739eab694 Mon Sep 17 00:00:00 2001
From: Mac Chaffee
Date: Mon, 11 Nov 2024 21:34:12 -0500
Subject: [PATCH] Add example of running tunmgr in Kubernetes
---
 README.md | 2 +
 examples/example-docker-compose.yaml | 27 ++++++++++
 examples/kubernetes/README.md | 35 +++++++++++++
 examples/kubernetes/kustomization.yaml | 6 +++
 examples/kubernetes/resources.yaml | 72 ++++++++++++++++++++++++++
 5 files changed, 142 insertions(+)
 create mode 100644 examples/example-docker-compose.yaml
 create mode 100644 examples/kubernetes/README.md
 create mode 100644 examples/kubernetes/kustomization.yaml
 create mode 100644 examples/kubernetes/resources.yaml
diff --git a/README.md b/README.md
index 2560f33..0f4c12f 100644
--- a/README.md
+++ b/README.md
@@ -77,3 +77,5 @@ Auto tunnels will be established for:
 1. [https://antonio-ce37a3511391.tuns.sh](https://tuns.sh)
 2. [https://antonio-httpbin.tuns.sh](https://tuns.sh)
 3. [https://antonio-tunmgr-httpbin-1.tuns.sh](https://tuns.sh)
+
+See also the `examples` folder of this repo.
diff --git a/examples/example-docker-compose.yaml b/examples/example-docker-compose.yaml
new file mode 100644
index 0000000..00696fc
--- /dev/null
+++ b/examples/example-docker-compose.yaml
@@ -0,0 +1,27 @@
+services:
+ tunmgr:
+ image: ghcr.io/picosh/tunmgr:latest
+ restart: always
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ - $HOME/.ssh/id_ed25519_pico_antonio:/key:ro
+ # ports: # Ports map for local tunnels like below
+ # - 8000:8000
+ # command: | # Provide other commands below
+ # -only-labels=true
+ # -local-tunnel=0.0.0.0:8000:antonio-httpbin:8000
+ healthcheck:
+ test: ["CMD", "curl", "-f", "http://localhost:8080/health"]
+ interval: 2s
+ timeout: 5s
+ retries: 5
+ start_period: 1s
+ httpbin:
+ image: kennethreitz/httpbin
+ depends_on:
+ tunmgr:
+ condition: service_healthy
+ # labels: # or provide tunnel names and ports explicitly
+ # tunmgr.names: httpbin # Comma separated list of names. Can be an empty. If empty, allows for tcp forward (or random name).
+ # tunmgr.ports: 8000:80,80:80 # Comma separated list of port maps. (remote:local). First is alias, second is http.
+ command: gunicorn -b 0.0.0.0:80 httpbin:app -k gevent --access-logfile -
diff --git a/examples/kubernetes/README.md b/examples/kubernetes/README.md
new file mode 100644
index 0000000..8bcf2c6
--- /dev/null
+++ b/examples/kubernetes/README.md
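Review bot: The `/var/run/docker.sock:/var/run/docker.sock:ro` mount on the tunmgr service hands the container full control of the Docker daemon, which is equivalent to root on the host; the `:ro` flag only makes the bind mount read-only and does not restrict which Docker API calls can be sent over the socket. The Kubernetes example in this same patch runs tunmgr with `-docker-events=false` and explicit `-tunnel=` args and no socket at all, so the socket appears to be needed only for the label/event auto-discovery feature, and readers who only want static tunnels should be told they can drop it. A comment above the volume would make that explicit: `# Full Docker API access (":ro" does not limit API calls) — only needed for container auto-discovery; remove it and pass -docker-events=false if you only use explicit -tunnel= args, or front it with an allow-listing socket proxy.` Separately, `image: ghcr.io/picosh/tunmgr:latest` is unpinned for a container that holds the tunnel deploy key; pinning a release tag or digest is safer.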
@@ -0,0 +1,35 @@
+# tunmgr with Kustomize
+
+Here's an example of installing tunmgr using Kustomize with your own overrides. We recommend proxying all traffic through an [Ingress Controller](https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/) or a [Gateway](https://kubernetes.io/docs/concepts/services-networking/gateway/) for maximum flexibility.
+
+Create a `kustomization.yaml` file like the following:
+
+```yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+# We recommend pinning a specific commit SHA instead of main
+- https://github.com/picosh/tunmgr//examples/kubernetes?ref=main
+# Bring your own secret
+- secret.yaml
+namespace: tunmgr
+patches:
+- patch: |-
+ - op: add
+ path: /spec/template/spec/containers/0/args/-
+ value: -tunnel=mysite.example.com:80:traefik.traefik.svc.cluster.local:80
+```
+
+Also create a `secret.yaml` file:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+ name: ssh-key
+type: Opaque
+stringData:
+ id_ed25519: PUT_YOUR_PRIVATE_KEY_HERE
+```
+
+Then you can install it with `kubectl apply -k .`
diff --git a/examples/kubernetes/kustomization.yaml b/examples/kubernetes/kustomization.yaml
new file mode 100644
index 0000000..630cb08
--- /dev/null
+++ b/examples/kubernetes/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- resources.yaml
+
+namespace: tunmgr
diff --git a/examples/kubernetes/resources.yaml b/examples/kubernetes/resources.yaml
new file mode 100644
index 0000000..5d2d285
--- /dev/null
+++ b/examples/kubernetes/resources.yaml
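Review bot: `namespace: tunmgr` in kustomization.yaml places the Deployment (and, via the README's overlay, the user's Secret) into a namespace that nothing in this example creates, so the documented `kubectl apply -k .` will fail with a namespace-not-found error unless the user has already created it, which the README does not mention. Either add a Namespace object to resources.yaml, e.g. `apiVersion: v1` / `kind: Namespace` / `metadata: {name: tunmgr}` as a separate `---` document, or document `kubectl create namespace tunmgr` as a prerequisite. Shipping the Namespace in resources.yaml is the more self-contained option, since the `namespace:` transformer then keeps the Deployment and the user-supplied Secret together in it.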
@@ -0,0 +1,72 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: tunmgr
+ labels:
+ app.kubernetes.io/name: tunmgr
+spec:
+ revisionHistoryLimit: 3
+ replicas: 1
+ strategy:
+ # tuns.sh doesn't enable load balancing https://docs.ssi.sh/advanced#load-balancing
+ type: Recreate
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: tunmgr
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: tunmgr
+ spec:
+ automountServiceAccountToken: false
+ enableServiceLinks: false
+ securityContext:
+ fsGroup: 1000
+ containers:
+ - name: tunmgr
+ image: ghcr.io/picosh/tunmgr:latest
+ imagePullPolicy: Always
+ args:
+ - -docker-events=false
+ - -remote-key-location=/key/id_ed25519
+ # Add your own args
+ volumeMounts:
+ - name: ssh-key
+ mountPath: /key
+ readOnly: true
+ ports:
+ - name: http
+ containerPort: 8080
+ protocol: TCP
+ # Tunmgr binds to localhost so this probe won't work
+ # readinessProbe:
+ # httpGet:
+ # path: /health
+ # port: http
+ # initialDelaySeconds: 1
+ # failureThreshold: 3
+ # timeoutSeconds: 1
+ # periodSeconds: 10
+ resources:
+ requests:
+ cpu: 50m
+ memory: 50Mi
+ limits:
+ memory: 200Mi
+ ephemeral-storage: 100Mi
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ seccompProfile:
+ type: RuntimeDefault
+ volumes:
+ - name: ssh-key
+ secret:
+ secretName: ssh-key
+ defaultMode: 0400
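Review bot: `image: ghcr.io/picosh/tunmgr:latest` together with `imagePullPolicy: Always` means every pod restart may silently run a different build of tunmgr, which is at odds with the README's own advice in this patch to pin the kustomize ref to a commit SHA. This container is handed the SSH private key for the remote tunnel host and is given reach into cluster services (the README patches in a tunnel to `traefik.traefik.svc.cluster.local`), so a tampered or regressed `latest` image would inherit both. Pin to a release tag or, better, an image digest (`image: ghcr.io/picosh/tunmgr@sha256:<digest>`) and drop `imagePullPolicy: Always`, or at minimum replace `# Add your own args` with a comment telling users to pin the image before production use. The rest of the pod hardening (all capabilities dropped, non-root, read-only root filesystem, RuntimeDefault seccomp, no service-account token) is well done; an optional further step is an egress NetworkPolicy restricting the pod to its tunnel targets and the remote SSH endpoint, since tunmgr has no reason to reach anything else in the cluster.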