feat(sabnzbd): run gluetun as sidecar

kubernetes/apps/default/sabnzbd/app/helmrelease.yaml

@@ -61,7 +61,7 @@ spec:
                   timeoutSeconds: 1
                   failureThreshold: 3
               readiness: *probes
-            securityContext:
+            securityContext: &securityContext
               allowPrivilegeEscalation: false
               readOnlyRootFilesystem: true
               capabilities: { drop: ["ALL"] }
@@ -72,6 +72,58 @@ spec:
               limits:
                 cpu: 4
                 memory: 50Gi
+        initContainers:
+          gluetun:
+            image:
+              repository: ghcr.io/qdm12/gluetun
+              tag: v3.39.0@sha256:2f011a9aca767af62008d879eefcbc80a8645bd4fd4466ab312cc941cb658ad1
+            env:
+              BLOCK_MALICIOUS: "off"  # save 300MB of RAM; https://github.com/qdm12/gluetun/issues/2054
+              DOT_IPV6: "on"
+              FIREWALL_DEBUG: on
+              FIREWALL_INPUT_PORTS: "80,9999"
+              HEALTH_SERVER_ADDRESS: ":9999"
+              HEALTH_VPN_DURATION_INITIAL: 60s
+              LOG_LEVEL: debug
+              VPN_INTERFACE: wg0
+              VPN_TYPE: wireguard
+              TZ: America/Los_Angeles
+            envFrom:
+              - secretRef:
+                  name: sabnzbd-gluetun-secret
+            probes:
+              liveness:
+                enabled: true
+                custom: true
+                spec:
+                  httpGet:
+                    path: /
+                    port: 9999
+                  initialDelaySeconds: 0
+                  periodSeconds: 10
+                  failureThreshold: 3
+              startup:
+                enabled: true
+                custom: true
+                spec:
+                  httpGet:
+                    path: /
+                    port: 9999
+                  initialDelaySeconds: 10
+                  periodSeconds: 10
+                  failureThreshold: 5
+            resources:
+              requests:
+                memory: 48Mi
+              limits:
+                memory: 96Mi
+            restartPolicy: Always
+            securityContext:
+              <<: *securityContext
+              readOnlyRootFilesystem: false
+              runAsNonRoot: false
+              runAsUser: 0
+              capabilities: { add: ["NET_ADMIN"] }
         pod:
           labels:
             stealth-gateway: "true"
@@ -108,6 +160,14 @@ spec:
     persistence:
       config:
         existingClaim: sabnzbd
+      empty:
+        type: emptyDir
+        sizeLimit: 20Mi
+        globalMounts:
+          - path: /gluetun
+            subPath: gluetun
+          - path: /tmp
+            subPath: tmp
       media:
         type: nfs
         server: kaidame.flat
@@ -119,5 +179,10 @@ spec:
         type: emptyDir
         globalMounts:
           - path: /config/logs
-      tmp:
+      run:
         type: emptyDir
+        medium: Memory
+        sizeLimit: 10Mi
+        globalMounts:
+          - path: /run
+          - path: /var/run

kubernetes/apps/default/sabnzbd/app/kustomization.yaml

@@ -5,6 +5,7 @@ kind: Kustomization
 resources:
   - ./externalsecret.yaml
   - ./helmrelease.yaml
-  - ./networkpolicy.yaml
+  - ./networkpolicy.sops.yaml
+  - ./secret.sops.yaml
   - ../../../../templates/gatus/guarded
   - ../../../../templates/volsync

kubernetes/apps/default/sabnzbd/app/networkpolicy.sops.yaml

@@ -0,0 +1,46 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: sabnzbd-allow-gluetun
+  annotations:
+    future-me-why: allow ingress and egress to gluetun endpoints; also puts pod in deny-by-default mode for egress
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: sabnzbd
+  egress:
+    - toCIDR:
+        - ENC[AES256_GCM,data:mNT5z8Y3xn/7/jR5QxZtzw==,iv:wzNXRlt1epGSxlXJYUFhjhVglqXiDFLCEpl5byu8bAM=,tag:kIvGjcyyGpvrSRQlW+GPxA==,type:str]
+        - ENC[AES256_GCM,data:U6hf+lZE4/t8vtaK0O0ZLw==,iv:bqmORY2mWxGr9GDwsDTaw7eKTx4YJPmVHEZfuGWs+SQ=,tag:ej5CbkEj1+8r5nemp8lWNg==,type:str]
+        - ENC[AES256_GCM,data:1mq8eRXb/OxcbalLu55d7Jga,iv:PYsxTu140h1dN+D8x6thkW3HCfoNMe0+tzdFuB9EHfo=,tag:5JaXUTvTej5NKvMKgB5qUw==,type:str]
+        - ENC[AES256_GCM,data:amSC52gm3vbBWGqSlWtJF0p2tftSU3aRjTHKxGo1rNzMevgnqQ3q5Cs=,iv:w+UnCBLuZYCC5UAAuHscCpl5KIB9FTDDK+0FjGaauQQ=,tag:2QxF7NFOz3JVcN8NHTuL7Q==,type:str]
+        - ENC[AES256_GCM,data:DCxTc0I4Q5iufNtLw4HGSU/53gWkqnhAGTIZapgDjxLZOXMTXoU=,iv:xjjGzGubdluqvkWMgCu+iPZnVPTZwc3/R018fTidYcA=,tag:oktvHzFR06EYWQZOo4m11A==,type:str]
+        - ENC[AES256_GCM,data:OEvllsPoeuf993p8f8Vy9TtQYmTgfYAI24D5JmKRNfI8XT+FPZg=,iv:J70BhAUVkvUVYCzNVfutVb4VqKJB0o8oDCYr3oEGpWI=,tag:UmfIFBemDmhiCUBtn/zQHg==,type:str]
+  ingress:
+    - fromCIDR:
+        - ENC[AES256_GCM,data:Kg7ijWY9UqkiaSaxX2PFZw==,iv:359xnjjwZ3LF7IRRikFnlTTGQ3gib76j2pNkfmu1tDw=,tag:uqtE4ce7fg6ye9gc9uFzrA==,type:str]
+        - ENC[AES256_GCM,data:aCwlwwTe5CbLGIW0/vXQ/w==,iv:w754jDfiQjVX+TUPZFPXelZ6J4CqIth8PR6fRz/z53g=,tag:Xj8XCkjc7H6NiIMkjL+D5A==,type:str]
+        - ENC[AES256_GCM,data:9aOU2DDj0msdTXUdQpBPf8Rh,iv:62/j5DLwms1Beq+fxZ8VJuXs45D8XVkJ+8h4A/V444I=,tag:hDtIoOqho5Ht0FLGr72Fwg==,type:str]
+        - ENC[AES256_GCM,data:Oqp9pdPslT5tf6MrRWVofCmARQjQMSy3ZGs/u3juU+DBKQjhXoGO6IU=,iv:sKUIAghUZJ9E8KSVetYN5widrQmX8bOy1iGrgIA5vkU=,tag:7kZ7KzKjZbINAV6F8qXZ1w==,type:str]
+        - ENC[AES256_GCM,data:tJ4rsaw55a3KRd0E0NYMiHMBdE0ayf0xoUS8q177tlFp7VIFd+Q=,iv:RFY1WLLHQb5XLgI6+BSU6HKIMxsQzVnHm9EZmIk7jMU=,tag:FuLZzWAJUyyRS1lmDZdqeg==,type:str]
+        - ENC[AES256_GCM,data:4jF0dxldQtZK3BSnzC28r3L84EzE9gWzW3cRQBPaJ2EUVzsmyFQ=,iv:BRixMhRZRiIguSJmjC0n2pZXf3xMP/pOG2hud2ZRiqY=,tag:DPPJgU0mPMBEHshaqod51Q==,type:str]
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age1u006cywqm39pr9zgh2hn0svnry5gs2ayhrtxucz77qc7j88kmqzqxtxz0t
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByWWE2VDVVN0FDRnN6WTRq
+        WlkrMmxuTUI5Y0lQNkRSQUJ6VDlvR0ZPMERFCkhyLzFOQXE1OFBUNVBHN296S0U0
+        Nm93dlNOWDg2Yk5qUHljN1FNdVZOdlkKLS0tIDlYNENJZURSbDYxSlZFWDNBaVBE
+        YXJ0N2FYU1BRREt3WUJ2Qm9jTEtTcEEKdDfqzQpKbtl9eiDgL4TFUvaCFklhfy3s
+        twR7fq2hW1E1uXWFxLQiuZz7Ut/8U+A4yTKsWSbTaI2JWg7gShU1CA==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2024-08-15T16:00:57Z"
+  mac: ENC[AES256_GCM,data:EFc1B2yZxVgqfy08G9gJ+RxQdU9NbNpO31V3bwOMrjV1ykJJCTTKJel1EM8GNFCnDfg5jw+d8Nz9GeAKUqFcWkLHIDaL90BoT+EvFE7378HwJKDqQl9Q3wnnz5S29tHxNx85ZZ/0AKVrjCEQyHSqppGU05ErKZzoNtgnMfDVNdQ=,iv:g26tViBC+Z9cItN/KOCgC535IR0zYKMMGcBBQSw3RmU=,tag:JLeL7sTa8H758c6c7DmFmw==,type:str]
+  pgp: []
+  encrypted_regex: ^(egress|ingress)$
+  version: 3.9.0

kubernetes/apps/default/sabnzbd/app/secret.sops.yaml

@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: sabnzbd-gluetun-secret
+type: Opaque
+stringData:
+  SERVER_CITIES: ENC[AES256_GCM,data:23y/J81FMEK8pB8=,iv:bE9J8X4TpAz8Va3v6PuXF7D6QJO+4bmWZUNOn3Qf51M=,tag:qOKym05kNejgv+Qd/nEKDQ==,type:str]
+  SERVER_COUNTRIES: ENC[AES256_GCM,data:Spb9yCEOTYPA9oeuzQ==,iv:LAz5w9smVQJTjPGuZIx3bSt1YGkvg1ABubp2EGbeRsQ=,tag:ARxkFHY5DyGSwHPknyM04Q==,type:str]
+  VPN_SERVICE_PROVIDER: ENC[AES256_GCM,data:BBxwxXEq,iv:cSe3ANBS6q4qZLNZdra/PV1BCTNNl/OoJjUZRMZxbsA=,tag:2mNfU3rmMPOfNHMtIchVSg==,type:str]
+  WIREGUARD_ADDRESSES: ENC[AES256_GCM,data:WJ4T1a4/9r74PEkc5M4WRzAg30UcMIx2eXzo7V4gz4K/XV8u4X/IBX6nMAdrCD8fnIAK9ZhVh083zzw=,iv:zhzNhaw1qNQ5qfEtk/pHlWWugSTEB3ag/1yhHuAOHWs=,tag:6buTTE6zP4omtDNF7zaiaA==,type:str]
+  WIREGUARD_DNS: ENC[AES256_GCM,data:Xz+WI/+T90ICoQ==,iv:2qnA70tcOmdC3NeaXoaGjQoGFRL7ZJJ6c+/E+3wMc8Q=,tag:kFaX2XX5Jao03kVtQ2SMjg==,type:str]
+  WIREGUARD_MTU: ENC[AES256_GCM,data:19spCA==,iv:xt09ktwkd+JoNDQLU7CqQ6OdA8Q+hQlgkgCqF1Mu2JM=,tag:yJ0mEKNTm9oRSqoP3+cMHA==,type:str]
+  WIREGUARD_PERSISTENT_KEEPALIVE_INTERVAL: ENC[AES256_GCM,data:b2Po,iv:ZcCq0EfM8Dt97iarKr3iPPO4CWLbgAoxQz9w2z1WqWU=,tag:QNSANNuIpKTQ5X0SUIltZg==,type:str]
+  WIREGUARD_PRESHARED_KEY: ENC[AES256_GCM,data:JpVtEnkLimIVRi4VjDLQdjiWA1X7JvOmn7lYgqUcTvtYerct70qPUjStcEo=,iv:AFPjQ7/IDNVB742t7eJi1S9/TnYZu//pHAIrNE3huaU=,tag:t+MteOo1wXXb5lYSV+xXSg==,type:str]
+  WIREGUARD_PRIVATE_KEY: ENC[AES256_GCM,data:hJAlIoxsjv7+9PaVzBxhlB/F+8CqlfseQuoApfGq6tvuIx2kUv3rutzn3Cw=,iv:0wOpV3cLzpcd75UsnoMwvTvP2nDPw9k6IX9N7N8PUtM=,tag:z5F8nLnWgZn6cTx3lWLvoQ==,type:str]
+  WIREGUARD_PUBLIC_KEY: ENC[AES256_GCM,data:d8Gf3x5iKmskaUoljbEdOyVA1RkNDPnmMArexp/Ia+4yntPpv3TfJy2TnMI=,iv:pbSyRSPm8jeubPkMhT1mxkAlFQL48uRSGT4EhHK0gwc=,tag:ji/bNE4O/DaZxxmCBpInhg==,type:str]
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age1u006cywqm39pr9zgh2hn0svnry5gs2ayhrtxucz77qc7j88kmqzqxtxz0t
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoOUhUN09lTXA3YVloeEUx
+        WDJZcmxpVEpwU1J2WCtpSE52b2FvQ2VlRVN3CmpjV3p5M05EWlJTejMzelY4UU5j
+        eUxUa21DQXZhYjQvWE91ejNQcExFUFUKLS0tIGZOaGJzOC92M1o2N0x6Q1V0b28r
+        TnVKeHpQN1phYTE4WDlpa0s0S2FDZzAKPAamVca3n38HSE1cOvgFFIr9fhZY21Gm
+        PPeOc9udI87OVhsYiPMeoJn8A8vwRwp92mzubQcNnkiFohuWEg/VYA==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2024-08-15T16:00:57Z"
+  mac: ENC[AES256_GCM,data:9EvzL4NQmAcbDUXdRuwuGrJ9cQo4/WT0DiT/3ptAoY6gM9T8YP5WHIFAcG2f3BGh55iRpfLYyrETulgr4J0ZyVAtc2ygczSCmVRRkJ8+165iKQ3InQOCY2fvlT29EJSt7TLPozuxvppDE18Xkjt/ZzODJbubyjKXsG7YFvvIYTY=,iv:OXaY/1SPV412e3FlZWpZddUZIRlBta9IxHOD0/tE30k=,tag:JgETvdDyFw3/P7QvtDG7QQ==,type:str]
+  pgp: []
+  encrypted_regex: ^(data|stringData|password)$
+  version: 3.9.0

kubernetes/apps/default/sabnzbd/ks.yaml

@@ -12,7 +12,6 @@ spec:
       app.kubernetes.io/name: *app
   dependsOn:
     - name: external-secrets-stores
-    - name: stealth-gateway
     - name: volsync
   path: ./kubernetes/apps/default/sabnzbd/app
   prune: true