Open MicahBird opened 11 months ago
I would love to see this merged in! I followed these instructions and was able to easily setup gluetun on k8s.
Hey, do you mind sharing how you configured the other containers to use the sidecar?
Sure! Here's a Deployment where I put an application and gluetun onto the same Pod: https://github.com/shepherdjerred/servers/blob/main/cdk8s/dist/turing.k8s.yaml#L1862-L1967
With cdk8s: https://github.com/shepherdjerred/servers/blob/main/cdk8s/src/services/torrents/qbittorrent.ts#L39-L86
Thanks for getting back to me so quickly. The solution worked for me too. However, I'm thinking that with this setup, I won't be able to share the gluetun container with networks that aren't in the same pod, right? I'm planning to check if there's a good way to deploy gluetun separately and then set up other pods to use it as an egress network using labels.
I'm not super experienced with Kubernetes, but that sounds correct. You could deploy one gluetun sidecar container per pod that needs the VPN, but maybe there's a better way.
@S0PEX @shepherdjerred I'm currently researching what you guys are looking for. As far as I understand it, it should be possible to run gluetun separately. I'm currently trying to figure it out for a Nomad deployment. For both Nomad and Kubernetes it should be the same, because in order to run it separately it must be using a CNI macvlan network, as I understand it now. I don't have it working yet, but at least I have figured out that people are using the CNI macvlan driver for this and are creating a separate network for their VPN. Hope this helps. Because both Nomad and Kubernetes can use CNI plugins, it should work for both.
Here is the clue I'm working with: a lot of home labbers are using the macvlan CNI to create a special VPN network in their clusters, both for Kubernetes and Nomad, and use it to redirect their traffic through Tailscale. I'm currently thinking the same principle should work for gluetun. If you check blogs and repositories on GitHub, you see people are using the macvlan CNI driver to create a special cluster-wide network to route all traffic through the Tailscale VPN.
Hope this helps, please ping me if you figure it out. I will do the same.
@gjrtimmer Thanks for the hint, I'll check out macvlan and see if I can get it working.
I was able to access the UI using kubectl port-forward, but a LoadBalancer service never worked for me, and I know it's not user error on my part, as I was able to access the other container's UI just fine when I got rid of gluetun.
Here's the manifest I applied. If anyone sees why this won't work through the LoadBalancer, I'd love to hear it. I hate giving up, but screw it, it works with port forwarding.
Thank you, this was really helpful. I was able to use Gluetun with browserless/chromium, which another container connects to with Puppeteer to run some routines.
Thanks for this pull, this helped me get everything together and working, albeit slightly differently.
For anyone stumbling upon this to integrate with applications like qbittorrent: I have created a Helm chart that creates an init-container-based sidecar out of gluetun, to enable binding to the tunnel interface in the same pod.
https://gitlab.com/GeorgeRaven/raven-helm-charts/-/tree/main/charts/qbittorrent?ref_type=heads
or using the GitLab package registry:

```
helm repo add raven https://gitlab.com/api/v4/projects/55284972/packages/helm/stable
```
The optional init container boils down to this: https://gitlab.com/GeorgeRaven/raven-helm-charts/-/blob/main/charts/qbittorrent/values.yaml?ref_type=heads#L28-L61
```yaml
initContainers:
  # optional gluetun VPN client sidecar
  # https://github.com/qdm12/gluetun
  # https://github.com/qdm12/gluetun-wiki/pull/7
  - name: gluetun # init sidecar for VPN connection
    image: "ghcr.io/qdm12/gluetun:latest" # <- you probably want this to be a set version
    restartPolicy: Always # makes this init into a sidecar container k8s 1.29
    imagePullPolicy: Always
    ports:
      - name: http-proxy
        containerPort: 8888
        protocol: TCP
      - name: tcp-shadowsocks
        containerPort: 8388
        protocol: TCP
      - name: udp-shadowsocks
        containerPort: 8388
        protocol: UDP
    envFrom:
      - secretRef:
          name: gluetun
          optional: false
    env:
      - name: TZ
        value: "Europe/London"
      - name: FIREWALL_DEBUG
        value: "on"
      - name: FIREWALL_INPUT_PORTS
        value: "8080" # <- the port for qbittorrent container otherwise blocked by gluetun firewall in same pod
    securityContext:
      capabilities:
        add:
          - NET_ADMIN
```
This will specifically enable a firewall rule to forward normal web traffic to the qbittorrent server in the standard ingress > svc > pod manner of k8s; otherwise the firewall blocks the normal traffic, like you trying to access qbittorrent (and it fails liveness probes etc.). This also uses envFrom, which allows one secret to populate lots of environment variables, which is useful if you encrypt your secrets with something like Bitnami sealed-secrets, as I do.
Hope this helps the next person looking to do this.
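To show the sidecar pattern from the comment above as one complete, applyable unit rather than a values.yaml fragment, here is an added example (not from the PR, the Helm chart, or the gluetun project): a Deployment running gluetun as a native sidecar next to a generic HTTP app container, plus a Service in front of it. The Secret named `gluetun` (holding the provider settings and credentials gluetun reads from its environment), the placeholder app image, and port 8080 are assumptions; the point it demonstrates is that `FIREWALL_INPUT_PORTS` must list the app's port or probe and Service traffic into the pod is dropped by gluetun's firewall.

```yaml
# Added example, not part of the PR or the gluetun project.
# Requires Kubernetes 1.29+ for native sidecars (init container with restartPolicy: Always).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: vpn-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: vpn-app
  template:
    metadata:
      labels:
        app: vpn-app
    spec:
      initContainers:
        - name: gluetun
          image: "ghcr.io/qdm12/gluetun:latest"   # pin a release tag in practice
          restartPolicy: Always                   # init container becomes a sidecar
          envFrom:
            - secretRef:
                name: gluetun   # assumed Secret: VPN provider, credentials, etc.
                optional: false
          env:
            - name: TZ
              value: "Etc/UTC"
            - name: FIREWALL_INPUT_PORTS
              value: "8080"     # must match the app container's port below
          securityContext:
            capabilities:
              add:
                - NET_ADMIN     # needed to bring up the tunnel and set firewall rules
      containers:
        - name: app
          image: "example.invalid/http-app:1.0"  # placeholder: any HTTP app on 8080
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
          # Probe traffic arrives on the pod IP; with 8080 absent from
          # FIREWALL_INPUT_PORTS gluetun's firewall drops it and the pod never becomes Ready.
          readinessProbe:
            httpGet:
              path: /
              port: http
            initialDelaySeconds: 15
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /
              port: http
            initialDelaySeconds: 30
            periodSeconds: 20
---
apiVersion: v1
kind: Service
metadata:
  name: vpn-app
spec:
  selector:
    app: vpn-app
  ports:
    - name: http
      port: 80
      targetPort: http
      protocol: TCP
```

Because both containers share the pod's network namespace, the app's outbound traffic leaves through the tunnel gluetun establishes, while only the ports listed in `FIREWALL_INPUT_PORTS` are reachable from inside the cluster; keeping that list to the app's own port is what limits what the Service (and any ingress in front of it) can reach.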
I love this project and hope this documentation helps! Please let me know if anything needs to be tweaked/adjusted :)