-
Notifications
You must be signed in to change notification settings - Fork 2
/
vpn.beebs.dev_maskprovider_crd.yaml
152 lines (151 loc) · 9.03 KB
/
vpn.beebs.dev_maskprovider_crd.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: maskproviders.vpn.beebs.dev
spec:
group: vpn.beebs.dev
names:
categories: []
kind: MaskProvider
plural: maskproviders
shortNames: []
singular: maskprovider
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .status.activeSlots
name: USED
type: integer
- jsonPath: .status.phase
name: PHASE
type: string
- jsonPath: .status.lastUpdated
name: AGE
type: date
name: v1
schema:
openAPIV3Schema:
description: Auto-generated derived type for MaskProviderSpec via `CustomResource`
properties:
spec:
description: '[`MaskProviderSpec`] is the configuration for the [`MaskProvider`] resource, which represents a VPN service provider. It specifies a reference to a [`Secret`](k8s_openapi::api::core::v1::Secret) containing the credentials for connecting to the VPN service, as well as other important details like the maximum number of clients that can connect with the credentials at the same time.'
properties:
maxSlots:
description: Maximum number of [`MaskConsumer`] resources that can be assigned this [`MaskProvider`] at any given time. Used to prevent excessive connections to the VPN service, which could result in account suspension with some providers.
format: uint
minimum: 0.0
type: integer
namespaces:
description: Optional list of namespaces that are allowed to use this [`MaskProvider`]. Even if the [`Mask`] expresses a preference for this provider in [`MaskSpec::providers`], it can only be assigned if it's in one of these namespaces. If unset, all [`Mask`] namespaces are permitted.
items:
type: string
nullable: true
type: array
secret:
description: Reference to a [`Secret`](k8s_openapi::api::core::v1::Secret) resource containing the env vars that will be injected into the [gluetun](https://github.com/qdm12/gluetun) container. The contents of this `Secret` will be copied to the namespace of any [`MaskConsumer`] that reserves a slot with the provider. The created `Secret` is owned by the `MaskConsumer` and will automatically be deleted whenever the [`MaskConsumer`] is deleted, which happens when the provider is unassigned or the [`Mask`] itself is deleted.
type: string
tags:
description: |-
Optional list of short names that [`Mask`] resources can use to refer to this [`MaskProvider`] at the exclusion of others. Only one of these has to match one entry in [`MaskSpec::providers`] for this [`MaskProvider`] to be considered suitable for the [`Mask`].
Example values might be the role of the service (`"default"` or `"preferred"`), the service name (`"nordvpn"`, `"atlasvpn"`), or even region names (`"us-west"`, `"uk-london"`) - whatever makes sense for you.
items:
type: string
nullable: true
type: array
verify:
description: VPN service verification options. Used to ensure the credentials are valid before assigning the [`MaskProvider`] to [`Mask`] resources. Enabled by default. Set [`skip=true`](MaskProviderVerifySpec::skip) to disable verification.
nullable: true
properties:
interval:
description: How often you want to verify the credentials (e.g. `"24h"`). If unset, the credentials are only verified once (unless [`skip=true`](MaskProviderVerifySpec::skip), then they are never verified).
nullable: true
type: string
overrides:
description: Optional customization for the verification [`Pod`](k8s_openapi::api::core::v1::Pod). Use this to setup the image, networking, etc. These values are merged onto the controller-created [`Pod`](k8s_openapi::api::core::v1::Pod).
nullable: true
properties:
containers:
description: Optional customization for the verification [`Pod`](k8s_openapi::api::core::v1::Pod)'s different containers. Since the templating process will overwrite arrays, the containers can be overriden separately so as to avoid having to specify the full container array in [`MaskProviderVerifyOverridesSpec::pod`].
nullable: true
properties:
init:
description: Customization for the init container that probes the initial IP address. The structure of this field corresponds to the [`Container`](k8s_openapi::api::core::v1::Container) schema. Validation is disabled for both peformance and simplicity.
type: object
x-kubernetes-preserve-unknown-fields: true
probe:
description: Customization for the container that probes the public IP address until it differs from the initial. The structure of this field corresponds to the [`Container`](k8s_openapi::api::core::v1::Container) schema. Validation is disabled for both peformance and simplicity.
type: object
x-kubernetes-preserve-unknown-fields: true
vpn:
description: Customization for the [gluetun](https://github.com/qdm12/gluetun) container that connects to the VPN. The structure of this field corresponds to the [`Container`](k8s_openapi::api::core::v1::Container) schema. Validation is disabled for both peformance and simplicity.
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- init
- probe
- vpn
type: object
pod:
description: Optional customization for the verification [`Pod`](k8s_openapi::api::core::v1::Pod) resource. The structure of this field corresponds to the [`Pod`](k8s_openapi::api::core::v1::Pod) schema. Validation is disabled for both peformance and simplicity.
type: object
x-kubernetes-preserve-unknown-fields: true
required:
- pod
type: object
skip:
description: If `true`, credentials verification is skipped entirely. This is useful if your [`MaskProviderSpec::secret`] can't be plugged into a gluetun container, but you still want to use vpn-operator. Defaults to `false`.
nullable: true
type: boolean
timeout:
description: Duration string for how long the verify pod is allowed to take before verification is considered failed. The controller doesn't inspect the gluetun logs, so the only way to know if verification has failed is if containers exit with nonzero codes or if this timeout has passed. In testing, the latter is more common. This value must be at least as long as your VPN service could possibly take to connect (e.g. `"60s"`).
nullable: true
type: string
type: object
required:
- maxSlots
- secret
type: object
status:
description: Status object for the [`MaskProvider`] resource.
nullable: true
properties:
activeSlots:
description: Number of active slots reserved by [`Mask`] resources.
format: uint
minimum: 0.0
nullable: true
type: integer
lastUpdated:
description: Timestamp of when the [`MaskProviderStatus`] object was last updated.
nullable: true
type: string
lastVerified:
description: Timestamp of when the credentials were last verified.
nullable: true
type: string
message:
description: A human-readable message indicating details about why the [`MaskProvider`] is in this phase.
nullable: true
type: string
phase:
description: A short description of the [`MaskProvider`] resource's current state.
enum:
- Pending
- Verifying
- Verified
- Ready
- Active
- Terminating
- ErrSecretNotFound
- ErrVerifyFailed
nullable: true
type: string
type: object
required:
- spec
title: MaskProvider
type: object
served: true
storage: true
subresources:
status: {}