Skip to content

Common library add-ons

Our Helm charts have a few add-ons which are meant to simplify some features you might be looking for. These are sidecars that run in the same pod as your application you configured it with.

Code Server

The code-server add-on can be used to access and modify persistent volume data in your application. This can be useful when you need to edit the persistent volume data, for example with Home Assistant.

Example values

Below is a snippet from a values.yaml using the add-on. More configuration options can be found in our common chart documentation.

Note

This example will mount /config into the code-server sidecar.

addons:
  codeserver:
    enabled: true
    image:
      repository: codercom/code-server
      tag: 3.9.0
    workingDir: "/config"
    args:
    - --auth
    - "none"
    - --user-data-dir
    - "/config/.vscode"
    - --extensions-dir
    - "/config/.vscode"
    ingress:
      enabled: true
      annotations:
        kubernetes.io/ingress.class: "nginx"
      hosts:
      - host: app-config.domain.tld
        paths:
        - path: /
          pathType: Prefix
      tls:
      - hosts:
        - app-config.domain.tld
    volumeMounts:
    - name: config
      mountPath: /config

Wireguard VPN

The Wireguard add-on enables you to force all (or selected) network traffic through a VPN.

This example shows how to add a Wireguard sidecar to our qBittorrent Helm chart. It does not cover all of the configuration possibilities of the Wireguard client image, but should give a good starting point for configuring a similar setup.

Example values

Below is an annotated example values.yaml that will result in a qBittorrent container with all its traffic routed through a VPN. In order to have functioning ingress and/or probes, it might be required to open certain networks or ports on the VPN firewall. That is beyond the scope of this document. Please refer to the Wireguard client image for more details on these environment variables.

Note

The WAIT_FOR_VPN environment variable is specifically implemented by our own qBittorrent image, and it will not work with other container images.

image:
  repository: k8sathome/qbittorrent
  tag: v4.3.3
  pullPolicy: IfNotPresent

env:
  # Our qBittorrent image has a feature that can wait for the VPN to be connected before actually starting the application.
  # It does this by checking the contents of a file /shared/vpnstatus to contain the string 'connected'.
  WAIT_FOR_VPN: "true"

persistence:
  config:
    enabled: true
    type: emptyDir
    mountPath: /config

  # This should be enabled so that both the qBittorrent and Wireguard container have access to a shared volume mounted to /shared.
  # It will be used to communicate between the two containers.
  shared:
    enabled: true
    type: emptyDir
    mountPath: /shared

addons:
  vpn:
    enabled: true
    # This Should be set to `wireguard`. This will set the add-on to use the default settings for Wireguard based connections.
    type: wireguard

    # If the podSecurityContext is set to run as a different user, make sure to run the Wireguard container as UID/GID 568.
    # This is required for it to be able to read certain configuration files.
    securityContext:
      runAsUser: 568
      runAsGroup: 568

    env:
      # Enable a killswitch that kills all trafic when the VPN is not connected
      KILLSWITCH: "true"

    # The wireguard configuration file provided by your VPN provider goes here.
    #
    # Set AllowedIPs to 0.0.0.0/0 to route all traffic through the VPN.
    #
    # Pay close attention to the PostUp and PreDown lines. They must be added if you wish to run a script when the connection
    # is opened / closed.
    configFile: |-
      [Interface]
      PrivateKey = <my-private-key>
      Address = <interface address>
      DNS = <interface DNS server>
      PostUp = /config/up.sh %i
      PreDown = /config/down.sh %i

      [Peer]
      PublicKey = <my-public-key>
      AllowedIPs = 0.0.0.0/0
      Endpoint = <peer endpoint>

    # The scripts that get run when the VPN connection opens/closes are defined here.
    # The default scripts will write a string to represent the current connection state to a file.
    # Our qBittorrent image has a feature that can wait for this file to contain the word 'connected' before actually starting the application.
    scripts:
      up: |-
        #!/bin/bash
        echo "connected" > /shared/vpnstatus

      down: |-
        #!/bin/bash
        echo "disconnected" > /shared/vpnstatus

OpenVPN

Similar to the Wireguard VPN, the OpenVPN add-on enables you to force all (or selected) network traffic through a VPN.

This example shows how to add an OpenVPN sidecar to our qBittorrent Helm chart. It does not cover all of the configuration possibilities of the OpenVPN client image by @dperson, but should give a good starting point for configuring a similar setup.

Example values

Below is an annotated example values.yaml that will result in a qBittorrent container with all its traffic routed through a VPN. In order to have functioning ingress and/or probes, it might be required to open certain networks or ports on the VPN firewall. That is beyond the scope of this document. Please refer to the OpenVPN client image for more details on these environment variables.

Note

The WAIT_FOR_VPN environment variable is specifically implemented by our own qBittorrent image, and it will not work with other container images.

image:
  repository: k8sathome/qbittorrent
  tag: v4.3.3
  pullPolicy: IfNotPresent

env:
  # Our qBittorrent image has a feature that can wait for the VPN to be
  # connected before actually starting the application.
  # It does this by checking the contents of a file /shared/vpnstatus to
  # contain the string 'connected'.
  WAIT_FOR_VPN: "true"

persistence:
  config:
    enabled: true
    type: emptyDir
    mountPath: /config

  # This should be enabled so that both the qBittorrent and OpenVPN container have access to a shared volume mounted to /shared.
  # It will be used to communicate between the two containers.
  shared:
    enabled: true
    type: emptyDir
    mountPath: /shared

addons:
  vpn:
    enabled: true
    # This Should be set to `openvpn`. This will set the add-on to use the default settings for OpenVPN based connections.
    type: openvpn

    openvpn:
      # This gets read by the Helm chart. The default OpenVPN image reads this and uses it to connect to the VPN provider.
      auth: |
        myuser
        mypassword

    # If the podSecurityContext is set to run as a different user, make sure to run the OpenVPN container as root. 
    # This is required for it to be able to read certain configuration files. 
    securityContext:
      runAsGroup: 0
      runAsUser: 0

    env:
      # Set this environment variable to 'on' to make sure all traffic gets routed through the VPN container.
      # Make sure to check the other environment variables for the OpenVPN image to see how you can exclude certain
      # traffic from these firewall rules.
      FIREWALL: 'on'

    # The .ovpn file provided by your VPN provider goes here.
    #
    # Any CA / certificate must either be placed inline, or provided through an additionalVolumeMount so that OpenVPN can find it.
    #
    # Pay close attention to the last 3 lines in this file. They must be added if you wish to run a script when the connection
    # is opened / closed.
    configFile: |-
      client
      dev tun
      proto udp
      remote my-awesome-vpn-provider.com 995
      remote-cert-tls server
      resolv-retry infinite
      nobind
      tls-version-min 1.2
      cipher AES-128-GCM
      compress
      ncp-disable
      tun-mtu-extra 32
      auth-user-pass

      <ca>
      -----BEGIN CERTIFICATE-----
      MIIDMTCCAhmgAwIBAgIJAKnGGJK6qLqSMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNV
      -----END CERTIFICATE-----
      </ca>

      script-security 2
      up /vpn/up.sh
      down /vpn/down.sh

    # The scripts that get run when the VPN connection opens/closes are defined here.
    # The default scripts will write a string to represent the current connection state to a file.
    # Our qBittorrent image has a feature that can wait for this file to contain the word 'connected' before actually starting the application.
    scripts:
      up: |-
        #!/bin/bash
        /etc/openvpn/up.sh
        echo "connected" > /shared/vpnstatus

      down: |-
        #!/bin/bash
        /etc/openvpn/down.sh
        echo "disconnected" > /shared/vpnstatus