Guidance on How to Deploy To Kubernetes

[craigmiller160]

Is your feature request related to a problem? Please describe.

Not really a problem, just something that would benefit me.

Describe the solution you'd like

I have a whole Kubernetes cluster setup on my home machine and I would love to add this. However, my understanding of the networking involved in this setup is limited. I can't seem to get the nginx proxy to connect to qbittorrent while the VPN is setup. I can get everything to work following your docker-compose documentation, but I can either have qbittorrent connected to the VPN, or have it be reach-able via the nginx proxy. I can't seem to do both together.

Describe alternatives you've considered

I could just use docker-compose, but kubernetes is my preference. Just hoping for some guidance from you, if you have it.

Additional context

Here is my Kubernetes deployment config file. I also have configmaps and secrets, but they are just for setting environment variables.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nord-vpn-torrent
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nord-vpn-torrent
  template:
    metadata:
      labels:
        app: nord-vpn-torrent
    spec:
      initContainers:
        - name: init-sysctl
          image: busybox
          command:
            - sysctl
            - -w
            - net.ipv4.conf.all.rp_filter=2
          securityContext:
            privileged: true
            runAsUser: 0
            runAsNonRoot: false
      containers:
        - name: nordvpn
          image: bubuntux/nordvpn
          envFrom:
            - configMapRef:
                name: nordvpn-config
          env:
            - name: PASS
              valueFrom:
                secretKeyRef:
                  name: nordvpn-password
                  key: password
          securityContext:
            capabilities:
              add:
                - NET_ADMIN
                - SYS_MODULE
        - name: qbittorrent
          image: ghcr.io/linuxserver/qbittorrent
          envFrom:
            - configMapRef:
                name: qbittorrent-config
          volumeMounts:
            - mountPath: /downloads
              name: qbittorrent-downloads
            - mountPath: /config
              name: qbittorrent-config
          ports:
            - containerPort: 30007
      volumes:
        - name: qbittorrent-config
          hostPath:
            path: /opt/kubernetes/data/qbittorrent/config
        - name: qbittorrent-downloads
          hostPath:
            path: /opt/kubernetes/data/qbittorrent/downloads
---
apiVersion: v1
kind: Service
metadata:
  name: nord-vpn-torrent-service
spec:
  type: NodePort
  selector:
    app: nord-vpn-torrent
  ports:
    - port: 30007
      targetPort: 30007
      nodePort: 30007
      protocol: TCP

[tgallacher]

Is your nginx proxy also running inside a pod on the same cluster?

If it is external, you might just have to whitelist your IP range. For example, if your local IP range is something like 192.168.1.0/24 then you just need to set the appropriate env var:

 - name: nordvpn
          image: bubuntux/nordvpn
          envFrom:
            - configMapRef:
                name: nordvpn-config    # <------ not sure what settings you have configured here
          env:
            - name: PASS
              valueFrom:
                secretKeyRef:
                  name: nordvpn-password
                  key: password
            - name: NETWORK
               value: 192.168.1.0/24
          securityContext:
            capabilities:
              add:
                - NET_ADMIN
                - SYS_MODULE

then you should be able to curl http://<ip of you node>:30007

If your nginx proxy is inside the cluster you might need some additional config.

Hope this helps

[craigmiller160]

Hey thanks for the help. Everything is inside the same cluster. The nginx proxy is in a separate pod within the same cluster.

One thing I've learned by experimenting with possible solutions is that port forwarding works. I'm writing this on my phone so I apologize for not including the exact command, but if I explicitly port forward from the qbittorrent/nordvpn pod, then I can access it on localhost.

However, my k8s service fails. As in, requests from my nginx proxy using the k8s service name you see in my config above, it resolves the hostname but fails to reach the pod.

Again, thanks for the reply. Any other guidance you can offer would be great. I would be happy to share the final k8s setup with you.

[tgallacher]

Cool. In this case I think you just need to add the NETWORK variable as above, but add in your cluster IP CIDR instead. This will whitelist the internal cluster traffic within the VPN firewall.

You can grab the cluster IP CIDR using kubectl:

kubectl cluster-info dump -o json --namespaces default | jq '.items[].spec.podCIDR | select(. != null)'

An example would be something like: 10.42.0.0/16. This value will depend on your config and the k8 tool used, I imagine.

Don't forget to restart the Deployment which includes your VPN container to pick up the new value. You should then be able to see the IP CIDR you've added within the output logs of the VPN, as it adds it to the firewall rules.

Hope this fixes your issue 🤞

Note: I've limited the output to just the default namespace to avoid jq reporting parsing error, as cluster-info dump will output container logs as well, which are not in json format

[craigmiller160]

Hey, thanks. So I can't find the CIDR. The command you gave doesn't work perfectly, since the logs still come into the output so jq doesn't work. However, I outputted the whole thing and couldn't find any podCIDR property in it. I'm running microk8s on my Linux Mint machine, and I've been hunting for some command or anything to find the CIDR. I'm trying to figure out some way to find this value and make it work, but no luck so far.

Appreciate all the help so far, not sure what else you can do at this point, but any ideas would be appreciated.

[tgallacher]

Odd. Output must be distro dependent; I'm currently using k3s.

You could use an educated guess: If you look at all the ClusterIPs of your services:

kubectl get svc -A

Look at the first two octets in the IPs, which they will likely/should share in common. Then use that and a /16 CIDR range.

Alternatively, you could just hunt down the ClusterIP for your Nginx pod and set that directly -- Note this won't be scalable as the IP will change anytime you restart (or redeploy) your Nginx pod, but should at least allow you to test if this is the right solution:

# Assumes your nginx pod has the follow app label
kubectl get pod -A -l app=nginx

Then you can put that single IP in the NETWORK env var and see if that unlocks access for you.