  • Stars: 540
  • Rank: 82,257 (Top 2 %)
  • Language: Go
  • License: Apache License 2.0
  • Created over 6 years ago
  • Updated about 3 years ago


Repository Details

Run Tor onion services on Kubernetes

tor-controller


Tor is an anonymity network that provides:

  • privacy
  • enhanced tamperproofing
  • freedom from network surveillance
  • NAT traversal

tor-controller allows you to create OnionService resources in kubernetes. These services are used similarly to standard kubernetes services, but they only serve traffic on the tor network (available on .onion addresses).

See this page for more information about onion services.

tor-controller creates the following resources for each OnionService:

  • a service, which is used to send traffic to the application pods
  • a tor pod, which contains a tor daemon that serves incoming traffic from the tor network, and a management process that watches the kubernetes API, generates the tor config, and signals the tor daemon when it changes
  • rbac rules
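To make the management process's job concrete, here is an added example (not tor-controller's own code) that renders the Tor HiddenService stanza a controller like this would derive from one OnionService. The OnionService is a constructed dict mirroring the example-onion-service manifest on this page, the backend ClusterIP is a constructed value, the data directory is an assumed path, and the key file names are the ones Tor itself reads from a HiddenServiceDir; how tor-controller actually lays out its pod is not described on this page.

```python
from typing import Optional

# Constructed OnionService, mirroring the README's example-onion-service
# as a dict (PyYAML is not in the standard library). Field names follow
# the tor.k8s.io/v1alpha1 spec shown on this page.
ONION_SERVICE = {
    "metadata": {"name": "example-onion-service"},
    "spec": {
        "version": 2,
        "selector": {"app": "http-app"},
        "ports": [{"publicPort": 80, "targetPort": 8080}],
        "privateKeySecret": {"name": "example-onion-key", "key": "private_key"},
    },
}

# File names Tor itself expects inside HiddenServiceDir for a persistent key;
# a fixed-address service needs the Secret's key material written there.
KEY_FILENAMES = {2: "private_key", 3: "hs_ed25519_secret_key"}


def render_torrc(onion_service: dict, backend_ip: str,
                 data_dir: str = "/run/tor/service") -> str:
    """Render the HiddenService stanza for one OnionService. backend_ip is
    the ClusterIP of the Service the controller creates for the selector
    (constructed in the test; assumed data_dir)."""
    spec = onion_service["spec"]
    version = spec.get("version", 3)          # README: v3 when unspecified
    if version not in KEY_FILENAMES:
        raise ValueError(f"unsupported onion version {version!r}")
    ports = spec.get("ports") or []
    if not ports:
        raise ValueError("OnionService must expose at least one port")
    lines = [f"HiddenServiceDir {data_dir}", f"HiddenServiceVersion {version}"]
    for p in ports:
        public, target = int(p["publicPort"]), int(p["targetPort"])
        if not (0 < public < 65536 and 0 < target < 65536):
            raise ValueError(f"port out of range: {p}")
        # Each publicPort on the .onion side forwards to the backend service.
        lines.append(f"HiddenServicePort {public} {backend_ip}:{target}")
    return "\n".join(lines) + "\n"


def expected_key_file(onion_service: dict,
                      data_dir: str = "/run/tor/service") -> Optional[str]:
    """Path Tor would read a fixed key from, or None for a random-name service."""
    spec = onion_service["spec"]
    if "privateKeySecret" not in spec:
        return None
    return f"{data_dir}/{KEY_FILENAMES[spec.get('version', 3)]}"


if __name__ == "__main__":
    print(render_torrc(ONION_SERVICE, "10.96.0.10"))   # constructed ClusterIP
    print(expected_key_file(ONION_SERVICE))
```

Only the HiddenServiceDir, HiddenServiceVersion and HiddenServicePort directives are emitted, so every line of config the daemon sees traces back to a field of the OnionService; a port outside 1-65535 or an unknown version is rejected before anything is written.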

Install

Install tor-controller:

$ kubectl apply -f hack/install.yaml

Quickstart with random address

Create an onion service, onionservice.yaml:

apiVersion: tor.k8s.io/v1alpha1
kind: OnionService
metadata:
  name: basic-onion-service
spec:
  version: 2
  selector:
    app: example
  ports:
  - publicPort: 80
    targetPort: 80

Apply it:

$ kubectl apply -f onionservice.yaml

View it:

$ kubectl get onionservices -o=custom-columns=NAME:.metadata.name,HOSTNAME:.status.hostname
NAME                    HOSTNAME
basic-onion-service     h7px2yyugjqkztrb.onion

Exposing a deployment with a fixed address

Create a deployment to test against; in this example we'll deploy an echoserver. Create echoserver.yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-app
spec:
  replicas: 2
  selector:
    matchLabels:
      app: http-app
  template:
    metadata:
      labels:
        app: http-app
    spec:
      containers:
      - name: http-app
        image: gcr.io/google_containers/echoserver:1.8
        ports:
        - containerPort: 8080

Apply it:

$ kubectl apply -f echoserver.yaml

For a fixed address, we need a private key. This should be kept safe, since someone can impersonate your onion service if it is leaked. Generate an RSA private key (only valid for v2 onion services, v3 services use Ed25519 instead):

$ openssl genrsa -out private_key 1024

Put your private key into a secret:

$ kubectl create secret generic example-onion-key --from-file=private_key

Create an onion service, onionservice.yaml, referencing the private key we just created:

apiVersion: tor.k8s.io/v1alpha1
kind: OnionService
metadata:
  name: example-onion-service
spec:
  version: 2
  selector:
    app: http-app
  ports:
    - targetPort: 8080
      publicPort: 80
  privateKeySecret:
    name: example-onion-key
    key: private_key

Apply it:

$ kubectl apply -f onionservice.yaml

List active OnionServices:

$ kubectl get onionservices -o=custom-columns=NAME:.metadata.name,HOSTNAME:.status.hostname
NAME                    HOSTNAME
example-onion-service   s2c6qry5bj57vyms.onion

This service should now be accessible from any tor client, for example Tor Browser.

Random service names

If spec.privateKeySecret is not specified, tor-controller will start a service with a random name. This will remain in use until the tor-daemon pod restarts or is terminated for some other reason.

Onion service versions

The spec.version field specifies which onion protocol to use. v2 is the classic, well-supported protocol; v3 is its newer replacement.

The biggest difference from a user's point of view is the length of addresses. v2 service names are short, like x3yvl2svtqgzhcyz.onion. v3 names are longer, like ljgpby5ba3xi5osslpdvqsumdb4sbclb2amxtm6a3cwnq7w7sj72noid.onion.

tor-controller defaults to using v3 if spec.version is not specified.
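Because the hostname is derived from the key, the address a fixed-address service gets is fully determined by the private_key you put in the Secret, which makes a mismatch between the key you think you deployed and the hostname tor-controller reports detectable. The following added example (not part of this README or of tor-controller) derives both address forms and classifies a hostname by version: v2 names are the base32 encoding of the first 80 bits of SHA-1 over the DER-encoded RSA public key, and v3 names are base32 of the Ed25519 public key followed by a SHA3-256 checksum and a version byte, which is why they are 16 and 56 characters long. The RSA numbers and the 32-byte Ed25519 key below are constructed stand-ins, not real keys; for a real v2 key, the modulus can be read with openssl rsa -in private_key -noout -modulus. The Tor project has since retired v2 services, so treat the v2 path as legacy.

```python
import base64
import hashlib
import re

# Constructed sample inputs (not keys of any real service):
SAMPLE_ED25519_PUBKEY = bytes(range(32))        # stand-in for a v3 public key
SAMPLE_RSA_N = (1 << 1023) | 0x10001            # stand-in for a 1024-bit v2 modulus
SAMPLE_RSA_E = 65537


def _der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value: int) -> bytes:
    """DER INTEGER; a leading zero keeps a high-bit value positive."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def v2_onion_address(n: int, e: int) -> str:
    """v2 name: base32 of the first 80 bits of SHA-1 over the DER-encoded
    PKCS#1 RSAPublicKey (SEQUENCE { n, e }) of the key in the Secret."""
    inner = _der_int(n) + _der_int(e)
    der = b"\x30" + _der_len(len(inner)) + inner
    digest = hashlib.sha1(der).digest()[:10]
    return base64.b32encode(digest).decode().lower() + ".onion"


def v3_onion_address(pubkey: bytes) -> str:
    """v3 name (rend-spec-v3): base32(pubkey || checksum || 0x03), where
    checksum = SHA3-256(".onion checksum" || pubkey || 0x03)[:2]."""
    if len(pubkey) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode().lower() + ".onion"


def classify_onion(hostname: str) -> dict:
    """Identify the onion version of a hostname (subdomains such as
    echoserver.<name>.onion are allowed) and, for v3, verify its checksum."""
    parts = hostname.lower().rstrip(".").split(".")
    if len(parts) < 2 or parts[-1] != "onion":
        return {"version": None, "checksum_ok": False}
    label = parts[-2]
    if re.fullmatch(r"[a-z2-7]{16}", label):
        return {"version": 2, "checksum_ok": None}   # v2 names carry no checksum
    if re.fullmatch(r"[a-z2-7]{56}", label):
        raw = base64.b32decode(label.upper())
        pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
        expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
        return {"version": 3, "checksum_ok": version == b"\x03" and checksum == expected}
    return {"version": None, "checksum_ok": False}


if __name__ == "__main__":
    print(v2_onion_address(SAMPLE_RSA_N, SAMPLE_RSA_E))
    print(v3_onion_address(SAMPLE_ED25519_PUBKEY))
    print(classify_onion("echoserver.h7px3yyugjqkztrb.onion"))
```

Comparing the derived address with the HOSTNAME column from kubectl get onionservices tells you whether the daemon is actually serving with the key you stored; a v3 hostname whose checksum fails is a typo or tampering, not a valid service name.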

Using with nginx-ingress

tor-controller on its own simply directs TCP traffic to a backend service. If you want to serve HTTP stuff, you'll probably want to pair it with nginx-ingress or some other ingress controller.

To do this, first install nginx-ingress normally. Then point an onion service at the nginx-ingress-controller, for example:

apiVersion: tor.k8s.io/v1alpha1
kind: OnionService
metadata:
  name: nginx-onion-service
spec:
  version: 2
  selector:
    app: nginx-ingress-controller
    name: nginx-ingress-controller
  ports:
  - publicPort: 80
    targetPort: 80
    name: http
  privateKeySecret:
    name: nginx-onion-key
    key: private_key

This can then be used in the same way any other ingress is. Here's a full example, with a default backend and a subdomain:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-app
spec:
  replicas: 2
  selector:
    matchLabels:
      app: http-app
  template:
    metadata:
      labels:
        app: http-app
    spec:
      containers:
      - name: http-app
        image: gcr.io/google_containers/echoserver:1.8
        ports:
        - containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: http-app
  labels:
    app: http-app
spec:
  ports:
  - port: 80
    protocol: TCP
    targetPort: 8080
  selector:
    app: http-app
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: http-app
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  backend:
    serviceName: default-http-backend
    servicePort: 80
  rules:
  - host: echoserver.h7px3yyugjqkztrb.onion
    http:
      paths:
      - path: /
        backend:
          serviceName: http-app
          servicePort: 8080

More Repositories

  • json-sempai (Python, 1,252 stars): Use JSON files as if they are python modules
  • python-etcd3 (Python, 426 stars): Python client for the etcd API v3
  • anyprint (Python, 402 stars): Use any* language's print statements in Python
  • cookiecutter-pypackage-minimal (Python, 200 stars): A minimal template for python packages
  • omochabako (Python, 67 stars): Toy container runtime, capable of running docker images
  • pam-2fa-scream (C, 18 stars): Highly secure second factor auth by screaming at your computer.
  • typejudge (Python, 16 stars): Automated semver compliance based on type hints
  • whalie (Python, 15 stars): Jimble your while loops.
  • python-pixiv (Python, 13 stars): Pixiv API client for python
  • tor-ingress-controller (Go, 12 stars): An ingress controller to expose kubernetes services as onion services on the tor network
  • reddit-auto-respond (Python, 11 stars): Responds to private messages on reddit
  • doot (C, 10 stars): 💀 t̷h͝e̴ s̶ke̡l͜tal͞ 💀 of ke̢rn̕e͢l 💀
  • nixbot (Python, 8 stars)
  • configuration.nix (Nix, 8 stars): NixOS configuration files
  • CMPS10 (C++, 5 stars): Arduino library for the CMPS10 compass
  • toot (Go, 5 stars): Mastodon API client for Go
  • inidiff (Python, 4 stars): Find the differences between two ini files
  • dot-files (Perl, 4 stars): Some config files
  • librowind (C, 4 stars): C library for the RO Wind sensor
  • amnesiafs (C, 3 stars)
  • comfc (C, 3 stars): The comfy compositor
  • containers (Python, 2 stars): Easily manipulate app containers
  • soilmaker (Python, 2 stars): Makes pictures of soil
  • lode (Python, 2 stars): Tiny and minimalistic logging utility module
  • java-player (Java, 2 stars): Mirror of the javaclient3 branch of java-player
  • christmas-eval (Python, 2 stars)
  • hyoki (Go, 2 stars)
  • piebook (Python, 2 stars): A small console-based ebook reader written in python
  • morsecat (Rust, 2 stars): Like cat(1), but with morse code and lights
  • anon-ircd (Python, 2 stars)
  • computing (Python, 1 star): Random stuff with python
  • github-setup-irc-notifications (Python, 1 star): Configure all repositories in an organization with irc notifications
  • musc (Python, 1 star): Small music playing server
  • fpc-stuff (Pascal, 1 star): some rather rancid fpc projects
  • betamax-yaml-serializer (Python, 1 star): YAML serializer for betamax
  • gpsts (Python, 1 star): Attempts to sync system and GPS time
  • m8 (1 star)
  • pypmon (Python, 1 star): ip address monitor
  • mushroom (C, 1 star): Mirror of https://git.sr.ht/~kragniz/mushroom
  • llgc (Python, 1 star)
  • nyaa-scrobble (Python, 1 star): Scrobbles music from nyaa-radio
  • prettytable (Python, 1 star): Automatically exported from code.google.com/p/prettytable
  • sails-fedora (1 star)
  • wch (Python, 1 star): Small mplayer wrapper which allows restarting from the episode last watched
  • proxy (Go, 1 star)
  • hexogen (Python, 1 star): tile based declarative texture synthesis
  • sudoku-solver (Java, 1 star): Simple non-backtracking sudoku solver
  • pygamebook (Python, 1 star): Makes nice looking game books
  • pixiv-bot-demo (Python, 1 star)
  • pychi (Python, 1 star): py can has internet - check if this machine is connected to the world wide web
  • nduko (Python, 1 star): n by n suduko