fixup! dev-docs: full L3 connectivity in VPN chart

edgelesssys · Jan 11, 2024 · 4a19333 · 4a19333
1 parent 9e839f5
commit 4a19333
Show file tree

Hide file tree

Showing 17 changed files with 68 additions and 274 deletions.
diff --git a/dev-docs/howto/vpn/helm/README.md b/dev-docs/howto/vpn/helm/README.md
@@ -61,7 +61,7 @@ ping $(kubectl get pods vpn-frontend-0 -o go-template --template '{{ .status.pod
 
 The VPN server is deployed as a `StatefulSet` to the cluster. It hosts the VPN
 frontend component, which is responsible for relaying traffic between the pod
-and the on-prem network. The frontend supports IPSec and Wireguard.
+and the on-prem network over an IPSec tunnel.
 
 The VPN frontend is exposed with a public LoadBalancer so that it becomes
 accessible from the on-prem network.

diff --git a/.../howto/vpn/helm/files/routing/operator.sh → ...wto/vpn/helm/files/operator/entrypoint.sh b/.../howto/vpn/helm/files/routing/operator.sh → ...wto/vpn/helm/files/operator/entrypoint.sh
@@ -1,5 +1,11 @@
 #!/bin/sh
 
+signaled() {
+  exit 143
+}
+
+trap signaled INT TERM
+
 all_ips() {
   kubectl get pods "${VPN_FRONTEND_POD}" -o go-template --template '{{ range .status.podIPs }}{{ printf "%s " .ip }}{{ end }}'
   echo "${VPN_PEER_CIDRS}"

diff --git a/dev-docs/howto/vpn/helm/files/routing/pod-l3-setup.sh b/dev-docs/howto/vpn/helm/files/routing/pod-l3-setup.sh
diff --git a/dev-docs/howto/vpn/helm/files/routing/sidecar.sh b/dev-docs/howto/vpn/helm/files/routing/sidecar.sh
diff --git a/dev-docs/howto/vpn/helm/files/strongswan/sidecar.sh b/dev-docs/howto/vpn/helm/files/strongswan/sidecar.sh
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+set -u
+
+if [ "$$" -eq "1" ]; then
+  echo 'This script must run in the root PID namespace, but $$ == 1!' >&2
+  exit 1
+fi
+
+myip() {
+  ip -j addr show eth0 | jq -r '.[0].addr_info[] | select(.family == "inet") | .local'
+}
+
+# Disable source IP verification on our network interface. Otherwise, VPN
+# packets will be dropped by Cilium.
+reconcile_sip_verification() {
+  # We want all of the cilium calls in this function to target the same
+  # process, so that we fail if the agent restarts in between. Thus, we only
+  # query the pid once per reconciliation.
+  cilium_agent=$(pidof cilium-agent) || return 0
+
+  cilium() {
+    nsenter -t "${cilium_agent}" -a -r -w cilium "$@"
+  }
+
+  myendpoint=$(cilium endpoint get "ipv4:$(myip)" | jq '.[0].id') || return 0
+
+  if [ "$(cilium endpoint config "${myendpoint}" -o json | jq -r .realized.options.SourceIPVerification)" = "Enabled" ]; then
+    cilium endpoint config "${myendpoint}" SourceIPVerification=Disabled
+  fi
+}
+
+# Set up the route from the node network namespace to the VPN pod.
+reconcile_route() {
+  for cidr in ${VPN_PEER_CIDRS}; do
+    nsenter -t 1 -n ip route replace "${cidr}" via "$(myip)"
+  done
+}
+
+while true; do
+  reconcile_route
+  reconcile_sip_verification
+  sleep 10
+done
diff --git a/dev-docs/howto/vpn/helm/files/strongswan/strongswan-setup.sh b/dev-docs/howto/vpn/helm/files/strongswan/strongswan-setup.sh
diff --git a/dev-docs/howto/vpn/helm/files/wireguard-setup.sh b/dev-docs/howto/vpn/helm/files/wireguard-setup.sh
diff --git a/dev-docs/howto/vpn/helm/templates/_helpers.tpl b/dev-docs/howto/vpn/helm/templates/_helpers.tpl
@@ -37,8 +37,6 @@ app.kubernetes.io/instance: {{ .Release.Name }}
   value: {{ .Values.podCIDR | quote }}
 - name: VPN_SERVICE_CIDR
   value: {{ .Values.serviceCIDR | quote }}
-- name: VPN_INTERFACE
-  value: vpn0
 - name: VPN_FRONTEND_POD
   value: {{ include "..fullname" . }}-frontend-0
 {{- end }}
diff --git a/dev-docs/howto/vpn/helm/templates/configmaps.yaml b/dev-docs/howto/vpn/helm/templates/configmaps.yaml
@@ -1,21 +1,10 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ include "..fullname" . }}-scripts
+  name: {{ include "..fullname" . }}-operator
   labels: {{- include "..labels" . | nindent 4 }}
 data:
-{{ (.Files.Glob "files/routing/*.sh").AsConfig | indent 2 }}
-{{- if .Values.wireguard.enabled }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ include "..fullname" . }}-wg
-  labels: {{- include "..labels" . | nindent 4 }}
-data:
-{{ (.Files.Glob "files/wireguard-setup.sh").AsConfig | indent 2 }}
-{{- end }}
-{{- if .Values.ipsec.enabled }}
+{{ (.Files.Glob "files/operator/*").AsConfig | indent 2 }}
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -24,4 +13,3 @@ metadata:
   labels: {{- include "..labels" . | nindent 4 }}
 data:
 {{ (.Files.Glob "files/strongswan/*").AsConfig | indent 2 }}
-{{- end }}
diff --git a/dev-docs/howto/vpn/helm/templates/operator-deployment.yaml b/dev-docs/howto/vpn/helm/templates/operator-deployment.yaml
@@ -20,7 +20,7 @@ spec:
       containers:
       - name: operator
         image: {{ .Values.image | quote }}
-        command: ["tini", "sh", "--", "/scripts/operator.sh"]
+        command: ["sh", "/scripts/entrypoint.sh"] # TODO: remove tini and add signal handler
         env: {{- include "..commonEnv" . | nindent 10 }}
         volumeMounts:
         - name: scripts
@@ -29,4 +29,4 @@ spec:
       volumes:
       - name: scripts
         configMap:
-          name: {{ include "..fullname" . }}-scripts
+          name: {{ include "..fullname" . }}-operator
diff --git a/dev-docs/howto/vpn/helm/templates/secrets.yaml b/dev-docs/howto/vpn/helm/templates/secrets.yaml
@@ -1,15 +1,3 @@
-{{- if .Values.wireguard.enabled }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ include "..fullname" . }}-wg
-  labels:
-    {{- include "..labels" . | nindent 4 }}
-data:
-  wg.conf: {{ include "wireguard.conf" . | b64enc }}
-{{- end }}
----
-{{ if .Values.ipsec.enabled }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -18,4 +6,3 @@ metadata:
     {{- include "..labels" . | nindent 4 }}
 data:
   swanctl.conf: {{ include "strongswan.swanctl-conf" . | b64enc }}
-{{- end }}
diff --git a/dev-docs/howto/vpn/helm/templates/service.yaml b/dev-docs/howto/vpn/helm/templates/service.yaml
@@ -11,16 +11,9 @@ spec:
     component: frontend
   externalTrafficPolicy: Local
   ports:
-    {{- if .Values.ipsec.enabled }}
     - name: isakmp
       protocol: UDP
       port: 500
     - name: ipsec-nat-t
       protocol: UDP
       port: 4500
-    {{- end }}
-    {{- if .Values.wireguard.enabled }}
-    - name: wg
-      protocol: UDP
-      port: {{ .Values.wireguard.port }}
-    {{- end }}
diff --git a/dev-docs/howto/vpn/helm/templates/strongswan-secret.tpl b/dev-docs/howto/vpn/helm/templates/strongswan-secret.tpl
@@ -1,8 +1,6 @@
 {{- define "strongswan.swanctl-conf" }}
 connections {
     net-net {
-      if_id_in = 0xfe
-      if_id_out = 0xfe
       remote_addrs = {{ .Values.ipsec.peer }}
       local {
           auth = psk

diff --git a/dev-docs/howto/vpn/helm/templates/strongswan-statefulset.yaml b/dev-docs/howto/vpn/helm/templates/strongswan-statefulset.yaml
@@ -1,4 +1,3 @@
-{{ if .Values.ipsec.enabled -}}
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
@@ -16,82 +15,40 @@ spec:
         component: frontend
     spec:
       hostPID: true
-      initContainers:
-      - name: strongswan-setup
-        image: {{ .Values.image | quote }}
-        command: ["/bin/sh", "-x", "/entrypoint.sh"]
-        env: {{- include "..commonEnv" . | nindent 10 }}
-        securityContext:
-          capabilities:
-            add: ["NET_ADMIN"]
-        volumeMounts:
-        - name: strongswan
-          mountPath: "/entrypoint.sh"
-          subPath: "strongswan-setup.sh"
-          readOnly: true
-      - name: networking-setup
-        image: {{ .Values.image | quote }}
-        command: ["/bin/sh", "-x", "/scripts/pod-l3-setup.sh"]
-        env: {{- include "..commonEnv" . | nindent 10 }}
-        securityContext:
-          privileged: true
-        volumeMounts:
-        - name: scripts
-          mountPath: "/scripts"
-          readOnly: true
-        - name: netns
-          mountPath: "/var/run/netns"
       containers:
       - name: strongswan
         image: {{ .Values.image | quote }}
-        command: ["tini", "sh", "--", "-x", "/entrypoint.sh"]
+        command: ["sh", "-x", "/entrypoint.sh"]
         securityContext:
           capabilities:
             add: ["NET_ADMIN"]
         volumeMounts:
-        - name: strongswan
+        - name: files
           mountPath: "/entrypoint.sh"
           subPath: "entrypoint.sh"
           readOnly: true
-        - name: strongswan
+        - name: files
           mountPath: "/etc/strongswan.d/charon-logging.conf"
           subPath: "charon-logging.conf"
           readOnly: true
-        - name: strongswan
+        - name: config
           mountPath: "/etc/swanctl/swanctl.conf"
           subPath: "swanctl.conf"
           readOnly: true
       - name: cilium-setup
         image: {{ .Values.image | quote }}
-        command: ["tini", "sh", "--", "/scripts/sidecar.sh"]
+        command: ["sh", "/scripts/sidecar.sh"]
         env: {{- include "..commonEnv" . | nindent 10 }}
         securityContext:
           privileged: true
         volumeMounts:
-        - name: scripts
+        - name: files
           mountPath: "/scripts"
           readOnly: true
       volumes:
-      - name: netns
-        emptyDir: {}
-      - name: scripts
+      - name: files
         configMap:
-          name: {{ include "..fullname" . }}-scripts
-      - name: strongswan
-        projected:
-          sources:
-          - secret:
-              name: {{ include "..fullname" . }}-strongswan
-              items:
-                - key: swanctl.conf
-                  path: swanctl.conf
-          - configMap:
-              name: {{ include "..fullname" . }}-strongswan
-              items:
-                - key: entrypoint.sh
-                  path: entrypoint.sh
-                - key: charon-logging.conf
-                  path: charon-logging.conf
-                - key: strongswan-setup.sh
-                  path: strongswan-setup.sh
-{{- end }}
+          name: {{ include "..fullname" . }}-strongswan
+      - name: config
+        secret:
+          secretName: {{ include "..fullname" . }}-strongswan
diff --git a/dev-docs/howto/vpn/helm/templates/wireguard-secret.tpl b/dev-docs/howto/vpn/helm/templates/wireguard-secret.tpl