fixup! dev-docs: full L3 connectivity in VPN chart

edgelesssys · Jan 5, 2024 · ac5466b · ac5466b
1 parent a089f83
commit ac5466b
Show file tree

Hide file tree

Showing 4 changed files with 50 additions and 17 deletions.
diff --git a/dev-docs/howto/vpn/helm/files/routing/pod-l3-setup.sh b/dev-docs/howto/vpn/helm/files/routing/pod-l3-setup.sh
@@ -7,20 +7,6 @@ if [ "$$" -eq "1" ]; then
   exit 1
 fi
 
-# Disable source IP verification on our network interface. Otherwise, VPN
-# packets will be dropped by Cilium.
-
-cilium_agent=$(pidof cilium-agent)
-myip=$(ip -j addr show eth0 | jq -r '.[0].addr_info[] | select(.family == "inet") | .local')
-
-cilium() {
-  nsenter -t "${cilium_agent}" -a -r -w cilium "$@"
-}
-
-myendpoint=$(cilium endpoint get "ipv4:${myip}" | jq '.[0].id')
-
-cilium endpoint config "${myendpoint}" SourceIPVerification=Disabled
-
 # Set up routes for VPN traffic. Inside our netns, point to the VPN interface.
 # In the host network namespace, point to the pod interface.
 
@@ -38,6 +24,7 @@ ip_root() {
 lower_interface_id=$(ip -j l show eth0 | jq '.[0].link_index')
 lower_interface=$(ip_root -j link show | jq -r ".[] | select(.ifindex == ${lower_interface_id}) | .ifname")
 
+myip=$(ip -j addr show eth0 | jq -r '.[0].addr_info[] | select(.family == "inet") | .local')
 for cidr in ${VPN_PEER_CIDRS}; do
   ip_root route replace "${cidr}" via "${myip}" dev "${lower_interface}"
 done
diff --git a/dev-docs/howto/vpn/helm/files/routing/sidecar.sh b/dev-docs/howto/vpn/helm/files/routing/sidecar.sh
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+# Disable source IP verification on our network interface. Otherwise, VPN
+# packets will be dropped by Cilium.
+
+reconcile_sip_verification() {
+
+    # Disable source IP verification on our network interface. Otherwise, VPN
+    # packets will be dropped by Cilium.
+
+    cilium_agent=$(pidof cilium-agent)
+    myip=$(ip -j addr show eth0 | jq -r '.[0].addr_info[] | select(.family == "inet") | .local')
+
+    cilium() {
+    nsenter -t "${cilium_agent}" -a -r -w cilium "$@"
+    }
+
+    myendpoint=$(cilium endpoint get "ipv4:${myip}" | jq '.[0].id')
+
+    if [ "$(cilium endpoint config "${myendpoint}" -o json | jq -r .realized.options.SourceIPVerification)" = "Enabled" ]; then
+        cilium endpoint config "${myendpoint}" SourceIPVerification=Disabled
+    fi
+
+}
+
+while true; do
+  reconcile_sip_verification
+  sleep 10
+done
diff --git a/dev-docs/howto/vpn/helm/templates/strongswan-statefulset.yaml b/dev-docs/howto/vpn/helm/templates/strongswan-statefulset.yaml
@@ -61,6 +61,16 @@ spec:
           mountPath: "/etc/swanctl/swanctl.conf"
           subPath: "swanctl.conf"
           readOnly: true
+      - name: cilium-setup
+        image: {{ .Values.image | quote }}
+        command: ["/bin/sh", "/scripts/sidecar.sh"]
+        env: {{- include "..commonEnv" . | nindent 10 }}
+        securityContext:
+          privileged: true
+        volumeMounts:
+        - name: scripts
+          mountPath: "/scripts"
+          readOnly: true
       volumes:
       - name: netns
         emptyDir: {}

diff --git a/dev-docs/howto/vpn/helm/templates/wireguard-statefulset.yaml b/dev-docs/howto/vpn/helm/templates/wireguard-statefulset.yaml
@@ -41,9 +41,16 @@ spec:
         - name: netns
           mountPath: "/var/run/netns"
       containers:
-      - name: placeholder # TODO: replace with pause
-        image:  {{ .Values.image | quote }}
-        command: ["/bin/sh", "-c", "while true; do sleep 1000; done"]
+      - name: cilium-setup
+        image: {{ .Values.image | quote }}
+        command: ["/bin/sh", "/scripts/sidecar.sh"]
+        env: {{- include "..commonEnv" . | nindent 10 }}
+        securityContext:
+          privileged: true
+        volumeMounts:
+        - name: scripts
+          mountPath: "/scripts"
+          readOnly: true
       volumes:
       - name: netns
         emptyDir: {}