to be squashed: address review comments

edgelesssys · Nov 21, 2023 · ba30fae · ba30fae
1 parent 5597ff8
commit ba30fae
Show file tree

Hide file tree

Showing 5 changed files with 71 additions and 43 deletions.
diff --git a/dev-docs/howto/vpn/Chart.yaml b/dev-docs/howto/vpn/Chart.yaml
@@ -5,5 +5,3 @@ description: A VPN server for Constellation
 type: application
 
 version: 0.1.0
-
-appVersion: "v2.13.0"  # target Constellation version
diff --git a/dev-docs/howto/vpn/templates/NOTES.txt b/dev-docs/howto/vpn/templates/NOTES.txt
diff --git a/dev-docs/howto/vpn/templates/service.yaml b/dev-docs/howto/vpn/templates/service.yaml
@@ -9,6 +9,7 @@ spec:
   selector:
     {{- include "..selectorLabels" . | nindent 4 }}
     component: frontend
+  externalTrafficPolicy: Local
   ports:
     {{- if .Values.ipsec.enabled }}
     - name: isakmp

diff --git a/...docs/howto/vpn/templates/statefulset.yaml → ...vpn/templates/strongswan-statefulset.yaml b/...docs/howto/vpn/templates/statefulset.yaml → ...vpn/templates/strongswan-statefulset.yaml
@@ -1,3 +1,4 @@
+{{ if .Values.ipsec.enabled -}}
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
@@ -28,19 +29,6 @@ spec:
           mountPath: "/entrypoint.sh"
           subPath: "tproxy-setup.sh"
           readOnly: true
-      {{- if .Values.wireguard.enabled }}
-      - name: wg-setup
-        image: "nixery.dev/busybox/wireguard-tools"
-        command: ["/bin/sh", "-x", "/etc/wireguard/wireguard-setup.sh"]
-        env: {{- include "..commonEnv" . | nindent 10 }}
-        securityContext:
-          capabilities:
-            add: ["NET_ADMIN"]
-        volumeMounts:
-        - name: wireguard
-          mountPath: "/etc/wireguard"
-          readOnly: true
-      {{- end }}
       containers:
       - name: tproxy
         # Image source: github.com/burgerdev/go-tproxy
@@ -49,7 +37,6 @@ spec:
         securityContext:
           capabilities:
             add: ["NET_RAW"]
-      {{- if .Values.ipsec.enabled }}
       - name: strongswan
         image: "nixery.dev/shell/strongswan"
         command: ["/bin/sh", "-x", "/entrypoint.sh"]
@@ -69,27 +56,10 @@ spec:
           mountPath: "/etc/swanctl/swanctl.conf"
           subPath: "swanctl.conf"
           readOnly: true
-      {{- end }}
       volumes:
       - name: tproxy-setup
         configMap:
           name: {{ include "..fullname" . }}-tproxy
-      {{- if .Values.wireguard.enabled }}
-      - name: wireguard
-        projected:
-          sources:
-          - secret:
-              name: {{ include "..fullname" . }}-wg
-              items:
-                - key: wg.conf
-                  path: wg.conf
-          - configMap:
-              name: {{ include "..fullname" . }}-wg
-              items:
-                - key: wireguard-setup.sh
-                  path: wireguard-setup.sh
-      {{- end }}
-      {{- if .Values.ipsec.enabled }}
       - name: strongswan
         projected:
           sources:
@@ -105,4 +75,4 @@ spec:
                   path: entrypoint.sh
                 - key: charon-logging.conf
                   path: charon-logging.conf
-      {{- end }}
+{{- end }}
diff --git a/dev-docs/howto/vpn/templates/wireguard-statefulset.yaml b/dev-docs/howto/vpn/templates/wireguard-statefulset.yaml
@@ -0,0 +1,68 @@
+{{ if .Values.wireguard.enabled -}}
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: {{ include "..fullname" . }}-frontend
+  labels: {{- include "..labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "..selectorLabels" . | nindent 6 }}
+      component: frontend
+  template:
+    metadata:
+      labels:
+        {{- include "..selectorLabels" . | nindent 8 }}
+        component: frontend
+    spec:
+      hostNetwork: false
+      initContainers:
+      - name: tproxy-setup
+        image: nixery.dev/busybox/iptables
+        command: ["/bin/sh", "-x", "/entrypoint.sh"]
+        env: {{- include "..commonEnv" . | nindent 10 }}
+        securityContext:
+          capabilities:
+            add: ["NET_ADMIN"]
+        volumeMounts:
+        - name: tproxy-setup
+          mountPath: "/entrypoint.sh"
+          subPath: "tproxy-setup.sh"
+          readOnly: true
+      - name: wg-setup
+        image: "nixery.dev/busybox/wireguard-tools"
+        command: ["/bin/sh", "-x", "/etc/wireguard/wireguard-setup.sh"]
+        env: {{- include "..commonEnv" . | nindent 10 }}
+        securityContext:
+          capabilities:
+            add: ["NET_ADMIN"]
+        volumeMounts:
+        - name: wireguard
+          mountPath: "/etc/wireguard"
+          readOnly: true
+      containers:
+      - name: tproxy
+        # Image source: github.com/burgerdev/go-tproxy
+        image:  ghcr.io/burgerdev/go-tproxy:latest
+        command: ["/tproxy", "--port=61001", "--nat=true"]
+        securityContext:
+          capabilities:
+            add: ["NET_RAW"]
+      volumes:
+      - name: tproxy-setup
+        configMap:
+          name: {{ include "..fullname" . }}-tproxy
+      - name: wireguard
+        projected:
+          sources:
+          - secret:
+              name: {{ include "..fullname" . }}-wg
+              items:
+                - key: wg.conf
+                  path: wg.conf
+          - configMap:
+              name: {{ include "..fullname" . }}-wg
+              items:
+                - key: wireguard-setup.sh
+                  path: wireguard-setup.sh
+{{- end }}
Original file line number	Diff line number	Diff line change
Expand Up		@@ -5,5 +5,3 @@ description: A VPN server for Constellation
		type: application

		version: 0.1.0

		appVersion: "v2.13.0" # target Constellation version