diff --git a/dev-docs/howto/vpn/Chart.yaml b/dev-docs/howto/vpn/Chart.yaml
index 26a8c917be..6c66f70b97 100644
--- a/dev-docs/howto/vpn/Chart.yaml
+++ b/dev-docs/howto/vpn/Chart.yaml
@@ -5,5 +5,3 @@ description: A VPN server for Constellation
 type: application
 version: 0.1.0
-
-appVersion: "v2.13.0" # target Constellation version
diff --git a/dev-docs/howto/vpn/templates/NOTES.txt b/dev-docs/howto/vpn/templates/NOTES.txt
deleted file mode 100644
index 5bcbfa9384..0000000000
--- a/dev-docs/howto/vpn/templates/NOTES.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-{{- if .Values.ipsec.enabled }}
-Required postinstallation steps (also see README.md):
-
-# Configure the LoadBalancer
-
-1. Find the node hosting the VPN server: kubectl get pods {{ include "..fullname" . }}-frontend-0 -o jsonpath={.spec.nodeName}
-2. Edit the load balancer resource in GCP and remove all other endpoints.
-{{- end }}
diff --git a/dev-docs/howto/vpn/templates/service.yaml b/dev-docs/howto/vpn/templates/service.yaml
index eada5c45d1..6c4bc97552 100644
--- a/dev-docs/howto/vpn/templates/service.yaml
+++ b/dev-docs/howto/vpn/templates/service.yaml
@@ -9,6 +9,7 @@ spec:
 selector:
 {{- include "..selectorLabels" . | nindent 4 }}
 component: frontend
+ externalTrafficPolicy: Local
 ports:
 {{- if .Values.ipsec.enabled }}
 - name: isakmp
diff --git a/dev-docs/howto/vpn/templates/statefulset.yaml b/dev-docs/howto/vpn/templates/strongswan-statefulset.yaml
similarity index 70%
rename from dev-docs/howto/vpn/templates/statefulset.yaml
rename to dev-docs/howto/vpn/templates/strongswan-statefulset.yaml
index 64bbf73704..f619373f19 100644
--- a/dev-docs/howto/vpn/templates/statefulset.yaml
+++ b/dev-docs/howto/vpn/templates/strongswan-statefulset.yaml
@@ -1,3 +1,4 @@
+{{ if .Values.ipsec.enabled -}}
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
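Review bot: `externalTrafficPolicy: Local` on the frontend Service deserves a comment, because the only explanation of the traffic path — the NOTES.txt step that had the operator prune the other GCP load-balancer endpoints by hand — is deleted in the same commit. By Kubernetes semantics `Local` makes kube-proxy on nodes without a frontend pod drop the forwarded traffic and exposes a health-check node port that the cloud load balancer uses to mark those nodes unhealthy, so only the node actually running the VPN pod receives IKE/ESP, and peer source addresses are preserved instead of being SNATed on a second hop; presumably that is what replaces the manual step. I would put above the new line: `# Local: only nodes hosting a frontend pod pass the LB health check (replaces manual endpoint pruning) and client source IPs are preserved.` It is also worth noting in the README that NOTES.txt pointed to that a rescheduled pod is unreachable until the load balancer's health check flips to the new node.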
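Review bot: The new `{{ if .Values.ipsec.enabled -}}` guard makes this StatefulSet conditional, but nothing prevents `ipsec.enabled` and `wireguard.enabled` from both being true, and the WireGuard StatefulSet added in this commit is named `{{ include "..fullname" . }}-frontend` with `component: frontend` labels — the same `-frontend` name the deleted NOTES.txt used for the IPsec pod, so the renamed file presumably still declares it (its `name:` line is outside this hunk). With both enabled the chart would render two StatefulSets under one name, and the Service selector `component: frontend` would match pods of both backends. Making the constraint explicit at render time is cheap, e.g. before the `if`: `{{- if and .Values.ipsec.enabled .Values.wireguard.enabled }}{{ fail "ipsec and wireguard frontends are mutually exclusive" }}{{- end }}`; the alternative is distinct StatefulSet names plus a backend-specific selector label. The StatefulSet body continues past this hunk.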
@@ -28,19 +29,6 @@ spec:
 mountPath: "/entrypoint.sh"
 subPath: "tproxy-setup.sh"
 readOnly: true
- {{- if .Values.wireguard.enabled }}
- - name: wg-setup
- image: "nixery.dev/busybox/wireguard-tools"
- command: ["/bin/sh", "-x", "/etc/wireguard/wireguard-setup.sh"]
- env: {{- include "..commonEnv" . | nindent 10 }}
- securityContext:
- capabilities:
- add: ["NET_ADMIN"]
- volumeMounts:
- - name: wireguard
- mountPath: "/etc/wireguard"
- readOnly: true
- {{- end }}
 containers:
 - name: tproxy
 # Image source: github.com/burgerdev/go-tproxy
@@ -49,7 +37,6 @@ spec:
 securityContext:
 capabilities:
 add: ["NET_RAW"]
- {{- if .Values.ipsec.enabled }}
 - name: strongswan
 image: "nixery.dev/shell/strongswan"
 command: ["/bin/sh", "-x", "/entrypoint.sh"]
@@ -69,27 +56,10 @@ spec:
 mountPath: "/etc/swanctl/swanctl.conf"
 subPath: "swanctl.conf"
 readOnly: true
- {{- end }}
 volumes:
 - name: tproxy-setup
 configMap:
 name: {{ include "..fullname" . }}-tproxy
- {{- if .Values.wireguard.enabled }}
- - name: wireguard
- projected:
- sources:
- - secret:
- name: {{ include "..fullname" . }}-wg
- items:
- - key: wg.conf
- path: wg.conf
- - configMap:
- name: {{ include "..fullname" . }}-wg
- items:
- - key: wireguard-setup.sh
- path: wireguard-setup.sh
- {{- end }}
- {{- if .Values.ipsec.enabled }}
 - name: strongswan
 projected:
 sources:
@@ -105,4 +75,4 @@ spec:
 path: entrypoint.sh
 - key: charon-logging.conf
 path: charon-logging.conf
- {{- end }}
+{{- end }}
diff --git a/dev-docs/howto/vpn/templates/wireguard-statefulset.yaml b/dev-docs/howto/vpn/templates/wireguard-statefulset.yaml
new file mode 100644
index 0000000000..f39b05cc77
--- /dev/null
+++ b/dev-docs/howto/vpn/templates/wireguard-statefulset.yaml
@@ -0,0 +1,68 @@
+{{ if .Values.wireguard.enabled -}}
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ name: {{ include "..fullname" . }}-frontend
+ labels: {{- include "..labels" . | nindent 4 }}
+spec:
+ selector:
+ matchLabels:
+ {{- include "..selectorLabels" . | nindent 6 }}
+ component: frontend
+ template:
+ metadata:
+ labels:
+ {{- include "..selectorLabels" . | nindent 8 }}
+ component: frontend
+ spec:
+ hostNetwork: false
+ initContainers:
+ - name: tproxy-setup
+ image: nixery.dev/busybox/iptables
+ command: ["/bin/sh", "-x", "/entrypoint.sh"]
+ env: {{- include "..commonEnv" . | nindent 10 }}
+ securityContext:
+ capabilities:
+ add: ["NET_ADMIN"]
+ volumeMounts:
+ - name: tproxy-setup
+ mountPath: "/entrypoint.sh"
+ subPath: "tproxy-setup.sh"
+ readOnly: true
+ - name: wg-setup
+ image: "nixery.dev/busybox/wireguard-tools"
+ command: ["/bin/sh", "-x", "/etc/wireguard/wireguard-setup.sh"]
+ env: {{- include "..commonEnv" . | nindent 10 }}
+ securityContext:
+ capabilities:
+ add: ["NET_ADMIN"]
+ volumeMounts:
+ - name: wireguard
+ mountPath: "/etc/wireguard"
+ readOnly: true
+ containers:
+ - name: tproxy
+ # Image source: github.com/burgerdev/go-tproxy
+ image: ghcr.io/burgerdev/go-tproxy:latest
+ command: ["/tproxy", "--port=61001", "--nat=true"]
+ securityContext:
+ capabilities:
+ add: ["NET_RAW"]
+ volumes:
+ - name: tproxy-setup
+ configMap:
+ name: {{ include "..fullname" . }}-tproxy
+ - name: wireguard
+ projected:
+ sources:
+ - secret:
+ name: {{ include "..fullname" . }}-wg
+ items:
+ - key: wg.conf
+ path: wg.conf
+ - configMap:
+ name: {{ include "..fullname" . }}-wg
+ items:
+ - key: wireguard-setup.sh
+ path: wireguard-setup.sh
+{{- end }}
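Review bot: All three images in this new pod are unpinned — `ghcr.io/burgerdev/go-tproxy:latest` and the two `nixery.dev/...` references are mutable and resolved at pull time — while the pod mounts the WireGuard private key from the `-wg` secret and runs with `NET_ADMIN`/`NET_RAW`, so whoever controls those registries or the Nixery builder controls the VPN gateway; pin each by digest (`image: "ghcr.io/burgerdev/go-tproxy@sha256:..."`) or at least by an immutable tag. The `wg-setup` init container runs `/bin/sh -x` over a script that works on `/etc/wireguard/wg.conf`; `-x` echoes every expanded command to the container log, so if the setup script ever passes the key on a command line (e.g. `wg set ... private-key`) it ends up in `kubectl logs` — drop `-x` there, or confirm the script only ever hands `wg` the file path. The capability blocks add `NET_ADMIN`/`NET_RAW` on top of the default set rather than replacing it; `drop: ["ALL"]` next to each `add:` plus `allowPrivilegeEscalation: false` keeps each container at exactly what it needs. Nothing here sets `automountServiceAccountToken: false`, and a VPN frontend has no reason to hold an API token. The sketch below shows the pattern on the WireGuard init container and the tproxy container; the `tproxy-setup` init container gets the same treatment.

```yaml
    spec:
      hostNetwork: false
      automountServiceAccountToken: false  # the gateway never talks to the API server
      initContainers:
      # … unchanged: tproxy-setup init container (pin image, same securityContext shape as below) …
      - name: wg-setup
        image: "nixery.dev/busybox/wireguard-tools@sha256:..."  # pin: this image sees the private key
        command: ["/bin/sh", "/etc/wireguard/wireguard-setup.sh"]  # no -x: never trace key handling into logs
        # … unchanged: env …
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
            add: ["NET_ADMIN"]
        # … unchanged: volumeMounts …
      containers:
      - name: tproxy
        # Image source: github.com/burgerdev/go-tproxy
        image: "ghcr.io/burgerdev/go-tproxy@sha256:..."  # pin: :latest is mutable
        # … unchanged: command …
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
            add: ["NET_RAW"]
      # … unchanged: volumes …
```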