From 6807909990d234926b72b85e171ed6993673914b Mon Sep 17 00:00:00 2001 From: Jared Hancock Date: Tue, 14 Sep 2021 15:21:27 -0500 Subject: [PATCH 1/6] added samples for multi-region saml --- samples/ra-vpn/redirector-lb/ravpn-pool.yaml | 2 +- .../ra-vpn/redirector-lb/route53-ingress.yaml | 6 + .../saml-multi-region/ca-certificate.yaml | 111 ++++++++++++++++ .../saml-multi-region/enforcers-asaconf.yaml | 121 ++++++++++++++++++ .../eu-region/asaconfig-domain.yaml | 29 +++++ .../eu-region/ravpn-pool.yaml | 17 +++ .../eu-region/route53-europe.yaml | 29 +++++ .../saml-multi-region/fileobjects-ravpn.yaml | 67 ++++++++++ .../saml-multi-region/redirector-asaconf.yaml | 87 +++++++++++++ .../ra-vpn/saml-multi-region/redis-ca.yaml | 38 ++++++ .../saml-multi-region/s3-auth-secret.yaml | 14 ++ .../us-region/asaconfig-domain.yaml | 30 +++++ .../us-region/ravpn-pool.yaml | 19 +++ .../us-region/route53-us.yaml | 32 +++++ 14 files changed, 601 insertions(+), 1 deletion(-) create mode 100644 samples/ra-vpn/saml-multi-region/ca-certificate.yaml create mode 100644 samples/ra-vpn/saml-multi-region/enforcers-asaconf.yaml create mode 100644 samples/ra-vpn/saml-multi-region/eu-region/asaconfig-domain.yaml create mode 100644 samples/ra-vpn/saml-multi-region/eu-region/ravpn-pool.yaml create mode 100644 samples/ra-vpn/saml-multi-region/eu-region/route53-europe.yaml create mode 100644 samples/ra-vpn/saml-multi-region/fileobjects-ravpn.yaml create mode 100644 samples/ra-vpn/saml-multi-region/redirector-asaconf.yaml create mode 100644 samples/ra-vpn/saml-multi-region/redis-ca.yaml create mode 100644 samples/ra-vpn/saml-multi-region/s3-auth-secret.yaml create mode 100644 samples/ra-vpn/saml-multi-region/us-region/asaconfig-domain.yaml create mode 100644 samples/ra-vpn/saml-multi-region/us-region/ravpn-pool.yaml create mode 100644 samples/ra-vpn/saml-multi-region/us-region/route53-us.yaml 
diff --git a/samples/ra-vpn/redirector-lb/ravpn-pool.yaml b/samples/ra-vpn/redirector-lb/ravpn-pool.yaml index d5c3509..b4b644c 100644 --- a/samples/ra-vpn/redirector-lb/ravpn-pool.yaml +++ b/samples/ra-vpn/redirector-lb/ravpn-pool.yaml @@ -9,7 +9,7 @@ metadata: # EP's node interface index that will be used as route target aws.cnfw.cisco.com/interface-index: "3" # AWS Route Table ID that will be synced with assigned subnets. - # This should be the table that includes your outside and inside networks, usually named "Public Subnets" + # This should be the table that includes your inside networks, usually named "Inside Subnets" aws.cnfw.cisco.com/route-table-id: spec: address: "10.10.0.0" diff --git a/samples/ra-vpn/redirector-lb/route53-ingress.yaml b/samples/ra-vpn/redirector-lb/route53-ingress.yaml index 88723f1..a8021b8 100644 --- a/samples/ra-vpn/redirector-lb/route53-ingress.yaml +++ b/samples/ra-vpn/redirector-lb/route53-ingress.yaml @@ -23,3 +23,9 @@ spec: # Change to your VPN domain name recordSetName: vpn.domain.com recordUpdate: SUBDOMAIN + endpointSelector: + serviceRole: default + interfaceIndex: 2 + addressType: public + + diff --git a/samples/ra-vpn/saml-multi-region/ca-certificate.yaml b/samples/ra-vpn/saml-multi-region/ca-certificate.yaml new file mode 100644 index 0000000..1836345 --- /dev/null +++ b/samples/ra-vpn/saml-multi-region/ca-certificate.yaml 
@@ -0,0 +1,111 @@ +apiVersion: v1 +kind: Secret +metadata: + name: mypkcs + namespace: sfcn-system +stringData: + trustpoint: ssltp + password: test + # Change to your own CA Certificate + value: | + MIIS2gIBAzCCEqAGCSqGSIb3DQEHAaCCEpEEghKNMIISiTCCDQcGCSqGSIb3DQEH + BqCCDPgwggz0AgEAMIIM7QYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIh63X + 549tUD0CAggAgIIMwHVhJkKRWCORnqaj4ixxBJL80fmIH327kRtftzBY59Rjz93s + ZwNibpOx2/UadS+LYaB9G9+ZfK38fxyRkPIejME1BEQXhok3uhlijFqaoCpAY5xz + 9uJK5fOBxuOzGaImc8I1Y5+S+NE6kNv+UJxJvQkgiId5WUt9ziTC31Kcb9DFTtUT + 1kAj1//nry3QWuOHkT5qkBFq03ZLFlzYJi8IJNYbmqf76K4HgKtjLl3k89qc6/3b + +jlryN0bsK1xacKlfSXMQO20g8R2+NdTIFBGQKj59YF1vfL1jQa0RN4tR7gFRDvE + eH5MNegdgcI9ZjODaJUvzKIjyBUhFwry0OLTy+kJs7hHTQfMwj0L+km4BLhl5s+H + YE6wiBmWmgwgFHPas8I3lx75wTeu3wEXu+xXSdA33xOA/UfavgukVOYRwiuJaEoc + lYdH0wcgYh33pYQ0JpttvFoLtTzo3fyw+qnPSugs3CLovxGWIyVV/VEGkGWE7tPe + /CkOJa8wNrI8bLgpFBnc11+FQ0PIhsDA9pQ51CQ+xf6ydxW7SCQZQXjDxr7OLZ8b + AqFzaZh45dtLKks0kv+zk1CPvnefyKdveA9hXUVjaydnLMWYYFpXB6tnckKKQ48a + W1L54Rzk5j2+AAkckA7FcmAAZkwAfQUxQtAlv7XqW5bRqukDtNPBhGW+Da7KGtBi + /9GiudWrGe0kbIPO9VkUNDHJC/+7RofkIZyRGRJ4MFDOV5HfF0ak5TGT5lKgotv+ + JOz4XpwejLM0lLJuxGOY8Fu19dJKkyZ7wj/5/gj4K2aqyGm3zKsssv34eT4iTxWQ + 11RUJZQF/oHWmYNv+IKH1mjNoHFhWpOSUwxBwZnaqMsGr21r6UBvOSOtO8bWpMdg + cbCAuIcx/rnYaSpM0UFbeQSJmS7GXRMjJjfB1vQJmwtBp654YHy16UmP3dqmjRGG + NlRPEbKn6Mj096O7wMhOEIstlWQ/AZAWpYF43tFYDs3jDCdyo3/0ZZzaG5NodLVG + g0GW2UVVlISXJdRgmCVuAREA9BJRBiLbC7bMdDxIaJ0XxOzKgY/e+JOozwlW0evv + R9MMyTNm7LI0K9kUzrsAcdWSaQxCeS/EJM7z9AU3641AoQIGjKQaUmdWGlNSJdV6 + s2JHBDdgeAXfRk3bMAFo8eAsnKuWT/QvMV2eqcRfylv1LzteVpJcsAJyIYe5Ge5M + gnqgrPpVQDdUjglsBruQQfKZlUimLdyGsCZJxmQJwhGbRdD6dxhs8V20dANmbxOA + sqF77/EwGOjMtL5g3BGfwWDeKwf3LyS0awk8Zx+ZGKJjg97DNZYbqVbPpYo4VYi9 + k/YD7JF12pyZjhGiOXjZhtjw+92AWi/v6a2czO+X6As8ws5ZkP+OzsY95kJ69B1a + X7AU6/Y8Ix0kSQaONYzdlL+ivQ3EC1ANDpGfDhlgB4gHCCTi0CSRUp9S5/0Doo0d + bWvIeKGoluu92tOxeWWaP0z2Sj9uorrbekqbTFzWBNmru+HIkcwdRs21R/eaMAJu + 
QNV/BF/t7GojmDZov4g6a1ltvpxAl0WC+9+u3mPaa+A9CR9BAW97KRSW/nVCUhP7 + b1XWXNrrump5DjNKaluSCs2OOvtUDZl0P/Qk7C+NNGhmZif4c4yDtHCU69J8FoK9 + zWJT941axYgSGQkIuaMo8NeXCYsWp6kwHh1LH+3v9AbqOnMFuxE/jIUVFhGoj1Jz + u59AYG+SZn8aZe16XC3NqroeiyiK2BU/4Hiky9wmDsKTLHKrDpPjaMJWVgIxQYkY + AX1WRJgmClhrb7epxmb+MleO+t3zvpDHMy2b60afrR8/GmZmr++CWXJTTX2r2J1k + /uGVB5SAUoSulW+4I4CjETww+hab3UnF7yEugeg7eyI62dA/R9Q7yESuMwATmyhm + CWs3Why9MiFxJAfqaeyGKPFnphB7QD+1F10Wz8Qj6S73pP7d+xhmEigHbIs6apVX + j1HfwGKSRSkrjDhBpBRjaYN/D07ipZE7IkTHwhrLy4bJoDfXDlp6oH3eAwEX9xnK + 22VtEWbmJ3Wzggwi77qb3EK5z6l6exVtn1lbFAKHlCO70Fl4U0YAYGlSqGtUQ6rG + X6cwxn1aY7loZfk+i4aONmPNHtOd6BNFnVVXKAbEjxsNguDivSPH+6z8KyhQEr5M + l4znmL0aMqnibpelDqOMnz43k/RcaLjTNyXdKyETOs4IoKYoD2dApSH9J8ouZ4mx + lFQOdLd2G5wHV7Y/G52fp2l2AzaZWovPVWzeYffxGhpeycTeP04jQnVlXc1/0l4i + VTXKi1//C+aky/PkLMQif8VbbBpP/31eLgXnS1uYkVxg2lvSTkdM5I32b6TMhPT7 + zI/tU+x4RsIi+zx4fPTVrhyOB/oMzkHkBQyYLd5g37fpiAOxnZiod4X4ALIC6de2 + Ybqv1vi4Kduh5sAozhiSM3wpemtKr6X7wvzR5RftcPOWM2AE9MR15aMSRLVjoxGQ + Wn1K+zxoNZX0PCFTGmMDkU/DRH2abAqCaxuN4iQO98LaIVJfcyI3YeVBd3mAhX4u + vkZ5fcPFReYW6FknJY0cMqlFP4/aHNmiAEZla3OO2xCCxsjNgFfv0d+9hzlQaPeu + xYF/BGICncYllVYNG1Sfst+y7/UW/OSSrEtCy/gf/JKrGLA9xN/hVFssmonIjMBy + MYyJDM0cesMC1Fus8rESAhQ+swbhPI8jVOk5wB0NrnOLz13FMAVbEzY7HpXy0Rcc + 6ELhKVFLzWeH2Tl/omuAKvUttZfqF75z6NJhx2DZe7HOgnV78ESYNlbAFBOEq91C + zlN4rSMC3gtUeTFT78Zc1X/QvbvJ59zmqHg3mGNA0kyCK3o9c84HW1CZ0oZ7aLD6 + qeYHkceFP65AKo1kCQGTGO+GzffhqnsKBFo5Vo56QKAu/IOyTuvUHHiOhM/Llj8f + YycuZUL3Qtahq2gJJXSoRsRzK8BPy/IZ2Zo7YtUYvfDv1Ks2rRaP8VT8z6tTUwwl + udMYibYzZ+8bj5C6O75ng9+k9f7/SNwzts3Pi4zEChHbO+med3vNdpfyYjyMJLTL + 955lSPCAeLCTaWSjMHRIap6sCKsXfn51/YV9tnG8XCLh3ImpZ6LNGEU3QObhPVqK + 3vYKNi5MG1/C9RGUYB0bUFLgZTfKm2jyHCkN35EqtFRQwQ9iuhJVYc+g6xCTmVRc + DhulhN9BW9pW4WUlE4Vnejd+yplnhKjCZWWeOApqfEciLWTSCK7o8K0WCIp/NegF + YNJxfz5neXipXWooU/g6XdWxbig7BEw9Zt1dhuChxC8AJhg7HdxNv68o7tKB/Ln+ + VRcJdqBGNOq8ekVAJtE/DCkOfb4vso/j4r91oqzo20r0Rw6yral+JpWzJvlq9Fbx + 
JRhttK/fG8bz9giJjIw1jtFegfOMZcBkVNktNeEpgIL0t9iMhPjRi4ykZeCdIE8C + LlM3O+Xy81Msq4a0mH4QQpEdiTTFm223utDoZCjAnpakrFclEOxVSiVqny5t97P/ + krcaYKnq6bmab2oXj1Uj0KwW1xNw9PU7x4ZUpx3FHRWPLfbrbsDI1h+SBLH9uQdd + Xd6Ko6RJxb7tajbFBYIXmtLhBi0B/Zn871AaHZLU0IG3PerrNkeOBL/5b/IJJqnx + RSEFPt1Wl3W725APsWHXQCpWtEPA4I1ATRRI6U8LbUksGjApLpt1VqIQGG9FlVQK + 2d6szUKsciKX1Ah/aWKW/g0e+XTYasmE5pYAFP/uDKFpcZy2XF28NcCnA2ukKO/A + F1Z1MobDOgr/efZWPDlO1DupX65Q1LRhwsAu4JJjcB15Usdlx0pXexm6UZ+5EhaS + b2mkl0L4h9ilYl8TQx2jKGQ/LtRD5UaYjiCs2ROkzbLt/SMixWHBjfBKlc/vVdxf + zgogcGF/C7i5FVsii4hnfion5SidoL4JXddWtwuCG7A2coDw8JTyruHXeyGuuy5u + 54HHBv+PHzQ3bnIT1aMADvapo+MIE4PInFQZGHdq8d37F0wgisH6bJc+FcK9qKl/ + SATp5UFlPvnB1CliZ0VB+iwxtjbu3hgwmS18OcZuFoeSlmjgR7AoaOp5pjr5fCA5 + iclOZMCFq2jnfLtepalPzJFFcc3RDOI3aDbqFmVkmQWX7f7lwQMSjXJ9xq6mf0p7 + bFBdB153uQeJlkpu7nmuL1NPT7jhw3UCxEJZ7UP4bzxigvMEycUUH9cln4nLpSLb + mVw9Ibe918wOuzkBxPrasRGF1p1eWCKAx6CldZlN1FBPWPx7oCF4Qh4X7iWuOEjq + TEukZhssTymYDc3SUq33gU/kzsyrRgLXFFl8JaEHv5H04rKeboB09DF2pr/qQU/q + SY35bMckfkwIrBXnkDCCBXoGCSqGSIb3DQEHAaCCBWsEggVnMIIFYzCCBV8GCyqG + SIb3DQEMCgECoIIE7jCCBOowHAYKKoZIhvcNAQwBAzAOBAiOc2uYfUs5/AICCAAE + ggTIj7mC9S+YQYBp+9K6rRbmMTCmbmZBMPzZJwdx/A+bRH74zAPDQGmNc5wgmm3+ + e28tCx7TNJ71Hee+wgTC1xe1zPu3LUcalr6WWiPWkPcXCe2og+YiqLPpyviu/bkZ + SHX29FWUe+MW21dIsN+gd8HM1FUzoCo6P5r1IL2ytyEvX7RNpIM3GPtyHEjYNAkH + WK2ECtVhSyVgthhjBkc6sSIWS28JYYkOBXkYKZFF4Nct6zdxhBL5u+c+APOrcJSq + FpM45W5jUo+w+1UWQ7qLYyxV/iKiYASQHVNLcKVw6wtfWhDEMxOLuyJG5SDM7S0C + 5i+cedL2tVbKK13HC2bhKH4kYClpkTctEnjbGiiEopfElGq9cdYxz/qEX5mWhU/v + UdTw8sWTYYyg2ZlYy41KXdE12tiXXNg4PnH9ho9QQua8JRYYnbdE3d6LTBy0/TP0 + UtQA60FN4C6+CixN7zHu48HlbwYga5qZFsWJp+OTChdsK63h1TNHZHT/m1E1h8Wt + R4NbpTnaYszUJp9TdaU/eizHq3/675gfKGDv3gnpvxezZk8DaYOzRBHTTgRK55iB + I1e/RESY9E7L/ASi8rr7zBkCx3KSFT+1qdIPoRS9YJ7ZghW3fg7agEAZEyPWzMGW + 5bRN8TCZk/FfXlzsuzzR0aEY4EqaXUoLsgYLVnuVSfWZTK2VI7Hsljyi8vbcw2Eg + EMFIqiEIZV0bD/QzHSR2QZADsgf22RewZaynKg4xju3d+SzzElGS243v5Z3KaQju + 
pK3Ty9C690dJw0Hhea05Ld0G5fTGgh7R+V2qREZtKTOKIIVob1+LpaLxkkVAmKvp + EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs + NOxZTFvzmOK/ReAbAof2gp8HMpNDqpIrHliS6zj/2jvvy/2dkQLswwrwTIN4nps4 + sFWMx9bC/UE2gXkT0RG/lzSyu6BwElx6Bob93vSG6DQSi5WNs6Lfz2YEOrzkTjRw + gWkafU22nyFSPDy8SSTOR5nXP4q+OYlAMAcx0F8PbThKTZdSNa0N1RGj7jVddAkp + xVpid+Si4Nuoh/Gq4jIMpexIpMKgtHFng9AUxqL99xv4PFXzGSD2T/+Kmber6Jpf + gaUtXw1X5PJzlBXb5+5Bw3LnhYXKXykMKPhQ8E9Lr2wvycnC0/Xn1/l792PRj0Ii + akXRw/X9L/Ss/cY7c1X0GyS1u7mXxbgHPSkbCnhLtVNC49xT43Dn35vHgfqKKDy8 + t7se7rG/fDCE1S27xxywHnbhuOFcB5CUpdhvwk2+bUQMHaeKFscyY2BtwhzxQwsf + 53LrVosGd7RpKAXTb9EX23qMm/cTMBpB7bwe6oZFQxfRoAjjZyfuaEkXdu2YuivQ + g9hUZDEPZSZRcp0ZROlFV5a5EbWQG/ofHMtVFSotNwJyqU0LiYih7VAfdoA1XplZ + zFQgmO+IfUhOKMdkjCl8AR+gjERmjwiBnetATZETsM+g/mXAbkaslTZ0l2PUX/uK + U8sArPvJ46pC47JtlIJ2kgWcXe9PchFJ8OsWdGQ1luscefar0GFsKCHBJRkmbc4V + NB/qKalRbzpZyLHKvLGwR+eSZcJNgMR1tgnaMV4wIwYJKoZIhvcNAQkVMRYEFDU2 + NwYrJrvSiWR8adr1GPsUvcVcMDcGCSqGSIb3DQEJFDEqHigAbQB1AHMAaABlAHQA + aAAuAGsAYQBzAGEALQB2AHAAbgAuAGMAbwBtMDEwITAJBgUrDgMCGgUABBTXA3/u + MRpjKvfSuc8qmM5TPxnLJwQILJ/u4ij4txACAggA diff --git a/samples/ra-vpn/saml-multi-region/enforcers-asaconf.yaml b/samples/ra-vpn/saml-multi-region/enforcers-asaconf.yaml new file mode 100644 index 0000000..eec5e5a --- /dev/null +++ b/samples/ra-vpn/saml-multi-region/enforcers-asaconf.yaml 
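Review bot: The `mypkcs` Secret appears to ship a real PKCS12 bundle rather than a placeholder: the decoded ASN.1 in the `value:` block contains a pkcs8ShroudedKeyBag (OID 1.2.840.113549.1.12.10.1.2, PBE-SHA1-3DES) and a friendlyName naming a specific host, and the import password is committed alongside it as `password: test`. A private key plus its password in a public samples tree should be treated as compromised and the blob replaced with an obviously truncated stand-in, with the password left empty. I would add above `stringData:` the comment `# Replace both fields. Never commit a real PKCS12 bundle or its password; create this Secret out of band (kubectl create secret generic mypkcs --from-file=value=... --from-literal=password=...) or from an external secret store.` and change the line to `password: ""`.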
@@ -0,0 +1,121 @@ +# This config is not region-specific, and can be applied to any of your clusters. +# ASAConfigurations sensitive to region can be found in ./eu-region/ and ./us-region +# respectively. +apiVersion: cnfw.cisco.com/v1 +kind: ASAConfiguration +metadata: + name: ravpn-enforcer-config + namespace: sfcn-system + labels: + sfcn.cisco.com/service-role: "default" +spec: + order: 1 + description: "RA-VPN Configuration" + fileObjects: + - "ravpnprofile" + - "anyconnectlinux" + - "anyconnectwin" + - "anyconnectmac" + ipv4SubnetPools: + - "ravpnpool" + secrets: + - "sfcn-redis" + - "mypkcs" + - "samlpkcs" + cliLines: | + interface Management0/0 + no management-only + nameif management + security-level 0 + ip address dhcp + interface TenGigabitEthernet0/0 + nameif outside + security-level 0 + ip address dhcp + interface TenGigabitEthernet0/1 + nameif inside + security-level 100 + ip address dhcp + # Configure route to internet over outside interface + route outside 0 0 {{ index .nodeLabels "sfcn.cisco.com.interface.2/gateway-ipv4" }} 1 + # configure route to vpc addresses over inside interface + route inside 10.37.0.0 255.255.0.0 {{ index .nodeLabels "sfcn.cisco.com.interface.3/gateway-ipv4" }} 2 + + dns domain-lookup outside + dns server-group DefaultDNS + name-server 169.254.169.253 + + # Configure the IP address pool from where the clients will receive an IP address + ip local pool VPN_POOL {{.ipv4SubnetPools.ravpnpool.assignedRange}} mask 255.255.255.0 + access-list Split_Tunnel_ACL extended permit ip 10.37.0.0 255.255.0.0 any4 + vpn load-balancing + external-database + priority 1 + interface lbpublic outside + redirect-fqdn enable + nat {{ index .nodeLabels "sfcn.cisco.com.interface.2/public-ip" }} + vpn-sessiondb external-database + external-database + host {{ index .secrets "sfcn-redis" "host" }} + port 6379 + # this should match the token used for elasticache creation (EnforcerCacheAuthToken). 
If you omitted that field, then + # you should also omit the `db-password` line below. + db-password {{ index .secrets "sfcn-redis" "token" }} + enable + + webvpn + enable outside + anyconnect profiles my_AC_profile {{ .fileObjects.ravpnprofile.path }} + anyconnect image {{ .fileObjects.anyconnectwin.path }} 1 + anyconnect image {{ .fileObjects.anyconnectmac.path }} 2 + anyconnect image {{ .fileObjects.anyconnectlinux.path }} 3 + anyconnect enable + saml idp https://app.onelogin.com/saml/metadata/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx + url sign-in https://ciscovpn-dev.onelogin.com/trust/saml2/http-post/sso/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx + url sign-out https://ciscovpn-dev.onelogin.com/trust/saml2/http-redirect/slo/xxxxxxx + # The base URL should be the global domain that clients will connect to regardless of region + base-url https://global.domain.com + trustpoint idp {{ .secrets.samlpkcs.trustpoint }} + trustpoint sp {{ .secrets.mypkcs.trustpoint }} + signature rsa-sha256 + force re-authentication + tunnel-group-list enable + group-policy VPN_group_policy internal + group-policy VPN_group_policy attributes + vpn-tunnel-protocol ssl-client + webvpn + anyconnect profiles value my_AC_profile type user + tunnel-group VPN_tunnel_group type remote-access + tunnel-group VPN_tunnel_group general-attributes + address-pool VPN_POOL + default-group-policy VPN_group_policy + tunnel-group VPN_tunnel_group webvpn-attributes + group-alias VPN_tunnel_group enable + authentication saml + saml identity-provider https://app.onelogin.com/saml/metadata/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx + +--- +# Configures the certs and trustpoints for SSL and Redis +apiVersion: cnfw.cisco.com/v1 +kind: ASAConfiguration +metadata: + name: ravpn-enforcer-certs + namespace: sfcn-system + labels: + sfcn.cisco.com/service-role: "default" +spec: + order: 2 + description: "RA-VPN Configuration" + secrets: + - "mypkcs" + - "redisca" + cliLines: | + crypto ca trustpoint {{ .secrets.redisca.trustpoint }} + enrollment 
terminal + crypto ca authenticate {{ .secrets.redisca.trustpoint }} nointeractive + {{ .secrets.redisca.value }} + quit + crypto ca import {{ .secrets.mypkcs.trustpoint }} pkcs12 {{ .secrets.mypkcs.password }} nointeractive + {{ .secrets.mypkcs.value }} + quit + ssl trust-point {{ .secrets.mypkcs.trustpoint }} \ No newline at end of file diff --git a/samples/ra-vpn/saml-multi-region/eu-region/asaconfig-domain.yaml b/samples/ra-vpn/saml-multi-region/eu-region/asaconfig-domain.yaml new file mode 100644 index 0000000..1f64633 --- /dev/null +++ b/samples/ra-vpn/saml-multi-region/eu-region/asaconfig-domain.yaml @@ -0,0 +1,29 @@ +# This configuration is region-specific and should match the domain +# used in the corresponding Route53Ingress spec. +# +apiVersion: cnfw.cisco.com/v1 +kind: ASAConfiguration +metadata: + labels: + sfcn.cisco.com/service-role: default + name: eu-enforcer-domain + namespace: sfcn-system + spec: + order: 3 + cliLines: | + domain-name eu.domain.com +--- +# This configuration is region-specific and should match the domain +# used in the corresponding Route53Ingress spec. +# +apiVersion: cnfw.cisco.com/v1 +kind: ASAConfiguration +metadata: + labels: + sfcn.cisco.com/service-role: vpnredirector + name: eu-redirector-domain + namespace: sfcn-system + spec: + order: 3 + cliLines: | + domain-name eu.domain.com \ No newline at end of file diff --git a/samples/ra-vpn/saml-multi-region/eu-region/ravpn-pool.yaml b/samples/ra-vpn/saml-multi-region/eu-region/ravpn-pool.yaml new file mode 100644 index 0000000..b4b644c --- /dev/null +++ b/samples/ra-vpn/saml-multi-region/eu-region/ravpn-pool.yaml 
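Review bot: `trustpoint idp {{ .secrets.samlpkcs.trustpoint }}` in `ravpn-enforcer-config` references a trustpoint that no enforcer ASAConfiguration creates: `ravpn-enforcer-certs` lists only `mypkcs` and `redisca` and runs `crypto ca authenticate` for redisca and `crypto ca import` for mypkcs, while the `samlpkcs` authenticate block in this series lives only in redirector-certs, where nothing uses it. Without the IdP signing certificate in a trustpoint on the enforcers the `saml idp` block cannot validate assertions, so `samlpkcs` should be added to the certs secrets list and its trustpoint created there, as below. Two further points: `ravpn-enforcer-config` (order 1) references `ssltp` and `samlpkcs` trustpoints that are only imported by the order-2 config, so if the controller applies in ascending order the `trustpoint sp`/`trustpoint idp` lines may fail on first apply, and `Split_Tunnel_ACL` is defined but never bound with `split-tunnel-policy tunnelspecified` / `split-tunnel-network-list value Split_Tunnel_ACL` in `VPN_group_policy`, so it is dead config that suggests split tunnelling is in effect when it is not.
```yaml
  secrets:
    - "mypkcs"
    - "redisca"
    - "samlpkcs"
  cliLines: |
    # … unchanged: redisca authenticate, mypkcs pkcs12 import, ssl trust-point …
    crypto ca trustpoint {{ .secrets.samlpkcs.trustpoint }}
     enrollment terminal
     no ca-check
    crypto ca authenticate {{ .secrets.samlpkcs.trustpoint }} nointeractive
    {{ .secrets.samlpkcs.value }}
    quit
```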
@@ -0,0 +1,17 @@ +apiVersion: cnfw.cisco.com/v1 +kind: IPv4SubnetPool +metadata: + name: ravpnpool + namespace: sfcn-system + annotations: + # enables AWS Route Table integration for this pool + aws.cnfw.cisco.com/type: "route-table" + # EP's node interface index that will be used as route target + aws.cnfw.cisco.com/interface-index: "3" + # AWS Route Table ID that will be synced with assigned subnets. + # This should be the table that includes your inside networks, usually named "Inside Subnets" + aws.cnfw.cisco.com/route-table-id: +spec: + address: "10.10.0.0" + supernetPrefix: 16 + subnetPrefix: 24 \ No newline at end of file diff --git a/samples/ra-vpn/saml-multi-region/eu-region/route53-europe.yaml b/samples/ra-vpn/saml-multi-region/eu-region/route53-europe.yaml new file mode 100644 index 0000000..34bb2c5 --- /dev/null +++ b/samples/ra-vpn/saml-multi-region/eu-region/route53-europe.yaml @@ -0,0 +1,29 @@ +apiVersion: cnfw.cisco.com/v1 +kind: Route53Ingress +metadata: + name: europe-redirector + namespace: sfcn-system +spec: + # Change to your Route53 hosted zone + hostedZone: Z056XXXXXXXXXXXXXE0EK + # Change to your VPN domain name + recordSetName: eu.domain.com + recordUpdate: DOMAIN + endpointSelector: + serviceRole: vpnredirector +--- +apiVersion: cnfw.cisco.com/v1 +kind: Route53Ingress +metadata: + name: europe-enforcers + namespace: sfcn-system +spec: + # Change to your Route53 hosted zone + hostedZone: Z056XXXXXXXXXXXXXE0EK + # Change to your VPN domain name + recordSetName: eu.domain.com + recordUpdate: SUBDOMAIN + endpointSelector: + serviceRole: default + interfaceIndex: 2 + addressType: public \ No newline at end of file diff --git a/samples/ra-vpn/saml-multi-region/fileobjects-ravpn.yaml b/samples/ra-vpn/saml-multi-region/fileobjects-ravpn.yaml new file mode 100644 index 0000000..746d9fb --- /dev/null +++ b/samples/ra-vpn/saml-multi-region/fileobjects-ravpn.yaml 
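Review bot: `aws.cnfw.cisco.com/route-table-id:` is left as a bare empty value, which YAML parses as null; Kubernetes annotation values must be strings, so the manifest is likely to be rejected by the API server or the controller will see no table ID, rather than failing with a clear "fill me in" message. Quote the placeholder and say what belongs there: `aws.cnfw.cisco.com/route-table-id: "rtb-REPLACE_ME"  # route table of the Inside subnets in this region's VPC`. Since this pool writes assigned /24s into an AWS route table via interface index 3, the header should also remind operators that the controller's IAM permission for route-table changes should be scoped to that table in each region.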
@@ -0,0 +1,67 @@ +# us-east-1 is used here, but you don't necessarily need to replicate the files to all regions. +# S3 is just a file server in this context, so as long as you can reach it from your org +# you can have a single config for all clusters. +apiVersion: cnfw.cisco.com/v1 +kind: FileObject +metadata: + name: ravpnprofile + namespace: sfcn-system +spec: + fileName: ravpn-profile.xml + s3: + bucket: sfcn-s3-bucket + region: us-east-1 + item: ravpn-profile.xml + auth: + secretName: s3-auth-secret + accessKeyField: access_key + secretKeyField: secret_key +--- +apiVersion: cnfw.cisco.com/v1 +kind: FileObject +metadata: + name: anyconnectlinux + namespace: sfcn-system +spec: + fileName: anyconnect-linux64-4.9.05042-webdeploy-k9.pkg + s3: + bucket: sfcn-s3-bucket + region: us-east-1 + item: anyconnect-linux64-4.9.05042-webdeploy-k9.pkg + auth: + secretName: s3-auth-secret + accessKeyField: access_key + secretKeyField: secret_key +--- +apiVersion: cnfw.cisco.com/v1 +kind: FileObject +metadata: + name: anyconnectwin + namespace: sfcn-system +spec: + fileName: anyconnect-win-4.9.05042-webdeploy-k9.pkg + s3: + bucket: sfcn-s3-bucket + region: us-east-1 + item: anyconnect-win-4.9.05042-webdeploy-k9.pkg + auth: + secretName: s3-auth-secret + accessKeyField: access_key + secretKeyField: secret_key +--- +apiVersion: cnfw.cisco.com/v1 +kind: FileObject +metadata: + name: anyconnectmac + namespace: sfcn-system +spec: + fileName: anyconnect-macos-4.9.05042-webdeploy-k9.pkg + s3: + bucket: sfcn-s3-bucket + region: us-east-1 + item: anyconnect-macos-4.9.05042-webdeploy-k9.pkg + auth: + secretName: s3-auth-secret + accessKeyField: access_key + secretKeyField: secret_key +--- diff --git a/samples/ra-vpn/saml-multi-region/redirector-asaconf.yaml b/samples/ra-vpn/saml-multi-region/redirector-asaconf.yaml new file mode 100644 index 0000000..cd50e21 --- /dev/null +++ b/samples/ra-vpn/saml-multi-region/redirector-asaconf.yaml 
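Review bot: The FileObjects pull the AnyConnect packages and the client profile that the ASA will hand to every VPN user from `sfcn-s3-bucket` using static keys from `s3-auth-secret`, and nothing in the spec pins what is fetched: no checksum or version-id field is shown, so whoever can write to that bucket (or holds the keys) can substitute the package installed on end-user machines. If the FileObject CRD supports an integrity field the sample should use it; if not, the header should at least state the trust requirement. I would replace `S3 is just a file server in this context` with `S3 is just a file server here, but these objects are installed on end-user machines: keep the bucket private, restrict write access to release owners, and use read-only, bucket-scoped credentials in s3-auth-secret.`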
@@ -0,0 +1,87 @@ +# This config is not region-specific, and can be applied to any of your clusters. +# ASAConfigurations sensitive to region can be found in ./eu-region/ and ./us-region +# respectively. +apiVersion: cnfw.cisco.com/v1 +kind: ASAConfiguration +metadata: + name: redirector-config + namespace: sfcn-system + labels: + sfcn.cisco.com/service-role: "vpnredirector" +spec: + order: 1 + description: "RAVPN Redirector Configuration" + secrets: + - "sfcn-redis" + cliLines: | + interface Management0/0 + no management-only + nameif management + security-level 0 + ip address dhcp + interface TenGigabitEthernet0/0 + nameif outside + security-level 0 + ip address dhcp + interface TenGigabitEthernet0/1 + nameif inside + security-level 100 + ip address dhcp + # Configure route to internet over outside interface + route outside 0 0 {{ index .nodeLabels "sfcn.cisco.com.interface.2/gateway-ipv4" }} 1 + + dns domain-lookup outside + dns server-group DefaultDNS + name-server 169.254.169.253 + + vpn load-balancing + external-database + priority 10 + interface lbpublic outside + redirect-fqdn enable + nat {{ index .nodeLabels "sfcn.cisco.com.interface.2/public-ip" }} + vpn-sessiondb external-database + external-database + host {{ index .secrets "sfcn-redis" "host" }} + port 6379 + # this should match the token used for elasticache creation (EnforcerCacheAuthToken). If you omitted that field, then + # you should also omit the `db-password` line below. 
+ db-password {{ index .secrets "sfcn-redis" "token" }} + enable + webvpn + enable outside + +--- +# Configures the certs and trustpoints for SSL and Redis +apiVersion: cnfw.cisco.com/v1 +kind: ASAConfiguration +metadata: + name: redirector-certs + namespace: sfcn-system + labels: + sfcn.cisco.com/service-role: "vpnredirector" +spec: + order: 2 + description: "Certs and trustpoints for RAVPN Redirector service role" + secrets: + - "mypkcs" + - "redisca" + - "samlpkcs" + cliLines: | + crypto ca trustpoint {{ .secrets.redisca.trustpoint }} + enrollment terminal + crypto ca authenticate {{ .secrets.redisca.trustpoint }} nointeractive + {{ .secrets.redisca.value }} + quit + + crypto ca import {{ .secrets.mypkcs.trustpoint }} pkcs12 {{ .secrets.mypkcs.password }} nointeractive + {{ .secrets.mypkcs.value }} + quit + ssl trust-point {{ .secrets.mypkcs.trustpoint }} + + crypto ca trustpoint {{ .secrets.samlpkcs.trustpoint }} + enrollment terminal + no ca-check + crypto ca authenticate {{ .secrets.samlpkcs.trustpoint }} nointeractive + {{ .secrets.samlpkcs.value }} + quit \ No newline at end of file diff --git a/samples/ra-vpn/saml-multi-region/redis-ca.yaml b/samples/ra-vpn/saml-multi-region/redis-ca.yaml new file mode 100644 index 0000000..c75aa96 --- /dev/null +++ b/samples/ra-vpn/saml-multi-region/redis-ca.yaml 
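Review bot: `redirector-certs` authenticates the `samlpkcs` trustpoint with `no ca-check`, but nothing in `redirector-config` references it — the redirector only configures `vpn load-balancing` and `webvpn`, with no `saml idp` block — whereas the enforcer config in this series, which does use `trustpoint idp samlpkcs`, never creates it. It looks like this block landed in the wrong ASAConfiguration; moving it to the enforcer certs config (or duplicating it there) would make the SAML trust take effect where assertions are actually verified. If it stays here, add a comment above it such as `# IdP signing certificate; no ca-check is needed because IdP signing certs usually lack the CA basicConstraint` so readers understand why CA validation is relaxed on this trustpoint.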
@@ -0,0 +1,38 @@ +# This establishes trust between AWS Elasticache and your cluster. This cert +# doesn't often change, so most of the time you can just apply this +# secret directly. However, if you want to ensure you have an +# up-to-date cert you can issue the following command: +# +# kubectl exec -it -n sfcn-system -c asac -- bash -c "echo QUIT | openssl s_client -connect :6379 -showcerts" +# The intermediate cert should be captured and applied into this secret value. +apiVersion: v1 +kind: Secret +metadata: + name: redisca + namespace: sfcn-system +stringData: + trustpoint: redisca + value: | + MIIESTCCAzGgAwIBAgITBn+UV4WH6Kx33rJTMlu8mYtWDTANBgkqhkiG9w0BAQsF + ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6 + b24gUm9vdCBDQSAxMB4XDTE1MTAyMjAwMDAwMFoXDTI1MTAxOTAwMDAwMFowRjEL + MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEVMBMGA1UECxMMU2VydmVyIENB + IDFCMQ8wDQYDVQQDEwZBbWF6b24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK + AoIBAQDCThZn3c68asg3Wuw6MLAd5tES6BIoSMzoKcG5blPVo+sDORrMd4f2AbnZ + cMzPa43j4wNxhplty6aUKk4T1qe9BOwKFjwK6zmxxLVYo7bHViXsPlJ6qOMpFge5 + blDP+18x+B26A0piiQOuPkfyDyeR4xQghfj66Yo19V+emU3nazfvpFA+ROz6WoVm + B5x+F2pV8xeKNR7u6azDdU5YVX1TawprmxRC1+WsAYmz6qP+z8ArDITC2FMVy2fw + 0IjKOtEXc/VfmtTFch5+AfGYMGMqqvJ6LcXiAhqG5TI+Dr0RtM88k+8XUBCeQ8IG + KuANaL7TiItKZYxK1MMuTJtV9IblAgMBAAGjggE7MIIBNzASBgNVHRMBAf8ECDAG + AQH/AgEAMA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUWaRmBlKge5WSPKOUByeW + dFv5PdAwHwYDVR0jBBgwFoAUhBjMhTTsvAyUlC4IWZzHshBOCggwewYIKwYBBQUH + AQEEbzBtMC8GCCsGAQUFBzABhiNodHRwOi8vb2NzcC5yb290Y2ExLmFtYXpvbnRy + dXN0LmNvbTA6BggrBgEFBQcwAoYuaHR0cDovL2NydC5yb290Y2ExLmFtYXpvbnRy + dXN0LmNvbS9yb290Y2ExLmNlcjA/BgNVHR8EODA2MDSgMqAwhi5odHRwOi8vY3Js + LnJvb3RjYTEuYW1hem9udHJ1c3QuY29tL3Jvb3RjYTEuY3JsMBMGA1UdIAQMMAow + CAYGZ4EMAQIBMA0GCSqGSIb3DQEBCwUAA4IBAQCFkr41u3nPo4FCHOTjY3NTOVI1 + 59Gt/a6ZiqyJEi+752+a1U5y6iAwYfmXss2lJwJFqMp2PphKg5625kXg8kP2CN5t + 6G7bMQcT8C8xDZNtYTd7WPD8UZiRKAJPBXa30/AbwuZe0GaFEQ8ugcYQgSn+IGBI + 
8/LwhBNTZTUVEWuCUUBVV18YtbAiPq3yXqMB48Oz+ctBWuZSkbvkNodPLamkB2g1 + upRyzQ7qDn1X8nn8N8V7YJ6y68AtkHcNSRAnpTitxBKjtKPISLMVCx7i4hncxHZS + yLyKQXhw2W2Xs0qLeC1etA+jTGDK4UfLeC0SF7FSi8o5LL21L8IzApar2pR/ \ No newline at end of file diff --git a/samples/ra-vpn/saml-multi-region/s3-auth-secret.yaml b/samples/ra-vpn/saml-multi-region/s3-auth-secret.yaml new file mode 100644 index 0000000..02813a3 --- /dev/null +++ b/samples/ra-vpn/saml-multi-region/s3-auth-secret.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Secret +metadata: + name: s3-auth-secret + namespace: sfcn-system +type: Opaque +data: + # Add your user access key and secret key which correspond to your + # AWS credentials. This will allow you to pull files from your S3 + # bucket via the FileObject CRD. + # Note: If your files are hosted on an http/https server, you + # can skip this step + access_key: + secret_key: \ No newline at end of file diff --git a/samples/ra-vpn/saml-multi-region/us-region/asaconfig-domain.yaml b/samples/ra-vpn/saml-multi-region/us-region/asaconfig-domain.yaml new file mode 100644 index 0000000..0b1db75 --- /dev/null +++ b/samples/ra-vpn/saml-multi-region/us-region/asaconfig-domain.yaml @@ -0,0 +1,30 @@ + +# This configuration is region-specific and should match the domain +# used in the corresponding Route53Ingress spec. +# +apiVersion: cnfw.cisco.com/v1 +kind: ASAConfiguration +metadata: + labels: + sfcn.cisco.com/service-role: default + name: us-enforcer-domain + namespace: sfcn-system + spec: + order: 3 + cliLines: | + domain-name us.domain.com +--- +# This configuration is region-specific and should match the domain +# used in the corresponding Route53Ingress spec. +# +apiVersion: cnfw.cisco.com/v1 +kind: ASAConfiguration +metadata: + labels: + sfcn.cisco.com/service-role: vpnredirector + name: us-redirector-domain + namespace: sfcn-system + spec: + order: 3 + cliLines: | + domain-name us.domain.com \ No newline at end of file 
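Review bot: The `redisca` Secret pins the Amazon intermediate (decoded subject `O=Amazon, OU=Server CA 1B, CN=Amazon`, issued by Amazon Root CA 1, notAfter 2025-10-19), and the header tells operators to refresh it by scraping `openssl s_client -showcerts` from the live endpoint, which is trust-on-first-use: whatever the network returns becomes the trust anchor. Trusting the long-lived Amazon Root CA 1 obtained from Amazon Trust Services would survive intermediate rotation and can be verified out of band. The `kubectl exec` example has also lost its pod and host placeholders (`-it -n sfcn-system -c asac --` and `-connect :6379`); restore them as `kubectl exec -it <asa-pod> -n sfcn-system -c asac -- bash -c "echo QUIT | openssl s_client -connect <redis-host>:6379 -showcerts"` and add `# Compare the captured chain against the CA published by AWS before applying it.`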
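Review bot: This Secret uses `data:` while the comment says to "Add your user access key and secret key" as-is; `data:` values must be base64-encoded, and the sibling `mypkcs`/`redisca` Secrets use `stringData:`, so an operator following this literally gets an invalid manifest or garbled keys. Either switch to `stringData:` for consistency or change the comment to `# Base64-encode both values (echo -n KEY | base64), or use stringData: for plain text.` The comment should also say these are long-lived AWS credentials readable by anyone with Secret access in sfcn-system and should belong to an IAM principal limited to s3:GetObject on the sample bucket, and the bare `access_key:` / `secret_key:` placeholders should be quoted empty strings rather than YAML null.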
diff --git a/samples/ra-vpn/saml-multi-region/us-region/ravpn-pool.yaml b/samples/ra-vpn/saml-multi-region/us-region/ravpn-pool.yaml new file mode 100644 index 0000000..040b976 --- /dev/null +++ b/samples/ra-vpn/saml-multi-region/us-region/ravpn-pool.yaml @@ -0,0 +1,19 @@ +# Route table IDs are VPC-specific, +# so we need one for each cluster +apiVersion: cnfw.cisco.com/v1 +kind: IPv4SubnetPool +metadata: + name: ravpnpool + namespace: sfcn-system + annotations: + # enables AWS Route Table integration for this pool + aws.cnfw.cisco.com/type: "route-table" + # EP's node interface index that will be used as route target + aws.cnfw.cisco.com/interface-index: "3" + # AWS Route Table ID that will be synced with assigned subnets. + # This should be the table that includes your inside networks, usually named "Inside Subnets" + aws.cnfw.cisco.com/route-table-id: +spec: + address: "10.10.0.0" + supernetPrefix: 16 + subnetPrefix: 24 \ No newline at end of file diff --git a/samples/ra-vpn/saml-multi-region/us-region/route53-us.yaml b/samples/ra-vpn/saml-multi-region/us-region/route53-us.yaml new file mode 100644 index 0000000..6687bc1 --- /dev/null +++ b/samples/ra-vpn/saml-multi-region/us-region/route53-us.yaml @@ -0,0 +1,32 @@ +apiVersion: cnfw.cisco.com/v1 +kind: Route53Ingress +metadata: + name: us-redirector + namespace: sfcn-system +spec: + # Change to your Route53 hosted zone + hostedZone: Z056XXXXXXXXXXXXXE0EK + # Change to your VPN domain name + recordSetName: us.domain.com + recordUpdate: DOMAIN + endpointSelector: + serviceRole: vpnredirector +--- +apiVersion: cnfw.cisco.com/v1 +kind: Route53Ingress +metadata: + name: us-enforcers + namespace: sfcn-system +spec: + # Change to your Route53 hosted zone + hostedZone: Z056XXXXXXXXXXXXXE0EK + # Change to your VPN domain name + recordSetName: us.domain.com + recordUpdate: SUBDOMAIN + endpointSelector: + serviceRole: default + interfaceIndex: 2 + addressType: public +--- + + 
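Review bot: This pool uses the same `address: "10.10.0.0"` / `supernetPrefix: 16` as the eu-region pool, so clients in both regions draw from the same 10.10.0.0/16 supernet, with each region's assigned /24s synced into that region's VPC route table. That is fine while the two VPCs are isolated, but if they are peered or share a transit gateway the same /24 can be routed toward two different enforcers and return traffic becomes ambiguous; the header comment should call this out, e.g. `# Use a distinct supernet per region (e.g. 10.10.0.0/16 us, 10.11.0.0/16 eu) if the regional VPCs are peered or share a TGW.` The `aws.cnfw.cisco.com/route-table-id:` placeholder is also a bare null; quote it as `"rtb-REPLACE_ME"` so it fails loudly if not filled in.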
From 2c9e01f532c69f184367d05ecb5d06d6bfa30ef7 Mon Sep 17 00:00:00 2001 From: Jared Hancock Date: Tue, 14 Sep 2021 15:40:37 -0500 Subject: [PATCH 2/6] added sample for samlpkcs secret --- .../ra-vpn/saml-multi-region/saml-cert.yaml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 samples/ra-vpn/saml-multi-region/saml-cert.yaml diff --git a/samples/ra-vpn/saml-multi-region/saml-cert.yaml b/samples/ra-vpn/saml-multi-region/saml-cert.yaml new file mode 100644 index 0000000..6f93be9 --- /dev/null +++ b/samples/ra-vpn/saml-multi-region/saml-cert.yaml @@ -0,0 +1,25 @@ +# This cert is provided by your SAML Identity Provider. Replace +# the value in this file with your own. +# This is applied as a secret so it can be referenced +# in ASAConfiguration specs. +apiVersion: v1 +kind: Secret +metadata: + name: samlpkcs + namespace: sfcn-system +stringData: + trustpoint: samlpkcs + value: | + -----BEGIN CERTIFICATE----- + MIIESTCCAzGgAwIBAgITBn+UV4WH6Kx33rJTMlu8mYtWDTANBgkqhkiG9w0BAQsF + MIIESTCCAzGgAwIBAgITBn+UV4WH6Kx33rJTMlu8mYtWDTANBgkqhkiG9w0BAQsF + MIIESTCCAzGgAwIBAgITBn+UV4WH6Kx33rJTMlu8mYtWDTANBgkqhkiG9w0BAQsF + MIIESTCCAzGgAwIBAgITBn+UV4WH6Kx33rJTMlu8mYtWDTANBgkqhkiG9w0BAQsF + MIIESTCCAzGgAwIBAgITBn+UV4WH6Kx33rJTMlu8mYtWDTANBgkqhkiG9w0BAQsF + MIIESTCCAzGgAwIBAgITBn+UV4WH6Kx33rJTMlu8mYtWDTANBgkqhkiG9w0BAQsF + MIIESTCCAzGgAwIBAgITBn+UV4WH6Kx33rJTMlu8mYtWDTANBgkqhkiG9w0BAQsF + MIIESTCCAzGgAwIBAgITBn+UV4WH6Kx33rJTMlu8mYtWDTANBgkqhkiG9w0BAQsF + 8/LwhBNTZTUVEWuCUUBVV18YtbAiPq3yXqMB48Oz+ctBWuZSkbvkNodPLamkB2g1 + upRyzQ7qDn1X8nn8N8V7YJ6y68AtkHcNSRAnpTitxBKjtKPISLMVCx7i4hncxHZS + yLyKQXhw2W2Xs0qLeC1etA+jTGDK4UfLeC0SF7FSi8o5LL21L8IzApar2pR/ + -----END CERTIFICATE----- \ No newline at end of file From 4e4317b24a0ec57ec58e6055cbed45ed4a7631d2 Mon Sep 17 00:00:00 2001 
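Review bot: The IdP signing certificate placed in `samlpkcs` is the root of trust for every SAML assertion the enforcers accept, yet the header only says it "is provided by your SAML Identity Provider"; it should tell operators to take it from the IdP's signed metadata (the `saml idp` URL in enforcers-asaconf.yaml) and compare its fingerprint against the IdP console before committing, since a swapped cert here lets anyone mint valid logins. The placeholder body is also eight copies of the first line of the Amazon Server CA 1B certificate from redis-ca.yaml followed by its tail, which is easy to mistake for a real value; a `REPLACE-ME` style stub is clearer. The Secret and trustpoint are named `samlpkcs` but the value is a PEM certificate, not a PKCS12 bundle (no password field, and it is fed to `crypto ca authenticate` rather than `crypto ca import ... pkcs12`), so a name like `samlidp` would avoid confusion with `mypkcs`; if renaming, update the `.secrets.samlpkcs` references in the ASAConfigurations.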
From: Jared Hancock Date: Tue, 14 Sep 2021 16:14:46 -0500 Subject: [PATCH 3/6] added description to the user-provided domain cert secret example --- .../saml-multi-region/ca-certificate.yaml | 116 +++--------------- 1 file changed, 20 insertions(+), 96 deletions(-) diff --git a/samples/ra-vpn/saml-multi-region/ca-certificate.yaml b/samples/ra-vpn/saml-multi-region/ca-certificate.yaml index 1836345..5bceed4 100644 --- a/samples/ra-vpn/saml-multi-region/ca-certificate.yaml +++ b/samples/ra-vpn/saml-multi-region/ca-certificate.yaml @@ -1,3 +1,12 @@ +# This certificate is provided by you. It is a PKCS12 formatted cert +# generated on the domains used in your Route53Ingress config. +# For multi-region support, this should be a wildcard cert which +# covers the parent and subdomains used for VPN. +# +# Example: if using "domain.com" as the parent domain, with +# "us.domain.com" and "eu.domain.com" as subdomains, your wildcard +# should include "*.domain.com", "*.us.domain.com", and "*.eu.domain.com" +# apiVersion: v1 kind: Secret metadata: 
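Review bot: The new header says this certificate "is provided by you", but the Secret below still carries `password: test` and a PKCS12 body, so the sample still reads as a working credential; add to the header `# Do not commit the real bundle or its password; create this Secret with kubectl create secret generic mypkcs --from-file=value=... --from-literal=password=... or from a secret store.` The wildcard guidance is also slightly off: a single `*.domain.com` does not match `host.us.domain.com`, so the certificate needs all three names as SANs; phrasing it as `your certificate's SAN list should include *.domain.com, *.us.domain.com and *.eu.domain.com` makes the multi-SAN requirement explicit.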
@@ -6,106 +15,21 @@ metadata: stringData: trustpoint: ssltp password: test - # Change to your own CA Certificate value: | MIIS2gIBAzCCEqAGCSqGSIb3DQEHAaCCEpEEghKNMIISiTCCDQcGCSqGSIb3DQEH BqCCDPgwggz0AgEAMIIM7QYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIh63X 549tUD0CAggAgIIMwHVhJkKRWCORnqaj4ixxBJL80fmIH327kRtftzBY59Rjz93s ZwNibpOx2/UadS+LYaB9G9+ZfK38fxyRkPIejME1BEQXhok3uhlijFqaoCpAY5xz - 9uJK5fOBxuOzGaImc8I1Y5+S+NE6kNv+UJxJvQkgiId5WUt9ziTC31Kcb9DFTtUT - 1kAj1//nry3QWuOHkT5qkBFq03ZLFlzYJi8IJNYbmqf76K4HgKtjLl3k89qc6/3b - +jlryN0bsK1xacKlfSXMQO20g8R2+NdTIFBGQKj59YF1vfL1jQa0RN4tR7gFRDvE - eH5MNegdgcI9ZjODaJUvzKIjyBUhFwry0OLTy+kJs7hHTQfMwj0L+km4BLhl5s+H - YE6wiBmWmgwgFHPas8I3lx75wTeu3wEXu+xXSdA33xOA/UfavgukVOYRwiuJaEoc - lYdH0wcgYh33pYQ0JpttvFoLtTzo3fyw+qnPSugs3CLovxGWIyVV/VEGkGWE7tPe - /CkOJa8wNrI8bLgpFBnc11+FQ0PIhsDA9pQ51CQ+xf6ydxW7SCQZQXjDxr7OLZ8b - AqFzaZh45dtLKks0kv+zk1CPvnefyKdveA9hXUVjaydnLMWYYFpXB6tnckKKQ48a - W1L54Rzk5j2+AAkckA7FcmAAZkwAfQUxQtAlv7XqW5bRqukDtNPBhGW+Da7KGtBi - /9GiudWrGe0kbIPO9VkUNDHJC/+7RofkIZyRGRJ4MFDOV5HfF0ak5TGT5lKgotv+ - JOz4XpwejLM0lLJuxGOY8Fu19dJKkyZ7wj/5/gj4K2aqyGm3zKsssv34eT4iTxWQ - 11RUJZQF/oHWmYNv+IKH1mjNoHFhWpOSUwxBwZnaqMsGr21r6UBvOSOtO8bWpMdg - cbCAuIcx/rnYaSpM0UFbeQSJmS7GXRMjJjfB1vQJmwtBp654YHy16UmP3dqmjRGG - NlRPEbKn6Mj096O7wMhOEIstlWQ/AZAWpYF43tFYDs3jDCdyo3/0ZZzaG5NodLVG - g0GW2UVVlISXJdRgmCVuAREA9BJRBiLbC7bMdDxIaJ0XxOzKgY/e+JOozwlW0evv - R9MMyTNm7LI0K9kUzrsAcdWSaQxCeS/EJM7z9AU3641AoQIGjKQaUmdWGlNSJdV6 - s2JHBDdgeAXfRk3bMAFo8eAsnKuWT/QvMV2eqcRfylv1LzteVpJcsAJyIYe5Ge5M - gnqgrPpVQDdUjglsBruQQfKZlUimLdyGsCZJxmQJwhGbRdD6dxhs8V20dANmbxOA - sqF77/EwGOjMtL5g3BGfwWDeKwf3LyS0awk8Zx+ZGKJjg97DNZYbqVbPpYo4VYi9 - k/YD7JF12pyZjhGiOXjZhtjw+92AWi/v6a2czO+X6As8ws5ZkP+OzsY95kJ69B1a - X7AU6/Y8Ix0kSQaONYzdlL+ivQ3EC1ANDpGfDhlgB4gHCCTi0CSRUp9S5/0Doo0d - bWvIeKGoluu92tOxeWWaP0z2Sj9uorrbekqbTFzWBNmru+HIkcwdRs21R/eaMAJu - QNV/BF/t7GojmDZov4g6a1ltvpxAl0WC+9+u3mPaa+A9CR9BAW97KRSW/nVCUhP7 - b1XWXNrrump5DjNKaluSCs2OOvtUDZl0P/Qk7C+NNGhmZif4c4yDtHCU69J8FoK9 - 
zWJT941axYgSGQkIuaMo8NeXCYsWp6kwHh1LH+3v9AbqOnMFuxE/jIUVFhGoj1Jz - u59AYG+SZn8aZe16XC3NqroeiyiK2BU/4Hiky9wmDsKTLHKrDpPjaMJWVgIxQYkY - AX1WRJgmClhrb7epxmb+MleO+t3zvpDHMy2b60afrR8/GmZmr++CWXJTTX2r2J1k - /uGVB5SAUoSulW+4I4CjETww+hab3UnF7yEugeg7eyI62dA/R9Q7yESuMwATmyhm - CWs3Why9MiFxJAfqaeyGKPFnphB7QD+1F10Wz8Qj6S73pP7d+xhmEigHbIs6apVX - j1HfwGKSRSkrjDhBpBRjaYN/D07ipZE7IkTHwhrLy4bJoDfXDlp6oH3eAwEX9xnK - 22VtEWbmJ3Wzggwi77qb3EK5z6l6exVtn1lbFAKHlCO70Fl4U0YAYGlSqGtUQ6rG - X6cwxn1aY7loZfk+i4aONmPNHtOd6BNFnVVXKAbEjxsNguDivSPH+6z8KyhQEr5M - l4znmL0aMqnibpelDqOMnz43k/RcaLjTNyXdKyETOs4IoKYoD2dApSH9J8ouZ4mx - lFQOdLd2G5wHV7Y/G52fp2l2AzaZWovPVWzeYffxGhpeycTeP04jQnVlXc1/0l4i - VTXKi1//C+aky/PkLMQif8VbbBpP/31eLgXnS1uYkVxg2lvSTkdM5I32b6TMhPT7 - zI/tU+x4RsIi+zx4fPTVrhyOB/oMzkHkBQyYLd5g37fpiAOxnZiod4X4ALIC6de2 - Ybqv1vi4Kduh5sAozhiSM3wpemtKr6X7wvzR5RftcPOWM2AE9MR15aMSRLVjoxGQ - Wn1K+zxoNZX0PCFTGmMDkU/DRH2abAqCaxuN4iQO98LaIVJfcyI3YeVBd3mAhX4u - vkZ5fcPFReYW6FknJY0cMqlFP4/aHNmiAEZla3OO2xCCxsjNgFfv0d+9hzlQaPeu - xYF/BGICncYllVYNG1Sfst+y7/UW/OSSrEtCy/gf/JKrGLA9xN/hVFssmonIjMBy - MYyJDM0cesMC1Fus8rESAhQ+swbhPI8jVOk5wB0NrnOLz13FMAVbEzY7HpXy0Rcc - 6ELhKVFLzWeH2Tl/omuAKvUttZfqF75z6NJhx2DZe7HOgnV78ESYNlbAFBOEq91C - zlN4rSMC3gtUeTFT78Zc1X/QvbvJ59zmqHg3mGNA0kyCK3o9c84HW1CZ0oZ7aLD6 - qeYHkceFP65AKo1kCQGTGO+GzffhqnsKBFo5Vo56QKAu/IOyTuvUHHiOhM/Llj8f - YycuZUL3Qtahq2gJJXSoRsRzK8BPy/IZ2Zo7YtUYvfDv1Ks2rRaP8VT8z6tTUwwl - udMYibYzZ+8bj5C6O75ng9+k9f7/SNwzts3Pi4zEChHbO+med3vNdpfyYjyMJLTL - 955lSPCAeLCTaWSjMHRIap6sCKsXfn51/YV9tnG8XCLh3ImpZ6LNGEU3QObhPVqK - 3vYKNi5MG1/C9RGUYB0bUFLgZTfKm2jyHCkN35EqtFRQwQ9iuhJVYc+g6xCTmVRc - DhulhN9BW9pW4WUlE4Vnejd+yplnhKjCZWWeOApqfEciLWTSCK7o8K0WCIp/NegF - YNJxfz5neXipXWooU/g6XdWxbig7BEw9Zt1dhuChxC8AJhg7HdxNv68o7tKB/Ln+ - VRcJdqBGNOq8ekVAJtE/DCkOfb4vso/j4r91oqzo20r0Rw6yral+JpWzJvlq9Fbx - JRhttK/fG8bz9giJjIw1jtFegfOMZcBkVNktNeEpgIL0t9iMhPjRi4ykZeCdIE8C - LlM3O+Xy81Msq4a0mH4QQpEdiTTFm223utDoZCjAnpakrFclEOxVSiVqny5t97P/ - 
krcaYKnq6bmab2oXj1Uj0KwW1xNw9PU7x4ZUpx3FHRWPLfbrbsDI1h+SBLH9uQdd - Xd6Ko6RJxb7tajbFBYIXmtLhBi0B/Zn871AaHZLU0IG3PerrNkeOBL/5b/IJJqnx - RSEFPt1Wl3W725APsWHXQCpWtEPA4I1ATRRI6U8LbUksGjApLpt1VqIQGG9FlVQK - 2d6szUKsciKX1Ah/aWKW/g0e+XTYasmE5pYAFP/uDKFpcZy2XF28NcCnA2ukKO/A - F1Z1MobDOgr/efZWPDlO1DupX65Q1LRhwsAu4JJjcB15Usdlx0pXexm6UZ+5EhaS - b2mkl0L4h9ilYl8TQx2jKGQ/LtRD5UaYjiCs2ROkzbLt/SMixWHBjfBKlc/vVdxf - zgogcGF/C7i5FVsii4hnfion5SidoL4JXddWtwuCG7A2coDw8JTyruHXeyGuuy5u - 54HHBv+PHzQ3bnIT1aMADvapo+MIE4PInFQZGHdq8d37F0wgisH6bJc+FcK9qKl/ - SATp5UFlPvnB1CliZ0VB+iwxtjbu3hgwmS18OcZuFoeSlmjgR7AoaOp5pjr5fCA5 - iclOZMCFq2jnfLtepalPzJFFcc3RDOI3aDbqFmVkmQWX7f7lwQMSjXJ9xq6mf0p7 - bFBdB153uQeJlkpu7nmuL1NPT7jhw3UCxEJZ7UP4bzxigvMEycUUH9cln4nLpSLb - mVw9Ibe918wOuzkBxPrasRGF1p1eWCKAx6CldZlN1FBPWPx7oCF4Qh4X7iWuOEjq - TEukZhssTymYDc3SUq33gU/kzsyrRgLXFFl8JaEHv5H04rKeboB09DF2pr/qQU/q - SY35bMckfkwIrBXnkDCCBXoGCSqGSIb3DQEHAaCCBWsEggVnMIIFYzCCBV8GCyqG - SIb3DQEMCgECoIIE7jCCBOowHAYKKoZIhvcNAQwBAzAOBAiOc2uYfUs5/AICCAAE - ggTIj7mC9S+YQYBp+9K6rRbmMTCmbmZBMPzZJwdx/A+bRH74zAPDQGmNc5wgmm3+ - e28tCx7TNJ71Hee+wgTC1xe1zPu3LUcalr6WWiPWkPcXCe2og+YiqLPpyviu/bkZ - SHX29FWUe+MW21dIsN+gd8HM1FUzoCo6P5r1IL2ytyEvX7RNpIM3GPtyHEjYNAkH - WK2ECtVhSyVgthhjBkc6sSIWS28JYYkOBXkYKZFF4Nct6zdxhBL5u+c+APOrcJSq - FpM45W5jUo+w+1UWQ7qLYyxV/iKiYASQHVNLcKVw6wtfWhDEMxOLuyJG5SDM7S0C - 5i+cedL2tVbKK13HC2bhKH4kYClpkTctEnjbGiiEopfElGq9cdYxz/qEX5mWhU/v - UdTw8sWTYYyg2ZlYy41KXdE12tiXXNg4PnH9ho9QQua8JRYYnbdE3d6LTBy0/TP0 - UtQA60FN4C6+CixN7zHu48HlbwYga5qZFsWJp+OTChdsK63h1TNHZHT/m1E1h8Wt - R4NbpTnaYszUJp9TdaU/eizHq3/675gfKGDv3gnpvxezZk8DaYOzRBHTTgRK55iB - I1e/RESY9E7L/ASi8rr7zBkCx3KSFT+1qdIPoRS9YJ7ZghW3fg7agEAZEyPWzMGW - 5bRN8TCZk/FfXlzsuzzR0aEY4EqaXUoLsgYLVnuVSfWZTK2VI7Hsljyi8vbcw2Eg - EMFIqiEIZV0bD/QzHSR2QZADsgf22RewZaynKg4xju3d+SzzElGS243v5Z3KaQju - pK3Ty9C690dJw0Hhea05Ld0G5fTGgh7R+V2qREZtKTOKIIVob1+LpaLxkkVAmKvp EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs - 
NOxZTFvzmOK/ReAbAof2gp8HMpNDqpIrHliS6zj/2jvvy/2dkQLswwrwTIN4nps4 - sFWMx9bC/UE2gXkT0RG/lzSyu6BwElx6Bob93vSG6DQSi5WNs6Lfz2YEOrzkTjRw - gWkafU22nyFSPDy8SSTOR5nXP4q+OYlAMAcx0F8PbThKTZdSNa0N1RGj7jVddAkp - xVpid+Si4Nuoh/Gq4jIMpexIpMKgtHFng9AUxqL99xv4PFXzGSD2T/+Kmber6Jpf - gaUtXw1X5PJzlBXb5+5Bw3LnhYXKXykMKPhQ8E9Lr2wvycnC0/Xn1/l792PRj0Ii - akXRw/X9L/Ss/cY7c1X0GyS1u7mXxbgHPSkbCnhLtVNC49xT43Dn35vHgfqKKDy8 - t7se7rG/fDCE1S27xxywHnbhuOFcB5CUpdhvwk2+bUQMHaeKFscyY2BtwhzxQwsf - 53LrVosGd7RpKAXTb9EX23qMm/cTMBpB7bwe6oZFQxfRoAjjZyfuaEkXdu2YuivQ - g9hUZDEPZSZRcp0ZROlFV5a5EbWQG/ofHMtVFSotNwJyqU0LiYih7VAfdoA1XplZ - zFQgmO+IfUhOKMdkjCl8AR+gjERmjwiBnetATZETsM+g/mXAbkaslTZ0l2PUX/uK - U8sArPvJ46pC47JtlIJ2kgWcXe9PchFJ8OsWdGQ1luscefar0GFsKCHBJRkmbc4V - NB/qKalRbzpZyLHKvLGwR+eSZcJNgMR1tgnaMV4wIwYJKoZIhvcNAQkVMRYEFDU2 - NwYrJrvSiWR8adr1GPsUvcVcMDcGCSqGSIb3DQEJFDEqHigAbQB1AHMAaABlAHQA - aAAuAGsAYQBzAGEALQB2AHAAbgAuAGMAbwBtMDEwITAJBgUrDgMCGgUABBTXA3/u + EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs + EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs + EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs + EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs + EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs + EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs + EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs + EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs + EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs + EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs + MRpjKvfSuc8qmM5TPxnLJwQILJ/u4ij4txACAggA From b84a89541b4834361e58800a014b75b4acc4c8f5 Mon Sep 17 00:00:00 2001 
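Review bot: The removed lines appear to be a complete PKCS12 structure (the deleted base64 contains what looks like a shrouded key bag and a UTF-16 friendlyName attribute carrying a hostname), and `password: test`, which would unlock it, is left unchanged; replacing the blob in the working tree does not remove it from git history. If that bundle was ever a real certificate rather than a throwaway test artifact, treat the key as exposed and rotate it, and consider rewriting history before the repository is published. The replacement keeps the first four lines of the old blob followed by one repeated filler line, so it is neither obviously fake nor valid; a clearly synthetic value such as `value: REPLACE_WITH_BASE64_PKCS12` removes the ambiguity. The password line should also regain the hint the deleted comment used to give, e.g. `password: test  # replace with the passphrase used when exporting your PKCS12`.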
From: Jared Hancock Date: Tue, 14 Sep 2021 17:14:30 -0500 Subject: [PATCH 4/6] fixed wonky indentation and updated the old ca-cert example with fake cert and comments --- .../ra-vpn/redirector-lb/ca-certificate.yaml | 116 +++--------------- .../redirector-lb/ravpn-enforcer-config.yaml | 63 +++++----- .../ravpn-redirector-config.yaml | 22 ++-- samples/ra-vpn/redirector-lb/redis-ca.yaml | 9 +- 4 files changed, 69 insertions(+), 141 deletions(-) diff --git a/samples/ra-vpn/redirector-lb/ca-certificate.yaml b/samples/ra-vpn/redirector-lb/ca-certificate.yaml index 1836345..2253c34 100644 --- a/samples/ra-vpn/redirector-lb/ca-certificate.yaml +++ b/samples/ra-vpn/redirector-lb/ca-certificate.yaml @@ -1,3 +1,12 @@ +# This certificate is provided by you. It is a PKCS12 formatted cert +# generated on the domains used in your Route53Ingress config. +# For VPN Redirector tolology, this should be a wildcard cert which +# covers the parent and subdomains used for VPN. +# +# Example: if using "domain.com" as the parent domain, with +# "us.domain.com" and "eu.domain.com" as subdomains, your wildcard +# should include "*.domain.com", "*.us.domain.com", and "*.eu.domain.com" +# apiVersion: v1 kind: Secret metadata: 
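Review bot: The example names in this header (`us.domain.com`, `eu.domain.com`) are copied from the multi-region sample, but the redirector in this directory is configured with `domain-name vpn.domain.com` (see ravpn-redirector-config.yaml later in this patch), so the names the certificate must cover here are the redirector's own name and whatever member names the redirector hands out, not regional subdomains. State what this topology actually needs, e.g. `# The cert must cover the redirector FQDN and the member FQDNs returned by redirect-fqdn (a wildcard under the domain-name used in the redirector config is the simplest way).` My understanding is that `redirect-fqdn` resolves members under that domain; confirm against the operator's hostname handling. Keeping the comment topology-specific avoids steering users toward a broader wildcard than they require.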
@@ -6,106 +15,21 @@ metadata: stringData: trustpoint: ssltp password: test - # Change to your own CA Certificate value: | MIIS2gIBAzCCEqAGCSqGSIb3DQEHAaCCEpEEghKNMIISiTCCDQcGCSqGSIb3DQEH BqCCDPgwggz0AgEAMIIM7QYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIh63X 549tUD0CAggAgIIMwHVhJkKRWCORnqaj4ixxBJL80fmIH327kRtftzBY59Rjz93s ZwNibpOx2/UadS+LYaB9G9+ZfK38fxyRkPIejME1BEQXhok3uhlijFqaoCpAY5xz - 9uJK5fOBxuOzGaImc8I1Y5+S+NE6kNv+UJxJvQkgiId5WUt9ziTC31Kcb9DFTtUT - 1kAj1//nry3QWuOHkT5qkBFq03ZLFlzYJi8IJNYbmqf76K4HgKtjLl3k89qc6/3b - +jlryN0bsK1xacKlfSXMQO20g8R2+NdTIFBGQKj59YF1vfL1jQa0RN4tR7gFRDvE - eH5MNegdgcI9ZjODaJUvzKIjyBUhFwry0OLTy+kJs7hHTQfMwj0L+km4BLhl5s+H - YE6wiBmWmgwgFHPas8I3lx75wTeu3wEXu+xXSdA33xOA/UfavgukVOYRwiuJaEoc - lYdH0wcgYh33pYQ0JpttvFoLtTzo3fyw+qnPSugs3CLovxGWIyVV/VEGkGWE7tPe - /CkOJa8wNrI8bLgpFBnc11+FQ0PIhsDA9pQ51CQ+xf6ydxW7SCQZQXjDxr7OLZ8b - AqFzaZh45dtLKks0kv+zk1CPvnefyKdveA9hXUVjaydnLMWYYFpXB6tnckKKQ48a - W1L54Rzk5j2+AAkckA7FcmAAZkwAfQUxQtAlv7XqW5bRqukDtNPBhGW+Da7KGtBi - /9GiudWrGe0kbIPO9VkUNDHJC/+7RofkIZyRGRJ4MFDOV5HfF0ak5TGT5lKgotv+ - JOz4XpwejLM0lLJuxGOY8Fu19dJKkyZ7wj/5/gj4K2aqyGm3zKsssv34eT4iTxWQ - 11RUJZQF/oHWmYNv+IKH1mjNoHFhWpOSUwxBwZnaqMsGr21r6UBvOSOtO8bWpMdg - cbCAuIcx/rnYaSpM0UFbeQSJmS7GXRMjJjfB1vQJmwtBp654YHy16UmP3dqmjRGG - NlRPEbKn6Mj096O7wMhOEIstlWQ/AZAWpYF43tFYDs3jDCdyo3/0ZZzaG5NodLVG - g0GW2UVVlISXJdRgmCVuAREA9BJRBiLbC7bMdDxIaJ0XxOzKgY/e+JOozwlW0evv - R9MMyTNm7LI0K9kUzrsAcdWSaQxCeS/EJM7z9AU3641AoQIGjKQaUmdWGlNSJdV6 - s2JHBDdgeAXfRk3bMAFo8eAsnKuWT/QvMV2eqcRfylv1LzteVpJcsAJyIYe5Ge5M - gnqgrPpVQDdUjglsBruQQfKZlUimLdyGsCZJxmQJwhGbRdD6dxhs8V20dANmbxOA - sqF77/EwGOjMtL5g3BGfwWDeKwf3LyS0awk8Zx+ZGKJjg97DNZYbqVbPpYo4VYi9 - k/YD7JF12pyZjhGiOXjZhtjw+92AWi/v6a2czO+X6As8ws5ZkP+OzsY95kJ69B1a - X7AU6/Y8Ix0kSQaONYzdlL+ivQ3EC1ANDpGfDhlgB4gHCCTi0CSRUp9S5/0Doo0d - bWvIeKGoluu92tOxeWWaP0z2Sj9uorrbekqbTFzWBNmru+HIkcwdRs21R/eaMAJu - QNV/BF/t7GojmDZov4g6a1ltvpxAl0WC+9+u3mPaa+A9CR9BAW97KRSW/nVCUhP7 - b1XWXNrrump5DjNKaluSCs2OOvtUDZl0P/Qk7C+NNGhmZif4c4yDtHCU69J8FoK9 - 
zWJT941axYgSGQkIuaMo8NeXCYsWp6kwHh1LH+3v9AbqOnMFuxE/jIUVFhGoj1Jz - u59AYG+SZn8aZe16XC3NqroeiyiK2BU/4Hiky9wmDsKTLHKrDpPjaMJWVgIxQYkY - AX1WRJgmClhrb7epxmb+MleO+t3zvpDHMy2b60afrR8/GmZmr++CWXJTTX2r2J1k - /uGVB5SAUoSulW+4I4CjETww+hab3UnF7yEugeg7eyI62dA/R9Q7yESuMwATmyhm - CWs3Why9MiFxJAfqaeyGKPFnphB7QD+1F10Wz8Qj6S73pP7d+xhmEigHbIs6apVX - j1HfwGKSRSkrjDhBpBRjaYN/D07ipZE7IkTHwhrLy4bJoDfXDlp6oH3eAwEX9xnK - 22VtEWbmJ3Wzggwi77qb3EK5z6l6exVtn1lbFAKHlCO70Fl4U0YAYGlSqGtUQ6rG - X6cwxn1aY7loZfk+i4aONmPNHtOd6BNFnVVXKAbEjxsNguDivSPH+6z8KyhQEr5M - l4znmL0aMqnibpelDqOMnz43k/RcaLjTNyXdKyETOs4IoKYoD2dApSH9J8ouZ4mx - lFQOdLd2G5wHV7Y/G52fp2l2AzaZWovPVWzeYffxGhpeycTeP04jQnVlXc1/0l4i - VTXKi1//C+aky/PkLMQif8VbbBpP/31eLgXnS1uYkVxg2lvSTkdM5I32b6TMhPT7 - zI/tU+x4RsIi+zx4fPTVrhyOB/oMzkHkBQyYLd5g37fpiAOxnZiod4X4ALIC6de2 - Ybqv1vi4Kduh5sAozhiSM3wpemtKr6X7wvzR5RftcPOWM2AE9MR15aMSRLVjoxGQ - Wn1K+zxoNZX0PCFTGmMDkU/DRH2abAqCaxuN4iQO98LaIVJfcyI3YeVBd3mAhX4u - vkZ5fcPFReYW6FknJY0cMqlFP4/aHNmiAEZla3OO2xCCxsjNgFfv0d+9hzlQaPeu - xYF/BGICncYllVYNG1Sfst+y7/UW/OSSrEtCy/gf/JKrGLA9xN/hVFssmonIjMBy - MYyJDM0cesMC1Fus8rESAhQ+swbhPI8jVOk5wB0NrnOLz13FMAVbEzY7HpXy0Rcc - 6ELhKVFLzWeH2Tl/omuAKvUttZfqF75z6NJhx2DZe7HOgnV78ESYNlbAFBOEq91C - zlN4rSMC3gtUeTFT78Zc1X/QvbvJ59zmqHg3mGNA0kyCK3o9c84HW1CZ0oZ7aLD6 - qeYHkceFP65AKo1kCQGTGO+GzffhqnsKBFo5Vo56QKAu/IOyTuvUHHiOhM/Llj8f - YycuZUL3Qtahq2gJJXSoRsRzK8BPy/IZ2Zo7YtUYvfDv1Ks2rRaP8VT8z6tTUwwl - udMYibYzZ+8bj5C6O75ng9+k9f7/SNwzts3Pi4zEChHbO+med3vNdpfyYjyMJLTL - 955lSPCAeLCTaWSjMHRIap6sCKsXfn51/YV9tnG8XCLh3ImpZ6LNGEU3QObhPVqK - 3vYKNi5MG1/C9RGUYB0bUFLgZTfKm2jyHCkN35EqtFRQwQ9iuhJVYc+g6xCTmVRc - DhulhN9BW9pW4WUlE4Vnejd+yplnhKjCZWWeOApqfEciLWTSCK7o8K0WCIp/NegF - YNJxfz5neXipXWooU/g6XdWxbig7BEw9Zt1dhuChxC8AJhg7HdxNv68o7tKB/Ln+ - VRcJdqBGNOq8ekVAJtE/DCkOfb4vso/j4r91oqzo20r0Rw6yral+JpWzJvlq9Fbx - JRhttK/fG8bz9giJjIw1jtFegfOMZcBkVNktNeEpgIL0t9iMhPjRi4ykZeCdIE8C - LlM3O+Xy81Msq4a0mH4QQpEdiTTFm223utDoZCjAnpakrFclEOxVSiVqny5t97P/ - 
krcaYKnq6bmab2oXj1Uj0KwW1xNw9PU7x4ZUpx3FHRWPLfbrbsDI1h+SBLH9uQdd - Xd6Ko6RJxb7tajbFBYIXmtLhBi0B/Zn871AaHZLU0IG3PerrNkeOBL/5b/IJJqnx - RSEFPt1Wl3W725APsWHXQCpWtEPA4I1ATRRI6U8LbUksGjApLpt1VqIQGG9FlVQK - 2d6szUKsciKX1Ah/aWKW/g0e+XTYasmE5pYAFP/uDKFpcZy2XF28NcCnA2ukKO/A - F1Z1MobDOgr/efZWPDlO1DupX65Q1LRhwsAu4JJjcB15Usdlx0pXexm6UZ+5EhaS - b2mkl0L4h9ilYl8TQx2jKGQ/LtRD5UaYjiCs2ROkzbLt/SMixWHBjfBKlc/vVdxf - zgogcGF/C7i5FVsii4hnfion5SidoL4JXddWtwuCG7A2coDw8JTyruHXeyGuuy5u - 54HHBv+PHzQ3bnIT1aMADvapo+MIE4PInFQZGHdq8d37F0wgisH6bJc+FcK9qKl/ - SATp5UFlPvnB1CliZ0VB+iwxtjbu3hgwmS18OcZuFoeSlmjgR7AoaOp5pjr5fCA5 - iclOZMCFq2jnfLtepalPzJFFcc3RDOI3aDbqFmVkmQWX7f7lwQMSjXJ9xq6mf0p7 - bFBdB153uQeJlkpu7nmuL1NPT7jhw3UCxEJZ7UP4bzxigvMEycUUH9cln4nLpSLb - mVw9Ibe918wOuzkBxPrasRGF1p1eWCKAx6CldZlN1FBPWPx7oCF4Qh4X7iWuOEjq - TEukZhssTymYDc3SUq33gU/kzsyrRgLXFFl8JaEHv5H04rKeboB09DF2pr/qQU/q - SY35bMckfkwIrBXnkDCCBXoGCSqGSIb3DQEHAaCCBWsEggVnMIIFYzCCBV8GCyqG - SIb3DQEMCgECoIIE7jCCBOowHAYKKoZIhvcNAQwBAzAOBAiOc2uYfUs5/AICCAAE - ggTIj7mC9S+YQYBp+9K6rRbmMTCmbmZBMPzZJwdx/A+bRH74zAPDQGmNc5wgmm3+ - e28tCx7TNJ71Hee+wgTC1xe1zPu3LUcalr6WWiPWkPcXCe2og+YiqLPpyviu/bkZ - SHX29FWUe+MW21dIsN+gd8HM1FUzoCo6P5r1IL2ytyEvX7RNpIM3GPtyHEjYNAkH - WK2ECtVhSyVgthhjBkc6sSIWS28JYYkOBXkYKZFF4Nct6zdxhBL5u+c+APOrcJSq - FpM45W5jUo+w+1UWQ7qLYyxV/iKiYASQHVNLcKVw6wtfWhDEMxOLuyJG5SDM7S0C - 5i+cedL2tVbKK13HC2bhKH4kYClpkTctEnjbGiiEopfElGq9cdYxz/qEX5mWhU/v - UdTw8sWTYYyg2ZlYy41KXdE12tiXXNg4PnH9ho9QQua8JRYYnbdE3d6LTBy0/TP0 - UtQA60FN4C6+CixN7zHu48HlbwYga5qZFsWJp+OTChdsK63h1TNHZHT/m1E1h8Wt - R4NbpTnaYszUJp9TdaU/eizHq3/675gfKGDv3gnpvxezZk8DaYOzRBHTTgRK55iB - I1e/RESY9E7L/ASi8rr7zBkCx3KSFT+1qdIPoRS9YJ7ZghW3fg7agEAZEyPWzMGW - 5bRN8TCZk/FfXlzsuzzR0aEY4EqaXUoLsgYLVnuVSfWZTK2VI7Hsljyi8vbcw2Eg - EMFIqiEIZV0bD/QzHSR2QZADsgf22RewZaynKg4xju3d+SzzElGS243v5Z3KaQju - pK3Ty9C690dJw0Hhea05Ld0G5fTGgh7R+V2qREZtKTOKIIVob1+LpaLxkkVAmKvp EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs - 
NOxZTFvzmOK/ReAbAof2gp8HMpNDqpIrHliS6zj/2jvvy/2dkQLswwrwTIN4nps4 - sFWMx9bC/UE2gXkT0RG/lzSyu6BwElx6Bob93vSG6DQSi5WNs6Lfz2YEOrzkTjRw - gWkafU22nyFSPDy8SSTOR5nXP4q+OYlAMAcx0F8PbThKTZdSNa0N1RGj7jVddAkp - xVpid+Si4Nuoh/Gq4jIMpexIpMKgtHFng9AUxqL99xv4PFXzGSD2T/+Kmber6Jpf - gaUtXw1X5PJzlBXb5+5Bw3LnhYXKXykMKPhQ8E9Lr2wvycnC0/Xn1/l792PRj0Ii - akXRw/X9L/Ss/cY7c1X0GyS1u7mXxbgHPSkbCnhLtVNC49xT43Dn35vHgfqKKDy8 - t7se7rG/fDCE1S27xxywHnbhuOFcB5CUpdhvwk2+bUQMHaeKFscyY2BtwhzxQwsf - 53LrVosGd7RpKAXTb9EX23qMm/cTMBpB7bwe6oZFQxfRoAjjZyfuaEkXdu2YuivQ - g9hUZDEPZSZRcp0ZROlFV5a5EbWQG/ofHMtVFSotNwJyqU0LiYih7VAfdoA1XplZ - zFQgmO+IfUhOKMdkjCl8AR+gjERmjwiBnetATZETsM+g/mXAbkaslTZ0l2PUX/uK - U8sArPvJ46pC47JtlIJ2kgWcXe9PchFJ8OsWdGQ1luscefar0GFsKCHBJRkmbc4V - NB/qKalRbzpZyLHKvLGwR+eSZcJNgMR1tgnaMV4wIwYJKoZIhvcNAQkVMRYEFDU2 - NwYrJrvSiWR8adr1GPsUvcVcMDcGCSqGSIb3DQEJFDEqHigAbQB1AHMAaABlAHQA - aAAuAGsAYQBzAGEALQB2AHAAbgAuAGMAbwBtMDEwITAJBgUrDgMCGgUABBTXA3/u + EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs + EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs + EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs + EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs + EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs + EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs + EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs + EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs + EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs + EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs + MRpjKvfSuc8qmM5TPxnLJwQILJ/u4ij4txACAggA diff --git a/samples/ra-vpn/redirector-lb/ravpn-enforcer-config.yaml b/samples/ra-vpn/redirector-lb/ravpn-enforcer-config.yaml index 5a9938e..63885ab 100644 --- a/samples/ra-vpn/redirector-lb/ravpn-enforcer-config.yaml +++ b/samples/ra-vpn/redirector-lb/ravpn-enforcer-config.yaml 
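Review bot: `password: test` is left as a bare literal once the `# Change to your own CA Certificate` hint is deleted, so nothing in this hunk tells a reader that this is the PKCS12 import passphrase they must change. Suggest `password: test  # replace with the passphrase used when exporting your PKCS12`, or a placeholder such as `CHANGE_ME` that fails loudly at import. As in the saml-multi-region copy, the placeholder value keeps the first four base64 lines of the previously committed blob, so the old bundle remains in history regardless of this edit; an all-synthetic placeholder would make the intent obvious.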
@@ -22,35 +22,31 @@ spec: - "sfcn-redis" cliLines: | interface Management0/0 - no management-only - nameif management - security-level 0 - ip address dhcp + no management-only + nameif management + security-level 0 + ip address dhcp interface TenGigabitEthernet0/0 - nameif outside - security-level 0 - ip address dhcp + nameif outside + security-level 0 + ip address dhcp interface TenGigabitEthernet0/1 - nameif inside - security-level 100 - ip address dhcp + nameif inside + security-level 100 + ip address dhcp + # Configure route to internet over outside interface route outside 0 0 {{ index .nodeLabels "sfcn.cisco.com.interface.2/gateway-ipv4" }} 1 # configure route to vpc addresses over inside interface route inside 10.37.0.0 255.255.0.0 {{ index .nodeLabels "sfcn.cisco.com.interface.3/gateway-ipv4" }} 2 - # Add an explicit route to Redis server IP address over outside interface - route outside 255.255.255.255 {{ index .nodeLabels "sfcn.cisco.com.interface.2/gateway-ipv4" }} - # Add the following DNS configuration to have ASA contact R53 for DNS lookup dns domain-lookup outside dns server-group DefaultDNS - # published AWS DNS server name-server 169.254.169.253 + # Configure the IP address pool from where the clients will receive an IP address ip local pool VPN_AC_pool {{.ipv4SubnetPools.ravpnpool.assignedRange}} mask 255.255.255.0 - # Define access lists as required. - # access-list standard - # access-list for optional split tunnel access to AWS VPC access-list Split_Tunnel_ACL extended permit ip 10.37.0.0 255.255.0.0 any4 + webvpn enable outside anyconnect profiles my_AC_profile {{ .fileObjects.ravpnprofile.path }} 
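Review bot: `ip local pool VPN_AC_pool {{.ipv4SubnetPools.ravpnpool.assignedRange}} mask 255.255.255.0` templates the range but hard-codes a /24 mask, so the pool silently disagrees with the IPv4SubnetPool if that object allocates anything other than a /24 (the pool's size is not visible in this hunk). If the template context exposes the prefix or netmask, template it as well; otherwise add `# mask must match the subnet size allocated by the ravpnpool IPv4SubnetPool`. The explicit Redis host route is removed without explanation, so one line saying which remaining route (the inside 10.37.0.0/16 route or the outside default) is expected to carry ElastiCache traffic would complete the otherwise thorough new route comments.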
@@ -62,44 +58,41 @@ spec: group-policy VPN_group_policy internal group-policy VPN_group_policy attributes vpn-tunnel-protocol ssl-client - # Enable split tunnel if required. - # Example: - #split-tunnel-policy tunnelspecified - #split-tunnel-network-list value Split_Tunnel_ACL webvpn anyconnect profiles value my_AC_profile type user username {{ .secrets.userinfo.username }} password {{ .secrets.userinfo.password }} privilege {{ .secrets.userinfo.privilege }} tunnel-group VPN_tunnel_group type remote-access tunnel-group VPN_tunnel_group general-attributes - address-pool VPN_AC_pool - default-group-policy VPN_group_policy + address-pool VPN_AC_pool + default-group-policy VPN_group_policy tunnel-group VPN_tunnel_group webvpn-attributes - group-alias VPN_tunnel_group enable + group-alias VPN_tunnel_group enable + # Configure Redis server IP and enable external database. external-database - host - port 6379 + host {{ index .secrets "sfcn-redis" "host" }} + port 6379 # this should match the token used for elasticache creation (EnforcerCacheAuthToken). If you omitted that field, then # you should also omit the `db-password` line below. db-password {{ index .secrets "sfcn-redis" "token" }} enable - vpn load-balancing - external-database + # Any priority value other than 10 designates the ASAc # as a member. - priority 1 - interface lbpublic outside - # We add the public IP of the "outside" interface for NAT command - # The interface indices for "management", "outside" and "inside" interfaces - # are 1, 2 and 3 respectively. 
- nat {{ index .nodeLabels "sfcn.cisco.com.interface.2/public-ip" }} + vpn load-balancing + external-database + priority 1 + interface lbpublic outside + nat {{ index .nodeLabels "sfcn.cisco.com.interface.2/public-ip" }} vpn-sessiondb external-database + # Configure the Redis CA certificate crypto ca trustpoint {{ .secrets.redisca.trustpoint }} - enrollment terminal + enrollment terminal crypto ca authenticate {{ .secrets.redisca.trustpoint }} nointeractive {{ .secrets.redisca.value }} quit + # Import PKCS12 certificate for SSL connection crypto ca import {{ .secrets.mypkcs.trustpoint }} pkcs12 {{ .secrets.mypkcs.password }} nointeractive {{ .secrets.mypkcs.value }} diff --git a/samples/ra-vpn/redirector-lb/ravpn-redirector-config.yaml b/samples/ra-vpn/redirector-lb/ravpn-redirector-config.yaml index 114f8b7..bef9d1f 100644 --- a/samples/ra-vpn/redirector-lb/ravpn-redirector-config.yaml +++ b/samples/ra-vpn/redirector-lb/ravpn-redirector-config.yaml @@ -27,14 +27,22 @@ spec: nameif management ip address dhcp no shutdown - hostname redirector + + # create a route to the internet over the outside interface + route outside 0 0 {{ index .nodeLabels "sfcn.cisco.com.interface.2/gateway-ipv4" }} + # Add the following DNS configuration to have ASA contact R53 for DNS lookup + dns domain-lookup outside + dns server-group DefaultDNS + name-server 169.254.169.253 + external-database - host + host {{ index .secrets "sfcn-redis" "host" }} port 6379 # this should match the token used for elasticache creation (EnforcerCacheAuthToken). If you omitted that field, then # you should also omit the `db-password` line below. db-password {{ index .secrets "sfcn-redis" "token" }} enable + vpn load-balancing external-database # A priority of 10 designates an ASAc as a redirector 
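Review bot: Removing the commented split-tunnel example leaves `access-list Split_Tunnel_ACL` (defined in the previous hunk of this file) with no consumer, so the sample now carries an unreferenced ACL while the group-policy falls back to the ASA default of tunnelling all client traffic. Either drop the ACL or keep a one-line pointer in the group-policy, e.g. `# Full tunnel by default; to split-tunnel only the VPC, add split-tunnel-policy tunnelspecified and split-tunnel-network-list value Split_Tunnel_ACL`. The deleted comment explaining that management/outside/inside are interface indices 1/2/3 was the only place the `sfcn.cisco.com.interface.N/...` label scheme was documented; keep it above the `nat` line.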
@@ -42,22 +50,20 @@ spec: interface lbpublic outside # Set the following to enable FQDN based redirects. Redirects will be IPs otherwise redirect-fqdn enable + # Set the domain name used in your Route53Ingress; required for FQDN redirects and SSL connections. domain-name vpn.domain.com - # create a route to the internet over the outside interface - route outside 0 0 {{ index .nodeLabels "sfcn.cisco.com.interface.2/gateway-ipv4" }} - # Add the following DNS configuration to have ASA contact R53 for DNS lookup - dns domain-lookup outside - dns server-group DefaultDNS - name-server 169.254.169.253 + webvpn enable outside + # Configure the Redis CA certificate crypto ca trustpoint {{ .secrets.redisca.trustpoint }} enrollment terminal crypto ca authenticate {{ .secrets.redisca.trustpoint }} nointeractive {{ .secrets.redisca.value }} quit + # Import PKCS12 certificate for SSL connection crypto ca import {{ .secrets.mypkcs.trustpoint }} pkcs12 {{ .secrets.mypkcs.password }} nointeractive {{ .secrets.mypkcs.value }} diff --git a/samples/ra-vpn/redirector-lb/redis-ca.yaml b/samples/ra-vpn/redirector-lb/redis-ca.yaml index dde2418..c75aa96 100644 --- a/samples/ra-vpn/redirector-lb/redis-ca.yaml +++ b/samples/ra-vpn/redirector-lb/redis-ca.yaml @@ -1,3 +1,10 @@ +# This establishes trust between AWS Elasticache and your cluster. This cert +# doesn't often change, so most of the time you can just apply this +# secret directly. However, if you want to ensure you have an +# up-to-date cert you can issue the following command: +# +# kubectl exec -it -n sfcn-system -c asac -- bash -c "echo QUIT | openssl s_client -connect :6379 -showcerts" +# The intermediate cert should be captured and applied into this secret value. apiVersion: v1 kind: Secret metadata: 
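Review bot: `hostname redirector` is dropped with no replacement and the commit message does not say why; with `redirect-fqdn enable` in the next hunk, my understanding is that the ASA derives the FQDNs it hands to clients from each unit's hostname plus `domain-name`, so the hostname is part of the redirect contract rather than cosmetic — confirm against the operator's own hostname handling. If the operator sets the hostname itself, a comment saying so would stop someone re-adding the line; otherwise keep it. The default route here also omits the metric the enforcer sample uses (`route outside 0 0 … 1`); harmless, but worth aligning.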
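Review bot: The new comment on `domain-name vpn.domain.com` says it is required for FQDN redirects and SSL, but the constraint a reader actually needs is that this exact name must match the Route53Ingress record and be covered by the SAN of the PKCS12 imported below, otherwise clients would be expected to see a certificate mismatch on the redirect target. Suggest `# Must match the Route53Ingress recordSetName and be covered by the imported PKCS12's SAN; redirect-fqdn returns names under this domain.`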
@@ -5,8 +12,6 @@ metadata: namespace: sfcn-system stringData: trustpoint: redisca - # Change to your redis issuer certificate. - # Use the following command: kubectl exec -it -n sfcn-system -c asac -- bash -c "echo QUIT | openssl s_client -connect :6379 -showcerts" value: | MIIESTCCAzGgAwIBAgITBn+UV4WH6Kx33rJTMlu8mYtWDTANBgkqhkiG9w0BAQsF ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6 From e7b52934b6fdce4c54658fbe297914ac16712a25 Mon Sep 17 00:00:00 2001 From: Jared Hancock Date: Tue, 14 Sep 2021 17:52:49 -0500 Subject: [PATCH 5/6] fixed typo in comment --- samples/ra-vpn/redirector-lb/ca-certificate.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/samples/ra-vpn/redirector-lb/ca-certificate.yaml b/samples/ra-vpn/redirector-lb/ca-certificate.yaml index 2253c34..7a65ff6 100644 --- a/samples/ra-vpn/redirector-lb/ca-certificate.yaml +++ b/samples/ra-vpn/redirector-lb/ca-certificate.yaml @@ -1,6 +1,6 @@ # This certificate is provided by you. It is a PKCS12 formatted cert # generated on the domains used in your Route53Ingress config. -# For VPN Redirector tolology, this should be a wildcard cert which +# For VPN Redirector topology, this should be a wildcard cert which # covers the parent and subdomains used for VPN. # # Example: if using "domain.com" as the parent domain, with From 78224afe9da1950ad45e0699479376151e899a9d Mon Sep 17 00:00:00 2001 From: Jared Hancock Date: Tue, 14 Sep 2021 17:55:50 -0500 Subject: [PATCH 6/6] used dummy value in simple ravpn sample --- samples/ra-vpn/route53-vpn/route53-vpn.yaml | 144 +++++--------------- 1 file changed, 34 insertions(+), 110 deletions(-) diff --git a/samples/ra-vpn/route53-vpn/route53-vpn.yaml b/samples/ra-vpn/route53-vpn/route53-vpn.yaml index 04c598f..1ae6318 100644 --- a/samples/ra-vpn/route53-vpn/route53-vpn.yaml +++ b/samples/ra-vpn/route53-vpn/route53-vpn.yaml 
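Review bot: The `kubectl exec … openssl s_client -connect :6379 -showcerts` command in the new header has lost its pod-name and host arguments (nothing follows `-c asac` before `--`, and nothing precedes `:6379`), so it cannot be run as written; restore the placeholders, e.g. `kubectl exec -it -n sfcn-system <asac-pod> -c asac -- bash -c "echo QUIT | openssl s_client -connect <redis-host>:6379 -showcerts"`. More importantly, capturing whatever certificate the live endpoint presents and committing it as the trust anchor is trust-on-first-use; the comment should tell the reader to verify that the captured intermediate chains to Amazon's published root before applying it, e.g. `# Verify the captured intermediate's issuer against Amazon's published root CA before trusting it; do not blindly pin what the connection shows.`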
@@ -74,6 +74,15 @@ spec: accessKeyField: "access_key" secretKeyField: "secret_key" --- +# This certificate is provided by you. It is a PKCS12 formatted cert +# generated on the domains used in your Route53Ingress config. +# For VPN Redirector topology, this should be a wildcard cert which +# covers the parent and subdomains used for VPN. +# +# Example: if using "domain.com" as the parent domain, with +# "us.domain.com" and "eu.domain.com" as subdomains, your wildcard +# should include "*.domain.com", "*.us.domain.com", and "*.eu.domain.com" +# apiVersion: v1 kind: Secret metadata: 
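Review bot: The header copied into the route53-vpn sample tells users to generate a wildcard covering `*.domain.com`, `*.us.domain.com` and `*.eu.domain.com` "for VPN Redirector topology", but this sample has no redirector or regional subdomains (the commit itself calls it the simple ravpn sample), so the advice asks for a far broader certificate than a single endpoint needs. Scope the comment to this topology, e.g. `# For this single-endpoint sample the cert only needs to cover the name in your Route53Ingress recordSetName; a wildcard is not required.` A narrower certificate limits what a leaked key can impersonate.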
@@ -82,108 +91,23 @@ metadata: stringData: trustpoint: ssltp password: test - # Change to your own CA Certificate value: | MIIS2gIBAzCCEqAGCSqGSIb3DQEHAaCCEpEEghKNMIISiTCCDQcGCSqGSIb3DQEH BqCCDPgwggz0AgEAMIIM7QYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIh63X 549tUD0CAggAgIIMwHVhJkKRWCORnqaj4ixxBJL80fmIH327kRtftzBY59Rjz93s ZwNibpOx2/UadS+LYaB9G9+ZfK38fxyRkPIejME1BEQXhok3uhlijFqaoCpAY5xz - 9uJK5fOBxuOzGaImc8I1Y5+S+NE6kNv+UJxJvQkgiId5WUt9ziTC31Kcb9DFTtUT - 1kAj1//nry3QWuOHkT5qkBFq03ZLFlzYJi8IJNYbmqf76K4HgKtjLl3k89qc6/3b - +jlryN0bsK1xacKlfSXMQO20g8R2+NdTIFBGQKj59YF1vfL1jQa0RN4tR7gFRDvE - eH5MNegdgcI9ZjODaJUvzKIjyBUhFwry0OLTy+kJs7hHTQfMwj0L+km4BLhl5s+H - YE6wiBmWmgwgFHPas8I3lx75wTeu3wEXu+xXSdA33xOA/UfavgukVOYRwiuJaEoc - lYdH0wcgYh33pYQ0JpttvFoLtTzo3fyw+qnPSugs3CLovxGWIyVV/VEGkGWE7tPe - /CkOJa8wNrI8bLgpFBnc11+FQ0PIhsDA9pQ51CQ+xf6ydxW7SCQZQXjDxr7OLZ8b - AqFzaZh45dtLKks0kv+zk1CPvnefyKdveA9hXUVjaydnLMWYYFpXB6tnckKKQ48a - W1L54Rzk5j2+AAkckA7FcmAAZkwAfQUxQtAlv7XqW5bRqukDtNPBhGW+Da7KGtBi - /9GiudWrGe0kbIPO9VkUNDHJC/+7RofkIZyRGRJ4MFDOV5HfF0ak5TGT5lKgotv+ - JOz4XpwejLM0lLJuxGOY8Fu19dJKkyZ7wj/5/gj4K2aqyGm3zKsssv34eT4iTxWQ - 11RUJZQF/oHWmYNv+IKH1mjNoHFhWpOSUwxBwZnaqMsGr21r6UBvOSOtO8bWpMdg - cbCAuIcx/rnYaSpM0UFbeQSJmS7GXRMjJjfB1vQJmwtBp654YHy16UmP3dqmjRGG - NlRPEbKn6Mj096O7wMhOEIstlWQ/AZAWpYF43tFYDs3jDCdyo3/0ZZzaG5NodLVG - g0GW2UVVlISXJdRgmCVuAREA9BJRBiLbC7bMdDxIaJ0XxOzKgY/e+JOozwlW0evv - R9MMyTNm7LI0K9kUzrsAcdWSaQxCeS/EJM7z9AU3641AoQIGjKQaUmdWGlNSJdV6 - s2JHBDdgeAXfRk3bMAFo8eAsnKuWT/QvMV2eqcRfylv1LzteVpJcsAJyIYe5Ge5M - gnqgrPpVQDdUjglsBruQQfKZlUimLdyGsCZJxmQJwhGbRdD6dxhs8V20dANmbxOA - sqF77/EwGOjMtL5g3BGfwWDeKwf3LyS0awk8Zx+ZGKJjg97DNZYbqVbPpYo4VYi9 - k/YD7JF12pyZjhGiOXjZhtjw+92AWi/v6a2czO+X6As8ws5ZkP+OzsY95kJ69B1a - X7AU6/Y8Ix0kSQaONYzdlL+ivQ3EC1ANDpGfDhlgB4gHCCTi0CSRUp9S5/0Doo0d - bWvIeKGoluu92tOxeWWaP0z2Sj9uorrbekqbTFzWBNmru+HIkcwdRs21R/eaMAJu - QNV/BF/t7GojmDZov4g6a1ltvpxAl0WC+9+u3mPaa+A9CR9BAW97KRSW/nVCUhP7 - b1XWXNrrump5DjNKaluSCs2OOvtUDZl0P/Qk7C+NNGhmZif4c4yDtHCU69J8FoK9 - 
zWJT941axYgSGQkIuaMo8NeXCYsWp6kwHh1LH+3v9AbqOnMFuxE/jIUVFhGoj1Jz - u59AYG+SZn8aZe16XC3NqroeiyiK2BU/4Hiky9wmDsKTLHKrDpPjaMJWVgIxQYkY - AX1WRJgmClhrb7epxmb+MleO+t3zvpDHMy2b60afrR8/GmZmr++CWXJTTX2r2J1k - /uGVB5SAUoSulW+4I4CjETww+hab3UnF7yEugeg7eyI62dA/R9Q7yESuMwATmyhm - CWs3Why9MiFxJAfqaeyGKPFnphB7QD+1F10Wz8Qj6S73pP7d+xhmEigHbIs6apVX - j1HfwGKSRSkrjDhBpBRjaYN/D07ipZE7IkTHwhrLy4bJoDfXDlp6oH3eAwEX9xnK - 22VtEWbmJ3Wzggwi77qb3EK5z6l6exVtn1lbFAKHlCO70Fl4U0YAYGlSqGtUQ6rG - X6cwxn1aY7loZfk+i4aONmPNHtOd6BNFnVVXKAbEjxsNguDivSPH+6z8KyhQEr5M - l4znmL0aMqnibpelDqOMnz43k/RcaLjTNyXdKyETOs4IoKYoD2dApSH9J8ouZ4mx - lFQOdLd2G5wHV7Y/G52fp2l2AzaZWovPVWzeYffxGhpeycTeP04jQnVlXc1/0l4i - VTXKi1//C+aky/PkLMQif8VbbBpP/31eLgXnS1uYkVxg2lvSTkdM5I32b6TMhPT7 - zI/tU+x4RsIi+zx4fPTVrhyOB/oMzkHkBQyYLd5g37fpiAOxnZiod4X4ALIC6de2 - Ybqv1vi4Kduh5sAozhiSM3wpemtKr6X7wvzR5RftcPOWM2AE9MR15aMSRLVjoxGQ - Wn1K+zxoNZX0PCFTGmMDkU/DRH2abAqCaxuN4iQO98LaIVJfcyI3YeVBd3mAhX4u - vkZ5fcPFReYW6FknJY0cMqlFP4/aHNmiAEZla3OO2xCCxsjNgFfv0d+9hzlQaPeu - xYF/BGICncYllVYNG1Sfst+y7/UW/OSSrEtCy/gf/JKrGLA9xN/hVFssmonIjMBy - MYyJDM0cesMC1Fus8rESAhQ+swbhPI8jVOk5wB0NrnOLz13FMAVbEzY7HpXy0Rcc - 6ELhKVFLzWeH2Tl/omuAKvUttZfqF75z6NJhx2DZe7HOgnV78ESYNlbAFBOEq91C - zlN4rSMC3gtUeTFT78Zc1X/QvbvJ59zmqHg3mGNA0kyCK3o9c84HW1CZ0oZ7aLD6 - qeYHkceFP65AKo1kCQGTGO+GzffhqnsKBFo5Vo56QKAu/IOyTuvUHHiOhM/Llj8f - YycuZUL3Qtahq2gJJXSoRsRzK8BPy/IZ2Zo7YtUYvfDv1Ks2rRaP8VT8z6tTUwwl - udMYibYzZ+8bj5C6O75ng9+k9f7/SNwzts3Pi4zEChHbO+med3vNdpfyYjyMJLTL - 955lSPCAeLCTaWSjMHRIap6sCKsXfn51/YV9tnG8XCLh3ImpZ6LNGEU3QObhPVqK - 3vYKNi5MG1/C9RGUYB0bUFLgZTfKm2jyHCkN35EqtFRQwQ9iuhJVYc+g6xCTmVRc - DhulhN9BW9pW4WUlE4Vnejd+yplnhKjCZWWeOApqfEciLWTSCK7o8K0WCIp/NegF - YNJxfz5neXipXWooU/g6XdWxbig7BEw9Zt1dhuChxC8AJhg7HdxNv68o7tKB/Ln+ - VRcJdqBGNOq8ekVAJtE/DCkOfb4vso/j4r91oqzo20r0Rw6yral+JpWzJvlq9Fbx - JRhttK/fG8bz9giJjIw1jtFegfOMZcBkVNktNeEpgIL0t9iMhPjRi4ykZeCdIE8C - LlM3O+Xy81Msq4a0mH4QQpEdiTTFm223utDoZCjAnpakrFclEOxVSiVqny5t97P/ - 
krcaYKnq6bmab2oXj1Uj0KwW1xNw9PU7x4ZUpx3FHRWPLfbrbsDI1h+SBLH9uQdd - Xd6Ko6RJxb7tajbFBYIXmtLhBi0B/Zn871AaHZLU0IG3PerrNkeOBL/5b/IJJqnx - RSEFPt1Wl3W725APsWHXQCpWtEPA4I1ATRRI6U8LbUksGjApLpt1VqIQGG9FlVQK - 2d6szUKsciKX1Ah/aWKW/g0e+XTYasmE5pYAFP/uDKFpcZy2XF28NcCnA2ukKO/A - F1Z1MobDOgr/efZWPDlO1DupX65Q1LRhwsAu4JJjcB15Usdlx0pXexm6UZ+5EhaS - b2mkl0L4h9ilYl8TQx2jKGQ/LtRD5UaYjiCs2ROkzbLt/SMixWHBjfBKlc/vVdxf - zgogcGF/C7i5FVsii4hnfion5SidoL4JXddWtwuCG7A2coDw8JTyruHXeyGuuy5u - 54HHBv+PHzQ3bnIT1aMADvapo+MIE4PInFQZGHdq8d37F0wgisH6bJc+FcK9qKl/ - SATp5UFlPvnB1CliZ0VB+iwxtjbu3hgwmS18OcZuFoeSlmjgR7AoaOp5pjr5fCA5 - iclOZMCFq2jnfLtepalPzJFFcc3RDOI3aDbqFmVkmQWX7f7lwQMSjXJ9xq6mf0p7 - bFBdB153uQeJlkpu7nmuL1NPT7jhw3UCxEJZ7UP4bzxigvMEycUUH9cln4nLpSLb - mVw9Ibe918wOuzkBxPrasRGF1p1eWCKAx6CldZlN1FBPWPx7oCF4Qh4X7iWuOEjq - TEukZhssTymYDc3SUq33gU/kzsyrRgLXFFl8JaEHv5H04rKeboB09DF2pr/qQU/q - SY35bMckfkwIrBXnkDCCBXoGCSqGSIb3DQEHAaCCBWsEggVnMIIFYzCCBV8GCyqG - SIb3DQEMCgECoIIE7jCCBOowHAYKKoZIhvcNAQwBAzAOBAiOc2uYfUs5/AICCAAE - ggTIj7mC9S+YQYBp+9K6rRbmMTCmbmZBMPzZJwdx/A+bRH74zAPDQGmNc5wgmm3+ - e28tCx7TNJ71Hee+wgTC1xe1zPu3LUcalr6WWiPWkPcXCe2og+YiqLPpyviu/bkZ - SHX29FWUe+MW21dIsN+gd8HM1FUzoCo6P5r1IL2ytyEvX7RNpIM3GPtyHEjYNAkH - WK2ECtVhSyVgthhjBkc6sSIWS28JYYkOBXkYKZFF4Nct6zdxhBL5u+c+APOrcJSq - FpM45W5jUo+w+1UWQ7qLYyxV/iKiYASQHVNLcKVw6wtfWhDEMxOLuyJG5SDM7S0C - 5i+cedL2tVbKK13HC2bhKH4kYClpkTctEnjbGiiEopfElGq9cdYxz/qEX5mWhU/v - UdTw8sWTYYyg2ZlYy41KXdE12tiXXNg4PnH9ho9QQua8JRYYnbdE3d6LTBy0/TP0 - UtQA60FN4C6+CixN7zHu48HlbwYga5qZFsWJp+OTChdsK63h1TNHZHT/m1E1h8Wt - R4NbpTnaYszUJp9TdaU/eizHq3/675gfKGDv3gnpvxezZk8DaYOzRBHTTgRK55iB - I1e/RESY9E7L/ASi8rr7zBkCx3KSFT+1qdIPoRS9YJ7ZghW3fg7agEAZEyPWzMGW - 5bRN8TCZk/FfXlzsuzzR0aEY4EqaXUoLsgYLVnuVSfWZTK2VI7Hsljyi8vbcw2Eg - EMFIqiEIZV0bD/QzHSR2QZADsgf22RewZaynKg4xju3d+SzzElGS243v5Z3KaQju - pK3Ty9C690dJw0Hhea05Ld0G5fTGgh7R+V2qREZtKTOKIIVob1+LpaLxkkVAmKvp EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs - 
NOxZTFvzmOK/ReAbAof2gp8HMpNDqpIrHliS6zj/2jvvy/2dkQLswwrwTIN4nps4 - sFWMx9bC/UE2gXkT0RG/lzSyu6BwElx6Bob93vSG6DQSi5WNs6Lfz2YEOrzkTjRw - gWkafU22nyFSPDy8SSTOR5nXP4q+OYlAMAcx0F8PbThKTZdSNa0N1RGj7jVddAkp - xVpid+Si4Nuoh/Gq4jIMpexIpMKgtHFng9AUxqL99xv4PFXzGSD2T/+Kmber6Jpf - gaUtXw1X5PJzlBXb5+5Bw3LnhYXKXykMKPhQ8E9Lr2wvycnC0/Xn1/l792PRj0Ii - akXRw/X9L/Ss/cY7c1X0GyS1u7mXxbgHPSkbCnhLtVNC49xT43Dn35vHgfqKKDy8 - t7se7rG/fDCE1S27xxywHnbhuOFcB5CUpdhvwk2+bUQMHaeKFscyY2BtwhzxQwsf - 53LrVosGd7RpKAXTb9EX23qMm/cTMBpB7bwe6oZFQxfRoAjjZyfuaEkXdu2YuivQ - g9hUZDEPZSZRcp0ZROlFV5a5EbWQG/ofHMtVFSotNwJyqU0LiYih7VAfdoA1XplZ - zFQgmO+IfUhOKMdkjCl8AR+gjERmjwiBnetATZETsM+g/mXAbkaslTZ0l2PUX/uK - U8sArPvJ46pC47JtlIJ2kgWcXe9PchFJ8OsWdGQ1luscefar0GFsKCHBJRkmbc4V - NB/qKalRbzpZyLHKvLGwR+eSZcJNgMR1tgnaMV4wIwYJKoZIhvcNAQkVMRYEFDU2 - NwYrJrvSiWR8adr1GPsUvcVcMDcGCSqGSIb3DQEJFDEqHigAbQB1AHMAaABlAHQA - aAAuAGsAYQBzAGEALQB2AHAAbgAuAGMAbwBtMDEwITAJBgUrDgMCGgUABBTXA3/u + EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs + EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs + EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs + EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs + EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs + EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs + EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs + EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs + EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs + EZF8S6wcSGkeu7444GAVfcQjiPH54T5QEST07GlGlQjObO6K4CtC2E9YQPFOyGFs + MRpjKvfSuc8qmM5TPxnLJwQILJ/u4ij4txACAggA --- apiVersion: cnfw.cisco.com/v1 
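Review bot: This is the third copy of the same PKCS12 placeholder and `password: test` in one patch series, and nothing marks the value as fake: it opens with the first four base64 lines of the previously committed bundle and then repeats a single filler line, so a reader cannot tell whether it is meant to import. Use one obviously synthetic placeholder across all three samples (for example `value: REPLACE_WITH_BASE64_PKCS12`) and annotate the passphrase, `password: test  # replace with the passphrase used when exporting your PKCS12`, so a copy-paste deployment fails at import instead of running with the sample passphrase. The deleted blob remains in git history, so if it was ever real the key should be rotated rather than merely removed.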
@@ -219,7 +143,7 @@ metadata: # EP's node interface index that will be used as route target aws.cnfw.cisco.com/interface-index: "3" # AWS Route Table ID that will be synced with assigned subnets. - # This should be the table that includes your outside and inside networks, usually named "Public Subnets" + # This should be the table that includes your outside and inside networks, usually named "Inside Subnets" aws.cnfw.cisco.com/route-table-id: spec: address: "10.10.0.0" @@ -248,18 +172,18 @@ spec: - "ravpnpool" cliLines: | interface Management0/0 - no management-only - nameif management - security-level 0 - ip address dhcp + no management-only + nameif management + security-level 0 + ip address dhcp interface TenGigabitEthernet0/0 - nameif outside - security-level 0 - ip address dhcp + nameif outside + security-level 0 + ip address dhcp interface TenGigabitEthernet0/1 - nameif inside - security-level 100 - ip address dhcp + nameif inside + security-level 100 + ip address dhcp route outside 0.0.0.0 0.0.0.0 {{ index .nodeLabels "sfcn.cisco.com.interface.2/gateway-ipv4" }} 1 route inside 10.37.0.0 255.255.0.0 {{ index .nodeLabels "sfcn.cisco.com.interface.3/gateway-ipv4" }} 2 ip local pool AC_Pool {{.ipv4SubnetPools.ravpnpool.assignedRange}} mask 255.255.255.0 @@ -289,10 +213,10 @@ spec: username {{ .secrets.userinfo.username }} password {{ .secrets.userinfo.password }} privilege 15 tunnel-group AC_Profile type remote-access tunnel-group AC_Profile general-attributes - address-pool AC_Pool - default-group-policy GroupPolicy_AC_Profile + address-pool AC_Pool + default-group-policy GroupPolicy_AC_Profile tunnel-group AC_Profile webvpn-attributes - group-alias Anyconnect enable + group-alias Anyconnect enable crypto ca import {{ .secrets.mypkcs.trustpoint }} pkcs12 {{ .secrets.mypkcs.password }} nointeractive {{ .secrets.mypkcs.value }} quit
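Review bot: The rewritten comment on `aws.cnfw.cisco.com/route-table-id` is self-contradictory: it says the table "includes your outside and inside networks" yet is "usually named "Inside Subnets"", and an outside network does not belong in an inside-subnets table. Since this ID decides which route table receives the VPN pool routes, the guidance should be unambiguous, e.g. `# This should be the table that includes your inside networks, usually named "Inside Subnets"`. The annotation itself is still left empty in the sample, so a reader following the comment should also be told to fill it in.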