Merge pull request #81 from jgilfoil/feature/vpn

shift network policy back to stand alone
jgilfoil · Feb 29, 2024 · d08f9d5 · d08f9d5
2 parents 45d6cbe + e6e8d57
commit d08f9d5
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 22 deletions.
diff --git a/kubernetes/apps/network/vpn-gateway/app/helmrelease.yaml b/kubernetes/apps/network/vpn-gateway/app/helmrelease.yaml
@@ -91,19 +91,8 @@ spec:
             memory: 10M
 
         networkPolicy:
-          enabled: true
+          enabled: false
 
-          egress:
-            - to:
-              - ipBlock:
-                  cidr: 0.0.0.0/0
-              ports:
-              # VPN traffic
-              - port: ${SECRET_VPN_GATEWAY_PORT}
-                protocol: UDP
-            - to:
-              - ipBlock:
-                  cidr: 10.0.0.0/8
     settings:
       # -- If using a VPN, interface name created by it
       VPN_INTERFACE: wg0
@@ -114,19 +103,17 @@ spec:
       # -- Traffic to these IPs will be sent through the K8S gateway
       VPN_LOCAL_CIDRS: "10.0.0.0/8 192.168.1.0/24"
       NOT_ROUTED_TO_GATEWAY_CIDRS: "10.0.0.0/8 192.168.0.0/24"
-      # VXLAN_ID: 43
-      # VXLAN_IP_NETWORK: 172.16.1
 
     # -- settings to expose ports, usually through a VPN provider.
     # NOTE: if you change it you will need to manually restart the gateway POD
-    # publicPorts:
-    # - hostname: transmission
-    #   IP: 10 # must be an integer between 2 and VXLAN_GATEWAY_FIRST_DYNAMIC_IP (20 by default)
-    #   ports:
-    #   - type: udp
-    #     port: 27071
-    #   - type: tcp
-    #     port: 27071
+    publicPorts:
+    - hostname: transmission
+      IP: 10 # must be an integer between 2 and VXLAN_GATEWAY_FIRST_DYNAMIC_IP (20 by default)
+      ports:
+      - type: udp
+        port: 27071
+      - type: tcp
+        port: 27071
 
     routed_namespaces:
     - testing

diff --git a/kubernetes/apps/network/vpn-gateway/app/kustomization.yaml b/kubernetes/apps/network/vpn-gateway/app/kustomization.yaml
@@ -5,3 +5,4 @@ kind: Kustomization
 resources:
   - ./helmrelease.yaml
   - ./secret.sops.yaml
+  - ./networkpolicy.yaml
diff --git a/kubernetes/apps/network/vpn-gateway/app/networkpolicy.yaml b/kubernetes/apps/network/vpn-gateway/app/networkpolicy.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: vpn-pod-gateway
+  namespace: network
+  labels:
+    app.kubernetes.io/instance: vpn-gateway
+    app.kubernetes.io/name: pod-gateway
+spec:
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/instance: vpn-gateway
+      app.kubernetes.io/name: pod-gateway
+
+  egress:
+    - toCIDR:
+        - 0.0.0.0/0
+      toPorts:
+        - ports:
+            - port: "${SECRET_VPN_GATEWAY_PORT}"
+              protocol: UDP
+    - toEntities:
+        - cluster