Merge pull request #71 from jgilfoil/feature/vpn
add pod-gateway vpn back in
jgilfoil authored Feb 28, 2024
2 parents 3a3da49 + 48d72c4 commit f691619
Showing 12 changed files with 176 additions and 40 deletions.
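--- a/kubernetes/apps/network/kustomization.yaml
+++ b/kubernetes/apps/network/kustomization.yaml
@@ -8,4 +8,4 @@ resources:
 - ./external-dns/ks.yaml
 - ./ingress-nginx/ks.yaml
 - ./k8s-gateway/ks.yaml
-# - ./vpn-gateway/ks.yaml
+- ./vpn-gateway/ks.yaml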
99 changes: 62 additions & 37 deletions kubernetes/apps/network/vpn-gateway/app/helmrelease.yaml
Expand Up @@ -3,9 +3,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: vpn-gateway
# labels:
# Avoid variable substitution of shell variables bellow
# kustomize.toolkit.fluxcd.io/substitute: disabled
spec:
interval: 5m
chart:
Expand All @@ -19,18 +16,23 @@ spec:
namespace: flux-system
#See https://github.com/angelnu/helm-charts/blob/main/charts/apps/pod-gateway/values.yaml
values:

image:
repository: ghcr.io/angelnu/pod-gateway
tag: v1.10.0
tag: v1.8.1@sha256:690b6365728fe9012ad4cdfca38334992664596513dca187d1b93d2025205776

podAnnotations:
reloader.stakater.com/auto: "true"

DNS: 172.16.1.1

addons:
vpn:
enabled: true
type: gluetun
gluetun:
image:
repository: docker.io/qmcgaw/gluetun
tag: v3.37.0
tag: v3.35.0@sha256:a98d1ec99e09a1b806aff7f0c3d8a133a8ede7d3d7a250b62029a39a61f01525

env:
# - name: VPN_SERVICE_PROVIDER
Expand All @@ -43,6 +45,10 @@ spec:
value: "off"
- name: DOT
value: "off"
- name: LOG_LEVEL
value: "debug"
- name: HEALTH_VPN_DURATION_INITIAL
value: 30s
# - name: WIREGUARD_PRIVATE_KEY
# value: set in secret
# - name: WIREGUARD_PRESHARED_KEY
Expand All @@ -56,7 +62,6 @@ spec:
- secretRef:
name: vpn-gateway-config


# livenessProbe:
# exec:
# command:
Expand All @@ -67,20 +72,40 @@ spec:
# periodSeconds: 60
# failureThreshold: 3

networkPolicy:
enabled: true
resources:
requests:
cpu: 5m
memory: 64M
limits:
memory: 64M
securityContext:
capabilities:
add:
- NET_ADMIN

netshoot:
enabled: true
resources:
requests:
cpu: 5m
memory: 10M
limits:
memory: 10M

# networkPolicy:
# enabled: true

egress:
- to:
- ipBlock:
cidr: 0.0.0.0/0
ports:
# VPN traffic
- port: ${SECRET_VPN_GATEWAY_PORT}
protocol: UDP
- to:
- ipBlock:
cidr: 10.0.0.0/8
# egress:
# - to:
# - ipBlock:
# cidr: 0.0.0.0/0
# ports:
# # VPN traffic
# - port: ${SECRET_VPN_GATEWAY_PORT}
# protocol: UDP
# - to:
# - ipBlock:
# cidr: 10.0.0.0/8
settings:
# -- If using a VPN, interface name created by it
VPN_INTERFACE: wg0
Expand All @@ -89,28 +114,28 @@ spec:
# -- If VPN_BLOCK_OTHER_TRAFFIC is true, allow VPN traffic over this port
VPN_TRAFFIC_PORT: ${SECRET_VPN_GATEWAY_PORT}
# -- Traffic to these IPs will be sent through the K8S gateway
VPN_LOCAL_CIDRS: "10.69.0.0/16 10.96.0.0/16 192.168.1.0/24"
VPN_LOCAL_CIDRS: "10.0.0.0/8 192.168.1.0/24"
NOT_ROUTED_TO_GATEWAY_CIDRS: "10.0.0.0/8 192.168.0.0/24"
VXLAN_ID: 43
VXLAN_IP_NETWORK: 172.16.1

# -- settings to expose ports, usually through a VPN provider.
# NOTE: if you change it you will need to manually restart the gateway POD
publicPorts:
- hostname: transmission
IP: 10 # must be an integer between 2 and VXLAN_GATEWAY_FIRST_DYNAMIC_IP (20 by default)
ports:
- type: udp
port: 27071
- type: tcp
port: 27071
# publicPorts:
# - hostname: transmission
# IP: 10 # must be an integer between 2 and VXLAN_GATEWAY_FIRST_DYNAMIC_IP (20 by default)
# ports:
# - type: udp
# port: 27071
# - type: tcp
# port: 27071

routed_namespaces:
- media
- testing
webhook:
image:
repository: ghcr.io/angelnu/gateway-admision-controller
pullPolicy: Always
tag: v3.9.0
gatewayDefault: true
# gatewayLabel: setGateway
# gatewayAnnotation: setGateway
namespaceSelector:
label: "vpn-routed-gateway"
tag: v3.9.0@sha256:4e169da5af107a9c6c784d3e03c89da07fad45f18358ab5b7177662df12d955a
gatewayDefault: false
gatewayLabel: setGateway
gatewayAnnotation: setGateway
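Review bot: The NetworkPolicy that limited the gateway's egress to the VPN UDP port and 10.0.0.0/8 is now commented out (`# networkPolicy:` / `# enabled: true` and the commented `# egress:` block), while the same hunk grants the pod `NET_ADMIN` and adds a netshoot sidecar, so any egress restriction now rests entirely on gluetun's own firewall and the `VPN_BLOCK_OTHER_TRAFFIC` setting, which this hunk only references in a comment. If the policy was disabled to debug the VXLAN/DNS path, re-enable it once that works (`networkPolicy:` / `enabled: true` with the egress entries restored), or leave a comment saying why it is off so it is not mistaken for the intended steady state. Widening `VPN_LOCAL_CIDRS` to `10.0.0.0/8` means anything in that range bypasses the tunnel, so it is worth confirming that covers only the intended cluster and LAN ranges. `LOG_LEVEL: "debug"` on gluetun is noisier than production needs; if it stays, mark it as temporary. The removal of the webhook's `namespaceSelector` presumably widens which namespaces the admission controller evaluates, now gated only by the `setGateway` label/annotation with `gatewayDefault: false`; confirm that is intended.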
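--- a/kubernetes/apps/testing/kustomization.yaml
+++ b/kubernetes/apps/testing/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./namespace.yaml
+- ./vpn-routed-pods/ks.yaml
+- ./non-vpn-routed-pods/ks.yaml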
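--- a/kubernetes/apps/testing/namespace.yaml
+++ b/kubernetes/apps/testing/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+name: testing
+# labels:
+# kustomize.toolkit.fluxcd.io/prune: disabled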
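Review bot: The new `testing` namespace carries no Pod Security Admission labels, so the debugging pods placed in it (which this commit routes through the VPN gateway) run under whatever the cluster default is. Since the namespace is explicitly for scratch workloads, consider adding `pod-security.kubernetes.io/enforce: baseline` (or `restricted`) under `labels:` alongside the commented prune label, so a test pod cannot quietly acquire host namespaces or extra capabilities. If the cluster already enforces a default via an admission configuration, a comment noting that would make the omission deliberate rather than accidental.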
@@ -0,0 +1,6 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./non-vpn-routed-pod.yaml

@@ -0,0 +1,20 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: &name novpn
namespace: testing
spec:
replicas: 1
selector:
matchLabels:
app: *name
template:
metadata:
labels:
app: *name
spec:
containers:
- name: dnsutils
image: nicolaka/netshoot
command: ["/bin/bash", "-c", "--"]
args: ["while true; do sleep 30; done;"]
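--- a/kubernetes/apps/testing/non-vpn-routed-pods/ks.yaml
+++ b/kubernetes/apps/testing/non-vpn-routed-pods/ks.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+name: &app non-vpn-routed
+namespace: flux-system
+spec:
+targetNamespace: testing
+commonMetadata:
+labels:
+app.kubernetes.io/name: *app
+path: ./kubernetes/apps/testing/non-vpn-routed-pods/app
+prune: true
+sourceRef:
+kind: GitRepository
+name: home-kubernetes
+wait: false
+interval: 30m
+retryInterval: 1m
+timeout: 5m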
@@ -0,0 +1,6 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./vpn-routed-pod.yaml

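--- a/kubernetes/apps/testing/vpn-routed-pods/app/vpn-routed-pod.yaml
+++ b/kubernetes/apps/testing/vpn-routed-pods/app/vpn-routed-pod.yaml
@@ -0,0 +1,25 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: &name vpn-routed
+namespace: testing
+annotations:
+setGateway: "true"
+labels:
+setGateway: "true"
+spec:
+replicas: 1
+selector:
+matchLabels:
+app: *name
+template:
+metadata:
+labels:
+app: *name
+spec:
+containers:
+- name: dnsutils
+image: nicolaka/netshoot
+command: ["/bin/bash", "-c", "--"]
+args: ["while true; do sleep 30; done;"]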
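Review bot: `setGateway` is set only in the Deployment's own `metadata` (both `annotations` and `labels`), not in `spec.template.metadata`; a Deployment's labels and annotations are not copied to the pods it creates, and a pod-mutating admission webhook sees the pod object, so the routing marker likely needs to be on the pod template as well. Confirm against how the gateway admission controller matches before relying on this pod to prove VPN routing. The `nicolaka/netshoot` image is also unpinned (no tag or digest), which contrasts with the digest-pinned images in the helmrelease in this same commit; pin it, e.g. `image: nicolaka/netshoot:<version>@sha256:<digest>`. A long-lived pod running a shell loop is a convenient debugging foothold; if it is meant to stay, give it `resources` limits and a restrictive `securityContext`, or keep the `testing` namespace out of non-test overlays.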
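--- a/kubernetes/apps/testing/vpn-routed-pods/ks.yaml
+++ b/kubernetes/apps/testing/vpn-routed-pods/ks.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+name: &app vpn-routed
+namespace: flux-system
+spec:
+targetNamespace: testing
+commonMetadata:
+labels:
+app.kubernetes.io/name: *app
+path: ./kubernetes/apps/testing/vpn-routed-pods/app
+prune: true
+sourceRef:
+kind: GitRepository
+name: home-kubernetes
+wait: false
+interval: 30m
+retryInterval: 1m
+timeout: 5m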
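--- a/tests/vpn/novpn-pod.yaml
+++ b/tests/vpn/novpn-pod.yaml
@@ -2,7 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: &name novpn
-namespace: media
+namespace: testing
 spec:
 replicas: 1
 selector: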
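--- a/tests/vpn/vpn-routed-pod.yaml
+++ b/tests/vpn/vpn-routed-pod.yaml
@@ -3,7 +3,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: &name vpn-routed
-namespace: media
+namespace: testing
 annotations:
 setGateway: "true"
 labels: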
