diff --git a/kubernetes/apps/network/kustomization.yaml b/kubernetes/apps/network/kustomization.yaml index 73bc5b6c..81261c4d 100644 --- a/kubernetes/apps/network/kustomization.yaml +++ b/kubernetes/apps/network/kustomization.yaml @@ -8,4 +8,4 @@ resources: - ./external-dns/ks.yaml - ./ingress-nginx/ks.yaml - ./k8s-gateway/ks.yaml - # - ./vpn-gateway/ks.yaml + - ./vpn-gateway/ks.yaml diff --git a/kubernetes/apps/network/vpn-gateway/app/helmrelease.yaml b/kubernetes/apps/network/vpn-gateway/app/helmrelease.yaml index 6d7010d6..11b33761 100644 --- a/kubernetes/apps/network/vpn-gateway/app/helmrelease.yaml +++ b/kubernetes/apps/network/vpn-gateway/app/helmrelease.yaml @@ -3,9 +3,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: name: vpn-gateway - # labels: - # Avoid variable substitution of shell variables bellow - # kustomize.toolkit.fluxcd.io/substitute: disabled spec: interval: 5m chart: @@ -19,10 +16,15 @@ spec: namespace: flux-system #See https://github.com/angelnu/helm-charts/blob/main/charts/apps/pod-gateway/values.yaml values: - image: repository: ghcr.io/angelnu/pod-gateway - tag: v1.10.0 + tag: v1.8.1@sha256:690b6365728fe9012ad4cdfca38334992664596513dca187d1b93d2025205776 + + podAnnotations: + reloader.stakater.com/auto: "true" + + DNS: 172.16.1.1 + addons: vpn: enabled: true @@ -30,7 +32,7 @@ spec: gluetun: image: repository: docker.io/qmcgaw/gluetun - tag: v3.37.0 + tag: v3.35.0@sha256:a98d1ec99e09a1b806aff7f0c3d8a133a8ede7d3d7a250b62029a39a61f01525 env: # - name: VPN_SERVICE_PROVIDER @@ -43,6 +45,10 @@ spec: value: "off" - name: DOT value: "off" + - name: LOG_LEVEL + value: "debug" + - name: HEALTH_VPN_DURATION_INITIAL + value: 30s # - name: WIREGUARD_PRIVATE_KEY # value: set in secret # - name: WIREGUARD_PRESHARED_KEY @@ -56,7 +62,6 @@ spec: - secretRef: name: vpn-gateway-config - # livenessProbe: # exec: # command: 
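Review bot: Both image tags in the `values:` hunk and in the gluetun hunk below it move backwards (pod-gateway `v1.10.0` → `v1.8.1`, gluetun `v3.37.0` → `v3.35.0`) while gaining a digest pin, and nothing in the commit records why, so the next reader will read them as regressions and bump them again. Add a comment above each tag stating the reason, e.g. `# pinned back to v1.8.1: <reason> (<issue placeholder>)`, and the same above the gluetun tag. The new `DNS: 172.16.1.1` presumably is the gateway address on the `VXLAN_IP_NETWORK: 172.16.1` set further down the file; a comment such as `# keep in sync with settings.VXLAN_IP_NETWORK` would stop the two values drifting apart. The digest pins themselves are the right direction for a component that handles all VPN-routed traffic.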
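Review bot: `LOG_LEVEL: "debug"` on the gluetun container turns on verbose logging for the VPN client with no marker that it is temporary; debug output from a VPN client can carry connection and configuration details into the cluster's log pipeline, so either drop it before merge or annotate it, e.g. `# TODO: debug logging for the VXLAN routing tests — revert when done`. Quoting is also inconsistent within the hunk: `value: "debug"` is quoted while `value: 30s` is not, although both are strings like the surrounding `value: "off"` entries; write `value: "30s"`.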
@@ -67,20 +72,40 @@ spec:
 # periodSeconds: 60
 # failureThreshold: 3
- networkPolicy:
- enabled: true
+ resources:
+ requests:
+ cpu: 5m
+ memory: 64M
+ limits:
+ memory: 64M
+ securityContext:
+ capabilities:
+ add:
+ - NET_ADMIN
+
+ netshoot:
+ enabled: true
+ resources:
+ requests:
+ cpu: 5m
+ memory: 10M
+ limits:
+ memory: 10M
+
+ # networkPolicy:
+ # enabled: true
- egress:
- - to:
- - ipBlock:
- cidr: 0.0.0.0/0
- ports:
- # VPN traffic
- - port: ${SECRET_VPN_GATEWAY_PORT}
- protocol: UDP
- - to:
- - ipBlock:
- cidr: 10.0.0.0/8
+ # egress:
+ # - to:
+ # - ipBlock:
+ # cidr: 0.0.0.0/0
+ # ports:
+ # # VPN traffic
+ # - port: ${SECRET_VPN_GATEWAY_PORT}
+ # protocol: UDP
+ # - to:
+ # - ipBlock:
+ # cidr: 10.0.0.0/8
 settings:
 # -- If using a VPN, interface name created by it
 VPN_INTERFACE: wg0
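Review bot: The egress NetworkPolicy that limited the gateway pod to `${SECRET_VPN_GATEWAY_PORT}/UDP` on `0.0.0.0/0` plus `10.0.0.0/8` is commented out rather than fixed, so at the policy layer the pod can now reach any destination on any port, and the commit does not say why; any in-pod blocking (`VPN_BLOCK_OTHER_TRAFFIC` is referenced in the next hunk's comment) is a separate control and does not replace it. Either restore it or leave a comment stating the reason and the condition for re-enabling, e.g. `# networkPolicy disabled: <reason> — re-enable once <condition>`. `capabilities.add: [NET_ADMIN]` is presumably needed for a gateway that creates `wg0` and the VXLAN interface, but deserves its own one-line comment (`# NET_ADMIN: needed to create the VPN/VXLAN interfaces`) so it is not removed as an over-grant later. The `netshoot` sidecar adds a full network-tooling image to the gateway pod; if it exists only for these routing tests, say so and plan to set `enabled: false` afterwards. The enclosing `values:` block starts and ends outside this hunk.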
@@ -89,28 +114,28 @@ spec:
 # -- If VPN_BLOCK_OTHER_TRAFFIC is true, allow VPN traffic over this port
 VPN_TRAFFIC_PORT: ${SECRET_VPN_GATEWAY_PORT}
 # -- Traffic to these IPs will be sent through the K8S gateway
- VPN_LOCAL_CIDRS: "10.69.0.0/16 10.96.0.0/16 192.168.1.0/24"
+ VPN_LOCAL_CIDRS: "10.0.0.0/8 192.168.1.0/24"
+ NOT_ROUTED_TO_GATEWAY_CIDRS: "10.0.0.0/8 192.168.0.0/24"
+ VXLAN_ID: 43
+ VXLAN_IP_NETWORK: 172.16.1
 # -- settings to expose ports, usually through a VPN provider.
 # NOTE: if you change it you will need to manually restart the gateway POD
- publicPorts:
- - hostname: transmission
- IP: 10 # must be an integer between 2 and VXLAN_GATEWAY_FIRST_DYNAMIC_IP (20 by default)
- ports:
- - type: udp
- port: 27071
- - type: tcp
- port: 27071
+ # publicPorts:
+ # - hostname: transmission
+ # IP: 10 # must be an integer between 2 and VXLAN_GATEWAY_FIRST_DYNAMIC_IP (20 by default)
+ # ports:
+ # - type: udp
+ # port: 27071
+ # - type: tcp
+ # port: 27071
 routed_namespaces:
- - media
+ - testing
 webhook:
 image:
 repository: ghcr.io/angelnu/gateway-admision-controller
- pullPolicy: Always
- tag: v3.9.0
- gatewayDefault: true
- # gatewayLabel: setGateway
- # gatewayAnnotation: setGateway
- namespaceSelector:
- label: "vpn-routed-gateway"
\ No newline at end of file
+ tag: v3.9.0@sha256:4e169da5af107a9c6c784d3e03c89da07fad45f18358ab5b7177662df12d955a
+ gatewayDefault: false
+ gatewayLabel: setGateway
+ gatewayAnnotation: setGateway
diff --git a/kubernetes/apps/testing/kustomization.yaml b/kubernetes/apps/testing/kustomization.yaml
new file mode 100644
index 00000000..e7f1af05
--- /dev/null
+++ b/kubernetes/apps/testing/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./namespace.yaml
+ - ./vpn-routed-pods/ks.yaml
+ - ./non-vpn-routed-pods/ks.yaml
diff --git a/kubernetes/apps/testing/namespace.yaml b/kubernetes/apps/testing/namespace.yaml
new file mode 100644
index 00000000..c3735f4e
--- /dev/null
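Review bot: `VPN_LOCAL_CIDRS` and the new `NOT_ROUTED_TO_GATEWAY_CIDRS` disagree on the last range — `192.168.1.0/24` in one and `192.168.0.0/24` in the other — which looks like a typo in one of them; if the LAN is 192.168.1.0/24 as the existing `VPN_LOCAL_CIDRS` says, the new line should read `NOT_ROUTED_TO_GATEWAY_CIDRS: "10.0.0.0/8 192.168.1.0/24"`. Both lists also now cover all of `10.0.0.0/8` in place of the previous `10.69.0.0/16 10.96.0.0/16` pod/service split; a comment naming which networks that is meant to include would make the widening visibly deliberate. `routed_namespaces` drops `media`, `gatewayDefault` flips to `false` and `namespaceSelector` is removed, so routing presumably now happens only for pods carrying the `setGateway` label or annotation — a behaviour change for the media namespace that belongs in the commit message or a comment next to `gatewayDefault`. The enclosing `values:` block starts outside this hunk.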
+++ b/kubernetes/apps/testing/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: testing
+ # labels:
+ # kustomize.toolkit.fluxcd.io/prune: disabled
diff --git a/kubernetes/apps/testing/non-vpn-routed-pods/app/kustomization.yaml b/kubernetes/apps/testing/non-vpn-routed-pods/app/kustomization.yaml
new file mode 100644
index 00000000..9937dba8
--- /dev/null
+++ b/kubernetes/apps/testing/non-vpn-routed-pods/app/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./non-vpn-routed-pod.yaml
+
diff --git a/kubernetes/apps/testing/non-vpn-routed-pods/app/non-vpn-routed-pod.yaml b/kubernetes/apps/testing/non-vpn-routed-pods/app/non-vpn-routed-pod.yaml
new file mode 100644
index 00000000..598036f2
--- /dev/null
+++ b/kubernetes/apps/testing/non-vpn-routed-pods/app/non-vpn-routed-pod.yaml
@@ -0,0 +1,20 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: &name novpn
+ namespace: testing
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: *name
+ template:
+ metadata:
+ labels:
+ app: *name
+ spec:
+ containers:
+ - name: dnsutils
+ image: nicolaka/netshoot
+ command: ["/bin/bash", "-c", "--"]
+ args: ["while true; do sleep 30; done;"]
diff --git a/kubernetes/apps/testing/non-vpn-routed-pods/ks.yaml b/kubernetes/apps/testing/non-vpn-routed-pods/ks.yaml
new file mode 100644
index 00000000..54b10249
--- /dev/null
+++ b/kubernetes/apps/testing/non-vpn-routed-pods/ks.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app non-vpn-routed
+ namespace: flux-system
+spec:
+ targetNamespace: testing
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/apps/testing/non-vpn-routed-pods/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: false
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
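Review bot: `image: nicolaka/netshoot` in `non-vpn-routed-pod.yaml` carries no tag or digest, so the pod floats on whatever the default tag resolves to at each pull, unlike every other image in this commit, which is pinned to a digest; the same applies to `vpn-routed-pods/app/vpn-routed-pod.yaml` in the next section. Pin it (`image: nicolaka/netshoot:<tag>@sha256:<digest placeholder>`) and give the test pods resource requests and limits so they cannot crowd the node. The file also lacks the leading `---` that the sibling manifests use, and `namespace: testing` duplicates `targetNamespace: testing` in the Flux Kustomization that applies it (harmless, but one source of truth is easier to move). Blob ids `598036f2` and `e0be1054` match `tests/vpn/novpn-pod.yaml` and `tests/vpn/vpn-routed-pod.yaml` below, so the new files are byte-identical copies; keeping one copy avoids the two diverging.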
diff --git a/kubernetes/apps/testing/vpn-routed-pods/app/kustomization.yaml b/kubernetes/apps/testing/vpn-routed-pods/app/kustomization.yaml
new file mode 100644
index 00000000..034f8dc5
--- /dev/null
+++ b/kubernetes/apps/testing/vpn-routed-pods/app/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./vpn-routed-pod.yaml
+
diff --git a/kubernetes/apps/testing/vpn-routed-pods/app/vpn-routed-pod.yaml b/kubernetes/apps/testing/vpn-routed-pods/app/vpn-routed-pod.yaml
new file mode 100644
index 00000000..e0be1054
--- /dev/null
+++ b/kubernetes/apps/testing/vpn-routed-pods/app/vpn-routed-pod.yaml
@@ -0,0 +1,25 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: &name vpn-routed
+ namespace: testing
+ annotations:
+ setGateway: "true"
+ labels:
+ setGateway: "true"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: *name
+ template:
+ metadata:
+ labels:
+ app: *name
+ spec:
+ containers:
+ - name: dnsutils
+ image: nicolaka/netshoot
+ command: ["/bin/bash", "-c", "--"]
+ args: ["while true; do sleep 30; done;"]
diff --git a/kubernetes/apps/testing/vpn-routed-pods/ks.yaml b/kubernetes/apps/testing/vpn-routed-pods/ks.yaml
new file mode 100644
index 00000000..716742ca
--- /dev/null
+++ b/kubernetes/apps/testing/vpn-routed-pods/ks.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app vpn-routed
+ namespace: flux-system
+spec:
+ targetNamespace: testing
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/apps/testing/vpn-routed-pods/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: false
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
diff --git a/tests/vpn/novpn-pod.yaml b/tests/vpn/novpn-pod.yaml
index 67920ecd..598036f2 100644
--- a/tests/vpn/novpn-pod.yaml
+++ b/tests/vpn/novpn-pod.yaml
@@ -2,7 +2,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: &name novpn
- namespace: media
+ namespace: testing
 spec:
 replicas: 1
 selector:
diff --git a/tests/vpn/vpn-routed-pod.yaml b/tests/vpn/vpn-routed-pod.yaml
index 3b595de4..e0be1054 100644
--- a/tests/vpn/vpn-routed-pod.yaml
+++ b/tests/vpn/vpn-routed-pod.yaml
@@ -3,7 +3,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 name: &name vpn-routed
- namespace: media
+ namespace: testing
 annotations:
 setGateway: "true"
 labels: