Merge pull request #29 from jgilfoil/feature/vpn

deply vpn-gateway

kubernetes/apps/network/kustomization.yaml

@@ -8,3 +8,4 @@ resources:
   - ./external-dns/ks.yaml
   - ./ingress-nginx/ks.yaml
   - ./k8s-gateway/ks.yaml
+  - ./vpn-gateway/ks.yaml

kubernetes/apps/network/vpn-gateway/app/helmrelease.yaml

@@ -0,0 +1,116 @@
+
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: vpn-gateway
+  labels:
+    # Avoid variable substitution of shell variables bellow
+    kustomize.toolkit.fluxcd.io/substitute: disabled
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: pod-gateway
+      version: 6.5.1
+      interval: 15m
+      sourceRef:
+        kind: HelmRepository
+        name: angelnu-helm-charts
+        namespace: flux-system
+  #See https://github.com/angelnu/helm-charts/blob/main/charts/apps/pod-gateway/values.yaml
+  values:
+
+    image:
+      repository: ghcr.io/angelnu/pod-gateway
+      tag: v1.10.0
+    addons:
+      vpn:
+        enabled: true
+        type: gluetun
+        gluetun:
+          image:
+            repository: docker.io/qmcgaw/gluetun
+            tag: v3.37.0
+
+        env:
+        # - name:  VPN_SERVICE_PROVIDER
+        #   value: set in secret
+        - name:  VPN_TYPE
+          value: wireguard
+        - name:  VPN_INTERFACE
+          value: wg0
+        - name:  FIREWALL
+          value: "off"
+        - name:  DOT
+          value: "off"
+        # - name:  WIREGUARD_PRIVATE_KEY
+        #   value: set in secret
+        # - name:  WIREGUARD_PRESHARED_KEY
+        #   value: set in secret
+        # - name:  WIREGUARD_ADDRESSES
+        #   value: set in secret
+        # - name:  SERVER_COUNTRIES
+        #   value: set in secret
+
+        envFrom:
+          - secretRef:
+              name: vpn-gateway-config
+
+
+        livenessProbe:
+          exec:
+            command:
+              - sh
+              - -c
+              - if [ $(wget -q -O- https://ipinfo.io/country) == 'NO' ]; then exit 0; else exit $?; fi
+          initialDelaySeconds: 30
+          periodSeconds: 60
+          failureThreshold: 3
+
+        networkPolicy:
+          enabled: true
+
+          egress:
+            - to:
+              - ipBlock:
+                  cidr: 0.0.0.0/0
+              ports:
+              # VPN traffic
+              - port: ${SECRET_VPN_GATEWAY_PORT}
+                protocol: UDP
+            - to:
+              - ipBlock:
+                  cidr: 10.0.0.0/8
+    settings:
+      # -- If using a VPN, interface name created by it
+      VPN_INTERFACE: wg0
+      # -- Prevent non VPN traffic to leave the gateway
+      VPN_BLOCK_OTHER_TRAFFIC: true
+      # -- If VPN_BLOCK_OTHER_TRAFFIC is true, allow VPN traffic over this port
+      VPN_TRAFFIC_PORT: ${SECRET_VPN_GATEWAY_PORT}
+      # -- Traffic to these IPs will be sent through the K8S gateway
+      VPN_LOCAL_CIDRS: "10.69.0.0/16 10.96.0.0/16 192.168.1.0/24"
+
+    # -- settings to expose ports, usually through a VPN provider.
+    # NOTE: if you change it you will need to manually restart the gateway POD
+    publicPorts:
+    - hostname: transmission
+      IP: 10 # must be an integer between 2 and VXLAN_GATEWAY_FIRST_DYNAMIC_IP (20 by default)
+      ports:
+      - type: udp
+        port: 27071
+      - type: tcp
+        port: 27071
+
+    routed_namespaces:
+    - media
+    webhook:
+      image:
+        repository: ghcr.io/angelnu/gateway-admision-controller
+        pullPolicy: Always
+        tag: v3.9.0
+      gatewayDefault: false
+      gatewayLabel: routeToVPN
+      gatewayAnnotation: routeToVPN
+      namespaceSelector:
+        label: "vpn-routed-gateway"

kubernetes/apps/network/vpn-gateway/app/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./helmrelease.yaml
+  - ./secret.sops.yaml

kubernetes/apps/network/vpn-gateway/app/secret.sops.yaml

@@ -0,0 +1,38 @@
+# yamllint disable
+# VPN_SERVICE_PROVIDER: 
+# SERVER_COUNTRIES: 
+# WIREGUARD_PRIVATE_KEY: 
+# WIREGUARD_PRESHARED_KEY: 
+# WIREGUARD_ADDRESSES: 
+apiVersion: v1
+kind: Secret
+metadata:
+    name: vpn-gateway-config
+    namespace: vpn-gateway
+stringData:
+    VPN_SERVICE_PROVIDER: ENC[AES256_GCM,data:JrZc/5AK,iv:Mun8inBuXTlUArPpD1wGSqbgqbwJeeQbOXFKzswA1Es=,tag:HsDK72U0Zi9tSV0rYH3anw==,type:str]
+    SERVER_COUNTRIES: ENC[AES256_GCM,data:5EfYcD8u,iv:YpHbv+YDdsur1v9TQfYr76SBMrSh4BE0zX0ZwqpgXeQ=,tag:xdrXMfja+x5sCMLVRpX9fg==,type:str]
+    WIREGUARD_PRIVATE_KEY: ENC[AES256_GCM,data:LE8rUFzwXun/+rUu4dbM8gWIc5vcZOXXDOlnF6lyE83QSR7Et2r/6Zp+zao=,iv:0hqpZlUCQCJIi0LgCpM/cpCByhbrNKCF1Zu/SeLkwkY=,tag:qw51hSTf+PQpgR6B/Ocihg==,type:str]
+    WIREGUARD_PRESHARED_KEY: ENC[AES256_GCM,data:6ksxxiuJMutjrb0Y8v/axq+TBQgtJcWO9XgVTWZdqQzr8WahuHZcUqyuIy4=,iv:p3cmC6JTA2EzLwrlNYuyNyx77kcBwbjh2+be2btN3v4=,tag:/M5ssJQ1fvW6QtccjXRBlA==,type:str]
+    WIREGUARD_ADDRESSES: ENC[AES256_GCM,data:6Q/wRGtA8nB3F88pau5t4GpoSRm8DpOl36mIwTt6SrUnJG7NBZFU/E7PtdIyIo+sqV5xTrXVx3aorhwt,iv:1CBhrhYh+3ZNP+BahRlCqB5/pl1Yp85EBAJYVqKwiXM=,tag:tRyZlV3Q99HSYMYWbJhOFA==,type:str]
+    vpnConfigfile: ENC[AES256_GCM,data:XXOyUBfV81BEbfL7uc+gEAmIqikgbiV/wmV9oL24inXRMeQ4aKoo/fRZwEE4AWBq32b86oM41WbNGdZYNO2qjoNI1+HT/bTqemSukPHfkws+FXHyrltLVeGF6mhRPbvHOHfCN1zfUhjZHWjrFWAi8COvCgmENCVith4KqJoIciorRKvIF5WD4E02LrUBVkUl42OY/bE+WKFVtAV/UruUFndkPjwNuh+m4vRhWGtjyJ5d2eAx9H4H8/EuYogfaWGp/LIkLbC0xncjo6eVlmIy0QcoEwPA+wP+XYMwhsKkG3lG0abHwUzllH+i8eINZRGUfyTO6nExbcuwNkWvRUR3h+iJ4/IbfZjv+ATD1JHMpyft/HhcypfDgTkOo2p2L8NHORSbhoParsQLim7meu1bmBEWmTrm9pyx6hcYAKA02EkpKguGy8bTmX5+Ao0WLOCb768+3fzx6z+UsByARe626PSSGzaOalH2yCpU3NiBc9jJMQ3OLwYsi0u7E29C6zKNZvSDeWzu88olsiwDgU1yXfVddSe/x0URbpTtHcOLP6OvxA==,iv:DhjZ1h9KGxn9hLTPbzPJPEacHd1zyVcXFuUVwoqHCaY=,tag:MH3XuCM2QZaQuYxW7Eq5ag==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1ktk92hs2qmfm8wnchvjve4z3wx60csm8g37mqj5gaw480x6mvemsn3rd4p
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBON0Y0Vy9qS0k5TmtFZGkx
+            VWZIZUlpbndBMWl1VG9oOWcwb0ltNHlKd0RvClRvWUljdXV3WjB5aiszd2Q5YklJ
+            MUs3L0xsM21SZE9qbTlkUEJVcWNpWWMKLS0tIHAxS3lnMm4yS2VSZC90cjVqQ09i
+            SmVIYXU4RHQyYWFtMGFnRU02QU9ONEEKxjUnVhjGmFEdpnePwzM4LX+9q/6yKP2U
+            TRiGcEHnOwvcpfGy+taeyqdOVevBJ2gMW/X6no78INf/QWdsqbVYPQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-02-05T02:36:41Z"
+    mac: ENC[AES256_GCM,data:pnX6ToNWtRoMy2mAEx41itvRa3+n7RiHUa6EAjUISN7xbJkABzZMTm902Fi2SiQI9Q+HbTmTjdsvSW0Kv0xZ6Wo8SYHYfxWjm08B1vLVGo4oLnPOPaGDdQMEOreDFTbBlFsu4y9h144z6snx8J06t0M6qo+y1yXCBxtipEi/HOw=,iv:D33nww03fQcFSYe0xqIERiqtnsK7eohaVx/rZ+8uUDY=,tag:c3HbYQHkvqJmT/eqnV64Zg==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.1

kubernetes/apps/network/vpn-gateway/ks.yaml

@@ -0,0 +1,21 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app vpn-gateway
+  namespace: flux-system
+spec:
+  targetNamespace: network
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./kubernetes/apps/network/vpn-gateway/app
+  prune: false
+  sourceRef:
+    kind: GitRepository
+    name: home-kubernetes
+  wait: true
+  interval: 30m
+  retryInterval: 5m30s
+  timeout: 5m

kubernetes/flux/repositories/helm/angelnu.yaml

@@ -0,0 +1,9 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+  name: angelnu
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://angelnu.github.io/helm-charts
+  timeout: 15m

kubernetes/flux/repositories/helm/kustomization.yaml

@@ -2,6 +2,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - ./angelnu.yaml
   - ./backube.yaml
   - ./bitnami.yaml
   - ./bjw-s.yaml