add pod-gateway vpn back in #71

Merged
merged 3 commits into from
Feb 28, 2024
Merged
2 changes: 1 addition & 1 deletion kubernetes/apps/network/kustomization.yaml
Expand Up @@ -8,4 +8,4 @@ resources:
- ./external-dns/ks.yaml
- ./ingress-nginx/ks.yaml
- ./k8s-gateway/ks.yaml
# - ./vpn-gateway/ks.yaml
- ./vpn-gateway/ks.yaml
99 changes: 62 additions & 37 deletions kubernetes/apps/network/vpn-gateway/app/helmrelease.yaml
Expand Up @@ -3,9 +3,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: vpn-gateway
# labels:
# Avoid variable substitution of shell variables bellow
# kustomize.toolkit.fluxcd.io/substitute: disabled
spec:
interval: 5m
chart:
Expand All @@ -19,18 +16,23 @@ spec:
namespace: flux-system
#See https://github.com/angelnu/helm-charts/blob/main/charts/apps/pod-gateway/values.yaml
values:

image:
repository: ghcr.io/angelnu/pod-gateway
tag: v1.10.0
tag: v1.8.1@sha256:690b6365728fe9012ad4cdfca38334992664596513dca187d1b93d2025205776

podAnnotations:
reloader.stakater.com/auto: "true"

DNS: 172.16.1.1

addons:
vpn:
enabled: true
type: gluetun
gluetun:
image:
repository: docker.io/qmcgaw/gluetun
tag: v3.37.0
tag: v3.35.0@sha256:a98d1ec99e09a1b806aff7f0c3d8a133a8ede7d3d7a250b62029a39a61f01525

env:
# - name: VPN_SERVICE_PROVIDER
Expand All @@ -43,6 +45,10 @@ spec:
value: "off"
- name: DOT
value: "off"
- name: LOG_LEVEL
value: "debug"
- name: HEALTH_VPN_DURATION_INITIAL
value: 30s
# - name: WIREGUARD_PRIVATE_KEY
# value: set in secret
# - name: WIREGUARD_PRESHARED_KEY
Expand All @@ -56,7 +62,6 @@ spec:
- secretRef:
name: vpn-gateway-config


# livenessProbe:
# exec:
# command:
Expand All @@ -67,20 +72,40 @@ spec:
# periodSeconds: 60
# failureThreshold: 3

networkPolicy:
enabled: true
resources:
requests:
cpu: 5m
memory: 64M
limits:
memory: 64M
securityContext:
capabilities:
add:
- NET_ADMIN

netshoot:
enabled: true
resources:
requests:
cpu: 5m
memory: 10M
limits:
memory: 10M

# networkPolicy:
# enabled: true

egress:
- to:
- ipBlock:
cidr: 0.0.0.0/0
ports:
# VPN traffic
- port: ${SECRET_VPN_GATEWAY_PORT}
protocol: UDP
- to:
- ipBlock:
cidr: 10.0.0.0/8
# egress:
# - to:
# - ipBlock:
# cidr: 0.0.0.0/0
# ports:
# # VPN traffic
# - port: ${SECRET_VPN_GATEWAY_PORT}
# protocol: UDP
# - to:
# - ipBlock:
# cidr: 10.0.0.0/8
settings:
# -- If using a VPN, interface name created by it
VPN_INTERFACE: wg0
Expand All @@ -89,28 +114,28 @@ spec:
# -- If VPN_BLOCK_OTHER_TRAFFIC is true, allow VPN traffic over this port
VPN_TRAFFIC_PORT: ${SECRET_VPN_GATEWAY_PORT}
# -- Traffic to these IPs will be sent through the K8S gateway
VPN_LOCAL_CIDRS: "10.69.0.0/16 10.96.0.0/16 192.168.1.0/24"
VPN_LOCAL_CIDRS: "10.0.0.0/8 192.168.1.0/24"
NOT_ROUTED_TO_GATEWAY_CIDRS: "10.0.0.0/8 192.168.0.0/24"
VXLAN_ID: 43
VXLAN_IP_NETWORK: 172.16.1

# -- settings to expose ports, usually through a VPN provider.
# NOTE: if you change it you will need to manually restart the gateway POD
publicPorts:
- hostname: transmission
IP: 10 # must be an integer between 2 and VXLAN_GATEWAY_FIRST_DYNAMIC_IP (20 by default)
ports:
- type: udp
port: 27071
- type: tcp
port: 27071
# publicPorts:
# - hostname: transmission
# IP: 10 # must be an integer between 2 and VXLAN_GATEWAY_FIRST_DYNAMIC_IP (20 by default)
# ports:
# - type: udp
# port: 27071
# - type: tcp
# port: 27071

routed_namespaces:
- media
- testing
webhook:
image:
repository: ghcr.io/angelnu/gateway-admision-controller
pullPolicy: Always
tag: v3.9.0
gatewayDefault: true
# gatewayLabel: setGateway
# gatewayAnnotation: setGateway
namespaceSelector:
label: "vpn-routed-gateway"
tag: v3.9.0@sha256:4e169da5af107a9c6c784d3e03c89da07fad45f18358ab5b7177662df12d955a
gatewayDefault: false
gatewayLabel: setGateway
gatewayAnnotation: setGateway
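Review bot: In the hunk at `@@ -67,20 +72,40 @@` the `networkPolicy` block and its egress allow-list (UDP to `${SECRET_VPN_GATEWAY_PORT}` on `0.0.0.0/0`, plus `10.0.0.0/8`) appear on one side only as commented-out lines; the rendered view has lost the +/- markers, but if the commented copy is the new side the gateway pod loses the cluster-level egress restriction that kept non-tunnel traffic from leaving, and as far as this file shows only the in-pod `VPN_BLOCK_OTHER_TRAFFIC` handling remains as a kill switch, so either keep the policy or add a comment recording why it is disabled and what replaces it. In the last hunk, `gatewayDefault: false` together with `gatewayLabel: setGateway` and `gatewayAnnotation: setGateway` makes routing opt-in, so a pod in `routed_namespaces` (`media`, `testing`) that lacks the `setGateway` label or annotation now egresses directly rather than through the VPN; a comment above `gatewayDefault` such as `# opt-in: only pods carrying the setGateway label/annotation are routed via the VPN; other pods in routed_namespaces egress directly` would make that behaviour change visible to whoever maintains the media workloads. `LOG_LEVEL: "debug"` in the hunk at `@@ -43,6 +45,10 @@` is fine for bring-up but tends to write connection details into pod logs; annotate it `# TODO: revert to the default level once the gateway is stable`. The digest-pinned `tag:` lines are an improvement, but `v1.8.1` and `v3.35.0` are lower than the `v1.10.0` and `v3.37.0` printed beside them, so if the pinned values are the new side a comment noting why the older releases were chosen would help the next upgrade.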
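--- a/kubernetes/apps/testing/kustomization.yaml
+++ b/kubernetes/apps/testing/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./namespace.yaml
+- ./vpn-routed-pods/ks.yaml
+- ./non-vpn-routed-pods/ks.yaml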
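--- a/kubernetes/apps/testing/namespace.yaml
+++ b/kubernetes/apps/testing/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+name: testing
+# labels:
+# kustomize.toolkit.fluxcd.io/prune: disabled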
@@ -0,0 +1,6 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./non-vpn-routed-pod.yaml

@@ -0,0 +1,20 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: &name novpn
namespace: testing
spec:
replicas: 1
selector:
matchLabels:
app: *name
template:
metadata:
labels:
app: *name
spec:
containers:
- name: dnsutils
image: nicolaka/netshoot
command: ["/bin/bash", "-c", "--"]
args: ["while true; do sleep 30; done;"]
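--- a/kubernetes/apps/testing/non-vpn-routed-pods/ks.yaml
+++ b/kubernetes/apps/testing/non-vpn-routed-pods/ks.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+name: &app non-vpn-routed
+namespace: flux-system
+spec:
+targetNamespace: testing
+commonMetadata:
+labels:
+app.kubernetes.io/name: *app
+path: ./kubernetes/apps/testing/non-vpn-routed-pods/app
+prune: true
+sourceRef:
+kind: GitRepository
+name: home-kubernetes
+wait: false
+interval: 30m
+retryInterval: 1m
+timeout: 5m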
@@ -0,0 +1,6 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./vpn-routed-pod.yaml

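--- a/kubernetes/apps/testing/vpn-routed-pods/app/vpn-routed-pod.yaml
+++ b/kubernetes/apps/testing/vpn-routed-pods/app/vpn-routed-pod.yaml
@@ -0,0 +1,25 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: &name vpn-routed
+namespace: testing
+annotations:
+setGateway: "true"
+labels:
+setGateway: "true"
+spec:
+replicas: 1
+selector:
+matchLabels:
+app: *name
+template:
+metadata:
+labels:
+app: *name
+spec:
+containers:
+- name: dnsutils
+image: nicolaka/netshoot
+command: ["/bin/bash", "-c", "--"]
+args: ["while true; do sleep 30; done;"]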
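Review bot: `image: nicolaka/netshoot` in this new deployment carries neither a tag nor a digest, so the pod floats on whatever the registry currently serves as `latest`, which sits oddly beside the digest-pinned images in the helmrelease hunks of this same PR; pin it, e.g. `image: nicolaka/netshoot:<tag>@sha256:<digest>` with values taken from the registry. The container has no `securityContext`, so a general-purpose network toolbox that is deliberately routed through the VPN gateway runs with whatever user and capabilities the cluster defaults give it; if the image's default user permits, `allowPrivilegeEscalation: false` and `runAsNonRoot: true` on the container would narrow that. Both points apply equally to the `novpn` deployment printed earlier in this PR (the section starting at `apiVersion: apps/v1` whose file header is missing from the rendered view).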
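--- a/kubernetes/apps/testing/vpn-routed-pods/ks.yaml
+++ b/kubernetes/apps/testing/vpn-routed-pods/ks.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+name: &app vpn-routed
+namespace: flux-system
+spec:
+targetNamespace: testing
+commonMetadata:
+labels:
+app.kubernetes.io/name: *app
+path: ./kubernetes/apps/testing/vpn-routed-pods/app
+prune: true
+sourceRef:
+kind: GitRepository
+name: home-kubernetes
+wait: false
+interval: 30m
+retryInterval: 1m
+timeout: 5m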
2 changes: 1 addition & 1 deletion tests/vpn/novpn-pod.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: apps/v1
kind: Deployment
metadata:
name: &name novpn
namespace: media
namespace: testing
spec:
replicas: 1
selector:
2 changes: 1 addition & 1 deletion tests/vpn/vpn-routed-pod.yaml
Expand Up @@ -3,7 +3,7 @@ apiVersion: apps/v1
kind: Deployment
metadata:
name: &name vpn-routed
namespace: media
namespace: testing
annotations:
setGateway: "true"
labels: