
add pod-gateway vpn back in #71

Merged
merged 3 commits into from
Feb 28, 2024

jgilfoil
Owner

No description provided.


--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/vpn-gateway

+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/vpn-gateway

@@ -0,0 +1,40 @@

+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  labels:
+    kustomize.toolkit.fluxcd.io/name: cluster-apps
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: vpn-gateway
+  namespace: flux-system
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: vpn-gateway
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+  interval: 30m
+  path: ./kubernetes/apps/network/vpn-gateway/app
+  postBuild:
+    substituteFrom:
+    - kind: ConfigMap
+      name: cluster-settings
+    - kind: Secret
+      name: cluster-secrets
+    - kind: ConfigMap
+      name: cluster-settings-user
+      optional: true
+    - kind: Secret
+      name: cluster-secrets-user
+      optional: true
+  prune: true
+  retryInterval: 5m30s
+  sourceRef:
+    kind: GitRepository
+    name: home-kubernetes
+  targetNamespace: network
+  timeout: 5m
+  wait: true
+
--- kubernetes/apps Kustomization: flux-system/cluster-apps Namespace: flux-system/testing

+++ kubernetes/apps Kustomization: flux-system/cluster-apps Namespace: flux-system/testing

@@ -0,0 +1,9 @@

+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    kustomize.toolkit.fluxcd.io/name: cluster-apps
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: testing
+
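Review bot: The new `testing` Namespace carries only the two flux labels, yet the rendered MutatingWebhookConfiguration hunk for network/vpn-gateway-pod-gateway now selects namespaces by `routed-gateway: 'true'`, so the admission webhook will not see pods created in `testing` and the `setGateway` label on the vpn-routed Deployment would have no effect. Unless that label is applied somewhere outside this PR, add `routed-gateway: 'true'` under `metadata.labels` of this Namespace. The selector key also changed from `vpn-routed-gateway`, so any other namespace still labelled the old way silently stops being routed through the gateway.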
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/vpn-routed

+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/vpn-routed

@@ -0,0 +1,40 @@

+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  labels:
+    kustomize.toolkit.fluxcd.io/name: cluster-apps
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: vpn-routed
+  namespace: flux-system
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: vpn-routed
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+  interval: 30m
+  path: ./kubernetes/apps/testing/vpn-routed-pods/app
+  postBuild:
+    substituteFrom:
+    - kind: ConfigMap
+      name: cluster-settings
+    - kind: Secret
+      name: cluster-secrets
+    - kind: ConfigMap
+      name: cluster-settings-user
+      optional: true
+    - kind: Secret
+      name: cluster-secrets-user
+      optional: true
+  prune: true
+  retryInterval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: home-kubernetes
+  targetNamespace: testing
+  timeout: 5m
+  wait: false
+
--- kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/non-vpn-routed

+++ kubernetes/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/non-vpn-routed

@@ -0,0 +1,40 @@

+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  labels:
+    kustomize.toolkit.fluxcd.io/name: cluster-apps
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: non-vpn-routed
+  namespace: flux-system
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: non-vpn-routed
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+  interval: 30m
+  path: ./kubernetes/apps/testing/non-vpn-routed-pods/app
+  postBuild:
+    substituteFrom:
+    - kind: ConfigMap
+      name: cluster-settings
+    - kind: Secret
+      name: cluster-secrets
+    - kind: ConfigMap
+      name: cluster-settings-user
+      optional: true
+    - kind: Secret
+      name: cluster-secrets-user
+      optional: true
+  prune: true
+  retryInterval: 1m
+  sourceRef:
+    kind: GitRepository
+    name: home-kubernetes
+  targetNamespace: testing
+  timeout: 5m
+  wait: false
+
--- kubernetes/apps/network/vpn-gateway/app Kustomization: flux-system/vpn-gateway HelmRelease: network/vpn-gateway

+++ kubernetes/apps/network/vpn-gateway/app Kustomization: flux-system/vpn-gateway HelmRelease: network/vpn-gateway

@@ -17,65 +17,72 @@

         kind: HelmRepository
         name: angelnu
         namespace: flux-system
       version: 6.5.1
   interval: 5m
   values:
+    DNS: 172.16.1.1
     addons:
+      netshoot:
+        enabled: true
+        resources:
+          limits:
+            memory: 10M
+          requests:
+            cpu: 5m
+            memory: 10M
       vpn:
         enabled: true
         env:
         - name: VPN_TYPE
           value: wireguard
         - name: VPN_INTERFACE
           value: wg0
         - name: FIREWALL
           value: 'off'
         - name: DOT
           value: 'off'
+        - name: LOG_LEVEL
+          value: debug
+        - name: HEALTH_VPN_DURATION_INITIAL
+          value: 30s
         envFrom:
         - secretRef:
             name: vpn-gateway-config
         gluetun:
           image:
             repository: docker.io/qmcgaw/gluetun
-            tag: v3.37.0
-        networkPolicy:
-          egress:
-          - ports:
-            - port: ${SECRET_VPN_GATEWAY_PORT}
-              protocol: UDP
-            to:
-            - ipBlock:
-                cidr: 0.0.0.0/0
-          - to:
-            - ipBlock:
-                cidr: 10.0.0.0/8
-          enabled: true
+            tag: v3.35.0@sha256:a98d1ec99e09a1b806aff7f0c3d8a133a8ede7d3d7a250b62029a39a61f01525
+        resources:
+          limits:
+            memory: 64M
+          requests:
+            cpu: 5m
+            memory: 64M
+        securityContext:
+          capabilities:
+            add:
+            - NET_ADMIN
         type: gluetun
     image:
       repository: ghcr.io/angelnu/pod-gateway
-      tag: v1.10.0
-    publicPorts:
-    - IP: 10
-      hostname: transmission
-      ports:
-      - port: 27071
-        type: udp
-      - port: 27071
-        type: tcp
+      tag: v1.8.1@sha256:690b6365728fe9012ad4cdfca38334992664596513dca187d1b93d2025205776
+    podAnnotations:
+      reloader.stakater.com/auto: 'true'
     routed_namespaces:
-    - media
+    - testing
     settings:
+      NOT_ROUTED_TO_GATEWAY_CIDRS: 10.0.0.0/8 192.168.0.0/24
       VPN_BLOCK_OTHER_TRAFFIC: true
       VPN_INTERFACE: wg0
-      VPN_LOCAL_CIDRS: 10.69.0.0/16 10.96.0.0/16 192.168.1.0/24
+      VPN_LOCAL_CIDRS: 10.0.0.0/8 192.168.1.0/24
       VPN_TRAFFIC_PORT: ${SECRET_VPN_GATEWAY_PORT}
+      VXLAN_ID: 43
+      VXLAN_IP_NETWORK: 172.16.1
     webhook:
-      gatewayDefault: true
+      gatewayAnnotation: setGateway
+      gatewayDefault: false
+      gatewayLabel: setGateway
       image:
-        pullPolicy: Always
         repository: ghcr.io/angelnu/gateway-admision-controller
-        tag: v3.9.0
-      namespaceSelector:
-        label: vpn-routed-gateway
+        tag: v3.9.0@sha256:4e169da5af107a9c6c784d3e03c89da07fad45f18358ab5b7177662df12d955a
 
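Review bot: Removing the `networkPolicy` block from `addons.vpn` does not disable the chart's policy; the rendered NetworkPolicy hunk for network/vpn-gateway-pod-gateway now permits UDP egress only on the chart default `1194`, while `VPN_TRAFFIC_PORT` in `settings` still reads `${SECRET_VPN_GATEWAY_PORT}`. If the port held in that secret is not 1194, the gateway's own tunnel handshake is blocked by its egress policy and the VPN never comes up. Either restore an explicit `networkPolicy.egress` entry with `port: ${SECRET_VPN_GATEWAY_PORT}`, or set `networkPolicy.enabled: false` under `addons.vpn` on purpose and note why in a comment. The hunk ends at the `webhook.image.tag` line, so any later keys of this values block are outside view.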
--- kubernetes/apps/testing/non-vpn-routed-pods/app Kustomization: flux-system/non-vpn-routed Deployment: testing/novpn

+++ kubernetes/apps/testing/non-vpn-routed-pods/app Kustomization: flux-system/non-vpn-routed Deployment: testing/novpn

@@ -0,0 +1,30 @@

+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/name: non-vpn-routed
+    kustomize.toolkit.fluxcd.io/name: non-vpn-routed
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: novpn
+  namespace: testing
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: novpn
+  template:
+    metadata:
+      labels:
+        app: novpn
+    spec:
+      containers:
+      - args:
+        - while true; do sleep 30; done;
+        command:
+        - /bin/bash
+        - -c
+        - --
+        image: nicolaka/netshoot
+        name: dnsutils
+
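Review bot: `image: nicolaka/netshoot` on the `dnsutils` container has neither a tag nor a digest, so the Deployment tracks a mutable default tag and each rollout may pull different content; the vpn-routed Deployment in the next hunk has the same issue. The in-gateway sidecar added in this PR pins `ghcr.io/nicolaka/netshoot:v0.11`, so use that same reference here, `image: ghcr.io/nicolaka/netshoot:v0.11`, and add a digest as done for the other images. A `resources` block matching the gateway's netshoot addon would also keep these test pods from running unbounded.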
--- kubernetes/apps/testing/vpn-routed-pods/app Kustomization: flux-system/vpn-routed Deployment: testing/vpn-routed

+++ kubernetes/apps/testing/vpn-routed-pods/app Kustomization: flux-system/vpn-routed Deployment: testing/vpn-routed

@@ -0,0 +1,33 @@

+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  annotations:
+    setGateway: 'true'
+  labels:
+    app.kubernetes.io/name: vpn-routed
+    kustomize.toolkit.fluxcd.io/name: vpn-routed
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+    setGateway: 'true'
+  name: vpn-routed
+  namespace: testing
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: vpn-routed
+  template:
+    metadata:
+      labels:
+        app: vpn-routed
+    spec:
+      containers:
+      - args:
+        - while true; do sleep 30; done;
+        command:
+        - /bin/bash
+        - -c
+        - --
+        image: nicolaka/netshoot
+        name: dnsutils
+

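Review bot: This second rendered section (the flux-local diff of the HelmRelease output) is where the effects of the values change become visible; the points below are raised on the individual hunks.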

--- HelmRelease: network/vpn-gateway NetworkPolicy: network/vpn-gateway-pod-gateway

+++ HelmRelease: network/vpn-gateway NetworkPolicy: network/vpn-gateway-pod-gateway

@@ -13,13 +13,13 @@

       app.kubernetes.io/instance: vpn-gateway
       app.kubernetes.io/name: pod-gateway
   policyTypes:
   - Egress
   egress:
   - ports:
-    - port: ${SECRET_VPN_GATEWAY_PORT}
+    - port: 1194
       protocol: UDP
     to:
     - ipBlock:
         cidr: 0.0.0.0/0
   - to:
     - ipBlock:
--- HelmRelease: network/vpn-gateway ConfigMap: media/vpn-gateway-pod-gateway

+++ HelmRelease: network/vpn-gateway ConfigMap: media/vpn-gateway-pod-gateway

@@ -1,29 +0,0 @@

----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: vpn-gateway-pod-gateway
-  namespace: media
-  labels:
-    app.kubernetes.io/name: pod-gateway
-    app.kubernetes.io/instance: vpn-gateway
-    app.kubernetes.io/managed-by: Helm
-data:
-  settings.sh: |
-    #!/bin/sh
-    # Generated by vpn-gateway-pod-gateway
-    DNS_LOCAL_CIDRS="local"
-    NOT_ROUTED_TO_GATEWAY_CIDRS=""
-    VPN_BLOCK_OTHER_TRAFFIC="true"
-    VPN_INTERFACE="wg0"
-    VPN_LOCAL_CIDRS="10.69.0.0/16 10.96.0.0/16 192.168.1.0/24"
-    VPN_TRAFFIC_PORT="${SECRET_VPN_GATEWAY_PORT}"
-    VXLAN_GATEWAY_FIRST_DYNAMIC_IP="20"
-    VXLAN_ID="42"
-    VXLAN_IP_NETWORK="172.16.0"
-  nat.conf: |
-    # Generated by vpn-gateway-pod-gateway
-    transmission 10 udp:27071,tcp:27071
-  nat6.conf: |
-    # Generated by vpn-gateway-pod-gateway
-
--- HelmRelease: network/vpn-gateway ConfigMap: network/vpn-gateway-pod-gateway

+++ HelmRelease: network/vpn-gateway ConfigMap: network/vpn-gateway-pod-gateway

@@ -10,20 +10,19 @@

     app.kubernetes.io/managed-by: Helm
 data:
   settings.sh: |
     #!/bin/sh
     # Generated by vpn-gateway-pod-gateway
     DNS_LOCAL_CIDRS="local"
-    NOT_ROUTED_TO_GATEWAY_CIDRS=""
+    NOT_ROUTED_TO_GATEWAY_CIDRS="10.0.0.0/8 192.168.0.0/24"
     VPN_BLOCK_OTHER_TRAFFIC="true"
     VPN_INTERFACE="wg0"
-    VPN_LOCAL_CIDRS="10.69.0.0/16 10.96.0.0/16 192.168.1.0/24"
+    VPN_LOCAL_CIDRS="10.0.0.0/8 192.168.1.0/24"
     VPN_TRAFFIC_PORT="${SECRET_VPN_GATEWAY_PORT}"
     VXLAN_GATEWAY_FIRST_DYNAMIC_IP="20"
-    VXLAN_ID="42"
-    VXLAN_IP_NETWORK="172.16.0"
+    VXLAN_ID="43"
+    VXLAN_IP_NETWORK="172.16.1"
   nat.conf: |
     # Generated by vpn-gateway-pod-gateway
-    transmission 10 udp:27071,tcp:27071
   nat6.conf: |
     # Generated by vpn-gateway-pod-gateway
 
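Review bot: `NOT_ROUTED_TO_GATEWAY_CIDRS` bypasses `192.168.0.0/24` while `VPN_LOCAL_CIDRS` two lines below allows `192.168.1.0/24`; both come from the HelmRelease `settings` block, and since the removed value only ever referenced `192.168.1.0/24` the `.0.0/24` looks like it may be a typo rather than a second LAN. If it is intentional, a comment on the `settings` block in the HelmRelease values saying which network each range covers would spare the next reader the guess. The same text is rendered again in the new `testing/vpn-gateway-pod-gateway` ConfigMap hunk.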
--- HelmRelease: network/vpn-gateway Deployment: network/vpn-gateway-pod-gateway

+++ HelmRelease: network/vpn-gateway Deployment: network/vpn-gateway-pod-gateway

@@ -15,35 +15,37 @@

   selector:
     matchLabels:
       app.kubernetes.io/name: pod-gateway
       app.kubernetes.io/instance: vpn-gateway
   template:
     metadata:
+      annotations:
+        reloader.stakater.com/auto: 'true'
       labels:
         app.kubernetes.io/name: pod-gateway
         app.kubernetes.io/instance: vpn-gateway
     spec:
       serviceAccountName: default
       automountServiceAccountToken: true
       dnsPolicy: ClusterFirst
       enableServiceLinks: true
       initContainers:
       - command:
         - /bin/gateway_init.sh
-        image: ghcr.io/angelnu/pod-gateway:v1.10.0
+        image: ghcr.io/angelnu/pod-gateway:v1.8.1@sha256:690b6365728fe9012ad4cdfca38334992664596513dca187d1b93d2025205776
         imagePullPolicy: IfNotPresent
         name: routes
         securityContext:
           privileged: true
         volumeMounts:
         - mountPath: /config
           name: config
           readOnly: true
       containers:
       - name: vpn-gateway-pod-gateway
-        image: ghcr.io/angelnu/pod-gateway:v1.10.0
+        image: ghcr.io/angelnu/pod-gateway:v1.8.1@sha256:690b6365728fe9012ad4cdfca38334992664596513dca187d1b93d2025205776
         imagePullPolicy: IfNotPresent
         command:
         - /bin/gateway_sidecar.sh
         securityContext:
           capabilities:
             add:
@@ -63,23 +65,49 @@

         - name: VPN_INTERFACE
           value: wg0
         - name: FIREWALL
           value: 'off'
         - name: DOT
           value: 'off'
+        - name: LOG_LEVEL
+          value: debug
+        - name: HEALTH_VPN_DURATION_INITIAL
+          value: 30s
         envFrom:
         - secretRef:
             name: vpn-gateway-config
-        image: docker.io/qmcgaw/gluetun:v3.37.0
+        image: docker.io/qmcgaw/gluetun:v3.35.0@sha256:a98d1ec99e09a1b806aff7f0c3d8a133a8ede7d3d7a250b62029a39a61f01525
         imagePullPolicy: null
         name: gluetun
+        resources:
+          limits:
+            memory: 64M
+          requests:
+            cpu: 5m
+            memory: 64M
         securityContext:
           capabilities:
             add:
             - NET_ADMIN
-            - SYS_MODULE
+      - command:
+        - /bin/sh
+        - -c
+        - sleep infinity
+        image: ghcr.io/nicolaka/netshoot:v0.11
+        imagePullPolicy: null
+        name: netshoot
+        resources:
+          limits:
+            memory: 10M
+          requests:
+            cpu: 5m
+            memory: 10M
+        securityContext:
+          capabilities:
+            add:
+            - NET_ADMIN
       volumes:
       - name: config
         configMap:
           defaultMode: 365
           name: vpn-gateway-pod-gateway
 
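Review bot: The new `netshoot` container is a permanently running shell inside the VPN gateway pod and is granted `NET_ADMIN`, so anyone able to `exec` into it can rewrite the routes and iptables rules the gateway relies on; together with `LOG_LEVEL: debug` on gluetun this reads like troubleshooting state rather than a steady-state configuration. Gate the addon on a values toggle that defaults off (`addons.netshoot.enabled: false`) and return `LOG_LEVEL` to its prior level once routing is verified. Dropping `SYS_MODULE` from gluetun is a welcome reduction in privilege; it is worth confirming the wireguard tunnel still comes up on nodes where the kernel module is not already loaded.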
--- HelmRelease: network/vpn-gateway Deployment: network/vpn-gateway-pod-gateway-webhook

+++ HelmRelease: network/vpn-gateway Deployment: network/vpn-gateway-pod-gateway-webhook

@@ -25,29 +25,28 @@

       - name: certs
         secret:
           secretName: vpn-gateway-pod-gateway-webhook-tls
           defaultMode: 420
       containers:
       - name: webhook
-        image: ghcr.io/angelnu/gateway-admision-controller:v3.9.0
+        image: ghcr.io/angelnu/gateway-admision-controller:v3.9.0@sha256:4e169da5af107a9c6c784d3e03c89da07fad45f18358ab5b7177662df12d955a
         args:
         - --webhook-listen-address=:8080
         - --gateway=vpn-gateway-pod-gateway.network.svc.cluster.local
-        - --DNS=172.16.0.1,172.16.0.2
+        - --DNS=172.16.1.1
         - --configmapName=vpn-gateway-pod-gateway
         - --setGatewayLabel=setGateway
         - --setGatewayAnnotation=setGateway
-        - --setGatewayDefault
         - --tls-cert-file-path=/tls/tls.crt
         - --tls-key-file-path=/tls/tls.key
         - --DNSPolicy=None
-        - --initImage=ghcr.io/angelnu/pod-gateway:v1.10.0
+        - --initImage=ghcr.io/angelnu/pod-gateway:v1.8.1@sha256:690b6365728fe9012ad4cdfca38334992664596513dca187d1b93d2025205776
         - --initImagePullPol=IfNotPresent
         - --initCmd=/bin/client_init.sh
         - --initMountPoint=/config
-        - --sidecarImage=ghcr.io/angelnu/pod-gateway:v1.10.0
+        - --sidecarImage=ghcr.io/angelnu/pod-gateway:v1.8.1@sha256:690b6365728fe9012ad4cdfca38334992664596513dca187d1b93d2025205776
         - --sidecarImagePullPol=IfNotPresent
         - --sidecarCmd=/bin/client_sidecar.sh
         - --sidecarMountPoint=/config
         ports:
         - name: http
           containerPort: 8080
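Review bot: `--DNS=172.16.1.1` leaves routed pods with a single resolver where the previous value listed two, and with `--DNSPolicy=None` there is no cluster fallback, so a pod in `testing` loses all name resolution whenever the gateway's DNS endpoint is restarting. If the chart's `DNS` value accepts a comma-separated list, consider keeping a second address; if only one VXLAN address exists now, a comment on `DNS:` in the HelmRelease values saying so would make the single-resolver setup clearly intentional. The webhook container's `ports` list continues past the end of this hunk.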
--- HelmRelease: network/vpn-gateway MutatingWebhookConfiguration: network/vpn-gateway-pod-gateway

+++ HelmRelease: network/vpn-gateway MutatingWebhookConfiguration: network/vpn-gateway-pod-gateway

@@ -10,13 +10,13 @@

   annotations:
     cert-manager.io/inject-ca-from: network/vpn-gateway-pod-gateway-webhook-tls
 webhooks:
 - name: vpn-gateway-pod-gateway.svc.cluster.local
   namespaceSelector:
     matchLabels:
-      vpn-routed-gateway: 'true'
+      routed-gateway: 'true'
   rules:
   - apiGroups:
     - ''
     apiVersions:
     - v1
     operations:
--- HelmRelease: network/vpn-gateway ConfigMap: testing/vpn-gateway-pod-gateway

+++ HelmRelease: network/vpn-gateway ConfigMap: testing/vpn-gateway-pod-gateway

@@ -0,0 +1,28 @@

+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: vpn-gateway-pod-gateway
+  namespace: testing
+  labels:
+    app.kubernetes.io/name: pod-gateway
+    app.kubernetes.io/instance: vpn-gateway
+    app.kubernetes.io/managed-by: Helm
+data:
+  settings.sh: |
+    #!/bin/sh
+    # Generated by vpn-gateway-pod-gateway
+    DNS_LOCAL_CIDRS="local"
+    NOT_ROUTED_TO_GATEWAY_CIDRS="10.0.0.0/8 192.168.0.0/24"
+    VPN_BLOCK_OTHER_TRAFFIC="true"
+    VPN_INTERFACE="wg0"
+    VPN_LOCAL_CIDRS="10.0.0.0/8 192.168.1.0/24"
+    VPN_TRAFFIC_PORT="${SECRET_VPN_GATEWAY_PORT}"
+    VXLAN_GATEWAY_FIRST_DYNAMIC_IP="20"
+    VXLAN_ID="43"
+    VXLAN_IP_NETWORK="172.16.1"
+  nat.conf: |
+    # Generated by vpn-gateway-pod-gateway
+  nat6.conf: |
+    # Generated by vpn-gateway-pod-gateway
+

@jgilfoil jgilfoil merged commit f691619 into main Feb 28, 2024
5 checks passed
@jgilfoil jgilfoil deleted the feature/vpn branch February 28, 2024 22:11