dev-docs: add on-prem terraform to vpn setup (#2619)

* vpn: add fake-on-prem infra * dev-docs: move vpn helm
2025-05-02 14:26:23 -04:00 · 2023-11-23 16:13:37 +01:00 · 2023-11-23 16:13:37 +01:00 · 0564e4ebb4
commit 0564e4ebb4
parent c922864f30
20 changed files with 407 additions and 0 deletions
--- a/dev-docs/howto/vpn/helm/templates/_helpers.tpl
+++ b/dev-docs/howto/vpn/helm/templates/_helpers.tpl
@ -0,0 +1,40 @@
+
+{{- define "..name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 42 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "..fullname" -}}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 42 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 42 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+
+{{- define "..chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 42 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "..labels" -}}
+helm.sh/chart: {{ include "..chart" . }}
+{{ include "..selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{- define "..selectorLabels" -}}
+app.kubernetes.io/name: {{ include "..name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{- define "..commonEnv" -}}
+- name: VPN_PEER_CIDRS
+  value: {{ join " " .Values.peerCIDRs | quote }}
+- name: VPN_POD_CIDR
+  value: {{ .Values.podCIDR | quote }}
+- name: VPN_SERVICE_CIDR
+  value: {{ .Values.serviceCIDR | quote }}
+{{- end }}
--- a/dev-docs/howto/vpn/helm/templates/configmaps.yaml
+++ b/dev-docs/howto/vpn/helm/templates/configmaps.yaml
@ -0,0 +1,27 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "..fullname" . }}-tproxy
+  labels: {{- include "..labels" . | nindent 4 }}
+data:
+{{ (.Files.Glob "files/tproxy-setup.sh").AsConfig | indent 2 }}
+---
+{{- if .Values.wireguard.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "..fullname" . }}-wg
+  labels: {{- include "..labels" . | nindent 4 }}
+data:
+{{ (.Files.Glob "files/wireguard-setup.sh").AsConfig | indent 2 }}
+{{- end }}
+---
+{{ if .Values.ipsec.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "..fullname" . }}-strongswan
+  labels: {{- include "..labels" . | nindent 4 }}
+data:
+{{ (.Files.Glob "files/strongswan/*").AsConfig | indent 2 }}
+{{- end }}
--- a/dev-docs/howto/vpn/helm/templates/secrets.yaml
+++ b/dev-docs/howto/vpn/helm/templates/secrets.yaml
@ -0,0 +1,21 @@
+{{- if .Values.wireguard.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "..fullname" . }}-wg
+  labels:
+    {{- include "..labels" . | nindent 4 }}
+data:
+  wg.conf: {{ include "wireguard.conf" . | b64enc }}
+{{- end }}
+---
+{{ if .Values.ipsec.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "..fullname" . }}-strongswan
+  labels:
+    {{- include "..labels" . | nindent 4 }}
+data:
+  swanctl.conf: {{ include "strongswan.swanctl-conf" . | b64enc }}
+{{- end }}
--- a/dev-docs/howto/vpn/helm/templates/service.yaml
+++ b/dev-docs/howto/vpn/helm/templates/service.yaml
@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "..fullname" . }}-lb
+  labels:
+    {{- include "..labels" . | nindent 4 }}
+spec:
+  type: LoadBalancer
+  selector:
+    {{- include "..selectorLabels" . | nindent 4 }}
+    component: frontend
+  externalTrafficPolicy: Local
+  ports:
+    {{- if .Values.ipsec.enabled }}
+    - name: isakmp
+      protocol: UDP
+      port: 500
+    - name: ipsec-nat-t
+      protocol: UDP
+      port: 4500
+    {{- end }}
+    {{- if .Values.wireguard.enabled }}
+    - name: wg
+      protocol: UDP
+      port: {{ .Values.wireguard.port }}
+    {{- end }}
--- a/dev-docs/howto/vpn/helm/templates/strongswan-secret.tpl
+++ b/dev-docs/howto/vpn/helm/templates/strongswan-secret.tpl
@ -0,0 +1,26 @@
+{{- define "strongswan.swanctl-conf" }}
+connections {
+    net-net {
+      remote_addrs = {{ .Values.ipsec.peer }}
+      local {
+          auth = psk
+      }
+      remote {
+          auth = psk
+      }
+      children {
+          net-net {
+              local_ts  = {{ .Values.podCIDR }},{{ .Values.serviceCIDR }}
+              remote_ts = {{ join "," .Values.peerCIDRs }}
+              start_action = trap
+          }
+      }
+    }
+}
+
+secrets {
+    ike {
+        secret = {{ quote .Values.ipsec.psk }}
+    }
+}
+{{- end }}
--- a/dev-docs/howto/vpn/helm/templates/strongswan-statefulset.yaml
+++ b/dev-docs/howto/vpn/helm/templates/strongswan-statefulset.yaml
@ -0,0 +1,78 @@
+{{ if .Values.ipsec.enabled -}}
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: {{ include "..fullname" . }}-frontend
+  labels: {{- include "..labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "..selectorLabels" . | nindent 6 }}
+      component: frontend
+  template:
+    metadata:
+      labels:
+        {{- include "..selectorLabels" . | nindent 8 }}
+        component: frontend
+    spec:
+      hostNetwork: false
+      initContainers:
+      - name: tproxy-setup
+        image: nixery.dev/busybox/iptables
+        command: ["/bin/sh", "-x", "/entrypoint.sh"]
+        env: {{- include "..commonEnv" . | nindent 10 }}
+        securityContext:
+          capabilities:
+            add: ["NET_ADMIN"]
+        volumeMounts:
+        - name: tproxy-setup
+          mountPath: "/entrypoint.sh"
+          subPath: "tproxy-setup.sh"
+          readOnly: true
+      containers:
+      - name: tproxy
+        # Image source: github.com/burgerdev/go-tproxy
+        image:  ghcr.io/burgerdev/go-tproxy:latest
+        command: ["/tproxy", "--port=61001", "--nat=true"]
+        securityContext:
+          capabilities:
+            add: ["NET_RAW"]
+      - name: strongswan
+        image: "nixery.dev/shell/strongswan"
+        command: ["/bin/sh", "-x", "/entrypoint.sh"]
+        securityContext:
+          capabilities:
+            add: ["NET_ADMIN"]
+        volumeMounts:
+        - name: strongswan
+          mountPath: "/entrypoint.sh"
+          subPath: "entrypoint.sh"
+          readOnly: true
+        - name: strongswan
+          mountPath: "/etc/strongswan.d/charon-logging.conf"
+          subPath: "charon-logging.conf"
+          readOnly: true
+        - name: strongswan
+          mountPath: "/etc/swanctl/swanctl.conf"
+          subPath: "swanctl.conf"
+          readOnly: true
+      volumes:
+      - name: tproxy-setup
+        configMap:
+          name: {{ include "..fullname" . }}-tproxy
+      - name: strongswan
+        projected:
+          sources:
+          - secret:
+              name: {{ include "..fullname" . }}-strongswan
+              items:
+                - key: swanctl.conf
+                  path: swanctl.conf
+          - configMap:
+              name: {{ include "..fullname" . }}-strongswan
+              items:
+                - key: entrypoint.sh
+                  path: entrypoint.sh
+                - key: charon-logging.conf
+                  path: charon-logging.conf
+{{- end }}
--- a/dev-docs/howto/vpn/helm/templates/wireguard-secret.tpl
+++ b/dev-docs/howto/vpn/helm/templates/wireguard-secret.tpl
@ -0,0 +1,14 @@
+{{- define "wireguard.conf" }}
+[Interface]
+ListenPort = {{ .Values.wireguard.port }}
+PrivateKey = {{ .Values.wireguard.private_key }}
+[Peer]
+PublicKey = {{ .Values.wireguard.peer_key }}
+AllowedIPs = {{ join "," .Values.peerCIDRs }}
+{{- if .Values.wireguard.endpoint }}
+Endpoint = {{- .Values.wireguard.endpoint }}
+{{- end }}
+{{- if .Values.wireguard.keepAlive }}
+PersistentKeepalive = {{- .Values.wireguard.keepAlive }}
+{{- end }}
+{{ end }}
--- a/dev-docs/howto/vpn/helm/templates/wireguard-statefulset.yaml
+++ b/dev-docs/howto/vpn/helm/templates/wireguard-statefulset.yaml
@ -0,0 +1,68 @@
+{{ if .Values.wireguard.enabled -}}
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: {{ include "..fullname" . }}-frontend
+  labels: {{- include "..labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "..selectorLabels" . | nindent 6 }}
+      component: frontend
+  template:
+    metadata:
+      labels:
+        {{- include "..selectorLabels" . | nindent 8 }}
+        component: frontend
+    spec:
+      hostNetwork: false
+      initContainers:
+      - name: tproxy-setup
+        image: nixery.dev/busybox/iptables
+        command: ["/bin/sh", "-x", "/entrypoint.sh"]
+        env: {{- include "..commonEnv" . | nindent 10 }}
+        securityContext:
+          capabilities:
+            add: ["NET_ADMIN"]
+        volumeMounts:
+        - name: tproxy-setup
+          mountPath: "/entrypoint.sh"
+          subPath: "tproxy-setup.sh"
+          readOnly: true
+      - name: wg-setup
+        image: "nixery.dev/busybox/wireguard-tools"
+        command: ["/bin/sh", "-x", "/etc/wireguard/wireguard-setup.sh"]
+        env: {{- include "..commonEnv" . | nindent 10 }}
+        securityContext:
+          capabilities:
+            add: ["NET_ADMIN"]
+        volumeMounts:
+        - name: wireguard
+          mountPath: "/etc/wireguard"
+          readOnly: true
+      containers:
+      - name: tproxy
+        # Image source: github.com/burgerdev/go-tproxy
+        image:  ghcr.io/burgerdev/go-tproxy:latest
+        command: ["/tproxy", "--port=61001", "--nat=true"]
+        securityContext:
+          capabilities:
+            add: ["NET_RAW"]
+      volumes:
+      - name: tproxy-setup
+        configMap:
+          name: {{ include "..fullname" . }}-tproxy
+      - name: wireguard
+        projected:
+          sources:
+          - secret:
+              name: {{ include "..fullname" . }}-wg
+              items:
+                - key: wg.conf
+                  path: wg.conf
+          - configMap:
+              name: {{ include "..fullname" . }}-wg
+              items:
+                - key: wireguard-setup.sh
+                  path: wireguard-setup.sh
+{{- end }}