dev-docs: add on-prem terraform to vpn setup (#2619)
* vpn: add fake-on-prem infra * dev-docs: move vpn helm
This commit is contained in:
parent
c922864f30
commit
0564e4ebb4
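--- a/dev-docs/howto/vpn/on-prem-terraform/.terraform.lock.hcl
+++ b/dev-docs/howto/vpn/on-prem-terraform/.terraform.lock.hcl
@@ -0,0 +1,73 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/azurerm" {
+version = "3.74.0"
+constraints = "3.74.0"
+hashes = [
+"h1:4b15khHtc5OkIVEFg0W5QRwf/ov1WVQkXVdSiAcTCS8=",
+"h1:ETVZfmulZQ435+lgFCkZRpfVOLyAxfDOwbPXFg3aLLQ=",
+"h1:H3diAufZ5VDQKsQNYykVRaFTOUJ4gjFiT2VLYi574+w=",
+"h1:LEdK8BxNSNiBQbtcJhQZKMMHDjmPpUsvDpr3Mzs93Tg=",
+"h1:VfBB00BE0wvFiod7BlL+Cn6r2599MEi94hnAQ277ux8=",
+"zh:0424c70152f949da1ec52ba96d20e5fd32fd22d9bd9203ce045d5f6aab3d20fc",
+"zh:16dbf581d10f8e7937185bcdcceb4f91d08c919e452fb8da7580071288c8c397",
+"zh:3019103bc2c3b4e185f5c65696c349697644c968f5c085af5505fed6d01c4241",
+"zh:49bb56ebaed6653fdb913c2b2bb74fc8b5399e7258d1e89084f72c44ea1130dd",
+"zh:85547666517f899d88620bd23a000a8f43c7dc93587c350eb1ea17bcb3e645c7",
+"zh:8bed8b646ff1822d8764de68b56b71e5dd971a4b77eba80d47f400a530800bea",
+"zh:8bfa6c70c004ba05ebce47f74f49ce872c28a68a18bb71b281a9681bcbbdbfa1",
+"zh:a2ae9e38fda0695fb8aa810e4f1ce4b104bfda651a87923b307bb1728680d8b6",
+"zh:beac1efe32f99072c892095f5ff46e40d6852b66679a03bc3acbe1b90fb1f653",
+"zh:d8a6ca20e49ebe7ea5688d91233d571e2c2ccc3e41000c39a7d7031df209ea8e",
+"zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+"zh:f937b5fdf49b072c0347408d0a1c5a5d822dae1a23252915930e5a82d1d8ce8b",
+]
+}
+
+provider "registry.terraform.io/hashicorp/random" {
+version = "3.5.1"
+constraints = "3.5.1"
+hashes = [
+"h1:3hjTP5tQBspPcFAJlfafnWrNrKnr7J4Cp0qB9jbqf30=",
+"h1:6FVyQ/aG6tawPam6B+oFjgdidKd83uG9n7dOSQ66HBA=",
+"h1:IL9mSatmwov+e0+++YX2V6uel+dV6bn+fC/cnGDK3Ck=",
+"h1:VSnd9ZIPyfKHOObuQCaKfnjIHRtR7qTw19Rz8tJxm+k=",
+"h1:sZ7MTSD4FLekNN2wSNFGpM+5slfvpm5A/NLVZiB7CO0=",
+"zh:04e3fbd610cb52c1017d282531364b9c53ef72b6bc533acb2a90671957324a64",
+"zh:119197103301ebaf7efb91df8f0b6e0dd31e6ff943d231af35ee1831c599188d",
+"zh:4d2b219d09abf3b1bb4df93d399ed156cadd61f44ad3baf5cf2954df2fba0831",
+"zh:6130bdde527587bbe2dcaa7150363e96dbc5250ea20154176d82bc69df5d4ce3",
+"zh:6cc326cd4000f724d3086ee05587e7710f032f94fc9af35e96a386a1c6f2214f",
+"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+"zh:b6d88e1d28cf2dfa24e9fdcc3efc77adcdc1c3c3b5c7ce503a423efbdd6de57b",
+"zh:ba74c592622ecbcef9dc2a4d81ed321c4e44cddf7da799faa324da9bf52a22b2",
+"zh:c7c5cde98fe4ef1143bd1b3ec5dc04baf0d4cc3ca2c5c7d40d17c0e9b2076865",
+"zh:dac4bad52c940cd0dfc27893507c1e92393846b024c5a9db159a93c534a3da03",
+"zh:de8febe2a2acd9ac454b844a4106ed295ae9520ef54dc8ed2faf29f12716b602",
+"zh:eab0d0495e7e711cca367f7d4df6e322e6c562fc52151ec931176115b83ed014",
+]
+}
+
+provider "registry.terraform.io/hashicorp/tls" {
+version = "4.0.4"
+hashes = [
+"h1:GZcFizg5ZT2VrpwvxGBHQ/hO9r6g0vYdQqx3bFD3anY=",
+"h1:Wd3RqmQW60k2QWPN4sK5CtjGuO1d+CRNXgC+D4rKtXc=",
+"h1:bNsvpX5EGuVxgGRXBQVLXlmq40PdoLp8Rfuh1ZmV7yY=",
+"h1:pe9vq86dZZKCm+8k1RhzARwENslF3SXb9ErHbQfgjXU=",
+"h1:rKKMyIEBZwR+8j6Tx3PwqBrStuH+J+pxcbCR5XN8WAw=",
+"zh:23671ed83e1fcf79745534841e10291bbf34046b27d6e68a5d0aab77206f4a55",
+"zh:45292421211ffd9e8e3eb3655677700e3c5047f71d8f7650d2ce30242335f848",
+"zh:59fedb519f4433c0fdb1d58b27c210b27415fddd0cd73c5312530b4309c088be",
+"zh:5a8eec2409a9ff7cd0758a9d818c74bcba92a240e6c5e54b99df68fff312bbd5",
+"zh:5e6a4b39f3171f53292ab88058a59e64825f2b842760a4869e64dc1dc093d1fe",
+"zh:810547d0bf9311d21c81cc306126d3547e7bd3f194fc295836acf164b9f8424e",
+"zh:824a5f3617624243bed0259d7dd37d76017097dc3193dac669be342b90b2ab48",
+"zh:9361ccc7048be5dcbc2fafe2d8216939765b3160bd52734f7a9fd917a39ecbd8",
+"zh:aa02ea625aaf672e649296bce7580f62d724268189fe9ad7c1b36bb0fa12fa60",
+"zh:c71b4cd40d6ec7815dfeefd57d88bc592c0c42f5e5858dcc88245d371b4b8b1e",
+"zh:dabcd52f36b43d250a3d71ad7abfa07b5622c69068d989e60b79b2bb4f220316",
+"zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c",
+]
+}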
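--- a/dev-docs/howto/vpn/on-prem-terraform/main.tf
+++ b/dev-docs/howto/vpn/on-prem-terraform/main.tf
@@ -0,0 +1,294 @@
+terraform {
+required_providers {
+azurerm = {
+source = "hashicorp/azurerm"
+version = "3.74.0"
+}
+random = {
+source = "hashicorp/random"
+version = "3.5.1"
+}
+}
+}
+
+provider "azurerm" {
+features {}
+}
+
+locals {
+username = "azureadmin"
+}
+
+resource "random_pet" "rg_name" {
+prefix = var.name_prefix
+}
+
+resource "azurerm_resource_group" "rg" {
+location = var.resource_group_location
+name = random_pet.rg_name.id
+}
+
+# Create virtual network
+resource "azurerm_virtual_network" "network" {
+name = "network"
+address_space = [var.local_ts]
+location = azurerm_resource_group.rg.location
+resource_group_name = azurerm_resource_group.rg.name
+}
+
+# Create subnet
+resource "azurerm_subnet" "subnet" {
+name = "subnet"
+resource_group_name = azurerm_resource_group.rg.name
+virtual_network_name = azurerm_virtual_network.network.name
+address_prefixes = [cidrsubnet(var.local_ts, 8, 0)]
+
+}
+
+resource "tls_private_key" "ssh_key" {
+algorithm = "RSA"
+rsa_bits = 4096
+}
+
+# Create public IPs
+resource "azurerm_public_ip" "pubIP" {
+name = "publicIP"
+location = azurerm_resource_group.rg.location
+resource_group_name = azurerm_resource_group.rg.name
+allocation_method = "Dynamic"
+}
+
+# Create Network Security Group and rule
+resource "azurerm_network_security_group" "security_group" {
+name = "secuityGroup"
+location = azurerm_resource_group.rg.location
+resource_group_name = azurerm_resource_group.rg.name
+
+security_rule {
+name = "SSH"
+priority = 1001
+direction = "Inbound"
+access = "Allow"
+protocol = "Tcp"
+source_port_range = "*"
+destination_port_range = "22"
+source_address_prefix = "*"
+destination_address_prefix = "*"
+}
+security_rule {
+name = "strongSwan_500"
+priority = 1002
+direction = "Inbound"
+access = "Allow"
+protocol = "Udp"
+source_port_range = "*"
+destination_port_range = "500"
+source_address_prefix = "*"
+destination_address_prefix = "*"
+}
+security_rule {
+name = "strongSwan_4500"
+priority = 1003
+direction = "Inbound"
+access = "Allow"
+protocol = "Udp"
+source_port_range = "*"
+destination_port_range = "4500"
+source_address_prefix = "*"
+destination_address_prefix = "*"
+}
+}
+
+resource "azurerm_route_table" "route_table" {
+name = "vpn-routes"
+location = azurerm_resource_group.rg.location
+resource_group_name = azurerm_resource_group.rg.name
+disable_bgp_route_propagation = false
+
+dynamic "route" {
+for_each = var.remote_ts
+content {
+name = "route-${route.key}"
+address_prefix = route.value
+next_hop_type = "VirtualAppliance"
+next_hop_in_ip_address = azurerm_network_interface.public_nic.private_ip_address
+}
+}
+}
+
+resource "azurerm_subnet_route_table_association" "route_table_association" {
+subnet_id = azurerm_subnet.subnet.id
+route_table_id = azurerm_route_table.route_table.id
+}
+
+
+# Create network interface
+resource "azurerm_network_interface" "public_nic" {
+name = "public-nic"
+location = azurerm_resource_group.rg.location
+resource_group_name = azurerm_resource_group.rg.name
+
+ip_configuration {
+name = "my_nic_configuration"
+subnet_id = azurerm_subnet.subnet.id
+private_ip_address_allocation = "Dynamic"
+public_ip_address_id = azurerm_public_ip.pubIP.id
+}
+}
+
+# Connect the security group to the network interface
+resource "azurerm_network_interface_security_group_association" "example" {
+network_interface_id = azurerm_network_interface.public_nic.id
+network_security_group_id = azurerm_network_security_group.security_group.id
+}
+
+# Create virtual machine
+resource "azurerm_linux_virtual_machine" "public_vm" {
+name = "public_vm"
+location = azurerm_resource_group.rg.location
+resource_group_name = azurerm_resource_group.rg.name
+network_interface_ids = [azurerm_network_interface.public_nic.id]
+size = "Standard_B2ats_v2"
+
+os_disk {
+name = "disk_public_vm"
+caching = "ReadWrite"
+storage_account_type = "Premium_LRS"
+}
+
+source_image_reference {
+publisher = "Canonical"
+offer = "0001-com-ubuntu-server-jammy"
+sku = "22_04-lts-gen2"
+version = "latest"
+}
+
+computer_name = "hostname"
+admin_username = local.username
+
+admin_ssh_key {
+username = local.username
+public_key = tls_private_key.ssh_key.public_key_openssh
+}
+
+boot_diagnostics {
+}
+
+user_data = base64encode(<<EOF
+#!/bin/bash
+set -x
+
+apt-get update
+apt-get install strongswan-charon strongswan-swanctl -y
+
+
+cat <<'EOT' >> /etc/strongswan.d/charon-logging.conf
+charon {
+filelog {
+stderr {
+time_format = %b %e %T
+ike_name = yes
+default = 1
+ike = 2
+flush_line = yes
+}
+}
+}
+EOT
+
+
+cat <<'EOT' >> /etc/swanctl/conf.d/constellation.conf
+connections {
+gw-gw {
+remote_addrs = ${var.remote_addr}
+
+local {
+auth = psk
+}
+remote {
+auth = psk
+}
+children {
+net-net {
+local_ts = ${var.local_ts}
+remote_ts = ${join(",", var.remote_ts)}
+
+start_action = trap
+}
+}
+}
+}
+
+secrets {
+ike {
+secret = ${var.ike_psk}
+}
+}
+EOT
+
+cat <<'EOT' >> /home/${local.username}/restart-and-reload-strongswan.sh
+#!/bin/sh
+
+# Restart charon daemon
+ipsec restart
+
+sleep 5
+
+# Load all the config files
+swanctl --load-all
+
+echo "You now should be able to ping and curl the remote network (Pod IPs and Services)"
+
+EOT
+
+chmod +x /home/${local.username}/restart-and-reload-strongswan.sh
+sysctl -w net.ipv4.ip_forward=1
+
+EOF
+)
+}
+
+resource "azurerm_network_interface" "private_nic" {
+name = "private-nic"
+location = var.resource_group_location
+resource_group_name = azurerm_resource_group.rg.name
+
+ip_configuration {
+name = "internal"
+subnet_id = azurerm_subnet.subnet.id
+private_ip_address_allocation = "Dynamic"
+}
+}
+
+# Create virtual machine
+resource "azurerm_linux_virtual_machine" "private_vm" {
+name = "private_vm"
+location = azurerm_resource_group.rg.location
+resource_group_name = azurerm_resource_group.rg.name
+network_interface_ids = [azurerm_network_interface.private_nic.id]
+size = "Standard_B2ats_v2"
+
+os_disk {
+name = "disk_private_vm"
+caching = "ReadWrite"
+storage_account_type = "Premium_LRS"
+}
+
+source_image_reference {
+publisher = "Canonical"
+offer = "0001-com-ubuntu-server-jammy"
+sku = "22_04-lts-gen2"
+version = "latest"
+}
+
+computer_name = "hostname"
+admin_username = local.username
+
+admin_ssh_key {
+username = local.username
+public_key = tls_private_key.ssh_key.public_key_openssh
+}
+
+boot_diagnostics {
+}
+}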
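Review bot: All three `security_rule` blocks in `azurerm_network_security_group.security_group` use `source_address_prefix = "*"`, so SSH on 22 and IKE/NAT-T on 500/4500 are reachable from any address on the public IP rather than just from the Constellation peer. The IKE rules only need to admit that peer, so `source_address_prefix = var.remote_addr` on the `strongSwan_500` and `strongSwan_4500` rules keeps the tunnel working while closing the rest, and the SSH rule could take an operator CIDR variable instead of `"*"`. Separately, `${var.ike_psk}` is rendered into `user_data`, which Azure keeps as instance metadata readable from inside the VM and Terraform keeps in state, so a comment above `user_data` such as `# NOTE: the IKE PSK is baked into user_data (instance metadata) and Terraform state; treat it as a throwaway test secret` would tell readers of this dev-docs example what they are accepting. Finally, `tls_private_key.ssh_key` uses the hashicorp/tls provider, which is not declared in `required_providers` and therefore carries no version constraint (the lockfile records 4.0.4 without a `constraints` entry); adding `tls = { source = "hashicorp/tls", version = "4.0.4" }` next to `random` would be consistent with the other two providers.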
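--- a/dev-docs/howto/vpn/on-prem-terraform/output.tf
+++ b/dev-docs/howto/vpn/on-prem-terraform/output.tf
@@ -0,0 +1,8 @@
+output "private_key" {
+value = tls_private_key.ssh_key.private_key_pem
+sensitive = true
+}
+
+output "public_ip" {
+value = azurerm_public_ip.pubIP.ip_address
+}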
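Review bot: `public_ip` reads `azurerm_public_ip.pubIP.ip_address`, but that resource is created in main.tf with `allocation_method = "Dynamic"`, and Azure assigns a dynamic address only once the NIC is attached to a running VM, so this output is likely empty on the first apply until a later refresh; switching the public IP to `allocation_method = "Static"` in main.tf would make the value available immediately. `private_key` is correctly marked `sensitive = true`, which hides it from CLI output, but the PEM still sits in plaintext in the Terraform state file, as does `var.ike_psk`; a comment such as `# sensitive only redacts CLI output; the key is still stored in plaintext in the state file` above the output would make that explicit for readers of this example.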
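--- a/dev-docs/howto/vpn/on-prem-terraform/variables.tf
+++ b/dev-docs/howto/vpn/on-prem-terraform/variables.tf
@@ -0,0 +1,32 @@
+variable "resource_group_location" {
+type = string
+default = "westeurope"
+description = "Location of the resource group."
+}
+
+variable "name_prefix" {
+type = string
+default = "vpn-test"
+}
+
+variable "remote_addr" {
+type = string
+description = "The public IP address of the remote host."
+}
+
+variable "ike_psk" {
+type = string
+description = "The IKE pre-shared key."
+}
+
+variable "local_ts" {
+type = string
+description = "The local traffic selector."
+default = "10.99.0.0/16"
+}
+
+variable "remote_ts" {
+type = list(string)
+description = "The remote traffic selector."
+default = ["10.10.0.0/16", "10.96.0.0/12"]
+}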
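Review bot: `ike_psk` holds the IKE pre-shared key but is not declared `sensitive = true`, so its value is printed verbatim in `terraform plan`/`apply` output and in any CI log that captures it; adding `sensitive = true` next to its `description` keeps it consistent with the `private_key` output in output.tf, which already sets the flag. `local_ts` and `remote_ts` are interpolated as-is into the swanctl configuration in main.tf, so a `validation` block such as `condition = can(cidrhost(var.local_ts, 0))` (and the equivalent over each element of `remote_ts`) would fail early on a malformed selector instead of producing a broken strongSwan config on the VM. `name_prefix` is the only variable without a `description`; a line such as `description = "Prefix for the generated resource group name."` would complete the set.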