mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-05-06 16:25:21 -04:00
dev-docs: Helm chart for full L3 VPN connectivity (#2620)
* dev-docs: add 'things to try' section to VPN howto * dev-docs: full L3 connectivity in VPN chart
This commit is contained in:
Markus Rudy
GitHub
parent
9181705299
commit
16c63d57cd
15 changed files with 242 additions and 246 deletions
46
dev-docs/howto/vpn/helm/files/operator/entrypoint.sh
Normal file
46
dev-docs/howto/vpn/helm/files/operator/entrypoint.sh
Normal file
|
|
@ -0,0 +1,46 @@
|
|||
#!/bin/sh
|
||||
|
||||
signaled() {
|
||||
exit 143
|
||||
}
|
||||
|
||||
trap signaled INT TERM
|
||||
|
||||
all_ips() {
|
||||
kubectl get pods "${VPN_FRONTEND_POD}" -o go-template --template '{{ range .status.podIPs }}{{ printf "%s " .ip }}{{ end }}'
|
||||
echo "${VPN_PEER_CIDRS}"
|
||||
}
|
||||
|
||||
cep_patch() {
|
||||
for ip in $(all_ips); do printf '{"ipv4": "%s"}' "${ip}"; done | jq -s -c -j |
|
||||
jq '[{op: "replace", path: "/status/networking/addressing", value: . }]'
|
||||
}
|
||||
|
||||
# Format the space-separated CIDRs into a JSON array.
|
||||
vpn_cidrs=$(for ip in ${VPN_PEER_CIDRS}; do printf '"%s" ' "${ip}"; done | jq -s -c -j)
|
||||
|
||||
masq_patch() {
|
||||
kubectl -n kube-system get configmap ip-masq-agent -o json |
|
||||
jq -r .data.config |
|
||||
jq "{ masqLinkLocal: .masqLinkLocal, nonMasqueradeCIDRs: ((.nonMasqueradeCIDRs - ${vpn_cidrs}) + ${vpn_cidrs}) }" |
|
||||
jq '@json | [{op: "replace", path: "/data/config", value: . }]'
|
||||
}
|
||||
|
||||
reconcile_masq() {
|
||||
if ! kubectl -n kube-system get configmap ip-masq-agent > /dev/null; then
|
||||
# We don't know enough to create an ip-masq-agent.
|
||||
return 0
|
||||
fi
|
||||
|
||||
kubectl -n kube-system patch configmap ip-masq-agent --type json --patch "$(masq_patch)" > /dev/null
|
||||
}
|
||||
|
||||
while true; do
|
||||
# Reconcile CiliumEndpoint to advertise VPN CIDRs.
|
||||
kubectl patch ciliumendpoint "${VPN_FRONTEND_POD}" --type json --patch "$(cep_patch)" > /dev/null
|
||||
|
||||
# Reconcile ip-masq-agent configuration to exclude VPN traffic.
|
||||
reconcile_masq
|
||||
|
||||
sleep 10
|
||||
done
|
||||
44
dev-docs/howto/vpn/helm/files/strongswan/sidecar.sh
Normal file
44
dev-docs/howto/vpn/helm/files/strongswan/sidecar.sh
Normal file
|
|
@ -0,0 +1,44 @@
|
|||
#!/bin/sh
|
||||
|
||||
set -u
|
||||
|
||||
if [ "$$" -eq "1" ]; then
|
||||
echo 'This script must run in the root PID namespace, but $$ == 1!' >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
myip() {
|
||||
ip -j addr show eth0 | jq -r '.[0].addr_info[] | select(.family == "inet") | .local'
|
||||
}
|
||||
|
||||
# Disable source IP verification on our network interface. Otherwise, VPN
|
||||
# packets will be dropped by Cilium.
|
||||
reconcile_sip_verification() {
|
||||
# We want all of the cilium calls in this function to target the same
|
||||
# process, so that we fail if the agent restarts in between. Thus, we only
|
||||
# query the pid once per reconciliation.
|
||||
cilium_agent=$(pidof cilium-agent) || return 0
|
||||
|
||||
cilium() {
|
||||
nsenter -t "${cilium_agent}" -a -r -w cilium "$@"
|
||||
}
|
||||
|
||||
myendpoint=$(cilium endpoint get "ipv4:$(myip)" | jq '.[0].id') || return 0
|
||||
|
||||
if [ "$(cilium endpoint config "${myendpoint}" -o json | jq -r .realized.options.SourceIPVerification)" = "Enabled" ]; then
|
||||
cilium endpoint config "${myendpoint}" SourceIPVerification=Disabled
|
||||
fi
|
||||
}
|
||||
|
||||
# Set up the route from the node network namespace to the VPN pod.
|
||||
reconcile_route() {
|
||||
for cidr in ${VPN_PEER_CIDRS}; do
|
||||
nsenter -t 1 -n ip route replace "${cidr}" via "$(myip)"
|
||||
done
|
||||
}
|
||||
|
||||
while true; do
|
||||
reconcile_route
|
||||
reconcile_sip_verification
|
||||
sleep 10
|
||||
done
|
||||
|
|
@ -1,38 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
set -eu
|
||||
|
||||
### Pod IPs ###
|
||||
|
||||
# Pod IPs are just NATed.
|
||||
|
||||
iptables -t nat -N VPN_POST || iptables -t nat -F VPN_POST
|
||||
|
||||
for cidr in ${VPN_PEER_CIDRS}; do
|
||||
iptables -t nat -A VPN_POST -s "${cidr}" -d "${VPN_POD_CIDR}" -j MASQUERADE
|
||||
done
|
||||
|
||||
iptables -t nat -C POSTROUTING -j VPN_POST || iptables -t nat -A POSTROUTING -j VPN_POST
|
||||
|
||||
### Service IPs ###
|
||||
|
||||
# Service IPs need to be connected to locally to trigger the cgroup connect hook, thus we send them to the transparent proxy.
|
||||
|
||||
# Packets with mark 1 are for tproxy and need to be delivered locally.
|
||||
# For more information see: https://www.kernel.org/doc/Documentation/networking/tproxy.txt
|
||||
pref=42
|
||||
table=42
|
||||
mark=0x1/0x1
|
||||
ip rule add pref "${pref}" fwmark "${mark}" lookup "${table}"
|
||||
ip route replace local 0.0.0.0/0 dev lo table "${table}"
|
||||
|
||||
iptables -t mangle -N VPN_PRE || iptables -t mangle -F VPN_PRE
|
||||
|
||||
for cidr in ${VPN_PEER_CIDRS}; do
|
||||
for proto in tcp udp; do
|
||||
iptables -t mangle -A VPN_PRE -p "${proto}" -s "${cidr}" -d "${VPN_SERVICE_CIDR}" \
|
||||
-j TPROXY --tproxy-mark "${mark}" --on-port 61001
|
||||
done
|
||||
done
|
||||
|
||||
iptables -t mangle -C PREROUTING -j VPN_PRE || iptables -t mangle -A PREROUTING -j VPN_PRE
|
||||
|
|
@ -1,13 +0,0 @@
|
|||
#!/bin/sh
|
||||
|
||||
set -eu
|
||||
|
||||
dev=vpn_wg0
|
||||
|
||||
ip link add dev "${dev}" type wireguard
|
||||
wg setconf "${dev}" /etc/wireguard/wg.conf
|
||||
ip link set dev "${dev}" up
|
||||
|
||||
for cidr in ${VPN_PEER_CIDRS}; do
|
||||
ip route replace "${cidr}" dev "${dev}"
|
||||
done
|
||||
Loading…
Add table
Add a link
Reference in a new issue