dev-docs: Helm chart for full L3 VPN connectivity (#2620)

* dev-docs: add 'things to try' section to VPN howto

* dev-docs: full L3 connectivity in VPN chart

dev-docs/howto/vpn/helm/templates/_helpers.tpl

@@ -37,4 +37,6 @@ app.kubernetes.io/instance: {{ .Release.Name }}
   value: {{ .Values.podCIDR | quote }}
 - name: VPN_SERVICE_CIDR
   value: {{ .Values.serviceCIDR | quote }}
+- name: VPN_FRONTEND_POD
+  value: {{ include "..fullname" . }}-frontend-0
 {{- end }}

dev-docs/howto/vpn/helm/templates/configmaps.yaml

@@ -1,22 +1,11 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  name: {{ include "..fullname" . }}-tproxy
+  name: {{ include "..fullname" . }}-operator
   labels: {{- include "..labels" . | nindent 4 }}
 data:
-{{ (.Files.Glob "files/tproxy-setup.sh").AsConfig | indent 2 }}
+{{ (.Files.Glob "files/operator/*").AsConfig | indent 2 }}
 ---
-{{- if .Values.wireguard.enabled }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ include "..fullname" . }}-wg
-  labels: {{- include "..labels" . | nindent 4 }}
-data:
-{{ (.Files.Glob "files/wireguard-setup.sh").AsConfig | indent 2 }}
-{{- end }}
----
-{{ if .Values.ipsec.enabled }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
@@ -24,4 +13,3 @@ metadata:
   labels: {{- include "..labels" . | nindent 4 }}
 data:
 {{ (.Files.Glob "files/strongswan/*").AsConfig | indent 2 }}
-{{- end }}

dev-docs/howto/vpn/helm/templates/operator-deployment.yaml

@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "..fullname" . }}-operator
+  labels: {{- include "..labels" . | nindent 4 }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      {{- include "..selectorLabels" . | nindent 6 }}
+      component: operator
+  template:
+    metadata:
+      labels:
+        {{- include "..selectorLabels" . | nindent 8 }}
+        component: operator
+    spec:
+      serviceAccountName: {{ include "..fullname" . }}
+      automountServiceAccountToken: true
+      containers:
+      - name: operator
+        image: {{ .Values.image | quote }}
+        command: ["sh", "/scripts/entrypoint.sh"]
+        env: {{- include "..commonEnv" . | nindent 10 }}
+        volumeMounts:
+        - name: scripts
+          mountPath: "/scripts"
+          readOnly: true
+      volumes:
+      - name: scripts
+        configMap:
+          name: {{ include "..fullname" . }}-operator

dev-docs/howto/vpn/helm/templates/rbac.yaml

@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "..fullname" . }}
+automountServiceAccountToken: false
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "..fullname" . }}
+rules:
+- apiGroups: [""]
+  resources: ["pods"]
+  verbs: ["get"]
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["get", "patch"]
+- apiGroups: ["cilium.io"]
+  resources: ["ciliumendpoints"]
+  verbs: ["get", "patch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "..fullname" . }}
+subjects:
+- kind: ServiceAccount
+  name: {{ include "..fullname" . }}
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ include "..fullname" . }}
+  apiGroup: rbac.authorization.k8s.io

dev-docs/howto/vpn/helm/templates/secrets.yaml

@@ -1,15 +1,3 @@
-{{- if .Values.wireguard.enabled }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ include "..fullname" . }}-wg
-  labels:
-    {{- include "..labels" . | nindent 4 }}
-data:
-  wg.conf: {{ include "wireguard.conf" . | b64enc }}
-{{- end }}
----
-{{ if .Values.ipsec.enabled }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -18,4 +6,3 @@ metadata:
     {{- include "..labels" . | nindent 4 }}
 data:
   swanctl.conf: {{ include "strongswan.swanctl-conf" . | b64enc }}
-{{- end }}

dev-docs/howto/vpn/helm/templates/service.yaml

@@ -11,16 +11,9 @@ spec:
     component: frontend
   externalTrafficPolicy: Local
   ports:
-    {{- if .Values.ipsec.enabled }}
     - name: isakmp
       protocol: UDP
       port: 500
     - name: ipsec-nat-t
       protocol: UDP
       port: 4500
-    {{- end }}
-    {{- if .Values.wireguard.enabled }}
-    - name: wg
-      protocol: UDP
-      port: {{ .Values.wireguard.port }}
-    {{- end }}

dev-docs/howto/vpn/helm/templates/strongswan-statefulset.yaml

@@ -1,4 +1,3 @@
-{{ if .Values.ipsec.enabled -}}
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
@@ -15,64 +14,41 @@ spec:
         {{- include "..selectorLabels" . | nindent 8 }}
         component: frontend
     spec:
-      hostNetwork: false
-      initContainers:
-      - name: tproxy-setup
-        image: nixery.dev/busybox/iptables
-        command: ["/bin/sh", "-x", "/entrypoint.sh"]
-        env: {{- include "..commonEnv" . | nindent 10 }}
-        securityContext:
-          capabilities:
-            add: ["NET_ADMIN"]
-        volumeMounts:
-        - name: tproxy-setup
-          mountPath: "/entrypoint.sh"
-          subPath: "tproxy-setup.sh"
-          readOnly: true
+      hostPID: true
       containers:
-      - name: tproxy
-        # Image source: github.com/burgerdev/go-tproxy
-        image:  ghcr.io/burgerdev/go-tproxy:latest
-        command: ["/tproxy", "--port=61001", "--nat=true"]
-        securityContext:
-          capabilities:
-            add: ["NET_RAW"]
       - name: strongswan
-        image: "nixery.dev/shell/strongswan"
-        command: ["/bin/sh", "-x", "/entrypoint.sh"]
+        image: {{ .Values.image | quote }}
+        command: ["sh", "-x", "/entrypoint.sh"]
         securityContext:
           capabilities:
             add: ["NET_ADMIN"]
         volumeMounts:
-        - name: strongswan
+        - name: files
           mountPath: "/entrypoint.sh"
           subPath: "entrypoint.sh"
           readOnly: true
-        - name: strongswan
+        - name: files
           mountPath: "/etc/strongswan.d/charon-logging.conf"
           subPath: "charon-logging.conf"
           readOnly: true
-        - name: strongswan
+        - name: config
           mountPath: "/etc/swanctl/swanctl.conf"
           subPath: "swanctl.conf"
           readOnly: true
+      - name: cilium-setup
+        image: {{ .Values.image | quote }}
+        command: ["sh", "/scripts/sidecar.sh"]
+        env: {{- include "..commonEnv" . | nindent 10 }}
+        securityContext:
+          privileged: true
+        volumeMounts:
+        - name: files
+          mountPath: "/scripts"
+          readOnly: true
       volumes:
-      - name: tproxy-setup
+      - name: files
         configMap:
-          name: {{ include "..fullname" . }}-tproxy
-      - name: strongswan
-        projected:
-          sources:
-          - secret:
-              name: {{ include "..fullname" . }}-strongswan
-              items:
-                - key: swanctl.conf
-                  path: swanctl.conf
-          - configMap:
-              name: {{ include "..fullname" . }}-strongswan
-              items:
-                - key: entrypoint.sh
-                  path: entrypoint.sh
-                - key: charon-logging.conf
-                  path: charon-logging.conf
-{{- end }}
+          name: {{ include "..fullname" . }}-strongswan
+      - name: config
+        secret:
+          secretName: {{ include "..fullname" . }}-strongswan

dev-docs/howto/vpn/helm/templates/wireguard-secret.tpl

@@ -1,14 +0,0 @@
-{{- define "wireguard.conf" }}
-[Interface]
-ListenPort = {{ .Values.wireguard.port }}
-PrivateKey = {{ .Values.wireguard.private_key }}
-[Peer]
-PublicKey = {{ .Values.wireguard.peer_key }}
-AllowedIPs = {{ join "," .Values.peerCIDRs }}
-{{- if .Values.wireguard.endpoint }}
-Endpoint = {{- .Values.wireguard.endpoint }}
-{{- end }}
-{{- if .Values.wireguard.keepAlive }}
-PersistentKeepalive = {{- .Values.wireguard.keepAlive }}
-{{- end }}
-{{ end }}

dev-docs/howto/vpn/helm/templates/wireguard-statefulset.yaml

@@ -1,68 +0,0 @@
-{{ if .Values.wireguard.enabled -}}
-apiVersion: apps/v1
-kind: StatefulSet
-metadata:
-  name: {{ include "..fullname" . }}-frontend
-  labels: {{- include "..labels" . | nindent 4 }}
-spec:
-  selector:
-    matchLabels:
-      {{- include "..selectorLabels" . | nindent 6 }}
-      component: frontend
-  template:
-    metadata:
-      labels:
-        {{- include "..selectorLabels" . | nindent 8 }}
-        component: frontend
-    spec:
-      hostNetwork: false
-      initContainers:
-      - name: tproxy-setup
-        image: nixery.dev/busybox/iptables
-        command: ["/bin/sh", "-x", "/entrypoint.sh"]
-        env: {{- include "..commonEnv" . | nindent 10 }}
-        securityContext:
-          capabilities:
-            add: ["NET_ADMIN"]
-        volumeMounts:
-        - name: tproxy-setup
-          mountPath: "/entrypoint.sh"
-          subPath: "tproxy-setup.sh"
-          readOnly: true
-      - name: wg-setup
-        image: "nixery.dev/busybox/wireguard-tools"
-        command: ["/bin/sh", "-x", "/etc/wireguard/wireguard-setup.sh"]
-        env: {{- include "..commonEnv" . | nindent 10 }}
-        securityContext:
-          capabilities:
-            add: ["NET_ADMIN"]
-        volumeMounts:
-        - name: wireguard
-          mountPath: "/etc/wireguard"
-          readOnly: true
-      containers:
-      - name: tproxy
-        # Image source: github.com/burgerdev/go-tproxy
-        image:  ghcr.io/burgerdev/go-tproxy:latest
-        command: ["/tproxy", "--port=61001", "--nat=true"]
-        securityContext:
-          capabilities:
-            add: ["NET_RAW"]
-      volumes:
-      - name: tproxy-setup
-        configMap:
-          name: {{ include "..fullname" . }}-tproxy
-      - name: wireguard
-        projected:
-          sources:
-          - secret:
-              name: {{ include "..fullname" . }}-wg
-              items:
-                - key: wg.conf
-                  path: wg.conf
-          - configMap:
-              name: {{ include "..fullname" . }}-wg
-              items:
-                - key: wireguard-setup.sh
-                  path: wireguard-setup.sh
-{{- end }}