vpn: ship our own container image (#2909)

* vpn: ship our own container image The container image used in the VPN chart should be reproducible and stable. We're sticking close to the original nixery.dev version by building the image with nix ourselves, and then publishing the single layer from the result with Bazel OCI rules. The resulting image should be handled similar to s3proxy: it's built as a part of the Constellation release process and then consumed from a Helm chart in our registry. Co-authored-by: Malte Poll <1780588+malt3@users.noreply.github.com>
2025-05-02 14:26:23 -04:00 · 2024-02-15 13:08:27 +01:00 · 2024-02-15 13:08:27 +01:00 · 473001be55
commit 473001be55
parent 896f68c26d
12 changed files with 123 additions and 40 deletions
--- a/dev-docs/howto/vpn/helm/files/operator/entrypoint.sh
+++ b/dev-docs/howto/vpn/helm/files/operator/entrypoint.sh
@ -1,46 +0,0 @@
-#!/bin/sh
-
-signaled() {
-  exit 143
-}
-
-trap signaled INT TERM
-
-all_ips() {
-  kubectl get pods "${VPN_FRONTEND_POD}" -o go-template --template '{{ range .status.podIPs }}{{ printf "%s " .ip }}{{ end }}'
-  echo "${VPN_PEER_CIDRS}"
-}
-
-cep_patch() {
-  for ip in $(all_ips); do printf '{"ipv4": "%s"}' "${ip}"; done | jq -s -c -j |
-    jq '[{op: "replace", path: "/status/networking/addressing", value: . }]'
-}
-
-# Format the space-separated CIDRs into a JSON array.
-vpn_cidrs=$(for ip in ${VPN_PEER_CIDRS}; do printf '"%s" ' "${ip}"; done | jq -s -c -j)
-
-masq_patch() {
-  kubectl -n kube-system get configmap ip-masq-agent -o json |
-    jq -r .data.config |
-    jq "{ masqLinkLocal: .masqLinkLocal, nonMasqueradeCIDRs: ((.nonMasqueradeCIDRs - ${vpn_cidrs}) + ${vpn_cidrs}) }" |
-    jq '@json | [{op: "replace", path: "/data/config", value: . }]'
-}
-
-reconcile_masq() {
-  if ! kubectl -n kube-system get configmap ip-masq-agent > /dev/null; then
-    # We don't know enough to create an ip-masq-agent.
-    return 0
-  fi
-
-  kubectl -n kube-system patch configmap ip-masq-agent --type json --patch "$(masq_patch)" > /dev/null
-}
-
-while true; do
-  # Reconcile CiliumEndpoint to advertise VPN CIDRs.
-  kubectl patch ciliumendpoint "${VPN_FRONTEND_POD}" --type json --patch "$(cep_patch)" > /dev/null
-
-  # Reconcile ip-masq-agent configuration to exclude VPN traffic.
-  reconcile_masq
-
-  sleep 10
-done
--- a/dev-docs/howto/vpn/helm/files/strongswan/charon-logging.conf
+++ b/dev-docs/howto/vpn/helm/files/strongswan/charon-logging.conf
@ -1,11 +0,0 @@
-charon {
-    filelog {
-        stderr {
-            time_format = %b %e %T
-            ike_name = yes
-            default = 1
-            ike = 2
-            flush_line = yes
-        }
-    }
-}
--- a/dev-docs/howto/vpn/helm/files/strongswan/entrypoint.sh
+++ b/dev-docs/howto/vpn/helm/files/strongswan/entrypoint.sh
@ -1,13 +0,0 @@
-#!/bin/sh
-
-# The charon binary is not included in the PATH generated by nixery.dev, find it manually.
-charon="$(dirname "$(readlink -f "$(command -v charon-systemd)")")/../libexec/ipsec/charon"
-
-"${charon}" &
-
-while ! swanctl --stats > /dev/null 2> /dev/null; do
-  sleep 1
-done
-swanctl --load-all
-
-wait
--- a/dev-docs/howto/vpn/helm/files/strongswan/sidecar.sh
+++ b/dev-docs/howto/vpn/helm/files/strongswan/sidecar.sh
@ -1,44 +0,0 @@
-#!/bin/sh
-
-set -u
-
-if [ "$$" -eq "1" ]; then
-  echo 'This script must run in the root PID namespace, but $$ == 1!' >&2
-  exit 1
-fi
-
-myip() {
-  ip -j addr show eth0 | jq -r '.[0].addr_info[] | select(.family == "inet") | .local'
-}
-
-# Disable source IP verification on our network interface. Otherwise, VPN
-# packets will be dropped by Cilium.
-reconcile_sip_verification() {
-  # We want all of the cilium calls in this function to target the same
-  # process, so that we fail if the agent restarts in between. Thus, we only
-  # query the pid once per reconciliation.
-  cilium_agent=$(pidof cilium-agent) || return 0
-
-  cilium() {
-    nsenter -t "${cilium_agent}" -a -r -w cilium "$@"
-  }
-
-  myendpoint=$(cilium endpoint get "ipv4:$(myip)" | jq '.[0].id') || return 0
-
-  if [ "$(cilium endpoint config "${myendpoint}" -o json | jq -r .realized.options.SourceIPVerification)" = "Enabled" ]; then
-    cilium endpoint config "${myendpoint}" SourceIPVerification=Disabled
-  fi
-}
-
-# Set up the route from the node network namespace to the VPN pod.
-reconcile_route() {
-  for cidr in ${VPN_PEER_CIDRS}; do
-    nsenter -t 1 -n ip route replace "${cidr}" via "$(myip)"
-  done
-}
-
-while true; do
-  reconcile_route
-  reconcile_sip_verification
-  sleep 10
-done
--- a/dev-docs/howto/vpn/helm/templates/operator-deployment.yaml
+++ b/dev-docs/howto/vpn/helm/templates/operator-deployment.yaml
@ -20,13 +20,5 @@ spec:
      containers:
      - name: operator
        image: {{ .Values.image | quote }}
-        command: ["sh", "/scripts/entrypoint.sh"]
+        command: ["/bin/operator.sh"]
        env: {{- include "..commonEnv" . | nindent 10 }}
-        volumeMounts:
-        - name: scripts
-          mountPath: "/scripts"
-          readOnly: true
-      volumes:
-      - name: scripts
-        configMap:
-          name: {{ include "..fullname" . }}-operator
--- a/dev-docs/howto/vpn/helm/templates/strongswan-statefulset.yaml
+++ b/dev-docs/howto/vpn/helm/templates/strongswan-statefulset.yaml
@ -18,37 +18,22 @@ spec:
      containers:
      - name: strongswan
        image: {{ .Values.image | quote }}
-        command: ["sh", "-x", "/entrypoint.sh"]
+        command: ["/bin/strongswan.sh"]
        securityContext:
          capabilities:
            add: ["NET_ADMIN"]
        volumeMounts:
-        - name: files
-          mountPath: "/entrypoint.sh"
-          subPath: "entrypoint.sh"
-          readOnly: true
-        - name: files
-          mountPath: "/etc/strongswan.d/charon-logging.conf"
-          subPath: "charon-logging.conf"
-          readOnly: true
        - name: config
          mountPath: "/etc/swanctl/swanctl.conf"
          subPath: "swanctl.conf"
          readOnly: true
      - name: cilium-setup
        image: {{ .Values.image | quote }}
-        command: ["sh", "/scripts/sidecar.sh"]
+        command: ["/bin/sidecar.sh"]
        env: {{- include "..commonEnv" . | nindent 10 }}
        securityContext:
          privileged: true
-        volumeMounts:
-        - name: files
-          mountPath: "/scripts"
-          readOnly: true
      volumes:
-      - name: files
-        configMap:
-          name: {{ include "..fullname" . }}-strongswan
      - name: config
        secret:
          secretName: {{ include "..fullname" . }}-strongswan
--- a/dev-docs/howto/vpn/helm/values.yaml
+++ b/dev-docs/howto/vpn/helm/values.yaml
@ -15,5 +15,4 @@ ipsec:
  # Address of the peer's gateway router.
  peer: ""

-# required tools:  sh    nsenter    ip       pidof  jq kubectl    charon
-image: "nixery.dev/shell/util-linux/iproute2/procps/jq/kubernetes/strongswan"
+image: "ghcr.io/edgelesssys/constellation/vpn@sha256:34e28ced172d04dfdadaadbefb1a53b5857cb24fb24e275fbbc537f3639a789e"