vpn: ship our own container image (#2909)

* vpn: ship our own container image

The container image used in the VPN chart should be reproducible and
stable. We're sticking close to the original nixery.dev version by
building the image with nix ourselves, and then publishing the single
layer from the result with Bazel OCI rules. The resulting image should
be handled similar to s3proxy: it's built as a part of the Constellation
release process and then consumed from a Helm chart in our registry.

Co-authored-by: Malte Poll <1780588+malt3@users.noreply.github.com>

dev-docs/howto/vpn/helm/files/strongswan/sidecar.sh

@@ -1,44 +0,0 @@
-#!/bin/sh
-
-set -u
-
-if [ "$$" -eq "1" ]; then
-  echo 'This script must run in the root PID namespace, but $$ == 1!' >&2
-  exit 1
-fi
-
-myip() {
-  ip -j addr show eth0 | jq -r '.[0].addr_info[] | select(.family == "inet") | .local'
-}
-
-# Disable source IP verification on our network interface. Otherwise, VPN
-# packets will be dropped by Cilium.
-reconcile_sip_verification() {
-  # We want all of the cilium calls in this function to target the same
-  # process, so that we fail if the agent restarts in between. Thus, we only
-  # query the pid once per reconciliation.
-  cilium_agent=$(pidof cilium-agent) || return 0
-
-  cilium() {
-    nsenter -t "${cilium_agent}" -a -r -w cilium "$@"
-  }
-
-  myendpoint=$(cilium endpoint get "ipv4:$(myip)" | jq '.[0].id') || return 0
-
-  if [ "$(cilium endpoint config "${myendpoint}" -o json | jq -r .realized.options.SourceIPVerification)" = "Enabled" ]; then
-    cilium endpoint config "${myendpoint}" SourceIPVerification=Disabled
-  fi
-}
-
-# Set up the route from the node network namespace to the VPN pod.
-reconcile_route() {
-  for cidr in ${VPN_PEER_CIDRS}; do
-    nsenter -t 1 -n ip route replace "${cidr}" via "$(myip)"
-  done
-}
-
-while true; do
-  reconcile_route
-  reconcile_sip_verification
-  sleep 10
-done