vpn: ship our own container image (#2909)

* vpn: ship our own container image The container image used in the VPN chart should be reproducible and stable. We're sticking close to the original nixery.dev version by building the image with nix ourselves, and then publishing the single layer from the result with Bazel OCI rules. The resulting image should be handled similar to s3proxy: it's built as a part of the Constellation release process and then consumed from a Helm chart in our registry. Co-authored-by: Malte Poll <1780588+malt3@users.noreply.github.com>
2025-08-08 15:02:18 -04:00 · 2024-02-15 13:08:27 +01:00 · 2024-02-15 13:08:27 +01:00 · 473001be55
commit 473001be55
parent 896f68c26d
12 changed files with 123 additions and 40 deletions
--- a/dev-docs/howto/vpn/helm/templates/operator-deployment.yaml
+++ b/dev-docs/howto/vpn/helm/templates/operator-deployment.yaml
@ -20,13 +20,5 @@ spec:
      containers:
      - name: operator
        image: {{ .Values.image | quote }}
-        command: ["sh", "/scripts/entrypoint.sh"]
+        command: ["/bin/operator.sh"]
        env: {{- include "..commonEnv" . | nindent 10 }}
-        volumeMounts:
-        - name: scripts
-          mountPath: "/scripts"
-          readOnly: true
-      volumes:
-      - name: scripts
-        configMap:
-          name: {{ include "..fullname" . }}-operator
--- a/dev-docs/howto/vpn/helm/templates/strongswan-statefulset.yaml
+++ b/dev-docs/howto/vpn/helm/templates/strongswan-statefulset.yaml
@ -18,37 +18,22 @@ spec:
      containers:
      - name: strongswan
        image: {{ .Values.image | quote }}
-        command: ["sh", "-x", "/entrypoint.sh"]
+        command: ["/bin/strongswan.sh"]
        securityContext:
          capabilities:
            add: ["NET_ADMIN"]
        volumeMounts:
-        - name: files
-          mountPath: "/entrypoint.sh"
-          subPath: "entrypoint.sh"
-          readOnly: true
-        - name: files
-          mountPath: "/etc/strongswan.d/charon-logging.conf"
-          subPath: "charon-logging.conf"
-          readOnly: true
        - name: config
          mountPath: "/etc/swanctl/swanctl.conf"
          subPath: "swanctl.conf"
          readOnly: true
      - name: cilium-setup
        image: {{ .Values.image | quote }}
-        command: ["sh", "/scripts/sidecar.sh"]
+        command: ["/bin/sidecar.sh"]
        env: {{- include "..commonEnv" . | nindent 10 }}
        securityContext:
          privileged: true
-        volumeMounts:
-        - name: files
-          mountPath: "/scripts"
-          readOnly: true
      volumes:
-      - name: files
-        configMap:
-          name: {{ include "..fullname" . }}-strongswan
      - name: config
        secret:
          secretName: {{ include "..fullname" . }}-strongswan