mirror of
https://github.com/edgelesssys/constellation.git
synced 2025-05-02 22:34:56 -04:00
16c63d57cd
* dev-docs: add 'things to try' section to VPN howto * dev-docs: full L3 connectivity in VPN chart
44 lines
1.2 KiB
Bash
44 lines
1.2 KiB
Bash
#!/bin/sh
|
|
|
|
set -u
|
|
|
|
if [ "$$" -eq "1" ]; then
|
|
echo 'This script must run in the root PID namespace, but $$ == 1!' >&2
|
|
exit 1
|
|
fi
|
|
|
|
myip() {
|
|
ip -j addr show eth0 | jq -r '.[0].addr_info[] | select(.family == "inet") | .local'
|
|
}
|
|
|
|
# Disable source IP verification on our network interface. Otherwise, VPN
|
|
# packets will be dropped by Cilium.
|
|
reconcile_sip_verification() {
|
|
# We want all of the cilium calls in this function to target the same
|
|
# process, so that we fail if the agent restarts in between. Thus, we only
|
|
# query the pid once per reconciliation.
|
|
cilium_agent=$(pidof cilium-agent) || return 0
|
|
|
|
cilium() {
|
|
nsenter -t "${cilium_agent}" -a -r -w cilium "$@"
|
|
}
|
|
|
|
myendpoint=$(cilium endpoint get "ipv4:$(myip)" | jq '.[0].id') || return 0
|
|
|
|
if [ "$(cilium endpoint config "${myendpoint}" -o json | jq -r .realized.options.SourceIPVerification)" = "Enabled" ]; then
|
|
cilium endpoint config "${myendpoint}" SourceIPVerification=Disabled
|
|
fi
|
|
}
|
|
|
|
# Set up the route from the node network namespace to the VPN pod.
|
|
reconcile_route() {
|
|
for cidr in ${VPN_PEER_CIDRS}; do
|
|
nsenter -t 1 -n ip route replace "${cidr}" via "$(myip)"
|
|
done
|
|
}
|
|
|
|
while true; do
|
|
reconcile_route
|
|
reconcile_sip_verification
|
|
sleep 10
|
|
done
|