implr/vpn: create
Change-Id: I2843ccb60d257ec10f305e8842a7ebb08c2b5e06
parent
cae27ecd99
commit
9fed3c95c7
2 changed files with 206 additions and 0 deletions
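--- a/personal/implr/vpn/vpn.jsonnet
+++ b/personal/implr/vpn/vpn.jsonnet
@@ -0,0 +1,37 @@
+local kube = import "../../../kube/kube.libsonnet";
+local vpn = import "vpn.libsonnet";
+
+{
+local top = self,
+tls: vpn.PKI("implr-vpn"),
+
+servers: {
+praisethesun: vpn.Server("openvpn-implr-praisethesun", 11223, top.tls) {
+cfg+: {
+namespace: "implr-vpn",
+configFile: |||
+dev tun
+tmp-dir /dev/shm/
+proto udp
+port 11223
+topology subnet
+server 172.17.1.0 255.255.255.0
+keepalive 10 60
+persist-tun
+persist-key
+compress lz4
+cipher AES-256-CBC
+dh none
+ca /mnt/pki/ca.crt
+cert /mnt/pki/tls.crt
+key /mnt/pki/tls.key
+|||
+}
+},
+},
+clients: {
+kektop: vpn.Client("kektop", top.servers.praisethesun),
+admin1: vpn.Client("admin1", top.servers.praisethesun),
+desk1: vpn.Client("desk1", top.servers.praisethesun),
+}
+}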
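Review bot: The `compress lz4` line in configFile turns on tunnel compression, which the OpenVPN project advises against because compressing attacker-influenced plaintext next to secrets leaks information (the VORACLE class of attack); unless the bandwidth saving is actually needed, drop that line, and add `tls-version-min 1.2` next to the cipher line so old TLS versions cannot be negotiated. `cipher AES-256-CBC` is a non-AEAD mode; OpenVPN 2.4+ peers usually negotiate AES-256-GCM regardless, so stating `ncp-ciphers AES-256-GCM:AES-256-CBC` (or `data-ciphers` on 2.5) makes the intended data channel mode explicit rather than implicit. The `ca /mnt/pki/ca.crt` line means any certificate signed by the in-cluster `pki-ca` issuer is accepted as a client and there is no `crl-verify` line, so a lost client key stays usable until its certificate expires; that constraint deserves a comment above `configFile`, e.g. `// No CRL is mounted: revoking a client means rotating tls (the PKI) and reissuing every client cert.`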
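--- a/personal/implr/vpn/vpn.libsonnet
+++ b/personal/implr/vpn/vpn.libsonnet
@@ -0,0 +1,169 @@
+local kube = import "../../../kube/kube.libsonnet";
+
+{
+PKI(namespace):: {
+local env = self,
+namespace:: namespace,
+selfSignedIssuer: kube.Issuer("pki-selfsigned") {
+metadata+: {
+namespace: env.namespace,
+},
+spec: {
+selfSigned: {},
+},
+},
+selfSignedCert: kube.Certificate("pki-selfsigned") {
+metadata+: {
+namespace: env.namespace,
+},
+spec: {
+secretName: "pki-selfsigned-cert",
+duration: "43800h0m0s", // 5 years,
+isCA: true,
+issuerRef: {
+name: env.selfSignedIssuer.metadata.name,
+},
+commonName: "pki-ca",
+},
+},
+issuer: kube.Issuer("pki-ca") {
+metadata+: {
+namespace: env.namespace,
+},
+spec: {
+ca: {
+secretName: env.selfSignedCert.spec.secretName,
+},
+},
+},
+},
+
+Client(name, server):: {
+local client = self,
+metadata:: {
+namespace: server.cfg.namespace,
+},
+cert: kube.Certificate(name + "-cert") {
+metadata+: client.metadata,
+
+spec: {
+secretName: name + "-cert",
+duration: "35040h0m0s", // 4 years
+issuerRef: {
+name: server.pki.issuer.metadata.name,
+kind: "Issuer",
+},
+commonName: "client-%s.%s" % [name, server.cfg.namespace],
+},
+},
+
+},
+
+Server(name, port, pki):: {
+local server = self,
+local cfg = server.cfg,
+
+pki: pki,
+
+cfg:: {
+namespace: error "namespace must be set",
+storageClassName: "waw-hdd-redundant-3",
+
+image: "nixery.dev/shell/openvpn",
+configFile: error "configFile must be set",
+
+},
+namespace: kube.Namespace(cfg.namespace),
+
+metadata:: {
+namespace: cfg.namespace,
+},
+
+config: kube.ConfigMap(name + "-config") {
+metadata+: server.metadata,
+data: {
+"openvpn.conf": cfg.configFile,
+}
+},
+
+cert: kube.Certificate(name + "-cert") {
+metadata+: server.metadata,
+
+spec: {
+secretName: name + "-cert",
+duration: "35040h0m0s", // 4 years
+issuerRef: {
+name: pki.issuer.metadata.name,
+kind: "Issuer",
+},
+commonName: "server.%s.%s" % [name, cfg.namespace],
+//dnsNames: [
+//"%s" % [component.svc.metadata.name ],
+//"%s.%s" % [component.svc.metadata.name, component.svc.metadata.namespace ],
+//"%s.%s.svc" % [component.svc.metadata.name, component.svc.metadata.namespace ],
+//"%s.%s.svc.cluster.local" % [component.svc.metadata.name, component.svc.metadata.namespace ],
+//"%s.%s.svc.%s" % [component.svc.metadata.name, component.svc.metadata.namespace, env.pkiClusterFQDN ],
+//],
+},
+},
+
+
+deployment: kube.Deployment(name) {
+metadata+: server.metadata,
+spec+: {
+template+: {
+spec+: {
+volumes_: {
+config: kube.ConfigMapVolume(server.config),
+pki: {
+secret: { secretName: server.cert.spec.secretName },
+},
+},
+
+containers_: {
+server: kube.Container("server") {
+image: cfg.image,
+env_: {
+},
+command: [
+"/bin/openvpn", "--config", "/config/openvpn.conf"
+],
+ports_: {
+client: { containerPort: port },
+},
+volumeMounts_: {
+config: { mountPath: "/config" },
+pki: { mountPath: "/mnt/pki" },
+},
+resources: {
+requests: {
+cpu: "250m",
+memory: "100Mi",
+},
+limits: {
+cpu: "500m",
+memory: "512Mi",
+},
+},
+securityContext: {
+privileged: true,
+},
+},
+},
+},
+},
+},
+},
+svc: kube.Service(name) {
+metadata+: server.metadata,
+target_pod:: server.deployment.spec.template,
+spec+: {
+ports: [
+{ name: "client", port: port, targetPort: port, protocol: "UDP" },
+],
+type: "LoadBalancer",
+externalTrafficPolicy: "Local",
+},
+},
+},
+}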
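Review bot: `securityContext: { privileged: true }` on the `server` container in `Server` grants the pod every capability and unrestricted host device access, far more than OpenVPN needs for a tun interface; the usual minimum is `securityContext: { capabilities: { add: ["NET_ADMIN"] } },` together with access to /dev/net/tun, so prefer that and fall back to privileged only if this cluster cannot expose the tun device otherwise (not determinable from this file). `Client` issues 4-year certificates from the `pki-ca` issuer and nothing in `PKI` or `Server` produces or mounts a CRL, so a lost client key remains valid for the full duration; a comment on `Client` such as `// No revocation path: invalidating a client cert means rotating the PKI and reissuing all clients.` would make that trade-off visible to whoever adds the next client. The commented-out `dnsNames` block in the server `cert` references `component.svc` and `env.pkiClusterFQDN`, neither of which is defined in this file, and `cfg.storageClassName` is declared but never read, so both look like copy-paste leftovers that should be removed or wired up. `commonName` also differs in shape between `Client` (`client-%s.%s`) and `Server` (`server.%s.%s`); using one separator keeps any later `verify-x509-name` rule on the client side simple.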