// OpenVPN on Kubernetes: a cluster-local PKI (self-signed CA managed by
// cert-manager), a Server object and per-client certificates issued by that CA.
local kube = import "../../../kube/kube.libsonnet";

{
  // PKI(namespace) builds the CA chain in `namespace`:
  //   selfSignedIssuer -> selfSignedCert (isCA) -> issuer (CA-backed)
  // `issuer` is what Server and Client certificates reference.
  PKI(namespace):: {
    local this = self,
    namespace:: namespace,

    // Bootstrap issuer; only ever used to sign the CA certificate below.
    selfSignedIssuer: kube.Issuer("pki-selfsigned") {
      metadata+: { namespace: this.namespace },
      spec: { selfSigned: {} },
    },

    // The CA itself. cert-manager writes its key pair to the
    // "pki-selfsigned-cert" Secret, which the CA issuer below reads; that
    // Secret is the root of trust for every VPN server and client cert.
    selfSignedCert: kube.Certificate("pki-selfsigned") {
      metadata+: { namespace: this.namespace },
      spec: {
        secretName: "pki-selfsigned-cert",
        duration: "43800h0m0s",  // 5 years
        isCA: true,
        issuerRef: { name: this.selfSignedIssuer.metadata.name },
        commonName: "pki-ca",
      },
    },

    // CA issuer backed by the Secret written for selfSignedCert.
    issuer: kube.Issuer("pki-ca") {
      metadata+: { namespace: this.namespace },
      spec: {
        ca: { secretName: this.selfSignedCert.spec.secretName },
      },
    },
  },

  // Client(name, server) issues a client certificate for `name` from the
  // server's PKI, in the server's namespace. The "<name>-cert" Secret holds
  // the client's private key; getting it to the VPN client is out of scope.
  Client(name, server):: {
    local this = self,
    local secret_name = "%s-cert" % name,

    metadata:: { namespace: server.cfg.namespace },

    cert: kube.Certificate(secret_name) {
      metadata+: this.metadata,
      spec: {
        secretName: secret_name,
        duration: "35040h0m0s",  // 4 years
        issuerRef: {
          name: server.pki.issuer.metadata.name,
          kind: "Issuer",
        },
        // No `usages` are set, so cert-manager's defaults apply. If the
        // server's configFile enables remote-cert-tls / EKU checks, confirm
        // the issued certificates carry the extended key usages it expects.
        commonName: std.format("client-%s.%s", [name, server.cfg.namespace]),
      },
    },
  },

  // Server(name, port, pki) deploys one OpenVPN server listening on UDP
  // `port`, with a server certificate from `pki`. Callers must override
  // cfg.namespace and cfg.configFile (the openvpn.conf body); the remaining
  // cfg entries have defaults.
  Server(name, port, pki):: {
    local this = self,
    local opts = this.cfg,
    local secret_name = "%s-cert" % name,

    pki: pki,

    cfg:: {
      namespace: error "namespace must be set",
      // Not referenced anywhere in this file; presumably read by a caller's
      // override — verify before removing.
      storageClassName: "waw-hdd-redundant-3",
      image: "nixery.dev/shell/openvpn/inetutils/iproute2/netcat-openbsd/tcpdump",
      configFile: error "configFile must be set",
    },

    namespace: kube.Namespace(opts.namespace),
    metadata:: { namespace: opts.namespace },

    // openvpn.conf lives in a ConfigMap, i.e. unencrypted and readable by
    // anyone allowed to read ConfigMaps in the namespace. Key material
    // (tls-auth/tls-crypt keys, DH params with secrets) belongs in a Secret,
    // not inline in configFile.
    config: kube.ConfigMap("%s-config" % name) {
      metadata+: this.metadata,
      data: { "openvpn.conf": opts.configFile },
    },

    cert: kube.Certificate(secret_name) {
      metadata+: this.metadata,
      spec: {
        secretName: secret_name,
        duration: "35040h0m0s",  // 4 years
        issuerRef: {
          name: pki.issuer.metadata.name,
          kind: "Issuer",
        },
        commonName: std.format("server.%s.%s", [name, opts.namespace]),
        // dnsNames is intentionally unset. An earlier draft (kept below)
        // listed the Service FQDNs, but it references `component` and
        // `env.pkiClusterFQDN`, neither of which exists in this scope, so it
        // cannot be re-enabled as-is.
        //dnsNames: [
        //  "%s" % [component.svc.metadata.name],
        //  "%s.%s" % [component.svc.metadata.name, component.svc.metadata.namespace],
        //  "%s.%s.svc" % [component.svc.metadata.name, component.svc.metadata.namespace],
        //  "%s.%s.svc.cluster.local" % [component.svc.metadata.name, component.svc.metadata.namespace],
        //  "%s.%s.svc.%s" % [component.svc.metadata.name, component.svc.metadata.namespace, env.pkiClusterFQDN],
        //],
      },
    },

    // The OpenVPN container. `privileged: true` grants every capability and
    // host device; OpenVPN typically only needs NET_ADMIN and a TUN device,
    // so a narrower securityContext (NET_ADMIN plus explicit /dev/net/tun
    // access) is worth confirming against the container runtime in use.
    local server_container = kube.Container("server") {
      image: opts.image,
      env_: {},
      command: ["/bin/openvpn", "--config", "/config/openvpn.conf"],
      ports_: {
        client: { containerPort: port },
      },
      volumeMounts_: {
        config: { mountPath: "/config" },
        pki: { mountPath: "/mnt/pki" },  // server key pair from `cert`
      },
      resources: {
        requests: { cpu: "250m", memory: "100Mi" },
        limits: { cpu: "500m", memory: "512Mi" },
      },
      securityContext: { privileged: true },
    },

    deployment: kube.Deployment(name) {
      metadata+: this.metadata,
      spec+: {
        template+: {
          spec+: {
            volumes_: {
              config: kube.ConfigMapVolume(this.config),
              pki: { secret: { secretName: this.cert.spec.secretName } },
            },
            containers_: {
              server: server_container,
            },
          },
        },
      },
    },

    svc: kube.Service(name) {
      metadata+: this.metadata,
      target_pod:: this.deployment.spec.template,
      spec+: {
        ports: [
          { name: "client", port: port, targetPort: port, protocol: "UDP" },
        ],
        type: "LoadBalancer",
        // Local keeps the client's real source address visible to OpenVPN
        // (no SNAT by kube-proxy), at the cost of only nodes that run a
        // server pod accepting traffic.
        externalTrafficPolicy: "Local",
      },
    },
  },
}