| local kube = import "../../../kube/kube.libsonnet"; |
| |
| { |
| PKI(namespace):: { |
| local env = self, |
| namespace:: namespace, |
| selfSignedIssuer: kube.Issuer("pki-selfsigned") { |
| metadata+: { |
| namespace: env.namespace, |
| }, |
| spec: { |
| selfSigned: {}, |
| }, |
| }, |
| selfSignedCert: kube.Certificate("pki-selfsigned") { |
| metadata+: { |
| namespace: env.namespace, |
| }, |
| spec: { |
| secretName: "pki-selfsigned-cert", |
| duration: "43800h0m0s", // 5 years, |
| isCA: true, |
| issuerRef: { |
| name: env.selfSignedIssuer.metadata.name, |
| }, |
| commonName: "pki-ca", |
| }, |
| }, |
| issuer: kube.Issuer("pki-ca") { |
| metadata+: { |
| namespace: env.namespace, |
| }, |
| spec: { |
| ca: { |
| secretName: env.selfSignedCert.spec.secretName, |
| }, |
| }, |
| }, |
| }, |
| |
| Client(name, server):: { |
| local client = self, |
| metadata:: { |
| namespace: server.cfg.namespace, |
| }, |
| cert: kube.Certificate(name + "-cert") { |
| metadata+: client.metadata, |
| |
| spec: { |
| secretName: name + "-cert", |
| duration: "35040h0m0s", // 4 years |
| issuerRef: { |
| name: server.pki.issuer.metadata.name, |
| kind: "Issuer", |
| }, |
| commonName: "client-%s.%s" % [name, server.cfg.namespace], |
| }, |
| }, |
| |
| }, |
| |
| Server(name, port, pki):: { |
| local server = self, |
| local cfg = server.cfg, |
| |
| pki: pki, |
| |
| cfg:: { |
| namespace: error "namespace must be set", |
| storageClassName: "waw-hdd-redundant-3", |
| |
| image: "nixery.dev/shell/openvpn/inetutils/iproute2/netcat-openbsd/tcpdump", |
| configFile: error "configFile must be set", |
| |
| }, |
| namespace: kube.Namespace(cfg.namespace), |
| |
| metadata:: { |
| namespace: cfg.namespace, |
| }, |
| |
| config: kube.ConfigMap(name + "-config") { |
| metadata+: server.metadata, |
| data: { |
| "openvpn.conf": cfg.configFile, |
| } |
| }, |
| |
| cert: kube.Certificate(name + "-cert") { |
| metadata+: server.metadata, |
| |
| spec: { |
| secretName: name + "-cert", |
| duration: "35040h0m0s", // 4 years |
| issuerRef: { |
| name: pki.issuer.metadata.name, |
| kind: "Issuer", |
| }, |
| commonName: "server.%s.%s" % [name, cfg.namespace], |
| //dnsNames: [ |
| //"%s" % [component.svc.metadata.name ], |
| //"%s.%s" % [component.svc.metadata.name, component.svc.metadata.namespace ], |
| //"%s.%s.svc" % [component.svc.metadata.name, component.svc.metadata.namespace ], |
| //"%s.%s.svc.cluster.local" % [component.svc.metadata.name, component.svc.metadata.namespace ], |
| //"%s.%s.svc.%s" % [component.svc.metadata.name, component.svc.metadata.namespace, env.pkiClusterFQDN ], |
| //], |
| }, |
| }, |
| |
| |
| deployment: kube.Deployment(name) { |
| metadata+: server.metadata, |
| spec+: { |
| template+: { |
| spec+: { |
| volumes_: { |
| config: kube.ConfigMapVolume(server.config), |
| pki: { |
| secret: { secretName: server.cert.spec.secretName }, |
| }, |
| }, |
| |
| containers_: { |
| server: kube.Container("server") { |
| image: cfg.image, |
| env_: { |
| }, |
| command: [ |
| "/bin/openvpn", "--config", "/config/openvpn.conf" |
| ], |
| ports_: { |
| client: { containerPort: port }, |
| }, |
| volumeMounts_: { |
| config: { mountPath: "/config" }, |
| pki: { mountPath: "/mnt/pki" }, |
| }, |
| resources: { |
| requests: { |
| cpu: "250m", |
| memory: "100Mi", |
| }, |
| limits: { |
| cpu: "500m", |
| memory: "512Mi", |
| }, |
| }, |
| securityContext: { |
| privileged: true, |
| }, |
| }, |
| }, |
| }, |
| }, |
| }, |
| }, |
| svc: kube.Service(name) { |
| metadata+: server.metadata, |
| target_pod:: server.deployment.spec.template, |
| spec+: { |
| ports: [ |
| { name: "client", port: port, targetPort: port, protocol: "UDP" }, |
| ], |
| type: "LoadBalancer", |
| externalTrafficPolicy: "Local", |
| }, |
| }, |
| }, |
| } |