// Shared Kubernetes object constructors (Issuer, Certificate, Deployment, ...)
// used by every field of the object below.
local kube = import "../../../kube/kube.libsonnet";
2
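{
  // PKI(namespace) builds the certificate authority that the OpenVPN server
  // and its clients trust: a self-signed bootstrap Issuer, a 5-year CA
  // Certificate signed by it, and the CA-backed Issuer that signs the leaf
  // certificates. All three objects are created in `namespace`.
  PKI(namespace):: {
    local env = self,
    namespace:: namespace,
    // Bootstrap issuer; it only ever signs the CA certificate below.
    selfSignedIssuer: kube.Issuer("pki-selfsigned") {
      metadata+: {
        namespace: env.namespace,
      },
      spec: {
        selfSigned: {},
      },
    },
    // The CA itself. Its private key is stored in the "pki-selfsigned-cert"
    // Secret; anything that can read that Secret can mint VPN certificates,
    // so access to this namespace's Secrets is the trust boundary.
    selfSignedCert: kube.Certificate("pki-selfsigned") {
      metadata+: {
        namespace: env.namespace,
      },
      spec: {
        secretName: "pki-selfsigned-cert",
        duration: "43800h0m0s", // 5 years
        isCA: true,
        issuerRef: {
          name: env.selfSignedIssuer.metadata.name,
          // Stated explicitly to match the leaf certificates in Client and
          // Server; cert-manager defaults to Issuer when kind is omitted, so
          // the rendered manifest keeps the same meaning.
          kind: "Issuer",
        },
        commonName: "pki-ca",
      },
    },
    // CA-backed issuer used by every Server and Client certificate.
    issuer: kube.Issuer("pki-ca") {
      metadata+: {
        namespace: env.namespace,
      },
      spec: {
        ca: {
          secretName: env.selfSignedCert.spec.secretName,
        },
      },
    },
  },

  // Client(name, server) issues a client certificate for `name`, signed by
  // the server's PKI and placed in the server's namespace. The key pair ends
  // up in the Secret "<name>-cert"; how it reaches the VPN client is out of
  // scope for this file.
  Client(name, server):: {
    local client = self,
    metadata:: {
      namespace: server.cfg.namespace,
    },
    cert: kube.Certificate(name + "-cert") {
      metadata+: client.metadata,

      spec: {
        secretName: name + "-cert",
        duration: "35040h0m0s", // 4 years
        issuerRef: {
          name: server.pki.issuer.metadata.name,
          kind: "Issuer",
        },
        // No `usages` are set, so cert-manager's defaults apply. If
        // openvpn.conf verifies peers with remote-cert-tls / remote-cert-eku,
        // the clientAuth usage must be added here — TODO confirm against the
        // config that callers pass in.
        commonName: "client-%s.%s" % [name, server.cfg.namespace],
      },
    },

  },

  // Server(name, port, pki) deploys one OpenVPN server called `name`,
  // exposed on UDP `port` through a LoadBalancer Service, with its server
  // certificate issued by `pki` (a PKI(...) object). Callers must set
  // cfg.namespace and cfg.configFile (both error out otherwise); every cfg
  // field can be overridden with `cfg+:`.
  Server(name, port, pki):: {
    local server = self,
    local cfg = server.cfg,

    pki: pki,

    cfg:: {
      namespace: error "namespace must be set",
      // Not referenced anywhere in this file; presumably read by callers
      // that extend this object — verify before removing.
      storageClassName: "waw-hdd-redundant-3",

      // Not pinned by digest, so the image served under this tag can change
      // between deploys.
      image: "nixery.dev/shell/openvpn",
      // Full openvpn.conf contents, written verbatim into the ConfigMap below.
      configFile: error "configFile must be set",

    },
    namespace: kube.Namespace(cfg.namespace),

    metadata:: {
      namespace: cfg.namespace,
    },

    // The OpenVPN configuration. A ConfigMap is not a Secret, so keys and
    // shared secrets belong in the mounted PKI Secret, not inline in
    // configFile.
    config: kube.ConfigMap(name + "-config") {
      metadata+: server.metadata,
      data: {
        "openvpn.conf": cfg.configFile,
      }
    },

    // Server certificate, stored in Secret "<name>-cert" and mounted into the
    // container at /mnt/pki (private key included).
    cert: kube.Certificate(name + "-cert") {
      metadata+: server.metadata,

      spec: {
        secretName: name + "-cert",
        duration: "35040h0m0s", // 4 years
        issuerRef: {
          name: pki.issuer.metadata.name,
          kind: "Issuer",
        },
        // As with Client certificates, no `usages` are set; serverAuth is
        // needed if clients use `remote-cert-tls server` — TODO confirm.
        commonName: "server.%s.%s" % [name, cfg.namespace],
        // Left over from an earlier revision: `component` and `env` are not
        // defined in this object, so this block cannot be re-enabled as-is.
        //dnsNames: [
        //"%s" % [component.svc.metadata.name ],
        //"%s.%s" % [component.svc.metadata.name, component.svc.metadata.namespace ],
        //"%s.%s.svc" % [component.svc.metadata.name, component.svc.metadata.namespace ],
        //"%s.%s.svc.cluster.local" % [component.svc.metadata.name, component.svc.metadata.namespace ],
        //"%s.%s.svc.%s" % [component.svc.metadata.name, component.svc.metadata.namespace, env.pkiClusterFQDN ],
        //],
      },
    },


    deployment: kube.Deployment(name) {
      metadata+: server.metadata,
      spec+: {
        template+: {
          spec+: {
            volumes_: {
              config: kube.ConfigMapVolume(server.config),
              // The certificate Secret, including tls.key.
              pki: {
                secret: { secretName: server.cert.spec.secretName },
              },
            },

            containers_: {
              server: kube.Container("server") {
                image: cfg.image,
                env_: {
                },
                command: [
                  "/bin/openvpn", "--config", "/config/openvpn.conf"
                ],
                ports_: {
                  client: { containerPort: port },
                },
                volumeMounts_: {
                  config: { mountPath: "/config" },
                  pki: { mountPath: "/mnt/pki" },
                },
                resources: {
                  requests: {
                    cpu: "250m",
                    memory: "100Mi",
                  },
                  limits: {
                    cpu: "500m",
                    memory: "512Mi",
                  },
                },
                securityContext: {
                  // Presumably required so OpenVPN can create its TUN
                  // interface. This grants the container full access to the
                  // node; NET_ADMIN plus a /dev/net/tun device would be the
                  // least-privilege alternative — TODO verify it suffices.
                  privileged: true,
                },
              },
            },
          },
        },
      },
    },
    svc: kube.Service(name) {
      metadata+: server.metadata,
      target_pod:: server.deployment.spec.template,
      spec+: {
        ports: [
          { name: "client", port: port, targetPort: port, protocol: "UDP" },
        ],
        type: "LoadBalancer",
        // Local keeps the client source address visible to OpenVPN instead
        // of SNATing it at the node.
        externalTrafficPolicy: "Local",
      },
    },
  },
}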