fix(vpn-gateway): updated parameters to finally cover the migration to cilium (#1328)
thiagoalmeidasa authored Nov 23, 2024
1 parent ea8899a commit d603701
Showing 3 changed files with 60 additions and 31 deletions.
7 changes: 4 additions & 3 deletions kubernetes/apps/vpn-gateway/gateway/app/helmrelease.yaml
Expand Up @@ -59,11 +59,12 @@ spec:
routed_namespaces:
- media
settings:
NOT_ROUTED_TO_GATEWAY_CIDRS: "10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
VPN_BLOCK_OTHER_TRAFFIC: true
VPN_INTERFACE: "tun0"
VPN_BLOCK_OTHER_TRAFFIC: false
VPN_LOCAL_CIDRS: "10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"
VPN_TRAFFIC_PORT: "1194"
VPN_LOCAL_CIDRS: 10.0.0.0/8 192.168.0.0/16
NOT_ROUTED_TO_GATEWAY_CIDRS: 10.0.0.0/8 192.168.0.0/16
VXLAN_PORT: 4789
webhook:
image:
repository: ghcr.io/angelnu/gateway-admision-controller
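Review bot: Flipping `VPN_BLOCK_OTHER_TRAFFIC` to `false` removes the gateway's own kill switch, so if the tunnel on `tun0` drops, traffic from the routed namespaces is no longer blocked by the gateway itself; the only remaining bound appears to be the `pod-gateway` CiliumNetworkPolicy in this same commit (egress to `0.0.0.0/0` restricted to UDP 1194, plus cluster entities). That coupling is not recorded anywhere in the chart values, so I would document it beside the setting: `# Kill switch is enforced by the pod-gateway CiliumNetworkPolicy (UDP 1194 egress only); keep the two in sync`. If the flag was turned off because it conflicts with the Cilium datapath rather than as a deliberate trade, that reason belongs in the same comment so nobody re-enables it blindly. The `settings:` block continues below the hunk.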
44 changes: 34 additions & 10 deletions kubernetes/apps/vpn-gateway/gateway/app/networkpolicy.yaml
Expand Up @@ -4,46 +4,70 @@ kind: CiliumNetworkPolicy
metadata:
name: pod-gateway
labels:
app.kubernetes.io/instance: pod-gateway
app.kubernetes.io/name: pod-gateway
app.kubernetes.io/instance: &instance vpn-gateway
app.kubernetes.io/name: &name pod-gateway
spec:
endpointSelector:
matchLabels:
app.kubernetes.io/instance: pod-gateway
app.kubernetes.io/name: pod-gateway
app.kubernetes.io/instance: *instance
app.kubernetes.io/name: *name
egress:
- toCIDR:
- 0.0.0.0/0
toPorts:
# - ports:
# - port: "443"
# protocol: TCP
- ports:
- port: "1194"
protocol: UDP
- toEntities:
- cluster
---
# vpn-gateway to communicate over the default VXLAN port 4789
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: pod-gateway-vxlan
labels:
app.kubernetes.io/instance: pod-gateway
app.kubernetes.io/name: pod-gateway
app.kubernetes.io/instance: &instance vpn-gateway
app.kubernetes.io/name: &name pod-gateway
spec:
endpointSelector:
matchLabels:
app.kubernetes.io/instance: pod-gateway
app.kubernetes.io/name: pod-gateway
app.kubernetes.io/instance: *instance
app.kubernetes.io/name: *name
egress:
- toPorts:
- ports:
- port: "8472"
- port: "4789"
protocol: UDP
ingress:
- toPorts:
- ports:
- port: "8472"
- port: "4789"
protocol: UDP
- icmps:
- fields:
- type: 8
family: IPv4

---
# vpn-gateway-pod-gateway webhook receive traffic
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: pod-gateway-webhook
labels:
app.kubernetes.io/instance: &instance vpn-gateway
app.kubernetes.io/name: &name pod-gateway
spec:
endpointSelector:
matchLabels:
app.kubernetes.io/instance: *instance
app.kubernetes.io/name: *name
ingress:
- toPorts:
- ports:
- port: "8080"
protocol: TCP
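Review bot: The new `pod-gateway-webhook` policy admits TCP 8080 with no `fromEntities`/`fromEndpoints` selector; in Cilium's L4 rules that reads as "any endpoint may reach port 8080", whereas an admission webhook only needs to be reachable from the API server, so I would add `- fromEntities: [kube-apiserver]` as the peer selector of that ingress rule, with `toPorts:` nested under it. The same observation applies to the `pod-gateway-vxlan` policy, whose ingress on UDP 4789 and ICMP echo (type 8) also carry no peer selector; if the expected peers are the client pods in the routed namespaces, a `fromEndpoints` match on their labels would both narrow the rule and document who is supposed to speak VXLAN. The commented-out `# - port: "443"` block in the first policy is dead text and could be dropped or replaced by a one-line comment on why 443 egress is not required. The first document's `apiVersion` line lies above the hunk, so I cannot see whether any other egress rule precedes the ones shown.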
40 changes: 22 additions & 18 deletions kubernetes/apps/vpn-gateway/gateway/app/secret.sops.yaml
Expand Up @@ -4,17 +4,21 @@ metadata:
name: vpn-gateway-pod-gateway
namespace: vpn-gateway
stringData:
VPN_SERVICE_PROVIDER: ENC[AES256_GCM,data:hoiWunzvBg==,iv:UcGbhhAv6bDHroQpYp0rmMbzXKLR7qALIqnUXJdOPr8=,tag:LEIwVrXJHNeeyrZG5ube0Q==,type:str]
OPENVPN_USER: ENC[AES256_GCM,data:zjRjHD8K0/26LUKI9pXMRh6L9eUYkIjj,iv:fY8+CJcKTQzga9aCbP8EthvfTEWp3ZAj5rMFLHLYNl0=,tag:CTZnQ9MafvQ1gfPPuQhzdA==,type:str]
OPENVPN_PASSWORD: ENC[AES256_GCM,data:JWqgZtLdrIqQ6w0nbBEWi4CeMb255T0x,iv:D5g/MiariqhfCYo2KNfU4LAecRbVoLrpm9h1JeMjNfI=,tag:675f6j2ixMIPhTh6yf39Rw==,type:str]
SERVER_COUNTRIES: ENC[AES256_GCM,data:xzRCdgLG,iv:yDGgyhpTI0bel96RaX3qXtZxQ4CVbn07s5h3ASViG1I=,tag:jagvwK/nIwteIQ/8zToRVg==,type:str]
SERVER_CATEGORIES: ENC[AES256_GCM,data:NYBo,iv:7RTXG1fjIqzt05E8iBikIFjKtXB9SGQRJDw2d4/5yfc=,tag:mI3mhWYkTHCxOXG/z0wDzw==,type:str]
VPN_INTERFACE: ENC[AES256_GCM,data:EdtrFg==,iv:PURogGK0muxXphPRjxXNcZqlBhIaDZofYn+epers9qU=,tag:NUF3xRZ8CONYUDqcMbSZ/w==,type:str]
FIREWALL_ENABLED_DISABLING_IT_SHOOTS_YOU_IN_YOUR_FOOT: ENC[AES256_GCM,data:iGXh,iv:JyVuTheVa0TXRT3pkgkRc4J9QCspdxv+ICLDnsZ9pZk=,tag:Ic/sjf6y8A4XVGpbRjS0bQ==,type:str]
DNS_ADDRESS: ENC[AES256_GCM,data:vZlMG84mwQ==,iv:OxQ5uQCdPZNMO1rxa4trOq6y3mgtq40E+qsKOmmwVzo=,tag:RZzL/LGsTwSvo7C6xmEc/Q==,type:str]
FIREWALL: ENC[AES256_GCM,data:XYAg,iv:SJXxy1uH31UQ2ZLNHzTczbqjATe5APE2PofSRqqfKMI=,tag:KTvCtKTX3DkeXKeQnyO+BQ==,type:str]
DOT: ENC[AES256_GCM,data:1vC0,iv:5Cdu7PvPeBEJT3LJotjpOn3+L/ju7E4AcFSJ41VISzo=,tag:HADGPbhL1VaC58MkYZTsog==,type:str]
FIREWALL_DEBUG: ENC[AES256_GCM,data:b78=,iv:3BMQ0DGNtWp7F1B9OwxyXJovvgno7W9xyDqz8kVq7Ng=,tag:EvReyPJwuYR9VmQy3qLmmw==,type:str]
#ENC[AES256_GCM,data:9b2XCi3BFhSAwDzMv7yJlg==,iv:SZZTbshhmldXLwrC1Tv5+Fn0fAALWIhs4YpVPtHz97Y=,tag:xwKkFjFoV0fjsjqX//iIOQ==,type:comment]
VPN_SERVICE_PROVIDER: ENC[AES256_GCM,data:uGnXdM2UmA==,iv:LvXRUQcsmIY4QFnAnz4xyuYV9DiTk1H+z9GRLhN+qws=,tag:Fev90HR7WzhtUPRoITdlhQ==,type:str]
OPENVPN_USER: ENC[AES256_GCM,data:GNWPfy82NNMagpXHSgG1+Vfdlc+K8giz,iv:AdrhDIkuq16hB8LzQ/xSi6sBtAEmgjKnuvnZacDLBOg=,tag:cMoDJi0l+e5JMeeSfmQ8/A==,type:str]
OPENVPN_PASSWORD: ENC[AES256_GCM,data:8U1iv0/YGJp7OqbRwIpOdkHaJ3BehLiS,iv:z+qU8njBNknjMqVTTtxE29A4DxS676S8GevR2d96M/c=,tag:OtSh1S3wlxVw9RslDMkDKQ==,type:str]
SERVER_COUNTRIES: ENC[AES256_GCM,data:5Jzm1bDM,iv:JtSsoc53rsJ2lnr8MKhUteo2vFULz0C4OUnTtwOMQW0=,tag:qk3rtR4Dx5dpueRYfWs3ng==,type:str]
SERVER_CATEGORIES: ENC[AES256_GCM,data:dGkg,iv:MCatvlYzGY+gNjd0yQQ9FDkzsi6DCpH4Fl7KVu0Xqus=,tag:YAIkCtZIMygdAyspIVG4HQ==,type:str]
VPN_INTERFACE: ENC[AES256_GCM,data:5We6Ag==,iv:7yseYCdwSZJEDgd/ztYeKf8SozgfP+ZHEJpr7q/sPWA=,tag:QBv62YZZ4SGwwtJjy76XDQ==,type:str]
#ENC[AES256_GCM,data:4uR2Z+D0H/df,iv:Z4MvyZqtLJjGO75yolAp/RXXad8/+lPnZsRfABMorWQ=,tag:/OKufqevxqcmdWuTfv7GQQ==,type:comment]
FIREWALL_ENABLED_DISABLING_IT_SHOOTS_YOU_IN_YOUR_FOOT: ENC[AES256_GCM,data:/fmF,iv:PxRaHhvr+Cy4w/t5CTHXggFNxS5PxcIjDO12Ctc+iCY=,tag:4m9YJblHLh7LlCLDeBcgTQ==,type:str]
FIREWALL_DEBUG: ENC[AES256_GCM,data:HLM=,iv:vgYXQzHmpvsdfVPwdkDfmOJ7R4ktFNxXRAtBgHneZC4=,tag:vI80Ceoz/t5TkZ4TIdk3BA==,type:str]
#ENC[AES256_GCM,data:UO8bHQ==,iv:/GuvRJP2w/g7vICM1NDZVHTXm+sBo/kkjlevDi7LaYo=,tag:6P1aN6OXi2u2CckEc0+Eww==,type:comment]
BLOCK_MALICIOUS: ENC[AES256_GCM,data:wL+d,iv:9hoLzbQi2aNa2zQu9ZB9XzqmqpeDFj82iBTmhi6bfbk=,tag:C2s6RtSC93AROyDNZwKoZw==,type:str]
#ENC[AES256_GCM,data:gf8ng5oalgXLqEUNq9EF+DK9VOY=,iv:iMT0FkZ81zJLjwmgv6gaEPcDz5CLCzw4HV8OdrQyK6I=,tag:KHW4EyNAKc2EOfGQdfNncQ==,type:comment]
DNS_ADDRESS: ENC[AES256_GCM,data:Mld9rWXi8Dwhck9Ejw==,iv:Jz3TSOyaVNTj8cjZpGXSpaBX2GqrJEYFOTRkrciUQI0=,tag:3yN4Fkcyr98NYRl5+17xXw==,type:str]
DNS_UPDATE_PERIOD: ENC[AES256_GCM,data:CR1F,iv:X8m6tpU/h/Gk/D+9F1AES7O0wqEVDLodp/m+4Vu4+wk=,tag:Se8IDRZHJLIbjV6DoqxPIw==,type:str]
sops:
kms: []
gcp_kms: []
Expand All @@ -24,14 +28,14 @@ sops:
- recipient: age1w02zzfg0y4ast9mgnd9w0yuym0wqx6q967kmrmq355w4cnw0xytq2x369r
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPQ3VjZlRqMFVoK3ZYUU9V
ZXptS2xDVGE1WkxIZUppQm0zSUFYckliOHkwCjJLR0pKamtocVlKOUhrRmpwcExP
ODM3R3RmdGMwNi8rYnNFdnVvRk5ya0EKLS0tIG9na2RzdXhaT2ZkTzJKdTdRajBI
VWRteGcvYWJLU2gxblpabC9FZVdEUk0KcAYdtdimc4uIvuZrtap3Yr9A1JREt/+2
7vbuA8BxlxYrL+44mdlDRL0wdBpGQTjbC39EudWiTg/jp2kCWAYeYA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHQXRPdXN4cGJoS0VSNkNT
QVhBcHhEWTJ6YktjZVlhMmxZZ0h2VUNheW1BCnZUL09nSlUwTDBBS3NNRUdYNHBN
MHZoQ0dhODBjWUxCUmxPd0NOc0xER3MKLS0tIHBib3dLYUl2N0tpLzF3czNxRXRn
NUVGbkY1ZnFMRXZ4em9DckRmTnZvNjQKx/t/uKtGf/7mZMgdFJqVciyr52LQt1b2
2edS5U3Bhrv2bkKTbeAtsxkrkMNAFYITLGFD9voIRV2X4fv58+9PZQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-25T18:37:31Z"
mac: ENC[AES256_GCM,data:dzQysVjm/03nFZFDgu22BZ6rN7/pFvd1zO2zvmOw86Xh+/l+3eUmpQBIxXeIJPZ5jQpbFxtiy3ThVQp/9kRQ12hKIAeB7farDCEwIA8VO+U9wQcFf1qILj9/yNBNxnqQkDajHcikaMvgfxehxlcPp+iXCysXfZwV1Zaabkd0C1o=,iv:Bs5E8lSdx0jy+LVz+N9WyuAQ5Q5ymQ4k9NBx34N3Q+I=,tag:0+uhn+0CEx1eYCU8nLgXAw==,type:str]
lastmodified: "2024-11-23T22:32:21Z"
mac: ENC[AES256_GCM,data:LfKSpfwHiQG0SOSA6pMxsVvvR6vRJeV3WZE7LNKlneEk4DCRFnbhK/Z6zLM8e2l2rxcQspOen806Zz35FfTvdwv50QVkgWx0JJDgJW4p2S+8J5BZ7yr3WsKcrHtRQxc5w1q1aoGbj5QGdZh1a9FYnXhLxuLkPNTnHcTn2DoJf6g=,iv:MtwzVY1lrgLt7CI/VXCwk34EXDMnd5hxspkJyzvqByo=,tag:Cd7do3V467dqy6GbYIoTPg==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.9.0
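Review bot: Most of the keys under `stringData` are tunables rather than secrets — `SERVER_COUNTRIES`, `SERVER_CATEGORIES`, `VPN_INTERFACE`, `FIREWALL_DEBUG`, `BLOCK_MALICIOUS`, `DNS_ADDRESS`, `DNS_UPDATE_PERIOD` and the firewall toggle — yet they are encrypted alongside `OPENVPN_USER`/`OPENVPN_PASSWORD`, so this diff cannot show a reviewer what the dropped `FIREWALL` and `DOT` keys were set to or what `BLOCK_MALICIOUS` now holds. Moving the non-sensitive values into the HelmRelease `settings:` map (or a ConfigMap) and keeping only the credentials under SOPS would make firewall and DNS changes auditable in history; `encrypted_regex: ^(data|stringData)$` already leaves the key names in the clear, so nothing is lost by relocating the values. If unsetting `DOT` and `FIREWALL` was intentional, a plaintext comment above `stringData` such as `# DOT/FIREWALL intentionally unset; image defaults apply (confirm)` would spare the next reader a decrypt. The SOPS metadata churn (`lastmodified`, `mac`, age `enc`) is expected and needs no review.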
