
move to virtual floating IP

Vadim Surkov 2 years ago
parent
commit
d7a7fcd9cb

+ 6 - 1
README.md

@@ -1,3 +1,8 @@
 # openvpn
 
-Repo for openvpn images and helm
+Repo for openvpn images and helm
+
+v.2 tasks:
+
+* Авто определение virtIP_dev
+* В daemonset регулярная (раз в 10 сек) проверка корректности маршрутов и проверка корректности расположения ivrtIP_addr

+ 0 - 35
helm/123/cm-router.yaml

@@ -1,35 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ include "openvpn.fullname" . }}-routecheck
-data:
-  route-check: | 
-    set -x
-    while sleep 10
-    do
-      date
-      _cdr=$(mask2cdr {{ .Values.mask }})
-      ip link list {{ .Values.dev_name }} > /dev/null 2>&1
-      if [ $? -ne 0 ]; then
-        __server_pod_ip=$(kubectl get po -o json | jq -r '.items[] | select(.metadata.labels.component=="application" and .metadata.labels["app.kubernetes.io/instance"]=="{{ .Release.Name }}" and .metadata.labels["app.kubernetes.io/name"]=="{{ include "openvpn.name" . }}" and .metadata.deletionTimestamp==null and .status.phase=="Running").status.podIP')
-        if [ -z "$__server_pod_ip" ]; then
-          ip route delete {{ .Values.net }}/$_cdr > /dev/null 2>&1
-          continue
-        fi
-        __route_ip=$(ip route get {{ .Values.net }}/$_cdr | awk '{print $3}')
-        if [[ $__server_pod_ip != $__route_ip ]]; then
-          ip route delete {{ .Values.net }}/$_cdr > /dev/null 2>&1
-          ip route add {{ .Values.net }}/$_cdr via $__server_pod_ip
-        fi
-      else
-        if [ ! -z "$(ip route show to match {{ .Values.net }}/$_cdr | grep -E -v 'default|{{ .Values.dev_name }}')" ]; then
-          ip route delete $(ip route show to match {{ .Values.net }}/$_cdr | grep -E -v 'default|{{ .Values.dev_name }}')
-        fi
-        if [ -z "$(ip route show to match {{ .Values.net }}/$_cdr | grep '{{ .Values.dev_name }}')" ]; then
-          ip route add {{ .Values.net }}/$_cdr dev {{ .Values.dev_name }}
-        fi
-      fi
-      sleep 50
-    done
-  route-delete: |
-    ip route delete $(ip route show to match {{ .Values.net }}/$(mask2cdr {{ .Values.mask }}) | grep -E -v 'default|{{ .Values.dev_name }}')) > /dev/null 2>&1

+ 15 - 5
helm/templates/cm-openvpnscripts.yaml

@@ -1,10 +1,20 @@
-{{- if .Values.openvpn.scripts }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: {{ include "openvpn.fullname" . }}-scripts
 data:
-  {{- range $key, $val := .Values.openvpn.scripts }}
-  {{ $key }}: {{- toYaml $val | indent 2}}
-  {{- end }}
-{{- end }}
+  # Main openvpn container startup script, aka ENTRYPOINT
+  startscript: |-
+    #!/bin/bash
+    ip addr add {{ .Values.virtIP_addr }} dev {{ .Values.virtIP_dev }}
+    mkdir /dev/net
+    mknod /dev/net/tun c 10 200
+    exec "/usr/sbin/openvpn" "--config" "/etc/openvpn/configuration/openvpn.conf"
+  
+  # Stop script, executed by separate container on Pod termination.
+  stopscript: |-
+    #!/bin/bash
+    ip addr delete {{ .Values.virtIP_addr }} dev {{ .Values.virtIP_dev }}
+  {{- if .Values.openvpn.healthcheck }}
+  healthcheck: {{- toYaml .Values.openvpn.healthcheck | indent 2 }}
+  {{- end }}
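Review bot: `ip addr add {{ .Values.virtIP_addr }} dev {{ .Values.virtIP_dev }}` in startscript is not idempotent and, with no `set -e`, a failure there (address already present after a container restart, wrong device name) is ignored and openvpn is exec'd anyway; `ip addr replace {{ .Values.virtIP_addr }} dev {{ .Values.virtIP_dev }}` makes the line safe to repeat, and an `|| exit 1` on the addr/mknod lines would surface a misconfiguration through the pod status instead of silently. Since the deployment in this commit sets hostNetwork, this address lands on the node's own device and only stopscript removes it, so a pod killed without a graceful preStop leaves it behind on the node; a comment above startscript such as `# Claims the floating IP on the node's device; a non-graceful pod exit leaves it assigned` would record that. The whitespace-only line before `# Stop script` sits inside the `|-` scalar; the strip chomping drops it, but it is trailing whitespace yamllint will flag.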

+ 14 - 0
helm/templates/cm-router.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "openvpn.fullname" . }}-routecheck
+data:
+  route-add: | 
+    {{- range .Values.netOpenvpn}}
+    ip route add {{ . }} via {{ $.Values.virtIP_addr }} metric 200
+    {{- end}}
+    sleep infinity
+  route-delete: |
+    {{- range .Values.netOpenvpn}}
+    ip route delete {{ . }} via {{ $.Values.virtIP_addr }} metric 200
+    {{- end}}
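Review bot: `ip route add {{ . }} via {{ $.Values.virtIP_addr }} metric 200` in route-add fails with "File exists" when the route already exists (container restart, or a route left over from a previous release), and because the script has no `set -e` and then enters `sleep infinity`, the daemonset pod looks healthy while the route may never have been refreshed; `ip route replace {{ . }} via {{ $.Values.virtIP_addr }} metric 200` is the idempotent form. Routing via the floating address presumes each node has an on-link path to `virtIP_addr`; the template cannot check that, so a comment above route-add (`# every node must reach virtIP_addr on-link`) would make the assumption explicit. Nothing re-validates the routes after the initial add, which the README in this commit lists as a follow-up. `route-add: | ` carries a trailing space after the block indicator.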

+ 1 - 1
helm/123/daemonset.yaml → helm/templates/daemonset.yaml

@@ -25,7 +25,7 @@ spec:
           image: "{{ .Values.router.image }}:{{ .Values.router.tag }}"
           imagePullPolicy: IfNotPresent
           command: ["/bin/sh"]
-          args: ["-c","/opt/route-check"]
+          args: ["-c","/opt/route-add"]
           lifecycle:
             preStop:
               exec:

+ 2 - 29
helm/templates/deployment.yaml

@@ -18,36 +18,15 @@ spec:
       labels:
         {{- include "openvpn.selectorLabels" . | nindent 8 }}
     spec:
-      securityContext:
-        sysctls:
-        - name: net.ipv4.ip_forward
-          value: "1"
       {{- if .Values.registry_secret_data }}
       imagePullSecrets:
       - name: {{ include "openvpn.fullname" . }}-registry-secret
       {{- end }}
-#      hostNetwork: true
-      {{- if .Values.openvpn.scripts.initscript }}
-      initContainers:
-        - name: {{ .Chart.Name }}-init
-          image: "{{ .Values.openvpn.image }}:{{ .Values.openvpn.tag | default "latest" }}"
-          imagePullPolicy: {{ .Values.openvpn.pullPolicy }}
-          command: ["/scripts/initscript"]
-          volumeMounts:
-            - name: scripts
-              mountPath: /scripts/
-          securityContext:
-            capabilities:
-              add:
-                - NET_ADMIN
-                - MKNOD
-      {{- end }}
+      hostNetwork: true
       containers:
         - name: {{ .Chart.Name }}
-          {{- if .Values.openvpn.scripts.startscript }}
           command: ["/scripts/startscript"]
-          {{- end }}
-          {{- if .Values.openvpn.scripts.healthcheck }}
+          {{- if .Values.openvpn.healthcheck }}
           livenessProbe:
             exec:
               command:
@@ -75,11 +54,8 @@ spec:
               mountPath: /etc/openvpn/ccd/
             - name: configuration
               mountPath: /etc/openvpn/configuration/
-            {{- if .Values.openvpn.scripts }}
             - name: scripts
               mountPath: /scripts/
-            {{- end }}
-        {{- if .Values.openvpn.scripts.stopscript }}
         - name: {{ .Chart.Name }}-stop
           image: "{{ .Values.openvpn.image }}:{{ .Values.openvpn.tag | default "latest" }}"
           imagePullPolicy: {{ .Values.openvpn.pullPolicy }}
@@ -96,7 +72,6 @@ spec:
               add:
                 - NET_ADMIN
                 - MKNOD
-        {{- end }}
       volumes:
       - name: keys
         secret:
@@ -107,9 +82,7 @@ spec:
       - name: configuration
         configMap:
           name: {{ include "openvpn.fullname" . }}-configuration
-      {{- if .Values.openvpn.scripts }}
       - name: scripts
         configMap:
           name: {{ include "openvpn.fullname" . }}-scripts
           defaultMode: 0755
-      {{- end }}
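Review bot: `hostNetwork: true` is now unconditional in the pod spec while startscript claims `virtIP_addr` on the node's interface; unless the deployment strategy (above this hunk, not visible here) is `Recreate`, the default rolling update runs the old and new pod simultaneously, and if both land on the same node the new pod's address add fails and the old pod's stopscript then deletes the address from under the new one. `strategy:` / `  type: Recreate` at spec level, or a values-driven toggle for hostNetwork, would close that window. The main container's securityContext is not in these hunks; with the initContainer gone, `ip addr` and `mknod` in startscript still need `NET_ADMIN` and `MKNOD` on that container, which is worth confirming. Dropping the pod-level `net.ipv4.ip_forward` sysctl means forwarding now depends on the node's own setting once the pod shares the host namespace, so a comment next to `hostNetwork: true` stating the VIP and forwarding assumptions would help the next maintainer.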

+ 20 - 40
helm/values.yaml

@@ -56,58 +56,39 @@ openvpn:
       -----BEGIN X509 CRL-----
       -----END X509 CRL-----
 
-  # Openvn deployment scripts
-  scripts:
-    # Initscript, executed by dedicated initialization container, main purpose - set firewall rules, or some similar, before openvpn start.
-    initscript: |-
-      #!/bin/bash
-      iptables -I FORWARD 1 -m state --state NEW -s 10.100.10.0/24 -i openvpn-tun -j DROP
-      iptables -I FORWARD 1 -m state --state NEW -s 10.100.10.0/24 -d 192.168.205.10 -i openvpn-tun -j ACCEPT
-      iptables -I INPUT 1 -m state --state NEW -s 10.100.10.0/24 -i openvpn-tun -j DROP
-      iptables -I INPUT 1 -m state --state NEW -s 10.100.10.0/24 -d 217.74.42.72 -i openvpn-tun -j ACCEPT
-    # Main openvpn container startup script, aka ENTRYPOINT
-    startscript: |-
-      #!/bin/bash
-      mkdir /dev/net
-      mknod /dev/net/tun c 10 200
-      exec "/usr/sbin/openvpn" "--config" "/etc/openvpn/configuration/openvpn.conf"
-    # Stop script, executed by separate container on Pod termination.
-    stopscript: |-
-      #!/bin/bash
-      iptables -D FORWARD -m state --state NEW -s 10.100.10.0/24 -i openvpn-tun -j DROP
-      iptables -D FORWARD -m state --state NEW -s 10.100.10.0/24 -d 192.168.205.10 -i openvpn-tun -j ACCEPT
-      iptables -D INPUT -m state --state NEW -s 10.100.10.0/24 -i openvpn-tun -j DROP
-      iptables -D INPUT -m state --state NEW -s 10.100.10.0/24 -d 217.74.42.72 -i openvpn-tun -j ACCEPT
-    # The health check script
-    healthcheck: |-
-      #!/bin/bash
-      # ping something, or check connection status on port 7505
-
+  # Openvn healthcheck script
+  # healthcheck: |-
+  #   #!/bin/bash
+  #   echo state | nc localhost 7505 | grep -i connected
 
 # Inbound IP and port
 # ip, port and protocol for loadbalancer service, in case it's a server
-inbound_IP: 10.1.2.3
+inbound_IP: 192.168.21.75
 # must be same, as port in openvpn config
 inbound_port: 1194
 # must be same, as proto in openvpn config
 inbound_proto: UDP
 
-# Openvpn settings, musb be the same, as in config, used in router daemonset
-dev_name: openvpn-tun
-net: 10.100.0.0
-mask: 255.255.0.0
+# Virtual flow ip for openvpn service
+virtIP_addr: 192.168.21.71
+virtIP_dev: team0
+
+# Networks CIDR which has to be routed through openvpn
+netOpenvpn:
+  - 10.10.0.0/16
+  - 10.1.200.0/24
 
 # CCD configmap
 ccd:
-  client: ifconfig-push 10.100.10.2 255.255.0.0
-  someclient: |-
-    ifconfig-push 10.100.10.3 255.255.0.0
-    iroute 192.168.250.0 255.255.255.0
+  test: |-
+    ifconfig-push 10.10.10.10 255.255.0.0
+    iroute 10.1.200.0 255.255.255.0
+#    push "route 192.168.200.0 255.255.248.0"
 
 # Router container
 router:
-  image: "jcr.infoclinica.ru/sys/kubectl"
-  tag: "1.18.9-3"
+  image: "images.sdsys.ru/sys/ovpn-rsa" #nicolaka/netshoot 
+  tag: "200207025"         
   pullPolicy: IfNotPresent
   resources:
     limits:
@@ -115,5 +96,4 @@ router:
       memory: 50Mi
     requests:
       cpu: 50m
-      memory: 50Mi
-
+      memory: 50Mi
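Review bot: `virtIP_addr: 192.168.21.71` carries no prefix length, so the `ip addr add` in the scripts ConfigMap assigns it with iproute2's default host prefix (/32, as I understand it); if that is intended, say so in the comment, and note that a prefix cannot simply be appended here because the router scripts reuse the same bare value in `ip route ... via`, so a different prefix would need its own key. The comment above it should read `# Virtual floating IP for the openvpn service` rather than "flow", matching the commit title. With initscript/stopscript removed, the chart no longer offers a hook for per-release iptables rules like the ones these defaults used to carry, and since the deployment now uses hostNetwork the tunnel terminates in the node's network namespace; a note under `netOpenvpn` that client reachability is unrestricted unless node-level filtering exists would set expectations. `image: "images.sdsys.ru/sys/ovpn-rsa" #nicolaka/netshoot ` and the `tag:` line below it carry trailing spaces and a single-space inline comment that yamllint flags. `inbound_IP`, `virtIP_addr` and `virtIP_dev: team0` are environment-specific defaults; documenting that they must be overridden per install avoids an accidental address claim on a shared segment.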