move to virtual floating IP

README.md

@@ -1,3 +1,8 @@
 # openvpn
 
-Repo for openvpn images and helm
+Repo for openvpn images and helm
+
+v.2 tasks:
+
+* Авто определение virtIP_dev
+* В daemonset регулярная (раз в 10 сек) проверка корректности маршрутов и проверка корректности расположения ivrtIP_addr

helm/123/cm-router.yaml

@@ -1,35 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: {{ include "openvpn.fullname" . }}-routecheck
-data:
-  route-check: | 
-    set -x
-    while sleep 10
-    do
-      date
-      _cdr=$(mask2cdr {{ .Values.mask }})
-      ip link list {{ .Values.dev_name }} > /dev/null 2>&1
-      if [ $? -ne 0 ]; then
-        __server_pod_ip=$(kubectl get po -o json | jq -r '.items[] | select(.metadata.labels.component=="application" and .metadata.labels["app.kubernetes.io/instance"]=="{{ .Release.Name }}" and .metadata.labels["app.kubernetes.io/name"]=="{{ include "openvpn.name" . }}" and .metadata.deletionTimestamp==null and .status.phase=="Running").status.podIP')
-        if [ -z "$__server_pod_ip" ]; then
-          ip route delete {{ .Values.net }}/$_cdr > /dev/null 2>&1
-          continue
-        fi
-        __route_ip=$(ip route get {{ .Values.net }}/$_cdr | awk '{print $3}')
-        if [[ $__server_pod_ip != $__route_ip ]]; then
-          ip route delete {{ .Values.net }}/$_cdr > /dev/null 2>&1
-          ip route add {{ .Values.net }}/$_cdr via $__server_pod_ip
-        fi
-      else
-        if [ ! -z "$(ip route show to match {{ .Values.net }}/$_cdr | grep -E -v 'default|{{ .Values.dev_name }}')" ]; then
-          ip route delete $(ip route show to match {{ .Values.net }}/$_cdr | grep -E -v 'default|{{ .Values.dev_name }}')
-        fi
-        if [ -z "$(ip route show to match {{ .Values.net }}/$_cdr | grep '{{ .Values.dev_name }}')" ]; then
-          ip route add {{ .Values.net }}/$_cdr dev {{ .Values.dev_name }}
-        fi
-      fi
-      sleep 50
-    done
-  route-delete: |
-    ip route delete $(ip route show to match {{ .Values.net }}/$(mask2cdr {{ .Values.mask }}) | grep -E -v 'default|{{ .Values.dev_name }}')) > /dev/null 2>&1

helm/templates/cm-openvpnscripts.yaml

@@ -1,10 +1,20 @@
-{{- if .Values.openvpn.scripts }}
 apiVersion: v1
 kind: ConfigMap
 metadata:
   name: {{ include "openvpn.fullname" . }}-scripts
 data:
-  {{- range $key, $val := .Values.openvpn.scripts }}
-  {{ $key }}: {{- toYaml $val | indent 2}}
-  {{- end }}
-{{- end }}
+  # Main openvpn container startup script, aka ENTRYPOINT
+  startscript: |-
+    #!/bin/bash
+    ip addr add {{ .Values.virtIP_addr }} dev {{ .Values.virtIP_dev }}
+    mkdir /dev/net
+    mknod /dev/net/tun c 10 200
+    exec "/usr/sbin/openvpn" "--config" "/etc/openvpn/configuration/openvpn.conf"
+  
+  # Stop script, executed by separate container on Pod termination.
+  stopscript: |-
+    #!/bin/bash
+    ip addr delete {{ .Values.virtIP_addr }} dev {{ .Values.virtIP_dev }}
+  {{- if .Values.openvpn.healthcheck }}
+  healthcheck: {{- toYaml .Values.openvpn.healthcheck | indent 2 }}
+  {{- end }}

helm/templates/cm-router.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "openvpn.fullname" . }}-routecheck
+data:
+  route-add: | 
+    {{- range .Values.netOpenvpn}}
+    ip route add {{ . }} via {{ $.Values.virtIP_addr }} metric 200
+    {{- end}}
+    sleep infinity
+  route-delete: |
+    {{- range .Values.netOpenvpn}}
+    ip route delete {{ . }} via {{ $.Values.virtIP_addr }} metric 200
+    {{- end}}

helm/123/daemonset.yaml → helm/templates/daemonset.yaml

@@ -25,7 +25,7 @@ spec:
           image: "{{ .Values.router.image }}:{{ .Values.router.tag }}"
           imagePullPolicy: IfNotPresent
           command: ["/bin/sh"]
-          args: ["-c","/opt/route-check"]
+          args: ["-c","/opt/route-add"]
           lifecycle:
             preStop:
               exec:

helm/templates/deployment.yaml

@@ -18,36 +18,15 @@ spec:
       labels:
         {{- include "openvpn.selectorLabels" . | nindent 8 }}
     spec:
-      securityContext:
-        sysctls:
-        - name: net.ipv4.ip_forward
-          value: "1"
       {{- if .Values.registry_secret_data }}
       imagePullSecrets:
       - name: {{ include "openvpn.fullname" . }}-registry-secret
       {{- end }}
-#      hostNetwork: true
-      {{- if .Values.openvpn.scripts.initscript }}
-      initContainers:
-        - name: {{ .Chart.Name }}-init
-          image: "{{ .Values.openvpn.image }}:{{ .Values.openvpn.tag | default "latest" }}"
-          imagePullPolicy: {{ .Values.openvpn.pullPolicy }}
-          command: ["/scripts/initscript"]
-          volumeMounts:
-            - name: scripts
-              mountPath: /scripts/
-          securityContext:
-            capabilities:
-              add:
-                - NET_ADMIN
-                - MKNOD
-      {{- end }}
+      hostNetwork: true
       containers:
         - name: {{ .Chart.Name }}
-          {{- if .Values.openvpn.scripts.startscript }}
           command: ["/scripts/startscript"]
-          {{- end }}
-          {{- if .Values.openvpn.scripts.healthcheck }}
+          {{- if .Values.openvpn.healthcheck }}
           livenessProbe:
             exec:
               command:
@@ -75,11 +54,8 @@ spec:
               mountPath: /etc/openvpn/ccd/
             - name: configuration
               mountPath: /etc/openvpn/configuration/
-            {{- if .Values.openvpn.scripts }}
             - name: scripts
               mountPath: /scripts/
-            {{- end }}
-        {{- if .Values.openvpn.scripts.stopscript }}
         - name: {{ .Chart.Name }}-stop
           image: "{{ .Values.openvpn.image }}:{{ .Values.openvpn.tag | default "latest" }}"
           imagePullPolicy: {{ .Values.openvpn.pullPolicy }}
@@ -96,7 +72,6 @@ spec:
               add:
                 - NET_ADMIN
                 - MKNOD
-        {{- end }}
       volumes:
       - name: keys
         secret:
@@ -107,9 +82,7 @@ spec:
       - name: configuration
         configMap:
           name: {{ include "openvpn.fullname" . }}-configuration
-      {{- if .Values.openvpn.scripts }}
       - name: scripts
         configMap:
           name: {{ include "openvpn.fullname" . }}-scripts
           defaultMode: 0755
-      {{- end }}

helm/values.yaml

@@ -56,58 +56,39 @@ openvpn:
       -----BEGIN X509 CRL-----
       -----END X509 CRL-----
 
-  # Openvn deployment scripts
-  scripts:
-    # Initscript, executed by dedicated initialization container, main purpose - set firewall rules, or some similar, before openvpn start.
-    initscript: |-
-      #!/bin/bash
-      iptables -I FORWARD 1 -m state --state NEW -s 10.100.10.0/24 -i openvpn-tun -j DROP
-      iptables -I FORWARD 1 -m state --state NEW -s 10.100.10.0/24 -d 192.168.205.10 -i openvpn-tun -j ACCEPT
-      iptables -I INPUT 1 -m state --state NEW -s 10.100.10.0/24 -i openvpn-tun -j DROP
-      iptables -I INPUT 1 -m state --state NEW -s 10.100.10.0/24 -d 217.74.42.72 -i openvpn-tun -j ACCEPT
-    # Main openvpn container startup script, aka ENTRYPOINT
-    startscript: |-
-      #!/bin/bash
-      mkdir /dev/net
-      mknod /dev/net/tun c 10 200
-      exec "/usr/sbin/openvpn" "--config" "/etc/openvpn/configuration/openvpn.conf"
-    # Stop script, executed by separate container on Pod termination.
-    stopscript: |-
-      #!/bin/bash
-      iptables -D FORWARD -m state --state NEW -s 10.100.10.0/24 -i openvpn-tun -j DROP
-      iptables -D FORWARD -m state --state NEW -s 10.100.10.0/24 -d 192.168.205.10 -i openvpn-tun -j ACCEPT
-      iptables -D INPUT -m state --state NEW -s 10.100.10.0/24 -i openvpn-tun -j DROP
-      iptables -D INPUT -m state --state NEW -s 10.100.10.0/24 -d 217.74.42.72 -i openvpn-tun -j ACCEPT
-    # The health check script
-    healthcheck: |-
-      #!/bin/bash
-      # ping something, or check connection status on port 7505
-
+  # Openvn healthcheck script
+  # healthcheck: |-
+  #   #!/bin/bash
+  #   echo state | nc localhost 7505 | grep -i connected
 
 # Inbound IP and port
 # ip, port and protocol for loadbalancer service, in case it's a server
-inbound_IP: 10.1.2.3
+inbound_IP: 192.168.21.75
 # must be same, as port in openvpn config
 inbound_port: 1194
 # must be same, as proto in openvpn config
 inbound_proto: UDP
 
-# Openvpn settings, musb be the same, as in config, used in router daemonset
-dev_name: openvpn-tun
-net: 10.100.0.0
-mask: 255.255.0.0
+# Virtual flow ip for openvpn service
+virtIP_addr: 192.168.21.71
+virtIP_dev: team0
+
+# Networks CIDR which has to be routed through openvpn
+netOpenvpn:
+  - 10.10.0.0/16
+  - 10.1.200.0/24
 
 # CCD configmap
 ccd:
-  client: ifconfig-push 10.100.10.2 255.255.0.0
-  someclient: |-
-    ifconfig-push 10.100.10.3 255.255.0.0
-    iroute 192.168.250.0 255.255.255.0
+  test: |-
+    ifconfig-push 10.10.10.10 255.255.0.0
+    iroute 10.1.200.0 255.255.255.0
+#    push "route 192.168.200.0 255.255.248.0"
 
 # Router container
 router:
-  image: "jcr.infoclinica.ru/sys/kubectl"
-  tag: "1.18.9-3"
+  image: "images.sdsys.ru/sys/ovpn-rsa" #nicolaka/netshoot 
+  tag: "200207025"         
   pullPolicy: IfNotPresent
   resources:
     limits:
@@ -115,5 +96,4 @@ router:
       memory: 50Mi
     requests:
       cpu: 50m
-      memory: 50Mi
-
+      memory: 50Mi