Merge pull request #26 from lalithkota/main

Added K8s mode in wireguard bastion. Updated istio scripts
OpenG2P · May 28, 2024 · 379c0c0 · 379c0c0
2 parents cbdc51f + 70a8be8
commit 379c0c0
Show file tree

Hide file tree

Showing 7 changed files with 109 additions and 21 deletions.
diff --git a/kubernetes/istio/istio-ef-spdy-upgrade.yaml b/kubernetes/istio/istio-ef-spdy-upgrade.yaml
@@ -0,0 +1,19 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: EnvoyFilter
+metadata:
+  name: spdy-upgrade-filter
+  namespace: istio-system
+spec:
+  configPatches:
+  - applyTo: NETWORK_FILTER
+    match:      
+      listener:
+        filterChain:
+          filter:
+            name: "envoy.filters.network.http_connection_manager"
+    patch:
+      operation: MERGE
+      value:
+        typed_config:
+          "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager"
+          "upgradeConfigs": [ { "upgradeType": "SPDY/3.1" } ]
diff --git a/kubernetes/istio/istio-gateway-tls.yaml b/kubernetes/istio/istio-gateway-tls.yaml
@@ -8,19 +8,19 @@ spec:
     istio: ingressgateway
   servers:
   - hosts:
-    - ${WILDCARD_HOSTNAME}
+    - "${WILDCARD_HOSTNAME}"
     port:
       name: http2
       number: 8080
       protocol: HTTP2
     tls:
       httpsRedirect: true
   - hosts:
-    - ${WILDCARD_HOSTNAME}
+    - "${WILDCARD_HOSTNAME}"
     port:
       name: https
       number: 8443
-      protocol: HTTP2
+      protocol: HTTPS
     tls:
-      credentialName: tls-openg2p-ingress
+      credentialName: tls-openg2p-${NS}-ingress
       mode: SIMPLE
diff --git a/kubernetes/istio/istio-gateway.yaml b/kubernetes/istio/istio-gateway.yaml
@@ -8,15 +8,15 @@ spec:
     istio: ingressgateway
   servers:
   - hosts:
-    - ${WILDCARD_HOSTNAME}
+    - "${WILDCARD_HOSTNAME}"
     port:
       name: http2-redirect-https
       number: 8081
       protocol: HTTP2
     tls:
       httpsRedirect: true
   - hosts:
-    - ${WILDCARD_HOSTNAME}
+    - "${WILDCARD_HOSTNAME}"
     port:
       name: http2
       number: 8080
@@ -32,15 +32,15 @@ spec:
     istio: ingressgateway-public
   servers:
   - hosts:
-    - ${WILDCARD_HOSTNAME}
+    - "${WILDCARD_HOSTNAME}"
     port:
       name: http2-redirect-https
       number: 8081
       protocol: HTTP2
     tls:
       httpsRedirect: true
   - hosts:
-    - ${WILDCARD_HOSTNAME}
+    - "${WILDCARD_HOSTNAME}"
     port:
       name: http2
       number: 8080

diff --git a/kubernetes/rke2/rke2-agent.conf.template b/kubernetes/rke2/rke2-agent.conf.template
@@ -5,3 +5,5 @@ node-ip: <node internal ip>
 node-label: "shouldInstallIstioIngress=true"
 disable:
   - rke2-ingress-nginx
+kubelet-arg:
+  - --allowed-unsafe-sysctls=net.ipv4.conf.all.src_valid_mark,net.ipv4.ip_forward
diff --git a/kubernetes/rke2/rke2-server.conf.primary.template b/kubernetes/rke2/rke2-server.conf.primary.template
@@ -4,3 +4,5 @@ node-ip: <node internal ip>
 node-label: "shouldInstallIstioIngress=true"
 disable:
   - rke2-ingress-nginx
+kubelet-arg:
+  - --allowed-unsafe-sysctls=net.ipv4.conf.all.src_valid_mark,net.ipv4.ip_forward
diff --git a/kubernetes/rke2/rke2-server.conf.subsequent.template b/kubernetes/rke2/rke2-server.conf.subsequent.template
@@ -5,5 +5,5 @@ node-ip: <node internal ip>
 node-label: "shouldInstallIstioIngress=true"
 disable:
   - rke2-ingress-nginx
-tls-san:
-  - <nodeip>
+kubelet-arg:
+  - --allowed-unsafe-sysctls=net.ipv4.conf.all.src_valid_mark,net.ipv4.ip_forward
diff --git a/kubernetes/wireguard/wg.sh b/kubernetes/wireguard/wg.sh
@@ -7,6 +7,13 @@ if [ $USER != "root" ]; then
   exit 1
 fi
 
+if [ -z $WG_MODE ]; then
+  export WG_MODE=docker
+elif [ $WG_MODE != "docker" ] && [ $WG_MODE != "k8s" ]; then
+  echo "Unsupported WG_MODE. defaulting to docker"
+  export WG_MODE=docker
+fi
+
 if [ $# -lt 3 ]; then
   echo "Usage: ./wg.sh <wireguard name> <subnet for this wireguard> <port for this wireguard> [no of peers] [clients allowed ips]"
   exit 1
@@ -53,20 +60,15 @@ chmod +x /postdown.rules.sh
 iptables -A FORWARD -i wg0 -j ACCEPT
 iptables -A FORWARD -o wg0 -j ACCEPT
 
-#iptables -A FORWARD -m iprange --src-range 10.13.13.2-10.13.13.51 -d 172.31.35.104 -j ACCEPT
-#iptables -A FORWARD -m iprange --dst-range 10.13.13.2-10.13.13.51 -s 172.31.35.104 -j ACCEPT
-
-#iptables -A FORWARD -m iprange --src-range 10.13.13.2-10.13.13.51 -d 172.31.31.67 -j ACCEPT
-#iptables -A FORWARD -m iprange --dst-range 10.13.13.2-10.13.13.51 -s 172.31.31.67 -j ACCEPT
-
 iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
 ' > /etc/$WG_NAME/rules.sh
 chmod +x /etc/$WG_NAME/rules.sh
 
+if [ $WG_MODE = "docker" ]; then
+
 docker run -d \
   --name=$WG_NAME \
   --cap-add=NET_ADMIN \
-  --cap-add=SYS_MODULE \
   -e PUID=1000 \
   -e PGID=1000 \
   -e TZ=Asia/Calcutta\
@@ -77,10 +79,73 @@ docker run -d \
   -e SERVERPORT=$WG_PORT \
   -p ${WG_PORT}:${WG_PORT}/udp \
   -v /etc/$WG_NAME/:/config \
-  -v /lib/modules:/lib/modules \
   --restart unless-stopped \
-  ghcr.io/linuxserver/wireguard
+  --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
+  --sysctl="net.ipv4.ip_forward=1" \
+  ghcr.io/linuxserver/wireguard || \
+{ echo "Error starting Docker"; exit 1; }
+
+elif [ $WG_MODE = "k8s" ]; then
 
-WG_CONT_IP=$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' $WG_NAME)
-ip route add $WG_SUBNET via $WG_CONT_IP
+kubectl create ns wireguard-system || echo "Namespace Already Exists"
+echo \
+'apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: '"${WG_NAME//_/-}"'
+  namespace: wireguard-system
+spec:
+  selector:
+    matchLabels:
+      app: '"${WG_NAME//_/-}"'
+  template:
+    metadata:
+      labels:
+        app: '"${WG_NAME//_/-}"'
+    spec:
+      nodeName: node1
+      securityContext:
+        sysctls:
+          - name: net.ipv4.conf.all.src_valid_mark
+            value: "1"
+          - name: net.ipv4.ip_forward
+            value: "1"
+      containers:
+      - name: wireguard
+        image: ghcr.io/linuxserver/wireguard
+        securityContext:
+          capabilities:
+            add:
+            - NET_ADMIN
+        env:
+        - name: PUID
+          value: "1000"
+        - name: PGID
+          value: "1000"
+        - name: TZ
+          value: "Asia/Calcutta"
+        - name: PEERS
+          value: "'"${WG_PEERS}"'"
+        - name: PEERDNS
+          value: ""
+        - name: INTERNAL_SUBNET
+          value: "'"${WG_SUBNET_SPLIT_ARR[0]}"'"
+        - name: ALLOWEDIPS
+          value: "'"$WG_ALLOWED_IPS"'"
+        - name: SERVERPORT
+          value: "'"$WG_PORT"'"
+        ports:
+        - containerPort: '"$WG_PORT"'
+          hostPort: '"$WG_PORT"'
+          protocol: UDP
+        volumeMounts:
+        - mountPath: /config
+          name: wg-configs
+      volumes:
+      - name: wg-configs
+        hostPath:
+          path: /etc/'"$WG_NAME"'
+' | kubectl apply -f - || \
+{ echo "Error starting Pod"; exit 1; }
 
+fi