
Commit 5a5b787

sshi100bmonkman
andauthored
257 add vpn support (#85)
* initial submit * set initial sample client public keys * add random_seed * fix folder * enhancement with review * run terraform fmt against related directories * add hostname vpn.* pointing to service NLB * formalized configuration * added app client configuration retrieval script and initial README * added local script to help user adding and configuration generation * added local script to help user adding and configuration generation * use template for PROJECT * attached k8s current context with config file name * revision on config file name * A few tweaks to documentation Co-authored-by: Bill Monkman <[email protected]>
1 parent bacc352 commit 5a5b787

20 files changed

Lines changed: 432 additions & 42 deletions

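--- a/templates/Makefile
+++ b/templates/Makefile
@@ -1,7 +1,7 @@
 ENVIRONMENT ?= stage
 PROJECT = <% .Name %>
 
-apply: apply-remote-state apply-secrets apply-env apply-k8s-utils post-apply-setup
+apply: apply-remote-state apply-secrets apply-env update-k8s-conf pre-k8s apply-k8s-utils post-apply-setup
 
 apply-remote-state:
 aws s3 ls $(PROJECT)-$(ENVIRONMENT)-terraform-state || (\
@@ -22,7 +22,13 @@ apply-env:
 terraform init && \
 terraform apply $(AUTO_APPROVE)
 
-apply-k8s-utils: update-k8s-conf
+pre-k8s:
+@echo "Creating VPN private key..."
+WGKEY=$(shell kubectl run -i --tty zero-k8s-utilities --image=commitdev/zero-k8s-utilities:0.0.3 --restart=Never -- wg genkey) && kubectl delete pod/zero-k8s-utilities && \
+aws secretsmanager create-secret --name $(PROJECT)-$(ENVIRONMENT)-vpn-wg-privatekey-<% index .Params `randomSeed` %> --description "Auto-generated Wireguard VPN private key" --secret-string $$WGKEY
+@echo "Done VPN private key creation"
+
+apply-k8s-utils:
 cd kubernetes/terraform/environments/$(ENVIRONMENT) && \
 terraform init && \
 terraform apply $(AUTO_APPROVE)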
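Review bot: The WireGuard private key generated on new lines 27–28 is exposed twice: `$(shell …)` substitutes the key into the recipe text before make echoes it (the line has no `@` prefix, so the key lands in the terminal or CI log), and `--secret-string $$WGKEY` then puts it in the argv of the aws process, where any local user can read it from the process table. Generate the key straight into a `mktemp` file (created 0600) and hand it to the CLI through a `file://` reference, as sketched below; `--tty` is presumably ineffective under `$(shell)` anyway since stdin is not a terminal there — confirm against kubectl's behaviour. A second `make apply` will also fail at this target, because `create-secret` errors when the secret already exists; a `describe-secret` probe before creating would make `pre-k8s` re-runnable. Whether `pre-k8s` is listed in `.PHONY` is outside the hunk.
```make
pre-k8s:
	@echo "Creating VPN private key..."
	@KEYFILE=$$(mktemp) && trap 'rm -f "$$KEYFILE"' EXIT && \
	kubectl run -i --rm --restart=Never zero-k8s-utilities --image=commitdev/zero-k8s-utilities:0.0.3 -- wg genkey | tr -d '\n' > "$$KEYFILE" && \
	aws secretsmanager create-secret --name $(PROJECT)-$(ENVIRONMENT)-vpn-wg-privatekey-<% index .Params `randomSeed` %> \
	  --description "Auto-generated Wireguard VPN private key" --secret-string file://"$$KEYFILE"
	@echo "Done VPN private key creation"
```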

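--- a/templates/kubernetes/terraform/environments/dev/application_iam_policy.tf
+++ b/templates/kubernetes/terraform/environments/dev/application_iam_policy.tf
@@ -10,4 +10,4 @@ data "aws_iam_policy_document" "resource_access_backendservice" {
 resources = ["arn:aws:ec2:::dev-*"]
 }
 # can be more statements here
-}
+}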

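--- a/templates/kubernetes/terraform/environments/dev/main.tf
+++ b/templates/kubernetes/terraform/environments/dev/main.tf
@@ -16,11 +16,12 @@ module "kubernetes" {
 
 environment = "dev"
 region = "<% index .Params `region` %>"
+random_seed = "<% index .Params `randomSeed` %>"
 
 # Authenticate with the EKS cluster via the cluster id
 cluster_name = "<% .Name %>-dev-<% index .Params `region` %>"
 
-external_dns_zone = "<% index .Params `stagingHostRoot` %>"
+external_dns_zone = "<% index .Params `stagingHostRoot` %>"
 external_dns_owner_id = "<% GenerateUUID %>" # randomly generated ID
 
 # Registration email for LetsEncrypt
@@ -38,4 +39,11 @@ module "kubernetes" {
 }
 # could be more policies defined here (if have)
 ]
+
+# Wireguard configuration
+vpn_server_address = "10.10.254.0/24"
+vpn_client_publickeys = [
+["Max C", "10.10.254.201/32", "/B3Q/Hlf+ILInjpehTLk9DZGgybdGdbm0SsG87OnWV0="],
+["Carter L", "10.10.254.202/32", "h2jMuaXNIlx7Z0a3owWFjPsAA8B+ZpQH3FbZK393+08="],
+]
 }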
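Review bot: The template ships `vpn_client_publickeys` pre-populated with two named users' public keys (new lines 45–47), so every project generated from it — dev here, and prod and stage in the same commit — would admit the holders of those private keys to its VPN before the project owner has added anyone. Sample material belongs in the README, which this commit already documents; ship the list empty, `vpn_client_publickeys = []`, and keep the example rows as a comment if an illustration is wanted. The `module "kubernetes"` block this sits in begins before the hunk.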

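--- a/templates/kubernetes/terraform/environments/prod/main.tf
+++ b/templates/kubernetes/terraform/environments/prod/main.tf
@@ -9,7 +9,7 @@ terraform {
 }
 
 provider "aws" {
-region = "<% index .Params `region` %>"
+region = "<% index .Params `region` %>"
 }
 
 # Provision kubernetes resources required to run services/applications
@@ -24,7 +24,7 @@ module "kubernetes" {
 # Authenticate with the EKS cluster via the cluster id
 cluster_name = "<% .Name %>-prod-<% index .Params `region` %>"
 
-external_dns_zone = "<% index .Params `productionHostRoot` %>"
+external_dns_zone = "<% index .Params `productionHostRoot` %>"
 external_dns_owner_id = "<% GenerateUUID %>" # randomly generated ID
 
 # Registration email for LetsEncrypt
@@ -42,4 +42,11 @@ module "kubernetes" {
 }
 # could be more policies defined here (if have)
 ]
+
+# Wireguard configuration
+vpn_server_address = "10.10.99.0/24"
+vpn_client_publickeys = [
+["Max C", "10.10.99.201/32", "/B3Q/Hlf+ILInjpehTLk9DZGgybdGdbm0SsG87OnWV0="],
+["Carter L", "10.10.99.202/32", "h2jMuaXNIlx7Z0a3owWFjPsAA8B+ZpQH3FbZK393+08="],
+]
 }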
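Review bot: `random_seed` is not passed to the `kubernetes` module in this file, while the dev and stage `main.tf` in the same commit add a `random_seed` line right after `region`. The Makefile's new `pre-k8s` target names the Secrets Manager entry `$(PROJECT)-$(ENVIRONMENT)-vpn-wg-privatekey-<randomSeed>`, so if the module derives its secret lookup from that variable, prod will either fail validation (no default) or look for a differently named secret — confirm against the module's variable definitions, which this commit does not show. Adding the same `random_seed` line as dev/stage inside the module block (which begins before the second hunk) keeps the three environments consistent.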

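--- a/templates/kubernetes/terraform/environments/stage/application_iam_policy.tf
+++ b/templates/kubernetes/terraform/environments/stage/application_iam_policy.tf
@@ -10,4 +10,4 @@ data "aws_iam_policy_document" "resource_access_backendservice" {
 resources = ["arn:aws:ec2:::stage-*"]
 }
 # can be more statements here
-}
+}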

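--- a/templates/kubernetes/terraform/environments/stage/main.tf
+++ b/templates/kubernetes/terraform/environments/stage/main.tf
@@ -9,7 +9,7 @@ terraform {
 }
 
 provider "aws" {
-region = "<% index .Params `region` %>"
+region = "<% index .Params `region` %>"
 }
 
 # Provision kubernetes resources required to run services/applications
@@ -20,11 +20,12 @@ module "kubernetes" {
 
 environment = "stage"
 region = "<% index .Params `region` %>"
+random_seed = "<% index .Params `randomSeed` %>"
 
 # Authenticate with the EKS cluster via the cluster id
 cluster_name = "<% .Name %>-stage-<% index .Params `region` %>"
 
-external_dns_zone = "<% index .Params `stagingHostRoot` %>"
+external_dns_zone = "<% index .Params `stagingHostRoot` %>"
 external_dns_owner_id = "<% GenerateUUID %>" # randomly generated ID
 
 # Registration email for LetsEncrypt
@@ -42,4 +43,11 @@ module "kubernetes" {
 }
 # could be more policies defined here (if have)
 ]
+
+# Wireguard configuration
+vpn_server_address = "10.10.199.0/24"
+vpn_client_publickeys = [
+["Max C", "10.10.199.201/32", "/B3Q/Hlf+ILInjpehTLk9DZGgybdGdbm0SsG87OnWV0="],
+["Carter L", "10.10.199.202/32", "h2jMuaXNIlx7Z0a3owWFjPsAA8B+ZpQH3FbZK393+08="],
+]
 }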

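--- a/templates/kubernetes/terraform/modules/kubernetes/README.md
+++ b/templates/kubernetes/terraform/modules/kubernetes/README.md
@@ -52,6 +52,29 @@ The `irsa` module makes it easy to grant a pod to have a specific level of acces
 ```
 
 
+## WireGuard VPN support
+WireGuard® is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. This allows users to access internal resources securely.
+
+A WireGuard pod will be started inside the cluster and users can be added to it by appending lines to `kubernetes/terraform/environments/<env>/main.tf`:
+```
+vpn_client_publickeys = [
+# name, IP, public key
+["Your Name", "10.10.199.203/32", "yz6gNspLJE/HtftBwcj5x0yK2XG6+/SHIaZ****vFRc="],
+]
+```
+
+A new user can add themselves to the VPN server easily. Any user with access to the kubernetes cluster should be able to run the script `scripts/add-vpn-user.sh`
+This will ask for their name, and automatically generate a line like the one above, which they can then add to the terraform and apply themselves, or give the line to an administrator and ask them to apply it.
+The environment they are added to will be decided by the current `kubectl` context. You can see your current context with `kubectl config current-context`.
+A user will need to repeat this for each environment they need access to (for example, staging and production.)
+
+*Note that this will try to detect the next available IP address for the user but you should still take care to ensure there are no duplicate IPs in the list.*
+
+It will also generate a WireGuard client config file on their local machine which will be properly populated with all the values to allow them to connect to the server.
+
+The WireGuard client can be downloaded at [https://www.wireguard.com/install/](https://www.wireguard.com/install/)
+
+Once connected to the VPN, the user should have direct access to anything running inside the AWS VPC.
 
 ## Organization
 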
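--- a/templates/kubernetes/terraform/modules/kubernetes/cert_manager.tf
+++ b/templates/kubernetes/terraform/modules/kubernetes/cert_manager.tf
@@ -70,12 +70,12 @@ resource "helm_release" "cert_manager" {
 set {
 type = "string"
 name = "serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
-value = module.iam_assumable_role_cert_manager.this_iam_role_arn
+value = module.iam_assumable_role_cert_manager.this_iam_role_arn
 }
 set {
 type = "string"
 name = "podAnnotations.eks\\.amazonaws\\.com/role-arn"
-value = module.iam_assumable_role_cert_manager.this_iam_role_arn
+value = module.iam_assumable_role_cert_manager.this_iam_role_arn
 }
 set {
 name = "securityContext.fsGroup"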

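--- a/templates/kubernetes/terraform/modules/kubernetes/cluster_autoscaler.tf
+++ b/templates/kubernetes/terraform/modules/kubernetes/cluster_autoscaler.tf
@@ -20,7 +20,7 @@ resource "helm_release" "cluster_autoscaler" {
 set {
 type = "string"
 name = "rbac.serviceAccountAnnotations.eks\\.amazonaws\\.com/role-arn"
-value = module.iam_assumable_role_cluster_autoscaler.this_iam_role_arn
+value = module.iam_assumable_role_cluster_autoscaler.this_iam_role_arn
 }
 set {
 name = "awsRegion"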

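--- a/templates/kubernetes/terraform/modules/kubernetes/database_service.tf
+++ b/templates/kubernetes/terraform/modules/kubernetes/database_service.tf
@@ -8,10 +8,10 @@ resource "kubernetes_service" "app_db" {
 ## https://github.com/commitdev/zero-deployable-backend/blob/b2cee21982b1e6a0ac9996e2a1bf214e5bf10ab5/db-ops/create-db-user.sh#L6
 metadata {
 namespace = kubernetes_namespace.app_namespace.metadata[0].name
-name = "database"
+name = "database"
 }
 spec {
-type = "ExternalName"
+type = "ExternalName"
 external_name = data.aws_db_instance.database.address
 }
 }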
