The source code and default configuration of the Building Block are available on our code.sysEleven.de. For information on release notes and new features, please follow Release note on openvpn.
Authentication and authorization component to securely access your internal cluster resources.
You need to provide a storage provider for this Building Block. Proceed with the following prerequisite description to use the Velero Building Block out of the box.
A recommended resource overview is listed in the table below.

CPU / vCPU | Memory
---|---
3 | 6000MiB
No further activities need to be carried out in advance.
Add the directory `syseleven-openvpn` to your control repository. Add a `.gitlab-ci.yml` to the directory with the following content:

```yaml
include:
  - project: syseleven/building-blocks/helmfiles/openvpn
    file: JobDevelopment.yaml
    ref: 3.24.0
  - project: syseleven/building-blocks/helmfiles/openvpn
    file: JobStaging.yaml
    ref: 3.24.0
  - project: syseleven/building-blocks/helmfiles/openvpn
    file: JobProduction.yaml
    ref: 3.24.0
```
Remove environments you are not using by removing their include.
No configuration is required.
You can set up external-dns to automatically publish your OpenVPN server to your DNS zone. Add the following YAML to your `values-*.yaml` file:

```yaml
service:
  annotations:
    external-dns.alpha.kubernetes.io/hostname: vpn.myhostname.com
openvpn:
  clientConfServer: "vpn.myhostname.com"
```
The Helm chart prints the following commands to the shell when deploying. If you changed any of the configuration, check the CI pipeline deploy run for the appropriate commands.

```shell
# Set the name for the key
KEY_NAME=example-user
POD_NAME=$(kubectl get pods --namespace "syseleven-managed-openvpn" -l "app=openvpn,release=openvpn" -o jsonpath='{ .items[0].metadata.name }')
SERVICE_NAME=$(kubectl get svc --namespace "syseleven-managed-openvpn" -l "app=openvpn,release=openvpn" -o jsonpath='{ .items[0].metadata.name }')
SERVICE_IP=$(kubectl get svc --namespace "syseleven-managed-openvpn" "$SERVICE_NAME" -o go-template='{{ range $k, $v := (index .status.loadBalancer.ingress 0)}}{{ $v }}{{end}}')
# Generate the client certificate inside the pod ("--" separates kubectl's flags from the command to run)
kubectl --namespace "syseleven-managed-openvpn" exec -it "$POD_NAME" -- /etc/openvpn/setup/newClientCert.sh "$KEY_NAME" "$SERVICE_IP"
# Export the profile; use -i only, since a TTY (-t) would insert carriage returns into the redirected file
kubectl --namespace "syseleven-managed-openvpn" exec -i "$POD_NAME" -- cat "/etc/openvpn/certs/pki/$KEY_NAME.ovpn" > "$KEY_NAME.ovpn"
```
Copy the resulting `$KEY_NAME.ovpn` file to your OpenVPN client (for example, in Tunnelblick, double-click the file). Repeat this for each user that needs to connect to the VPN, changing `KEY_NAME` for each additional user.
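As an added example (not part of the Building Block or the Helm chart), a small POSIX shell check to run over the exported `$KEY_NAME.ovpn` before handing it to a user: it verifies that the inline `<ca>`, `<cert>` and `<key>` blocks are present, that the `remote` line names the server you expect, and that no carriage returns crept in from capturing the file through a TTY. The sample profile it writes is constructed (placeholder PEM bodies; port and protocol are assumed).

```shell
#!/bin/sh
# validate_ovpn <file> <expected remote host or IP>
# Returns 0 when the profile looks complete and points at the expected server.
validate_ovpn() {
  file=$1
  expected=$2
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
  # A raw CR byte as the pattern: any hit means the file was captured through a TTY
  # ("kubectl exec -t ... cat > file"), and OpenVPN clients may reject it.
  if grep -q "$(printf '\r')" "$file"; then
    echo "$file contains carriage returns (captured through a TTY?)" >&2
    return 1
  fi
  # Each inline PKI block must have its opening and closing tag.
  for tag in ca cert key; do
    if ! grep -q "^<$tag>" "$file" || ! grep -q "^</$tag>" "$file"; then
      echo "$file is missing the inline <$tag> block" >&2
      return 1
    fi
  done
  # The remote line must point at the server the profile was generated for.
  if ! grep -Eq "^remote[[:space:]]+$expected([[:space:]]|\$)" "$file"; then
    echo "$file does not point at $expected" >&2
    return 1
  fi
  echo "$file looks complete and points at $expected"
}

# Constructed sample profile in the layout newClientCert.sh produces
# (placeholder PEM bodies, not real key material; port/proto are assumed).
write_sample_profile() {
  cat > "$1" <<'EOF'
client
nobind
dev tun
remote-cert-tls server
remote vpn.myhostname.com 443 tcp
<ca>
PLACEHOLDER-CA-CERTIFICATE
</ca>
<cert>
PLACEHOLDER-CLIENT-CERTIFICATE
</cert>
<key>
PLACEHOLDER-CLIENT-KEY
</key>
EOF
}
```

Run it as `validate_ovpn example-user.ovpn vpn.myhostname.com` (or with the `$SERVICE_IP` the profile was generated against) before distributing the file.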
To revoke a certificate, execute the following:

```shell
# This needs to be the same name the certificate was generated with
KEY_NAME=example-user
POD_NAME=$(kubectl get pods -n "syseleven-managed-openvpn" -l "app=openvpn,release=openvpn" -o jsonpath='{.items[0].metadata.name}')
# Revoke the client certificate inside the pod ("--" separates kubectl's flags from the command to run)
kubectl -n "syseleven-managed-openvpn" exec -it "$POD_NAME" -- /etc/openvpn/setup/revokeClientCert.sh "$KEY_NAME"
```

As with the creation of certificates, if you changed any configuration, please check the CI pipeline deploy run for the appropriate commands.
Technical limitation on OpenVPN as for :
Please find more information on release notes and new features under Release notes OpenVPN.