first release

Author: angelnu

Dockerfile

@@ -1,27 +1,16 @@
-FROM golang:1.16 AS build
-
-WORKDIR /workspace
-ENV GO111MODULE=on
-
-COPY *.go go.mod *.sum ./
-
-# Build
-RUN go mod download
-
-RUN CGO_ENABLED=0 go build -o app -ldflags '-w -extldflags "-static"' .
-
-#Test
-RUN  CCGO_ENABLED=0 go test -v .
-
-# Use distroless as minimal base image to package the manager binary
-# Refer to https://github.com/GoogleContainerTools/distroless for more details
-# debug tag adds a shell (not recommended for prod)
-FROM gcr.io/distroless/static:nonroot
+FROM alpine:3.13.5
 WORKDIR /
-COPY --from=build /workspace/app /app/app
-USER nonroot:nonroot
 
-ENTRYPOINT ["/app/app"]
+# iproute2 -> bridge
+# bind-tools -> bind
+# dhclient -> get dynamic IP
+# dnsmasq -> DNS & DHCP server
+# coreutils -> need REAL chown and chmod for dhclient (it uses reference option not supported in busybox)
+RUN apk add --no-cache coreutils dnsmasq iproute2 bind-tools dhclient
+
+COPY config /config
+COPY bin /bin
+CMD [ "/bin/entry.sh" ]
 
 ARG IMAGE_SOURCE
 #https://github.com/k8s-at-home/template-container-image

Makefile

@@ -1,30 +1,6 @@
 
 # Image URL to use all building/pushing image targets
-IMG ?= template-container-image:latest
-
-# Run tests
-test: build
-	go test -v .
-
-# Build manager binary
-build: fmt vet
-	go build -o app main.go
-
-# Download dependencies
-download:
-	go mod download
-
-# Download dependencies
-tidy: download
-	go mod tidy
-
-# Run go fmt against code
-fmt: tidy
-	go fmt ./...
-
-# Run go vet against code
-vet: tidy
-	go vet ./...
+IMG ?= pod-gateway:latest
 
 # Build the docker image
 docker-build:

README.md

@@ -1,6 +1,13 @@
-# template-container-image
+# pod-gateway
 
-Template for k8s-at-home containers. You can use it to as base to create your container.
+This container includes scripts used to route traafic from pods through another gateway pod. Typically
+the gateway pod then runs a openvpn client to forward the traffic.
+
+The connection between the pods is done via a vxlan. The gatway provides a DHCP server to let client
+pods to get automatically an IP.
+
+Ougoing traffic is masqueraded (SNAT). It is also possible to define port forwardind so ports of client
+pods can be reached from the outside.
 
 The [.github](.github) folder will get PRs from this template so you can apply the latest workflows.
 
@@ -13,15 +20,13 @@ You need to create the following secrets (not needed within the k8s-at-home org
 
 ## How to build
 
-1. Build and test local
-    ```bash
-    make
-    ```
-2. Build the container
-    ```bash
-    make docker-build
-    ```
+1. Build the container
+   ```bash
+   make
+   ```
 
-Check the [Makefile] for other build targets
+Testing requires multiple containers - see
+[Helm chart](https://github.com/k8s-at-home/charts/tree/master/charts/stable/pod-gateway-setter)
+and check the [Makefile] for other build targets.
 
 

bin/dnsmasq.sh

@@ -0,0 +1,19 @@
+#!/bin/sh -ex
+
+cat /config/settings.sh
+. /config/settings.sh
+
+#Block default output traffic
+iptables --policy OUTPUT DROP
+
+#create config
+echo "interface=vxlan0
+bind-interfaces
+dhcp-range=${VXLAN_IP_NETWORK}.20,${VXLAN_IP_NETWORK}.200,12h
+server=/local/${DNS_ORG}">>/etc/dnsmasq.conf
+
+#Need to wait until new DNS server in /etc/resolv.conf is setup
+#TBD: find a better way
+sleep 10
+
+exec dnsmasq -k

bin/entry.sh

@@ -0,0 +1,72 @@
+#!/bin/sh -ex
+
+#Load main settings
+cat /config/settings.sh
+. /config/settings.sh
+
+#in re-entry we need to remove the vxlan
+#on first entry set a routing rule to the k8s DNS server
+if ip addr|grep -q vxlan0; then
+  ip link del vxlan0
+fi
+
+
+
+K8S_GW_ROUTE=$(ip route get ${DNS_ORG}|head -1)
+K8S_GW_ROUTE=${K8S_GW_ROUTE%%uid*}
+ip route add $K8S_GW_ROUTE || /bin/true
+
+#Delete default GW to prevent outgoing traffic to leave this docker
+echo "Deleting existing default GWs"
+ip route del 0/0 || /bin/true
+
+
+#After this point nothing should be reachable -> check
+if ping -c 1 -W 1000 8.8.8.8; then
+  echo "WE SHOULD NOT BE ABLE TO PING -> EXIT"
+  exit 255
+fi
+
+#derived settings
+OPENVPN_ROUTER_IP="$(dig +short $OPENVPN_ROUTER_NAME @${DNS_ORG})"
+GW_ORG=$(route |awk '$1=="default"{print $2}')
+NAT_ENTRY="$(grep $(hostname) /config/nat.conf||true)"
+
+#Create tunnel NIC
+ip link add vxlan0 type vxlan id $VXLAN_ID dev eth0 dstport 0 || true
+bridge fdb append to 00:00:00:00:00:00 dst $OPENVPN_ROUTER_IP dev vxlan0
+ip link set up dev vxlan0
+
+#Configure IP and default GW though the VPN docker
+if [ -z "$NAT_ENTRY" ]; then
+  echo "Get dynamic IP"
+  dhclient -cf /config/dhclient.conf vxlan0
+else
+  IP=$(echo $NAT_ENTRY|cut -d' ' -f2)
+  VXLAN_IP="${VXLAN_IP_NETWORK}.${IP}"
+  echo "Use fixed IP $VXLAN_IP"
+  ip addr add $VXLAN_IP/24 dev vxlan0
+  route add default gw $VXLAN_ROUTER_IP
+  echo "nameserver $VXLAN_ROUTER_IP">/etc/resolv.conf.dhclient
+fi
+ping -c1 $VXLAN_ROUTER_IP
+
+#Set DNS
+#route add $DNS_ORG gw $GW_ORG
+cp -av /etc/resolv.conf.dhclient* /etc_shared/resolv.conf
+
+FIRST_BOOT_MARKER=/etc_shared/booted
+if [ ! -e "$FIRST_BOOT_MARKER" ] || [ -n "$FIRST_BOOT" ]; then
+  touch $FIRST_BOOT_MARKER
+  echo "First boot (init container): ending now."
+  exit 0
+else
+  echo "Not first boot: stay on monitoring connection to VPN"
+  while true; do
+    # Sleep while reacting to signals
+    sleep 600 &
+    wait $!
+    #Ping router
+    ping -c1 $VXLAN_ROUTER_IP
+  done
+fi

bin/router.sh

@@ -0,0 +1,59 @@
+#!/bin/sh -ex
+
+cat /config/settings.sh
+. /config/settings.sh
+
+#Create tunnel NIC
+ip link add vxlan0 type vxlan id $VXLAN_ID  dev eth0 dstport 0 || true
+ip addr add ${VXLAN_ROUTER_IP}/24 dev vxlan0 || true
+ip link set up dev vxlan0
+
+#Enable outbound NAT
+iptables -t nat -A POSTROUTING -j MASQUERADE
+
+#Open inbond NAT ports
+while read aLine; do
+  case "$aLine" in
+    \#*) continue;;
+    *) echo Processing: $aLine ;;
+  esac
+  #Skip lines with comments
+  [[ '$aLine' == \#* ]] && continue
+  NAME=$(echo $aLine|cut -d' ' -f1)
+  IP=$(echo $aLine|cut -d' ' -f2)
+  PORTS=$(echo $aLine|cut -d' ' -f3)
+  #Add NAT entries
+  for portStr in $(echo $PORTS|sed 's/,/ /g'); do
+    PORT_TYPE=$(echo $portStr|cut -d':' -f1)
+    PORT_NUMBER=$(echo $portStr|cut -d':' -f2)
+    echo "IP: $IP , NAME: $NAME , PORT: $PORT_NUMBER , TYPE: $PORT_TYPE"
+    iptables -t nat -A PREROUTING -p ${PORT_TYPE} -i tun0 --dport ${PORT_NUMBER} -j DNAT --to-destination ${VXLAN_IP_NETWORK}.${IP}:${PORT_NUMBER}
+    iptables -A FORWARD -p ${PORT_TYPE} -d ${VXLAN_IP_NETWORK}.${IP} --dport ${PORT_NUMBER} -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
+  done
+done </config/nat.conf
+
+#Firewall incomming traffic from VPN
+echo Accept traffic alredy ESTABLISHED
+iptables -A FORWARD -i tun0 -m state --state ESTABLISHED,RELATED -j ACCEPT
+echo "Reject other traffic"
+iptables -A FORWARD -i tun0 -j REJECT
+#iptables -A INPUT -i tun0 -j REJECT
+
+#Do not forward any traffic that does not leave through tun0
+# The openvpn will also add drop rules but this is to ensure we block even if VPN is not connecting
+iptables --policy FORWARD DROP
+iptables -I FORWARD -o tun0 -j ACCEPT
+
+#Do not allow outbound traffic on eth0 beyond VPN and local traffic
+iptables --policy OUTPUT DROP
+iptables -A OUTPUT -p udp --dport 443 -j ACCEPT #VPN traffic over UDP
+iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT #VPN traffic over TCP
+iptables -A OUTPUT -d 10.0.0.0/8  -j ACCEPT
+iptables -A OUTPUT -d 192.168.0.0/16  -j ACCEPT
+iptables -A OUTPUT -o tun0 -j ACCEPT
+iptables -A OUTPUT -o vxlan0 -j ACCEPT
+
+#Routes for local networks
+GW_IP=$(/sbin/ip route | awk '/default/ { print $3 }')
+ip route add 10.0.0.0/8 via ${GW_IP}
+ip route add 192.168.0.0/16 via ${GW_IP}

bin/webhook

@@ -0,0 +1,19 @@
+backoff-cutoff 2;
+initial-interval 1;
+link-timeout 10;
+reboot 0;
+retry 10;
+select-timeout 0;
+timeout 30;
+
+interface "vxlan0"
+ {
+  apend domain-name-servers 10.96.0.1;
+  request subnet-mask,
+          broadcast-address,
+          routers,
+          domain-name-servers;
+  require routers,
+          subnet-mask,
+          domain-name-servers;
+ }

config/dhclient.conf

@@ -0,0 +1,2 @@
+#name IP ports(coma separated)
+#transmission 10 tcp:18289,udp:18289

config/nat.conf

@@ -0,0 +1,6 @@
+#!/bin/sh
+VXLAN_IP_NETWORK="172.16.0"
+DNS_ORG="10.96.0.10"
+VXLAN_ROUTER_IP="${VXLAN_IP_NETWORK}.1"
+VXLAN_ID="42"
+OPENVPN_ROUTER_NAME="openvpn.kube-system.svc.cluster.local"