Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make VPN Network configurable #78

Merged
merged 7 commits into from
Apr 9, 2024
Merged

Make VPN Network configurable #78

merged 7 commits into from
Apr 9, 2024

Conversation

timebertt
Copy link
Member

@timebertt timebertt commented Apr 5, 2024
edited
Loading

What this PR does / why we need it:

This PR introduces the VPN_NETWORK env var in both seed-server and shoot-client that allows configuring a custom VPN CIDR.
If unset, it defaults to the current hard-coded values (192.168.123.0/24 and fd8f:6d53:b97a:1::/120 respectively).

This PR introduces some changes to both the seed-server and the shoot-client components to fulfill these requirements.

Which issue(s) this PR fixes:

Part of gardener/gardener#8987

Special notes for your reviewer:

The PR builds upon #64. It rebases the existing commits and adds a few more commits to address the remaining issues.

Images for testing:

  • ghcr.io/timebertt/dev-images/vpn-seed-server:0.23.0-31-g96cad9e
  • ghcr.io/timebertt/dev-images/vpn-shoot-client:0.23.0-31-g96cad9e

TODOs:

  • verify this change without configuring VPN_NETWORK (backward-compatibility): must result in the same VPN configs, IP addresses, and routes
    • IPv4 non-HA
    • IPv4 HA
    • IPv6 (IPv6 setup in g/g is currently broken)
  • verify this change with a non-default VPN_NETWORK (manually configured)
    • IPv4 non-HA
    • IPv4 HA
    • IPv6 (IPv6 setup in g/g is currently broken)

Release note:

The VPN components now support configuring a custom VPN network using the `VPN_NETWORK` environment variable.
The `IP_BASE` environment variable in `acquire-ip` (part of `vpn-shoot-client`) is dropped in favor of the `VPN_NETWORK` environment variable.

SimonKienzler and others added 7 commits April 5, 2024 10:09
@SimonKienzler @timebertt
Add support for VPN_NETWORK env var in seed-server component
55441f3
@SimonKienzler @timebertt
Add support for VPN_NETWORK env var in shoot-client component
9444c09
@SimonKienzler @timebertt
Fix defaults for IPv4 and IPv6
63d5df6
@timebertt
seed-server: make IPv4 the first case
896ca73 
Previously we checked for `IP_FAMILIES==IPv4` so we shouldn't switch to checking `IP_FAMILIES==IPv6` in if/else, which is different.
This commit goes back to the previous `IP_FAMILIES=IPv4` check but keeps the inverted logic of first checking the IP family and then the HA config.

It also simplifies calculation of the first three VPN network octets.
@timebertt
seed-server: verify that IPv6 VPN net has expected size
8693042
@timebertt
shoot-client: verify that IPv6 VPN net has expected size
46d05c4 
It also simplifies calculation of the first three VPN network octets.
@timebertt
shoot-client: handle VPN_NETWORK in acquire-ip
96cad9e 
It removes the `IP_BASE` env var in favor of `VPN_NETWORK`.
The `IP_BASE` env var was not set in this repo or in gardener/gardener.
Hence, it is dropped so that no duplicated configuration is needed.
@gardener-robot gardener-robot added the needs/review Needs review label Apr 5, 2024
@gardener-robot-ci-2
Copy link
Contributor

Thank you @timebertt for your contribution. Before I can start building your PR, a member of the organization must set the required label(s) {'reviewed/ok-to-test'}. Once started, you can check the build status in the PR checks section below.

@gardener-robot
Copy link

@timebertt Thank you for your contribution.

@gardener-robot gardener-robot added the size/m Size of pull request is medium (see gardener-robot robot/bots/size.py) label Apr 5, 2024
This was referenced Apr 5, 2024
Closed
Closed
@timebertt
Copy link
Member Author

@axel7born I finished verifying this PR as far as I could in a local setup (see PR description for the cases I tested).
To me, it seemed like everything was working perfectly fine.
Can you kindly take another look? :)

Next, I will finish gardener/gardener#8991, which requires this PR and a release including it.
As I manually verified non-default VPN CIDRS using the VPN_NETWORK already, I'm confident that this PR fulfills the requirements for making things work in g/g e2e :)

@gardener-robot
Copy link

@axel7born, @DockToFuture, @ScheererJ, @marwinski You have pull request review open invite, please check

@axel7born
Copy link
Collaborator

/assign

@axel7born
Copy link
Collaborator

/ok-to-test

@gardener-robot gardener-robot added the needs/ok-to-test Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Apr 9, 2024
@axel7born axel7born added reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed needs/ok-to-test Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Apr 9, 2024
@gardener-robot-ci-3 gardener-robot-ci-3 added needs/ok-to-test Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD) and removed reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) labels Apr 9, 2024
@axel7born
Copy link
Collaborator

/lgtm
I tested with the extensions setup, ipv4 and ipv4 HA.
I also tested in the local ipv6 only setup with the g/g fix

@gardener-robot gardener-robot added reviewed/lgtm Has approval for merging and removed needs/review Needs review labels Apr 9, 2024
@gardener-robot-ci-1 gardener-robot-ci-1 added the reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) label Apr 9, 2024
@axel7born axel7born merged commit 17369d6 into gardener:master Apr 9, 2024
7 checks passed
@gardener-robot gardener-robot added the status/closed Issue is closed (either delivered or triaged) label Apr 9, 2024
@timebertt timebertt deleted the configurable-vpn-network branch April 9, 2024 17:44
@timebertt timebertt mentioned this pull request Apr 16, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@axel7born axel7born axel7born approved these changes

@DockToFuture DockToFuture Awaiting requested review from DockToFuture DockToFuture is a code owner

@marwinski marwinski Awaiting requested review from marwinski marwinski is a code owner

@ScheererJ ScheererJ Awaiting requested review from ScheererJ ScheererJ is a code owner

Assignees

@axel7born axel7born

Labels
needs/ok-to-test Needs approval for testing (check PR in detail before setting this label because PR is run on CI/CD) reviewed/lgtm Has approval for merging reviewed/ok-to-test Has approval for testing (check PR in detail before setting this label because PR is run on CI/CD) size/m Size of pull request is medium (see gardener-robot robot/bots/size.py) status/closed Issue is closed (either delivered or triaged)
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@timebertt @gardener-robot-ci-2 @gardener-robot @axel7born @gardener-robot-ci-1 @gardener-robot-ci-3 @SimonKienzler