openvpn-helm

This is a fork of https://github.com/helm/charts/blob/master/stable/openvpn/ which was archived/deprecated on Nov 13, 2020.


Helm chart for OpenVPN

This chart installs an OpenVPN server inside a Kubernetes cluster. New certificates are generated on install, and a script is provided to generate client keys as needed. The chart automatically configures DNS to use kube-dns and routes all network traffic to Kubernetes pods and services through the VPN. By connecting to this VPN, a host is effectively inside the cluster's network.

Usage

```bash
helm repo add stable http://storage.googleapis.com/kubernetes-charts
helm install stable/openvpn
```

Wait for the external load balancer IP to become available. Check service status via `kubectl get svc`.

Please be aware that certificate generation time is variable and may take some time (minutes). Check pod status, replacing `HELM_RELEASE` with the name of your release, via:

```bash
POD_NAME=$(kubectl get pods -l "app=openvpn,release=$HELM_RELEASE" -o jsonpath='{.items[0].metadata.name}') \
&& kubectl logs "$POD_NAME" --follow
```

When all components of the openvpn chart have started, use the following script to generate a client key:

```bash
#!/bin/bash
set -euo pipefail

if [ $# -ne 3 ]
then
  echo "Usage: $0 <CLIENT_KEY_NAME> <NAMESPACE> <HELM_RELEASE>"
  exit 1
fi

KEY_NAME=$1
NAMESPACE=$2
HELM_RELEASE=$3
# Locate the OpenVPN pod and its service through the chart's labels.
POD_NAME=$(kubectl get pods -n "$NAMESPACE" -l "app=openvpn,release=$HELM_RELEASE" -o jsonpath='{.items[0].metadata.name}')
SERVICE_NAME=$(kubectl get svc -n "$NAMESPACE" -l "app=openvpn,release=$HELM_RELEASE" -o jsonpath='{.items[0].metadata.name}')
# External address of the load balancer; it is written into the client profile as the server to connect to.
SERVICE_IP=$(kubectl get svc -n "$NAMESPACE" "$SERVICE_NAME" -o go-template='{{range $k, $v := (index .status.loadBalancer.ingress 0)}}{{$v}}{{end}}')
# Generate the client certificate inside the pod ("--" separates kubectl's flags from the command).
kubectl -n "$NAMESPACE" exec -it "$POD_NAME" -- /etc/openvpn/setup/newClientCert.sh "$KEY_NAME" "$SERVICE_IP"
# Copy the profile out without a TTY (-t would mangle line endings); it embeds the client's
# private key, so restrict the file's permissions before writing it.
umask 077
kubectl -n "$NAMESPACE" exec "$POD_NAME" -- cat "/etc/openvpn/pki/$KEY_NAME.ovpn" > "$KEY_NAME.ovpn"
```

To revoke a client certificate later:

```bash
#!/bin/bash
set -euo pipefail

if [ $# -ne 3 ]
then
  echo "Usage: $0 <CLIENT_KEY_NAME> <NAMESPACE> <HELM_RELEASE>"
  exit 1
fi

KEY_NAME=$1
NAMESPACE=$2
HELM_RELEASE=$3
# Locate the OpenVPN pod through the chart's labels.
POD_NAME=$(kubectl get pods -n "$NAMESPACE" -l "app=openvpn,release=$HELM_RELEASE" -o jsonpath='{.items[0].metadata.name}')
# Revoke the named client certificate inside the pod ("--" separates kubectl's flags from the command).
kubectl -n "$NAMESPACE" exec -it "$POD_NAME" -- /etc/openvpn/setup/revokeClientCert.sh "$KEY_NAME"
```

Be sure to change `KEY_NAME` when generating additional keys. Import the .ovpn file into your favorite OpenVPN client (such as Tunnelblick) and verify connectivity.

Configuration

The following table lists the configurable parameters of the `openvpn` chart and their default values; each can be overridden with the helm `--set` flag.

| Parameter | Description | Default |
|---|---|---|
| replicaCount | amount of parallel openvpn replicas to be started | 1 |
| updateStrategy | update strategy for deployment | {} |
| image.repository | openvpn image repository | kylemanna/openvpn |
| image.tag | openvpn image tag | 2.4 |
| image.pullPolicy | Image pull policy | IfNotPresent |
| imagePullSecretName | Docker registry pull secret name | |
| service.type | k8s service type exposing ports, e.g. NodePort | LoadBalancer |
| service.externalPort | TCP port reported when creating configuration files | 443 |
| service.internalPort | TCP port on which the service works | 443 |
| service.hostPort | Expose openvpn directly using host port | nil |
| service.nodePort | NodePort value if service.type is NodePort | nil (auto-assigned) |
| service.clusterIP | clusterIP value if service.type is ClusterIP | nil |
| service.externalIPs | External IPs to listen on | [] |
| resources.requests.cpu | OpenVPN cpu request | 300m |
| resources.requests.memory | OpenVPN memory request | 128Mi |
| resources.limits.cpu | OpenVPN cpu limit | 300m |
| resources.limits.memory | OpenVPN memory limit | 128Mi |
| readinessProbe.initialDelaySeconds | Time to wait to start first probe | 5 |
| readinessProbe.periodSeconds | Interval of readiness probe | 5 |
| readinessProbe.successThreshold | Minimum consecutive successes for probe to be considered healthy | 2 |
| persistence.enabled | Use a PVC to persist configuration | true |
| persistence.subPath | Subdirectory of the volume to mount at | nil |
| persistence.existingClaim | Provide an existing PersistentVolumeClaim | nil |
| persistence.storageClass | Storage class of backing PVC | nil |
| persistence.accessMode | Use volume as ReadOnly or ReadWrite | ReadWriteOnce |
| persistence.size | Size of data volume | 2M |
| podAnnotations | Key-value pairs to add as pod annotations | {} |
| openvpn.OVPN_NETWORK | Network allocated for openvpn clients | 10.240.0.0 |
| openvpn.OVPN_SUBNET | Network subnet allocated for openvpn | 255.255.0.0 |
| openvpn.OVPN_PROTO | Protocol used by openvpn, tcp or udp | tcp |
| openvpn.OVPN_K8S_POD_NETWORK | Kubernetes pod network (optional) | 10.0.0.0 |
| openvpn.OVPN_K8S_POD_SUBNET | Kubernetes pod network subnet (optional) | 255.0.0.0 |
| openvpn.OVPN_K8S_SVC_NETWORK | Kubernetes service network (optional) | nil |
| openvpn.OVPN_K8S_SVC_SUBNET | Kubernetes service network subnet (optional) | nil |
| openvpn.DEFAULT_ROUTE_ENABLED | Push a route which openvpn sets by default | true |
| openvpn.dhcpOptionDomain | Push a dhcp-option DOMAIN config | true |
| openvpn.serverConf | Lines appended to the end of the server configuration file (optional) | nil |
| openvpn.clientConf | Lines appended into the client configuration file (optional) | nil |
| openvpn.redirectGateway | Redirect all client traffic through VPN | true |
| openvpn.useCrl | Use/generate a certificate revocation list (crl.pem) | false |
| openvpn.taKey | Use/generate a ta.key file for hardening security | false |
| openvpn.cipher | Override the default cipher | nil (OpenVPN default) |
| openvpn.istio.enabled | Enables istio support for openvpn clients | false |
| openvpn.istio.proxy.port | Istio proxy port | 15001 |
| openvpn.iptablesExtra | Custom iptables rules for clients | [] |
| openvpn.ccd.enabled | Enable creation and mounting of CCD config | false |
| openvpn.ccd.config | CCD configuration (see below) | {} |
| nodeSelector | Node labels for pod assignment | {} |
| tolerations | Tolerations for node taints | [] |
| ipForwardInitContainer | Add privileged init container to enable IPv4 forwarding | false |

This chart is engineered to use kube-dns and to route all network traffic to Kubernetes pods and services through the VPN. To disable this behaviour, set `openvpn.OVPN_K8S_POD_NETWORK` and `openvpn.OVPN_K8S_POD_SUBNET` to null.
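As an added example (not part of the chart's own documentation), a values file that turns on the hardening options from the table above; the client pool, the pod and service ranges and the cipher name are illustrative assumptions to adapt to your cluster:

```yaml
# values-hardened.yaml (added example, not shipped with the chart).
service:
  type: LoadBalancer
  externalPort: 443   # port written into generated client profiles
  internalPort: 443

openvpn:
  OVPN_PROTO: tcp
  # Address pool handed to VPN clients (assumed value for this example).
  OVPN_NETWORK: 10.240.0.0
  OVPN_SUBNET: 255.255.0.0
  # Push routes only for the cluster's pod and service networks (assumed ranges);
  # with redirectGateway false the rest of the client's traffic stays off the cluster.
  OVPN_K8S_POD_NETWORK: 10.0.0.0
  OVPN_K8S_POD_SUBNET: 255.0.0.0
  OVPN_K8S_SVC_NETWORK: 10.96.0.0
  OVPN_K8S_SVC_SUBNET: 255.240.0.0
  redirectGateway: false
  # tls-auth key: control-channel packets without a valid HMAC are dropped before
  # the TLS handshake, so unauthenticated peers never reach the TLS stack.
  taKey: true
  # Without a CRL the server keeps accepting certificates that
  # revokeClientCert.sh has already revoked.
  useCrl: true
  # Override the image's default cipher with an AEAD cipher (illustrative choice).
  cipher: AES-256-GCM

# Keep the PKI (CA, issued certificates and crl.pem) on a PVC; without persistence
# it lives only inside the pod and is lost on restart.
persistence:
  enabled: true
  size: 2M
```

Apply it with `helm upgrade --install <release> stable/openvpn -f values-hardened.yaml`, replacing `<release>` with your release name.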

Issues