
Commit d7dad5d

fra98cheina97
authored and committed
Add dedicated WG server template for legacy NLB on EKS
1 parent 26e7010 commit d7dad5d


3 files changed

+253
-6
lines changed

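--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,247 @@
+{{- $templateConfig := (merge (dict "name" "wireguard-server" "module" "networking" "isGwTemplate" true) .) -}}
+{{- $gatewayConfig := (merge (dict "name" "gateway" "module" "networking" "version" .Values.networking.gatewayTemplates.container.gateway.image.version) .) -}}
+{{- $wireguardConfig := (merge (dict "name" "gateway-wireguard" "module" "networking" "version" .Values.networking.gatewayTemplates.container.wireguard.image.version) .) -}}
+{{- $geneveConfig := (merge (dict "name" "gateway-geneve" "module" "networking" "version" .Values.networking.gatewayTemplates.container.geneve.image.version) .) -}}
+
+{{- if .Values.networking.enabled }}
+
+apiVersion: networking.liqo.io/v1beta1
+kind: WgGatewayServerTemplate
+metadata:
+name: {{ $templateConfig.name }}-eks-nlb
+labels:
+{{- include "liqo.labels" $templateConfig | nindent 4 }}
+spec:
+objectKind:
+apiVersion: networking.liqo.io/v1beta1
+kind: WgGatewayServer
+template:
+metadata:
+{{- include "liqo.metadataTemplate" $templateConfig | nindent 6 }}
+spec:
+secretRef:
+name: "{{"{{ .Spec.SecretRef.Name }}"}}"
+service:
+metadata:
+{{- include "liqo.metadataTemplate" $templateConfig | nindent 10 }}
+{{- if .Values.networking.gatewayTemplates.server.service.annotations }}
+annotations:
+{{- toYaml .Values.networking.gatewayTemplates.server.service.annotations | nindent 12 }}
+service.beta.kubernetes.io/aws-load-balancer-type: nlb
+service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
+{{- end }}
+spec:
+selector:
+{{- include "liqo.selectorTemplate" (merge (dict "isService" true) $templateConfig) | nindent 12 }}
+type: "{{"{{ .Spec.Endpoint.ServiceType }}"}}"
+?loadBalancerIP: "{{"{{ .Spec.Endpoint.LoadBalancerIP }}"}}"
+ports:
+- port: "{{"{{ .Spec.Endpoint.Port }}"}}"
+protocol: UDP
+targetPort: "{{"{{ .Spec.Endpoint.Port }}"}}"
+?nodePort: "{{"{{ .Spec.Endpoint.NodePort }}"}}"
+{{- if .Values.networking.gatewayTemplates.server.service.allocateLoadBalancerNodePorts }}
+allocateLoadBalancerNodePorts: {{ .Values.networking.gatewayTemplates.server.service.allocateLoadBalancerNodePorts }}
+{{- end }}
+deployment:
+metadata:
+{{- include "liqo.metadataTemplate" $templateConfig | nindent 10 }}
+spec:
+replicas: {{ .Values.networking.gatewayTemplates.replicas }}
+strategy:
+type: Recreate
+selector:
+matchLabels:
+{{- include "liqo.selectorTemplate" $templateConfig | nindent 14 }}
+template:
+metadata:
+{{- include "liqo.metadataTemplate" $templateConfig | nindent 14 }}
+spec:
+serviceAccount: "{{"{{ .Name }}"}}"
+serviceAccountName: "{{"{{ .Name }}"}}"
+{{- include "liqo.imagePullSecrets" . | nindent 14 }}
+{{- if .Values.networking.gatewayTemplates.pod.tolerations }}
+tolerations:
+{{- toYaml .Values.networking.gatewayTemplates.pod.tolerations | nindent 14 }}
+{{- end }}
+containers:
+- name: gateway
+image: {{ .Values.networking.gatewayTemplates.container.gateway.image.name }}{{ include "liqo.suffix" $gatewayConfig }}:{{ include "liqo.version" $gatewayConfig }}
+imagePullPolicy: {{ .Values.pullPolicy }}
+args:
+- --name={{"{{ .Name }}"}}
+- --namespace={{"{{ .Namespace }}"}}
+- --remote-cluster-id={{"{{ .ClusterID }}"}}
+- --node-name={{"$(NODE_NAME)"}}
+- --pod-name={{"$(POD_NAME)"}}
+- --gateway-uid={{"{{ .GatewayUID }}"}}
+- --mode=server
+- --container-name=gateway
+- --concurrent-containers-names=wireguard,geneve
+{{- if .Values.common.globalAnnotations }}
+{{- $d := dict "commandName" "--global-annotations" "dictionary" .Values.common.globalAnnotations -}}
+{{- include "liqo.concatenateMap" $d | nindent 16 }}
+{{- end }}
+{{- if .Values.common.globalLabels }}
+{{- $d := dict "commandName" "--global-labels" "dictionary" .Values.common.globalLabels -}}
+{{- include "liqo.concatenateMap" $d | nindent 16 }}
+{{- end }}
+{{- if .Values.metrics.enabled }}
+- --metrics-address=:8082
+{{- end }}
+- --health-probe-bind-address=:8083
+- --ping-enabled=true
+- --ping-loss-threshold={{ .Values.networking.gatewayTemplates.ping.lossThreshold }}
+- --ping-interval={{ .Values.networking.gatewayTemplates.ping.interval }}
+- --ping-update-status-interval={{ .Values.networking.gatewayTemplates.ping.updateStatusInterval }}
+{{- if gt (int .Values.networking.gatewayTemplates.replicas) 1 }}
+- --leader-election=true
+{{- else }}
+- --leader-election=false
+{{- end }}
+{{- if not .Values.requirements.kernel.enabled }}
+- --disable-kernel-version-check
+{{- end }}
+- --enable-nft-monitor={{ .Values.networking.gatewayTemplates.nftablesMonitor }}
+- --enable-route-monitor={{ .Values.networking.gatewayTemplates.routeMonitor }}
+volumeMounts:
+- name: ipc
+mountPath: /ipc
+ports:
+{{- if .Values.metrics.enabled }}
+- containerPort: 8082
+name: gw-metrics
+{{- end }}
+- containerPort: 8083
+name: healthz
+# ATTENTION: uncomment the readinessProbe section if you are aware of the consequences.
+# If you have more replicas of the same gateway, the passive ones will not reach the ready state.
+#readinessProbe:
+# httpGet:
+# path: /readyz
+# port: healthz
+env:
+- name: NODE_NAME
+valueFrom:
+fieldRef:
+fieldPath: spec.nodeName
+- name: POD_NAME
+valueFrom:
+fieldRef:
+fieldPath: metadata.name
+securityContext:
+privileged: true
+capabilities:
+add:
+- NET_ADMIN
+- NET_RAW
+- name: wireguard
+image: {{ .Values.networking.gatewayTemplates.container.wireguard.image.name }}{{ include "liqo.suffix" $wireguardConfig }}:{{ include "liqo.version" $wireguardConfig }}
+imagePullPolicy: {{ .Values.pullPolicy }}
+args:
+- --name={{"{{ .Name }}"}}
+- --namespace={{"{{ .Namespace }}"}}
+- --remote-cluster-id={{"{{ .ClusterID }}"}}
+- --gateway-uid={{"{{ .GatewayUID }}"}}
+- --mode=server
+- --container-name=wireguard
+- --mtu={{"{{ .Spec.MTU }}"}}
+- --listen-port={{"{{ .Spec.Endpoint.Port }}"}}
+{{- if .Values.metrics.enabled }}
+- --metrics-address=:8084
+{{- end }}
+- --health-probe-bind-address=:8085
+{{- if gt (int .Values.networking.gatewayTemplates.replicas) 1 }}
+- --leader-election=true
+{{- else }}
+- --leader-election=false
+{{- end }}
+- --implementation={{ .Values.networking.gatewayTemplates.wireguard.implementation }}
+ports:
+{{- if .Values.metrics.enabled }}
+- containerPort: 8084
+name: wg-metrics
+{{- end }}
+- containerPort: 8085
+name: healthz
+# ATTENTION: uncomment the readinessProbe section if you are aware of the consequences.
+# If you have more replicas of the same gateway, the passive ones will not reach the ready state.
+#readinessProbe:
+# httpGet:
+# path: /readyz
+# port: healthz
+securityContext:
+capabilities:
+add:
+- NET_ADMIN
+- NET_RAW
+{{ if .Values.networking.gatewayTemplates.wireguard.implementation | eq "userspace" }}
+privileged: true
+{{ end }}
+volumeMounts:
+- name: ipc
+mountPath: /ipc
+- name: wireguard-config
+mountPath: /etc/wireguard/keys
+- name: geneve
+image: {{ .Values.networking.gatewayTemplates.container.geneve.image.name }}{{ include "liqo.suffix" $geneveConfig }}:{{ include "liqo.version" $geneveConfig }}
+imagePullPolicy: {{ .Values.pullPolicy }}
+args:
+- --name={{"{{ .Name }}"}}
+- --namespace={{"{{ .Namespace }}"}}
+- --remote-cluster-id={{"{{ .ClusterID }}"}}
+- --node-name={{"$(NODE_NAME)"}}
+- --pod-name={{"$(POD_NAME)"}}
+- --gateway-uid={{"{{ .GatewayUID }}"}}
+- --mode=server
+- --container-name=geneve
+- --geneve-port={{ .Values.networking.genevePort }}
+{{- if .Values.metrics.enabled }}
+- --metrics-address=:8086
+{{- end }}
+- --health-probe-bind-address=:8087
+{{- if gt (int .Values.networking.gatewayTemplates.replicas) 1 }}
+- --leader-election=true
+{{- else }}
+- --leader-election=false
+{{- end }}
+volumeMounts:
+- name: ipc
+mountPath: /ipc
+ports:
+{{- if .Values.metrics.enabled }}
+- containerPort: 8086
+name: gv-metrics
+{{- end }}
+- containerPort: 8087
+name: healthz
+# ATTENTION: uncomment the readinessProbe section if you are aware of the consequences.
+# If you have more replicas of the same gateway, the passive ones will not reach the ready state.
+#readinessProbe:
+# httpGet:
+# path: /readyz
+# port: healthz
+env:
+- name: NODE_NAME
+valueFrom:
+fieldRef:
+fieldPath: spec.nodeName
+- name: POD_NAME
+valueFrom:
+fieldRef:
+fieldPath: metadata.name
+securityContext:
+capabilities:
+add:
+- NET_ADMIN
+- NET_RAW
+{{- if .Values.networking.gatewayTemplates.pod.priorityClassName }}
+priorityClassName: {{ .Values.networking.gatewayTemplates.pod.priorityClassName }}
+{{- end }}
+volumes:
+- name: wireguard-config
+secret:
+secretName: "{{"{{ .SecretName }}"}}"
+- name: ipc
+emptyDir: {}
+{{- end }}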
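Review bot: The two NLB annotations on new-file lines 30–31 sit inside the `{{- if .Values.networking.gatewayTemplates.server.service.annotations }}` guard opened on line 27, so with default values (no user-supplied annotations) this template renders a Service carrying neither `aws-load-balancer-type: nlb` nor `aws-load-balancer-scheme: internet-facing`, and the cluster's load-balancer controller presumably falls back to its default type rather than the NLB this template exists to request. The fixed annotations should be emitted unconditionally, with the user map merged in; building the map once with `merge` also avoids writing the same key twice when a user sets one of these annotations themselves (duplicate mapping keys are rejected by some YAML parsers and silently last-wins in others), and Sprig's `merge` keeps the first argument's values on conflict, so the template's NLB settings cannot be overridden by accident. Because `internet-facing` is hard-coded, a comment above the map such as `# This template always publishes the WireGuard endpoint on an internet-facing NLB; use the generic template for internal schemes.` would make the exposure choice visible to operators. The rendered page strips leading whitespace, so the indentation below is reconstructed from the surrounding `nindent` values.
```yaml
        metadata:
          {{- include "liqo.metadataTemplate" $templateConfig | nindent 10 }}
          {{- $nlbAnnotations := dict
                "service.beta.kubernetes.io/aws-load-balancer-type" "nlb"
                "service.beta.kubernetes.io/aws-load-balancer-scheme" "internet-facing" }}
          annotations:
            {{- toYaml (merge $nlbAnnotations (.Values.networking.gatewayTemplates.server.service.annotations | default dict)) | nindent 12 }}
        # … unchanged: service spec, deployment …
```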

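--- a/deployments/liqo/templates/liqo-wireguard-gateway-server-template-eks.yaml
+++ b/deployments/liqo/templates/liqo-wireguard-gateway-server-template-eks.yaml
@@ -3,12 +3,12 @@
 {{- $wireguardConfig := (merge (dict "name" "gateway-wireguard" "module" "networking" "version" .Values.networking.gatewayTemplates.container.wireguard.image.version) .) -}}
 {{- $geneveConfig := (merge (dict "name" "gateway-geneve" "module" "networking" "version" .Values.networking.gatewayTemplates.container.geneve.image.version) .) -}}
 
-{{- if and .Values.networking.enabled .Values.authentication.awsConfig.accessKeyId }}
+{{- if .Values.networking.enabled }}
 
 apiVersion: networking.liqo.io/v1beta1
 kind: WgGatewayServerTemplate
 metadata:
-name: {{ $templateConfig.name }}
+name: {{ $templateConfig.name }}-eks-external
 labels:
 {{- include "liqo.labels" $templateConfig | nindent 4 }}
 spec:
@@ -212,8 +212,8 @@ spec:
 {{- else }}
 - --leader-election=false
 {{- end }}
-volumeMounts:
-- name: ipc
+volumeMounts:
+- name: ipc
 mountPath: /ipc
 ports:
 {{- if .Values.metrics.enabled }}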
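Review bot: Dropping the `.Values.authentication.awsConfig.accessKeyId` guard on line 6 (the base template's hunk in `liqo-wireguard-gateway-server-template.yaml` makes the mirror change) means the EKS variant and the generic template are now both rendered on every cluster, and the rename on line 11 to `{{ $templateConfig.name }}-eks-external` becomes the only thing that tells them apart. Whatever previously obtained the EKS variant automatically under the plain `wireguard-server` name — presumably a template reference elsewhere in the chart — will now receive the generic template unless it is explicitly pointed at the `-eks-external` name, and this commit touches no values or documentation for that opt-in, so the consumer should be confirmed and the new selection model stated where operators will see it. A header comment on this file such as `# Rendered on every cluster alongside the generic template; select it by name (<name>-eks-external) in the gateway server template reference.` would make that explicit. The second hunk (`volumeMounts` / `- name: ipc`) reads as whitespace-only here because the rendered page strips indentation.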

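--- a/deployments/liqo/templates/liqo-wireguard-gateway-server-template.yaml
+++ b/deployments/liqo/templates/liqo-wireguard-gateway-server-template.yaml
@@ -3,12 +3,12 @@
 {{- $wireguardConfig := (merge (dict "name" "gateway-wireguard" "module" "networking" "version" .Values.networking.gatewayTemplates.container.wireguard.image.version) .) -}}
 {{- $geneveConfig := (merge (dict "name" "gateway-geneve" "module" "networking" "version" .Values.networking.gatewayTemplates.container.geneve.image.version) .) -}}
 
-{{- if and .Values.networking.enabled (not .Values.authentication.awsConfig.accessKeyId) }}
+{{- if .Values.networking.enabled }}
 
 apiVersion: networking.liqo.io/v1beta1
 kind: WgGatewayServerTemplate
 metadata:
-name: {{ $templateConfig.name }}
+name: {{ $templateConfig.name }}
 labels:
 {{- include "liqo.labels" $templateConfig | nindent 4 }}
 spec: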
