Re: ocp4 and ipv6


On 2022-06-07 21:24, Kevin Fenzi wrote:
> Hum... that sounds reasonable, but I am not sure what the details would
> look like. ;( Would that be in openshift-ingress?

Not necessarily. Ideally it would be in its own namespace.
I've taken a closer look and I think you will need the following:
- pod running as root: OpenVPN will need that to run correctly (create & manage the tun device).
- hostNetwork: Needed to create the tun device on the host.
- access to the host's /dev/net/tun: Also needed to create the tun device.
- NET_ADMIN capability: Needed to configure the newly created tun device.

All that will require a dedicated ServiceAccount with a new SCC unless we run the pod
in privileged mode, but I would advise against this.
Something like: https://paste.centos.org/view/bc095501


> The vpn part itself is pretty simple, just needs the openvpn service, a
> small config file and a pub/private/ca cert triplet.


Right. The deployment should look like https://paste.centos.org/view/73abc392 That is just an example (but a working one). That would need some extra affinity rules to make it run only on the router node and everything, but that should give you an idea.
_______________________________________________
infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx