On Tue, Jun 07, 2022 at 11:02:22PM +0200, darknao wrote:
> On 2022-06-07 21:24, Kevin Fenzi wrote:
> > Hum... that sounds reasonable, but I am not sure what the details would
> > look like. ;( Would that be in openshift-ingress?
>
> Not necessarily. Ideally it would be in its own namespace.
> I've taken a closer look and I think you will need the following:
> - pod running as root: OpenVPN will need that to run correctly (create &
>   manage the tun device).
> - hostNetwork: Needed to create the tun device on the host.
> - access to the host's /dev/net/tun: Also needed to create the tun device.
> - NET_ADMIN capability: Needed to configure the newly created tun device.
>
> All that will require a dedicated ServiceAccount with a new SCC unless we
> run the pod in privileged mode, but I would advise against this.
> Something like: https://paste.centos.org/view/bc095501

Alas, I took too long to get back to this and the paste is gone. ;(

> > > The vpn part itself is pretty simple, just needs the openvpn service, a
> > > small config file and a pub/private/ca cert triplet.
>
> Right. The deployment should look like
> https://paste.centos.org/view/73abc392
> That is just an example (but a working one). That would need some extra
> affinity rules to make it run only on the router node and everything, but
> that should give you an idea.

Another issue I thought of: with openvpn each client has its own set of certs. So each pod needs just the ones for that node...

Would you be willing to work up a PR? I'm kinda out of my depth with this one... Or if not, perhaps davidk would be able to move it forward...

kevin
Attachment:
signature.asc
Description: PGP signature
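[Editor's note: the pastes referenced above have expired, so the following is an added illustration, not the content of either paste and not Fedora Infrastructure's manifest. It shows an OpenShift SCC that grants exactly the four things listed in the quoted message (root, hostNetwork, a hostPath to /dev/net/tun, NET_ADMIN) to a single ServiceAccount, with privileged mode kept off, and a Deployment that consumes it. The namespace and ServiceAccount name `openvpn`, the node label `fedora.infra/router=true`, the image, and the Secret/ConfigMap names are assumptions chosen for the example; the Secret holds only the cert/key/CA for the node the pod is pinned to, matching the "each pod needs just the ones for that node" point. The SELinux side of a hostPath device mount is node-policy dependent and not covered here.]

```yaml
# Added example (assumed names throughout); not the expired paste.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: openvpn-tun
allowPrivilegedContainer: false   # the whole point: no privileged pod
allowHostNetwork: true            # tun device must live in the host netns
allowHostPorts: true              # hostNetwork pods expose their port on the host
allowHostDirVolumePlugin: true    # needed for the /dev/net/tun hostPath below
allowHostPID: false
allowHostIPC: false
allowPrivilegeEscalation: true
allowedCapabilities:
  - NET_ADMIN                     # configure the tun device and routes, nothing more
runAsUser:
  type: RunAsAny                  # OpenVPN runs as root to create/manage the tun
seLinuxContext:
  type: RunAsAny
fsGroup:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
readOnlyRootFilesystem: false
volumes:
  - configMap
  - secret
  - hostPath
  - emptyDir
users:
  - system:serviceaccount:openvpn:openvpn   # only this SA may use the SCC
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: openvpn
  namespace: openvpn
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: openvpn
  namespace: openvpn
spec:
  replicas: 1
  selector:
    matchLabels:
      app: openvpn
  template:
    metadata:
      labels:
        app: openvpn
    spec:
      serviceAccountName: openvpn
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      nodeSelector:
        fedora.infra/router: "true"   # assumed label: pin to the router node
      containers:
        - name: openvpn
          image: quay.io/example/openvpn:latest   # assumed image
          args: ["--config", "/etc/openvpn/conf/server.conf"]
          securityContext:
            privileged: false
            runAsUser: 0
            capabilities:
              drop: ["ALL"]        # start from nothing...
              add: ["NET_ADMIN"]   # ...and add back only what the tun needs
          volumeMounts:
            - name: tun
              mountPath: /dev/net/tun
            - name: config
              mountPath: /etc/openvpn/conf
              readOnly: true
            - name: certs
              mountPath: /etc/openvpn/pki
              readOnly: true
      volumes:
        - name: tun
          hostPath:
            path: /dev/net/tun
            type: CharDevice       # fail fast if the node has no tun device
        - name: config
          configMap:
            name: openvpn-config   # server.conf
        - name: certs
          secret:
            name: openvpn-certs    # this node's cert, key and CA only
```

Applying the SCC requires cluster-admin; everything else lives in the `openvpn` namespace. `oc get pod -n openvpn -o yaml` should show `openshift.io/scc: openvpn-tun` in the pod annotations once the SA is bound; if it shows `privileged` or admission rejects the pod, the SA is picking up the wrong SCC or the SCC is missing one of the four grants above.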
_______________________________________________
infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure