authorChristian Pointner <equinox@spreadspace.org>2020-06-20 05:20:46 +0200
committerChristian Pointner <equinox@spreadspace.org>2020-06-20 05:20:46 +0200
commitb39c3b91269a8482207863234acc298f623deae6 (patch)
tree21e70e6746bb11bdf8e49a8a125271ed8149a894 /roles/kubernetes/kubeadm/base/templates/net_kubeguard/peer.service.j2
parentkubernetes: move kubeguard/reset to kubeadm/reset (diff)
kubernetes: add node pruning role
Diffstat (limited to 'roles/kubernetes/kubeadm/base/templates/net_kubeguard/peer.service.j2')
-rw-r--r--roles/kubernetes/kubeadm/base/templates/net_kubeguard/peer.service.j237
1 files changed, 37 insertions, 0 deletions
diff --git a/roles/kubernetes/kubeadm/base/templates/net_kubeguard/peer.service.j2 b/roles/kubernetes/kubeadm/base/templates/net_kubeguard/peer.service.j2
new file mode 100644
index 00000000..c9d96a5a
--- /dev/null
+++ b/roles/kubernetes/kubeadm/base/templates/net_kubeguard/peer.service.j2
@@ -0,0 +1,37 @@
+[Unit]
+Description=Kubernetes Network Peer {{ peer }}
+After=network.target
+Requires=kubeguard-interface.service
+After=kubeguard-interface.service
+
+{% set pod_ip_self = kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, kubeguard.node_index[inventory_hostname]) | ipaddr(1) | ipaddr('address') -%}
+{% set pod_net_peer = kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, kubeguard.node_index[peer]) -%}
+{% set direct_zone = kubeguard.direct_net_zones | default({}) | kubeguard_direct_net_zone(inventory_hostname, peer) -%}
+{% if direct_zone %}
+{% set direct_ip = kubeguard.direct_net_zones[direct_zone].transfer_net | ipaddr(kubeguard.node_index[inventory_hostname]) %}
+{% set direct_interface = kubeguard.direct_net_zones[direct_zone].node_interface[inventory_hostname] %}
+{% set direct_ip_peer = kubeguard.direct_net_zones[direct_zone].transfer_net | ipaddr(kubeguard.node_index[peer]) %}
+{% else %}
+{% set tun_ip = kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, 0) | ipaddr(kubeguard.node_index[peer]) -%}
+{% set wg_pubkey = hostvars[peer].kubeguard_wireguard_pubkey.stdout -%}
+{% set wg_host = hostvars[peer].external_ip_cooked | default(hostvars[peer].ansible_default_ipv4.address) -%}
+{% set wg_port = hostvars[peer].kubeguard_wireguard_port | default(51820) -%}
+{% set wg_allowedips = (tun_ip | ipaddr('address')) + "/32," + pod_net_peer %}
+{% endif %}
+[Service]
+Type=oneshot
+{% if direct_zone %}
+ExecStart=/sbin/ip addr add {{ direct_ip }} dev {{ direct_interface }}
+ExecStart=/sbin/ip link set up dev {{ direct_interface }}
+ExecStart=/sbin/ip route add {{ pod_net_peer }} via {{ direct_ip_peer | ipaddr('address') }} src {{ pod_ip_self }}
+ExecStop=/sbin/ip route del {{ pod_net_peer }}
+ExecStop=/sbin/ip link set down dev {{ direct_interface }}
+ExecStop=/sbin/ip addr del {{ direct_ip }} dev {{ direct_interface }}
+{% else %}
+ExecStart=/usr/bin/wg set kubeguard-wg0 peer {{ wg_pubkey }} allowed-ips {{ wg_allowedips }} endpoint {{ wg_host }}:{{ wg_port }} persistent-keepalive 10
+ExecStop=/usr/bin/wg set kubeguard-wg0 peer {{ wg_pubkey }} remove
+{% endif %}
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
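Review bot: In the direct-zone branch the address and link handling is per node, not per peer, yet it lives in a per-peer unit: `direct_ip` (line 32) and `direct_interface` (line 33) are both keyed on `inventory_hostname` only, so if two peers resolve to the same direct zone each instance of this unit runs `ip addr add` for the same address on the same interface, and the second `ExecStart` fails with EEXIST and takes the oneshot unit down. The `ExecStop` lines then down the interface and delete the address for the first peer to stop, leaving any remaining peer's route (line 47) dangling; how many peers share a zone is not visible here, so this may be a non-issue if zones are strictly point-to-point. The cheap mitigation is to make the node-side steps idempotent, `ExecStart=/sbin/ip addr replace {{ direct_ip }} dev {{ direct_interface }}` and `ExecStart=/sbin/ip route replace {{ pod_net_peer }} via {{ direct_ip_peer | ipaddr('address') }} src {{ pod_ip_self }}`, and to drop the link-down/addr-del from `ExecStop` so a peer stopping only removes its own route; the more robust fix is to move address and link setup into a per-zone unit that this one `Requires=`. A one-line header comment such as `# rendered per peer; address/link on {{ direct_interface }} is shared by all peers in zone {{ direct_zone }}` above `[Service]` would also make the coupling visible to whoever next edits the template.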