path: root/roles/kubernetes/kubeadm/base/templates/net_kubeguard/peer.service.j2
{# peer.service.j2 — one systemd unit per remote node ("peer") of the kubeguard
   pod network. The template picks one of two transports for reaching the peer's
   pod subnet: a plain L3 route over a shared "direct-net" transfer network when
   both nodes sit in the same direct_net_zone, otherwise a WireGuard peer entry on
   the kubeguard-wg0 interface. All addresses are derived from kubeguard.node_index
   and the pod range, so every node computes the same plan from the same inventory. #}
[Unit]
Description=Kubernetes Network Peer {{ peer }}
After=network.target
{# Requires= pulls the interface unit in and stops this unit when that one is
   stopped; the second After= orders this unit behind it. The commands below
   assume kubeguard-wg0 (and, in direct-net mode, the zone interface) already
   exist at that point — presumably kubeguard-interface.service creates them. #}
Requires=kubeguard-interface.service
After=kubeguard-interface.service

{# Address 1 of this node's pod subnet (pod_ip_range split into pod_ip_range_size
   blocks and indexed by this node's node_index); used as the "src" of the direct
   route below. #}
{% set pod_ip_self = kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, kubeguard.node_index[inventory_hostname]) | ansible.utils.ipaddr(1) | ansible.utils.ipaddr('address') -%}
{# The peer's pod subnet, carved the same way from the peer's node_index. #}
{% set pod_net_peer = kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, kubeguard.node_index[peer]) -%}
{# Name of a direct_net_zone containing both this node and the peer, as decided
   by the project's kubeguard_direct_net_zone filter; falsy when there is none.
   Every branch below keys off this value. #}
{% set direct_zone = kubeguard.direct_net_zones | default({}) | kubeguard_direct_net_zone(inventory_hostname, peer) -%}
{% if direct_zone %}
{# Direct-net mode: each node's transfer-net address is transfer_net indexed by
   its node_index, and node_interface maps this node to the interface it uses
   for that zone. NOTE(review): direct_ip and direct_interface depend only on
   this node and the zone, not on the peer, so every peer unit for the same zone
   adds the same address on the same interface and removes it again in ExecStop
   — confirm zones are always two-node, or these lines need guarding. #}
{% set direct_ip = kubeguard.direct_net_zones[direct_zone].transfer_net | ansible.utils.ipaddr(kubeguard.node_index[inventory_hostname]) %}
{% set direct_interface = kubeguard.direct_net_zones[direct_zone].node_interface[inventory_hostname] %}
{% set direct_ip_peer = kubeguard.direct_net_zones[direct_zone].transfer_net | ansible.utils.ipaddr(kubeguard.node_index[peer]) %}
{% else %}
{# WireGuard mode. tun_ip is the peer's address inside subnet 0 of the pod range,
   apparently the tunnel-internal address; it is admitted as a /32 only. #}
{% set tun_ip = kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, 0) | ansible.utils.ipaddr(kubeguard.node_index[peer]) -%}
{# The peer's public key is the stdout of a command registered on the peer as
   kubeguard_wireguard_pubkey and is rendered verbatim into ExecStart, so that
   task is expected to yield exactly one key and nothing else. #}
{% set wg_pubkey = hostvars[peer].kubeguard_wireguard_pubkey.stdout -%}
{# Endpoint host: external_ip when the inventory sets one, else the peer's
   default IPv4 address. NOTE(review): an IPv6 external_ip would need brackets
   in the endpoint rendered below — confirm external_ip is always v4. #}
{% set wg_host = hostvars[peer].external_ip | default(hostvars[peer].ansible_default_ipv4.address) -%}
{# 51820 is the conventional WireGuard listen port. #}
{% set wg_port = hostvars[peer].kubeguard_wireguard_port | default(51820) -%}
{# Cryptokey-routing entry for this peer: only its /32 tunnel address and its own
   pod subnet are accepted from / routed to this key, nothing wider. #}
{% set wg_allowedips = (tun_ip | ansible.utils.ipaddr('address')) + "/32," + pod_net_peer %}
{% endif %}
[Service]
{# oneshot + RemainAfterExit=yes (below): the ExecStart commands run once, the
   unit then stays "active", and the ExecStop commands undo them on stop. A
   failing ExecStart (e.g. an address or route that already exists) fails the
   unit, since none of the commands is prefixed with "-". #}
Type=oneshot
{% if direct_zone %}
ExecStart=/sbin/ip addr add {{ direct_ip }} dev {{ direct_interface }}
ExecStart=/sbin/ip link set up dev {{ direct_interface }}
ExecStart=/sbin/ip route add {{ pod_net_peer }} via {{ direct_ip_peer | ansible.utils.ipaddr('address') }} src {{ pod_ip_self }}
ExecStop=/sbin/ip route del {{ pod_net_peer }}
ExecStop=/sbin/ip link set down dev {{ direct_interface }}
ExecStop=/sbin/ip addr del {{ direct_ip }} dev {{ direct_interface }}
{% else %}
{# persistent-keepalive is in seconds; ExecStop drops the peer from the
   interface again. #}
ExecStart=/usr/bin/wg set kubeguard-wg0 peer {{ wg_pubkey }} allowed-ips {{ wg_allowedips }} endpoint {{ wg_host }}:{{ wg_port }} persistent-keepalive 10
ExecStop=/usr/bin/wg set kubeguard-wg0 peer {{ wg_pubkey }} remove
{% endif %}
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target