blob: 54251caf23fa79f4c4acec9f97511056ae65c5a8 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
|
[Unit]
Description=Kubernetes Network Peer {{ peer }}
After=network.target
Requires=kubeguard-interfaces.service
After=kubeguard-interfaces.service
{% set pod_net_peer = kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, kubernetes.net_index[peer]) -%}
{% set direct_zone = kubernetes.direct_net_zones | direct_net_zone(inventory_hostname, peer) -%}
{% if direct_zone %}
{% set direct_ip = kubernetes.direct_net_zones[direct_zone].transfer_net | ipaddr(kubernetes.net_index[inventory_hostname]) %}
{% set direct_interface = kubernetes.direct_net_zones[direct_zone].node_interface[inventory_hostname] %}
{% set direct_ip_peer = kubernetes.direct_net_zones[direct_zone].transfer_net | ipaddr(kubernetes.net_index[peer]) %}
{% else %}
{% set tun_ip = kubernetes.pod_ip_range | ipsubnet(kubernetes.pod_ip_range_size, 0) | ipaddr(kubernetes.net_index[peer]) -%}
{% set wg_pubkey = hostvars[peer].kubeguard_wireguard_pubkey.stdout -%}
{% set wg_host = hostvars[peer].external_ip | default(hostvars[peer].ansible_default_ipv4.address) -%}
{% set wg_port = hostvars[peer].kubeguard_wireguard_port -%}
{% set wg_allowedips = (tun_ip | ipaddr('address')) + "/32," + pod_net_peer %}
{% endif %}
[Service]
Type=oneshot
{% if direct_zone %}
ExecStart=/sbin/ip addr add {{ direct_ip }} dev {{ direct_interface }}
ExecStart=/sbin/ip link set up dev {{ direct_interface }}
ExecStart=/sbin/ip route add {{ pod_net_peer }} via {{ direct_ip_peer | ipaddr('address') }}
ExecStop=/sbin/ip route del {{ pod_net_peer }}
ExecStop=/sbin/ip link set down dev {{ direct_interface }}
ExecStop=/sbin/ip addr del {{ direct_ip }} dev {{ direct_interface }}
{% else %}
ExecStart=/usr/bin/wg set kube-wg0 peer {{ wg_pubkey }} allowed-ips {{ wg_allowedips }} endpoint {{ wg_host }}:{{ wg_port }} persistent-keepalive 10
ExecStop=/usr/bin/wg set kube-wg0 peer {{ wg_pubkey }} remove
{% endif %}
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
|