Merge branch 'doc-pritunl' of wit/ops into master
commit 53fc155a7f
@ -0,0 +1,40 @@
# Pritunl
[Pritunl](https://pritunl.com/) is an [open source](https://github.com/pritunl/pritunl) VPN server with a web UI. It manages many [openvpn](https://openvpn.net/) instances underneath its python daemon and Go frontend. The basic version supports multiple servers/users with PKI + TOTP multi-factor auth. The professional/enterprise versions offer site-to-site VPNs as well as multiple SSO options for user auth.
## WIT on Pritunl
WIT is using as our VPN server as it is both OSS and user friendly; something we can offer to customers. The VPN is being used to access the overlay network of customer clouds, while control plane access will remain via a bastion host for now.
## Pritunl on WIT Cloud
Pritunl only has one external dependency: it uses mongodb for storing organization/server/user data. Connect to the existing mongo daemon and create a new database and user for Pritunl. Store the password as a secret in the cloud-ui.
Note that the WIT Cloud ingress layer currently only supports TCP based VPN servers.
## Configuring the Daemon
First setup the daemon according to `daemon-pritunl.conf`.
Once the deployment is up and running edit it directly to add the container `securityContext`.
`kubectl -n <namespace> edit deploy <deploy-name>`
Add the following block below `spec.template.spec.container.securityContext`:
```
securityContext:
capabilities:
add:
- NET_ADMIN
```
TODO: ping @tim once WIT Cloud supports configuring container `securityContext`.
## Configuring Pritunl
Follow the [Pritunl Setup](https://docs.pritunl.com/docs/connecting) instructions with the following notes:
- Use a TCP based VPN server. Make sure to configure both the HAProxy on `roberto` as well as configuring `wit-proxy` via `etcd`
- Once the server is created make sure to remove the default route and add the appropriate routes for the k8s pod and services subnets.
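Review bot: the `kubectl edit` step in "Configuring the Daemon" names the wrong path and contradicts the block it introduces: `spec.template.spec.container.securityContext` should be `spec.template.spec.containers[].securityContext` (`containers` is a list), and since the quoted block already begins with `securityContext:` it goes under the container entry itself, not "below securityContext". The doc should also say that a hand-edit to a Deployment the platform owns is reverted on the next rollout, so the NET_ADMIN grant must be re-applied after every deploy until the TODO for `securityContext` support is resolved. Minor: "WIT is using as our VPN server" in "WIT on Pritunl" is missing its object (Pritunl).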
@ -0,0 +1,17 @@
name: pritunl
cpu: 500m
disk:
- path: /var/lib/pritunl
size: 5
environment:
PRITUNL_MONGODB_URI: "mongodb://pritunl:{{secrets.pritunl}}@{{deps.mongo.ip}}:27017/pritunl"
PRITUNL_BEHIND_LOADBAL: true
image: registry.services.wit.com/drags/pritunl
internet-facing: true
memory: 1024
ports: [9700, 1194]
replicas: 1
containerSecurityContext:
capabilities:
add:
- "NET_ADMIN"
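Review bot: the `containerSecurityContext` block at the end of this file conflicts with the doc added in the same commit, which states that WIT Cloud cannot yet configure the container `securityContext` and requires a manual `kubectl edit`; either this key is honoured (and the doc's manual step and TODO are stale) or it is silently ignored, and the two files should agree on which. Two further points: `image: registry.services.wit.com/drags/pritunl` carries no tag or digest, so each rollout pulls whatever `latest` happens to be; pin it for reproducible, reviewable deploys. With `internet-facing: true`, `ports: [9700, 1194]` exposes the Pritunl web UI (9700) to the internet alongside the VPN port; the doc should state whether that is intended or whether the UI should only be reachable via the HAProxy/bastion path it describes. Consider quoting `PRITUNL_BEHIND_LOADBAL: "true"`, since environment values are strings and an unquoted YAML boolean may be rejected or re-serialised by the deployer.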