Merge branch 'doc-pritunl' of wit/ops into master
This commit is contained in:
drags
Gogs
commit
53fc155a7f
|
|
@ -0,0 +1,40 @@
|
|||
# Pritunl
|
||||
|
||||
[Pritunl](https://pritunl.com/) is an [open source](https://github.com/pritunl/pritunl) VPN server with a web UI. It manages many [openvpn](https://openvpn.net/) instances underneath its python daemon and Go frontend. The basic version supports multiple servers/users with PKI + TOTP multi-factor auth. The professional/enterprise versions offer site-to-site VPNs as well as multiple SSO options for user auth.
|
||||
|
||||
|
||||
## WIT on Pritunl
|
||||
|
||||
WIT is using as our VPN server as it is both OSS and user friendly; something we can offer to customers. The VPN is being used to access the overlay network of customer clouds, while control plane access will remain via a bastion host for now.
|
||||
|
||||
## Pritunl on WIT Cloud
|
||||
|
||||
Pritunl only has one external dependency: it uses mongodb for storing organization/server/user data. Connect to the existing mongo daemon and create a new database and user for Pritunl. Store the password as a secret in the cloud-ui.
|
||||
|
||||
Note that the WIT Cloud ingress layer currently only supports TCP based VPN servers.
|
||||
|
||||
## Configuring the Daemon
|
||||
|
||||
First setup the daemon according to `daemon-pritunl.conf`.
|
||||
|
||||
Once the deployment is up and running edit it directly to add the container `securityContext`.
|
||||
|
||||
`kubectl -n <namespace> edit deploy <deploy-name>`
|
||||
|
||||
Add the following block below `spec.template.spec.container.securityContext`:
|
||||
|
||||
```
|
||||
securityContext:
|
||||
capabilities:
|
||||
add:
|
||||
- NET_ADMIN
|
||||
```
|
||||
|
||||
TODO: ping @tim once WIT Cloud supports configuring container `securityContext`.
|
||||
|
||||
## Configuring Pritunl
|
||||
|
||||
Follow the [Pritunl Setup](https://docs.pritunl.com/docs/connecting) instructions with the following notes:
|
||||
|
||||
- Use a TCP based VPN server. Make sure to configure both the HAProxy on `roberto` as well as configuring `wit-proxy` via `etcd`
|
||||
- Once the server is created make sure to remove the default route and add the appropriate routes for the k8s pod and services subnets.
|
||||
|
|
@ -0,0 +1,17 @@
|
|||
name: pritunl
|
||||
cpu: 500m
|
||||
disk:
|
||||
- path: /var/lib/pritunl
|
||||
size: 5
|
||||
environment:
|
||||
PRITUNL_MONGODB_URI: "mongodb://pritunl:{{secrets.pritunl}}@{{deps.mongo.ip}}:27017/pritunl"
|
||||
PRITUNL_BEHIND_LOADBAL: true
|
||||
image: registry.services.wit.com/drags/pritunl
|
||||
internet-facing: true
|
||||
memory: 1024
|
||||
ports: [9700, 1194]
|
||||
replicas: 1
|
||||
containerSecurityContext:
|
||||
capabilities:
|
||||
add:
|
||||
- "NET_ADMIN"
|
||||
Loading…
Reference in New Issue