This feature is available in Enterprise Edition only. It might significantly change in the future. Currently, it's not intended to be used without special assistance from Flant.

This module is disabled by default. To enable it, add the following lines to the deckhouse ConfigMap:

data:
  openvpnEnabled: "true"

Parameters

  • inlet — the way the connection is implemented;
    • The following inlet types are supported:
      • ExternalIP — when there are nodes with public IPs. It is used together with the externalIP parameter;
      • LoadBalancer — for all cloud providers and cloud-based placement strategies that support the provision of LoadBalancers;
      • Direct — for non-standard cases. You need to create a service called openvpn-external in the d8-openvpn namespace. It must route traffic to the pod with the app: openvpn label, to the port named ovpn-tcp (or simply port 1194). The module takes the address clients connect to from this service: its externalIP, the IP address of the load balancer, or the load balancer hostname. If the service exposes none of these, you need to specify the externalHost parameter;
  • loadBalancer — a section of optional parameters of the LoadBalancer inlet:
    • annotations — annotations to assign to the service for flexible configuration of the load balancer;
      • Note that the module does not take into account the specifics of setting annotations in different clouds. If the cloud only reads load balancer provisioning annotations when the service is created, you need to restart the module (disable and re-enable it) for changed annotations to take effect;
    • sourceRanges — a list of CIDRs that are allowed to connect to the load balancer;
      • Format — an array of strings;
      • The cloud provider may not support this option or ignore it;
  • externalIP — the IP address of a cluster node to connect OpenVPN clients;
    • It is only required if the ExternalIP inlet is used;
  • externalPort — the port to expose on the externalIP or load balancer;
    • The default port is 5416;
  • tunnelNetwork — a subnet used for tunneling;
    • The default subnet is 172.25.175.0/255.255.255.0;
  • pushToClientRoutes — a list of routes to send to clients upon their connection;
    • By default, this list is generated automatically using the local cluster network, service subnet, and pod subnet;
  • pushToClientDNS — the IP address of the DNS server to send to clients upon connection;
    • By default, the IP address of the kube-system/kube-dns service is used;
  • pushToClientSearchDomains — a list of search domains to send to clients upon connection;
    • The default value is global.discovery.clusterDomain;
  • storageClass — the name of the StorageClass to use;
    • If omitted, the StorageClass of the existing PVC is used. If there is no PVC yet, either global.StorageClass or global.discovery.defaultStorageClass is used, and if those are undefined, the emptyDir volume is used to store the data;
    • CAUTION! Setting this value to one that differs from the current one (in the existing PVC) will result in disk reprovisioning and data loss;
    • Setting it to false forces the use of an emptyDir volume;
  • auth — options related to authentication or authorization in the application:
    • externalAuthentication — a set of parameters that enable external authentication. It is based on the Nginx Ingress external-auth mechanism, which uses the Nginx auth_request module. These parameters are set automatically if the user-authn module is enabled;
      • authURL — the URL of the authentication service. If the user is authenticated, the service should return an HTTP 200 response code;
      • authSignInURL — the URL to redirect the user for authentication (if the authentication service returned a non-200 HTTP response code);
    • password — the password for HTTP basic authentication of the admin user (it is generated automatically, but you can change it);
      • This parameter is used if the externalAuthentication parameter is not enabled;
    • allowedUserGroups — an array of user groups that can access the openvpn admin panel;
      • This parameter is used if the user-authn module is enabled or the externalAuthentication parameter is set;
      • Caution! Note that you must add those groups to the appropriate field in the DexProvider config if this module is used together with the user-authn one;
    • whitelistSourceRanges — the CIDR ranges from which clients are allowed to authenticate to the openvpn admin panel;
  • externalHost — an IP address or a domain clients use to connect to the OpenVPN server;
    • By default, data from an openvpn-external service are used;
  • ingressClass — the class of the Ingress controller used for the openvpn admin panel;
    • By default, the modules.ingressClass global value is used;
  • https — what certificate type to use with the openvpn admin panel;
    • This parameter completely overrides the global.modules.https settings;
    • mode — the HTTPS usage mode:
      • Disabled — in this mode, the openvpn admin panel works over HTTP only;
      • CertManager — the openvpn admin panel will use HTTPS and get a certificate from the ClusterIssuer defined in the certManager.clusterIssuerName parameter;
      • CustomCertificate — the openvpn admin panel will use the certificate from the d8-system namespace for HTTPS;
      • OnlyInURI — the openvpn admin panel will work over HTTP, assuming that there is an external HTTPS load balancer in front of it that terminates HTTPS traffic. All the links in the user-authn will be generated using the HTTPS scheme;
    • certManager
      • clusterIssuerName — what ClusterIssuer to use for the openvpn admin panel (currently, letsencrypt, letsencrypt-staging, selfsigned are available; also, you can define your own);
        • By default, letsencrypt is used;
    • customCertificate
      • secretName — the name of the secret in the d8-system namespace to use with the openvpn admin panel (this secret must have the kubernetes.io/tls format);
        • It is set to false by default;
  • nodeSelector — the same as in the pods’ spec.nodeSelector parameter in Kubernetes;
    • If the parameter is omitted or false, it will be determined automatically.
  • tolerations — the same as in the pods’ spec.tolerations parameter in Kubernetes;
    • If the parameter is omitted or false, it will be determined automatically.