Lev Goncharov

Infrastructure simplifying engineer

View My GitHub Profile

Openvpn inside kubernetes inside google cloud platform

gce4vpn

Date: 2018-09-23

It is text version of my presentation at chaos constructions 2018-08-26 & Hashicorp meetup 2018-08-29. This project was created just for luls:

Main idea

idea

I was using a network with a proxy server when I faced the issue that I should connect to a MySQL port. An application didn’t support proxy. Eventually, I got a coupon for google cloud. As the result, I decided to create proof of concept: try OpenVPN inside kubernetes and connect to the MySQL through google cloud.

Preparation

Vagrant

vagrant

First of all, I created a VM via vagrant with all needed tools. Vagrant is an infrastructure as code software by HashiCorp. Vagrant is a wrapper around hypervisors. It is cross-platform solutions, it might help you to unify your workflow in a team & create identical environments. There were docker, gcloud, terraform inside the VM, it was provisioned by ansible

PKI

pki

I decided to create a PKI infrastructure for my VPN solution. A public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store & revoke digital certificates and manage public-key encryption.

A PKI consists of some ideas:

Terraform

terraform

Terraform is an infrastructure as code software by HashiCorp. It might prevent you from vendor locking. It allows users to define a data centre infrastructure in a high-level configuration language. It supports clouds such as AWS, Google Cloud Platform, Microsoft Azure.

Kubernetes

k8s

Kubernetes is an open-source container-orchestration system for automating deployment, scaling and management of containerized applications. It aims to provide a “platform for automating deployment, scaling, and operations of application containers across clusters of hosts”. A vast majority of cloud providers allows creating k8s installations as a service.

Top level schema

schema

I built the OpenVPN container. It allows to generate a PKI infrastructure, client/servers configs & run inside k8s. After that, I described the whole OpenVPN infrastructure in the Google Cloud Platform. The infrastructure consists of a PKI, a k8s and an OpenVPN server. I did some assumptions: the PKI infrastructure is stored at the VM & we don’t use self-hosted k8s.

Conclusion

Conclusion

As a result, it works. On one hand, there are some kludges, but on the other hand, it’had been helped to connect to the MySQL & is good enough as a Proof of Concept.

GCP