gardener / vpn2

Network connector between the control plane (deployed in a Seed cluster) and a Shoot cluster superseding the vpn repository.
Apache License 2.0

Make VPN Network configurable #78

Closed timebertt closed 7 months ago

timebertt commented 7 months ago

What this PR does / why we need it:

This PR introduces the VPN_NETWORK env var in both seed-server and shoot-client that allows configuring a custom VPN CIDR. If unset, it defaults to the current hard-coded values (192.168.123.0/24 and fd8f:6d53:b97a:1::/120 respectively).

This PR introduces some changes to both the seed-server and the shoot-client components to fulfill these requirements.

Which issue(s) this PR fixes:

Part of https://github.com/gardener/gardener/issues/8987

Special notes for your reviewer:

The PR builds upon https://github.com/gardener/vpn2/pull/64. It rebases the existing commits and adds a few more commits to address the remaining issues.

Images for testing:

TODOs:

Release note:

The VPN components now support configuring a custom VPN network using the `VPN_NETWORK` environment variable.
The `IP_BASE` environment variable in `acquire-ip` (part of `vpn-shoot-client`) is dropped in favor of the `VPN_NETWORK` environment variable.
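A fallback-and-validate routine for the `VPN_NETWORK` setting described above, written as an added example; it is not code from this PR or the vpn2 repository. The function name, the `ipv6` flag, the reserved cluster ranges, and the host-bits and overlap checks are assumptions of this sketch; only the variable name and the two default CIDRs come from the PR description.

```go
package main

import (
	"fmt"
	"net/netip"
	"os"
)

// Defaults quoted in the PR description; used when VPN_NETWORK is unset.
const (
	defaultV4 = "192.168.123.0/24"
	defaultV6 = "fd8f:6d53:b97a:1::/120"
)

// resolveVPNNetwork validates raw (the VPN_NETWORK value) or falls back to the default.
// The ipv6 flag and the reserved cluster CIDRs are assumptions, not named in the PR.
func resolveVPNNetwork(raw string, ipv6 bool, reserved ...string) (netip.Prefix, error) {
	if raw == "" && ipv6 {
		raw = defaultV6
	} else if raw == "" {
		raw = defaultV4
	}
	p, err := netip.ParsePrefix(raw)
	if err != nil {
		return netip.Prefix{}, fmt.Errorf("VPN_NETWORK %q is not a CIDR: %w", raw, err)
	}
	if p != p.Masked() {
		return netip.Prefix{}, fmt.Errorf("VPN_NETWORK %s has host bits set, want %s", p, p.Masked())
	}
	if p.Addr().Is6() != ipv6 {
		return netip.Prefix{}, fmt.Errorf("VPN_NETWORK %s does not match the tunnel IP family", p)
	}
	for _, r := range reserved {
		rp, err := netip.ParsePrefix(r)
		if err != nil {
			return netip.Prefix{}, fmt.Errorf("reserved range %q: %w", r, err)
		}
		if p.Overlaps(rp) {
			return netip.Prefix{}, fmt.Errorf("VPN_NETWORK %s overlaps cluster range %s", p, rp)
		}
	}
	return p, nil
}

func main() {
	// Reserved ranges are constructed samples, not taken from the PR.
	p, err := resolveVPNNetwork(os.Getenv("VPN_NETWORK"), false, "10.0.0.0/16", "100.64.0.0/13")
	fmt.Println(p, err)
}
```

Rejecting a bad value at startup keeps a mistyped or colliding CIDR from silently producing a tunnel that shadows pod or service routes.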

gardener-robot-ci-2 commented 7 months ago

Thank you @timebertt for your contribution. Before I can start building your PR, a member of the organization must set the required label(s) {'reviewed/ok-to-test'}. Once started, you can check the build status in the PR checks section below.

gardener-robot commented 7 months ago

@timebertt Thank you for your contribution.

timebertt commented 7 months ago

@axel7born I finished verifying this PR as far as I could in a local setup (see PR description for the cases I tested). To me, it seemed like everything was working perfectly fine. Can you kindly take another look? :)

Next, I will finish https://github.com/gardener/gardener/pull/8991, which requires this PR and a release including it. As I manually verified non-default VPN CIDRs using the VPN_NETWORK already, I'm confident that this PR fulfills the requirements for making things work in g/g e2e :)

gardener-robot commented 7 months ago

@axel7born, @docktofuture, @scheererj, @marwinski You have pull request review open invite, please check

axel7born commented 7 months ago

/assign

axel7born commented 7 months ago

/ok-to-test

axel7born commented 7 months ago

/lgtm

I tested with the extensions setup, ipv4 and ipv4 HA. I also tested in the local ipv6 only setup with the g/g fix