From f76153ff5dc34551de5515a48a85ab72b4ee4ce4 Mon Sep 17 00:00:00 2001
From: "maximilian.bartz"
Date: Tue, 22 Jul 2025 10:47:20 +0200
Subject: [PATCH] new test of fortigate for KSD
---
 firewall-dev/ks-vm.yaml | 18 -----
 firewall-dev/vm/fortigate.yaml | 64 -----------------
 firewall-s3/ks-vm.yaml | 2 +-
 .../vm/ksd/loadbalancers/fortigate-wan.yaml | 30 ++++++++
 .../vm/ksd/network-definitions/lan.yaml | 20 ++++++
 .../vm/ksd/network-definitions/mgmt.yaml | 14 ++++
 firewall-s3/vm/{ => ksd/vm}/fortigate.yaml | 38 ++++++----
 firewall/ks-vm.yaml | 18 -----
 firewall/vm/fortigate.yaml | 72 -------------------
 ubuntu-vm-1/ubuntu/ubuntu-vm.yaml | 16 +++--
 10 files changed, 97 insertions(+), 195 deletions(-)
 delete mode 100644 firewall-dev/ks-vm.yaml
 delete mode 100644 firewall-dev/vm/fortigate.yaml
 create mode 100644 firewall-s3/vm/ksd/loadbalancers/fortigate-wan.yaml
 create mode 100644 firewall-s3/vm/ksd/network-definitions/lan.yaml
 create mode 100644 firewall-s3/vm/ksd/network-definitions/mgmt.yaml
 rename firewall-s3/vm/{ => ksd/vm}/fortigate.yaml (66%)
 delete mode 100644 firewall/ks-vm.yaml
 delete mode 100644 firewall/vm/fortigate.yaml
diff --git a/firewall-dev/ks-vm.yaml b/firewall-dev/ks-vm.yaml
deleted file mode 100644
index aa1db72..0000000
--- a/firewall-dev/ks-vm.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app fortigate-dev
- namespace: ${TENANT_NAMESPACE}
-spec:
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- path: ./firewall-dev/vm
- prune: true
- sourceRef:
- kind: GitRepository
- name: tenant-repos
- wait: false
- interval: 30m
- retryInterval: 1m
- timeout: 5m
\ No newline at end of file
diff --git a/firewall-dev/vm/fortigate.yaml b/firewall-dev/vm/fortigate.yaml
deleted file mode 100644
index e0b92a8..0000000
--- a/firewall-dev/vm/fortigate.yaml
+++ /dev/null
@@ -1,64 +0,0 @@
-apiVersion: kubevirt.io/v1
-kind: VirtualMachine
-metadata:
- name: fortigate-dev
- namespace: ${TENANT_NAMESPACE}
-spec:
- dataVolumeTemplates:
- - metadata:
- name: fortigate-rootdisk-dev
- spec:
- source:
- http:
- url: http://nginx.demo.svc.cluster.local:80/fortios_v7_6_3.qcow2
- storage:
- resources:
- requests:
- storage: 30Gi
- runStrategy: Always
- template:
- metadata:
- labels:
- kubevirt.io/domain: fortigate-dev
- spec:
- domain:
- cpu:
- cores: 2
- memory:
- guest: 4Gi
- features:
- acpi: {}
- smm:
- enabled: true
- firmware:
- bootloader:
- efi:
- secureBoot: true
- devices:
- rng: {}
- networkInterfaceMultiqueue: true
- interfaces:
- - name: default
- masquerade: {}
- ports:
- - port: 443
- - port: 22
- disks:
- - disk:
- bus: sata
- name: rootdisk
- resources:
- requests:
- memory: 4Gi
- cpu: 2
- limits:
- memory: 4Gi
- cpu: 2
- networks:
- - name: default
- pod: {}
- terminationGracePeriodSeconds: 180
- volumes:
- - name: rootdisk
- dataVolume:
- name: fortigate-rootdisk-dev
\ No newline at end of file
diff --git a/firewall-s3/ks-vm.yaml b/firewall-s3/ks-vm.yaml
index a365abc..61e2924 100644
--- a/firewall-s3/ks-vm.yaml
+++ b/firewall-s3/ks-vm.yaml
@@ -7,7 +7,7 @@ spec:
 commonMetadata:
 labels:
 app.kubernetes.io/name: *app
- path: ./firewall-s3/vm
+ path: ./firewall-s3/vm/ksd
 prune: true
 sourceRef:
 kind: GitRepository
diff --git a/firewall-s3/vm/ksd/loadbalancers/fortigate-wan.yaml b/firewall-s3/vm/ksd/loadbalancers/fortigate-wan.yaml
new file mode 100644
index 0000000..00ea2c3
--- /dev/null
+++ b/firewall-s3/vm/ksd/loadbalancers/fortigate-wan.yaml
@@ -0,0 +1,30 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: fortigate-lb
+ namespace: ${TENANT_NAMESPACE}
+ labels:
+ app.kubernetes.io/component: fortigate-lb
+spec:
+ type: LoadBalancer
+ externalTrafficPolicy: Local
+ ports:
+ - port: 4500
+ name: ipsec-nat
+ targetPort: 4500
+ protocol: UDP
+ - port: 500
+ name: key-management
+ targetPort: 500
+ protocol: UDP
+ #- port: 22
+ # name: ssh
+ # targetPort: 22
+ # protocol: TCP
+ - port: 443
+ name: https
+ targetPort: 443
+ protocol: TCP
+ selector:
+ kubevirt.io/domain: fortigate-ksd
diff --git a/firewall-s3/vm/ksd/network-definitions/lan.yaml b/firewall-s3/vm/ksd/network-definitions/lan.yaml
new file mode 100644
index 0000000..ccc343b
--- /dev/null
+++ b/firewall-s3/vm/ksd/network-definitions/lan.yaml
@@ -0,0 +1,20 @@
+apiVersion: "k8s.cni.cncf.io/v1"
+kind: NetworkAttachmentDefinition
+metadata:
+ name: lan-net
+ namespace: ${TENANT_NAMESPACE}
+spec:
+ config: '{
+ "cniVersion": "0.3.1",
+ "type": "bridge",
+ "bridge": "br-lan",
+ "ipam": {
+ "type": "static",
+ "addresses": [
+ {
+ "address": "172.168.100.2/24",
+ "gateway": "172.168.100.1"
+ }
+ ]
+ }
+ }'
\ No newline at end of file
diff --git a/firewall-s3/vm/ksd/network-definitions/mgmt.yaml b/firewall-s3/vm/ksd/network-definitions/mgmt.yaml
new file mode 100644
index 0000000..a1e6f34
--- /dev/null
+++ b/firewall-s3/vm/ksd/network-definitions/mgmt.yaml
@@ -0,0 +1,14 @@
+apiVersion: "k8s.cni.cncf.io/v1"
+kind: NetworkAttachmentDefinition
+metadata:
+ name: mgmt-net
+ namespace: ${TENANT_NAMESPACE}
+spec:
+ config: '{
+ "cniVersion": "0.3.1",
+ "type": "bridge",
+ "bridge": "br-mgmt",
+ "ipam": {
+ "type": "dhcp"
+ }
+ }'
\ No newline at end of file
diff --git a/firewall-s3/vm/fortigate.yaml b/firewall-s3/vm/ksd/vm/fortigate.yaml
similarity index 66%
rename from firewall-s3/vm/fortigate.yaml
rename to firewall-s3/vm/ksd/vm/fortigate.yaml
index 755f5ea..83562dd 100644
--- a/firewall-s3/vm/fortigate.yaml
+++ b/firewall-s3/vm/ksd/vm/fortigate.yaml
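Review bot: TCP/443 on the new `fortigate-lb` Service is published on a public LoadBalancer with no `loadBalancerSourceRanges`, and on a FortiGate that port is the administrative HTTPS GUI by default unless it has been moved to a VPN portal, which this manifest cannot show. If 443 is meant for administration, restrict it with a `loadBalancerSourceRanges:` list under `spec`, or leave it out of the Service and reach the GUI over the `mgmt` bridge network that the fortigate.yaml hunk adds. The commented-out SSH entry should either be deleted or carry a comment saying why it is kept, since commented YAML tends to get re-enabled without review. `externalTrafficPolicy: Local` is appropriate here because it preserves the client source address for the IPsec peers on 500/4500.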
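Review bot: `172.168.100.2/24` with gateway `172.168.100.1` in the static IPAM block of `lan-net` is not private address space: RFC 1918 covers 172.16.0.0/12 (172.16 through 172.31), so 172.168.0.0/16 is publicly routable and hosts on `br-lan` using it would shadow real Internet destinations. If a private LAN was intended this is probably a typo for a 172.16–172.31 or 10.x range; if the range is deliberate, a comment above `config:` should say so. Note also that the CNI `static` IPAM hands the same `172.168.100.2` to every pod that attaches to `lan-net`, so as written the definition is only safe for the single `fortigate-ksd` VM.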
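Review bot: `"ipam": {"type": "dhcp"}` in `mgmt-net` relies on the CNI `dhcp` IPAM plugin, which needs its daemon running on every node that can schedule the VM; without it the virt-launcher pod is expected to fail to get its secondary interface. Nothing in this commit deploys or documents that daemon, so either add a comment above `config:` naming where it is provided or use the same static IPAM style as `lan-net`. Both NetworkAttachmentDefinitions also omit the leading `---` that the new Service file uses; pick one convention for the directory.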
@@ -1,14 +1,12 @@
 apiVersion: kubevirt.io/v1
 kind: VirtualMachine
 metadata:
- name: fortigate-s3
+ name: fortigate-ksd
 namespace: ${TENANT_NAMESPACE}
- annotations:
- #kubevirt.io/allow-pod-bridge-network-live-migration:
 spec:
 dataVolumeTemplates:
 - metadata:
- name: fortigate-rootdisk-s3
+ name: fortigate-rootdisk-ksd
 spec:
 source:
 http:
@@ -22,16 +20,16 @@ spec:
 template:
 metadata:
 labels:
- kubevirt.io/domain: fortigate-s3
+ kubevirt.io/domain: fortigate-ksd
 spec:
 domain:
 cpu:
- cores: 2
+ cores: 1
 memory:
- guest: 4Gi
+ guest: 2Gi
 features:
 acpi: {}
- smm:
+ smm:
 enabled: true
 firmware:
 bootloader:
@@ -41,29 +39,39 @@ spec:
 rng: {}
 networkInterfaceMultiqueue: true
 interfaces:
- - name: external
+ - name: wan
 masquerade: {}
 ports:
 - port: 4500
 - port: 443
 - port: 22
 - port: 500
+ - name: mgmt
+ bridge: {}
+ - name: lan
+ bridge: {}
 disks:
 - disk:
 bus: sata
 name: rootdisk
 resources:
 requests:
- memory: 4Gi
- cpu: 2
+ memory: 2Gi
+ cpu: 1
 limits:
- memory: 4Gi
- cpu: 2
+ memory: 2Gi
+ cpu: 1
 networks:
- - name: external
+ - name: wan
 pod: {}
+ - name: mgmt
+ multus:
+ networkName: ${TENANT_NAMESPACE}/mgmt-net
+ - name: lan
+ multus:
+ networkName: ${TENANT_NAMESPACE}/lan-net
 terminationGracePeriodSeconds: 180
 volumes:
 - name: rootdisk
 dataVolume:
- name: fortigate-rootdisk-s3
\ No newline at end of file
+ name: fortigate-rootdisk-ksd
\ No newline at end of file
diff --git a/firewall/ks-vm.yaml b/firewall/ks-vm.yaml
deleted file mode 100644
index 257d4ce..0000000
--- a/firewall/ks-vm.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app fortigate
- namespace: ${TENANT_NAMESPACE}
-spec:
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- path: ./firewall/vm
- prune: true
- sourceRef:
- kind: GitRepository
- name: tenant-repos
- wait: false
- interval: 30m
- retryInterval: 1m
- timeout: 5m
\ No newline at end of file
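Review bot: The masquerade `ports` entries on the renamed `wan` interface (4500, 443, 22, 500) carry no `protocol`, and KubeVirt defaults an interface port to TCP, so the UDP traffic that the new `fortigate-lb` Service forwards on 500 and 4500 would not be NAT'd through to the VM. Add `protocol: UDP` under `- port: 4500` and under `- port: 500` (keeping separate TCP entries only if TCP on those ports is also needed). The new `mgmt` and `lan` interfaces use `bridge: {}`, and the guest NIC order is expected to follow the list order (`wan`, `mgmt`, `lan`); a comment mapping each entry to the FortiGate port name would help whoever configures the firewall. The interface also keeps `- port: 22` while the Service comments SSH out; dropping it here would keep the two files consistent.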
diff --git a/firewall/vm/fortigate.yaml b/firewall/vm/fortigate.yaml
deleted file mode 100644
index b0f6236..0000000
--- a/firewall/vm/fortigate.yaml
+++ /dev/null
@@ -1,72 +0,0 @@
-apiVersion: kubevirt.io/v1
-kind: VirtualMachine
-metadata:
- name: fortigate
- namespace: ${TENANT_NAMESPACE}
-spec:
- dataVolumeTemplates:
- - metadata:
- name: fortigate-rootdisk
- spec:
- source:
- http:
- url: http://nginx.demo.svc.cluster.local:80/fortios_v7_6_3.qcow2
- storage:
- resources:
- requests:
- storage: 30Gi
- runStrategy: Always
- template:
- metadata:
- labels:
- kubevirt.io/domain: fortigate
- spec:
- domain:
- cpu:
- cores: 2
- memory:
- guest: 4Gi
- devices:
- rng: {}
- networkInterfaceMultiqueue: true
- interfaces:
- - name: default
- masquerade: {}
- ports:
- - port: 80
- - port: 443
- - port: 22
- - port: 2222
- - port: 5050
- disks:
- - disk:
- bus: sata
- name: rootdisk
- # - disk:
- # bus: scsi
- # name: datadisk
- # - disk:
- # bus: scsi
- # name: cloudinitdisk
- resources:
- requests:
- memory: 4Gi
- cpu: 2
- limits:
- memory: 4Gi
- cpu: 2
- networks:
- - name: default
- pod: {}
- terminationGracePeriodSeconds: 180
- volumes:
- - name: rootdisk
- dataVolume:
- name: fortigate-rootdisk
- # - name: datadisk
- # persistentVolumeClaim:
- # claimName: gitlab-datadisk
- # - name: cloudinitdisk
- # cloudInitNoCloud:
- # secretRef:
- # name: gitlab-cloud-init
\ No newline at end of file
diff --git a/ubuntu-vm-1/ubuntu/ubuntu-vm.yaml b/ubuntu-vm-1/ubuntu/ubuntu-vm.yaml
index af8a38c..31e1d2e 100644
--- a/ubuntu-vm-1/ubuntu/ubuntu-vm.yaml
+++ b/ubuntu-vm-1/ubuntu/ubuntu-vm.yaml
@@ -38,11 +38,13 @@ spec:
 cloudInitNoCloud:
 userData: |
 #cloud-config
- hostname: ubuntu-vm-1
- ssh_pwauth: True
 users:
- - name: ubuntu
- ssh-authorized-keys:
- - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPqlhZW/pPLK8zENt3o6tgl0QVinhGAF1sHvajqq3UvI ubuntu
- sudo: ['ALL=(ALL) NOPASSWD:ALL']
- shell: /bin/bash
\ No newline at end of file
+ - name: testuser
+ groups: [sudo]
+ sudo: "ALL=(ALL) NOPASSWD:ALL"
+ lock_passwd: false
+ passwd: "$6$oMZf5uou7t0.oAJ1$825Te06yt7JZwHSSj4MGQMjpd87LflANQpajCwIVPASkKZdOJo4L2bAEDDuK.jtu.fsRNc9bZAsYefmoqdN8O1"
+
+ chpasswd:
+ expire: false
+ ssh_pwauth: true
\ No newline at end of file
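Review bot: The replacement `testuser` block commits a password hash to Git on the `passwd:` line, sets `lock_passwd: false` and turns on `ssh_pwauth: true` while dropping the previous `ssh-authorized-keys` entry, so the VM moves from key-only SSH to password SSH with a hash that anyone with repository access can attack offline, on an account that also has `NOPASSWD:ALL` sudo. Keep key authentication (`ssh_authorized_keys:` under the user), set `ssh_pwauth: false` and `lock_passwd: true`, and if a password is genuinely needed for console access move the whole `userData` into a Secret referenced through `cloudInitNoCloud.secretRef`, the pattern the deleted firewall/vm/fortigate.yaml still shows commented out. The `hostname:` line is also removed without replacement; confirm the guest gets its name some other way. The enclosing `cloudInitNoCloud` volume and the VM spec begin before this hunk.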