new test of fortigate for KSD

2025-07-22 10:47:20 +02:00 · 2025-07-22 10:47:20 +02:00 · f76153ff5d
commit f76153ff5d
parent 9980d50b07
10 changed files with 97 additions and 195 deletions
--- a/firewall-s3/vm/ksd/loadbalancers/fortigate-wan.yaml
+++ b/firewall-s3/vm/ksd/loadbalancers/fortigate-wan.yaml
@ -0,0 +1,30 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: fortigate-lb
+  namespace: ${TENANT_NAMESPACE}
+  labels:
+    app.kubernetes.io/component: fortigate-lb
+spec:
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  ports:
+    - port: 4500
+      name: ipsec-nat
+      targetPort: 4500
+      protocol: UDP
+    - port: 500
+      name: key-management
+      targetPort: 500
+      protocol: UDP
+    #- port: 22
+    #  name: ssh
+    #  targetPort: 22
+    #  protocol: TCP
+    - port: 443
+      name: https
+      targetPort: 443
+      protocol: TCP
+  selector:
+    kubevirt.io/domain: fortigate-ksd
--- a/firewall-s3/vm/ksd/network-definitions/lan.yaml
+++ b/firewall-s3/vm/ksd/network-definitions/lan.yaml
@ -0,0 +1,20 @@
+apiVersion: "k8s.cni.cncf.io/v1"
+kind: NetworkAttachmentDefinition
+metadata:
+  name: lan-net
+  namespace: ${TENANT_NAMESPACE}
+spec:
+  config: '{
+    "cniVersion": "0.3.1",
+    "type": "bridge",
+    "bridge": "br-lan",
+    "ipam": {
+      "type": "static",
+      "addresses": [
+        {
+          "address": "172.168.100.2/24",
+          "gateway": "172.168.100.1"
+        }
+      ]
+    }
+  }'
--- a/firewall-s3/vm/ksd/network-definitions/mgmt.yaml
+++ b/firewall-s3/vm/ksd/network-definitions/mgmt.yaml
@ -0,0 +1,14 @@
+apiVersion: "k8s.cni.cncf.io/v1"
+kind: NetworkAttachmentDefinition
+metadata:
+  name: mgmt-net
+  namespace: ${TENANT_NAMESPACE}
+spec:
+  config: '{
+    "cniVersion": "0.3.1",
+    "type": "bridge",
+    "bridge": "br-mgmt",
+    "ipam": {
+      "type": "dhcp"
+    }
+  }'
--- a/firewall-s3/vm/ksd/vm/fortigate.yaml
+++ b/firewall-s3/vm/ksd/vm/fortigate.yaml
@ -0,0 +1,77 @@
+apiVersion: kubevirt.io/v1
+kind: VirtualMachine
+metadata:
+  name: fortigate-ksd
+  namespace: ${TENANT_NAMESPACE}
+spec:
+  dataVolumeTemplates:
+    - metadata:
+        name: fortigate-rootdisk-ksd
+      spec:
+        source:
+          http:
+            url: "https://glacier-1.kvant.cloud/ocp-virt-images/sources/fortios_7_6_3.qcow2"
+            #secretRef: s3-virt-credentials
+        storage:
+          resources:
+            requests:
+              storage: 30Gi
+  runStrategy: Always
+  template:
+    metadata:
+      labels:
+        kubevirt.io/domain: fortigate-ksd
+    spec:
+      domain:
+        cpu:
+          cores: 1
+        memory:
+          guest: 2Gi
+        features:
+          acpi: {}
+          smm:
+            enabled: true
+        firmware:
+          bootloader:
+            efi:
+              secureBoot: false
+        devices:
+          rng: {}
+          networkInterfaceMultiqueue: true
+          interfaces:
+            - name: wan
+              masquerade: {}
+              ports:
+              - port: 4500
+              - port: 443
+              - port: 22
+              - port: 500
+            - name: mgmt
+              bridge: {}
+            - name: lan
+              bridge: {}
+          disks:
+            - disk:
+                bus: sata
+              name: rootdisk
+        resources:
+          requests:
+            memory: 2Gi
+            cpu: 1
+          limits:
+            memory: 2Gi
+            cpu: 1
+      networks:
+        - name: wan
+          pod: {}
+        - name: mgmt
+          multus:
+            networkName: ${TENANT_NAMESPACE}/mgmt-net
+        - name: lan
+          multus:
+            networkName: ${TENANT_NAMESPACE}/lan-net
+      terminationGracePeriodSeconds: 180
+      volumes:
+        - name: rootdisk
+          dataVolume:
+            name: fortigate-rootdisk-ksd