The VPN Shoot is a tool that is used for Shoot clusters. It serves an endpoint for incoming connections, allows contacting any IP address within its network and routes the packets back to the caller (usually the vpn-seed). By that, it connects the components running in the Seed cluster with those running in the Shoot cluster.
The vpn-shoot requires a load balancer pointing to it which must be reachable from the Seed cluster network (usually a public load balancer).
$VERSION variable in the Makefile before creating a new release:
make releaseThis will create a new Docker image with the tag you specified in the Makefile, push it to our image registry, and clean up afterwards.
Please find an example Kubernetes manifest within the /example directory.
These are a few sample commands for generating keys and certificates
# generate the DH parameters file for the server
openssl dhparam -out dh2048.pem 2048
# geneate ca
openssl genrsa -out rootCA.key 4096
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt -subj "/CN=mycat"
# create keys for client and server
openssl genrsa -out client-key.pem 2048
openssl genrsa -out server-key.pem 2048
# create a signing request and sign the client key
openssl req -new -key client-key.pem -out client-key.csr -subj "/CN=myclient"
openssl x509 -req -in client-key.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out client-cert.pem -days 500 -sha256
# create a signing request and sign the server key
openssl req -new -key server-key.pem -out server-key.csr -subj "/CN=myserver"
openssl x509 -req -in server-key.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server-cert.pem -days 500 -sha256
# generate tls auth key (see )
openvpn --genkey --secret vpn.tlsauth