Add warpgate

app/warpgate.yml

@@ -0,0 +1,96 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: warpgate
+ labels:
+ app: warpgate
+spec:
+ replicas: 1
+ strategy:
+ type: Recreate 
+ selector:
+ matchLabels:
+ app: warpgate
+ template:
+ metadata:
+ labels:
+ app: warpgate
+ spec:
+ hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/hostname
+ operator: In
+ values:
+ - minio-48e6a175
+ containers:
+ - name: warpgate
+ image: ghcr.io/warp-tech/warpgate:v0.7.4
+ args:
+ - "-c"
+ - "/data/warpgate.yaml"
+ - "run"
+ env:
+ ports:
+ - containerPort: 2222
+ - containerPort: 8888
+ volumeMounts:
+ - name: db
+ mountPath: /data/
+ volumes:
+ - name: db
+ hostPath:
+ path: /opt/warpgate/
+ type: Directory
+ tolerations:
+ - key: "kubernetes.io/hostname"
+ operator: "Equal"
+ value: "minio"
+ effect: "NoSchedule"
+ - key: "node.kubernetes.io/unreachable"
+ operator: "Exists"
+ effect: "NoExecute"
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: warpgate
+spec:
+ selector:
+ app: warpgate
+ ports:
+ - protocol: TCP
+ port: 8888
+ name: http
+ - protocol: TCP
+ port: 2222
+ name: ssh
+ clusterIP: None
+ type: ClusterIP
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: warpgate-ingress
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
+spec:
+ tls:
+ - hosts:
+ - warp.erebe.eu
+ secretName: warpgate-tls
+ rules:
+ - host: warp.erebe.eu
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: warpgate
+ servicePort: 8888

config/nftables.rules

@@ -18,7 +18,7 @@ table inet SERVER_FIREWALL {
  meta l4proto ipv6-icmp accept comment "accept all ICMP types"
  udp dport 546 ip6 saddr { fc00::/7, fe80::/10, 2001:bc8:2::5:136:1 } accept comment "allow DHCPv6 client"
 
- tcp dport 22 accept comment "accept SSH"
+ tcp dport { 22, 2222 } accept comment "accept local SSH & warpgate SSH"
 
  tcp dport { 80, 443 } accept comment "accept http"
 
@@ -30,6 +30,13 @@ table inet SERVER_FIREWALL {
  #tcp dport 6443 accept comment "accept kubernetes"
  }
 
+ chain nat_pretrouting {
+ type nat hook prerouting priority 0; policy accept;
+
+ iif enp1s0 tcp dport 2222 dnat ip to 10.200.200.6:2222 comment "forward to warpgate ssh connections"
+ iif enp1s0 tcp dport 2222 dnat ip6 to [fc00:cafe::6]:2222 comment "forward to warpgate ssh connections"
+ }
+
  chain forward {
  type filter hook forward priority 0; policy drop;
 
@@ -43,7 +50,10 @@ table inet SERVER_FIREWALL {
  chain nat_postrouting {
  type nat hook postrouting priority 0; policy accept;
 
- iifname cni0 ip saddr 10.42.0.0/24 masquerade comment "NAT kube traffic to avoid leaking private network"
+ iif enp1s0 tcp dport 2222 ip daddr 10.200.200.6 masquerade comment "forward to warpgate ssh connections"
+ iif enp1s0 tcp dport 2222 ip6 daddr fc00:cafe::6 masquerade comment "forward to warpgate ssh connections"
+
+ oif enp1s0 ip saddr 10.42.0.0/24 masquerade comment "NAT kube traffic to avoid leaking private network"
 
  oif enp1s0 ip saddr 10.200.200.0/24 masquerade comment "Allow NATing IPv4 wireguard traffic"
  oif enp1s0 ip6 saddr fc00:cafe::/80 masquerade comment "Allow NATing IPv6 wireguard traffic"

dns/erebe.eu.zones

@@ -51,4 +51,8 @@ blog 10800 IN A 195.154.119.61
 blog 10800 IN AAAA 2001:bc8:6005:136:208:a2ff:fe0c:634e
 bitwarden 10800 IN A 195.154.119.61
 bitwarden 10800 IN AAAA 2001:bc8:6005:136:208:a2ff:fe0c:634e
+warp 10800 IN A 195.154.119.61
+warp 10800 IN AAAA 2001:bc8:6005:136:208:a2ff:fe0c:634e
+*.warp 10800 IN A 195.154.119.61
+*.warp 10800 IN AAAA 2001:bc8:6005:136:208:a2ff:fe0c:634e
 cafe 10800 IN AAAA 2001:0bc8:3d8f:cafe::cafe