feat(openvpn) refactor to allow hieradata network setup (#2517)

* chore(tests) use different hieradata configurations for unit tests and vagrant

Signed-off-by: Damien Duportal <[email protected]>

* chore(updatecli) track puppetlabs-firewall module and bump it to 4.0.0

Signed-off-by: Damien Duportal <[email protected]>

* chore(vagrant) add a 2nd NIC, which requires ubuntu 20.04 and iptables package to avoid iptables errors - robbertkl/docker-ipv6nat#47

Signed-off-by: Damien Duportal <[email protected]>

* fix(openvpn) correct bootstrap from scratch by fixing recursive directories issue

Signed-off-by: Damien Duportal <[email protected]>

* fix(openvpn) correct boostrap by ensuring that required CLI are installe (route CLI)

Signed-off-by: Damien Duportal <[email protected]>

* chore(openvpn) refactorize role to allow defining CIDRs, peering and VPN networks through hieradata

Signed-off-by: Damien Duportal <[email protected]>

* Apply suggestions from code review

Co-authored-by: Hervé Le Meur <[email protected]>

Signed-off-by: Damien Duportal <[email protected]>
Co-authored-by: Hervé Le Meur <[email protected]>

Author: dduportal

.gitignore

@@ -1,7 +1,8 @@
 *.sw*
 .vagrant*
 .ruby-*
-spec/fixtures/
+spec/fixtures/manifests
+spec/fixtures/modules
 .bundle
 modules
 modules/

Puppetfile

@@ -25,7 +25,7 @@ mod 'puppetlabs-cron_core', '1.1.0'
 mod 'saz-sudo', '5.0.0'
 
 # Needed for managing firewall rules
-mod 'puppetlabs-firewall', '3.0.1'
+mod 'puppetlabs-firewall', '4.0.0'
 
 # Needed for managing .yaml files from within Puppet
 mod 'reidmv-yamlfile'

Vagrantfile

@@ -13,6 +13,9 @@ Vagrant.configure("2") do |config|
         d.has_ssh = true
     end
 
+    # Add a secondary NIC ("private" network simulation for roles such as openvpn)
+    config.vm.network "private_network", ip: "192.168.0.10", netmask: 24, docker_network__internal: true, docker_network__gateway: "192.168.0.1"
+
     config.vm.network "forwarded_port", guest: 80, host: 80
     config.vm.network "forwarded_port", guest: 443, host: 443
     config.vm.network "forwarded_port", guest: 8080, host: 8080
@@ -45,7 +48,7 @@ Vagrant.configure("2") do |config|
                 puppet.working_directory = "/vagrant"
                 puppet.manifests_path = "manifests"
                 puppet.manifest_file = "site.pp"
-                puppet.options = "--hiera_config=/vagrant/spec/fixtures/hiera.yaml --execute 'require profile::vagrant\n include role::#{veggie}'"
+                puppet.options = "--hiera_config=/vagrant/vagrant-docker/hiera.yaml --execute 'require profile::vagrant\n include role::#{veggie}'"
             end
         end
     end

dist/profile/manifests/openvpn.pp

@@ -42,11 +42,21 @@
     require          => [Docker::Image[$image]],
   }
 
+  file { '/etc/cloud':
+    ensure  => 'directory',
+    owner   => 'root',
+    group   => 'root',
+    recurse => true,
+  }
+
   file { '/etc/cloud/cloud.cfg.d':
     ensure  => 'directory',
     owner   => 'root',
     group   => 'root',
     recurse => true,
+    require => [
+      File['/etc/cloud'],
+    ],
   }
 
   # Ensure cloud-init doesn't manage network (netplan config + netplan apply + systemd, in Ubuntu Bionic)
@@ -79,79 +89,77 @@
     content => template("${module_name}/openvpn/90-network-config.yaml.erb"),
   }
 
-  ## Custom routes for peered networks
-  exec { 'addroute-10.240.0.0':
-    command => 'ip route add 10.240.0.0/14 via 10.0.2.1 dev eth1',
-    unless  => 'route | grep 10.240.0.0',
-    path    => '/usr/bin:/usr/sbin:/bin:/sbin',
+  # The CLI '/sbin/route' included in net-tools is required to create custom routes for peered networks
+  package { 'net-tools':
+    ensure => present,
   }
 
+  # Allow openvpn clients (incoming 443)
   firewall { '107 accept incoming 443 connections':
-    proto  => 'tcp',
-    port   => 443,
-    action => 'accept',
-  }
-
-  # Following firewall rules authorizes different network accesses as defined in https://github.com/jenkins-infra/openvpn
-  firewall { '100 snat for network public data tier from default vpn network to port 80/443':
-    chain       => 'POSTROUTING',
-    jump        => 'MASQUERADE',
-    proto       => 'tcp',
-    outiface    => 'eth1',
-    source      => '10.8.0.0/24',
-    dport       => [80,443],
-    destination => '10.0.2.0/24',
-    table       => 'nat',
-  }
-
-  # Admin Rules
-  firewall { '100 snat for network public dmz tier from admin vpn network':
-    chain       => 'POSTROUTING',
-    jump        => 'MASQUERADE',
-    proto       => 'all',
-    outiface    => 'eth0',
-    source      => '10.8.1.0/24',
-    destination => '10.0.99.0/24',
-    table       => 'nat',
-  }
-
-  firewall { '100 snat for network public data tier from admin vpn network':
-    chain       => 'POSTROUTING',
-    jump        => 'MASQUERADE',
-    proto       => 'all',
-    outiface    => 'eth1',
-    source      => '10.8.1.0/24',
-    destination => '10.0.2.0/24',
-    table       => 'nat',
-  }
-
-  firewall { '100 snat for network public app tier from admin vpn network':
-    chain       => 'POSTROUTING',
-    jump        => 'MASQUERADE',
-    proto       => 'all',
-    outiface    => 'eth2',
-    source      => '10.8.1.0/24',
-    destination => '10.0.1.0/24',
-    table       => 'nat',
+    proto   => 'tcp',
+    dport   => 443,
+    action  => 'accept',
+    iniface => 'eth0',
   }
 
-  firewall { '100 snat for network private-vnet default tier from default vpn network (peered with public network)':
-    chain       => 'POSTROUTING',
-    jump        => 'MASQUERADE',
-    proto       => 'all',
-    outiface    => 'eth1',
-    source      => '10.8.0.0/24',
-    destination => '10.240.0.0/14',
-    table       => 'nat',
+  # Allow SSH clients (incoming 2)
+  firewall { '107 accept incoming 22 connections':
+    proto   => 'tcp',
+    dport   => 22,
+    action  => 'accept',
+    iniface => 'eth0',
   }
 
-  firewall { '100 snat for network private-vnet default tier from admin vpn network (peered with public network)':
-    chain       => 'POSTROUTING',
-    jump        => 'MASQUERADE',
-    proto       => 'all',
-    outiface    => 'eth1',
-    source      => '10.8.1.0/24',
-    destination => '10.240.0.0/14',
-    table       => 'nat',
+  # Create firewall rules and route for each specified NIC to allow routing from VPN virtual networks to different networks
+  lookup('profile::openvpn::networks').each |$network_nic, $network_setup| {
+    # Remove the mask from CIDR to only keep the network Ipv4 (`10.0.0.0/24` returns `10.0.0.0`)
+    $network_first_ip = split($network_setup['network_cidr'], '/')[1]
+    # Only get the 3 first digits of the IPv4 (`10.0.0.0` returns `10.0.0`)
+    $network_prefix = join(split($network_setup['network_cidr'], '[.]')[0,3], '.')
+
+    # A given NIC has a "main" CIDR (its network) but may also be used for routes to peered networks
+    # If there are any peered network, then add a manual route
+    if $network_setup['peered_network_cidrs'] and $network_setup['peered_network_cidrs'].length > 0 {
+      $network_setup['peered_network_cidrs'].each | $peered_net_cidr | {
+        # Remove the mask from CIDR to only keep the network Ipv4 (`10.0.0.0/24` returns `10.0.0.0`)
+        $peered_network_ip  = split($peered_net_cidr, '/')[0]
+        # Only get the 3 first digits of the IPv4 (`10.0.0.0` returns `10.0.0`)
+        $peered_network_prefix = join(split($peered_network_ip, '[.]')[0,3], '.')
+
+        ## Custom routes for peered networks
+        $gateway = "${network_prefix}.1"
+        exec { "addroute ${peered_network_prefix}.0 through ${gateway} (NIC ${network_nic})":
+          command => "ip route add ${peered_net_cidr} via ${gateway} dev ${network_nic}",
+          unless  => "route | grep ${peered_network_prefix}.0",
+          require => [
+            # The CLI command 'route' is needed
+            Package['net-tools'],
+          ],
+          path    => '/usr/bin:/usr/sbin:/bin:/sbin',
+        }
+      }
+    }
+
+    # The lambda filter is used to cleanup the array from empty element (when $network_setup['peered_network_cidrs'] is undefined)
+    $destinations_cidrs = ([$network_setup['network_cidr']] + $network_setup['peered_network_cidrs']).filter |$item| {
+      $item and $item.length > 0
+    }
+
+    # For each VPN network, add all the destinations per interface
+    lookup('profile::openvpn::vpn_networks_cidr').each |$vpn_network_cidr| {
+      $destinations_cidrs.each |$destination_cidr| {
+        # Then add firewall rules to allow routing through networks using masquerading
+        firewall { "100 allow routing from ${vpn_network_cidr} to ${destination_cidr} on ports 80/443":
+          chain       => 'POSTROUTING',
+          jump        => 'MASQUERADE',
+          proto       => 'tcp',
+          outiface    => $network_nic,
+          source      => $vpn_network_cidr,
+          dport       => [80,443],
+          destination => $destination_cidr,
+          table       => 'nat',
+        }
+      }
+    }
   }
 }

hieradata/clients/vpn.jenkins.io.yaml

@@ -1,14 +1,26 @@
 ---
 profile::openvpn::networks:
   eth0:
+    name: Subnet 'dmz' of network 'prod-jenkins-public-prod'
     route-metric: 100
     macaddress: 00:0d:3a:0e:4b:1c
+    network_cidr: 10.0.99.0/24
   eth1:
+    name: Subnet 'data-tier' of network 'prod-jenkins-public-prod'
     route-metric: 200
     macaddress: 00:0d:3a:0e:4f:89
+    network_cidr: 10.0.2.0/24
+    peered_network_cidrs:
+      # Network 'prod-jenkins-private-prod-vnet' through peering
+      - 10.240.0.0/14
   eth2:
+    name: Subnet 'app-tier' of network 'prod-jenkins-public-prod'
     route-metric: 300
     macaddress: 00:0d:3a:0e:4e:7e
+    network_cidr: 10.0.1.0/24
+profile::openvpn::vpn_networks_cidr:
+  - 10.8.0.0/24 # Normal VPN
+  - 10.8.1.0/24 # Admin network (legacy: only used for KK openvpn client config) - https://github.com/jenkins-infra/docker-openvpn/blob/583f84af3fb7f0a60bfb0b100e56e1b905d713f2/config.yaml#L12-L19
 profile::openvpn::auth_ldap_binddn: ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAUnLHzSYfhy9wQ622F9qg27p80NMo+5M1I0XJUM3vQ6+XhcmG8OeFN0lksZJMD1p2tp8vZTAbq+BtdCfy9e9iaZudQvL2XHqlGFSrssz25FfpfKny5/QvKRZJqOW7K/7gfwnj+kIO7kVMFkO0XhcqRKsCjO2hBIaWBw/3BtIpE0MB/pPw/vLI3aERnj/YBRg6iHQUuBiYOZc5WJ6CJiVPiiCcfz1YhzvsdjeE/6PLCXSWVzR6fXJaIv8AeLOJ/T/KrulWZbQ2C3fE/hWYCznIEzmsHHnd/td8/gTOyetl8CbPeeVWnl3z4cjD3dhpRc80hDB912Wpp7p3U6QeM2qlszBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBDTNSew0xsPvYG7UiPm3rC2gDBdODpfNj9Y+ihtpKsm67MmN88nbQZ2LPfg2ClMVFQOYtKs+3nQoT8LupqIDGMIRYo=]
 profile::openvpn::auth_ldap_password: ENC[PKCS7,MIIBiQYJKoZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQEwDQYJKoZIhvcNAQEBBQAEggEAHnkX82SuWKYuW/ROAxQX3fw+HrN/AQf3BpbeUdSwCe9+ljLni05W4ZypQkRNgEksUfD0bBgK2RA7PF+KYSnTpA5v+GkqjUn8iAZg9whEpQaK7wfidp8rSL+nlsJFNE8mPHLCoO+6xHMFmm6XCCsFnQ2qYNQAjWeecngdp3IIZi2Vs8NBYJbOEovsRgdksNu7gO516C9DBrWKaTOf7j9x28g22XFQ3kxefxq89QGquvwc3Lyl8iNInJNUQ8wmCk54+m2CvTKzbqnO53QgHbw2VUwN+6JnmN+HgxzSM9o+VO8x2S8o8dzS0v45fWwLM4sKuwUPeAxfVGpfb2J46ab3tzBMBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAidRxKsLYgBugid4s3KGq+gCBhpSsRd85sDKxC3m6l5ys56qg96hfUV7BRqeygYAztiw==]
 # CA comes from https://github.com/jenkins-infra/docker-openvpn