Kubernetes Operator for a Cloud-Native OpenVPN Deployment.

Overview

Meerkat

Meerkat is a Kubernetes Operator that facilitates the deployment of OpenVPN in a Kubernetes cluster. By leveraging HashiCorp Vault, Meerkat securely manages the underlying PKI.

Features

Meerkat revolves around two CRDs, namely OvpnServer and OvpnClient. There may be arbitrarily many servers, while each client is always associated with exactly one server. These two CRDs give rise to the following features:

  • Generation of shared secrets for TLS Auth
  • Creation of an independent PKI for each server, with a securely managed private key
  • Dynamic OVPN server configuration
  • Rendering of OVPN client files for each client
  • Revocation of client certificates when an OvpnClient is deleted

Usage

This section gives a very brief overview of how Meerkat may be installed in your cluster.

Prerequisites

In order to use Meerkat, you must have access to a Vault instance. The following must be in place on that instance:

  • Kubernetes Auth has to be enabled and a role for Meerkat has to be defined
  • A service account must be configured with a policy that allows it to manage PKIs at a specified path (and its subpaths)
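The policy mentioned in the second prerequisite is where least privilege matters: the operator's service account should only be able to manage the tree under the path later passed to the chart as vault.pkiPath, and nothing else in Vault. The following is an added example (not Meerkat's own code or documentation) that parses a Vault policy written in the usual HCL form and reports whether it grants the capabilities Meerkat is assumed to need on that tree, and whether it hands out more than that. The path meerkat/pki, the required capability set (create, read, update, delete, list) and the three sample policies are assumptions constructed for the example.

```python
"""Check a Vault policy against what Meerkat needs on its PKI path.

Added example, not part of Meerkat. Assumptions: the PKI path is the
value you pass as vault.pkiPath, and managing PKIs there needs the
create/read/update/delete/list capabilities on the path and its subpaths.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

PKI_PATH = "meerkat/pki"  # constructed value; use your vault.pkiPath
REQUIRED = {"create", "read", "update", "delete", "list"}

# One `path "..." { capabilities = [...] }` block. This is a simplified
# matcher for policies written in the usual style, not a full HCL parser.
_BLOCK = re.compile(
    r'path\s+"(?P<path>[^"]+)"\s*\{[^}]*?capabilities\s*=\s*\[(?P<caps>[^\]]*)\]',
    re.S,
)


def parse_policy(hcl: str) -> dict[str, set[str]]:
    """Return {path_pattern: {capabilities}} for every path block found."""
    rules: dict[str, set[str]] = {}
    for m in _BLOCK.finditer(hcl):
        caps = {c.strip().strip('"') for c in m.group("caps").split(",") if c.strip()}
        rules[m.group("path")] = caps
    return rules


def path_matches(pattern: str, path: str) -> bool:
    """Approximate Vault's matching: '+' matches one segment, a trailing '*' any suffix."""
    glob = pattern.endswith("*")
    core = pattern[:-1] if glob else pattern
    rx = "/".join(r"[^/]+" if seg == "+" else re.escape(seg) for seg in core.split("/"))
    if glob:
        rx += ".*"
    return re.fullmatch(rx, path) is not None


@dataclass
class Report:
    ok: bool
    problems: list[str] = field(default_factory=list)


def check_policy(hcl: str, pki_path: str = PKI_PATH) -> Report:
    """Flag missing capabilities on the PKI tree and grants broader than that tree."""
    rules = parse_policy(hcl)
    base = pki_path.strip("/")
    probe = f"{base}/example-server/roles/client"  # a representative subpath
    problems: list[str] = []
    granted: set[str] = set()
    denied = False
    for pattern, caps in rules.items():
        if "sudo" in caps:
            problems.append(f'"{pattern}" grants sudo; Meerkat does not need it')
        if not path_matches(pattern, probe):
            continue
        if "deny" in caps:
            denied = True
        granted |= caps
        # A rule that reaches the PKI tree without being rooted in it is too broad.
        if not pattern.startswith(base + "/"):
            problems.append(f'"{pattern}" is broader than {base}/*; scope it down')
    if denied:
        problems.append(f"an explicit deny covers {base}/*")
    missing = REQUIRED - (set() if denied else granted)
    if missing:
        problems.append(f"missing on {base}/*: {', '.join(sorted(missing))}")
    return Report(ok=not problems, problems=problems)


# Constructed sample policies (not from the Meerkat project).
GOOD_POLICY = """
# least privilege: Meerkat's PKI tree only
path "meerkat/pki/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
"""

BROAD_POLICY = """
# works, but hands the operator the whole Vault
path "*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
"""

INCOMPLETE_POLICY = """
# read-only: Meerkat cannot create a PKI with this
path "meerkat/pki/*" {
  capabilities = ["read", "list"]
}
"""

if __name__ == "__main__":
    for name, hcl in [("good", GOOD_POLICY), ("broad", BROAD_POLICY), ("incomplete", INCOMPLETE_POLICY)]:
        report = check_policy(hcl)
        print(name, "OK" if report.ok else "; ".join(report.problems))
```

Run it over the output of `vault policy read <name>` before binding that policy to the Kubernetes auth role. One caveat, which is an assumption and not something the README states: if the chart expects Meerkat to mount the per-server PKI engines itself, the policy additionally needs rights under sys/mounts/<pkiPath>/*, which this check does not cover.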

Operator Deployment

With the prerequisites in place, you can deploy the operator using Helm:

helm repo add borchero https://charts.borchero.com
helm install meerkat borchero/meerkat \
    --set rbac.serviceAccountName=${SERVICE_ACCOUNT_NAME} \
    --set vault.auth.config.role=${KUBERNETES_ROLE} \
    --set vault.pkiPath=${PKI_PATH}

You can also leave all of these fields unset, in which case they fall back to sensible defaults. Consult the values file for further details.

Custom Resources

Once the operator is running, you can install the custom resources, creating a server and your clients. Have a look at the example manifests.

Once a client is created, a secret named after the client exists, containing the client's OVPN certificate. It can be retrieved using kubectl:

kubectl get secret <SECRET_NAME> -o json | jq -r '.data."certificate.ovpn"' | base64 -d
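The one-liner above works once the secret exists, but a script that provisions clients has to cope with the secret not being there yet (the operator renders it asynchronously) or existing without the expected key, and it must not drop a file containing a private key onto disk world-readable. The following is an added example, not Meerkat's own tooling, that performs the same retrieval with those cases handled. The key name certificate.ovpn and the secret-per-client naming come from the README; the sample secret JSON is constructed, not captured from a cluster, and the polling interval and timeout are arbitrary choices.

```python
"""Fetch an OvpnClient's rendered .ovpn file from its Secret.

Added example, not part of Meerkat. Mirrors the README's
`kubectl get secret <name> -o json | jq ... | base64 -d` pipeline, but
handles a missing Secret (wait for it), a missing key (fail loudly) and
writes the result with mode 0600 because it embeds the client's private key.
"""
from __future__ import annotations

import base64
import json
import os
import subprocess
import sys
import time

OVPN_KEY = "certificate.ovpn"  # key name taken from the README


class SecretNotFound(Exception):
    """kubectl reported NotFound: the operator has not rendered the secret yet."""


def extract_ovpn(secret_json: str) -> bytes:
    """Decode the .ovpn payload from a Secret's JSON; raise KeyError if the key is absent."""
    secret = json.loads(secret_json)
    data = secret.get("data") or {}
    if OVPN_KEY not in data:
        name = secret.get("metadata", {}).get("name")
        raise KeyError(f"secret {name!r} has no {OVPN_KEY!r} key (keys present: {sorted(data)})")
    # validate=True rejects non-base64 junk instead of silently skipping it.
    return base64.b64decode(data[OVPN_KEY], validate=True)


def fetch_secret_json(name: str, namespace: str) -> str:
    """Run kubectl and turn its NotFound error into SecretNotFound so callers can wait."""
    proc = subprocess.run(
        ["kubectl", "-n", namespace, "get", "secret", name, "-o", "json"],
        capture_output=True, text=True,
    )
    if proc.returncode != 0:
        if "NotFound" in proc.stderr:
            raise SecretNotFound(proc.stderr.strip())
        raise RuntimeError(proc.stderr.strip())
    return proc.stdout


def save_ovpn(name: str, namespace: str, out_path: str, timeout_s: float = 120.0) -> str:
    """Poll until the client's Secret exists, then write the .ovpn file with mode 0600."""
    deadline = time.monotonic() + timeout_s
    while True:
        try:
            payload = extract_ovpn(fetch_secret_json(name, namespace))
            break
        except SecretNotFound:
            if time.monotonic() >= deadline:
                raise
            time.sleep(5)  # arbitrary polling interval
    # Create the file with restrictive permissions from the start rather than chmod-ing later.
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(payload)
    return out_path


# Constructed sample: the shape of a Secret as `kubectl get secret -o json` prints it.
SAMPLE_OVPN = b"client\nremote vpn.example.invalid 1194\n<key>\nPLACEHOLDER-NOT-A-REAL-KEY\n</key>\n"
SAMPLE_SECRET_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "merlin", "namespace": "production"},
    "data": {OVPN_KEY: base64.b64encode(SAMPLE_OVPN).decode()},
})

if __name__ == "__main__":
    # usage: save_ovpn.py <client-name> <namespace> <output-path>
    if len(sys.argv) != 4:
        sys.exit("usage: save_ovpn.py <client-name> <namespace> <output-path>")
    print("wrote", save_ovpn(sys.argv[1], sys.argv[2], sys.argv[3]))
```

If the wait times out, the secret was never created, which is the symptom reported in the issue below; in that case check the operator's logs rather than retrying, because kubectl will keep answering NotFound.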

License

Meerkat is licensed under the MIT License.

Issues
  • Secret with client cert not generated

    The README says something about a secret being made named after the client which should contain the client certificate. I made an ovpnserver and ovpnclient resource like such:

    ❯ kubectl -n production get ovpnservers
    NAME      AGE
    prodvpn   8m18s
    
    ❯ kubectl -n production get ovpnclients
    NAME      AGE
    merlin    6m30s
    
    ❯ kubectl -n production describe ovpnclients/merlin
    Name:         merlin
    Namespace:    production
    Labels:       <none>
    Annotations:  API Version:  meerkat.borchero.com/v1alpha1
    Kind:         OvpnClient
    [...]
      Common Name:  merlin.hvs.saphyre.net
      Server Name:  prodvpn
    

    however there appears to be no secret named merlin:

    ❯ kubectl -n production get secret merlin -o json | jq -r '.data."certificate.ovpn"' | base64 -d
    Error from server (NotFound): secrets "merlin" not found
    

    Am I missing something?

    opened by Jayfrown 3
Releases: 0.1.0

Owner: Oliver Borchert (MSc Data Engineering and Analytics @ TUM | Research Assistant @ Data Analytics and Machine Learning Group)