Make VPN Network Range Configurable #8987

@SimonKienzler

Description

Summary

Currently, the VPN network range used in Gardener is restricted to the hard-coded default values, 192.168.123.0/24 and fd8f:6d53:b97a:1::/120. We propose to make this network range configurable to offer more flexibility to both operators and users. This is achieved by a new configuration option in gardener/gardener and gardener/vpn2.

Goals

  • allow deploying shoots into infrastructure networks that use the currently hard-coded VPN network (192.168.123.0/24)

Non-Goals

  • lift restrictions that shoot and seed networks must not overlap with the VPN network

Proposal

The proposal targets two projects: gardener/gardener and gardener/vpn2.

  • In gardener/gardener, configure VPN Network on Seed Level by introducing a new optional field Seed.spec.networks.vpn, type *string
    • default: current VPN CIDR (192.168.123.0/24 / fd8f:6d53:b97a:1::/120)
    • validation:
      • must be a valid CIDR matching the selected IPFamily
      • must have the same size as the current hard-coded network: /24 (IPv4), /120 (IPv6)
      • instead of validating disjointedness with the hard-coded CIDR, the seed networks must be disjoint with the specified CIDR
    • scheduling: shoot networks must be disjoint with seed VPN network (similar to other seed networks)
      • validate during admission
      • consider in scheduler during seed filtering
    • Implemented in Make VPN Network configurable #9597
  • In gardener/vpn2, introduce a new environment variable for configuring the VPN network to use: VPN_NETWORK

The gardenlet sets the configured VPN network in the values provided to the vpn-seed-server and vpn-shoot ManagedResource deployments.

Alternatives

  • introduce a new optional field Shoot.spec.networking.vpn, type *string
    • default: current VPN CIDR (192.168.123.0/24 / fd8f:6d53:b97a:1::/120)
    • validation:
      • must be a valid CIDR matching the selected IPFamily
      • must have the same size as the current hard-coded network: /24 (IPv4), /120 (IPv6)
      • Seed: the seed network disjointedness check with the VPN network is removed, as it can't be performed ahead of time (VPN Networks can be different for new Shoots)
    • Admission during shoot scheduling: validate that the specified VPN network is disjoint with the seed networks
    • CON: larger API surface. For the use cases we are aware of right now, the VPN CIDR range will be the same on all Shoots anyway
    • PRO: more flexibility, as VPN network can be selected individually for every Shoot

References

How to categorize this issue?
/area networking
/kind enhancement

/cc @timebertt @Kumm-Kai
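As an added example (not code from gardener/gardener, gardener/vpn2, or the issue author), the following Go program implements the rules listed under Proposal for the seed-level variant: resolve `Seed.spec.networks.vpn` to the hard-coded default when unset, require a valid CIDR of the selected IP family with the fixed /24 or /120 size, check at admission that the seed networks are disjoint from the configured VPN network, and apply the same disjointness test to a shoot's networks as a scheduler filter. The `SeedNetworks` type, the function names and the sample CIDRs are assumptions of this example, not Gardener API types; the rejection of host bits in the CIDR is extra strictness added here and is not a rule stated in the issue.

```go
package main

import (
	"fmt"
	"net/netip"
)

type IPFamily string

const (
	IPFamilyIPv4 IPFamily = "IPv4"
	IPFamilyIPv6 IPFamily = "IPv6"
	// The hard-coded VPN networks named in the issue; they remain the defaults.
	DefaultVPNNetworkIPv4 = "192.168.123.0/24"
	DefaultVPNNetworkIPv6 = "fd8f:6d53:b97a:1::/120"
)

// SeedNetworks is a simplified stand-in (an assumption of this example) for Seed.spec.networks.
type SeedNetworks struct {
	Pods     string
	Services string
	Nodes    string
	VPN      *string // proposed optional field Seed.spec.networks.vpn
}

// ResolveVPNNetwork returns the configured VPN network, or the family's default when unset.
func ResolveVPNNetwork(vpn *string, family IPFamily) (netip.Prefix, error) {
	raw := DefaultVPNNetworkIPv4
	if family == IPFamilyIPv6 {
		raw = DefaultVPNNetworkIPv6
	}
	if vpn != nil {
		raw = *vpn
	}
	p, err := netip.ParsePrefix(raw)
	if err != nil {
		return netip.Prefix{}, fmt.Errorf("vpn network %q is not a valid CIDR: %w", raw, err)
	}
	return p, nil
}

// ValidateVPNNetwork applies the proposal's rules: the CIDR must match the selected IP family
// and keep the hard-coded size. The host-bits check is an addition of this example.
func ValidateVPNNetwork(p netip.Prefix, family IPFamily) error {
	wantBits, wantV4 := 24, true
	if family == IPFamilyIPv6 {
		wantBits, wantV4 = 120, false
	}
	if p.Addr().Is4() != wantV4 {
		return fmt.Errorf("vpn network %s does not match IP family %s", p, family)
	}
	if p.Bits() != wantBits {
		return fmt.Errorf("vpn network %s must be a /%d for %s", p, wantBits, family)
	}
	if p != p.Masked() {
		return fmt.Errorf("vpn network %s has host bits set, expected %s", p, p.Masked())
	}
	return nil
}

// ensureDisjoint fails if any CIDR overlaps the VPN network (netip masks both sides).
func ensureDisjoint(vpn netip.Prefix, cidrs []string) error {
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return fmt.Errorf("network %q is not a valid CIDR: %w", c, err)
		}
		if p.Overlaps(vpn) {
			return fmt.Errorf("network %s overlaps the vpn network %s", p, vpn)
		}
	}
	return nil
}

// ValidateSeedNetworksDisjoint is the Seed admission check: seed networks vs. the configured VPN CIDR.
func ValidateSeedNetworksDisjoint(vpn netip.Prefix, nets SeedNetworks) error {
	return ensureDisjoint(vpn, []string{nets.Pods, nets.Services, nets.Nodes})
}

// ShootFitsSeed is the scheduler-side filter: shoot networks must not overlap the seed's VPN network.
func ShootFitsSeed(seedVPN netip.Prefix, shootNets []string) bool {
	return ensureDisjoint(seedVPN, shootNets) == nil
}

func main() {
	// Constructed sample: the seed's node network is the old hard-coded VPN range (the Goals case),
	// so the operator configures a different VPN CIDR of the same size.
	custom := "10.250.200.0/24"
	seed := SeedNetworks{Pods: "100.64.0.0/13", Services: "100.104.0.0/13", Nodes: "192.168.123.0/24", VPN: &custom}
	vpn, err := ResolveVPNNetwork(seed.VPN, IPFamilyIPv4)
	if err == nil {
		err = ValidateVPNNetwork(vpn, IPFamilyIPv4)
	}
	if err == nil {
		err = ValidateSeedNetworksDisjoint(vpn, seed)
	}
	fmt.Println("seed admission for vpn", vpn, "error:", err)
	fmt.Println("shoot 10.250.200.0/23 fits:", ShootFitsSeed(vpn, []string{"10.250.200.0/23"}))
}
```

Because the seed's VPN CIDR is known at admission time, both checks can run ahead of scheduling; this is exactly what the shoot-level alternative loses, since a per-shoot VPN network can only be checked against the seed once a seed candidate is picked.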
