github.com/telepresenceio/telepresence/v2@v2.20.0-pro.6.0.20240517030216-236ea954e789/test-infra/aws-vpn/README.md

# aws-vpn infrastructure example

This example will provision a VPC on AWS, together with an EKS cluster that's private to the VPC and a ClientVPN endpoint to access it.
This is basically all that is needed for a private EKS cluster inside a VPC, and can be used to test how telepresence interacts with different VPN scenarios.

## How to use it

### 0. Prerequisites

You will need a route53 zone in your AWS account.
A hosted zone will be created as a subdomain of this existing zone to serve as the DNS name for the VPN's certificates.

You'll also need to configure your `aws` CLI and authenticate into AWS. Please read the [AWS docs](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-welcome.html) to learn how to do this.

Finally, you need to install [terraform](https://www.terraform.io/) and run `terraform init` in the `aws-vpn` directory (this directory!).

### 1. Generating PKI

First, you need to generate key material for the VPN.
This can be done by simply running the `pki.sh` script in the `aws-vpn` directory.
The certs and keys for the VPN will be placed in a `certs` folder.

### 2. Configuration

Next, you need to configure this Terraform stack to generate a VPC/VPN/Cluster with the parameters you need.
The easiest way to do this is to create a `terraform.tfvars` file inside the `aws-vpn` directory and place the configuration's variables there.
The format of this file should be:

```hcl
aws_region              = "us-east-1"              # The AWS region to use
parent_domain           = "foo.net"                # The hosted zone mentioned in section 0
child_subdomain         = "my-subdomain"           # The name of the subdomain that will be created under it
child_subdomain_comment = "My subdomain's comment" # A human-readable description for the subdomain
vpc_cidr                = "10.0.0.0/16"            # The CIDR range for IP addresses within the VPC
vpn_client_cidr         = "10.20.0.0/22"           # The CIDR range for clients that connect to the VPN
service_cidr            = "10.19.0.0/16"           # The CIDR range for k8s services in the EKS cluster
split_tunnel            = true                     # Whether the VPN should be configured with split tunneling
```

### 3. Deploying

Now all you have to do is apply the configuration:

```bash
terraform apply
```

Terraform will show you the infrastructure to provision and ask for confirmation.

### 4. Connecting

First, you will have to download the VPN configuration from AWS. The following command will download it and place it in a `config.ovpn` file:

```bash
# Note that you may need to pass a --region flag
aws ec2 export-client-vpn-client-configuration --client-vpn-endpoint-id $(terraform output -raw vpn_id) | jq -r .ClientConfiguration > config.ovpn
```

Note that the exported configuration does not include the client cert and key; to add those, simply append them inline:

```bash
echo "<cert>" >> config.ovpn
cat certs/VPNCert.crt >> config.ovpn
echo "</cert>" >> config.ovpn
echo "<key>" >> config.ovpn
cat certs/VPNCert.key >> config.ovpn
echo "</key>" >> config.ovpn
```

At that point, you should be able to import the `config.ovpn` file into any OpenVPN client.

Lastly, you'll need to download the kubernetes configuration:

```bash
# Use the aws_region you set in terraform.tfvars
aws eks --region us-east-1 update-kubeconfig --name $(terraform output -raw eks_name)
```

Once you do this, and connect to the VPN through your client, `kubectl` should be connected to the new cluster!
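The cert/key embedding step in section 4 appends to `config.ovpn` unconditionally. The following is an added example, not part of the telepresence repository, that performs the same step with the checks a practitioner wants: it assumes the `certs/VPNCert.crt` and `certs/VPNCert.key` files produced by `pki.sh` and the `config.ovpn` exported above, rejects inputs that are not PEM, refuses to append a second copy if re-run, and restricts the file's permissions since it now carries a private key.

```shell
#!/bin/sh
# embed_client_cert CONFIG CERT KEY
# Appends the client certificate and private key as inline <cert>/<key>
# blocks to an exported Client VPN .ovpn file, checking first that:
#   - both PEM files exist and look like a certificate / private key
#   - the config does not already carry inline blocks (re-running the
#     plain `cat >>` recipe would append a second copy)
# and finally makes the file owner-only readable, since it now holds a
# private key.
embed_client_cert() {
    config="$1"; cert="$2"; key="$3"
    [ -f "$config" ] || { echo "missing config: $config" >&2; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null \
        || { echo "not a PEM certificate: $cert" >&2; return 1; }
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" 2>/dev/null \
        || { echo "not a PEM private key: $key" >&2; return 1; }
    if grep -q -e '<cert>' -e '<key>' "$config"; then
        echo "$config already contains inline cert/key blocks" >&2
        return 2
    fi
    {
        echo "<cert>"; cat "$cert"; echo "</cert>"
        echo "<key>";  cat "$key";  echo "</key>"
    } >> "$config"
    chmod 600 "$config"
}

# has_inline_cert CONFIG: succeeds if CONFIG carries both inline blocks
has_inline_cert() {
    grep -q '<cert>' "$1" && grep -q '</cert>' "$1" \
        && grep -q '<key>' "$1" && grep -q '</key>' "$1"
}

# Usage against the files produced by pki.sh and the export command above:
#   embed_client_cert config.ovpn certs/VPNCert.crt certs/VPNCert.key
```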