VPNaaS custom script - Provisioning VPN as a Service based on Firezone
This Python script provisions VPN as a Service based on Firezone in OpenStack via Waldur. It uses Flatcar Linux and the Butane binary, which the user needs to provide inside the Docker container used for running Waldur custom scripts.
An additional requirement is an OpenID Connect provider for end-user authentication in Firezone. The default VPN port is UDP/51820. Required components:
- Keycloak with admin access for OpenID Connect client creation
- Butane for converting the Flatcar Linux YAML config into JSON
- OpenStack nova for running the Firezone VM
- OpenStack Designate for generating the VM's FQDN; Firezone uses that FQDN for HTTPS certificate generation
The Firezone VM needs an Internet connection for Let's Encrypt certificate generation and GitHub access for downloading the script.
To set it up:
- Prepare the Waldur custom script runner container so that it contains Butane and the required Python packages
- Paste create.py into the creation script and terminate.py into the termination script
- Populate the environment variables listed below
- Add a user input field with the internal name "tenant" and the type "Select OpenStack tenant", and make it a required field
The following environment variables need to be provided in the Waldur custom script:
- WALDUR_API_URL - API URL of the Waldur deployment that holds OpenStack
- WALDUR_API_TOKEN - Waldur API token
- KEYCLOAK_URL - Keycloak address for creating OpenID Connect clients
- KEYCLOAK_USERNAME - Keycloak admin username
- KEYCLOAK_PASSWORD - Keycloak admin password
- KEYCLOAK_REALM - Keycloak realm
- CREATOR_EMAIL - Email of the user who created the VPN instance
- IMAGE - OpenStack image
- FLAVOR - OpenStack flavor
- SYSTEM_VOLUME_SIZE - Size of the system volume for the OpenStack VM
- RUN_BUTANE_IN_DOCKER - When set to True, run Butane in a Docker container instead of calling the binary directly
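The setup steps and the variable list above leave two details to the script author: validating the environment the runner container hands the script, and choosing how Butane is invoked depending on RUN_BUTANE_IN_DOCKER. The following is an added example written for this page, not code from create.py or from the Waldur or Firezone projects. It reads the variables named above, refuses to start when one is missing (reporting names only, never values), redacts the API token and the Keycloak password from any printed form of the config, and builds the Butane command line. The Butane flags (--pretty, --strict), the quay.io/coreos/butane:release image, and the load_config/butane_command/render_ignition function names are assumptions of this example.

```python
import os
import subprocess
from dataclasses import dataclass, field

# Environment variables the README requires the Waldur custom script to supply.
REQUIRED_VARS = (
    "WALDUR_API_URL", "WALDUR_API_TOKEN",
    "KEYCLOAK_URL", "KEYCLOAK_USERNAME", "KEYCLOAK_PASSWORD", "KEYCLOAK_REALM",
    "CREATOR_EMAIL", "IMAGE", "FLAVOR", "SYSTEM_VOLUME_SIZE",
)
# Values that must never appear in logs, tracebacks or error messages.
SECRET_VARS = frozenset({"WALDUR_API_TOKEN", "KEYCLOAK_PASSWORD"})
# Accepted spellings of "True" for RUN_BUTANE_IN_DOCKER.
TRUE_VALUES = frozenset({"true", "1", "yes", "on"})


@dataclass
class Config:
    values: dict = field(default_factory=dict)
    run_butane_in_docker: bool = False
    system_volume_size: int = 0

    def __repr__(self):
        # Redact secrets so an accidental print() or log of the config is harmless.
        shown = {k: ("<redacted>" if k in SECRET_VARS else v)
                 for k, v in self.values.items()}
        return f"Config({shown}, run_butane_in_docker={self.run_butane_in_docker})"


def load_config(env=None):
    """Read and validate the custom-script environment (defaults to os.environ)."""
    env = os.environ if env is None else env
    missing = [name for name in REQUIRED_VARS if not env.get(name, "").strip()]
    if missing:
        # Report only the variable names; values may be secrets.
        raise ValueError("missing required environment variables: " + ", ".join(missing))
    values = {name: env[name].strip() for name in REQUIRED_VARS}
    size = values["SYSTEM_VOLUME_SIZE"]
    if not size.isdigit() or int(size) <= 0:
        raise ValueError("SYSTEM_VOLUME_SIZE must be a positive integer")
    flag = env.get("RUN_BUTANE_IN_DOCKER", "").strip().lower()
    return Config(values=values,
                  run_butane_in_docker=flag in TRUE_VALUES,
                  system_volume_size=int(size))


def butane_command(run_in_docker):
    """argv that converts a Butane YAML config on stdin into Ignition JSON on stdout.
    --strict turns warnings (e.g. a misspelled key) into a hard failure, so a typo
    cannot silently drop a setting from the VM config. (Assumed flags/image.)"""
    if run_in_docker:
        # Converting a config needs no network; pin an image digest in production.
        return ["docker", "run", "--rm", "-i", "--network=none",
                "quay.io/coreos/butane:release", "--pretty", "--strict"]
    return ["butane", "--pretty", "--strict"]


def render_ignition(butane_yaml, run_in_docker):
    """Run Butane on the given YAML text and return the Ignition JSON text."""
    result = subprocess.run(butane_command(run_in_docker), input=butane_yaml,
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    cfg = load_config()          # raises with a clear message if something is missing
    print(cfg)                   # secrets are shown as <redacted>
    print(butane_command(cfg.run_butane_in_docker))
```

Failing fast on a missing or malformed variable is deliberate: a provisioning script that continues with an empty KEYCLOAK_URL or IMAGE can create a half-configured VM that is reachable on UDP/51820 before anyone notices the error.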