feat(nginx): Add TCP/UDP port openings

2025-03-24 17:49:41 +01:00 · 2025-03-24 17:49:41 +01:00 · 7084aa1257
commit 7084aa1257
parent 05003237f6
12 changed files with 188 additions and 7 deletions
--- a/nginx/external/deploy.yaml
+++ b/nginx/external/deploy.yaml
@ -351,6 +351,30 @@ spec:
    port: 443
    protocol: TCP
    targetPort: https
+  - name: netbird-one-udp
+    port: 3478
+    protocol: UDP
+    targetPort: netbird-one-udp
+  - name: netbird-one-tcp
+    port: 3478
+    protocol: TCP
+    targetPort: netbird-one-tcp
+  - name: netbird-two-udp
+    port: 5349
+    protocol: UDP
+    targetPort: netbird-two-udp
+  - name: netbird-two-tcp
+    port: 5349
+    protocol: TCP
+    targetPort: netbird-two-tcp
+  - name: netbird-rel-tcp
+    port: 33080
+    protocol: TCP
+    targetPort: netbird-rel-tcp
+  - name: netbird-rel-udp
+    port: 33080
+    protocol: UDP
+    targetPort: netbird-rel-udp
  - name: prometheus
    port: 10254
    protocol: TCP
@ -444,6 +468,8 @@ spec:
        - --validating-webhook-certificate=/usr/local/certificates/cert
        - --validating-webhook-key=/usr/local/certificates/key
        - --enable-metrics=true
+        - --udp-services-configmap=$(POD_NAMESPACE)/nginx-external-ingress-udp-services
+        - --tcp-services-configmap=$(POD_NAMESPACE)/nginx-external-ingress-tcp-services
        env:
        - name: POD_NAME
          valueFrom:
@ -480,6 +506,24 @@ spec:
        - containerPort: 443
          name: https
          protocol: TCP
+        - containerPort: 3478
+          name: netbird-one-udp
+          protocol: UDP
+        - containerPort: 3478
+          name: netbird-one-tcp
+          protocol: TCP
+        - containerPort: 5349
+          name: netbird-two-udp
+          protocol: UDP
+        - containerPort: 5349
+          name: netbird-two-tcp
+          protocol: TCP
+        - containerPort: 33080
+          name: netbird-rel-tcp
+          protocol: TCP
+        - containerPort: 33080
+          name: netbird-rel-udp
+          protocol: UDP
        - containerPort: 8443
          name: webhook
          protocol: TCP
--- a/nginx/external/kustomization.yaml
+++ b/nginx/external/kustomization.yaml
@ -4,4 +4,6 @@ kind: Kustomization
 resources:
  - deploy.yaml
  - loadbalancer.yaml
-  - networkpolicy.yaml
+  #- networkpolicy.yaml
+  - udp-services.yaml
+  - tcp-services.yaml
--- a/nginx/external/loadbalancer.yaml
+++ b/nginx/external/loadbalancer.yaml
@ -17,5 +17,29 @@ spec:
      port: 443
      protocol: TCP
      targetPort: 443
+    - name: netbird-one-udp
+      port: 3478
+      protocol: UDP
+      targetPort: 3478
+    - name: netbird-one-tcp
+      port: 3478
+      protocol: TCP
+      targetPort: 3478
+    - name: netbird-two-udp
+      port: 5349
+      protocol: UDP
+      targetPort: 5349
+    - name: netbird-two-tcp
+      port: 5349
+      protocol: TCP
+      targetPort: 5349
+    - name: netbird-rel-udp
+      port: 33080
+      protocol: UDP
+      targetPort: 33080
+    - name: netbird-rel-tcp
+      port: 33080
+      protocol: TCP
+      targetPort: 33080
  type: LoadBalancer
  externalTrafficPolicy: Local
--- a/nginx/external/networkpolicy.yaml
+++ b/nginx/external/networkpolicy.yaml
@ -21,8 +21,8 @@ spec:
          - 54.224.0.0/11 # Random crawler
    ports:
    - protocol: TCP
-      port: 80
-    - protocol: TCP
-      port: 443
-    - protocol: TCP
-      port: 8443
+      port: 1
+      endPort: 65535
+    - protocol: UDP
+      port: 1
+      endPort: 65535
--- a/nginx/external/tcp-services.yaml
+++ b/nginx/external/tcp-services.yaml
@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nginx-external-ingress-tcp-services
+  namespace: nginx-ingress
+data:
+  "3478": "netbird/netbird-turn-svc:3478"
+  "5349": "netbird/netbird-turn-svc:5349"
+  "33080": "netbird/netbird-relay-svc:33080"
--- a/nginx/external/udp-services.yaml
+++ b/nginx/external/udp-services.yaml
@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nginx-external-ingress-udp-services
+  namespace: nginx-ingress
+data:
+  "3478": "netbird/netbird-turn-svc:3478"
+  "5349": "netbird/netbird-turn-svc:5349"
+  "33080": "netbird/netbird-relay-svc:33080"
--- a/nginx/internal/deploy.yaml
+++ b/nginx/internal/deploy.yaml
@ -341,6 +341,14 @@ spec:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
+  - name: dns-tcp
+    port: 53
+    protocol: TCP
+    targetPort: dns-tcp
+  - name: dns-udp
+    port: 53
+    protocol: TCP
+    targetPort: dns-udp
  - appProtocol: http
    name: http
    port: 80
@ -444,6 +452,8 @@ spec:
        - --validating-webhook-certificate=/usr/local/certificates/cert
        - --validating-webhook-key=/usr/local/certificates/key
        - --enable-metrics=true
+        - --udp-services-configmap=$(POD_NAMESPACE)/nginx-internal-ingress-udp-services
+        - --tcp-services-configmap=$(POD_NAMESPACE)/nginx-internal-ingress-tcp-services
        env:
        - name: POD_NAME
          valueFrom:
@ -474,6 +484,12 @@ spec:
          timeoutSeconds: 1
        name: controller
        ports:
+        - containerPort: 53
+          name: dns-tcp
+          protocol: TCP
+        - containerPort: 53
+          name: dns-udp
+          protocol: UDP
        - containerPort: 80
          name: http
          protocol: TCP
--- a/nginx/internal/kustomization.yaml
+++ b/nginx/internal/kustomization.yaml
@ -3,4 +3,7 @@ kind: Kustomization

 resources:
  - deploy.yaml
-  - loadbalancer.yaml
+  - loadbalancer-local.yaml
+  - loadbalancer-vpn.yaml
+  - udp-services.yaml
+  - tcp-services.yaml
--- a/nginx/internal/loadbalancer-local.yaml
+++ b/nginx/internal/loadbalancer-local.yaml
@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: nginx-internal-ingress-controller-loadbalancer-local
+  namespace: nginx-ingress
+spec:
+  selector:
+    app.kubernetes.io/component: controller-internal
+    app.kubernetes.io/instance: nginx-internal-ingress
+    app.kubernetes.io/name: nginx-internal-ingress
+  ports:
+    - name: http
+      port: 80
+      protocol: TCP
+      targetPort: 80
+    - name: https
+      port: 443
+      protocol: TCP
+      targetPort: 443
+    - name: dns-tcp
+      port: 53
+      protocol: TCP
+      targetPort: 53
+    - name: dns-udp
+      port: 53
+      protocol: UDP
+      targetPort: 53
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  loadBalancerIP: 10.10.0.16
--- a/nginx/internal/loadbalancer-vpn.yaml
+++ b/nginx/internal/loadbalancer-vpn.yaml
@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: nginx-internal-ingress-controller-loadbalancer-vpn
+  namespace: nginx-ingress
+spec:
+  selector:
+    app.kubernetes.io/component: controller-internal
+    app.kubernetes.io/instance: nginx-internal-ingress
+    app.kubernetes.io/name: nginx-internal-ingress
+  ports:
+    - name: http
+      port: 80
+      protocol: TCP
+      targetPort: 80
+    - name: https
+      port: 443
+      protocol: TCP
+      targetPort: 443
+    - name: dns-tcp
+      port: 53
+      protocol: TCP
+      targetPort: 53
+    - name: dns-udp
+      port: 53
+      protocol: UDP
+      targetPort: 53
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  loadBalancerIP: 10.20.0.1
--- a/nginx/internal/tcp-services.yaml
+++ b/nginx/internal/tcp-services.yaml
@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nginx-internal-ingress-tcp-services
+  namespace: nginx-ingress
+data:
+  "53": "adguard/adguard-svc:53"
--- a/nginx/internal/udp-services.yaml
+++ b/nginx/internal/udp-services.yaml
@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nginx-internal-ingress-udp-services
+  namespace: nginx-ingress
+data:
+  "53": "adguard/adguard-svc:53"