support raven l7

Dockerfile

@@ -17,7 +17,7 @@ ARG TARGETOS
 ARG TARGETARCH
 
 # Build
-RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} GO111MODULE=on go build -a -o agent cmd/agent/main.go
+RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} GO111MODULE=on go build -a -o raven-agent-ds cmd/agent/main.go
 
 
 FROM alpine:3.17
@@ -28,9 +28,10 @@ RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.aliyun.com/g' /etc/apk/repositories
     && mkdir -p /run/openrc \
     && mkdir -p /run/pluto \
     && touch /run/openrc/softlevel \
-    && rc-update add ipsec
+    && rc-update add ipsec \
+    && [ "$(cat /proc/sys/net/ipv4/conf/all/send_redirects)" = 0 ] || echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
 
-COPY --from=builder /workspace/agent /usr/local/bin/
-COPY pluto raven.sh /usr/local/bin/
+COPY --from=builder /workspace/raven-agent-ds /usr/local/bin/
+COPY pluto /usr/local/bin/
 
-ENTRYPOINT raven.sh
+ENTRYPOINT ["/usr/local/bin/raven-agent-ds"]

charts/raven-agent/templates/config.yaml

@@ -3,6 +3,10 @@ data:
   vpn-driver: {{ .Values.vpn.driver }}
   forward-node-ip: {{ .Values.vpn.forwardNodeIP | quote }}
   metric-bind-addr: {{ .Values.vpn.metricBindAddr }}
+  tunnel-bind-addr: {{ .Values.vpn.tunnelAddr }}
+  proxy-external-addr: {{ .Values.proxy.externalAddr }}
+  proxy-internal-insecure-addr: {{ .Values.proxy.internalInsecureAddr }}
+  proxy-internal-secure-addr: {{ .Values.proxy.internalSecureAddr }}
 kind: ConfigMap
 metadata:
   name: raven-agent-config

charts/raven-agent/templates/daemonset.yaml

@@ -26,6 +26,8 @@ spec:
         env:
           {{- toYaml . | nindent 8 }}
         {{- end }}
+        args:
+          - --v=4
       hostNetwork: true
       {{- with .Values.nodeSelector }}
       nodeSelector:

charts/raven-agent/templates/rbac.yaml

@@ -19,6 +19,26 @@ rules:
       - watch
       - patch
       - update
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+      - services
+      - nodes
+    verbs:
+      - get
+      - list
+      - update
+      - watch
+  - apiGroups:
+      - certificates.k8s.io
+    resources:
+      - certificatesigningrequests
+    verbs:
+      - create
+      - get
+      - list
+      - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -31,4 +51,43 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: raven-agent-account
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ .Release.Namespace }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  annotations:
+    rbac.authorization.kubernetes.io/autoupdate: "true"
+  name: raven-proxy-user
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - nodes/stats
+      - nodes/metrics
+      - nodes/log
+      - nodes/spec
+      - nodes/proxy
+    verbs:
+      - create
+      - get
+      - list
+      - watch
+      - delete
+      - update
+      - patch
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: raven-proxy-user-binding
+subjects:
+  - kind: User
+    name: tunnel-proxy-client
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: raven-proxy-user
+  apiGroup: rbac.authorization.k8s.io
+---

charts/raven-agent/values.yaml

@@ -30,7 +30,6 @@ securityContext:
   privileged: true
 
 nodeSelector:
-  kubernetes.io/arch: amd64
   kubernetes.io/os: linux
 
 tolerations: [{"operator": "Exists"}]
@@ -50,6 +49,10 @@ containerEnv:
       valueFrom:
         fieldRef:
           fieldPath: spec.nodeName
+    - name: NODE_IP
+      valueFrom:
+        fieldRef:
+          fieldPath: status.hostIP
     - name: VPN_CONNECTION_PSK
       valueFrom:
         secretKeyRef:
@@ -70,6 +73,26 @@ containerEnv:
         configMapKeyRef:
           key: metric-bind-addr
           name: raven-agent-config
+    - name: VPN_BIND_ADDRESS
+      valueFrom:
+        configMapKeyRef:
+          key: tunnel-bind-addr
+          name: raven-agent-config
+    - name: PROXY_SERVER_INTERNAL_SECURE_ADDRESS
+      valueFrom:
+        configMapKeyRef:
+          key: proxy-internal-secure-addr
+          name: raven-agent-config
+    - name: PROXY_SERVER_INTERNAL_INSECURE_ADDRESS
+      valueFrom:
+        configMapKeyRef:
+          key: proxy-internal-insecure-addr
+          name: raven-agent-config
+    - name: PROXY_SERVER_EXTERNAL_ADDRESS
+      valueFrom:
+        configMapKeyRef:
+          key: proxy-external-addr
+          name: raven-agent-config
 vpn:
   driver: libreswan
   forwardNodeIP: false
@@ -79,6 +102,13 @@ vpn:
   # Pass it to helm with '--set vpn.psk=`openssl rand -hex 64`'
   # IMPORTANT: You should NOT use the example psk for a production deployment!
   psk: OPENYURT-RAVEN-AGENT-VPN-PSK
-  metricBindAddr: ":8080"
+  metricBindAddr: ":10265"
+  tunnelAddr: ":4500"
+proxy:
+  externalAddr: ":10262"
+  internalInsecureAddr: ":10264"
+  internalSecureAddr: ":10263"
+
+
 rollingUpdate:
   maxUnavailable: 5%

cmd/agent/app/config/config.go

@@ -24,12 +24,32 @@ import (
 // Config is the main context object for raven agent
 type Config struct {
 	NodeName           string
-	Kubeconfig         *rest.Config
-	Manager            manager.Manager
-	VPNDriver          string
-	RouteDriver        string
-	ForwardNodeIP      bool
+	NodeIP             string
 	MetricsBindAddress string
+	KubeConfig         *rest.Config
+	Manager            manager.Manager
+	Tunnel             *TunnelConfig
+	Proxy              *ProxyConfig
+}
+
+type TunnelConfig struct {
+	VPNDriver     string
+	VPNPort       string
+	RouteDriver   string
+	ForwardNodeIP bool
+}
+
+type ProxyConfig struct {
+	ProxyMetricsAddress string
+	ProxyClientCertDir  string
+
+	InternalInsecureAddress  string
+	InternalSecureAddress    string
+	ExternalAddress          string
+	ProxyServerCertDNSNames  string
+	ProxyServerCertIPs       string
+	ProxyServerCertDir       string
+	InterceptorServerUDSFile string
 }
 
 type completedConfig struct {