This repository is deprecated. Use borchero/meerkat instead.
Meerkat provides a cloud-native OpenVPN deployment that is tightly integrated with Vault to securely provision client certificates.
Compared to existing solutions, Meerkat has the following advantages:
- Certificates (especially the CA root certificate) are managed securely and cannot be accessed easily.
- Users can be managed via an HTTP API and certificates can be created/revoked dynamically. This also allows for easily adding a GUI in the future.
- Meerkat can be deployed fully automatically on Kubernetes, i.e. no manual steps are required.
The HTTP API is currently very minimal and not suited for any serious production environments.
Deploying Meerkat consists of multiple steps to ensure a high level of security. Furthermore, the following components must be installed on the cluster prior to this installation:
- Postgres: Database used for user management. This component is required.
- Vault: PKI for the OpenVPN server. This component is required (including the agent injector). Optionally, it may also be used to provide the database credentials; this is recommended but left up to the user.
- Traefik: Router which e.g. sets up basic authentication for the API. This component is optional and any resources depending on it are disabled by default.
- Switchboard: Kubernetes controller to set DNS records on the Google Cloud Platform. This component is optional and any resources depending on it are disabled by default.
Meerkat makes extensive use of Vault, and its Vault configuration is therefore provided as a Terraform module. To add the Meerkat configuration, run the manual setup steps explained here. Subsequently, you may add the following to the Terraform files that configure your Vault instance:
```hcl
module "meerkat" {
  source  = "borchero/meerkat/vault"
  version = "<version>"

  pki_common_name  = "vpn.example.com"
  pki_organization = "Example Corp"
}
```
Additional configuration options are documented here.
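The module above hands certificate issuance and revocation to Vault's PKI engine, and the OpenVPN server only ever sees the resulting certificates and CRL. The following is an added example, not code from Meerkat or from Vault: a small in-memory Go program that stands in for the PKI engine (the `PKI` type, its serial counter and revocation set are assumptions made for the example; a real deployment never exposes the CA key this way) so the issue/revoke/verify cycle can be run offline. Its subject fields mirror the module's `pki_common_name` and `pki_organization` variables, and `VerifyClient` is the admission check a VPN server has to perform against such a CA: chain to the trusted root, validity at the current time, a client-auth EKU, and absence from a CRL that is itself CA-signed and not past its `NextUpdate`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// ErrRevoked: the certificate chains to the CA but its serial is listed on the CRL.
var ErrRevoked = errors.New("client certificate has been revoked")

// PKI is a constructed, in-memory stand-in for the Vault PKI engine (assumption for
// this example). Real deployments keep the CA key inside Vault.
type PKI struct {
	CA         *x509.Certificate
	caKey      *ecdsa.PrivateKey
	nextSerial int64
	revoked    []pkix.RevokedCertificate
}

// sign creates a certificate from tmpl under parent and returns it parsed.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewPKI creates a self-signed CA; the subject mirrors pki_common_name and pki_organization.
func NewPKI(commonName, organization string) (*PKI, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: commonName, Organization: []string{organization}},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		// CRLSign is mandatory: CreateRevocationList rejects an issuer without it.
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca, err := sign(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &PKI{CA: ca, caKey: key, nextSerial: 1}, nil
}

// IssueClient signs a short-lived client-auth certificate for one VPN user.
func (p *PKI) IssueClient(user string, ttl time.Duration) (*x509.Certificate, error) {
	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	p.nextSerial++
	return sign(&x509.Certificate{
		SerialNumber: big.NewInt(p.nextSerial),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(ttl),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, p.CA, &clientKey.PublicKey, p.caKey)
}

// Revoke records a serial so that the next CRL lists it.
func (p *PKI) Revoke(serial *big.Int) {
	p.revoked = append(p.revoked, pkix.RevokedCertificate{SerialNumber: new(big.Int).Set(serial), RevocationTime: time.Now()})
}

// CRL signs the current revocation set as a DER-encoded CRL valid for one day.
func (p *PKI) CRL() ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(int64(len(p.revoked) + 1)), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour), RevokedCertificates: p.revoked}
	return x509.CreateRevocationList(rand.Reader, tmpl, p.CA, p.caKey)
}

// VerifyClient is the admission check the VPN server must make before accepting a client.
func VerifyClient(cert, ca *x509.Certificate, crlDER []byte, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	// A CRL that is unsigned by the trusted CA or past NextUpdate is not evidence; refuse rather than admit.
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return err
	}
	if now.After(crl.NextUpdate) {
		return errors.New("CRL is past NextUpdate; refusing to trust it")
	}
	for _, entry := range crl.RevokedCertificates {
		if entry.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}
```

The staleness check is the part most often skipped: a server that keeps accepting clients against a CRL it can no longer refresh silently turns a revocation into a no-op, which is why `VerifyClient` fails closed once `NextUpdate` has passed.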
Using Helm, Meerkat itself can be deployed as follows. Make sure that you set the values according to your prior steps.
```bash
helm repo add borchero https://charts.borchero.com
helm install meerkat borchero/meerkat
```
The Helm chart is currently mostly undocumented and offers few customization points; at the moment it focuses on the most common use cases.
Major building blocks that may be added in the future:
- Additional documentation
- A more robust API
- GUI for user management