7.2.2

Deploying a partial configuration

The following example ipsec-configmap.yml file shows a partial configuration:

apiVersion: v1
kind: ConfigMap
metadata:
    name: foscfg-ipsec
    labels:
        app: fos
        category: config
data:
    type: partial
    config: |-
        config vpn certificate ca
            edit "ipsec-ca"
                set ca "-----BEGIN CERTIFICATE-----
                MIIDJDCCAgygAwIBAgIJAK6dHv+qKBjJMA0GCSqGSIb3DQEBCwUAMBExDzANBgNV
                BAMMBnRlc3RjYTAeFw0yMjAxMTMxODIxMThaFw0zMjAxMTExODIxMThaMBExDzAN
                BgNVBAMMBnRlc3RjYTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOXE
                ct+WmzZ8YT+rJEQKDGfgqiJu9kzNz+Na0smwPvFEOfcm6XYHqy/li+CdyIGCtlQX
                hDbABD7uQiVBObzO4VzPn3Ik7PMR+hBr0sULqOQ8SkgU/H/pgm5WjSO0oiiPoQon
                LWDQXs294aF0EouNp0KfI9vXkAvzv57RUGeuPfr9tvoLyIgBB1nqWbK98GfMyX1K
                sHB0mp0PCxq1S6hQK9pny3/wvsq3YxggpJAFpCAbDXI97jhk9atMaIRjGErUZNsO
                .....
                .....
                .....
                -----END CERTIFICATE-----"
                next
            end
        config vpn certificate local
            edit "ipsec-cert"
                set password "{{ipsec-certs:ipsec-cert-pass}}"
                set private-key "{{ipsec-certs:ipsec-cert-key}}"
                set certificate "-----BEGIN CERTIFICATE-----
                MIIDYDCCAkigAwIBAgIQAx0NCLIRx9Q5lWcGmS2U+DANBgkqhkiG9w0BAQsFADAR
                MQ8wDQYDVQQDDAZ0ZXN0Y2EwHhcNMjIwMTEzMTkwMDUzWhcNMjQwNDE3MTkwMDUz
                WjAYMRYwFAYDVQQDDA1pcHNlYy1jbGllbnQyMIIBIjANBgkqhkiG9w0BAQEFAAOC
                AQ8AMIIBCgKCAQEAyXXh8OiuEf5Drh+df3FJm2f/ZKNvRONEQba/77cHVRT2pjOV
                07llYQye1mG0JBedUM0SFEkmWkafyYE+KzYzse2r7NSX1bkFizW/TwrNk/VCuLMt
                +HUgClrcmrPAdbDUZYyIKWKN4FwlOyZz0YNA14NuM/gNE+fY1kaaaojxqfpneJCW
                nYcfCTuNgADnyHjzXZMLulj+4Cy1OylKSKX7cAVt9pS2SwzzGF4fGnlDKhfAtxzR
                .....
                .....
                .....
                -----END CERTIFICATE-----"
                next
            end
        config vpn ipsec phase1-interface
            edit "test-p1"
                set interface "eth0"
                set peertype any
                set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
                set psksecret {{ipsec-psks:psk1}}
                set auto-negotiate disable
                next
            end
        config vpn ipsec phase2-interface
            edit "test-p2"
                set phase1name "test-p1"
                set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
                set dhgrp 14 15 5
                set src-subnet 10.4.96.0 255.255.240.0
                set dst-subnet 10.0.4.0 255.255.255.0
                next
            end

Configuration should be created with the following guidelines:

  • Labels app: fos and category: config are required.

  • type: partial indicates that this is a partial configuration.

  • The config section holds the actual configuration data as a series of CLI commands.

  • In the configuration, there are variables (for example, {{ipsec-certs:ipsec-cert-pass}} and {{ipsec-certs:ipsec-cert-key}}) that are references to keys in Secrets. Kubernetes uses Secrets to store sensitive data.

    In this example, we save an IPSEC pre-shared key in a Secret called ipsec-certs with the key ipsec-cert-pass. In the configuration we can use {{ipsec-certs:ipsec-cert-pass}} to refer to it.

    The format is {{<Secret name>:<Key name>}}.

    The following example command creates this secret:

    kubectl create secret generic ipsec-certs --from-literal=ipsec-cert-pass=12345678

    For more information about Kubernetes Secrets, see https://kubernetes.io/docs/concepts/configuration/secret/.
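The following added example (not Fortinet's code) shows a pre-apply check for the guidelines above: it verifies the required labels and type, and resolves every {{<Secret name>:<Key name>}} reference in data.config against the Secrets that actually exist, so a missing Secret or key is caught before the ConfigMap is deployed. The ConfigMap dict and the SECRETS dict are constructed stand-ins for the YAML file and the cluster's decoded Secrets; ipsec-psks is deliberately left out to show an unresolved reference.

```python
import re

# Constructed sample mirroring the ipsec-configmap.yml on this page
# (metadata plus the part of data.config that carries Secret references).
CONFIGMAP = {
    "metadata": {"name": "foscfg-ipsec",
                 "labels": {"app": "fos", "category": "config"}},
    "data": {"type": "partial", "config": (
        'config vpn certificate local\n'
        '    edit "ipsec-cert"\n'
        '        set password "{{ipsec-certs:ipsec-cert-pass}}"\n'
        '        set private-key "{{ipsec-certs:ipsec-cert-key}}"\n'
        '    next\n'
        'end\n'
        'config vpn ipsec phase1-interface\n'
        '    edit "test-p1"\n'
        '        set psksecret {{ipsec-psks:psk1}}\n'
        '    next\n'
        'end\n')},
}

# Constructed stand-in for the cluster's Secrets, already base64-decoded:
# {secret name: {key: value}}. The ipsec-psks Secret is missing on purpose.
SECRETS = {"ipsec-certs": {"ipsec-cert-pass": "12345678",
                           "ipsec-cert-key": "-----BEGIN PRIVATE KEY-----..."}}

# Matches the page's {{<Secret name>:<Key name>}} reference format.
REF = re.compile(r"\{\{([^{}:]+):([^{}:]+)\}\}")
REQUIRED_LABELS = {"app": "fos", "category": "config"}

def check_configmap(cm):
    """Return the list of guideline violations (empty means compliant)."""
    problems = []
    labels = cm.get("metadata", {}).get("labels", {})
    for k, v in REQUIRED_LABELS.items():
        if labels.get(k) != v:
            problems.append(f"label {k}: {v} is required")
    data = cm.get("data", {})
    if data.get("type") != "partial":
        problems.append("type: partial is required for a partial configuration")
    if not data.get("config"):
        problems.append("config section is empty")
    return problems

def missing_references(config_text, secrets):
    """Return every {{secret:key}} reference that no Secret in `secrets` satisfies."""
    return sorted({f"{{{{{s}:{k}}}}}" for s, k in REF.findall(config_text)
                   if k not in secrets.get(s, {})})

def render(config_text, secrets):
    """Substitute all references; refuse to render if any is unresolved."""
    missing = missing_references(config_text, secrets)
    if missing:
        raise KeyError(f"unresolved Secret references: {missing}")
    return REF.sub(lambda m: secrets[m.group(1)][m.group(2)], config_text)
```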