pkg/k8s/apis: support for preshared keys in peers

This commit adds support for defining preshared keys when declaring a new Peer CRD. This preshared key will be used whenever the nodes in the Kilo mesh communicate with that peer. Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-05-05 11:36:39 +02:00
parent e4829832c5
commit 0a10dc921c
9 changed files with 64 additions and 9 deletions
--- a/pkg/k8s/apis/kilo/v1alpha1/openapi_generated.go
+++ b/pkg/k8s/apis/kilo/v1alpha1/openapi_generated.go
@@ -304,9 +304,16 @@ func schema_k8s_apis_kilo_v1alpha1_PeerSpec(ref common.ReferenceCallback) common
 							Format:      "int32",
 						},
 					},
+					"presharedKey": {
+						SchemaProps: spec.SchemaProps{
+							Description: "PresharedKey is the optional symmetric encryption key for the peer.",
+							Type:        []string{"string"},
+							Format:      "",
+						},
+					},
 					"publicKey": {
 						SchemaProps: spec.SchemaProps{
-							Description: "PublicKey is the WireGuard public key for the node.",
+							Description: "PublicKey is the WireGuard public key for the peer.",
 							Type:        []string{"string"},
 							Format:      "",
 						},
--- a/pkg/k8s/apis/kilo/v1alpha1/types.go
+++ b/pkg/k8s/apis/kilo/v1alpha1/types.go
@@ -72,7 +72,10 @@ type PeerSpec struct {
 	// disables the feature.
 	// +optional
 	PersistentKeepalive int `json:"persistentKeepalive,omitempty"`
-	// PublicKey is the WireGuard public key for the node.
+	// PresharedKey is the optional symmetric encryption key for the peer.
+	// +optional
+	PresharedKey string `json:"presharedKey"`
+	// PublicKey is the WireGuard public key for the peer.
 	PublicKey string `json:"publicKey"`
 }

--- a/pkg/k8s/backend.go
+++ b/pkg/k8s/backend.go
@@ -336,6 +336,10 @@ func translatePeer(peer *v1alpha1.Peer) *mesh.Peer {
 	if len(peer.Spec.PublicKey) > 0 {
 		key = []byte(peer.Spec.PublicKey)
 	}
+	var psk []byte
+	if len(peer.Spec.PresharedKey) > 0 {
+		psk = []byte(peer.Spec.PresharedKey)
+	}
 	var pka int
 	if peer.Spec.PersistentKeepalive > 0 {
 		pka = peer.Spec.PersistentKeepalive
@@ -345,8 +349,9 @@ func translatePeer(peer *v1alpha1.Peer) *mesh.Peer {
 		Peer: wireguard.Peer{
 			AllowedIPs:          aips,
 			Endpoint:            endpoint,
-			PublicKey:           key,
 			PersistentKeepalive: pka,
+			PresharedKey:        psk,
+			PublicKey:           key,
 		},
 	}
 }
@@ -465,6 +470,7 @@ func (pb *peerBackend) Set(name string, peer *mesh.Peer) error {
 		}
 	}
 	p.Spec.PersistentKeepalive = peer.PersistentKeepalive
+	p.Spec.PresharedKey = string(peer.PresharedKey)
 	p.Spec.PublicKey = string(peer.PublicKey)
 	if _, err = pb.client.KiloV1alpha1().Peers().Update(p); err != nil {
 		return fmt.Errorf("failed to update peer: %v", err)
--- a/pkg/k8s/backend_test.go
+++ b/pkg/k8s/backend_test.go
@@ -299,6 +299,17 @@ func TestTranslatePeer(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "valid preshared key",
+			spec: v1alpha1.PeerSpec{
+				PresharedKey: "psk",
+			},
+			out: &mesh.Peer{
+				Peer: wireguard.Peer{
+					PresharedKey: []byte("psk"),
+				},
+			},
+		},
 	} {
 		p := &v1alpha1.Peer{}
 		p.Spec = tc.spec