From 9d10d4a3dedc153d5787d0653b8e97186cb4bcbd Mon Sep 17 00:00:00 2001 From: leonnicolas Date: Mon, 22 Feb 2021 20:28:16 +0100 Subject: [PATCH] FEATURE: allow disabling private IPs When forcing the internal IP to "" or "-", private IPs won't be used. --- pkg/k8s/backend.go | 7 +++++++ pkg/k8s/backend_test.go | 36 ++++++++++++++++++++++++++++++++++-- pkg/mesh/backend.go | 7 ++++--- pkg/mesh/mesh.go | 3 ++- pkg/mesh/topology.go | 2 ++ 5 files changed, 49 insertions(+), 6 deletions(-) diff --git a/pkg/k8s/backend.go b/pkg/k8s/backend.go index 4a27a30..1395c00 100644 --- a/pkg/k8s/backend.go +++ b/pkg/k8s/backend.go @@ -271,6 +271,12 @@ func translateNode(node *v1.Node, topologyLabel string) *mesh.Node { if internalIP == nil { internalIP = normalizeIP(node.ObjectMeta.Annotations[internalIPAnnotationKey]) } + // Set the ForceInternalIP flag, if force-internal-ip annotation was set to "". + noInternalIP := false + if s, ok := node.ObjectMeta.Annotations[forceInternalIPAnnotationKey]; ok && (s == "" || s == "-") { + noInternalIP = true + internalIP = nil + } // Set Wireguard PersistentKeepalive setting for the node. var persistentKeepalive int64 if keepAlive, ok := node.ObjectMeta.Annotations[persistentKeepaliveKey]; !ok { @@ -296,6 +302,7 @@ func translateNode(node *v1.Node, topologyLabel string) *mesh.Node { // It is valid for the InternalIP to be nil, // if the given node only has public IP addresses. Endpoint: endpoint, + NoInternalIP: noInternalIP, InternalIP: internalIP, Key: []byte(node.ObjectMeta.Annotations[keyAnnotationKey]), LastSeen: lastSeen, diff --git a/pkg/k8s/backend_test.go b/pkg/k8s/backend_test.go index 1543d99..51d2c2b 100644 --- a/pkg/k8s/backend_test.go +++ b/pkg/k8s/backend_test.go @@ -137,7 +137,8 @@ func TestTranslateNode(t *testing.T) { forceInternalIPAnnotationKey: "-10.1.0.2/24", }, out: &mesh.Node{ - InternalIP: &net.IPNet{IP: net.ParseIP("10.1.0.1"), Mask: net.CIDRMask(24, 32)}, + InternalIP: &net.IPNet{IP: net.ParseIP("10.1.0.1"), Mask: net.CIDRMask(24, 32)}, + NoInternalIP: false, }, }, { @@ -147,7 +148,8 @@ func TestTranslateNode(t *testing.T) { forceInternalIPAnnotationKey: "10.1.0.2/24", }, out: &mesh.Node{ - InternalIP: &net.IPNet{IP: net.ParseIP("10.1.0.2"), Mask: net.CIDRMask(24, 32)}, + InternalIP: &net.IPNet{IP: net.ParseIP("10.1.0.2"), Mask: net.CIDRMask(24, 32)}, + NoInternalIP: false, }, }, { @@ -176,6 +178,7 @@ func TestTranslateNode(t *testing.T) { }, out: &mesh.Node{ Endpoint: &wireguard.Endpoint{DNSOrIP: wireguard.DNSOrIP{IP: net.ParseIP("10.0.0.2")}, Port: 51821}, + NoInternalIP: false, InternalIP: &net.IPNet{IP: net.ParseIP("10.1.0.2"), Mask: net.CIDRMask(32, 32)}, Key: []byte("foo"), LastSeen: 1000000000, @@ -214,6 +217,35 @@ func TestTranslateNode(t *testing.T) { }, subnet: "10.2.1.0/24", }, + { + name: "Force no internal IP", + annotations: map[string]string{ + endpointAnnotationKey: "10.0.0.1:51820", + internalIPAnnotationKey: "10.1.0.1/32", + forceInternalIPAnnotationKey: "", + keyAnnotationKey: "foo", + lastSeenAnnotationKey: "1000000000", + locationAnnotationKey: "b", + persistentKeepaliveKey: "25", + wireGuardIPAnnotationKey: "10.4.0.1/16", + }, + labels: map[string]string{ + RegionLabelKey: "a", + }, + out: &mesh.Node{ + Endpoint: &wireguard.Endpoint{DNSOrIP: wireguard.DNSOrIP{IP: net.ParseIP("10.0.0.1")}, Port: 51820}, + NoInternalIP: true, + InternalIP: nil, + Key: []byte("foo"), + LastSeen: 1000000000, + Leader: false, + Location: "b", + PersistentKeepalive: 25, + Subnet: &net.IPNet{IP: net.ParseIP("10.2.1.0"), Mask: net.CIDRMask(24, 32)}, + WireGuardIP: &net.IPNet{IP: net.ParseIP("10.4.0.1"), Mask: net.CIDRMask(16, 32)}, + }, + subnet: "10.2.1.0/24", + }, } { n := &v1.Node{} n.ObjectMeta.Annotations = tc.annotations diff --git a/pkg/mesh/backend.go b/pkg/mesh/backend.go index 35ca2f2..6053da1 100644 --- a/pkg/mesh/backend.go +++ b/pkg/mesh/backend.go @@ -51,9 +51,10 @@ const ( // Node represents a node in the network. type Node struct { - Endpoint *wireguard.Endpoint - Key []byte - InternalIP *net.IPNet + Endpoint *wireguard.Endpoint + Key []byte + NoInternalIP bool + InternalIP *net.IPNet // LastSeen is a Unix time for the last time // the node confirmed it was live. LastSeen int64 diff --git a/pkg/mesh/mesh.go b/pkg/mesh/mesh.go index 64eec75..44b40ae 100644 --- a/pkg/mesh/mesh.go +++ b/pkg/mesh/mesh.go @@ -371,7 +371,7 @@ func (m *Mesh) handleLocal(n *Node) { if n.Endpoint == nil || (n.Endpoint.DNS == "" && n.Endpoint.IP == nil) { n.Endpoint = &wireguard.Endpoint{DNSOrIP: wireguard.DNSOrIP{IP: m.externalIP.IP}, Port: m.port} } - if n.InternalIP == nil { + if n.InternalIP == nil && !n.NoInternalIP { n.InternalIP = m.internalIP } // Compare the given node to the calculated local node. @@ -380,6 +380,7 @@ func (m *Mesh) handleLocal(n *Node) { local := &Node{ Endpoint: n.Endpoint, Key: m.pub, + NoInternalIP: n.NoInternalIP, InternalIP: n.InternalIP, LastSeen: time.Now().Unix(), Leader: n.Leader, diff --git a/pkg/mesh/topology.go b/pkg/mesh/topology.go index 5e158fe..1390d1d 100644 --- a/pkg/mesh/topology.go +++ b/pkg/mesh/topology.go @@ -83,6 +83,8 @@ func NewTopology(nodes map[string]*Node, peers map[string]*Peer, granularity Gra switch granularity { case LogicalGranularity: location = logicalLocationPrefix + node.Location + // Put node in a different location, if no private + // IP was found. if node.InternalIP == nil { location = nodeLocationPrefix + node.Name }