Commit Graph

42 Commits

Author SHA1 Message Date
Sebastian Rojo
a9d5883a3a
ADD manifest for k3s with cilium as CNI (#331) 2022-09-10 13:38:38 +02:00
leonnicolas
e328646617
Pin boringtun image tag (#319)
* Pin boringtun image tag

Pin the image to a tag before boringtun's cli changed.
Specifically the --disable-drop-privileges flag need a boolean param.

* Fix image name
2022-07-11 23:17:05 +02:00
Antoine
4be792ea54
feat: cilium add-mode support (#312)
* feat: cilium add-mode support

when cni management by kilo is disable, we can use existing cluster's cni setup thanks to add-on mode

https://kilo.squat.ai/docs/introduction#add-on-mode

* feat: manifest example for cilium addon mode

* fix: apply comment from PR review

* fix: add mutex to interface retrieval into flannel addon mode
2022-05-20 02:13:07 +02:00
Lucas Servén Marín
37a5aef6ea
cut 0.5.0
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2022-04-25 10:39:39 +02:00
leonnicolas
213688fd7d
Update autogenerated code and CRD
Also edit Makefile to generate valid manifest.

Signed-off-by: leonnicolas <leonloechner@gmx.de>
2022-04-23 11:39:37 +02:00
Lucas Servén Marín
1f19133ea8
manifests: use CNI 0.4.0
As mentioned in the Kilo Slack [0], Kubernetes supports CNI 0.4.0 and
does not yet support 1.0.0. Correspondingly, this commit downgrades the
declared CNI version in the configuration to 0.4.0 and crucially updates
the configuration used in the e2e tests to exercise this new CNI
version.

[0] https://kubernetes.slack.com/archives/C022EB4R7TK/p1650455432970199?thread_ts=1650368553.132859&cid=C022EB4R7TK

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2022-04-20 14:57:21 +02:00
Dave Allan
19c13b7401 reduce cniVersion from 1.0.1 to 1.0.0 to match spec version 2022-04-19 08:28:31 -04:00
Lucas Servén Marín
8cadff2b79
CNI: bump to 1.0.1 (#297)
* CNI: bump to 1.0.1

This commit bumps the declared version of CNI in the Kilo manifests to
1.0.1. This is possible with no changes to the configuration lists
because our simple configuration is not affected by any of the
deprecations, and there was effectively no change between 0.4.0 and
1.0.0, other than the declaration of a stable API. Similarly, this
commit also bumps the version of the CNI library and the plugins
package.

Bumping to CNI 1.0.0 will help ensure that Kilo stays compatible with
container runtimes in the future.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>

* vendor: revendor

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2022-04-18 19:00:37 +02:00
Clive Jevons
7c5f9ecc40 bump referenced image version to 0.4.1 in preparation for release 0.4.1 2022-04-11 18:18:26 +02:00
Clive Jevons
c00cf69b55 pin release-0.4 image version to tag 0.4.0 2022-04-11 15:46:27 +02:00
hhstu
d95e590f5c
add example for kubeadm-userspace,kubeadm-flannel-userspace (#284)
* add example for  kubeadm-userspace,kubeadm-flannel-userspace

* remove configmap of kilo when use flannel
2022-04-03 12:50:41 +02:00
leonnicolas
edb8f63848
Add WireGuard monitor and docs
This commit adds a manifest for deploying a WireGuard prometheus
exporter, Role and RoleBinding for kube-prometheus to monitor the Kilo
namespace and a new guide in the docs about how to monitor Kilo.

Signed-off-by: leonnicolas <leonloechner@gmx.de>
2021-10-19 22:46:44 +02:00
leonnicolas
c8ed21cac4
manifests/peer-validation.yaml: fix image and flag
Use a maintained fork of certgen.
The former project is not maintained anymore and will not work for
Kubernteses v1.22 because the admission v1beta1 API was dropped.

Also fix the name of the liste-metrics flag.

Signed-off-by: leonnicolas <leonloechner@gmx.de>
2021-09-07 10:52:40 +02:00
leonnicolas
086b2e1ddd
cmd/kg/*: sub command peer validation webhook
This commit adds a sub command `webhook` to Kilo.
It will start a https web server that answeres request from a Kubernetes
API server to validate updates and creations of Kilo peers.

It also updates the "Peer Validation" docs to enable users to
install the web hook server and generate the self signed certificates in
the cluster by only applying a manifest.

Signed-off-by: leonnicolas <leonloechner@gmx.de>

Apply suggestions from code review

Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
2021-09-06 21:14:44 +02:00
leonnicolas
e886f5d24e
Merge pull request #228 from squat/release-0.3
Merge Release 0.3 into Main
2021-08-20 09:50:03 +03:00
Lucas Servén Marín
288bb824aa
pkg/k8s: fix resource scope of Kilo CRD
When updating Kilo to the latest version of the CustomResourceDefinition
API, the Kilo Peer CRD was incorrectly scoped as a namespaced resource
due to differences in the ergonomics of the tooling.

This commit fixes the scoping of the Peer CRD to be cluster-wide.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-08-19 22:58:42 +02:00
Steffen Vogel
7c8905f10d k3s: add missing ServiceAccountName to nkml DaemonSet 2021-07-15 15:24:00 +02:00
Steffen Vogel
d1f7c32760 k3s: generate kubeconfig based on token from ServiceAccount and master address & cacert from kubelet kubeconfig (closes #49) 2021-07-15 14:01:38 +02:00
Lucas Servén Marín
abecadf707
manifests,e2e: reduce cluster role permissions (#211)
Since Kilo now uses the `kilo.squat.ai/discovered-endpoints` annotation
for Peer discovery, Kilo no longer needs to update Peer resources, so we
can remove this permission from the ClusterRole. Note, the RBAC in the
manifests is not used today, but we eventually want to migrate to this.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-07-14 13:20:05 +02:00
leonnicolas
36643b77b4
Use apiextension v1
- upgrade from apiextension v1beta1 to v1
 - generate yaml manifest for crd intead of applying it at runtime
  - users will have to apply the manifest with kubectl
 - kg and kgctl log an error if the crd is not present
 - now validation should actually work

Signed-off-by: leonnicolas <leonloechner@gmx.de>
2021-06-14 12:59:33 +02:00
leonnicolas
3f0404d9e3
manifests/*: add example podMonitor
Signed-off-by: leonnicolas <leonloechner@gmx.de>
2021-05-13 16:25:29 +02:00
Lucas Servén Marín
8fce69d373
manifests: declare metrics port
This commit ammends all of the Kilo manifests so that the DaemonSets
declare the port they expose.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-05-06 19:30:43 +02:00
Lucas Servén Marín
a408ce9f35
manifests: fix kubeadm CNI path
As discussed in
https://github.com/squat/kilo/issues/129#issuecomment-789651850,
the Kilo manifests for kubeadm install the CNI configuration in the
wrong directory. They are using /etc/kubernetes/cni/net.d [0] when they
should be using /etc/cni/net.d [1].

[0]
https://github.com/squat/kilo/blob/main/manifests/kilo-kubeadm.yaml#L163
[1]
https://kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/#cni

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-03-04 12:53:46 +01:00
leonnicolas
e30cff5293
FEATURE: user space wireguard
Add the possibility to use a user space implementation of wireguard. Specifically, the rust implementation boringtun.
2020-12-29 18:50:58 +01:00
Eddie Wang
b646118146
fix typo and add to k3s-flannel yaml 2020-07-01 12:59:09 -05:00
Eddie Wang
a3bc74d27f
add notes for k3s setup 2020-07-01 12:29:19 -05:00
Lucas Servén Marín
b188abf0b6
manifests: ensure ip6tables kernel module can load
Fixes: #55

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-05-11 09:40:11 +02:00
Lucas Servén Marín
94f9a5e507
docs: add network policies examples
This commit adds a guide for deploying Kubernetes NetworkPolicy support
to a cluster running Kilo.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-04-28 15:00:07 +02:00
Pavel
b6afa6e9b2 Change path to kubeconfig to match k3s v1.0 2020-03-20 18:59:23 +03:00
Lucas Servén Marín
223b641ee1
manifests: set MTU for CNI bridge
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-22 16:57:01 +01:00
Lucas Servén Marín
a6afc3247d
manifests: ensure kube-bridge uses latest CIDR
This commit ensures that the kube-bridge uses the latest CIDR assigned
by the Kubernetes API, rather than defaulting to a previously assigned
CIDR.

xref:
* https://github.com/containernetworking/plugins/tree/master/plugins/main/bridge#network-configuration-reference
* https://github.com/cloudnativelabs/kube-router/issues/689

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-10 16:04:44 +01:00
sam
5fc13de6cb manifests: change the kubeconfig hostPath for k3s
Enhancement: change the kubeconfig hostPath for k3s agent nodes. This makes it easier to install Kilo on k3s as no manual kubeconfig copying is necessary. (#14)
2019-08-14 08:55:15 +02:00
Lucas Servén Marín
d385686fa9
manifests: add selector to daemonsets
Fixes #9
2019-08-01 16:51:03 +02:00
Lucas Servén Marín
1d5e3685e3
manifests: update API groups
This commit updates the API group for DaemonSets to apps/v1
and the API version for ClusterRoles to v1.
2019-07-16 23:41:20 +02:00
Lucas Servén Marín
55280ab09b
manifests: default hostname to spec.nodeName
Not all K8s installs will correctly match the node's hostname to the
node's name in the API. We can get around this by setting the name Kilo
uses to the node name in the API.
2019-05-17 22:29:55 +02:00
Lucas Servén Marín
81d6077fc2
manifests,pkg/encapsulation: Flannel compatibility
This commit adds basic support to run in compatibility mode with
Flannel. This allows clusters running Flannel as their principal
networking solution to leverage some advances Kilo features. In certain
Flannel setups, the clusters can even leverage muti-cloud. For this, the
cluster needs to either run in a full mesh, or Flannel needs to use the
API server's external IP address.
2019-05-14 01:01:58 +02:00
K. S. Ernest (iFIre) Lee
81ce93dab7
manifests: add support for k3s 2019-05-13 14:10:13 +02:00
Lucas Servén Marín
e4ad7c29ec
manifests: keep private key between restarts
This commit ensures that the WireGuard private key is re-used between
container restarts. The result of this is that external peers can keep
using their configuration and don't need to be re-configured just
because the Kilo container restarted.
2019-05-10 22:21:56 +02:00
Lucas Servén Marín
b3a3c37e0a
*: add complete CNI support
This commit enables Kilo to work as an independent networking provider.
This is done by leveraging CNI. Kilo brings the necessary CNI plugins to
operate and takes care of all networking.

Add-on compatibility for Calico, Flannel, etc, will be re-introduced
shortly.
2019-05-07 01:49:59 +02:00
Lucas Servén Marín
2425a06cd8
*: add peer VPN support
This commit adds support for defining arbitrary peers that should have
access to the VPN. In k8s, this is accomplished using the new Peer CRD.
2019-05-03 12:53:44 +02:00
Lucas Serven
465ae73370
manifests: add RBAC resources 2019-01-21 19:55:30 +01:00
Lucas Serven
e989f0a25f
init 2019-01-18 02:50:10 +01:00