Commit Graph

122 Commits

Author SHA1 Message Date
Alex Stockinger 1921c6a212
Add metrics for iptables operations (#323)
* Add metrics for iptables operations

* Update pkg/iptables/metrics.go

Co-authored-by: leonnicolas <60091705+leonnicolas@users.noreply.github.com>

* Reorg imports

* pass registerer via controller option

* Update pkg/iptables/metrics.go

Co-authored-by: leonnicolas <60091705+leonnicolas@users.noreply.github.com>

* move registerer check into metrics wrapper method

* Register all metrics in

Co-authored-by: leonnicolas <60091705+leonnicolas@users.noreply.github.com>
Co-authored-by: Clive Jevons <clive@jevons-it.net>
2022-08-05 23:24:50 +02:00
Clive Jevons 0f0b0bda13 prepend encapsulation rules to reduce number of reconciliation thereof
because of the way the iptables rules are reconciled, having the encapsulation
rules at the end of the slice of rules results in them being deleted and re-added
many times, even though they are very static. Prepending them to the slice of
rules prevents this from happening, making that iptables chain more stable
and saving a bunch of roundtrips to iptables.
2022-07-12 15:01:58 +02:00
Antoine 4be792ea54
feat: cilium add-mode support (#312)
* feat: cilium add-mode support

when CNI management by Kilo is disabled, we can use the existing cluster's CNI setup thanks to add-on mode

https://kilo.squat.ai/docs/introduction#add-on-mode

* feat: manifest example for cilium addon mode

* fix: apply comment from PR review

* fix: add mutex to interface retrieval into flannel addon mode
2022-05-20 02:13:07 +02:00
Lucas Servén Marín 50fbc2eec2
staticcheck (#313)
* CI: use staticcheck for linting

This commit switches the linter for Go code from golint to staticcheck.
Golint has been deprecated since last year and staticcheck is a
recommended replacement.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>

* revendor

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>

* cmd,pkg: fix lint warnings

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2022-05-19 19:45:43 +02:00
leonnicolas 0820a9d32f
Remove context.TODO() (#310)
Remove almost all (except the ones created by informer-gen)
context.TODOs.

Signed-off-by: leonnicolas <leonloechner@gmx.de>
2022-04-28 19:39:57 +02:00
leonnicolas 213688fd7d
Update autogenerated code and CRD
Also edit Makefile to generate valid manifest.

Signed-off-by: leonnicolas <leonloechner@gmx.de>
2022-04-23 11:39:37 +02:00
leonnicolas 0dfb744630
kgctl connect (#269)
* kgctl connect

Use kgctl connect to connect your laptop to a cluster.

Signed-off-by: leonnicolas <leonloechner@gmx.de>

* cmd/kgctl: finish connect command

This commit fixes some bugs and finishes the implementation of the
`kgctl connect` command.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>

* e2e: add tests for kgctl connect

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>

* docs: add documentation for `kgctl connect`

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>

* pkg/mesh: move peer route generation to mesh

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>

Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
2022-04-08 13:42:13 +02:00
Lucas Servén Marín e782d1be98
Merge pull request #287 from squat/respect_allowed_location_ips_for_peers
pkg/mesh: respect allowed location IPs in peers
2022-04-01 09:33:21 +02:00
Lucas Servén Marín fb03520fb5
Merge pull request #286 from squat/fix_pka_peers
backend: fix Peer persistent keepalive
2022-03-31 21:35:10 +02:00
Lucas Servén Marín df8d2cb68f
pkg/mesh: respect allowed location IPs in peers
Currently, when rendering the configuration for a Peer, the allowed
location configs of any segment are erroneously ignored, meaning that an
administrator will have to manually edit the configuration to get the
expected behavior from a Peer. This commit fixes the generation of the
configuration.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2022-03-31 21:26:53 +02:00
Lucas Servén Marín 38a5dd22e9
backend: fix Peer persistent keepalive
Right now, the persistent keepalive field of the Peer CRD is always
interpreted as nanoseconds and not seconds. This causes a mismatch
between Kilo's expected behavior and the actual interval that is given
to Peers. Because the interval is interpreted as nanoseconds the value
rounds down to 0 seconds.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2022-03-31 21:24:03 +02:00
Lucas Servén Marín e598102f04
pkg/mesh: fix routes for NATed nodes
Currently, when a node is behind NAT, it is possible that routes to the
node's private IP address, i.e. routes necessary to communicate with the
Kubelet and any Pods on the host network, will not be created because
the private IP is seen as the same as the location's endpoint and is
thus skipped because trying to encapsulate traffic to the endpoint would
break communication with the endpoint itself.

This logic is not correct for nodes that are behind NAT, because the
endpoint that the node reports may not be the same as the discovered
endpoint for the location. Instead, we should compare the private IP
address to the discovered endpoint.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2022-03-30 13:58:29 +02:00
Lucas Servén Marín a1af9790ea
Merge pull request #278 from SerialVelocity/fix-peer-node-equality-checking
Fix peer and node equality checking
2022-03-01 21:09:46 +01:00
Ben Grabham 3bf7eacc7e Fix private key generation code 2022-03-01 18:21:08 +00:00
Ben Grabham 6d6c62ae49 Fix peer and node equality checking 2022-03-01 18:09:25 +00:00
leonnicolas 6a696e03e7
migrate to golang.zx2c4.com/wireguard/wgctrl (#239)
* migrate to golang.zx2c4.com/wireguard/wgctrl

This commit introduces the usage of wgctrl.
It avoids the usage of exec calls of the wg command
and parsing the output of `wg show`.

Signed-off-by: leonnicolas <leonloechner@gmx.de>

* vendor wgctrl

Signed-off-by: leonnicolas <leonloechner@gmx.de>

* apply suggestions from code review

Remove wireguard.Endpoint struct and use net.UDPAddr for the resolved
endpoint and addr string (dnsname:port) if a DN was supplied.

Signed-off-by: leonnicolas <leonloechner@gmx.de>

* pkg/*: use wireguard.Endpoint

This commit introduces the wireguard.Endpoint struct.
It encapsulates a DN name with port and a net.UDPAddr.
The fields are private and only accessible over exported methods
to avoid accidental modification.

Also iptables.GetProtocol is improved to avoid ipv4 rules being applied
by `ip6tables`.

Signed-off-by: leonnicolas <leonloechner@gmx.de>

* pkg/wireguard/conf_test.go: add tests for Endpoint

Signed-off-by: leonnicolas <leonloechner@gmx.de>

* cmd/kg/main.go: validate port range

Signed-off-by: leonnicolas <leonloechner@gmx.de>

* add suggestions from review

Signed-off-by: leonnicolas <leonloechner@gmx.de>

* pkg/mesh/mesh.go: use Equal func

Implement an Equal func for Endpoint and use it instead of comparing
strings.

Signed-off-by: leonnicolas <leonloechner@gmx.de>

* cmd/kgctl/main.go: check port range

Signed-off-by: leonnicolas <leonloechner@gmx.de>

* vendor

Signed-off-by: leonnicolas <leonloechner@gmx.de>
2022-01-30 17:38:45 +01:00
Lucas Servén Marín ee650342d5
pkg/k8s: update generated licenses
After running make, the licenses for the generated go files are updated,
resulting in a diff in the repository. This makes later invocations of
`make container` generate tags with `$ARCH-$SHA-dirty` rather than just
`$ARM-$SHA`, which causes `make manifest` to fail, as some of the
images cannot be found.

A more permanent fix would be to ensure that running `make container`
does not cause the go code to be unnecessarily regenerated, but this will
at least fix CI until next year.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2022-01-04 14:01:29 +01:00
Lucas Servén Marín 1f8c736ba4
Merge pull request #260 from squat/allow_disabling_ipv6
iptables: allow disabling IPv6
2022-01-04 13:17:13 +01:00
Lucas Servén Marín 57a89b49ff
iptables: allow disabling IPv6
This commit enhances the iptables controller to disable reconciliation
of IPv6 rules whenever it detects that IPv6 is disabled in the kernel,
in order to fix #259.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2022-01-04 11:56:29 +01:00
leonnicolas ac65330c71
Apply suggestions from code review
Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
2021-11-01 19:02:49 +01:00
leonnicolas c59ac10e15
pkg/mesh/routes.go: forward private IPs and allowed location IPs
If the `iptables-allow-forwad` is true, we should also forward packages
to and from private IPs and allowed location IPs of the location.

Signed-off-by: leonnicolas <leonloechner@gmx.de>
2021-10-17 19:58:17 +02:00
leonnicolas 3de4bf527b
pkg/mesh/routes.go: add iptables forward allow rules for segment.
Before this commit we added the forward ALLOW rule only for the node's
pod CIDR and not all pod CIDRs of a location. This commit adds the
forward ALLOW rule for packages from (source) and to (destination) all
pod CIDRs of the location if the node is a leader node.

Signed-off-by: leonnicolas <leonloechner@gmx.de>
2021-10-11 23:41:41 +02:00
leonnicolas 70d2751030
bump golang 1.15 -> 1.17
Signed-off-by: leonnicolas <leonloechner@gmx.de>
2021-09-30 17:47:47 +02:00
leonnicolas 9b14c227a9
pkg/mesh/routes.go: add flag for generic ACCEPT in FORWARD chain (#244)
* pkg/mesh/routes.go: add flag for generic ACCEPT in FORWARD chain

Some linux distros or docker will set the default policy in the FORWARD
chain in the filter table to DROP. With the new ip-tables-forward-rules
flag a generic ACCEPT for all packages going from and to the pod subnet
is added to the FORWARD chain.

Signed-off-by: leonnicolas <leonloechner@gmx.de>

* Update cmd/kg/main.go

Co-authored-by: Lucas Servén Marín <lserven@gmail.com>

* Update cmd/kg/main.go

Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
2021-09-30 14:39:06 +02:00
Sean Baildon 3174467751
pkg/mesh: optionally assign external IP to node's private IP (#232) 2021-09-24 10:02:51 +02:00
Sean Baildon 9ec155b843 pkg/mesh: filter local IP addresses when scanning for ips resolved by hostname 2021-08-22 12:40:55 +01:00
leonnicolas e886f5d24e
Merge pull request #228 from squat/release-0.3
Merge Release 0.3 into Main
2021-08-20 09:50:03 +03:00
Lucas Servén Marín 288bb824aa
pkg/k8s: fix resource scope of Kilo CRD
When updating Kilo to the latest version of the CustomResourceDefinition
API, the Kilo Peer CRD was incorrectly scoped as a namespaced resource
due to differences in the ergonomics of the tooling.

This commit fixes the scoping of the Peer CRD to be cluster-wide.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-08-19 22:58:42 +02:00
Lucas Servén Marín 2c74a560c4
pkg/wireguard: allow configuring MTU (#215)
This commit makes it possible to configure the MTU for the WireGuard
interface created by Kilo.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-07-16 14:23:11 +02:00
Julien Viard de Galbert e12b5029d7
Use LatestHandshake to validate endpoint (#149)
* wireguard: `wg show iface dump` reader and parser

* mesh: use LatestHandshake to validate NAT Endpoints

* add skip on error

* switch to loop parsing

So the stop on error pattern can be used

* Add error handling to ParseDump
2021-07-06 14:14:59 +02:00
leonnicolas 088578b055
pkg/ cmd/: kgctl autodetect mesh granularity
Adds granularity annotation to auto-detect the mesh granularity when
using kubectl

Signed-off-by: leonnicolas <leonloechner@gmx.de>
2021-06-18 15:59:25 +02:00
leonnicolas 31ffaa0e71
pkg/: FEATURE: support allowed IPs outside a cluster
Users can specify IPs with the annotation "allowed-location-ips".
It makes no difference which node of a location is annotated.
The IP should be routable from the particular location, e.g. a printer in
the same LAN.
This way these IPs become routable from other locations.

Signed-off-by: leonnicolas <leonloechner@gmx.de>

Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
2021-06-15 22:17:35 +02:00
leonnicolas 36643b77b4
Use apiextension v1
- upgrade from apiextension v1beta1 to v1
- generate yaml manifest for crd instead of applying it at runtime
  - users will have to apply the manifest with kubectl
- kg and kgctl log an error if the crd is not present
- now validation should actually work

Signed-off-by: leonnicolas <leonloechner@gmx.de>
2021-06-14 12:59:33 +02:00
Lucas Servén Marín 845df22a32
docs,README.md: clean up documentation
This commit cleans up some typos in the documentation, clarifies some
explanations, fixes a bash script that would not expand a variable, and
renames the API documentation generator command from gen-docs to
docs-gen to match the output binary name.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-05-20 12:45:02 +02:00
leonnicolas 51f1ae94ef
cmd/gen-docs/main.go: auto generate docs for CRD
The new make command `make gen-docs` is introduced.
It will build a markdown file from the CRD introduced by Kilo.

The generation of the docs is a requirement for building the website.

Signed-off-by: leonnicolas <leonloechner@gmx.de>
2021-05-17 13:54:56 +02:00
leonnicolas a3bf13711c
go.mod: bump client-go and api machinery
I had to run `make generate`.
Some API functions got additional parameters `Options` and `Context`.
I used empty options and `context.TODO()` for now.

Signed-off-by: leonnicolas <leonloechner@gmx.de>
2021-05-15 12:12:50 +02:00
Lucas Servén Marín e843262064
Merge pull request #152 from squat/check_netlink_events
pkg/route: correct route error check
2021-05-02 20:08:06 +02:00
leonnicolas 64ea86436f
pkg/k8s/apis/kilo/v1alpha1/types.go: add public key validation
Signed-off-by: leonnicolas <leonloechner@gmx.de>
2021-04-30 22:03:34 +02:00
Lucas Servén Marín 19abddf1fe
pkg/route: correct route error check
Currently, when the route controller processes updates from netlink, it
checks if the routes in the table are nil or have no destination.
However, we control this and can guarantee that it's never the case.
Instead, we should check if the routes from netlink are valid.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-04-30 18:17:51 +02:00
Lucas Servén Marín 166094b5ad
Merge pull request #148 from JulienVdG/sync-not-ready
RFC: Remove syncNodes/syncPeers 'not Ready' special case
2021-04-21 19:49:12 +02:00
Julien Viard de Galbert 2ac000c68a
Nat to nat (#146)
* wireguard: export an Endpoint comparison method

* Record discovered endpoints in node

* Synchronize DiscoveredEndpoints in k8s backend

* Add discoveredEndpointsAreEqual

* Handle discovered Endpoints in topology to enable NAT 2 NAT

* Refactor to use Endpoint.Equal

Compare IP first by default and compare DNS name first when we know the Endpoint was resolved.

* Drop the shallow copies of nodes and peers

Now that updateNATEndpoints was updated to discoverNATEndpoints and that
the endpoints are overridden by topology instead of mutating the nodes and
peers object, we can safely drop this copy.
2021-04-21 19:47:29 +02:00
Julien Viard de Galbert 81f592de74 Remove syncNodes/syncPeers not Ready special case
First the comment "so remove it from the mesh" is wrong / misleading as
since 034c27ab78 the delete in that if is
not in there anymore.

Second the m.nodes map is not updated so setting `diff = true` will call `applyTopology` without any changes... which seems useless.

Third the rest of the code already checks for Ready so this special case
here should not be needed.
2021-04-21 11:33:37 +02:00
leonnicolas a6fcab6878
pkg/mesh/graph.go: fix format
Previously the newlines were ignored by circo.
This led to very flat ellipses.
Masked newlines "\\n" are correctly handled.

Signed-off-by: leonnicolas <leonloechner@gmx.de>
2021-03-26 11:12:05 +01:00
Lucas Servén Marín d1948acd77
pkg/mesh: fix panic in graph
Commit 4d00bc56fe introduced a bug in the
Kilo graph generation logic. This commit used the WireGuard CIDR from
the topology struct as the graph title, however this field is nil
whenever the selected node is not a leader, causing the program to
panic.

This commit changes the meaning of the topology struct's wireGuardCIDR
field so that the field is always defined and the normalized value will
always be equal to the Kilo subnet CIDR. When the selected node is a
leader node, then the field's IP will be the IP allocated to the node
within the subnet. This effectively prevents the program from panicking.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-03-25 02:59:54 +01:00
leonnicolas 9d10d4a3de
FEATURE: allow disabling private IPs
When forcing the internal IP to "" or "-", private IPs won't be used.
2021-03-13 23:33:18 +01:00
leonnicolas 50ba744e74
pkg/encapsulation/ipip.go: fix order of flags 2021-03-13 19:55:00 +01:00
leonnicolas db62b273c0
pkg/mesh/mesh.go: actually add resync period
resync period was not added to mesh struct.

Signed-off-by: leonnicolas <leonloechner@gmx.de>
2021-03-13 16:31:09 +01:00
Lucas Servén Marín ede3118cc8
pkg/encapsulation/ipip*: fix ipip iptables rules
Since #116 implemented fragile comparisons of iptables rules to avoid
calling the iptables binary excessively during every reconciliation, the
iptables rules for IPIP encapsulation must be updated to match the
expected output. One complication is that rather than returning the
protocol number in the rule, iptables resolves the protocol number to a
name by looking up the number in the netd protocols database. This name
can vary depending on the host's environment. This commit adds two
solutions for resolving the protocol name:
1. a fixed mapping to the string `ipencap`, which should always work
for Kilo whenever it runs in the Alpine Linux container; and
2. a runtime lookup using the netd database, which only works if Kilo is
compiled with CGO and is meant to be used only if Kilo is not running in
the normal container environment.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-03-13 15:24:55 +01:00
Lucas Servén Marín 39803cef66
pkg/mesh: correctly check 172.16/12 IP range
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-03-06 00:50:48 +01:00
Lucas Servén Marín 7cc707f335
pkg/mesh: correctly identify 172.16/12 IPs
Currently Kilo incorrectly identifies the 172.16/12 private IP range.
This commit fixes the logic.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-03-05 18:27:12 +01:00