* CI: use staticcheck for linting
This commit switches the linter for Go code from golint to staticcheck.
Golint has been deprecated since last year and staticcheck is a
recommended replacement.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
* revendor
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
* cmd,pkg: fix lint warnings
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
* migrate to golang.zx2c4.com/wireguard/wgctrl
This commit introduces the usage of wgctrl.
It avoids the usage of exec calls of the wg command
and parsing the output of `wg show`.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* vendor wgctrl
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* apply suggestions from code review
Remove wireguard.Enpoint struct and use net.UDPAddr for the resolved
endpoint and addr string (dnsanme:port) if a DN was supplied.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* pkg/*: use wireguard.Enpoint
This commit introduces the wireguard.Enpoint struct.
It encapsulates a DN name with port and a net.UPDAddr.
The fields are private and only accessible over exported Methods
to avoid accidental modification.
Also iptables.GetProtocol is improved to avoid ipv4 rules being applied
by `ip6tables`.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* pkg/wireguard/conf_test.go: add tests for Endpoint
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* cmd/kg/main.go: validate port range
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* add suggestions from review
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* pkg/mesh/mesh.go: use Equal func
Implement an Equal func for Enpoint and use it instead of comparing
strings.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* cmd/kgctl/main.go: check port range
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* vendor
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* wireguard: `wg show iface dump` reader and parser
* mesh: use LatestHandshake to validate NAT Endpoints
* add skip on error
* switch to loop parsing
So the stop on error pattern can be used
* Add error handling to ParseDump
* wireguard: export an Endpoint comparison method
* Record discovered endpoints in node
* Synchronize DiscoveredEndpoints in k8s backend
* Add discoveredEndpointsAreEqual
* Handle discovered Endpoints in topology to enable NAT 2 NAT
* Refactor to use Endpoint.Equal
Compare IP first by default and compare DNS name first when we know the Endpoint was resolved.
* Drop the shallow copies of nodes and peers
Now that updateNATEndpoints was updated to discoverNATEndpoints and that
the endpoints are overridden by topology instead of mutating the nodes and
peers object, we can safely drop this copy.
This commit adds support for defining preshared keys when declaring a
new Peer CRD. This preshared key will be used whenever the nodes in the
Kilo mesh communicate with that peer.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit changes how Kilo allows nodes and peers behind NAT to roam.
Rather that ignore changes to endpoints when comparing WireGuard
configurations, Kilo now incorporates changes to endpoints for peers
behind NAT into its configuration first and later compares the
configurations.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit enables Kilo to ignore changes to the endpoints of peers
that sit behind a NAT gateway. We use the heuristic of a non-zero
persistent keepalive to decide whether the endpoint field should be
ignored. This will allow NATed peers to roam and for every node in the
cluster to have a different value for a peer's endpoint, as is natural
when a peer's connections are NATed.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit allows DNS names to be used when specifying the endpoint
for a node in the WireGuard mesh. This is useful in many scenarios, in
particular when operating an IoT device whose public IP is dynamic. This
change allows the administrator to use a dynamic DNS name in the node's
endpoint.
One of the side-effects of this change is that the WireGuard port can
now be specified individually for each node in the mesh, if the
administrator wishes to do so.
*Note*: this commit introduces a breaking change; the
`force-external-ip` node annotation has been removed; its functionality
has been ported over to the `force-endpoint` annotation. This annotation
is documented in the annotations.md file. The expected content of this
annotation is no longer a CIDR but rather a host:port. The host can be
either a DNS name or an IP.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit makes it possible to specify the Kilo interface name. If the
specified interface exists, it will be used; if it does not exist, Kilo
will create it. If the interface already existed, then it will not be
deleted on shutdown; otherwise Kilo will destroy the interface.
Fixes: https://github.com/squat/kilo/issues/8
Addresses: 1/2 of https://github.com/squat/kilo/issues/17
We need to defensively deduplicate peer allowed IPs.
If two peers claim the same IP, the WireGuard configuration
could flap, causing the interface to churn.
Lucas Servén Marín
leonnicolas
leonnicolas
Julien Viard de Galbert