This commit adds a manifest for deploying a WireGuard prometheus
exporter, Role and RoleBinding for kube-prometheus to monitor the Kilo
namespace and a new guide in the docs about how to monitor Kilo.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
If the `iptables-allow-forwad` is true, we should also forward packages
to and from private IPs and allowed location IPs of the location.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
Before this commit we added the forward ALLOW rule only for the node's
pod CIDR and not all pod CIDRs of a location. This commit adds the
forward ALLOW rule for packages from (source) and to (destination) all
pod CIDRs of the location if the node is a leader node.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* pkg/mesh/routes.go: add flag for generic ACCEPT in FORWARD chain
Some linux distros or docker will set the default policy in the FORWARD
chain in the filter table to DROP. With the new ip-tables-forward-rules
flag a generic ACCEPT for all packages going from and to the pod subnet
is added to the FORWARD chain.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* Update cmd/kg/main.go
Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
* Update cmd/kg/main.go
Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
This commit adds a stage to the GitHub Actions CI workflow to verify
that vendor and go.mod/sum are always up-to-date. If the vendored files
require any changes then CI will fail. This ensures that the repo
remains the source of truth.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
* docs: kgctl binary install on Archlinux
I've created a package in Arch User Repository for easily installing `kgctl` on Archlinux via an AUR helper like `yay` or `paru`. This internally fetches the binaries from [the GitHub releases page](https://github.com/squat/kilo/releases)
Related Links:
- https://aur.archlinux.org/packages/kgctl-bin
- https://github.com/codingCoffee/PKGBUILDs
Signed-off-by: Ameya Shenoy <shenoy.ameya@gmail.com>
* docs(kgctl): syntactical sugar
Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
* docs(kgctl): syntactical sugar
Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
* docs(kgctl): syntactical sugar
Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
`cobra` automatically prints and error if `runE` returns an error.
Since we explicitly print the error, we need to silence cobra.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
Use a maintained fork of certgen.
The former project is not maintained anymore and will not work for
Kubernteses v1.22 because the admission v1beta1 API was dropped.
Also fix the name of the liste-metrics flag.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
This commit adds a sub command `webhook` to Kilo.
It will start a https web server that answeres request from a Kubernetes
API server to validate updates and creations of Kilo peers.
It also updates the "Peer Validation" docs to enable users to
install the web hook server and generate the self signed certificates in
the cluster by only applying a manifest.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
Apply suggestions from code review
Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
This commit uses cobra instead of pflags in kg to handle flags in preparation to add a new subcommand
for the webhook server.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
When updating Kilo to the latest version of the CustomResourceDefinition
API, the Kilo Peer CRD was incorrectly scoped as a namespaced resource
due to differences in the ergonomics of the tooling.
This commit fixes the scoping of the Peer CRD to be cluster-wide.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
adjacency is running in the default namespace.
Prior to this commit the block_until_ready function
received the adjacency namespace instead of the default
namespace as a parameter.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
docker: add missing fonts for rasterized graphviz output formats
add missing license header
kg: do not export handlers
use http package for status codes
keep checks for errors in a single line
simplify error message about failed invocation of dot
pass node hostname and subnet to graph handler
use SVG as default format for graph handler
register health handler with HandleFunc
add option for selecting layout to graph handler and using circo as new default
e2e: add tests for HTTP handlers
e2e: fix and simplify handler tests
add should comments to assertions
e2s: use assert_fail instead of assert _not
add missing mime-type header for graph handler
use switch/case statements for validating formats / layouts
e2e: fix handlers tests
Co-authored-by: leonnicolas <60091705+leonnicolas@users.noreply.github.com>
graph-handler: add missing font to Dockerfile
Dockerfile: remove unnecessary font
This commit leaves Noto as the only font package, as one font package is
sufficient for the container.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
Since Kilo now uses the `kilo.squat.ai/discovered-endpoints` annotation
for Peer discovery, Kilo no longer needs to update Peer resources, so we
can remove this permission from the ClusterRole. Note, the RBAC in the
manifests is not used today, but we eventually want to migrate to this.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit standardizes how we display a `note` in our docs.
Previously, we used a mix of `_Note_:`, `__Note:__`, `> Note`, and `>
**Note**:` among others. Now, all notes appear as `> **Note**:`.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit adds a new test suite to the e2e tests that validates
multi-cluster connectivity in Kilo. This is really just an extension of
the testing of the Peers CRD and related tooling that also exercises the
`--allowed-ips` flag of the `kgctl` tool.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
Lucas Servén Marín
leonnicolas
leonnicolas
dependabot[bot]
Sean Baildon
Ameya Shenoy
Steffen Vogel