Commit Graph

106 Commits

Author SHA1 Message Date
Lucas Servén Marín ee650342d5
pkg/k8s: update generated licenses
After running make, the licenses for the generated go files are updated,
resulting in a diff in the repository. This makes later invocations of
`make container` generate tags with `$ARCH-$SHA-dirty` rather than just
`$ARM-$SHA`, which causes `make manifest` to fail, as some of the
images cannot be found.

A more permanent fix would be to ensure that running `make container`
does not cause the go code to be unnecessarily regenerated, but this will
at least fix CI until next year.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2022-01-04 14:01:29 +01:00
Lucas Servén Marín 1f8c736ba4
Merge pull request #260 from squat/allow_disabling_ipv6
iptables: allow disabling IPv6
2022-01-04 13:17:13 +01:00
Lucas Servén Marín 57a89b49ff
iptables: allow disabling IPv6
This commit enhances the iptables controller to disable reconciliation
of IPv6 rules whenever it detects that IPv6 is disabled in the kernel,
in order to fix #259.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2022-01-04 11:56:29 +01:00
leonnicolas ac65330c71
Apply suggestions from code review
Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
2021-11-01 19:02:49 +01:00
leonnicolas c59ac10e15
pkg/mesh/routes.go: forward private IPs and allowed location IPs
If the `iptables-allow-forwad` is true, we should also forward packages
to and from private IPs and allowed location IPs of the location.

Signed-off-by: leonnicolas <leonloechner@gmx.de>
2021-10-17 19:58:17 +02:00
leonnicolas 3de4bf527b
pkg/mesh/routes.go: add iptables forward allow rules for segment.
Before this commit we added the forward ALLOW rule only for the node's
pod CIDR and not all pod CIDRs of a location. This commit adds the
forward ALLOW rule for packages from (source) and to (destination) all
pod CIDRs of the location if the node is a leader node.

Signed-off-by: leonnicolas <leonloechner@gmx.de>
2021-10-11 23:41:41 +02:00
leonnicolas 70d2751030
bump golang 1.15 -> 1.17
Signed-off-by: leonnicolas <leonloechner@gmx.de>
2021-09-30 17:47:47 +02:00
leonnicolas 9b14c227a9
pkg/mesh/routes.go: add flag for generic ACCEPT in FORWARD chain (#244)
* pkg/mesh/routes.go: add flag for generic ACCEPT in FORWARD chain

Some linux distros or docker will set the default policy in the FORWARD
chain in the filter table to DROP. With the new ip-tables-forward-rules
flag a generic ACCEPT for all packages going from and to the pod subnet
is added to the FORWARD chain.

Signed-off-by: leonnicolas <leonloechner@gmx.de>

* Update cmd/kg/main.go

Co-authored-by: Lucas Servén Marín <lserven@gmail.com>

* Update cmd/kg/main.go

Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
2021-09-30 14:39:06 +02:00
Sean Baildon 3174467751
pkg/mesh: optionally assign external IP to node's private IP (#232)
2021-09-24 10:02:51 +02:00
Sean Baildon 9ec155b843
pkg/mesh: filter local IP addresses when scanning for ips resolved by hostname
2021-08-22 12:40:55 +01:00
leonnicolas e886f5d24e
Merge pull request #228 from squat/release-0.3
Merge Release 0.3 into Main
2021-08-20 09:50:03 +03:00
Lucas Servén Marín 288bb824aa
pkg/k8s: fix resource scope of Kilo CRD
When updating Kilo to the latest version of the CustomResourceDefinition
API, the Kilo Peer CRD was incorrectly scoped as a namespaced resource
due to differences in the ergonomics of the tooling.

This commit fixes the scoping of the Peer CRD to be cluster-wide.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-08-19 22:58:42 +02:00
Lucas Servén Marín 2c74a560c4
pkg/wireguard: allow configuring MTU (#215)
This commit makes it possible to configure the MTU for the WireGuard
interface created by Kilo.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-07-16 14:23:11 +02:00
Julien Viard de Galbert e12b5029d7
Use LatestHandshake to validate endpoint (#149)
* wireguard: `wg show iface dump` reader and parser

* mesh: use LatestHandshake to validate NAT Endpoints

* add skip on error

* switch to loop parsing

So the stop on error pattern can be used

* Add error handling to ParseDump
2021-07-06 14:14:59 +02:00
leonnicolas 088578b055
pkg/ cmd/: kgctl autodetect mesh granularity
Adds granularity annotation to auto detect the mesh granularity when
using kubectl

Signed-off-by: leonnicolas <leonloechner@gmx.de>
2021-06-18 15:59:25 +02:00
leonnicolas 31ffaa0e71
pkg/: FEATURE: support allowed IPs outside a cluster
Users can specify IPs with the annotation "allowed-location-ips".
It makes no difference which node of a location is annotated.
The IP should be routable from the particular location, e.g. a printer in
the same LAN.
This way these IPs become routable from other location.

Signed-off-by: leonnicolas <leonloechner@gmx.de>

Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
2021-06-15 22:17:35 +02:00
leonnicolas 36643b77b4
Use apiextension v1
- upgrade from apiextension v1beta1 to v1
- generate yaml manifest for crd instead of applying it at runtime
  - users will have to apply the manifest with kubectl
- kg and kgctl log an error if the crd is not present
- now validation should actually work

Signed-off-by: leonnicolas <leonloechner@gmx.de>
2021-06-14 12:59:33 +02:00
Lucas Servén Marín 845df22a32
docs,README.md: clean up documentation
This commit cleans up some typos in the documentation, clarifies some
explanations, fixes a bash script that would not expand a variable, and
renames the API documentation generator command from gen-docs to
docs-gen to match the output binary name.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-05-20 12:45:02 +02:00
leonnicolas 51f1ae94ef
cmd/gen-docs/main.go: auto generate docs for CRD
The new make command `make gen-docs` is introduced.
It will build a markdown file from the CRD introduced by Kilo.

The generation of the docs is a requirement for building the website.

Signed-off-by: leonnicolas <leonloechner@gmx.de>
2021-05-17 13:54:56 +02:00
leonnicolas a3bf13711c
go.mod: bump client-go and api machinery
I had to run `make generate`.
Some API functions got additional parameters `Options` and `Context`.
I used empty options and `context.TODO()` for now.

Signed-off-by: leonnicolas <leonloechner@gmx.de>
2021-05-15 12:12:50 +02:00
Lucas Servén Marín e843262064
Merge pull request #152 from squat/check_netlink_events
pkg/route: correct route error check
2021-05-02 20:08:06 +02:00
leonnicolas 64ea86436f
pkg/k8s/apis/kilo/v1alpha1/types.go: add public key validation
Signed-off-by: leonnicolas <leonloechner@gmx.de>
2021-04-30 22:03:34 +02:00
Lucas Servén Marín 19abddf1fe
pkg/route: correct route error check
Currently, when the route controller processes updates from netlink, it
checks if the routes in the table are nil or have no destination.
However, we control this and can guarantee that it's never the case.
Instead, we should check if the routes from netlink are valid.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-04-30 18:17:51 +02:00
Lucas Servén Marín 166094b5ad
Merge pull request #148 from JulienVdG/sync-not-ready
RFC: Remove syncNodes/syncPeers 'not Ready' special case
2021-04-21 19:49:12 +02:00
Julien Viard de Galbert 2ac000c68a
Nat to nat (#146)
* wireguard: export an Endpoint comparison method

* Record discovered endpoints in node

* Synchronize DiscoveredEndpoints in k8s backend

* Add discoveredEndpointsAreEqual

* Handle discovered Endpoints in topology to enable NAT 2 NAT

* Refactor to use Endpoint.Equal

Compare IP first by default and compare DNS name first when we know the Endpoint was resolved.

* Drop the shallow copies of nodes and peers

Now that updateNATEndpoints was updated to discoverNATEndpoints and that
the endpoints are overridden by topology instead of mutating the nodes and
peers object, we can safely drop this copy.
2021-04-21 19:47:29 +02:00
Julien Viard de Galbert 81f592de74
Remove syncNodes/syncPeers not Ready special case
First the comment "so remove it from the mesh" is wrong / misleading as
since 034c27ab78 the delete in that if is
not in there anymore.

Second the m.nodes map is not updated so setting `diff = true` will call `applyTopology` without any changes... which seems useless.

Third the rest of the code already checks for Ready so this special case
here should not be needed.
2021-04-21 11:33:37 +02:00
leonnicolas a6fcab6878
pkg/mesh/graph.go: fix format
Previously the newlines were ignored by circo.
This lead to very flat ellipses.
Masked newlines "\\n" are correctly handled.

Signed-off-by: leonnicolas <leonloechner@gmx.de>
2021-03-26 11:12:05 +01:00
Lucas Servén Marín d1948acd77
pkg/mesh: fix panic in graph
Commit 4d00bc56fe introduced a bug in the
Kilo graph generation logic. This commit used the WireGuard CIDR from
the topology struct as the graph title, however this field is nil
whenever the selected node is not a leader, causing the program to
panic.

This commit changes the meaning of the topology struct's wireGuardCIDR
field so that the field is always defined and the normalized value will
always be equal to the Kilo subnet CIDR. When the selected node is a
leader node, then the field's IP will be the IP allocated to the node
within the subnet. This effectively prevents the program from panicking.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-03-25 02:59:54 +01:00
leonnicolas 9d10d4a3de
FEATURE: allow disabling private IPs
When forcing the internal IP to "" or "-", private IPs won't be used.
2021-03-13 23:33:18 +01:00
leonnicolas 50ba744e74
pkg/encapsulation/ipip.go: fix order of flags
2021-03-13 19:55:00 +01:00
leonnicolas db62b273c0
pkg/mesh/mesh.go: actually add resync period
resync period was not added to mesh struct.

Signed-off-by: leonnicolas <leonloechner@gmx.de>
2021-03-13 16:31:09 +01:00
Lucas Servén Marín ede3118cc8
pkg/encapsulation/ipip*: fix ipip iptables rules
Since #116 implemented fragile comparisons of iptables rules to avoid
calling the iptables binary excessively during every reconciliation, the
iptables rules for IPIP encapsulation must be updated to match the
expected output. One complication is that rather than returning the
protocol number in the rule, iptables resolves the protocol number to a
name by looking up the number in the netd protocols database. This name
can vary depending on the host's environment. This commit adds two
solutions for resolving the protocol name:
1. a fixed mapping to the string `ipencap`, which should always work
for Kilo whenever it runs in the Alpine Linux container; and
2. a runtime lookup using the netd database, which only works if Kilo is
compiled with CGO and is meant to be used only if Kilo is not running in
the normal container environment.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-03-13 15:24:55 +01:00
Lucas Servén Marín 39803cef66
pkg/mesh: correctly check 172.16/12 IP range
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-03-06 00:50:48 +01:00
Lucas Servén Marín 7cc707f335
pkg/mesh: correctly identify 172.16/12 IPs
Currently Kilo incorrectly identifies the 172.16/12 private IP range.
This commit fixes the logic.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-03-05 18:27:12 +01:00
Lucas Servén Marín 8dbbc636b5
cmd/kg,pkg: add --resync-period flag
This commit introduces a new `--resync-period` flag to control how often
the Kilo controllers should reconcile.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-03-01 18:20:06 +01:00
Lucas Servén Marín 4b32c49ae1
pkg/iptables: add logger to iptables controller
This commit adds a logger to the iptables controller using the options
pattern. It also logs when the controller needs to reset rules, to be
able to identify costly reconciliations.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-02-26 20:54:16 +01:00
Lucas Servén Marín acfd0bbaec
pkg/iptables: reduce calls to iptables
Currently, every time the iptables controller syncs rules, it spawns
an iptables process for every rule it checks. This causes two problems:
1. it creates unnecessary load on the system; and
2. it causes contention on the xtables lock file.

This commit creates a lazy cache for iptables rules and chains that
avoids spawning iptables processes. This means that each time the
iptables rules are reconciled, if no rules need to be changed then at
most one iptables process should be spawned to check all of the rules in
a chain and at most one process should be spawned to check all of the
chains in a table.

Note: the success of this reduction in calls to iptables depends on a
somewhat fragile comparison of iptables rule text. The text of any rule
must match exactly, including the order of the flags. An improvement to
come would be to implement an iptables rule parser that can be used to
check semantic equivalence between iptables rules.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-02-20 19:24:06 +01:00
leonnicolas 52d8d13047
pkg/mesh/mesh.go: iptables rules in encapsulation
Because of new naming conventions for locations, the CIDRs were not
being set within locations.
This lead to no iptables rules added for nodes in the same location.
2021-02-20 02:00:57 +01:00
Ben Grabham 709c1ec6c0
Don't add generic ACCEPT rules to the filter chain
2021-02-15 12:00:25 +00:00
Lucas Servén Marín 03545d674f
pkg/mesh: don't shadow privIface
This commit fixes a bug where the variable holding the index of the
private interface was shadowed, causing it to always be "0".

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-01-30 20:09:50 +01:00
Lucas Servén Marín f61b902128
Merge pull request #106 from leonnicolas/bug_iptables
BUG: iptables rules
2021-01-30 17:42:28 +01:00
Lucas Servén Marín 64fb06a383
pkg/k8s: bump headers for 2021
This commit re-generates all generated files to include the new year in
the comment.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-01-30 17:40:01 +01:00
leonnicolas 448f618c60
BUG: iptables rules
Add default iptables to allow forward traffic from and to pod cidr.

Previously Kilo expected the default behaviour of the forward chain to
accept packets, which can not be guaranteed.
2021-01-30 12:52:30 +01:00
Lucas Servén Marín 3563e660dc
Merge pull request #105 from squat/fix_graph_title
pkg/mesh/graph.go: use WireGuard CIDR as title
2021-01-29 18:21:11 +01:00
Lucas Servén Marín 4d00bc56fe
pkg/mesh/graph.go: use WireGuard CIDR as title
This commit changes the graph so that the WireGuard CIDR is used as the
title rather than the pod subnet assigned to a node in the cluster.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-01-29 15:49:42 +01:00
leonnicolas 3a201ba0fa
Nodes without private IPs
Allow nodes to have no private IPs.
Nodes without private IPs will automatically be put into
their own location.
2021-01-24 22:37:24 +01:00
Lucas Servén Marín 95c0143b1a
pkg/mesh/mesh.go: ignore Kilo IP during discovery
This ensures that Kilo will not select an IP assigned to the Kilo
interface when discovering public and private IPs.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-01-19 20:25:50 +01:00
leonnicolas e30cff5293
FEATURE: user space wireguard
Add the possibility to use a user space implementation of wireguard. Specifically, the rust implementation boringtun.
2020-12-29 18:50:58 +01:00
Tadeuš Varnas 849449890d
Apply suggestions from code review
Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
2020-12-14 10:20:53 +02:00
varnastadues cb12666fc1
feat: add support for custom topology label
2020-12-11 16:44:20 +02:00