The current Alpine package CDN is timing out for aarch64. This commit
updates it to another mirror. This commit also changes the channel
Alpine channel from edge to v3.12. Note: the Dockerfile overrides the
Alpine CDN settings to ensure that a mirror with support for TLS is
used.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit introduces a new Prometheus metric to detect if the node is
a leader of its location, from its own point of view.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
Previously, when `deleteFromIndex` exited early due to an error, nil
rules would be left in the controller's list of rules, which could
provoke a panic on the next reconciliation. This commit ensures that nil
rules are removed before an early exit.
Fixes: #51
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
Previously, when udpdating the persistent keepalive of a node via
annotations, the node's WireGuard configuration was not updated. This
corrects the behavior.
Fixes: #54
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit adds support for defining preshared keys when declaring a
new Peer CRD. This preshared key will be used whenever the nodes in the
Kilo mesh communicate with that peer.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit adds a guide for deploying Kubernetes NetworkPolicy support
to a cluster running Kilo.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit enables simultaneously managing IPv4 and IPv6 iptables
rules. This makes it possible to have peers with IPv6 allowed IPs in an
otherwise IPv4 stack and vice versa.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit introduces a the Kilo website. It is generated with
Docusaurus and can be deployed with standard services like Netlify.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit introduces a new document explaining how peers can use the
Kilo cluster VPN as a gateway to the internet.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit enables NAT-ing packets outgoing to the WAN from both the
Pod subnet as well as from peers. This means that Pods can access the
Internet and that peers can use the Kilo mesh as a gateway to the
Internet.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit better organizes the location of iptables rules. This is
made possible by exposing two new funcs, `NewRule` and `NewChain`.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit re-enables old functionality, which permitted the generation
of the configuration for a cluster without any peers.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit changes how Kilo allows nodes and peers behind NAT to roam.
Rather that ignore changes to endpoints when comparing WireGuard
configurations, Kilo now incorporates changes to endpoints for peers
behind NAT into its configuration first and later compares the
configurations.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit documents the use of the persistent-keepalive annotation and
corrects the implementation of keepalives.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
Kilo had a routine that synchronized the endpoints of peers back into
the API to ensure that endpoints updated by WireGuard for a roaming peer
would always positively compare with the endpoints in the API. This is
no longer needed as Kilo will now simply ignore changes to endpoints for
peers with a non-zero persistent keepalive.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit enables Kilo to ignore changes to the endpoints of peers
that sit behind a NAT gateway. We use the heuristic of a non-zero
persistent keepalive to decide whether the endpoint field should be
ignored. This will allow NATed peers to roam and for every node in the
cluster to have a different value for a peer's endpoint, as is natural
when a peer's connections are NATed.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit fixes the issue encountered in #36, where the CNI config is
touched even though CNI management is disabled.
Fixes: #36
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit allows DNS names to be used when specifying the endpoint
for a node in the WireGuard mesh. This is useful in many scenarios, in
particular when operating an IoT device whose public IP is dynamic. This
change allows the administrator to use a dynamic DNS name in the node's
endpoint.
One of the side-effects of this change is that the WireGuard port can
now be specified individually for each node in the mesh, if the
administrator wishes to do so.
*Note*: this commit introduces a breaking change; the
`force-external-ip` node annotation has been removed; its functionality
has been ported over to the `force-endpoint` annotation. This annotation
is documented in the annotations.md file. The expected content of this
annotation is no longer a CIDR but rather a host:port. The host can be
either a DNS name or an IP.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
Lucas Servén Marín
Ruben Vermeersch
Eddie Wang
dependabot[bot]
Pavel