If the `iptables-allow-forwad` is true, we should also forward packages
to and from private IPs and allowed location IPs of the location.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
Before this commit we added the forward ALLOW rule only for the node's
pod CIDR and not all pod CIDRs of a location. This commit adds the
forward ALLOW rule for packages from (source) and to (destination) all
pod CIDRs of the location if the node is a leader node.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* pkg/mesh/routes.go: add flag for generic ACCEPT in FORWARD chain
Some linux distros or docker will set the default policy in the FORWARD
chain in the filter table to DROP. With the new ip-tables-forward-rules
flag a generic ACCEPT for all packages going from and to the pod subnet
is added to the FORWARD chain.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* Update cmd/kg/main.go
Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
* Update cmd/kg/main.go
Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
This commit adds a stage to the GitHub Actions CI workflow to verify
that vendor and go.mod/sum are always up-to-date. If the vendored files
require any changes then CI will fail. This ensures that the repo
remains the source of truth.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
* docs: kgctl binary install on Archlinux
I've created a package in Arch User Repository for easily installing `kgctl` on Archlinux via an AUR helper like `yay` or `paru`. This internally fetches the binaries from [the GitHub releases page](https://github.com/squat/kilo/releases)
Related Links:
- https://aur.archlinux.org/packages/kgctl-bin
- https://github.com/codingCoffee/PKGBUILDs
Signed-off-by: Ameya Shenoy <shenoy.ameya@gmail.com>
* docs(kgctl): syntactical sugar
Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
* docs(kgctl): syntactical sugar
Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
* docs(kgctl): syntactical sugar
Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
`cobra` automatically prints and error if `runE` returns an error.
Since we explicitly print the error, we need to silence cobra.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
Use a maintained fork of certgen.
The former project is not maintained anymore and will not work for
Kubernteses v1.22 because the admission v1beta1 API was dropped.
Also fix the name of the liste-metrics flag.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
This commit adds a sub command `webhook` to Kilo.
It will start a https web server that answeres request from a Kubernetes
API server to validate updates and creations of Kilo peers.
It also updates the "Peer Validation" docs to enable users to
install the web hook server and generate the self signed certificates in
the cluster by only applying a manifest.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
Apply suggestions from code review
Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
This commit uses cobra instead of pflags in kg to handle flags in preparation to add a new subcommand
for the webhook server.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
When updating Kilo to the latest version of the CustomResourceDefinition
API, the Kilo Peer CRD was incorrectly scoped as a namespaced resource
due to differences in the ergonomics of the tooling.
This commit fixes the scoping of the Peer CRD to be cluster-wide.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
adjacency is running in the default namespace.
Prior to this commit the block_until_ready function
received the adjacency namespace instead of the default
namespace as a parameter.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
docker: add missing fonts for rasterized graphviz output formats
add missing license header
kg: do not export handlers
use http package for status codes
keep checks for errors in a single line
simplify error message about failed invocation of dot
pass node hostname and subnet to graph handler
use SVG as default format for graph handler
register health handler with HandleFunc
add option for selecting layout to graph handler and using circo as new default
e2e: add tests for HTTP handlers
e2e: fix and simplify handler tests
add should comments to assertions
e2s: use assert_fail instead of assert _not
add missing mime-type header for graph handler
use switch/case statements for validating formats / layouts
e2e: fix handlers tests
Co-authored-by: leonnicolas <60091705+leonnicolas@users.noreply.github.com>
graph-handler: add missing font to Dockerfile
Dockerfile: remove unnecessary font
This commit leaves Noto as the only font package, as one font package is
sufficient for the container.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
Since Kilo now uses the `kilo.squat.ai/discovered-endpoints` annotation
for Peer discovery, Kilo no longer needs to update Peer resources, so we
can remove this permission from the ClusterRole. Note, the RBAC in the
manifests is not used today, but we eventually want to migrate to this.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit standardizes how we display a `note` in our docs.
Previously, we used a mix of `_Note_:`, `__Note:__`, `> Note`, and `>
**Note**:` among others. Now, all notes appear as `> **Note**:`.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit adds a new test suite to the e2e tests that validates
multi-cluster connectivity in Kilo. This is really just an extension of
the testing of the Peers CRD and related tooling that also exercises the
`--allowed-ips` flag of the `kgctl` tool.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit enables the filtering of e2e tests that should be run when
using the Makefile's `e2e` target through the specification of the
`BASH_UNIT_FLAGS` environment variable. The value of this variable will
be passed as arguments to the `bash_unit` command, enabling filtering of
tests.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
* wireguard: `wg show iface dump` reader and parser
* mesh: use LatestHandshake to validate NAT Endpoints
* add skip on error
* switch to loop parsing
So the stop on error pattern can be used
* Add error handling to ParseDump
This commit simplifies the check_adjacency helper to us the curl_pod
helper rather than a re-written version of it. It also simplifies the
curl_pod helper slightly to avoid the need for an additional shell.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit allows the kind cluster configuration to be parameterized at
call time. This enables the test suite to build multiple clusters with
different configurations, e.g. different CIDRs, different numbers of
nodes, etc.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit modifies the logic of the check_adjacent helper so that
rather than expecting the argument to be n^2+n it expects simply n. This
makes it easier to update the caller when the number of nodes in the
cluster changes.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit modifies the e2e shell scripts so that the KUBECONFIG
variable does not need to be exported. This will become important once
we allow the e2e test suite to launch multiple clusters, e.g. to test
multi-cluster connectivity.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
Currently, each test suite spins up its own kind cluster, which results
in longer e2e test times as each test suite needs to wait for the
cluster to be ready and for images to download. This commit creates two
new virtual test suites that are run before and after the actual e2e
tests and are responsible for creating and destroying a kind cluster
respectively. Any test suite that needs a fresh cluster can still spin
up its own using the `create_cluster` helper in the lib.sh file.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>