* Pin boringtun image tag
Pin the image to a tag before boringtun's cli changed.
Specifically the --disable-drop-privileges flag need a boolean param.
* Fix image name
As mentioned in the Kilo Slack [0], Kubernetes supports CNI 0.4.0 and
does not yet support 1.0.0. Correspondingly, this commit downgrades the
declared CNI version in the configuration to 0.4.0 and crucially updates
the configuration used in the e2e tests to exercise this new CNI
version.
[0] https://kubernetes.slack.com/archives/C022EB4R7TK/p1650455432970199?thread_ts=1650368553.132859&cid=C022EB4R7TK
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
* kgctl connect
Use kgctl connect to connect your laptop to a cluster.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* cmd/kgctl: finish connect command
This commit fixes some bugs and finishes the implementation of the
`kgctl connect` command.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
* e2e: add tests for kgctl connect
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
* docs: add documentation for `kgctl connect`
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
* pkg/mesh: move peer route generation to mesh
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
* migrate to golang.zx2c4.com/wireguard/wgctrl
This commit introduces the usage of wgctrl.
It avoids the usage of exec calls of the wg command
and parsing the output of `wg show`.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* vendor wgctrl
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* apply suggestions from code review
Remove wireguard.Enpoint struct and use net.UDPAddr for the resolved
endpoint and addr string (dnsanme:port) if a DN was supplied.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* pkg/*: use wireguard.Enpoint
This commit introduces the wireguard.Enpoint struct.
It encapsulates a DN name with port and a net.UPDAddr.
The fields are private and only accessible over exported Methods
to avoid accidental modification.
Also iptables.GetProtocol is improved to avoid ipv4 rules being applied
by `ip6tables`.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* pkg/wireguard/conf_test.go: add tests for Endpoint
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* cmd/kg/main.go: validate port range
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* add suggestions from review
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* pkg/mesh/mesh.go: use Equal func
Implement an Equal func for Enpoint and use it instead of comparing
strings.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* cmd/kgctl/main.go: check port range
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* vendor
Signed-off-by: leonnicolas <leonloechner@gmx.de>
adjacency is running in the default namespace.
Prior to this commit the block_until_ready function
received the adjacency namespace instead of the default
namespace as a parameter.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
docker: add missing fonts for rasterized graphviz output formats
add missing license header
kg: do not export handlers
use http package for status codes
keep checks for errors in a single line
simplify error message about failed invocation of dot
pass node hostname and subnet to graph handler
use SVG as default format for graph handler
register health handler with HandleFunc
add option for selecting layout to graph handler and using circo as new default
e2e: add tests for HTTP handlers
e2e: fix and simplify handler tests
add should comments to assertions
e2s: use assert_fail instead of assert _not
add missing mime-type header for graph handler
use switch/case statements for validating formats / layouts
e2e: fix handlers tests
Co-authored-by: leonnicolas <60091705+leonnicolas@users.noreply.github.com>
graph-handler: add missing font to Dockerfile
Dockerfile: remove unnecessary font
This commit leaves Noto as the only font package, as one font package is
sufficient for the container.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
Since Kilo now uses the `kilo.squat.ai/discovered-endpoints` annotation
for Peer discovery, Kilo no longer needs to update Peer resources, so we
can remove this permission from the ClusterRole. Note, the RBAC in the
manifests is not used today, but we eventually want to migrate to this.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit adds a new test suite to the e2e tests that validates
multi-cluster connectivity in Kilo. This is really just an extension of
the testing of the Peers CRD and related tooling that also exercises the
`--allowed-ips` flag of the `kgctl` tool.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit simplifies the check_adjacency helper to us the curl_pod
helper rather than a re-written version of it. It also simplifies the
curl_pod helper slightly to avoid the need for an additional shell.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit allows the kind cluster configuration to be parameterized at
call time. This enables the test suite to build multiple clusters with
different configurations, e.g. different CIDRs, different numbers of
nodes, etc.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit modifies the logic of the check_adjacent helper so that
rather than expecting the argument to be n^2+n it expects simply n. This
makes it easier to update the caller when the number of nodes in the
cluster changes.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit modifies the e2e shell scripts so that the KUBECONFIG
variable does not need to be exported. This will become important once
we allow the e2e test suite to launch multiple clusters, e.g. to test
multi-cluster connectivity.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
Currently, each test suite spins up its own kind cluster, which results
in longer e2e test times as each test suite needs to wait for the
cluster to be ready and for images to download. This commit creates two
new virtual test suites that are run before and after the actual e2e
tests and are responsible for creating and destroying a kind cluster
respectively. Any test suite that needs a fresh cluster can still spin
up its own using the `create_cluster` helper in the lib.sh file.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit splits the e2e tests into different suites that all reuse
helper functions from the lib.sh file. This split ensures that the tests
within a suite can all have the same setup, e.g. all tests depending on
a full-mesh will be set up with a full-mesh, and is resilient against
changes in test ordering.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit adds a new e2e test fot the recently introduced
allowed-location-ips annotation. This test annotates the control-plane
node with an allowed IP and then ensures this IPs is reachable from
the curl helper Pod, which is now guaranteed to be scheduled on a
worker node.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit adds an e2e test that ensures that invalid Kilo Peers are
rejected thanks to the improved OpenAPI v3 validation.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
The recent test refactor wrapped the adjacency check in a `retry`,
however, the `check_adjacent` function had an `assert` in it, which
meant that the test would fail immediately and not be retried. This
commit moves the assertion out of the check, which also allows for
improved code reuse.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit adds testing of the VPN feature of Kilo to the e2e tests.
Also, in order to make the tests less flaky, this commit ensures that
the Kilo Pods use the "root" kubeconfig to connect to the API rather
than the Kubernetes API's cluster IP, which can become unavailable when
networking is reconfigured.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit refactors the e2e tests in the following ways:
* bump the version of `bash_unit` to 1.7.2: the previous version was
from 2018;
* remove the unused `block` function;
* fix the order of `block_unitil_ready_by_name` and `check_ping`: we
should not attempt to interact with pods before they are considered
ready;
* extract the retry logic into a reusable function called `retry`; and
* retry the `check_adjacent` function for robustness.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
- upgrade from apiextension v1beta1 to v1
- generate yaml manifest for crd intead of applying it at runtime
- users will have to apply the manifest with kubectl
- kg and kgctl log an error if the crd is not present
- now validation should actually work
Signed-off-by: leonnicolas <leonloechner@gmx.de>
This commit fixes lint warnings produced by shellcheck. This simplifies
some of the `if`s and protects against variables with spaces. We may
want to consider shellchecking all scripts in the repo.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
Tests are using kind, adjacency and bash_unit.
A kind cluster is spun up and the previously build container image of
Kilo is loaded into it.
Adjacency and a curl container is started.
From the curl container a http request is send to the adjacency service.
The test fails if curl returns an unexpected result.
Two test are run. One with `mesh-granularity=full` and `location`.
The e2e test is only run for pull request because it is a bit flaky for
automatic nightly runs.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
leonnicolas
Lucas Servén Marín
leonnicolas
Steffen Vogel