* Pin boringtun image tag
Pin the image to a tag before boringtun's cli changed.
Specifically, the --disable-drop-privileges flag needs a boolean param.
* Fix image name
* feat: cilium add-mode support
When CNI management by Kilo is disabled, we can use the existing cluster's CNI setup thanks to add-on mode:
https://kilo.squat.ai/docs/introduction#add-on-mode
* feat: manifest example for cilium addon mode
* fix: apply comment from PR review
* fix: add mutex to interface retrieval in Flannel add-on mode
As mentioned in the Kilo Slack [0], Kubernetes supports CNI 0.4.0 and
does not yet support 1.0.0. Correspondingly, this commit downgrades the
declared CNI version in the configuration to 0.4.0 and crucially updates
the configuration used in the e2e tests to exercise this new CNI
version.
[0] https://kubernetes.slack.com/archives/C022EB4R7TK/p1650455432970199?thread_ts=1650368553.132859&cid=C022EB4R7TK
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
* CNI: bump to 1.0.1
This commit bumps the declared version of CNI in the Kilo manifests to
1.0.1. This is possible with no changes to the configuration lists
because our simple configuration is not affected by any of the
deprecations, and there was effectively no change between 0.4.0 and
1.0.0, other than the declaration of a stable API. Similarly, this
commit also bumps the version of the CNI library and the plugins
package.
Bumping to CNI 1.0.0 will help ensure that Kilo stays compatible with
container runtimes in the future.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
* vendor: revendor
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit adds a manifest for deploying a WireGuard prometheus
exporter, Role and RoleBinding for kube-prometheus to monitor the Kilo
namespace and a new guide in the docs about how to monitor Kilo.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
Use a maintained fork of certgen.
The former project is not maintained anymore and will not work for
Kubernetes v1.22 because the admission v1beta1 API was dropped.
Also fix the name of the liste-metrics flag.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
This commit adds a sub command `webhook` to Kilo.
It will start an HTTPS web server that answers requests from a Kubernetes
API server to validate updates and creations of Kilo peers.
It also updates the "Peer Validation" docs to enable users to
install the webhook server and generate the self-signed certificates in
the cluster by only applying a manifest.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
Apply suggestions from code review
Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
When updating Kilo to the latest version of the CustomResourceDefinition
API, the Kilo Peer CRD was incorrectly scoped as a namespaced resource
due to differences in the ergonomics of the tooling.
This commit fixes the scoping of the Peer CRD to be cluster-wide.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
Since Kilo now uses the `kilo.squat.ai/discovered-endpoints` annotation
for Peer discovery, Kilo no longer needs to update Peer resources, so we
can remove this permission from the ClusterRole. Note, the RBAC in the
manifests is not used today, but we eventually want to migrate to this.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
- upgrade from apiextensions v1beta1 to v1
- generate a YAML manifest for the CRD instead of applying it at runtime
- users will have to apply the manifest with kubectl
- kg and kgctl log an error if the CRD is not present
- now validation should actually work
Signed-off-by: leonnicolas <leonloechner@gmx.de>
This commit amends all of the Kilo manifests so that the DaemonSets
declare the port they expose.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit adds a guide for deploying Kubernetes NetworkPolicy support
to a cluster running Kilo.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
Enhancement: change the kubeconfig hostPath for k3s agent nodes. This makes it easier to install Kilo on k3s as no manual kubeconfig copying is necessary. (#14)
Not all K8s installs will correctly match the node's hostname to the
node's name in the API. We can get around this by setting the name Kilo
uses to the node name in the API.
This commit adds basic support to run in compatibility mode with
Flannel. This allows clusters running Flannel as their principal
networking solution to leverage some advanced Kilo features. In certain
Flannel setups, the clusters can even leverage multi-cloud. For this, the
cluster needs to either run in a full mesh, or Flannel needs to use the
API server's external IP address.
This commit ensures that the WireGuard private key is re-used between
container restarts. The result of this is that external peers can keep
using their configuration and don't need to be re-configured just
because the Kilo container restarted.
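The load-or-generate pattern this commit describes, written here as an added stand-alone example rather than Kilo's own code: a WireGuard private key is read back from a persisted file on every start, and only generated (and written with mode 0600) when no key exists yet, so peers configured against the node's public key keep working across container restarts. The function names, the file path and the key-file layout (one base64 line, as `wg genkey` emits) are assumptions for this illustration; the path is assumed to sit on a volume that outlives the container.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// generatePrivateKey returns a fresh WireGuard private key: 32 random bytes,
// clamped as Curve25519 requires, encoded in base64 like `wg genkey` does.
func generatePrivateKey() (string, error) {
	var k [32]byte
	if _, err := rand.Read(k[:]); err != nil {
		return "", fmt.Errorf("reading random bytes: %w", err)
	}
	k[0] &= 248
	k[31] &= 127
	k[31] |= 64
	return base64.StdEncoding.EncodeToString(k[:]), nil
}

// validateKey rejects anything that is not a base64-encoded 32-byte key, so a
// corrupted or truncated file is reported instead of silently used.
func validateKey(key string) error {
	raw, err := base64.StdEncoding.DecodeString(key)
	if err != nil {
		return fmt.Errorf("key is not valid base64: %w", err)
	}
	if len(raw) != 32 {
		return fmt.Errorf("key has %d bytes, want 32", len(raw))
	}
	return nil
}

// loadOrCreatePrivateKey (hypothetical helper, not Kilo's API) returns the key
// stored at path, creating and persisting one only if the file is absent.
// The second return value reports whether a new key was generated.
func loadOrCreatePrivateKey(path string) (string, bool, error) {
	b, err := os.ReadFile(path)
	if err == nil {
		key := strings.TrimSpace(string(b))
		if err := validateKey(key); err != nil {
			return "", false, fmt.Errorf("existing key at %s: %w", path, err)
		}
		return key, false, nil
	}
	if !errors.Is(err, os.ErrNotExist) {
		return "", false, fmt.Errorf("reading %s: %w", path, err)
	}
	key, err := generatePrivateKey()
	if err != nil {
		return "", false, err
	}
	if err := os.MkdirAll(filepath.Dir(path), 0o700); err != nil {
		return "", false, fmt.Errorf("creating key directory: %w", err)
	}
	// 0600: the private key must be readable by the owning process only.
	if err := os.WriteFile(path, []byte(key+"\n"), 0o600); err != nil {
		return "", false, fmt.Errorf("persisting key: %w", err)
	}
	return key, true, nil
}

func main() {
	dir, err := os.MkdirTemp("", "wg-key-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "private.key") // constructed path for the demo
	k1, created1, err := loadOrCreatePrivateKey(path)
	if err != nil {
		panic(err)
	}
	// Simulates a container restart: same volume, second process start.
	k2, created2, err := loadOrCreatePrivateKey(path)
	if err != nil {
		panic(err)
	}
	fmt.Printf("first start generated key: %v\nsecond start generated key: %v\nsame key reused: %v\n",
		created1, created2, k1 == k2)
}
```

Keeping the key on a volume is what makes this work; with an ephemeral filesystem the second start would generate a new key and every peer would have to be reconfigured, which is exactly the failure the commit addresses.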
This commit enables Kilo to work as an independent networking provider.
This is done by leveraging CNI. Kilo brings the necessary CNI plugins to
operate and takes care of all networking.
Add-on compatibility for Calico, Flannel, etc., will be re-introduced
shortly.