* Pin boringtun image tag
Pin the image to a tag from before boringtun's CLI changed.
Specifically, the --disable-drop-privileges flag needs a boolean param.
* Fix image name
* feat: cilium add-mode support
When CNI management by Kilo is disabled, we can use the existing cluster's CNI setup thanks to add-on mode.
https://kilo.squat.ai/docs/introduction#add-on-mode
* feat: manifest example for cilium addon mode
* fix: apply comment from PR review
* fix: add mutex to interface retrieval in flannel addon mode
* CI: use staticcheck for linting
This commit switches the linter for Go code from golint to staticcheck.
Golint has been deprecated since last year and staticcheck is a
recommended replacement.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
* revendor
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
* cmd,pkg: fix lint warnings
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit enhances the Kilo agent internal HTTP server to include
pprof endpoints. For simplicity, this commit migrates the internal
server creation to https://github.com/metalmatze/signal/internalserver,
which allows for easy registration of common internal server
observability endpoints.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
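An added illustration of the pattern described in this commit, written for this page: it is not Kilo's code and does not use the metalmatze/signal internalserver package, but shows the same registration done with only the Go standard library, with the pprof handlers mounted on a dedicated mux behind a loopback-only listener. The listen address, the `/healthz` handler and the helper names are assumptions.

```go
package main

import (
	"log"
	"net/http"
	"net/http/pprof"
)

// newInternalMux builds the mux for the agent's internal HTTP server.
// Importing net/http/pprof registers its handlers on http.DefaultServeMux
// as a side effect, so any server started with a nil handler would expose
// them; mounting them explicitly on a dedicated mux, and never serving
// DefaultServeMux on a public port, keeps profiling data off the service
// listener. (Illustrative code, not Kilo's.)
func newInternalMux() *http.ServeMux {
	mux := http.NewServeMux()

	// Ordinary observability endpoint (assumed name).
	mux.HandleFunc("/healthz", func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK)
	})

	// The same pprof endpoints the stdlib registers in its init().
	mux.HandleFunc("/debug/pprof/", pprof.Index)
	mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
	mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
	mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
	mux.HandleFunc("/debug/pprof/trace", pprof.Trace)
	return mux
}

// pprofPaths lists the profiling endpoints the mux exposes, so that a
// test (or a network policy) can enumerate them.
func pprofPaths() []string {
	return []string{
		"/debug/pprof/",
		"/debug/pprof/cmdline",
		"/debug/pprof/profile",
		"/debug/pprof/symbol",
		"/debug/pprof/trace",
	}
}

func main() {
	// Listen address is an assumption; the point is that profiling and
	// health endpoints share a loopback-only listener that is separate
	// from any service port.
	log.Fatal(http.ListenAndServe("127.0.0.1:1107", newInternalMux()))
}
```

The `/debug/pprof/profile` and `/debug/pprof/trace` handlers block for the requested duration while sampling, so even on an internal listener they should only be reachable by operators.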
- bump golang 1.17 -> 1.18
- bump alpine 3.14 -> 3.15
- revendor
We need to use golang instead of golang:alpine because it does not
contain git anymore. This should be fine as we are not enabling CGO,
thus not linking against musl instead of libc.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
Currently, Kilo _only_ supports adding firewall rules via the legacy
iptables API. This means that on systems using nftables in the host
network namespace, the namespace will be polluted and both firewall
infrastructures will be used, causing unexpected and difficult
to predict interactions. In other words, networking may not work as
expected on nftables-based systems.
This PR fixes this by using the iptables-wrappers project [0] to install
run-time detection of the in-use iptables backend.
[0] https://github.com/kubernetes-sigs/iptables-wrappers
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
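To make the run-time detection concrete, here is an added example (written for this page, not Kilo's code and not the iptables-wrappers script itself) that reimplements in Go the heuristic the wrappers apply: if kubelet's hint chain (`KUBE-IPTABLES-HINT`, or the older `KUBE-KUBELET-CANARY`) is present in one backend's dump, that backend is chosen; otherwise the backend holding more rules wins, with legacy preferred on a tie. The two `iptables-*-save` dumps are constructed sample input; in practice they come from running `iptables-legacy-save` and `iptables-nft-save` on the host.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// countRules counts rule lines (those starting with "-", e.g. "-A INPUT ...")
// in an iptables-save style dump. Chain declarations (":NAME ...") and
// table headers ("*filter") are not rules and are not counted.
func countRules(dump string) int {
	n := 0
	sc := bufio.NewScanner(strings.NewReader(dump))
	for sc.Scan() {
		if strings.HasPrefix(sc.Text(), "-") {
			n++
		}
	}
	return n
}

// hasKubeHint reports whether the dump declares one of the chains kubelet
// creates to advertise which backend it uses: KUBE-IPTABLES-HINT (newer)
// or KUBE-KUBELET-CANARY (older).
func hasKubeHint(dump string) bool {
	sc := bufio.NewScanner(strings.NewReader(dump))
	for sc.Scan() {
		line := sc.Text()
		if strings.HasPrefix(line, ":KUBE-IPTABLES-HINT ") ||
			strings.HasPrefix(line, ":KUBE-KUBELET-CANARY ") {
			return true
		}
	}
	return false
}

// detectBackend chooses "nft" or "legacy" from the two dumps, in the order
// the iptables-wrappers heuristic uses (reimplemented here for illustration):
// a kube hint chain decides; otherwise the backend holding more rules wins,
// legacy on a tie.
func detectBackend(legacyDump, nftDump string) string {
	if hasKubeHint(nftDump) {
		return "nft"
	}
	if hasKubeHint(legacyDump) {
		return "legacy"
	}
	if countRules(legacyDump) >= countRules(nftDump) {
		return "legacy"
	}
	return "nft"
}

// Constructed sample dumps for an nftables-based host on which kubelet has
// already created its chains; the legacy backend holds no rules.
const sampleLegacyDump = `# Generated by iptables-legacy-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
`

const sampleNftDump = `# Generated by iptables-nft-save
*filter
:INPUT ACCEPT [0:0]
:KUBE-FIREWALL - [0:0]
-A INPUT -j KUBE-FIREWALL
-A KUBE-FIREWALL -m mark --mark 0x8000/0x8000 -j DROP
COMMIT
*mangle
:KUBE-IPTABLES-HINT - [0:0]
COMMIT
`

func main() {
	fmt.Println(detectBackend(sampleLegacyDump, sampleNftDump)) // nft
}
```

Note that an agent which picks the backend once at start-up is only as good as that first read: on a host where kube-proxy has not yet written any rules both dumps can be empty, which the tie rule resolves to legacy, and that is exactly the situation the hint chain was introduced to remove.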
This commit updates the CI configuration for Kilo to ensure that the
documentation, specifically the generated docs, are up-to-date.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
As mentioned in the Kilo Slack [0], Kubernetes supports CNI 0.4.0 and
does not yet support 1.0.0. Correspondingly, this commit downgrades the
declared CNI version in the configuration to 0.4.0 and crucially updates
the configuration used in the e2e tests to exercise this new CNI
version.
[0] https://kubernetes.slack.com/archives/C022EB4R7TK/p1650455432970199?thread_ts=1650368553.132859&cid=C022EB4R7TK
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
* CNI: bump to 1.0.1
This commit bumps the declared version of CNI in the Kilo manifests to
1.0.1. This is possible with no changes to the configuration lists
because our simple configuration is not affected by any of the
deprecations, and there was effectively no change between 0.4.0 and
1.0.0, other than the declaration of a stable API. Similarly, this
commit also bumps the version of the CNI library and the plugins
package.
Bumping to CNI 1.0.0 will help ensure that Kilo stays compatible with
container runtimes in the future.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
* vendor: revendor
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
Currently, the job to build kgctl binaries is named `linux`, which
suggests to the reader that the job is only building binaries for Linux,
when it is in fact building binaries for Linux, Darwin, and Windows.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
Currently, CI only runs for PRs to the main branch. This commit modifies
the configuration so that it runs for PRs to any branch.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
* kgctl connect
Use kgctl connect to connect your laptop to a cluster.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* cmd/kgctl: finish connect command
This commit fixes some bugs and finishes the implementation of the
`kgctl connect` command.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
* e2e: add tests for kgctl connect
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
* docs: add documentation for `kgctl connect`
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
* pkg/mesh: move peer route generation to mesh
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
Currently, when rendering the configuration for a Peer, the allowed
location configs of any segment are erroneously ignored, meaning that an
administrator will have to manually edit the configuration to get the
expected behavior from a Peer. This commit fixes the generation of the
configuration.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
Right now, the persistent keepalive field of the Peer CRD is always
interpreted as nanoseconds and not seconds. This causes a mismatch
between Kilo's expected behavior and the actual interval that is given
to Peers. Because the interval is interpreted as nanoseconds the value
rounds down to 0 seconds.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
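The unit bug above is a common Go mistake, so here is an added example (illustrative code written for this page, not Kilo's types or fix) showing both conversions side by side, plus a sanity check that would have caught it. `PeerSpec` is a simplified stand-in for the CRD field; the check relies on WireGuard taking the interval as a whole number of seconds stored in 16 bits (0 disables it, 65535 is the maximum).

```go
package main

import (
	"fmt"
	"time"
)

// PeerSpec stands in for the relevant field of the Peer CRD: an integer
// that operators write in seconds (simplified; not Kilo's type).
type PeerSpec struct {
	PersistentKeepalive int
}

// keepaliveBuggy reproduces the mistake: a bare time.Duration conversion
// keeps the integer's numeric value, and time.Duration counts nanoseconds,
// so 25 becomes 25ns.
func keepaliveBuggy(s PeerSpec) time.Duration {
	return time.Duration(s.PersistentKeepalive)
}

// keepaliveFixed scales by time.Second so that 25 means 25s.
func keepaliveFixed(s PeerSpec) time.Duration {
	return time.Duration(s.PersistentKeepalive) * time.Second
}

// wgSeconds is what finally reaches WireGuard: the interval as a whole
// number of seconds. Anything below one second truncates to 0, which
// WireGuard treats as "keepalives off".
func wgSeconds(d time.Duration) int {
	return int(d / time.Second)
}

// checkKeepalive rejects intervals that cannot be what an operator meant:
// a non-zero value below one second is almost certainly a unit mix-up, and
// WireGuard stores the interval as a 16-bit count of seconds.
func checkKeepalive(d time.Duration) error {
	if d != 0 && d < time.Second {
		return fmt.Errorf("keepalive %v is below 1s: wrong unit?", d)
	}
	if d/time.Second > 65535 {
		return fmt.Errorf("keepalive %v exceeds the 65535s maximum", d)
	}
	return nil
}

func main() {
	spec := PeerSpec{PersistentKeepalive: 25}
	fmt.Println(wgSeconds(keepaliveBuggy(spec)), checkKeepalive(keepaliveBuggy(spec)))
	fmt.Println(wgSeconds(keepaliveFixed(spec)), checkKeepalive(keepaliveFixed(spec)))
}
```

The practical consequence of the buggy path is that a Peer behind NAT silently stops sending keepalives, so its NAT mapping expires and inbound traffic from the cluster is dropped until the Peer next talks.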
Currently, when a node is behind NAT, it is possible that routes to the
node's private IP address, i.e. routes necessary to communicate with the
Kubelet and any Pods on the host network, will not be created because
the private IP is seen as the same as the location's endpoint and is
thus skipped because trying to encapsulate traffic to the endpoint would
break communication with the endpoint itself.
This logic is not correct for nodes that are behind NAT, because the
endpoint that the node reports may not be the same as the discovered
endpoint for the location. Instead, we should compare the private IP
address to the discovered endpoint.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
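An added example of the comparison described in this commit, written for this page with a simplified node model (not Kilo's types or its route generation): the old and the fixed decision side by side, applied to one public node and one node behind NAT. The node addresses and the interface name `kilo0` are constructed sample input.

```go
package main

import (
	"fmt"
	"net"
)

// node is a simplified model of what the mesh knows about a peer node
// (illustrative; not Kilo's types).
type node struct {
	Name               string
	PrivateIP          net.IP // Kubelet address; host-network Pods live here
	ReportedEndpoint   net.IP // endpoint the node itself advertises
	DiscoveredEndpoint net.IP // endpoint the rest of the mesh observes for the location
}

// A host route to the private IP over the WireGuard interface must be
// skipped when that IP is the very address packets are encapsulated to;
// otherwise the tunnel would try to carry its own outer packets.

// privateRouteNeededOld is the pre-fix rule: compare against the endpoint
// the node reported. Behind NAT the reported endpoint is the node's own
// private address, so the route is wrongly skipped.
func privateRouteNeededOld(n node) bool {
	return !n.PrivateIP.Equal(n.ReportedEndpoint)
}

// privateRouteNeeded is the fixed rule: compare against the discovered
// endpoint, the address encapsulated traffic actually leaves for.
func privateRouteNeeded(n node) bool {
	return !n.PrivateIP.Equal(n.DiscoveredEndpoint)
}

// privateRoutes renders the host routes that would be installed over the
// WireGuard interface for each node, using the given decision function.
func privateRoutes(nodes []node, needed func(node) bool, iface string) []string {
	var routes []string
	for _, n := range nodes {
		if needed(n) {
			routes = append(routes, fmt.Sprintf("%s/32 dev %s", n.PrivateIP, iface))
		}
	}
	return routes
}

// Constructed sample: one node on a public address, one behind NAT whose
// reported endpoint is its private address while the mesh sees the NAT's
// public address.
var sampleNodes = []node{
	{
		Name:               "public-1",
		PrivateIP:          net.ParseIP("198.51.100.4"),
		ReportedEndpoint:   net.ParseIP("198.51.100.4"),
		DiscoveredEndpoint: net.ParseIP("198.51.100.4"),
	},
	{
		Name:               "natted-1",
		PrivateIP:          net.ParseIP("10.0.0.5"),
		ReportedEndpoint:   net.ParseIP("10.0.0.5"),
		DiscoveredEndpoint: net.ParseIP("203.0.113.7"),
	},
}

func main() {
	fmt.Println(privateRoutes(sampleNodes, privateRouteNeededOld, "kilo0")) // []
	fmt.Println(privateRoutes(sampleNodes, privateRouteNeeded, "kilo0"))    // [10.0.0.5/32 dev kilo0]
}
```

With the old rule the NATed node gets no route at all, so nothing on the mesh can reach its Kubelet; with the fixed rule the public node's route is still correctly skipped, and only the NATed node's private address is routed into the tunnel.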