Currently, when a node is behind NAT, it is possible that routes to the
node's private IP address, i.e. routes necessary to communicate with the
Kubelet and any Pods on the host network, will not be created because
the private IP is seen as the same as the location's endpoint and is
thus skipped because trying to encapsulate traffic to the endpoint would
break communication with the endpoint itself.
This logic is not correct for nodes that are behind NAT, because the
endpoint that the node reports may not be the same as the discovered
endpoint for the location. Instead, we should compare the private IP
address to the discovered endpoint.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
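The two comparisons the commit message contrasts, as an added example that is not Kilo's own code. The `Node` and `Location` types, the `privateIPRoutes` helpers and the 203.0.113.7 / 192.168.1.x addresses are all constructed for illustration; `privateIPRoutesBuggy` keeps the pre-fix check against the node-reported endpoint so the difference is visible on the same input.

```go
package main

import (
	"fmt"
	"net"
)

// Node is the per-node state needed here (a hypothetical type for this
// example, not Kilo's own).
type Node struct {
	Name             string
	PrivateIP        net.IP       // reaches the kubelet and host-network pods
	ReportedEndpoint *net.UDPAddr // what the node believes its endpoint is
}

// Location groups the nodes that share one WireGuard endpoint.
type Location struct {
	DiscoveredEndpoint *net.UDPAddr // what peers actually observe, post-NAT
	Nodes              []Node
}

// privateIPRoutes returns the private IPs that need a route over the
// WireGuard interface. The only private IP that must be skipped is the
// discovered endpoint itself: sending tunnel traffic to the address that
// terminates the tunnel would break the tunnel.
func privateIPRoutes(loc Location) []net.IP {
	var dsts []net.IP
	for _, n := range loc.Nodes {
		if loc.DiscoveredEndpoint != nil && n.PrivateIP.Equal(loc.DiscoveredEndpoint.IP) {
			continue
		}
		dsts = append(dsts, n.PrivateIP)
	}
	return dsts
}

// privateIPRoutesBuggy keeps the pre-fix comparison against the endpoint the
// node reports. Behind NAT that reported endpoint is frequently the node's
// own private address, so the route to the node is dropped by mistake.
func privateIPRoutesBuggy(loc Location) []net.IP {
	var dsts []net.IP
	for _, n := range loc.Nodes {
		if n.ReportedEndpoint != nil && n.PrivateIP.Equal(n.ReportedEndpoint.IP) {
			continue
		}
		dsts = append(dsts, n.PrivateIP)
	}
	return dsts
}

// NATLocation is a constructed scenario: the location's endpoint was
// discovered as the NAT's public address 203.0.113.7; one node sits behind
// that NAT and reports its private 192.168.1.10 as its endpoint, one node
// reports nothing, and one node actually owns the public address.
func NATLocation() Location {
	ep := func(ip string) *net.UDPAddr { return &net.UDPAddr{IP: net.ParseIP(ip), Port: 51820} }
	return Location{
		DiscoveredEndpoint: ep("203.0.113.7"),
		Nodes: []Node{
			{Name: "natted", PrivateIP: net.ParseIP("192.168.1.10"), ReportedEndpoint: ep("192.168.1.10")},
			{Name: "silent", PrivateIP: net.ParseIP("192.168.1.11")},
			{Name: "public", PrivateIP: net.ParseIP("203.0.113.7"), ReportedEndpoint: ep("203.0.113.7")},
		},
	}
}

func main() {
	loc := NATLocation()
	fmt.Println("routes with the fix:   ", privateIPRoutes(loc))
	fmt.Println("routes before the fix: ", privateIPRoutesBuggy(loc))
}
```

With the fix, the NAT'd node keeps its route and only the node that really owns the discovered endpoint is skipped; the old comparison silently drops the NAT'd node.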
* migrate to golang.zx2c4.com/wireguard/wgctrl
This commit introduces the usage of wgctrl.
It avoids the usage of exec calls of the wg command
and parsing the output of `wg show`.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* vendor wgctrl
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* apply suggestions from code review
Remove wireguard.Endpoint struct and use net.UDPAddr for the resolved
endpoint and addr string (dnsname:port) if a DN was supplied.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* pkg/*: use wireguard.Endpoint
This commit introduces the wireguard.Endpoint struct.
It encapsulates a domain name with port and a net.UDPAddr.
The fields are private and only accessible over exported methods
to avoid accidental modification.
Also iptables.GetProtocol is improved to avoid ipv4 rules being applied
by `ip6tables`.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* pkg/wireguard/conf_test.go: add tests for Endpoint
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* cmd/kg/main.go: validate port range
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* add suggestions from review
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* pkg/mesh/mesh.go: use Equal func
Implement an Equal func for Endpoint and use it instead of comparing
strings.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* cmd/kgctl/main.go: check port range
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* vendor
Signed-off-by: leonnicolas <leonloechner@gmx.de>
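An added example of the shape described across the wgctrl commits above (an endpoint type with unexported fields behind accessor methods, a value-based Equal, and port-range validation); this is illustrative code, not Kilo's own `wireguard.Endpoint`. Names like `ParseEndpoint`, `NewEndpoint` and `ValidatePort` are assumptions, and the addresses in `main` are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strconv"
)

// Endpoint is a WireGuard peer endpoint: a resolved UDP address, a DNS name
// with a port, or both once the name has been resolved. (Hypothetical type,
// not Kilo's.) Fields are unexported so callers cannot change the port in one
// representation and leave the other stale.
type Endpoint struct {
	dnsName string       // empty when the endpoint was given as an IP literal
	port    uint32
	udpAddr *net.UDPAddr // nil while a DNS name is still unresolved
}

// ValidatePort rejects anything a UDP socket cannot bind or connect to.
func ValidatePort(port int) error {
	if port < 1 || port > 65535 {
		return fmt.Errorf("port %d out of range [1, 65535]", port)
	}
	return nil
}

// NewEndpoint wraps an address already known as net.IP, e.g. one read back
// from the kernel, which may be in 4-byte form.
func NewEndpoint(ip net.IP, port int) (*Endpoint, error) {
	if ip == nil {
		return nil, errors.New("nil IP")
	}
	if err := ValidatePort(port); err != nil {
		return nil, err
	}
	return &Endpoint{port: uint32(port), udpAddr: &net.UDPAddr{IP: ip, Port: port}}, nil
}

// ParseEndpoint accepts "ip:port", "[ipv6]:port" or "dnsname:port".
func ParseEndpoint(s string) (*Endpoint, error) {
	host, portStr, err := net.SplitHostPort(s)
	if err != nil {
		return nil, err
	}
	port, err := strconv.Atoi(portStr)
	if err != nil {
		return nil, fmt.Errorf("invalid port %q: %w", portStr, err)
	}
	if err := ValidatePort(port); err != nil {
		return nil, err
	}
	if ip := net.ParseIP(host); ip != nil {
		return &Endpoint{port: uint32(port), udpAddr: &net.UDPAddr{IP: ip, Port: port}}, nil
	}
	if host == "" {
		return nil, fmt.Errorf("empty host in %q", s)
	}
	return &Endpoint{dnsName: host, port: uint32(port)}, nil
}

func (e *Endpoint) Port() uint32 { return e.port }
func (e *Endpoint) DNS() string  { return e.dnsName }

// UDPAddr returns a copy so callers cannot mutate the stored address.
func (e *Endpoint) UDPAddr() *net.UDPAddr {
	if e.udpAddr == nil {
		return nil
	}
	c := *e.udpAddr
	c.IP = append(net.IP(nil), e.udpAddr.IP...)
	return &c
}

// String renders the form wg(8) accepts: the DNS name if present, else the IP.
func (e *Endpoint) String() string {
	if e.dnsName != "" {
		return net.JoinHostPort(e.dnsName, strconv.Itoa(int(e.port)))
	}
	if e.udpAddr != nil {
		return e.udpAddr.String()
	}
	return ""
}

// Equal compares by value: nil-safe, and net.IP.Equal treats the 4-byte and
// 16-byte encodings of the same IPv4 address as equal. An unresolved name is
// never equal to a literal address.
func (e *Endpoint) Equal(o *Endpoint) bool {
	if e == nil || o == nil {
		return e == o
	}
	if e.port != o.port || e.dnsName != o.dnsName {
		return false
	}
	if e.udpAddr == nil || o.udpAddr == nil {
		return e.udpAddr == nil && o.udpAddr == nil
	}
	return e.udpAddr.Port == o.udpAddr.Port && e.udpAddr.IP.Equal(o.udpAddr.IP)
}

func main() {
	for _, s := range []string{"10.0.0.1:51820", "[2001:db8::1]:51820", "vpn.example.com:51820", "10.0.0.1:70000"} {
		e, err := ParseEndpoint(s)
		if err != nil {
			fmt.Println(s, "rejected:", err)
			continue
		}
		fmt.Printf("%s -> dns=%q udp=%v\n", s, e.DNS(), e.UDPAddr())
	}
}
```

The same port check serves both `kg` and `kgctl`; parsing and validating at the boundary means the rest of the code never sees an out-of-range port or a half-initialized endpoint.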
After running make, the licenses for the generated go files is updated,
resulting in a diff in the repository. This makes later invocations of
`make container` generate tags with `$ARCH-$SHA-dirty` rather than just
`$ARCH-$SHA`, which causes `make manifest` to fail, as some of the
images cannot be found.
A more permanent fix would be to ensure that running `make container`
does not cause the go code to be unnecessarily regenerated, but this will
at least fix CI until next year.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit enhances the iptables controller to disable reconciliation
of IPv6 rules whenever it detects that IPv6 is disabled in the kernel,
in order to fix #259.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit adds a manifest for deploying a WireGuard prometheus
exporter, Role and RoleBinding for kube-prometheus to monitor the Kilo
namespace and a new guide in the docs about how to monitor Kilo.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
If `iptables-allow-forward` is true, we should also forward packets
to and from private IPs and allowed location IPs of the location.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
Before this commit we added the forward ALLOW rule only for the node's
pod CIDR and not all pod CIDRs of a location. This commit adds the
forward ALLOW rule for packets from (source) and to (destination) all
pod CIDRs of the location if the node is a leader node.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* pkg/mesh/routes.go: add flag for generic ACCEPT in FORWARD chain
Some Linux distros or Docker will set the default policy in the FORWARD
chain in the filter table to DROP. With the new ip-tables-forward-rules
flag a generic ACCEPT for all packets going from and to the pod subnet
is added to the FORWARD chain.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* Update cmd/kg/main.go
Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
* Update cmd/kg/main.go
Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
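An added example, not Kilo's own iptables controller, of the two points the FORWARD-rule commits above make: the leader installs source and destination ACCEPT rules for every pod CIDR of its location rather than only its own, and each rule is tagged with the protocol derived from the address itself so an IPv4 rule is never handed to `ip6tables`. `Rule`, `ForwardRules`, this `GetProtocol` and the 10.4.x.0/24 and fd00:4::/64 CIDRs are all assumptions made for the example. Note that a blanket ACCEPT in FORWARD widens what the host will forward; scoping it to the location's pod CIDRs keeps it narrower than ACCEPT-all.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"net"
	"strings"
)

// Protocol selects the binary a rule must be applied with.
type Protocol int

const (
	ProtocolIPv4 Protocol = iota // iptables
	ProtocolIPv6                 // ip6tables
)

// GetProtocol derives the protocol from the address itself. Checking To4()
// first matters: net.ParseIP("10.0.0.1") yields a 16-byte slice, so a
// length check alone would wrongly hand an IPv4 rule to ip6tables.
func GetProtocol(ip net.IP) (Protocol, error) {
	if ip.To4() != nil {
		return ProtocolIPv4, nil
	}
	if ip.To16() != nil {
		return ProtocolIPv6, nil
	}
	return 0, fmt.Errorf("not an IP address: %v", ip)
}

// Rule is one filter-table rule and the protocol it belongs to.
type Rule struct {
	Proto Protocol
	Table string
	Chain string
	Spec  []string
}

// ForwardRules builds the ACCEPT rules for the FORWARD chain. A leader
// forwards for every pod CIDR in its location; any other node only for its
// own pod CIDR. Each CIDR gets a source rule and a destination rule.
func ForwardRules(own *net.IPNet, location []*net.IPNet, leader bool) ([]Rule, error) {
	cidrs := []*net.IPNet{own}
	if leader {
		cidrs = location
	}
	var rules []Rule
	for _, c := range cidrs {
		if c == nil {
			return nil, errors.New("nil CIDR")
		}
		proto, err := GetProtocol(c.IP)
		if err != nil {
			return nil, err
		}
		rules = append(rules,
			Rule{Proto: proto, Table: "filter", Chain: "FORWARD", Spec: []string{"-s", c.String(), "-j", "ACCEPT"}},
			Rule{Proto: proto, Table: "filter", Chain: "FORWARD", Spec: []string{"-d", c.String(), "-j", "ACCEPT"}},
		)
	}
	return rules, nil
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// SampleLocation is a constructed dual-stack location of three pod CIDRs;
// the first one is this node's own.
func SampleLocation() (own *net.IPNet, location []*net.IPNet) {
	own = mustCIDR("10.4.0.0/24")
	location = []*net.IPNet{own, mustCIDR("10.4.1.0/24"), mustCIDR("fd00:4::/64")}
	return own, location
}

func main() {
	own, loc := SampleLocation()
	rules, err := ForwardRules(own, loc, true)
	if err != nil {
		log.Fatal(err)
	}
	for _, r := range rules {
		bin := "iptables"
		if r.Proto == ProtocolIPv6 {
			bin = "ip6tables"
		}
		fmt.Println(bin, "-t", r.Table, "-A", r.Chain, strings.Join(r.Spec, " "))
	}
}
```

Run as a leader this prints four `iptables` and two `ip6tables` commands; as a non-leader only the two rules for the node's own CIDR are produced.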
This commit adds a stage to the GitHub Actions CI workflow to verify
that vendor and go.mod/sum are always up-to-date. If the vendored files
require any changes then CI will fail. This ensures that the repo
remains the source of truth.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
* docs: kgctl binary install on Archlinux
I've created a package in Arch User Repository for easily installing `kgctl` on Archlinux via an AUR helper like `yay` or `paru`. This internally fetches the binaries from [the GitHub releases page](https://github.com/squat/kilo/releases)
Related Links:
- https://aur.archlinux.org/packages/kgctl-bin
- https://github.com/codingCoffee/PKGBUILDs
Signed-off-by: Ameya Shenoy <shenoy.ameya@gmail.com>
* docs(kgctl): syntactical sugar
Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
* docs(kgctl): syntactical sugar
Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
* docs(kgctl): syntactical sugar
Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
`cobra` automatically prints an error if `runE` returns an error.
Since we explicitly print the error, we need to silence cobra.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
Use a maintained fork of certgen.
The former project is not maintained anymore and will not work for
Kubernetes v1.22 because the admission v1beta1 API was dropped.
Also fix the name of the listen-metrics flag.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
This commit adds a sub command `webhook` to Kilo.
It will start an https web server that answers requests from a Kubernetes
API server to validate updates and creations of Kilo peers.
It also updates the "Peer Validation" docs to enable users to
install the webhook server and generate the self-signed certificates in
the cluster by only applying a manifest.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
Apply suggestions from code review
Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
This commit uses cobra instead of pflags in kg to handle flags in preparation to add a new subcommand
for the webhook server.
Signed-off-by: leonnicolas <leonloechner@gmx.de>