Commit Graph

101 Commits

Author SHA1 Message Date
Lucas Servén Marín
e681c10cb4
kilo.svg: create icon
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-09 22:15:08 +01:00
Lucas Servén Marín
494440d502
Merge pull request #44 from squat/vpn-server-docs
docs/vpn: document vpn as internet gateway
2020-03-09 18:57:54 +01:00
Lucas Servén Marín
f5064f10b8
docs/vpn: document vpn as internet gateway
This commit introduces a new document explaining how peers can use the
Kilo cluster VPN as a gateway to the internet.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-09 18:47:21 +01:00
Lucas Servén Marín
7051b9fe29
pkg/mesh: enable outgoing NAT to WAN
This commit enables NAT-ing packets outgoing to the WAN from both the
Pod subnet as well as from peers. This means that Pods can access the
Internet and that peers can use the Kilo mesh as a gateway to the
Internet.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-09 18:45:01 +01:00
Lucas Servén Marín
8908cf19cb
pkg/iptables: re-organize rules
This commit better organizes the location of iptables rules. This is
made possible by exposing two new funcs, `NewRule` and `NewChain`.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-06 16:57:09 +01:00
Lucas Servén Marín
f6549185cf
Merge pull request #45 from squat/kgctl-doc
docs/kgctl.md: add kgctl doc
2020-03-06 16:37:47 +01:00
Lucas Servén Marín
b34e064c8e
docs/kgctl.md: add kgctl doc
This commit introduces a new doc for the kgctl commandline tool.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-06 16:25:42 +01:00
Lucas Servén Marín
b54b31b699
pkg/mesh: enable generating config without peer
This commit re-enables old functionality, which permitted the generation
of the configuration for a cluster without any peers.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-06 16:06:41 +01:00
Lucas Servén Marín
810dae695e
pkg/wireguard: edge case when endpoints are nil
Peers may have nil endpoints, a case which must be gracefully handled.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-06 15:21:30 +01:00
Lucas Servén Marín
6947eb4154
Merge pull request #43 from squat/fix_keepalive_logic
pkg/mesh,pkg/wireguard: update NAT endpoints
2020-03-04 02:15:11 +01:00
Lucas Servén Marín
29280a987e
pkg/mesh,pkg/wireguard: sync NAT endpoints
This commit changes how Kilo allows nodes and peers behind NAT to roam.
Rather that ignore changes to endpoints when comparing WireGuard
configurations, Kilo now incorporates changes to endpoints for peers
behind NAT into its configuration first and later compares the
configurations.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-04 01:37:08 +01:00
Lucas Servén Marín
24d7c27901
pkg/mesh,docs: document and fix keepalive logic
This commit documents the use of the persistent-keepalive annotation and
corrects the implementation of keepalives.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-03-04 01:36:56 +01:00
Lucas Servén Marín
406a397566
Merge pull request #41 from squat/ignore-nat-peer-changes
pkg/wireguard: ignore changes to peers behind NAT
2020-03-03 17:10:55 +01:00
Lucas Servén Marín
515a57a301
pkg/mesh: don't synchronize peer endpoints
Kilo had a routine that synchronized the endpoints of peers back into
the API to ensure that endpoints updated by WireGuard for a roaming peer
would always positively compare with the endpoints in the API. This is
no longer needed as Kilo will now simply ignore changes to endpoints for
peers with a non-zero persistent keepalive.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-28 15:07:23 +01:00
Lucas Servén Marín
0d199db009
pkg/wireguard: ignore changes to peers behind NAT
This commit enables Kilo to ignore changes to the endpoints of peers
that sit behind a NAT gateway. We use the heuristic of a non-zero
persistent keepalive to decide whether the endpoint field should be
ignored. This will allow NATed peers to roam and for every node in the
cluster to have a different value for a peer's endpoint, as is natural
when a peer's connections are NATed.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-28 14:56:02 +01:00
Lucas Servén Marín
12220b790d
pkg/encapsulation: remove unused 'none' encapsulation 2020-02-22 22:42:02 +01:00
Lucas Servén Marín
e08920c4fb
pkg/mesh: allow fully disabling CNI
This commit fixes the issue encountered in #36, where the CNI config is
touched even though CNI management is disabled.

Fixes: #36

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-22 22:37:01 +01:00
Lucas Servén Marín
409d738124
pkg/mesh: fix segfault in #36
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-22 22:16:45 +01:00
Lucas Servén Marín
ba00b6c180
Merge pull request #35 from squat/dns-endpoint
pkg/mesh,pkg/wireguard: allow DNS name endpoints
2020-02-22 17:50:45 +01:00
Lucas Servén Marín
aa376ff0d1
pkg/mesh,pkg/wireguard: allow DNS name endpoints
This commit allows DNS names to be used when specifying the endpoint
for a node in the WireGuard mesh. This is useful in many scenarios, in
particular when operating an IoT device whose public IP is dynamic. This
change allows the administrator to use a dynamic DNS name in the node's
endpoint.

One of the side-effects of this change is that the WireGuard port can
now be specified individually for each node in the mesh, if the
administrator wishes to do so.

*Note*: this commit introduces a breaking change; the
`force-external-ip` node annotation has been removed; its functionality
has been ported over to the `force-endpoint` annotation. This annotation
is documented in the annotations.md file. The expected content of this
annotation is no longer a CIDR but rather a host:port. The host can be
either a DNS name or an IP.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-22 17:17:13 +01:00
Lucas Servén Marín
223b641ee1
manifests: set MTU for CNI bridge
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-22 16:57:01 +01:00
Lucas Servén Marín
134cbe90be
pkg/route,pkg/mesh: replace NAT with ip rules
This commit entirely replaces NAT in Kilo with a few iproute2 rules.
Previously, Kilo would source-NAT the majority of packets in order to
avoid problems with strict source checks in cloud providers causing
packets to be considered martians. This source-NAT-ing made it
difficult to correctly apply Kuberenetes NetworkPolicies based on source
IPs.

This rewrite instead relies on a handful of iproute2 rules to ensure
that packets get encapsulated in certain scenarios based on the source
network and/or source interface.

This has the benefit of avoiding extra iptables bloat as well as
enabling better compatibility with NetworkPolicies.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-20 21:27:50 +01:00
Lucas Servén Marín
4857d10da1
pkg/iptables: clean up, remove NAT
This commit cleans up the iptables package to allow other packages to
create rules.

This commit also removes all NAT from Kilo.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-20 21:23:23 +01:00
Lucas Servén Marín
2603cd50db
pkg/mesh: fix ip allocator helper
This commit fixes the ip allocator `newAllocator` to produce IP
addresses with the original network mask. This is makes more sense. The
original functionality can be reproduced by wrapping the produced IP
address with the `oneAddressCIDR` helper.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-20 13:54:11 +01:00
Francis Nguyen
6de0f9805a
Define WireGuard PersistentKeepAlive via Annotation (#31)
* Add WireGuardPersistentKeepAlive to mesh.Node

* Connect to configuration

* Shorten keepalive key

* Fix casing on keepalive

* Add annotated keepalive value to peer functions
2020-02-13 10:16:55 +01:00
Lucas Servén Marín
a6afc3247d
manifests: ensure kube-bridge uses latest CIDR
This commit ensures that the kube-bridge uses the latest CIDR assigned
by the Kubernetes API, rather than defaulting to a previously assigned
CIDR.

xref:
* https://github.com/containernetworking/plugins/tree/master/plugins/main/bridge#network-configuration-reference
* https://github.com/cloudnativelabs/kube-router/issues/689

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-02-10 16:04:44 +01:00
Lucas Servén Marín
63987713dd
pkg/k8s: update generated files 2020-01-09 00:15:36 +01:00
Lucas Servén Marín
aecc5ec73b
.travis: update multiarch emulation 2020-01-09 00:15:19 +01:00
Lucas Servén Marín
eb0500f994
Makefile: ensure repo is clean before testing 2020-01-08 18:05:27 +01:00
Lucas Servén Marín
4b2f6c6692
Makefile: use official alpine images for build
This commit modifies the build tooling so that we use the official
alipne build images rather than the images from the multiarch org. This
requires new logic to parse docker manifests but results in a cleaner
solution with fewer architecture definitions.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2020-01-08 17:38:47 +01:00
Lucas Servén Marín
5277ab5bad
docs,pkg: use new well-known region label
This commit updates the well-known label to determine the region of the
node to topology.kubernetes.io/region, which is the new standard as
defined by the Kubernetes documentation, now that
failure-domain.beta.kubernetes.io/region has been deprecated.
2020-01-07 18:41:55 +01:00
Lucas Servén Marín
0cbb316ec3
Makefile: bump alpine version 2020-01-07 15:08:05 +01:00
Lucas Servén Marín
4acdca89e5
Makefile: allow headers to have old years 2020-01-07 15:07:34 +01:00
Lucas Servén Marín
c9c2e9bc42
*: bump golang to 1.13.4
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2019-11-15 15:02:38 +01:00
Lucas Servén Marín
f135a16427
Makefile: bump to alpine 3.10
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2019-11-15 15:00:36 +01:00
Lucas Servén Marín
4b220b42c5
Dockerfile
The certificates for the alpine APK repositories expired today [0],
breaking builds. This switches the configured repos to ones that work.
It also changes the `main` repo to use HTTPS.

[0] uk.alpinelinux.org expired Nov 15 2019 at 02:00:31 UTC

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2019-11-15 14:59:41 +01:00
Lucas Servén Marín
4febbdbfe5
pkg/iptables: fix out of bounds err
This fixes two bugs in the iptables package that can cause out of bounds
errors.

Fixes: #22

Thanks to @SerialVelocity for reporting.
2019-09-27 11:10:55 +02:00
Lucas Servén Marín
3facc9f34f
cmd/kg: only delete iface if requested
This commit modifies the default behavior of Kilo so that the WireGuard
interface is only deleted on shutdown if explicitly requested.

Fixes: https://github.com/squat/kilo/issues/17#issuecomment-534658157
2019-09-25 13:45:31 +02:00
Lucas Servén Marín
e83db17d88
pkg/iptables: add rules in correct order
This commit takes a big step towards ensuring that iptables rules are
always kept in the correct order. Specifically, when re-setting a a
ruleset, any time a rule is missing, that rule and all following rules
are re-added to ensure that from that index onwards all rules are in the
right order. Similarly, when reconciling an existing ruleset against the
backend, if a rule is missing, that rule an all following rules are
re-added.

This change does not guarantee that the order of rules in the backend
is correct. Unless an actor is modifying the order of rules in iptables,
all rules created by Kilo should now be kept in the correct order.

Fixes: #19
2019-09-25 13:23:31 +02:00
Lucas Servén Marín
1265ce0cd5
pkg/route: filter invalid route updates
This commit fixes the underlying issue that caused crashes when
receiving a nil route update, as reported in
https://github.com/squat/kilo/issues/17.
2019-09-24 16:13:14 +02:00
Lucas Servén Marín
20349de548
pkg/wireguard: allow specifying iface named
This commit makes it possible to specify the Kilo interface name. If the
specified interface exists, it will be used; if it does not exist, Kilo
will create it. If the interface already existed, then it will not be
deleted on shutdown; otherwise Kilo will destroy the interface.

Fixes: https://github.com/squat/kilo/issues/8
Addresses: 1/2 of https://github.com/squat/kilo/issues/17
2019-09-24 16:05:10 +02:00
Lucas Servén Marín
9fda84ec05
docs,README: fix kubeconfig env var 2019-09-24 01:00:43 +02:00
Lucas Servén Marín
3df87f0e71
cmd/kgctl: allow specifying port 2019-09-24 01:00:16 +02:00
Lucas Servén Marín
676007938e
pkg/mesh: add peers to graph 2019-09-23 17:54:16 +02:00
Lucas Servén Marín
887806c7ce
Makefile: fix latest manifest 2019-09-20 00:56:25 +02:00
Lucas Servén Marín
f04944df4a
Makefile: fix arm image 2019-09-19 21:48:47 +02:00
Lucas Servén Marín
7c90a40c5a
Makefile: fix arm64 image 2019-09-08 12:02:34 +02:00
Lucas Servén Marín
c93fa1e5b1
Dockerfile: fix cni plugins for arm
This commit ensures that the architecture of the installed CNI plugins
corresponds to the architecture of the container.
2019-08-16 17:45:36 +02:00
sam
5fc13de6cb manifests: change the kubeconfig hostPath for k3s
Enhancement: change the kubeconfig hostPath for k3s agent nodes. This makes it easier to install Kilo on k3s as no manual kubeconfig copying is necessary. (#14)
2019-08-14 08:55:15 +02:00
Lucas Servén Marín
d385686fa9
manifests: add selector to daemonsets
Fixes #9
2019-08-01 16:51:03 +02:00