Right now, the persistent keepalive field of the Peer CRD is always
interpretted as nanoseconds and not seconds. This causes a mismatch
between Kilo's expected behavior and the actual interval that is given
to Peers. Because the interval is interpretted as nanoseconds the value
rounds down to 0 seconds.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
Currently, when a node is behind NAT, it is possible that routes to the
node's private IP address, i.e. routes necessary to communicate with the
Kubelet and any Pods on the host network, will not be created because
the private IP is seen as the same as the location's endpoint and is
thus skipped because trying to encapsulate traffic to the endpoint would
break communiation with the endpoint itself.
This logic is not correct for nodes that are behind NAT, because the
endpoin that the node reports may not be the same as the discovered
endpoint for the location. Instead, we should compare the private IP
address to the discovered endpoint.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
* migrate to golang.zx2c4.com/wireguard/wgctrl
This commit introduces the usage of wgctrl.
It avoids the usage of exec calls of the wg command
and parsing the output of `wg show`.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* vendor wgctrl
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* apply suggestions from code review
Remove wireguard.Enpoint struct and use net.UDPAddr for the resolved
endpoint and addr string (dnsanme:port) if a DN was supplied.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* pkg/*: use wireguard.Enpoint
This commit introduces the wireguard.Enpoint struct.
It encapsulates a DN name with port and a net.UPDAddr.
The fields are private and only accessible over exported Methods
to avoid accidental modification.
Also iptables.GetProtocol is improved to avoid ipv4 rules being applied
by `ip6tables`.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* pkg/wireguard/conf_test.go: add tests for Endpoint
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* cmd/kg/main.go: validate port range
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* add suggestions from review
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* pkg/mesh/mesh.go: use Equal func
Implement an Equal func for Enpoint and use it instead of comparing
strings.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* cmd/kgctl/main.go: check port range
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* vendor
Signed-off-by: leonnicolas <leonloechner@gmx.de>
After running make, the licenses for the generated go files is updated,
resulting in a diff in the repository. This makes later invocations of
`make container` generate tags with `$ARCH-$SHA-dirty` rather than just
`$ARM-$SHA`, which causes `make manifest` to fail, as some of the
images cannot be found.
A more permanent fix would be to ensure that running `make container`
does not cause the go code to unnecessarily regenerated, but this will
at least fix CI until next year.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit enhances the iptables controller to disable reconciliation
of IPv6 rules whenever it detects that IPv6 is disabled in the kernel,
in order to fix#259.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
This commit adds a manifest for deploying a WireGuard prometheus
exporter, Role and RoleBinding for kube-prometheus to monitor the Kilo
namespace and a new guide in the docs about how to monitor Kilo.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
If the `iptables-allow-forwad` is true, we should also forward packages
to and from private IPs and allowed location IPs of the location.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
Before this commit we added the forward ALLOW rule only for the node's
pod CIDR and not all pod CIDRs of a location. This commit adds the
forward ALLOW rule for packages from (source) and to (destination) all
pod CIDRs of the location if the node is a leader node.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* pkg/mesh/routes.go: add flag for generic ACCEPT in FORWARD chain
Some linux distros or docker will set the default policy in the FORWARD
chain in the filter table to DROP. With the new ip-tables-forward-rules
flag a generic ACCEPT for all packages going from and to the pod subnet
is added to the FORWARD chain.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
* Update cmd/kg/main.go
Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
* Update cmd/kg/main.go
Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
This commit adds a stage to the GitHub Actions CI workflow to verify
that vendor and go.mod/sum are always up-to-date. If the vendored files
require any changes then CI will fail. This ensures that the repo
remains the source of truth.
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
`cobra` automatically prints and error if `runE` returns an error.
Since we explicitly print the error, we need to silence cobra.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
Use a maintained fork of certgen.
The former project is not maintained anymore and will not work for
Kubernteses v1.22 because the admission v1beta1 API was dropped.
Also fix the name of the liste-metrics flag.
Signed-off-by: leonnicolas <leonloechner@gmx.de>
Lucas Servén Marín
dependabot[bot]
Ben Grabham
leonnicolas
Alex Stockinger
leonnicolas
Sean Baildon
Ameya Shenoy