Commit Graph

381 Commits

Author SHA1 Message Date
Lucas Servén Marín
fb03520fb5
Merge pull request #286 from squat/fix_pka_peers
backend: fix Peer persistent keepalive
2022-03-31 21:35:10 +02:00
Lucas Servén Marín
ed1e9ea400
Merge pull request #285 from squat/fix_routes_for_nat_nodes
pkg/mesh: fix routes for NATed nodes
2022-03-31 21:34:54 +02:00
Lucas Servén Marín
38a5dd22e9
backend: fix Peer persistent keepalive
Right now, the persistent keepalive field of the Peer CRD is always
interpretted as nanoseconds and not seconds. This causes a mismatch
between Kilo's expected behavior and the actual interval that is given
to Peers. Because the interval is interpretted as nanoseconds the value
rounds down to 0 seconds.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2022-03-31 21:24:03 +02:00
Lucas Servén Marín
e598102f04
pkg/mesh: fix routes for NATed nodes
Currently, when a node is behind NAT, it is possible that routes to the
node's private IP address, i.e. routes necessary to communicate with the
Kubelet and any Pods on the host network, will not be created because
the private IP is seen as the same as the location's endpoint and is
thus skipped because trying to encapsulate traffic to the endpoint would
break communiation with the endpoint itself.

This logic is not correct for nodes that are behind NAT, because the
endpoin that the node reports may not be the same as the discovered
endpoint for the location. Instead, we should compare the private IP
address to the discovered endpoint.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2022-03-30 13:58:29 +02:00
dependabot[bot]
5de689ea1f
build(deps): bump prismjs from 1.25.0 to 1.27.0 in /website (#276) 2022-03-26 08:49:07 +00:00
dependabot[bot]
887ea026bb
build(deps): bump url-parse from 1.5.3 to 1.5.10 in /website (#277) 2022-03-26 08:48:31 +00:00
dependabot[bot]
75fb31a947
build(deps): bump minimist from 1.2.5 to 1.2.6 in /website (#283) 2022-03-26 08:47:47 +00:00
Lucas Servén Marín
a1af9790ea
Merge pull request #278 from SerialVelocity/fix-peer-node-equality-checking
Fix peer and node equality checking
2022-03-01 21:09:46 +01:00
Lucas Servén Marín
96029a584f
Merge pull request #279 from SerialVelocity/fix-private-key-generation
Fix private key generation code
2022-03-01 21:04:56 +01:00
Ben Grabham
3bf7eacc7e Fix private key generation code 2022-03-01 18:21:08 +00:00
Ben Grabham
6d6c62ae49 Fix peer and node equality checking 2022-03-01 18:09:25 +00:00
dependabot[bot]
02d49ded39
build(deps): bump follow-redirects from 1.14.7 to 1.14.8 in /website (#274)
Bumps [follow-redirects](https://github.com/follow-redirects/follow-redirects) from 1.14.7 to 1.14.8.
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](https://github.com/follow-redirects/follow-redirects/compare/v1.14.7...v1.14.8)

---
updated-dependencies:
- dependency-name: follow-redirects
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2022-02-13 19:34:08 +01:00
dependabot[bot]
3e7fe47131
build(deps): bump shelljs from 0.8.4 to 0.8.5 in /website (#265) 2022-01-30 22:59:40 +00:00
dependabot[bot]
038a6d7450
build(deps): bump nanoid from 3.1.23 to 3.2.0 in /website (#266) 2022-01-30 22:49:17 +00:00
dependabot[bot]
c4e3108549
build(deps): bump algoliasearch-helper from 3.4.4 to 3.7.0 in /website (#270) 2022-01-30 22:38:15 +00:00
leonnicolas
6a696e03e7
migrate to golang.zx2c4.com/wireguard/wgctrl (#239)
* migrate to golang.zx2c4.com/wireguard/wgctrl

This commit introduces the usage of wgctrl.
It avoids the usage of exec calls of the wg command
and parsing the output of `wg show`.

Signed-off-by: leonnicolas <leonloechner@gmx.de>

* vendor wgctrl

Signed-off-by: leonnicolas <leonloechner@gmx.de>

* apply suggestions from code review

Remove wireguard.Enpoint struct and use net.UDPAddr for the resolved
endpoint and addr string (dnsanme:port) if a DN was supplied.

Signed-off-by: leonnicolas <leonloechner@gmx.de>

* pkg/*: use wireguard.Enpoint

This commit introduces the wireguard.Enpoint struct.
It encapsulates a DN name with port and a net.UPDAddr.
The fields are private and only accessible over exported Methods
to avoid accidental modification.

Also iptables.GetProtocol is improved to avoid ipv4 rules being applied
by `ip6tables`.

Signed-off-by: leonnicolas <leonloechner@gmx.de>

* pkg/wireguard/conf_test.go: add tests for Endpoint

Signed-off-by: leonnicolas <leonloechner@gmx.de>

* cmd/kg/main.go: validate port range

Signed-off-by: leonnicolas <leonloechner@gmx.de>

* add suggestions from review

Signed-off-by: leonnicolas <leonloechner@gmx.de>

* pkg/mesh/mesh.go: use Equal func

Implement an Equal func for Enpoint and use it instead of comparing
strings.

Signed-off-by: leonnicolas <leonloechner@gmx.de>

* cmd/kgctl/main.go: check port range

Signed-off-by: leonnicolas <leonloechner@gmx.de>

* vendor

Signed-off-by: leonnicolas <leonloechner@gmx.de>
2022-01-30 17:38:45 +01:00
Lucas Servén Marín
797133f272
Merge pull request #264 from squat/dependabot/npm_and_yarn/website/follow-redirects-1.14.7
build(deps): bump follow-redirects from 1.14.4 to 1.14.7 in /website
2022-01-14 09:16:33 +01:00
dependabot[bot]
84da98c2b1
build(deps): bump follow-redirects from 1.14.4 to 1.14.7 in /website
Bumps [follow-redirects](https://github.com/follow-redirects/follow-redirects) from 1.14.4 to 1.14.7.
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](https://github.com/follow-redirects/follow-redirects/compare/v1.14.4...v1.14.7)

---
updated-dependencies:
- dependency-name: follow-redirects
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-01-14 05:50:17 +00:00
Lucas Servén Marín
76047fe0af
Merge pull request #261 from squat/update-licenses
pkg/k8s: update generated licenses
2022-01-05 19:08:43 +01:00
Lucas Servén Marín
ee650342d5
pkg/k8s: update generated licenses
After running make, the licenses for the generated go files is updated,
resulting in a diff in the repository. This makes later invocations of
`make container` generate tags with `$ARCH-$SHA-dirty` rather than just
`$ARM-$SHA`, which causes `make manifest` to fail, as some of the
images cannot be found.

A more permanent fix would be to ensure that running `make container`
does not cause the go code to unnecessarily regenerated, but this will
at least fix CI until next year.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2022-01-04 14:01:29 +01:00
Lucas Servén Marín
1f8c736ba4
Merge pull request #260 from squat/allow_disabling_ipv6
iptables: allow disabling IPv6
2022-01-04 13:17:13 +01:00
Lucas Servén Marín
57a89b49ff
iptables: allow disabling IPv6
This commit enhances the iptables controller to disable reconciliation
of IPv6 rules whenever it detects that IPv6 is disabled in the kernel,
in order to fix #259.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2022-01-04 11:56:29 +01:00
Lucas Servén Marín
6a5643287e
Merge pull request #258 from dajudge/patch-1
Fix cmdline in docs to apply kube-router manifests
2021-12-20 10:11:59 +01:00
Alex Stockinger
e1a6ee9e2c
Fix cmdline in docs to apply kube-router manifests 2021-12-20 08:44:50 +01:00
leonnicolas
ee480dece4
cmd/kg/main.go: replace deprecated prom collectors (#255)
Signed-off-by: leonnicolas <leonloechner@gmx.de>
2021-11-15 23:08:06 +01:00
Lucas Servén Marín
05e8ded744
Merge pull request #248 from squat/fix_forward_allow_rules
pkg/mesh/routes.go: add iptbales forward allow rules for segment.
2021-11-01 19:53:52 +01:00
leonnicolas
ac65330c71
Apply suggestions from code review
Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
2021-11-01 19:02:49 +01:00
Lucas Servén Marín
8a2c82267c
Merge pull request #251 from squat/wg-exporter
Add WireGuard monitor and docs
2021-11-01 18:45:56 +01:00
leonnicolas
fb70091169
Makefile: remove extra line in Makefile
Signed-off-by: leonnicolas <leonloechner@gmx.de>
2021-10-20 22:29:10 +02:00
leonnicolas
f03a0bb247
docs/grafana/kilo.json: add example manifest
Signed-off-by: leonnicolas <leonloechner@gmx.de>
2021-10-20 22:27:04 +02:00
leonnicolas
bb3554a3c6
Apply suggestions from code review
Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
2021-10-20 22:25:05 +02:00
leonnicolas
edb8f63848
Add WireGuard monitor and docs
This commit adds a manifest for deploying a WireGuard prometheus
exporter, Role and RoleBinding for kube-prometheus to monitor the Kilo
namespace and a new guide in the docs about how to monitor Kilo.

Signed-off-by: leonnicolas <leonloechner@gmx.de>
2021-10-19 22:46:44 +02:00
Lucas Servén Marín
bcb722b0b9
Merge pull request #250 from squat/dockerignore
.dockerignore: add dockerignore
2021-10-17 23:58:16 +02:00
leonnicolas
70b7eb52fa
.dockerignore: add dockerignore
Now about 500MB are send to docker daemon, not 1.6GB like before.

Signed-off-by: leonnicolas <leonloechner@gmx.de>
2021-10-17 23:27:22 +02:00
leonnicolas
c59ac10e15
pkg/mesh/routes.go: forward private IPs and allowed location IPs
If the `iptables-allow-forwad` is true, we should also forward packages
to and from private IPs and allowed location IPs of the location.

Signed-off-by: leonnicolas <leonloechner@gmx.de>
2021-10-17 19:58:17 +02:00
dependabot[bot]
584a8bf13d
build(deps): bump axios from 0.21.1 to 0.21.4 in /website (#243) 2021-10-16 11:35:16 +00:00
dependabot[bot]
b88ca7f8cd
build(deps): bump prismjs from 1.24.1 to 1.25.0 in /website (#240) 2021-10-16 11:34:34 +00:00
dependabot[bot]
8f7894e598
build(deps): bump url-parse from 1.5.1 to 1.5.3 in /website (#235) 2021-10-16 11:33:58 +00:00
leonnicolas
3de4bf527b
pkg/mesh/routes.go: add iptbales forward allow rules for segment.
Before this commit we added the forward ALLOW rule only for the node's
pod CIDR  and not all pod CIDRs of a location. This commit adds the
forward ALLOW rule for packages from (source) and to (destination) all
pod CIDRs of the location if the node is a leader node.

Signed-off-by: leonnicolas <leonloechner@gmx.de>
2021-10-11 23:41:41 +02:00
Lucas Servén Marín
f90288133d
Merge pull request #245 from squat/bump_go
bump golang 1.15 -> 1.17
2021-10-03 09:11:52 +02:00
leonnicolas
70d2751030
bumg golang 1.15 -> 1.17
Signed-off-by: leonnicolas <leonloechner@gmx.de>
2021-09-30 17:47:47 +02:00
leonnicolas
9b14c227a9
pkg/mesh/routes.go: add flag for generic ACCEPT in FORWARD chain (#244)
* pkg/mesh/routes.go: add flag for generic ACCEPT in FORWARD chain

Some linux distros or docker will set the default policy in the FORWARD
chain in the filter table to DROP. With the new ip-tables-forward-rules
flag a generic ACCEPT for all packages going from and to the pod subnet
is added to the FORWARD chain.

Signed-off-by: leonnicolas <leonloechner@gmx.de>

* Update cmd/kg/main.go

Co-authored-by: Lucas Servén Marín <lserven@gmail.com>

* Update cmd/kg/main.go

Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
2021-09-30 14:39:06 +02:00
Lucas Servén Marín
e2745b453f revendor
Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-09-30 12:10:57 +02:00
Lucas Servén Marín
a6eef5a8cf .github/workflows: ensure vendor is clean
This commit adds a stage to the GitHub Actions CI workflow to verify
that vendor and go.mod/sum are always up-to-date. If the vendored files
require any changes then CI will fail. This ensures that the repo
remains the source of truth.

Signed-off-by: Lucas Servén Marín <lserven@gmail.com>
2021-09-30 12:10:57 +02:00
Sean Baildon
3174467751
pkg/mesh: optionally assign external IP to node's private IP (#232) 2021-09-24 10:02:51 +02:00
Ameya Shenoy
df8d1aba5c
docs: kgctl binary install on Archlinux (#238)
* docs: kgctl binary install on Archlinux

I've created a package in Arch User Repository for easily installing `kgctl` on Archlinux via an AUR helper like `yay` or `paru`. This internally fetches the binaries from [the GitHub releases page](https://github.com/squat/kilo/releases)

Related Links:
- https://aur.archlinux.org/packages/kgctl-bin
- https://github.com/codingCoffee/PKGBUILDs

Signed-off-by: Ameya Shenoy <shenoy.ameya@gmail.com>

* docs(kgctl): syntactical sugar

Co-authored-by: Lucas Servén Marín <lserven@gmail.com>

* docs(kgctl): syntactical sugar

Co-authored-by: Lucas Servén Marín <lserven@gmail.com>

* docs(kgctl): syntactical sugar

Co-authored-by: Lucas Servén Marín <lserven@gmail.com>

Co-authored-by: Lucas Servén Marín <lserven@gmail.com>
2021-09-10 18:10:42 +02:00
leonnicolas
c099a70c20
Merge pull request #237 from squat/kgctl-fix-error-msg
cmd/kgctl/main.go: suppress second error message
2021-09-07 13:40:41 +03:00
Lucas Servén Marín
79e96bbe37
Merge pull request #236 from squat/update-cert-gen-image
manifests/peer-validation.yaml: fix image and flag
2021-09-07 11:14:53 +02:00
leonnicolas
b9823943e3
cmd/kgctl/main.go: suppress second error message
`cobra` automatically prints and error if `runE` returns an error.
Since we explicitly print the error, we need to silence cobra.

Signed-off-by: leonnicolas <leonloechner@gmx.de>
2021-09-07 11:07:03 +02:00
leonnicolas
c8ed21cac4
manifests/peer-validation.yaml: fix image and flag
Use a maintained fork of certgen.
The former project is not maintained anymore and will not work for
Kubernteses v1.22 because the admission v1beta1 API was dropped.

Also fix the name of the liste-metrics flag.

Signed-off-by: leonnicolas <leonloechner@gmx.de>
2021-09-07 10:52:40 +02:00