manifests/: fix boringtun containers

A change in boringtun's cli caused the boringtun containers to crash. Signed-off-by: leonnicolas <leonloechner@gmx.de>
2022-07-11 23:30:10 +02:00
13 changed files with 39 additions and 333 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -96,6 +96,7 @@ jobs:
      run: make unit

  e2e:
+    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v2
--- a/cmd/kg/main.go
+++ b/cmd/kg/main.go
@ -245,11 +245,13 @@ func runRoot(_ *cobra.Command, _ []string) error {
 	if port < 1 || port > 1<<16-1 {
 		return fmt.Errorf("invalid port: port mus be in range [%d:%d], but got %d", 1, 1<<16-1, port)
 	}
-	m, err := mesh.New(b, enc, gr, hostname, port, s, local, cni, cniPath, iface, cleanUpIface, createIface, mtu, resyncPeriod, prioritisePrivateAddr, iptablesForwardRule, log.With(logger, "component", "kilo"), registry)
+	m, err := mesh.New(b, enc, gr, hostname, port, s, local, cni, cniPath, iface, cleanUpIface, createIface, mtu, resyncPeriod, prioritisePrivateAddr, iptablesForwardRule, log.With(logger, "component", "kilo"))
 	if err != nil {
 		return fmt.Errorf("failed to create Kilo mesh: %v", err)
 	}

+	m.RegisterMetrics(registry)
+
 	var g run.Group
 	{
 		h := internalserver.NewHandler(
--- a/e2e/kilo-kind-userspace.yaml
+++ b/e2e/kilo-kind-userspace.yaml
@ -136,9 +136,9 @@ spec:
          mountPath: /etc/kubernetes
          readOnly: true
      - name: boringtun
-        image: leonnicolas/boringtun:cc19859
+        image: leonnicolas/boringtun
        args:
-        - --disable-drop-privileges=true
+        - --disable-drop-privileges
        - --foreground
        - kilo0
        securityContext:
--- a/e2e/lib.sh
+++ b/e2e/lib.sh
@ -65,7 +65,7 @@ build_kind_config() {
 }

 create_interface() {
-	docker run -d --name="$1" --rm --network=host --cap-add=NET_ADMIN --device=/dev/net/tun -v /var/run/wireguard:/var/run/wireguard -e WG_LOG_LEVEL=debug leonnicolas/boringtun:cc19859 --foreground --disable-drop-privileges true "$1"
+	docker run -d --name="$1" --rm --network=host --cap-add=NET_ADMIN --device=/dev/net/tun -v /var/run/wireguard:/var/run/wireguard -e WG_LOG_LEVEL=debug leonnicolas/boringtun --foreground --disable-drop-privileges "$1"
 }

 delete_interface() {
--- a/manifests/kilo-k3s-cilium.yaml
+++ b/manifests/kilo-k3s-cilium.yaml
@ -1,176 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: kilo
-  namespace: kube-system
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: kilo
-rules:
- apiGroups:
-  - ""
-  resources:
-  - nodes
-  verbs:
-  - list
-  - patch
-  - watch
- apiGroups:
-  - kilo.squat.ai
-  resources:
-  - peers
-  verbs:
-  - list
-  - watch
- apiGroups:
-  - apiextensions.k8s.io
-  resources:
-  - customresourcedefinitions
-  verbs:
-  - get
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: kilo
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: kilo
-subjects:
-  - kind: ServiceAccount
-    name: kilo
-    namespace: kube-system
---
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: kilo-scripts
-  namespace: kube-system
-data:
-  init.sh: |
-    #!/bin/sh
-    cat > /etc/kubernetes/kubeconfig <<EOF
-        apiVersion: v1
-        kind: Config
-        name: kilo
-        clusters:
-        - cluster:
-            server: $(sed -n 's/.*server: \(.*\)/\1/p' /var/lib/rancher/k3s/agent/kubelet.kubeconfig)
-            certificate-authority: /var/lib/rancher/k3s/agent/server-ca.crt
-        users:
-        - name: kilo
-          user:
-            token: $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
-        contexts:
-        - name: kilo
-          context:
-            cluster: kilo
-            namespace: ${NAMESPACE}
-            user: kilo
-        current-context: kilo
-    EOF
---
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  name: kilo
-  namespace: kube-system
-  labels:
-    app.kubernetes.io/name: kilo
-    app.kubernetes.io/part-of: kilo
-spec:
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: kilo
-      app.kubernetes.io/part-of: kilo
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: kilo
-        app.kubernetes.io/part-of: kilo
-    spec:
-      serviceAccountName: kilo
-      hostNetwork: true
-      containers:
-      - name: kilo
-        image: squat/kilo:0.5.0
-        args:
-        - --kubeconfig=/etc/kubernetes/kubeconfig
-        - --hostname=$(NODE_NAME)
-        - --cni=false
-        - --compatibility=cilium
-        - --local=false
-        - --encapsulate=crosssubnet
-        - --clean-up-interface=true
-        - --log-level=all
-        env:
-        - name: NODE_NAME
-          valueFrom:
-            fieldRef:
-              fieldPath: spec.nodeName
-        ports:
-        - containerPort: 1107
-          name: metrics
-        securityContext:
-          privileged: true
-        volumeMounts:
-        - name: kilo-dir
-          mountPath: /var/lib/kilo
-        - name: kubeconfig
-          mountPath: /etc/kubernetes
-          readOnly: true
-        - name: lib-modules
-          mountPath: /lib/modules
-          readOnly: true
-        - name: xtables-lock
-          mountPath: /run/xtables.lock
-          readOnly: false
-      initContainers:
-      - name: generate-kubeconfig
-        image: squat/kilo:0.5.0
-        command:
-        - /bin/sh
-        args:
-        - /scripts/init.sh
-        imagePullPolicy: Always
-        volumeMounts:
-        - name: kubeconfig
-          mountPath: /etc/kubernetes
-        - name: scripts
-          mountPath: /scripts/
-          readOnly: true
-        - name: k3s-agent
-          mountPath: /var/lib/rancher/k3s/agent/
-          readOnly: true
-        env:
-        - name: NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-      tolerations:
-      - effect: NoSchedule
-        operator: Exists
-      - effect: NoExecute
-        operator: Exists
-      volumes:
-      - name: kilo-dir
-        hostPath:
-          path: /var/lib/kilo
-      - name: kubeconfig
-        emptyDir: {}
-      - name: scripts
-        configMap:
-          name: kilo-scripts
-      - name: k3s-agent
-        hostPath:
-          path: /var/lib/rancher/k3s/agent
-      - name: lib-modules
-        hostPath:
-          path: /lib/modules
-      - name: xtables-lock
-        hostPath:
-          path: /run/xtables.lock
-          type: FileOrCreate
--- a/manifests/kilo-k3s-userspace-heterogeneous.yaml
+++ b/manifests/kilo-k3s-userspace-heterogeneous.yaml
@ -300,7 +300,7 @@ spec:
      - name: boringtun
        image: leonnicolas/boringtun:cc19859
        args:
-        - --disable-drop-privileges=true
+        - --disable-drop-privileges
        - --foreground
        - kilo0
        securityContext:
--- a/manifests/kilo-k3s-userspace.yaml
+++ b/manifests/kilo-k3s-userspace.yaml
@ -167,7 +167,7 @@ spec:
      - name: boringtun
        image: leonnicolas/boringtun:cc19859
        args:
-        - --disable-drop-privileges=true
+        - --disable-drop-privileges
        - --foreground
        - kilo0
        securityContext:
--- a/manifests/kilo-kubeadm-userspace.yaml
+++ b/manifests/kilo-kubeadm-userspace.yaml
@ -104,7 +104,7 @@ spec:
        image: leonnicolas/boringtun:cc19859
        imagePullPolicy: IfNotPresent
        args:
-          - --disable-drop-privileges=true
+          - --disable-drop-privileges
          - --foreground
          - kilo0
        securityContext:
--- a/pkg/iptables/iptables.go
+++ b/pkg/iptables/iptables.go
@ -25,7 +25,6 @@ import (
 	"github.com/coreos/go-iptables/iptables"
 	"github.com/go-kit/kit/log"
 	"github.com/go-kit/kit/log/level"
-	"github.com/prometheus/client_golang/prometheus"
 )

 const ipv6ModuleDisabledPath = "/sys/module/ipv6/parameters/disable"
@ -221,7 +220,6 @@ type Controller struct {
 	errors       chan error
 	logger       log.Logger
 	resyncPeriod time.Duration
-	registerer   prometheus.Registerer

 	sync.Mutex
 	rules      []Rule
@ -253,12 +251,6 @@ func WithClients(v4, v6 Client) ControllerOption {
 	}
 }

-func WithRegisterer(registerer prometheus.Registerer) ControllerOption {
-	return func(c *Controller) {
-		c.registerer = registerer
-	}
-}
-
 // New generates a new iptables rules controller.
 // If no options are given, IPv4 and IPv6 clients
 // will be instantiated using the regular iptables backend.
@ -275,7 +267,7 @@ func New(opts ...ControllerOption) (*Controller, error) {
 		if err != nil {
 			return nil, fmt.Errorf("failed to create iptables IPv4 client: %v", err)
 		}
-		c.v4 = wrapWithMetrics(v4, "IPv4", c.registerer)
+		c.v4 = v4
 	}
 	if c.v6 == nil {
 		disabled, err := ipv6Disabled()
@ -290,7 +282,7 @@ func New(opts ...ControllerOption) (*Controller, error) {
 			if err != nil {
 				return nil, fmt.Errorf("failed to create iptables IPv6 client: %v", err)
 			}
-			c.v6 = wrapWithMetrics(v6, "IPv6", c.registerer)
+			c.v6 = v6
 		}
 	}
 	return c, nil
--- a/pkg/iptables/metrics.go
+++ b/pkg/iptables/metrics.go
@ -1,115 +0,0 @@
-// Copyright 2022 the Kilo authors
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package iptables
-
-import (
-	"github.com/prometheus/client_golang/prometheus"
-)
-
-type metricsClientWrapper struct {
-	client           Client
-	operationCounter *prometheus.CounterVec
-}
-
-func wrapWithMetrics(client Client, protocol string, registerer prometheus.Registerer) Client {
-	if registerer == nil {
-		return client
-	}
-
-	labelNames := []string{
-		"operation",
-		"table",
-		"chain",
-	}
-	counter := prometheus.NewCounterVec(prometheus.CounterOpts{
-		Name:        "kilo_iptables_operations_total",
-		Help:        "Number of iptables operations.",
-		ConstLabels: prometheus.Labels{"protocol": protocol},
-	}, labelNames)
-	registerer.MustRegister(counter)
-	return &metricsClientWrapper{client, counter}
-}
-
-func (m *metricsClientWrapper) AppendUnique(table string, chain string, rule ...string) error {
-	m.operationCounter.With(prometheus.Labels{
-		"operation": "AppendUnique",
-		"table":     table,
-		"chain":     chain,
-	}).Inc()
-	return m.client.AppendUnique(table, chain, rule...)
-}
-
-func (m *metricsClientWrapper) Delete(table string, chain string, rule ...string) error {
-	m.operationCounter.With(prometheus.Labels{
-		"operation": "Delete",
-		"table":     table,
-		"chain":     chain,
-	}).Inc()
-	return m.client.Delete(table, chain, rule...)
-}
-
-func (m *metricsClientWrapper) Exists(table string, chain string, rule ...string) (bool, error) {
-	m.operationCounter.With(prometheus.Labels{
-		"operation": "Exists",
-		"table":     table,
-		"chain":     chain,
-	}).Inc()
-	return m.client.Exists(table, chain, rule...)
-}
-
-func (m *metricsClientWrapper) List(table string, chain string) ([]string, error) {
-	m.operationCounter.With(prometheus.Labels{
-		"operation": "List",
-		"table":     table,
-		"chain":     chain,
-	}).Inc()
-	return m.client.List(table, chain)
-}
-
-func (m *metricsClientWrapper) ClearChain(table string, chain string) error {
-	m.operationCounter.With(prometheus.Labels{
-		"operation": "ClearChain",
-		"table":     table,
-		"chain":     chain,
-	}).Inc()
-	return m.client.ClearChain(table, chain)
-}
-
-func (m *metricsClientWrapper) DeleteChain(table string, chain string) error {
-	m.operationCounter.With(prometheus.Labels{
-		"operation": "DeleteChain",
-		"table":     table,
-		"chain":     chain,
-	}).Inc()
-	return m.client.DeleteChain(table, chain)
-}
-
-func (m *metricsClientWrapper) NewChain(table string, chain string) error {
-	m.operationCounter.With(prometheus.Labels{
-		"operation": "NewChain",
-		"table":     table,
-		"chain":     chain,
-	}).Inc()
-	return m.client.NewChain(table, chain)
-}
-
-func (m *metricsClientWrapper) ListChains(table string) ([]string, error) {
-	m.operationCounter.With(prometheus.Labels{
-		"operation": "ListChains",
-		"table":     table,
-		"chain":     "*",
-	}).Inc()
-	return m.client.ListChains(table)
-}
--- a/pkg/mesh/mesh.go
+++ b/pkg/mesh/mesh.go
@ -88,7 +88,7 @@ type Mesh struct {
 }

 // New returns a new Mesh instance.
-func New(backend Backend, enc encapsulation.Encapsulator, granularity Granularity, hostname string, port int, subnet *net.IPNet, local, cni bool, cniPath, iface string, cleanUpIface bool, createIface bool, mtu uint, resyncPeriod time.Duration, prioritisePrivateAddr, iptablesForwardRule bool, logger log.Logger, registerer prometheus.Registerer) (*Mesh, error) {
+func New(backend Backend, enc encapsulation.Encapsulator, granularity Granularity, hostname string, port int, subnet *net.IPNet, local, cni bool, cniPath, iface string, cleanUpIface bool, createIface bool, mtu uint, resyncPeriod time.Duration, prioritisePrivateAddr, iptablesForwardRule bool, logger log.Logger) (*Mesh, error) {
 	if err := os.MkdirAll(kiloPath, 0700); err != nil {
 		return nil, fmt.Errorf("failed to create directory to store configuration: %v", err)
 	}
@ -156,11 +156,11 @@ func New(backend Backend, enc encapsulation.Encapsulator, granularity Granularit
 		externalIP = publicIP
 	}
 	level.Debug(logger).Log("msg", fmt.Sprintf("using %s as the public IP address", publicIP.String()))
-	ipTables, err := iptables.New(iptables.WithRegisterer(registerer), iptables.WithLogger(log.With(logger, "component", "iptables")), iptables.WithResyncPeriod(resyncPeriod))
+	ipTables, err := iptables.New(iptables.WithLogger(log.With(logger, "component", "iptables")), iptables.WithResyncPeriod(resyncPeriod))
 	if err != nil {
 		return nil, fmt.Errorf("failed to IP tables controller: %v", err)
 	}
-	mesh := Mesh{
+	return &Mesh{
 		Backend:             backend,
 		cleanUpIface:        cleanUpIface,
 		cni:                 cni,
@ -205,15 +205,7 @@ func New(backend Backend, enc encapsulation.Encapsulator, granularity Granularit
 			Help: "Number of reconciliation attempts.",
 		}),
 		logger: logger,
-	}
-	registerer.MustRegister(
-		mesh.errorCounter,
-		mesh.leaderGuage,
-		mesh.nodesGuage,
-		mesh.peersGuage,
-		mesh.reconcileCounter,
-	)
-	return &mesh, nil
+	}, nil
 }

 // Run starts the mesh.
@ -524,9 +516,7 @@ func (m *Mesh) applyTopology() {
 				break
 			}
 		}
-
-		ipRules = append(m.enc.Rules(cidrs), ipRules...)
-
+		ipRules = append(ipRules, m.enc.Rules(cidrs)...)
 		// If we are handling local routes, ensure the local
 		// tunnel has an IP address.
 		if err := m.enc.Set(oneAddressCIDR(newAllocator(*nodes[m.hostname].Subnet).next().IP)); err != nil {
@ -583,6 +573,18 @@ func (m *Mesh) applyTopology() {
 	}
 }

+// RegisterMetrics registers Prometheus metrics on the given Prometheus
+// registerer.
+func (m *Mesh) RegisterMetrics(r prometheus.Registerer) {
+	r.MustRegister(
+		m.errorCounter,
+		m.leaderGuage,
+		m.nodesGuage,
+		m.peersGuage,
+		m.reconcileCounter,
+	)
+}
+
 func (m *Mesh) cleanUp() {
 	if err := m.ipTables.CleanUp(); err != nil {
 		level.Error(m.logger).Log("error", fmt.Sprintf("failed to clean up IP tables: %v", err))
--- a/website/src/pages/index.js
+++ b/website/src/pages/index.js
@ -12,7 +12,7 @@ const features = [
    imageUrl: 'https://kubernetes.io/images/nav_logo.svg',
    description: (
      <>
-        Kilo can be installed on any Kubernetes cluster, allowing nodes located in different clouds or in different countries to form a single cluster.
+        Kilo can be installed on any Kubernetes cluster, allowing nodes located in different clouds or in different coutries to form a single cluster.
      </>
    ),
    clip: true,
--- a/website/yarn.lock
+++ b/website/yarn.lock
@ -2543,9 +2543,9 @@ browserslist@^4.0.0, browserslist@^4.14.5, browserslist@^4.16.0, browserslist@^4
    node-releases "^1.1.71"

 buffer-from@^1.0.0:
-  version "1.1.2"
-  resolved "https://registry.yarnpkg.com/buffer-from/-/buffer-from-1.1.2.tgz#2b146a6fd72e80b4f55d255f35ed59a3a9a41bd5"
-  integrity sha512-E+XQCRwSbaaiChtv6k6Dwgc+bx+Bs6vuKJHHl5kox/BaKbhiXzqQOwK4cO22yElGp2OCmjwVhT3HmxgyPGnJfQ==
+  version "1.1.1"
+  resolved "https://registry.yarnpkg.com/buffer-from/-/buffer-from-1.1.1.tgz#32713bc028f75c02fdb710d7c7bcec1f2c6070ef"
+  integrity sha512-MQcXEUbCKtEo7bhqEs6560Hyd4XaovZlO/k9V3hjVUF/zwW7KBVdSK4gIt/bzwS9MbR5qob+F5jusZsb0YQK2A==

 buffer-indexof@^1.0.0:
  version "1.1.1"
@ -7752,9 +7752,9 @@ source-map-resolve@^0.5.0:
    urix "^0.1.0"

 source-map-support@~0.5.12, source-map-support@~0.5.19:
-  version "0.5.21"
-  resolved "https://registry.yarnpkg.com/source-map-support/-/source-map-support-0.5.21.tgz#04fe7c7f9e1ed2d662233c28cb2b35b9f63f6e4f"
-  integrity sha512-uBHU3L3czsIyYXKX88fdrGovxdSCoTGDRZ6SYXtSRxLZUzHg5P/66Ht6uoUlHu9EZod+inXhKo3qQgwXUT/y1w==
+  version "0.5.19"
+  resolved "https://registry.yarnpkg.com/source-map-support/-/source-map-support-0.5.19.tgz#a98b62f86dcaf4f67399648c085291ab9e8fed61"
+  integrity sha512-Wonm7zOCIJzBGQdB+thsPar0kYuCIzYvxZwlBa87yi/Mdjv7Tip2cyVbLj5o0cFPN4EVkuTwb3GDDyUx2DGnGw==
  dependencies:
    buffer-from "^1.0.0"
    source-map "^0.6.0"
@ -8060,9 +8060,9 @@ terser-webpack-plugin@^5.1.3:
    terser "^5.7.0"

 terser@^4.6.3:
-  version "4.8.1"
-  resolved "https://registry.yarnpkg.com/terser/-/terser-4.8.1.tgz#a00e5634562de2239fd404c649051bf6fc21144f"
-  integrity sha512-4GnLC0x667eJG0ewJTa6z/yXrbLGv80D9Ru6HIpCQmO+Q4PfEtBFi0ObSckqwL6VyQv/7ENJieXHo2ANmdQwgw==
+  version "4.8.0"
+  resolved "https://registry.yarnpkg.com/terser/-/terser-4.8.0.tgz#63056343d7c70bb29f3af665865a46fe03a0df17"
+  integrity sha512-EAPipTNeWsb/3wLPeup1tVPaXfIaU68xMnVdPafIL1TV05OhASArYyIfFvnvJCNrR2NIOvDVNNTFRa+Re2MWyw==
  dependencies:
    commander "^2.20.0"
    source-map "~0.6.1"