e30cff5293
Add the possibility to use a user space implementation of wireguard. Specifically, the rust implementation boringtun.
1.7 KiB
Userspace WireGuard
It is possible to use a userspace implementation of WireGuard with Kilo. This can make sense if
- not all nodes in the cluster have WireGuard installed
- no one wants to install the DKMS WireGuard package on these nodes
Homogeneous Cluster
With a homogeneous cluster (no node has the WireGuard kernel module), you can run a userspace WireGuard implementation as a DaemonSet.
This will create a WireGuard interface and Kilo will configure it.
In order to avoid a race condition, kg needs to be passed the --create-interface=false flag.
An example configuration for a k3s cluster with boringtun can be applied with
kubectl apply -f https://raw.githubusercontent.com/squat/Kilo/master/manifests/kilo-k3s-userspace.yaml
Note: even if some nodes have the WireGuard kernel module, this will still use the userspace implementation of WireGuard.
Heterogeneous Cluster
If you have a heterogeneous cluster (some nodes are missing the WireGuard kernel module) and you wish to use the kernel module, if available, you can apply this configuration to a k3s cluster:
kubectl apply -f https://raw.githubusercontent.com/squat/Kilo/master/manifests/kilo-k3s-userspace-heterogeneous.yaml
This config will apply nkml as a DaemonSet to label all nodes according to the presence of the WireGuard kernel module.
It will apply two different DaemonSets with Kilo: kilo without userspace WireGuard and kilo-userspace with boringtun as a sidecar.
Because Kilo is dependant on nkml, it needs to run on the host network and needs a kubeconfig to be able to update the labels.