
Add WireGuard client for tunnel traffic encryption.
This PR implements #2243. Currently WireGuard is only supported with Antrea encap mode.

Signed-off-by: Xu Liu <[email protected]>
xliuxu committed Jun 30, 2021
1 parent 2d19196 commit 5a751f2
Showing 31 changed files with 1,276 additions and 81 deletions.
3 changes: 3 additions & 0 deletions build/images/scripts/install_cni
Expand Up @@ -33,5 +33,8 @@ install -m 755 /opt/cni/bin/whereabouts /host/opt/cni/bin/whereabouts
# Load the OVS kernel module
modprobe openvswitch || (echo "Failed to load the OVS kernel module from the container, try running 'modprobe openvswitch' on your Nodes"; exit 1)

# Load the WireGuard kernel module
modprobe wireguard || (echo "Failed to load the WireGuard kernel module from the container.")

# Change the default permissions of the run directory.
chmod 0750 /var/run/antrea
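Review bot: The new `modprobe wireguard` line only prints a warning on failure while the OVS modprobe above it exits 1, so a Node without the module starts the agent regardless; that is acceptable only if the agent hard-fails when enableWireGuardTunnel is set and the WireGuard device cannot be created, which is not visible on this page — otherwise the operator gets a line in the init container log and unencrypted tunnel traffic. The message should at least say what to do, and the subshell around echo is unnecessary: `modprobe wireguard || echo "Failed to load the WireGuard kernel module from the container; WireGuard tunnel encryption will not work until the module is available on the Node kernel, try running 'modprobe wireguard' on your Nodes"`. Consider also logging which Node this came from, as the OVS message does, so the failure can be attributed when reviewing DaemonSet logs.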
15 changes: 11 additions & 4 deletions build/yamls/antrea-aks.yml
Expand Up @@ -3718,6 +3718,13 @@ data:
# for the GRE tunnel type.
#enableIPSecTunnel: false
# Whether or not to enable WireGuard encryption of tunnel traffic. WireGuard encryption is only supported
# for encap mode.
#enableWireGuardTunnel: false
# The port for WireGuard to receive traffic.
#wireGuardPort: 51850
# ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
# cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by
# --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed.
Expand Down Expand Up @@ -3861,7 +3868,7 @@ metadata:
annotations: {}
labels:
app: antrea
name: antrea-config-t9hc8tf75d
name: antrea-config-5t7m5kt44b
namespace: kube-system
---
apiVersion: v1
Expand Down Expand Up @@ -3932,7 +3939,7 @@ spec:
fieldRef:
fieldPath: spec.serviceAccountName
- name: ANTREA_CONFIG_MAP_NAME
value: antrea-config-t9hc8tf75d
value: antrea-config-5t7m5kt44b
image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
imagePullPolicy: IfNotPresent
livenessProbe:
Expand Down Expand Up @@ -3983,7 +3990,7 @@ spec:
key: node-role.kubernetes.io/master
volumes:
- configMap:
name: antrea-config-t9hc8tf75d
name: antrea-config-5t7m5kt44b
name: antrea-config
- name: antrea-controller-tls
secret:
Expand Down Expand Up @@ -4279,7 +4286,7 @@ spec:
operator: Exists
volumes:
- configMap:
name: antrea-config-t9hc8tf75d
name: antrea-config-5t7m5kt44b
name: antrea-config
- hostPath:
path: /etc/cni/net.d
15 changes: 11 additions & 4 deletions build/yamls/antrea-eks.yml
Expand Up @@ -3718,6 +3718,13 @@ data:
# for the GRE tunnel type.
#enableIPSecTunnel: false
# Whether or not to enable WireGuard encryption of tunnel traffic. WireGuard encryption is only supported
# for encap mode.
#enableWireGuardTunnel: false
# The port for WireGuard to receive traffic.
#wireGuardPort: 51850
# ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
# cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by
# --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed.
Expand Down Expand Up @@ -3861,7 +3868,7 @@ metadata:
annotations: {}
labels:
app: antrea
name: antrea-config-t9hc8tf75d
name: antrea-config-5t7m5kt44b
namespace: kube-system
---
apiVersion: v1
Expand Down Expand Up @@ -3932,7 +3939,7 @@ spec:
fieldRef:
fieldPath: spec.serviceAccountName
- name: ANTREA_CONFIG_MAP_NAME
value: antrea-config-t9hc8tf75d
value: antrea-config-5t7m5kt44b
image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
imagePullPolicy: IfNotPresent
livenessProbe:
Expand Down Expand Up @@ -3983,7 +3990,7 @@ spec:
key: node-role.kubernetes.io/master
volumes:
- configMap:
name: antrea-config-t9hc8tf75d
name: antrea-config-5t7m5kt44b
name: antrea-config
- name: antrea-controller-tls
secret:
Expand Down Expand Up @@ -4281,7 +4288,7 @@ spec:
operator: Exists
volumes:
- configMap:
name: antrea-config-t9hc8tf75d
name: antrea-config-5t7m5kt44b
name: antrea-config
- hostPath:
path: /etc/cni/net.d
15 changes: 11 additions & 4 deletions build/yamls/antrea-gke.yml
Expand Up @@ -3718,6 +3718,13 @@ data:
# for the GRE tunnel type.
#enableIPSecTunnel: false
# Whether or not to enable WireGuard encryption of tunnel traffic. WireGuard encryption is only supported
# for encap mode.
#enableWireGuardTunnel: false
# The port for WireGuard to receive traffic.
#wireGuardPort: 51850
# ClusterIP CIDR range for IPv6 Services. It's required when using kube-proxy to provide IPv6 Service in a Dual-Stack
# cluster or an IPv6 only cluster. The value should be the same as the configuration for kube-apiserver specified by
# --service-cluster-ip-range. When AntreaProxy is enabled, this parameter is not needed.
Expand Down Expand Up @@ -3861,7 +3868,7 @@ metadata:
annotations: {}
labels:
app: antrea
name: antrea-config-9g829tktd6
name: antrea-config-d8b7t88629
namespace: kube-system
---
apiVersion: v1
Expand Down Expand Up @@ -3932,7 +3939,7 @@ spec:
fieldRef:
fieldPath: spec.serviceAccountName
- name: ANTREA_CONFIG_MAP_NAME
value: antrea-config-9g829tktd6
value: antrea-config-d8b7t88629
image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
imagePullPolicy: IfNotPresent
livenessProbe:
Expand Down Expand Up @@ -3983,7 +3990,7 @@ spec:
key: node-role.kubernetes.io/master
volumes:
- configMap:
name: antrea-config-9g829tktd6
name: antrea-config-d8b7t88629
name: antrea-config
- name: antrea-controller-tls
secret:
Expand Down Expand Up @@ -4282,7 +4289,7 @@ spec:
path: /home/kubernetes/bin
name: host-cni-bin
- configMap:
name: antrea-config-9g829tktd6
name: antrea-config-d8b7t88629
name: antrea-config
- hostPath:
path: /etc/cni/net.d
15 changes: 11 additions & 4 deletions build/yamls/antrea-ipsec.yml
Expand Up @@ -3718,6 +3718,13 @@ data:
# for the GRE tunnel type.
enableIPSecTunnel: true
# Whether or not to enable WireGuard encryption of tunnel traffic. WireGuard encryption is only supported
# for encap mode.
#enableWireGuardTunnel: false
# The port for WireGuard to receive traffic.
#wireGuardPort: 51850
# ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be
# set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When
# AntreaProxy is enabled, this parameter is not needed and will be ignored if provided.
Expand Down Expand Up @@ -3866,7 +3873,7 @@ metadata:
annotations: {}
labels:
app: antrea
name: antrea-config-h5kbhh859d
name: antrea-config-fk8d988bd9
namespace: kube-system
---
apiVersion: v1
Expand Down Expand Up @@ -3946,7 +3953,7 @@ spec:
fieldRef:
fieldPath: spec.serviceAccountName
- name: ANTREA_CONFIG_MAP_NAME
value: antrea-config-h5kbhh859d
value: antrea-config-fk8d988bd9
image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
imagePullPolicy: IfNotPresent
livenessProbe:
Expand Down Expand Up @@ -3997,7 +4004,7 @@ spec:
key: node-role.kubernetes.io/master
volumes:
- configMap:
name: antrea-config-h5kbhh859d
name: antrea-config-fk8d988bd9
name: antrea-config
- name: antrea-controller-tls
secret:
Expand Down Expand Up @@ -4328,7 +4335,7 @@ spec:
operator: Exists
volumes:
- configMap:
name: antrea-config-h5kbhh859d
name: antrea-config-fk8d988bd9
name: antrea-config
- hostPath:
path: /etc/cni/net.d
15 changes: 11 additions & 4 deletions build/yamls/antrea.yml
Expand Up @@ -3718,6 +3718,13 @@ data:
# for the GRE tunnel type.
#enableIPSecTunnel: false
# Whether or not to enable WireGuard encryption of tunnel traffic. WireGuard encryption is only supported
# for encap mode.
#enableWireGuardTunnel: false
# The port for WireGuard to receive traffic.
#wireGuardPort: 51850
# ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be
# set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When
# AntreaProxy is enabled, this parameter is not needed and will be ignored if provided.
Expand Down Expand Up @@ -3866,7 +3873,7 @@ metadata:
annotations: {}
labels:
app: antrea
name: antrea-config-cbfh568k9m
name: antrea-config-m8b78df98b
namespace: kube-system
---
apiVersion: v1
Expand Down Expand Up @@ -3937,7 +3944,7 @@ spec:
fieldRef:
fieldPath: spec.serviceAccountName
- name: ANTREA_CONFIG_MAP_NAME
value: antrea-config-cbfh568k9m
value: antrea-config-m8b78df98b
image: projects.registry.vmware.com/antrea/antrea-ubuntu:latest
imagePullPolicy: IfNotPresent
livenessProbe:
Expand Down Expand Up @@ -3988,7 +3995,7 @@ spec:
key: node-role.kubernetes.io/master
volumes:
- configMap:
name: antrea-config-cbfh568k9m
name: antrea-config-m8b78df98b
name: antrea-config
- name: antrea-controller-tls
secret:
Expand Down Expand Up @@ -4284,7 +4291,7 @@ spec:
operator: Exists
volumes:
- configMap:
name: antrea-config-cbfh568k9m
name: antrea-config-m8b78df98b
name: antrea-config
- hostPath:
path: /etc/cni/net.d
7 changes: 7 additions & 0 deletions build/yamls/base/conf/antrea-agent.conf
Expand Up @@ -81,6 +81,13 @@ featureGates:
# for the GRE tunnel type.
#enableIPSecTunnel: false

# Whether or not to enable WireGuard encryption of tunnel traffic. WireGuard encryption is only supported
# for encap mode.
#enableWireGuardTunnel: false

# The port for WireGuard to receive traffic.
#wireGuardPort: 51850

# ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be
# set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When
# AntreaProxy is enabled, this parameter is not needed and will be ignored if provided.
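Review bot: The new enableWireGuardTunnel comment sits directly under enableIPSecTunnel but says nothing about whether the two can be combined, and the wireGuardPort comment does not say the port is UDP or that it has to be reachable between Nodes — an operator reading this file on AKS/EKS/GKE has no hint that a security group rule is needed. Suggested wording: `# for encap mode. Do not enable it together with enableIPSecTunnel.` for the second comment line, and `# The UDP port WireGuard listens on for encrypted tunnel traffic from peer Nodes. It must be allowed` / `# by Node firewalls and cloud security groups.` for the port. Whether the agent actually rejects both toggles being set is not visible on this page, so the wording should match what the agent enforces.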
8 changes: 6 additions & 2 deletions cmd/antrea-agent/agent.go
Expand Up @@ -115,7 +115,10 @@ func run(o *Options) error {
networkConfig := &config.NetworkConfig{
TunnelType: ovsconfig.TunnelType(o.config.TunnelType),
TrafficEncapMode: encapMode,
EnableIPSecTunnel: o.config.EnableIPSecTunnel}
EnableIPSecTunnel: o.config.EnableIPSecTunnel,
EnableWireGuard: o.config.EnableWireGuard,
WireGuardPort: o.config.WireGuardPort,
}

routeClient, err := route.NewClient(serviceCIDRNet, networkConfig, o.config.NoSNAT)
if err != nil {
Expand Down Expand Up @@ -162,7 +165,8 @@ func run(o *Options) error {
routeClient,
ifaceStore,
networkConfig,
nodeConfig)
nodeConfig,
agentInitializer.GetWireGuardClient())

var proxier proxy.Proxier
if features.DefaultFeatureGate.Enabled(features.AntreaProxy) {
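Review bot: Nothing in either hunk checks that EnableWireGuard is compatible with the other values copied into NetworkConfig — encapMode and EnableIPSecTunnel — even though the commit message and config comment say WireGuard only works in encap mode; if that validation does not live in Options.validate (not on this page), run() builds a NetworkConfig with both encryption flags or with a non-encap mode plus WireGuard, and the failure surfaces later and less clearly. The guard is small enough to add just before networkConfig: `if o.config.EnableWireGuard && (o.config.EnableIPSecTunnel || encapMode != config.TrafficEncapModeEncap) { return fmt.Errorf("WireGuard encryption requires encap mode and cannot be combined with IPsec") }`. Likewise, make sure a zero WireGuardPort receives the documented 51850 default before it is copied into NetworkConfig, since the defaulting is not visible here and a listen port of 0 would leave the port up to the kernel on each Node. run() begins and ends outside these hunks.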
6 changes: 6 additions & 0 deletions cmd/antrea-agent/config.go
Expand Up @@ -95,6 +95,12 @@ type AgentConfig struct {
// through an environment variable: ANTREA_IPSEC_PSK.
// Defaults to false.
EnableIPSecTunnel bool `yaml:"enableIPSecTunnel,omitempty"`
// Whether or not to enable WireGuard encryption for Pod traffic across Nodes. Currently wireguard
// is supported only with encap mode.
EnableWireGuard bool `yaml:"enableWireGuardTunnel,omitempty"`
// WireGuardPort s the port for the WireGuard to receive traffic.
// Defaults to 51850
WireGuardPort int `yaml:"wireGuardPort,omitempty"`
// APIPort is the port for the antrea-agent APIServer to serve on.
// Defaults to 10350.
APIPort int `yaml:"apiPort,omitempty"`
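Review bot: The doc comment on WireGuardPort has a typo ("s the port") and, like the EnableWireGuard comment above it, leaves out the two facts an operator needs: the port is UDP and must be reachable between Nodes, and how the toggle relates to EnableIPSecTunnel. Suggested replacement for the two comment lines on WireGuardPort: `// WireGuardPort is the UDP port the WireGuard interface listens on for encrypted tunnel traffic from peer Nodes;` / `// it must be allowed by Node firewalls and cloud security groups. Defaults to 51850.` For EnableWireGuard, note that the yaml key is enableWireGuardTunnel (the field name drops the suffix) and state whether it may be set together with EnableIPSecTunnel, matching whatever the agent enforces — that check is not visible on this page.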
4 changes: 3 additions & 1 deletion cmd/antrea-agent/options_windows.go
Expand Up @@ -51,7 +51,9 @@ func (o *Options) checkUnsupportedFeatures() error {
if o.config.EnableIPSecTunnel {
unsupported = append(unsupported, "IPsecTunnel")
}

if o.config.EnableWireGuard {
unsupported = append(unsupported, "WireGuard")
}
if unsupported != nil {
return fmt.Errorf("unsupported features on Windows: {%s}", strings.Join(unsupported, ", "))
}
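Review bot: The unsupported-feature name added here is "WireGuard" while the entry above it is "IPsecTunnel", which mirrors its config key enableIPSecTunnel; for the same correspondence with enableWireGuardTunnel the new entry should read `unsupported = append(unsupported, "WireGuardTunnel")`, so the error message points the operator at the exact key to unset. The blank line between the two checks was dropped too; keep it for consistency with the surrounding list.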
5 changes: 5 additions & 0 deletions cmd/antrea-agent/options_windows_test.go
Expand Up @@ -69,6 +69,11 @@ func TestCheckUnsupportedFeatures(t *testing.T) {
AgentConfig{EnableIPSecTunnel: true},
false,
},
{
"WireGuard tunnel",
AgentConfig{EnableWireGuard: true},
false,
},
{
"hybrid mode and GRE tunnel",
AgentConfig{TrafficEncapMode: config.TrafficEncapModeHybrid.String(), TunnelType: ovsconfig.GRETunnel},
9 changes: 5 additions & 4 deletions go.mod
Expand Up @@ -41,15 +41,16 @@ require (
github.com/streamrail/concurrent-map v0.0.0-20160823150647-8bf1e9bacbf6 // indirect
github.com/stretchr/testify v1.6.1
github.com/ti-mo/conntrack v0.3.0
github.com/vishvananda/netlink v1.1.0
github.com/vishvananda/netlink v1.1.1-0.20210510164352-d17758a128bf
github.com/vmware/go-ipfix v0.5.3
golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83
golang.org/x/crypto v0.0.0-20210503195802-e9a32991a82e
golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6
golang.org/x/mod v0.4.0
golang.org/x/net v0.0.0-20210224082022-3d97a244fca7
golang.org/x/net v0.0.0-20210504132125-bbd867fde50d
golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9
golang.org/x/sys v0.0.0-20210225134936-a50acf3fe073
golang.org/x/sys v0.0.0-20210503173754-0981d6026fa6
golang.org/x/time v0.0.0-20210220033141-f8bda1e9f3ba
golang.zx2c4.com/wireguard/wgctrl v0.0.0-20210506160403-92e472f520a5
google.golang.org/grpc v1.27.1
gopkg.in/natefinch/lumberjack.v2 v2.0.0
gopkg.in/yaml.v2 v2.4.0
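Review bot: The netlink requirement moves from the tagged v1.1.0 to an untagged pseudo-version, and the new wgctrl dependency is also pinned to a commit rather than a release; both are fine from a supply-chain standpoint only while go.sum (not on this page) records their checksums, but a reader has no way to tell why the unreleased netlink commit is needed or when it can go back to a tag. Annotate the line, e.g. `github.com/vishvananda/netlink v1.1.1-0.20210510164352-d17758a128bf // unreleased: presumably needed for WireGuard link support, move back to a tag once released`, and confirm `go mod verify` passes in CI for the new pins.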
